Query Details

Device Find New Events

Query

//Find any new DeviceEvents found in your environment over the last week compared to the last 6 months

//Data connector required for this query - M365 Defender - Device* tables

//First find existing action types over the six months
let knownevents=
    DeviceEvents
    | where TimeGenerated > ago(180d) and TimeGenerated < ago(7d)
    | distinct ActionType;
//Find new action types in the last week, the time they were first seen and how many counts seen this week
DeviceEvents
| where TimeGenerated > ago(7d)
| where ActionType !in (knownevents)
| summarize ['First Time Seen']=min(TimeGenerated), Count=count() by ActionType
| sort by Count desc

Explanation

This query looks for any new DeviceEvents action types that have occurred in the environment over the last week compared to the preceding six months. It first builds a baseline of the ActionType values seen between 180 days and 7 days ago (the current week is deliberately excluded from the baseline, so an action type that first appeared a few days ago is not counted as already known). It then finds any action types from the last week that are not in that baseline, along with the time each was first seen and the number of times it occurred during the week. The results are sorted by count in descending order.
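The baseline-versus-recent logic of the query, reimplemented in Python over a constructed set of DeviceEvents rows so the behaviour can be checked offline. This is an added example, not part of the original query page; the fixed "current time", the sample ActionType names and the timestamps are all constructed, and the function name find_new_action_types is my own. It reproduces the same window boundaries as the KQL (baseline strictly between 180 and 7 days ago, recent strictly newer than 7 days ago) and includes an event older than 180 days to show that such an action type reappears as "new", which is a property of the query worth knowing when triaging results.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Fixed "now" so the example is reproducible (assumed value, not from the page).
NOW = datetime(2022, 6, 17, tzinfo=timezone.utc)

# Constructed sample rows standing in for DeviceEvents: (TimeGenerated, ActionType).
# ActionType labels are sample values chosen for illustration only.
SAMPLE_DEVICE_EVENTS = [
    (NOW - timedelta(days=120), "ProcessCreatedUsingWmiQuery"),   # baseline
    (NOW - timedelta(days=60),  "ProcessCreatedUsingWmiQuery"),   # baseline
    (NOW - timedelta(days=2),   "ProcessCreatedUsingWmiQuery"),   # recent but already known -> excluded
    (NOW - timedelta(days=30),  "ScheduledTaskCreated"),          # baseline only
    (NOW - timedelta(days=5),   "AntivirusDetection"),            # new this week (2 hits)
    (NOW - timedelta(days=1),   "AntivirusDetection"),
    (NOW - timedelta(days=3),   "UsbDriveMounted"),               # new this week (1 hit)
    (NOW - timedelta(days=200), "SmartScreenUrlWarning"),         # older than 180d: NOT in baseline
    (NOW - timedelta(days=6),   "SmartScreenUrlWarning"),         # so this shows up as "new" again
]


def find_new_action_types(events, now, baseline_days=180, recent_days=7):
    """Return rows of {ActionType, First Time Seen, Count} for action types seen in the
    recent window but absent from the baseline window, sorted by Count descending.
    Mirrors the KQL: baseline = ago(180d) < t < ago(7d); recent = t > ago(7d)."""
    baseline_start = now - timedelta(days=baseline_days)
    recent_start = now - timedelta(days=recent_days)

    # let knownevents = DeviceEvents | where ... | distinct ActionType
    known = {action for (t, action) in events if baseline_start < t < recent_start}

    # DeviceEvents | where TimeGenerated > ago(7d) | where ActionType !in (knownevents)
    # | summarize ['First Time Seen']=min(TimeGenerated), Count=count() by ActionType
    first_seen = {}
    counts = defaultdict(int)
    for t, action in events:
        if t > recent_start and action not in known:
            counts[action] += 1
            first_seen[action] = min(first_seen.get(action, t), t)

    rows = [
        {"ActionType": a, "First Time Seen": first_seen[a], "Count": counts[a]}
        for a in counts
    ]
    # | sort by Count desc  (Python's sort is stable, so ties keep first-seen order)
    rows.sort(key=lambda r: r["Count"], reverse=True)
    return rows


if __name__ == "__main__":
    for row in find_new_action_types(SAMPLE_DEVICE_EVENTS, NOW):
        print(f"{row['ActionType']:<30} first seen {row['First Time Seen']:%Y-%m-%d}  count={row['Count']}")
```

Two things the sample makes visible that the query itself does not state: the comparison is tenant-wide rather than per device, so an action type that is common on servers but new on a workstation will not surface; and because the baseline starts at 180 days, an action type whose last occurrence was older than that is reported as new when it recurs, which is usually still worth a look but is not the same as "never seen before".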

Details

Matt Zorich

Released: June 17, 2022

Tables

DeviceEvents

Keywords

DeviceEvents,TimeGenerated,ActionType,knownevents,FirstTimeSeen,Count

Operators

where, ago, distinct, in, summarize, min, count, by, sort
