Digging Deeper into Intune and Azure Sentinel

Last week I finally found some time to start digging into managing security for Intune-enrolled devices with Azure Sentinel. Obviously, the first thing that had to be done was to connect Intune data to Azure Sentinel. Read about how to do that here: Connecting Intune to Azure Sentinel.

The next step was to ensure that my enrolled devices were showing up in the ingested data. I currently have both Windows and Android devices showing up in Azure Sentinel.

One of the things I’m really interested in is to see if the new Microsoft Defender ATP for Android will deliver some actionable and query-able data. Stay tuned.

Now with Intune data flowing in, I’ve been able to surmise the following tables contain the data I’ve been hunting for:

AuditLogs
IntuneAuditLogs
IntuneOperationalLogs
IntuneDeviceComplianceOrg
SigninLogs
SecurityEvent

I’ve started putting together some quick KQL queries to sort through and make sense of the data. In a lot of cases, currently, there’s going to need to be some significant parsing, i.e., a lot of data is shoved into a ‘Properties’ field like is done for a custom log ingestion. I’ll be working on a parsing query that can be saved as a Function, so look for that.

I’ve not had an enormous amount of time to continue digging into the Intune/Azure Sentinel puzzle (though I really, desperately want to and will continue as I have time), but I did want to at least post about my progress and findings to hopefully spur some of you to continue the trek. Use your creativity to help build some Hunting queries and Analytics Rules.

I’ve started putting my own quick creations in my GitHub repository. Just search the page for “Intune”:

https://github.com/rod-trent/SentinelKQL

There’s a few there already: