Microsoft Intune Logs (Beta)
Connecting Microsoft Intune logs to your Panther Console
Overview
Panther supports ingesting Microsoft Intune logs via the Azure Event Hub Data Transport.
How to onboard Microsoft Intune logs to Panther
You'll first create an Azure Event Hub source in Panther, then configure Azure to export logs to that location.
Prerequisites
Before onboarding Microsoft Intune logs to Panther, ensure that:
You have an Azure subscription and your user has an Owner or Contributor role.
You have already created an Event Hubs namespace and an Event Hub (as specified in the Event Hub Source prerequisites).
Step 1: Create a new Microsoft Intune source in Panther
In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.
Click Create New.
Search for “Microsoft Intune” then click its tile.
On the slide-out panel, click Start Setup.
Follow Panther's instructions for configuring an Azure Event Hub.
Step 2: Export Intune logs to the Event Hub
To export Microsoft Intune logs to an Event Hub, follow the instructions below.
In your Azure Portal, navigate to the Intune admin center at https://intune.microsoft.com/.
In the navigation bar, click Diagnostics settings.
Click + Add diagnostic setting.
Fill in the fields:
In the Diagnostic setting name field, enter a descriptive name.
Under Destination details, select the Stream to an event hub checkbox.
In the Event hub field, select the Event Hub namespace and Event Hub you onboarded in Step 1.
Under Log, select all log types you would like to ingest in Panther.
Click Save.
Supported log types
MicrosoftIntune.AuditLogs
schema: MicrosoftIntune.AuditLogs
description: Intune audit log events from Microsoft Intune, capturing user and system activity
referenceURL: https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/intuneauditlogs
fields:
  - name: Tenant
    type: string
    description: The tenant ID of the organization
  - name: _TimeReceivedBySvc
    type: timestamp
    timeFormats:
      - rfc3339
    description: The time when the log was received by the service
  - name: category
    required: true
    type: string
    description: The category of the audit log event
    validate:
      allow: ['AuditLogs']
  - name: correlationId
    type: string
    description: Unique identifier used to correlate multiple operations
  - name: identity
    type: string
    indicators:
      - email
    description: Identity of the user or service that performed the operation
  - name: operationName
    type: string
    description: Name of the operation performed
  - name: tenantId
    type: string
    description: The tenant ID where the event occurred
  - name: time
    required: true
    type: timestamp
    isEventTime: true
    timeFormats:
      - rfc3339
    description: Time when the operation occurred
  - name: resultType
    type: string
    description: Outcome type of the operation (e.g., Success, Failure)
  - name: resultDescription
    type: string
    description: Description of the result or error if the operation failed
  - name: properties
    type: object
    description: Additional metadata about the audit event
    fields:
      - name: ActivityDate
        type: timestamp
        timeFormats:
          - '%m/%d/%Y %I:%M:%S %p'
        description: Date and time when the activity occurred
      - name: ActivityResultStatus
        type: bigint
        description: Status code of the activity result
      - name: ActivityType
        type: bigint
        description: Type of activity performed
      - name: Actor
        type: object
        description: Information about the actor that initiated the action
        fields:
          - name: Application
            type: string
            description: Application ID of the actor
          - name: ApplicationName
            type: string
            description: Name of the application used
          - name: ObjectId
            type: string
            description: Object ID of the actor
          - name: UPN
            type: string
            indicators:
              - email
            description: User principal name of the actor
          - name: ActorType
            type: bigint
            description: Type of actor (user, app, etc.)
          - name: IsDelegatedAdmin
            type: boolean
            description: Whether the actor is a delegated admin
          - name: PartnerTenantId
            type: string
            description: Partner tenant ID if applicable
          - name: UserPermissions
            type: array
            description: List of permissions held by the actor
            element:
              type: string
      - name: AdditionalDetails
        type: string
        description: Additional metadata about the action
      - name: AuditEventId
        type: string
        description: Unique identifier for the audit event
      - name: Category
        type: bigint
        description: Category code of the audit event
      - name: TargetDisplayNames
        type: array
        description: Display names of the targets affected by the action
        element:
          type: string
      - name: TargetObjectIds
        type: array
        description: Object IDs of the targets affected by the action
        element:
          type: string
      - name: Targets
        type: array
        description: Affected targets and their modified properties
        element:
          type: object
          fields:
            - name: Name
              type: string
              description: Name of the affected target
            - name: ModifiedProperties
              type: array
              description: Properties that were modified
              element:
                type: object
                fields:
                  - name: Name
                    type: string
                    description: Name of the property modified
                  - name: Old
                    type: string
                    description: Old value before modification
                  - name: New
                    type: string
                    description: New value after modification
  - name: records
    type: array
    description: Nested records that provide additional details
    element:
      type: object
      fields:
        - name: category
          type: string
          description: Category of the nested event
        - name: correlationId
          type: string
          description: Correlation ID for nested event
        - name: identity
          type: string
          indicators:
            - email
          description: Identity involved in the nested event
        - name: operationName
          type: string
          description: Operation performed in the nested event
        - name: properties
          type: object
          description: Additional data about the nested event
          fields:
            - name: ActivityDate
              type: timestamp
              timeFormats:
                - rfc3339
              description: When the activity occurred
            - name: ActivityResultStatus
              type: bigint
              description: Result status code
            - name: ActivityType
              type: bigint
              description: Type of the activity
            - name: Actor
              type: object
              description: Actor info
              fields:
                - name: Application
                  type: string
                  description: Actor application ID
                - name: ApplicationName
                  type: string
                  description: Actor application name
                - name: ObjectId
                  type: string
                  description: Actor object ID
                - name: UPN
                  type: string
                  indicators:
                    - email
                  description: Actor UPN
                - name: ActorType
                  type: bigint
                  description: Type of actor
                - name: IsDelegatedAdmin
                  type: boolean
                  description: Is the actor a delegated admin
                - name: PartnerTenantId
                  type: string
                  description: Partner tenant ID
                - name: UserPermissions
                  type: array
                  description: Permissions of the actor
                  element:
                    type: string
            - name: AdditionalDetails
              type: string
              description: Additional context
            - name: AuditEventId
              type: string
              description: Audit event ID
            - name: Category
              type: bigint
              description: Numeric category code
            - name: TargetDisplayNames
              type: array
              description: Names of affected targets
              element:
                type: string
            - name: TargetObjectIds
              type: array
              description: IDs of affected targets
              element:
                type: string
            - name: Targets
              type: array
              description: Detailed info about the targets
              element:
                type: object
                fields:
                  - name: Name
                    type: string
                    description: Target name
                  - name: ModifiedProperties
                    type: array
                    description: Modified properties
                    element:
                      type: object
                      fields:
                        - name: Name
                          type: string
                        - name: Old
                          type: string
                        - name: New
                          type: string
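The following is an added example of a Panther-style detection over MicrosoftIntune.AuditLogs events; it is not code from this page or from Panther's own rule packs. It alerts on successful deletions and assignment changes of Intune policy objects and raises the severity when the actor is a delegated admin operating from a partner tenant. The field paths (properties.Actor.IsDelegatedAdmin, properties.Actor.PartnerTenantId, properties.Targets[].ModifiedProperties[]) follow the schema above; the WATCHED_ENTITY pattern, the DESTRUCTIVE_VERBS list and every value in the sample events are constructed for illustration. In a real Panther rule, deep_get is provided by panther_base_helpers; a minimal version is inlined here so the file runs stand-alone on plain dicts.

```python
"""Panther-style detection over MicrosoftIntune.AuditLogs events (added example)."""
import re

# Hypothetical watch-list: object types whose removal or reassignment weakens device posture.
WATCHED_ENTITY = re.compile(
    r"CompliancePolicy|DeviceConfiguration|EnrollmentConfiguration|ConditionalAccess", re.I
)
# Hypothetical verb prefixes, matched against a lower-cased operationName.
DESTRUCTIVE_VERBS = ("delete", "assign", "unassign")


def deep_get(obj, *keys, default=None):
    """Walk nested dicts; return default on any missing key or non-dict value."""
    for key in keys:
        if not isinstance(obj, dict):
            return default
        obj = obj.get(key)
    return default if obj is None else obj


def rule(event):
    """True when the event is a successful destructive change to a watched object."""
    if event.get("category") != "AuditLogs" or event.get("resultType") != "Success":
        return False
    op = event.get("operationName") or ""
    return op.lower().startswith(DESTRUCTIVE_VERBS) and bool(WATCHED_ENTITY.search(op))


def severity(event):
    """Delegated admins acting through a partner tenant get a higher severity."""
    actor = deep_get(event, "properties", "Actor", default={})
    if actor.get("IsDelegatedAdmin") and actor.get("PartnerTenantId"):
        return "HIGH"
    return "MEDIUM"


def title(event):
    actor = deep_get(event, "properties", "Actor", "UPN",
                     default=event.get("identity") or "unknown actor")
    targets = ", ".join(deep_get(event, "properties", "TargetDisplayNames", default=[]))
    return f"Intune policy change by {actor}: {event.get('operationName')} on {targets or 'unknown target'}"


def changed_properties(event):
    """Flatten Targets[].ModifiedProperties[] into (target, property, old, new) rows."""
    rows = []
    for target in deep_get(event, "properties", "Targets", default=[]):
        for prop in target.get("ModifiedProperties") or []:
            rows.append((target.get("Name"), prop.get("Name"), prop.get("Old"), prop.get("New")))
    return rows


def alert_context(event):
    return {
        "actor": deep_get(event, "properties", "Actor", default={}),
        "correlationId": event.get("correlationId"),
        "changes": changed_properties(event),
    }


def evaluate(events):
    """Run the rule over a batch and return (severity, title) for each match."""
    return [(severity(e), title(e)) for e in events if rule(e)]


# Constructed sample events: shapes follow the schema, values are invented.
SAMPLE_EVENTS = [
    {   # delegated admin from a partner tenant deletes a compliance policy -> HIGH
        "category": "AuditLogs", "resultType": "Success", "correlationId": "c-0001",
        "operationName": "deleteDeviceCompliancePolicy DeviceCompliancePolicy",
        "identity": "partner.admin@msp.example.com",
        "properties": {
            "Actor": {"UPN": "partner.admin@msp.example.com", "IsDelegatedAdmin": True,
                      "PartnerTenantId": "11111111-2222-3333-4444-555555555555"},
            "TargetDisplayNames": ["Corp Baseline Compliance"],
            "Targets": [{"Name": "Corp Baseline Compliance", "ModifiedProperties": []}],
        },
    },
    {   # read-only operation -> no alert
        "category": "AuditLogs", "resultType": "Success", "correlationId": "c-0002",
        "operationName": "getDeviceConfiguration DeviceConfiguration",
        "identity": "it.admin@corp.example.com",
        "properties": {"Actor": {"UPN": "it.admin@corp.example.com", "IsDelegatedAdmin": False}},
    },
    {   # failed delete -> no alert, nothing actually changed
        "category": "AuditLogs", "resultType": "Failure", "correlationId": "c-0003",
        "operationName": "deleteDeviceConfiguration DeviceConfiguration",
        "identity": "it.admin@corp.example.com",
        "properties": {"Actor": {"UPN": "it.admin@corp.example.com", "IsDelegatedAdmin": False}},
    },
    {   # in-tenant admin changes policy assignments -> MEDIUM, with the diff captured
        "category": "AuditLogs", "resultType": "Success", "correlationId": "c-0004",
        "operationName": "assign DeviceCompliancePolicy",
        "identity": "it.admin@corp.example.com",
        "properties": {
            "Actor": {"UPN": "it.admin@corp.example.com", "IsDelegatedAdmin": False},
            "TargetDisplayNames": ["Pilot Compliance"],
            "Targets": [{"Name": "Pilot Compliance", "ModifiedProperties": [
                {"Name": "Assignments", "Old": "[]", "New": "[\"All devices\"]"}]}],
        },
    },
]

if __name__ == "__main__":
    for sev, ttl in evaluate(SAMPLE_EVENTS):
        print(sev, ttl)
```

Failed operations are deliberately excluded (resultType must be Success) because a denied delete changes nothing; if you want to see repeated denied attempts, that is a separate rule with a threshold. The changed_properties rows give responders the before/after values from Targets[].ModifiedProperties without having to open the raw event.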
MicrosoftIntune.Devices
schema: MicrosoftIntune.Devices
description: Device inventory and status information for Intune enrolled and managed devices
referenceURL: https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/intunedevices
fields:
  - name: Tenant
    type: string
    description: The tenant ID of the organization
  - name: _TimeReceivedBySvc
    type: timestamp
    timeFormats:
      - rfc3339
    description: The time when the event was received by the service
  - name: category
    required: true
    type: string
    description: The category of the device event
    validate:
      allow: ['Devices']
  - name: operationName
    type: string
    description: Name of the operation associated with the device event
  - name: tenantId
    type: string
    description: The tenant ID where the device event occurred
  - name: time
    required: true
    type: timestamp
    isEventTime: true
    timeFormats:
      - rfc3339
    description: Time when the device event occurred
  - name: resultType
    type: string
    description: Result of the device operation (e.g., Success, Failure)
  - name: properties
    type: object
    description: Additional metadata and context about the device event
    fields:
      - name: Stats
        type: object
        description: Aggregate statistics about the device query
        fields:
          - name: RecordCount
            type: bigint
            description: Number of records returned in the event
      - name: GraphDeviceIsManaged
        type: boolean
        description: Indicates if the device is managed via Microsoft Graph
      - name: AADTenantId
        type: string
        description: Azure Active Directory tenant ID
      - name: AndroidPatchLevel
        type: string
        description: Android patch level of the device
      - name: CategoryName
        type: string
        description: Category name assigned to the device
      - name: CompliantState
        type: string
        description: Compliance state of the device
      - name: CreatedDate
        type: timestamp
        timeFormats:
          - rfc3339
          - '%Y-%m-%d %H:%M:%S.%N'
        description: Date and time when the device entry was created
      - name: DeviceId
        type: string
        description: Unique identifier of the device
      - name: DeviceName
        type: string
        description: Name of the device
      - name: DeviceRegistrationState
        type: string
        description: Registration state of the device
      - name: DeviceState
        type: string
        description: State of the device
      - name: EasID
        type: string
        description: Exchange ActiveSync ID of the device
      - name: EncryptionStatusString
        type: string
        description: Encryption status of the device
      - name: IMEI
        type: string
        description: International Mobile Equipment Identity of the device
      - name: InGracePeriodUntil
        type: timestamp
        timeFormats:
          - rfc3339
          - '%Y-%m-%d %H:%M:%S.%N'
        description: End time of the grace period for compliance
      - name: JailBroken
        type: string
        description: Indicates if the device is jailbroken
      - name: JoinType
        type: string
        description: Join type of the device (e.g., Azure AD joined)
      - name: LastContact
        type: timestamp
        timeFormats:
          - rfc3339
          - '%Y-%m-%d %H:%M:%S.%N'
        description: Last time the device contacted Intune
      - name: MEID
        type: string
        description: Mobile Equipment Identifier of the device
      - name: ManagedBy
        type: string
        description: Management authority of the device
      - name: ManagedDeviceName
        type: string
        description: Managed name of the device
      - name: Manufacturer
        type: string
        description: Manufacturer of the device
      - name: Model
        type: string
        description: Model of the device
      - name: OS
        type: string
        description: Operating system of the device
      - name: OSVersion
        type: string
        description: Operating system version of the device
      - name: Ownership
        type: string
        description: Ownership type of the device (e.g., Company, Personal)
      - name: PhoneNumber
        type: string
        description: Phone number associated with the device
      - name: PrimaryUser
        type: string
        description: Primary user of the device
      - name: ReferenceId
        type: string
        description: Reference ID of the device
      - name: SerialNumber
        type: string
        description: Serial number of the device
      - name: SkuFamily
        type: string
        description: SKU family of the device
      - name: StorageFree
        type: bigint
        description: Free storage space on the device in bytes
      - name: StorageTotal
        type: bigint
        description: Total storage capacity of the device in bytes
      - name: SubscriberCarrierNetwork
        type: string
        description: Subscriber carrier network of the device
      - name: SupervisedStatusString
        type: string
        description: Supervised status of the device
      - name: UPN
        type: string
        indicators:
          - email
        description: User Principal Name of the assigned user
      - name: UserEmail
        type: string
        indicators:
          - email
        description: Email address of the assigned user
      - name: UserName
        type: string
        indicators:
          - username
        description: Name of the assigned user
      - name: WifiMacAddress
        type: string
        indicators:
          - mac
        description: Wi-Fi MAC address of the device
      - name: BatchId
        type: string
        description: Identifier for the batch this device record belongs to
      - name: IntuneAccountId
        type: string
        description: Internal account ID used by Intune
MicrosoftIntune.DeviceComplianceOrg
schema: MicrosoftIntune.DeviceComplianceOrg
description: Organization-level device compliance events from Microsoft Intune
referenceURL: https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/intunedevicecomplianceorg
fields:
  - name: Tenant
    type: string
    description: The tenant ID of the organization
  - name: _TimeReceivedBySvc
    type: timestamp
    timeFormats:
      - rfc3339
    description: The time when the event was received by the service
  - name: category
    required: true
    type: string
    description: The category of the device compliance event
    validate:
      allow: ['DeviceComplianceOrg']
  - name: operationName
    type: string
    description: Name of the operation associated with the compliance event
  - name: tenantId
    type: string
    description: The tenant ID where the compliance event occurred
  - name: time
    required: true
    type: timestamp
    isEventTime: true
    timeFormats:
      - rfc3339
    description: Time when the compliance event occurred
  - name: resultType
    type: string
    description: Result of the compliance operation (e.g., Success, Failure)
  - name: properties
    type: object
    description: Additional metadata and context about the compliance event
    fields:
      - name: Stats
        type: object
        description: Aggregate statistics about the compliance query
        fields:
          - name: RecordCount
            type: bigint
            description: Number of records returned in the event
      - name: AADTenantId
        type: string
        description: Azure AD tenant ID
      - name: BatchId
        type: string
        description: ID representing the batch this device compliance result belongs to
      - name: ComplianceState
        type: string
        description: Compliance state of the device
      - name: ComplianceState_loc
        type: string
        description: Localized description of the compliance state
      - name: DeviceHealthThreatLevel
        type: bigint
        description: Threat level reported by the device
      - name: DeviceHealthThreatLevel_loc
        type: string
        description: Localized description of the device's threat level
      - name: DeviceId
        type: string
        description: Unique identifier of the device
      - name: DeviceName
        type: string
        description: Name of the device
      - name: DeviceType
        type: bigint
        description: Type of the device (e.g., desktop, mobile)
      - name: IMEI
        type: string
        description: IMEI of the device if applicable
      - name: InGracePeriodUntil
        # Kept as a string: the source emits seven fractional-second digits,
        # e.g. 9999-12-31 23:59:59.0000000, which cannot be parsed as a timestamp
        type: string
        description: Timestamp indicating end of grace period for compliance
      - name: LastContact
        # Kept as a string: the source emits seven fractional-second digits,
        # e.g. 2025-05-07 22:27:19.0000000, which cannot be parsed as a timestamp
        type: string
        description: Last time the device contacted Intune
      - name: ManagementAgents
        type: bigint
        description: Agent type used to manage the device
      - name: ManagementAgents_loc
        type: string
        description: Localized management agent name
      - name: OS
        type: string
        description: Operating system name (e.g., Windows, iOS)
      - name: OSDescription
        type: string
        description: Friendly description of the OS
      - name: OSVersion
        type: string
        description: Operating system version
      - name: OS_loc
        type: string
        description: Localized name of the OS
      - name: OwnerType
        type: bigint
        description: Ownership classification of the device (e.g., company, personal)
      - name: OwnerType_loc
        type: string
        description: Localized description of the ownership type
      - name: RetireAfterDatetime
        type: timestamp
        timeFormats:
          - rfc3339
        description: Time when the device is scheduled to be retired
      - name: SerialNumber
        type: string
        description: Serial number of the device
      - name: UPN
        type: string
        indicators:
          - email
        description: User Principal Name of the assigned user
      - name: UserEmail
        type: string
        indicators:
          - email
        description: Email address of the assigned user
      - name: UserId
        type: string
        description: Identifier of the assigned user
      - name: UserName
        type: string
        indicators:
          - username
        description: Name of the assigned user
      - name: IntuneAccountId
        type: string
        description: Internal account ID used by Intune
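Because the schema above keeps properties.InGracePeriodUntil and properties.LastContact as strings (the source writes seven fractional-second digits, such as 2025-05-07 22:27:19.0000000), a rule that wants to reason about grace periods or stale check-ins has to parse them itself. The following added example, which is not code from this page or from Panther, shows one way to do that: it truncates the fraction to the six digits a strptime parser accepts, treats the 9999-12-31 23:59:59 value from the schema comment as the "no grace period" sentinel, and derives two posture facts per device. The sample events, the 14-day staleness threshold and the "Compliant" state string are constructed for illustration.

```python
"""Parse the string-typed timestamps in MicrosoftIntune.DeviceComplianceOrg (added example)."""
import re
from datetime import datetime, timedelta, timezone

# Sentinel Intune emits when no grace period applies (value taken from the schema comment).
NO_GRACE_PERIOD = datetime(9999, 12, 31, 23, 59, 59, tzinfo=timezone.utc)

# Accepts 'YYYY-MM-DD HH:MM:SS[.frac]' and RFC 3339 'YYYY-MM-DDTHH:MM:SS[.frac](Z|+HH:MM)'.
_TS_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2})[ T](\d{2}:\d{2}:\d{2})(?:\.(\d+))?(Z|[+-]\d{2}:\d{2})?$"
)


def parse_intune_timestamp(value):
    """Return an aware UTC datetime, or None for empty or unparseable input.

    strptime's %f accepts at most six fractional digits, which is why the
    seven-digit source format fails a plain timestamp parse; the fraction is
    truncated to microseconds here before it reaches the parser.
    """
    if not value:
        return None
    match = _TS_RE.match(value.strip())
    if not match:
        return None
    date_part, time_part, frac, tz = match.groups()
    micro = int((frac or "0")[:6].ljust(6, "0"))
    dt = datetime.strptime(f"{date_part} {time_part}", "%Y-%m-%d %H:%M:%S")
    dt = dt.replace(microsecond=micro, tzinfo=timezone.utc)
    if tz and tz != "Z":  # shift a local offset back to UTC
        sign = 1 if tz[0] == "+" else -1
        dt -= sign * timedelta(hours=int(tz[1:3]), minutes=int(tz[4:6]))
    return dt


def in_grace_period(event, now):
    """True when the device is not compliant but its grace period has not yet expired."""
    props = event.get("properties") or {}
    until = parse_intune_timestamp(props.get("InGracePeriodUntil"))
    if until is None or until >= NO_GRACE_PERIOD:
        return False
    return props.get("ComplianceState") != "Compliant" and now < until


def days_since_contact(event, now):
    """Whole days since LastContact, or None when the field is missing or invalid."""
    last = parse_intune_timestamp((event.get("properties") or {}).get("LastContact"))
    return None if last is None else (now - last).days


def stale_devices(events, now, max_days=14):
    """Names of devices that have not checked in for more than max_days (constructed threshold)."""
    stale = []
    for event in events:
        age = days_since_contact(event, now)
        if age is not None and age > max_days:
            stale.append((event.get("properties") or {}).get("DeviceName"))
    return stale


# Constructed sample events: shapes follow the schema, values are invented.
SAMPLE_EVENTS = [
    {"category": "DeviceComplianceOrg", "properties": {
        "DeviceName": "LAPTOP-01", "ComplianceState": "Compliant",
        "InGracePeriodUntil": "9999-12-31 23:59:59.0000000",
        "LastContact": "2025-05-07 22:27:19.0000000"}},
    {"category": "DeviceComplianceOrg", "properties": {
        "DeviceName": "LAPTOP-02", "ComplianceState": "InGracePeriod",
        "InGracePeriodUntil": "2025-05-20 00:00:00.0000000",
        "LastContact": "2025-04-01T09:15:00Z"}},
    {"category": "DeviceComplianceOrg", "properties": {
        "DeviceName": "PHONE-03", "ComplianceState": "Noncompliant",
        "InGracePeriodUntil": "", "LastContact": "not a date"}},
]

# Fixed "current time" so the results are reproducible.
NOW = datetime(2025, 5, 10, tzinfo=timezone.utc)

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        name = e["properties"]["DeviceName"]
        print(name, in_grace_period(e, NOW), days_since_contact(e, NOW))
    print("stale:", stale_devices(SAMPLE_EVENTS, NOW))
```

The parser is deliberately strict: anything that does not match the two shapes the source is known to emit yields None rather than a guessed date, so a malformed value surfaces as a missing field in the alert instead of a wrong age. Note that a device reported as still inside its grace period is not yet non-compliant from a policy standpoint; it is still worth alerting when the device has also stopped checking in, which is the combination the two helpers make easy to test.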
MicrosoftIntune.OperationalLogs
schema: MicrosoftIntune.OperationalLogs
description: Intune operational logs capturing provisioning, enrollment, and ESP events
referenceURL: https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/intuneoperationallogs
fields:
  - name: Tenant
    type: string
    description: The tenant ID of the organization
  - name: _TimeReceivedBySvc
    type: timestamp
    timeFormats:
      - rfc3339
    description: The time when the log was received by the service
  - name: category
    required: true
    type: string
    description: The category of the operational log event
    validate:
      allow: ['OperationalLogs']
  - name: operationName
    type: string
    description: Name of the operation associated with the log
  - name: tenantId
    type: string
    description: Tenant ID where the event occurred
  - name: time
    required: true
    type: timestamp
    isEventTime: true
    timeFormats:
      - rfc3339
    description: Time when the operation occurred
  - name: resultType
    type: string
    description: Result of the operation (e.g., Success, Failure)
  - name: properties
    type: object
    description: Additional metadata and context about the operational event
    fields:
      - name: ESPPolicyId
        type: string
      - name: ESPPolicyName
        type: string
      - name: IsDeviceEspEnabled
        type: boolean
      - name: ZtdDeviceRegisteredTime
        type: timestamp
        timeFormats:
          - rfc3339
          - '%Y-%m-%dT%H:%M:%S.%N'
      - name: DeviceEspEndTime
        type: timestamp
        timeFormats:
          - rfc3339
      - name: SlaEventEndTime
        type: timestamp
        timeFormats:
          - rfc3339
      - name: ZtdDeviceSerialNumber
        type: string
      - name: DeviceEspStartTime
        type: timestamp
        timeFormats:
          - rfc3339
      - name: SlaEventStartTime
        type: timestamp
        timeFormats:
          - rfc3339
      - name: EnrollmentEndTime
        type: timestamp
        timeFormats:
          - rfc3339
      - name: EnrollmentStartTime
        type: timestamp
        timeFormats:
          - rfc3339
      - name: TimeDiff
        type: int
      - name: Status
        type: string
      - name: DidUserReachDesktop
        type: boolean
      - name: IsUserEspEnabled
        type: boolean
      - name: Stage
        type: string
      - name: TimeoutInMinutes
        type: int
      - name: AadDeviceId
        type: string
      - name: DeviceEspStatus
        type: bigint
      - name: DeviceId
        type: string
      - name: EnrollmentTypeMessage
        type: string
      - name: EspStatus
        type: bigint
      - name: EventId
        type: string
      - name: IsAutopilot
        type: boolean
      - name: IsDuringEsp
        type: bigint
      - name: Scope
        type: string
      - name: StartTime
        type: timestamp
        timeFormats:
          - rfc3339
          - '%Y-%m-%dT%H:%M:%S'
      - name: Timestamp
        type: timestamp
        timeFormats:
          - rfc3339
          - '%Y-%m-%dT%H:%M:%S'
      - name: UserEspStatus
        type: bigint
      - name: UserId
        type: string
      - name: Version
        type: string
      - name: EnrollmentTimeUTC
        type: timestamp
        timeFormats:
          - rfc3339
      - name: FailureCategory
        type: string
      - name: FailureReason
        type: string
      - name: MessageId
        type: string
      - name: Os
        type: string
      - name: OsVersion
        type: string
      - name: EnrollmentType
        type: string
      - name: AlertDisplayName
        type: string
      - name: AlertType
        type: string
      - name: Description
        type: string
      - name: DeviceDnsDomain
        type: string
      - name: DeviceHostName
        type: string
      - name: DeviceName
        type: string
      - name: DeviceNetBiosName
        type: string
      - name: DeviceOperatingSystem
        type: string
      - name: StartTimeUtc
        type: timestamp
        timeFormats:
          - rfc3339
      - name: UPNSuffix
        type: string
      - name: UserDisplayName
        type: string
      - name: UserName
        type: string
        indicators:
          - username
      - name: AADTenantId
        type: string
      - name: IntuneAccountId
        type: string
      - name: IntuneDeviceId
        type: string
      - name: IntuneUserId
        type: string
      - name: OperationalLogCategory
        type: string
      - name: ScaleUnit
        type: string
      - name: ScenarioName
        type: string
MicrosoftIntune.Windows365AuditLogs
schema: MicrosoftIntune.Windows365AuditLogs
description: Audit logs for Windows 365 activities from Microsoft Intune
referenceURL: https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/windows365auditlogs
fields:
  - name: Tenant
    type: string
    description: The tenant ID of the organization
  - name: _TimeReceivedBySvc
    type: timestamp
    timeFormats:
      - rfc3339
    description: The time when the log was received by the service
  - name: category
    required: true
    type: string
    description: The category of the Windows 365 audit log event
    validate:
      allow: ['Windows365AuditLogs']
  - name: operationName
    type: string
    description: Name of the operation associated with the log
  - name: tenantId
    type: string
    description: Tenant ID where the event occurred
  - name: time
    required: true
    type: timestamp
    isEventTime: true
    timeFormats:
      - rfc3339
    description: Time when the operation occurred
  - name: resultType
    type: string
    description: Result of the operation (e.g., Success, Failure)
  - name: properties
    type: object
    description: Additional metadata and context about the Windows 365 audit event
    fields:
      - name: ActivityId
        type: string
        description: The activity ID of the operation
      - name: ApplicationId
        type: string
        description: The caller application ID of the operation
      - name: ApplicationName
        type: string
        description: The application name of the operation
      - name: _BilledSize
        type: float
        description: The record size in bytes
      - name: BuildVersion
        type: string
        description: The build version of the operation
      - name: CallerExtendedProperties
        type: string
        description: Extended properties of the caller
      - name: ComponentName
        type: string
        description: The component name of the operation
      - name: _IsBillable
        type: string
        description: Indicates whether ingestion of this data is billable
      - name: OperationName
        type: string
        description: The name of the operation
      - name: OtherAuditEventProperties
        type: string
        description: Additional audit event details including correlation ID and category
      - name: OtherIdentityProperties
        type: string
        description: Identity details such as permission, display name, and scope tags
      - name: Pid
        type: string
        description: The PID of the operation
      - name: RelatedActivityId
        type: string
        description: The related activity ID
      - name: ResourceExtendedProperties
        type: string
        description: Extended resource details for the operation
      - name: _ResourceId
        type: string
        description: Resource ID associated with the log
      - name: Result
        type: string
        description: The result of the operation
      - name: ScenarioId
        type: string
        description: Scenario ID associated with the log
      - name: ScenarioInstanceId
        type: string
        description: Scenario instance ID for the operation
      - name: ServiceName
        type: string
        description: Name of the service that generated the log
      - name: SessionId
        type: string
        description: Session ID associated with the operation
      - name: SourceSystem
        type: string
        description: The agent type that collected the event (e.g., Azure, OpsManager)
      - name: _SubscriptionId
        type: string
        description: Subscription ID for the record
      - name: TenantId
        type: string
        description: Log Analytics workspace ID (tenant)
      - name: Tid
        type: string
        description: Tenant ID from the event
      - name: TimeGenerated
        type: timestamp
        isEventTime: true
        timeFormats:
          - rfc3339
        description: Time when the report was generated (UTC)
      - name: Type
        type: string
        description: Table name of the event (always Windows365AuditLogs)
      - name: UserId
        type: string
        description: ID of the user associated with the event
      - name: UserPrincipalName
        type: string
        indicators:
          - email
        description: UPN of the user associated with the event