# Visualization File Types

## Query

# Visualize FileTypes based on DeviceFileEvents

### Defender For Endpoint

```kql
let TimeFrame = 7d;
DeviceFileEvents
| where Timestamp > ago(TimeFrame)
| extend FileType = tostring(parse_json(AdditionalFields).FileType)
| where isnotempty(FileType)
| summarize Total = count() by FileType
| render piechart with(title="FileTypes used")
```

### Sentinel

```kql
let TimeFrame = 7d;
DeviceFileEvents
| where Timestamp > ago(TimeFrame)
| extend FileType = tostring(parse_json(AdditionalFields).FileType)
| where isnotempty(FileType)
| summarize Total = count() by FileType
| render piechart with(title="FileTypes used")
```

## Explanation

The query retrieves DeviceFileEvents from the Defender for Endpoint or Sentinel data source within the time frame set by the `TimeFrame` variable (7 days). Because `AdditionalFields` is stored as a JSON string, the query parses it with `parse_json`, extracts the `FileType` property and casts it to a string, filters out rows where FileType is empty, and counts the events per FileType. Finally, it visualizes the results in a pie chart titled "FileTypes used." The query is identical for both products, since the DeviceFileEvents schema is the same in Advanced Hunting and in Sentinel.
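The pie chart above answers "which file types are common"; a hunter usually also wants the inverse, namely file types that are new to the environment. The query below is an added example, not part of the original page or the author's query set. It reuses the page's `parse_json(AdditionalFields).FileType` extraction and compares the last 7 days against the preceding 30 days to list file types never seen in the baseline, together with the number of affected devices and a few example file names. The `TimeFrame` and `BaselineStart` variables are assumptions chosen for illustration; adjust them to the retention period of your workspace.

```kql
// Added example, not from the original page: file types that appear in the
// last TimeFrame but were not observed in the 30 days before it.
let TimeFrame = 7d;          // recent window to inspect
let BaselineStart = 37d;     // start of baseline = 30 days before the recent window (assumed value)
// Set of file types already seen during the baseline period
let KnownFileTypes =
    DeviceFileEvents
    | where Timestamp between (ago(BaselineStart) .. ago(TimeFrame))
    | extend FileType = tostring(parse_json(AdditionalFields).FileType)
    | where isnotempty(FileType)
    | distinct FileType;
DeviceFileEvents
| where Timestamp > ago(TimeFrame)
| extend FileType = tostring(parse_json(AdditionalFields).FileType)
| where isnotempty(FileType)
// Keep only file types that are absent from the baseline set
| where FileType !in (KnownFileTypes)
| summarize
    Total = count(),                     // events with this new file type
    Devices = dcount(DeviceId),          // how widely it is spread
    FirstSeen = min(Timestamp),          // when it first showed up
    Examples = make_set(FileName, 5)     // up to five sample file names for triage
    by FileType
| sort by Devices desc, Total desc
```

A file type that is new and concentrated on a single device is usually benign (a new tool installed by one user), while a new type spreading across many devices within the window is worth a closer look at the initiating process and file origin columns of the same table.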

## Details

Bert-Jan Pals

Released: February 14, 2024

### Tables

DeviceFileEvents

### Keywords

Devices, Intune, User, FileTypes, DeviceFileEvents, DefenderForEndpoint, Sentinel

### Operators

where, extend, tostring, parse_json, isnotempty, summarize, count, render