AVD Remote App Additional KQL Queries

This query gives you additional information about AVD Remote App usage. The output contains UserName, TimeGenerated, RemoteApplication, ApplicationName, SessionHostName, GatewayRegion, and ResourceID.

If you want the complete application path, remove these 2 lines from the query and the output will show the full application path.

    // Remove these 2 lines to include Full App Path
    | extend Parameters=replace(@"^(.*[\\\/])", "", tolower(Parameters)) // remove binary path to only keep file name
    | extend Parameters=replace(@"microsoft.windows(.+)_8wekyb3d8bbwe!app", @"\1", Parameters) //inbox apps to readable format

    WVDConnections
    | where ConnectionType == "RAIL" and State == "Connected"
    | join kind=inner
        (
        WVDCheckpoints
        | where (Name == "LaunchExecutable" and Parameters.connectionStage == "RdpShellAppExecuted") or Name == "RdpShellAppExecuted"
        | project CorrelationId, Parameters=tostring(Parameters.filename)
        | extend Parameters=trim('"', Parameters) // remove quotes for paths with spaces in them
        | extend Parameters=replace(@"^(.*[\\\/])", "", tolower(Parameters)) // remove binary path to only keep file name
        | extend Parameters=replace(@"microsoft.windows(.+)_8wekyb3d8bbwe!app", @"\1", Parameters) //inbox apps to readable format
        )
        on CorrelationId
    | project
        UserName,
        TimeGenerated,
        RemoteApplication = ResourceAlias,
        applicationName = Parameters,
        SessionHostName,
        GatewayRegion,
        _ResourceId

Example Output with UserName, TimeGenerated, RemoteApplication, ApplicationName, SessionHostName, GatewayRegion, and ResourceID.
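
As an added example (not part of the original post), the query below keeps the full path next to the short application name and summarizes launches per user and application, so the same file name launched from more than one path stands out. It runs on constructed `datatable` rows; `SampleConnections`, `SampleCheckpoints`, `FileName`, `FullPath`, `AppName` and all sample values are assumptions standing in for `WVDConnections`, `WVDCheckpoints` and `Parameters.filename`.

```kql
// Added example: constructed sample rows, not real AVD telemetry.
// FileName stands in for tostring(Parameters.filename) from WVDCheckpoints.
let SampleConnections = datatable(CorrelationId:string, UserName:string, TimeGenerated:datetime,
    ConnectionType:string, State:string, ResourceAlias:string, SessionHostName:string)
[
    "c1", "alice@contoso.example", datetime(2024-01-10 09:00:00), "RAIL", "Connected", "Notepad", "avd-sh-0",
    "c2", "alice@contoso.example", datetime(2024-01-11 09:05:00), "RAIL", "Connected", "Notepad", "avd-sh-1",
    "c3", "bob@contoso.example", datetime(2024-01-11 10:00:00), "RAIL", "Connected", "Calculator", "avd-sh-0",
    "c4", "bob@contoso.example", datetime(2024-01-12 08:30:00), "RDP", "Connected", "SessionDesktop", "avd-sh-0"
];
let SampleCheckpoints = datatable(CorrelationId:string, Name:string, FileName:string)
[
    "c1", "RdpShellAppExecuted", @'C:\Windows\System32\notepad.exe',
    "c2", "RdpShellAppExecuted", @'"D:\Portable Apps\notepad.exe"',
    "c3", "RdpShellAppExecuted", @'Microsoft.WindowsCalculator_8wekyb3d8bbwe!App',
    "c4", "RdpShellAppExecuted", @'C:\Windows\explorer.exe'
];
SampleConnections
| where ConnectionType == "RAIL" and State == "Connected" // drops the non-RAIL row c4
| join kind=inner
    (
    SampleCheckpoints
    | where Name == "RdpShellAppExecuted"
    | project CorrelationId, FullPath=tolower(trim('"', FileName)) // full path, quotes removed
    )
    on CorrelationId
// Same two normalization steps as the page's query, written to a separate column
| extend AppName=replace(@"^(.*[\\\/])", "", FullPath)
| extend AppName=replace(@"microsoft.windows(.+)_8wekyb3d8bbwe!app", @"\1", AppName)
| summarize
    Launches=count(),
    FirstSeen=min(TimeGenerated),
    LastSeen=max(TimeGenerated),
    Hosts=dcount(SessionHostName),
    Paths=make_set(FullPath)
    by UserName, RemoteApplication=ResourceAlias, AppName
| extend DistinctPaths=array_length(Paths)
| order by DistinctPaths desc, Launches desc
```

To run it against a workspace, replace the two `datatable` definitions with the real tables and restore `tostring(Parameters.filename)` in place of `FileName`.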

Basic Remote App Query for SessionHostName, RemoteApplication and GatewayRegion.

    WVDConnections
    | where ConnectionType == "RAIL" and State == "Completed"
    | project UserName, RemoteApplication = ResourceAlias, SessionHostName, GatewayRegion