Microsoft Sentinel – Ingesting Intune Logs
Last Updated: 27/01/2025
This post details the reasons for, and the method of, ingesting Intune logs into Microsoft Sentinel.
Microsoft Sentinel is Microsoft’s cloud-based SIEM & SOAR solution. It gives us the capability to ingest & centralise logs from various solutions and use rules to detect suspicious activities. Additionally, Sentinel gives us a platform to investigate and respond to security incidents.
Microsoft Intune has been around for a while now and is a formidable device management platform, giving us the capability to manage Windows and Mac devices, as well as iOS and Android mobile devices.
Intune isn’t listed as a solution in Microsoft Sentinel’s content hub. Despite this, you can ingest Intune logs into a Log Analytics Workspace and use them within Microsoft Sentinel.
Use Cases
Why should we ingest Intune logs into Microsoft Sentinel? There are a few reasons:
- It allows us to create analytical rules and alerts for Intune. For example, if devices fall out of compliance or if certain changes occur.
- We further centralise all our logs into Microsoft Sentinel, aiding in investigations during incidents.
- We can retain logs for longer within Microsoft Sentinel.
Configuration
Head over to the Microsoft Intune admin center. Navigate to ‘Reports’, then ‘Diagnostic Settings’, followed by ‘+ Add diagnostic setting’.
On the Diagnostic Setting page, select the logs you want to ingest. For the ‘Destination details’ we will want to ‘Send to Log Analytics Workspace’ and then select the Log Analytics Workspace which is attached to our Microsoft Sentinel instance.
This will then update the diagnostics settings and start forwarding the logs into the Log Analytics Workspace.
Since there isn’t a data connector for Intune, you will need to manually check that the data is ingesting into Microsoft Sentinel. You can do this by querying one of the Intune log tables (e.g. IntuneDevices).
Note: After configuring the diagnostic settings, it took roughly an hour for the data to start pulling into Microsoft Sentinel. The audit logs were quicker to appear, with the device inventory taking the longest.
Log Analytics Tables
The following tables are used in Microsoft Sentinel:
- IntuneAuditLogs: Captures configuration changes to Intune.
- IntuneOperationalLogs: Captures information on compliance state, enrolment status and user information.
- IntuneDeviceComplianceOrg: Captures details on the compliance status of devices.
- IntuneDevices: Captures inventory information for Intune managed devices.
- Windows365AuditLogs: Captures configuration changes to W365 machines.
Summary
Ingesting Intune logs gives us the benefit of centralisation and being able to use Microsoft Sentinel as the central platform for detecting and investigating security incidents. However, as with everything, there are normally a few considerations:
- Ingesting Intune logs is charged at the normal ingestion and retention rates.
- The number of logs generated seems to be low volume, although this does depend on the number of devices and the changes being made to Intune.
- There are no out-of-the-box analytical rules or workbooks for Intune within Sentinel. However, there is content in the community.
- There are some useful queries in Rod Trent’s GitHub.
I personally think that ingesting Intune logs is useful; it’s helpful to be able to query devices and obtain additional context when working through an incident. Additionally, being able to create workbooks to report on different metrics is very useful. It also gives us options for creating our own alerts on things like enrolment failures, compliance failures and Autopilot failures. Whilst these are not direct security incidents, they contribute to the health and posture of our security and can alert the right teams when actions need to be taken.
Thank you for taking the time to read this, and if you haven’t already please check out my previous blog on how to optimise costs with Microsoft Sentinel.