KQL for all user Devices?

LaML415 · ‎Jan 18 2022

Is they away to pull in all device information per user, not just intune but all mdm solution, as well as the join types?

Couldn't find any pointers within the query packs.

Regards

Clive_Watson · ‎Jan 19 2022

@LaML415

Rod has some KQL intune examples here: rod-trent/SentinelKQL: Azure Sentinel KQL (github.com)

// left Table
IntuneAuditLogs
| distinct Identity
| join 
( 
 // right Table - replace with name you are using for your "other MDM data"
 SigninLogs
 | distinct Identity 
) on Identity

Its probable your "other" MDM table doesn't have a column name called "Identity" so you may need to adjust the Join (see next example).
For a join the data in the Left Table has to match the one in the right - i.e if the left Identity value = "Clive" and the right identity = "CliveW" the join wont work (no match).

// left Table
IntuneAuditLogs
| distinct Identity
| join 
( 
 // right Table - replace with name you are using for your "other MDM data"
 mdmFakeTable
 | distinct myFakeIdentityTable 
) on $left.Identity == $right.myFakeIdentityTable

Products (68)

Special Topics (42)

Video Hub (954)

Most Active Hubs

Most Active Hubs

Video Hub

KQL for all user Devices?

KQL for all user Devices?

Re: KQL for all user Devices?