Introduction

In my last post I talked about Intune automation enlightenment with Azure Logic Apps. This time we will take a look on event based triggering to notify for alerting purposes or run Logic apps or other automation tools.

Components

  • Azure Log Analytics Workspace provides the ability to store Intune audit data and query it with KQL.
  • Azure alert rules enable us to bring in a logic to be triggered on an event.
  • Azure action groups can notify individual recipients thorugh multiple channels or trigger other actions like Automation Runbooks, Azure Functions or Logic Apps etc.

Concept flow

So this is a sample for a concept flow on how to use these features. Please note that this post only introduces the functionality and that there are a lot more use cases that may be more useful.

  1. When an admin performs any action, that will create an Audit event. (Similar to all other events in Intune including data from OperationalLogs, DeviceComplianceOrg and Devices)

  2. The Audit logs will be forwarded to a Log Analytics Workspace

  3. The Alert rule is configured with a condition for custom log searches. This happens on a periodic basis. If the log search matches a custom defined threshold, the alert rule is triggered.

  4. The action group makes a notification or starts other actions.

  5. Optional: an Azure Logic App could take further actions.

    concept-flow.drawio-2.png


Step-by-step instruction

Alert rule

First of all navigate to Azure Monitor>Alerts and click on Create > Alert rule.

create-alert-rule.png

Select a scope -> this should be the resource path to your Log Analytics Workspace.

alert-rule-scope.png
Add a condition > Custom log search. (there are already many predefined for other security related Azure activities)

alert-rule-condition.png

Next insert your custom KQL query that returns you the values or events that you need. I used an example to detect changes on Security baseline profiles.

IntuneAuditLogs
| where OperationName contains "Patch DeviceManagementIntent"

alert-rule-condition-details.png

  • Measurement
    • Measure returned table rows or do a calculation on any numeric column, or simply put, the value
    • Aggregation type is the measurement type (count, average, minimum, maximum)
    • Aggregation granularity is the interval of which time the log results are used/groups (last xy minutes)
  • Optional: Split dimensions allow to monitor for the same condition on multiple Azure resources
  • Alert logic
    • Operator is to compare with the threshold value
    • Threshold value is the reference value
    • Frequency of evaluation chooses how often the alert rule will be run

Then, the action group must be selected or alternatively can be created.

alert-rule-actions.png

Simple action group

The action group creation is also straightforward. Basically it only has the use to define different notification recipients and to select action types that will be triggered.

action-group-basics.png

First up; the notifications, where we can choose if we want to notify the built-in Azure Resource Manager Role or notify own recipients.

action-group-notifications.png

Next, there are a set of action types - but you can also skip this. In the example below, I showcased a Logic App action.

action-group-actions-1.png

Last you need to enter some details and severity level to the alert rule.

alert-rule-details.png

Result: mail notification

This resulted in the following email sent to me. I also customized the description of the alert rule to make it a little more understandable. Unfortunately you can't supply more information.

alert-rule-mail.png


Logic app action trigger

In this example I will add a Logic App action to the action group. You only need to select the Azure subscription and desired Logic App - it will automatically resolve the webhook that will be hit up in the background.

action-group-logic-app.png

Result: webhook data

So if the action group was triggered, the Logic app run shows the webhook data. I think the most important ones are the link to the query, which might be used in further steps. (red lined)

webhook-results.png


Endpoint Management with Microsoft Intune
Welcome to this coast! Learn everything on Endpoint Management with Microsoft Intune to deploy, manage, secure and monitor endpoints from all platforms through the cloud. Introduction, experience and thoughts Introduction to the Microsoft Intune product familyIntroduction This post is recommended for any reader who is new to Intune or would
You’ve successfully subscribed to Oceanleaf
Welcome back! You’ve successfully signed in.
Great! You’ve successfully signed up.
Success! Your email is updated.
Your link has expired
Success! Check your email for magic link to sign-in.