dmarquesgn
Sep 06, 2023 (Iron Contributor)
KQL Query to extract list of devices
Hi, I'm trying to automate some things in our environment, and now I'm trying to extract a list of devices from our Defender environment so that I can then make some comparisons in PowerShell. So my f...
GI472
Sep 07, 2023 (Brass Contributor)
Check the time/days in the KQL editor dmarquesgn
The asset inventory is the last 30 days, whereas you may have your KQL query set to the last 7 days or something.
If it's not that, then pass.
dmarquesgn
Sep 07, 2023 (Iron Contributor)
Thanks for the tip. The issue is certainly because of the 30 days of data which is returned by the Hunting Query, while on the exported list of devices from the "Devices" view in the portal, I got devices whose last device update was 6 months ago.
So now I'm using this query:
DeviceInfo
| distinct DeviceId, DeviceName, ClientVersion, OSPlatform, JoinType, AadDeviceId, OnboardingStatus, DeviceCategory, DeviceType, DeviceSubtype, Model, Vendor, OSDistribution, OSVersionInfo, SensorHealthState
Now I've got another odd issue. Running the hunting query in the Defender portal, I get 4079 results. Running the hunting query via PowerShell returns 8105 results, and most of the devices are duplicated, which is kind of odd, and I haven't yet understood why.
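An added example, not part of the original thread: `distinct` returns one row per unique combination of the listed columns, so a device appears more than once whenever any of those columns took more than one value in the queried window. The PowerShell below groups the returned rows by DeviceId and reports which columns differ; the sample rows are constructed, and the function name `Get-DuplicateDeviceReport` is hypothetical.

```powershell
# Constructed sample rows standing in for the hunting-query results
# (assumption: the results are already PSCustomObjects with the query's columns).
$rows = @(
    [pscustomobject]@{ DeviceId = 'dev-001'; DeviceName = 'ws-01';  ClientVersion = '10.8000.1'; SensorHealthState = 'Active' }
    [pscustomobject]@{ DeviceId = 'dev-001'; DeviceName = 'ws-01';  ClientVersion = '10.8100.2'; SensorHealthState = 'Active' }
    [pscustomobject]@{ DeviceId = 'dev-002'; DeviceName = 'srv-01'; ClientVersion = '10.8100.2'; SensorHealthState = 'Active' }
    [pscustomobject]@{ DeviceId = 'dev-003'; DeviceName = 'ws-07';  ClientVersion = '10.8100.2'; SensorHealthState = 'Active' }
    [pscustomobject]@{ DeviceId = 'dev-003'; DeviceName = 'ws-07';  ClientVersion = '10.8100.2'; SensorHealthState = 'Inactive' }
    # Exact duplicate of the previous row, as a paging or merge error would produce.
    [pscustomobject]@{ DeviceId = 'dev-003'; DeviceName = 'ws-07';  ClientVersion = '10.8100.2'; SensorHealthState = 'Inactive' }
)

function Get-DuplicateDeviceReport {
    param(
        [Parameter(Mandatory)][object[]]$Rows,
        [string]$Key = 'DeviceId'
    )

    foreach ($group in ($Rows | Group-Object -Property $Key)) {
        if ($group.Count -lt 2) { continue }   # device appears once, nothing to explain

        $columns = $group.Group[0].PSObject.Properties.Name | Where-Object { $_ -ne $Key }

        # Collect the columns that hold more than one distinct value for this device.
        $varying = foreach ($col in $columns) {
            $values = @($group.Group | ForEach-Object { [string]$_.$col } | Sort-Object -Unique)
            if ($values.Count -gt 1) { '{0}: {1}' -f $col, ($values -join ' | ') }
        }

        [pscustomobject]@{
            Key      = $group.Name
            RowCount = $group.Count
            Varying  = if ($varying) { $varying -join '; ' } else { '(rows are identical)' }
        }
    }
}

Get-DuplicateDeviceReport -Rows $rows | Format-Table -AutoSize -Wrap

# Compare the raw row count with the number of unique devices.
$unique = @($rows | Select-Object -ExpandProperty DeviceId -Unique).Count
'{0} rows, {1} unique DeviceId values' -f $rows.Count, $unique
```

Devices whose rows differ only in a column such as ClientVersion or SensorHealthState are distinct combinations rather than true duplicates; devices reported as `(rows are identical)` point at the retrieval step instead.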