-- Diagnostic Microsoft.WebBrowser (Aria) -- from C:\ProgramData\Microsoft\Diagnosis\EventTranscript\EventTranscript.db -- For more info visit https://github.com/rathbuna/EventTranscript.db-Research SELECT --Timestamp from db field json_extract(events_persisted.payload,'$.time') as 'UTC TimeStamp', -- Timestamp from json payload datetime((timestamp - 116444736000000000)/10000000, 'unixepoch','localtime') as 'Local TimeStamp', json_extract(events_persisted.payload,'$.ext.utc.seq') as 'seq', -- Event App & event description json_extract(events_persisted.payload,'$.data.EventName') as 'EventName', json_extract(events_persisted.payload,'$.ext.app.name') as 'app', tag_descriptions.tag_name as 'Description', -- where you'll see these events in MS Diagnostic Data Viewer app coalesce(json_extract(events_persisted.payload,'$.data.ShortEventName'),replace(replace(substr(distinct full_event_name,39),'Microsoft.',''),'WebBrowser.HistoryJournal.HJ_','')) as 'event', -- Actions json_extract(events_persisted.payload,'$.data.TabId') as 'Tab Id', -- (Note that apps like twitter use containerized (?) IE/Edge for navigation) case when json_extract(events_persisted.payload,'$.data.PageTitle') is NULL and json_extract(events_persisted.payload,'$.data.NoteLocalId') is not NULL then upper(json_extract(events_persisted.payload,'$.data.NoteLocalId')) -- get Sticky Notes local ID when json_extract(events_persisted.payload,'$.data.PageTitle') is NULL and json_extract(events_persisted.payload,'$.data.NoteLocalId') is NULL then coalesce(json_extract(events_persisted.payload,'$.data.DOMAnchorHrefUrl'),json_extract(events_persisted.payload,'$.data.referUrl')) else json_extract(events_persisted.payload,'$.data.PageTitle') end as 'PageTitle/Referrer', coalesce(json_extract(events_persisted.payload,'$.data.navigationUrl'),json_extract(events_persisted.payload,'$.data.DSPCurrentUrl')) as 'Url', -- Tracking upper(json_extract(events_persisted.payload,'$.data.CorrelationGuid')) as 'Correlation Guid', upper(json_extract(events_persisted.payload,'$.data."Session.EcsETag"')) as 'Session Tag (Base64)', -- Sticky Notes session logging_binary_name, -- Net info coalesce(json_extract(events_persisted.payload,'$.ext.net.type'),json_extract(events_persisted.payload,'$.data.ConnectionType')) as 'type', json_extract(events_persisted.payload,'$.ext.net.cost') as 'cost', -- Local, MS or AAD account trim(json_extract(events_persisted.payload,'$.ext.user.localId'),'m:') as 'UserId', sid as 'User SID' from events_persisted join event_tags on events_persisted.full_event_name_hash = event_tags.full_event_name_hash join tag_descriptions on event_tags.tag_id = tag_descriptions.tag_id where events_persisted.full_event_name like 'Aria.%'and ( events_persisted.full_event_name not like '%HeartBeat' and events_persisted.full_event_name not like '%Timing%' and events_persisted.full_event_name not like '%EdgeUpdate%' and events_persisted.full_event_name not like '%Protobuf%' and events_persisted.full_event_name not like '%Extended%' and events_persisted.full_event_name not like '%Trace%' and events_persisted.full_event_name not like '%qossync%' and events_persisted.full_event_name not like '%ScopedCriticalTask%' and events_persisted.full_event_name not like '%Actor%' and events_persisted.full_event_name not like '%SessionIdCorrelation%' and events_persisted.full_event_name not like '%ScopedCriticalTask%' and events_persisted.full_event_name not like '%Assert%' and events_persisted.full_event_name not like '%BrowserInfo%' and events_persisted.full_event_name not like '%15cbbc93e90a4d56bf8d9a29305b8981%' and -- exclude Sticky Notes tag_descriptions.tag_name not like '%Device Connectivity and Configuration%' and tag_descriptions.tag_name not like '%Performance%' ) -- Sort by event datedescending (newest first) order by cast(events_persisted.timestamp as integer) desc