Untitled

DeviceInfo
| join kind=leftouter (
    DeviceLogonEvents
    | summarize LastLogon = max(TimeGenerated) by DeviceId
) on DeviceId
| join kind=leftouter (
    Event
    | where EventID == 5156 // This event ID indicates drive mapping
    | summarize MappedDrives = make_set(RenderedDescription) by DeviceId
) on DeviceId
| project DeviceName = DeviceName, LoggedOnUser = LoggedOnUserName, MappedDrives