I almost forgot about this set of tips, but I was asked again yesterday – so decided to post this.
Often when investigating Event logs or Security Event logs, you look at the EventID. These are two of the most common basic methods.
Event
| summarize count() by EventID, RenderedDescription
| sort by count_ desc
// or
Event
| where EventID == 4001
Sometimes you may need to look at a range of EventIDs – in that case the string operator IN is useful
SecurityEvent
| where EventID in (4648, 4688, 8002)
What can be useful is turning the EventID into a string, that allows us to compare and filter – this example uses all EventIDs that start with “47”
SecurityEvent
| where tostring(EventID) startswith "47"
| summarize count() by EventID , Activity
Example:
The final method is using RegEx to filter on EventIDs that start with “47” followed up 2 integers in the range 0-9 (you can of course adjust those ranges for extra filtering).
let myEventID = "47[0-9][0-9]";
SecurityEvent
| where tostring(EventID) matches regex myEventID
| summarize count() by EventID
Run the last query here