How to use Log Analytics on Endpoint Manager

Ever since I learned about KQL I have been fascinated by what it can do in the Azure Log Analytics space, and this is my attempt at plugging another service into Log Analytics to experiment with its logs. KQL has proven to be a clever tool for digging deeper into Log Analytics. Yes, the cat is out of the bag: Log Analytics is the engine behind all things KQL, and just like any other Log Analytics scenario, we have to connect Endpoint Manager to a Log Analytics workspace and let the events stream through.


How to Connect Endpoint Manager with a Log Analytics Workspace?

This is quite easy. First of all, though, you must have an Azure subscription and a Log Analytics workspace created in it. It is the same as creating any other resource in Azure: you provide the parameters and let Azure create the workspace for you. Please refer to this article on how to create the workspace.

So you now have a workspace. Let's see how you can connect your Endpoint Manager to it.

Go to Endpoint Manager > Tenant Administration > Diagnostics settings and you will see the page below.

Click on + Add diagnostic setting and the blade below will open.

A few things to note here:

  • Diagnostic setting name: Give a meaningful name for this configuration
  • Logs: Select what logs you need to stream to the Log Analytics Workspace
  • Destination details: Select Send to Log Analytics workspace
    • Select your Azure Subscription
    • Select the Workspace you created in the previous section

Once all done, press Save.

After this stage, your Endpoint Manager logs will start streaming to the Log Analytics workspace.

You will now see the Log Analytics instance as below.

KQL Time

Again, I'm not going to go through the KQL fundamentals. My goal is to show you what you can query and some use cases for it.

Click on the link in the Log Analytics workspace section shown in the figure above and it will take you to the workspace instance. Once you are there, go to Logs under General. If you look at the Log Management section, you will see the KQL tables of every service you have configured to stream logs to this workspace instance.

The tables you need for Endpoint Manager work are the following:

  • IntuneAuditLogs
  • IntuneDeviceComplianceOrg
  • IntuneDevices
  • IntuneOperationalLogs

As you may know, you can join these tables with other tables to get more comprehensive analytics results.

Eg1: Identify the "Corporate Owned" devices created in May 2022, along with the assigned user and the OS details

IntuneDevices
| where CreatedDate contains "2022-05"
| where Ownership == "Corporate"
| project DeviceName, OS, OSVersion, UserName, CreatedDate

My result shows only one device that has been enrolled as a Corporate Owned device.
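As an added example (not one of the author's queries), the join mentioned earlier carried through: Eg1's corporate-owned device list joined to IntuneDeviceComplianceOrg to surface devices whose latest record is not compliant. It assumes both tables share a DeviceId column and that the compliance table exposes ComplianceState and LastContact; those column names are assumptions, so check them in the schema pane before running.

```kql
// Added example, not from the original post. Column names DeviceId,
// ComplianceState and LastContact are assumptions about the table schemas.
IntuneDevices
| where Ownership == "Corporate"
| summarize arg_max(TimeGenerated, *) by DeviceId        // latest row per device
| project DeviceId, DeviceName, OS, OSVersion, UserName, CreatedDate
| join kind=leftouter (
    IntuneDeviceComplianceOrg
    | summarize arg_max(TimeGenerated, *) by DeviceId    // latest compliance record
    | project DeviceId, ComplianceState, LastContact
  ) on DeviceId
// leftouter keeps devices with no compliance record at all, which are
// worth a look on their own; isempty() catches those rows
| where isempty(ComplianceState) or ComplianceState != "Compliant"
| project DeviceName, OS, OSVersion, UserName, CreatedDate, ComplianceState, LastContact
| order by LastContact asc
```

A corporate device that never reported compliance shows up with an empty ComplianceState, which is usually more interesting than a plain "Noncompliant" row.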

Eg2: This simply shows the activities performed on Endpoint Manager objects and who executed them

IntuneAuditLogs
| where OperationName !contains "Assignment"
| parse Properties with * ',"TargetDisplayNames":["' Object '"],' *
| where Object != ""
| project TimeGenerated, Identity, OperationName, Object

Another quick query identifies any assignment changes on specific Endpoint Manager objects. Here I have a device configuration profile called "Domain Join Profile" and I want to see any changes that happened during the last 7 days and who made them.

IntuneAuditLogs
| where TimeGenerated > ago(7d)
| parse Properties with * '"TargetDisplayNames":["' IntuneProperty '"]' * ',"Targets":[{"ModifiedProperties":[{"' ModifiedProperties '],' *
| where IntuneProperty == "Domain Join Profile"
| project TimeGenerated, Identity, OperationName, IntuneProperty, ModifiedProperties

Eg3: Another good use case is policy assignment changes. If you need to know the assignment history of a policy, you can simply run the query below.

IntuneAuditLogs
| where OperationName contains "Assignment"
| parse Properties with * '"TargetDisplayNames":["' IntuneProperty '"' * 'Target.GroupId","' GroupAssignmentChanges '(' *
| where IntuneProperty == "Domain Join Profile"
| parse GroupAssignmentChanges with * 'New":"' NewAssignment
| project TimeGenerated, OperationName, IntuneProperty, Identity, NewAssignment
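An added example, not part of the original post, that covers the same audit-log use cases as the two queries above but reads Properties with parse_json instead of positional string parse, which silently drops rows whenever key order or spacing in the JSON changes. The TargetDisplayNames and Targets[].ModifiedProperties paths come from the fragments matched above; the Name and Old members of each modified property are assumptions.

```kql
// Added example, not from the original post. The "New" member is visible in
// Eg3's parse pattern; "Name" and "Old" are assumed member names.
let WatchedObjects = dynamic(["Domain Join Profile"]);   // profiles worth watching
IntuneAuditLogs
| where TimeGenerated > ago(7d)
| extend Props = parse_json(Properties)
// first display name of the object the operation targeted
| extend IntuneProperty = tostring(Props.TargetDisplayNames[0])
| where IntuneProperty in (WatchedObjects)
// one output row per modified property, assignment changes included
| mv-expand Change = Props.Targets[0].ModifiedProperties
| project TimeGenerated, Identity, OperationName, IntuneProperty,
          ChangedField = tostring(Change.Name),
          OldValue = tostring(Change.Old),
          NewValue = tostring(Change.New)
| order by TimeGenerated desc
```

Because every changed field becomes its own row, a summarize count() by Identity, IntuneProperty on top of this gives a quick view of who is touching watched profiles most often.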

Add Alerts

Adding alerts on top of these queries is a good way to keep a close eye on Endpoint Manager activity. This way the Endpoint admins receive notifications about any changes to the policies they have put under alerting.

I'm planning to cover adding alerts in the next article, as this article is all about how to get started with a Log Analytics workspace on Endpoint Manager and getting familiar with the KQL tables for querying Intune data.

Final Words

These are only a few of the many queries you can write and run to get details about Endpoint Manager that the standard GUI can't tell you. Keeping up with Log Analytics and KQL is a nice way to enhance your overall Azure knowledge and to dig a bit deeper into individual services, Endpoint Manager in this case.
