Hello!
I am quite new to the Intune product and its capabilities. I recently got a question that I was not able to find an answer for, so I hope you could assist me here.
Thing is, I want to integrate Intune audit logs with a SIEM solution. I understand clearly that the MS Graph API could be used for that, and the following options are available:
- export audit events for the actions performed by Intune administrators using ListAuditEvents API method;
- export different reports containing details about Intune configuration, policies, and enrolled devices (like in this example)
However, I am curious about real-time audit events from end devices. For example, if my device became non-compliant, I want (ideally) to see an event for it. If any malware is detected on an end device, I want an event for it. The main difference from a report is that:
(a) events are generated by Intune automatically;
(b) events are only generated for affected endpoints, e.g. those which became non-compliant or those where a malicious file was found.
I understand that I can export all devices through the "deviceManagement/managedDevices" API method, then go through each device as described in this sample, and then finally filter out the devices that are non-compliant. However, this is quite a tedious exercise, and I also need to "remember" all devices that were processed already to avoid duplicate alerts for the same issue.
I also hoped that ListAuditEvents might help me, but it looks like it only monitors actions of Intune admins, not events related to endpoints.
So, is there a way to get audit events from end devices instead of getting reports only for these devices?
If such capability is present, where can I find some documentation about this? I tried my best to search on Graph API documentation portal but was unable to find any proper API for that.
I really hope for your kind support here. Just a little explanation would be of great help.
Best regards,
Alex
P.S. I have a feeling my question somewhat repeats this one, but here I'm asking about events generated by Intune, not mobile OS logs. But if during 2020 OS logs also became available, that would also be good :)
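As an added illustration of the polling workaround the post describes (export `deviceManagement/managedDevices`, filter the non-compliant ones, and remember what was already alerted on), here is example code that is not part of the original post and not Microsoft's. It assumes the real Graph paging shape (`value` plus `@odata.nextLink`) and the real `id`, `deviceName` and `complianceState` properties of the managedDevice resource; `fetch_page` is a hypothetical callable standing in for an authenticated HTTP GET, and the sample pages are constructed for the demo.

```python
# Added example (not from the original post, not Microsoft's code): poll the
# Microsoft Graph managedDevices collection and raise one alert per device
# that has newly entered a non-compliant state, so a SIEM is not flooded with
# the same finding on every poll.
# Assumptions (hypothetical unless noted):
#   - Graph pages have the real shape {"value": [...], "@odata.nextLink": "..."}
#   - each managedDevice carries "id", "deviceName" and "complianceState"
#     (real properties of the managedDevice resource)
#   - fetch_page is a hypothetical callable URL -> parsed JSON page; a real one
#     would add an OAuth bearer token and perform the HTTP GET
import json
from pathlib import Path
from typing import Callable, Dict, Iterable, Iterator, List

GRAPH_URL = "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices"
# complianceState values that should raise an alert; the remaining documented
# values are "compliant", "inGracePeriod", "configManager" and "unknown".
ALERT_STATES = {"noncompliant", "error", "conflict"}


def iter_devices(fetch_page: Callable[[str], dict], url: str = GRAPH_URL) -> Iterator[dict]:
    """Follow @odata.nextLink until the whole collection has been read."""
    while url:
        page = fetch_page(url)
        yield from page.get("value", [])
        url = page.get("@odata.nextLink")


def compute_alerts(devices: Iterable[dict], state: Dict[str, str]) -> List[dict]:
    """Return one alert per device whose compliance state changed into an
    alerting state since the last poll. `state` maps device id -> last seen
    complianceState and is updated in place; persist it between polls."""
    alerts = []
    for dev in devices:
        dev_id = dev["id"]
        current = dev.get("complianceState", "unknown")
        previous = state.get(dev_id)
        # alert only on a transition into an alerting state, not on every poll
        if current in ALERT_STATES and previous != current:
            alerts.append({
                "deviceId": dev_id,
                "deviceName": dev.get("deviceName"),
                "complianceState": current,
                "previousState": previous,
            })
        state[dev_id] = current
    return alerts


def load_state(path: Path) -> Dict[str, str]:
    """Read the id -> last state map saved by the previous poll (empty on first run)."""
    return json.loads(path.read_text()) if path.exists() else {}


def save_state(path: Path, state: Dict[str, str]) -> None:
    path.write_text(json.dumps(state, indent=2, sort_keys=True))


def poll_once(fetch_page: Callable[[str], dict], state: Dict[str, str]) -> List[dict]:
    """One SIEM poll cycle: page through every device and emit new alerts."""
    return compute_alerts(iter_devices(fetch_page), state)


# Constructed sample pages standing in for two Graph responses (not real data).
SAMPLE_PAGES = {
    GRAPH_URL: {
        "value": [
            {"id": "dev-a", "deviceName": "LAPTOP-A", "complianceState": "compliant"},
            {"id": "dev-b", "deviceName": "LAPTOP-B", "complianceState": "noncompliant"},
        ],
        "@odata.nextLink": GRAPH_URL + "?$skiptoken=page2",
    },
    GRAPH_URL + "?$skiptoken=page2": {
        "value": [
            {"id": "dev-c", "deviceName": "PHONE-C", "complianceState": "inGracePeriod"},
        ],
    },
}


def fake_fetch_page(url: str) -> dict:
    """Hypothetical stand-in for an authenticated Graph GET."""
    return SAMPLE_PAGES[url]


if __name__ == "__main__":
    state_file = Path("intune_compliance_state.json")
    state = load_state(state_file)
    for alert in poll_once(fake_fetch_page, state):
        print(json.dumps(alert))  # forward to the SIEM instead of printing
    save_state(state_file, state)
```

The state map is keyed by device id and stores the last observed `complianceState`, so a device that returns to `compliant` and later drifts again produces a fresh alert, while a device that stays non-compliant across polls is reported only once. Devices that fall out of the collection (retired or deleted) keep a stale entry; pruning ids not seen in the latest poll is a reasonable extension.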