# Summarize (Kusto)

## Definition
The `summarize` operator in KQL (Kusto Query Language) aggregates data into groups and computes statistics across those groups. It takes a large set of rows and collapses them into a smaller, summarized result based on the grouping keys you define. If you've ever needed to answer "how many times did this happen, grouped by user or IP?" — that's a `summarize` query.

### Basic Syntax

```kql
TableName
| summarize AggregationFunction() by Column
```

### Common Aggregation Functions

| Function | What It Does |
|---|---|
| `count()` | Total number of rows in each group |
| `dcount(Column)` | Count of distinct values in a column |
| `sum(Column)` | Sum of numeric values |
| `avg(Column)` | Average of numeric values |
| `min(Column)` / `max(Column)` | Smallest or largest value in a group |
| `make_set(Column)` | Collects distinct values into a list |
| `make_list(Column)` | Collects all values (including duplicates) into a list |
| `countif(Condition)` | Counts rows matching a specific condition |
| `arg_max(Column, *)` | Returns the row where a column is at its maximum |
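Several of the functions in the table can be combined in one `summarize` call, each producing its own output column. The following is an added example, not part of the original glossary entry; it assumes the Microsoft Sentinel `SecurityEvent` table with its `IpAddress` column (Windows logon auditing, EventID 4624 = success, 4625 = failure) and builds a per-account, per-day view that flags accounts with many failures followed by at least one success.

```kql
// Added example (not from the glossary): one summarize, several aggregations.
// Assumes the SecurityEvent table with TargetUserName and IpAddress columns.
SecurityEvent
| where TimeGenerated > ago(7d)
| where EventID in (4624, 4625)
| summarize
    Failed    = countif(EventID == 4625),      // failed logons in the group
    Succeeded = countif(EventID == 4624),      // successful logons in the group
    SourceIPs = dcount(IpAddress),             // how many distinct source IPs
    IPList    = make_set(IpAddress, 10),       // up to 10 of those IPs, for triage
    arg_max(TimeGenerated, EventID, IpAddress) // the most recent event in the group
    by Account = TargetUserName, Day = bin(TimeGenerated, 1d)
// Many failures and at least one success on the same day is worth a look
| where Failed >= 10 and Succeeded > 0
| project Day, Account, Failed, Succeeded, SourceIPs, IPList,
          LastEventTime = TimeGenerated, LastEventID = EventID, LastEventIP = IpAddress
| sort by Failed desc
```

The `arg_max` call returns the `TimeGenerated`, `EventID` and `IpAddress` values of the latest row in each group, so they can be renamed in `project` alongside the counters; lower the `Failed` threshold to suit the logon volume in your environment.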
## Examples & Use Cases
**Count failed logons per account**

```kql
SecurityEvent
| where EventID == 4625
| summarize FailedAttempts = count() by TargetUserName
| sort by FailedAttempts desc
```

**Count distinct source IPs per user**

```kql
SigninLogs
| summarize UniqueIPs = dcount(IPAddress) by UserPrincipalName
| where UniqueIPs > 5
```

**List all processes run by a user**

```kql
DeviceProcessEvents
| where AccountName == "jsmith"
| summarize ProcessList = make_set(FileName) by AccountName
```

**Find accounts with logons from multiple countries**

```kql
SigninLogs
| summarize Countries = dcount(Location), LocationList = make_set(Location) by UserPrincipalName
| where Countries > 1
```

**Summarize by time bucket — activity per hour**

```kql
SecurityEvent
| where EventID == 4624
| summarize LogonCount = count() by bin(TimeGenerated, 1h), Computer
| sort by TimeGenerated desc
```

### Further Reading

- [Microsoft Docs — summarize operator](https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/summarizeoperator)
- [Microsoft Docs — Aggregation Functions](https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/aggregation-functions)