Endpoint Manager
  • 11 Sep 2023


To send Microsoft Endpoint Manager events to an external service such as Torq, you first send the events to an Azure service (Log Analytics, Event Hub, or Azure Storage (blob/data lake)) and then configure that service to forward the events to the external service.

This article explains how to use Azure Log Analytics to send Endpoint Manager events to Torq.

Image showing Endpoint Manager events sent to Azure Log Analytics and then to Torq via webhook.

Before you start

You'll need the following items set up before you start:

  • Azure Log Analytics tenant. If you don't have an existing tenant, follow the Microsoft instructions for creating a workspace.
  • Microsoft Endpoint Manager account (Intune)
  • Torq workspace

Create a Webhook integration in Torq

The generic webhook defines an endpoint in Torq where the events from Azure Log Analytics will be sent. When configuring which events to send to Torq, you'll enter the webhook URL in Azure Log Analytics.

  1. Log in to Torq.
  2. Go to Integrations > Triggers.
  3. Locate the Generic Webhook integration and click Add.
  4. Enter a meaningful name for the integration, such as Log_Analytics_Events.

Send Azure Endpoint Manager events to an Azure Log Analytics workspace

In Azure Endpoint Manager, you'll add a diagnostic setting that specifies which log types to send to Azure Log Analytics. You need an active Azure subscription to create a diagnostic setting.

  1. Log in to your Azure Endpoint Manager portal.
  2. From the left panel, click Tenant Administration > Diagnostic settings > Add diagnostic setting.
  3. When prompted, configure the log types you want to send and the Log Analytics workspace to send them to. For example, to send compliance notifications, select Operational Logs. For more information about the logs, see the Microsoft documentation.
    1. Audit Logs
    2. Operational Logs
    3. Device Compliance Org
    4. Devices
  4. Click Send to Log Analytics Workspace and select the relevant subscription and workspace.

Screenshot showing how to send Log Analytics Workspace to a subscription and workspace.

Send Azure Log Analytics events to Torq

After defining which events to send from Endpoint Manager to Log Analytics, you configure Log Analytics to send the event to Torq. You'll define an events query and configure an alert that will run the query and send the results to Torq via a webhook.

  1. Log in to your Log Analytics workspace.
  2. In the search bar, search for log analytics workspaces and select the service.
     Screenshot of searching for log analytics workspaces.
  3. Enter the log_resource_group, which is where you will send the events. In this example, it's called Logs.
     Screenshot showing where to enter the log resource group.
  4. Create a query and define an alert for the events you want to send to Torq.
    1. Click General > Logs. A window with predefined queries might appear; close it and continue.
    2. Define the query. For example, to send alerts for non-compliant endpoints, the query would be: IntuneOperationalLogs | where parse_json(Properties).AlertType == "Managed Device Not Compliant".
    3. Click Run. Modify the query if needed.
  5. In the same window where you created the query, click New alert rule.
     Screenshot showing how to create a new alert rule for logs.
  6. To configure the Condition, click the link "whenever the average custom log search is greater than" and set up the logic. (See below for an example of a condition.)
     Screenshot showing how to create a condition for the alert rule.
  7. Click Done.
  8. Create an action by clicking Add action groups > Create action group, then enter a meaningful name and a display name for the action group.
  9. Click Actions and under Action Type select Webhook.
  10. In the URI field enter the Torq webhook URL.
  11. (Optional) Select whether or not to Enable the common alert schema. Either way you'll receive the event, this option will only change the message syntax, it
  12. Click OK and after several minutes you will start receiving events in Torq.

Create a Torq workflow and view events

This workflow will ingest, parse, and manage the event from Log Analytics. The workflow will extract the DeviceHostName, UserName, and Description from the event, and send a message to the user of the compliance violation.

The event that arrives from Log Analytics is in JSON format, but it's the result of the previously defined query. In the JSON event, the Log Analytics events are an array in the SearchResult key and the number of events is the value of the ResultCount key. In the example below, our query had 2 results. Each event is an entry in SearchResult.tables.name.rows.

Screenshot of an event JSON.

  1. In Torq, go to Workflows and click Create Workflow.
  2. Click the trigger icon, select Webhook, and then select the webhook you created for Microsoft Endpoint Manager.
  3. Add and configure a Loop operator, which will iterate over every event.
    1. In the IN field, select {{ $.event.SearchResult.Tables.0.rows }}. The values for each event in the loop will be stored in the variables $.key (the iteration count from the loop, e.g., 1, 2, 3, 4) and $.value (the value inside the .rows record).
       Screenshot showing how to use the loop operator in the workflow.
  4. Within the loop, add the step Add data to context, which will save the defined event data to the workflow context.
    1. In the INPUT section, enter {{ $.value.5 }}. This is where the actual event is located.
  5. Add the Slack step Send a message to send a message to the user in violation of compliance.
     Screenshot of using the Slack send a message step in the workflow.
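The payload handling the workflow above performs, as an added Python example that is not part of this article or of Torq's own code: it parses a constructed sample alert payload shaped like the SearchResult/ResultCount structure described here, loops over the rows the way the Loop operator does, and pulls DeviceHostName, UserName and Description out of the Properties column (assumed here to be the column at index 5, matching $.value.5; the column names, their order and the key casing are assumptions, so confirm them against a real payload from your own workspace).

```python
import json

# Constructed sample of a Log Analytics alert webhook payload, shaped after the
# SearchResult -> tables -> rows structure the article describes (field names,
# column order and the Properties column at index 5 are assumptions).
SAMPLE_PAYLOAD = json.dumps({
    "ResultCount": 2,
    "SearchResult": {"tables": [{
        "name": "PrimaryResult",
        "columns": [{"name": n, "type": "string"} for n in
                    ("TimeGenerated", "OperationName", "Result",
                     "ResourceId", "Category", "Properties")],
        "rows": [
            ["2023-09-11T08:00:00Z", "Alert", "Success", "/placeholder", "OperationalLogs",
             json.dumps({"AlertType": "Managed Device Not Compliant",
                         "DeviceHostName": "LAPTOP-01", "UserName": "alice@example.com",
                         "Description": "Device not compliant: BitLocker not enabled"})],
            ["2023-09-11T08:05:00Z", "Alert", "Success", "/placeholder", "OperationalLogs",
             json.dumps({"AlertType": "Managed Device Not Compliant",
                         "DeviceHostName": "LAPTOP-02", "UserName": "bob@example.com",
                         "Description": "Device not compliant: OS version too old"})],
        ],
    }]},
})


def extract_violations(payload_text, properties_column="Properties"):
    """Mirror the Torq workflow: loop over SearchResult.tables[0].rows, read the
    Properties column of each row, parse its JSON and keep the fields the
    workflow sends to Slack. Rows whose Properties is not valid JSON are skipped."""
    payload = json.loads(payload_text)
    table = payload["SearchResult"]["tables"][0]
    rows = table["rows"]
    # Sanity check: ResultCount should equal the number of rows delivered.
    if payload.get("ResultCount") != len(rows):
        raise ValueError("ResultCount does not match the number of rows")
    # Resolve the column by name rather than hard-coding index 5 ($.value.5).
    idx = [c["name"] for c in table["columns"]].index(properties_column)
    violations = []
    for row in rows:
        try:
            props = json.loads(row[idx])
        except (TypeError, ValueError):
            continue  # not a JSON Properties blob; nothing to notify on
        violations.append({key: props.get(key)
                           for key in ("DeviceHostName", "UserName", "Description")})
    return violations
```

The returned list holds one dict per non-compliant device, which is the data the Slack step needs for each loop iteration.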

