Query Details

Intune Devices Retrieve Device Info After Wipe

Query

//When an Intune admin initiates a remote wipe of a managed device, retrieve all the relevant information about the device

//Data connector required for this query - Intune data sent to Sentinel workspace

IntuneAuditLogs
| where TimeGenerated > ago(1d)
| where OperationName == "wipe ManagedDevice"
| extend DeviceId = tostring(parse_json(tostring(parse_json(Properties).TargetObjectIds))[0])
| project TimeGenerated, Actor=Identity, DeviceId
| join kind=inner(
    IntuneDevices
    //Go back 7 days to make sure we have information on the device and retrieve the latest record
    | where TimeGenerated > ago(7d)
    | summarize arg_max(TimeGenerated, *) by DeviceId
    )
    on DeviceId
| project
    TimeGenerated,
    Actor,
    DeviceId,
    Model,
    SerialNumber,
    OS,
    PrimaryUser=UserEmail,
    Ownership,
    ManagedBy,
    LastContact

Explanation

This query retrieves relevant information about a managed device when an Intune admin initiates a remote wipe. It uses the IntuneAuditLogs and IntuneDevices tables, which require the Intune data connector to be sending data to the Sentinel workspace. The query filters Intune audit logs generated in the past day for the "wipe ManagedDevice" operation and extracts the target device ID from the nested Properties JSON (TargetObjectIds is itself a JSON-encoded array, hence the double parse_json). It then joins to IntuneDevices, looking back 7 days and keeping only the latest record per DeviceId so the device details reflect the last known state before the wipe. The final result includes the time of the wipe, the admin who initiated it, the device ID, model, serial number, operating system, primary user email, ownership status, the management authority (ManagedBy), and the last contact time.
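The query above answers "what was this device?" for a single wipe. A defender usually also wants to know whether one admin account is wiping many devices in a short window, which is the pattern of an abused or compromised Intune role. The following KQL is an added example and is not part of the original query; it reuses the same tables and column names as the page's query and assumes the same Intune data connector. The lookback window and the threshold of 5 wipes are assumed values to be tuned to the tenant's normal wipe volume.

```kql
// Added example: find admins issuing an unusually high number of remote wipes.
// Table and column names are those used in the page's query; the threshold is assumed.
let lookback = 1d;
let wipe_threshold = 5;   // assumed value; tune to the tenant's baseline wipe rate
IntuneAuditLogs
| where TimeGenerated > ago(lookback)
| where OperationName == "wipe ManagedDevice"
// TargetObjectIds is a JSON-encoded array stored inside the Properties JSON string,
// so it is parsed twice, exactly as in the page's query
| extend DeviceId = tostring(parse_json(tostring(parse_json(Properties).TargetObjectIds))[0])
// Enrich with the latest known device record; leftouter keeps wipes of devices
// that have no IntuneDevices record in the lookback window
| join kind=leftouter (
    IntuneDevices
    | where TimeGenerated > ago(7d)
    | summarize arg_max(TimeGenerated, *) by DeviceId
    | project DeviceId, SerialNumber, PrimaryUser=UserEmail
    ) on DeviceId
| summarize
    WipeCount = dcount(DeviceId),
    FirstWipe = min(TimeGenerated),
    LastWipe  = max(TimeGenerated),
    Devices   = make_set(strcat(DeviceId, " / ", SerialNumber, " / ", PrimaryUser), 50)
    by Actor = Identity
| where WipeCount >= wipe_threshold
| order by WipeCount desc
```

Run it on the same schedule as the original query; an actor exceeding the threshold is worth a ticket even when each individual wipe looks legitimate, because the device list in the Devices column makes it quick to confirm with the admin whether the batch was intended.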

Details


Matt Zorich

Released: June 17, 2022

Tables

IntuneAuditLogs, IntuneDevices

Keywords

IntuneAuditLogs,TimeGenerated,OperationName,wipeManagedDevice,DeviceId,Properties,TargetObjectIds,Actor,Identity,IntuneDevices,Model,SerialNumber,OS,PrimaryUser,UserEmail,Ownership,ManagedBy,LastContact

Operators

|, where, extend, project, join, summarize, on
