We have some deeper integration coming for all endpoints in the future for Azure Sentinel through the standard ATP, DATP, and similar connectors, but for now you can connect your Intune/Endpoint Manager tenant to Azure Sentinel pretty easily to get started sifting through the available data. It takes only a few minutes to set it up and see a new Intune data table show up in Azure Sentinel.
How to do it…
Open the Microsoft Endpoint Manager admin center (https://endpoint.microsoft.com/) and navigate the menu to Reports, then Diagnostic Settings.
Create a new Diagnostic Setting similar to the following, but ensure that your own Subscription and Log Analytics Workspace (the one used by Azure Sentinel) are selected. Also, make sure to select all log types (AuditLogs, OperationalLogs, and DeviceComplianceOrg).
Once the Diagnostic Setting is created, saved, and enabled, and as long as there is activity being recorded in the Intune tenant, new data tables called IntuneAuditLogs, IntuneDeviceComplianceOrg, and IntuneOperationalLogs will show up in the list in Azure Sentinel under the LogManagement area.
The number of typed columns is small, unfortunately, but there’s still good data to glean. Stay tuned. I’m collaborating with some colleagues to build knowledge around generating valuable Analytics Rules and I’ll provide more information here in the near future.
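As an added example (not from the original post or from Microsoft), here is a KQL query you can run in the Azure Sentinel Logs blade once the IntuneAuditLogs table appears, to see which identities are generating the most Intune admin activity. The typed columns (TimeGenerated, OperationName, ResultType, Identity, Properties) are the table's own; the nested keys under Properties (Actor.UPN, Actor.Type, Targets) and the thresholds are assumptions for illustration.

```kql
// Added example: surface identities with bursts of Intune admin operations in the last day.
// Typed columns come from IntuneAuditLogs; the nested Actor/Targets keys are assumed
// from the audit JSON payload and the thresholds are constructed starting points.
let lookback = 1d;
let burst_threshold = 50;   // assumed: operations per actor per day worth a look
IntuneAuditLogs
| where TimeGenerated > ago(lookback)
| extend Props = parse_json(Properties)
| extend ActorUpn   = tostring(Props.Actor.UPN),
         ActorType  = tostring(Props.Actor.Type),
         TargetCount = array_length(Props.Targets)
| summarize Operations  = count(),
            DistinctOps = dcount(OperationName),
            OpList      = make_set(OperationName, 20),
            Results     = make_set(ResultType),
            Targets     = sum(TargetCount),
            FirstSeen   = min(TimeGenerated),
            LastSeen    = max(TimeGenerated)
  by ActorUpn, ActorType, Identity
| where Operations > burst_threshold
| order by Operations desc
```

Dropping the final `where` turns the same query into a quick inventory of who is changing what in the tenant, which is a useful baseline before tuning it into an Analytics Rule.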
For today’s P.S.: I’ve also placed a few Intune-specific Workbooks for Azure Sentinel in my GitHub repository. Feel free to import them, use them, make modifications, etc., etc.