One of the key requirements is to have complete visibility into the activities and logs of MEM (Intune) enrolled devices, and Azure Sentinel is the key to meeting this requirement:
Pre-Requisites & Ingestion Flow
ENABLE Microsoft Endpoint Manager (MEM) DIAGNOSTICS Settings
A couple of useful use cases for querying MEM logs:

// Count and summarize MEM operations
IntuneAuditLogs | summarize count() by OperationName

// Successful device sync operations
IntuneAuditLogs | where OperationName == "syncDevice ManagedDevice" and ResultType == "Success"

// Ten most recent audit events and who performed them
IntuneAuditLogs | top 10 by TimeGenerated | project Identity, OperationName
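Beyond ad-hoc queries, the same table can drive a scheduled analytics rule. The following KQL is an added example and is not part of the original post; it assumes only the standard IntuneAuditLogs columns (TimeGenerated, OperationName, ResultType, Identity) and uses a constructed threshold of 10 failed operations per identity in the last hour, which should be tuned to the tenant's normal baseline.

```kusto
// Added example (not from the original post): scheduled analytics rule query.
// Flags any identity that accumulated an unusual number of failed MEM
// operations within the lookback window, which can indicate a misconfigured
// automation account or an actor probing for permissions it does not have.
let lookback = 1h;      // assumption: rule runs hourly over a 1h window
let threshold = 10;     // assumption: tune to the tenant's normal failure rate
IntuneAuditLogs
| where TimeGenerated > ago(lookback)
| where ResultType != "Success"
| summarize
    FailedOps  = count(),
    Operations = make_set(OperationName),
    FirstSeen  = min(TimeGenerated),
    LastSeen   = max(TimeGenerated)
    by Identity
| where FailedOps >= threshold
| project Identity, FailedOps, FirstSeen, LastSeen, Operations
```

Map Identity to the Account entity when saving the rule so the resulting incidents carry the acting user or service principal for triage.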
Now that MEM log data is available to query in the Azure Sentinel Log Analytics workspace, we can build visualization workbooks and even alerts on top of it.
Here's a step-by-step guide to creating a new Azure Sentinel workbook to audit MEM events and operations.
IntuneAuditLogs | summarize AuditEvents = count() by OperationName | sort by AuditEvents
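For the workbook itself, a time-series view of audit volume split by outcome is usually more informative than a flat count. The query below is an added example, not from the original post; it assumes the standard IntuneAuditLogs columns and a constructed seven-day window.

```kusto
// Added example (not from the original post): workbook chart query.
// Audit events per hour over the last 7 days, split by ResultType, so that a
// spike in failures stands out against the normal success volume.
IntuneAuditLogs
| where TimeGenerated > ago(7d)          // assumption: 7-day workbook range
| summarize AuditEvents = count() by bin(TimeGenerated, 1h), ResultType
| render timechart
```

In the workbook editor, set the visualization to "Time chart" and bind the 7d value to the workbook's TimeRange parameter so the chart follows the user's selected window.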