MS Intune Integration Guide

To integrate Intune logs into QRadar, follow the steps below:

  • Register Graph API app on Azure AD. 
  • Give permissions to the App. 
  • Share the app details with SecurityHQ.

  1. Register Graph API app on Azure AD.

Ref: https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app 

 

  2. Give permissions to the App.

Please apply the permissions below to this app (both “Application” and “Delegated”):

  • DeviceManagementManagedDevices.Read.All 
  • DeviceManagementApps.Read.All 
  • User.Read

  3. Share the app details with SecurityHQ (SHQ).

To pull logs, we require the following:

  • App ID/ClientID 
  • Directory (tenant ID) 
  • App Secret
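
Before sharing these three values, the app owner can confirm that the registration grants only the read permissions listed in step 2. The following is an added example, not part of the original guide or SecurityHQ's tooling: it builds the standard Microsoft identity platform client-credentials token request and audits the `roles` claim of the resulting app-only token. The function names are hypothetical, and the token and tenant ID used in the demo are constructed placeholders so the code runs offline.

```python
import base64
import json
from urllib.parse import urlencode

# Application permissions from step 2. User.Read is a delegated permission,
# so it appears in "scp" on user tokens, not in "roles" on app-only tokens.
REQUIRED_ROLES = {
    "DeviceManagementManagedDevices.Read.All",
    "DeviceManagementApps.Read.All",
}

def build_token_request(tenant_id, client_id, client_secret):
    """Return (url, form_body) for the OAuth 2.0 client-credentials grant."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
    })
    return url, body

def decode_claims(access_token):
    """Decode the JWT payload for inspection only (no signature check)."""
    payload = access_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def audit_roles(claims, tenant_id):
    """Compare granted application permissions with what the guide needs."""
    granted = set(claims.get("roles", []))
    return {
        "tenant_matches": claims.get("tid") == tenant_id,
        "missing": sorted(REQUIRED_ROLES - granted),
        "excess": sorted(granted - REQUIRED_ROLES),  # broader than required
    }

def make_sample_token(claims):
    """Constructed, unsigned token so the example runs offline."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"

if __name__ == "__main__":
    tid = "00000000-0000-0000-0000-000000000000"  # placeholder tenant ID
    token = make_sample_token({"tid": tid, "roles": [
        "DeviceManagementManagedDevices.Read.All",
        "DeviceManagementConfiguration.ReadWrite.All"]})
    print(audit_roles(decode_claims(token), tid))
```

An empty `missing` list means the collector will be able to read the Intune data; a non-empty `excess` list means the shared secret carries more access than log collection needs and the extra permissions should be removed first.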

References:

  1. https://www.wpninjas.ch/2019/06/intune-integration-into-siem-splunk-or-an-incident-management-system/#:~:text=Intune%20integration%20into%20SIEM%5B%26Splunk%26%5D%20or%20an%20incident%20management,the%20verification%20of%20specific%20settings%20on%20a%20device
  2. https://docs.microsoft.com/en-us/mem/intune/fundamentals/reports-export-graph-available-reports