Sep 17 2019
08:00 AM
- last edited on
Apr 08 2022
10:07 AM
by
TechCommunityAP
Sep 17 2019
08:00 AM
- last edited on
Apr 08 2022
10:07 AM
by
TechCommunityAP
Hi. Requesting assistance to write a query for Azure Log Analytics (as part of Windows Analytics for an environment) to determine details for Office 365 ProPlus versions in the environment. Initially looking to gather the computer name detailed Office 365 ProPlus version (for example Build 11929.20300). Looking at the UAOfficeAddIn table but have yet to find details within it for build version data. Thank you.
Sep 18 2019 04:55 AM - edited Sep 18 2019 05:29 AM
Solution
All of that data are in Tables that start with "UA", so we can search in just those. I needed to go back in the demo data, so used 60days, you can change this for your data.
search in (UA*) "Office 365 ProPlus"
| where TimeGenerated > ago(60d)
| summarize count() by Type
Go to Log Analytics and Run Query
Type | count_ |
---|---|
UAProposedActionPlan | 468 |
UAApp | 7001 |
From that result, UAApp Table looks promising:
UAApp
| where TimeGenerated > ago(60d)
| where AppVendor == "Microsoft Corporation"
| where AppName startswith "Microsoft Office 365"
| summarize count() by Computer, AppVersion , AppName
Go to Log Analytics and Run Query
Computer | AppVersion | AppName | count_ |
---|---|---|---|
SavannaRh-Dsk.Contoso | 15.0.5163.1000 | Microsoft Office 365 ProPlus - en-us | 24 |
RobertHi-Corp.Contoso | 15.0.5153.1000 | Microsoft Office 365 ProPlus - en-us | 34 |
Terminal73.Contoso | 16.0.11901.20094 | Microsoft Office 365 ProPlus - en-us | 38 |
DebbieDi-Sales.Contoso | 16.0.11901.20176 | Microsoft Office 365 ProPlus - en-us | 29 |
BeverlySm-Dsktp.Contoso | 15.0.5127.1000 | Microsoft Office 365 ProPlus - en-us | 38 |
PeggyLe-Win.Contoso | 16.0.11328.20368 | Microsoft Office 365 - en-us | 38 |
KimberlyLe-Corp.Contoso | 16.0.11901.20176 | Microsoft Office 365 ProPlus - en-us | 23 |
Jaime-Box.Contoso | 15.0.5127.1000 | Microsoft Office 365 ProPlus - en-us | 34 |
TuSharon-Work.Contoso | 16.0.11727.20244 | Microsoft Office 365 ProPlus - en-us | 38 |
MichaelSa-Dsktp.Contoso | 16.0.12013.20000 | Microsoft Office 365 ProPlus - en-us | 10 |
or
UAApp
| where TimeGenerated > ago(30d)
| where AppVendor == "Microsoft Corporation"
| where AppName startswith "Microsoft Office 365 ProPlus"
| summarize count(Computer) by AppVersion
| sort by count_Computer desc
| render barchart
Sep 30 2019 09:59 AM
@CliveWatson Thank you for the example and explanation. This is helpful.
Sep 18 2019 04:55 AM - edited Sep 18 2019 05:29 AM
Solution
All of that data are in Tables that start with "UA", so we can search in just those. I needed to go back in the demo data, so used 60days, you can change this for your data.
search in (UA*) "Office 365 ProPlus"
| where TimeGenerated > ago(60d)
| summarize count() by Type
Go to Log Analytics and Run Query
Type | count_ |
---|---|
UAProposedActionPlan | 468 |
UAApp | 7001 |
From that result, UAApp Table looks promising:
UAApp
| where TimeGenerated > ago(60d)
| where AppVendor == "Microsoft Corporation"
| where AppName startswith "Microsoft Office 365"
| summarize count() by Computer, AppVersion , AppName
Go to Log Analytics and Run Query
Computer | AppVersion | AppName | count_ |
---|---|---|---|
SavannaRh-Dsk.Contoso | 15.0.5163.1000 | Microsoft Office 365 ProPlus - en-us | 24 |
RobertHi-Corp.Contoso | 15.0.5153.1000 | Microsoft Office 365 ProPlus - en-us | 34 |
Terminal73.Contoso | 16.0.11901.20094 | Microsoft Office 365 ProPlus - en-us | 38 |
DebbieDi-Sales.Contoso | 16.0.11901.20176 | Microsoft Office 365 ProPlus - en-us | 29 |
BeverlySm-Dsktp.Contoso | 15.0.5127.1000 | Microsoft Office 365 ProPlus - en-us | 38 |
PeggyLe-Win.Contoso | 16.0.11328.20368 | Microsoft Office 365 - en-us | 38 |
KimberlyLe-Corp.Contoso | 16.0.11901.20176 | Microsoft Office 365 ProPlus - en-us | 23 |
Jaime-Box.Contoso | 15.0.5127.1000 | Microsoft Office 365 ProPlus - en-us | 34 |
TuSharon-Work.Contoso | 16.0.11727.20244 | Microsoft Office 365 ProPlus - en-us | 38 |
MichaelSa-Dsktp.Contoso | 16.0.12013.20000 | Microsoft Office 365 ProPlus - en-us | 10 |
or
UAApp
| where TimeGenerated > ago(30d)
| where AppVendor == "Microsoft Corporation"
| where AppName startswith "Microsoft Office 365 ProPlus"
| summarize count(Computer) by AppVersion
| sort by count_Computer desc
| render barchart