# Summarize and Render

## Summarize Operator

The `summarize` operator aggregates rows in security logs. It groups the rows that share the same values in the specified columns and computes an aggregate (for example a count or an average) for each group. This is how analysts condense raw events into patterns, trends, and anomalies that can be turned into actionable insights.

The summarize operator is often combined with filter, sort, or visualization functions to provide meaningful insight into security events, alerts, telemetry data, and more.
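The page's examples each use a single `count()`. The following query, an added example that is not from the original page, shows how a single `summarize` can compute several aggregates at once over the same `SecurityEvent` table. The failed-logon EventID 4625, the `IpAddress` column, and the threshold of 20 are assumptions; adjust them to your environment.

```kusto
// Added example (not from the original page): several aggregates in one summarize.
// Groups failed logons (EventID 4625, assumed) by account and 1-hour time bin,
// so a burst of failures against one account shows up as a single row.
SecurityEvent
| where TimeGenerated > ago(1d)
| where EventID == 4625
| summarize
    FailedLogons = count(),                 // rows in the group
    DistinctSources = dcount(IpAddress),    // how many source addresses (column assumed)
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated),
    Computers = make_set(Computer, 10)      // up to 10 distinct target hosts
    by Account, bin(TimeGenerated, 1h)
| where FailedLogons >= 20                  // constructed threshold; tune per environment
| order by FailedLogons desc
```

Every column named before `by` is an aggregate; every column after `by` is a grouping key. Filtering on `FailedLogons` after the `summarize` works because the aggregate is now an ordinary column in the result set.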

### **Examples**

#### Using Summarize To Output the Count of EventID

The query below counts the number of security events by their respective EventIDs.

```kusto
SecurityEvent
| summarize EventCount = count() by EventID
```

<figure><img src="https://537410186-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FH9oYbVb7VAsDxBfUpLeo%2Fuploads%2FHJxwvnODpgjL9ZLLuj7r%2Fimage.png?alt=media&#x26;token=a2b3df7b-5f73-4c75-9e7f-7160febe8e4a" alt=""><figcaption></figcaption></figure>

#### Using Summarize To Output the Count of Different Activities

The query below calculates the count of different security activities and groups them by their activity type.

```kusto
SecurityEvent
| summarize count() by Activity
```

<figure><img src="https://537410186-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FH9oYbVb7VAsDxBfUpLeo%2Fuploads%2FGLBYywo5y2ajnIiULbzL%2F%7BEEA95EEB-9D23-461E-82F6-DAEBD2C57156%7D.png?alt=media&#x26;token=cebf7788-2184-4f52-b044-376a44b8a32d" alt=""><figcaption></figcaption></figure>

#### Using Summarize To Output the Count of Different Columns

This query searches the SecurityEvent table for the past three days for events with ID 4648 ("A logon was attempted using explicit credentials") and returns the count grouped by Process, Computer, and AccountType.

```kusto
SecurityEvent
| where TimeGenerated > ago(3d)    // KQL timespan literal: 3d, not 3days
| where EventID == 4648
| summarize count() by Process, Computer, AccountType
```

<figure><img src="https://537410186-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FH9oYbVb7VAsDxBfUpLeo%2Fuploads%2FxqDi0sXHC50bx2L6a58L%2F%7BFAC0B3E4-ED81-4803-9924-2E89453D2216%7D.png?alt=media&#x26;token=271c5201-6369-4e2a-863a-7c6967fb1ac0" alt=""><figcaption></figcaption></figure>

## Render Operator

The `render` operator visualizes query results. It doesn't change the result set itself; it adds a visual representation of that result to the query output.

A few important things to keep in mind about the render operator are:

* It must be the last operator in your KQL query.
* The query results should be in a single tabular data stream format.
* It supports various chart types, including:
  * Bar chart
  * Column chart
  * Pie chart
  * Area chart
  * Scatter chart
  * Time chart
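The page's examples render a single series. The query below, an added example that is not from the original page, produces a time chart with one series per logon outcome: events are bucketed into 15-minute bins with `bin()`, and the string column `Outcome` becomes the series. The EventIDs 4624 (successful logon) and 4625 (failed logon) are assumptions about the data; the chart title and axis label are set with the `with (...)` property syntax.

```kusto
// Added example (not from the original page): time chart with one series per outcome.
// render must remain the last operator in the query.
SecurityEvent
| where TimeGenerated > ago(7d)
| where EventID in (4624, 4625)                         // assumed: success / failure logon IDs
| extend Outcome = iff(EventID == 4624, "Success", "Failure")
| summarize Events = count() by Outcome, bin(TimeGenerated, 15m)
| render timechart with (title="Logon outcomes per 15 minutes", ytitle="Events")
```

Because the grouping key is a string, the chart draws a separate line for each distinct value; the `bin()` column supplies the x-axis and the aggregate supplies the y-axis.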

### **Examples**

#### Using Render To Return a Query Result in a Pie Chart

The query uses the summarize operator to count the security events per computer in the **SecurityEvent** table and the render operator to visualize the result as a pie chart.

```kusto
SecurityEvent
| summarize count() by Computer
| render piechart
```

<figure><img src="https://537410186-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FH9oYbVb7VAsDxBfUpLeo%2Fuploads%2FQy10gB5twZ4aeNf20ntd%2F%7BAAAA3143-5E18-4816-8239-43D69DF29600%7D.png?alt=media&#x26;token=fc308723-01cc-41eb-98d4-fddb7222942d" alt=""><figcaption></figcaption></figure>

#### Using Render To Return a Query Result in a Bar Chart

This query visualizes the average disk read bytes per second, aggregated into 1-hour bins, as a bar chart.

```kusto
Perf
| where CounterName == "Disk Read Bytes/sec"
| summarize AvgValue = avg(CounterValue) by bin(TimeGenerated, 1h)
| render barchart
```

<figure><img src="https://537410186-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FH9oYbVb7VAsDxBfUpLeo%2Fuploads%2F82ECFuN4XTuU66ggeM3D%2F%7BF667DB68-36DD-4A56-9390-1F14F060C626%7D.png?alt=media&#x26;token=829130e6-2d75-46ce-8443-aba2f4762a23" alt=""><figcaption></figcaption></figure>
