Versions Compared

Old Version 2

changes.mady.by.user Aparna Rr

Saved on

compared with

New Version Current

changes.mady.by.user Aparna Rr

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Log Type

 Ingestion label

Preferred Logging Protocol - Format

Log Collection Method

Data Source

Microsoft Intune

  AZURE_MDM_INTUNE

 API - JSON

C2C (Audit Logs)

https://cloud.google.com/chronicle/docs/reference/feed-management-api#azure-mdm-intune

Microsoft Intune

  AZURE_MDM_INTUNE

 API - JSON

CyberHub (Operational and Device Compliance Organizational logs)

Device Configuration

Prerequisite

  1. Active Azure subscription

  2. Active Intune License

...

  1. A user who's a Global Administrator or Intune Service Administrator for the Intune tenant

Following are the steps to configure Audit logs. Audit logs are supported via C2C ingestion.

To Register Application

  1. Log in to Azure Portal: https://portal.azure.com

  2. In search bar, enter App registrations.

...

  1. Provide Application (client) ID, Directory (tenant) ID & Client Secret to Adaptive MxDR Service Delivery Lead for Chronicle feed.

Integration Parameters

...

  1. .

To Configure Operational and Device Compliance Organizational logs via CyberHub

Please follow below steps to configure Operational and Device Compliance Organizational logs and use CyberHub collection mechanism:

  1. Sign in to the Microsoft Endpoint Manager admin center.

  2. Select Reports > Diagnostics settings. The first time you open it, turn it on. Otherwise, add a setting

...

Name: Enter a name for the diagnostic settings. This setting includes all the properties you enter.

  1. On the next Window, provide appropriate Name. and select OperationalLogs, DeviceComplianceOrg only.

  2. As per customer requirement, either you can store logs in Storage Account or stream the logs to Event Hub.

a. Archive to a storage account

To store logs in Storage Account, select Archive to a storage account and select an existing Subscription and Storage account. 

Adaptive MxDR recommends a minimum of 1 day of log retention, the number can be defined based on the organization's policies.

...

b. Stream logs to an event hub

  • To stream logs to Event Hub, select Stream to an event hub.

  • Select Subscription, Event hub namespace, Event hub name and Event hub policy name created during Event Hub. 

...

  1. Use below link to get credentials for Azure Storage and Azure Event HUB.

Get Credentials of Azure Storage and Azure EventHub

Integration Parameters

Audit Logs (C2C):

Property

Default Value

Description

OAUTH CLIENT ID

N/A

The OAuth client ID.

OAUTH CLIENT SECRET

N/A

The client secret.

TENANT ID

N/A

The tenant ID

API FULL PATH

graph.microsoft.com/beta/deviceManagement/auditEvents

API full path

API AUTHENTICATION ENDPOINT

login.microsoftonline.com

The Microsoft Active Directory authentication endpoint.
Eg- https://login.microsoftonline.com/{tenantId}/oauth2/token
Mention the TenantID in the above URL and provide it.

ASSET NAMESPACE

N/A

To assign an asset namespace to all events that are ingested from a particular feed, set the "namespace" field within details. The namespace field is a string.

Operational and Device Compliance Organizational logs (CyberHub):

Via Azure Storage:

Property

Default Value

Description

Logging Source

N/A

Select Storage

eventHubConnectionString

N/A

N/A (keep blank)

consumerGroupName

N/A

N/A (keep blank)

Account Key

Custome value

Access Key to access storage account

Blob Container

N/A

Storage blob Container name
insights-logs-devicecomplianceorg
insights-logs-operationallogs

Storage Account Name

Custom Value

Azure storage account name

Subscription

N/A

Tenant ID that customer wants to be monitored

initialReadPolicy

N/A

Select Beginning to start reading from beginning and End to start reading logs from the end

Via Azure EventHub:

Property

Default Value

Description

Logging Source

N/A

Select EventHub

eventHubConnectionString

N/A

Event hub connection string

consumerGroupName

N/A

Optional and used if consumer Group is other than default

Account Key

Custom Value

Access Key to access storage account

Blob Container

N/A

Storage blob Container name

Storage Account Name

Custom Value

Azure storage account name

Subscription

N/A

Set EventHub name

initialReadPolicy

N/A

N/A (keep default selection)

 

In case of EventHub logging source, storage Account Key/SAS Token, Blob Container, and Storage Account Name are required because the marker for the event hub gets stored in the storage account.

In case of Storage logging source, for each blob container created under storage account there should be separate sensor configuration created in the CyberHub.