Need help for KQL query
Sonika Sahu (20 Reputation points)
I have 2 KQL queries:
The 1st is:
```kusto
AppEvents
| where Name contains "MANAGEPASSKEYS_ADDPROCESS_INITIATED"
| project
    Event = Name,
    obj = tostring(Properties.ObjectId),
    session = tostring(Properties.CorrelationId)
| distinct Event, obj, session
| join kind=leftouter (
    AppEvents
    | where Name contains "MANAGEPASSKEYS_ADDPROCESS_INITIATED"
        or Name contains "PasskeyAdd-Success"
        or Name contains "PasskeyAdd-Failure"
        or Name contains "MFAOnboardingBehaviourEnroll-SubJourneyEnd"
        or Name contains "ShowStrongMFAOptions_Methods-SubJourneyEnd"
        or Name contains "PasskeyAdd-AlreadyExists-Failure"
        or Name contains "PasskeyAdd-DeviceNotSupported"
        or Name contains "PasskeyAdd-Failure-OS"
    | project
        Event = Name,
        obj = tostring(Properties.ObjectId),
        session = tostring(Properties.CorrelationId)
  ) on session
// the join renames right-side columns that clash with the left: Event -> Event1, obj -> obj1
| distinct Event1, obj
| extend Event1 = replace_string(Event1, 'MANAGEPASSKEYS_ADDPROCESS_INITIATED', '1--Click Add Passkey')
| extend Event1 = replace_string(Event1, 'MFAOnboardingBehaviourEnroll-SubJourneyEnd', '2-MFA onboaded')
| extend Event1 = replace_string(Event1, 'ShowStrongMFAOptions_Methods-SubJourneyEnd', '3-MFA Verification')
| extend Event1 = replace_string(Event1, 'PasskeyAdd-Success', '4-Passkey successfully added')
// "PasskeyAdd-Failure" is also a substring of "PasskeyAdd-Failure-OS", so that event is
// relabelled here as "5-Passkey Add failed-Generic-OS" and never reaches the step-8 replace below
| extend Event1 = replace_string(Event1, 'PasskeyAdd-Failure', '5-Passkey Add failed-Generic')
//| extend Event1 = replace_string(Event1, 'MSAGEPASSKEYS_CANCELPROCESS_INITIATED', '6-cancel journey initated')
| extend Event1 = replace_string(Event1, 'PasskeyAdd-AlreadyExists-Failure', '6-Passkey Add failed-AlreadyExists-Failure')
| extend Event1 = replace_string(Event1, 'PasskeyAdd-DeviceNotSupported', '7-Passkey Add failed-DeviceNotSupported')
| extend Event1 = replace_string(Event1, 'PasskeyAdd-Failure-OS', '8-Passkey Add failed-Failure-OS')
// one row per (event, user) at this point, so count() is the number of distinct users per step
| summarize count() by Event1
| sort by Event1 asc
```
And the 2nd is:
```kusto
// Unique users
AppEvents
| where Name in ("MSAGEPASSKEYS_CANCELPROCESS_INITIATED", "PasskeyAdd-Success", "PasskeyRemove-Success", "FIDORemovePasskey-StartSubJourney", "FIDORemovePasskey-EndSubJourney")
| extend
    obj = tostring(Properties.ObjectId),
    session = tostring(Properties.CorrelationId)
// one row per user with the set of matching event names (session is not used below)
| summarize EventList = make_set(Name) by obj
// set_has_element is an exact element match on the dynamic set
| extend
    HasCancel = set_has_element(EventList, "MSAGEPASSKEYS_CANCELPROCESS_INITIATED"),
    HasAdd = set_has_element(EventList, "PasskeyAdd-Success"),
    HasRemove = set_has_element(EventList, "PasskeyRemove-Success"),
    HasFIDORemoveStart = set_has_element(EventList, "FIDORemovePasskey-StartSubJourney"),
    HasFIDORemoveEnd = set_has_element(EventList, "FIDORemovePasskey-EndSubJourney")
// pick one event per user in priority order: Add > Remove > FIDO start > FIDO end > Cancel
| extend FinalEvent = case(
    HasAdd, "PasskeyAdd-Success",
    HasRemove, "PasskeyRemove-Success",
    HasFIDORemoveStart, "FIDORemovePasskey-StartSubJourney",
    HasFIDORemoveEnd, "FIDORemovePasskey-EndSubJourney",
    HasCancel, "MSAGEPASSKEYS_CANCELPROCESS_INITIATED",
    "Other")
// Only include users whose event set contains the cancel event
| where HasCancel == true
| extend FinalEventLabel = case(
    FinalEvent == "PasskeyAdd-Success", "Passkey successfully added",
    FinalEvent == "PasskeyRemove-Success", "Passkey successfully Removed",
    FinalEvent == "FIDORemovePasskey-StartSubJourney", "Passkey remove Journey Started",
    FinalEvent == "FIDORemovePasskey-EndSubJourney", "Passkey Remove Journey End",
    FinalEvent == "MSAGEPASSKEYS_CANCELPROCESS_INITIATED", "cancel journey initiated",
    FinalEvent)
// keeps only users whose highest-priority event is the cancel, i.e. cancel with no add/remove event
| where FinalEventLabel == "cancel journey initiated"
| summarize count() by FinalEventLabel
| sort by FinalEventLabel asc
```
I want the output of both KQL queries in the format below, so please merge the queries without changing functionality:
1--Click Add Passkey
2-MFA onboaded
3-MFA Verification
4-Passkey successfully added
5-Passkey Add failed-Generic-OS
6-Passkey Add failed-AlreadyExists-Failure
7-cancel journey initiated
Azure Monitor
An Azure service that is used to collect, analyze, and act on telemetry data from Azure and on-premises environments.
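The merged query the question asks for, written here as an added example by the editor; it is not the poster's code and not the content of the deleted answer. It assumes the same AppEvents table and the Properties.ObjectId / Properties.CorrelationId fields used in the question. The first query is kept as-is inside a let statement (its replace_string order is preserved, so "PasskeyAdd-Failure-OS" still comes out as "5-Passkey Add failed-Generic-OS", matching the requested output). The second query is reduced to the condition it actually ends with: after the `where HasCancel` filter, `FinalEvent == "MSAGEPASSKEYS_CANCELPROCESS_INITIATED"` is true exactly for users whose event set contains the cancel event and none of the higher-priority add/remove events. The two result sets are combined with `union`.

```kusto
// Part 1: the first query unchanged, except that the right side of the join names its
// column Event1 explicitly instead of relying on the automatic rename.
let AddJourneySteps =
    AppEvents
    | where Name contains "MANAGEPASSKEYS_ADDPROCESS_INITIATED"
    | project
        Event = Name,
        obj = tostring(Properties.ObjectId),
        session = tostring(Properties.CorrelationId)
    | distinct Event, obj, session
    | join kind=leftouter (
        AppEvents
        | where Name contains "MANAGEPASSKEYS_ADDPROCESS_INITIATED"
            or Name contains "PasskeyAdd-Success"
            or Name contains "PasskeyAdd-Failure"
            or Name contains "MFAOnboardingBehaviourEnroll-SubJourneyEnd"
            or Name contains "ShowStrongMFAOptions_Methods-SubJourneyEnd"
            or Name contains "PasskeyAdd-AlreadyExists-Failure"
            or Name contains "PasskeyAdd-DeviceNotSupported"
            or Name contains "PasskeyAdd-Failure-OS"
        | project
            Event1 = Name,
            session = tostring(Properties.CorrelationId)
      ) on session
    | distinct Event1, obj
    // Same replace_string chain and order as the question, so the labels
    // (including "5-Passkey Add failed-Generic-OS") come out exactly as before.
    | extend Event1 = replace_string(Event1, 'MANAGEPASSKEYS_ADDPROCESS_INITIATED', '1--Click Add Passkey')
    | extend Event1 = replace_string(Event1, 'MFAOnboardingBehaviourEnroll-SubJourneyEnd', '2-MFA onboaded')
    | extend Event1 = replace_string(Event1, 'ShowStrongMFAOptions_Methods-SubJourneyEnd', '3-MFA Verification')
    | extend Event1 = replace_string(Event1, 'PasskeyAdd-Success', '4-Passkey successfully added')
    | extend Event1 = replace_string(Event1, 'PasskeyAdd-Failure', '5-Passkey Add failed-Generic')
    | extend Event1 = replace_string(Event1, 'PasskeyAdd-AlreadyExists-Failure', '6-Passkey Add failed-AlreadyExists-Failure')
    | extend Event1 = replace_string(Event1, 'PasskeyAdd-DeviceNotSupported', '7-Passkey Add failed-DeviceNotSupported')
    | extend Event1 = replace_string(Event1, 'PasskeyAdd-Failure-OS', '8-Passkey Add failed-Failure-OS')
    | summarize Users = count() by Event1;
// Part 2: the second query reduced to what it selects, i.e. users whose event set
// contains the cancel event and none of the higher-priority add/remove events.
let CancelOnlyUsers =
    AppEvents
    | where Name in ("MSAGEPASSKEYS_CANCELPROCESS_INITIATED", "PasskeyAdd-Success", "PasskeyRemove-Success",
                     "FIDORemovePasskey-StartSubJourney", "FIDORemovePasskey-EndSubJourney")
    | extend obj = tostring(Properties.ObjectId)
    | summarize EventList = make_set(Name) by obj
    | where set_has_element(EventList, "MSAGEPASSKEYS_CANCELPROCESS_INITIATED")
        and not(set_has_element(EventList, "PasskeyAdd-Success"))
        and not(set_has_element(EventList, "PasskeyRemove-Success"))
        and not(set_has_element(EventList, "FIDORemovePasskey-StartSubJourney"))
        and not(set_has_element(EventList, "FIDORemovePasskey-EndSubJourney"))
    // label taken from the requested output; summarize by it so an empty set yields no row, as before
    | extend Event1 = "7-cancel journey initiated"
    | summarize Users = count() by Event1;
// One result table in the requested shape: label in Event1, distinct users in Users.
union AddJourneySteps, CancelOnlyUsers
| sort by Event1 asc
```

The label "7-cancel journey initiated" is copied from the requested output, but the first query already uses the 7- prefix for "PasskeyAdd-DeviceNotSupported", so if that event occurs the two rows will sort next to each other; renumber one of the labels if a strict order matters. The count column is named Users here; use `summarize count() by Event1` instead to keep the original `count_` column name.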
1 answer
Deleted
This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
Comments have been turned off.