cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

KQL for all user Devices?

%3CLINGO-SUB%20id%3D%22%5C%26quot%3Blingo-sub-3064929%5C%26quot%3B%22%20slang%3D%22%5C%26quot%3Ben-US%5C%26quot%3B%22%3EKQL%20for%20all%20user%20Devices%3F%26lt%3B%5C%2Flingo-sub%26gt%3B%3CLINGO-BODY%20id%3D%22%5C%26quot%3Blingo-body-3064929%5C%26quot%3B%22%20slang%3D%22%5C%26quot%3Ben-US%5C%26quot%3B%22%3E%3CP%3EIs%20they%20away%20to%20pull%20in%20all%20device%20information%20per%20user%2C%20not%20just%20intune%20but%20all%20mdm%20solution%2C%20as%20well%20as%20the%20join%20types%3F%26lt%3B%5C%2FP%26gt%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%26lt%3B%5C%2FP%26gt%3B%3C%2FP%3E%3CP%3ECouldn't%20find%20any%20pointers%20within%20the%20query%20packs.%26lt%3B%5C%2FP%26gt%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%26lt%3B%5C%2FP%26gt%3B%3C%2FP%3E%3CP%3ERegards%26lt%3B%5C%2FP%26gt%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%26lt%3B%5C%2FP%26gt%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%26lt%3B%5C%2FP%26gt%3B%26lt%3B%5C%2Flingo-body%26gt%3B%3CLINGO-LABS%20id%3D%22%5C%26quot%3Blingo-labs-3064929%5C%26quot%3B%22%20slang%3D%22%5C%26quot%3Ben-US%5C%26quot%3B%22%3E%3CLINGO-LABEL%3EKQL%26lt%3B%5C%2Flingo-label%26gt%3B%26lt%3B%5C%2Flingo-labs%26gt%3B%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3C%2FLINGO-SUB%3E
LaML415
New Contributor

‎Jan 18 2022 10:17 AM

‎Jan 18 2022 10:17 AM

KQL for all user Devices?

Is they away to pull in all device information per user, not just intune but all mdm solution, as well as the join types?

 

Couldn't find any pointers within the query packs.

 

Regards

 

 

Labels:
238 Views
0 Likes
1 Reply
Reply
1 Reply
Clive_Watson

‎Jan 19 2022 05:02 AM

‎Jan 19 2022 05:02 AM

Re: KQL for all user Devices?

@LaML415 

Rod has some KQL intune examples here: rod-trent/SentinelKQL: Azure Sentinel KQL (github.com)

// left Table
IntuneAuditLogs
| distinct Identity
| join 
( 
 // right Table - replace with name you are using for your "other MDM data"
 SigninLogs
 | distinct Identity 
) on Identity

 

Its probable your "other" MDM table doesn't have a column name called "Identity" so you may need to adjust the Join (see next example). 
For a join the data in the Left Table has to match the one in the right - i.e if the left Identity value = "Clive" and the right identity = "CliveW"  the join wont work (no match).

// left Table
IntuneAuditLogs
| distinct Identity
| join 
( 
 // right Table - replace with name you are using for your "other MDM data"
 mdmFakeTable
 | distinct myFakeIdentityTable 
) on $left.Identity == $right.myFakeIdentityTable

 

0 Likes
Reply