KQL Search

Query Details

HomeAI ToolsDevice Query

Intune Devices Notin Compliance

Query

let ComplianceLogs=
IntuneOperationalLogs 
| where OperationName == "Compliance" 
| project TimeGenerated, Properties;
ComplianceLogs
| sort by TimeGenerated desc
| join (
ComplianceLogs
| extend myJson = todynamic(Properties)
| project-away Properties
| extend IntuneDeviceId=tostring(myJson["IntuneDeviceId"]) 
| project TimeGenerated, IntuneDeviceId
| summarize TimeGenerated=max(TimeGenerated) by IntuneDeviceId    
) on TimeGenerated
| project-away TimeGenerated1, IntuneDeviceId  
| summarize EventCount=count() by bin(TimeGenerated, {TimeRange:grain})

Explanation

The query retrieves compliance logs from IntuneOperationalLogs, filters them for the "Compliance" operation, and selects the TimeGenerated and Properties fields. It then sorts the logs by TimeGenerated in descending order.

Next, it joins the compliance logs with another set of compliance logs. In this second set, it converts the Properties field to a dynamic object, removes the Properties field, and extracts the IntuneDeviceId from the dynamic object. It then selects the TimeGenerated and IntuneDeviceId fields and summarizes the maximum TimeGenerated for each IntuneDeviceId.

The query then joins the two sets of logs based on the TimeGenerated field and removes the TimeGenerated1 and IntuneDeviceId fields. Finally, it summarizes the count of events by grouping them into time intervals based on the specified grain.

Details

Rod Trent profile picture

Rod Trent

Released: July 10, 2020

Tables

IntuneOperationalLogs

Keywords

IntuneOperationalLogs,Compliance,TimeGenerated,Properties,sort,join,extend,myJson,project-away,IntuneDeviceId,summarize,EventCount,bin,TimeRange,grain

Operators

whereprojectsort byjoinextendproject-awaysummarizecount()bin

Actions