Query Details
Audit Show Client Certificates
Query
// Show client certificates that have been created, changed or deleted in Intune and who initiated that. IntuneAuditLogs | where OperationName has "ClientCertificate" | extend User = tostring(todynamic(Properties).Actor.UPN) | extend DeviceId = tostring(todynamic(Properties).TargetObjectIds[0]) | join kind=leftouter IntuneDevices on DeviceId // DeviceName from IntuneDevices | distinct TimeGenerated, User, DeviceName, OperationName | sort by TimeGenerated desc
Explanation
This query is designed to display a list of client certificates that have been created, modified, or deleted in Intune, along with the user who initiated the action. It first filters the audit logs for operations related to client certificates. Then, it extracts the user and device ID associated with each operation. It also links the device ID with the device name from the IntuneDevices table. The query then removes any duplicate entries and sorts the results in descending order based on the time the operation was performed.
Details
Ugur Koc
Released: July 28, 2022
Tables
IntuneAuditLogsIntuneDevices
Keywords
IntuneAuditLogs,OperationName,ClientCertificate,User,Properties,Actor,UPN,DeviceId,TargetObjectIds,IntuneDevices,DeviceName,TimeGenerated
Operators
IntuneAuditLogswherehasextendtostringtodynamicjoinkind=leftouterIntuneDevicesondistinctTimeGeneratedUserDeviceNameOperationNamesort bydesc.