This repository was archived by the owner on Nov 16, 2023. It is now read-only.


count-security-events-by-activity-id.md


Count security events by activity ID

#project #parse #count

This example relies on the fixed structure of the Activity column: `<activityID> - <activityDesc>`. It parses the Activity value into two new columns, activityID and activityDesc, and counts the occurrences of each activity ID.

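```kusto
SecurityEvent
// Limit the query to the last 30 minutes of events
| where TimeGenerated > ago(30m)
| project Activity
// Split "<activityID> - <activityDesc>" on the " - " separator
| parse Activity with activityID " - " activityDesc
// Count events per activity ID
| summarize count() by activityID
```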
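
The query depends on every Activity value containing the " - " separator. As an added example (not part of the original repository), the following runs the same `parse` over constructed rows in a `datatable`, including one value that does not fit the pattern, so the effect of a non-matching row on the counts is visible. The `SampleEvents` name, the sample rows and the `unparsed` label are assumptions made for illustration.

```kusto
// Constructed sample rows standing in for SecurityEvent (not real log data).
let SampleEvents = datatable(TimeGenerated: datetime, Activity: string)
[
    datetime(2023-01-01 10:00:00), "4624 - An account was successfully logged on.",
    datetime(2023-01-01 10:01:00), "4624 - An account was successfully logged on.",
    datetime(2023-01-01 10:02:00), "4625 - An account failed to log on.",
    datetime(2023-01-01 10:03:00), "4688 - A new process has been created.",
    datetime(2023-01-01 10:04:00), "malformed value without separator"
];
SampleEvents
| parse Activity with activityID " - " activityDesc
// parse keeps rows that do not match the pattern and leaves the new
// columns empty, so label those rows instead of counting them under
// a blank activity ID.
| extend activityID = iff(isempty(activityID), "unparsed", activityID)
| summarize Events = count() by activityID
| sort by Events desc
```

To drop non-matching rows instead of labelling them, `parse-where` can be used in place of `parse`.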