Microsoft Intune Logs (Beta)

Connecting Microsoft Intune logs to your Panther Console

Overview

Microsoft Intune log ingestion is in open beta starting with Panther version 1.114, and is available to all customers. Please share any bug reports and feature requests with your Panther support team.

Panther supports ingesting Microsoft Intune logs via the Azure Event Hub Data Transport.

How to onboard Microsoft Intune logs to Panther

You'll first create an Azure Event Hub source in Panther, then configure Azure to export logs to that location.

Prerequisites

Before onboarding Microsoft Intune logs to Panther, ensure that:

You have an Azure subscription and your user has an Owner or Contributor role. 
You have an already created Event Hubs namespace and Event Hub (as specified in the Event Hub Source prerequisites).

Step 1: Create a new Microsoft Intune source in Panther

In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.
Click Create New.
Search for “Microsoft Intune” then click its tile.
On the slide-out panel, click Start Setup.
Follow Panther's instructions for configuring an Azure Event Hub.

Step 2: Export Intune logs to the Event Hub

To export Microsoft Intune logs to an Event Hub, follow the instructions below.

For additional support, see the Microsoft Send Intune log data to Azure Storage, Event Hubs, or Log Analytics documentation.

In your Azure Portal, navigate to the Intune admin center at https://intune.microsoft.com/.
In the navigation bar, click Diagnostics settings.
Click + Add diagnostic setting.
Fill in the fields:
1. In the Diagnostic setting name field, enter a descriptive name. 
2. Under Destination details, click the Stream to an event hub checkbox.
3. In the Event hub field, select the Event Hub namespace and Event Hub you onboarded in Step 1.
4. Under Log, select all log types you would like to ingest in Panther.
Click Save.

Supported log types

MicrosoftIntune.AuditLogs

schema: MicrosoftIntune.AuditLogs
description: Intune audit log events from Microsoft Intune, capturing user and system activity
referenceURL: https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/intuneauditlogs
fields:
  - name: Tenant
    type: string
    description: The tenant ID of the organization
  - name: _TimeReceivedBySvc
    type: timestamp
    timeFormats:
      - rfc3339
    description: The time when the log was received by the service
  - name: category
    required: true
    type: string
    description: The category of the audit log event
    validate:
      allow: ['AuditLogs']
  - name: correlationId
    type: string
    description: Unique identifier used to correlate multiple operations
  - name: identity
    type: string
    indicators:
      - email
    description: Identity of the user or service that performed the operation
  - name: operationName
    type: string
    description: Name of the operation performed
  - name: tenantId
    type: string
    description: The tenant ID where the event occurred
  - name: time
    required: true
    type: timestamp
    isEventTime: true
    timeFormats:
      - rfc3339
    description: Time when the operation occurred
  - name: resultType
    type: string
    description: Outcome type of the operation (e.g., Success, Failure)
  - name: resultDescription
    type: string
    description: Description of the result or error if the operation failed
  - name: properties
    type: object
    description: Additional metadata about the audit event
    fields:
      - name: ActivityDate
        type: timestamp
        timeFormats:
          - '%m/%d/%Y %I:%M:%S %p'
        description: Date and time when the activity occurred
      - name: ActivityResultStatus
        type: bigint
        description: Status code of the activity result
      - name: ActivityType
        type: bigint
        description: Type of activity performed
      - name: Actor
        type: object
        description: Information about the actor that initiated the action
        fields:
          - name: Application
            type: string
            description: Application ID of the actor
          - name: ApplicationName
            type: string
            description: Name of the application used
          - name: ObjectId
            type: string
            description: Object ID of the actor
          - name: UPN
            type: string
            indicators:
              - email
            description: User principal name of the actor
          - name: ActorType
            type: bigint
            description: Type of actor (user, app, etc.)
          - name: IsDelegatedAdmin
            type: boolean
            description: Whether the actor is a delegated admin
          - name: PartnerTenantId
            type: string
            description: Partner tenant ID if applicable
          - name: UserPermissions
            type: array
            description: List of permissions held by the actor
            element:
              type: string
      - name: AdditionalDetails
        type: string
        description: Additional metadata about the action
      - name: AuditEventId
        type: string
        description: Unique identifier for the audit event
      - name: Category
        type: bigint
        description: Category code of the audit event
      - name: TargetDisplayNames
        type: array
        description: Display names of the targets affected by the action
        element:
          type: string
      - name: TargetObjectIds
        type: array
        description: Object IDs of the targets affected by the action
        element:
          type: string
      - name: Targets
        type: array
        description: Affected targets and their modified properties
        element:
          type: object
          fields:
            - name: Name
              type: string
              description: Name of the affected target
            - name: ModifiedProperties
              type: array
              description: Properties that were modified
              element:
                type: object
                fields:
                  - name: Name
                    type: string
                    description: Name of the property modified
                  - name: Old
                    type: string
                    description: Old value before modification
                  - name: New
                    type: string
                    description: New value after modification
  - name: records
    type: array
    description: Nested records that provide additional details
    element:
      type: object
      fields:
        - name: category
          type: string
          description: Category of the nested event
        - name: correlationId
          type: string
          description: Correlation ID for nested event
        - name: identity
          type: string
          indicators:
            - email
          description: Identity involved in the nested event
        - name: operationName
          type: string
          description: Operation performed in the nested event
        - name: properties
          type: object
          description: Additional data about the nested event
          fields:
            - name: ActivityDate
              type: timestamp
              timeFormats:
                - rfc3339
              description: When the activity occurred
            - name: ActivityResultStatus
              type: bigint
              description: Result status code
            - name: ActivityType
              type: bigint
              description: Type of the activity
            - name: Actor
              type: object
              description: Actor info
              fields:
                - name: Application
                  type: string
                  description: Actor application ID
                - name: ApplicationName
                  type: string
                  description: Actor application name
                - name: ObjectId
                  type: string
                  description: Actor object ID
                - name: UPN
                  type: string
                  indicators:
                    - email
                  description: Actor UPN
                - name: ActorType
                  type: bigint
                  description: Type of actor
                - name: IsDelegatedAdmin
                  type: boolean
                  description: Is the actor a delegated admin
                - name: PartnerTenantId
                  type: string
                  description: Partner tenant ID
                - name: UserPermissions
                  type: array
                  description: Permissions of the actor
                  element:
                    type: string
            - name: AdditionalDetails
              type: string
              description: Additional context
            - name: AuditEventId
              type: string
              description: Audit event ID
            - name: Category
              type: bigint
              description: Numeric category code
            - name: TargetDisplayNames
              type: array
              description: Names of affected targets
              element:
                type: string
            - name: TargetObjectIds
              type: array
              description: IDs of affected targets
              element:
                type: string
            - name: Targets
              type: array
              description: Detailed info about the targets
              element:
                type: object
                fields:
                  - name: Name
                    type: string
                    description: Target name
                  - name: ModifiedProperties
                    type: array
                    description: Modified properties
                    element:
                      type: object
                      fields:
                        - name: Name
                          type: string
                        - name: Old
                          type: string
                        - name: New
                          type: string

MicrosoftIntune.Devices

schema: MicrosoftIntune.Devices
description: Device inventory and status information for Intune enrolled and managed devices
referenceURL: https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/intunedevices
fields:
  - name: Tenant
    type: string
    description: The tenant ID of the organization
  - name: _TimeReceivedBySvc
    type: timestamp
    timeFormats:
      - rfc3339
    description: The time when the event was received by the service
  - name: category
    required: true
    type: string
    description: The category of the device event
    validate:
      allow: ['Devices']
  - name: operationName
    type: string
    description: Name of the operation associated with the device event
  - name: tenantId
    type: string
    description: The tenant ID where the device event occurred
  - name: time
    required: true
    type: timestamp
    isEventTime: true
    timeFormats:
      - rfc3339
    description: Time when the device event occurred
  - name: resultType
    type: string
    description: Result of the device operation (e.g., Success, Failure)
  - name: properties
    type: object
    description: Additional metadata and context about the device event
    fields:
      - name: Stats
        type: object
        description: Aggregate statistics about the device query
        fields:
          - name: RecordCount
            type: bigint
            description: Number of records returned in the event
      - name: GraphDeviceIsManaged
        type: boolean
        description: Indicates if the device is managed via Microsoft Graph
      - name: AADTenantId
        type: string
        description: Azure Active Directory tenant ID
      - name: AndroidPatchLevel
        type: string
        description: Android patch level of the device
      - name: CategoryName
        type: string
        description: Category name assigned to the device
      - name: CompliantState
        type: string
        description: Compliance state of the device
      - name: CreatedDate
        type: timestamp
        timeFormats:
          - rfc3339
          - '%Y-%m-%d %H:%M:%S.%N'
        description: Date and time when the device entry was created
      - name: DeviceId
        type: string
        description: Unique identifier of the device
      - name: DeviceName
        type: string
        description: Name of the device
      - name: DeviceRegistrationState
        type: string
        description: Registration state of the device
      - name: DeviceState
        type: string
        description: State of the device
      - name: EasID
        type: string
        description: Exchange ActiveSync ID of the device
      - name: EncryptionStatusString
        type: string
        description: Encryption status of the device
      - name: IMEI
        type: string
        description: International Mobile Equipment Identity of the device
      - name: InGracePeriodUntil
        type: timestamp
        timeFormats:
          - rfc3339
          - '%Y-%m-%d %H:%M:%S.%N'
        description: End time of the grace period for compliance
      - name: JailBroken
        type: string
        description: Indicates if the device is jailbroken
      - name: JoinType
        type: string
        description: Join type of the device (e.g., Azure AD joined)
      - name: LastContact
        type: timestamp
        timeFormats:
          - rfc3339
          - '%Y-%m-%d %H:%M:%S.%N'
        description: Last time the device contacted Intune
      - name: MEID
        type: string
        description: Mobile Equipment Identifier of the device
      - name: ManagedBy
        type: string
        description: Management authority of the device
      - name: ManagedDeviceName
        type: string
        description: Managed name of the device
      - name: Manufacturer
        type: string
        description: Manufacturer of the device
      - name: Model
        type: string
        description: Model of the device
      - name: OS
        type: string
        description: Operating system of the device
      - name: OSVersion
        type: string
        description: Operating system version of the device
      - name: Ownership
        type: string
        description: Ownership type of the device (e.g., Company, Personal)
      - name: PhoneNumber
        type: string
        description: Phone number associated with the device
      - name: PrimaryUser
        type: string
        description: Primary user of the device
      - name: ReferenceId
        type: string
        description: Reference ID of the device
      - name: SerialNumber
        type: string
        description: Serial number of the device
      - name: SkuFamily
        type: string
        description: SKU family of the device
      - name: StorageFree
        type: bigint
        description: Free storage space on the device in bytes
      - name: StorageTotal
        type: bigint
        description: Total storage capacity of the device in bytes
      - name: SubscriberCarrierNetwork
        type: string
        description: Subscriber carrier network of the device
      - name: SupervisedStatusString
        type: string
        description: Supervised status of the device
      - name: UPN
        type: string
        indicators:
          - email
        description: User Principal Name of the assigned user
      - name: UserEmail
        type: string
        indicators:
          - email
        description: Email address of the assigned user
      - name: UserName
        type: string
        indicators:
          - username
        description: Name of the assigned user
      - name: WifiMacAddress
        type: string
        indicators:
          - mac
        description: Wi-Fi MAC address of the device
      - name: BatchId
        type: string
        description: Identifier for the batch this device record belongs to
      - name: IntuneAccountId
        type: string
        description: Internal account ID used by Intune

MicrosoftIntune.DeviceComplianceOrg

schema: MicrosoftIntune.DeviceComplianceOrg
description: Organization-level device compliance events from Microsoft Intune
referenceURL: https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/intunedevicecomplianceorg
fields:
  - name: Tenant
    type: string
    description: The tenant ID of the organization
  - name: _TimeReceivedBySvc
    type: timestamp
    timeFormats:
      - rfc3339
    description: The time when the event was received by the service
  - name: category
    required: true
    type: string
    description: The category of the device compliance event
    validate:
      allow: ['DeviceComplianceOrg']
  - name: operationName
    type: string
    description: Name of the operation associated with the compliance event
  - name: tenantId
    type: string
    description: The tenant ID where the compliance event occurred
  - name: time
    required: true
    type: timestamp
    isEventTime: true
    timeFormats:
      - rfc3339
    description: Time when the compliance event occurred
  - name: resultType
    type: string
    description: Result of the compliance operation (e.g., Success, Failure)
  - name: properties
    type: object
    description: Additional metadata and context about the compliance event
    fields:
      - name: Stats
        type: object
        description: Aggregate statistics about the compliance query
        fields:
          - name: RecordCount
            type: bigint
            description: Number of records returned in the event
      - name: AADTenantId
        type: string
        description: Azure AD tenant ID
      - name: BatchId
        type: string
        description: ID representing the batch this device compliance result belongs to
      - name: ComplianceState
        type: string
        description: Compliance state of the device
      - name: ComplianceState_loc
        type: string
        description: Localized description of the compliance state
      - name: DeviceHealthThreatLevel
        type: bigint
        description: Threat level reported by the device
      - name: DeviceHealthThreatLevel_loc
        type: string
        description: Localized description of the device's threat level
      - name: DeviceId
        type: string
        description: Unique identifier of the device
      - name: DeviceName
        type: string
        description: Name of the device
      - name: DeviceType
        type: bigint
        description: Type of the device (e.g., desktop, mobile)
      - name: IMEI
        type: string
        description: IMEI of the device if applicable
      - name: InGracePeriodUntil
        # can't actually parse it as timestamp because it looks like 9999-12-31 23:59:59.0000000 (7 zeros at the end)
        type: string
        description: Timestamp indicating end of grace period for compliance
      - name: LastContact
        # can't actually parse it as timestamp because it looks like 2025-05-07 22:27:19.0000000 (7 zeros at the end)
        type: string
        description: Last time the device contacted Intune
      - name: ManagementAgents
        type: bigint
        description: Agent type used to manage the device
      - name: ManagementAgents_loc
        type: string
        description: Localized management agent name
      - name: OS
        type: string
        description: Operating system name (e.g., Windows, iOS)
      - name: OSDescription
        type: string
        description: Friendly description of the OS
      - name: OSVersion
        type: string
        description: Operating system version
      - name: OS_loc
        type: string
        description: Localized name of the OS
      - name: OwnerType
        type: bigint
        description: Ownership classification of the device (e.g., company, personal)
      - name: OwnerType_loc
        type: string
        description: Localized description of the ownership type
      - name: RetireAfterDatetime
        type: timestamp
        timeFormats:
          - rfc3339
        description: Time when the device is scheduled to be retired
      - name: SerialNumber
        type: string
        description: Serial number of the device
      - name: UPN
        type: string
        indicators:
          - email
        description: User Principal Name of the assigned user
      - name: UserEmail
        type: string
        indicators:
          - email
        description: Email address of the assigned user
      - name: UserId
        type: string
        description: Identifier of the assigned user
      - name: UserName
        type: string
        indicators:
          - username
        description: Name of the assigned user
      - name: IntuneAccountId
        type: string
        description: Internal account ID used by Intune

MicrosoftIntune.OperationalLogs

schema: MicrosoftIntune.OperationalLogs
description: Intune operational logs capturing provisioning, enrollment, and ESP events
referenceURL: https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/intuneoperationallogs
fields:
  - name: Tenant
    type: string
    description: The tenant ID of the organization
  - name: _TimeReceivedBySvc
    type: timestamp
    timeFormats:
      - rfc3339
    description: The time when the log was received by the service
  - name: category
    required: true
    type: string
    description: The category of the operational log event
    validate:
      allow: ['OperationalLogs']
  - name: operationName
    type: string
    description: Name of the operation associated with the log
  - name: tenantId
    type: string
    description: Tenant ID where the event occurred
  - name: time
    required: true
    type: timestamp
    isEventTime: true
    timeFormats:
      - rfc3339
    description: Time when the operation occurred
  - name: resultType
    type: string
    description: Result of the operation (e.g., Success, Failure)
  - name: properties
    type: object
    description: Additional metadata and context about the operational event
    fields:
      - name: ESPPolicyId
        type: string
      - name: ESPPolicyName
        type: string
      - name: IsDeviceEspEnabled
        type: boolean
      - name: ZtdDeviceRegisteredTime
        type: timestamp
        timeFormats:
          - rfc3339
          - '%Y-%m-%dT%H:%M:%S.%N'
      - name: DeviceEspEndTime
        type: timestamp
        timeFormats:
          - rfc3339
      - name: SlaEventEndTime
        type: timestamp
        timeFormats:
          - rfc3339
      - name: ZtdDeviceSerialNumber
        type: string
      - name: DeviceEspStartTime
        type: timestamp
        timeFormats:
          - rfc3339
      - name: SlaEventStartTime
        type: timestamp
        timeFormats:
          - rfc3339
      - name: EnrollmentEndTime
        type: timestamp
        timeFormats:
          - rfc3339
      - name: EnrollmentStartTime
        type: timestamp
        timeFormats:
          - rfc3339
      - name: TimeDiff
        type: int
      - name: Status
        type: string
      - name: DidUserReachDesktop
        type: boolean
      - name: IsUserEspEnabled
        type: boolean
      - name: Stage
        type: string
      - name: TimeoutInMinutes
        type: int
      - name: AadDeviceId
        type: string
      - name: DeviceEspStatus
        type: bigint
      - name: DeviceId
        type: string
      - name: EnrollmentTypeMessage
        type: string
      - name: EspStatus
        type: bigint
      - name: EventId
        type: string
      - name: IsAutopilot
        type: boolean
      - name: IsDuringEsp
        type: bigint
      - name: Scope
        type: string
      - name: StartTime
        type: timestamp
        timeFormats:
          - rfc3339
          - '%Y-%m-%dT%H:%M:%S'
      - name: Timestamp
        type: timestamp
        timeFormats:
          - rfc3339
          - '%Y-%m-%dT%H:%M:%S'
      - name: UserEspStatus
        type: bigint
      - name: UserId
        type: string
      - name: Version
        type: string
      - name: EnrollmentTimeUTC
        type: timestamp
        timeFormats:
          - rfc3339
      - name: FailureCategory
        type: string
      - name: FailureReason
        type: string
      - name: MessageId
        type: string
      - name: Os
        type: string
      - name: OsVersion
        type: string
      - name: EnrollmentType
        type: string
      - name: AlertDisplayName
        type: string
      - name: AlertType
        type: string
      - name: Description
        type: string
      - name: DeviceDnsDomain
        type: string
      - name: DeviceHostName
        type: string
      - name: DeviceName
        type: string
      - name: DeviceNetBiosName
        type: string
      - name: DeviceOperatingSystem
        type: string
      - name: StartTimeUtc
        type: timestamp
        timeFormats:
          - rfc3339
      - name: UPNSuffix
        type: string
      - name: UserDisplayName
        type: string
      - name: UserName
        type: string
        indicators:
          - username
      - name: AADTenantId
        type: string
      - name: IntuneAccountId
        type: string
      - name: IntuneDeviceId
        type: string
      - name: IntuneUserId
        type: string
      - name: OperationalLogCategory
        type: string
      - name: ScaleUnit
        type: string
      - name: ScenarioName
        type: string

MicrosoftIntune.Windows365AuditLogs

schema: MicrosoftIntune.Windows365AuditLogs
description: Audit logs for Windows 365 activities from Microsoft Intune
referenceURL: https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/windows365auditlogs
fields:
  - name: Tenant
    type: string
    description: The tenant ID of the organization
  - name: _TimeReceivedBySvc
    type: timestamp
    timeFormats:
      - rfc3339
    description: The time when the log was received by the service
  - name: category
    required: true
    type: string
    description: The category of the operational log event
    validate:
      allow: ['Windows365AuditLogs']
  - name: operationName
    type: string
    description: Name of the operation associated with the log
  - name: tenantId
    type: string
    description: Tenant ID where the event occurred
  - name: time
    required: true
    type: timestamp
    isEventTime: true
    timeFormats:
      - rfc3339
    description: Time when the operation occurred
  - name: resultType
    type: string
    description: Result of the operation (e.g., Success, Failure)
  - name: properties
    type: object
    description: Additional metadata and context about the operational event
    fields:
      - name: ActivityId
        type: string
        description: The activity ID of the operation
      - name: ApplicationId
        type: string
        description: The caller application ID of the operation
      - name: ApplicationName
        type: string
        description: The application name of the operation
      - name: _BilledSize
        type: float
        description: The record size in bytes
      - name: BuildVersion
        type: string
        description: The build version of the operation
      - name: CallerExtendedProperties
        type: string
        description: Extended properties of the caller
      - name: ComponentName
        type: string
        description: The component name of the operation
      - name: _IsBillable
        type: string
        description: Indicates whether ingestion of this data is billable
      - name: OperationName
        type: string
        description: The name of the operation
      - name: OtherAuditEventProperties
        type: string
        description: Additional audit event details including correlation ID and category
      - name: OtherIdentityProperties
        type: string
        description: Identity details such as permission, display name, and scope tags
      - name: Pid
        type: string
        description: The PID of the operation
      - name: RelatedActivityId
        type: string
        description: The related activity ID
      - name: ResourceExtendedProperties
        type: string
        description: Extended resource details for the operation
      - name: _ResourceId
        type: string
        description: Resource ID associated with the log
      - name: Result
        type: string
        description: The result of the operation
      - name: ScenarioId
        type: string
        description: Scenario ID associated with the log
      - name: ScenarioInstanceId
        type: string
        description: Scenario instance ID for the operation
      - name: ServiceName
        type: string
        description: Name of the service that generated the log
      - name: SessionId
        type: string
        description: Session ID associated with the operation
      - name: SourceSystem
        type: string
        description: The agent type that collected the event (e.g., Azure, OpsManager)
      - name: _SubscriptionId
        type: string
        description: Subscription ID for the record
      - name: TenantId
        type: string
        description: Log Analytics workspace ID (tenant)
      - name: Tid
        type: string
        description: Tenant ID from the event
      - name: TimeGenerated
        type: timestamp
        isEventTime: true
        timeFormats:
          - rfc3339
        description: Time when the report was generated (UTC)
      - name: Type
        type: string
        description: Table name of the event (always Windows365AuditLogs)
      - name: UserId
        type: string
        description: ID of the user associated with the event
      - name: UserPrincipalName
        type: string
        indicators:
          - email
        description: UPN of the user associated with the event

PreviousMicrosoft Graph Logs NextMongoDB Atlas Logs

Last updated 1 month ago

Was this helpful?

schema: MicrosoftIntune.AuditLogs description: Intune audit log events from Microsoft Intune, capturing user and system activity referenceURL: https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/intuneauditlogs fields: - name: Tenant type: string description: The tenant ID of the organization - name: _TimeReceivedBySvc type: timestamp timeFormats: - rfc3339 description: The time when the log was received by the service - name: category required: true type: string description: The category of the audit log event validate: allow: ['AuditLogs'] - name: correlationId type: string description: Unique identifier used to correlate multiple operations - name: identity type: string indicators: - email description: Identity of the user or service that performed the operation - name: operationName type: string description: Name of the operation performed - name: tenantId type: string description: The tenant ID where the event occurred - name: time required: true type: timestamp isEventTime: true timeFormats: - rfc3339 description: Time when the operation occurred - name: resultType type: string description: Outcome type of the operation (e.g., Success, Failure) - name: resultDescription type: string description: Description of the result or error if the operation failed - name: properties type: object description: Additional metadata about the audit event fields: - name: ActivityDate type: timestamp timeFormats: - '%m/%d/%Y %I:%M:%S %p' description: Date and time when the activity occurred - name: ActivityResultStatus type: bigint description: Status code of the activity result - name: ActivityType type: bigint description: Type of activity performed - name: Actor type: object description: Information about the actor that initiated the action fields: - name: Application type: string description: Application ID of the actor - name: ApplicationName type: string description: Name of the application used - name: ObjectId type: string description: Object ID of the actor - name: UPN type: string indicators: - email description: User principal name of the actor - name: ActorType type: bigint description: Type of actor (user, app, etc.) - name: IsDelegatedAdmin type: boolean description: Whether the actor is a delegated admin - name: PartnerTenantId type: string description: Partner tenant ID if applicable - name: UserPermissions type: array description: List of permissions held by the actor element: type: string - name: AdditionalDetails type: string description: Additional metadata about the action - name: AuditEventId type: string description: Unique identifier for the audit event - name: Category type: bigint description: Category code of the audit event - name: TargetDisplayNames type: array description: Display names of the targets affected by the action element: type: string - name: TargetObjectIds type: array description: Object IDs of the targets affected by the action element: type: string - name: Targets type: array description: Affected targets and their modified properties element: type: object fields: - name: Name type: string description: Name of the affected target - name: ModifiedProperties type: array description: Properties that were modified element: type: object fields: - name: Name type: string description: Name of the property modified - name: Old type: string description: Old value before modification - name: New type: string description: New value after modification - name: records type: array description: Nested records that provide additional details element: type: object fields: - name: category type: string description: Category of the nested event - name: correlationId type: string description: Correlation ID for nested event - name: identity type: string indicators: - email description: Identity involved in the nested event - name: operationName type: string description: Operation performed in the nested event - name: properties type: object description: Additional data about the nested event fields: - name: ActivityDate type: timestamp timeFormats: - rfc3339 description: When the activity occurred - name: ActivityResultStatus type: bigint description: Result status code - name: ActivityType type: bigint description: Type of the activity - name: Actor type: object description: Actor info fields: - name: Application type: string description: Actor application ID - name: ApplicationName type: string description: Actor application name - name: ObjectId type: string description: Actor object ID - name: UPN type: string indicators: - email description: Actor UPN - name: ActorType type: bigint description: Type of actor - name: IsDelegatedAdmin type: boolean description: Is the actor a delegated admin - name: PartnerTenantId type: string description: Partner tenant ID - name: UserPermissions type: array description: Permissions of the actor element: type: string - name: AdditionalDetails type: string description: Additional context - name: AuditEventId type: string description: Audit event ID - name: Category type: bigint description: Numeric category code - name: TargetDisplayNames type: array description: Names of affected targets element: type: string - name: TargetObjectIds type: array description: IDs of affected targets element: type: string - name: Targets type: array description: Detailed info about the targets element: type: object fields: - name: Name type: string description: Target name - name: ModifiedProperties type: array description: Modified properties element: type: object fields: - name: Name type: string - name: Old type: string - name: New type: string

schema: MicrosoftIntune.Devices description: Device inventory and status information for Intune enrolled and managed devices referenceURL: https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/intunedevices fields: - name: Tenant type: string description: The tenant ID of the organization - name: _TimeReceivedBySvc type: timestamp timeFormats: - rfc3339 description: The time when the event was received by the service - name: category required: true type: string description: The category of the device event validate: allow: ['Devices'] - name: operationName type: string description: Name of the operation associated with the device event - name: tenantId type: string description: The tenant ID where the device event occurred - name: time required: true type: timestamp isEventTime: true timeFormats: - rfc3339 description: Time when the device event occurred - name: resultType type: string description: Result of the device operation (e.g., Success, Failure) - name: properties type: object description: Additional metadata and context about the device event fields: - name: Stats type: object description: Aggregate statistics about the device query fields: - name: RecordCount type: bigint description: Number of records returned in the event - name: GraphDeviceIsManaged type: boolean description: Indicates if the device is managed via Microsoft Graph - name: AADTenantId type: string description: Azure Active Directory tenant ID - name: AndroidPatchLevel type: string description: Android patch level of the device - name: CategoryName type: string description: Category name assigned to the device - name: CompliantState type: string description: Compliance state of the device - name: CreatedDate type: timestamp timeFormats: - rfc3339 - '%Y-%m-%d %H:%M:%S.%N' description: Date and time when the device entry was created - name: DeviceId type: string description: Unique identifier of the device - name: DeviceName type: string description: Name of the device - name: DeviceRegistrationState type: string description: Registration state of the device - name: DeviceState type: string description: State of the device - name: EasID type: string description: Exchange ActiveSync ID of the device - name: EncryptionStatusString type: string description: Encryption status of the device - name: IMEI type: string description: International Mobile Equipment Identity of the device - name: InGracePeriodUntil type: timestamp timeFormats: - rfc3339 - '%Y-%m-%d %H:%M:%S.%N' description: End time of the grace period for compliance - name: JailBroken type: string description: Indicates if the device is jailbroken - name: JoinType type: string description: Join type of the device (e.g., Azure AD joined) - name: LastContact type: timestamp timeFormats: - rfc3339 - '%Y-%m-%d %H:%M:%S.%N' description: Last time the device contacted Intune - name: MEID type: string description: Mobile Equipment Identifier of the device - name: ManagedBy type: string description: Management authority of the device - name: ManagedDeviceName type: string description: Managed name of the device - name: Manufacturer type: string description: Manufacturer of the device - name: Model type: string description: Model of the device - name: OS type: string description: Operating system of the device - name: OSVersion type: string description: Operating system version of the device - name: Ownership type: string description: Ownership type of the device (e.g., Company, Personal) - name: PhoneNumber type: string description: Phone number associated with the device - name: PrimaryUser type: string description: Primary user of the device - name: ReferenceId type: string description: Reference ID of the device - name: SerialNumber type: string description: Serial number of the device - name: SkuFamily type: string description: SKU family of the device - name: StorageFree type: bigint description: Free storage space on the device in bytes - name: StorageTotal type: bigint description: Total storage capacity of the device in bytes - name: SubscriberCarrierNetwork type: string description: Subscriber carrier network of the device - name: SupervisedStatusString type: string description: Supervised status of the device - name: UPN type: string indicators: - email description: User Principal Name of the assigned user - name: UserEmail type: string indicators: - email description: Email address of the assigned user - name: UserName type: string indicators: - username description: Name of the assigned user - name: WifiMacAddress type: string indicators: - mac description: Wi-Fi MAC address of the device - name: BatchId type: string description: Identifier for the batch this device record belongs to - name: IntuneAccountId type: string description: Internal account ID used by Intune

schema: MicrosoftIntune.DeviceComplianceOrg description: Organization-level device compliance events from Microsoft Intune referenceURL: https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/intunedevicecomplianceorg fields: - name: Tenant type: string description: The tenant ID of the organization - name: _TimeReceivedBySvc type: timestamp timeFormats: - rfc3339 description: The time when the event was received by the service - name: category required: true type: string description: The category of the device compliance event validate: allow: ['DeviceComplianceOrg'] - name: operationName type: string description: Name of the operation associated with the compliance event - name: tenantId type: string description: The tenant ID where the compliance event occurred - name: time required: true type: timestamp isEventTime: true timeFormats: - rfc3339 description: Time when the compliance event occurred - name: resultType type: string description: Result of the compliance operation (e.g., Success, Failure) - name: properties type: object description: Additional metadata and context about the compliance event fields: - name: Stats type: object description: Aggregate statistics about the compliance query fields: - name: RecordCount type: bigint description: Number of records returned in the event - name: AADTenantId type: string description: Azure AD tenant ID - name: BatchId type: string description: ID representing the batch this device compliance result belongs to - name: ComplianceState type: string description: Compliance state of the device - name: ComplianceState_loc type: string description: Localized description of the compliance state - name: DeviceHealthThreatLevel type: bigint description: Threat level reported by the device - name: DeviceHealthThreatLevel_loc type: string description: Localized description of the device's threat level - name: DeviceId type: string description: Unique identifier of the device - name: DeviceName type: string description: Name of the device - name: DeviceType type: bigint description: Type of the device (e.g., desktop, mobile) - name: IMEI type: string description: IMEI of the device if applicable - name: InGracePeriodUntil # can't actually parse it as timestamp because it looks like 9999-12-31 23:59:59.0000000 (7 zeros at the end) type: string description: Timestamp indicating end of grace period for compliance - name: LastContact # can't actually parse it as timestamp because it looks like 2025-05-07 22:27:19.0000000 (7 zeros at the end) type: string description: Last time the device contacted Intune - name: ManagementAgents type: bigint description: Agent type used to manage the device - name: ManagementAgents_loc type: string description: Localized management agent name - name: OS type: string description: Operating system name (e.g., Windows, iOS) - name: OSDescription type: string description: Friendly description of the OS - name: OSVersion type: string description: Operating system version - name: OS_loc type: string description: Localized name of the OS - name: OwnerType type: bigint description: Ownership classification of the device (e.g., company, personal) - name: OwnerType_loc type: string description: Localized description of the ownership type - name: RetireAfterDatetime type: timestamp timeFormats: - rfc3339 description: Time when the device is scheduled to be retired - name: SerialNumber type: string description: Serial number of the device - name: UPN type: string indicators: - email description: User Principal Name of the assigned user - name: UserEmail type: string indicators: - email description: Email address of the assigned user - name: UserId type: string description: Identifier of the assigned user - name: UserName type: string indicators: - username description: Name of the assigned user - name: IntuneAccountId type: string description: Internal account ID used by Intune

schema: MicrosoftIntune.OperationalLogs description: Intune operational logs capturing provisioning, enrollment, and ESP events referenceURL: https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/intuneoperationallogs fields: - name: Tenant type: string description: The tenant ID of the organization - name: _TimeReceivedBySvc type: timestamp timeFormats: - rfc3339 description: The time when the log was received by the service - name: category required: true type: string description: The category of the operational log event validate: allow: ['OperationalLogs'] - name: operationName type: string description: Name of the operation associated with the log - name: tenantId type: string description: Tenant ID where the event occurred - name: time required: true type: timestamp isEventTime: true timeFormats: - rfc3339 description: Time when the operation occurred - name: resultType type: string description: Result of the operation (e.g., Success, Failure) - name: properties type: object description: Additional metadata and context about the operational event fields: - name: ESPPolicyId type: string - name: ESPPolicyName type: string - name: IsDeviceEspEnabled type: boolean - name: ZtdDeviceRegisteredTime type: timestamp timeFormats: - rfc3339 - '%Y-%m-%dT%H:%M:%S.%N' - name: DeviceEspEndTime type: timestamp timeFormats: - rfc3339 - name: SlaEventEndTime type: timestamp timeFormats: - rfc3339 - name: ZtdDeviceSerialNumber type: string - name: DeviceEspStartTime type: timestamp timeFormats: - rfc3339 - name: SlaEventStartTime type: timestamp timeFormats: - rfc3339 - name: EnrollmentEndTime type: timestamp timeFormats: - rfc3339 - name: EnrollmentStartTime type: timestamp timeFormats: - rfc3339 - name: TimeDiff type: int - name: Status type: string - name: DidUserReachDesktop type: boolean - name: IsUserEspEnabled type: boolean - name: Stage type: string - name: TimeoutInMinutes type: int - name: AadDeviceId type: string - name: DeviceEspStatus type: bigint - name: DeviceId type: string - name: EnrollmentTypeMessage type: string - name: EspStatus type: bigint - name: EventId type: string - name: IsAutopilot type: boolean - name: IsDuringEsp type: bigint - name: Scope type: string - name: StartTime type: timestamp timeFormats: - rfc3339 - '%Y-%m-%dT%H:%M:%S' - name: Timestamp type: timestamp timeFormats: - rfc3339 - '%Y-%m-%dT%H:%M:%S' - name: UserEspStatus type: bigint - name: UserId type: string - name: Version type: string - name: EnrollmentTimeUTC type: timestamp timeFormats: - rfc3339 - name: FailureCategory type: string - name: FailureReason type: string - name: MessageId type: string - name: Os type: string - name: OsVersion type: string - name: EnrollmentType type: string - name: AlertDisplayName type: string - name: AlertType type: string - name: Description type: string - name: DeviceDnsDomain type: string - name: DeviceHostName type: string - name: DeviceName type: string - name: DeviceNetBiosName type: string - name: DeviceOperatingSystem type: string - name: StartTimeUtc type: timestamp timeFormats: - rfc3339 - name: UPNSuffix type: string - name: UserDisplayName type: string - name: UserName type: string indicators: - username - name: AADTenantId type: string - name: IntuneAccountId type: string - name: IntuneDeviceId type: string - name: IntuneUserId type: string - name: OperationalLogCategory type: string - name: ScaleUnit type: string - name: ScenarioName type: string

schema: MicrosoftIntune.Windows365AuditLogs description: Audit logs for Windows 365 activities from Microsoft Intune referenceURL: https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/windows365auditlogs fields: - name: Tenant type: string description: The tenant ID of the organization - name: _TimeReceivedBySvc type: timestamp timeFormats: - rfc3339 description: The time when the log was received by the service - name: category required: true type: string description: The category of the operational log event validate: allow: ['Windows365AuditLogs'] - name: operationName type: string description: Name of the operation associated with the log - name: tenantId type: string description: Tenant ID where the event occurred - name: time required: true type: timestamp isEventTime: true timeFormats: - rfc3339 description: Time when the operation occurred - name: resultType type: string description: Result of the operation (e.g., Success, Failure) - name: properties type: object description: Additional metadata and context about the operational event fields: - name: ActivityId type: string description: The activity ID of the operation - name: ApplicationId type: string description: The caller application ID of the operation - name: ApplicationName type: string description: The application name of the operation - name: _BilledSize type: float description: The record size in bytes - name: BuildVersion type: string description: The build version of the operation - name: CallerExtendedProperties type: string description: Extended properties of the caller - name: ComponentName type: string description: The component name of the operation - name: _IsBillable type: string description: Indicates whether ingestion of this data is billable - name: OperationName type: string description: The name of the operation - name: OtherAuditEventProperties type: string description: Additional audit event details including correlation ID and category - name: OtherIdentityProperties type: string description: Identity details such as permission, display name, and scope tags - name: Pid type: string description: The PID of the operation - name: RelatedActivityId type: string description: The related activity ID - name: ResourceExtendedProperties type: string description: Extended resource details for the operation - name: _ResourceId type: string description: Resource ID associated with the log - name: Result type: string description: The result of the operation - name: ScenarioId type: string description: Scenario ID associated with the log - name: ScenarioInstanceId type: string description: Scenario instance ID for the operation - name: ServiceName type: string description: Name of the service that generated the log - name: SessionId type: string description: Session ID associated with the operation - name: SourceSystem type: string description: The agent type that collected the event (e.g., Azure, OpsManager) - name: _SubscriptionId type: string description: Subscription ID for the record - name: TenantId type: string description: Log Analytics workspace ID (tenant) - name: Tid type: string description: Tenant ID from the event - name: TimeGenerated type: timestamp isEventTime: true timeFormats: - rfc3339 description: Time when the report was generated (UTC) - name: Type type: string description: Table name of the event (always Windows365AuditLogs) - name: UserId type: string description: ID of the user associated with the event - name: UserPrincipalName type: string indicators: - email description: UPN of the user associated with the event