Jan 18 2022 01:51 AM
Hey!
I hope you're all doing well!
I've been working with a monthly report with Sentinel and PowerBI - and I've been trying to get a "User EPS Count". This would be a KQL statement that looks at the last 30 days of events, and searches based on a user? For example User1 has an average of 6000 events linked to their account in a month, and User 2 has 3000 events etc.
Is this possible in KQL or do I have to do make a few searches and correlate based around that?
TIA
Jan 18 2022 03:57 AM
@CharlieK95 There was a very similar question regarding EPS a while ago (maybe in the last week) so you can find a good query there.
As far as mapping the users, you would need to have the MS Sentinel queries auditing feature enabled. Go to this page for more information: Audit Microsoft Sentinel queries and activities | Microsoft Docs
Feb 01 2022 01:47 AM
Feb 01 2022 02:24 AM - edited Feb 01 2022 02:25 AM
SolutionSomething like this?
SecurityEvent
| where TimeGenerated > ago( 1h)
| summarize EventCount=count() by TargetAccount
| extend EPSCount = EventCount/60/60
Not sure too many single user accounts would be generating so many events to actually get very high EPS, so that last line may be redundant, if you take it out you will just get a count per TargetAccount
Also with SecurityEvent logs in particular, depending on the EventId the TargetAccount field can be blank, maybe just double check you are getting everything you need
Jun 08 2022 04:08 AM
Can anybody tell me how can we create any dashboard for "events per second" tiles on dashboard ?
Jun 09 2022 01:00 AM
Feb 01 2022 02:24 AM - edited Feb 01 2022 02:25 AM
SolutionSomething like this?
SecurityEvent
| where TimeGenerated > ago( 1h)
| summarize EventCount=count() by TargetAccount
| extend EPSCount = EventCount/60/60
Not sure too many single user accounts would be generating so many events to actually get very high EPS, so that last line may be redundant, if you take it out you will just get a count per TargetAccount
Also with SecurityEvent logs in particular, depending on the EventId the TargetAccount field can be blank, maybe just double check you are getting everything you need