Jan 18 2022 10:17 AM
Is there a way to pull in all device information per user, not just Intune but all MDM solutions, as well as the join types?
Couldn't find any pointers within the query packs.
Regards
Jan 19 2022 05:02 AM
Rod has some KQL Intune examples here: rod-trent/SentinelKQL: Azure Sentinel KQL (github.com)
// left Table
IntuneAuditLogs
| distinct Identity
| join
(
// right Table - replace with name you are using for your "other MDM data"
SigninLogs
| distinct Identity
) on Identity
It's probable your "other" MDM table doesn't have a column named "Identity", so you may need to adjust the join (see next example).
For a join, the data in the left table has to match the data in the right, i.e. if the left Identity value = "Clive" and the right Identity = "CliveW", the join won't work (no match).
// left Table
IntuneAuditLogs
| distinct Identity
| join
(
// right Table - replace with name you are using for your "other MDM data"
mdmFakeTable
| distinct myFakeIdentityTable
) on $left.Identity == $right.myFakeIdentityTable
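Added example, not part of the reply above: a self-contained query that shows the no-match problem the reply describes and one way to surface it, by normalising both keys and using a full outer join so unmatched users stay visible. The two datatable sources, their rows and the DeviceName/OtherDevice columns are constructed for illustration; myFakeIdentityTable is the placeholder column name from the reply.

```kusto
// Constructed sample rows standing in for the Intune side (hypothetical values).
let IntuneSide = datatable(Identity:string, DeviceName:string)
[
    "clive@contoso.com", "LAPTOP-01",
    "Dana@Contoso.com",  "LAPTOP-02",
    "erin@contoso.com",  "LAPTOP-03"
];
// Constructed rows for the "other MDM" side. The first row differs from the
// left side only by case and a trailing space; the last has no counterpart.
let OtherMdmSide = datatable(myFakeIdentityTable:string, OtherDevice:string)
[
    "Clive@contoso.com ", "PHONE-11",
    "dana@contoso.com",   "PHONE-12",
    "frank@contoso.com",  "PHONE-13"
];
// Join keys are compared exactly, so normalise both sides the same way first.
let LeftRows  = IntuneSide   | extend UserKey = tolower(trim(@"\s+", Identity));
let RightRows = OtherMdmSide | extend UserKey = tolower(trim(@"\s+", myFakeIdentityTable));
// kind=fullouter keeps rows that found no partner, so coverage gaps show up
// in the result instead of silently disappearing as they would with the default join.
LeftRows
| join kind=fullouter RightRows on UserKey
| extend MatchState = case(
    isempty(UserKey),  "only in other MDM",
    isempty(UserKey1), "only in Intune",
    "matched")
| project User = coalesce(UserKey, UserKey1), DeviceName, OtherDevice, MatchState
| order by User asc
```

Swapping the two datatable definitions for real tables leaves the rest of the query unchanged, as long as the key column names in the two extend lines are adjusted to match.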