Azure Sentinel News

Secure Working from Home – Deep Insights at Enrolled MEM Assets via Azure Sentinel

Azure Sentinel News Editor by Azure Sentinel News Editor
December 1, 2020
in Security Operations

One of the key requirements for secure remote work is complete visibility into the activities and logs of MEM (Intune) enrolled devices, and Azure Sentinel is the key to meeting this requirement. MEM exposes three log categories:

  • Audit Logs – a record of activities that generate a change in MEM, including create, update (edit), delete, assign, and remote actions.
  • Operational Logs – details on users and devices that successfully enrolled or failed to enroll, and details on non-compliant devices.
  • Device Compliance Organizational Logs – an organizational report for device compliance in Intune, and details on non-compliant devices.

Pre-Requisites & Ingestion Flow

  • An Azure subscription: Azure Sentinel Log Analytics Workspace
  • A Microsoft Endpoint Manager (MEM) environment (tenant) in Azure
  • A user who is a Global Administrator or Intune Service Administrator for the Intune tenant.

ENABLE Microsoft Endpoint Manager (MEM) DIAGNOSTICS Settings

  1. Sign in to the Azure portal http://portal.azure.com
  2. Ensure that Microsoft.Intune is registered under your subscription before enabling Microsoft Endpoint Manager Diagnostic Settings.
  3. Search for Subscriptions and select your subscription; under Settings click “Resource Providers”, register “Microsoft Intune” and ensure the status shows “Registered” (green). This can take some time to reflect.
  4. Sign in to the Microsoft Endpoint Manager admin center http://endpoint.microsoft.com
  5. Tenant administration > Diagnostic settings > “+ Add diagnostic setting”.
  6. Give the new diagnostic setting a name (e.g. MEMLogs-AzureSentinel), select Send to Log Analytics, and then scroll down.
  7. Select your Azure subscription, the name of the Azure Sentinel Log Analytics Workspace you want to send MEM diagnostic logs to, and all the available MEM log options, then click Save.
  8. Click Refresh back on the Diagnostic settings screen and you should now see the newly created diagnostic setting pointing to your Azure Sentinel Log Analytics Workspace.
  9. To see the logs in the Azure Sentinel Log Analytics Workspace, sign in to the Azure portal, search for Azure Sentinel and then select the workspace containing the MEM diagnostic logs you just set up.
  10. Under General, select Logs, then group by Solution; under LogManagement you will find the MEM log tables.

Use Cases:

A couple of useful use cases for querying MEM logs:

  • Get an overview of all MEM operations completed within a specific time frame. The events we are particularly interested in are failed sync, delete or wipe operations; for these audit events we want to be alerted whenever they are triggered, so that we can confirm they are expected. Here is how we have configured alerts using Azure Sentinel log query alerts. Taking the event “syncDevice ManagedDevice”, we have defined the following queries in our Azure Sentinel Log Analytics workspace:
//Count and summarize MEM operations
IntuneAuditLogs
| summarize count() by OperationName

//Successful device sync operations
IntuneAuditLogs
| where OperationName == "syncDevice ManagedDevice" and ResultType == "Success"
  • Another use case is querying the most recent MEM operations and the identity accounts that performed them:
//Ten most recent MEM operations and the identity behind each
IntuneAuditLogs
| top 10 by TimeGenerated
| project Identity, OperationName
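An alert-style query for the sensitive operations called out above (wipe, delete, and failed device sync), added here as an example and not part of the original post. It uses only the IntuneAuditLogs columns the post already shows (OperationName, ResultType, Identity, TimeGenerated); the Properties column and its Targets array are an assumption about the table schema and are only used for a target count.

```kql
// Added example: surface wipe / delete / failed-sync audit events per identity
// so an Azure Sentinel scheduled analytics rule can raise an alert for review.
// Assumption: IntuneAuditLogs carries a Properties JSON column with a Targets array.
let lookback = 1h;
let sensitiveOps = dynamic(["wipe", "delete"]);
IntuneAuditLogs
| where TimeGenerated > ago(lookback)
| extend Op = tolower(OperationName)
// Any wipe or delete operation, plus sync operations that did not succeed
| where Op has_any (sensitiveOps)
    or (Op has "syncdevice" and ResultType != "Success")
| extend Props = parse_json(Properties)
| extend TargetCount = array_length(Props.Targets)
| summarize
    Events = count(),
    Operations = make_set(OperationName),
    Targets = sum(TargetCount),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated)
    by Identity, ResultType
| order by Events desc
```

Each row is one identity and result, so a single admin issuing many wipes in the lookback window stands out as one high-count row rather than as scattered events.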

CREATE MEM Azure Sentinel Workbooks

Now that MEM logs data is being made available to query with Azure Sentinel Log Analytics Workspace, we can make some interesting visualizations workbooks and even alerts based on the data.

Here’s a step by step guide to create a new Azure Sentinel Workbook to audit MEM events and operations.

  • In the Azure Sentinel “Threat Management” section click Workbooks > + Add workbook; alternatively, go to your Azure Sentinel Log Analytics Workspace and click Workbooks to select from a ready-made template.
  • Click the “Edit” button and add a new query item, or select a template, e.g. “Donut & List”.
  • Add a query item and use the sample below, then build your own visualized workbooks:
IntuneAuditLogs
| summarize Auditevents = count() by OperationName
| sort by Auditevents

Reference: https://techcommunity.microsoft.com/t5/azure-sentinel/secure-working-from-home-deep-insights-at-enrolled-mem-assets/ba-p/1424255

Copyright © 2020 - Azure Sentinel News