mv-expand

🚕 Windows Hello for Business

AuditLogs
| where TimeGenerated > ago (30d)
| where OperationName contains "Windows Hello for Business"
| mv-expand TargetResources
| extend modifiedProperties = TargetResources.modifiedProperties
| mv-expand modifiedProperties
| evaluate bag_unpack(modifiedProperties)
| mv-expand todynamic(newValue)
| extend creationTime = todatetime(replace_string(tostring(newValue.creationTime), " +00:00", ""))
| extend deviceId = tostring(newValue.deviceId)
| extend UserId = tostring(parse_json(tostring(InitiatedBy.user)).id)
| extend userPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
| summarize arg_max(creationTime, *) by UserId, deviceId
| project TimeGenerated, creationTime, userPrincipalName, UserId, deviceId, ActivityDisplayName
| join kind=inner (SigninLogs
    | extend deviceId = tostring(DeviceDetail.deviceId)
    | extend deviceName = tostring(DeviceDetail.displayName)
    | where isnotempty(deviceName)
    | extend trustType = tostring(DeviceDetail.trustType)
    | summarize arg_max(TimeGenerated, *) by deviceId
    | distinct deviceId, deviceName, trustType
    ) on $left.deviceId == $right.deviceId
| project  WHfBcreationTime = creationTime, userPrincipalName, UserId, deviceName, AADdeviceId = deviceId
```