How to Remove Duplicate DeviceName From Defender Query

Hello All,


I have a requirement to retrieve all devices that are using 7zip. Below is my query:


| where FileName in~ ("7z.exe")

The problem is that it returns duplicate device names as shown below:

I would like to return all unique devices that have 7z.exe without the duplicates. Can someone assist?


1 Reply
I was playing around with summarize arg_max. Is the query below correct?

| where FileName in~ ("7z.exe")
| summarize arg_max(FileName, *) by DeviceName
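
Two ways to get one row per device, shown as an added example that is not part of the original thread. The datatable rows are constructed and stand in for the source table, which the post does not name; the Timestamp and FolderPath columns are assumed to be present in that table.

```kusto
// Constructed sample rows; replace SampleEvents with the real source table.
let SampleEvents = datatable(Timestamp: datetime, DeviceName: string, FileName: string, FolderPath: string)
[
    datetime(2024-01-10 08:00:00), "pc-01", "7z.exe",      @"C:\Program Files\7-Zip",
    datetime(2024-01-12 09:30:00), "pc-01", "7Z.EXE",      @"C:\Program Files\7-Zip",
    datetime(2024-01-11 14:15:00), "pc-02", "7z.exe",      @"C:\Tools",
    datetime(2024-01-13 16:45:00), "pc-02", "7z.exe",      @"C:\Tools",
    datetime(2024-01-12 11:00:00), "pc-03", "notepad.exe", @"C:\Windows"
];
// in~ is case-insensitive, so "7Z.EXE" matches as well.
let Matches = SampleEvents
    | where FileName in~ ("7z.exe");
// Option 1: only the list of device names is needed.
//   Matches | distinct DeviceName
// Option 2: one row per device, keeping the columns of its most recent
// matching event plus the number of matching events that were collapsed.
Matches
| summarize arg_max(Timestamp, *), MatchingEvents = count() by DeviceName
| project DeviceName, LastSeen = Timestamp, FileName, FolderPath, MatchingEvents
| order by DeviceName asc
```

On the sample rows this returns two rows, pc-01 and pc-02, each with MatchingEvents = 2 and the details of its latest event.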