Microsoft Intune Compliance & Device Logs

Cloud & SaaS, System Configuration, Cloud Control Plane, SIEM / Log Aggregator

Location

Microsoft Intune Admin Center > Devices > Monitor (or Microsoft Graph API /deviceManagement)

Description

Intune device management logs capturing device compliance state, configuration profile deployment results, app installation status, device enrollment events, remote action execution (wipe, lock, retire), and discovered application inventory.

Forensic Value

Intune logs reveal the security posture of endpoints during a breach. Non-compliant device status indicates missing patches, disabled encryption, or outdated antivirus that enabled the compromise. Device enrollment events from unexpected locations suggest attacker device registration. Remote wipe and lock action logs document containment actions taken during incident response. Application inventory identifies which apps were installed on compromised devices without requiring direct endpoint access.

Tools Required

Microsoft Intune Admin Center, Microsoft Graph API, PowerShell (Microsoft.Graph.Intune), SIEM (Sentinel)

Collection Commands

Graph API

GET https://graph.microsoft.com/v1.0/deviceManagement/managedDevices?$filter=complianceState eq 'noncompliant'&$select=deviceName,userPrincipalName,complianceState,lastSyncDateTime,osVersion

Graph API

GET https://graph.microsoft.com/v1.0/deviceManagement/detectedApps?$top=999&$select=displayName,version,deviceCount

PowerShell

Get-MgDeviceManagementManagedDevice -Filter "complianceState eq 'noncompliant'" -Property DeviceName,UserPrincipalName,ComplianceState,LastSyncDateTime | Export-Csv noncompliant_devices.csv -NoTypeInformation
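Added collection script (not part of the original entry) that combines the queries above into a paged pull: the noncompliant-device export gains stale-sync and recent-enrollment flags, and the detected-app inventory is paged with -All instead of $top=999. It assumes the Microsoft.Graph.DeviceManagement module, the DeviceManagementManagedDevices.Read.All scope, and a 7-day threshold chosen here for illustration.

```powershell
# Added example: paged Intune collection for triage. Requires Microsoft.Graph.DeviceManagement.
# Without -All, Get-Mg* cmdlets return only the first page of results.
Connect-MgGraph -Scopes "DeviceManagementManagedDevices.Read.All" -NoWelcome

$staleDays = 7                               # assumption: 7 days without check-in counts as stale
$cutoff    = (Get-Date).AddDays(-$staleDays)

# Noncompliant devices, all pages. Id must be selected explicitly when -Property is used.
$devices = Get-MgDeviceManagementManagedDevice -All `
    -Filter "complianceState eq 'noncompliant'" `
    -Property Id,DeviceName,UserPrincipalName,ComplianceState,LastSyncDateTime,EnrolledDateTime,OSVersion

$report = foreach ($d in $devices) {
    [PSCustomObject]@{
        DeviceName       = $d.DeviceName
        User             = $d.UserPrincipalName
        OSVersion        = $d.OSVersion
        EnrolledDateTime = $d.EnrolledDateTime
        LastSyncDateTime = $d.LastSyncDateTime
        # A stale device has not reported posture since the cutoff; its compliance state is not current.
        StaleSync        = ($d.LastSyncDateTime -lt $cutoff)
        # Recently enrolled and already noncompliant: review the enrollment in Entra sign-in logs.
        RecentEnrollment = ($d.EnrolledDateTime -gt $cutoff)
    }
}
$report | Export-Csv noncompliant_devices.csv -NoTypeInformation

# Discovered application inventory across all pages, most widespread apps first.
Get-MgDeviceManagementDetectedApp -All -Property Id,DisplayName,Version,DeviceCount |
    Select-Object DisplayName,Version,DeviceCount |
    Sort-Object DeviceCount -Descending |
    Export-Csv detected_apps.csv -NoTypeInformation
```

The two CSV files can be ingested into the SIEM alongside the Intune export so that device posture is joined to the incident timeline.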

MITRE ATT&CK Techniques

T1562.001, T1098, T1078.004, T1484