Forum Discussion

SocInABox's avatar
SocInABox
Iron Contributor
Mar 19, 2021
Solved

kql query for distinct values

Hi there, I'm trying to query all computers that match 2 or more DISTINCT DisplayName fields. I can get the distinct count: SecurityAlert | where ProductName in("Microsoft Defender Advanced Threa...
  • CliveWatson's avatar
    CliveWatson
    Mar 23, 2021

    GaryBushey 

    You might also try?

     

    SecurityAlert
| where ProductName in("Microsoft Defender Advanced Threat Protection")
| where ProviderName == "MDATP"
| mv-expand parsejson(Entities)
| extend Computer = tostring(Entities.HostName)
| where isnotempty(Computer)
| summarize dcount(DisplayName), make_set(DisplayName) by Computer
CliveWatson's avatar
CliveWatson
Former Employee
Mar 23, 2021

GaryBushey 

You might also try?

 

SecurityAlert
| where ProductName in("Microsoft Defender Advanced Threat Protection")
| where ProviderName == "MDATP"
| mv-expand parsejson(Entities)
| extend Computer = tostring(Entities.HostName)
| where isnotempty(Computer)
| summarize dcount(DisplayName), make_set(DisplayName) by Computer
GaryBushey's avatar
GaryBushey
Bronze Contributor
Mar 23, 2021

CliveWatson Much better looking code than mine.  How would you do the part where the author only wants those DisplayNames that show up at least twice?  Is it just a matter of setting the dcount(DisplayName) to a variable and then checking that there is at least 2 after that?

Resources