Query Details
Connected Pn P Types
Query
# Connected PnP types ## Query Information #### Description List the different Plug and Play (PnP) device types that are used in your organisation. The results are sorted by the total ammount of events seen for each type. #### References - https://learn.microsoft.com/en-us/powershell/module/pnpdevice/?view=windowsserver2022-ps ## Defender For Endpoint ```KQL DeviceEvents | where ActionType == "PnpDeviceConnected" | extend PNPInfo = parse_json(AdditionalFields) | extend ClassName = tostring(PNPInfo.ClassName), DeviceDescription = tostring(PNPInfo.DeviceDescription), VendorIds = tostring(PNPInfo.VendorIds), DeviceId = tostring(PNPInfo.DeviceId) | extend PnPType = tostring(split(DeviceId, @"\", 0)[0]) | summarize Total = count() by PnPType | sort by Total ``` ## Sentinel ```KQL DeviceEvents | where ActionType == "PnpDeviceConnected" | extend PNPInfo = parse_json(AdditionalFields) | extend ClassName = tostring(PNPInfo.ClassName), DeviceDescription = tostring(PNPInfo.DeviceDescription), VendorIds = tostring(PNPInfo.VendorIds), DeviceId = tostring(PNPInfo.DeviceId) | extend PnPType = tostring(split(DeviceId, @"\", 0)[0]) | summarize Total = count() by PnPType | sort by Total ```
Explanation
This query retrieves a list of different Plug and Play (PnP) device types used in the organization. It filters for events where the action type is "PnpDeviceConnected" and extracts relevant information from the AdditionalFields. The query then calculates the total count of events for each PnP device type and sorts the results by the total count.
Details
Bert-Jan Pals
Released: October 24, 2023
Tables
DeviceEvents
Keywords
Keywords:DeviceEvents,ActionType,PnpDeviceConnected,AdditionalFields,parse_json,ClassName,DeviceDescription,VendorIds,DeviceId,PnPType,summarize,Total,sort
Operators
whereextendparse_jsontostringsplitsummarizecountbysort