KQL Search

Query Details

Count Devices Based On Osversion

Query

# Count devices based on OS version information

## Description

The following queries counts the devices onboard MDE based on the OS version information.

### Microsoft 365 Defender
```
DeviceInfo
// Define timerange below
| where Timestamp > ago(90d)
| summarize arg_max(Timestamp, *) by DeviceName
| summarize DeviceCount = dcount(DeviceName) by OSVersionInfo
| sort by DeviceCount asc 
```
### Microsoft Sentinel
```
DeviceInfo
// Define timerange below
| where TimeGenerated > ago(90d)
| summarize arg_max(Timestamp, *) by DeviceName
| summarize DeviceCount = dcount(DeviceName) by OSVersionInfo
| sort by DeviceCount asc 
```

### Versioning
| Version       | Date          | Comments                               |
| ------------- |---------------| ---------------------------------------|
| 1.0           | 26/07/2022    | Initial publish                        |
| 1.1           | 20/05/2023    | Transformed to template, minor changes |

Explanation

This query counts the number of devices onboard Microsoft 365 Defender or Microsoft Sentinel based on their operating system (OS) version information. It retrieves the device information within a specified time range, groups the devices by their OS version, and then calculates the count of unique devices for each OS version. The results are sorted in ascending order based on the device count.

Details

Michalis Michalos

Released: August 14, 2023

Tables

DeviceInfo

Keywords

Devices,Intune,User,OSVersionInfo

Operators

| wheresummarizearg_maxbydcountsortasc

KQL Search

Count Devices Based On Osversion

Query

Explanation

Details

Actions