As you start to connect your Intune/Endpoint Manager logs to Azure Sentinel, you may see right away that there’s a DeviceType column exposed that looks valuable but the results show ID numbers instead of just device names. This DeviceType column is directly related to the DeviceTypeID for Intune device entities.
As an example, the following simple KQL query queries the IntuneDeviceComplianceOrg table that is generated due to following the instructions for connecting Intune/Endpoint Manager to your Azure Sentinel Log Analytics workspace.
IntuneDeviceComplianceOrg
| where TimeGenerated > ago(3d)
| where isnotempty(DeviceName)
| distinct DeviceName, DeviceType, SerialNumberThe results look like the following:
Notice that the DeviceType column shows a code for the actual device name. The codes are officially and permanently located at the following link: DeviceTypes
Always use the location in our Docs platform for the most current information, but, here’s a copy of that to get a quick look at what the DeviceType column provides:
| deviceTypeID | Name | Description |
|---|---|---|
| 0 | Desktop | Windows Desktop device |
| 1 | WindowsRT | WindowsRT device |
| 2 | WinMO6 | Windows Mobile 6.0 device |
| 3 | Nokia | Nokia device |
| 4 | WindowsPhone | Windows Phone device |
| 5 | Mac | Mac device |
| 6 | WinCE | Windows CE device |
| 7 | WinEmbedded | Windows Embedded device |
| 8 | IPhone | iPhone device |
| 9 | IPad | iPad device |
| 10 | IPod | iPod device |
| 11 | Android | Android device-managed using Device Administrator |
| 12 | ISocConsumer | iSoc Consumer device |
| 14 | MacMDM | Mac OS X device managed with the built-in MDM agent |
| 15 | HoloLens | HoloLens device |
| 16 | SurfaceHub | Surface Hub device |
| 17 | AndroidForWork | Android device-managed using Android Profile Owner |
| 100 | Blackberry | Blackberry Device |
| 101 | Palm | Palm device |
| 255 | Unknown | Unknown device type |
So, now, for example, you can use KQL to identify only AndroidForWork devices by using the following KQL query:
IntuneDeviceComplianceOrg
| where TimeGenerated > ago(3d)
| where isnotempty(DeviceName)
| where DeviceType == "17"
| distinct DeviceName, DeviceType, SerialNumberP.S. I’ve also now included this information in an Azure Sentinel workbook so you can have the information handy: https://github.com/rod-trent/SentinelWorkbooks/blob/master/Intune-EndpointMgrDeviceIDReference.json
One thought on “Intune DeviceType Reference for Azure Sentinel KQL”
You must log in to post a comment.