Forum Discussion
LaML415
Jan 18, 2022Copper Contributor
KQL for all user Devices?
Is they away to pull in all device information per user, not just intune but all mdm solution, as well as the join types?
Couldn't find any pointers within the query packs.
Regards
- Clive_WatsonBronze Contributor
Rod has some KQL intune examples here: rod-trent/SentinelKQL: Azure Sentinel KQL (github.com)
// left Table IntuneAuditLogs | distinct Identity | join ( // right Table - replace with name you are using for your "other MDM data" SigninLogs | distinct Identity ) on Identity
Its probable your "other" MDM table doesn't have a column name called "Identity" so you may need to adjust the Join (see next example).
For a join the data in the Left Table has to match the one in the right - i.e if the left Identity value = "Clive" and the right identity = "CliveW" the join wont work (no match).// left Table IntuneAuditLogs | distinct Identity | join ( // right Table - replace with name you are using for your "other MDM data" mdmFakeTable | distinct myFakeIdentityTable ) on $left.Identity == $right.myFakeIdentityTable