Query Details

Blob URI Unique Domain Count

Query

// Blob URI Unique Domain Count

DeviceFileEvents
| where TimeGenerated > ago(90d)
| where FileOriginUrl startswith "blob:https://"
| extend dURL = trim_start("blob:https", FileOriginUrl)
| extend dURL2 = strcat("https" , dURL)
| extend Domain = tostring(parse_url(dURL2).Host)
| summarize Count=count() by Domain
| sort by Count desc

Explanation

This query analyzes device file events from the past 90 days and counts how many events are associated with each domain that appears in a blob URI (Uniform Resource Identifier) file origin. Here's a breakdown of what it does:

  1. Filter Events: It starts by filtering the DeviceFileEvents to include only those generated in the last 90 days and where the file origin URL begins with "blob:https://".

  2. Extract Domain: It processes these URLs to extract the domain part. This involves:

    • Stripping the leading "blob:https" from the URL.
    • Prepending "https" again, which leaves a regular https URL without the "blob:" prefix.
    • Parsing the URL to extract the domain name (the Host field).

  3. Count Domains: It counts how many times each domain appears in the filtered events.

  4. Sort Results: Finally, it sorts the domains by their count in descending order, showing the most frequently occurring domains first.

In simple terms, this query identifies and ranks the most common domains found in blob URLs from device file events over the last 90 days.
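
The same extraction run over constructed sample rows, as an added example that is not part of the original query or the author's code. It goes slightly beyond the query above by also reporting distinct devices and first/last seen per domain; the SampleEvents table, device names, file names and URLs are all made-up values.

```kql
// Constructed rows stand in for DeviceFileEvents so the extraction logic can be
// checked without workspace data. Every value below is made up.
// Rows 1-2: same blob origin on two devices.
// Row 3:    blob origin with an explicit port.
// Row 4:    ordinary https download, not a blob URI (filtered out).
// Row 5:    blob URI over http, not https (filtered out by the startswith test).
let SampleEvents = datatable(TimeGenerated:datetime, DeviceName:string, FileName:string, FileOriginUrl:string)
[
    datetime(2025-05-01 09:00:00), "pc-01", "report.pdf",  "blob:https://files.example.com/0b6f1c2e-1111-4a4a-9c9c-000000000001",
    datetime(2025-05-02 10:30:00), "pc-02", "export.csv",  "blob:https://files.example.com/0b6f1c2e-1111-4a4a-9c9c-000000000002",
    datetime(2025-05-03 14:15:00), "pc-02", "invoice.zip", "blob:https://app.example.net:8443/0b6f1c2e-1111-4a4a-9c9c-000000000003",
    datetime(2025-05-04 08:45:00), "pc-03", "setup.exe",   "https://downloads.example.org/setup.exe",
    datetime(2025-05-05 16:20:00), "pc-03", "notes.txt",   "blob:http://intranet.example/0b6f1c2e-1111-4a4a-9c9c-000000000004"
];
SampleEvents
| where FileOriginUrl startswith "blob:https://"
// Drop the "blob:" scheme prefix; what remains is an ordinary https URL.
| extend InnerUrl = substring(FileOriginUrl, strlen("blob:"))
// parse_url returns Host without the port, so app.example.net:8443
// is grouped under app.example.net.
| extend Domain = tostring(parse_url(InnerUrl).Host)
| summarize Count = count(),
            Devices = dcount(DeviceName),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
         by Domain
| sort by Count desc
```

To run it against real data, replace SampleEvents with DeviceFileEvents and restore the time filter. In Defender XDR advanced hunting the time column is Timestamp rather than TimeGenerated.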

Details


Steven Lim

Released: May 22, 2025

Tables

DeviceFileEvents

Keywords

DeviceFileEvents

Operators

where, startswith, extend, trim_start, strcat, tostring, parse_url, summarize, count, by, sort, desc
