I almost forgot about this set of tips, but I was asked again yesterday – so decided to post this.

Often when investigating Event logs or Security Event logs, you look at the EventID. These are two of the most common basic methods.

| summarize count() by EventID, RenderedDescription
| sort by count_ desc

// or

| where EventID == 4001

Sometimes you may need to look at a range of EventIDs – in that case the string operator IN is useful

| where EventID in (4648, 4688, 8002)

What can be useful is turning the EventID into a string, that allows us to compare and filter – this example uses all EventIDs that start with “47”

| where tostring(EventID) startswith "47"
| summarize count() by EventID , Activity


Event Ids that start with 47

The final method is using RegEx to filter on EventIDs that start with “47” followed up 2 integers in the range 0-9 (you can of course adjust those ranges for extra filtering).

let myEventID = "47[0-9][0-9]";
| where tostring(EventID) matches regex myEventID
| summarize count() by EventID

Run the last query here