"Who wiped that device?" Simple question, complicated answer.
If we know exactly when the wipe was issued, it's easy - the Intune audit logs are sorted by timestamp and we can just find the one that matches our when. But it can often be several hours (or more) between the action being executed and the result being noticed - user's out to lunch, device is sleeping, it happened on a Friday, Intune is slow, etc. And you probably have a team of techs that wipe devices all day long as part of their normal duties, so your recent wipe (or "Fresh Start" - aka cleanWindowsDevice) events are going to be filled with noise. So, what can be done to narrow this down?
Note: If you just want to "skip to the good part", there's a script at the bottom of this post that can be used to just grab the answer you're looking for.
Graph's auditEvents and their limitations
Let's take a look at some of the auditEvents for the "wipe" and "cleanWindowsDevice" actions to see what fields we can search on:
Cool, so now we've got some example events and we know what properties those events contain. It looks like .Actor - that's the who - and .Resources - the what - are going to be the most important to us. .Actor contained userPrincipalName, which is good enough for me, but .Resources didn't really tell us a whole lot about the what other than the ResourceId. So let's search for that ResourceId:
Hmm... no results. That's weird.
What happens to the managedDevice object when you fresh start or wipe a device from Intune?
It gets deleted from Intune and the ResourceId doesn't exist anymore. Of course! So how do we find out which device was wiped? I don't keep track of all of my devices' ResourceIds, do you?
The Intune Data Warehouse
The Intune Data Warehouse is a historical record of your Intune tenant - every user, every device (and more) - that is refreshed every day. That testing device you set up three years ago that is long, long gone? It's in there. The Data Warehouse has that device's total RAM, information about which user enrolled that device, and what that device's resourceId was. And regarding the devices that were wiped / fresh started, they're in there, too - so we'll need to use it in order to figure out exactly what device was once known as b7dd1fa2-d9e6-41f9-a4cc-750079d0d4b0.
The data comes to us in an OData feed, which is great, but Microsoft's examples for connecting to the Warehouse come in two forms: a C# program that requires getting a token for an Application Registration using a plaintext password, or Power BI for interactive searching. Power BI is nice and all - and I've used it to explore the Data Warehouse, for sure - but I don't want to have to open it up every time I need to cross-reference something.
So, let's get connected to the Data Warehouse and do some exploring:
Cool. So now we have a way to get our historical devices from the Data Warehouse in PowerShell - no application registration required (though your account will need permissions to the DW, of course). A single Invoke-RestMethod call will only return the first 10,000 rows - and unfortunately the only server-side filter the endpoint supports is the timestamp of when a row was last modified (likely far cheaper for Microsoft than supporting a bunch of filter parameters) - so we'll have to page through all the results. No problem.
Putting it all together
We've covered how to explore Intune audit events to get information about who did what action when, and we've also talked about connecting to the Intune Data Warehouse to get information about all of our devices. So let's go back to the question we're trying to answer:
"Who wiped that device?"
I know what device was wiped, but not who wiped it. So let's make a PowerShell script that will show us all the recent auditEvents for a given deviceName[1]. The script will search the Data Warehouse for deviceIds belonging to that deviceName, and then we'll look for those deviceIds within the auditEvents to tell us who took the action.
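Here is an added example of that two-step lookup (page the Data Warehouse feed, then match its deviceIds against the resourceIds in recent auditEvents); it is not the post's own script. It assumes you already hold bearer tokens for the Data Warehouse and for Graph (obtained separately, e.g. via an interactive sign-in), that $DwDevicesUrl is your tenant's Data Warehouse devices collection URL from the Intune portal, that the feeds page via @odata.nextLink, and that wipe and Fresh Start events can be matched by "wipe" / "cleanWindowsDevice" in their displayName.

```powershell
# Added example, not the post's own script. Assumed inputs: bearer tokens for the Data
# Warehouse and Graph obtained separately, plus your tenant's DW devices collection URL.
function Get-AllODataRows {
    param([string]$Uri, [string]$Token)
    # Each response is capped by the service (10,000 rows for the Data Warehouse),
    # so keep following @odata.nextLink until the feed is exhausted.
    $rows = @()
    while ($Uri) {
        $page = Invoke-RestMethod -Method Get -Uri $Uri -Headers @{ Authorization = "Bearer $Token" }
        $rows += $page.value
        $Uri = $page.'@odata.nextLink'
    }
    return $rows
}
function Find-WipeActor {
    param(
        [Parameter(Mandatory)][string]$DeviceName,
        [Parameter(Mandatory)][string]$DwDevicesUrl,   # placeholder: tenant-specific URL
        [Parameter(Mandatory)][string]$DwToken,
        [Parameter(Mandatory)][string]$GraphToken,
        [int]$Days = 30
    )
    # Step 1: the Data Warehouse keeps deleted devices, so collect every deviceId
    # (the value that shows up as resourceId in auditEvents) this device name ever had.
    $ids = Get-AllODataRows -Uri $DwDevicesUrl -Token $DwToken |
        Where-Object { $_.deviceName -eq $DeviceName } |
        Select-Object -ExpandProperty deviceId -Unique
    if (-not $ids) { Write-Warning "No Data Warehouse rows found for '$DeviceName'"; return }
    # Step 2: pull recent audit events (time is the only server-side filter relied on here)
    # and keep wipe / cleanWindowsDevice events whose resources include one of those ids.
    $since = (Get-Date).ToUniversalTime().AddDays(-$Days).ToString('yyyy-MM-ddTHH:mm:ssZ')
    $auditUrl = "https://graph.microsoft.com/beta/deviceManagement/auditEvents?`$filter=activityDateTime ge $since"
    Get-AllODataRows -Uri $auditUrl -Token $GraphToken |
        Where-Object {
            $_.displayName -match 'wipe|cleanWindowsDevice' -and
            ($_.resources | Where-Object { $ids -contains $_.resourceId })
        } |
        ForEach-Object {
            [pscustomobject]@{
                When     = $_.activityDateTime
                Action   = $_.displayName
                Who      = $_.actor.userPrincipalName
                DeviceId = ($_.resources | Where-Object { $ids -contains $_.resourceId }).resourceId -join ','
            }
        } | Sort-Object When
}
# Usage (token variables and the URL are placeholders you supply):
# Find-WipeActor -DeviceName 'DESKTOP-1234' -DwDevicesUrl $DwDevicesUrl -DwToken $dw -GraphToken $gr
```

Widen -Days if the wipe may be older than the default window; the Data Warehouse step is the expensive one, so the device-name match is done once and reused for every event.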
Conclusion
So there you have it: now you can search auditEvents by information that is usually a little easier to come by (like a device name) when you need to answer those kinds of questions. Hopefully this has been helpful for you, cheers!
Footnotes
[1] Intune can create multiple deviceIds for any given serialNumber (after wipes / re-enrolls, etc.), and it looks like the serialNumber is not always present in the Data Warehouse for isDeleted=$true devices, unfortunately. So we'll have to search by Device Name in this use case. You can certainly search for serialNumber, but you aren't likely to return any events for the device objects that have already been removed from Intune (via wipe / fresh start / etc.). If you know more about why serialNumbers aren't always in the DW, drop me a line!
Searching Intune Audit Events by Device Name
Using PowerShell and the Intune Data Warehouse to search for Intune auditEvents by deviceName