Mar 01 2023 09:03 AM
Hey!
Whilst the Common Security Events (via AMA) collects a set number of Windows Security Event IDs:
Windows security event sets that can be sent to Microsoft Sentinel | Microsoft Learn
Is there a way to see which computers are sending which event IDs as part of a wider SecurityEvents query? It's easy enough to pull back Event IDs being collected:
SecurityEvent
| summarize count() by Activity
Any pointers would be appreciated!
Mar 01 2023 09:10 AM
Mar 02 2023 12:41 AM
Solution
An alternative method
SecurityEvent
| summarize count_=dcount(EventID), Ids_=make_set(EventID) by Computer