-
Notifications
You must be signed in to change notification settings - Fork 57
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Collecting Intune Device Management data #373
Comments
I can add this to the Azure Connector. Re: backwards incompatible connectors — we did break v1.9.0 AWS Collect with v1.9.1 in a similar situation (documented here), but I think that was a mistake. We've had code that upgrades schemas with whatever is missing (e.g. adding columns that are missing) so I think that sort of auto-migration is a better idea going forward, where possible. That said, there's still a couple of things I want to test and fix about v1.9.2 before release, and if this is just about adding an extra endpoint / table, I think we can nudge the scope a little and that way we don't need to worry about folks having installed it just yet. |
Sounds great, thanks Andrey. In case you want to pick apart the columns, here's an example of a response from that endpoint. For context, the main thing I'd be monitoring is the complianceState field having a value of 'compliant'. Grace periods for the device state are configured in Intune so it should be simple on the SnowAlert side.
|
Yup, got them from docs. Is there an advantage to doing this while iterating over the users, i.e. hitting one of these over the others —
? |
I tend to approach it in a device-oriented way, since I'm considering overall security of the business rather than a particular set of users or apps. At the end of the day, it's devices that are compliant or require remediation. So I feel |
Makes sense — I'm not sure how users are assigned, but it's also possible that there's unassigned devices that would be there and won't be listed if you iterate over every user's device. Don't expect anything in the reverse. I just pushed a commit that adds this, tested against a subscription without Intune enabled, with it enabled but without permissions, and with permissions, but no devices. If you could test it against your account, I would appreciate it. The new table should be —
And the permission grants should look like — ^ in AD Blade > [your auditor app] > API Permissions ^ in App Blade > [your app] > Permissions |
Great, will test it now |
subscription_id is defined twice in subscriptions_locations which is breaking the table creation: |
yikes, ty, good catch. |
Same for kid in vaults_keys: |
thanks. the first one should be |
|
Just re-did a couple of the connections -- sorry for asking to test, that was naively optimistic of me. Should be all better now. |
No trouble, i'll run again with the latest. In the meantime, the tables did get successfully created but got the following upon insert into that new managed_devices table:
query on the Snowflake side (with actual values removed):
The columns in AZURE_COLLECT_MANAGED_DEVICES don't have the underscores. |
Fixed, thanks. |
Here's SQL to reset —
|
The managed devices table columns still don't quite reconcile with the response mappings:
|
Whoops, you have to scroll over. Impressed that it handled my paste from Excel though. |
Got it, thanks for bearing with me. This last push should get it. Do you know where it might get the subscriptionId? I think the other graph requests are tenant-level and don't have it in the query nor the response. |
Oh, I think that might be a bug in the translation table, if that's where you got those. Could you check if the entirety of that column is (edit: removed the |
correct, it's not in the actual response |
Column names align now but there's at least one data type mismatch: I'll check over the others and see if they look right |
I can see how that happened. On the docs page you linked, when the type links off to another object, sometimes that's just an Enum of the possible values, not a complex type. Any that say "Possible values are...." should just be a varchar |
Updated the ones that were enum types to be strings of length a little over the longest listed. Better? |
I just always set them to max in Snowflake, since there's no performance or storage difference. |
We used to, then got feedback that there are some BI tools which inspect the type and allocate memory more efficiently if we set it to something close. Happy to bump them all up to 100 to be future-compatible, or is there another concern? |
Ah yep fair enough, 100 is fine |
About to switch trains to one without internet -- let me know if anything else is off and I'll fix shortly. |
Almost successful, just the very last column needs to go to varchar(100): |
Oops, not sure how I missed that one. Fixed! |
OK, all looking good now. 11 devices imported and all fields populated correctly. Thanks for the fast turnaround on this, helps me a lot. |
Awesome, glad to help, and thanks again for your patience. Even tho we didn't need it for the initial version, I think this piece will be super useful on our end, as well, so thanks for the pointer to the API, as well :-) There's a couple of small fixes and docs and testing left, but I think tomorrow seems a likely landing for the v1.9.2 release. Thanks again for all your help on the other pieces, as well. |
Let me know if anything seems off here, closing in meantime. Thanks again! |
Looking to ingest the Intune data for end user device compliance, which is available at https://graph.microsoft.com/v1.0/deviceManagement/managedDevices, so it's actually just an extension of what's already being collected by azure_collect.py.
Would it be preferable to extend this existing collector, or instead define a new data connector and name it "Azure Intune"? I suspect the latter, since existing SnowAlert users will have been through the connect process only on the current set of tables.
The text was updated successfully, but these errors were encountered: