Forum Discussion
Advanced hunting query for pulling browser extension details and email address.
Hello,
I have created a query which pulls out users with lastpass on Edge browser extension, I'm not able to get email details from the "LoggedonUser".
DeviceTvmBrowserExtensions
| join DeviceInfo on DeviceId
| where ExtensionName like "LastPass"
| summarize TotalDevices=dcount(DeviceName), ExtensionOn = dcountif(DeviceId,IsActivated=="true") by BrowserName, ExtensionName, ExtensionRisk, ExtensionId, LoggedOnUsers, DeviceName
| sort by ExtensionName asc
| mv-expand todynamic(LoggedOnUsers)
| where BrowserName == @"edge"
| join kind=leftouter
(
IdentityInfo
| where EmailAddress != ""
| project emailaddress = AccountUpn, Department
| distinct emailaddress
)
on emailaddress
| summarize emailaddress = makeset(Department), Accounts = makeset(AccountName) by BrowserName
I want to link the email address to the "Loggedonuser" , the first part works i can pull user information out, but soon as i add the join in it stops working.
No RepliesBe the first to reply