Forum Discussion

LaML415
Copper Contributor
Jan 18, 2022

KQL for all user Devices?

Is there a way to pull in all device information per user, not just Intune but all MDM solutions, as well as the join types?

Couldn't find any pointers within the query packs.

Regards

  • Clive_Watson
    Bronze Contributor

    LaML415 

    Rod has some KQL Intune examples here: rod-trent/SentinelKQL: Azure Sentinel KQL (github.com)

    // left Table
    IntuneAuditLogs
    | distinct Identity
    | join 
    ( 
     // right Table - replace with name you are using for your "other MDM data"
     SigninLogs
     | distinct Identity 
    ) on Identity 

     

    It's probable your "other" MDM table doesn't have a column called "Identity", so you may need to adjust the join (see next example).
    For a join, the data in the left table has to match the data in the right, i.e. if the left Identity value = "Clive" and the right identity = "CliveW", the join won't work (no match).

    // left Table
    IntuneAuditLogs
    | distinct Identity
    | join 
    ( 
     // right Table - replace with name you are using for your "other MDM data"
     mdmFakeTable
     | distinct myFakeIdentityTable 
    ) on $left.Identity == $right.myFakeIdentityTable
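
Added example, not part of the thread or of either poster's code: the exact-match requirement described in the reply, shown with a normalised join key and a full outer join so identities that exist in only one source stay visible instead of silently dropping out. `IntuneSample`, `OtherMdmSample`, `UserKey` and the `contoso.example` addresses are constructed for illustration; `myFakeIdentityTable` is the placeholder column name from the reply.

```kusto
// Constructed sample rows standing in for the two tables (not real data).
let IntuneSample = datatable(Identity:string)
[
    "Clive@contoso.example",
    "rod@contoso.example ",      // trailing space, as often seen in imported data
    "lam@contoso.example"
];
let OtherMdmSample = datatable(myFakeIdentityTable:string)
[
    "clive@contoso.example",
    "rod@contoso.example",
    "CliveW@contoso.example"     // a genuinely different value: normalising will not make it match
];
IntuneSample
// Normalise case and surrounding whitespace so formatting differences do not break the match
| extend UserKey = tolower(trim(@"\s+", Identity))
| distinct UserKey
| join kind=fullouter
(
    OtherMdmSample
    | extend UserKey = tolower(trim(@"\s+", myFakeIdentityTable))
    | distinct UserKey
) on UserKey
// After a full outer join the right-hand key is returned as UserKey1;
// an empty side means that source had no matching identity
| extend Source = case(
    isnotempty(UserKey) and isnotempty(UserKey1), "both",
    isnotempty(UserKey), "Intune only",
    "other MDM only")
| project User = coalesce(UserKey, UserKey1), Source
| sort by User asc
```

Rows labelled as present in only one source are the ones the default join in the reply would leave out, which makes them the place to look for naming mismatches or devices enrolled in a single MDM.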

     
