A key requirement is complete visibility into the activities and logs of devices enrolled in Microsoft Endpoint Manager (MEM) / Intune, and Azure Sentinel is how we meet it. MEM can forward three log categories to a Log Analytics workspace:
- Audit Logs – shows a record of activities that generate a change in MEM, including create, update (edit), delete, assign, and remote actions.
- Operational Logs – show details on users and devices that successfully enrolled (or failed to enroll), and details on non-compliant devices.
- Device Compliance Organizational Logs – show an organizational report for device compliance in Intune, and details on non-compliant devices.
Pre-Requisites & Ingestion Flow
- An Azure subscription: Azure Sentinel Log Analytics Workspace
- A Microsoft Endpoint Manager (MEM) environment (tenant) in Azure
- A user who is a Global Administrator or Intune Service Administrator for the Intune tenant.
ENABLE Microsoft Endpoint Manager (MEM) DIAGNOSTICS Settings
- Sign in to the Azure portal http://portal.azure.com
- Ensure that Microsoft.Intune is registered under your subscription before enabling Microsoft Endpoint Manager Diagnostic Settings
- Search for Subscriptions, select your subscription, click “Resource Providers” under Settings, and register “Microsoft.Intune”. Confirm the status shows “Registered” (green); it may take a few minutes to reflect.
- Sign in to Microsoft Endpoint Manager center http://endpoint.microsoft.com
- Tenant administration > Diagnostic settings > “+ Add diagnostic setting”
- Give the new diagnostic setting a name (e.g. MEMLogs-AzureSentinel), select Send to Log Analytics, and then scroll down.
- Select your Azure subscription, the Azure Sentinel Log Analytics Workspace you want to send MEM diagnostic logs to, and all the available MEM log categories, then click Save.
- Click Refresh back on the Diagnostic settings screen and you should now see the newly created diagnostics settings pointing to your Azure Sentinel Log Analytics-Workspace.
- To see the logs in the Azure Sentinel Log Analytics Workspace, sign in to the Azure portal, search for Azure Sentinel and then select the workspace containing the MEM diagnostic logs you just set up.
- Under General, select Logs, then group by Solution and under LogManagement you will be able to find MEM Logs tables:
A couple of useful use cases for querying MEM logs:
- Get an overview of all MEM operations completed within a specific time frame. The events we are particularly interested in are failed sync, delete and wipe operations. For these event types we want to be alerted whenever the audit events are triggered, so that we can confirm they are expected. Here is how we configured alerts using an Azure Sentinel log query alert. Taking the event “syncDevice ManagedDevice” as the example, we defined the following queries in our Azure Sentinel Log Analytics workspace:
// Count and summarize MEM operations by operation name
IntuneAuditLogs
| summarize count() by OperationName

// Successful device sync operations (the value used in the alert rule)
IntuneAuditLogs
| where OperationName == "syncDevice ManagedDevice" and ResultType == "Success"
- Another use case: querying the most recent MEM operations together with the identity accounts that performed them:
IntuneAuditLogs
| top 10 by TimeGenerated
| project Identity, OperationName
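The alert use case above can be expressed as a single query suitable for a Sentinel scheduled analytics rule. The following query is an added example and is not part of the original post: it surfaces failed device syncs and any delete or wipe remote actions in the last hour, grouped by the identity that triggered them. Only the columns already used on this page (TimeGenerated, OperationName, ResultType, Identity) are relied on; the operation names "delete ManagedDevice" and "wipe ManagedDevice" are assumptions based on the "syncDevice ManagedDevice" naming pattern and should be confirmed in your own workspace with `IntuneAuditLogs | distinct OperationName`.

```kusto
// Added example (not from the original post): scheduled analytics rule query.
// Raises a row per actor for failed syncs and for delete/wipe remote actions
// seen in the lookback window, so unexpected ones can be reviewed.
// NOTE: the delete/wipe operation names below are assumed from the
// "syncDevice ManagedDevice" pattern; verify with:
//   IntuneAuditLogs | distinct OperationName
let lookback = 1h;
let sensitiveOps = dynamic(["delete ManagedDevice", "wipe ManagedDevice"]);
IntuneAuditLogs
| where TimeGenerated > ago(lookback)
| where (OperationName == "syncDevice ManagedDevice" and ResultType != "Success")
     or OperationName in (sensitiveOps)
| summarize Events = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            Operations = make_set(OperationName)
            by Identity, ResultType
| sort by Events desc
```

When wiring this into an analytics rule, set the rule's query period and frequency to match `lookback` (1 hour here) so each run covers exactly one window and events are neither missed nor double-counted; the `Identity` and `Operations` columns can then be mapped to the incident's account and custom details respectively.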
CREATE MEM Azure Sentinel Workbooks
Now that MEM log data is available to query in the Azure Sentinel Log Analytics Workspace, we can build some interesting visualization workbooks, and even alerts, based on the data.
Here’s a step-by-step guide to creating a new Azure Sentinel Workbook to audit MEM events and operations.
- Under the Azure Sentinel “Threat Management” section, click Workbooks > + Add workbook. Alternatively, go to your Azure Sentinel Log Analytics Workspace and click Workbooks to select from a ready-made template.
- Click the “Edit” button and add a new query item, or select a template, e.g. “Donut & List”.
- Add a query item using the sample below, then unleash the power and build your own visualized workbooks 😊
IntuneAuditLogs
| summarize Auditevents = count() by OperationName
| sort by Auditevents