Forum Discussion

AmjadGov
Copper Contributor
Oct 06, 2022
Solved

Remove Duplicate USB user name events from Advance Hunting Query, 365 Defender Portal

Hi,   I posted this a while back, and it was resolved, but then noticed for larger clients the duplicates are back 😞   Topic:  Microsoft Defender for Endpoint Device Control Removable Storage S...
  • Jonhed
    Oct 11, 2022
    So basically, what you want is something similar to the below.
    I do not quite know how the actual output of your query looks, so I can't tell you what needs to go and what needs to stay, but maybe this will give you a hint.

    | summarize make_set(SerialNumber) by InitiatingProcessAccountUpn

    This would give you one entry per UPN, and then an array of unique serial numbers of the drives said user has used.

    If you need info from multiple fields and not just the Serial Numbers, you can append multiple values like below.
    | extend StorageInfo = strcat_delim(';', SerialNumber,Manufacturer)
    | summarize make_set(StorageInfo) by InitiatingProcessAccountUpn

    Not exactly what you requested, but if you want 1 entry per user and unique device (if 1 user used 3 different devices, you get 3 entries) you can do it like below.
    | distinct InitiatingProcessAccountUpn,SerialNumber,Manufacturer
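
A fuller version of the two-step dedup described in the reply above, added here as an example and not part of any post in the thread. It assumes the removable-storage events are DeviceEvents rows with ActionType "UsbDriveMounted" and that SerialNumber, Manufacturer and ProductName are fields inside AdditionalFields; the parsed field names are an assumption and may differ in your tenant.

```kusto
// Added example, not from the thread. Assumed schema: DeviceEvents rows with
// ActionType "UsbDriveMounted" and device details in AdditionalFields (JSON);
// adjust the parsed field names to what your tenant actually emits.
DeviceEvents
| where Timestamp > ago(30d)
| where ActionType == "UsbDriveMounted"
| where isnotempty(InitiatingProcessAccountUpn)
| extend parsed = parse_json(AdditionalFields)
| extend SerialNumber = tostring(parsed.SerialNumber),
         Manufacturer = tostring(parsed.Manufacturer),
         ProductName  = tostring(parsed.ProductName)
// Pass 1: one row per (user, physical device). Collapses repeated mount
// events for the same stick while keeping when and on which hosts it was seen.
| summarize MountCount = count(),
            FirstSeen  = min(Timestamp),
            LastSeen   = max(Timestamp),
            Hosts      = make_set(DeviceName, 50)
         by InitiatingProcessAccountUpn, SerialNumber, Manufacturer, ProductName
// Pass 2: one row per user with the set of distinct devices, so a user who
// touches an unusually large number of different sticks stands out for review.
| summarize DistinctDevices = dcount(SerialNumber),
            Devices = make_set(strcat_delim(';', SerialNumber, Manufacturer, ProductName), 100),
            TotalMounts = sum(MountCount),
            FirstSeen = min(FirstSeen),
            LastSeen  = max(LastSeen)
         by InitiatingProcessAccountUpn
// Tuning threshold (assumed value): drop this line to list every user.
| where DistinctDevices >= 3
| order by DistinctDevices desc, TotalMounts desc
```

Removing the final `where` gives the full per-user inventory; keeping it turns the same query into a review list of users with many distinct devices.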
