Forum Discussion
JMSHW0420
Feb 09, 2023, Iron Contributor
RE: Tracking Compliance Status changes for Intune Device(s) with KQL/Playbook
Hello, I am looking to build a Playbook based on Intune and Compliance Status. First I have the following KQL query to check for 'Non-Compliance' status... IntuneDeviceComplianceOrg | wh...
Clive_Watson
Feb 10, 2023, Bronze Contributor
JMSHW0420
It will be something like this. Lines 1-15 are ok, you will have to play with 16 onwards - the Device details are only in the SecurityAlert so you have to use that for a join (I didn't look closely, so this is just the start of a solution).
let notCompliant_ =
    IntuneDeviceComplianceOrg
    // from 7 days to 1 day ago
    | where TimeGenerated between (ago(7d) .. ago(1d))
    | where isnotempty(DeviceHealthThreatLevel)
    | where ComplianceState != "Compliant"
    | distinct DeviceName;
IntuneDeviceComplianceOrg
// from 1d to now
| where TimeGenerated between (ago(1d) .. now())
| where isnotempty(DeviceHealthThreatLevel)
// only show if Device was previously in the non-compliant list
| where ComplianceState == "Compliant" and DeviceName in (notCompliant_)
| project TimeGenerated, ComplianceState, DeviceName, DeviceId, OS, UserName, UserEmail
| summarize arg_max(TimeGenerated, *) by DeviceId
| join (
    SecurityAlert
    | where TimeGenerated between (ago(7d) .. now())
    | where AlertName == "Non-Compliant Device Detected"
    | extend DeviceName = tostring(parse_json(Entities)[1].HostName)
) on DeviceName
JMSHW0420
Feb 13, 2023, Iron Contributor
Hi Clive_Watson,
Thank you for the response.
Had worked on something similar from lines 1-7 BUT really do appreciate the remaining content of the query.
I'll look at lines 16 onwards and come back to you later in the week, if OK?
Again, grateful for your help.