How to Remove Duplicate DeviceName From Defender Query


Hello All,

 

I have a requirement to retrieve all devices that are using 7zip. Below is my query:

 

DeviceProcessEvents
| where FileName in~ ("7z.exe")
 
The problem is that it returns duplicate device names as shown below:
[attached screenshot: duplicate.PNG]
 
I would like to return all unique devices that have 7z.exe without the duplicates. Can someone assist?

 

1 Reply
I was playing around with summarize arg_max. Is the query below correct?

DeviceProcessEvents
| where FileName in~ ("7z.exe")
| summarize arg_max(FileName, *) by DeviceName
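As an added example (not the poster's query, and not an official Microsoft sample), the Advanced Hunting query below collapses DeviceProcessEvents to one row per device while keeping the information a defender usually wants next to the device name: when 7z.exe was first and last launched, how many times, and which accounts ran it. `summarize ... by DeviceName, DeviceId` is what removes the duplicates; the `arg_max(Timestamp, *)` variant, which keeps the single most recent full event per device, is shown as a second query. The 30-day window is an assumed lookback, not something from the original post.

```kusto
// Added example, not the original poster's query.
// One row per device that ran 7z.exe, with first/last seen, launch count and accounts.
DeviceProcessEvents
| where Timestamp > ago(30d)            // assumed lookback window
| where FileName =~ "7z.exe"           // case-insensitive match, same as in~ ("7z.exe")
| summarize FirstSeen = min(Timestamp),
            LastSeen  = max(Timestamp),
            Launches  = count(),
            Accounts  = make_set(AccountName, 10)
    by DeviceName, DeviceId              // grouping on both avoids merging renamed/re-imaged hosts
| order by LastSeen desc

// Variant: keep the most recent complete event (all columns) for each device.
// arg_max picks the row with the largest Timestamp within each DeviceName group.
DeviceProcessEvents
| where Timestamp > ago(30d)
| where FileName =~ "7z.exe"
| summarize arg_max(Timestamp, *) by DeviceName
| project DeviceName, DeviceId, LastSeen = Timestamp, AccountName, ProcessCommandLine, InitiatingProcessFileName
```

If only the list of names is needed, `| distinct DeviceName` after the `where` clause is enough; `summarize` is preferable when the result will be triaged, because the launch count and initiating process help separate an installed archiver from an unexpected one-off execution.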