Query Details
# Summary Rules - Unique Actions

## Query Information

#### Description
This summary rule saves all unique actions and how often they appear in your environment to the custom table of your choice. This allows for easy retrieval of statistics and trends on how many unique actions are found in the environment each day.

**Recommended Schedule:** 24 hours.

**Recommended Delay:** 60 minutes.

#### References
- https://learn.microsoft.com/en-us/azure/sentinel/summary-rules

## Sentinel
```KQL
// Start of the previous day; stamped on every output row as RetrievalDate
let StartDate = startofday(ago(1d));
let EndDate = startofday(now());
union *
// Take the first non-empty action-like column, whichever one the source table provides
| extend Action = coalesce(Operation, OperationName, OperationNameValue, ActionType)
| where isnotempty(Action)
// One row per source table and action, with its event count
| summarize TotalEvents = count() by Type, Action
| extend RetrievalDate = StartDate
| sort by Type
```
This query is designed to collect and save all unique actions that occur in your environment, along with how frequently they happen, into a custom table. This helps in easily tracking statistics and trends of unique actions on a daily basis.
Operation, OperationName, OperationNameValue, ActionType).

RetrievalDate) indicating when the data was collected.

This setup helps in maintaining a daily log of unique actions and their frequencies, which can be useful for monitoring and analyzing trends over time.
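The following is an added example, not part of the original query page: it shows one way to read the summarized rows back and flag actions that appear for the first time or whose daily count jumps. The `SummarySample` datatable is constructed data standing in for your custom destination table, and the 3x spike threshold and `ReportDay` value are assumptions to tune.

```kql
// Constructed sample rows in the shape the summary rule emits
// (RetrievalDate, Type, Action, TotalEvents); not real data.
let SummarySample = datatable(RetrievalDate:datetime, Type:string, Action:string, TotalEvents:long)
[
    datetime(2024-09-01), "AuditLogs", "Add user", 12,
    datetime(2024-09-02), "AuditLogs", "Add user", 15,
    datetime(2024-09-03), "AuditLogs", "Add user", 11,
    datetime(2024-09-03), "AuditLogs", "Add service principal credentials", 2,
    datetime(2024-09-01), "OfficeActivity", "FileDownloaded", 400,
    datetime(2024-09-02), "OfficeActivity", "FileDownloaded", 420,
    datetime(2024-09-03), "OfficeActivity", "FileDownloaded", 2600
];
// Day under review (assumption: fixed here so the sample is reproducible)
let ReportDay = datetime(2024-09-03);
// Multiplier over the prior daily average that counts as a spike (assumption)
let SpikeFactor = 3.0;
SummarySample
| summarize
    FirstSeen = min(RetrievalDate),
    TodayEvents = sumif(TotalEvents, RetrievalDate == ReportDay),
    BaselineAvg = avgif(TotalEvents, RetrievalDate < ReportDay)
    by Type, Action
// Only actions that actually occurred on the day under review
| where TodayEvents > 0
| extend Finding = case(
    FirstSeen == ReportDay, "New action",
    TodayEvents > SpikeFactor * BaselineAvg, "Volume spike",
    "Normal")
| where Finding != "Normal"
| project Day = ReportDay, Type, Action, TodayEvents, BaselineAvg, Finding
| sort by Finding asc, TodayEvents desc
```

To run this against real data, replace `SummarySample` with the name of the custom table the summary rule writes to and set `ReportDay` to `startofday(ago(1d))`.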

Bert-Jan Pals
Released: September 3, 2024