Summarize and Render

Summarize Operator

The summarize operator aggregates rows. It groups the rows of its input by the values of the columns named after the by keyword and computes one or more aggregation functions (such as count(), sum(), avg(), min(), max() or dcount()) over each group, returning one row per group. For security analysts this is the basic tool for turning a raw event stream into the counts, trends and outliers that can be triaged or turned into detections.

The summarize operator is usually combined with where (to filter before aggregating), sort or top (to rank the groups) and render (to visualize the result) to provide meaningful insight into security events, alerts, telemetry data, and more.

Examples

Using Summarize To Output the Count of EventID

The query below counts the number of security events by their respective EventIDs.

SecurityEvent
| summarize EventCount = count() by EventID

Using Summarize To Output the Count of Different Activities

The query below counts security events per Activity value. Because the aggregate is not given a name, the result column is called count_; give it an alias (as in the previous example) if later operators or a chart need a readable column name.

SecurityEvent
| summarize count() by Activity

Using Summarize To Output the Count of Different Columns

This query searches the SecurityEvent table for the past three days for events with ID 4648, "A logon was attempted using explicit credentials" (the timespan literal for three days is 3d). It returns the count of those events grouped by Process, Computer, and AccountType.

SecurityEvent
| where TimeGenerated > ago(3d)
| where EventID == 4648
| summarize count() by Process, Computer, AccountType
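As an added example that is not part of the original page, the following query combines summarize with where, extend and sort to surface possible brute-force or password-spray activity. It assumes the standard SecurityEvent schema (EventID 4625 is the Windows "An account failed to log on" event, with the source address in IpAddress and the target account in TargetUserName); the thresholds of 20 failures or 5 distinct accounts are illustrative and should be tuned to your environment.

```kql
// Added example, not from the original page: failed logons (EventID 4625)
// in the last 24 hours, aggregated per source IP and target computer.
// The thresholds (20 failures, 5 distinct accounts) are illustrative assumptions.
SecurityEvent
| where TimeGenerated > ago(1d)
| where EventID == 4625
| summarize
    FailedLogons = count(),                        // total failures from this source
    DistinctAccounts = dcount(TargetUserName),     // spray indicator: many accounts tried
    Accounts = make_set(TargetUserName, 10),       // up to 10 of the accounts, for triage
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated)
    by IpAddress, Computer
// keep only groups that look abnormal: many failures or many accounts
| where FailedLogons > 20 or DistinctAccounts > 5
// how long the activity lasted; a high count in a short window suggests automation
| extend DurationMinutes = datetime_diff('minute', LastSeen, FirstSeen)
| sort by FailedLogons desc
| project IpAddress, Computer, FailedLogons, DistinctAccounts, Accounts, FirstSeen, LastSeen, DurationMinutes
```

The where after summarize filters on the aggregated values, not on individual events; filters that belong on raw events (the time window and EventID) go before summarize so the aggregation runs over as little data as possible.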

Render Operator

The render operator is used to visualize query results. It doesn't change the rows the query returns; it attaches a visualization instruction that the query client (for example the Log Analytics or Microsoft Sentinel query editor) uses to draw the result as a chart instead of a table.

A few important things to keep in mind about the render operator are:

  • It should be the last operator in your KQL query, since it is a rendering instruction rather than a data transformation.

  • It works only on queries that produce a single tabular result; a query that returns multiple result sets cannot be rendered.

  • Supports various chart types, including:

    • Bar chart

    • Column chart

    • Pie chart

    • Area chart

    • Scatter chart

    • Time chart (a line chart over time; the first column must be a datetime)

Examples

Using Render To Return a Query Result in a Pie Chart

The query uses the summarize operator to count the security events in the SecurityEvent table per Computer, and the render operator to visualize the result as a pie chart. Pie charts are only readable for a small number of groups; for a large fleet, limit the input with top before rendering.

SecurityEvent
| summarize count() by Computer
| render piechart

Using Render To Return a Query Result in a Bar Chart

This query averages Disk Read Bytes/sec from the Perf table in one-hour bins and visualizes the result as a bar chart. Because the x-axis is a datetime, the same query with render timechart gives a line chart that is usually easier to read for a trend.

Perf
| where CounterName == "Disk Read Bytes/sec"
| summarize AvgValue = avg(CounterValue) by bin(TimeGenerated, 1h)
| render barchart
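As an added example (not from the original page) of the time-series use of render, the query below plots hourly failed logons per computer over the past week. It assumes the standard SecurityEvent schema; the 7-day window and 1-hour bin are arbitrary choices. The second query builds the same series with make-series, which fills hours with no failures with 0 so the chart does not silently skip quiet periods.

```kql
// Added example: hourly failed logons (EventID 4625) per computer, past 7 days.
// summarize + bin() produces one row per (hour, Computer) that had at least
// one failure; hours with no failures produce no row at all, so the line
// simply jumps over them.
SecurityEvent
| where TimeGenerated > ago(7d)
| where EventID == 4625
| summarize FailedLogons = count() by bin(TimeGenerated, 1h), Computer
| render timechart

// Same series with make-series: every hour in the window is present and
// empty hours are filled with 0, so quiet periods show as zero rather than
// vanishing. render is still the last operator in the query.
SecurityEvent
| where TimeGenerated > ago(7d)
| where EventID == 4625
| make-series FailedLogons = count() default = 0 on TimeGenerated from ago(7d) to now() step 1h by Computer
| render timechart
```

The two queries are separated by a blank line so the query editor treats them as independent; run whichever one the cursor is in. With timechart the first column is the x-axis and must be a datetime, numeric columns become series, and a string column such as Computer splits the data into one line per value.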
