I was able to fix my issue. I simply added the "rename" function in my main table search. | advhunt cred=all renew=True query="DeviceProcessEvents
| where Timestamp > ago(30d)
| where FileName has 'file.exe'
| project DeviceName, FileName, ProcessCommandLine, FolderPath, AccountName"
| spath input=_raw
| stats count by AccountName,DeviceName
| sort -count | advhunt cred=all renew=True query="DeviceProcessEvents
| where Timestamp > ago(30d)
| where FileName has 'file.exe'
| project DeviceName, FileName, ProcessCommandLine, FolderPath, AccountName"
| spath input=_raw
| rename AccountName as user
| stats count by user,DeviceName
| sort -count
... View more