Collect Microsoft Azure MDM (Mobile Device Management) Intune logs

Supported in:

Google secops Siem

This document explains how to ingest Microsoft Intune logs to Google Security Operations using API or Blob Storage. The parser processes the logs, transforming them into a Unified Data Model (UDM). It extracts fields, maps them to UDM attributes, handles various activity types (Create, Delete, Patch, Action), and enriches the data with additional context like device information, user details, and security results. It also performs specific logic for "Reprovision CloudPCModel" operations and handles different identity scenarios.

Before you begin

Make sure you have the following prerequisites:

Google SecOps instance
Active Azure tenant
Privileged access to Azure
Privileged access to Microsoft Intune

Configure log ingestion using Azure Storage

This section outlines the process of configuring log ingestion from Azure Storage, enabling you to effectively collect and analyze logs from Microsoft Intune.

Configure the Azure Storage Account

In the Azure console, search for Storage accounts.
Click Create.
Specify values for the following input parameters:
- Subscription: select the subscription.
- Resource Group: select the resource group.
- Region: select the region.
- Performance: select the chosen performance (Standard recommended).
- Redundancy: select the chosen redundancy (GRS or LRS recommended).
- Storage account name: enter a name for the new Storage account.
Click Review + create.
Review the overview of the account and click Create.
From the Storage Account Overview page, select submenu Access keys in Security + networking.
Click Show next to key1 or key2.
Click Copy to clipboard to copy the key.
Save the key in a secure location for future reference.
From the Storage Account Overview page, select submenu Endpoints in Settings.
Click Copy to clipboard to copy the Blob service endpoint URL, (for example, https://<storageaccountname>.blob.core.windows.net).
Save the endpoint URL in a secure location for future reference.

Configure Log Export for Microsoft Intune Logs

Sign in to the Microsoft Intune web UI.
Go to Reports > Diagnostic settings.
Click + Add diagnostic setting.
Provide the following configuration details:
- Diagnostic setting name: Enter a descriptive name (for example, Intune logs to Google SecOps)
- Select the diagnostic settings for AuditLogs, OperationalLogs, DeviceComplianceOrg and Devices.
- Select the Archive to a storage account checkbox as the destination.
- Specify the Subscription and Storage Account.
Click Save.

Set up feeds

There are two different entry points to set up feeds in the Google SecOps platform:

SIEM Settings > Feeds
Content Hub > Content Packs

Set up feeds from SIEM Settings > Feeds

To configure a feed, follow these steps:

Go to SIEM Settings > Feeds.
Click Add New Feed.
On the next page, click Configure a single feed.
In the Feed name field, enter a name for the feed (for example, Azure Storage Audit Logs).
Select Microsoft Azure Blob Storage as the Source type.
Select Azure Storage Audit as the Log type.
Click Next.
Specify values for the following input parameters:
- Azure uri: the blob endpoint URL.
  
  ENDPOINT_URL/BLOB_NAME
  
  Replace the following:
  - ENDPOINT_URL: the blob endpoint URL. (https://<storageaccountname>.blob.core.windows.net)
  - BLOB_NAME: the name of the blob. (such as, <logname>-logs)
- URI is a: select URI_TYPE according to log stream configuration (Single file | Directory | Directory which includes subdirectories).
- Source deletion options: select deletion option according to your preference.
Note: If you select the Delete transferred files or Delete transferred files and empty directories option, make sure that you granted appropriate permissions to the service account.
- Shared key: the access key to the Azure Blob Storage.
Click Next.
Review your new feed configuration in the Finalize screen, and then click Submit.

Set up feeds from the Content Hub

Specify values for the following fields:

URI is a: select URI_TYPE according to log stream configuration (Single file | Directory | Directory which includes subdirectories).
- Source deletion options: select deletion option according to your preference.
Note: If you select the Delete transferred files or Delete transferred files and empty directories option, make sure that you granted appropriate permissions to the service account.
Shared key: the access key to the Azure Blob Storage.

Advanced options

Feed Name: A prepopulated value that identifies the feed.
Source Type: Method used to collect logs into Google SecOps.
Asset Namespace: Namespace associated with the feed.
Ingestion Labels: Labels applied to all events from this feed.

Configure log ingestion using API

This section details the initial steps for setting up an application within Azure Active Directory to enable API-based log ingestion.

Configure an App on Azure AD

Sign in to the Azure Portal.
Optional: If you have access to multiple tenants, use the Directories + subscriptions in the top menu to switch to the correct tenant.
Search for and select Azure Active Directory.
Go to Manage > App registrations > New registration.
Provide the following configuration details:
- Enter a Display Name for the application.
- Specify who can access the application.
- Optional: Don't enter anything for Redirect URI.
- Click Register.
Copy and Save the Application (client) ID and Directory (tenant) ID from the Overview screen.

Configure Client Secret

In App Registrations, select your new application.
Go to Manage > Certificates & secrets > Client secrets > New client secret.
Add a name for your client secret.
Add an expiration period of 2 Years for the secret or specify a custom period.
Click Add.
Copy and Save the Secret Value.

Configure App Permissions

In App Registrations, select your new application.
Go to Manage > API Permissions > Add a permission.
Select Microsoft Graph.
Add the following Application permissions:
- DeviceManagementApps.Read.All
- DeviceManagementConfiguration.Read.All
- DeviceManagementManagedDevices.Read.All
- DeviceManagementRBAC.Read.All
- DeviceManagementServiceConfig.Read.All
- AuditLog.Read.All
- Device.Read.All
Click Add permissions.

Configure a feed in Google SecOps to ingest Microsoft Intune logs

Go to SIEM Settings > Feeds.
Click Add New.
In the Feed name field, enter a name for the feed (for example, Microsoft Intune Logs).
Select Third party API as the Source type.
Select Microsoft Intune as the Log type.
Click Next.
Specify values for the following input parameters:
- OAuth Client ID: Enter the Application ID copied earlier.
- OAuth Client Secret: Enter the Secret Value created earlier.
- Tenant ID: Enter the Directory ID copied earlier.
- Asset namespace: the [asset namespace] (/chronicle/docs/investigation/asset-namespaces).
- Ingestion labels: the label applied to the events from this feed.
Click Next.
Review the feed configuration in the Finalize screen, and then click Submit.

UDM mapping table

Log Field	UDM Mapping	Logic
`AADTenantId`	`event.idm.read_only_udm.additional.fields.value.string_value`	The value of `properties.AADTenantId` from the raw log is mapped to this UDM field. A label with key "AADTenantId" is created.
`activityDateTime`	`event.idm.read_only_udm.metadata.event_timestamp`	The `activityDateTime` field is parsed to extract year, month, day, hour, minute, second, and timezone. These extracted fields are used to construct the `event_timestamp`.
`activityType`	`event.idm.read_only_udm.metadata.product_event_type`	Directly mapped to the UDM.
`actor.applicationDisplayName`	`event.idm.read_only_udm.principal.application`	Directly mapped to the UDM.
`actor.userId`	`event.idm.read_only_udm.principal.user.product_object_id`	Directly mapped to the UDM.
`actor.userPrincipalName`	`event.idm.read_only_udm.principal.user.userid`	Directly mapped to the UDM.
`category`	`event.idm.read_only_udm.additional.fields.value.string_value`	The value of `category` from the raw log is mapped to this UDM field. A label with key "category" is created.
	`event.idm.read_only_udm.metadata.event_type`	Derived by the parser based on the `activityOperationType` and other fields. Possible values include `USER_RESOURCE_UPDATE_CONTENT`, `USER_RESOURCE_DELETION`, `USER_RESOURCE_CREATION`, `USER_UNCATEGORIZED`, `STATUS_UPDATE`, and `GENERIC_EVENT`. Hardcoded to "AZURE_MDM_INTUNE". Hardcoded to "AZURE MDM INTUNE". Hardcoded to "Microsoft". Derived. The value is set to "Device ID:" concatenated with the value of `properties.DeviceId`. The value of `properties.SerialNumber` from the raw log is mapped to this UDM field. The value of `properties.DeviceName` from the raw log is mapped to this UDM field. Derived by the parser based on several fields, including `DeviceManagementAPIName`, `software1_name`, `software2.name`, `software3.name`, and `software4.name`. Multiple software entries can be created. The value of `properties.DeviceName` from the raw log is mapped to this UDM field. Derived by the parser based on the `properties.OS` field. Possible values are "WINDOWS", "LINUX", and "MAC". The value of `properties.OSVersion` from the raw log is mapped to this UDM field. The value of the `displayName` field within the `modifiedProperties` array of the `resources` array is mapped to this UDM field. The value of the `newValue` field within the `modifiedProperties` array of the `resources` array is mapped to this UDM field. The value of `properties.UserEmail` or `user_identity` or `ident.UPN.0.Identity` from the raw log is mapped to this UDM field. The value of `properties.UserName` from the raw log is mapped to this UDM field. The key can be `OS_loc` or `OSDescription`. The value of `properties.OS_loc` or `properties.OSDescription` from the raw log is mapped to this UDM field. Derived by the parser based on several fields, including `resources.0.displayName` and `activityType`. Derived by the parser based on the `activityResult` and `event_type` fields. Possible values include `ACTIVE`, `PENDING_DECOMISSION`, `DECOMISSIONED`, and `DEPLOYMENT_STATUS_UNSPECIFIED`. Hardcoded to "MICROSOFT_AZURE". The value of `resources.0.resourceId` from the raw log is mapped to this UDM field. The value of `resources.0.type` from the raw log is mapped to this UDM field. Derived by the parser based on several fields, including `resources.0.type` and `activityType`. Possible values include `DEVICE`, `ACCESS_POLICY`, and `TASK`. The value of `upn_identity` from the raw log is mapped to this UDM field. The value of `user_identity` or `user_id` from the raw log is mapped to this UDM field.
`properties.BatchId`	`event.idm.read_only_udm.metadata.product_log_id`	Directly mapped to the UDM.
`resources.0.resourceId`	`event.idm.read_only_udm.target.resource.id`	Directly mapped to the UDM.
`resources.0.type`	`event.idm.read_only_udm.target.resource.name`	Directly mapped to the UDM.
`tenantId`	`event.idm.read_only_udm.additional.fields.value.string_value`	The value of `tenantId` from the raw log is mapped to this UDM field. A label with key "tenantId" is created.

Need more help? Get answers from Community members and Google SecOps professionals.