Azure MDM Intune Context¶
About¶
Microsoft Intune is a cloud-based endpoint management solution. It manages user access and simplifies app and device management across many devices, including mobile devices, desktop computers, and virtual endpoints.
Product Details¶
Vendor URL: Microsoft Azure
Product Type: Device management
Product Tier: Tier III
Integration Method: API
Integration URL: Azure - Cyderes Documentation
Log Guide: n/a
Parser Details¶
Log Format: JSON
Expected Normalization Rate: near 100%
Data Label: AZURE_MDM_INTUNE_CONTEXT
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| complianceState | additional.fields |
| jailbroken | additional.fields |
| "AZURE MDM INTUNE CONTEXT" | metadata.product_name |
| "Microsoft" | metadata.vendor_name |
| "DEVICE" | target.resource.resource_type |
| "MICROSOFT_AZURE" | target.cloud.environment |
| id | metadata.product_log_id |
| deviceEnrollmentType | metadata.product_event_type |
| @odata.type | metadata.product_event_type |
| version | metadata.product_version |
| deviceRegistrationState | metadata.description |
| displayName | metadata.description |
| deviceName | observer.hostname |
| deviceName | principal.hostname |
| userId | principal.user.userid |
| userDisplayName | principal.user.user_display_name |
| userPrincipalName | principal.user.email_addresses |
| wiFiMacAddress | principal.mac |
| azureADDeviceId | target.asset.product_object_id |
| serialNumber | target.asset.hardware.serial_number |
| model | target.asset.hardware.model |
| manufacturer | target.asset.hardware.manufacturer |
| osVersion | target.asset.platform_software.platform_version |
| managedDeviceOwnerType | target.asset.category |
| operatingSystem | target.platform |
| description | security_result.description |
Product Event Types¶
| Event | UDM Event Classification |
|---|---|
| all events | GENERIC_EVENT |
Log Sample¶
{"deviceRegistrationState":"registered","wiFiMacAddress":"FFFFFFFFFFFF","managedDeviceName":"28d1b7db-8571-4384-a055-d1bdc530dc70_Windows_11/10/2022_12:07 AM","physicalMemoryInBytes":0,"activationLockBypassCode":null,"freeStorageSpaceInBytes":368306028544,"requireUserEnrollmentApproval":null,"complianceGracePeriodExpirationDateTime":"9999-12-31T23:59:59Z","azureADRegistered":true,"exchangeAccessStateReason":"none","serialNumber":"serialNumber","id":"idNumber","osVersion":"10.0.19042.2251","userDisplayName":"userName","userId":"userId","remoteAssistanceSessionUrl":null,"isEncrypted":true,"imei":"","deviceActionResults":[],"operatingSystem":"Windows","managementAgent":"configurationManagerClientMdm","easActivationDateTime":"0001-01-01T00:00:00Z","exchangeLastSuccessfulSyncDateTime":"0001-01-01T00:00:00Z","partnerReportedThreatState":"unknown","complianceState":"compliant","azureADDeviceId":"azureADDeviceIDNumber","totalStorageSpaceInBytes":510860984320,"notes":null,"deviceName":"hostname","phoneNumber":"","emailAddress":"","configurationManagerClientEnabledFeatures":{"inventory":true,"modernApps":true,"resourceAccess":true,"deviceConfiguration":true,"compliancePolicy":true,"windowsUpdateForBusiness":false},"enrolledDateTime":"2022-11-10T00:07:43Z","subscriberCarrier":"","meid":"","udid":null,"easDeviceId":"D6A03AC5D1A71674152B1022EE059931","userPrincipalName":"email@email.com","iccid":null,"deviceEnrollmentType":"windowsCoManagement","remoteAssistanceSessionErrorDetails":null,"deviceHealthAttestationState":null,"lastSyncDateTime":"2022-12-02T03:24:11Z","jailBroken":"Unknown","model":"HP ProBook 440 G8 Notebook PC","androidSecurityPatchLevel":"","ethernetMacAddress":null,"isSupervised":false,"managementCertificateExpirationDate":"2023-11-07T01:45:39Z","deviceCategoryDisplayName":"Unknown","easActivated":true,"exchangeAccessState":"none","manufacturer":"HP","managedDeviceOwnerType":"company"}
Sample Parsing¶
metadata.product_log_id: "idNumber"
metadata.event_timestamp.seconds: 1669951451
metadata.event_type: "GENERIC_EVENT"
metadata.vendor_name: "Microsoft"
metadata.product_name: "Azure MDM Intune Context"
metadata.product_event_type: "windowsCoManagement"
metadata.description: "registered"
additional.fields.key: "complianceState"
additional.fields.value: "compliant"
additional.fields.key: "jailbroken"
additional.fields.value: "Unknown"
principal.hostname: "hostname"
principal.user.userid: "userId"
principal.user.user_display_name: "userName"
principal.user.email_addresses: "email@email.com"
principal.mac: "FF:FF:FF:FF:FF:FF"
target.asset.product_object_id: "azureADDeviceIDNumber"
target.asset.hardware.serial_number: "serialNumber"
target.asset.hardware.model: "HP ProBook 440 G8 Notebook PC"
target.asset.hardware.manufacturer: "HP"
target.asset.platform_software.platform_version: "10.0.19042.2251"
target.asset.category: "company"
target.platform: "WINDOWS"
target.cloud.environment: "MICROSOFT_AZURE"
target.resource.resource_type: "DEVICE"
observer.hostname: "hostname"
Parser Alerting¶
This product currently does not have any Parser-based Alerting.
Rules¶
Coming Soon