KQL Search

Query Details

HomeAI ToolsDevice Query

MDE Usage Latest

Query

// The below query attempts to get the avg Size in MB per client that is send from Microosoft Defender for Endpoint to Azure Sentinel when using the M365 Defender connector
// The calculation is done as following:
// 1. Collect the Usage data for the specified table from the Usage table, for example 'DeviceFileEvents'
// 2. Collect the total # of devices that submitted information into the specified table, for example 'DeviceFileEvents"
// 3 Divide the total BillableDataGB per DataType by the total number of devices that send data to get the avg MB send by client
// 4 finally 'uniion' all tables

let xagotime = 32d;
let xstarttime = 31d;
// File Events
let xDeviceFileEvents  = Usage 
| where TimeGenerated > ago(xagotime)
| where Solution contains "SecurityInsights"
| where DataType == "DeviceFileEvents"
| where StartTime >= startofday(ago(xstarttime)) and EndTime < startofday(now())
| summarize BillableDataGB = sum(Quantity) / 1000. by bin(StartTime, 1d), DataType 
| join (DeviceFileEvents
| where TimeGenerated > ago(xagotime)
| summarize TotalDevices = dcount(DeviceId) by bin(TimeGenerated,1d))
 on $left.StartTime == $right.TimeGenerated 
  | extend AverageMBClient = BillableDataGB / TotalDevices * 1000;
// Process Events
let xDeviceProcessEvents = Usage 
| where TimeGenerated > ago(xagotime)
| where Solution contains "SecurityInsights"
| where DataType == "DeviceProcessEvents"
| where StartTime >= startofday(ago(xstarttime)) and EndTime < startofday(now())
| summarize BillableDataGB = sum(Quantity) / 1000. by bin(StartTime, 1d), DataType 
| join (DeviceProcessEvents
| where TimeGenerated > ago(xagotime)
| summarize TotalDevices = dcount(DeviceId) by bin(TimeGenerated,1d))
 on $left.StartTime == $right.TimeGenerated 
| extend AverageMBClient = BillableDataGB / TotalDevices * 1000;
// logon events
let xDeviceLogonEvents =  Usage 
| where TimeGenerated > ago(xagotime)
| where Solution contains "SecurityInsights"
| where DataType == "DeviceLogonEvents"
| where StartTime >= startofday(ago(xstarttime)) and EndTime < startofday(now())
| summarize BillableDataGB = sum(Quantity) / 1000. by bin(StartTime, 1d), DataType 
| join (DeviceLogonEvents
| where TimeGenerated > ago(xagotime)
| summarize TotalDevices = dcount(DeviceId) by bin(TimeGenerated,1d))
 on $left.StartTime == $right.TimeGenerated 
| extend AverageMBClient = BillableDataGB / TotalDevices * 1000;
 // Registry Events
let xDeviceRegistryEvents =  Usage 
| where TimeGenerated > ago(xagotime)
| where Solution contains "SecurityInsights"
| where DataType == "DeviceRegistryEvents"
| where StartTime >= startofday(ago(xstarttime)) and EndTime < startofday(now())
| summarize BillableDataGB = sum(Quantity) / 1000. by bin(StartTime, 1d), DataType 
| join (DeviceRegistryEvents
| where TimeGenerated > ago(xagotime)
| summarize TotalDevices = dcount(DeviceId) by bin(TimeGenerated,1d))
 on $left.StartTime == $right.TimeGenerated 
| extend AverageMBClient = BillableDataGB / TotalDevices * 1000;
  // Network Events
 let xDeviceNetworkEvents =   Usage 
| where TimeGenerated > ago(xagotime)
| where Solution contains "SecurityInsights"
| where DataType == "DeviceNetworkEvents"
| where StartTime >= startofday(ago(xstarttime)) and EndTime < startofday(now())
| summarize BillableDataGB = sum(Quantity) / 1000. by bin(StartTime, 1d), DataType 
| join (DeviceNetworkEvents
| where TimeGenerated > ago(xagotime)
| summarize TotalDevices = dcount(DeviceId) by bin(TimeGenerated,1d))
 on $left.StartTime == $right.TimeGenerated 
| extend AverageMBClient = BillableDataGB / TotalDevices * 1000;
// Device Network Info
let xDeviceNetworkInfo =  Usage 
| where TimeGenerated > ago(xagotime)
| where Solution contains "SecurityInsights"
| where DataType == "DeviceNetworkInfo"
| where StartTime >= startofday(ago(xstarttime)) and EndTime < startofday(now())
| summarize BillableDataGB = sum(Quantity) / 1000. by bin(StartTime, 1d), DataType 
| join (DeviceNetworkInfo
| where TimeGenerated > ago(xagotime)
| summarize TotalDevices = dcount(DeviceId) by bin(TimeGenerated,1d))
 on $left.StartTime == $right.TimeGenerated 
| extend AverageMBClient = BillableDataGB / TotalDevices * 1000;
// Device Info 
let xDeviceInfo =  Usage 
| where TimeGenerated > ago(xagotime)
| where Solution contains "SecurityInsights"
| where DataType == "DeviceInfo"
| where StartTime >= startofday(ago(xstarttime)) and EndTime < startofday(now())
| summarize BillableDataGB = sum(Quantity) / 1000. by bin(StartTime, 1d), DataType 
| join (DeviceInfo
| where TimeGenerated > ago(xagotime)
| summarize TotalDevices = dcount(DeviceId) by bin(TimeGenerated,1d))
 on $left.StartTime == $right.TimeGenerated 
| extend AverageMBClient = BillableDataGB / TotalDevices * 1000;
// Image load events
let xDeviceImageLoadEvents =  Usage 
| where TimeGenerated > ago(xagotime)
| where Solution contains "SecurityInsights"
| where DataType == "DeviceImageLoadEvents"
| where StartTime >= startofday(ago(xstarttime)) and EndTime < startofday(now())
| summarize BillableDataGB = sum(Quantity) / 1000. by bin(StartTime, 1d), DataType 
| join (DeviceImageLoadEvents
| where TimeGenerated > ago(xagotime)
| summarize TotalDevices = dcount(DeviceId) by bin(TimeGenerated,1d))
 on $left.StartTime == $right.TimeGenerated 
| extend AverageMBClient = BillableDataGB / TotalDevices * 1000;
// Device Events
let xDeviceevents =  Usage 
| where TimeGenerated > ago(xagotime)
| where Solution contains "SecurityInsights"
| where DataType == "DeviceEvents"
| where StartTime >= startofday(ago(xstarttime)) and EndTime < startofday(now())
| summarize BillableDataGB = sum(Quantity) / 1000. by bin(StartTime, 1d), DataType 
| join (DeviceEvents
| where TimeGenerated > ago(xagotime)
| summarize TotalDevices = dcount(DeviceId) by bin(TimeGenerated,1d))
 on $left.StartTime == $right.TimeGenerated 
| extend AverageMBClient = BillableDataGB / TotalDevices * 1000;
// File Cert Info
let xDeviceCertInfo =  Usage 
| where TimeGenerated > ago(xagotime)
| where Solution contains "SecurityInsights"
| where DataType == "DeviceFileCertificateInfo"
| where StartTime >= startofday(ago(xstarttime)) and EndTime < startofday(now())
| summarize BillableDataGB = sum(Quantity) / 1000. by bin(StartTime, 1d), DataType 
| join (DeviceFileCertificateInfo
| where TimeGenerated > ago(xagotime)
| summarize TotalDevices = dcount(DeviceId) by bin(TimeGenerated,1d))
 on $left.StartTime == $right.TimeGenerated 
| extend AverageMBClient = BillableDataGB / TotalDevices * 1000;
// bring all together
union xDeviceCertInfo, xDeviceevents, xDeviceImageLoadEvents, xDeviceInfo, xDeviceLogonEvents, xDeviceNetworkEvents, xDeviceNetworkInfo, xDeviceProcessEvents, xDeviceRegistryEvents, xDeviceFileEvents
// calculate avg per device per data type per day
| summarize AvgMBClient = sum(AverageMBClient) by bin(TimeGenerated,1d) , DataType
| render columnchart

Explanation

This KQL query is designed to calculate the average data size in megabytes (MB) sent per client to Azure Sentinel from Microsoft Defender for Endpoint using the M365 Defender connector. Here's a simplified breakdown of what the query does:

  1. Data Collection: The query collects usage data from various tables (like DeviceFileEvents, DeviceProcessEvents, etc.) within a specified time range (32 days ago to 31 days ago).

  2. Data Processing:

    • For each data type (e.g., DeviceFileEvents, DeviceProcessEvents), it calculates the total billable data in gigabytes (GB) per day.
    • It also counts the total number of unique devices that submitted data for each data type per day.

  3. Average Calculation:

    • It calculates the average data size in MB sent per client by dividing the total billable data by the number of devices and converting it to MB.

  4. Combining Results:

    • The results from all data types are combined using the union operator.

  5. Final Aggregation:

    • It summarizes the average MB sent per client per data type per day.

  6. Visualization:

    • The final result is rendered as a column chart to visualize the average data size sent per client for each data type over time.

Overall, this query provides insights into the data volume being sent by each client for different types of events, helping to understand data usage patterns and potentially optimize data handling and costs.

Details

Alex Verboon profile picture

Alex Verboon

Released: February 5, 2025

Tables

UsageDeviceFileEventsDeviceProcessEventsDeviceLogonEventsDeviceRegistryEventsDeviceNetworkEventsDeviceNetworkInfoDeviceInfoDeviceImageLoadEventsDeviceEventsDeviceFileCertificateInfo

Keywords

DevicesSecurityInsightsUsageDataTypeDeviceIdTimeGeneratedStartTimeEndTimeQuantityBillableDataGBTotalDevicesAverageMBClientDeviceFileEventsDeviceProcessEventsDeviceLogonEventsDeviceRegistryEventsDeviceNetworkEventsDeviceNetworkInfoDeviceInfoDeviceImageLoadEventsDeviceEventsDeviceFileCertificateInfo

Operators

letwherecontainsagostartofdaynowsummarizesumbinbyjoinonextenddcountunionrender

Actions