
Task 03: Aggregate and Visualize with bin()

Introduction

The bin() function rounds timestamps into regular time buckets—critical for trend analysis and time-based aggregation.

Description

You’ll aggregate log events into daily buckets and visualize activity trends.

Success criteria

  • Events are grouped by time intervals.
  • Query returns an aggregated result.
  • Output can be visualized as a time chart.

Key steps:

  1. In the Defender portal, go to Microsoft Sentinel > Data Lake Exploration > KQL Queries.
  2. Run the following query:

     AuditLogs
     | where TimeGenerated > ago(30d)
     | summarize Events = count() by bin(TimeGenerated, 1d), OperationName
     | render timechart

bin() improves performance and readability in both Sentinel and Data Lake queries.

Aggregating early reduces the volume of data scanned (and therefore billed), and any subsequent joins run on the summarized rows instead of on raw events.
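The following query is an added example, not part of the lab, showing the "aggregate early, then join on summaries" pattern with bin(). It uses a constructed datatable in place of AuditLogs (assumption: only the TimeGenerated and OperationName columns are needed) so it can be pasted into any KQL editor without live data; the spike threshold of 2x the per-operation daily average is an assumed value for illustration.

```kql
// Constructed sample rows standing in for AuditLogs (assumption: same column names as the real table)
let SampleAuditLogs = datatable(TimeGenerated:datetime, OperationName:string)
[
    datetime(2024-05-01T23:59:59Z), "Add user",     // rounds down into the 2024-05-01 bucket
    datetime(2024-05-02T00:00:00Z), "Add user",     // exactly on the boundary: 2024-05-02 bucket
    datetime(2024-05-02T12:30:00Z), "Delete user",
    datetime(2024-05-03T08:00:00Z), "Add user",     // four events on 05-03 form a spike
    datetime(2024-05-03T08:05:00Z), "Add user",
    datetime(2024-05-03T08:07:00Z), "Add user",
    datetime(2024-05-03T08:09:00Z), "Add user",
];
// Step 1: aggregate early into daily buckets, exactly as the lab query does
let Daily = SampleAuditLogs
    | summarize Events = count() by Day = bin(TimeGenerated, 1d), OperationName;
// Step 2: a per-operation baseline computed from the summary rows, not the raw events
let Baseline = Daily
    | summarize AvgPerDay = avg(Events) by OperationName;
// Step 3: join summary to summary and flag days at or above 2x the operation's daily average
Daily
| join kind=inner Baseline on OperationName
| extend Ratio = todouble(Events) / AvgPerDay
| where Ratio >= 2.0
| project Day, OperationName, Events, AvgPerDay, Ratio
| order by Day asc
```

With the sample rows above, "Add user" has daily counts of 1, 1 and 4 (average 2), so only 2024-05-03 is returned; "Delete user" never exceeds its own average and is filtered out.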