Query Details

Device Visualize When Your Devices Last Contacted Intune

Query

// Visualize when your devices last contacted Intune
// See here: https://github.com/reprise99/Sentinel-Queries/blob/main/Intune/IntuneDevices-VisualizeLastContact.kql
IntuneDevices
| where TimeGenerated > ago(90d)
| where isnotempty(LastContact)
// Retrieve latest record for each DeviceId
| summarize arg_max(TimeGenerated, *) by DeviceId
// Convert string to datetime format
| extend LastContactTime = todatetime(LastContact)
| project DeviceId, LastContactTime
// Exclude devices reporting as 0001-01-01
| where LastContactTime <> todatetime('0001-01-01T00:00:00Z')
// Group by month and render chart
| summarize ['Device Count'] = count() by startofmonth(LastContactTime)
| render columnchart with (title="Intune devices by last contact time", xtitle="Month")

Explanation

This query visualizes when each device last contacted Microsoft Intune. It reads IntuneDevices records logged in the past 90 days (the 90-day filter applies to TimeGenerated, not to LastContact), drops any records where the 'LastContact' field is empty, and keeps only the most recent record for each device ID. It then converts the 'LastContact' field from a string to a datetime format and excludes any devices that are reporting a 'LastContactTime' of '0001-01-01'. Finally, it groups the devices by the month of their last contact and displays the result in a column chart, with the number of devices on the y-axis and the month on the x-axis. The chart is titled "Intune devices by last contact time".

Details

Ugur Koc

Released: August 2, 2022

Tables

IntuneDevices

Keywords

IntuneDevices,TimeGenerated,LastContact,DeviceId,LastContactTime,DeviceCount,Month

Operators

IntuneDevices,where,TimeGenerated,ago(),isnotempty(),LastContact,summarize,arg_max(),by,DeviceId,extend,todatetime(),project,LastContactTime,startofmonth(),count(),render,columnchart,with,title,xtitle
