Query Details
List Devices Array
Query
```kql
// This query will simply list the devices pasted into the data table in the query results
// Use a query such as this to list devices you wish to "Take Action" on: https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-take-action?view=o365-worldwide
let devices = datatable(DeviceName:string)
[
"desktop-nlrbega",
"desktop-l68o7q9",
"desktop-abc123",
"desktop-xyz789"
];
DeviceInfo
| join kind=inner devices on DeviceName
| summarize arg_max(Timestamp, *) by DeviceId
| project DeviceName, DeviceId
| order by DeviceName asc
```
Explanation
This query is designed to identify and list specific devices from a predefined list. Here's a simple breakdown of what it does:
-
Define a List of Devices: It starts by creating a temporary table (
datatable) containing a list of device names you are interested in, such as "desktop-nlrbega", "desktop-l68o7q9", "desktop-abc123", and "desktop-xyz789". -
Join with Device Information: It then performs an inner join between this list and the
DeviceInfotable, which contains detailed information about devices. The join is based on matching device names (DeviceName). -
Select the Latest Record for Each Device: The query uses
summarize arg_max(Timestamp, *) by DeviceIdto select the most recent record for each device, ensuring that the latest information is retrieved. -
Project Relevant Columns: It projects (selects) only the
DeviceNameandDeviceIdcolumns to be included in the final output. -
Order the Results: Finally, it orders the results alphabetically by
DeviceName.
In essence, this query helps you extract and display the most recent information for a specific set of devices from a larger dataset, which can be useful for taking further actions on these devices.
Details
Nathan Hutchinson
Released: March 18, 2026
Tables
Keywords
Operators