Integrate Azure Intune to forward logs to EventTracker
EventTracker v9.x and later
Publication Date: June 16, 2020
Integrate Azure Intune to forward logs to EventTracker
Abstract
This guide provides instructions to retrieve Azure Intune events via an Azure event hub and then configure
an Azure function app to forward the logs to EventTracker. Once EventTracker receives the logs from the event hub,
dashboards and reports can be configured to monitor Azure Intune.
Scope
The configuration details in this guide are consistent with EventTracker version 9.x or above and Azure
Intune.
Audience
Administrators who are assigned the task to monitor Azure Intune events using EventTracker.
The information contained in this document represents the current view of Netsurion on the issues
discussed as of the date of publication. Because Netsurion must respond to changing market
conditions, it should not be interpreted to be a commitment on the part of Netsurion, and Netsurion
cannot guarantee the accuracy of any information presented after the date of publication.
This document is for informational purposes only. Netsurion MAKES NO WARRANTIES, EXPRESS OR
IMPLIED, AS TO THE INFORMATION IN THIS DOCUMENT.
Complying with all applicable copyright laws is the responsibility of the user. Without
limiting the rights under copyright, this paper may be freely distributed without permission from
Netsurion, if its content is unaltered, nothing is added to the content and credit to Netsurion is
provided.
Netsurion may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Netsurion, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.
The example companies, organizations, products, people and events depicted herein are fictitious.
No association with any real company, organization, product, person or event is intended or should
be inferred.
© 2020 Netsurion. All rights reserved. The names of actual companies and products mentioned
herein may be the trademarks of their respective owners.
Table of Contents
1. Overview
2. Integrating Azure Intune with EventTracker
2.1 Forwarding Event hub data to EventTracker
2.2 Configuring Azure Intune to stream events to event hub
3. EventTracker Knowledge Packs
3.1 Saved Searches
3.2 Alerts
3.3 Flex Reports
3.4 Dashboards
4. Importing knowledge pack into EventTracker
4.1 Saved Searches
4.2 Alerts
4.3 Parsing Rules
4.4 Flex Reports
4.5 Knowledge Objects
4.6 Dashboards
5. Verifying knowledge pack in EventTracker
5.1 Saved Searches
5.2 Alerts
5.3 Parsing Rules
5.4 Flex Reports
5.5 Knowledge Objects
5.6 Dashboards
1. Overview
Azure Intune is a cloud-based mobile device management tool that helps organizations manage their
mobile devices and PCs anytime, from anywhere. It gives users easier access to applications and
resources from any mobile device. Azure Intune is one of the offerings of the Microsoft Azure
cloud service.
EventTracker, when integrated with Azure Intune, collects the logs and provides detailed reports, alerts,
dashboards and saved searches. These help users view and receive the critical and relevant information
with respect to security, operations and compliance.
Reports, for example, contain a detailed summary of events that occurred in Azure Intune, such as devices
enrolled, devices removed, the compliance status of enrolled devices, and policy and role related operations.
Alerts, on the other hand, let users receive a real-time notification or an email for critical events, such
as a new device enrollment, a device being removed or wiped, or an enrolled device being found non-compliant.
Dashboards provide graphical representations of events occurring in Azure Intune. One example is a
dashboard showing newly added devices that do not satisfy the compliance policy.
Together, these allow administrators to quickly take appropriate action against any threat or adversary
trying to jeopardize the organization's normal operation.
Prerequisites
• An Azure Subscription and a user who is a global administrator.
• Azure Resource group.
• EventTracker manager public IP address.
• Collect Azure Intune Integration package from EventTracker Support.
2. Integrating Azure Intune with EventTracker
Azure Intune is integrated with EventTracker by streaming the logs to an Azure event hub, and from the
event hub to EventTracker.
2.1 Forwarding Event hub data to EventTracker
Refer to the configuration of the Azure function app to forward logs to EventTracker.
2.2 Configuring Azure Intune to stream events to event hub
1. Log in to portal.azure.com using an admin account and create an event hub namespace, if one is not already created.
2. Search for and select the “Intune” service from All services.
Figure 1
3. From the left panel under “Monitoring”, select “Diagnostic settings”:
Figure 2
4. Within “Diagnostic settings”, click “Add diagnostic setting”:
Figure 3
5. Provide the inputs.
Diagnostic setting name, such as ‘EventTracker_Intune_logs’.
Select all log types, i.e. AuditLogs, OperationalLogs, and DeviceComplianceOrg.
In the Destination details section, select “Stream to an event hub” and then fill in the following:
• Subscription: select the desired Azure subscription.
• Event hub namespace: select the event hub namespace.
• Event hub name: select the event hub created under the event hub namespace.
• Event hub policy name: select the event hub policy. Prefer a dedicated shared access policy that carries only the Send claim over the namespace-level RootManageSharedAccessKey, so that a leaked policy key cannot be used to read from or manage the hub.
6. Click OK/Save.
Figure 4
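The same diagnostic setting can be created and reviewed outside the portal. The following Python is an added example, not code from this guide, from EventTracker or from Microsoft: it builds the Azure Resource Manager request body for the setting and checks it the way a reviewer would before it is applied. The ARM path /providers/microsoft.intune/diagnosticSettings/{name} with api-version 2017-04-01-preview is an assumption to verify against current Microsoft documentation; the subscription ID, resource group, namespace and hub names are made up.

```python
"""Build and sanity-check the request that creates the Intune diagnostic setting
from section 2.2 (added example; not from the guide, EventTracker or Microsoft).

Assumptions, to be checked against current Microsoft documentation:
  * the setting lives at /providers/microsoft.intune/diagnosticSettings/{name}
    under Azure Resource Manager, api-version 2017-04-01-preview;
  * the body uses the standard Azure Monitor diagnostic-setting shape.
The subscription, resource group, namespace and hub names below are made up.
"""
import json
import re

ARM_BASE = "https://management.azure.com"
INTUNE_RESOURCE = "/providers/microsoft.intune"          # assumption
API_VERSION = "2017-04-01-preview"                       # assumption

# The three log categories the guide says to enable in step 5.
REQUIRED_CATEGORIES = ("AuditLogs", "OperationalLogs", "DeviceComplianceOrg")

# Default namespace-level rule that Azure creates with Manage rights.
ROOT_MANAGE_RULE = "rootmanagesharedaccesskey"

_RULE_ID_RE = re.compile(
    r"^/subscriptions/(?P<sub>[0-9a-f-]{36})"
    r"/resourcegroups/(?P<rg>[^/]+)"
    r"/providers/microsoft\.eventhub/namespaces/(?P<ns>[^/]+)"
    r"(?:/eventhubs/(?P<hub>[^/]+))?"
    r"/authorizationrules/(?P<rule>[^/]+)$",
    re.IGNORECASE,
)


def parse_rule_id(rule_id):
    """Split an Event Hub authorization-rule resource ID into its parts."""
    m = _RULE_ID_RE.match(rule_id)
    if not m:
        raise ValueError("not an Event Hub authorization rule ID: " + rule_id)
    return m.groupdict()


def build_setting(name, rule_id, event_hub_name, categories=REQUIRED_CATEGORIES):
    """Return (url, body) for the PUT that would create the diagnostic setting."""
    parse_rule_id(rule_id)  # fail early on a malformed ID
    body = {"properties": {
        "eventHubAuthorizationRuleId": rule_id,
        "eventHubName": event_hub_name,
        "logs": [{"category": c, "enabled": True} for c in categories],
    }}
    url = "%s%s/diagnosticSettings/%s?api-version=%s" % (
        ARM_BASE, INTUNE_RESOURCE, name, API_VERSION)
    return url, body


def check_setting(body):
    """Findings a reviewer would raise before applying the setting."""
    findings = []
    props = body["properties"]
    enabled = {e["category"] for e in props["logs"] if e.get("enabled")}
    for c in REQUIRED_CATEGORIES:
        if c not in enabled:
            findings.append("log category %s is not enabled" % c)
    parts = parse_rule_id(props["eventHubAuthorizationRuleId"])
    if parts["rule"].lower() == ROOT_MANAGE_RULE:
        findings.append("policy is the namespace RootManageSharedAccessKey "
                        "(Manage rights); use a dedicated Send-only rule")
    if parts["hub"] and parts["hub"].lower() != props["eventHubName"].lower():
        findings.append("policy is scoped to hub %s but eventHubName is %s"
                        % (parts["hub"], props["eventHubName"]))
    return findings


if __name__ == "__main__":
    sub = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-siem"
    good = sub + ("/providers/Microsoft.EventHub/namespaces/ns-siem"
                  "/eventhubs/intune-logs/authorizationRules/intune-send")
    weak = sub + ("/providers/Microsoft.EventHub/namespaces/ns-siem"
                  "/authorizationRules/RootManageSharedAccessKey")
    for rule in (good, weak):
        url, body = build_setting("EventTracker_Intune_logs", rule, "intune-logs")
        print(url)
        print(json.dumps(body, indent=2))
        print("findings:", check_setting(body) or "none")
```

The second run in the script deliberately selects the namespace root key, which is what the portal offers by default; check_setting flags it, as it flags a missing log category or a policy scoped to a different hub than the one named in the setting.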
3. EventTracker Knowledge Packs
3.1 Saved Searches
Saved searches are designed to quickly parse and filter logs, allowing users to see only the events related
to:
• Azure Intune - Audit activities – These are the audit events such as, ‘create mobileapp’, or ‘delete
manageddevice’, or ‘commit content mobileapp’ etc.
• Azure Intune - Non-compliant devices – Events specific to only non-compliant devices in Azure Intune.
• Azure Intune - Device Management – These are events such as new device enrolled, managed device
removed, or managed device wiped out.
• Azure Intune - Policy Management – These are activities associated to policy management, such as,
‘Update Assignment DeviceCompliancePolicy’, ‘Create DeviceCompliancePolicy’, etc.
• Azure Intune - Role Management – These are activities associated with user role management, such as
Create RoleDefinition, Create RoleScopeTag, etc.
3.2 Alerts
Alerts are triggered when a received event is identified as critical and requires immediate notification,
such as:
• Azure Intune: A managed device has been deleted - This alert is triggered when a managed device from
Azure Intune gets deleted/removed.
• Azure Intune: Device has been wiped out – This alert is triggered when the files, applications or
information belonging to the organization have been wiped from a managed device.
• Azure Intune: New device added – This alert is triggered when a new device gets enrolled into any
organization via Azure Intune.
• Azure Intune: Non-compliant device detected – This alert is triggered when the managed device/ newly
added device is found to be non-compliant as per policy defined in Azure Intune.
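The saved-search buckets of section 3.1 and the alert conditions of section 3.2 amount to a small classifier over the records the event hub delivers. The Python below is an added example, not part of this guide, of EventTracker or of the Azure function the guide refers to: it sorts a batch of records into those buckets and emits the four alerts. The record shape is constructed from the common Azure Monitor diagnostic-log envelope (records, time, category, operationName, properties); the field names inside properties (deviceName, complianceState) and the operation names assumed for enrollment are assumptions to check against real records.

```python
"""Sort Intune records arriving from the Event Hub into the saved-search buckets
of section 3.1 and raise the alerts of section 3.2 (added example; not part of
the guide, of EventTracker, or of the Azure function the guide refers to).

Assumed record shape, constructed from the common Azure Monitor envelope; field
names inside "properties" (deviceName, complianceState) are assumptions, and so
are the operation names used for enrollment. Check real records first.
"""
import json
import re
from collections import Counter

# Buckets from sections 3.1 and 3.4.
AUDIT = "Audit activities"
OPERATIONAL = "Operational activities"
DEVICE = "Device Management"
POLICY = "Policy Management"
ROLE = "Role Management"
NONCOMPLIANT = "Non-compliant devices"


def norm_op(name):
    """'Delete ManagedDevice' and 'delete manageddevice' -> 'deletemanageddevice'."""
    return re.sub(r"\s+", "", name or "").lower()


def classify(record):
    """Return the set of buckets one record belongs to."""
    buckets = set()
    cat = record.get("category")
    op = norm_op(record.get("operationName"))
    props = record.get("properties") or {}
    if cat == "AuditLogs":
        buckets.add(AUDIT)
        if op.endswith("manageddevice"):      # create/delete/wipe ManagedDevice
            buckets.add(DEVICE)
        if "policy" in op:                    # e.g. Create DeviceCompliancePolicy
            buckets.add(POLICY)
        if "role" in op:                      # e.g. Create RoleScopeTag
            buckets.add(ROLE)
    elif cat == "OperationalLogs":
        buckets.add(OPERATIONAL)
    elif cat == "DeviceComplianceOrg":
        if str(props.get("complianceState", "")).lower() == "noncompliant":
            buckets.add(NONCOMPLIANT)
    return buckets


# (alert name, predicate over the normalised operation name and the record)
ALERT_RULES = (
    ("Azure Intune: A managed device has been deleted",
     lambda op, r: op == "deletemanageddevice"),
    ("Azure Intune: Device has been wiped out",
     lambda op, r: op == "wipemanageddevice"),
    ("Azure Intune: New device added",                    # op names assumed
     lambda op, r: op in ("createmanageddevice", "enrollmanageddevice")),
    ("Azure Intune: Non-compliant device detected",
     lambda op, r: NONCOMPLIANT in classify(r)),
)


def alerts_for(record):
    """Alerts raised by one record, with the time and device for the notification."""
    op = norm_op(record.get("operationName"))
    props = record.get("properties") or {}
    return [{"alert": name, "time": record.get("time"),
             "device": props.get("deviceName")}
            for name, rule in ALERT_RULES if rule(op, record)]


def process_batch(payload):
    """payload: one Event Hub message body ({"records": [...]}) as str or dict.
    Returns (bucket -> record count, list of alerts) for the batch."""
    data = json.loads(payload) if isinstance(payload, str) else payload
    counts, alerts = Counter(), []
    for rec in data.get("records", []):
        counts.update(classify(rec))
        alerts.extend(alerts_for(rec))
    return dict(counts), alerts


# Constructed sample batch; not real Intune output.
SAMPLE_BATCH = json.dumps({"records": [
    {"time": "2020-06-16T10:00:00Z", "category": "AuditLogs", "resultType": "Success",
     "operationName": "Create MobileApp", "properties": {"actor": "admin@contoso.example"}},
    {"time": "2020-06-16T10:05:00Z", "category": "AuditLogs", "resultType": "Success",
     "operationName": "Delete ManagedDevice",
     "properties": {"actor": "admin@contoso.example", "deviceName": "LAPTOP-01"}},
    {"time": "2020-06-16T10:06:00Z", "category": "AuditLogs", "resultType": "Success",
     "operationName": "Wipe ManagedDevice",
     "properties": {"actor": "helpdesk@contoso.example", "deviceName": "PHONE-07"}},
    {"time": "2020-06-16T10:07:00Z", "category": "AuditLogs", "resultType": "Success",
     "operationName": "Create ManagedDevice",
     "properties": {"actor": "user@contoso.example", "deviceName": "PHONE-12"}},
    {"time": "2020-06-16T10:08:00Z", "category": "AuditLogs", "resultType": "Success",
     "operationName": "Update Assignment DeviceCompliancePolicy",
     "properties": {"actor": "admin@contoso.example"}},
    {"time": "2020-06-16T10:09:00Z", "category": "AuditLogs", "resultType": "Success",
     "operationName": "Create RoleScopeTag", "properties": {"actor": "admin@contoso.example"}},
    {"time": "2020-06-16T10:10:00Z", "category": "DeviceComplianceOrg",
     "operationName": "DeviceComplianceOrg",
     "properties": {"deviceName": "PHONE-09", "complianceState": "NonCompliant"}},
    {"time": "2020-06-16T10:11:00Z", "category": "OperationalLogs",
     "operationName": "Enrollment", "properties": {"deviceName": "PHONE-10"}},
]})

if __name__ == "__main__":
    counts, alerts = process_batch(SAMPLE_BATCH)
    for bucket, n in sorted(counts.items()):
        print("%-22s %d" % (bucket, n))
    for a in alerts:
        print(a)
```

Operation names are normalised before matching because the guide itself quotes them in two spellings ('delete manageddevice' and 'Delete ManagedDevice'); matching on the whole normalised name for the alerts, and on substrings only for the broader saved-search buckets, keeps a device deletion from also firing the "new device" alert.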
3.3 Flex Reports
Reports contain details of events occurring in Azure Intune, represented in column-value format.
• Azure Intune - Successful MDM user sign in – This report displays a summary of an event, when an
MDM managed user signs into a device for the first time. It contains, device name, OS version, operation
status, Device ID, event datetime, etc.
Figure 5
• Azure Intune - Audit activities - This report lists the audit events such as ‘create mobileapp’, ‘delete
manageddevice’, or ‘commit content mobileapp’. It contains username, operation name, user
permissions, operation status, log datetime, etc.
Figure 6
• Azure Intune - Device Management – This report includes activities associated to device enrollment,
managed device deletion, and wipe managed device.
Figure 7
• Azure Intune - Role Management - This report presents the detailed summary of activities associated
to user role management, such as, Create RoleDefinition, Create RoleScopeTag, etc. It includes,
username, operation name, user permissions, operation status, log datetime, etc.
Figure 8
• Azure Intune - Policy management - This report presents the detailed summary of activities associated
to policy management, such as, ‘Update Assignment DeviceCompliancePolicy’, ‘Create
DeviceCompliancePolicy’, etc. It includes, username, operation name, user permissions, operation
status, log datetime, etc.
Figure 9
• Azure Intune - Device compliant status – This report summarizes the compliance status of
enrolled/managed devices in Azure Intune. It includes, device name, device owner name, device ID, etc.
Figure 10
3.4 Dashboards
• Azure Intune - Device Management
Figure 11
• Azure Intune - Audit activities
Figure 12
• Azure Intune - Operational activities
Figure 13
• Azure Intune - Audit activities by User
Figure 14
• Azure Intune - Audit activity timeline
Figure 15
• Azure Intune - Device Added
Figure 16
• Azure Intune - Non-compliant devices
Figure 17
4. Importing knowledge pack into EventTracker
Getting the Knowledge Packs
To get the knowledge packs, locate the knowledge pack folder as follows:
1. Press “Windows key + R”.
2. Type “%et_install_path%\Knowledge Packs” and press “Enter”.
(Note: if you are unable to locate the path mentioned above, please contact EventTracker support for
assistance.)
NOTE: Import knowledge pack items in the following sequence:
• Categories
• Alerts
• Parsing Rules
• Flex Reports
• Knowledge Objects
• Dashboards
1. Launch the EventTracker Control Panel.
2. Double click Export-Import Utility.
Figure 18
Figure 19
3. Click the Import tab.
4.1 Saved Searches
1. Once you have opened the “Export Import Utility” via the “EventTracker Control Panel”, click the Category
option, and then click Browse.
2. Navigate to the knowledge pack folder and select the file with extension “.iscat”, e.g.
“Categories_Azure Intune.iscat” and then click “Import”.
Figure 19
EventTracker displays a success message:
Figure 20
4.2 Alerts
1. Once you have opened the “Export Import Utility” via the “EventTracker Control Panel”, click the Alert option, and
then click Browse.
2. Navigate to the knowledge pack folder and select the file with extension “.isalt”, e.g. “Alerts_Azure
Intune.isalt” and then click “Import”.
Figure 21
EventTracker displays a success message:
Figure 22
4.3 Parsing Rules
1. Once you have opened the “Export Import Utility” via the “EventTracker Control Panel”, click the “Token
Value” option, and then click Browse.
2. Navigate to the knowledge pack folder and select the file with extension “.istoken”, e.g. “Parsing Rules_Azure
Intune.istoken” and then click “Import”.
Figure 23
4.4 Flex Reports
1. In the EventTracker Control Panel, select “Export/Import utility” and select the “Import” tab. Then, click the
Reports option, and choose “New (*.etcrx)”:
Figure 24
2. Once you have selected “New (*.etcrx)”, a new pop-up window will appear. Click “Select File”,
navigate to the knowledge pack folder and select the file with extension “.etcrx”, e.g. “Reports_Azure
Intune.etcrx”.
Figure 25
3. Wait while the reports are populated in the table below. Then select all the relevant reports and
click Import.
Figure 26
EventTracker displays a success message:
Figure 27
4.5 Knowledge Objects
1. Click Knowledge Objects under the Admin option in the EventTracker manager web interface.
Figure 28
2. Next, click the “import object” icon.
Figure 29
3. A pop-up box will appear. Click “Browse” in it, navigate to the knowledge packs folder (type
“%et_install_path%\Knowledge Packs” in the navigation bar), select the file with the extension “.etko”, e.g. “KO_Azure
Intune.etko”, and then click “Upload”.
Figure 30
4. Wait while EventTracker populates all the relevant knowledge objects. Once the objects are displayed,
select the required ones and click “Import”.
Figure 31
4.6 Dashboards
1. Log in to the EventTracker manager web interface.
2. Navigate to Dashboard → My Dashboard.
3. In “My Dashboard”, Click Import.
Figure 32
Figure 33
4. Click Browse and navigate to the knowledge pack folder (type “%et_install_path%\Knowledge Packs” in the
navigation bar) where the “.etwd” file, e.g. “Dashboards_Azure Intune.etwd”, is saved, and click “Upload”.
5. Wait while EventTracker populates all the available dashboards. Then choose “Select All” and click
“Import”.
Figure 34
Figure 35
5. Verifying knowledge pack in EventTracker
5.1 Saved Searches
1. Log in to the EventTracker manager web interface.
2. Click the Admin dropdown, and then click Categories.
3. In the Category Tree, scroll down and expand the “Azure Intune” group folder to view the imported
categories.
Figure 36
5.2 Alerts
1. In the EventTracker manager web interface, click the Admin dropdown, and then click Alerts.
2. In the search box enter the search criteria, e.g. “Azure Intune”, and then click Search.
EventTracker displays the alerts related to “Azure Intune”:
Figure 37
5.3 Parsing Rules
1. In the EventTracker Enterprise web interface, click the Admin dropdown, and then click Parsing Rule.
2. In the Parsing Rule tab, click on the “Azure Intune” group folder to view the imported Token Values.
Figure 38
5.4 Flex Reports
1. In the EventTracker web interface, click the Reports menu, and then select Report Configuration.
Figure 39
2. In Reports Configuration pane, select the Defined option.
3. Click on the “Azure Intune” group folder to view the imported reports.
Figure 40
5.5 Knowledge Objects
1. In the EventTracker web interface, click the Admin dropdown, and then click Knowledge Objects.
2. In the Knowledge Object tree, expand the “Azure Intune” group folder to view the imported Knowledge
objects.
Figure 41
5.6 Dashboards
1. In the EventTracker web interface, click the Home button and select “My Dashboard”.
Figure 42
2. Select “Customize dashlets” and type “Azure Intune” in the search bar.
Figure 43
Figure 44