Get browser versions using KQL

Question

I wanted to get browsers versions using KQL query in Microsoft Defender for Endpoint. I tried the following but results nothing. I couldn't find a good documentation to write a query to find such information. Any guidance please.

DeviceEvents | where ActionType == "BrowserEvent" | project DeviceName, DeviceId, Timestamp, BrowserName, BrowserVersion

DeviceEvents | where ActionType == "BrowserEvent" | project DeviceName, DeviceId, Timestamp, BrowserName, BrowserVersion

I wanted to get browser versions to find users who uses outdated browsers.

Answer 1

I can't recreate the query in my own Azure Portal, but with some basic syntax you should be able to create a simple overview of the browser versions and it's count.

Summarize used browser versions

DeviceEvents 
| where ActionType == "BrowserEvent"
| summarize count() by BrowserName, BrowserVersion

Search for users using outdated browser versions

DeviceEvents 
| where ActionType == "BrowserEvent" 
| where BrowserVersion contains "X.XX" 
     or BrowserVersion contains "X.XX"
| summarize count() by DeviceName, DeviceId, Browsername, BrowserVersion

Timeline of users using specific browser version per day

DeviceEvents
| where Timestamp > ago(14d)
| where ActionType == "BrowserEvent"
| where BrowserVersion contains "X.XX" or BrowserVersion contains "X.XX"
| extend info = strcat(DeviceName, ": ", BrowserName)
| summarize count() by bin(Timestamp, 1d), info
| render columnchart

Haven't really tested these in Log Analytics, but this should give a good start to look for specific information.