Jan 19 2022 05:02 AM
Rod has some KQL Intune examples here: rod-trent/SentinelKQL: Azure Sentinel KQL (github.com)
// left Table
IntuneAuditLogs
| distinct Identity
| join
(
// right Table - replace with name you are using for your "other MDM data"
SigninLogs
| distinct Identity
) on Identity
It's probable your "other" MDM table doesn't have a column name called "Identity", so you may need to adjust the join (see next example).
For a join, the data in the left table has to match the one in the right, i.e., if the left Identity value = "Clive" and the right identity = "CliveW", the join won't work (no match).
// left Table
IntuneAuditLogs
| distinct Identity
| join
(
// right Table - replace with name you are using for your "other MDM data"
mdmFakeTable
| distinct myFakeIdentityTable
) on $left.Identity == $right.myFakeIdentityTable
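The exact-match requirement described above, as an added example that is not part of the original reply: string keys in a KQL join are compared case-sensitively, so this sketch normalises both sides into a shared key and then uses a leftanti join to list the Intune identities that have no counterpart in the other table. The sample rows, the `contoso.example` addresses and the names `IntuneSample`, `OtherMdmSample`, `LeftIds`, `RightIds` and `JoinKey` are constructed for illustration; `myFakeIdentityTable` is the placeholder column from the reply.

```kql
// Constructed sample rows standing in for IntuneAuditLogs (left) and the
// placeholder "other MDM" table (right). Replace both with your real tables.
let IntuneSample = datatable(Identity:string)
[
    "Clive@contoso.example",
    "anna@contoso.example",
    "raj@contoso.example"
];
let OtherMdmSample = datatable(myFakeIdentityTable:string)
[
    "clive@contoso.example ",   // differs only by case and a trailing space
    "AnnaW@contoso.example",    // a genuinely different value
    "raj@contoso.example"
];
// Build one normalised key per side: trim surrounding whitespace, lower-case.
let LeftIds = IntuneSample
    | extend JoinKey = tolower(trim(@"\s+", Identity))
    | distinct Identity, JoinKey;
let RightIds = OtherMdmSample
    | extend JoinKey = tolower(trim(@"\s+", myFakeIdentityTable))
    | distinct myFakeIdentityTable, JoinKey;
// leftanti keeps only left rows with no match on the right, which is the
// list to investigate when the two device inventories disagree.
LeftIds
| join kind=leftanti (RightIds) on JoinKey
| project Identity
```

Changing `kind=leftanti` to `kind=inner` returns the matched pairs instead, which is the behaviour of the joins in the reply once the keys are normalised.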