I’ve updated my original instructions on Connecting Intune to Azure Sentinel due to a recent log addition for Intune. Use those instructions for the complete steps to enabling Azure Sentinel to monitor Intune activity.
A new log type has shown up recently. The new log type is Devices and the table name created is IntuneDevices (as shown in the image).
After the IntuneDevices table is populated, you can use the following KQL query to identify the column names to query against:
IntuneDevices
| getschema…or, just use the following page in the Azure Monitor Log references docs: IntuneDevices
=========================
[Want to discuss this further? Hit me up on Twitter or LinkedIn]
[Subscribe to the RSS feed for this blog]
[Subscribe to the Weekly Azure Sentinel Newsletter]