Query Details
Audit Show Located Devices
Query
// Show Devices for which the option “Locate Device“ was used. IntuneAuditLogs | where OperationName has "locateDevice" | extend User = tostring(todynamic(Properties).Actor.UPN) | extend DeviceId = tostring(todynamic(Properties).TargetObjectIds[0]) | join kind=leftouter IntuneDevices on DeviceId // DeviceName from IntuneDevices | distinct TimeGenerated, User, DeviceName | sort by TimeGenerated desc
Explanation
This query is pulling data from the IntuneAuditLogs to find instances where the "Locate Device" operation was used. It then extracts the user and device ID associated with each of these instances. It then joins this data with the IntuneDevices data, matching on the device ID. The result is a list of unique instances (based on the time they were generated, the user, and the device name) where the "Locate Device" operation was used, sorted in descending order by the time they were generated.
Details
Ugur Koc
Released: July 25, 2022
Tables
IntuneAuditLogsIntuneDevices
Keywords
IntuneAuditLogs,OperationName,LocateDevice,User,Properties,Actor,UPN,DeviceId,TargetObjectIds,IntuneDevices,DeviceName,TimeGenerated
Operators
IntuneAuditLogswherehasextendtostringtodynamicPropertiesActor.UPNTargetObjectIdsjoinkind=leftouterIntuneDevicesDeviceIddistinctTimeGeneratedUserDeviceNamesort bydesc.