Query Details

MDE Entra Synthetic Device

Query

# Microsoft Defender for Endpoint - Security Settings Management - Entra ID Synthetic Device actions

## Query Information

### Description

Use the queries below to find events related to MDE Security Settings Management.

#### References

### Sentinel

The query below shows when MDE signals Intune, after MDE onboarding/offboarding, to create/delete a synthetic device object in Entra ID.

```kql
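AuditLogs
// Audit events recorded under the Microsoft Intune identity
| where Identity == "Microsoft Intune"
// Device object creation and deletion operations
| where OperationName has_any ('Delete device','Add device')
// Display name and object id of the first target resource
| extend displayName = tostring(TargetResources[0].displayName)
| extend id = tostring(TargetResources[0].id)
// First AdditionalDetails value, which this query treats as the device id
| extend DeviceId = tostring(AdditionalDetails[0].value)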
```

Explanation

This query looks for Entra ID audit events related to Microsoft Defender for Endpoint Security Settings Management. Specifically, it finds the 'Add device' and 'Delete device' operations recorded under the Microsoft Intune identity when, after a device is onboarded to or offboarded from MDE, a synthetic device object is created or deleted in Entra ID.
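
An added example, not part of the original query page: the page's filter run over constructed sample rows and then reduced to one row per device object, showing whether its latest event was a creation or a deletion. The `SampleAuditLogs` table, its values and the `ExampleKey` name are constructed, and the example assumes `TargetResources[0].id` is the same in the add and delete events for one device.

```kql
// Constructed sample rows standing in for the AuditLogs table (all values are made up).
// The last row comes from a different identity and is dropped by the Identity filter.
let SampleAuditLogs = datatable(TimeGenerated: datetime, Identity: string, OperationName: string,
                                TargetResources: dynamic, AdditionalDetails: dynamic)
[
    datetime(2024-06-20 08:00:00), "Microsoft Intune", "Add device",
        dynamic([{"displayName": "SRV-EXAMPLE-01", "id": "00000000-0000-0000-0000-000000000001"}]),
        dynamic([{"key": "ExampleKey", "value": "aaaaaaaa-0000-0000-0000-000000000001"}]),
    datetime(2024-06-21 09:30:00), "Microsoft Intune", "Add device",
        dynamic([{"displayName": "SRV-EXAMPLE-02", "id": "00000000-0000-0000-0000-000000000002"}]),
        dynamic([{"key": "ExampleKey", "value": "aaaaaaaa-0000-0000-0000-000000000002"}]),
    datetime(2024-06-22 14:15:00), "Microsoft Intune", "Delete device",
        dynamic([{"displayName": "SRV-EXAMPLE-01", "id": "00000000-0000-0000-0000-000000000001"}]),
        dynamic([{"key": "ExampleKey", "value": "aaaaaaaa-0000-0000-0000-000000000001"}]),
    datetime(2024-06-22 15:00:00), "Example Other Service", "Add device",
        dynamic([{"displayName": "WS-EXAMPLE-03", "id": "00000000-0000-0000-0000-000000000003"}]),
        dynamic([{"key": "ExampleKey", "value": "aaaaaaaa-0000-0000-0000-000000000003"}])
];
// Swap SampleAuditLogs for AuditLogs to run the same logic against a workspace.
SampleAuditLogs
| where Identity == "Microsoft Intune"
| where OperationName has_any ('Delete device', 'Add device')
| extend displayName = tostring(TargetResources[0].displayName)
| extend id = tostring(TargetResources[0].id)
| extend DeviceId = tostring(AdditionalDetails[0].value)
// One row per device object: event counts plus the fields of its most recent event.
| summarize FirstSeen = min(TimeGenerated),
            Adds = countif(OperationName =~ "Add device"),
            Deletes = countif(OperationName =~ "Delete device"),
            arg_max(TimeGenerated, OperationName, displayName, DeviceId) by id
// The latest operation decides whether the synthetic object should still exist.
| extend CurrentState = iff(OperationName =~ "Delete device", "Deleted", "Present")
| project id, displayName, DeviceId, FirstSeen, LastEvent = TimeGenerated, Adds, Deletes, CurrentState
| order by LastEvent desc
```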

Details

Alex Verboon

Released: June 24, 2024

Tables

AuditLogs

Keywords

AuditLogs,Identity,OperationName,TargetResources,displayName,id,DeviceId,AdditionalDetails,value

Operators

where, extend, has_any, tostring