Skip to main content

Microsoft Intune

Microsoft Intune is a family of endpoint management solutions that enable you to protect and administer all your endpoints from a single place.

Microsoft Intune

This pack includes Cortex XSIAM content.

Note: The logs will be stored in the dataset named msft_azure_raw.
To filter a query to focus only on Microsoft Intune logs, use the following filters:

  • In XQL queries, use: |filter _collector_name=
  • In Datamodel queries, use: |xdm.observer.name=

Collect Events from Vendor

In order to use the collector, you need to use the following option:

To collect logs from Microsoft Intune, use the information described here to configure log streaming from Microsoft Intune to Azure Event Hub.

  • Pay attention: Timestamp parsing is available for the default UTC (+0000) format for Microsoft Intune.

Azure Event Hub Integration

To create or configure the Azure Event Hub collector (to collect the logs you sent to Azure Event Hub), use the information described here.

PUBLISHER

Cortex

PLATFORMS

Cortex XSIAM

INFO

CertificationRead more
Supported ByCortex
CreatedMarch 14, 2023
Last ReleaseJuly 25, 2023
DISCLAIMER
Content packs are licensed by the Publisher identified above and subject to the Publisher’s own licensing terms. Palo Alto Networks is not liable for and does not warrant or support any content pack produced by a third-party Publisher, whether or not such packs are designated as “Palo Alto Networks-certified” or otherwise. For more information, see the Marketplace documentation.