Forum Discussion
Thomas Cox, Copper Contributor
Mar 01, 2023
Microsoft Sentinel - See collected Event IDs per Computer
Hey!
Whilst the Common Security Events (via AMA) collects a set number of Windows Security Event IDs:
https://learn.microsoft.com/en-us/azure/sentinel/windows-security-event-id-reference
Is there a way to see which computers are sending which event IDs as part of a wider SecurityEvents query? It's easy enough to pull back Event IDs being collected:
SecurityEvent
| summarize count() by Activity
Any pointers would be appreciated!
3 Replies
- Thomas Cox, Copper Contributor
This might be the answer:
SecurityEvent
| distinct Computer, EventID
- Clive_Watson, Bronze Contributor
An alternative method:
SecurityEvent | summarize count_=dcount(EventID), Ids_=make_set(EventID) by Computer
- Thomas Cox, Copper Contributor
That is much neater than having to stitch the data together! Thank you.
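Extending the per-computer summary from the replies above, the following KQL is an added example (not code from the thread, from Thomas Cox, from Clive Watson or from Microsoft) that lists which Event IDs each computer has sent in a lookback window and also flags computers that are missing IDs you expect every host to emit, which is the usual coverage check after onboarding hosts to the AMA data connector. The 7-day window and the `expectedIds` list (4624, 4625, 4688) are assumptions for illustration; replace them with the IDs your own collection profile is supposed to deliver.

```kusto
// Added example, not from the original thread.
// Per-computer view of collected Windows Security Event IDs, plus a coverage
// check for IDs that every monitored host is expected to send.
let lookback = 7d;                                  // assumed window
let expectedIds = dynamic([4624, 4625, 4688]);      // assumed "must see" IDs
SecurityEvent
| where TimeGenerated > ago(lookback)
| summarize EventCount = count(),                   // total events from this host
            DistinctIds = dcount(EventID),          // how many different IDs
            Ids = make_set(EventID),                // the actual IDs seen
            LastSeen = max(TimeGenerated)           // detects hosts that went quiet
          by Computer
// IDs in expectedIds that never showed up for this computer
| extend MissingIds = set_difference(expectedIds, Ids)
| project Computer, EventCount, DistinctIds, Ids, MissingIds, LastSeen
// hosts with the thinnest coverage first
| order by DistinctIds asc, LastSeen asc
```

A non-empty `MissingIds` on a host that is otherwise reporting usually points at an audit policy or collection-tier mismatch on that machine rather than at the connector as a whole, so this is a cheaper first check than comparing each host against the full event ID reference by hand.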