//Visualize the most popular emoji reactions used in your tenant, because, why not?
//Microsoft Sentinel query - requires the M365 Defender data connector (CloudAppEvents table)
//Only the 25 most-used reactions are charted; drop the "top 25" line to see all of them
CloudAppEvents
| where TimeGenerated > ago(30d)
//Teams reaction events only; both fields live in the RawEventData property bag
| where RawEventData.Operation == "ReactedToMessage" and RawEventData.Workload == "MicrosoftTeams"
| project RawReaction = tostring(RawEventData.MessageReactionType)
| where isnotempty(RawReaction)
//Keep only the segment after the last underscore (the whole value when there is none)
| project React = tostring(split(RawReaction, "_")[-1])
| summarize Count = count() by React
| top 25 by Count desc
| render barchart
//Advanced Hunting query - requires an Advanced Hunting license (CloudAppEvents table)
//Same logic as the Sentinel version above, using the Advanced Hunting column names
CloudAppEvents
| where Timestamp > ago(30d)
//Teams reaction events only, filtered on the top-level ActionType / Application columns
| where ActionType == @"ReactedToMessage" and Application == @"Microsoft Teams"
| project RawReaction = tostring(RawEventData.MessageReactionType)
| where isnotempty(RawReaction)
//Keep only the segment after the last underscore (the whole value when there is none)
| project React = tostring(split(RawReaction, "_")[-1])
| summarize Count = count() by React
//Only the 25 most-used reactions are charted; drop this line to see all of them
| top 25 by Count desc
| render columnchart