How to depict two line graphs on a timechart which represend two different time periods one on top of the other

Question

How to depict two line graphs on a timechart which represend two different time periods one on top of the other

Ev s 50

Hi all,

I am trying to create a timechart on a Sentinel workbook on which I will be representing the comparison of count per hour per application between 2 different days.

The main goal and the challenge here is, how to stack the counts for each application for the two different days on top of each other. Since the time period is different, naturally, the counts will be shifted to that axis which maps to that time.

I am thinking, how it would be that I take the results for the other day, and hack them so they seem as if they came on the same time period, and renaming the app count results so I can differentiate them.

Below is the initial code that will do the count per app, but not the stacking over the same timeperiod as I wish.

union isfuzzy = true
(
CommonSecurityLog
| where DeviceVendor == "myapp" and TimeGenerated >= startofday(now(),-2) and TimeGenerated <= endofday(now(),-2) 
// results from 2 days ago
| summarize count() by ApplicationProtocol, bin(TimeGenerated,1h)
| render timechart
)
,
(
CommonSecurityLog
| where DeviceVendor == "myapp" and TimeGenerated >= startofday(now(),-1) and TimeGenerated <= endofday(now(),-1) // results from previous day
| summarize count() by ApplicationProtocol, bin(TimeGenerated,1h)
| render timechart
)

Any help towards the right direction is appreciated.

Givary-MSFT 35,626 Reputation points Microsoft Employee Moderator

2024-08-26T06:33:23.8933333+00:00

@Ev s Please remember to "Accept Answer" if answer helped, so that others in the community facing similar issues can easily find the solution.

Accepted answer

0 additional answers

Your answer

Givary-MSFT 35,626 Reputation points Microsoft Employee Moderator

2024-08-26T06:33:23.8933333+00:00

@Ev s Please remember to "Accept Answer" if answer helped, so that others in the community facing similar issues can easily find the solution.

Answer 1

Clive Watson 7,866 MVP Volunteer Moderator

One approach is this

union isfuzzy = true
(
SigninLogs
| where TimeGenerated between ( startofday(now(),-2) .. endofday(now(),-2) ) // results from previous day -2
| summarize prev_2=count() by UserPrincipalName, bin(TimeGenerated,1h)
)
,
(
SigninLogs
| where TimeGenerated between ( startofday(now(),-1) .. endofday(now(),-1) ) // results from yesterday
| summarize prev_1=count() by UserPrincipalName, bin(TimeGenerated,1h)
)
| order by TimeGenerated asc 
// manipulate TimeGenerated, so that only one day is used
| extend TimeGenerated = iif (isnotempty(prev_2), TimeGenerated = TimeGenerated +1d, TimeGenerated)
| summarize by prev_1, prev_2, TimeGenerated
| render timechart

I used Signinlogs as an example

User's image

I think I prefer a columnchart, but a timechart works almost as well
User's image

Ev s 50

That worked like a charm ! Cheers Clive ! EDITED SECTION BEGINS

I correct myself. Although I can see the total counts, this way, I cannot see the breakdown by Application. Assuming that it might be the result of a naming clash, I tried to manipulate the name of each application and present the counts on the timechart. However, I was unsuccessful.

Below is my attempt. Any ideas?

union isfuzzy = true
(
CommonSecurityLog
| where DeviceVendor == "myapp" and  DeviceAction != "blocked" and TimeGenerated >= startofday(now(),-2) and TimeGenerated <= endofday(now(),-2) 
// results from 2 days ago
//| where SourceIntf has_any ( ) // To be filled by Boots
| summarize prev48hrs = count() by ApplicationProtocol, bin(TimeGenerated,1h)
| extend ApplicationProtocol = strcat(ApplicationProtocol,"prev_48hrs")
)
,
(
CommonSecurityLog
| where DeviceVendor == "myapp" and  DeviceAction != "blocked" and TimeGenerated >= startofday(now(),-1) and TimeGenerated <= endofday(now(),-1) 
// results from 2 days ago
| summarize prev24hrs = count() by ApplicationProtocol, bin(TimeGenerated,1h)
| extend ApplicationProtocol = strcat(ApplicationProtocol,"prev_24hrs")
)
| extend TimeGenerated = iif (isnotempty(prev48hrs), TimeGenerated = TimeGenerated +1d, TimeGenerated)
| summarize  sum(prev24hrs), sum(prev48hrs) by  ApplicationProtocol, TimeGenerated
| render timechart

Clive Watson 7,866 Reputation points MVP Volunteer Moderator

2024-09-09T08:28:56.18+00:00

Unfortunately my method doesn't work when you add in the application name, I will see if I can think of a workaround

Share via

How to depict two line graphs on a timechart which represend two different time periods one on top of the other

0 additional answers

Your answer