Forum Discussion
Solved
Detection Rule based on Kusto Query
Hi, I'm new to KQL and trying now to write a query to find Windows Servers that are known to Defender and which are not Onboarded. I've got my query ready and working, which is like this: DeviceIn...
Hello dmarquesgn ,
The best way to accomplish this would be to use either the arg_max() or arg_min() operator. Both of these operators bring back a single row and as many columns as you want when the specified value is maximized. In your case you would want to minimize the Timestamp column to find the first time it was seen.
Try this:
DeviceInfo | where OnboardingStatus contains "Can be onboarded" and MachineGroup contains "Windows Server" | summarize arg_min(Timestamp, DeviceName, OSDistribution, OnboardingStatus, ReportId) by DeviceId
MichaelJMelone
Microsoft
MicrosoftHello dmarquesgn ,
The best way to accomplish this would be to use either the arg_max() or arg_min() operator. Both of these operators bring back a single row and as many columns as you want when the specified value is maximized. In your case you would want to minimize the Timestamp column to find the first time it was seen.
Try this:
DeviceInfo
| where OnboardingStatus contains "Can be onboarded" and MachineGroup contains "Windows Server"
| summarize arg_min(Timestamp, DeviceName, OSDistribution, OnboardingStatus, ReportId) by DeviceId
- Thanks Michael, that was what I needed.
