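// Hunting query: file deletions under C:\Users on devices that are currently
// classified as servers, newest first, with the initiating account, process and
// command line for triage.
//
// Review notes:
// - The query has no Timestamp filter of its own, so the lookback is whatever the
//   caller applies (portal time picker or rule schedule) - confirm before scheduling.
// - Server classification comes from the newest DeviceInfo row per device, so it
//   reflects the device's latest reported type, not its type when the file was deleted.
//
// ServerDevices: one row per DeviceId whose most recent DeviceInfo record has
// DeviceType == "Server". Only DeviceType is pulled through arg_max and only
// DeviceId is kept, so the join does not carry every DeviceInfo column.
let ServerDevices =
    DeviceInfo
    | summarize arg_max(Timestamp, DeviceType) by DeviceId
    | where DeviceType == "Server"
    | project DeviceId;
DeviceFileEvents
| where ActionType == "FileDeleted"
// startswith is case-insensitive. The prefix has no trailing backslash, so sibling
// folders such as C:\Users.old also match; profiles relocated to another drive do not.
| where FolderPath startswith @"C:\Users"
// Inner join keeps only deletion events from devices present in ServerDevices.
| join kind=inner (ServerDevices) on DeviceId
// Timestamp, DeviceName and ReportId are the file event's own values.
| project Timestamp, DeviceName, ReportId, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, FolderPath, FileName, SHA256
| order by Timestamp desc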
