Forum Discussion

am7861700's avatar
am7861700
Copper Contributor
Jan 10, 2023

Advanced hunting query for pulling browser extension details and email address.

Hello,

 

I have created a query which pulls out users with lastpass on Edge browser extension, I'm not able to get email details from the "LoggedonUser".

 

DeviceTvmBrowserExtensions
| join DeviceInfo on DeviceId
| where ExtensionName like "LastPass"
| summarize TotalDevices=dcount(DeviceName), ExtensionOn = dcountif(DeviceId,IsActivated=="true") by BrowserName, ExtensionName, ExtensionRisk, ExtensionId, LoggedOnUsers, DeviceName
| sort by ExtensionName asc
| mv-expand todynamic(LoggedOnUsers)
| where BrowserName == @"edge"
| join kind=leftouter
(
    IdentityInfo
    | where EmailAddress != ""
    | project emailaddress = AccountUpn, Department
    | distinct emailaddress
)
on emailaddress
| summarize emailaddress = makeset(Department), Accounts = makeset(AccountName) by BrowserName
 
I want to link the email address to the "Loggedonuser" , the first part works i can pull user information out, but soon as i add the join in it stops working.

1 Reply

  • Take this:

     

    DeviceTvmBrowserExtensions

    | join DeviceInfo on DeviceId

    | where ExtensionName contains "LastPass"

    | mv-expand LoggedOnUsers

    | extend LoggedOnUser = tostring(LoggedOnUsers)

    | where BrowserName == "edge"

    | join kind=leftouter (

    IdentityInfo

    | where EmailAddress != ""

    | project AccountName, EmailAddress, Department

    ) on $left.LoggedOnUser == $right.AccountName

    | summarize

    TotalDevices = dcount(DeviceName),

    ExtensionOn = dcountif(DeviceId, IsActivated == "true"),

    Accounts = makeset(AccountName),

    Emails = makeset(EmailAddress),

    Departments = makeset(Department)

    by BrowserName, ExtensionName, ExtensionRisk, ExtensionId

    | sort by ExtensionName asc