May 25 2020 01:46 AM
I am looking at some SharePoint logs for an alert, but I cannot tell if the machine being used is one that is managed by our Intune or not. The machine ID from the SharePoint logs does not correspond to any format in Intune.
Is it possible to match these in some way, or to figure out from the SharePoint logs whether the machine is managed?
May 25 2020 04:32 AM
@Thijs Lecomte I was hoping that, but it doesn't appear to be the case from what I can tell. I have a machine ID like this: 547f88ef-15d4-407d-88bd-75d0edf8c7bc, but my Azure AD / Intune device has an ID in a similar format that is completely different.
None of my devices appear to match this string.
May 25 2020 04:38 AM
May 25 2020 04:58 AM
@Thijs Lecomte Here is the query:
OfficeActivity
| where TimeGenerated > ago(15m)
| where OfficeWorkload == "SharePoint"
// bulk download / mass delete operations of interest
| where Operation in ("FileDeleted", "FileSyncDownloadedFull", "FolderDeleted", "FileDownloaded")
| summarize count() by bin(TimeGenerated, 15m), Operation, UserId, Site_Url, ClientIP
| where count_ > 100
// map the grouped columns onto the Sentinel entity fields
| extend AccountCustomEntity = UserId
| extend IPCustomEntity = ClientIP
| extend URLCustomEntity = Site_Url
The info generated here is the same as what I can see in the Audit Logs in Security and Compliance center.
Basically we're alerting for excessive downloads or deletions that might indicate malicious activity.
May 25 2020 05:13 AM
May 25 2020 05:24 AM
May 28 2020 03:02 AM
The plot thickens on this one. So I was investigating another incident this morning and copied the machine ID and checked it against Intune. Looking at the hardware properties for the user's machines, I found an attribute called UDID which is a perfect match :D
Problem is, this attribute is not exposed in the Graph API from what I can see so far using the https://graph.microsoft.com/v1.0/users/UPN/managedDevices query (same with beta).
This device was a Mac, and this attribute looks to be unique to them. No attributes for Windows have matching machine IDs.
Machine ID is only an attribute on the FileSyncDownloadedFull operation, which isn't a massive deal, but it would be nice to be able to correlate machine IDs with FileDeleted and FolderDeleted operations too, so you can be sure whether a mass delete happened from a managed device or not.
Is it possible to have this UDID attribute exposed to the Graph API, or is there another query I should be using?
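Added example (not code from the thread or from Microsoft): a Python re-implementation of the alert query posted earlier in this thread (same 15-minute bins, same group-by keys, count_ > 100), run over constructed OfficeActivity-style records and extended to do what the last post asks for: carry the machine ID that FileSyncDownloadedFull events include and check it against a managed-device list keyed on the Intune hardware UDID the poster found matching for Macs. Everything here is assumed for illustration: the record field name "MachineId", the device-list field "udid", the sample UDID, users, site and IPs are all made up. Groups whose operation carries no machine ID (the deletes) are reported as "unknown" rather than guessed.

```python
# Added example, not from the thread: the alert query re-implemented in Python
# over constructed OfficeActivity-style records, plus a managed-device check on
# the machine id carried by FileSyncDownloadedFull events. Field names
# "MachineId" / "udid" and all sample values are assumptions.
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(minutes=15)
THRESHOLD = 100                      # the query alerts on count_ > 100
WATCHED_OPS = {"FileDeleted", "FileSyncDownloadedFull",
               "FolderDeleted", "FileDownloaded"}


def bin_time(ts: datetime, window: timedelta = WINDOW) -> datetime:
    """KQL bin(): floor an aware timestamp to the start of its window."""
    secs = window.total_seconds()
    floored = ts.timestamp() - (ts.timestamp() % secs)
    return datetime.fromtimestamp(floored, tz=timezone.utc)


def summarize(events):
    """summarize count() by bin(TimeGenerated, 15m), Operation, UserId,
    Site_Url, ClientIP; also collect any machine ids seen per group
    (only the sync-download operation carries one)."""
    counts = Counter()
    machines = defaultdict(set)
    for e in events:
        if e.get("OfficeWorkload") != "SharePoint" or e.get("Operation") not in WATCHED_OPS:
            continue
        key = (bin_time(e["TimeGenerated"]), e["Operation"], e["UserId"],
               e["Site_Url"], e["ClientIP"])
        counts[key] += 1
        if e.get("MachineId"):
            machines[key].add(e["MachineId"].lower())   # case-insensitive match
    return counts, machines


def alerts(events, devices, threshold=THRESHOLD):
    """One alert per group over the threshold, tagged "yes" when every machine
    id seen matches a managed device's UDID, "no" when some id is unknown to
    the device list, and "unknown" when the operation carries no machine id."""
    counts, machines = summarize(events)
    udids = {d["udid"].lower() for d in devices if d.get("udid")}
    out = []
    for key, n in counts.items():
        if n <= threshold:
            continue
        seen = machines.get(key, set())
        if not seen:
            managed = "unknown"
        elif seen <= udids:
            managed = "yes"
        else:
            managed = "no"
        out.append({"bin": key[0], "Operation": key[1], "UserId": key[2],
                    "Site_Url": key[3], "ClientIP": key[4], "count": n,
                    "machine_ids": sorted(seen), "managed": managed})
    return out


# --- constructed sample data (not real tenant data) -------------------------
SAMPLE_BASE = datetime(2020, 5, 25, 1, 0, tzinfo=timezone.utc)
SAMPLE_UDID = "0a1b2c3d-0000-4111-8222-333333333333"   # made-up Mac UDID
SAMPLE_DEVICES = [
    {"deviceName": "mac-alice", "operatingSystem": "macOS", "udid": SAMPLE_UDID},
    {"deviceName": "win-bob", "operatingSystem": "Windows", "udid": ""},
]


def build_sample_events():
    site = "https://contoso.sharepoint.example/sites/finance/"
    ev = []
    # alice: 150 full sync downloads from a machine whose id matches the UDID
    for i in range(150):
        ev.append({"TimeGenerated": SAMPLE_BASE + timedelta(seconds=i),
                   "OfficeWorkload": "SharePoint", "Operation": "FileSyncDownloadedFull",
                   "UserId": "alice@contoso.example", "Site_Url": site,
                   "ClientIP": "203.0.113.10", "MachineId": SAMPLE_UDID.upper()})
    # bob: 120 deletes; FileDeleted carries no machine id, so status is unknown
    for i in range(120):
        ev.append({"TimeGenerated": SAMPLE_BASE + timedelta(seconds=i),
                   "OfficeWorkload": "SharePoint", "Operation": "FileDeleted",
                   "UserId": "bob@contoso.example", "Site_Url": site,
                   "ClientIP": "203.0.113.20"})
    # carol: 50 downloads, below the threshold, so no alert
    for i in range(50):
        ev.append({"TimeGenerated": SAMPLE_BASE + timedelta(seconds=i),
                   "OfficeWorkload": "SharePoint", "Operation": "FileDownloaded",
                   "UserId": "carol@contoso.example", "Site_Url": site,
                   "ClientIP": "203.0.113.30"})
    # a OneDrive event that the workload filter must drop
    ev.append({"TimeGenerated": SAMPLE_BASE, "OfficeWorkload": "OneDrive",
               "Operation": "FileDeleted", "UserId": "bob@contoso.example",
               "Site_Url": site, "ClientIP": "203.0.113.20"})
    return ev


if __name__ == "__main__":
    for a in alerts(build_sample_events(), SAMPLE_DEVICES):
        print(a["UserId"], a["Operation"], a["count"], "managed:", a["managed"])
```

Running it produces two alerts, alice's sync downloads tagged managed "yes" and bob's deletes tagged "unknown", while carol stays below the threshold. The "unknown" tag is the honest answer for the delete operations until the machine ID is available on them; with an empty device list alice's alert flips to "no", which is what you would see for a Windows device until a matching attribute is found.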
Jun 04 2020 05:23 AM
Jun 04 2020 05:48 AM
Jul 17 2020 04:50 AM