Microsoft Sentinel - See collected Event IDs per Computer

Thomas Cox · ‎Mar 01 2023

Hey!

Whilst the Common Security Events (via AMA) collects a set number of Windows Security Event IDs:

Windows security event sets that can be sent to Microsoft Sentinel | Microsoft Learn

Is there a way to see which computers are sending which event IDs as part of a wider SecurityEvents query? It's easy enough to pull back Event IDs being collected:

SecurityEvent
| summarize count() by Activity

Any pointers would be appreciated!

Thomas Cox · ‎Mar 01 2023

This might be the answer:

Security Event
| distinct Computer, EventID

Thomas Cox · ‎Mar 02 2023

@Thomas Cox

An alternative method

SecurityEvent
| summarize count_=dcount(EventID), Ids_=make_set(EventID) by Computer

Thomas Cox · ‎Mar 02 2023

That is much neater than having to stitch the data together! Thank you.

Thomas Cox · ‎Mar 02 2023

@Thomas Cox

An alternative method

SecurityEvent
| summarize count_=dcount(EventID), Ids_=make_set(EventID) by Computer

View solution in original post

Microsoft Sentinel - See collected Event IDs per Computer

Microsoft Sentinel - See collected Event IDs per Computer

Re: Microsoft Sentinel - See collected Event IDs per Computer

Re: Microsoft Sentinel - See collected Event IDs per Computer

Re: Microsoft Sentinel - See collected Event IDs per Computer

Re: Microsoft Sentinel - See collected Event IDs per Computer

Products (50)

Special Topics (27)

Video Hub (462)

Most Active Hubs

Most Active Hubs

Video Hub

Microsoft Sentinel - See collected Event IDs per Computer