Query Details

LA Query Users vs Automation Query Stats

Query

// Visualizes queries against your Log Analytics workspace, categorized by users and service principals
// Data connector required for this query: Log Analytics diagnostic settings enabled on your Sentinel workspace
let timeframe=45d;
LAQueryLogs
| where TimeGenerated > ago(timeframe)
| summarize Users=countif(isnotempty(AADEmail)), Playbooks=countif(isempty(AADEmail)) by bin(TimeGenerated, 1d)
| render columnchart with (kind=unstacked, ytitle="Queries Run", title="Queries Run - Users vs Playbooks")

Explanation

This query visualizes the queries run against your Log Analytics workspace, categorizing them as coming from users or from service principals. It requires a data connector, specifically Log Analytics diagnostic settings enabled on your Sentinel workspace, so that query audit events land in the LAQueryLogs table. The query looks at the LAQueryLogs records from the past 45 days and, for each day, counts queries where AADEmail is populated (interactive users) separately from queries where AADEmail is empty (service principals, such as playbooks and other automation). The results are rendered as an unstacked column chart comparing the daily counts of user-run and playbook-run queries.

Details

Matt Zorich

Released: June 17, 2022

Tables

LAQueryLogs

Keywords

Keywords: LAQueryLogs, TimeGenerated, ago, summarize, Users, countif, isnotempty, AADEmail, Playbooks, isempty, bin, render, columnchart, kind, unstacked, ytitle, title
