Forum Discussion

CharlieK95's avatar
CharlieK95
Copper Contributor
Jan 18, 2022
Solved

User Events Per Second KQL

Hey!   I hope you're all doing well! I've been working with a monthly report with Sentinel and PowerBI - and I've been trying to get a "User EPS Count". This would be a KQL statement that looks at...
  • m_zorich's avatar
    m_zorich
    Feb 01, 2022

    Something like this?
    SecurityEvent
    | where TimeGenerated > ago( 1h)
    | summarize EventCount=count() by TargetAccount
    | extend EPSCount = EventCount/60/60

    Not sure too many single user accounts would be generating so many events to actually get very high EPS, so that last line may be redundant, if you take it out you will just get a count per TargetAccount

    Also with SecurityEvent logs in particular, depending on the EventId the TargetAccount field can be blank, maybe just double check you are getting everything you need

Vasgauta's avatar
Vasgauta
Copper Contributor
Jun 08, 2022

Can anybody tell me how can we create any dashboard for "events per second" tiles on dashboard ?

Clive_Watson's avatar
Clive_Watson
Bronze Contributor
Jun 09, 2022

Vasgauta 

Simply press 'pin' to send the query to a Dashboard or a Workbook - then follow the steps 

 

Resources