Query Details

Microsoft Defender for Endpoint - Security Settings Management - Entra ID Synthetic Device actions

MDE Entra Synthetic Device

Query

AuditLogs
| where Identity == "Microsoft Intune"
| where OperationName has_any ('Delete device','Add device')
| extend displayName = tostring(TargetResources[0].displayName)
| extend id = tostring(TargetResources[0].id)
| extend DeviceId = tostring(AdditionalDetails[0].value)

About this query

Microsoft Defender for Endpoint - Security Settings Management - Entra ID Synthetic Device actions

Query Information

Description

Use the below queries to find events related to MDE Security Settings management.

References

Microsoft Defender XDR

The below query shows when MDE signals Intune after onbarding/offbaording MDE to create/delete a synthetic device object in Entra ID

Explanation

This KQL (Kusto Query Language) query is designed to analyze audit logs related to Microsoft Defender for Endpoint (MDE) and its interaction with Microsoft Intune for managing security settings. Specifically, it focuses on events where MDE signals Intune to either create or delete a synthetic device object in Entra ID (formerly known as Azure Active Directory).

Here's a simple breakdown of what the query does:

  1. Data Source: It queries the AuditLogs table, which contains logs of various operations and activities.

  2. Filter by Identity: The query filters the logs to only include those where the Identity is "Microsoft Intune". This means it is looking for actions performed by Microsoft Intune.

  3. Filter by Operation: It further filters the logs to find operations that involve either adding or deleting a device. This is done by checking if the OperationName contains the phrases 'Delete device' or 'Add device'.

  4. Extract Information:

    • It extracts the displayName of the target resource (the device) involved in the operation.
    • It extracts the id of the target resource.
    • It extracts the DeviceId from additional details provided in the logs.

In summary, this query helps identify and extract details about when Microsoft Defender for Endpoint communicates with Intune to manage synthetic device objects in Entra ID, specifically focusing on the creation and deletion of these devices.

Details

Alex Verboon profile picture

Alex Verboon

Released: April 16, 2026

Tables

AuditLogs

Keywords

AuditLogsIdentityOperationNameTargetResourcesAdditionalDetailsDeviceEntraIDMicrosoftIntune

Operators

|wherehas_anyextendtostring

Actions

GitHub