Collect Microsoft Azure MDM (Mobile Device Management) Intune logs
This document explains how to ingest Microsoft Intune logs to Google Security Operations using API or Blob Storage. The parser processes the logs, transforming them into a Unified Data Model (UDM). It extracts fields, maps them to UDM attributes, handles various activity types (Create, Delete, Patch, Action), and enriches the data with additional context like device information, user details, and security results. It also performs specific logic for "Reprovision CloudPCModel" operations and handles different identity scenarios.
Before you begin
Make sure you have the following prerequisites:
- Google SecOps instance
- Active Azure tenant
- Privileged access to Azure
- Privileged access to Microsoft Intune
Configure log ingestion using Azure Storage
This section outlines the process of configuring log ingestion from Azure Storage, enabling you to effectively collect and analyze logs from Microsoft Intune.
Configure the Azure Storage Account
- In the Azure console, search for Storage accounts.
- Click Create.
- Specify values for the following input parameters:
- Subscription: select the subscription.
- Resource Group: select the resource group.
- Region: select the region.
- Performance: select the chosen performance (Standard recommended).
- Redundancy: select the chosen redundancy (GRS or LRS recommended).
- Storage account name: enter a name for the new Storage account.
- Click Review + create.
- Review the overview of the account and click Create.
- From the Storage Account Overview page, select submenu Access keys in Security + networking.
- Click Show next to key1 or key2.
- Click Copy to clipboard to copy the key.
- Save the key in a secure location for future reference.
- From the Storage Account Overview page, select submenu Endpoints in Settings.
- Click Copy to clipboard to copy the Blob service endpoint URL, (for example,
https://<storageaccountname>.blob.core.windows.net
). - Save the endpoint URL in a secure location for future reference.
Configure Log Export for Microsoft Intune Logs
- Sign in to the Microsoft Intune web UI.
- Go to Reports > Diagnostic settings.
- Click + Add diagnostic setting.
- Provide the following configuration details:
- Diagnostic setting name: Enter a descriptive name (for example,
Intune logs to Google SecOps
) - Select the diagnostic settings for
AuditLogs
,OperationalLogs
,DeviceComplianceOrg
andDevices
. - Select the Archive to a storage account checkbox as the destination.
- Specify the Subscription and Storage Account.
- Diagnostic setting name: Enter a descriptive name (for example,
- Click Save.
Set up feeds
There are two different entry points to set up feeds in the Google SecOps platform:
- SIEM Settings > Feeds
- Content Hub > Content Packs
Set up feeds from SIEM Settings > Feeds
To configure a feed, follow these steps:
- Go to SIEM Settings > Feeds.
- Click Add New Feed.
- On the next page, click Configure a single feed.
- In the Feed name field, enter a name for the feed (for example,
Azure Storage Audit Logs
). - Select Microsoft Azure Blob Storage as the Source type.
- Select Azure Storage Audit as the Log type.
- Click Next.
Specify values for the following input parameters:
Azure uri: the blob endpoint URL.
ENDPOINT_URL/BLOB_NAME
Replace the following:
ENDPOINT_URL
: the blob endpoint URL. (https://<storageaccountname>.blob.core.windows.net
)BLOB_NAME
: the name of the blob. (such as,<logname>-logs
)
URI is a: select URI_TYPE according to log stream configuration (Single file | Directory | Directory which includes subdirectories).
Source deletion options: select deletion option according to your preference.
- Shared key: the access key to the Azure Blob Storage.
Click Next.
Review your new feed configuration in the Finalize screen, and then click Submit.
Set up feeds from the Content Hub
Specify values for the following fields:
URI is a: select URI_TYPE according to log stream configuration (Single file | Directory | Directory which includes subdirectories).
- Source deletion options: select deletion option according to your preference.
Shared key: the access key to the Azure Blob Storage.
Advanced options
- Feed Name: A prepopulated value that identifies the feed.
- Source Type: Method used to collect logs into Google SecOps.
- Asset Namespace: Namespace associated with the feed.
- Ingestion Labels: Labels applied to all events from this feed.
Configure log ingestion using API
This section details the initial steps for setting up an application within Azure Active Directory to enable API-based log ingestion.
Configure an App on Azure AD
- Sign in to the Azure Portal.
- Optional: If you have access to multiple tenants, use the Directories + subscriptions in the top menu to switch to the correct tenant.
- Search for and select Azure Active Directory.
- Go to Manage > App registrations > New registration.
- Provide the following configuration details:
- Enter a Display Name for the application.
- Specify who can access the application.
- Optional: Don't enter anything for Redirect URI.
- Click Register.
- Copy and Save the Application (client) ID and Directory (tenant) ID from the Overview screen.
Configure Client Secret
- In App Registrations, select your new application.
- Go to Manage > Certificates & secrets > Client secrets > New client secret.
- Add a name for your client secret.
- Add an expiration period of 2 Years for the secret or specify a custom period.
- Click Add.
- Copy and Save the Secret Value.
Configure App Permissions
- In App Registrations, select your new application.
- Go to Manage > API Permissions > Add a permission.
- Select Microsoft Graph.
- Add the following Application permissions:
- DeviceManagementApps.Read.All
- DeviceManagementConfiguration.Read.All
- DeviceManagementManagedDevices.Read.All
- DeviceManagementRBAC.Read.All
- DeviceManagementServiceConfig.Read.All
- AuditLog.Read.All
- Device.Read.All
- Click Add permissions.
Configure a feed in Google SecOps to ingest Microsoft Intune logs
- Go to SIEM Settings > Feeds.
- Click Add New.
- In the Feed name field, enter a name for the feed (for example, Microsoft Intune Logs).
- Select Third party API as the Source type.
- Select Microsoft Intune as the Log type.
- Click Next.
- Specify values for the following input parameters:
- OAuth Client ID: Enter the Application ID copied earlier.
- OAuth Client Secret: Enter the Secret Value created earlier.
- Tenant ID: Enter the Directory ID copied earlier.
- Asset namespace: the [asset namespace] (/chronicle/docs/investigation/asset-namespaces).
- Ingestion labels: the label applied to the events from this feed.
- Click Next.
- Review the feed configuration in the Finalize screen, and then click Submit.
UDM mapping table
Log Field | UDM Mapping | Logic |
---|---|---|
AADTenantId |
event.idm.read_only_udm.additional.fields.value.string_value |
The value of properties.AADTenantId from the raw log is mapped to this UDM field. A label with key "AADTenantId" is created. |
activityDateTime |
event.idm.read_only_udm.metadata.event_timestamp |
The activityDateTime field is parsed to extract year, month, day, hour, minute, second, and timezone. These extracted fields are used to construct the event_timestamp . |
activityType |
event.idm.read_only_udm.metadata.product_event_type |
Directly mapped to the UDM. |
actor.applicationDisplayName |
event.idm.read_only_udm.principal.application |
Directly mapped to the UDM. |
actor.userId |
event.idm.read_only_udm.principal.user.product_object_id |
Directly mapped to the UDM. |
actor.userPrincipalName |
event.idm.read_only_udm.principal.user.userid |
Directly mapped to the UDM. |
category |
event.idm.read_only_udm.additional.fields.value.string_value |
The value of category from the raw log is mapped to this UDM field. A label with key "category" is created. |
event.idm.read_only_udm.metadata.event_type |
Derived by the parser based on the activityOperationType and other fields. Possible values include USER_RESOURCE_UPDATE_CONTENT , USER_RESOURCE_DELETION , USER_RESOURCE_CREATION , USER_UNCATEGORIZED , STATUS_UPDATE , and GENERIC_EVENT . Hardcoded to "AZURE_MDM_INTUNE". Hardcoded to "AZURE MDM INTUNE". Hardcoded to "Microsoft". Derived. The value is set to "Device ID:" concatenated with the value of properties.DeviceId . The value of properties.SerialNumber from the raw log is mapped to this UDM field. The value of properties.DeviceName from the raw log is mapped to this UDM field. Derived by the parser based on several fields, including DeviceManagementAPIName , software1_name , software2.name , software3.name , and software4.name . Multiple software entries can be created. The value of properties.DeviceName from the raw log is mapped to this UDM field. Derived by the parser based on the properties.OS field. Possible values are "WINDOWS", "LINUX", and "MAC". The value of properties.OSVersion from the raw log is mapped to this UDM field. The value of the displayName field within the modifiedProperties array of the resources array is mapped to this UDM field. The value of the newValue field within the modifiedProperties array of the resources array is mapped to this UDM field. The value of properties.UserEmail or user_identity or ident.UPN.0.Identity from the raw log is mapped to this UDM field. The value of properties.UserName from the raw log is mapped to this UDM field. The key can be OS_loc or OSDescription . The value of properties.OS_loc or properties.OSDescription from the raw log is mapped to this UDM field. Derived by the parser based on several fields, including resources.0.displayName and activityType . Derived by the parser based on the activityResult and event_type fields. Possible values include ACTIVE , PENDING_DECOMISSION , DECOMISSIONED , and DEPLOYMENT_STATUS_UNSPECIFIED . Hardcoded to "MICROSOFT_AZURE". The value of resources.0.resourceId from the raw log is mapped to this UDM field. The value of resources.0.type from the raw log is mapped to this UDM field. Derived by the parser based on several fields, including resources.0.type and activityType . Possible values include DEVICE , ACCESS_POLICY , and TASK . The value of upn_identity from the raw log is mapped to this UDM field. The value of user_identity or user_id from the raw log is mapped to this UDM field. |
|
properties.BatchId |
event.idm.read_only_udm.metadata.product_log_id |
Directly mapped to the UDM. |
resources.0.resourceId |
event.idm.read_only_udm.target.resource.id |
Directly mapped to the UDM. |
resources.0.type |
event.idm.read_only_udm.target.resource.name |
Directly mapped to the UDM. |
tenantId |
event.idm.read_only_udm.additional.fields.value.string_value |
The value of tenantId from the raw log is mapped to this UDM field. A label with key "tenantId" is created. |
Need more help? Get answers from Community members and Google SecOps professionals.