Saturday, May 17, 2025

Build+Break+Secure

Learn by building. Master by breaking. Secure by obsession.

Build+Break+Secure

Learn by building. Master by breaking. Secure by obsession.

Kusto Query LanguageMicrosoft Defender for EndpointMicrosoft SentinelSECURE

Visualize Top 100 Users That Have The Most Interactive Sign-ins

Wayne Andes 4 min read

Description

This KQL query visualizes the top 100 users that have performed the most interactive sign ins.

Query

Microsoft Defender For Endpoint
Kusto
IdentityLogonEvents
| where LogonType == 'Interactive'
| where isempty(FailureReason)
| distinct AccountUpn, DeviceName
| summarize TotalUniqueInteractiveSignIns = count() by AccountUpn
| top 100 by TotalUniqueInteractiveSignIns
| render columnchart with (title="Top 100 users that have the most interactive sign ins")

Microsoft Sentinel
Kusto
IdentityLogonEvents
| where LogonType == 'Interactive'
| where isempty(FailureReason)
| distinct AccountUpn, DeviceName
| summarize TotalUniqueInteractiveSignIns = count() by AccountUpn
| top 100 by TotalUniqueInteractiveSignIns
| render columnchart with (title="Top 100 users that have the most interactive sign ins")

You May Also Like

Detect Scattered Spider Defense Evasion via Conditional Access Policies

Wayne Andes

Hunt For Malicious HTTP Traffic

Wayne Andes

List User Account Added To Sudoers Group

Wayne Andes

Leave a Reply

Your email address will not be published. Required fields are marked *