Query Details

EPS for M365 Advanced Tables

Query

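//Getting average EPS and estimated GB per table for the M365 Advanced tables. Run this in Advanced Hunting at security.microsoft.com

// Assumed average event size in bytes
let bytes_ = 500;
// Union every table; the source table name is recorded in the MDTables column
union withsource=MDTables *
| where Timestamp > startofday(ago(1d))
| summarize count() by bin(Timestamp, 1m), MDTables
// 60.0 forces real division so tables with fewer than 60 events per minute do not round down to 0 EPS
| extend EPS = count_ / 60.0
// avg(EPS) * bytes_ is bytes per second; dividing by 1024^3 expresses that rate in GB
| summarize avg(EPS), estimatedGBytes = (avg(EPS) * bytes_) / (1024*1024*1024) by MDTables
// Sort on the untruncated estimate so values below 1 keep their order
| sort by estimatedGBytes desc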

Explanation

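This query calculates the average EPS (events per second) and an estimated size in gigabytes for each of the M365 Advanced tables. It unions every table, recording the source table name in the MDTables column, and keeps events from the start of the previous day onward. It then counts events per table in one-minute bins and divides each count by 60 to get EPS. The size estimate multiplies the average EPS by an assumed 500 bytes per event and converts the result to gigabytes. The results are sorted in descending order by the estimated gigabytes.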

Details

Rod Trent

Released: December 6, 2021

Tables

MDTables

Keywords

Devices, Intune, User

Operators

union, withsource, where, summarize, count(), by, bin(), extend, avg(), estimatedGBytes, sort by, toint()
