Azure Sentinel News
  • Home
    • Home – Layout 1
    • Home – Layout 2
    • Home – Layout 3
  • Security and Compliance
  • SOC
  • Threat Intelligence
  • Security Ochestration & Automated Response
  • SOAR
  • Security Operations
  • Artificial Intelligence
No Result
View All Result
  • Home
    • Home – Layout 1
    • Home – Layout 2
    • Home – Layout 3
  • Security and Compliance
  • SOC
  • Threat Intelligence
  • Security Ochestration & Automated Response
  • SOAR
  • Security Operations
  • Artificial Intelligence
No Result
View All Result
Azure Sentinel News
No Result
View All Result
Home KQL

Digging Deeper into Intune and Azure Sentinel

Azure Sentinel News Editor by Azure Sentinel News Editor
December 30, 2020
in KQL
0
RiskIQ Joins Microsoft Intelligent Security Association
4.7kViews
776 Shares Share on Facebook Share on Twitter

Last week I finally found some time to start digging into managing security for Intune-enrolled devices with Azure Sentinel. Obviously, the first thing that had to be done was to connect Intune data to Azure Sentinel. Read about how to do that here: Connecting Intune to Azure Sentinel.

The next step was to ensure that my enrolled devices were showing up in the ingested data. I currently have both Windows and Android devices showing up in Azure Sentinel.

Android is “in the house!”

One of the things I’m really interested in is to see if the new Microsoft Defender ATP for Android will deliver some actionable and query-able data. Stay tuned.

Now with Intune data flowing in, I’ve been able to surmise the following tables contain the data I’ve been hunting for:

  • AuditLogs
  • IntuneAuditLogs
  • IntuneOperationalLogs
  • IntuneDeviceComplianceOrg
  • SigninLogs
  • SecurityEvent

I’ve started putting together some quick KQL queries to sort through and make sense of the data. In a lot of cases, currently, there’s going to need to be some significant parsing, i.e., a lot of data is shoved into a ‘Properties’ field like is done for a custom log ingestion. I’ll be working on a parsing query that can be saved as a Function, so look for that.

I’ve not had an enormous amount of time to continue digging into the Intune/Azure Sentinel puzzle (though I really, desperately want to and will continue as I have time), but I did want to at least post about my progress and findings to hopefully spur some of you to continue the trek. Use your creativity to help build some Hunting queries and Analytics Rules.

I’ve started putting my own quick creations in my GitHub repository. Just search the page for “Intune”:

https://github.com/rod-trent/SentinelKQL

There’s a few there already:

Here’s an example to get the juices flowing. This one identifies those Intune-enrolled devices no in compliance:

IntuneDeviceComplianceOrg
| where ComplianceState <> “Compliant” and isnotempty(ComplianceState)

Have fun! Let me know what you come up with on Twitter: @rodtrent

Reference: https://azurecloudai.blog/2020/07/10/digging-deeper-into-intune-and-azure-sentinel/

Azure Sentinel News Editor

Azure Sentinel News Editor

Related Posts

What’s new: Microsoft Teams connector in Public Preview
KQL

New Azure Sentinel Learning Modules Released

February 1, 2021
What’s new: Microsoft Teams connector in Public Preview
KQL

How to Connect the New Intune Devices Log Azure Sentinel

January 26, 2021
What’s new: Microsoft Teams connector in Public Preview
KQL

How to Create a Backup Notification in the Event an Unauthorized User Accesses Azure Sentinel

January 11, 2021
Next Post
Wipro launches advanced cloud SOC services using Microsoft Azure Sentinel

Azure Sentinel Rare Occurrences Incidents Generated After Setup

Enriching Windows Security Events with Parameterized Function

New Private Preview Tag in Azure Sentinel

ForgeRock integrates with Microsoft, Auth0 launches marketplace to secure enterprise digital identity

Shortcut Way to Enable Azure Sentinel Analytics Rules

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Follow Us

  • 21.8M Fans
  • 81 Followers

Recommended

What’s new: Microsoft 365 Defender connector now in Public Preview for Azure Sentinel

What’s new: Microsoft 365 Defender connector now in Public Preview for Azure Sentinel

5 months ago
Alcide Joins Microsoft Intelligent Security Association (MISA) and integrates their Kubernetes security, Alcide kAudit, with Microsoft Azure Sentinel

Alcide Joins Microsoft Intelligent Security Association (MISA) and integrates their Kubernetes security, Alcide kAudit, with Microsoft Azure Sentinel

4 months ago
With new release, CrowdStrike targets Google Cloud, Azure and container adopters

Follow-up: Microsoft Tech Talks Practical Sentinel : A Day in the Life of a Sentinel Analyst

2 weeks ago
Microsoft Windows Virtual Desktop: A cheat sheet

Microsoft Windows Virtual Desktop: A cheat sheet

4 months ago

Instagram

    Please install/update and activate JNews Instagram plugin.

Categories

  • AI & ML
  • Artificial Intelligence
  • Incident Response
  • IR
  • KQL
  • Security and Compliance
  • Security Ochestration & Automated Response
  • Security Operations
  • SIEM
  • SOAR
  • SOC
  • Threat Intelligence
  • Uncategorized

Topics

anomaly automation Azure Azure DevOps Azure Security Center Azure Sentinel Azure Sentinel API Azure Sentinel Connector BlueVoyant Call cybersecurity Detection file GitHub Hunting Huntingy IAC incident response Incident Triage infrastructure as code Investigation jupyter LAQueryLogs MDR Microsoft microsoft 365 mssp Multitenancy Notebooks Pester Playbooks PowerShell python Records Security Sentinel Sharing SIEM signin Supply Chain teams Threat hunting Watchlists Workbooks XDR
No Result
View All Result

Highlights

The Holy Grail of Azure Sentinel Data Connections: The Azure Service Diagnostic Setting

New Items of Note on the Azure Sentinel GitHub Repo

Tuning the MCAS Analytics Rule for Azure Sentinel: System Alerts and Feature Deprecation

New Search Capability for Azure Sentinel Incidents

Follow-up: Microsoft Tech Talks Practical Sentinel : A Day in the Life of a Sentinel Analyst

Changes in How Running Hunting Queries Works in Azure Sentinel

Trending

What’s new: Microsoft Teams connector in Public Preview
AI & ML

Azure Sentinel Weekly Newsletter

by Azure Sentinel News Editor
March 1, 2021
0

I’ve sensed this for a while now, but a few days ago it really hit me —...

What’s new: Microsoft Teams connector in Public Preview

How to Generate Azure Sentinel Incidents for Testing

February 26, 2021
What’s new: Microsoft Teams connector in Public Preview

Azure Sentinel Notebooks Loses It’s Preview Tag

February 25, 2021
Microsoft’s newest sustainable datacenter region coming to Arizona in 2021

The Holy Grail of Azure Sentinel Data Connections: The Azure Service Diagnostic Setting

February 22, 2021
Microsoft’s newest sustainable datacenter region coming to Arizona in 2021

New Items of Note on the Azure Sentinel GitHub Repo

February 18, 2021

We bring you the best, latest and perfect Azure Sentinel News, Magazine, Personal Blogs, etc. Visit our landing page to see all features & demos.
LEARN MORE »

Recent News

  • Azure Sentinel Weekly Newsletter March 1, 2021
  • How to Generate Azure Sentinel Incidents for Testing February 26, 2021
  • Azure Sentinel Notebooks Loses It’s Preview Tag February 25, 2021

Categories

  • AI & ML
  • Artificial Intelligence
  • Incident Response
  • IR
  • KQL
  • Security and Compliance
  • Security Ochestration & Automated Response
  • Security Operations
  • SIEM
  • SOAR
  • SOC
  • Threat Intelligence
  • Uncategorized

[mc4wp_form]

Copyright © 2020 - Azure Sentinel News

No Result
View All Result
  • Home
  • Security and Compliance
  • SOC
  • Threat Intelligence
  • Security Ochestration & Automated Response
  • SOAR
  • Security Operations
  • Artificial Intelligence

Copyright © 2020 Azure Sentinel News