Query Details

Audit Deleted Devices

Query

IntuneAuditLogs
| where OperationName contains "Delete Manageddevice"
| extend User = todynamic(Properties).Actor.UPN
| extend Application = todynamic(Properties).Actor.ApplicationName
| extend Device = replace_regex(tostring(todynamic(Properties).TargetObjectIds), @'["\[\]]', "")

Explanation

This query searches the Intune audit logs (IntuneAuditLogs) for operations whose name contains "Delete Manageddevice". Because contains is case-insensitive, the filter matches regardless of how the operation name is capitalized in the log. It extracts the User Principal Name (UPN) and the application name from the Actor object in Properties and assigns them to new columns named 'User' and 'Application'. It also takes TargetObjectIds from Properties, converts it to a string, strips the square brackets and quotation marks, and assigns the result to a new column named 'Device'.
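The same extraction, extended to flag bulk deletions by a single actor, as an added example that is not part of the original query. The sample rows, the SampleIntuneAuditLogs and BulkThreshold names, the threshold of 3 and the one-hour window are constructed assumptions; only the Properties fields the original query reads are used.

```kql
// Constructed sample rows standing in for IntuneAuditLogs (not real data).
// Only Properties.Actor.UPN, Properties.Actor.ApplicationName and
// Properties.TargetObjectIds are modelled, as in the query above.
let SampleIntuneAuditLogs = datatable(TimeGenerated:datetime, OperationName:string, Properties:string)
[
    datetime(2022-07-12 09:01:00), "Delete ManagedDevice",
        '{"Actor":{"UPN":"admin1@contoso.example","ApplicationName":"ExamplePortal"},"TargetObjectIds":["11111111-0000-0000-0000-000000000001","11111111-0000-0000-0000-000000000002"]}',
    datetime(2022-07-12 09:14:00), "Delete ManagedDevice",
        '{"Actor":{"UPN":"admin1@contoso.example","ApplicationName":"ExamplePortal"},"TargetObjectIds":["11111111-0000-0000-0000-000000000003"]}',
    datetime(2022-07-12 09:20:00), "Delete ManagedDevice",
        '{"Actor":{"UPN":"admin2@contoso.example","ApplicationName":"ExamplePortal"},"TargetObjectIds":["22222222-0000-0000-0000-000000000001"]}',
    // Actor with no UPN (assumed shape for an app-only caller).
    datetime(2022-07-12 09:30:00), "Delete ManagedDevice",
        '{"Actor":{"UPN":"","ApplicationName":"ExampleAutomationApp"},"TargetObjectIds":["33333333-0000-0000-0000-000000000001"]}',
    // Unrelated operation (constructed name) that the filter must skip.
    datetime(2022-07-12 09:40:00), "Example Other Operation",
        '{"Actor":{"UPN":"admin1@contoso.example","ApplicationName":"ExamplePortal"},"TargetObjectIds":["44444444-0000-0000-0000-000000000001"]}'
];
// Assumed alerting threshold: distinct devices deleted per actor per hour.
let BulkThreshold = 3;
SampleIntuneAuditLogs
| where OperationName contains "Delete Manageddevice"
// Parse Properties once instead of calling todynamic() for every column.
| extend Props = todynamic(Properties)
| extend User = tostring(Props.Actor.UPN),
         Application = tostring(Props.Actor.ApplicationName)
// Fall back to the application name when no user is recorded.
| extend Actor = iff(isempty(User), strcat("app:", Application), User)
// One row per device ID, so a record listing several IDs is counted correctly
// (the regex-strip approach would leave them as one comma-joined string).
| mv-expand DeviceId = Props.TargetObjectIds to typeof(string)
| summarize DeletedDevices = dcount(DeviceId),
            Devices = make_set(DeviceId),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
    by Actor, Application, bin(TimeGenerated, 1h)
| where DeletedDevices >= BulkThreshold
| project-rename Window = TimeGenerated
```

To run it against live data, replace SampleIntuneAuditLogs with IntuneAuditLogs and tune the threshold and window to the tenant's normal device-retirement volume.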

Details

Ugur Koc

Released: July 12, 2022

Tables

IntuneAuditLogs

Keywords

IntuneAuditLogs,OperationName,DeleteManageddevice,User,Properties,Actor,UPN,Application,ApplicationName,Device,TargetObjectIds

Operators

IntuneAuditLogs,where,contains,extend,todynamic,replace_regex,tostring