Query Details

DCA Visualize Emoji Reactions

Query

//Visualize the most popular emoji reactions used in your tenant, because, why not?

//Limited to the top 25 by the "take 25" line; remove that line if you want them all

//Data connector required for this query - M365 Defender - CloudAppEvents

//Microsoft Sentinel query
CloudAppEvents
| where TimeGenerated > ago(30d)
| where RawEventData.Operation == "ReactedToMessage"
| where RawEventData.Workload == "MicrosoftTeams"
| extend React = tostring(RawEventData.MessageReactionType)
| where isnotempty(React)
| project React
| extend React = tostring(split(React,"_")[-1])
| summarize Count=count() by React
| sort by Count desc
| take 25
| render barchart

//Advanced Hunting query

//Data connector required for this query - Advanced Hunting license

CloudAppEvents
| where Timestamp > ago(30d)
| where ActionType == @"ReactedToMessage"
| where Application == @"Microsoft Teams"
| extend React = tostring(RawEventData.MessageReactionType)
| where isnotempty(React)
| project React
| extend React = tostring(split(React,"_")[-1])
| summarize Count=count() by React
| sort by Count desc
| take 25
| render columnchart

Explanation

This query retrieves data on the most popular emoji reactions used in your Microsoft Teams tenant. It runs against the CloudAppEvents table, which is populated either by the M365 Defender data connector in Microsoft Sentinel or directly in Advanced Hunting (an Advanced Hunting license is required). Both versions filter for reactions to Microsoft Teams messages within the last 30 days: the Sentinel version matches on RawEventData.Operation and RawEventData.Workload, while the Advanced Hunting version matches on the ActionType and Application columns. Because the MessageReactionType value carries a prefix, the query splits it on "_" and keeps only the last segment before counting. It then counts the occurrences of each reaction, sorts them in descending order, and displays the top 25 reactions as a bar chart (Sentinel) or column chart (Advanced Hunting).

Details

Matt Zorich

Released: January 25, 2023

Tables

CloudAppEvents

Keywords

Devices,Intune,User,M365Defender,CloudAppEvents,MicrosoftSentinel,MicrosoftTeams,AdvancedHunting,Timestamp,ActionType,Application,React,RawEventData,MessageReactionType,Count,barchart,columnchart

Operators

where, ago, ==, extend, tostring, isnotempty, project, split, [-1], summarize, count(), by, sort by, desc, take, render