Query Details

ASR Top Users

Query

DeviceEvents
// ASR telemetry: ActionType is 'Asr<RuleName>Audited' for rules running in audit mode
| where ActionType startswith 'Asr'
    and ActionType endswith 'Audited'
// Count hits and collect the distinct rules that fired, per device and per user SID
| summarize Count = count(), Categories = make_set(ActionType) by DeviceName, OnPremSid=AccountSid
// Enrich the SID with user details from IdentityInfo
| join IdentityInfo on OnPremSid
| project DeviceName, FullName=strcat(GivenName, " ", Surname), JobTitle, Count, Categories
// IdentityInfo can hold several rows per SID, so deduplicate after the join
| distinct DeviceName, FullName, JobTitle, Count, tostring(Categories)
// KQL sort defaults to descending; stated explicitly here
| sort by Count desc

Explanation

This query retrieves DeviceEvents rows whose ActionType starts with 'Asr' and ends with 'Audited', that is, Attack Surface Reduction rules that fired in audit mode rather than block mode. It then summarizes the event count and builds a set of the distinct action types for each device name and on-premises SID (taken from AccountSid). The query joins IdentityInfo on the on-premises SID and projects the device name, full name (concatenation of given name and surname), job title, count, and categories. Because IdentityInfo can contain more than one row for the same SID, the join can duplicate rows, so the query applies distinct before sorting the results by count in descending order (the KQL default for sort), putting the users with the most audited ASR hits first.
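As an added example (not part of the original query), the same approach extended to show audit-mode and block-mode hits side by side per user, which helps decide whether an audited rule is ready to be switched to block. It assumes ASR block events use the ActionType suffix 'Blocked' alongside the 'Audited' suffix used above, and a 30-day lookback window.

```kql
// Added example, not the page's original query.
// Assumption: block-mode ASR events end in 'Blocked'; audit-mode events end in 'Audited'.
DeviceEvents
| where Timestamp > ago(30d)
| where ActionType startswith 'Asr'
    and (ActionType endswith 'Audited' or ActionType endswith 'Blocked')
// Split the count by mode and keep the set of rules that fired, per device and user SID
| summarize Audited = countif(ActionType endswith 'Audited'),
            Blocked = countif(ActionType endswith 'Blocked'),
            Rules = make_set(ActionType)
          by DeviceName, OnPremSid = AccountSid
// Deduplicate IdentityInfo before the join instead of after it
| join kind=inner (
    IdentityInfo
    | where isnotempty(OnPremSid)
    | distinct OnPremSid, GivenName, Surname, JobTitle
  ) on OnPremSid
| project DeviceName, FullName = strcat(GivenName, " ", Surname), JobTitle,
          Audited, Blocked, Total = Audited + Blocked, Rules = tostring(Rules)
| sort by Total desc
```

Users with a high Audited count and zero Blocked count on a given rule are the ones who would be affected if that rule were moved to block mode.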

Details


C.J. May

Released: October 13, 2022

Tables

DeviceEvents, IdentityInfo

Keywords

DeviceEvents, ActionType, Asr, Audited, Count, Categories, DeviceName, OnPremSid, AccountSid, IdentityInfo, FullName, GivenName, Surname, JobTitle, distinct, tostring, sort

Operators

|, where, startswith, endswith, summarize, count(), make_set, by, join, project, strcat, distinct, tostring, sort by
