K_E
Feb 28, 2023, Brass Contributor
Sentinel Alert - Alert on new device registration
Hi,
I'm looking for a query to alert me on new device registrations.
The following query returns a result, but I never get an alert mail.
What time range should I enter here?
Is the query wrong?
IntuneDevices
| where todatetime(CreatedDate) > ago(1d)
| distinct DeviceName, SerialNumber, CreatedDate, Model
- Clive_Watson, Bronze Contributor
I'm not sure what the CreatedDate is, but in my system it's normally much older than 1hr (often months).
In Sentinel TimeGenerated is normally used, e.g.
IntuneDevices
| where TimeGenerated > ago(1d)
| distinct DeviceName, SerialNumber, CreatedDate, Model, TimeGenerated
There are some examples here: Search · intunedevices (github.com)
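
An added example, not part of the original posts: a first-seen variant of the query above that returns only devices logged in the last day and absent from an earlier baseline, so the rule fires on new registrations rather than on every device in the table. The 14-day baseline and the use of SerialNumber as the device key are assumptions; the column names are the ones used in the thread.

```kql
// Added example (not from the thread).
// Assumptions: 14d baseline window; SerialNumber uniquely identifies a device.
let lookback = 14d;   // how far back the "already known" baseline reaches
let recent = 1d;      // window in which a device counts as newly registered
// Devices that were already being logged before the recent window
let known =
    IntuneDevices
    | where TimeGenerated between (ago(lookback) .. ago(recent))
    | where isnotempty(SerialNumber)
    | distinct SerialNumber;
IntuneDevices
| where TimeGenerated > ago(recent)
| where isnotempty(SerialNumber)      // skip rows that cannot be keyed
| summarize FirstSeen = min(TimeGenerated), CreatedDate = take_any(CreatedDate)
    by DeviceName, SerialNumber, Model
// Keep only devices with no row in the baseline
| join kind=leftanti known on SerialNumber
```

The analytics rule's lookup period has to cover the whole baseline (14 days here); with a shorter lookup the baseline is empty and every device is reported as new.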