Microsoft Intune
About The Device
Microsoft Intune is a cloud-based service that focuses on mobile device management (MDM) and mobile application management (MAM). You control how your organization’s devices are used, including mobile phones, tablets, and laptops. You can also configure specific policies to control applications. On personal devices, Intune helps make sure your organization's data stays protected and can isolate organization data from personal data.
Device Information
 Entity | Particulars |
---|---|
Vendor Name | Microsoft |
Product Name | Intune |
Type of Device | Cloud |
Collection Method
Log Type | Â Ingestion label | Preferred Logging Protocol - Format | Log Collection Method | Data Source |
---|---|---|---|---|
Microsoft Intune | Â Â AZURE_MDM_INTUNE | Â API - JSON | C2C (Audit Logs) | https://cloud.google.com/chronicle/docs/reference/feed-management-api#azure-mdm-intune |
Microsoft Intune | Â Â AZURE_MDM_INTUNE | Â API - JSON | CyberHub (Operational and Device Compliance Organizational logs) | Â |
Device Configuration
Prerequisite
Active Azure subscription
Active Intune License
A user who's a Global Administrator or Intune Service Administrator for the Intune tenant
Following are the steps to configure Audit logs. Audit logs are supported via C2C ingestion.
To Register Application
Log in to Azure Portal: https://portal.azure.com
In search bar, enter App registrations.
Select the App registrations service in the search results.
Select + New registration.
In Register an application, Provide the name of the application.
Select Accounts in this organizational directory only under Supported account types.
Click Register.
Once Application is created, you will see Application (client) ID & Directory (tenant) ID on Overview tab of the application. Copy these IDs for integrations with Chronicle.
To Grant Permissions
Under above registered app, select API permissions, click + Add a permission
Click APIs my organization uses.
Search for Microsoft Graph and click on the search result Microsoft Graph.
Click Application permissions.
Search DeviceManagementApps.Read.All, DeviceManagementConfiguration.Read.All and DeviceManagementManagedDevices.Read.All permissions and select it.
Click on Add permissions.
Grant admin consent for each permission by clicking Grant admin consent for ACCOUNT
To Add a Client Secret
Navigate back to the main application and select Certificates & secrets.
Click on New client secret and provide description and expiry period for the created secret and click Add.
Please ensure that you save the value of the created secret as it will be displayed only once.
Provide Application (client) ID, Directory (tenant) ID & Client Secret to Adaptive MxDR Service Delivery Lead for Chronicle feed.
To Configure Operational and Device Compliance Organizational logs via CyberHub
Please follow below steps to configure Operational and Device Compliance Organizational logs and use CyberHub collection mechanism:
Sign in to the Microsoft Endpoint Manager admin center.
Select Reports > Diagnostics settings. The first time you open it, turn it on. Otherwise, add a setting
Name: Enter a name for the diagnostic settings. This setting includes all the properties you enter.
On the next Window, provide appropriate Name. and select OperationalLogs, DeviceComplianceOrg only.
As per customer requirement, either you can store logs in Storage Account or stream the logs to Event Hub.
a. Archive to a storage account
To store logs in Storage Account, select Archive to a storage account and select an existing Subscription and Storage account.Â
Adaptive MxDR recommends a minimum of 1 day of log retention, the number can be defined based on the organization's policies.
b. Stream logs to an event hub
To stream logs to Event Hub, select Stream to an event hub.
Select Subscription, Event hub namespace, Event hub name and Event hub policy name created during Event Hub.Â
Use below link to get credentials for Azure Storage and Azure Event HUB.
Get Credentials of Azure Storage and Azure EventHub
Integration Parameters
Audit Logs (C2C):
Property | Default Value | Description |
---|---|---|
OAUTH CLIENT ID | N/A | The OAuth client ID. |
OAUTH CLIENT SECRET | N/A | The client secret. |
TENANT ID | N/A | The tenant ID |
API FULL PATH | API full path | |
API AUTHENTICATION ENDPOINT | The Microsoft Active Directory authentication endpoint. | |
ASSET NAMESPACE | N/A | To assign an asset namespace to all events that are ingested from a particular feed, set the |
Operational and Device Compliance Organizational logs (CyberHub):
Via Azure Storage:
Property | Default Value | Description |
---|---|---|
Logging Source | N/A | Select Storage |
eventHubConnectionString | N/A | N/A (keep blank) |
consumerGroupName | N/A | N/A (keep blank) |
Account Key | Custome value | Access Key to access storage account |
Blob Container | N/A | Storage blob Container name |
Storage Account Name | Custom Value | Azure storage account name |
Subscription | N/A | Tenant ID that customer wants to be monitored |
initialReadPolicy | N/A | Select Beginning to start reading from beginning and End to start reading logs from the end |
Via Azure EventHub:
Property | Default Value | Description |
---|---|---|
Logging Source | N/A | Select EventHub |
eventHubConnectionString | N/A | Event hub connection string |
consumerGroupName | N/A | Optional and used if consumer Group is other than default |
Account Key | Custom Value | Access Key to access storage account |
Blob Container | N/A | Storage blob Container name |
Storage Account Name | Custom Value | Azure storage account name |
Subscription | N/A | Set EventHub name |
initialReadPolicy | N/A | N/A (keep default selection) |
Â
In case of EventHub logging source, storage Account Key/SAS Token, Blob Container, and Storage Account Name are required because the marker for the event hub gets stored in the storage account.
In case of Storage logging source, for each blob container created under storage account there should be separate sensor configuration created in the CyberHub.
Â
About Accenture:
Accenture is a leading global professional services company that helps the world’s leading businesses, governments and other organizations build their digital core, optimize their operations, accelerate revenue growth and enhance citizen services—creating tangible value at speed and scale. We are a talent and innovation led company with 738,000 people serving clients in more than 120 countries. Technology is at the core of change today, and we are one of the world’s leaders in helping drive that change, with strong ecosystem relationships. We combine our strength in technology with unmatched industry experience, functional expertise and global delivery capability. We are uniquely able to deliver tangible outcomes because of our broad range of services, solutions and assets across Strategy & Consulting, Technology, Operations, Industry X and Accenture Song. These capabilities, together with our culture of shared success and commitment to creating 360° value, enable us to help our clients succeed and build trusted, lasting relationships. We measure our success by the 360° value we create for our clients, each other, our shareholders, partners and communities. Visit us at www.accenture.com.
About Accenture Security
Accenture Security is a leading provider of end-to-end cybersecurity services, including advanced cyber defense, applied cybersecurity solutions and managed security operations. We bring security innovation, coupled with global scale and a worldwide delivery capability through our network of Advanced Technology and Intelligent Operations centers. Helped by our team of highly skilled professionals, we enable clients to innovate safely, build cyber resilience and grow with confidence. Follow us @AccentureSecure on Twitter or visit us at www.accenture.com/security.
Legal notice: Accenture, the Accenture logo, and other trademarks, service marks, and designs are registered or unregistered trademarks of Accenture and its subsidiaries in the United States and in foreign countries. All trademarks are properties of their respective owners. This document is intended for general informational purposes only and does not take into account the reader’s specific circumstances, and may not reflect the most current developments. Accenture disclaims, to the fullest extent permitted by applicable law, any and all liability for the accuracy and completeness of the information in this presentation and for any acts or omissions made based on such information. Accenture does not provide legal, regulatory, audit, or tax advice. Readers are responsible for obtaining such advice from their own legal counsel or other licensed professionals.