Connecting Intune to Azure Sentinel

We have some deeper integration coming for all endpoints in the future for Azure Sentinel through the standard ATP, DATP, etc. connectors, but for now you can connect your Intune/Endpoint Manager tenant to Azure Sentinel pretty easily to get started sifting through the available data. It takes less than a few minutes to set up and see a new Intune data table show up in Azure Sentinel.

How to do it…

Open the Microsoft Endpoint Manager admin center and navigate the menu to Reports, then Diagnostic Settings.

Create a new Diagnostic Setting, ensuring that your own Subscription and Log Analytics Workspace (for Azure Sentinel) are selected. Also, make sure to select all log types (AuditLogs, OperationalLogs, DeviceComplianceOrg, and Devices).

Once the Diagnostic Setting is created, saved, and enabled, and as long as there is activity being recorded in the Intune tenant, new data tables called IntuneAuditLogs, IntuneDeviceComplianceOrg, IntuneOperationalLogs, and IntuneDevices will show up in the list in Azure Sentinel under the LogManagement area.
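
To confirm that the Diagnostic Setting is actually delivering data, a query like the following can be run in the Logs blade of the workspace. This is an added example, not from the original post; it assumes only the four table names above and the standard TimeGenerated column, and the 7-day window is an arbitrary choice.

```kusto
// Added example: report, per expected Intune table, whether records are arriving.
let expected = datatable(TableName:string)
[
    "IntuneAuditLogs",
    "IntuneOperationalLogs",
    "IntuneDeviceComplianceOrg",
    "IntuneDevices"
];
let seen =
    union withsource=TableName isfuzzy=true
        // Empty placeholder leg: isfuzzy needs at least one leg to resolve,
        // so the query still runs before any Intune table has been created.
        (datatable(TimeGenerated:datetime)[]),
        IntuneAuditLogs,
        IntuneOperationalLogs,
        IntuneDeviceComplianceOrg,
        IntuneDevices
    | where TimeGenerated > ago(7d)   // assumed lookback window
    | summarize Records = count(), LastRecord = max(TimeGenerated) by TableName;
expected
| join kind=leftouter seen on TableName
| project TableName,
          Records = coalesce(Records, 0),
          LastRecord,
          Status = iff(isnull(LastRecord), "no data yet", "receiving data")
| order by TableName asc
```

A table reported as "no data yet" has either not been created or has received nothing in the window, which is expected when no matching activity has been recorded in the Intune tenant for that log type.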


For today’s P.S.: I’ve also placed a few Intune-specific Workbooks for Azure Sentinel in my GitHub repository. Feel free to import them, use them, make modifications, etc., etc.


ALSO, see the “Digging Deeper into Intune” article as a next step. There are plenty of queries shown there (with a link) to get started monitoring security for your Intune-managed devices.

