Intune audit events from end devices

Alex Igonin 26 Reputation points
2021-08-03T20:58:01.42+00:00

Hello!

I am quite new to the Intune product and its capabilities. I recently got a question that I was not able to find an answer to, so I hope you could assist me here.

Thing is, I want to integrate Intune audit logs with a SIEM solution. I understand clearly that the MS Graph API could be used for that, and the following options are available:

  • export audit events for the actions performed by Intune administrators using ListAuditEvents API method;
  • export different reports containing details about Intune configuration, policies, and enrolled devices (like in this example)

However, I am curious about real-time audit events from end devices. For example, if my device became non-compliant, I want (ideally) to see an event for it. If any malware is detected on an end device, I want an event for it. The main difference from a report is that:
(a) events are generated by Intune automatically;
(b) events are only generated for affected endpoints, e.g. those which became non-compliant or those where a malicious file was found.

I understand that I can export all devices through the "deviceManagement/managedDevices" API method, then go through each device as described in this sample, and finally filter out the devices that are non-compliant. However, this is quite a tedious exercise, and I also need to "remember" all devices that were processed already to avoid duplicate alerts for the same issue.
I also hoped that ListAuditEvents might help me, but it looks like it only monitors actions of Intune admins, not events related to endpoints.

So, is there a way to get audit events from end devices instead of getting reports only for these devices?
If such capability is present, where can I find some documentation about this? I tried my best to search on Graph API documentation portal but was unable to find any proper API for that.

I really hope for your kind support here. Just a little explanation would be of great help.

Best regards,
Alex

P.S. I have a feeling my question somewhat repeats this one, but here I'm asking about events generated by Intune, not mobile OS logs. But if during 2020 OS logs also became available, that would also be good :)
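The poll-and-remember approach described in the question, sketched as an added example (not Microsoft's code and not from the original post). It assumes one page of a `deviceManagement/managedDevices` response with the documented `id`, `deviceName` and `complianceState` properties; the HTTP call is replaced by a constructed sample page so it runs offline, and the dedup is a transition check against the state remembered from the previous poll.

```python
"""Poll-and-diff for Intune device compliance (added example, not Microsoft's code).

Assumed Graph request (the HTTP call is stubbed here with a constructed page):
  GET https://graph.microsoft.com/v1.0/deviceManagement/managedDevices
      ?$select=id,deviceName,complianceState
"""
import json
from typing import Dict, List, Tuple

# Constructed sample: one page of a managedDevices response, not real tenant data.
SAMPLE_PAGE = json.dumps({
    "value": [
        {"id": "dev-1", "deviceName": "LAPTOP-01", "complianceState": "compliant"},
        {"id": "dev-2", "deviceName": "LAPTOP-02", "complianceState": "noncompliant"},
        {"id": "dev-3", "deviceName": "LAPTOP-03", "complianceState": "noncompliant"},
    ]
})

# complianceState values treated as alert-worthy (assumption for this example).
ALERTING_STATES = {"noncompliant", "error", "conflict"}


def diff_compliance(page_json: str, previous: Dict[str, str]) -> Tuple[List[dict], List[str], Dict[str, str]]:
    """Return (new_alerts, resolved_ids, updated_state).

    previous maps device id -> complianceState seen at the last poll. An alert is
    produced only on a transition INTO an alerting state, so a device that stays
    non-compliant across polls is not re-alerted (the dedup the question asks for).
    resolved_ids lists devices that moved back OUT of an alerting state.
    """
    devices = json.loads(page_json)["value"]
    new_alerts, resolved, state = [], [], dict(previous)
    for d in devices:
        dev_id, now = d["id"], d.get("complianceState", "unknown")
        was_bad = previous.get(dev_id) in ALERTING_STATES
        is_bad = now in ALERTING_STATES
        if is_bad and not was_bad:
            new_alerts.append({"id": dev_id, "deviceName": d.get("deviceName"), "complianceState": now})
        elif was_bad and not is_bad:
            resolved.append(dev_id)
        state[dev_id] = now  # remember what we saw for the next poll
    return new_alerts, resolved, state


if __name__ == "__main__":
    alerts, _, state = diff_compliance(SAMPLE_PAGE, {})      # first poll: both non-compliant devices alert
    print("first poll alerts:", [a["id"] for a in alerts])
    alerts2, _, _ = diff_compliance(SAMPLE_PAGE, state)      # same page again: no duplicate alerts
    print("second poll alerts:", alerts2)
```

In practice the `state` dict would be persisted between runs (a file or small table) and the forwarded alerts would be the SIEM events; a retired device simply stops appearing and can be aged out of the state.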


Accepted answer
Jason Sandys 31,196 Reputation points Microsoft Employee
2021-08-04T03:44:09.453+00:00

Intune is not a monitoring platform and so does not collect general auditing information from individual managed endpoints.

Depending on the endpoint type some limited information may be collected, e.g., Endpoint Analytics currently collects information on user-impactful events from Windows endpoints. See https://learn.microsoft.com/en-us/mem/analytics/overview.

There also is some native integration available that could help you connect the dots to a SIEM solution. See https://learn.microsoft.com/en-us/mem/intune/fundamentals/review-logs-using-azure-monitor for details. Since Intune doesn't collect a huge set of information from managed endpoints though, this may or may not meet your expectations.

Finally, if you are interested in Defender for Endpoint and SIEM integration, see https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/enable-siem-integration?view=o365-worldwide

1 person found this answer helpful.
