Data Table Size Per MDE Device

//Calculate the size of the combined Device* tables from Defender for Endpoint by device name //Data connector required for this query - M365 Defender - Device* tables union withsource=_TableName Device* | where TimeGenerated > ago(7d) | summarize Entries = count(), Size = sum(_BilledSize) by DeviceName | project ['Device Name'] = DeviceName, ['Table Size'] = Size, ['Table Entries'] = Entries, ['Size per Entry'] = 1.0 * Size / Entries | order by ['Table Size'] desc

Explanation

This query calculates the size of the combined Device* tables from Defender for Endpoint based on the device name. It uses a data connector called M365 Defender - Device* tables. The query filters the data to include only the entries from the past 7 days. It then summarizes the data by device name, counting the number of entries and calculating the total size. The results are projected into a table with columns for Device Name, Table Size, Table Entries, and Size per Entry. The final output is ordered by Table Size in descending order.

Details

Matt Zorich

Released: June 17, 2022

Tables

DeviceTvmDeviceNetworkDeviceRegistryDeviceFileDeviceProcessDeviceImageDeviceLogonDeviceSecurityEventDeviceAlertDevicePrintDeviceRegistryValueDeviceRegistryKeyDeviceRegistryValueChangeDeviceRegistryKeyChangeDeviceRegistryValueChangeV2DeviceRegistryKeyChangeV2DeviceProcessEventsDeviceProcessEventsV2DeviceProcessEventsV3DeviceProcessEventsV4DeviceProcessEventsV5DeviceProcessEventsV6DeviceProcessEventsV7DeviceProcessEventsV8DeviceProcessEventsV9DeviceProcessEventsV10DeviceProcessEventsV11DeviceProcessEventsV12DeviceProcessEventsV13DeviceProcessEventsV14DeviceProcessEventsV15DeviceProcessEventsV16DeviceProcessEventsV17DeviceProcessEventsV18DeviceProcessEventsV19DeviceProcessEventsV20DeviceProcessEventsV21DeviceProcessEventsV22DeviceProcessEventsV23DeviceProcessEventsV24DeviceProcessEventsV25DeviceProcessEventsV26DeviceProcessEventsV27DeviceProcessEventsV28DeviceProcessEventsV29DeviceProcessEventsV30DeviceProcessEventsV31DeviceProcessEventsV32DeviceProcessEventsV33DeviceProcessEventsV34DeviceProcessEventsV35DeviceProcessEventsV36DeviceProcessEventsV37DeviceProcessEventsV38DeviceProcessEventsV39DeviceProcessEventsV40DeviceProcessEventsV41DeviceProcessEventsV42DeviceProcessEventsV43DeviceProcessEventsV44DeviceProcessEventsV45DeviceProcessEventsV46DeviceProcessEventsV47DeviceProcessEventsV48DeviceProcessEventsV49DeviceProcessEventsV50DeviceProcessEventsV51DeviceProcessEventsV52DeviceProcessEventsV53DeviceProcessEventsV54DeviceProcessEventsV55DeviceProcessEventsV56DeviceProcessEventsV57DeviceProcessEventsV58DeviceProcessEventsV59DeviceProcessEventsV60DeviceProcessEventsV61DeviceProcessEventsV62DeviceProcessEventsV63DeviceProcessEventsV64DeviceProcessEventsV65DeviceProcessEventsV66DeviceProcessEventsV67DeviceProcessEventsV68DeviceProcessEventsV69DeviceProcessEventsV70DeviceProcessEventsV71DeviceProcessEventsV72DeviceProcessEventsV73DeviceProcessEventsV74DeviceProcessEventsV75DeviceProcessEventsV76DeviceProcessEventsV77DeviceProcessEventsV78DeviceProcessEventsV79DeviceProcessEventsV80DeviceProcessEventsV81DeviceProcessEventsV82DeviceProcessEventsV83DeviceProcessEventsV84DeviceProcessEventsV85DeviceProcessEventsV86DeviceProcessEventsV87DeviceProcessEventsV88DeviceProcessEventsV89DeviceProcessEventsV90DeviceProcessEventsV91DeviceProcessEventsV92DeviceProcessEventsV93DeviceProcessEventsV94DeviceProcessEventsV95DeviceProcessEventsV96DeviceProcessEventsV97DeviceProcessEventsV98DeviceProcessEventsV99DeviceProcessEventsV100DeviceProcessEventsV101DeviceProcessEventsV102DeviceProcessEventsV103DeviceProcessEventsV104DeviceProcessEventsV105DeviceProcessEventsV106DeviceProcessEventsV107DeviceProcessEventsV108DeviceProcessEventsV109DeviceProcessEventsV110DeviceProcessEventsV111DeviceProcessEventsV112DeviceProcessEventsV113DeviceProcessEventsV114DeviceProcessEventsV115DeviceProcessEventsV116DeviceProcessEventsV117DeviceProcessEventsV118DeviceProcessEventsV119DeviceProcessEventsV120DeviceProcessEventsV121DeviceProcessEventsV122DeviceProcessEventsV123DeviceProcessEventsV124DeviceProcessEventsV125DeviceProcessEventsV126DeviceProcessEventsV127DeviceProcessEventsV128DeviceProcessEventsV129DeviceProcessEventsV130DeviceProcessEventsV131DeviceProcessEventsV132DeviceProcessEventsV133DeviceProcessEventsV134DeviceProcessEventsV135DeviceProcessEventsV136DeviceProcessEventsV137DeviceProcessEventsV138DeviceProcessEventsV139DeviceProcessEventsV140DeviceProcessEventsV141DeviceProcessEventsV142DeviceProcessEventsV143DeviceProcessEventsV144DeviceProcessEventsV145DeviceProcessEventsV146DeviceProcessEventsV147DeviceProcessEventsV148DeviceProcessEventsV149DeviceProcessEventsV150DeviceProcessEventsV151DeviceProcessEventsV152DeviceProcessEventsV153DeviceProcessEventsV154DeviceProcessEventsV155DeviceProcessEventsV156DeviceProcessEventsV157DeviceProcessEventsV158DeviceProcessEventsV159DeviceProcessEventsV160DeviceProcessEventsV161DeviceProcessEventsV162DeviceProcessEventsV163DeviceProcessEventsV164DeviceProcessEventsV165DeviceProcessEventsV166DeviceProcessEventsV167DeviceProcessEventsV168DeviceProcessEventsV169DeviceProcessEventsV170DeviceProcessEventsV171DeviceProcessEventsV172DeviceProcessEventsV173DeviceProcessEventsV174DeviceProcessEventsV175DeviceProcessEventsV176DeviceProcessEventsV177DeviceProcessEventsV178DeviceProcessEventsV179DeviceProcessEventsV180DeviceProcessEventsV181DeviceProcessEventsV182DeviceProcessEventsV183DeviceProcessEventsV184DeviceProcessEventsV185DeviceProcessEventsV186DeviceProcessEventsV187DeviceProcessEventsV188DeviceProcessEventsV189DeviceProcessEventsV190DeviceProcessEventsV191DeviceProcessEventsV192DeviceProcessEventsV193DeviceProcessEventsV194DeviceProcessEventsV195DeviceProcessEventsV196DeviceProcessEventsV197DeviceProcessEventsV198DeviceProcessEventsV199DeviceProcessEventsV200DeviceProcessEventsV201DeviceProcessEventsV202DeviceProcessEventsV203DeviceProcessEventsV204DeviceProcessEventsV205DeviceProcessEventsV206DeviceProcessEventsV207DeviceProcessEventsV208DeviceProcessEventsV209DeviceProcessEventsV210DeviceProcessEventsV211DeviceProcessEventsV212DeviceProcessEventsV213DeviceProcessEventsV214DeviceProcessEventsV215DeviceProcessEventsV216DeviceProcessEventsV217DeviceProcessEventsV218DeviceProcessEventsV219DeviceProcessEventsV220DeviceProcessEventsV221DeviceProcessEventsV222DeviceProcessEventsV223DeviceProcessEventsV224DeviceProcessEventsV225DeviceProcessEventsV226DeviceProcessEventsV227DeviceProcessEventsV228DeviceProcessEventsV229DeviceProcessEventsV230DeviceProcessEventsV231DeviceProcessEventsV232DeviceProcessEventsV233DeviceProcessEventsV234DeviceProcessEventsV235DeviceProcessEventsV236DeviceProcessEventsV237DeviceProcessEventsV238DeviceProcessEventsV239DeviceProcessEventsV240DeviceProcessEventsV241DeviceProcessEventsV242DeviceProcessEventsV243DeviceProcessEventsV244DeviceProcessEventsV245DeviceProcessEventsV246DeviceProcessEventsV247DeviceProcessEventsV248DeviceProcessEventsV249DeviceProcessEventsV250DeviceProcessEventsV251DeviceProcessEventsV252DeviceProcessEventsV253DeviceProcessEventsV254DeviceProcessEventsV255DeviceProcessEventsV256DeviceProcessEventsV257DeviceProcessEventsV258DeviceProcessEventsV259DeviceProcessEventsV260DeviceProcessEventsV261DeviceProcessEventsV262DeviceProcessEventsV263DeviceProcessEventsV264DeviceProcessEventsV265DeviceProcessEventsV266DeviceProcessEventsV267DeviceProcessEventsV268DeviceProcessEventsV269DeviceProcessEventsV270DeviceProcessEventsV271DeviceProcessEventsV272DeviceProcessEventsV273DeviceProcessEventsV274DeviceProcessEventsV275DeviceProcessEventsV276DeviceProcessEventsV277DeviceProcessEventsV278DeviceProcessEventsV279DeviceProcessEventsV280DeviceProcessEventsV281DeviceProcessEventsV282DeviceProcessEventsV283DeviceProcessEventsV284DeviceProcessEventsV285DeviceProcessEventsV286DeviceProcessEventsV287DeviceProcessEventsV288DeviceProcessEventsV289DeviceProcessEventsV290DeviceProcessEventsV291DeviceProcessEventsV292DeviceProcessEventsV293DeviceProcessEventsV294DeviceProcessEventsV295DeviceProcessEventsV296DeviceProcessEventsV297DeviceProcessEventsV298DeviceProcessEventsV299DeviceProcessEventsV300DeviceProcessEventsV301DeviceProcessEventsV302DeviceProcessEventsV303DeviceProcessEventsV304DeviceProcessEventsV305DeviceProcessEventsV306DeviceProcessEventsV307DeviceProcessEventsV308DeviceProcessEventsV309DeviceProcessEventsV310DeviceProcessEventsV311DeviceProcessEventsV312DeviceProcessEventsV313DeviceProcessEventsV314DeviceProcessEventsV315DeviceProcessEventsV316DeviceProcessEventsV317DeviceProcessEventsV318DeviceProcessEventsV319DeviceProcessEventsV320DeviceProcessEventsV321DeviceProcessEventsV322DeviceProcessEventsV323DeviceProcessEventsV324DeviceProcessEventsV325DeviceProcessEventsV326DeviceProcessEventsV327DeviceProcessEventsV328DeviceProcessEventsV329DeviceProcessEventsV330DeviceProcessEventsV331DeviceProcessEventsV332DeviceProcessEventsV333DeviceProcessEventsV334DeviceProcessEventsV335DeviceProcessEventsV336DeviceProcessEventsV337DeviceProcessEventsV338DeviceProcessEventsV339DeviceProcessEventsV340DeviceProcessEventsV341DeviceProcessEventsV342DeviceProcessEventsV343DeviceProcessEventsV344DeviceProcessEventsV345DeviceProcessEventsV346DeviceProcessEventsV347DeviceProcessEventsV348DeviceProcessEventsV349DeviceProcessEventsV350DeviceProcessEventsV351DeviceProcessEventsV352DeviceProcessEventsV353DeviceProcessEventsV354DeviceProcessEventsV355DeviceProcessEventsV356DeviceProcessEventsV357DeviceProcessEventsV358DeviceProcessEventsV359DeviceProcessEventsV360DeviceProcessEventsV361DeviceProcessEventsV362DeviceProcessEventsV363DeviceProcessEventsV364DeviceProcessEventsV365DeviceProcessEventsV366DeviceProcessEventsV367DeviceProcessEventsV368DeviceProcessEventsV369DeviceProcessEventsV370DeviceProcessEventsV371DeviceProcessEventsV372DeviceProcessEventsV373DeviceProcessEventsV374DeviceProcessEventsV375DeviceProcessEventsV376DeviceProcessEventsV377DeviceProcessEventsV378DeviceProcessEventsV379DeviceProcessEventsV380DeviceProcessEventsV381DeviceProcessEventsV382DeviceProcessEventsV383DeviceProcessEventsV384DeviceProcessEventsV385DeviceProcessEventsV386DeviceProcessEventsV387DeviceProcessEventsV388DeviceProcessEventsV389DeviceProcessEventsV390DeviceProcessEventsV391DeviceProcessEventsV392DeviceProcessEventsV393DeviceProcessEventsV394DeviceProcessEventsV395DeviceProcessEventsV396DeviceProcessEventsV397DeviceProcessEventsV398DeviceProcessEventsV399DeviceProcessEventsV400DeviceProcessEventsV401DeviceProcessEventsV402DeviceProcessEventsV403DeviceProcessEventsV404DeviceProcessEventsV405DeviceProcessEventsV406DeviceProcessEventsV407DeviceProcessEventsV408DeviceProcessEventsV409DeviceProcessEventsV410DeviceProcessEventsV411DeviceProcessEventsV412DeviceProcessEventsV413DeviceProcessEventsV414DeviceProcessEventsV415DeviceProcessEventsV416DeviceProcessEventsV417DeviceProcessEventsV418DeviceProcessEventsV419DeviceProcessEventsV420DeviceProcessEventsV421DeviceProcessEventsV422DeviceProcessEventsV423DeviceProcessEventsV424DeviceProcessEventsV425DeviceProcessEventsV426DeviceProcessEventsV427DeviceProcessEventsV428DeviceProcessEventsV429DeviceProcessEventsV430DeviceProcessEventsV431DeviceProcessEventsV432DeviceProcessEventsV433DeviceProcessEventsV434DeviceProcessEventsV435DeviceProcessEventsV436DeviceProcessEventsV437DeviceProcessEventsV438DeviceProcessEventsV439DeviceProcessEventsV440DeviceProcessEventsV441DeviceProcessEventsV442DeviceProcessEventsV443DeviceProcessEventsV444DeviceProcessEventsV445DeviceProcessEventsV446DeviceProcessEventsV447DeviceProcessEventsV448DeviceProcessEventsV449DeviceProcessEventsV450DeviceProcessEventsV451DeviceProcessEventsV452DeviceProcessEventsV453DeviceProcessEventsV454DeviceProcessEventsV455DeviceProcessEventsV456DeviceProcessEventsV457DeviceProcessEventsV458DeviceProcessEventsV459DeviceProcessEventsV460DeviceProcessEventsV461DeviceProcessEventsV462DeviceProcessEventsV463DeviceProcessEventsV464DeviceProcessEventsV465DeviceProcessEventsV466DeviceProcessEventsV467DeviceProcessEventsV468DeviceProcessEventsV469DeviceProcessEventsV470DeviceProcessEventsV471DeviceProcessEventsV472DeviceProcessEventsV473DeviceProcessEventsV474DeviceProcessEventsV475DeviceProcessEventsV476DeviceProcessEventsV477DeviceProcessEventsV478DeviceProcessEventsV479DeviceProcessEventsV480DeviceProcessEventsV481DeviceProcessEventsV482DeviceProcessEventsV483DeviceProcessEventsV484DeviceProcessEventsV485DeviceProcessEventsV486DeviceProcessEventsV487DeviceProcessEventsV488DeviceProcessEventsV489DeviceProcessEventsV490DeviceProcessEventsV491DeviceProcessEventsV492DeviceProcessEventsV493DeviceProcessEventsV494DeviceProcessEventsV495DeviceProcessEventsV496DeviceProcessEventsV497DeviceProcessEventsV498DeviceProcessEventsV499DeviceProcessEventsV500DeviceProcessEventsV501DeviceProcessEventsV502DeviceProcessEventsV503DeviceProcessEventsV504DeviceProcessEventsV505DeviceProcessEventsV506DeviceProcessEventsV507DeviceProcessEventsV508DeviceProcessEventsV509DeviceProcessEventsV510DeviceProcessEventsV511DeviceProcessEventsV512DeviceProcessEventsV513DeviceProcessEventsV514DeviceProcessEventsV515DeviceProcessEventsV516DeviceProcessEventsV517DeviceProcessEventsV518DeviceProcessEventsV519DeviceProcessEventsV520DeviceProcessEventsV521DeviceProcessEventsV522DeviceProcessEventsV523DeviceProcessEventsV524DeviceProcessEventsV525DeviceProcessEventsV526DeviceProcessEventsV527DeviceProcessEventsV528DeviceProcessEventsV529DeviceProcessEventsV530DeviceProcessEventsV531DeviceProcessEventsV532DeviceProcessEventsV533DeviceProcessEventsV534DeviceProcessEventsV535DeviceProcessEventsV536DeviceProcessEventsV537DeviceProcessEventsV538DeviceProcessEventsV539DeviceProcessEventsV540DeviceProcessEventsV541DeviceProcessEventsV542DeviceProcessEventsV543DeviceProcessEventsV544DeviceProcessEventsV545DeviceProcessEventsV546DeviceProcessEventsV547DeviceProcessEventsV548DeviceProcessEventsV549DeviceProcessEventsV550DeviceProcessEventsV551DeviceProcessEventsV552DeviceProcessEventsV553DeviceProcessEventsV554DeviceProcessEventsV555DeviceProcessEventsV556DeviceProcessEventsV557DeviceProcessEventsV558DeviceProcessEventsV559DeviceProcessEventsV560DeviceProcessEventsV561DeviceProcessEventsV562DeviceProcessEventsV563DeviceProcessEventsV564DeviceProcessEventsV565DeviceProcessEventsV566DeviceProcessEventsV567DeviceProcessEventsV568DeviceProcessEventsV569DeviceProcessEventsV570DeviceProcessEventsV571DeviceProcessEventsV572DeviceProcessEventsV573DeviceProcessEventsV574DeviceProcessEventsV575DeviceProcessEventsV576DeviceProcessEventsV577DeviceProcessEventsV578DeviceProcessEventsV579DeviceProcessEventsV580DeviceProcessEventsV581DeviceProcessEventsV582DeviceProcessEventsV583DeviceProcessEventsV584DeviceProcessEventsV585DeviceProcessEventsV586DeviceProcessEventsV587DeviceProcessEventsV588DeviceProcessEventsV589DeviceProcessEventsV590DeviceProcessEventsV591DeviceProcessEventsV592DeviceProcessEventsV593DeviceProcessEventsV594DeviceProcessEventsV595DeviceProcessEventsV596DeviceProcessEventsV597DeviceProcessEventsV598DeviceProcessEventsV599DeviceProcessEventsV600DeviceProcessEventsV601DeviceProcessEventsV602DeviceProcessEventsV603DeviceProcessEventsV604DeviceProcessEventsV605DeviceProcessEventsV606DeviceProcessEventsV607DeviceProcessEventsV608DeviceProcessEventsV609DeviceProcessEventsV610DeviceProcessEventsV611DeviceProcessEventsV612DeviceProcessEventsV613DeviceProcessEventsV614DeviceProcessEventsV615DeviceProcessEventsV616DeviceProcessEventsV617DeviceProcessEventsV618DeviceProcessEventsV619DeviceProcessEventsV620DeviceProcessEventsV621DeviceProcessEventsV622DeviceProcessEventsV623DeviceProcessEventsV624DeviceProcessEventsV625DeviceProcessEventsV626DeviceProcessEventsV627DeviceProcessEventsV628DeviceProcessEventsV629DeviceProcessEventsV630DeviceProcessEventsV631DeviceProcessEventsV632DeviceProcessEventsV633DeviceProcessEventsV634DeviceProcessEventsV635DeviceProcessEventsV636DeviceProcessEventsV637DeviceProcessEventsV638DeviceProcessEventsV639DeviceProcessEventsV640DeviceProcessEventsV641DeviceProcessEventsV642DeviceProcessEventsV643DeviceProcessEvents

Keywords

DeviceName,TimeGenerated,ago,Entries,Size,DeviceName,TableSize,TableEntries,SizeperEntry

Operators

unionwithsourcewhereagosummarizecountsumbyprojectorder bydesc

KQL Search