Collect Microsoft Intune logs
This document describes how you can collect Microsoft Intune logs by setting up a Google Security Operations feed.
For more information, see Data ingestion to Google Security Operations.
An ingestion label identifies the parser which normalizes raw log data to structured UDM format. The information in this document applies to the parser with the AZURE_MDM_INTUNE ingestion label.
Before you begin
To complete the tasks on this page, ensure that you have the following:
An Azure subscription that you can sign in to.
A Microsoft Intune environment (tenant) in Azure.
The Global Administrator or Intune Administrator (formerly Intune Service Administrator) role for the Intune tenant. The Intune Administrator role is sufficient for the steps below and is the least-privileged choice.
Configure Microsoft Intune
- Sign in to the Microsoft Intune admin center (formerly the Microsoft Endpoint Manager admin center).
- Select Reports > Diagnostics settings.
- If you are accessing diagnostics settings for the first time, click Turn on diagnostics.
- In the Diagnostic setting window, enter a name for the setting, such as Route audit logs to storage account, and select the Audit logs, Operational logs, and Device compliance org log categories.
- To store the logs in a storage account, do the following:
  - Select Archive to a storage account.
  - Select an existing Subscription and Storage account.
To store logs in the storage account, you must have Azure storage credentials. For more information, see Azure storage credentials.
Configure a feed in Google Security Operations to ingest Microsoft Intune logs
- Go to SIEM Settings > Feeds.
- Click Add New.
- Enter a unique name for the feed in the Feed name field.
- Select Third party API as the Source Type.
- Select Microsoft Intune as the Log Type.
- Click Next.
- Configure the following mandatory input parameters:
  - OAuth client ID: specify the OAuth 2.0 client ID (shown as Application (client) ID on the app registration in your Microsoft Entra ID tenant).
  - OAuth client secret: specify the client secret associated with that client ID.
  - Tenant ID: specify the Microsoft tenant ID (shown as Directory (tenant) ID on the same app registration).
- Click Next, and then click Submit.
The feed authenticates with the client credentials flow, so the client secret is a long-lived credential: keep it only in the feed configuration, and record its expiry date so that you can rotate it before the feed stops ingesting.
For more information about Google Security Operations feeds, see the Google Security Operations feeds documentation. For information about the requirements for each feed type, see Feed configuration by type.
If you encounter issues when you create feeds, contact Google Security Operations support.
Field mapping reference
This parser processes Microsoft Intune (MDM) logs in JSON format and transforms them into UDM. It extracts fields, parses timestamps, maps specific MDM activities to UDM event types, and enriches the event with context such as user and device information.
UDM Mapping Table
Log Field | UDM Mapping | Logic |
---|---|---|
activityDateTime | metadata.event_timestamp | The raw log's activityDateTime value is parsed into year, month, day, hour, minute, second, and timezone components, which are then used to construct the UDM timestamp. |
activityType | metadata.product_event_type | Directly mapped. |
actor.applicationDisplayName | principal.application | Directly mapped. |
actor.userId | principal.user.product_object_id | Directly mapped. |
actor.userPrincipalName | principal.user.userid | Directly mapped. |
category | additional.fields[category].value.string_value | Directly mapped as a string value within the additional.fields array with the key "category". |
displayName | target.application | Directly mapped. In some cases, further logic within the parser determines the value based on the activityType. |
(none) | metadata.log_type | Hardcoded to "AZURE_MDM_INTUNE". |
(none) | metadata.product_name | Hardcoded to "AZURE MDM INTUNE". |
(none) | metadata.vendor_name | Hardcoded to "Microsoft". |
activityResult | deployment_status (the entity that carries it is not stated in this table) | "Success" maps to "ACTIVE" and "Failure" maps to "PENDING_DECOMISSION". If the event_type is "USER_RESOURCE_DELETION", the value is set to "DECOMISSIONED". |
(none) | cloud.environment (the entity that carries it is not stated in this table) | Hardcoded to "MICROSOFT_AZURE". |
resources.0.modifiedProperties.0.displayName | target.asset.software.name | In some cases, this field is mapped to target.asset.software.name. Other resources.0.modifiedProperties.N.displayName fields may also be mapped to additional software objects within target.asset, depending on the activityType. |
resources.0.modifiedProperties.N.newValue | principal.user.attribute.roles.name | In some cases, these fields are used to populate role information. |
resources.0.modifiedProperties.N.displayName | principal.user.attribute.roles.description | In some cases, these fields are used to populate role information. |
resources.0.resourceId | target.resource.id | Directly mapped. |
resources.0.type | target.resource.name | Directly mapped. |
resources.1.modifiedProperties.N.displayName | target.asset.software.name | In some cases, this field is mapped to target.asset.software.name. |
properties.AADTenantId | additional.fields[AADTenantId].value.string_value | Directly mapped as a string value within the additional.fields array with the key "AADTenantId". |
properties.Actor.Application | principal.application | Directly mapped. |
properties.Actor.UPN | principal.user.userid | Directly mapped. |
properties.BatchId | metadata.product_log_id | Directly mapped. |
properties.ComplianceState | additional.fields[ComplianceState].value.string_value | Directly mapped as a string value within the additional.fields array with the key "ComplianceState". |
properties.DeviceId | principal.asset.asset_id, principal.asset_id | Mapped with the prefix "Device ID:". |
properties.DeviceHealthThreatLevel_loc | additional.fields[DeviceHealthThreatLevel_loc].value.string_value | Directly mapped as a string value within the additional.fields array with the key "DeviceHealthThreatLevel_loc". |
properties.DeviceName | principal.hostname, principal.asset.hostname | Directly mapped. |
properties.InGracePeriodUntil | additional.fields[InGracePeriodUntil].value.string_value | Directly mapped as a string value within the additional.fields array with the key "InGracePeriodUntil". |
properties.IntuneAccountId | additional.fields[IntuneAccountId].value.string_value | Directly mapped as a string value within the additional.fields array with the key "IntuneAccountId". |
properties.LastContact | additional.fields[LastContact].value.string_value | Directly mapped as a string value within the additional.fields array with the key "LastContact". |
properties.ManagementAgents | additional.fields[ManagementAgents].value.string_value | Directly mapped as a string value within the additional.fields array with the key "ManagementAgents". |
properties.ManagementAgents_loc | additional.fields[ManagementAgents_loc].value.string_value | Directly mapped as a string value within the additional.fields array with the key "ManagementAgents_loc". |
properties.OS | principal.platform | Mapped after converting to uppercase: "MACOS" or "MAC" maps to "MAC", "WINDOWS" maps to "WINDOWS", and "LINUX" maps to "LINUX". |
properties.OSDescription | security_result.detection_fields[OSDescription].value | Directly mapped as a string value within the security_result.detection_fields array with the key "OSDescription". |
properties.OSVersion | principal.platform_version | Directly mapped. |
properties.OS_loc | security_result.detection_fields[OS_loc].value | Directly mapped as a string value within the security_result.detection_fields array with the key "OS_loc". |
properties.RetireAfterDatetime | additional.fields[RetireAfterDatetime].value.string_value | Directly mapped as a string value within the additional.fields array with the key "RetireAfterDatetime". |
properties.SerialNumber | principal.asset.hardware.serial_number | Directly mapped. |
properties.SessionId | network.session_id | Directly mapped. |
properties.UserEmail | principal.user.email_addresses | Directly mapped. |
properties.UserName | principal.user.user_display_name | Directly mapped. |
tenantId | additional.fields[tenantId].value.string_value | Directly mapped as a string value within the additional.fields array with the key "tenantId". |
time | metadata.event_timestamp | The raw log's time value is parsed into its timestamp components, which are then used to construct the UDM timestamp. |
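The following is an added reference implementation of the mappings in the table, written in Python for this page; it is not the Google Security Operations parser itself, which is written in the platform's own parser syntax. It runs over two constructed sample records (an audit event in the activityDateTime/actor/resources shape and a device compliance record in the time/properties shape) and is useful for checking, before you build detections, what an event from your tenant will look like after normalization. Three points are assumptions rather than statements from the table: the activityType to event_type mapping, which the page does not list in full, is approximated by keying on the leading verb of activityType and uses only the two event types the page names; target.asset is chosen to carry deployment_status because the table does not say which entity holds it; and the documented "Device ID:" prefix is applied with no trailing space.

```python
import json
from datetime import datetime, timezone
# Constructed samples (not real tenant data): an Intune audit event and a device
# compliance record, the two JSON shapes the mapping table above covers.
AUDIT_EVENT = json.dumps({
    "activityDateTime": "2024-04-10T12:34:56.789Z", "activityResult": "Success",
    "activityType": "deleteDeviceManagementScript DeviceManagementScript",
    "category": "DeviceManagement", "displayName": "Delete DeviceManagementScript",
    "actor": {"applicationDisplayName": "Microsoft Intune portal extension",
              "userId": "00000000-0000-0000-0000-000000000001", "userPrincipalName": "admin@example.com"},
    "resources": [{"resourceId": "00000000-0000-0000-0000-0000000000aa", "type": "DeviceManagementScript",
                   "modifiedProperties": [{"displayName": "DisplayName", "newValue": "Fix-Printers"}]}],
    "tenantId": "00000000-0000-0000-0000-0000000000ff"})
DEVICE_EVENT = json.dumps({
    "time": "2024-04-10T13:00:00Z", "tenantId": "00000000-0000-0000-0000-0000000000ff",
    "properties": {"DeviceName": "LAPTOP-01", "DeviceId": "00000000-0000-0000-0000-0000000000d1",
                   "OS": "macOS", "OSVersion": "14.4.1", "SerialNumber": "C02ABC123",
                   "UserEmail": "alice@example.com", "UserName": "Alice Example",
                   "ComplianceState": "Compliant", "BatchId": "batch-42",
                   "Actor": {"Application": "Intune", "UPN": "alice@example.com"}}})

def parse_timestamp(raw):
    """ISO 8601 UTC with or without fractional seconds, as Intune emits it; anything else is rejected."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(raw, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            pass
    raise ValueError("unrecognised timestamp: %r" % raw)

def map_platform(os_name):
    """properties.OS -> principal.platform as documented; anything else stays unset rather than guessed."""
    up = (os_name or "").upper()
    return "MAC" if up in ("MACOS", "MAC") else up if up in ("WINDOWS", "LINUX") else None

def deployment_status(activity_result, event_type):
    """activityResult -> deployment status; a deletion event overrides the result."""
    if event_type == "USER_RESOURCE_DELETION":
        return "DECOMISSIONED"
    return {"Success": "ACTIVE", "Failure": "PENDING_DECOMISSION"}.get(activity_result)

def event_type_for(activity_type):
    # Assumption: the page names only two event types and no full activityType table, so key on the verb.
    verb = activity_type.split(" ", 1)[0].lower()
    if verb.startswith("delete"):
        return "USER_RESOURCE_DELETION"
    return "USER_RESOURCE_UPDATE_CONTENT" if verb.startswith(("patch", "update")) else "GENERIC_EVENT"

def string_fields(src, keys):
    """key/string_value entries for additional.fields or detection_fields, only for keys present."""
    return [{"key": k, "value": {"string_value": str(src[k])}} for k in keys if k in src]

def prune(obj):
    """Drop None and empty containers so absent log fields produce no empty UDM fields."""
    if isinstance(obj, dict):
        return {k: v for k, v in ((k, prune(v)) for k, v in obj.items()) if v not in (None, {}, [])}
    if isinstance(obj, list):
        return [v for v in map(prune, obj) if v not in (None, {}, [])]
    return obj

def to_udm(raw_json):
    rec = json.loads(raw_json)
    udm = {"metadata": {"log_type": "AZURE_MDM_INTUNE", "product_name": "AZURE MDM INTUNE",
                        "vendor_name": "Microsoft"}, "principal": {"user": {}, "asset": {}},
           "target": {}, "additional": {"fields": string_fields(rec, ["tenantId"])}}
    md, p, t = udm["metadata"], udm["principal"], udm["target"]
    if "properties" in rec:  # device compliance / operational record
        props, actor = rec["properties"], rec["properties"].get("Actor", {})
        md.update(event_timestamp=parse_timestamp(rec["time"]).isoformat(), event_type="GENERIC_EVENT",
                  product_log_id=props.get("BatchId"))
        p["hostname"] = p["asset"]["hostname"] = props.get("DeviceName")
        dev = props.get("DeviceId")  # assumption: no space after the documented "Device ID:" prefix
        p["asset_id"] = p["asset"]["asset_id"] = "Device ID:" + dev if dev else None
        p["asset"]["hardware"] = {"serial_number": props.get("SerialNumber")}
        p.update(platform=map_platform(props.get("OS")), platform_version=props.get("OSVersion"),
                 application=actor.get("Application"))
        p["user"].update(userid=actor.get("UPN"), user_display_name=props.get("UserName"),
                         email_addresses=[props["UserEmail"]] if "UserEmail" in props else None)
        udm["additional"]["fields"] += string_fields(props, [
            "IntuneAccountId", "AADTenantId", "LastContact", "DeviceHealthThreatLevel_loc", "ComplianceState",
            "InGracePeriodUntil", "RetireAfterDatetime", "ManagementAgents", "ManagementAgents_loc"])
        udm["security_result"] = [{"detection_fields": string_fields(props, ["OS_loc", "OSDescription"])}]
    else:  # audit record
        actor, res = rec.get("actor", {}), (rec.get("resources") or [{}])[0]
        md.update(event_timestamp=parse_timestamp(rec["activityDateTime"]).isoformat(),
                  product_event_type=rec["activityType"], event_type=event_type_for(rec["activityType"]))
        p["application"] = actor.get("applicationDisplayName")
        p["user"].update(product_object_id=actor.get("userId"), userid=actor.get("userPrincipalName"))
        udm["additional"]["fields"] += string_fields(rec, ["category"])
        t.update(application=rec.get("displayName"), resource={"id": res.get("resourceId"), "name": res.get("type")})
        # Assumption: the page gives the deployment_status values but not which entity carries them.
        t["asset"] = {"deployment_status": deployment_status(rec.get("activityResult"), md["event_type"]),
                      "software": [{"name": m["displayName"]} for m in res.get("modifiedProperties", [])
                                   if "displayName" in m]}
    return prune(udm)

if __name__ == "__main__":
    print(json.dumps([to_udm(r) for r in (AUDIT_EVENT, DEVICE_EVENT)], indent=2))
```

Two design points matter when you use output like this to write rules. First, the audit and device shapes land in different UDM entities: device facts (hostname, platform, serial number, compliance state) arrive on principal, while audit events put the changed object on target, so a rule that joins "who changed what on which device" has to key on principal.user.userid from the audit record and principal.hostname from the compliance record separately. Second, anything the table leaves unmapped (an unknown properties.OS value, a record without DeviceId) is dropped rather than guessed, which is why prune removes empty branches: a detection that tests for the absence of principal.platform should mean "the OS was not recognised", not "the parser emitted an empty string".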
Changes
2024-04-10
- Mapped "properties.Actor.Application" to "principal.application".
- Mapped "properties.Actor.UPN" to "principal.user.userid".
- Mapped "operationName" to "metadata.product_event_type".
- Mapped "identity" to "target.user.email_addresses".
- Mapped "identity" and "user_id" to "target.user.userid".
- Mapped "properties.DeviceName" to "principal.hostname" and "principal.asset.hostname".
- Mapped "properties.UserEmail" to "principal.user.email_addresses".
- Mapped "properties.SerialNumber" to "_hardware.serial_number".
- Mapped "_hardware" to "principal.asset.hardware".
- Mapped "properties.UserName" to "principal.user.user_display_name".
- Mapped "properties.OS" to "principal.platform".
- Mapped "properties.OSVersion" to "principal.platform_version".
- Mapped "properties.DeviceId" to "principal.asset.asset_id" and "principal.asset_id".
- Mapped "properties.BatchId" to "metadata.product_log_id".
- Mapped "tenantId", "properties.IntuneAccountId", "properties.AADTenantId", "properties.LastContact", "properties.DeviceHealthThreatLevel_loc", "properties.ComplianceState", "properties.InGracePeriodUntil", "properties.RetireAfterDatetime", "properties.ManagementAgents", and "properties.ManagementAgents_loc" to "additional.fields".
- Mapped "properties.OS_loc" and "properties.OSDescription" to "security_result.detection_fields".
2022-08-17
- Added conditional check when "event_type" is mapped to "USER_RESOURCE_UPDATE_CONTENT".
- Added conditional check for fields "software2","software3","software4" and Mapped it to "target.asset.software".