Query Details
//Visualize when your devices last contacted Intune
//Data connector required for this query - Intune data sent to Sentinel workspace
IntuneDevices
| where TimeGenerated > ago(90d)
| where isnotempty(LastContact)
//Retrieve latest record for each DeviceId
| summarize arg_max(TimeGenerated, *) by DeviceId
//Convert string to datetime format
| extend LastContactTime = todatetime(LastContact)
| project DeviceId, LastContactTime
//Exclude devices reporting as 0001-01-01
| where LastContactTime <> todatetime('0001-01-01T00:00:00Z')
//Group by month and render chart
| summarize ['Device Count']=count() by startofmonth(LastContactTime)
| render columnchart with (title="Intune devices by last contact time", xtitle="Month")
This query visualizes when your devices last contacted Intune. It reads the IntuneDevices table, which requires the Intune data connector to send data to the Sentinel workspace. The query keeps only records generated in the past 90 days and drops records with an empty LastContact value. It then takes the latest record for each DeviceId and converts the LastContact field from a string to a datetime. After projecting the DeviceId and LastContactTime fields, it excludes devices reporting a LastContactTime of '0001-01-01T00:00:00Z'. Finally, it groups the devices by the month of their last contact and renders a column chart of the device count for each month. The chart title is "Intune devices by last contact time" and the x-axis is labeled "Month".
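The same filtering steps run over a small inline table, as an added example that is not part of the original query. The rows, device names and the SampleIntuneDevices name are constructed for illustration, and the 90-day TimeGenerated filter is omitted because the sample dates are fixed.

```kql
// Constructed sample rows (not real Intune data) with the columns the query uses
let SampleIntuneDevices = datatable(TimeGenerated:datetime, DeviceId:string, LastContact:string)
[
    datetime(2022-06-10), "dev-a", "2022-03-02 08:15:00",  // older record for dev-a
    datetime(2022-06-16), "dev-a", "2022-06-15 09:30:00",  // latest record for dev-a, kept by arg_max
    datetime(2022-06-16), "dev-b", "",                     // empty LastContact, dropped by isnotempty
    datetime(2022-06-16), "dev-c", "0001-01-01 00:00:00",  // placeholder date, dropped by the <> filter
    datetime(2022-06-16), "dev-d", "2022-01-20 17:45:00"   // last contact months before the record was logged
];
SampleIntuneDevices
| where isnotempty(LastContact)
//Retrieve latest record for each DeviceId
| summarize arg_max(TimeGenerated, *) by DeviceId
//Convert string to datetime format
| extend LastContactTime = todatetime(LastContact)
//Exclude devices reporting as 0001-01-01
| where LastContactTime <> todatetime('0001-01-01T00:00:00Z')
//Show the month bucket each surviving device falls into
| project DeviceId, LastContactTime, ContactMonth = startofmonth(LastContactTime)
| order by LastContactTime asc
```

Listing the devices per month bucket instead of counting them shows which records survive each filter before the chart aggregates them.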

Matt Zorich
Released: June 17, 2022