{
  "name": "microsoft_intune",
  "title": "Microsoft Intune",
  "version": "0.1.0",
  "release": "beta",
  "description": "Collect logs from Microsoft Intune with Elastic Agent.",
  "type": "integration",
  "download": "/epr/microsoft_intune/microsoft_intune-0.1.0.zip",
  "path": "/package/microsoft_intune/0.1.0",
  "icons": [
    {
      "src": "/img/microsoft-intune-logo.svg",
      "path": "/package/microsoft_intune/0.1.0/img/microsoft-intune-logo.svg",
      "title": "Microsoft Intune logo",
      "size": "32x32",
      "type": "image/svg+xml"
    }
  ],
  "conditions": {
    "kibana": {
      "version": "^8.18.0 || ^9.0.0"
    },
    "elastic": {
      "subscription": "basic"
    }
  },
  "owner": {
    "type": "elastic",
    "github": "elastic/security-service-integrations"
  },
  "categories": [
    "security",
    "azure"
  ],
  "signature_path": "/epr/microsoft_intune/microsoft_intune-0.1.0.zip.sig",
  "format_version": "3.5.4",
  "readme": "/package/microsoft_intune/0.1.0/docs/README.md",
  "license": "basic",
  "screenshots": [
    {
      "src": "/img/microsoft-intune-managed-device-dashboard.png",
      "path": "/package/microsoft_intune/0.1.0/img/microsoft-intune-managed-device-dashboard.png",
      "title": "Managed Device Dashboard",
      "size": "600x600",
      "type": "image/png"
    },
    {
      "src": "/img/microsoft-intune-audit-dashboard.png",
      "path": "/package/microsoft_intune/0.1.0/img/microsoft-intune-audit-dashboard.png",
      "title": "Audit Dashboard",
      "size": "600x600",
      "type": "image/png"
    }
  ],
  "assets": [
    "/package/microsoft_intune/0.1.0/LICENSE.txt",
    "/package/microsoft_intune/0.1.0/changelog.yml",
    "/package/microsoft_intune/0.1.0/manifest.yml",
    "/package/microsoft_intune/0.1.0/validation.yml",
    "/package/microsoft_intune/0.1.0/docs/README.md",
    "/package/microsoft_intune/0.1.0/img/microsoft-intune-audit-dashboard.png",
    "/package/microsoft_intune/0.1.0/img/microsoft-intune-logo.svg",
    "/package/microsoft_intune/0.1.0/img/microsoft-intune-managed-device-dashboard.png",
    "/package/microsoft_intune/0.1.0/data_stream/audit/manifest.yml",
    "/package/microsoft_intune/0.1.0/data_stream/managed_device/manifest.yml",
    "/package/microsoft_intune/0.1.0/kibana/dashboard/microsoft_intune-adaf931d-1be6-4394-a046-35e1d1010f9e.json",
    "/package/microsoft_intune/0.1.0/kibana/dashboard/microsoft_intune-e39a0b69-4312-43b3-ae1f-3f0f4bf47bcd.json",
    "/package/microsoft_intune/0.1.0/data_stream/audit/fields/base-fields.yml",
    "/package/microsoft_intune/0.1.0/data_stream/audit/fields/beats.yml",
    "/package/microsoft_intune/0.1.0/data_stream/audit/fields/ecs.yml",
    "/package/microsoft_intune/0.1.0/data_stream/audit/fields/fields.yml",
    "/package/microsoft_intune/0.1.0/data_stream/managed_device/fields/base-fields.yml",
    "/package/microsoft_intune/0.1.0/data_stream/managed_device/fields/beats.yml",
    "/package/microsoft_intune/0.1.0/data_stream/managed_device/fields/ecs.yml",
    "/package/microsoft_intune/0.1.0/data_stream/managed_device/fields/fields.yml",
    "/package/microsoft_intune/0.1.0/data_stream/audit/agent/stream/azure_eventhub.yml.hbs",
    "/package/microsoft_intune/0.1.0/data_stream/audit/elasticsearch/ingest_pipeline/default.yml",
    "/package/microsoft_intune/0.1.0/data_stream/managed_device/agent/stream/azure_eventhub.yml.hbs",
    "/package/microsoft_intune/0.1.0/data_stream/managed_device/elasticsearch/ingest_pipeline/default.yml"
  ],
  "policy_templates": [
    {
      "name": "microsoft_intune",
      "title": "Microsoft Intune Logs",
      "description": "Collect logs from Microsoft Intune.",
      "inputs": [
        {
          "type": "azure-eventhub",
          "title": "Collect Microsoft Intune events via Azure Event Hub",
          "description": "Collect Microsoft Intune events via Azure Event Hub."
        }
      ],
      "multiple": true
    }
  ],
  "data_streams": [
    {
      "type": "logs",
      "dataset": "microsoft_intune.audit",
      "title": "Audit",
      "release": "beta",
      "ingest_pipeline": "default",
      "streams": [
        {
          "input": "azure-eventhub",
          "vars": [
            {
              "name": "eventhub",
              "type": "text",
              "title": "Azure Event Hub",
              "description": "The name of the Azure Event Hub to read from. Elastic recommends using one Azure Event Hub for each integration. Visit [Create an Azure Event Hub](https://docs.elastic.co/integrations/azure#create-an-event-hub) to learn more. Use Azure Event Hub names up to 30 characters long to avoid compatibility issues.",
              "multi": false,
              "required": true,
              "show_user": true
            },
            {
              "name": "consumer_group",
              "type": "text",
              "title": "Consumer Group",
              "description": "The name of the Event Hub consumer group to read from. We recommend using a dedicated consumer group for the Azure Event Hub input. Reusing consumer groups among non-related consumers can cause unexpected behavior and possibly lost events.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "$Default"
            },
            {
              "name": "connection_string",
              "type": "password",
              "title": "Connection String",
              "description": "The connection string required to communicate with Azure Event Hubs. See [Get an Azure Event Hubs connection string](https://docs.microsoft.com/en-us/azure/event-hubs/event-hubs-get-connection-string) to learn more.",
              "multi": false,
              "required": true,
              "show_user": true
            },
            {
              "name": "storage_account",
              "type": "text",
              "title": "Storage Account",
              "description": "The name of the storage account where the consumer group's state/offsets will be stored and updated.",
              "multi": false,
              "required": true,
              "show_user": true
            },
            {
              "name": "storage_account_key",
              "type": "password",
              "title": "Storage Account Key",
              "description": "The storage account key will be used to authorise access to data in your storage account.",
              "multi": false,
              "required": true,
              "show_user": true
            },
            {
              "name": "storage_account_container",
              "type": "text",
              "title": "Storage Account Container",
              "description": "The storage account container where the integration stores the checkpoint data for the consumer group. It is an advanced option to use with extreme care. You must use a dedicated storage account container for each Azure log type. Do not reuse the same container name for more than one Azure log type. See the Container Names section of Naming and Referencing Containers, Blobs, and Metadata (Azure Storage documentation) for details on naming rules from Microsoft. The integration generates a default container name if not specified.",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "resource_manager_endpoint",
              "type": "text",
              "title": "Resource Manager Endpoint",
              "description": "The base URL of the Azure Resource Manager API for your Azure cloud. By default, we are using the Azure public environment. To override this, users can provide a specific resource manager endpoint in order to use a different Azure environment.",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": true,
              "show_user": false,
              "default": [
                "forwarded",
                "microsoft_intune-audit"
              ]
            },
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserve a raw copy of the original event, added to the field `event.original`.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": false
            },
            {
              "name": "preserve_duplicate_custom_fields",
              "type": "bool",
              "title": "Preserve duplicate custom fields",
              "description": "Preserve microsoft_intune.audit fields that were copied to Elastic Common Schema (ECS) fields.",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": false
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.",
              "multi": false,
              "required": false,
              "show_user": false
            }
          ],
          "template_path": "azure_eventhub.yml.hbs",
          "title": "logs via Azure Event Hub",
          "description": "Collect logs via Azure Event Hub.",
          "enabled": true,
          "ingestion_method": "Azure Event Hub"
        }
      ],
      "package": "microsoft_intune",
      "path": "audit"
    },
    {
      "type": "logs",
      "dataset": "microsoft_intune.managed_device",
      "title": "Managed Device",
      "release": "beta",
      "ingest_pipeline": "default",
      "streams": [
        {
          "input": "azure-eventhub",
          "vars": [
            {
              "name": "eventhub",
              "type": "text",
              "title": "Azure Event Hub",
              "description": "The name of the Azure Event Hub to read from. Elastic recommends using one Azure Event Hub for each integration. Visit [Create an Azure Event Hub](https://docs.elastic.co/integrations/azure#create-an-event-hub) to learn more. Use Azure Event Hub names up to 30 characters long to avoid compatibility issues.",
              "multi": false,
              "required": true,
              "show_user": true
            },
            {
              "name": "consumer_group",
              "type": "text",
              "title": "Consumer Group",
              "description": "The name of the Event Hub consumer group to read from. We recommend using a dedicated consumer group for the Azure Event Hub input. Reusing consumer groups among non-related consumers can cause unexpected behavior and possibly lost events.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "$Default"
            },
            {
              "name": "connection_string",
              "type": "password",
              "title": "Connection String",
              "description": "The connection string required to communicate with Azure Event Hubs. See [Get an Azure Event Hubs connection string](https://docs.microsoft.com/en-us/azure/event-hubs/event-hubs-get-connection-string) to learn more.",
              "multi": false,
              "required": true,
              "show_user": true
            },
            {
              "name": "storage_account",
              "type": "text",
              "title": "Storage Account",
              "description": "The name of the storage account where the consumer group's state/offsets will be stored and updated.",
              "multi": false,
              "required": true,
              "show_user": true
            },
            {
              "name": "storage_account_key",
              "type": "password",
              "title": "Storage Account Key",
              "description": "The storage account key will be used to authorise access to data in your storage account.",
              "multi": false,
              "required": true,
              "show_user": true
            },
            {
              "name": "storage_account_container",
              "type": "text",
              "title": "Storage Account Container",
              "description": "The storage account container where the integration stores the checkpoint data for the consumer group. It is an advanced option to use with extreme care. You must use a dedicated storage account container for each Azure log type. Do not reuse the same container name for more than one Azure log type. See the Container Names section of Naming and Referencing Containers, Blobs, and Metadata (Azure Storage documentation) for details on naming rules from Microsoft. The integration generates a default container name if not specified.",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "resource_manager_endpoint",
              "type": "text",
              "title": "Resource Manager Endpoint",
              "description": "The base URL of the Azure Resource Manager API for your Azure cloud. By default, we are using the Azure public environment. To override this, users can provide a specific resource manager endpoint in order to use a different Azure environment.",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": true,
              "show_user": false,
              "default": [
                "forwarded",
                "microsoft_intune-managed_device"
              ]
            },
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserve a raw copy of the original event, added to the field `event.original`.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": false
            },
            {
              "name": "preserve_duplicate_custom_fields",
              "type": "bool",
              "title": "Preserve duplicate custom fields",
              "description": "Preserve microsoft_intune.managed_device fields that were copied to Elastic Common Schema (ECS) fields.",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": false
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.",
              "multi": false,
              "required": false,
              "show_user": false
            }
          ],
          "template_path": "azure_eventhub.yml.hbs",
          "title": "logs via Azure Event Hub",
          "description": "Collect logs via Azure Event Hub.",
          "enabled": true,
          "ingestion_method": "Azure Event Hub"
        }
      ],
      "package": "microsoft_intune",
      "path": "managed_device"
    }
  ]
}
