Forum Discussion
How to Remove Duplicate DeviceName From Defender Query
Hello All, I have a requirement to retrieve all Devices that is using 7zip. Below is my query: DeviceProcessEvents | where FileName in~ ("7z.exe") The problem is that it returns duplica...
I was playing around with summarize arg_max. Is the query below correct?
DeviceProcessEvents
| where FileName in~ ("7z.exe")
| summarize arg_max(FileName, *) by DeviceName
DeviceProcessEvents
| where FileName in~ ("7z.exe")
| summarize arg_max(FileName, *) by DeviceName