DISA STIGS Viewer

Microsoft Intune service must be configured to transfer Intune logs to another server for storage, analysis, and reporting at least every seven days.

Overview

Finding ID: V-267334
Version: MSIN-24-000370
Rule ID: SV-267334r1025801_rule
IA Controls:
Severity: Medium

Description
Note: UEM server logs include logs of UEM events and logs transferred to Microsoft Intune service by UEM agents of managed devices.

Protection of log data includes ensuring log data is not accidentally lost or deleted. Backing up audit records to a different system or onto separate media than the system being audited on an organizationally defined frequency helps ensure, in the event of a catastrophic system failure, the audit records will be retained. This helps to ensure a compromise of the information system being audited does not also result in a compromise of the audit records.

This requirement only applies to applications that have a native backup capability for audit records. Operating system backup requirements cover applications that do not provide native backup functions.

Satisfies: FAU_STG_EXT.1.1, FMT_SMF.1.1(2) Refinement b, FMT_SMF.1.1(2) c.8

Satisfies: SRG-APP-000125-UEM-000074, SRG-APP-000275-UEM-000157, SRG-APP-000358-UEM-000228

STIG: Microsoft Intune Service Desktop Security Technical Implementation Guide
Date: 2024-10-04

Details

Check Text (C-71258r1025475_chk)
Verify the site is scheduling audit log backups at least every seven days.

Since, at this time, offloading Intune audit logs is a manual process, verify the site is periodically (at least every seven days) offloading Intune logs.

If Microsoft Intune is not set to transfer Microsoft Intune server logs to another server for storage, analysis, and reporting at least every seven days, this is a finding.
Fix Text (F-71161r1025800_fix)
Configure the Microsoft Intune server to transfer Microsoft Intune server logs to another server for storage, analysis, and reporting at least every seven days.

Intune audit logs can be sent to many locations, including Azure Monitor services or a third-party audit management server. If sending Intune audit logs to Azure Monitor, follow the setup instructions listed here: https://docs.microsoft.com/en-us/mem/intune/fundamentals/review-logs-using-azure-monitor.

To manually offload audit logs to an audit log management server, follow these instructions:

1. Log in to the console.

2. Select "Tenant Administration".

3. Select "Audit Logs".

4. Select "Export".

This exports a .csv file with audit data. Other methods can be used to archive the .csv files.
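
Because the offload is manual, the seven-day interval in the check text can be audited from the archive itself. The following is an added example, not part of the STIG or of any Microsoft tooling: it assumes the exported .csv files are kept in one directory on the log management server and that each file's modification time is the time it was offloaded; the directory path and function names are hypothetical.

```python
"""Audit the cadence of archived Intune audit-log exports (added example)."""
from datetime import datetime, timedelta, timezone
from pathlib import Path

MAX_GAP = timedelta(days=7)  # interval required by the check text


def export_times(archive_dir):
    """Return sorted UTC modification times of the .csv exports in archive_dir.

    Assumption: a file's mtime is the time it was offloaded. Copy tools that
    reset or preserve timestamps differently will skew the result.
    """
    return sorted(
        datetime.fromtimestamp(p.stat().st_mtime, tz=timezone.utc)
        for p in Path(archive_dir).glob("*.csv")
    )


def find_gaps(times, now, max_gap=MAX_GAP):
    """Return (start, end) pairs where consecutive offloads exceed max_gap.

    The interval from the newest export to `now` is included, so an archive
    that has gone stale is reported. An empty archive yields (None, now).
    """
    if not times:
        return [(None, now)]
    points = sorted(times) + [now]
    return [(a, b) for a, b in zip(points, points[1:]) if b - a > max_gap]


def audit(archive_dir, now=None):
    """Return every gap longer than seven days for the given archive."""
    now = now or datetime.now(timezone.utc)
    return find_gaps(export_times(archive_dir), now)


if __name__ == "__main__":
    import sys
    # Hypothetical usage: python audit_cadence.py /path/to/intune-exports
    gaps = audit(sys.argv[1] if len(sys.argv) > 1 else ".")
    for start, end in gaps:
        print(f"FINDING: no export between {start} and {end}")
    print("compliant" if not gaps else f"{len(gaps)} gap(s) over seven days")
```

A gap of exactly seven days is treated as compliant; anything longer, including the time elapsed since the newest export, is reported as a finding.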