Microsoft Intune Logs (Beta)

Connecting Microsoft Intune logs to your Panther Console

Overview

Microsoft Intune log ingestion is in open beta starting with Panther version 1.114, and is available to all customers. Please share any bug reports and feature requests with your Panther support team.

Panther supports ingesting Microsoft Intune logs via the Azure Event Hub Data Transport.

How to onboard Microsoft Intune logs to Panther

You'll first create an Azure Event Hub source in Panther, then configure Azure to export logs to that location.

Prerequisites

Before onboarding Microsoft Intune logs to Panther, ensure that:

Step 1: Create a new Microsoft Intune source in Panther

  1. In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.

  2. Click Create New.

  3. Search for “Microsoft Intune” then click its tile.

  4. On the slide-out panel, click Start Setup.

  5. Follow Panther's instructions for configuring an Azure Event Hub.

Step 2: Export Intune logs to the Event Hub

To export Microsoft Intune logs to an Event Hub, follow the instructions below.

For additional support, see Microsoft's documentation, Send Intune log data to Azure Storage, Event Hubs, or Log Analytics.

  1. In your Azure Portal, navigate to the Intune admin center at https://intune.microsoft.com/.

  2. In the navigation bar, click Diagnostics settings.

  3. Click + Add diagnostic setting.

  4. Fill in the fields:

    1. In the Diagnostic setting name field, enter a descriptive name.

    2. Under Destination details, click the Stream to an event hub checkbox.

    3. In the Event hub field, select the Event Hub namespace and Event Hub you onboarded in Step 1.

    4. Under Log, select all log types you would like to ingest in Panther.

  5. Click Save.

Supported log types

MicrosoftIntune.AuditLogs

schema: MicrosoftIntune.AuditLogs
description: Intune audit log events from Microsoft Intune, capturing user and system activity
referenceURL: https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/intuneauditlogs
fields:
  - name: Tenant
    type: string
    description: The tenant ID of the organization
  - name: _TimeReceivedBySvc
    type: timestamp
    timeFormats:
      - rfc3339
    description: The time when the log was received by the service
  - name: category
    required: true
    type: string
    description: The category of the audit log event
    validate:
      allow: ['AuditLogs']
  - name: correlationId
    type: string
    description: Unique identifier used to correlate multiple operations
  - name: identity
    type: string
    indicators:
      - email
    description: Identity of the user or service that performed the operation
  - name: operationName
    type: string
    description: Name of the operation performed
  - name: tenantId
    type: string
    description: The tenant ID where the event occurred
  - name: time
    required: true
    type: timestamp
    isEventTime: true
    timeFormats:
      - rfc3339
    description: Time when the operation occurred
  - name: resultType
    type: string
    description: Outcome type of the operation (e.g., Success, Failure)
  - name: resultDescription
    type: string
    description: Description of the result or error if the operation failed
  - name: properties
    type: object
    description: Additional metadata about the audit event
    fields:
      - name: ActivityDate
        type: timestamp
        timeFormats:
          - '%m/%d/%Y %I:%M:%S %p'
        description: Date and time when the activity occurred
      - name: ActivityResultStatus
        type: bigint
        description: Status code of the activity result
      - name: ActivityType
        type: bigint
        description: Type of activity performed
      - name: Actor
        type: object
        description: Information about the actor that initiated the action
        fields:
          - name: Application
            type: string
            description: Application ID of the actor
          - name: ApplicationName
            type: string
            description: Name of the application used
          - name: ObjectId
            type: string
            description: Object ID of the actor
          - name: UPN
            type: string
            indicators:
              - email
            description: User principal name of the actor
          - name: ActorType
            type: bigint
            description: Type of actor (user, app, etc.)
          - name: IsDelegatedAdmin
            type: boolean
            description: Whether the actor is a delegated admin
          - name: PartnerTenantId
            type: string
            description: Partner tenant ID if applicable
          - name: UserPermissions
            type: array
            description: List of permissions held by the actor
            element:
              type: string
      - name: AdditionalDetails
        type: string
        description: Additional metadata about the action
      - name: AuditEventId
        type: string
        description: Unique identifier for the audit event
      - name: Category
        type: bigint
        description: Category code of the audit event
      - name: TargetDisplayNames
        type: array
        description: Display names of the targets affected by the action
        element:
          type: string
      - name: TargetObjectIds
        type: array
        description: Object IDs of the targets affected by the action
        element:
          type: string
      - name: Targets
        type: array
        description: Affected targets and their modified properties
        element:
          type: object
          fields:
            - name: Name
              type: string
              description: Name of the affected target
            - name: ModifiedProperties
              type: array
              description: Properties that were modified
              element:
                type: object
                fields:
                  - name: Name
                    type: string
                    description: Name of the property modified
                  - name: Old
                    type: string
                    description: Old value before modification
                  - name: New
                    type: string
                    description: New value after modification
  - name: records
    type: array
    description: Nested records that provide additional details
    element:
      type: object
      fields:
        - name: category
          type: string
          description: Category of the nested event
        - name: correlationId
          type: string
          description: Correlation ID for nested event
        - name: identity
          type: string
          indicators:
            - email
          description: Identity involved in the nested event
        - name: operationName
          type: string
          description: Operation performed in the nested event
        - name: properties
          type: object
          description: Additional data about the nested event
          fields:
            - name: ActivityDate
              type: timestamp
              timeFormats:
                - rfc3339
              description: When the activity occurred
            - name: ActivityResultStatus
              type: bigint
              description: Result status code
            - name: ActivityType
              type: bigint
              description: Type of the activity
            - name: Actor
              type: object
              description: Actor info
              fields:
                - name: Application
                  type: string
                  description: Actor application ID
                - name: ApplicationName
                  type: string
                  description: Actor application name
                - name: ObjectId
                  type: string
                  description: Actor object ID
                - name: UPN
                  type: string
                  indicators:
                    - email
                  description: Actor UPN
                - name: ActorType
                  type: bigint
                  description: Type of actor
                - name: IsDelegatedAdmin
                  type: boolean
                  description: Is the actor a delegated admin
                - name: PartnerTenantId
                  type: string
                  description: Partner tenant ID
                - name: UserPermissions
                  type: array
                  description: Permissions of the actor
                  element:
                    type: string
            - name: AdditionalDetails
              type: string
              description: Additional context
            - name: AuditEventId
              type: string
              description: Audit event ID
            - name: Category
              type: bigint
              description: Numeric category code
            - name: TargetDisplayNames
              type: array
              description: Names of affected targets
              element:
                type: string
            - name: TargetObjectIds
              type: array
              description: IDs of affected targets
              element:
                type: string
            - name: Targets
              type: array
              description: Detailed info about the targets
              element:
                type: object
                fields:
                  - name: Name
                    type: string
                    description: Target name
                  - name: ModifiedProperties
                    type: array
                    description: Modified properties
                    element:
                      type: object
                      fields:
                        - name: Name
                          type: string
                          description: Name of the property modified
                        - name: Old
                          type: string
                          description: Old value before modification
                        - name: New
                          type: string
                          description: New value after modification
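
The Actor, Targets and ModifiedProperties fields above are what a detection would key on. The following is an added example, not Panther's own code or a rule shipped with this log source: a Panther-style detection that alerts when a delegated admin acting from a partner tenant makes a configuration change, and flattens the changed properties for triage. Assumptions not taken from the page: rule(), title() and alert_context() follow Panther's rule-function conventions; deep_get() is a local stand-in for the helper Panther supplies; WRITE_VERBS is a constructed list of leading verbs in operationName values; the sample event, tenant IDs, application name and policy name are constructed placeholders.

```python
"""Added example (not Panther's own code): a detection over MicrosoftIntune.AuditLogs
events that flags configuration writes by a delegated admin from a partner tenant.
rule()/title()/alert_context() follow Panther's rule conventions; deep_get() is a local
stand-in for Panther's helper so the example runs offline."""
from typing import Any, Dict, List, Optional

# Leading verbs of operationName values treated as configuration writes (assumed set).
WRITE_VERBS = {"Create", "Patch", "Update", "Delete", "Assign", "Wipe", "Retire"}

# Constructed sample event shaped like the MicrosoftIntune.AuditLogs schema; all IDs are placeholders.
SAMPLE_EVENT: Dict[str, Any] = {
    "category": "AuditLogs",
    "operationName": "Patch DeviceCompliancePolicy",
    "tenantId": "00000000-0000-0000-0000-00000000000a",
    "resultType": "Success",
    "time": "2025-05-07T22:27:19Z",
    "identity": "partner.admin@example.com",
    "properties": {
        "ActivityType": 1,
        "Actor": {
            "UPN": "partner.admin@example.com",
            "ApplicationName": "ExamplePortalApp",
            "IsDelegatedAdmin": True,
            "PartnerTenantId": "00000000-0000-0000-0000-00000000000b",
            "UserPermissions": ["DeviceManagementConfiguration.ReadWrite.All"],
        },
        "Targets": [
            {
                "Name": "Windows baseline compliance",
                "ModifiedProperties": [
                    {"Name": "PasswordRequired", "Old": "True", "New": "False"},
                    {"Name": "StorageRequireEncryption", "Old": "True", "New": "False"},
                ],
            }
        ],
    },
}


def deep_get(event: Dict[str, Any], *keys: str, default: Any = None) -> Any:
    """Walk nested dicts; return default when any key is missing or the value is None."""
    cur: Any = event
    for key in keys:
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return default if cur is None else cur


def is_write_operation(operation_name: Optional[str]) -> bool:
    """True when operationName starts with a verb that changes configuration."""
    if not operation_name:
        return False
    return operation_name.split(" ", 1)[0] in WRITE_VERBS


def is_cross_tenant_delegated_actor(event: Dict[str, Any]) -> bool:
    """True when the actor is a delegated admin whose partner tenant differs from the event tenant."""
    actor = deep_get(event, "properties", "Actor", default={})
    if not actor.get("IsDelegatedAdmin"):
        return False
    partner_tenant = actor.get("PartnerTenantId")
    return bool(partner_tenant) and partner_tenant != event.get("tenantId")


def summarize_changes(event: Dict[str, Any]) -> List[str]:
    """Flatten Targets[].ModifiedProperties[] into 'Target.Property: old -> new' lines."""
    lines: List[str] = []
    for target in deep_get(event, "properties", "Targets", default=[]) or []:
        if not isinstance(target, dict):
            continue
        for prop in target.get("ModifiedProperties") or []:
            lines.append(
                f"{target.get('Name')}.{prop.get('Name')}: {prop.get('Old')!r} -> {prop.get('New')!r}"
            )
    return lines


def rule(event: Dict[str, Any]) -> bool:
    """Alert on configuration writes by a delegated admin from a partner tenant.
    Failed attempts are kept: resultType is surfaced in the context, not filtered on."""
    if event.get("category") != "AuditLogs":
        return False
    return is_write_operation(event.get("operationName")) and is_cross_tenant_delegated_actor(event)


def title(event: Dict[str, Any]) -> str:
    actor = deep_get(event, "properties", "Actor", "UPN", default=event.get("identity") or "<unknown actor>")
    return f"Intune: delegated admin {actor} from partner tenant ran '{event.get('operationName')}'"


def alert_context(event: Dict[str, Any]) -> Dict[str, Any]:
    return {
        "actor_upn": deep_get(event, "properties", "Actor", "UPN"),
        "partner_tenant_id": deep_get(event, "properties", "Actor", "PartnerTenantId"),
        "application": deep_get(event, "properties", "Actor", "ApplicationName"),
        "result": event.get("resultType"),
        "result_description": event.get("resultDescription"),
        "correlation_id": event.get("correlationId"),
        "changes": summarize_changes(event),
    }
```

The rule deliberately compares PartnerTenantId with tenantId rather than alerting on IsDelegatedAdmin alone, so in-tenant delegated administration stays quiet while changes originating from an outside tenant are surfaced together with the exact property transitions.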

MicrosoftIntune.Devices

schema: MicrosoftIntune.Devices
description: Device inventory and status information for Intune enrolled and managed devices
referenceURL: https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/intunedevices
fields:
  - name: Tenant
    type: string
    description: The tenant ID of the organization
  - name: _TimeReceivedBySvc
    type: timestamp
    timeFormats:
      - rfc3339
    description: The time when the event was received by the service
  - name: category
    required: true
    type: string
    description: The category of the device event
    validate:
      allow: ['Devices']
  - name: operationName
    type: string
    description: Name of the operation associated with the device event
  - name: tenantId
    type: string
    description: The tenant ID where the device event occurred
  - name: time
    required: true
    type: timestamp
    isEventTime: true
    timeFormats:
      - rfc3339
    description: Time when the device event occurred
  - name: resultType
    type: string
    description: Result of the device operation (e.g., Success, Failure)
  - name: properties
    type: object
    description: Additional metadata and context about the device event
    fields:
      - name: Stats
        type: object
        description: Aggregate statistics about the device query
        fields:
          - name: RecordCount
            type: bigint
            description: Number of records returned in the event
      - name: GraphDeviceIsManaged
        type: boolean
        description: Indicates if the device is managed via Microsoft Graph
      - name: AADTenantId
        type: string
        description: Azure Active Directory tenant ID
      - name: AndroidPatchLevel
        type: string
        description: Android patch level of the device
      - name: CategoryName
        type: string
        description: Category name assigned to the device
      - name: CompliantState
        type: string
        description: Compliance state of the device
      - name: CreatedDate
        type: timestamp
        timeFormats:
          - rfc3339
          - '%Y-%m-%d %H:%M:%S.%N'
        description: Date and time when the device entry was created
      - name: DeviceId
        type: string
        description: Unique identifier of the device
      - name: DeviceName
        type: string
        description: Name of the device
      - name: DeviceRegistrationState
        type: string
        description: Registration state of the device
      - name: DeviceState
        type: string
        description: State of the device
      - name: EasID
        type: string
        description: Exchange ActiveSync ID of the device
      - name: EncryptionStatusString
        type: string
        description: Encryption status of the device
      - name: IMEI
        type: string
        description: International Mobile Equipment Identity of the device
      - name: InGracePeriodUntil
        type: timestamp
        timeFormats:
          - rfc3339
          - '%Y-%m-%d %H:%M:%S.%N'
        description: End time of the grace period for compliance
      - name: JailBroken
        type: string
        description: Indicates if the device is jailbroken
      - name: JoinType
        type: string
        description: Join type of the device (e.g., Azure AD joined)
      - name: LastContact
        type: timestamp
        timeFormats:
          - rfc3339
          - '%Y-%m-%d %H:%M:%S.%N'
        description: Last time the device contacted Intune
      - name: MEID
        type: string
        description: Mobile Equipment Identifier of the device
      - name: ManagedBy
        type: string
        description: Management authority of the device
      - name: ManagedDeviceName
        type: string
        description: Managed name of the device
      - name: Manufacturer
        type: string
        description: Manufacturer of the device
      - name: Model
        type: string
        description: Model of the device
      - name: OS
        type: string
        description: Operating system of the device
      - name: OSVersion
        type: string
        description: Operating system version of the device
      - name: Ownership
        type: string
        description: Ownership type of the device (e.g., Company, Personal)
      - name: PhoneNumber
        type: string
        description: Phone number associated with the device
      - name: PrimaryUser
        type: string
        description: Primary user of the device
      - name: ReferenceId
        type: string
        description: Reference ID of the device
      - name: SerialNumber
        type: string
        description: Serial number of the device
      - name: SkuFamily
        type: string
        description: SKU family of the device
      - name: StorageFree
        type: bigint
        description: Free storage space on the device in bytes
      - name: StorageTotal
        type: bigint
        description: Total storage capacity of the device in bytes
      - name: SubscriberCarrierNetwork
        type: string
        description: Subscriber carrier network of the device
      - name: SupervisedStatusString
        type: string
        description: Supervised status of the device
      - name: UPN
        type: string
        indicators:
          - email
        description: User Principal Name of the assigned user
      - name: UserEmail
        type: string
        indicators:
          - email
        description: Email address of the assigned user
      - name: UserName
        type: string
        indicators:
          - username
        description: Name of the assigned user
      - name: WifiMacAddress
        type: string
        indicators:
          - mac
        description: Wi-Fi MAC address of the device
      - name: BatchId
        type: string
        description: Identifier for the batch this device record belongs to
      - name: IntuneAccountId
        type: string
        description: Internal account ID used by Intune

MicrosoftIntune.DeviceComplianceOrg

schema: MicrosoftIntune.DeviceComplianceOrg
description: Organization-level device compliance events from Microsoft Intune
referenceURL: https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/intunedevicecomplianceorg
fields:
  - name: Tenant
    type: string
    description: The tenant ID of the organization
  - name: _TimeReceivedBySvc
    type: timestamp
    timeFormats:
      - rfc3339
    description: The time when the event was received by the service
  - name: category
    required: true
    type: string
    description: The category of the device compliance event
    validate:
      allow: ['DeviceComplianceOrg']
  - name: operationName
    type: string
    description: Name of the operation associated with the compliance event
  - name: tenantId
    type: string
    description: The tenant ID where the compliance event occurred
  - name: time
    required: true
    type: timestamp
    isEventTime: true
    timeFormats:
      - rfc3339
    description: Time when the compliance event occurred
  - name: resultType
    type: string
    description: Result of the compliance operation (e.g., Success, Failure)
  - name: properties
    type: object
    description: Additional metadata and context about the compliance event
    fields:
      - name: Stats
        type: object
        description: Aggregate statistics about the compliance query
        fields:
          - name: RecordCount
            type: bigint
            description: Number of records returned in the event
      - name: AADTenantId
        type: string
        description: Azure AD tenant ID
      - name: BatchId
        type: string
        description: ID representing the batch this device compliance result belongs to
      - name: ComplianceState
        type: string
        description: Compliance state of the device
      - name: ComplianceState_loc
        type: string
        description: Localized description of the compliance state
      - name: DeviceHealthThreatLevel
        type: bigint
        description: Threat level reported by the device
      - name: DeviceHealthThreatLevel_loc
        type: string
        description: Localized description of the device's threat level
      - name: DeviceId
        type: string
        description: Unique identifier of the device
      - name: DeviceName
        type: string
        description: Name of the device
      - name: DeviceType
        type: bigint
        description: Type of the device (e.g., desktop, mobile)
      - name: IMEI
        type: string
        description: IMEI of the device if applicable
      - name: InGracePeriodUntil
        # kept as a string: exported values look like 9999-12-31 23:59:59.0000000 (seven fractional digits), which the supported timestamp formats do not parse
        type: string
        description: Timestamp indicating end of grace period for compliance
      - name: LastContact
        # kept as a string: exported values look like 2025-05-07 22:27:19.0000000 (seven fractional digits), which the supported timestamp formats do not parse
        type: string
        description: Last time the device contacted Intune
      - name: ManagementAgents
        type: bigint
        description: Agent type used to manage the device
      - name: ManagementAgents_loc
        type: string
        description: Localized management agent name
      - name: OS
        type: string
        description: Operating system name (e.g., Windows, iOS)
      - name: OSDescription
        type: string
        description: Friendly description of the OS
      - name: OSVersion
        type: string
        description: Operating system version
      - name: OS_loc
        type: string
        description: Localized name of the OS
      - name: OwnerType
        type: bigint
        description: Ownership classification of the device (e.g., company, personal)
      - name: OwnerType_loc
        type: string
        description: Localized description of the ownership type
      - name: RetireAfterDatetime
        type: timestamp
        timeFormats:
          - rfc3339
        description: Time when the device is scheduled to be retired
      - name: SerialNumber
        type: string
        description: Serial number of the device
      - name: UPN
        type: string
        indicators:
          - email
        description: User Principal Name of the assigned user
      - name: UserEmail
        type: string
        indicators:
          - email
        description: Email address of the assigned user
      - name: UserId
        type: string
        description: Identifier of the assigned user
      - name: UserName
        type: string
        indicators:
          - username
        description: Name of the assigned user
      - name: IntuneAccountId
        type: string
        description: Internal account ID used by Intune
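
Both the MicrosoftIntune.Devices schema and the MicrosoftIntune.DeviceComplianceOrg schema above carry LastContact and InGracePeriodUntil values, and the schema comments note that the seven-fractional-digit form (2025-05-07 22:27:19.0000000) does not parse as a timestamp. The following is an added example, not Panther's own code: a parser that accepts that form by truncating to the six fractional digits Python supports, plus a check that uses the parsed values to list non-compliant devices that have stopped checking in. Assumptions not taken from the page: the 9999-12-31 23:59:59 value is read as "no grace period set"; the 30-day silence threshold, the fixed reference time, the record shapes and every device name are constructed.

```python
"""Added example (not Panther's own code): parse Intune date strings with seven
fractional digits and use them to find stale non-compliant devices."""
from datetime import datetime, timedelta, timezone
from typing import Any, Dict, List, Optional

# Sentinel seen when no grace period applies (assumed meaning, based on the schema comment).
NO_GRACE_PERIOD = datetime(9999, 12, 31, 23, 59, 59, tzinfo=timezone.utc)
DEFAULT_MAX_SILENCE = timedelta(days=30)  # constructed threshold

# Fixed reference time so the example is reproducible offline (constructed).
NOW = datetime(2025, 6, 15, tzinfo=timezone.utc)

# Constructed records shaped like MicrosoftIntune.DeviceComplianceOrg events.
SAMPLE_RECORDS: List[Dict[str, Any]] = [
    {"category": "DeviceComplianceOrg", "properties": {
        "DeviceName": "LAPTOP-A", "ComplianceState": "NonCompliant",
        "LastContact": "2025-05-07 22:27:19.0000000",
        "InGracePeriodUntil": "9999-12-31 23:59:59.0000000"}},
    {"category": "DeviceComplianceOrg", "properties": {
        "DeviceName": "LAPTOP-B", "ComplianceState": "Compliant",
        "LastContact": "2025-06-14 08:00:00.1234567",
        "InGracePeriodUntil": "9999-12-31 23:59:59.0000000"}},
    {"category": "DeviceComplianceOrg", "properties": {
        "DeviceName": "LAPTOP-C", "ComplianceState": "InGracePeriod",
        "LastContact": "2025-06-10 12:00:00.0000000",
        "InGracePeriodUntil": "2025-06-01 00:00:00.0000000"}},
]


def parse_intune_datetime(value: Optional[str]) -> Optional[datetime]:
    """Parse 'YYYY-MM-DD HH:MM:SS[.fffffff]' (space or 'T' separator, optional trailing 'Z')
    into an aware UTC datetime. strptime's %f accepts at most six digits, so the seventh
    (100 ns) digit is truncated. Returns None for empty or unparseable input."""
    if not value:
        return None
    text = value.strip().rstrip("Z").replace("T", " ")
    fmt = "%Y-%m-%d %H:%M:%S"
    if "." in text:
        main, frac = text.split(".", 1)
        text = f"{main}.{(frac + '000000')[:6]}"
        fmt += ".%f"
    try:
        return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)
    except ValueError:
        return None


def grace_period_expired(record: Dict[str, Any], now: datetime = NOW) -> bool:
    """True when a grace period was set and has already passed."""
    until = parse_intune_datetime((record.get("properties") or {}).get("InGracePeriodUntil"))
    if until is None or until >= NO_GRACE_PERIOD:
        return False
    return now > until


def is_stale_noncompliant(record: Dict[str, Any], now: datetime = NOW,
                          max_silence: timedelta = DEFAULT_MAX_SILENCE) -> bool:
    """Non-compliant device whose last check-in is older than max_silence. A device with no
    parseable LastContact is treated as stale, since its state cannot be confirmed."""
    props = record.get("properties") or {}
    if props.get("ComplianceState") == "Compliant":
        return False
    last = parse_intune_datetime(props.get("LastContact"))
    if last is None:
        return True
    return now - last > max_silence


def find_stale_noncompliant(records: List[Dict[str, Any]], now: datetime = NOW,
                            max_silence: timedelta = DEFAULT_MAX_SILENCE) -> List[str]:
    """Device names of records that are non-compliant and silent beyond max_silence."""
    return [
        (r.get("properties") or {}).get("DeviceName", "<unknown>")
        for r in records
        if is_stale_noncompliant(r, now, max_silence)
    ]
```

Truncating to microseconds loses the 100 ns digit, which is irrelevant for check-in ages measured in days; the parser returns None rather than raising so that one malformed record does not abort a scheduled query over the whole table.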

MicrosoftIntune.OperationalLogs

schema: MicrosoftIntune.OperationalLogs
description: Intune operational logs capturing provisioning, enrollment, and ESP events
referenceURL: https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/intuneoperationallogs
fields:
  - name: Tenant
    type: string
    description: The tenant ID of the organization
  - name: _TimeReceivedBySvc
    type: timestamp
    timeFormats:
      - rfc3339
    description: The time when the log was received by the service
  - name: category
    required: true
    type: string
    description: The category of the operational log event
    validate:
      allow: ['OperationalLogs']
  - name: operationName
    type: string
    description: Name of the operation associated with the log
  - name: tenantId
    type: string
    description: Tenant ID where the event occurred
  - name: time
    required: true
    type: timestamp
    isEventTime: true
    timeFormats:
      - rfc3339
    description: Time when the operation occurred
  - name: resultType
    type: string
    description: Result of the operation (e.g., Success, Failure)
  - name: properties
    type: object
    description: Additional metadata and context about the operational event
    fields:
      - name: ESPPolicyId
        type: string
      - name: ESPPolicyName
        type: string
      - name: IsDeviceEspEnabled
        type: boolean
      - name: ZtdDeviceRegisteredTime
        type: timestamp
        timeFormats:
          - rfc3339
          - '%Y-%m-%dT%H:%M:%S.%N'
      - name: DeviceEspEndTime
        type: timestamp
        timeFormats:
          - rfc3339
      - name: SlaEventEndTime
        type: timestamp
        timeFormats:
          - rfc3339
      - name: ZtdDeviceSerialNumber
        type: string
      - name: DeviceEspStartTime
        type: timestamp
        timeFormats:
          - rfc3339
      - name: SlaEventStartTime
        type: timestamp
        timeFormats:
          - rfc3339
      - name: EnrollmentEndTime
        type: timestamp
        timeFormats:
          - rfc3339
      - name: EnrollmentStartTime
        type: timestamp
        timeFormats:
          - rfc3339
      - name: TimeDiff
        type: int
      - name: Status
        type: string
      - name: DidUserReachDesktop
        type: boolean
      - name: IsUserEspEnabled
        type: boolean
      - name: Stage
        type: string
      - name: TimeoutInMinutes
        type: int
      - name: AadDeviceId
        type: string
      - name: DeviceEspStatus
        type: bigint
      - name: DeviceId
        type: string
      - name: EnrollmentTypeMessage
        type: string
      - name: EspStatus
        type: bigint
      - name: EventId
        type: string
      - name: IsAutopilot
        type: boolean
      - name: IsDuringEsp
        type: bigint
      - name: Scope
        type: string
      - name: StartTime
        type: timestamp
        timeFormats:
          - rfc3339
          - '%Y-%m-%dT%H:%M:%S'
      - name: Timestamp
        type: timestamp
        timeFormats:
          - rfc3339
          - '%Y-%m-%dT%H:%M:%S'
      - name: UserEspStatus
        type: bigint
      - name: UserId
        type: string
      - name: Version
        type: string
      - name: EnrollmentTimeUTC
        type: timestamp
        timeFormats:
          - rfc3339
      - name: FailureCategory
        type: string
      - name: FailureReason
        type: string
      - name: MessageId
        type: string
      - name: Os
        type: string
      - name: OsVersion
        type: string
      - name: EnrollmentType
        type: string
      - name: AlertDisplayName
        type: string
      - name: AlertType
        type: string
      - name: Description
        type: string
      - name: DeviceDnsDomain
        type: string
      - name: DeviceHostName
        type: string
      - name: DeviceName
        type: string
      - name: DeviceNetBiosName
        type: string
      - name: DeviceOperatingSystem
        type: string
      - name: StartTimeUtc
        type: timestamp
        timeFormats:
          - rfc3339
      - name: UPNSuffix
        type: string
      - name: UserDisplayName
        type: string
      - name: UserName
        type: string
        indicators:
          - username
      - name: AADTenantId
        type: string
      - name: IntuneAccountId
        type: string
      - name: IntuneDeviceId
        type: string
      - name: IntuneUserId
        type: string
      - name: OperationalLogCategory
        type: string
      - name: ScaleUnit
        type: string
      - name: ScenarioName
        type: string

MicrosoftIntune.Windows365AuditLogs

schema: MicrosoftIntune.Windows365AuditLogs
description: Audit logs for Windows 365 activities from Microsoft Intune
referenceURL: https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/windows365auditlogs
fields:
  - name: Tenant
    type: string
    description: The tenant ID of the organization
  - name: _TimeReceivedBySvc
    type: timestamp
    timeFormats:
      - rfc3339
    description: The time when the log was received by the service
  - name: category
    required: true
    type: string
    description: The category of the Windows 365 audit log event
    validate:
      allow: ['Windows365AuditLogs']
  - name: operationName
    type: string
    description: Name of the operation associated with the log
  - name: tenantId
    type: string
    description: Tenant ID where the event occurred
  - name: time
    required: true
    type: timestamp
    isEventTime: true
    timeFormats:
      - rfc3339
    description: Time when the operation occurred
  - name: resultType
    type: string
    description: Result of the operation (e.g., Success, Failure)
  - name: properties
    type: object
    description: Additional metadata and context about the Windows 365 audit event
    fields:
      - name: ActivityId
        type: string
        description: The activity ID of the operation
      - name: ApplicationId
        type: string
        description: The caller application ID of the operation
      - name: ApplicationName
        type: string
        description: The application name of the operation
      - name: _BilledSize
        type: float
        description: The record size in bytes
      - name: BuildVersion
        type: string
        description: The build version of the operation
      - name: CallerExtendedProperties
        type: string
        description: Extended properties of the caller
      - name: ComponentName
        type: string
        description: The component name of the operation
      - name: _IsBillable
        type: string
        description: Indicates whether ingestion of this data is billable
      - name: OperationName
        type: string
        description: The name of the operation
      - name: OtherAuditEventProperties
        type: string
        description: Additional audit event details including correlation ID and category
      - name: OtherIdentityProperties
        type: string
        description: Identity details such as permission, display name, and scope tags
      - name: Pid
        type: string
        description: The PID of the operation
      - name: RelatedActivityId
        type: string
        description: The related activity ID
      - name: ResourceExtendedProperties
        type: string
        description: Extended resource details for the operation
      - name: _ResourceId
        type: string
        description: Resource ID associated with the log
      - name: Result
        type: string
        description: The result of the operation
      - name: ScenarioId
        type: string
        description: Scenario ID associated with the log
      - name: ScenarioInstanceId
        type: string
        description: Scenario instance ID for the operation
      - name: ServiceName
        type: string
        description: Name of the service that generated the log
      - name: SessionId
        type: string
        description: Session ID associated with the operation
      - name: SourceSystem
        type: string
        description: The agent type that collected the event (e.g., Azure, OpsManager)
      - name: _SubscriptionId
        type: string
        description: Subscription ID for the record
      - name: TenantId
        type: string
        description: Log Analytics workspace ID (tenant)
      - name: Tid
        type: string
        description: Tenant ID from the event
      - name: TimeGenerated
        type: timestamp
        isEventTime: true
        timeFormats:
          - rfc3339
        description: Time when the report was generated (UTC)
      - name: Type
        type: string
        description: Table name of the event (always Windows365AuditLogs)
      - name: UserId
        type: string
        description: ID of the user associated with the event
      - name: UserPrincipalName
        type: string
        indicators:
          - email
        description: UPN of the user associated with the event
