Integrate Azure Intune to forward logs to EventTracker · 5 Integrate Azure Intune to forward logs to EventTracker In Destination details section, select “stream to an event hub”

Integrate Azure Intune to forward logs to EventTracker EventTracker v9.x and later

Publication Date: June 16, 2020

1

Integrate Azure Intune to forward logs to EventTracker

Abstract

This guide provides instructions to retrieve the Azure Intune events via Azure event hub and then configure

Azure function app to forward the logs to EventTracker. Once EventTracker receives logs from eventhub,

dashboard and reports can be configured to monitor Azure Intune.

Scope

The configuration details in this guide are consistent with EventTracker version 9.x or above and Azure

Intune.

Audience

Administrators who are assigned the task to monitor Azure Intune events using EventTracker.

The information contained in this document represents the current view of Netsurion on the issues

discussed as of the date of publication. Because Netsurion must respond to changing market

conditions, it should not be interpreted to be a commitment on the part of Netsurion, and Netsurion

cannot guarantee the accuracy of any information presented after the date of publication.

This document is for informational purposes only. Netsurion MAKES NO WARRANTIES, EXPRESS OR

IMPLIED, AS TO THE INFORMATION IN THIS DOCUMENT.

Complying with all applicable copyright Azure Intune is the responsibility of the user. Without

limiting the rights under copyright, this paper may be freely distributed without permission from

Netsurion, if its content is unaltered, nothing is added to the content and credit to Netsurion is

provided.

Netsurion may have patents, patent applications, trademarks, copyrights, or other intellectual

property rights covering subject matter in this document. Except as expressly provided in any

written license agreement from Netsurion, the furnishing of this document does not give you any

license to these patents, trademarks, copyrights, or other intellectual property.

The example companies, organizations, products, people and events depicted herein are fictitious.

No association with any real company, organization, product, person or event is intended or should

be inferred.

© 2020 Netsurion. All rights reserved. The names of actual companies and products mentioned

herein may be the trademarks of their respective owners.

2


Table of Contents 1. Overview ................................................................................................................................................... 3

2. Integrating Azure Intune with EventTracker .............................................................................................. 3

2.1 Forwarding Event hub data to EventTracker ....................................................................................... 3

2.2 Configuring Azure Intune to stream events to event hub ................................................................... 3

3. EventTracker Knowledge Packs ................................................................................................................. 5

3.1 Saved Searches .................................................................................................................................. 5

3.2 Alerts ................................................................................................................................................. 6

3.3 Flex Reports ....................................................................................................................................... 6

3.4 Dashboards ........................................................................................................................................ 8

4. Importing knowledge pack into EventTracker ......................................................................................... 12

4.1 Saved Searches ................................................................................................................................ 13

4.2 Alerts ............................................................................................................................................... 14

4.3 Parsing Rules .................................................................................................................................... 15

4.4 Flex Reports ..................................................................................................................................... 15

4.5 Knowledge Objects .......................................................................................................................... 17

4.6 Dashboards ...................................................................................................................................... 18

5. Verifying knowledge pack in EventTracker .............................................................................................. 19

5.1 Saved Searches ................................................................................................................................ 19

5.2 Alerts ............................................................................................................................................... 20

5.3 Parsing Rules .................................................................................................................................... 21

5.4 Flex Reports ..................................................................................................................................... 21

5.5 Knowledge Objects .......................................................................................................................... 22

5.6 Dashboards ...................................................................................................................................... 23

3


1. Overview Azure Intune is a mobile device cloud base management tool, it helps organization to manage their

mobile devices and PC’s anytime from anywhere. It provides an easier access to applications and

resources anytime from any mobile device. Azure Intune is one of the offerings from Mizrosoft Azure

cloud service

EventTracker, when integrated with Azure Intune, collects logs and creates a detailed reports, alerts,

dashboards, and saved searches. These attributes of EventTracker helps user to view/receive the critical

and relevant information with respect to security, operations and compliance.

Reports for example, will contain a detailed summary of an event occurred in Azure Intune like, devices

enrolled, devices removed, compliant status of the enrolled devices, policy and role related operations,

etc.

Alerts on the other hand, allows users to receive a real-time notification or an email for events which are

critical, such as, new device enrollment, device removed or wiped out, if device enrolled is non-compliant,

etc.

Dashboards provide representations of events occurring in Azure Intune. One example of dashboards

could be when a new device is added and does not fulfills the compliance policy.

These attributes or configurations of EventTracker allows administrators to quickly take appropriate

action against any threat/adversaries trying to jeopardize an organizations normal operation.

Prerequisites

• An Azure Subscription and a user who is a global administrator.

• Azure Resource group.

• EventTracker manager public IP address.

• Collect Azure Intune Integration package from EventTracker Support.

2. Integrating Azure Intune with EventTracker Azure Intune can be integrated with EventTracker by streaming the logs to Azure event hub, and from Azure

event hub to EventTracker.

2.1 Forwarding Event hub data to EventTracker Refer to configuration of Azure function app to forward logs to EventTracker.

2.2 Configuring Azure Intune to stream events to event hub 1. Login to portal.azure.com using admin account and create an event hub namespace, if not created.

mailto:[email protected]

https://www.eventtracker.com/EventTracker/media/EventTracker/Files/support-docs/How-to-Configure-Azure-services-event-to-event-hub-to-forward-logs-to-EventTracker.pdf#%5B%7B%22num%22%3A44%2C%22gen%22%3A0%7D%2C%7B%22name%22%3A%22XYZ%22%7D%2C38%2C711%2C0%5D

portal.azure.com

https://www.eventtracker.com/EventTracker/media/EventTracker/Files/support-docs/How-to-Configure-Azure-services-event-to-event-hub-to-forward-logs-to-EventTracker.pdf#%5B%7B%22num%22%3A35%2C%22gen%22%3A0%7D%2C%7B%22name%22%3A%22XYZ%22%7D%2C38%2C510%2C0%5D

4


2. Search and select “Intune” services from All services.

Figure 1

3. From the left panel under “Monitoring”, select “Diagnostics settings”:

Figure 2

4. Within “Diagnostics settings”, click “Add diagnostics settings”:

Figure 3

5. Provide the inputs.

Diagnostics settings name, such as ‘EventTracker_Intune_logs’.

Select all log type, i.e. AuditLogs, OperationalLogs, and DeviceComplainceOrg.

5


In Destination details section, select “stream to an event hub” and then choose the following

options.

Subscription select the desired Azure subscription.

Event hub namespace select the event hub namespace.

Event hub name select event hub created under event hub namespace.

Event hub policy name select the event hub policy.

6. Click OK/Save.

Figure 4

3. EventTracker Knowledge Packs

3.1 Saved Searches

Saved searches are designed to quickly parse/filter logs and allow user to see only specific events related

to:

• Azure Intune - Audit activities – These are the audit events such as, ‘create mobileapp’, or ‘delete

manageddevice’, or ‘commit content mobileapp’ etc.

• Azure Intune - Non-compliant devices – Events specific to only non-compliant devices in Azure Intune.

• Azure Intune - Device Management – These are events such as new device enrolled, managed device

removed, or managed device wiped out.

6


• Azure Intune - Policy Management – These are activities associated to policy management, such as,

‘Update Assignment DeviceCompliancePolicy’, ‘Create DeviceCompliancePolicy’, etc.

• Azure Intune - Policy Management – These are activities associated to user role management, such as,

Create RoleDefinition, Create RoleScopeTag, etc.

3.2 Alerts Alerts are triggered when an event received is identified as critical and requires immediate notification.

Such as,

• Azure Intune: A managed device has been deleted - This alert is triggered when a managed device from

Azure Intune gets deleted/removed.

• Azure Intune: Device has been wiped out – This alert is triggered when the files, applications or

information associated to any organization has been wiped out from a managed device.

• Azure Intune: New device added – This alert is triggered when a new device gets enrolled into any

organization via Azure Intune.

• Azure Intune: Non-compliant device detected – This alert is triggered when the managed device/ newly

added device is found to be non-compliant as per policy defined in Azure Intune.

3.3 Flex Reports Reports contains details of an event occurring in Azure Intune, represented in column-value format.

• Azure Intune - Successful MDM user sign in – This report displays a summary of an event, when an

MDM managed user signs into a device for the first time. It contains, device name, OS version, operation

status, Device ID, event datetime, etc.

Figure 5

• Azure Intune - Audit activities - These are the audit events such as, ‘create mobileapp’, or ‘delete

manageddevice’, or ‘commit content mobileapp’ etc. It contains, username, operation name, user

permissions, operation status, log datetime, etc.

7


Figure 6

• Azure Intune - Device Management – This report includes activities associated to device enrollment,

managed device deletion, and wipe managed device.

Figure 7

• Azure Intune - Role Management - This report presents the detailed summary of activities associated

to user role management, such as, Create RoleDefinition, Create RoleScopeTag, etc. It includes,

username, operation name, user permissions, operation status, log datetime, etc.

Figure 8

• Azure Intune - Policy management - This report presents the detailed summary of activities associated

to policy management, such as, ‘Update Assignment DeviceCompliancePolicy’, ‘Create

DeviceCompliancePolicy’, etc. It includes, username, operation name, user permissions, operation

status, log datetime, etc.

Figure 9

• Azure Intune - Device compliant status – This report summarizes the compliance status of

enrolled/managed devices in Azure Intune. It includes, device name, device owner name, device ID, etc.

8


Figure 10

3.4 Dashboards

• Azure Intune - Device Management

Figure 11

• Azure Intune - Audit activities

9


Figure 12

• Azure Intune - Operational activities

Figure 13

• Azure Intune - Audit activities by User

10


Figure 14

• Azure Intune - Audit activity timeline

Figure 15

• Azure Intune - Device Added

11


Figure 16

• Azure Intune - Non-compliant devices

Figure 17

12


4. Importing knowledge pack into EventTracker

Getting the Knowledge Packs

To get the knowledge packs, locate the knowledge pack folder. Follow the below steps:

1. Press “ + R”.

2. Now, type “%et_install_path%\Knowledge Packs” and press “Enter”.

(Note – If, not able to locate the file path as mentioned above, please contact EventTracker support to

get the assistance).

NOTE: Import knowledge pack items in the following sequence:

• Categories

• Alerts

• Parsing Rules

• Flex Reports

• Knowledge Objects

• Dashboards

1. Launch the EventTracker Control Panel.

2. Double click Export-Import Utility.

Figure 18

mailto:[email protected]

13


Figure 19

3. Click the Import tab.

4.1 Saved Searches 1. Once you have opened “Export Import Utility” via “EventTracker Control Panel”, click the Category

option, and then click Browse

2. Navigate to the knowledge pack folder and select the file with extension “.iscat”, e.g.

“Categories_Azure Intune.iscat” and then click “Import”.

Figure 19

EventTracker displays a success message:

14


Figure 20

4.2 Alerts 1. Once you have opened “Export Import Utility” via “EventTracker Control Panel”, click Alert option, and

then click Browse.

2. Navigate to the knowledge pack folder and select the file with extension “.isalt”, e.g. “Alerts_ Azure

Intune.isalt” and then click “Import”.

Figure 21


15


Figure 22

4.3 Parsing Rules 1. Once you have opened “Export Import Utility” via “EventTracker Control Panel”, click the “Token

Value” option, and then click Browse.

2. Navigate to the knowledge pack folder and select the file with extension “.istoken”, e.g. “Parsing Rules_

Azure Intune.istoken” and then click “Import”.

Figure 23

4.4 Flex Reports 1. In EventTracker control panel, select “Export/ Import utility” and select the “Import tab”. Then, click

Reports option, and choose “New (*.etcrx)”:

16


Figure 24

2. Once you have selected “New (*.etcrx)”, a new pop-up window will appear. Click “Select File” and

navigate to knowledge pack folder and select file with extension “.etcrx”, e.g. “Reports_ Azure

Intune.etcrx”.

Figure 25

3. Wait while reports are being populated in below tables. Now, select all the relevant reports and then

click Import .

Figure 26

17



Figure 27

4.5 Knowledge Objects 1. Click Knowledge objects under the Admin option in the EventTracker manager web interface.

Figure 28

2. Next, click the “import object” icon.

Figure 29

3. A pop-up box will appear, click “Browse” in that and navigate to knowledge packs folder (type

“%et_install_path%\Knowledge Packs” in navigation bar) with the extension “.etko”, e.g. “KO_ Azure

Intune.etko” and then click “Upload”.

18


Figure 30

4. Wait while EventTracker populates all the relevant knowledge objects. Once the objects are displayed,

select the required ones and click “Import”.

Figure 31

4.6 Dashboards 1. Login to EventTracker manager web interface.

2. Navigate to Dashboard → My Dashboard.

3. In “My Dashboard”, Click Import.

Figure 32

19


Figure 33

4. Click Browse and navigate to knowledge pack folder (type “%et_install_path%\Knowledge Packs” in

navigation bar) where “.etwd”, e.g. “Dashboards_ Azure Intune.etwd” is saved and click “Upload”.

5. Wait while EventTracker populates all the available dashboards. Now, choose “Select All” and click

“Import”.

Figure 34

Figure 35

5. Verifying knowledge pack in EventTracker

5.1 Saved Searches 1. Login to EventTracker manager web interface.

2. Click Admin dropdown, and then click Categories.

3. In Category Tree to view imported categories, scroll down and expand “Azure Intune” group folder to

view the imported categories.

20


Figure 36

5.2 Alerts 1. In the EventTracker manager web interface, click the Admin dropdown, and then click Alerts.

2. In search box enter “<search criteria> e.g. “Azure Intune” and then click Search.

EventTracker displays an alert related to “Azure Intune”:

Figure 37

21


5.3 Parsing Rules 1. In the EventTracker Enterprise web interface, click the Admin dropdown, and then click Parsing Rule.

2. In the Parsing Rule tab, click on the “Azure Intune” group folder to view the imported Token Values.

Figure 38

5.4 Flex Reports 1. In the EventTracker web interface, click the Reports menu, and then select the Report Configuration.

Figure 39

2. In Reports Configuration pane, select the Defined option.

3. Click on the “Azure Intune” group folder to view the imported reports.

22


Figure 40

5.5 Knowledge Objects 1. In the EventTracker web interface, click the Admin dropdown, and then click Knowledge Objects.

2. In the Knowledge Object tree, expand the “Azure Intune” group folder to view the imported Knowledge

objects.

Figure 41

23


5.6 Dashboards

1. In the EventTracker web interface, Click on Home Button and select “My Dashboard”.

Figure 42

2. Select “Customize daslets” and type “Azure Intune” in the search bar.

Figure 43

Figure 44

Documents

Integrate Azure Intune to forward logs to EventTracker · 5 Integrate Azure Intune to forward logs to EventTracker In Destination details section, select “stream to an event hub”