Average device daily usage report in PowerBI

A customer wanted to know how many hours on average their devices were being used, without modifying their configuration.

This to help target replacements, upgrades, #desks per location, #shared devices per location etc.

At first I figured it’d be a simple task, just getting the right event ID’s from the local eventlog, but no, that required additional auditing to be enabled and how would the data flow to PowerBI?

The next attempted data source was much better; Defender Advanced Hunting. Especially the DeviceLogonEvents table, which contains cached and interactive logons to all monitored devices.

Using logon events, we can get an idea of a device’s relative use in the fleet. It won’t be exact as measuring the time between pure lock/unlock/signin/signout events.

This was fine for the customer’s purpose and checking their data the number of daily logon events (7-9) was actually much higher than the expected 2-3 per device per day (at least on Windows 11, our target OS).

Getting that data into PowerBI turned out to be even easier 🙂

Option 1: use my PowerBI template

Option 2: build your own report using below steps:

Open up PowerBI and click Blank Query

Open the Advanced Editor

Paste the KQL query and click done

KQL:

 let
        AdvancedHuntingQuery = "DeviceLogonEvents
| where Timestamp between (ago(28d) .. now())
| where ActionType == ""LogonSuccess""
| where LogonType == ""Interactive""
| extend LogonDate = startofday(Timestamp)
| where LogonDate &lt; startofday(now())  
| summarize 
    FirstLogon = min(Timestamp), 
    LastLogon = max(Timestamp)
    by DeviceName, LogonDate
| extend UsageDuration = LastLogon - FirstLogon
| project DeviceName, LogonDate, FirstLogon, LastLogon, UsageDuration
| order by DeviceName asc, LogonDate desc",

        HuntingUrl = "https://api.security.microsoft.com/api/advancedqueries",

        Response = Json.Document(Web.Contents(HuntingUrl, [Query=[key=AdvancedHuntingQuery]])),

        TypeMap = #table(
            { "Type", "PowerBiType" },
            {
                { "Double",   Double.Type },
                { "Int64",    Int64.Type },
                { "Int32",    Int32.Type },
                { "Int16",    Int16.Type },
                { "UInt64",   Number.Type },
                { "UInt32",   Number.Type },
                { "UInt16",   Number.Type },
                { "Byte",     Byte.Type },
                { "Single",   Single.Type },
                { "Decimal",  Decimal.Type },
                { "TimeSpan", Duration.Type },
                { "DateTime", DateTimeZone.Type },
                { "String",   Text.Type },
                { "Boolean",  Logical.Type },
                { "SByte",    Logical.Type },
                { "Guid",     Text.Type }
            }),

        Schema = Table.FromRecords(Response[Schema]),
        TypedSchema = Table.Join(Table.SelectColumns(Schema, {"Name", "Type"}), {"Type"}, TypeMap , {"Type"}),
        Results = Response[Results],
        Rows = Table.FromRecords(Results, Schema[Name]),
        Table = Table.TransformColumnTypes(Rows, Table.ToList(TypedSchema, (c) => {c{0}, c{2}}))

    in Table