Query Details

Visualization Most Interactive Sign Ins By User

Query

# Top 100 users that have the most interactive sign ins

## Query Information

#### Description
Visualize the top 100 users that have performed the most interactive sign ins.

### Defender For Endpoint

```
IdentityLogonEvents
| where LogonType == 'Interactive'
| where isempty(FailureReason)
| distinct AccountUpn, DeviceName
| summarize TotalUniqueInteractiveSignIns = count() by AccountUpn
| top 100 by TotalUniqueInteractiveSignIns
| render columnchart with (title="Top 100 users that have the most interactive sign ins")
```

### Sentinel

```
IdentityLogonEvents
| where LogonType == 'Interactive'
| where isempty(FailureReason)
| distinct AccountUpn, DeviceName
| summarize TotalUniqueInteractiveSignIns = count() by AccountUpn
| top 100 by TotalUniqueInteractiveSignIns
| render columnchart with (title="Top 100 users that have the most interactive sign ins")
```



Explanation

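This query returns the 100 users with the most successful interactive sign-ins, measured per device. It keeps only logon events whose LogonType is Interactive and whose FailureReason is empty, so failed attempts are excluded. The distinct step then reduces those events to unique AccountUpn and DeviceName pairs, so TotalUniqueInteractiveSignIns is the number of different devices each user signed in to interactively, not the raw number of sign-in events. The top 100 users by that count are rendered as a column chart.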
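The difference between event volume and device spread is easier to see side by side. The following is an added example, not part of the original query: it runs the same filters over a constructed `datatable` (the rows, UPNs, device names, `OtherLogonType` and `ConstructedFailure` are all made-up sample values) and reports both the raw event count and the per-device count for each user.

```kql
// Constructed sample rows standing in for IdentityLogonEvents (not real data).
let SampleLogons = datatable(Timestamp:datetime, AccountUpn:string, DeviceName:string, LogonType:string, FailureReason:string)
[
    // alice: many sign-ins, always on the same workstation
    datetime(2023-02-14 08:00:00), "alice@example.com", "ws-01", "Interactive", "",
    datetime(2023-02-14 09:10:00), "alice@example.com", "ws-01", "Interactive", "",
    datetime(2023-02-14 12:30:00), "alice@example.com", "ws-01", "Interactive", "",
    datetime(2023-02-14 15:45:00), "alice@example.com", "ws-01", "Interactive", "",
    // bob: fewer sign-ins, but spread over several devices
    datetime(2023-02-14 08:05:00), "bob@example.com",   "ws-02", "Interactive", "",
    datetime(2023-02-14 10:20:00), "bob@example.com",   "srv-01", "Interactive", "",
    datetime(2023-02-14 11:40:00), "bob@example.com",   "srv-02", "Interactive", "",
    // failed attempt: dropped by the isempty(FailureReason) filter
    datetime(2023-02-14 11:55:00), "bob@example.com",   "srv-03", "Interactive", "ConstructedFailure",
    // other logon type: dropped by the LogonType filter
    datetime(2023-02-14 13:00:00), "carol@example.com", "ws-03", "OtherLogonType", ""
];
SampleLogons
| where LogonType == 'Interactive'
| where isempty(FailureReason)
| summarize
    // Raw number of successful interactive logon events
    TotalInteractiveSignIns = count(),
    // Same value the original query produces with distinct + count()
    TotalUniqueInteractiveSignIns = dcount(DeviceName)
    by AccountUpn
| extend SignInsPerDevice = round(todouble(TotalInteractiveSignIns) / TotalUniqueInteractiveSignIns, 1)
| top 100 by TotalUniqueInteractiveSignIns
```

`dcount()` is an estimate at high cardinality, so keep the original `distinct` followed by `count()` when exact per-device numbers matter.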

Details

Bert-Jan Pals

Released: February 14, 2023

Tables

IdentityLogonEvents

Keywords

IdentityLogonEvents,LogonType,FailureReason,AccountUpn,DeviceName,TotalUniqueInteractiveSignIns,render,columnchart,title

Operators

where,isempty,distinct,summarize,top,render
