Query Details

Audit Show Enable Lost Mode Devices

Query

// Show devices on which enableLostMode was activated and who initiated it.
IntuneAuditLogs
| where OperationName has "enableLostMode"
| extend User = tostring(todynamic(Properties).Actor.UPN)
| extend DeviceId = tostring(todynamic(Properties).TargetObjectIds[0])
| join kind=leftouter IntuneDevices on DeviceId // DeviceName from IntuneDevices
| distinct TimeGenerated, User, DeviceName
| sort by TimeGenerated desc 

Explanation

This query reads IntuneAuditLogs and keeps the records whose OperationName contains the term "enableLostMode", which shows the devices on which lost mode was activated. It takes the user who initiated the operation from Actor.UPN in Properties and the device ID from the first entry of TargetObjectIds. It then left-outer joins this data with IntuneDevices on DeviceId to get the device name. The results are distinct combinations of time, user and device name, sorted by TimeGenerated with the most recent entries shown first.
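The same logic run over constructed sample rows, as an added example that is not part of the original query: it assumes IntuneDevices can hold more than one inventory row per device, so it keeps only the latest DeviceName per DeviceId before joining, and it labels devices the left outer join could not match. The table names AuditSample, DeviceSample and LatestDevice and all row values are made up for illustration.

```kql
// Constructed audit rows; OperationName and Properties values are sample data.
let AuditSample = datatable(TimeGenerated: datetime, OperationName: string, Properties: string)
[
    datetime(2022-07-20 09:15:00), "enableLostMode ManagedDevice",
        '{"Actor":{"UPN":"admin1@example.com"},"TargetObjectIds":["dev-001"]}',
    datetime(2022-07-21 14:02:00), "enableLostMode ManagedDevice",
        '{"Actor":{"UPN":"admin2@example.com"},"TargetObjectIds":["dev-404"]}',
    datetime(2022-07-21 16:30:00), "disableLostMode ManagedDevice",
        '{"Actor":{"UPN":"admin1@example.com"},"TargetObjectIds":["dev-001"]}'
];
// Constructed inventory rows: dev-001 was renamed between two snapshots,
// dev-404 is not in the inventory at all.
let DeviceSample = datatable(TimeGenerated: datetime, DeviceId: string, DeviceName: string)
[
    datetime(2022-07-19 00:00:00), "dev-001", "iPad-Kiosk-Old",
    datetime(2022-07-21 00:00:00), "dev-001", "iPad-Kiosk-01"
];
// Keep one row per device: the DeviceName from its most recent snapshot.
let LatestDevice = DeviceSample
    | summarize arg_max(TimeGenerated, DeviceName) by DeviceId
    | project DeviceId, DeviceName;
AuditSample
// "has" matches whole terms, so the disableLostMode row is not selected.
| where OperationName has "enableLostMode"
// Parse the Properties JSON once and read both fields from it.
| extend Props = todynamic(Properties)
| extend User = tostring(Props.Actor.UPN),
         DeviceId = tostring(Props.TargetObjectIds[0])
// leftouter keeps audit rows even when the device has no inventory record.
| join kind=leftouter LatestDevice on DeviceId
| extend DeviceName = iff(isempty(DeviceName),
                          strcat("<not in inventory: ", DeviceId, ">"),
                          DeviceName)
| project TimeGenerated, User, DeviceId, DeviceName
| sort by TimeGenerated desc
```

To run it against a workspace, replace AuditSample and DeviceSample with IntuneAuditLogs and IntuneDevices and drop the two datatable definitions.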

Details

Ugur Koc

Released: July 26, 2022

Tables

IntuneAuditLogs,IntuneDevices

Keywords

IntuneAuditLogs,OperationName,Properties,Actor,UPN,DeviceId,TargetObjectIds,IntuneDevices,DeviceName,TimeGenerated,User

Operators

IntuneAuditLogs,where,has,extend,tostring,todynamic,join,kind=leftouter,IntuneDevices,on,distinct,TimeGenerated,User,DeviceName,sort by,desc
