Collect Microsoft Intune logs

This document describes how you can collect Microsoft Intune logs by setting up a Google Security Operations feed.

For more information, see Data ingestion to Google Security Operations.

An ingestion label identifies the parser which normalizes raw log data to structured UDM format. The information in this document applies to the parser with the AZURE_MDM_INTUNE ingestion label.

Before you begin

To complete the tasks on this page, ensure that you have the following:

  • An Azure subscription that you can sign in to.

  • A Microsoft Intune environment (tenant) in Azure.

  • A global administrator or Intune service administrator role for the Intune tenant.

Configure Microsoft Intune

  1. Sign in to the Microsoft Endpoint Manager admin center.
  2. Select Reports > Diagnostics settings.
  3. Enter a name for the diagnostic settings, such as Route audit logs to storage account.
  4. To access the diagnostics settings for the first time, click Turn on diagnostics.
  5. In the Diagnostic setting window, enter an appropriate name and select Audit logs, Operational logs, and Device compliance org.
  6. To store logs in the storage account, do the following:
    1. Select Archive to a storage account.
    2. Select an existing Subscription and Storage account.

To store logs in the storage account, you must have Azure storage credentials. For more information, see Azure storage credentials.

Configure a feed in Google Security Operations to ingest Microsoft Intune logs

  1. Go to SIEM Settings > Feeds.
  2. Click Add New.
  3. Enter a unique name for the Feed Name.
  4. Select Third party API as the Source Type.
  5. Select Microsoft Intune as the Log Type.
  6. Click Next.
  7. Configure the following mandatory input parameters:
    • OAuth client ID: specify an OAuth 2.0 client ID.
    • OAuth client secret: specify the secret associated with the client ID.
    • Tenant ID: specify the Microsoft tenant ID.
  8. Click Next, and then click Submit.

For more information about Google Security Operations feeds, see the Google Security Operations feeds documentation. For information about the requirements for each feed type, see Feed configuration by type.

If you encounter issues when you create feeds, contact Google Security Operations support.

Field mapping reference

This parser processes Microsoft MDM logs in JSON format, transforming them into UDM. It extracts fields, handles date formatting, maps specific MDM activities to UDM event types, and enriches the data with additional context like user and device information.

UDM Mapping Table

| Log Field | UDM Mapping | Logic |
|---|---|---|
| activityDateTime | metadata.event_timestamp | The raw log's activityDateTime field is parsed to extract the year, month, day, hour, minute, second, and timezone. These extracted components are then used to construct a timestamp in the UDM. |
| activityType | metadata.product_event_type | Directly mapped. |
| actor.applicationDisplayName | principal.application | Directly mapped. |
| actor.userId | principal.user.product_object_id | Directly mapped. |
| actor.userPrincipalName | principal.user.userid | Directly mapped. |
| category | additional.fields[category].value.string_value | Directly mapped as a string value within the additional.fields array with the key "category". |
| displayName | target.application | Directly mapped. In some cases, further logic within the parser determines the value based on the activityType. |
| | metadata.log_type | Hardcoded to "AZURE_MDM_INTUNE". |
| | | Hardcoded to "AZURE MDM INTUNE". |
| | | Hardcoded to "Microsoft". |
| activityResult | | Derived from activityResult: "Success" maps to "ACTIVE", "Failure" maps to "PENDING_DECOMISSION". If event_type is "USER_RESOURCE_DELETION", it is set to "DECOMISSIONED". |
| | | Hardcoded to "MICROSOFT_AZURE". |
| resources.0.modifiedProperties.0.displayName | target.asset.software.name | In some cases, this field is mapped to target.asset.software.name. Other resources.0.modifiedProperties.N.displayName fields may also be mapped to additional software objects within the target.asset depending on the activityType. |
| resources.0.modifiedProperties.N.newValue | principal.user.attribute.roles.name | In some cases, these fields are used to populate role information. |
| resources.0.modifiedProperties.N.displayName | principal.user.attribute.roles.description | In some cases, these fields are used to populate role information. |
| resources.0.resourceId | target.resource.id | Directly mapped. |
| resources.0.type | target.resource.name | Directly mapped. |
| resources.1.modifiedProperties.N.displayName | target.asset.software.name | In some cases, this field is mapped to target.asset.software.name. |
| properties.AADTenantId | additional.fields[AADTenantId].value.string_value | Directly mapped as a string value within the additional.fields array with the key "AADTenantId". |
| properties.Actor.Application | principal.application | Directly mapped. |
| properties.Actor.UPN | principal.user.userid | Directly mapped. |
| properties.BatchId | metadata.product_log_id | Directly mapped. |
| properties.ComplianceState | additional.fields[ComplianceState].value.string_value | Directly mapped as a string value within the additional.fields array with the key "ComplianceState". |
| properties.DeviceId | principal.asset.asset_id, principal.asset_id | Mapped with the prefix "Device ID:". |
| properties.DeviceHealthThreatLevel_loc | additional.fields[DeviceHealthThreatLevel_loc].value.string_value | Directly mapped as a string value within the additional.fields array with the key "DeviceHealthThreatLevel_loc". |
| properties.DeviceName | principal.hostname, principal.asset.hostname | Directly mapped. |
| properties.InGracePeriodUntil | additional.fields[InGracePeriodUntil].value.string_value | Directly mapped as a string value within the additional.fields array with the key "InGracePeriodUntil". |
| properties.IntuneAccountId | additional.fields[IntuneAccountId].value.string_value | Directly mapped as a string value within the additional.fields array with the key "IntuneAccountId". |
| properties.LastContact | additional.fields[LastContact].value.string_value | Directly mapped as a string value within the additional.fields array with the key "LastContact". |
| properties.ManagementAgents | additional.fields[ManagementAgents].value.string_value | Directly mapped as a string value within the additional.fields array with the key "ManagementAgents". |
| properties.ManagementAgents_loc | additional.fields[ManagementAgents_loc].value.string_value | Directly mapped as a string value within the additional.fields array with the key "ManagementAgents_loc". |
| properties.OS | principal.platform | Mapped after converting to uppercase: "MACOS" or "MAC" maps to "MAC", "WINDOWS" maps to "WINDOWS", "LINUX" maps to "LINUX". |
| properties.OSDescription | security_result.detection_fields[OSDescription].value | Directly mapped as a string value within the security_result.detection_fields array with the key "OSDescription". |
| properties.OSVersion | principal.platform_version | Directly mapped. |
| properties.OS_loc | security_result.detection_fields[OS_loc].value | Directly mapped as a string value within the security_result.detection_fields array with the key "OS_loc". |
| properties.RetireAfterDatetime | additional.fields[RetireAfterDatetime].value.string_value | Directly mapped as a string value within the additional.fields array with the key "RetireAfterDatetime". |
| properties.SerialNumber | principal.asset.hardware.serial_number | Directly mapped. |
| properties.SessionId | network.session_id | Directly mapped. |
| properties.UserEmail | principal.user.email_addresses | Directly mapped. |
| properties.UserName | principal.user.user_display_name | Directly mapped. |
| tenantId | additional.fields[tenantId].value.string_value | Directly mapped as a string value within the additional.fields array with the key "tenantId". |
| time | metadata.event_timestamp | The raw log's time field is parsed to extract the timestamp components. These components are then used to construct a timestamp in the UDM. |
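As an added illustration of the device-log rows in the table above (example code, not the parser's own logic), the following Python applies the documented mappings for time, BatchId, DeviceId, DeviceName, OS, tenantId and the additional.fields keys to a constructed sample record, so a detection engineer can check which UDM values a rule should expect. The field names come from the table; the sample record, the placeholder values and the epoch-seconds representation of the timestamp are assumptions.

```python
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of an Intune device-compliance record (placeholder values, not real data).
SAMPLE_LOG = json.dumps({"time": "2024-04-10T08:15:30.1234567Z", "tenantId": "TENANT-ID-PLACEHOLDER",
                         "properties": {"DeviceId": "DEVICE-GUID-PLACEHOLDER", "DeviceName": "LAPTOP-EXAMPLE",
                                        "OS": "macOS", "BatchId": "batch-1", "ComplianceState": "Compliant"}})

# properties.* keys the table says land in additional.fields as string values (tenantId is top-level).
ADDITIONAL_KEYS = ("IntuneAccountId", "AADTenantId", "LastContact", "DeviceHealthThreatLevel_loc", "ComplianceState",
                   "InGracePeriodUntil", "RetireAfterDatetime", "ManagementAgents", "ManagementAgents_loc")
PLATFORM_MAP = {"MACOS": "MAC", "MAC": "MAC", "WINDOWS": "WINDOWS", "LINUX": "LINUX"}
TS_RE = re.compile(r"^(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2})(?:\.(\d+))?(Z|[+-]\d{2}:\d{2})$")


def parse_timestamp(value):
    """Split the time field into date, time and zone components; return epoch seconds, or None if unparseable."""
    m = TS_RE.match(value or "")
    if not m:
        return None
    y, mo, d, h, mi, s, frac, tz = m.groups()
    micro = int((frac or "")[:6].ljust(6, "0"))  # Azure writes 7 fractional digits; Python keeps 6
    if tz == "Z":
        tzinfo = timezone.utc
    else:
        sign = 1 if tz[0] == "+" else -1
        tzinfo = timezone(sign * timedelta(hours=int(tz[1:3]), minutes=int(tz[4:6])))
    return int(datetime(int(y), int(mo), int(d), int(h), int(mi), int(s), micro, tzinfo).timestamp())


def to_udm(raw_json):
    """Apply the documented device-log mappings to one raw JSON record and return the UDM dict."""
    log = json.loads(raw_json)
    p = log.get("properties", {})
    udm = {"metadata": {"log_type": "AZURE_MDM_INTUNE", "event_timestamp": parse_timestamp(log.get("time"))},
           "principal": {"asset": {}}, "additional": {"fields": []}}
    if "BatchId" in p:
        udm["metadata"]["product_log_id"] = p["BatchId"]
    if "DeviceId" in p:  # both asset_id fields carry the "Device ID:" prefix
        udm["principal"]["asset_id"] = udm["principal"]["asset"]["asset_id"] = "Device ID:" + p["DeviceId"]
    if "DeviceName" in p:
        udm["principal"]["hostname"] = udm["principal"]["asset"]["hostname"] = p["DeviceName"]
    if (p.get("OS") or "").upper() in PLATFORM_MAP:  # uppercase first, then map; unknown OS leaves platform unset
        udm["principal"]["platform"] = PLATFORM_MAP[p["OS"].upper()]
    for key, value in [("tenantId", log.get("tenantId"))] + [(k, p.get(k)) for k in ADDITIONAL_KEYS]:
        if value is not None:
            udm["additional"]["fields"].append({"key": key, "value": {"string_value": value}})
    return udm
```

Running to_udm(SAMPLE_LOG) shows, for instance, that a rule matching on the device should compare against "Device ID:" followed by the DeviceId, not the bare GUID, and that an OS value outside the documented set leaves principal.platform unset.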

Changes

2024-04-10

  • Mapped "properties.Actor.Application" to "principal.application".
  • Mapped "properties.Actor.UPN" to "principal.user.userid".
  • Mapped "operationName" to "metadata.product_event_type".
  • Mapped "identity" to "target.user.email_addresses".
  • Mapped "identity" and "user_id" to "target.user.userid".
  • Mapped "properties.DeviceName" to "principal.hostname" and "principal.asset.hostname".
  • Mapped "properties.UserEmail" to "principal.user.email_addresses".
  • Mapped "properties.SerialNumber" to "_hardware.serial_number".
  • Mapped "_hardware" to "principal.asset.hardware".
  • Mapped "properties.UserName" to "principal.user.user_display_name".
  • Mapped "properties.OS" to "principal.platform".
  • Mapped "properties.OSVersion" to "principal.platform_version".
  • Mapped "properties.DeviceId" to "principal.asset.asset_id" and "principal.asset_id".
  • Mapped "properties.BatchId" to "metadata.product_log_id".
  • Mapped "tenantId", "properties.IntuneAccountId", "properties.AADTenantId", "properties.LastContact", "properties.DeviceHealthThreatLevel_loc", "properties.ComplianceState", "properties.InGracePeriodUntil", "properties.RetireAfterDatetime", "properties.ManagementAgents", and "properties.ManagementAgents_loc" to "additional.fields".
  • Mapped "properties.OS_loc" and "properties.OSDescription" to "security_result.detection_fields".

2022-08-17

  • Added conditional check when "event_type" is mapped to "USER_RESOURCE_UPDATE_CONTENT".
  • Added conditional checks for the fields "software2", "software3", and "software4" and mapped them to "target.asset.software".