Collect Microsoft Azure MDM (Mobile Device Management) Intune logs

This document explains how to ingest Microsoft Intune logs to Google Security Operations using API or Blob Storage. The parser processes the logs, transforming them into a Unified Data Model (UDM). It extracts fields, maps them to UDM attributes, handles various activity types (Create, Delete, Patch, Action), and enriches the data with additional context like device information, user details, and security results. It also performs specific logic for "Reprovision CloudPCModel" operations and handles different identity scenarios.

Before you begin

Make sure you have the following prerequisites:

• Google SecOps instance
• Active Azure tenant
• Privileged access to Azure
• Privileged access to Microsoft Intune

Configure log ingestion using Azure Storage

This section outlines the process of configuring log ingestion from Azure Storage, enabling you to effectively collect and analyze logs from Microsoft Intune.

Configure the Azure Storage Account

1. In the Azure console, search for Storage accounts.
2. Click Create.
3. Specify values for the following input parameters:
   • Subscription: select the subscription.
   • Resource Group: select the resource group.
   • Region: select the region.
   • Performance: select the chosen performance (Standard recommended).
   • Redundancy: select the chosen redundancy (GRS or LRS recommended).
   • Storage account name: enter a name for the new Storage account.
4. Click Review + create.
5. Review the overview of the account and click Create.
6. From the Storage Account Overviewpage, select submenu Access keysin Security + networking.
7. Click Shownext to key1or key2.
8. Click Copy to clipboardto copy the key.
9. Save the key in a secure location for future reference.
10. From the Storage Account Overviewpage, select submenu Endpointsin Settings.
11. Click Copy to clipboardto copy the Blob serviceendpoint URL, (for example, https://<storageaccountname>.blob.core.windows.net ).
12. Save the endpoint URL in a secure location for future reference.

Configure Log Export for Microsoft Intune Logs

1. Sign in to the Microsoft Intune web UI.
2. Go to Reports > Diagnostic settings.
3. Click + Add diagnostic setting.
4. Provide the following configuration details:
   • Diagnostic setting name: Enter a descriptive name (for example, Intune logs to Google SecOps )
   • Select the diagnostic settings for AuditLogs , OperationalLogs , DeviceComplianceOrg and Devices .
   • Select the Archive to a storage accountcheckbox as the destination.
   • Specify the Subscriptionand Storage Account.
5. Click Save.

Set up feeds

To configure a feed, follow these steps:

1. Go to SIEM Settings > Feeds.
2. Click Add New Feed.
3. On the next page, click Configure a single feed.
4. In the Feed namefield, enter a name for the feed (for example, Azure Storage Audit Logs ).
5. Select Microsoft Azure Blob Storage V2as the Source type.
6. Select Azure Storage Audit as the Log type.
7. Click Next.

8. Specify values for the following input parameters:

   • Azure uri: the blob endpoint URL.

     ENDPOINT_URL/BLOB_NAME

     Replace the following:

     • ENDPOINT_URL : the blob endpoint URL. ( https://<storageaccountname>.blob.core.windows.net )
     • BLOB_NAME : the name of the blob. (such as, <logname>-logs )

   • Source deletion options: select deletion option according to your preference.

9. Click Next.

10. Review your new feed configuration in the Finalizescreen, and then click Submit.

Configure log ingestion using API

This section details the initial steps for setting up an application within Azure Active Directory to enable API-based log ingestion.

Configure an App on Azure AD

1. Sign in to the Azure Portal.
2. Optional: If you have access to multiple tenants, use the Directories + subscriptionsin the top menu to switch to the correct tenant.
3. Search for and select Azure Active Directory.
4. Go to Manage > App registrations > New registration.
5. Provide the following configuration details:
   • Enter a Display Namefor the application.
   • Specify who can access the application.
   • Optional: Don't enter anything for Redirect URI.
   • Click Register.
6. Copy and Save the Application (client) IDand Directory (tenant) IDfrom the Overviewscreen.

Configure Client Secret

1. In App Registrations, select your new application.
2. Go to Manage > Certificates & secrets > Client secrets > New client secret.
3. Add a namefor your client secret.
4. Add an expirationperiod of 2 Yearsfor the secret or specify a customperiod.
5. Click Add.
6. Copyand Savethe Secret Value.

Configure App Permissions

1. In App Registrations, select your new application.
2. Go to Manage > API Permissions > Add a permission.
3. Select Microsoft Graph.
4. Add the following Applicationpermissions:
   • DeviceManagementApps.Read.All
   • DeviceManagementConfiguration.Read.All
   • DeviceManagementManagedDevices.Read.All
   • DeviceManagementRBAC.Read.All
   • DeviceManagementServiceConfig.Read.All
   • AuditLog.Read.All
   • Device.Read.All
5. Click Add permissions.

Configure a feed in Google SecOps to ingest Microsoft Intune logs

1. Go to SIEM Settings > Feeds.
2. Click Add New.
3. In the Feed namefield, enter a name for the feed (for example, Microsoft Intune Logs).
4. Select Third party APIas the Source type.
5. Select Microsoft Intuneas the Log type.
6. Click Next.
7. Specify values for the following input parameters:
   • OAuth Client ID: Enter the Application ID copied earlier.
   • OAuth Client Secret: Enter the Secret Value created earlier.
   • Tenant ID: Enter the Directory ID copied earlier.
   • Asset namespace: the [asset namespace] (/chronicle/docs/investigation/asset-namespaces).
   • Ingestion labels: the label applied to the events from this feed.
8. Click Next.
9. Review the feed configuration in the Finalizescreen, and then click Submit.

UDM mapping table

Log Field	UDM Mapping	Logic
AADTenantId	event.idm.read_only_udm.additional.fields.value.string_value	The value of properties.AADTenantId from the raw log is mapped to this UDM field. A label with key "AADTenantId" is created.
activityDateTime	event.idm.read_only_udm.metadata.event_timestamp	The activityDateTime field is parsed to extract year, month, day, hour, minute, second, and timezone. These extracted fields are used to construct the event_timestamp .
activityType	event.idm.read_only_udm.metadata.product_event_type	Directly mapped to the UDM.
actor.applicationDisplayName	event.idm.read_only_udm.principal.application	Directly mapped to the UDM.
actor.userId	event.idm.read_only_udm.principal.user.product_object_id	Directly mapped to the UDM.
actor.userPrincipalName	event.idm.read_only_udm.principal.user.userid	Directly mapped to the UDM.
category	event.idm.read_only_udm.additional.fields.value.string_value	The value of category from the raw log is mapped to this UDM field. A label with key "category" is created.
	event.idm.read_only_udm.metadata.event_type	Derived by the parser based on the activityOperationType and other fields. Possible values include USER_RESOURCE_UPDATE_CONTENT , USER_RESOURCE_DELETION , USER_RESOURCE_CREATION , USER_UNCATEGORIZED , STATUS_UPDATE , and GENERIC_EVENT . Hardcoded to "AZURE_MDM_INTUNE". Hardcoded to "AZURE MDM INTUNE". Hardcoded to "Microsoft". Derived. The value is set to "Device ID:" concatenated with the value of properties.DeviceId . The value of properties.SerialNumber from the raw log is mapped to this UDM field. The value of properties.DeviceName from the raw log is mapped to this UDM field. Derived by the parser based on several fields, including DeviceManagementAPIName , software1_name , software2.name , software3.name , and software4.name . Multiple software entries can be created. The value of properties.DeviceName from the raw log is mapped to this UDM field. Derived by the parser based on the properties.OS field. Possible values are "WINDOWS", "LINUX", and "MAC". The value of properties.OSVersion from the raw log is mapped to this UDM field. The value of the displayName field within the modifiedProperties array of the resources array is mapped to this UDM field. The value of the newValue field within the modifiedProperties array of the resources array is mapped to this UDM field. The value of properties.UserEmail or user_identity or ident.UPN.0.Identity from the raw log is mapped to this UDM field. The value of properties.UserName from the raw log is mapped to this UDM field. The key can be OS_loc or OSDescription . The value of properties.OS_loc or properties.OSDescription from the raw log is mapped to this UDM field. Derived by the parser based on several fields, including resources.0.displayName and activityType . Derived by the parser based on the activityResult and event_type fields. Possible values include ACTIVE , PENDING_DECOMISSION , DECOMISSIONED , and DEPLOYMENT_STATUS_UNSPECIFIED . Hardcoded to "MICROSOFT_AZURE". The value of resources.0.resourceId from the raw log is mapped to this UDM field. The value of resources.0.type from the raw log is mapped to this UDM field. Derived by the parser based on several fields, including resources.0.type and activityType . Possible values include DEVICE , ACCESS_POLICY , and TASK . The value of upn_identity from the raw log is mapped to this UDM field. The value of user_identity or user_id from the raw log is mapped to this UDM field.
properties.BatchId	event.idm.read_only_udm.metadata.product_log_id	Directly mapped to the UDM.
resources.0.resourceId	event.idm.read_only_udm.target.resource.id	Directly mapped to the UDM.
resources.0.type	event.idm.read_only_udm.target.resource.name	Directly mapped to the UDM.
tenantId	event.idm.read_only_udm.additional.fields.value.string_value	The value of tenantId from the raw log is mapped to this UDM field. A label with key "tenantId" is created.

Need more help? Get answers from Community members and Google SecOps professionals.