witness777 (Copper Contributor)
Apr 21, 2022
How to Remove Duplicate DeviceName From Defender Query
Hello All,
I have a requirement to retrieve all devices that are using 7zip. Below is my query:
DeviceProcessEvents
| where FileName in~ ("7z.exe")
The problem is that it returns duplicate device names as shown below:
I would like to return all unique devices that have 7z.exe without the duplicates. Can someone assist?
- witness777 (Copper Contributor): I was playing around with summarize arg_max. Is the query below correct?
DeviceProcessEvents
| where FileName in~ ("7z.exe")
| summarize arg_max(FileName, *) by DeviceName
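
An added example, not part of the original posts: one row per device for the 7z.exe inventory discussed above, using Timestamp as the arg_max expression so the retained row is the device's most recent execution, and grouping on DeviceId together with DeviceName. The datatable rows and the name SampleProcessEvents are constructed sample data; against live telemetry, replace SampleProcessEvents with DeviceProcessEvents.

```kusto
// Constructed sample rows standing in for DeviceProcessEvents (not real telemetry).
let SampleProcessEvents = datatable(
    Timestamp:datetime, DeviceId:string, DeviceName:string,
    FileName:string, ProcessCommandLine:string)
[
    datetime(2022-04-20 09:15:00), "dev-001", "ws-finance-01", "7z.exe",  "7z.exe a backup.7z reports",
    datetime(2022-04-21 14:02:00), "dev-001", "ws-finance-01", "7z.exe",  "7z.exe x archive.7z",
    datetime(2022-04-21 08:30:00), "dev-002", "ws-hr-07",      "7Z.EXE",  "7Z.EXE l data.7z",
    datetime(2022-04-21 10:00:00), "dev-003", "srv-build-02",  "cmd.exe", "cmd.exe /c dir"
];
SampleProcessEvents
// Case-insensitive match on the process image name, as in the original query.
| where FileName =~ "7z.exe"
// Collapse to one row per device: execution count, first sighting,
// and the timestamp plus command line of the latest execution.
| summarize
    Executions = count(),
    FirstSeen  = min(Timestamp),
    arg_max(Timestamp, ProcessCommandLine)
    by DeviceId, DeviceName
| project-rename LastSeen = Timestamp, LastCommandLine = ProcessCommandLine
| order by LastSeen desc
```

If only the list of names is needed, ending the filtered query with `| distinct DeviceName` returns each device once without the extra columns.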