Agent Foskett Academy • Lesson 10 • Using top to Find High-Volume Activity

Using top to Find High-Volume Activity

One user appeared more than everyone else.
One IP address kept returning.
One sender dominated the results.

The top operator helps defenders quickly rank noisy telemetry and find the highest-volume activity worth investigating first.

In this lesson, you will learn how to use top in KQL to surface busy users, IP addresses, devices, senders and suspicious investigation leads.

Lesson overview

Learn how to use top to rank security telemetry and quickly identify the most active users, IPs, devices, senders and domains.

Ranking high-volume activity
Finding noisy investigation leads
Combining summarize and top
📊 The loudest value is not always malicious, but it is often worth checking.
top helps defenders quickly rank telemetry so the busiest accounts, IP addresses, devices and senders stand out.

Why top matters

Security telemetry can contain thousands of different users, devices, IP addresses, senders and domains.

During an investigation, you often need to know what appears the most.

The top operator returns the highest-ranking rows based on the column you choose, making it useful for quickly finding high-volume activity.
Rank the noise: Use top to bring the busiest values to the top of the results.
Find investigation leads: High-volume users, IPs, devices or domains can become useful pivots for deeper hunting.
Prioritise review: Instead of reading every row, start with the values generating the most activity.

The basic top pattern

top is used after you have a column that can be ranked, such as a count, timestamp, size or score.
top-signin-users.kql
SigninLogs
| where TimeGenerated > ago(24h)
| summarize SignInCount=count() by UserPrincipalName
| top 10 by SignInCount
Plain-English translation:

Count sign-ins by user over the last 24 hours, then show the 10 users with the highest sign-in volume.

Understanding top

top sorts results by the column you choose and returns only the number of rows you request.
top 10: Return only the highest 10 rows based on the ranking column. top ranks in descending order unless you add asc, so the largest values come first.
by SignInCount: Rank the results using the SignInCount column created by summarize.
Great after summarize: top is often most useful after you have counted or grouped activity.

Finding high-volume IP addresses

Repeated sign-ins from the same IP address may be normal infrastructure, a VPN, a proxy, or something more suspicious. top helps you quickly see which IP addresses appear the most.
top-signin-ip-addresses.kql
SigninLogs
| where TimeGenerated > ago(7d)
| summarize SignInCount=count() by IPAddress
| top 20 by SignInCount
High-volume IPs: Review whether the busiest IP addresses are expected business infrastructure.
Investigation pivot: Use suspicious IPs to search for affected users, devices and locations.
Do not assume: High volume is not automatically malicious, but it deserves context.

Finding top email senders

In email investigations, top can quickly show which senders or domains generated the most messages in a time period.
top-email-senders.kql
EmailEvents
| where Timestamp > ago(7d)
| summarize EmailCount=count() by SenderFromAddress
| top 15 by EmailCount
Plain-English translation:

Count email events by sender and show the 15 senders with the highest email volume.
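The lesson ranks individual sender addresses. The added example below (written for this page, not part of the Agent Foskett Academy lesson) ranks sender domains instead and carries along the context an analyst needs to judge whether the volume is expected: how many distinct addresses and recipients sit behind the domain, and how much of the traffic was flagged or blocked. It assumes the standard EmailEvents advanced hunting columns SenderFromDomain, RecipientEmailAddress, ThreatTypes and DeliveryAction.

```kql
// Added example, not from the lesson: rank sender domains rather than
// individual addresses and keep context alongside the count.
// Column names are the standard EmailEvents advanced hunting schema.
EmailEvents
| where Timestamp > ago(7d)
| summarize EmailCount=count(),
            DistinctSenders=dcount(SenderFromAddress),
            DistinctRecipients=dcount(RecipientEmailAddress),
            // ThreatTypes is populated when Defender tagged the message
            FlaggedByThreatType=countif(isnotempty(ThreatTypes)),
            Blocked=countif(DeliveryAction == "Blocked")
          by SenderFromDomain
| top 15 by EmailCount
// Share of the domain's mail that was flagged, rounded to one decimal place
| extend FlaggedPercent=round(100.0 * FlaggedByThreatType / EmailCount, 1)
| project SenderFromDomain, EmailCount, DistinctSenders, DistinctRecipients,
          FlaggedByThreatType, FlaggedPercent, Blocked
```

A domain with a high EmailCount, a single distinct sender and many distinct recipients looks very different from a partner domain with many senders writing to a few mailboxes, even though top places both near the top of the list. The FlaggedPercent column is what turns a volume ranking into a prioritised review list.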

Finding top devices by process activity

Endpoint investigations can produce large volumes of process telemetry. Ranking devices by process activity can help identify noisy endpoints, scripted activity or devices involved in unusual behaviour.
top-devices-by-process-events.kql
DeviceProcessEvents
| where Timestamp > ago(24h)
| summarize ProcessEvents=count() by DeviceName
| top 10 by ProcessEvents
Endpoint volume: Identify devices generating unusually high process event counts.
Drill deeper: After finding a device, pivot into FileName, command line and initiating process fields.
Context matters: Busy servers and management tools may be expected, but unknown spikes need review.
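The "drill deeper" step can be done in the same query as the ranking. The added example below (written for this page, not part of the lesson) uses a let statement to capture the three busiest devices, then ranks the processes running on them by execution count, with the number of distinct command lines and the parent processes as context. It assumes the standard DeviceProcessEvents columns FileName, ProcessCommandLine and InitiatingProcessFileName.

```kql
// Added example, not from the lesson: rank devices by process volume,
// then pivot into the busiest devices' process activity in one query.
// Column names are the standard DeviceProcessEvents advanced hunting schema.
let NoisiestDevices =
    DeviceProcessEvents
    | where Timestamp > ago(24h)
    | summarize ProcessEvents=count() by DeviceName
    | top 3 by ProcessEvents
    | project DeviceName;
DeviceProcessEvents
| where Timestamp > ago(24h)
// 'in' accepts a single-column tabular expression, so the let result filters here
| where DeviceName in (NoisiestDevices)
// Group by device and image so repetitive or scripted activity stands out
| summarize Executions=count(),
            DistinctCommandLines=dcount(ProcessCommandLine),
            SampleCommandLines=make_set(ProcessCommandLine, 3),
            Parents=make_set(InitiatingProcessFileName, 5)
          by DeviceName, FileName
| top 20 by Executions
```

A high Executions count with a very low DistinctCommandLines value usually means a loop, scheduled task or monitoring agent repeating the same command; the same count with many distinct command lines points at interactive use or a script generating varied commands. The Parents set shows whether the launches come from an expected management tool or from something like an Office application or a browser, which is where the next pivot usually starts.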

Using top with time windows

top becomes even more useful when combined with earlier lessons. You can group activity by time with bin(), count it with summarize, then rank the busiest windows.
top-failed-signin-windows.kql
SigninLogs
| where TimeGenerated > ago(24h)
| where ResultType != 0
| summarize FailedAttempts=count() by bin(TimeGenerated, 15m)
| top 10 by FailedAttempts
Plain-English translation:

Find the 10 busiest 15-minute windows for failed sign-in activity during the last 24 hours.
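Ranking whole time windows tells you when the noise happened but not where it came from. The added example below (written for this page, not part of the lesson) keeps the 15-minute bins but groups by source IP as well, and counts how many distinct accounts each IP failed against inside the window. The ResultType comparison is written against the string "0" because SigninLogs stores ResultType as a string column; the column names are the standard SigninLogs schema.

```kql
// Added example, not from the lesson: busiest 15-minute failed sign-in
// windows broken down by source IP, with the number of distinct accounts
// each IP failed against in that window.
SigninLogs
| where TimeGenerated > ago(24h)
// ResultType is a string column in SigninLogs; "0" means success
| where ResultType != "0"
| summarize FailedAttempts=count(),
            TargetedAccounts=dcount(UserPrincipalName),
            // a few of the error codes seen, to tell bad passwords from MFA or policy blocks
            SampleErrors=make_set(ResultType, 5)
          by Window=bin(TimeGenerated, 15m), IPAddress
| top 10 by FailedAttempts
| project Window, IPAddress, FailedAttempts, TargetedAccounts, SampleErrors
```

The TargetedAccounts column is what separates two very different pictures that a plain window ranking would merge: many failures against one account from one IP in a window, versus the same number of failures spread across many accounts. The first is worth checking with the account owner; the second is a pattern a defender should look at regardless of who the accounts are. Reviewing SampleErrors tells you whether the failures stopped at the password check or further along at MFA or conditional access.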

top vs order by

top and order by are related, but they are not used for exactly the same purpose.
Use top when asking: What are the highest-ranking results, and I only want a limited number of rows?
Use order by when asking: Sort all results so I can read them in a specific order.
Investigation tip: Use summarize first, then top to quickly identify the busiest values.

Beginner mistakes with top

top is simple, but it works best when the ranking column is meaningful.
Using top before counting: If you want high-volume users or IPs, create a count first with summarize.
Ranking the wrong column: Make sure top is ranking by the column that answers your investigation question.
Ignoring normal behaviour: The busiest result may be legitimate. Always compare with business context.
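The added example below (written for this page, not part of the lesson) ties together the "top vs order by" comparison and the "top before counting" mistake. Running top directly on SigninLogs by TimeGenerated returns the 10 most recent rows, which answers a different question from "which users signed in the most". Counting first fixes that. The second point the example shows is a difference between the two operators: top takes a single ranking expression, so when several users share the same count the order among them is not guaranteed; order by with several columns followed by take gives the same top 10 with a deterministic tiebreak.

```kql
// Added example, not from the lesson.
// Wrong question: SigninLogs | top 10 by TimeGenerated
//   returns the 10 newest rows, not the busiest users.
// Right question: count per user first, then rank by the count.
SigninLogs
| where TimeGenerated > ago(24h)
| summarize SignInCount=count(),
            DistinctIPs=dcount(IPAddress)
          by UserPrincipalName
// The simple form is: | top 10 by SignInCount
// order by + take returns the same rows but lets you break ties explicitly:
// more distinct IPs first, then alphabetical so the order is stable run to run.
| order by SignInCount desc, DistinctIPs desc, UserPrincipalName asc
| take 10
```

Use the top form when you only care about the ranking column. Reach for order by and take when the result feeds a report or a comparison between two runs and you need identical input to produce identical output, or when a second column (here DistinctIPs) should decide which of two equally busy accounts is reviewed first.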

Investigator mindset

High volume does not automatically mean compromise.

But it does tell you where to look first.

A noisy account, a repeated IP address, a dominant sender or a device producing unusual activity may reveal the next useful pivot in the investigation.
What is generating the most activity? Use top to quickly identify the busiest values in the dataset.
Is the volume expected? Compare the result with known systems, normal users and expected business patterns.
What should I investigate next? Use high-volume results as pivots for deeper KQL hunting.
The logs already knew what was making the most noise.
top helps defenders rank activity quickly and decide where the next investigation pivot should begin.

What you learned

In this lesson, you learned how top helps defenders rank Microsoft security telemetry and quickly find the highest-volume values in an investigation.
top ranks results: It returns the highest-ranking rows based on the column you choose.
summarize creates useful counts: Use summarize count() first when you want to rank users, IPs, devices, senders or domains by volume.
Volume creates pivots: The busiest values can become useful starting points for deeper investigation.

Next lesson coming soon

The next Agent Foskett Academy lesson will introduce joins, helping defenders connect evidence across multiple Microsoft security tables.
Lesson 11 — Connecting Tables with join: Learn how join helps defenders connect users, devices, sign-ins, emails and endpoint activity across multiple security tables.
Keep building the investigation: After ranking high-volume activity, the next step is learning how to connect related evidence across different tables.

Agent Foskett Academy Lesson 10 teaches defenders how to use top inside Microsoft Defender XDR and Microsoft Sentinel investigations to rank high-volume users, devices, IP addresses, sender domains and suspicious activity.