cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Sentinel Alert - Alert on new device registration

K_E
Brass Contributor

‎Feb 28 2023 04:51 AM

‎Feb 28 2023 04:51 AM

Sentinel Alert - Alert on new device registration

Hi,
i'm looking for a query to alert me on new device registrations.

The following query returns a result but i never gets an alert mail.

What time range should I enter here?
Is the query wrong?

 

 

 

IntuneDevices
| where todatetime(CreatedDate) > ago(1d)
| distinct DeviceName, SerialNumber, CreatedDate, Model

 

 

 

Labels:
1,375 Views
0 Likes
1 Reply
Reply
1 Reply
Clive_Watson

‎Feb 28 2023 08:14 AM - edited ‎Feb 28 2023 08:16 AM

‎Feb 28 2023 08:14 AM - edited ‎Feb 28 2023 08:16 AM

Re: Sentinel Alert - Alert on new device registration

@K_E 

 

I'm not sure what the createdDate is, but in my system its normally much older than 1hr (often months). 

In Sentinel TimeGenerated is normally used.  e.g. 

 

 

IntuneDevices
| where TimeGenerated > ago(1d)
| distinct DeviceName, SerialNumber, CreatedDate, Model, TimeGenerated

 



There are some examples here: Search · intunedevices (github.com)

1 Like
Reply