Date: 2020-07-13

As you start to connect your Intune/Endpoint Manager logs to Azure Sentinel, you may see right away that there’s a DeviceType column exposed that looks valuable, but the results show ID numbers instead of just device names. This DeviceType column is directly related to the DeviceTypeID for Intune device entities.

As an example, the following simple KQL query reads the IntuneDeviceComplianceOrg table, which is created when you follow the instructions for connecting Intune/Endpoint Manager to your Azure Sentinel Log Analytics workspace.

    IntuneDeviceComplianceOrg
    | where TimeGenerated > ago(3d)
    | where isnotempty(DeviceName)
    | distinct DeviceName, DeviceType, SerialNumber

The results look like the following:

[Figure: Querying the IntuneDeviceComplianceOrg table in Azure Sentinel]

Notice that the DeviceType column shows a numeric code in place of the actual device name. The codes are officially and permanently located at the following link: DeviceTypes

Always use the location in our Docs platform for the most current information, but here’s a copy of that list for a quick look at what the DeviceType column provides:

| deviceTypeID | Name | Description |
|---|---|---|
| 0 | Desktop | Windows Desktop device |
| 1 | WindowsRT | WindowsRT device |
| 2 | WinMO6 | Windows Mobile 6.0 device |
| 3 | Nokia | Nokia device |
| 4 | WindowsPhone | Windows Phone device |
| 5 | Mac | Mac device |
| 6 | WinCE | Windows CE device |
| 7 | WinEmbedded | Windows Embedded device |
| 8 | IPhone | iPhone device |
| 9 | IPad | iPad device |
| 10 | IPod | iPod device |
| 11 | Android | Android device-managed using Device Administrator |
| 12 | ISocConsumer | iSoc Consumer device |
| 14 | MacMDM | Mac OS X device managed with the built-in MDM agent |
| 15 | HoloLens | HoloLens device |
| 16 | SurfaceHub | Surface Hub device |
| 17 | AndroidForWork | Android device-managed using Android Profile Owner |
| 100 | Blackberry | Blackberry Device |
| 101 | Palm | Palm device |
| 255 | Unknown | Unknown device type |

Table: Intune DeviceTypeIDs

So, now, for example, you can use KQL to identify only AndroidForWork devices by using the following KQL query:

    IntuneDeviceComplianceOrg
    | where TimeGenerated > ago(3d)
    | where isnotempty(DeviceName)
    | where DeviceType == "17"
    | distinct DeviceName, DeviceType, SerialNumber
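Going one step beyond filtering on a single code, the query below resolves every DeviceType code to its name so that analysts and detection rules do not have to memorize the IDs. It is an added example, not part of the original post; the names DeviceTypeNames and DeviceTypeName are made up for illustration, the mapping is copied from the table above, and it assumes DeviceType is stored as a string, as the comparison to "17" suggests.

```kql
// Added example: code-to-name mapping copied from the DeviceTypeID table on this page.
// DeviceTypeNames and DeviceTypeName are illustrative names, not Intune columns.
let DeviceTypeNames = datatable(DeviceType:string, DeviceTypeName:string)
[
    "0",   "Desktop",
    "1",   "WindowsRT",
    "2",   "WinMO6",
    "3",   "Nokia",
    "4",   "WindowsPhone",
    "5",   "Mac",
    "6",   "WinCE",
    "7",   "WinEmbedded",
    "8",   "IPhone",
    "9",   "IPad",
    "10",  "IPod",
    "11",  "Android",
    "12",  "ISocConsumer",
    "14",  "MacMDM",
    "15",  "HoloLens",
    "16",  "SurfaceHub",
    "17",  "AndroidForWork",
    "100", "Blackberry",
    "101", "Palm",
    "255", "Unknown"
];
IntuneDeviceComplianceOrg
| where TimeGenerated > ago(3d)
| where isnotempty(DeviceName)
// Assumption: DeviceType is a string column; tostring() is a no-op if so.
| extend DeviceType = tostring(DeviceType)
| distinct DeviceName, DeviceType, SerialNumber
// Left outer lookup keeps devices whose code is missing from the mapping.
| lookup kind=leftouter DeviceTypeNames on DeviceType
// Label unmapped codes explicitly so new or undocumented IDs stand out.
| extend DeviceTypeName = iff(isempty(DeviceTypeName),
                              strcat("Unmapped (", DeviceType, ")"),
                              DeviceTypeName)
| project DeviceName, DeviceType, DeviceTypeName, SerialNumber
| order by DeviceTypeName asc, DeviceName asc
```

Rows labelled "Unmapped" point to a code that is absent from the copied list, which is the cue to check the official DeviceTypes reference for updates.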

Authors Rod Trent