Query Details
What Users Downloaded From The Internet
Query
DeviceFileEvents | where FileOriginUrl contains "" | extend ReferrerHost=tostring(parse_url(FileOriginReferrerUrl).Host) | summarize count(), any(FileName) by ReferrerHost
Explanation
This Query will show you what users downloaded from the internet. It is looking at a dataset called DeviceFileEvents. It filters the data to only include events where the FileOriginUrl contains a specific value. It then creates a new column called ReferrerHost by extracting the host from the FileOriginReferrerUrl. Finally, it summarizes the count of events and any file name associated with each ReferrerHost.
Details
Abdulhamid ALShatti (User Submission)
Released: October 25, 2023
Tables
DeviceFileEvents
Keywords
DeviceFileEvents,FileOriginUrl,ReferrerHost,FileOriginReferrerUrl,FileName
Operators
wherecontainsextendtostringparse_urlHostsummarizecount()any()