KQL Search

Query Details

HomeAI ToolsDevice Query

Intune Compliance Failuresby Reason

Query

//Compliance Failures by Failure Reason
let ComplianceLogs=
IntuneOperationalLogs 
| where OperationName == "Compliance" 
| project TimeGenerated, Properties;
ComplianceLogs
| sort by TimeGenerated desc
| join (
ComplianceLogs
| extend myJson = todynamic(Properties)
| project-away Properties
| extend IntuneDeviceId=tostring(myJson["IntuneDeviceId"]) 
| project TimeGenerated, IntuneDeviceId
| summarize TimeGenerated=max(TimeGenerated) by IntuneDeviceId    
) on TimeGenerated
| project-away TimeGenerated1, IntuneDeviceId  
| extend myJson=todynamic(Properties)
| project-away Properties
| extend Description=tostring(myJson["Description"])
| extend Description=tostring(extract("(.*?)_IID_.*", 1, tostring(Description)))
| extend Reason = tostring(extract("(.*?)\\.(.*)", 2, tostring(Description)))
| summarize FailureCount=count() by Reason 
| sort by FailureCount desc

Explanation

This query is analyzing compliance failures and grouping them by the reason for the failure. It retrieves logs related to compliance operations, sorts them by the time they were generated, and then joins them with another set of logs to get the latest time each device had a compliance failure. It extracts the description of the failure, removes unnecessary information, and extracts the reason for the failure. Finally, it summarizes the count of failures for each reason and sorts them in descending order.

Details

Rod Trent profile picture

Rod Trent

Released: July 10, 2020

Tables

IntuneOperationalLogs

Keywords

Compliance,Failure,Reason

Operators

whereprojectsort byjoinextendsummarizecount()tostringtodynamicextract

Actions