Feb 28 2023 04:51 AM
Hi,
I'm looking for a query to alert me on new device registrations.
The following query returns a result, but I never get an alert mail.
What time range should I enter here?
Is the query wrong?
IntuneDevices
| where todatetime(CreatedDate) > ago(1d)
| distinct DeviceName, SerialNumber, CreatedDate, Model
Feb 28 2023 08:14 AM - edited Feb 28 2023 08:16 AM
I'm not sure what the CreatedDate is, but in my system it's normally much older than 1hr (often months).
In Sentinel, TimeGenerated is normally used, e.g.
IntuneDevices
| where TimeGenerated > ago(1d)
| distinct DeviceName, SerialNumber, CreatedDate, Model, TimeGenerated
There are some examples here: Search · intunedevices (github.com)
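
Added example, not part of either post above: one way to build on the TimeGenerated suggestion is to treat a device as new when its serial number first appears in IntuneDevices within the alert window. The 14d baseline and 1d window are assumptions; the column names are the ones used in the thread.

```kusto
// Added example, not from the thread.
// Assumptions: 14d baseline, 1d alert window.
let baseline = 14d;   // how far back to look for earlier sightings of a device
let window   = 1d;    // how recent the first sighting must be to count as new
IntuneDevices
| where TimeGenerated > ago(baseline)
| where isnotempty(SerialNumber)
// One row per device: earliest sighting plus the most recent inventory values
| summarize FirstSeen = min(TimeGenerated),
            arg_max(TimeGenerated, DeviceName, Model, CreatedDate)
          by SerialNumber
// Keep only devices never seen before the alert window
| where FirstSeen > ago(window)
| project FirstSeen, DeviceName, SerialNumber, Model, CreatedDate
```

The rule's query period has to cover the whole baseline, otherwise every device looks new. The same happens on the first run after the table starts receiving data.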