KQL Search

Query Details

HomeAI ToolsDevice Query

Top Social Media

Query

// Top Social Media Visitors
let identities = DeviceInfo
| distinct DeviceName, LoggedOnUsers
| project DeviceName, CurrentUsers = parse_json(LoggedOnUsers)
| mv-apply CurrentUsers on (
    project DeviceName, User = CurrentUsers.UserName, SID = CurrentUsers.Sid
)
| project DeviceName, Username = tostring(User), OnPremSid = tostring(SID)
| join IdentityInfo on OnPremSid;
DeviceNetworkEvents
| where RemoteUrl contains "facebook.com"
     or RemoteUrl contains "twitter.com"
     or RemoteUrl contains "linkedin.com"
     or RemoteUrl contains "reddit.com"
// exclude low confidence usage
| where RemoteUrl !contains "ads"
| where RemoteUrl !contains "analytics"
| where RemoteUrl !contains "rank"
| where RemoteUrl !contains "cdn"
| summarize Count=count(), RemoteUrls=make_set(RemoteUrl) by DeviceName
| where Count >= 30
| join identities on DeviceName
| where JobTitle !contains "Communications"
| where JobTitle !contains "Digital Marketing"
| summarize by DeviceName, Count, FullName=strcat(GivenName," ",Surname), JobTitle, Email=AccountUpn, tostring(RemoteUrls)
| sort by Count desc

Explanation

This query is trying to find the top social media visitors by device. It starts by getting the distinct device names and logged on users. Then it joins this information with identity information to get the usernames and on-premises SIDs.

Next, it filters the device network events to only include URLs related to popular social media sites like Facebook, Twitter, LinkedIn, and Reddit. It excludes URLs related to ads, analytics, ranking, and content delivery networks.

The query then summarizes the count of these events and the set of remote URLs for each device. It filters out devices with a count less than 30.

After that, it joins the device information with the identities based on the device name. It further filters out devices where the job title contains "Communications" or "Digital Marketing".

Finally, it summarizes the device name, count, full name, job title, email, and remote URLs. The results are sorted by count in descending order.

Details

C.J. May profile picture

C.J. May

Released: May 16, 2023

Tables

DeviceInfoIdentityInfoDeviceNetworkEvents

Keywords

Devices,Intune,User

Operators

distinctprojectparse_jsonmv-applyonjoinwherecontainsor!containssummarizecountmake_setby>=!containssort by

Actions