Microsoft Intune Integrated Into Query to Enrich Federated Search

Microsoft Intune

Utilizing Query’s integration with Microsoft’s GraphAPI, Query’s integration with Microsoft Intune allows analysts to do the following:

• Retrieves user Authentication details (severity, error codes, failure reason, etc) for a device
• Retrieves device information details (Hostname, compliance status, device id, etc) for enterprise devices registered with the Microsoft Intune service
• Retrieves metadata associated with devices registered with the Microsoft Intune service (network interface being utilized, operating system, and users on the device).

For example, the analyst could obtain the following context:

• Searching by the user’s hostname, i.e. hostname equals barbs_computer, the response would contain the user’s hardware information, to include its operating system version, its compliance state to Intune managed standards, an IP address, and even an IMEI if the device is a mobile device.
• Searching by a device’s IP, i.e. IP equals x.x.x.x , the response would provide all the usernames and hostnames that have been associated with that IP address.

To integrate Microsoft Intune, see integration documentation here.

The integration will normalize data pulled from Microsoft Intune, via the GraphAPI,  into Query’s OCSF based QDM (Query Data Model) which then enables cross-platform joins, compounding the analyst’s ability to investigate. Query normalizes Microsoft Intune data into QDM User and Device objects, and Authentication events. Analysts can see key device attributes like hostname, IMEI, IP Address, compliance state, MAC address, and subnet in the QDM user object. Additional metadata information from Intune, like CPU, Operating System, and OS Version is extracted into the QDM OS object.

With the federated join capabilities, the analyst can now see context on that entity pulled from additional data sources Query is integrated with. Based upon additional integrations in your environment, Query can show you:

• The user’s IP addresses.
• Additional alerts correlated with the user or the device, such as based upon email, web, or file activity.
• Relevant follow up searches to get vulnerability, malware, and threat intelligence information associated with related entities like files, processes, and applications on that device.