KQL Search

Query Details

HomeAI ToolsDevice Query

Identity Summarize Internet Explorer Signins

Query

//Summarize signins to your Azure AD tenant still using Internet Explorer. Data is grouped into each user and which applications they are accessing.

//Data connector required for this query - Azure Active Directory - Signin Logs

SigninLogs
| where ResultType == 0
| extend UserAgentDetail = todynamic(parse_user_agent(UserAgent, "browser"))
| extend UserAgentFamily = tostring(parse_json(tostring(UserAgentDetail.Browser)).Family)
| extend UserAgentMajorVersion = toint(parse_json(tostring(UserAgentDetail.Browser)).MajorVersion)
| extend UserAgentMinorVersion = toint(parse_json(tostring(UserAgentDetail.Browser)).MinorVersion)
| extend UserAgentPatch = toint(parse_json(tostring(UserAgentDetail.Browser)).Patch)
| project
    TimeGenerated,
    UserPrincipalName,
    AppDisplayName,
    ResultType,
    IPAddress,
    Location,
    UserAgentFamily,
    UserAgentMajorVersion,
    UserAgentMinorVersion,
    UserAgentPatch,
    UserAgent
| where UserAgentFamily == "IE"
| summarize ['Total IE Signins']=count(), ['Count of Applications']=dcount(AppDisplayName), ['List of Applications']=make_set(AppDisplayName) by UserPrincipalName
| sort by ['Count of Applications'] desc

Explanation

This query summarizes the sign-ins to your Azure AD tenant that are still using Internet Explorer. The data is grouped by each user and the applications they are accessing. The query uses the Azure Active Directory - Signin Logs data connector. It filters the sign-in logs to only include successful sign-ins (ResultType == 0) and extracts information about the user agent (browser) used for each sign-in. It then projects specific fields from the data and filters for sign-ins made using Internet Explorer (UserAgentFamily == "IE"). Finally, it summarizes the data by counting the total number of Internet Explorer sign-ins, the number of unique applications accessed, and lists the names of those applications for each user. The results are sorted by the count of applications in descending order.

Details

Matt Zorich profile picture

Matt Zorich

Released: June 17, 2022

Tables

SigninLogs

Keywords

SigninLogs,ResultType,UserAgent,UserAgentDetail,Browser,Family,MajorVersion,MinorVersion,Patch,TimeGenerated,UserPrincipalName,AppDisplayName,IPAddress,Location,TotalIESignins,CountofApplications,ListofApplications

Operators

whereextendparse_user_agenttodynamicparse_jsontostringtointprojectcountdcountmake_setbysort

Actions