Query Details

Top 100 users that have the most interactive sign ins

Visualization Most Interactive Sign Ins By User

Query

IdentityLogonEvents
| where LogonType == 'Interactive'
| where isempty(FailureReason)
| distinct AccountUpn, DeviceName
| summarize TotalUniqueInteractiveSignIns = count() by AccountUpn
| top 100 by TotalUniqueInteractiveSignIns
| render columnchart with (title="Top 100 users that have the most interactive sign ins")

About this query

Top 100 users that have the most interactive sign ins

Query Information

Description

Visualize the top 100 users that have performed the most interactive sign ins.

Defender XDR

Sentinel

IdentityLogonEvents
| where LogonType == 'Interactive'
| where isempty(FailureReason)
| distinct AccountUpn, DeviceName
| summarize TotalUniqueInteractiveSignIns = count() by AccountUpn
| top 100 by TotalUniqueInteractiveSignIns
| render columnchart with (title="Top 100 users that have the most interactive sign ins")

Explanation

This query is designed to identify and visualize the top 100 users who have successfully logged in interactively the most times. Here's a simple breakdown of what the query does:

  1. Data Source: The query pulls data from a table called IdentityLogonEvents.

  2. Filter for Interactive Logins: It filters the data to only include logon events where the LogonType is 'Interactive'. This means it focuses on logins where a user physically interacts with the device, like logging in at a computer terminal.

  3. Exclude Failed Logins: It further filters out any logon events that have a FailureReason, ensuring only successful logins are considered.

  4. Identify Unique Logins: It identifies unique combinations of user accounts (AccountUpn) and devices (DeviceName) to ensure each login event is counted only once per user-device pair.

  5. Count Logins per User: It counts the number of unique interactive logins for each user (AccountUpn).

  6. Top 100 Users: It selects the top 100 users based on the number of unique interactive logins.

  7. Visual Representation: Finally, it creates a column chart to visually represent these top 100 users, with the chart titled "Top 100 users that have the most interactive sign ins".

This query is useful for understanding which users are most actively logging into systems interactively, which can be important for security monitoring and user behavior analysis.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: December 1, 2024

Tables

IdentityLogonEvents

Keywords

IdentityLogonEventsAccountUpnDeviceName

Operators

whereisemptydistinctsummarizecounttoprender

Actions

GitHub