Alert on unauthorized changes in Microsoft Intune via Log Analytics

In my last blog I showed you the new feature that allows you to send all audit events to Log Analytics. It is nice that all events are send to Log Analytics, but if you don’t do anything with it, it is useless. When managing and working with cloud services like Microsoft Intune you want to automate as much as possible. So, for instance if you are using Azure Automation or Azure DevOps to execute changes in Microsoft Intune via PowerShell and the Graph API you are able to alert on changes that are made via the console or with an Intune administrator account that should not be used to change things in Intune.

Let’s have a look at Log Analytics in Azure, when using the new Device Management Portal (https://devicemanagement.microsoft.com) you can find the Log Analytics workspaces blade where you can access an existing workspace or create a new one.

In the Log Analytics Workspace, you can access the logs. In the Logs, you see the LogManagement database where you find the IntuneAuditLogs table were all the audit logs are stored.

So, if you create a query that only selects all events that are not triggered by a change of the automation account you can create an alert. An Alert can be a text message to your phone, a push notification via Azure or just an email to your mailbox or an auditing mailbox. Which is really cool! The alerting is standard functionality of Log Analytics and will cost you $1,50 a month.

So how do we set this up?

If you go in the Azure Portal (via https://devicemanagement.microsoft.com) you need to go to Log Analytics Workspaces and choose the workspace which you used Microsoft Intune to connect to.

In the Log Analytics worksace go to Logs and type the following query

IntuneAuditLogs |

where Identity != “automation@emskings.com” |

where TimeGenerated >= ago(24h)

Next click New alert rule to configure the alert rule, make sure that you have a subscription configured and start configuring the signal logic. Click Whenever the Custom log search is <logic undefined>.

And configure the signal logic, with the signal logic you configure when an alert is being send via mail or text messages and when the evaluation is done.

Next add an action group so that Click Create New  to create a new action group where you can configure the action. One Action Group can consist of one or more action type. In the example in the figure below I configured an email address and a phone number that should be notified when an unauthorized change was executed.

Notification

So, what does an Administrator see when a notification is send by Log Analytics?

Since I enabled that an SMS will be send when an event is logged a message is received from Log Analytics that you are now member of the compliance group.

When an unauthorized change occurs, the following SMS is being received. “Unauthchange:Notification for Alert “Unauthorize change!” raised for “emsfans”

The email however has more information that can be used to assess the alert.

And much more info is in the mail.

Besides this scenario, alerting from and via Log Analytics can be done based on any query you are able to create.

Till next time.

Comments

Total
0
Shares
3 comments
  1. Hello,

    Could this possibly be achieved via Splunk as well? So having this log data forwarded into Splunk, instead of Intune log analytics?

    Thanks.

  2. I am currently looking to use this monitoring and alerting to know when an application is disabled. Is there a query that can be done that will dial into either a application service or a change to the registry?

Leave a Reply

Your email address will not be published. Required fields are marked *

Previous Post

Log analytics (SIEM) integration with Intune available.

Next Post

Enterprise Mobility Tips episode #001

Related Posts
Total
0
Share