Query Details

Audit Changes in Configuration Profiles

Query

IntuneAuditLogs
| where OperationName contains "patch"
| extend User = todynamic(Properties).Actor.UPN
| extend Apps = todynamic(Properties).Actor.ApplicationName
| extend Device = todynamic(Properties).TargetObjectIds
//| extend Policy = todynamic(Properties).TargetDisplayNames
| extend Policy = replace_regex(tostring(todynamic(Properties).TargetDisplayNames), @'["\[\]]', "")
| mv-expand todynamic(Properties).Targets[0].ModifiedProperties
| extend Configuration = todynamic(Properties_Targets_0_ModifiedProperties).Name
| extend ['New Value'] = todynamic(Properties_Targets_0_ModifiedProperties).New
| extend ['Old Value'] = todynamic(Properties_Targets_0_ModifiedProperties).Old
| project TimeGenerated, Policy, Configuration, ['New Value'], ['Old Value'], User

Explanation

This query searches the Intune audit logs for any operation whose name contains the word "patch" (the contains operator is case-insensitive). It then extracts the user's UPN (User Principal Name), the name of the application, the target object IDs, and the target display names from the Properties field of each log entry.

The query also removes any square brackets and double quotes from the target display names. It then expands the modified properties of the first target into one row per property and extracts the name of the configuration, the new value, and the old value.

Finally, it displays the time the log was generated, the policy, the configuration, the new value, the old value, and the user. The application name and target object IDs are extracted but not included in the output.
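
The query above reads only the first target (Targets[0]). As an added example (not part of the original query), the variant below runs over constructed sample rows, expands every target, and drops properties whose old and new values are identical. The sample data, the table name SampleIntuneAuditLogs, and the column names Props, Target and Change are assumptions made for illustration.

```kusto
// Constructed sample rows: the Properties JSON carries only the fields the query reads.
let SampleIntuneAuditLogs = datatable(TimeGenerated: datetime, OperationName: string, Properties: string)
[
    datetime(2022-08-02 09:15:00), "Patch DeviceConfiguration",
    '{"Actor":{"UPN":"admin@contoso.example","ApplicationName":"Example Admin Portal"},"TargetObjectIds":["00000000-0000-0000-0000-000000000001"],"TargetDisplayNames":["Sample Baseline Profile"],"Targets":[{"ModifiedProperties":[{"Name":"PasswordMinimumLength","Old":"8","New":"4"},{"Name":"Description","Old":"Baseline","New":"Baseline"}]},{"ModifiedProperties":[{"Name":"PasswordRequired","Old":"True","New":"False"}]}]}',
    datetime(2022-08-02 09:20:00), "Create DeviceConfiguration",
    '{"Actor":{"UPN":"admin@contoso.example","ApplicationName":"Example Admin Portal"},"TargetObjectIds":["00000000-0000-0000-0000-000000000002"],"TargetDisplayNames":["Another Sample Profile"],"Targets":[{"ModifiedProperties":[{"Name":"DisplayName","Old":"","New":"Another Sample Profile"}]}]}'
];
SampleIntuneAuditLogs
// Same filter as the original query: only update (patch) operations.
| where OperationName contains "patch"
// Parse the JSON once instead of calling todynamic() in every extend.
| extend Props = todynamic(Properties)
| extend User = tostring(Props.Actor.UPN)
| extend Apps = tostring(Props.Actor.ApplicationName)
| extend Policy = strcat_array(Props.TargetDisplayNames, ", ")
// One row per target, then one row per modified property of that target.
| mv-expand Target = Props.Targets
| mv-expand Change = Target.ModifiedProperties
| extend Configuration = tostring(Change.Name)
| extend ['New Value'] = tostring(Change.New)
| extend ['Old Value'] = tostring(Change.Old)
// Keep only properties whose value actually changed.
| where ['New Value'] != ['Old Value']
| project TimeGenerated, Policy, Configuration, ['New Value'], ['Old Value'], User, Apps
```

To run it against real data, remove the let statement and replace SampleIntuneAuditLogs with IntuneAuditLogs.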

Details

Ugur Koc

Released: August 2, 2022

Tables

IntuneAuditLogs

Keywords

IntuneAuditLogs, OperationName, Patch, User, Apps, Device, Policy, Configuration, NewValue, OldValue, TimeGenerated

Operators

IntuneAuditLogs, where, contains, extend, todynamic, replace_regex, tostring, mv-expand, project
