KQL Kusto example: find EOL C++ Redistributable

DeviceProcessEvents
| join kind=innerunique DeviceInfo on DeviceName
| where FileName contains "vcredist"
| where DeviceType contains "Workstation"
// 6..11 for v2005..2012; the dot is escaped so it matches only the version separator
| where ProcessVersionInfoProductVersion matches regex @"^([6-9]|1[0-1])\."
| distinct
    Timestamp,
    DeviceName,
    ProcessVersionInfoProductName,
    ProcessVersionInfoProductVersion,
    InitiatingProcessFileName,
    InitiatingProcessVersionInfoProductName,
    InitiatingProcessParentFileName,
    AccountDomain, AccountName
| project
    Timestamp,
    DeviceName = tostring(split(DeviceName, ".")[0]), // short host name, without the domain suffix
    ProcessVersionInfoProductName,
    ProcessVersionInfoProductVersion,
    InitiatingProcessFileName,
    InitiatingProcessVersionInfoProductName,
    InitiatingProcessParentFileName,
    Username = strcat(AccountDomain, "/", AccountName)
//| extend DeviceName = tostring(split(DeviceName, ".")[0])
| sort by Timestamp
