Microsoft Sentinel Blog

Secure Working from Home – Deep Insights at Enrolled MEM Assets via Azure Sentinel

Hesham_Saad
May 28, 2020

Problem Statement

One of the key requirements is complete visibility into the activities and logs of MEM – Intune enrolled devices, and Azure Sentinel is the key to meeting this requirement. The following MEM log categories can be ingested:

  • Audit Logs - show a record of activities that generate a change in MEM, including create, update (edit), delete, assign, and remote actions.
  • Operational Logs - show details on users and devices that enrolled successfully (or failed to enroll), and details on non-compliant devices.
  • Device Compliance Organizational Logs - show an organizational report for device compliance in Intune, and details on non-compliant devices.

Pre-Requisites & Ingestion Flow

  • An Azure subscription: Azure Sentinel Log Analytics Workspace
  • A Microsoft Endpoint Manager (MEM) environment (tenant) in Azure
  • A user who's a Global Administrator or Intune Service Administrator for the Intune tenant.

ENABLE Microsoft Endpoint Manager (MEM) DIAGNOSTICS Settings

  1. Sign in to the Azure portal http://portal.azure.com
  2. Ensure that Microsoft.Intune is registered under your subscription before enabling Microsoft Endpoint Manager Diagnostic Settings.
  3. Search for Subscriptions, then select your subscription. Under Settings, click “Resource providers”, then register “Microsoft Intune” and ensure that its status shows “Registered” (green); this might take some time to reflect.
  4. Sign in to the Microsoft Endpoint Manager admin center http://endpoint.microsoft.com
  5. Tenant administration > Diagnostic settings > “+ Add diagnostic setting”
  6. Give the new diagnostic setting a name (e.g. MEMLogs-AzureSentinel), select Send to Log Analytics, and then scroll down.
  7. Select your Azure subscription, the name of the Azure Sentinel Log Analytics Workspace you want to send MEM diagnostic logs to, and all the available MEM log options, then click Save.
  8. Click Refresh back on the Diagnostic settings screen; you should now see the newly created diagnostic setting pointing to your Azure Sentinel Log Analytics Workspace.
  9. To see the logs in the Azure Sentinel Log Analytics Workspace, sign in to the Azure portal, search for Azure Sentinel and then select the workspace containing the MEM diagnostics logs that you just set up.
  10. Under General, select Logs, then group by Solution; under LogManagement you will find the MEM Logs tables.

Use Cases:

A couple of useful use cases for querying MEM logs:

  • Get an overview of all MEM operations completed within a specific time frame. The events we are particularly interested in are failed sync, delete or wipe operations. For these types of events we want to be alerted whenever the audit events are triggered, so that we can confirm they are expected. Here is how we have configured alerts using Azure Sentinel Query Logs Alert. Taking the event “syncDevice ManagedDevice”, we have defined the following queries in our Azure Sentinel Log Analytics workspace:


//Count and Summarize MEM Operations
IntuneAuditLogs
| summarize count() by OperationName

//Successful device sync operations (the query used for the alert)
IntuneAuditLogs
| where OperationName == "syncDevice ManagedDevice" and ResultType == "Success"

  • Another use case is to query the most recent MEM operations together with the identity accounts that performed them:


//Most recent MEM operations and the identities behind them
IntuneAuditLogs
| top 10 by TimeGenerated
| project Identity, OperationName
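As an added example that is not part of the original post, the following query covers the alerting goal stated above (failed sync, plus any delete or wipe operation) in one scheduled rule, summarized per identity so that a single alert tells you who did what and how often. It assumes only the IntuneAuditLogs columns already used in this post (TimeGenerated, OperationName, ResultType, Identity) and that delete and wipe operation names contain the words "delete" and "wipe", in the same way "syncDevice ManagedDevice" contains "sync".

```kql
// Added example (not from the post): surface failed device syncs and every
// delete or wipe operation from the last hour, grouped by the acting identity.
// Assumption: delete/wipe OperationName values contain "delete" / "wipe";
// KQL "has" and "has_any" match whole terms case-insensitively.
let lookback = 1h;
let sensitiveOps = dynamic(["delete", "wipe"]);
IntuneAuditLogs
| where TimeGenerated > ago(lookback)
| where (OperationName has "sync" and ResultType != "Success")   // failed sync attempts
     or OperationName has_any (sensitiveOps)                     // any delete or wipe, success or failure
| summarize Count = count(),
            Operations = make_set(OperationName),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
          by Identity, ResultType
| order by Count desc
```

Saved as a scheduled analytics rule that runs every hour over a one-hour lookback and fires when the result count is greater than zero, each row becomes one alert row to review against expected administrative activity.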

CREATE MEM Azure Sentinel Workbooks

Now that MEM log data is available to query in the Azure Sentinel Log Analytics Workspace, we can build some interesting visualization workbooks, and even alerts, based on the data.

Here’s a step-by-step guide to creating a new Azure Sentinel Workbook to audit MEM events and operations.

  • In the Azure Sentinel “Threat Management” section, click Workbooks and then + Add workbook; alternatively, go to your Azure Sentinel Log Analytics Workspace and click Workbooks to select from a ready-made template.

  • Click the “Edit” button and add a new query item, or select a template, e.g. “Donut & List”.

  • Add a query item and use the sample below, then unleash the power and build your own visualized workbooks 😊


//Audit events per operation, for a Donut & List workbook item
IntuneAuditLogs
| summarize Auditevents = count() by OperationName
| sort by Auditevents


Updated Nov 03, 2021
Version 2.0
  • Hesham_Saad First of all, this is really cool. I use this to send out alerts with Azure Monitor and pick it up with Logic Apps, for example.

    But the data within the JSON is wrapped in a table. So all the properties that matter are jammed in one column within a row.

    This is extremely hard to parse. Is there a better way to parse that data into human readable pieces? Thanks!