Advanced hunting query for pulling browser extension details and email address.

Question

Hello,&nbsp;I have created a query which pulls out users with lastpass on Edge browser extension, I'm not able to get email details from the "LoggedonUser".&nbsp;DeviceTvmBrowserExtensions| join DeviceInfo on DeviceId| where ExtensionName like "LastPass"| summarize TotalDevices=dcount(DeviceName), ExtensionOn = dcountif(DeviceId,IsActivated=="true") by BrowserName, ExtensionName, ExtensionRisk, ExtensionId, LoggedOnUsers, DeviceName| sort by ExtensionName asc| mv-expand todynamic(LoggedOnUsers)| where BrowserName == @"edge"| join kind=leftouter(&nbsp; &nbsp; IdentityInfo&nbsp; &nbsp; | where EmailAddress != ""&nbsp; &nbsp; | project emailaddress = AccountUpn, Department&nbsp; &nbsp; | distinct emailaddress)on emailaddress| summarize emailaddress = makeset(Department), Accounts = makeset(AccountName) by BrowserName&nbsp;I want to link the email address to the "Loggedonuser" , the first part works i can pull user information out, but soon as i add the join in it stops working.

kidd_ip · Answer

Take this:
&nbsp;
DeviceTvmBrowserExtensions
| join DeviceInfo on DeviceId
| where ExtensionName contains "LastPass"
| mv-expand LoggedOnUsers
| extend LoggedOnUser = tostring(LoggedOnUsers)
| where BrowserName == "edge"
| join kind=leftouter (
IdentityInfo
| where EmailAddress != ""
| project AccountName, EmailAddress, Department
) on $left.LoggedOnUser == $right.AccountName
| summarize
TotalDevices = dcount(DeviceName),
ExtensionOn = dcountif(DeviceId, IsActivated == "true"),
Accounts = makeset(AccountName),
Emails = makeset(EmailAddress),
Departments = makeset(Department)
by BrowserName, ExtensionName, ExtensionRisk, ExtensionId
| sort by ExtensionName asc
&nbsp;

Forum Discussion

Advanced hunting query for pulling browser extension details and email address.

1 Reply