Skip to content

Microsoft Intune

Overview

Microsoft Intune helps you protect your workforce's corporate data by managing devices and apps. Intune provides mobile device management (MDM) and mobile app management (MAM) from a secure cloud-based service that is administered using the Microsoft Endpoint Manager admin center. Using Intune, you ensure your workforce's corporate resources (data, devices, and apps) are correctly configured, accessed, and updated, meeting your company's compliance policies and requirements.

This setup guide describe how to forward events produced by Microsoft Intune to SEKOIA.IO.

Benefit from SEKOIA.IO built-in rules and upgrade Microsoft Intune with the following detection capabilities out-of-the-box.

SEKOIA.IO x Microsoft Intune on ATT&CK Navigator

Intune Non-Compliant Device

Detects Intune reporting a device in a non-compliant state. This can indicate either a misconfiguration in Intune or a change of configuration on said device.

  • Effort: advanced
Intune Policy Change

Detects edits, deletions or creations made to an organization Intune policies.

  • Effort: intermediate
RYUK Ransomeware - martinstevens Username

Detects user name "martinstevens". Wizard Spider is used to add the user name "martinstevens" to the AD of its victims. It was observed in several campaigns; in 2019 and 2020.

  • Effort: elementary
SEKOIA.IO Intelligence Feed

Detect threats based on indicators of compromise (IOCs) collected by SEKOIA's Threat and Detection Research team.

  • Effort: elementary

Event Categories

The following table lists the data source offered by this integration.

Data Source Description
Asset management Information about the set of devices found within the network, along with their current software and configurations

In details, the following table denotes the type of events produced by this integration.

Name Values
Kind event
Category ``
Type info

Event Samples

Find below few samples of events and how they are normalized by SEKOIA.IO.

{
    "message": "{\"time\":\"2022-11-16T09:35:22.0835000Z\",\"tenantId\":\"163381f4-6b9c-43c2-8b57-bfc16b7354f2\",\"category\":\"AuditLogs\",\"operationName\":\"Rename device ManagedDevice\",\"properties\":{\"ActivityDate\":\"11/16/2022 9:35:22 AM\",\"ActivityResultStatus\":1,\"ActivityType\":3,\"Actor\":{\"ActorType\":1,\"Application\":\"5926fc8e-304e-4f59-8bed-58ca97cc39a4\",\"ApplicationName\":\"Microsoft Intune portal extension\",\"IsDelegatedAdmin\":false,\"Name\":null,\"ObjectId\":\"d9851461-2e64-43b5-bc4d-a3b3c115c19e\",\"PartnerTenantId\":\"00000000-0000-0000-0000-000000000000\",\"UserPermissions\":[\"*\"],\"UPN\":\"Pipin.Saquet@theShire.com\"},\"AdditionalDetails\":\"\",\"AuditEventId\":\"6f3dfd87-3320-41a1-88ff-672a7e731162\",\"Category\":4,\"RelationId\":null,\"TargetDisplayNames\":[\"<null>\"],\"TargetObjectIds\":[\"fee80c12-4b53-4196-ac97-8e249e749ab3\"],\"Targets\":[{\"ModifiedProperties\":[{\"Name\":\"DeviceManagementAPIVersion\",\"Old\":null,\"New\":\"5022-09-16\"}],\"Name\":null}]},\"resultType\":\"Success\",\"resultDescription\":\"None\",\"correlationId\":\"1012dc54-3990-42a6-854e-15b93f707cd3\",\"identity\":\"Pipin.Saquet@theShire.com\"}",
    "event": {
        "kind": "event",
        "type": [
            "info"
        ]
    },
    "@timestamp": "2022-11-16T09:35:22.083500Z",
    "action": {
        "name": "Rename device ManagedDevice",
        "target": "user",
        "type": "AuditLogs"
    },
    "user": {
        "name": "Pipin.Saquet@theShire.com",
        "roles": [
            "*"
        ]
    },
    "related": {
        "user": [
            "Pipin.Saquet@theShire.com"
        ]
    }
}
{
    "message": "{\"time\":\"2022-11-21T14:09:13.8152000Z\",\"tenantId\":\"163381f4-6b9c-43c2-8b57-bfc16b7354f2\",\"category\":\"AuditLogs\",\"operationName\":\"Delete MobileAppAssignment\",\"properties\":{\"ActivityDate\":\"11/21/2022 2:09:13 PM\",\"ActivityResultStatus\":1,\"ActivityType\":1,\"Actor\":{\"ActorType\":1,\"Application\":\"5926fc8e-304e-4f59-8bed-58ca97cc39a4\",\"ApplicationName\":\"Microsoft Intune portal extension\",\"IsDelegatedAdmin\":false,\"Name\":null,\"ObjectId\":\"d9851461-2e64-43b5-bc4d-a3b3c115c19e\",\"PartnerTenantId\":\"00000000-0000-0000-0000-000000000000\",\"UserPermissions\":[\"*\"],\"UPN\":\"Pipin@TheShire.com\"},\"AdditionalDetails\":\"Key = GroupPropertyNamesValue = Target.GroupId Key = IgnoreTruncatePropertyNamesValue = Target.GroupId \",\"AuditEventId\":\"59fa433c-2f2b-4ac6-a2c5-4c88ed70fce6\",\"Category\":5,\"RelationId\":null,\"TargetDisplayNames\":[\"Remove-HPbloatware.ps1\",\"<null>\"],\"TargetObjectIds\":[\"a7c6992d-0260-4d73-8c4c-13b16c0d7638\",\"38b059fb-6e7c-494d-99a9-0f51e6c3cfaa_1_0\"],\"Targets\":[{\"ModifiedProperties\":[],\"Name\":\"Remove-HPbloatware.ps1\"},{\"ModifiedProperties\":[{\"Name\":\"Target.Type\",\"Old\":null,\"New\":\"GroupAssignmentTarget\"},{\"Name\":\"Settings.Type\",\"Old\":null,\"New\":\"Win32LobAppAssignmentSettings\"},{\"Name\":\"Id\",\"Old\":null,\"New\":\"38b059fb-6e7c-494d-99a9-0f51e6c3cfaa_1_0\"},{\"Name\":\"Intent\",\"Old\":null,\"New\":\"Required\"},{\"Name\":\"Target.GroupId\",\"Old\":null,\"New\":\"SDP_MDM_WINDOWSDEVICE(38b059fb-6e7c-494d-99a9-0f51e6c3cfaa)  \"},{\"Name\":\"Target.DeviceAndAppManagementAssignmentFilterId\",\"Old\":null,\"New\":\"<null>\"},{\"Name\":\"Target.DeviceAndAppManagementAssignmentFilterType\",\"Old\":null,\"New\":\"None\"},{\"Name\":\"Settings.Notifications\",\"Old\":null,\"New\":\"ShowAll\"},{\"Name\":\"Settings.DeliveryOptimizationPriority\",\"Old\":null,\"New\":\"NotConfigured\"},{\"Name\":\"Source\",\"Old\":null,\"New\":\"Direct\"},{\"Name\":\"SourceId\",\"Old\":null,\"New\":\"<null>\"},{\"Name\":\"DeviceManagementAPIVersion\",\"Old\":null,\"New\":\"5022-09-01\"}],\"Name\":\"<null>\"}]},\"resultType\":\"Success\",\"resultDescription\":\"None\",\"correlationId\":\"f1e94900-1bc8-48fc-b097-fa23ab9c160f\",\"identity\":\"Pipin@TheShire.com\"}",
    "event": {
        "kind": "event",
        "type": [
            "info"
        ]
    },
    "@timestamp": "2022-11-21T14:09:13.815200Z",
    "action": {
        "name": "Delete MobileAppAssignment",
        "target": "user",
        "type": "AuditLogs"
    },
    "user": {
        "name": "Pipin@TheShire.com",
        "roles": [
            "*"
        ]
    },
    "related": {
        "user": [
            "Pipin@TheShire.com"
        ]
    }
}
{
    "message": "{\"time\":\"2022-11-02T15:50:50.9419000Z\",\"tenantId\":\"163381f4-6b9c-43c2-8b57-bfc16b7354f2\",\"category\":\"DeviceComplianceOrg\",\"operationName\":\"DeviceCompliance\",\"resultType\":\"None\",\"properties\":{\"DeviceName\":\"DESKTOP-086N6KI\",\"UPN\":\"Pipin.Saquet@theShire.com\",\"ComplianceState\":\"1\",\"ComplianceState_loc\":\"Compliant\",\"OSDescription\":\"Windows\",\"OSVersion\":\"10.0.19044.2130\",\"OS\":\"Windows\",\"OS_loc\":\"Windows\",\"OwnerType\":1,\"OwnerType_loc\":\"Company\",\"DeviceId\":\"06334044-1a53-47d6-b6f8-ec9dcba8fa93\",\"LastContact\":\"2022-10-28 08:27:37.0000000\",\"UserId\":\"41ab6092-2435-4ed0-a28b-d638523d096e\",\"IMEI\":\"\",\"SerialNumber\":\"5CG21492VW\",\"RetireAfterDatetime\":\"\",\"ManagementAgents\":2,\"ManagementAgents_loc\":\"MDM\",\"DeviceType\":1,\"UserName\":\"Saquet Pipin\",\"InGracePeriodUntil\":\"9999-12-31 23:59:59.0000000\",\"DeviceHealthThreatLevel\":null,\"DeviceHealthThreatLevel_loc\":\"Unknown\",\"UserEmail\":\"Pipin.Saquet@theShire.com\",\"BatchId\":\"9ed4cac5-3d86-4760-980d-f1331dfc5ee9\",\"IntuneAccountId\":\"2b9f48a7-75d9-4a72-9b2e-16fd38e121ef\",\"AADTenantId\":\"163381f4-6b9c-43c2-8b57-bfc16b7354f2\"}}",
    "event": {
        "kind": "event",
        "type": [
            "info"
        ]
    },
    "@timestamp": "2022-11-02T15:50:50.941900Z",
    "action": {
        "name": "DeviceCompliance",
        "target": "user",
        "type": "DeviceComplianceOrg"
    },
    "host": {
        "id": "06334044-1a53-47d6-b6f8-ec9dcba8fa93",
        "os": {
            "full": "Windows",
            "version": "10.0.19044.2130"
        }
    },
    "user": {
        "email": "Pipin.Saquet@theShire.com",
        "id": "2b9f48a7-75d9-4a72-9b2e-16fd38e121ef",
        "name": "Saquet Pipin"
    },
    "related": {
        "user": [
            "Saquet Pipin"
        ]
    }
}
{
    "message": "{\"time\":\"2022-11-17T07:39:02.4103000Z\",\"tenantId\":\"163381f4-6b9c-43c2-8b57-bfc16b7354f2\",\"category\":\"Devices\",\"operationName\":\"Devices\",\"resultType\":\"None\",\"properties\":{\"DeviceId\":\"a2f25343-1d87-4876-9e72-de6111b614e5\",\"DeviceName\":\"Pipin.Saquet_AndroidForWork_10/17/2022_2:23 PM\",\"UPN\":\"Pipin.Saquet@theShire.com\",\"LastContact\":\"2022-11-17 07:03:14.6829201\",\"OSVersion\":\"12.0\",\"OS\":\"Android (Personally-Owned Work Profile)\",\"CompliantState\":\"Compliant\",\"Ownership\":\"Personal\",\"ManagedBy\":\"Intune\",\"Model\":\"SM-G996B\",\"SerialNumber\":\"0\",\"Manufacturer\":\"samsung\",\"CreatedDate\":\"2022-10-17 14:23:27.0091131\",\"DeviceState\":\"Managed\",\"UserEmail\":\"Pipin.Saquet@theShire.com\",\"UserName\":\"Pipin.Saquet\",\"IMEI\":\"88888\",\"PhoneNumber\":\"+*******0016\",\"DeviceRegistrationState\":\"Registered\",\"ReferenceId\":\"5f02959f-d014-4f53-a1be-892a7e7dd450\",\"ManagedDeviceName\":\"Pipin.Saquet_AndroidForWork_10/17/2022_2:23 PM\",\"GraphDeviceIsManaged\":true,\"CategoryName\":\"\",\"EncryptionStatusString\":\"True\",\"SubscriberCarrierNetwork\":\"Orange F\",\"JoinType\":\"Azure AD registered\",\"SupervisedStatusString\":\"False\",\"WifiMacAddress\":\"aaa:ffff\",\"StorageTotal\":0,\"StorageFree\":0,\"AndroidPatchLevel\":\"2022-10-01\",\"MEID\":\"\",\"InGracePeriodUntil\":\"9999-12-31 23:59:59.9999999\",\"JailBroken\":\"false\",\"SkuFamily\":\"\",\"EasID\":\"afw72216560A482C5F77A4E4A9E38E58\",\"PrimaryUser\":\"a7b9fde1-d8d5-438b-9516-7ef639dfe244\",\"BatchId\":\"3068a7ce-6e3a-438f-a943-634dd1412bc5\",\"IntuneAccountId\":\"2b9f48a7-75d9-4a72-9b2e-16fd38e121ef\",\"AADTenantId\":\"163381f4-6b9c-43c2-8b57-bfc16b7354f2\"}}",
    "event": {
        "kind": "event",
        "type": [
            "info"
        ]
    },
    "@timestamp": "2022-11-17T07:39:02.410300Z",
    "action": {
        "name": "Devices",
        "target": "user",
        "type": "Devices"
    },
    "host": {
        "id": "a2f25343-1d87-4876-9e72-de6111b614e5",
        "mac": [
            "aaa:ffff"
        ],
        "name": "Pipin.Saquet_AndroidForWork_10/17/2022_2:23 PM",
        "type": "SM-G996B",
        "os": {
            "full": "Android (Personally-Owned Work Profile)",
            "version": "12.0"
        }
    },
    "microsoft": {
        "intune": {
            "compliant_state": "Compliant"
        }
    },
    "service": {
        "name": "Intune"
    },
    "source": {
        "mac": "aaa:ffff"
    },
    "user": {
        "email": "Pipin.Saquet@theShire.com",
        "id": "2b9f48a7-75d9-4a72-9b2e-16fd38e121ef",
        "name": "Pipin.Saquet"
    },
    "related": {
        "user": [
            "Pipin.Saquet"
        ]
    }
}
{
    "message": "{\"time\":\"2022-11-18T09:04:24.7065000Z\",\"tenantId\":\"163381f4-6b9c-43c2-8b57-bfc16b7354f2\",\"category\":\"OperationalLogs\",\"operationName\":\"Compliance\",\"resultType\":\"None\",\"properties\":{\"IntuneAccountId\":\"2b9f48a7-75d9-4a72-9b2e-16fd38e121ef\",\"AlertDisplayName\":\"Managed Device Pipin.Saquet_Windows_10/4/2022_12:43 PM is not Compliant\",\"AlertType\":\"Managed Device Not Compliant\",\"AADTenantId\":\"163381f4-6b9c-43c2-8b57-bfc16b7354f2\",\"Description\":\"Windows10CompliancePolicy.AntivirusRequired_IID_aae45eb0-5edb-fc0b-7adf-47a5d6b12208||||Windows10CompliancePolicy.AntivirusRequired||Equals 0||2||./Vendor/MSFT/DeviceStatus/Antivirus/Status\",\"DeviceDnsDomain\":\"\",\"DeviceHostName\":\"TheShire-W744\",\"IntuneDeviceId\":\"45241578-2168-4649-9edc-2e9025b699ac\",\"DeviceName\":\"Pipin.Saquet_Windows_10/4/2022_12:43 PM\",\"DeviceNetBiosName\":\"TheShire-W744\",\"DeviceOperatingSystem\":\"Windows 10.0.19044.2251\",\"ScaleUnit\":\"AMSUB0502\",\"ScenarioName\":\"Microsoft.Management.Services.Diagnostics.SLAEvents.DeviceNotInComplianceSecurityAlert\",\"StartTimeUtc\":\"2022-11-18T09:04:24.7065Z\",\"UserName\":\"Pipin.Saquet\",\"UPNSuffix\":\"TheShire.com\",\"UserDisplayName\":\"Saquet Saquet\",\"IntuneUserId\":\"7d5c7f0f-8740-4e9d-96a9-5c2d4baf1d70\",\"OperationalLogCategory\":\"DeviceCompliance\"}}",
    "event": {
        "reason": "Windows10CompliancePolicy.AntivirusRequired_IID_aae45eb0-5edb-fc0b-7adf-47a5d6b12208||||Windows10CompliancePolicy.AntivirusRequired||Equals 0||2||./Vendor/MSFT/DeviceStatus/Antivirus/Status",
        "kind": "event",
        "type": [
            "info"
        ]
    },
    "@timestamp": "2022-11-18T09:04:24.706500Z",
    "action": {
        "name": "Compliance",
        "target": "user",
        "type": "OperationalLogs"
    },
    "host": {
        "name": "TheShire-W744"
    },
    "user": {
        "id": "2b9f48a7-75d9-4a72-9b2e-16fd38e121ef",
        "name": "Pipin.Saquet"
    },
    "related": {
        "user": [
            "Pipin.Saquet"
        ]
    }
}

Extracted Fields

The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that infered fields are not listed.

Name Type Description
@timestamp date Date/time when the event originated.
action.name keyword The name of the action
action.target keyword The target of the action
event.kind keyword The kind of the event. The highest categorization field in the hierarchy.
event.reason keyword Reason why this event happened, according to the source
event.type keyword Event type. The third categorization field in the hierarchy.
host.id keyword Unique host id.
host.mac keyword Host MAC addresses.
host.name keyword Name of the host.
host.os.full keyword Operating system name, including the version or code name.
host.os.version keyword Operating system version as a raw string.
host.type keyword Type of host.
microsoft.intune.compliant_state keyword Intune compliant status
network.application keyword Application level protocol name.
service.name keyword Name of the service.
source.ip ip IP address of the source.
source.mac keyword MAC address of the source.
user.email keyword User email address.
user.id keyword Unique identifier of the user.
user.name keyword Short name or login of the user.
user.roles keyword Array of user roles at the time of the event.

Configure

Prerequisites

To forward events to SEKOIA.IO, create an Event hub namespace and an Event hub with a consumergroup.

Once created, in your EventHubs, go to Setting > Shared access policies. Create a new policy with the option Listen then copy the Connection string-primary key.

Create a Storage accounts or use an existing one. Go to Data storage > containers and create a new container. Then go to Security + networking > Access keys and copy the key1 Connection string.

Configure Microsoft Intune door to stream its logs to the EventHub with this guide.

Create the intake

Go to the intake page and create a new intake from the format Microsoft Intune.

Pull events

Go to the playbook page and create a new playbook with the Consume Eventhub messages.

Set up the trigger configuration with the EventHub's Connection string-primary key, the hub name, the consumer group, the storage's Connection string-primary key and the container name.

Start the playbook and enjoy your events.

Further Readings