Microsoft Intune service must be configured to transfer Intune logs to another server for storage, analysis, and reporting at least every seven days.
Overview
Finding ID | Version | Rule ID | IA Controls | Severity |
--- | --- | --- | --- | --- |
V-273868 | MSIN-25-000370 | SV-273868r1101588_rule | | Medium |
Description

Note: UEM server logs include logs of UEM events and logs transferred to the Microsoft Intune service by UEM agents on managed devices.

Protection of log data includes ensuring log data is not accidentally lost or deleted. Backing up audit records to a different system, or onto separate media from the system being audited, at an organizationally defined frequency helps ensure the audit records are retained in the event of a catastrophic system failure. It also helps ensure that a compromise of the information system being audited does not also result in a compromise of the audit records.

This requirement only applies to applications that have a native backup capability for audit records. Operating system backup requirements cover applications that do not provide native backup functions.

Satisfies: SRG-APP-000125-UEM-000074, SRG-APP-000275-UEM-000157, SRG-APP-000358-UEM-000228
STIG | Date |
--- | --- |
Microsoft Intune MDM Service Desktop & Mobile Security Technical Implementation Guide | 2025-05-08 |
Details
Check Text (C-77959r1101586_chk)

Verify the site has configured Intune to off-load Intune logs to a third-party log management server or to an Azure log storage and monitoring service such as Azure Monitor. Verification procedures depend on the method used at the site. Ask the site Intune Administrator how logs are managed and have them demonstrate that Intune logs are being off-loaded.

If the site is off-loading Intune logs to Azure Monitor, do the following (refer to https://learn.microsoft.com/en-us/mem/intune-service/fundamentals/review-logs-using-azure-monitor):

1. Sign in to the Microsoft Intune admin center.
2. Select Reports >> Diagnostics settings.
3. Verify logs are being sent to Azure Monitor:
   a. A storage account has been configured.
   b. A stream has been configured to stream logs to Azure Event Hubs.
   c. Intune logs have been configured to be sent to Log Analytics.

If the site is not transferring Intune audit logs to a third-party audit log management server or to an Azure audit log storage and monitoring service, this is a finding.
Fix Text (F-77864r1101587_fix)

There are many methods for off-loading Intune logs, including downloading them to a third-party log management server and sending them to Azure Storage, Event Hubs, or Log Analytics, all of which are part of Diagnostics settings in Intune. Procedures will vary depending on which log management process is used at the site.

If the site is sending logs to Azure Monitor, follow the setup procedures found here: https://learn.microsoft.com/en-us/mem/intune-service/fundamentals/review-logs-using-azure-monitor

1. Sign in to the Microsoft Intune admin center.
2. Select Reports >> Diagnostics settings. The first time opening it, turn it on. Otherwise, add a setting. If the Azure subscription is not shown, navigate to the top right corner, select the signed-in account, and choose "Switch directory". Enter the Azure subscription account, if necessary.
3. Enter the following properties:
   - Name: Enter a name for the diagnostic settings. This setting includes all the properties entered. For example, enter "Route audit logs to storage account".
   - Archive to a storage account: Saves the log data to an Azure Storage account. To save or archive the data, choose this option, then select "Configure". Choose an existing storage account from the list, then click "OK".
   - Stream to an event hub: Streams the logs to Azure Event Hubs. To analyze log data with SIEM tools such as Splunk and QRadar, choose this option, then select "Configure". Choose an existing Event Hubs namespace and policy from the list, then click "OK".
   - Send to Log Analytics: Sends the data to Azure Log Analytics. To use visualizations, monitoring, and alerting for logs, choose this option, then select "Configure". Create a new workspace and enter the workspace details, or choose an existing workspace from the list, then click "OK".
   - LOG > AuditLogs: Choose this option to send the Intune audit logs to the storage account, Event Hubs, or Log Analytics. The audit logs show the history of every task that generates a change in Intune, including who did it and when. For more information, go to IntuneAuditLogs. Note: If using a storage account, enter how many days to keep the data (retention). To keep data forever, set Retention (days) to "0".
   - LOG > OperationalLogs: Operational logs show the success or failure of users and devices that enroll in Intune, and details on noncompliant devices. Choose this option to send the enrollment logs to the storage account, Event Hubs, or Log Analytics. For more information, go to IntuneOperationalLogs. To use a storage account, enter how many days to keep the data (retention). To keep data forever, set Retention (days) to "0".
   - LOG > DeviceComplianceOrg: Device compliance organizational logs show the organizational report for Device Compliance in Intune and details of noncompliant devices. Choose this option to send the compliance logs to the storage account, Event Hubs, or Log Analytics. For more information, go to IntuneDeviceComplianceOrg. To use a storage account, enter how many days to keep the data (retention). To keep data forever, set Retention (days) to "0".
   - LOG > IntuneDevices: The Intune Device log shows device inventory and status information for Intune enrolled and managed devices. Choose this option to send the IntuneDevices logs to the storage account, Event Hubs, or Log Analytics. For more reference information, go to IntuneDevices. Note: To use a storage account, enter how many days to keep the data (retention). To keep data forever, set Retention (days) to "0".
4. Save the changes. The setting is shown in the list. Once the settings are created, they can be changed by selecting Edit setting >> Save.
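As an added example (not part of the STIG or of any Microsoft tooling), the following Python evaluates an exported diagnostic-settings listing against the check above: it looks for an enabled AuditLogs category routed to at least one of the three destinations the check names in step 3 and reports the storage retention the fix text describes. It assumes the export has the standard Azure Monitor diagnostic-settings JSON shape (`storageAccountId`, `eventHubAuthorizationRuleId`, `workspaceId`, `logs[]`); the sample document is constructed.

```python
import json

# Constructed sample export (not real tenant data). It follows the Azure Monitor
# diagnostic-settings JSON shape: each setting has optional destination ids and a logs[] array.
SAMPLE_EXPORT = json.dumps({"value": [{
    "name": "Route audit logs to storage account",
    "properties": {
        "storageAccountId": "/subscriptions/<sub-id>/resourceGroups/rg-logs/providers/Microsoft.Storage/storageAccounts/stintunelogs",
        "eventHubAuthorizationRuleId": None,
        "workspaceId": "/subscriptions/<sub-id>/resourceGroups/rg-logs/providers/Microsoft.OperationalInsights/workspaces/law-intune",
        "logs": [
            {"category": "AuditLogs", "enabled": True, "retentionPolicy": {"enabled": True, "days": 0}},
            {"category": "OperationalLogs", "enabled": True, "retentionPolicy": {"enabled": True, "days": 90}},
            {"category": "DeviceComplianceOrg", "enabled": False, "retentionPolicy": {"enabled": False, "days": 0}},
        ],
    },
}]})

# The three destinations the STIG check (items 3a-3c) looks for, keyed by the JSON property that holds them.
DESTINATIONS = {
    "storageAccountId": "storage account",
    "eventHubAuthorizationRuleId": "event hub",
    "workspaceId": "Log Analytics workspace",
}

def evaluate(export_json: str) -> dict:
    """Evaluate an export; 'finding' stays True unless some setting routes an enabled AuditLogs category to a destination."""
    report = {"finding": True, "audit_routes": [], "notes": []}
    for setting in json.loads(export_json).get("value", []):
        name, props = setting.get("name", "<unnamed>"), setting.get("properties", {})
        dests = [label for key, label in DESTINATIONS.items() if props.get(key)]
        for log in props.get("logs", []):
            cat = log.get("category")
            if not log.get("enabled"):
                report["notes"].append(f"{name}: {cat} not enabled")
                continue
            if not dests:
                report["notes"].append(f"{name}: {cat} enabled but no destination configured")
                continue
            if cat == "AuditLogs":
                report["audit_routes"].extend(f"{name} -> {d}" for d in dests)
                report["finding"] = False
            # Storage retention: per the fix text, 0 days means the data is kept forever.
            if "storage account" in dests:
                days = log.get("retentionPolicy", {}).get("days", 0)
                kept = "forever" if days == 0 else f"{days} days"
                report["notes"].append(f"{name}: {cat} storage retention {kept}")
    return report

if __name__ == "__main__":
    print(json.dumps(evaluate(SAMPLE_EXPORT), indent=2))
```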