Microsoft Sentinel - See collected Event IDs per Computer




Whilst the Common Security Events (via AMA) collects a set number of Windows Security Event IDs: 

Windows security event sets that can be sent to Microsoft Sentinel | Microsoft Learn


Is there a way to see which computers are sending which event IDs as part of a wider SecurityEvents query? It's easy enough to pull back Event IDs being collected: 


SecurityEvent
| summarize count() by Activity


Any pointers would be appreciated! 

3 Replies
This might be the answer:

SecurityEvent
| distinct Computer, EventID

best response confirmed by Thomas Cox (New Contributor)

@Thomas Cox 


An alternative method

SecurityEvent
| summarize count_=dcount(EventID), Ids_=make_set(EventID) by Computer




That is much neater than having to stitch the data together! Thank you.
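
Building on the two replies above, an added example that is not part of the original thread: it lists computers whose collected event IDs are missing entries from an expected baseline, which helps spot hosts with incomplete collection. The `ExpectedIds` list and the 7-day window are assumptions to replace with your own values.

```kusto
// Assumption: illustrative baseline only, not the contents of any built-in event set.
// Replace with the event IDs your data collection rule is meant to collect.
let ExpectedIds = dynamic([4624, 4625, 4688]);
SecurityEvent
// Assumption: 7-day lookback; widen it for hosts that log rarely.
| where TimeGenerated > ago(7d)
// Cast to long so the values compare cleanly with the numbers in the dynamic literal.
| summarize SeenIds = make_set(tolong(EventID)), LastSeen = max(TimeGenerated) by Computer
// IDs that are expected but were never received from this computer in the window.
| extend MissingIds = set_difference(ExpectedIds, SeenIds)
| extend DistinctIds = array_length(SeenIds), MissingCount = array_length(MissingIds)
| where MissingCount > 0
| project Computer, DistinctIds, MissingCount, MissingIds, LastSeen
| order by MissingCount desc, Computer asc
```

A missing ID can also mean the event simply did not occur on that host during the window, so treat the result as a list of hosts to check rather than proof of a collection gap.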