Query Details

Office Add In Installs

Query

//This Query looks for office Add-in Installs
CloudAppEvents
| where ActionType == @"AppInstalled" //or ActionType == @"Add application."
| summarize count() by tostring(parse_json(RawEventData)["AddOnName"]), Application 

Explanation

This query is designed to find and count the installations of Office Add-ins. Here's a simple breakdown of what it does:

  1. Data Source: It uses the CloudAppEvents table, which contains records of various cloud application events.

  2. Filter: It keeps only events where the action type is "AppInstalled". A second condition for "Add application." is present in the query but commented out, so it has no effect unless it is uncommented.

  3. Summarize: It counts the number of installation events for each add-in.

  4. Grouping: The results are grouped by the name of the add-in (extracted from the RawEventData field) and the application it was installed in.

In summary, the query provides a count of how many times each Office Add-in has been installed, grouped by the add-in name and the application.
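
The following is an added example, not part of the original query or the author's code. It extends the same grouping to show who installed each add-in and when, and it labels events that carry no AddOnName. It runs against constructed sample rows in a datatable; Timestamp and AccountDisplayName are CloudAppEvents columns the original query does not use, and all row values are made up.

```kql
// Constructed sample rows standing in for CloudAppEvents (not real telemetry).
let SampleCloudAppEvents = datatable(
    Timestamp:datetime, ActionType:string, Application:string,
    AccountDisplayName:string, RawEventData:dynamic)
[
    datetime(2024-11-01 09:00:00), "AppInstalled", "Microsoft Teams", "Alice Example", dynamic({"AddOnName":"Example Planner"}),
    datetime(2024-11-02 10:30:00), "AppInstalled", "Microsoft Teams", "Bob Example", dynamic({"AddOnName":"Example Planner"}),
    datetime(2024-11-03 14:15:00), "AppInstalled", "Microsoft Teams", "Carol Example", dynamic({"AddOnName":"Example Mail Exporter"}),
    datetime(2024-11-04 08:45:00), "AppInstalled", "Microsoft Teams", "Dave Example", dynamic({}),
    datetime(2024-11-04 11:00:00), "FileDownloaded", "Microsoft SharePoint Online", "Alice Example", dynamic({})
];
SampleCloudAppEvents
| where ActionType == "AppInstalled"
// Give the extracted value a stable column name.
| extend AddOnName = tostring(parse_json(RawEventData)["AddOnName"])
// Events without an AddOnName would otherwise group under an empty string.
| extend AddOnName = iff(isempty(AddOnName), "<no AddOnName>", AddOnName)
| summarize
    Installs = count(),
    Installers = dcount(AccountDisplayName),
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp),
    SampleInstallers = make_set(AccountDisplayName, 5)
    by AddOnName, Application
// Least-installed add-ins first: rare installs are the ones to review.
| order by Installs asc, FirstSeen desc
```

To run it on live data, replace SampleCloudAppEvents with CloudAppEvents and add a time filter on Timestamp.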

Details

Jay Kerai

Released: November 17, 2024

Tables

CloudAppEvents

Keywords

CloudAppEvents, AddOnName, Application

Operators

==, |, summarize, count(), by, tostring(), parse_json()
