Query Details

Audit Wiped Devices

Query

// Show a list of devices that have received the Wipe command in Intune, and display which user or application wiped each device.
IntuneAuditLogs
| where OperationName contains "wipe"
| extend User = todynamic(Properties).Actor.UPN // Show the user (initiator) if present.
| extend Application = todynamic(Properties).Actor.ApplicationName // Show the application (initiator) if present.
| extend Device = replace_regex(tostring(todynamic(Properties).TargetObjectIds), @'["\[\]]', "") // Show target device.

Explanation

This query is designed to display a list of devices that have received the 'wipe' command in Intune, a cloud-based service in the enterprise mobility management (EMM) space that helps enable your workforce to be productive while keeping your corporate data protected.

In addition to showing the devices, the query also reveals who or which application initiated the wipe command. It does this by extracting the user and application information from the audit logs.

The 'extend' operator adds new columns to the output: the user (if present), the application (if present), and the target device that was wiped. Because TargetObjectIds is stored as a JSON array, the 'replace_regex' function strips the surrounding brackets and quotes so the device ID is shown as a plain string.
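The following is an added example built on the same IntuneAuditLogs fields, not the original query: it parses Properties once, uses mv-expand so a wipe targeting several devices yields one row per device, and groups the results by initiator so bulk wipes from a single account or application stand out. It assumes the standard TimeGenerated column and a constructed threshold of five wipes for the BulkWipe flag.

```kql
// Added example (not the original query): one row per wiped device, grouped by initiator.
// Assumes the Properties fields used above (Actor.UPN, Actor.ApplicationName, TargetObjectIds)
// and the standard TimeGenerated column of Log Analytics tables.
let lookback = 7d;          // review window; adjust to your retention and triage cadence
let bulkThreshold = 5;      // constructed example threshold for flagging mass wipes
IntuneAuditLogs
| where TimeGenerated > ago(lookback)
| where OperationName contains "wipe"
| extend Props = todynamic(Properties)                      // parse the JSON payload once
| extend User = tostring(Props.Actor.UPN),
         Application = tostring(Props.Actor.ApplicationName)
// Fall back to the application name when no user principal is recorded (automated wipes).
| extend Initiator = iff(isempty(User), strcat("app:", Application), User)
// TargetObjectIds is an array; expand it so each wiped device becomes its own row.
// Rows whose array is empty or missing are dropped by mv-expand.
| mv-expand Device = Props.TargetObjectIds
| extend Device = tostring(Device)
| summarize Wipes = count(),
            WipedDevices = make_set(Device),
            FirstWipe = min(TimeGenerated),
            LastWipe = max(TimeGenerated)
          by Initiator
| extend BulkWipe = Wipes >= bulkThreshold                  // highlight unusually many wipes
| order by Wipes desc
```

An Initiator that is an application rather than a user, or a BulkWipe row that does not match a known decommissioning job, is worth correlating with the change record or ticket that authorised it.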

Details


Ugur Koc

Released: July 3, 2022

Tables

IntuneAuditLogs

Keywords

IntuneAuditLogs,OperationName,Wipe,User,Properties,Actor,UPN,Application,ApplicationName,Device,TargetObjectIds

Operators

| project DeviceUserApplication
