Hi all,
I'm having trouble getting O365 UserAgent data to show up in a search. Currently, my search looks like:
sourcetype="o365:management:activity" OR sourcetype="ms:o365:management" Workload=AzureActiveDirectory Operation=UserLoggedIn
| dedup user
| iplocation ActorIpAddress
| table user, City, Region, UserAgent, ActorIpAddress, _time
| rename ActorIpAddress AS IP
| search NOT Region=Pennsylvania
| sort -_time
I've tried a few different methods of getting UserAgent data into the table view but haven't had any luck. The data is in the Event log; I just can't seem to extract it. Any suggestions would be greatly appreciated!