Make-Series SparkLine

Copper Contributor

Hi All,

 

I'm trying to add a SparkLine column to my query to replicate the Trend line that's seen in some of the Sentinel Workbook templates:

Trend line conditional policy.PNG

The query I'm trying to add it to is simple, I'm looking at failed logons with the substatus for expired passwords:

union WindowsEventSecurityEvent

where EventID == 4625

where (Data.SubStatus) == 0xC0000071

    or SubStatus == 0xC0000071

extend UserInitiatingLogon_ = tostring(Data.SubjectUserName)

extend TargetUserName_ = tostring(Data.TargetUserName)

summarize NumberOfAttempts = count() by UserInitiatingLogon_TargetUserName_Computer

 

This works fine and returns the below:Query Without MakeSeries.png

When I add a 'make-series' statement to my query (TimeRange is set as a time picker earlier in the Workbook) as per the below I get an error:

union WindowsEventSecurityEvent

where EventID == 4625

where (Data.SubStatus) == 0xC0000071

    or SubStatus == 0xC0000071

extend UserInitiatingLogon_ = tostring(Data.SubjectUserName)

extend TargetUserName_ = tostring(Data.TargetUserName)

summarize NumberOfAttempts = count() by UserInitiatingLogon_TargetUserName_Computer

make-series Trend = count() default = 0 on TimeGenerated in range({TimeRange:start}{TimeRange:end}{TimeRange:grain}by UserInitiatingLogonTargetUsernameComputer

 

Query WITH makeseries error.PNG

 

Can anyone point me in the right direction? Thanks in advance!

1 Reply

Hi @Sam_SOC ,

The Summarize clause is the issue here - it keeps only the few fields that are explicitly mentioned (NumberOfAttempts, count, UserInitiatingLogon etc.) and TimeGenerated is not one of them. In fact, the summarize operation doesn't seem to be needed at all when you create a series, which is based on the TimeGenerated field. Without it, it works well.

To test, I've created a query very similar to yours:

let StartTime = ago(1d);
let EndTime = now();
union Event, SecurityEvent
| where EventID == 4625
| extend UserInitiatingLogon = tostring(SubjectUserName)
| extend TargetUserName = tostring(TargetUserName)
//| summarize NumberOfAttempts = count() by UserInitiatingLogon, TargetUserName, Computer
| make-series Trend = count() default = 0 on TimeGenerated in range(StartTime, EndTime, 1h) by UserInitiatingLogon, TargetUserName, Computer