Query Details

EntraID - Microsoft Defender for Endpoint - Security Settings Management - Device Registrations

Entra ID MDE Device Registrations

Query

AuditLogs
| where OperationName == "Update device" or OperationName == 'Add device'
| where Identity == "Microsoft Intune"
| extend modifiedProperties = parse_json(TargetResources)[0].modifiedProperties
| mv-expand modifiedProperties
| where modifiedProperties.displayName == "DeviceOSType"
| extend OldValue = tostring(parse_json(tostring(modifiedProperties.oldValue))[0])
| extend NewValue = tostring(parse_json(tostring(modifiedProperties.newValue))[0])
| extend DeviceName = tostring(TargetResources[0].displayName)
| project TimeGenerated, DeviceName, OldValue, NewValue, Identity, AADOperationType

About this query

Explanation

This query helps to track device registrations and changes in device operating system type in Entra ID initiated by Microsoft Defender for Endpoint Security Management. It uses AuditLogs and CloudAppEvents data sources to monitor updates and additions of devices, specifically focusing on the DeviceOSType property. The query extracts relevant information such as the old and new values of the DeviceOSType, device name, and the operation type.

Details

Alex Verboon profile picture

Alex Verboon

Released: April 26, 2024

Tables

AuditLogs CloudAppEvents

Keywords

DeviceIntuneMicrosoftDefenderEndpointSecurityManagementDeviceOSTypeAuditLogsCloudAppEventsAccountDisplayNameTargetResourcesTargetResourceActionTypeRawEventDataModifiedPropertiesTimeGeneratedIdentityAADOperationTypeDisplayNameNameNewValueOldValue.

Operators

whereextendparse_jsonmv-expandprojectmv-applyextract_json|==or&&tostring

Actions

GitHub