This document explains how to ingest Microsoft Intune logs to
Google Security Operations using API or Blob Storage. The parser processes the logs,
transforming them into a Unified Data Model (UDM). It extracts fields, maps them
to UDM attributes, handles various activity types (Create, Delete, Patch, Action),
and enriches the data with additional context like device information,
user details, and security results. It also performs specific logic for
"Reprovision CloudPCModel" operations and handles different identity scenarios.
Before you begin
Make sure you have the following prerequisites:
Google SecOps instance
Active Azure tenant
Privileged access to Azure
Privileged access to Microsoft Intune
Configure log ingestion using Azure Storage
This section outlines the process of configuring log ingestion from Azure
Storage, enabling you to effectively collect and analyze logs from Microsoft Intune.
Configure the Azure Storage Account
In the Azure console, search for Storage accounts.
Click Create.
Specify values for the following input parameters:
Subscription: select the subscription.
Resource Group: select the resource group.
Region: select the region.
Performance: select the chosen performance (Standard recommended).
Redundancy: select the chosen redundancy (GRS or LRS recommended).
Storage account name: enter a name for the new Storage account.
Click Review + create.
Review the overview of the account and click Create.
From the Storage Account Overview page, select submenu Access keys in Security + networking.
Click Show next to key1 or key2.
Click Copy to clipboard to copy the key.
Save the key in a secure location for future reference.
From the Storage Account Overview page, select submenu Endpoints in Settings.
Click Copy to clipboard to copy the Blob service endpoint URL, (for example, https://<storageaccountname>.blob.core.windows.net).
Save the endpoint URL in a secure location for future reference.
The value of properties.AADTenantId from the raw log is mapped to this UDM field. A label with key "AADTenantId" is created.
activityDateTime
event.idm.read_only_udm.metadata.event_timestamp
The activityDateTime field is parsed to extract year, month, day, hour, minute, second, and timezone. These extracted fields are used to construct the event_timestamp.
The value of category from the raw log is mapped to this UDM field. A label with key "category" is created.
event.idm.read_only_udm.metadata.event_type
Derived by the parser based on the activityOperationType and other fields. Possible values include USER_RESOURCE_UPDATE_CONTENT, USER_RESOURCE_DELETION, USER_RESOURCE_CREATION, USER_UNCATEGORIZED, STATUS_UPDATE, and GENERIC_EVENT. Hardcoded to "AZURE_MDM_INTUNE". Hardcoded to "AZURE MDM INTUNE". Hardcoded to "Microsoft". Derived. The value is set to "Device ID:" concatenated with the value of properties.DeviceId. The value of properties.SerialNumber from the raw log is mapped to this UDM field. The value of properties.DeviceName from the raw log is mapped to this UDM field. Derived by the parser based on several fields, including DeviceManagementAPIName, software1_name, software2.name, software3.name, and software4.name. Multiple software entries can be created. The value of properties.DeviceName from the raw log is mapped to this UDM field. Derived by the parser based on the properties.OS field. Possible values are "WINDOWS", "LINUX", and "MAC". The value of properties.OSVersion from the raw log is mapped to this UDM field. The value of the displayName field within the modifiedProperties array of the resources array is mapped to this UDM field. The value of the newValue field within the modifiedProperties array of the resources array is mapped to this UDM field. The value of properties.UserEmail or user_identity or ident.UPN.0.Identity from the raw log is mapped to this UDM field. The value of properties.UserName from the raw log is mapped to this UDM field. The key can be OS_loc or OSDescription. The value of properties.OS_loc or properties.OSDescription from the raw log is mapped to this UDM field. Derived by the parser based on several fields, including resources.0.displayName and activityType. Derived by the parser based on the activityResult and event_type fields. Possible values include ACTIVE, PENDING_DECOMISSION, DECOMISSIONED, and DEPLOYMENT_STATUS_UNSPECIFIED. Hardcoded to "MICROSOFT_AZURE". The value of resources.0.resourceId from the raw log is mapped to this UDM field. The value of resources.0.type from the raw log is mapped to this UDM field. Derived by the parser based on several fields, including resources.0.type and activityType. Possible values include DEVICE, ACCESS_POLICY, and TASK. The value of upn_identity from the raw log is mapped to this UDM field. The value of user_identity or user_id from the raw log is mapped to this UDM field.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-29 UTC."],[[["\u003cp\u003eThis document details the process of collecting Microsoft Intune logs within Google Security Operations by configuring a dedicated feed using the \u003ccode\u003eAZURE_MDM_INTUNE\u003c/code\u003e ingestion label.\u003c/p\u003e\n"],["\u003cp\u003eSetting up the feed requires specific Microsoft Azure credentials, including an OAuth client ID, OAuth client secret, and the tenant ID, along with configuring the diagnostic settings within the Microsoft endpoint manager.\u003c/p\u003e\n"],["\u003cp\u003eMicrosoft Intune log data is transformed into a structured UDM format upon ingestion, and this process involves mapping various log fields such as \u003ccode\u003eactivityDateTime\u003c/code\u003e, \u003ccode\u003eactivityType\u003c/code\u003e, and \u003ccode\u003eresources.0.resourceId\u003c/code\u003e to their corresponding UDM fields.\u003c/p\u003e\n"],["\u003cp\u003eThe document provides a comprehensive UDM Mapping Table, showcasing how different Microsoft Intune log fields are normalized into UDM fields, alongside the logic applied during the parsing process, ensuring a standardized representation of log data.\u003c/p\u003e\n"],["\u003cp\u003eThe document outlines important prerequisites to get started such as having an active Azure Subscription, an active Intune tenant, and having a global administrator role on that tenant.\u003c/p\u003e\n"]]],[],null,["# Collect Microsoft Azure MDM (Mobile Device Management) Intune logs\n==================================================================\n\nSupported in: \nGoogle secops [SIEM](/chronicle/docs/secops/google-secops-siem-toc)\n| **Note:** This feature is covered by [Pre-GA Offerings Terms](https://chronicle.security/legal/service-terms/) of the Google Security Operations Service Specific Terms. Pre-GA features might have limited support, and changes to pre-GA features might not be compatible with other pre-GA versions. For more information, see the [Google SecOps Technical Support Service guidelines](https://chronicle.security/legal/technical-support-services-guidelines/) and the [Google SecOps Service Specific Terms](https://chronicle.security/legal/service-terms/).\n\nThis document explains how to ingest Microsoft Intune logs to\nGoogle Security Operations using API or Blob Storage. The parser processes the logs,\ntransforming them into a Unified Data Model (UDM). It extracts fields, maps them\nto UDM attributes, handles various activity types (Create, Delete, Patch, Action),\nand enriches the data with additional context like device information,\nuser details, and security results. It also performs specific logic for\n\"Reprovision CloudPCModel\" operations and handles different identity scenarios.\n\nBefore you begin\n----------------\n\nMake sure you have the following prerequisites:\n\n- Google SecOps instance\n- Active Azure tenant\n- Privileged access to Azure\n- Privileged access to Microsoft Intune\n\nConfigure log ingestion using Azure Storage\n-------------------------------------------\n\nThis section outlines the process of configuring log ingestion from Azure\nStorage, enabling you to effectively collect and analyze logs from Microsoft Intune.\n\n### Configure the Azure Storage Account\n\n1. In the Azure console, search for Storage accounts.\n2. Click **Create**.\n3. Specify values for the following input parameters:\n - **Subscription**: select the subscription.\n - **Resource Group**: select the resource group.\n - **Region**: select the region.\n - **Performance**: select the chosen performance (Standard recommended).\n - **Redundancy**: select the chosen redundancy (GRS or LRS recommended).\n - **Storage account name**: enter a name for the new Storage account.\n4. Click **Review + create**.\n5. Review the overview of the account and click **Create**.\n6. From the **Storage Account Overview** page, select submenu **Access keys** in **Security + networking**.\n7. Click **Show** next to **key1** or **key2**.\n8. Click **Copy to clipboard** to copy the key.\n9. Save the key in a secure location for future reference.\n10. From the **Storage Account Overview** page, select submenu **Endpoints** in **Settings**.\n11. Click **Copy to clipboard** to copy the **Blob service** endpoint URL, (for example, `https://\u003cstorageaccountname\u003e.blob.core.windows.net`).\n12. Save the endpoint URL in a secure location for future reference.\n\n### Configure Log Export for Microsoft Intune Logs\n\n1. Sign in to the [**Microsoft Intune**](/chronicle/docs/ingestion/default-parsers/intune.microsoft.com) web UI.\n2. Go to **Reports \\\u003e Diagnostic settings**.\n3. Click **+ Add diagnostic setting**.\n4. Provide the following configuration details:\n - **Diagnostic setting name** : Enter a descriptive name (for example, `Intune logs to Google SecOps`)\n - Select the diagnostic settings for `AuditLogs`, `OperationalLogs`, `DeviceComplianceOrg` and `Devices`.\n - Select the **Archive to a storage account** checkbox as the destination.\n - Specify the **Subscription** and **Storage Account**.\n5. Click **Save**.\n\nSet up feeds\n------------\n\nTo configure a feed, follow these steps:\n\n1. Go to **SIEM Settings \\\u003e Feeds**.\n2. Click **Add New Feed**.\n3. On the next page, click **Configure a single feed**.\n4. In the **Feed name** field, enter a name for the feed (for example, `Azure Storage Audit Logs`).\n5. Select **Microsoft Azure Blob Storage V2** as the **Source type**.\n6. Select Azure Storage Audit as the **Log type**.\n7. Click **Next**.\n8. Specify values for the following input parameters:\n\n - **Azure uri**: the blob endpoint URL.\n\n `ENDPOINT_URL/BLOB_NAME`\n\n Replace the following:\n - `ENDPOINT_URL`: the blob endpoint URL. (`https://\u003cstorageaccountname\u003e.blob.core.windows.net`)\n - `BLOB_NAME`: the name of the blob. (such as, `\u003clogname\u003e-logs`)\n - **Source deletion options**: select deletion option according to your preference.\n\n | **Note:** If you select the `Delete transferred files` or `Delete transferred files and empty directories` option, make sure that you granted appropriate permissions to the service account. \\* **Maximum File Age** : Includes files modified in the last number of days. Default is 180 days. \\* **Shared key**: the access key to the Azure Blob Storage.\n9. Click **Next**.\n\n10. Review your new feed configuration in the **Finalize** screen, and then click **Submit**.\n\nConfigure log ingestion using API\n---------------------------------\n\nThis section details the initial steps for setting up an application\nwithin Azure Active Directory to enable API-based log ingestion.\n\n### Configure an App on Azure AD\n\n1. Sign in to the **Azure Portal**.\n2. Optional: If you have access to multiple tenants, use the **Directories + subscriptions** in the top menu to switch to the correct tenant.\n3. Search for and select **Azure Active Directory**.\n4. Go to **Manage \\\u003e App registrations \\\u003e New registration**.\n5. Provide the following configuration details:\n - Enter a **Display Name** for the application.\n - Specify who can access the application.\n - Optional: Don't enter anything for **Redirect URI**.\n - Click **Register**.\n6. Copy and Save the **Application (client) ID** and **Directory (tenant) ID** from the **Overview** screen.\n\n### Configure Client Secret\n\n1. In **App Registrations**, select your new application.\n2. Go to **Manage \\\u003e Certificates \\& secrets \\\u003e Client secrets \\\u003e New client secret**.\n3. Add a **name** for your client secret.\n4. Add an **expiration** period of **2 Years** for the secret or specify a **custom** period.\n5. Click **Add**.\n6. **Copy** and **Save** the **Secret Value**.\n\n### Configure App Permissions\n\n1. In App Registrations, select your new application.\n2. Go to **Manage \\\u003e API Permissions \\\u003e Add a permission**.\n3. Select **Microsoft Graph**.\n4. Add the following **Application** permissions:\n - DeviceManagementApps.Read.All\n - DeviceManagementConfiguration.Read.All\n - DeviceManagementManagedDevices.Read.All\n - DeviceManagementRBAC.Read.All\n - DeviceManagementServiceConfig.Read.All\n - AuditLog.Read.All\n - Device.Read.All\n5. Click **Add permissions**.\n\n| **Important:** After adding permissions, you must click **Grant admin consent** for your tenant to consent to these application permissions (Requires a Global Administrator role).\n\nConfigure a feed in Google SecOps to ingest Microsoft Intune logs\n-----------------------------------------------------------------\n\n1. Go to **SIEM Settings \\\u003e Feeds**.\n2. Click **Add New**.\n3. In the **Feed name** field, enter a name for the feed (for example, **Microsoft Intune Logs**).\n4. Select **Third party API** as the **Source type**.\n5. Select **Microsoft Intune** as the **Log type**.\n6. Click **Next**.\n7. Specify values for the following input parameters:\n - **OAuth Client ID**: Enter the Application ID copied earlier.\n - **OAuth Client Secret**: Enter the Secret Value created earlier.\n - **Tenant ID**: Enter the Directory ID copied earlier.\n - **Asset namespace**: the \\[asset namespace\\] (/chronicle/docs/investigation/asset-namespaces).\n - **Ingestion labels**: the label applied to the events from this feed.\n8. Click **Next**.\n9. Review the feed configuration in the **Finalize** screen, and then click **Submit**.\n\nUDM mapping table\n-----------------\n\n**Need more help?** [Get answers from Community members and Google SecOps professionals.](https://security.googlecloudcommunity.com/google-security-operations-2)"]]