Forum Discussion

dmarquesgn's avatar
dmarquesgn
Iron Contributor
Oct 04, 2022
Solved

Detection Rule based on Kusto Query

Hi, I'm new to KQL and trying now to write a query to find Windows Servers that are known to Defender and which are not Onboarded. I've got my query ready and working, which is like this: DeviceIn...
Onboarding
  • MichaelJMelone's avatar
    MichaelJMelone
    Oct 04, 2022

    Hello dmarquesgn ,

    The best way to accomplish this would be to use either the arg_max() or arg_min() operator. Both of these operators bring back a single row and as many columns as you want when the specified value is maximized. In your case you would want to minimize the Timestamp column to find the first time it was seen.

     Try this:

     

     

    DeviceInfo
| where OnboardingStatus contains "Can be onboarded" and MachineGroup contains "Windows Server"
| summarize arg_min(Timestamp, DeviceName, OSDistribution, OnboardingStatus, ReportId) by DeviceId

     

     

MichaelJMelone's avatar
MichaelJMelone
Icon for Microsoft rankMicrosoft
Oct 04, 2022

Hello dmarquesgn ,

The best way to accomplish this would be to use either the arg_max() or arg_min() operator. Both of these operators bring back a single row and as many columns as you want when the specified value is maximized. In your case you would want to minimize the Timestamp column to find the first time it was seen.

 Try this:

 

 

DeviceInfo
| where OnboardingStatus contains "Can be onboarded" and MachineGroup contains "Windows Server"
| summarize arg_min(Timestamp, DeviceName, OSDistribution, OnboardingStatus, ReportId) by DeviceId

 

 

dmarquesgn's avatar
dmarquesgn
Iron Contributor
Oct 09, 2022
Thanks Michael, that was what I needed.

Resources