
Microsoft Sentinel - See collected Event IDs per Computer


Hey!

Whilst the Common Security Events set (via AMA) collects a fixed number of Windows Security Event IDs:

Windows security event sets that can be sent to Microsoft Sentinel | Microsoft Learn

Is there a way to see which computers are sending which Event IDs as part of a wider SecurityEvent query? It's easy enough to pull back the Event IDs being collected:

SecurityEvent
| summarize count() by Activity

Any pointers would be appreciated!

3 Replies
This might be the answer:

SecurityEvent
| distinct Computer, EventID

best response confirmed by Thomas Cox (Copper Contributor)

@Thomas Cox

An alternative method

SecurityEvent
| summarize count_=dcount(EventID), Ids_=make_set(EventID) by Computer

That is much neater than having to stitch the data together! Thank you.
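The accepted query above gives one row per computer with the set of Event IDs it has sent. The following is an added example, not code from the original thread or from Microsoft, that builds on it for the audit question behind the post: per computer, how many events of each ID arrived and when the last one was seen, plus which IDs a computer is expected to send but has not. The `ExpectedIds` list and the 7-day window are assumptions chosen for illustration; the list is not the full Common set, so replace it with the IDs your data collection rule is configured to collect.

```kql
// Added example (not from the original thread).
// Assumption: ExpectedIds is an illustrative subset, not the full
// Common Security Events set; substitute the IDs your DCR collects.
let LookBack = 7d;
let ExpectedIds = dynamic([4624, 4625, 4688, 4720]);
// One row per (Computer, EventID) with volume and recency.
let PerComputerId =
    SecurityEvent
    | where TimeGenerated > ago(LookBack)
    | summarize Events = count(), LastSeen = max(TimeGenerated) by Computer, EventID;
// Collapse to one row per computer:
//   DistinctIds - how many different IDs the host delivered
//   Ids         - the set of IDs (same idea as the accepted answer)
//   IdCounts    - property bag of EventID -> event count
//   MissingIds  - expected IDs this host never sent in the window
PerComputerId
| summarize DistinctIds = dcount(EventID),
            Ids = make_set(EventID),
            IdCounts = make_bag(bag_pack(tostring(EventID), Events))
  by Computer
| extend MissingIds = set_difference(ExpectedIds, Ids)
| project Computer, DistinctIds, MissingIds, Ids, IdCounts
| order by array_length(MissingIds) desc, Computer asc
```

Hosts that appear at the top of the result (large `MissingIds`) are the ones worth checking first: an expected ID that is absent for a whole week usually means the host is not actually covered by the intended DCR, the audit policy on the host is not generating that event, or the agent is not forwarding it. Hosts that never log to `SecurityEvent` at all will not appear in this output, so pair it with a heartbeat or inventory source if you need to catch silent machines. Swapping the `by Computer` for `by EventID` and collecting `make_set(Computer)` answers the inverse question, which computers send a given ID.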