Forum Discussion

CharlieK95's avatar
CharlieK95
Copper Contributor
Jan 18, 2022
Solved

User Events Per Second KQL

Hey!   I hope you're all doing well! I've been working with a monthly report with Sentinel and PowerBI - and I've been trying to get a "User EPS Count". This would be a KQL statement that looks at...
  • m_zorich's avatar
    m_zorich
    Feb 01, 2022

    Something like this?
    SecurityEvent
    | where TimeGenerated > ago( 1h)
    | summarize EventCount=count() by TargetAccount
    | extend EPSCount = EventCount/60/60

    Not sure too many single user accounts would be generating so many events to actually get very high EPS, so that last line may be redundant, if you take it out you will just get a count per TargetAccount

    Also with SecurityEvent logs in particular, depending on the EventId the TargetAccount field can be blank, maybe just double check you are getting everything you need

CharlieK95's avatar
CharlieK95
Copper Contributor
Feb 01, 2022
Hi Gary,

Thanks for your response,
I've tried the below, which has brought me the list of users, however I can't quite figure out how to pull their events with them. Is there a way I can make another column in the results, with their events per second, tied to that user account?

SecurityEvent
| where TimeGenerated > ago(1h)
| where TargetAccount has "<customername>"


Many thanks,
C
m_zorich's avatar
m_zorich
Iron Contributor
Feb 01, 2022

Something like this?
SecurityEvent
| where TimeGenerated > ago( 1h)
| summarize EventCount=count() by TargetAccount
| extend EPSCount = EventCount/60/60

Not sure too many single user accounts would be generating so many events to actually get very high EPS, so that last line may be redundant, if you take it out you will just get a count per TargetAccount

Also with SecurityEvent logs in particular, depending on the EventId the TargetAccount field can be blank, maybe just double check you are getting everything you need

Resources