Query Details

Intune Devices: Find Details of Non-Compliant Devices

Query

//When Azure AD flags a device as non compliant, retrieve the details about the devices from Intune

//Data connector required for this query - Intune data sent to Sentinel workspace

//First find the device name from the 'device no longer compliant' action
let devices =
    AuditLogs
    | where TimeGenerated > ago(1d)
    | where OperationName == "Device no longer compliant"
    | extend DeviceName = tostring(TargetResources[0].displayName)
    | distinct DeviceName;
//Lookup those devices in the IntuneDevices table, and retrieve the latest record
IntuneDevices
| where TimeGenerated > ago(7d)
| summarize arg_max(TimeGenerated, *) by DeviceName
| where DeviceName in (devices)

Explanation

This query retrieves Intune details for devices that Azure AD has flagged as non-compliant. It requires the Intune data connector, so that Intune device data is being sent to the Sentinel workspace.

First, it collects the device names from 'Device no longer compliant' operations in AuditLogs over the last day. It then looks up those devices in the IntuneDevices table over the last seven days, using summarize arg_max(TimeGenerated, *) by DeviceName to keep only the most recent record for each device. Finally, it filters the results to the device names found in the first step.
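A variant of the same query, added here as an example and not part of the original page or Matt Zorich's query: it keeps the time of the non-compliance audit event alongside the latest Intune record by joining on DeviceName, and applies the device filter before summarize so arg_max only runs over the devices of interest. The IntuneDevices columns ComplianceState, OS and UPN are assumed from the standard schema and are not part of the original query; adjust them to what your workspace ingests.

```kql
// Added example, not the original query. Assumes the IntuneDevices columns
// ComplianceState, OS and UPN exist (standard schema); the original query
// only relies on TimeGenerated and DeviceName.
let lookback_audit = 1d;
let lookback_intune = 7d;
// One row per device, with the most recent time it was flagged non-compliant
let nonCompliantEvents =
    AuditLogs
    | where TimeGenerated > ago(lookback_audit)
    | where OperationName == "Device no longer compliant"
    | extend DeviceName = tostring(TargetResources[0].displayName)
    | where isnotempty(DeviceName)
    | summarize NonCompliantTime = max(TimeGenerated) by DeviceName;
IntuneDevices
| where TimeGenerated > ago(lookback_intune)
// Filter to the flagged devices first, then pick the latest record per device
| where DeviceName in ((nonCompliantEvents | project DeviceName))
| summarize arg_max(TimeGenerated, *) by DeviceName
// Bring the audit timestamp next to the Intune record
| join kind=inner nonCompliantEvents on DeviceName
| project NonCompliantTime, IntuneRecordTime = TimeGenerated, DeviceName, ComplianceState, OS, UPN
| order by NonCompliantTime desc
```

Filtering before summarize returns the same rows as the original ordering but avoids computing arg_max across every device in the IntuneDevices table; the join adds the NonCompliantTime column, which is useful when the latest Intune record predates the audit event and the Intune data has not yet caught up.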

Details


Matt Zorich

Released: June 17, 2022

Tables

AuditLogs, IntuneDevices

Keywords

AzureAD, Device, NonCompliant, Intune, DataConnector, SentinelWorkspace, DeviceName, AuditLogs, TimeGenerated, OperationName, TargetResources, displayName, distinct, IntuneDevices, summarize, arg_max

Operators

where, summarize, arg_max, by, in
