Skip to content
Microsoft Industry Blogs - United Kingdom

I almost forgot about this set of tips, but I was asked again yesterday – so decided to post this.

Often when investigating Event logs or Security Event logs, you look at the EventID. These are two of the most common basic methods.


Event
| summarize count() by EventID, RenderedDescription
| sort by count_ desc

// or

Event
| where EventID == 4001

Sometimes you may need to look at a range of EventIDs – in that case the string operator IN is useful


SecurityEvent
| where EventID in (4648, 4688, 8002)

What can be useful is turning the EventID into a string, that allows us to compare and filter – this example uses all EventIDs that start with “47”


SecurityEvent
| where tostring(EventID) startswith "47"
| summarize count() by EventID , Activity

Example:

Event Ids that start with 47

The final method is using RegEx to filter on EventIDs that start with “47” followed up 2 integers in the range 0-9 (you can of course adjust those ranges for extra filtering).


let myEventID = "47[0-9][0-9]";
SecurityEvent
| where tostring(EventID) matches regex myEventID
| summarize count() by EventID

Run the last query here