Azure Log Analytics: Azure Sentinel Queries

19/07/2019

I almost forgot about this set of tips, but I was asked again yesterday – so decided to post this.

Often when investigating Event logs or Security Event logs, you look at the EventID. These are two of the most common basic methods.

Event | summarize count() by EventID, RenderedDescription | sort by count_ desc

// or

Event
| where EventID == 4001

Sometimes you may need to look at a range of EventIDs – in that case the string operator IN is useful

SecurityEvent | where EventID in (4648, 4688, 8002)

What can be useful is turning the EventID into a string, that allows us to compare and filter – this example uses all EventIDs that start with “47”

SecurityEvent | where tostring(EventID) startswith "47" | summarize count() by EventID , Activity

Example:

Event Ids that start with 47

The final method is using RegEx to filter on EventIDs that start with “47” followed up 2 integers in the range 0-9 (you can of course adjust those ranges for extra filtering).

let myEventID = "47[0-9][0-9]"; SecurityEvent | where tostring(EventID) matches regex myEventID | summarize count() by EventID

Run the last query here

PublishedFeb 28

Updated Microsoft 365 security and compliance guidance for the UK public sector
PublishedJan 26

Driving AI transformation with the Microsoft commercial marketplace
PublishedJan 26

Optimising business operations through AI-powered solutions
PublishedJan 26

Safeguarding your business with AI-powered security solutions

Azure Log Analytics: Azure Sentinel Queries

Related posts

Explore Microsoft industry solutions

Related posts

Updated Microsoft 365 security and compliance guidance for the UK public sector

Driving AI transformation with the Microsoft commercial marketplace

Optimising business operations through AI-powered solutions

Safeguarding your business with AI-powered security solutions