Query Details
DeviceEvents
| where ActionType startswith 'Asr'
// or ActionType startswith 'ControlledFolderAccessViolation'
and ActionType endswith 'Audited'
| summarize Count = count() by ActionType, FileName, FolderPath
| sort by Count

This query reads the DeviceEvents table and keeps only events whose ActionType starts with 'Asr' and ends with 'Audited'. It groups those events by ActionType, FileName, and FolderPath and counts the occurrences in each group. Finally, it sorts the results by the count in descending order, which is the default for sort by.
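
The following is an added example, not part of the original query: it runs the same filter over a small constructed table with the commented-out ControlledFolderAccessViolation alternative enabled. The parentheses make the 'Audited' suffix check apply to both prefixes; the table name SampleDeviceEvents and every row in it are made up for illustration.

```kql
// Constructed sample rows standing in for DeviceEvents; not real telemetry.
let SampleDeviceEvents = datatable(
    Timestamp: datetime, DeviceName: string, ActionType: string,
    FileName: string, FolderPath: string)
[
    datetime(2022-10-01 09:00:00), "host-a", "AsrOfficeChildProcessAudited",
        "winword.exe", @"C:\Program Files\Microsoft Office\root\Office16",
    datetime(2022-10-01 09:05:00), "host-b", "AsrOfficeChildProcessAudited",
        "winword.exe", @"C:\Program Files\Microsoft Office\root\Office16",
    datetime(2022-10-01 09:10:00), "host-a", "AsrOfficeChildProcessBlocked",
        "excel.exe", @"C:\Program Files\Microsoft Office\root\Office16",
    datetime(2022-10-01 09:15:00), "host-c", "ControlledFolderAccessViolationAudited",
        "backup-tool.exe", @"C:\Tools",
    datetime(2022-10-01 09:20:00), "host-c", "ControlledFolderAccessViolationBlocked",
        "backup-tool.exe", @"C:\Tools",
    datetime(2022-10-01 09:25:00), "host-a", "ProcessCreatedUsingWmiQuery",
        "wmiprvse.exe", @"C:\Windows\System32\wbem"
];
SampleDeviceEvents
// Group the two prefix tests explicitly so that the suffix test below
// constrains both of them, not only the second one.
| where (ActionType startswith 'Asr'
      or ActionType startswith 'ControlledFolderAccessViolation')
    and ActionType endswith 'Audited'
| summarize Count = count() by ActionType, FileName, FolderPath
// 'desc' is spelled out here; it is also what sort by does when no order is given.
| sort by Count desc
```

Only the rows whose ActionType ends in 'Audited' reach the summarize step; the two 'Blocked' rows and the unrelated WMI row are filtered out.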

C.J. May
Released: October 13, 2022