Microsoft Intune Integration Guide

This guide describes how to integrate Microsoft Intune logs with QRadar.

The integration consists of the following steps:

  • Register Graph API app on Azure AD.
  • Give permissions to the App.
  • Share the app details with SecurityHQ.

  1. Register Graph API app on Azure AD

    Ref: https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app

  2. Give permissions to the App

    Apply the following permissions to this app (both “Application” and “Delegated”):

    • DeviceManagementManagedDevices.Read.All
    • DeviceManagement.Read.All
    • User.Read

  3. Share the app details with SecurityHQ

    To pull logs, we require:

    • App ID/Client ID
    • Directory (tenant) ID
    • App Secret
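
A pre-handover check for the three steps above, as an added example (not SecurityHQ's or Microsoft's code): it builds the client-credentials token request from the three shared values and lists which of the step 2 permissions are absent from a returned access token. It assumes the Microsoft identity platform v2.0 token endpoint and the `roles` (application) and `scp` (delegated) token claims; the tenant, client and secret values are placeholders and the sample token is constructed.

```python
import base64
import json
from urllib.parse import urlencode

# Permission names exactly as listed in step 2 of this guide.
REQUIRED = {
    "DeviceManagementManagedDevices.Read.All",
    "DeviceManagement.Read.All",
    "User.Read",
}

def build_token_request(tenant_id, client_id, client_secret):
    """Return (url, form_body) for an OAuth 2.0 client-credentials token request."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
    })
    return url, body

def granted_permissions(access_token):
    """Read permissions from a JWT payload (inspection only, signature not verified)."""
    payload_b64 = access_token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)   # restore stripped base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload_b64))
    roles = set(claims.get("roles", []))            # application permissions
    scopes = set(claims.get("scp", "").split())     # delegated permissions
    return roles | scopes

def missing_permissions(access_token, required=REQUIRED):
    """Return the required permissions that the token does not carry."""
    return set(required) - granted_permissions(access_token)

def make_sample_token(claims):
    """Build an unsigned, constructed JWT-shaped string for offline testing."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"

if __name__ == "__main__":
    url, _ = build_token_request("TENANT-ID-PLACEHOLDER", "CLIENT-ID-PLACEHOLDER", "SECRET-PLACEHOLDER")
    print("Token endpoint:", url)
    sample = make_sample_token({"roles": ["DeviceManagementManagedDevices.Read.All"]})
    print("Missing:", sorted(missing_permissions(sample)))
```

To run it against a real tenant, POST the returned form body to the returned URL and pass the `access_token` field of the JSON response to `missing_permissions`.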
