Query Details

Intune Devices Visualize Matching Device Ids

Query

//Visualize devices in Intune with the same Intune and Azure AD Id per week by join type

//Data connector required for this query - Intune data sent to Sentinel workspace

IntuneDevices
| where TimeGenerated > ago(180d)
| summarize arg_max(TimeGenerated, *) by DeviceName, startofweek(TimeGenerated)
| where DeviceId == ReferenceId
| where OS == 'Windows'
| summarize count() by startofweek(TimeGenerated), JoinType
| where isnotempty(JoinType)
| render columnchart with (kind=unstacked, title="Devices with the same Azure AD and Intune device Id per week by join type")

Explanation

This query is used to visualize devices in Intune that have the same Intune and Azure AD ID per week, categorized by join type. It requires a data connector for Intune data sent to a Sentinel workspace.

The query limits the data to records with a TimeGenerated value within the last 180 days. It then keeps the latest record for each device name in each week using the arg_max function. From those records it keeps only devices where the DeviceId matches the ReferenceId, and then only Windows devices.

The query then summarizes the count of devices per week and join type. It filters out any empty join types. Finally, it renders the results as a column chart with the title "Devices with the same Azure AD and Intune device Id per week by join type".
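The same per-week logic run over a small constructed table, as an added example that is not part of the original query: `SampleIntuneDevices` and all of its rows are made up, and the `Week`, `Matching` and `Mismatched` column names are assumptions. It goes slightly beyond the query above by counting devices whose two IDs differ alongside those that match.

```kusto
// Constructed rows standing in for the IntuneDevices table (not real data).
let SampleIntuneDevices = datatable(
    TimeGenerated:datetime, DeviceName:string, DeviceId:string,
    ReferenceId:string, OS:string, JoinType:string)
[
    // PC-01 reports twice in the same week: only the later record is kept
    datetime(2022-06-06), "PC-01",  "aaaa-1111", "aaaa-1111", "Windows", "Azure AD joined",
    datetime(2022-06-08), "PC-01",  "aaaa-1111", "aaaa-1111", "Windows", "Azure AD joined",
    datetime(2022-06-13), "PC-01",  "aaaa-1111", "aaaa-1111", "Windows", "Azure AD joined",
    // PC-02 has different Intune and Azure AD Ids
    datetime(2022-06-07), "PC-02",  "bbbb-2222", "cccc-3333", "Windows", "Hybrid Azure AD joined",
    datetime(2022-06-14), "PC-02",  "bbbb-2222", "cccc-3333", "Windows", "Hybrid Azure AD joined",
    // PC-03 has an empty JoinType and is dropped
    datetime(2022-06-07), "PC-03",  "dddd-4444", "dddd-4444", "Windows", "",
    // MAC-01 is not a Windows device and is dropped
    datetime(2022-06-07), "MAC-01", "eeee-5555", "eeee-5555", "macOS",   "Azure AD registered"
];
SampleIntuneDevices
// Name the week bucket explicitly so later stages can refer to it
| extend Week = startofweek(TimeGenerated)
// Latest record per device name per week
| summarize arg_max(TimeGenerated, *) by DeviceName, Week
| where OS == 'Windows' and isnotempty(JoinType)
// Count matching and non-matching Ids side by side
| summarize Matching = countif(DeviceId == ReferenceId),
            Mismatched = countif(DeviceId != ReferenceId)
            by Week, JoinType
| order by Week asc, JoinType asc
```

Replacing `SampleIntuneDevices` with `IntuneDevices` and adding the 180-day time filter runs the same stages against workspace data.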

Details

Matt Zorich

Released: June 17, 2022

Tables

IntuneDevices

Keywords

Devices,Intune,AzureAD,Id,week,jointype

Operators

where, ago, summarize, arg_max, by, ==, count(), isnotempty, render