Forum Discussion

witness777
Apr 21, 2022

How to Remove Duplicate DeviceName From Defender Query

Hello All,

I have a requirement to retrieve all devices that are using 7zip. Below is my query:

DeviceProcessEvents
| where FileName in~ ("7z.exe")

The problem is that it returns duplicate device names as shown below:

I would like to return all unique devices that have 7z.exe without the duplicates. Can someone assist?


  • witness777
    I was playing around with summarize arg_max. Is the query below correct?

    DeviceProcessEvents
    | where FileName in~ ("7z.exe")
    | summarize arg_max(FileName, *) by DeviceName
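A de-duplicated version of the hunt, added here as an example and not taken from the thread. It assumes the standard Defender DeviceProcessEvents columns (Timestamp, DeviceId, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessAccountName) and a 30-day lookback; it maximizes Timestamp rather than FileName so each device's row carries its most recent 7z.exe launch, and groups on DeviceId as well as DeviceName so a reused host name does not merge two machines. If only the names are needed, `| distinct DeviceName` after the where clause is the minimal form.

```kql
// Added example, not from the thread. Assumes the standard Defender
// DeviceProcessEvents schema and a 30-day lookback window.
DeviceProcessEvents
| where Timestamp > ago(30d)
| where FileName in~ ("7z.exe")
// One row per device: arg_max on Timestamp keeps the path and hash of
// the latest launch; DeviceId guards against reused or renamed hosts.
| summarize
    FirstSeen  = min(Timestamp),
    Executions = count(),
    Users      = make_set(InitiatingProcessAccountName, 20),
    arg_max(Timestamp, FolderPath, SHA256)
    by DeviceId, DeviceName
| project-rename LastSeen = Timestamp
| project DeviceName, DeviceId, FirstSeen, LastSeen, Executions, FolderPath, SHA256, Users
| order by LastSeen desc
```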
