Query Details

Line Numbers Serialize

Query

let timeframe = 1d;
SecurityEvent
| where TimeGenerated >= ago(timeframe)
| where EventID in (4624, 4625)
| where AccountType == 'User'
| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), Amount = count() by LogonTypeName
| extend timestamp = StartTimeUtc
| serialize Num = row_number() // using the serialize operator to generate line numbers

Explanation

This query retrieves security events related to user logons within the past day. It keeps only events with the listed event IDs (4624 and 4625) whose account type is "User". It then summarizes, per logon type, the earliest and latest event time and the total event count. A timestamp column is added from the start time. Finally, because row_number() only works on an ordered (serialized) input, the query applies the serialize operator and assigns a sequential line number to each summarized row.
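The following variant is an added example, not part of the original query or its author's content. It assumes the same SecurityEvent schema used above (EventID, AccountType, LogonTypeName) and goes one step further than the original: it splits the count into successful and failed logons per logon type, orders the rows by failure volume, and then numbers them. It also shows that the sort operator already yields a serialized result, so row_number() can follow it directly; the explicit serialize operator is only required when the input is not already ordered.

```kql
// Added example (not from the original page): rank logon types by failed
// logon volume so that the line number also serves as a rank.
// Assumes the standard SecurityEvent columns EventID, AccountType and LogonTypeName.
let timeframe = 1d;
SecurityEvent
| where TimeGenerated >= ago(timeframe)
| where EventID in (4624, 4625)
| where AccountType == 'User'
| summarize StartTimeUtc = min(TimeGenerated),
            EndTimeUtc = max(TimeGenerated),
            Successes = countif(EventID == 4624),   // successful logons
            Failures = countif(EventID == 4625),    // failed logons
            Amount = count()
    by LogonTypeName
| extend FailureRatio = round(todouble(Failures) / Amount, 3)
// sort produces an ordered (serialized) result, so row_number() can be used
// right after it without a separate serialize operator.
| sort by Failures desc, Amount desc
| extend Num = row_number()
| project Num, LogonTypeName, Successes, Failures, FailureRatio, Amount, StartTimeUtc, EndTimeUtc
```

Running this in a workspace that ingests Windows security events lists the logon types with the most failures first; a high FailureRatio on a logon type that is normally quiet (for example, a network logon type that suddenly dominates the failures) is worth a closer look.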

Details

Rod Trent

Released: June 16, 2020

Tables

SecurityEvent

Keywords

Devices,Intune,User

Operators

where, in, ==, summarize, extend, serialize