Query Details
# Statistics onboarded devices (OS)

## Query Information

#### Description

This query lists how many devices have been onboarded per operating system.

#### References

- https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/onboard-configure?view=o365-worldwide

## Defender For Endpoint

```KQL
DeviceInfo
| where OnboardingStatus == "Onboarded"
| summarize arg_max(Timestamp, *) by DeviceId
| summarize TotalDevices = count() by OSPlatform
```

## Sentinel

```KQL
DeviceInfo
| where OnboardingStatus == "Onboarded"
| summarize arg_max(Timestamp, *) by DeviceId
| summarize TotalDevices = count() by OSPlatform
```
This KQL (Kusto Query Language) query counts the devices that have successfully onboarded, broken down by operating system (OS), in a security environment such as Microsoft Defender for Endpoint or Azure Sentinel.

Here's a breakdown of the query in simple terms:

1. The query starts from the DeviceInfo table, which holds the records that each device reports about itself (platform, version, onboarding status and so on).
2. It filters the data to include only records where OnboardingStatus equals "Onboarded", so only devices that have completed the onboarding process are considered.
3. It then uses summarize with arg_max(Timestamp, *) by DeviceId to keep one record per device: the device's most recent "Onboarded" record. DeviceInfo contains many rows per device over time, and without this step a device would be counted once for every row it reported.
4. Finally, a second summarize counts the remaining devices (TotalDevices) and groups them by the OSPlatform field, which represents the operating system of the device.

The result is a summary table listing each operating system along with the number of onboarded devices running it. This is useful for understanding how onboarded devices are distributed across operating systems within the organization's network.
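As an added example that is not part of the original query set: the same statistic, but with each device reduced to its latest DeviceInfo record before the OnboardingStatus filter is applied, so a device whose most recent record is no longer "Onboarded" is not counted, and with each platform's share of all onboarded devices. The names `LatestDevices` and `OnboardedTotal` are chosen here for the example.

```kql
// Added example, not from the original page.
// One row per device: the most recent DeviceInfo record for that DeviceId.
let LatestDevices = DeviceInfo
    | summarize arg_max(Timestamp, *) by DeviceId;
// Number of devices whose latest record says they are onboarded.
let OnboardedTotal = toscalar(
    LatestDevices
    | where OnboardingStatus == "Onboarded"
    | count);
LatestDevices
| where OnboardingStatus == "Onboarded"
// Devices per operating system, plus each platform's share of the onboarded fleet.
| summarize TotalDevices = count() by OSPlatform
| extend PercentOfOnboarded = round(100.0 * TotalDevices / OnboardedTotal, 1)
| order by TotalDevices desc
```

Comparing this result with the original query shows how many devices have an older "Onboarded" record but a more recent record with a different status.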

Bert-Jan Pals
Released: December 22, 2023