Microsoft Intune comes with a pre-built reporting platform that contains a wealth of information, such as device management and endpoint analytics reports. These reports are useful for troubleshooting, but by the time you open a report to investigate a security issue, it may already be too late.
To address security concerns proactively, you want to be alerted on Intune activity as it happens. Fortunately, Microsoft Sentinel can be used to accomplish exactly that.
In this article, we will show you how to Monitor Microsoft Intune with Microsoft Sentinel.
Introduction
Microsoft Intune is a cloud-based mobile device management (MDM) and enterprise mobility management (EMM) service that allows organizations to manage and secure their employees’ devices and apps. It provides a range of features to manage and control those devices, including the ability to configure policies, distribute apps, and perform remote actions such as wiping a device.
One important feature of Microsoft Intune is its audit log, which records every administrative action performed within the Intune service. These audit logs provide valuable insight into who is doing what in the tenant, and can help you detect and respond to security threats and policy violations.
Intune audit logs cover actions such as device enrollments, app and policy creation, changes, assignments and deletions, and remote device actions such as wipe or retire. Each entry records the actor (the user or application that performed the action), the target object, the date and time, the result, and the IP address the request came from.
For more information about Microsoft Intune audit logs, please check the official documentation.
Microsoft Sentinel, on the other hand, is a cloud-native security information and event management (SIEM) and security orchestration, automation and response (SOAR) solution.
Microsoft Sentinel collects security data across your hybrid estate from devices, users, apps, servers, and any cloud. It applies built-in analytics and machine learning to surface real threats quickly, and because it is a managed service there is no SIEM infrastructure to set up, maintain, or scale.
The good news is that we can connect Microsoft Intune to Microsoft Sentinel, collect the audit logs, and build alerts on them.
Prerequisites
To follow this article, you need to have the following:
1) Azure subscription – If you don’t have an Azure subscription, you can create a free one here.
2) Log Analytics workspace – To create a new workspace, follow the instructions in Create a Log Analytics workspace.
3) Microsoft Sentinel enabled on that workspace. Microsoft Sentinel can be enabled at no additional cost on an Azure Monitor Log Analytics workspace for the first 31 days; follow the quick onboarding process. Once Microsoft Sentinel is enabled on the workspace, data ingested into it can be retained at no charge for 90 days.
4) A Microsoft Intune tenant, and a user who is a Global Administrator or Intune Administrator (the role formerly named Intune Service Administrator) for that tenant.
5) To create the diagnostic setting that sends Intune logs to the workspace, you also need the Log Analytics Contributor role on the Log Analytics workspace. For more information on the different roles and what they can do, see how to manage access to Log Analytics workspaces.
Assuming you have all the prerequisites in place, take now the following steps:
Enable Microsoft Intune Diagnostics Settings
First, we need to enable the Microsoft Intune diagnostic settings; follow the steps below:
Open the Microsoft Endpoint Manager admin center at (https://endpoint.microsoft.com/), which now redirects to the Microsoft Intune admin center, and navigate to Reports, then Diagnostic settings.
Next, add a new diagnostic setting similar to the one below, and make sure you select the subscription and the Log Analytics workspace that Microsoft Sentinel is enabled on. The available log categories are AuditLogs, OperationalLogs, DeviceComplianceOrg, and Devices. For this example, we will collect only the AuditLogs.
Updated 03/10/2024: you can now also select Windows365AuditLogs in the Intune diagnostic settings to collect the Windows 365 Cloud PC audit log. With that category enabled, you can alert when someone modifies a Windows 365 provisioning policy, because such a change can affect every Cloud PC the policy provisions.

For more information about the diagnostics settings for Intune, check the Microsoft documentation.
Use Microsoft Sentinel to Monitor Microsoft Intune
Once the diagnostic setting in Microsoft Intune is created, saved, and enabled, and as long as there is activity being recorded in your Intune tenant, new tables appear in the workspace, one per selected category: IntuneAuditLogs, IntuneDeviceComplianceOrg, IntuneOperationalLogs, IntuneDevices, and Windows365AuditLogs. If you selected only AuditLogs, only IntuneAuditLogs is created.
Those tables show up in your Log Analytics workspace for Microsoft Sentinel under Logs, in the LogManagement area, as shown in the figure below.

Now to get data out of the table, we need to write a query in the Kusto Query Language (KQL).
In this example, we want to audit, and be notified of, any modification to the Intune configuration made between 8:00 pm and 7:00 am.
Monitor Intune Policy in Log Analytics
In the IntuneAuditLogs table, the Properties column holds a JSON document with fields such as ActivityType, ActorType, Category, and ActivityResult. The actions an administrator can take are: Create, Delete, Patch, Action, SetReference, RemoveReference, Get, and Search. For more information, see the documentation on using audit logs throughout Intune.
To determine when a policy was deleted or created, and by whom, we need to map the numeric ActivityType value (0 to 7) to the corresponding action:
- ActivityType == 0, “Create”
- ActivityType == 1, “Delete”
- ActivityType == 2, “Patch”
- ActivityType == 3, “Action”
- ActivityType == 4, “SetReference”
- ActivityType == 5, “RemoveReference”
- ActivityType == 6, “Get”
- ActivityType == 7, “Search”
The idea is to be notified that someone has done any of the abovementioned activities. This can be a security baseline profile, a configuration policy, a compliance policy, etc.
The following KQL query parses the Properties column, maps ActivityType to its name, and then summarizes the events per activity type together with the actors involved. Remove the final summarize line to see every individual event with its policy name and actor:
IntuneAuditLogs
| extend PropertiesObject = parse_json(Properties)
| extend actorObject = parse_json(PropertiesObject.Actor)
| extend targetsObject = parse_json(PropertiesObject.TargetDisplayNames)
// map the numeric ActivityType to the action name
| extend activityString = case(
    PropertiesObject.ActivityType == 0, "Create",
    PropertiesObject.ActivityType == 1, "Delete",
    PropertiesObject.ActivityType == 2, "Patch",
    PropertiesObject.ActivityType == 3, "Action",
    PropertiesObject.ActivityType == 4, "SetReference",
    PropertiesObject.ActivityType == 5, "RemoveReference",
    PropertiesObject.ActivityType == 6, "Get",
    PropertiesObject.ActivityType == 7, "Search",
    "Other"
)
| project TimeGenerated, PolicyName=tostring(targetsObject[0]), SourceSystem, OperationName, activityString, ResultType, Properties, UPN=tostring(actorObject.UPN)
// one row per activity type: how often it happened and who did it
| summarize Count = count(), Actors = make_set(UPN) by activityString

Here is another KQL query to monitor Windows 365 Cloud PC operations (the conditions must be joined with a single where operator and or, not repeated where clauses):
Windows365AuditLogs
| where OperationName contains "CloudPcProvisioningPolicy"
    or OperationName contains "CloudPcUserSetting"
    or OperationName contains "CloudPcModel"
    or OperationName contains "Health check"
    or OperationName contains "CloudPcOnpremisesConnection"
Create an analytic rule
The next step is to create an Analytic rule in Microsoft Sentinel to detect the action that we want to be notified for.
From within the Analytics page, create a new Scheduled query rule. Give the analytic rule a meaningful ‘Name‘ and ‘Description‘, for example, ‘Microsoft Intune Deleted Policy‘.
Next, select the following 2 ‘Tactics‘ (Execution, and Discovery). Those tactics are based on the MITRE ATT&CK Matrix for Enterprise, then select ‘Medium‘ for the Severity.

Click Next to go to Set rule logic. In the Set rule logic tab, enter the following KQL query to detect when someone deleted an Intune policy between 8:00 pm and 7:00 am local time.
TimeGenerated is in UTC, so the query converts it to a local time zone with datetime_utc_to_local(); that also handles the CET/CEST daylight-saving switch, which a hard-coded fixed offset does not. Replace the IANA zone name with your own and change the hour range to match your business hours.
IntuneAuditLogs
// convert UTC to local time; Europe/Zurich is an example, use your own IANA zone name
| extend localTime = datetime_utc_to_local(TimeGenerated, "Europe/Zurich")
| extend hour = datetime_part("hour", localTime)
// business hours are 07:00-19:59 local; everything else (20:00-06:59) is in scope
| where hour !between (7 .. 19)
| extend PropertiesObject = parse_json(Properties)
| extend actorObject = parse_json(PropertiesObject.Actor)
| extend targetsObject = parse_json(PropertiesObject.TargetDisplayNames)
| extend activityString = case(
    PropertiesObject.ActivityType == 0, "Create",
    PropertiesObject.ActivityType == 1, "Delete",
    PropertiesObject.ActivityType == 2, "Patch",
    PropertiesObject.ActivityType == 3, "Action",
    PropertiesObject.ActivityType == 4, "SetReference",
    PropertiesObject.ActivityType == 5, "RemoveReference",
    PropertiesObject.ActivityType == 6, "Get",
    PropertiesObject.ActivityType == 7, "Search",
    "Other"
)
| project TimeGenerated, localTime, PolicyName=tostring(targetsObject[0]), SourceSystem, OperationName, activityString, ResultType, Properties, UPN=tostring(actorObject.UPN)
| where activityString == "Delete"
Then enrich the alert with the following entities:
Entity mapping:
- Account – Name => UPN
Custom details:
- ActivityString => activityString
- OperationName => OperationName
- PolicyName => PolicyName
- SourceSystem => SourceSystem
- ResultType => ResultType

For the query scheduling, the rule runs every 1 hour and looks up data from the last 1 day, with an alert threshold greater than 0. Note that a lookup period longer than the run frequency means every matching event is returned by up to 24 consecutive runs and can raise repeated alerts; set the lookup period to 1 hour (equal to the frequency) unless you deliberately want that overlap.

Click Next to configure the Incident settings.
For alert grouping, you can enable group-related alerts, triggered by this analytics rule, into incidents. Keep the default settings: Grouping alerts into a single incident if all the entities match (recommended).
Click Next to configure the Automated response.
In the Automated response tab, under Automation rules, you can add the automated playbook that you’ve created, for example, post a message in the Microsoft Teams Channel, to inform the SOC team members about any operation performed outside of ‘business hours’.

Automation rules can be used to allow you to automate responses for multiple analytics rules at once, automatically tag, assign, or close incidents without the need for playbooks, and control the order of actions that are executed.
Last, click Next to review and create. In the Review and Create page, validate the settings and click Create to start the rule creation process.
Now, if you want to monitor all activity types in a single analytic rule instead of creating a separate rule for each activity type, list all the Intune activities in the final ‘where‘ operator, as shown in the example below (the outside-business-hours filter is the same as in the Delete rule):
IntuneAuditLogs
| extend localTime = datetime_utc_to_local(TimeGenerated, "Europe/Zurich")
| extend hour = datetime_part("hour", localTime)
// outside business hours, as in the Delete rule above
| where hour !between (7 .. 19)
| extend PropertiesObject = parse_json(Properties)
| extend actorObject = parse_json(PropertiesObject.Actor)
| extend targetsObject = parse_json(PropertiesObject.TargetDisplayNames)
| extend activityString = case(
    PropertiesObject.ActivityType == 0, "Create",
    PropertiesObject.ActivityType == 1, "Delete",
    PropertiesObject.ActivityType == 2, "Patch",
    PropertiesObject.ActivityType == 3, "Action",
    PropertiesObject.ActivityType == 4, "SetReference",
    PropertiesObject.ActivityType == 5, "RemoveReference",
    PropertiesObject.ActivityType == 6, "Get",
    PropertiesObject.ActivityType == 7, "Search",
    "Other"
)
| project TimeGenerated, localTime, PolicyName=tostring(targetsObject[0]), SourceSystem, OperationName, activityString, ResultType, Properties, UPN=tostring(actorObject.UPN)
| where activityString in ("Create", "Delete", "Patch", "Action", "SetReference", "RemoveReference", "Get", "Search")
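To check the rule logic without waiting for real after-hours events, the following Python script re-implements the parse, ActivityType mapping, local-hour window and activity filter of the KQL above (both the Delete-only rule and the all-activities variant) and runs it over a handful of constructed IntuneAuditLogs-shaped rows. This is an added example, not code from the article or from Microsoft: the column names follow the KQL, but the Properties payloads, user names, policy names and the Europe/Zurich time zone are assumptions made for illustration.

```python
# Added example (not the article's own code): the Sentinel rule logic above
# re-implemented in Python so it can be exercised offline against constructed
# IntuneAuditLogs rows.  Column names follow the KQL; the Properties JSON and
# every sample value below are constructed for illustration.
import json
from datetime import datetime, timedelta, timezone

try:
    from zoneinfo import ZoneInfo
    LOCAL_TZ = ZoneInfo("Europe/Zurich")        # assumed zone; change to your own IANA name
except Exception:                                # no tzdata on this host: fixed CET, no DST handling
    LOCAL_TZ = timezone(timedelta(hours=1), "CET")

# Same ActivityType mapping as the case() in the KQL.
ACTIVITY_TYPES = {0: "Create", 1: "Delete", 2: "Patch", 3: "Action",
                  4: "SetReference", 5: "RemoveReference", 6: "Get", 7: "Search"}

BUSINESS_HOURS = range(7, 20)   # 07:00-19:59 local is business time; 20:00-06:59 is not


def project(row, tz=LOCAL_TZ):
    """Mirror of the KQL extend/project stage for one IntuneAuditLogs row."""
    props = json.loads(row["Properties"])
    targets = props.get("TargetDisplayNames") or []
    actor = props.get("Actor") or {}
    # DST-aware when tzdata is available, unlike a hard-coded +2h
    local_hour = row["TimeGenerated"].astimezone(tz).hour
    return {
        "TimeGenerated": row["TimeGenerated"],
        "LocalHour": local_hour,
        "PolicyName": targets[0] if targets else None,
        "OperationName": row["OperationName"],
        "activityString": ACTIVITY_TYPES.get(props.get("ActivityType"), "Other"),
        "ResultType": row["ResultType"],
        "UPN": actor.get("UPN"),
    }


def after_hours_events(rows, activities=("Delete",), tz=LOCAL_TZ):
    """Return rows outside business hours whose activity is in `activities`.
    activities=None means every mapped activity (the 'all activity types' rule)."""
    hits = []
    for row in rows:
        ev = project(row, tz)
        if ev["LocalHour"] in BUSINESS_HOURS:
            continue
        if activities is None:
            if ev["activityString"] == "Other":
                continue
        elif ev["activityString"] not in activities:
            continue
        hits.append(ev)
    return hits


def _props(activity_type, upn, *targets):
    # Constructed Properties payload using only the keys the KQL reads.
    return json.dumps({"ActivityType": activity_type,
                       "Actor": {"UPN": upn, "Type": "User"},
                       "TargetDisplayNames": list(targets)})


# Constructed sample rows; UTC timestamps on a winter date, so local CET = UTC+1.
SAMPLE_ROWS = [
    {"TimeGenerated": datetime(2024, 3, 10, 21, 30, tzinfo=timezone.utc),   # 22:30 local: after hours
     "OperationName": "deleteDeviceConfiguration", "ResultType": "Success",
     "Properties": _props(1, "admin@contoso.example", "Win11 - BitLocker baseline")},
    {"TimeGenerated": datetime(2024, 3, 10, 18, 30, tzinfo=timezone.utc),   # 19:30 local: business hours
     "OperationName": "deleteDeviceCompliancePolicy", "ResultType": "Success",
     "Properties": _props(1, "admin@contoso.example", "iOS compliance")},
    {"TimeGenerated": datetime(2024, 3, 10, 19, 30, tzinfo=timezone.utc),   # 20:30 local, but a Create
     "OperationName": "createDeviceConfiguration", "ResultType": "Success",
     "Properties": _props(0, "helpdesk@contoso.example", "Test profile")},
    {"TimeGenerated": datetime(2024, 3, 10, 5, 30, tzinfo=timezone.utc),    # 06:30 local; a naive +2h would say 07:30
     "OperationName": "deleteDeviceConfiguration", "ResultType": "Success",
     "Properties": _props(1, "svc-automation@contoso.example", "Legacy Wi-Fi profile")},
]

if __name__ == "__main__":
    for ev in after_hours_events(SAMPLE_ROWS):
        print(f'{ev["TimeGenerated"]:%Y-%m-%d %H:%M}Z {ev["UPN"]} '
              f'{ev["activityString"]} {ev["PolicyName"]}')
```

Running the script lists the two deletions that fall outside 07:00-19:59 local time; the 19:30 local deletion is dropped, and the 20:30 local Create only appears when `activities=None` is passed, which corresponds to the all-activities rule. The fourth row shows why the offset matters: at 05:30 UTC the real local hour is 06:30 (in scope), whereas a fixed +2h would place it at 07:30 and silently miss it.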
That’s it! You now know how to monitor Microsoft Intune with Microsoft Sentinel.
Microsoft Intune Suite
The new Microsoft Intune Suite announced by Microsoft unifies a series of advanced endpoint management and security capabilities that are integrated with Microsoft 365 and Microsoft Security across endpoint platforms for both cloud and co-managed devices.
The core value areas of the Intune Suite are:
- Unify endpoint management. Bring all endpoint and security management tools into one place, simplifying workflows for IT and security operations (SecOps).
- Strengthen security. Ensure device health and compliance by using Microsoft Security signals and advanced capabilities to mitigate threats and protect corporate data.
- Reduce costs. Do more with less by consolidating vendors with Microsoft for efficient, cost-effective licensing. Improve user productivity and performance across devices.
So, it becomes even more vital to monitor your Intune Suite environment with Sentinel.
Summary
In this article, we showed you how to monitor Microsoft Intune with Microsoft Sentinel to proactively address security issues and receive alerts.
By reviewing Microsoft Intune audit logs regularly, you can gain a better understanding of how your organization is using the Intune service, identify any potential issues or risks, and take appropriate action to mitigate them. In addition, these audit logs can also help organizations meet regulatory compliance requirements by providing a detailed record of all actions taken within the Intune service.
Thank you for reading my blog.
If you have any questions or feedback, please leave a comment.
-Charbel Nemnom-