Query Details

Sysmon Events Storage Size

Query

// Sysmon events grouped by EventID, with estimated storage size in bytes

Event
| where Source == "Microsoft-Windows-Sysmon"
| summarize count() by EventID
| extend size_in_bytes = count_ * 500
| order by size_in_bytes desc

Explanation

This query counts Sysmon events in the Event table and groups the counts by EventID. It then estimates the storage consumed by each EventID by multiplying the event count by an assumed average of 500 bytes per event (a rough estimate, not the measured record size). Finally, it orders the EventIDs by estimated size in descending order, so the event types that consume the most storage appear first.
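To check the 500-byte assumption against what the workspace actually ingests, the following added query (not part of the original page) reports the measured size beside the estimate. It assumes the standard Log Analytics _BilledSize column is populated for the Event table.

```kql
// Added example: measured vs. estimated Sysmon storage per EventID.
// Assumption: _BilledSize (standard Log Analytics per-record size column) is available on Event.
Event
| where Source == "Microsoft-Windows-Sysmon"
| summarize EventCount = count(), ActualBytes = sum(_BilledSize) by EventID
| extend EstimatedBytes = EventCount * 500
| extend AvgBytesPerEvent = ActualBytes / EventCount
| order by ActualBytes desc
```

A large gap between AvgBytesPerEvent and 500 for a given EventID (for example, verbose process-creation events) shows where the flat estimate under- or over-states the cost of that event type.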

Details


Rod Trent

Released: January 7, 2021

Tables

Event

Keywords

Sysmon,Events,Storage,Size,Bytes

Operators

where, ==, summarize, count(), by, extend, order by, desc
