KQL Search

Query Details

HomeAI ToolsDevice Query

Example Activity Counts Metrics

Query

let query_frequency = 15m;
let query_period = 30m;
let threshold = 5;
...
| as _Events
| join kind=leftsemi (
    _Events
    // query_period should be 2 * query_frequency
    | evaluate activity_counts_metrics(Type, TimeGenerated, ago(query_period), now(), query_frequency, ColumnToSummarizeBy1, ColumnToSummarizeBy2, ColumnToSummarizeBy3)
    | summarize
        arg_min(PreviousTimeGenerated = TimeGenerated, PreviousCount = ["count"]),
        arg_max(CurrentTimeGenerated = TimeGenerated, CurrentCount = ["count"])
        by ColumnToSummarizeBy1, ColumnToSummarizeBy2, ColumnToSummarizeBy3
    | where CurrentTimeGenerated > ago(query_period)
    | extend PreviousCount = iff(PreviousTimeGenerated == CurrentTimeGenerated, 0, PreviousCount)
    | where (not(PreviousCount > threshold) and CurrentCount > threshold)
        or ((CurrentCount - PreviousCount) > threshold)
    ) on ColumnToSummarizeBy1, ColumnToSummarizeBy2, ColumnToSummarizeBy3
...

Explanation

The query is joining two sets of data based on specific columns. It first evaluates the activity counts within a specified time period and frequency, and then summarizes the data by finding the minimum and maximum counts for each combination of columns. It filters the results to include only those where the current count is greater than a threshold value, or the difference between the current count and previous count is greater than the threshold. Finally, it joins this filtered data with the original dataset based on the specified columns.

Details

Jose Sebastián Canós profile picture

Jose Sebastián Canós

Released: March 22, 2023

Tables

_Events

Keywords

Devices,Intune,User

Operators

joinkind=leftsemievaluateactivity_counts_metricssummarizearg_minarg_maxbywhereextendnotoron

Actions