Add files via upload

3 years ago · 14a4e9e496
parent 1ba8c23155
commit 14a4e9e496
1 changed files with 27 additions and 8 deletions
--- a/Microsoft.WebBrowser.sql
+++ b/Microsoft.WebBrowser.sql
@ -10,15 +10,27 @@ json_extract(events_persisted.payload,'$.time') as 'UTC TimeStamp',
 -- Timestamp from json payload
 datetime((timestamp - 116444736000000000)/10000000, 'unixepoch','localtime') as 'Local TimeStamp',

-- Actions
+json_extract(events_persisted.payload,'$.ext.utc.seq') as 'seq',
+
+-- Event App & event description
 json_extract(events_persisted.payload,'$.ext.app.name') as 'app',
+tag_descriptions.tag_name as 'Description', -- where you'll see these events in MS Diagnostic Data Viewer app
 coalesce(json_extract(events_persisted.payload,'$.data.ShortEventName'),replace(replace(substr(distinct full_event_name,39),'Microsoft.',''),'WebBrowser.HistoryJournal.HJ_','')) as 'event',
-json_extract(events_persisted.payload,'$.ext.utc.seq') as 'seq',
-json_extract(events_persisted.payload,'$.data.TabId') as 'TabId',
-coalesce(json_extract(events_persisted.payload,'$.data.PageTitle'),    json_extract(events_persisted.payload,'$.data.DOMAnchorHrefUrl')) as 'PageTitle/RefUrl',
+
+-- Actions
+json_extract(events_persisted.payload,'$.data.TabId') as 'Tab Id', -- (Note that apps like twitter use containerized (?) IE/Edge for navigation)
+case 
+	when json_extract(events_persisted.payload,'$.data.PageTitle') is NULL and json_extract(events_persisted.payload,'$.data.NoteLocalId') is not NULL
+	then upper(json_extract(events_persisted.payload,'$.data.NoteLocalId')) -- get Sticky Notes local ID
+	when json_extract(events_persisted.payload,'$.data.PageTitle') is NULL and json_extract(events_persisted.payload,'$.data.NoteLocalId') is NULL
+	then coalesce(json_extract(events_persisted.payload,'$.data.DOMAnchorHrefUrl'),json_extract(events_persisted.payload,'$.data.referUrl')) 
+	else json_extract(events_persisted.payload,'$.data.PageTitle') 
+	end as 'PageTitle/Referrer',
 coalesce(json_extract(events_persisted.payload,'$.data.navigationUrl'),json_extract(events_persisted.payload,'$.data.DSPCurrentUrl'))    as 'Url',
-json_extract(events_persisted.payload,'$.data.actionName') as 'actionName',

+-- Tracking
+upper(json_extract(events_persisted.payload,'$.data.CorrelationGuid')) as 'Correlation Guid', 
+upper(json_extract(events_persisted.payload,'$.data."Session.EcsETag"')) as 'Session Tag (Base64)', -- Sticky Notes session 
 logging_binary_name,

 -- Net info
@ -31,8 +43,11 @@ sid as 'User SID'


 from events_persisted 
+join event_tags on events_persisted.full_event_name_hash = event_tags.full_event_name_hash
+join tag_descriptions on event_tags.tag_id = tag_descriptions.tag_id 
+
 where 
-events_persisted.full_event_name like ('Aria.%') and 
+events_persisted.full_event_name like 'Aria.%'and (
 events_persisted.full_event_name not like '%HeartBeat' and 
 events_persisted.full_event_name not like '%Timing%'   and 
 events_persisted.full_event_name not like '%EdgeUpdate%' and 
@ -46,5 +61,9 @@ events_persisted.full_event_name not like '%SessionIdCorrelation%' and
 events_persisted.full_event_name not like '%ScopedCriticalTask%' and 
 events_persisted.full_event_name not like '%Assert%' and 
 events_persisted.full_event_name not like '%BrowserInfo%' and 
-events_persisted.full_event_name not like '%diagnosticssync%' 
-order by events_persisted.timestamp desc
+tag_descriptions.tag_name not like '%Performance%' )
+
+
+
+ -- Sort by event sequence number descending (newest first)
+order by cast(seq as integer) desc