I am trying to take the Serial Number from the IntuneDevices table and use the DeviceName of the matching serial number and find the LastLoginTime from the SecurityEventsFiltered and SigninLogsFiltered tables.
let SecurityEventsFiltered =
SecurityEvent
| where EventID == 4624
| where AuthenticationPackageName has_any ('NTLM', 'Negotiate')
| where isnotnull(WorkstationName) and WorkstationName != "-"
| extend LastLoginTime = TimeGenerated;
let SigninLogsFiltered =
SigninLogs
| where isnotnull(DeviceDetail.displayName)
| extend LastLoginTime = TimeGenerated;
union IntuneDevices, SecurityEventsFiltered, SigninLogsFiltered
| where SerialNumber in ({SerialNumber}) or '*' in ({SerialNumber})
| where DeviceName in ({DeviceName}) or WorkstationName in ({DeviceName}) or DeviceDetail.displayName in ({DeviceName}) or '*' in ({DeviceName})
| summarize Details = make_set(pack(SerialNumber, UserName, Model, LastLoginTime)) by DeviceName
| project DeviceName, Details
I am trying to take the Serial Number from the IntuneDevices table and use the DeviceName of the matching serial number and find the LastLoginTime from the SecurityEventsFiltered and SigninLogsFiltered tables. This query that I have is pulling everything fine from the IntuneDevices table, but it is not pulling the LastLoginTime.