How to Remove Duplicate DeviceName From Defender Query


Hello All,

I have a requirement to retrieve all devices that are using 7zip. Below is my query:

DeviceProcessEvents
| where FileName in~ ("7z.exe")

The problem is that it returns duplicate device names as shown below:

[Screenshot: duplicate.PNG]

I would like to return all unique devices that have 7z.exe without the duplicates. Can someone assist?

I was playing around with summarize arg_max. Is the query below correct?

DeviceProcessEvents
| where FileName in~ ("7z.exe")
| summarize arg_max(FileName, *) by DeviceName
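As an added example (not from either post in this thread), the following Advanced Hunting query collapses the result to one row per device while keeping the details of that device's most recent 7-Zip execution and a count of how many events were collapsed. It assumes the standard DeviceProcessEvents schema columns (Timestamp, DeviceId, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessAccountName) and, going beyond the original query, also matches the 7-Zip GUI binaries 7zG.exe and 7zFM.exe; the 30-day window is an assumed choice.

```kql
// Added example, not from either post. One row per device that ran 7-Zip in the
// last 30 days, keeping the details of the most recent execution.
// Assumes the standard DeviceProcessEvents schema (Timestamp, DeviceId, DeviceName,
// FileName, FolderPath, SHA256, InitiatingProcessAccountName).
DeviceProcessEvents
| where Timestamp > ago(30d)
// 7z.exe is the command-line binary; 7zG.exe and 7zFM.exe are the GUI and file manager.
| where FileName in~ ("7z.exe", "7zG.exe", "7zFM.exe")
// arg_max(Timestamp, ...) keeps, for each group, the row with the latest Timestamp
// together with the listed columns; count() reports how many events were collapsed.
| summarize arg_max(Timestamp, FileName, FolderPath, SHA256, InitiatingProcessAccountName),
            Executions = count()
            by DeviceId, DeviceName
| project LastSeen = Timestamp, DeviceName, DeviceId, FileName, FolderPath, SHA256,
          InitiatingProcessAccountName, Executions
| order by LastSeen desc
```

If only the device names are needed, replacing everything after the two `where` lines with `| distinct DeviceName` is sufficient. Grouping by DeviceId alongside DeviceName is deliberate: a device name can be reused or renamed, while DeviceId stays stable, so keying on the name alone can silently merge two different machines. Keying arg_max on Timestamp rather than on FileName also matters: after the filter every row in a group has the same file name, so `arg_max(FileName, *)` does produce one row per device but the row it keeps is effectively arbitrary, whereas `arg_max(Timestamp, ...)` returns the latest event, which is the one you want when checking where and by whom the binary was last run.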