Unable to query "Device" field in Activity Log
Hi TechCommunity,
I've got an issue where I am currently unable to run queries against the "Device" field in the Activity Log.
To get the basics out of the way, I've added both our O365 & Azure instances to MDCA and I'm able to successfully identify devices that are logging in to applications registered in our AAD. I can also see if those devices are "compliant & managed" from the raw source data within those event entries.
So I'm thinking I've something wrong here? Does MDCA not pull device info from the AAD sign in log entry?
Any help is appreciated,
Thanks Team
2 Replies
- Keith_Fleming
Microsoft
Hi Lazy_Extrovert,
Defender for Cloud Apps does pull the device status from sign-in logs. I would expect to see compliant device status for successful or failed sign-ins.
Some data you see in the activity logs is coming from other sources that might not contain this information though (SPO/OD activities for instance).
A search like this should show that information:
- Lazy_Extrovert
Copper Contributor
Hi Keith_Fleming,
Thanks for the reply.
That's exactly what I'm attempting to do. Looking into the raw data of the log on events from O365 I can see the "IsDeviceCompliantAndManaged: true" parameter, and yet, when I go to query log on events that are from devices that are managed/compliant, I get no results.
I think I'll just hit up Microsoft with this and see what they think.
Cheers