Top 100 users that have the most interactive sign ins
Visualization Most Interactive Sign Ins By User
Query
IdentityLogonEvents
| where LogonType == 'Interactive'
| where isempty(FailureReason)
| distinct AccountUpn, DeviceName
| summarize TotalUniqueInteractiveSignIns = count() by AccountUpn
| top 100 by TotalUniqueInteractiveSignIns
| render columnchart with (title="Top 100 users that have the most interactive sign ins")About this query
Top 100 users that have the most interactive sign ins
Query Information
Description
Visualize the top 100 users that have performed the most interactive sign ins.
Defender XDR
Sentinel
IdentityLogonEvents
| where LogonType == 'Interactive'
| where isempty(FailureReason)
| distinct AccountUpn, DeviceName
| summarize TotalUniqueInteractiveSignIns = count() by AccountUpn
| top 100 by TotalUniqueInteractiveSignIns
| render columnchart with (title="Top 100 users that have the most interactive sign ins")
Explanation
This query is designed to identify and visualize the top 100 users who have successfully logged in interactively the most times. Here's a simple breakdown of what the query does:
-
Data Source: The query pulls data from a table called
IdentityLogonEvents. -
Filter for Interactive Logins: It filters the data to only include logon events where the
LogonTypeis 'Interactive'. This means it focuses on logins where a user physically interacts with the device, like logging in at a computer terminal. -
Exclude Failed Logins: It further filters out any logon events that have a
FailureReason, ensuring only successful logins are considered. -
Identify Unique Logins: It identifies unique combinations of user accounts (
AccountUpn) and devices (DeviceName) to ensure each login event is counted only once per user-device pair. -
Count Logins per User: It counts the number of unique interactive logins for each user (
AccountUpn). -
Top 100 Users: It selects the top 100 users based on the number of unique interactive logins.
-
Visual Representation: Finally, it creates a column chart to visually represent these top 100 users, with the chart titled "Top 100 users that have the most interactive sign ins".
This query is useful for understanding which users are most actively logging into systems interactively, which can be important for security monitoring and user behavior analysis.
Details

Bert-Jan Pals
Released: December 1, 2024
Tables
Keywords
Operators