[microsoft_intune][managed_device] Add microsoft_intune managed_device datastream#17688
Hi @janvi-elastic, any reason for not putting Microsoft Intune in the Azure integration package and configuring a router to capture Intune data?
This looks pretty useful overall, a couple thoughts @janvi-elastic:
- Default timeframe is "Last 15 years" - set to 90 days and update screenshot
- Managed Devices stat tile: Without a comparison a single number doesn't tell a security team much. I think we could replace the "Devices by Compliance State" chart with two metric tiles up top (Compliant vs. Non-Compliant) since this is the core question the dashboard is trying to answer and it's scannable at a glance.
There are also some interesting fields from the sample events that we should consider surfacing more prominently:
- EncryptionStatusString - one of the 3 devices has encryption set to False; this feels like it should be prominently visualized, either as a metric tile or alongside the compliance state breakdown, as it's a core device posture signal
- JailBroken - in a production environment with mobile devices this would matter; it's worth surfacing
- LastContact - the Inventory Details table shows this but it's only visible at the bottom. It would be nice to have some callout for devices that haven't contacted Intune in X days, as stale devices are a common blind spot
@cpascale43 Regarding Devices by Compliance State, in live logs we are getting Compliant, Noncompliant and Not Evaluated, and the documentation does not have a list of possible values. So should we remove the pie chart and replace it with metrics (Compliant vs Noncompliant)?
Thanks @janvi-elastic, given that there are at least three possible values in live data and the docs don't list all of them, we can keep it as is. Thanks for flagging!
* Fix broken link
* Update manifest and changelog
* Run elastic package build
* Remove html at the end of URL
* Remove one more html
Fix the m365_defender system benchmark setup and update the HTTP mock to align with the current agent OAuth behavior. Extend the alert benchmark HTTP mock by adding a POST endpoint for the refresh_token grant that returns a new access_token, ensuring long-running and token renewal flows are exercised without relying on real AD.
…integrations (elastic#17045) In these integrations' documentation and manifest titles and descriptions, rename "Trend Micro" to "TrendAI", as this is the new product name for the services these connect with. Also, update the integration logo to the new product logo.
…lastic#17413) Box Events sends either null or an email to box.source.login when using the admin_logs_streaming setting. Setting this field to a boolean causes data set quality issues and fields to become ignored. Changing this to a keyword should resolve issues with data set quality.
…ic#18022) Made with ❤️️ by updatecli Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Bumps [actions/github-script](https://github.com/actions/github-script) from 7 to 8.
- [Release notes](https://github.com/actions/github-script/releases)
- [Commits](actions/github-script@v7...v8)
---
updated-dependencies:
- dependency-name: actions/github-script
  dependency-version: '8'
  dependency-type: direct:production
  update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…ic#17879)
* [ci] Add blocking PR check for package docs using docs-builder
  Adds a new workflow that validates changed packages/**/docs/*.md files on every PR using the elastic/docs-builder action (metadata-only + strict mode), catching Elastic-specific syntax issues before they reach EPR/downstream. _dev/build/ template files are excluded since they contain {{ fields }} syntax that is not valid docs-builder input.
  Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* [ci] Exclude knowledge_base and subdirs from package docs check
  Narrows the path trigger from packages/**/docs/** to packages/**/docs/*.md and tightens the grep filter to [^/]*.md$ so only top-level docs files are validated, excluding knowledge_base/ and other subdirectories.
  Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* [ci] Support nested package paths in docs validation trigger
  Replace packages/**/docs/*.md with explicit single- and two-level patterns so the workflow also triggers for nested packages like packages/nginx/nginx/docs/README.md (see elastic#17403).
  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
* [test] Validate package docs with isolated docs-builder run
  - Run docs-builder in an isolated .validate/ directory (with git init) so it never discovers docs/docset.yml or scans repo-wide .md files
  - Lowercase filenames before validation (docs-builder requirement)
  - Include cross_links (beats, docs-content, ecs, elasticsearch, integrations) in generated docset to resolve cross-repo references
  - Add test edits to 1password, nginx, aws package docs
  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* [ci] Drop --strict, add test doc edits
  Package docs have content-level warnings (missing titles, code block annotations) that are not actual errors but would fail with --strict. Use non-strict mode to catch real errors only. Also adds test edits to 1password, nginx, aws docs.
  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* [ci] Remove test doc edits, exclude deleted files from diff
  - Revert test edits to 1password, nginx, aws docs
  - Add --diff-filter=d to git diff to skip deleted files, which would break the cp step in CI
  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* [ci] Copy img/ dirs and allow errors until baseline is clean
  - Copy each package's img/ directory into .validate/ so image references resolve (drops 84 → ~10 remaining image errors)
  - Mount at /workspace instead of /app to avoid overwriting the docs-builder binary in the container
  - Add continue-on-error: true so existing doc issues don't block PRs until a follow-up PR fixes the ~44 pre-existing errors
  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* [ci] Fix script injection: use env var for github.base_ref
  Avoid interpolating github.base_ref directly into the shell command, which is attacker-controlled (PR target branch name). Pass it as an env var instead.
  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* Lowercase Vidyard thumbnail URLs in package docs
  docs-builder rejects image filenames with uppercase characters. Lowercase the play.vidyard.com thumbnail URLs so the filenames integration-docs downloads are valid.
  Affects: crowdstrike, m365_defender, microsoft_defender_endpoint, sentinel_one
  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* Bump versions and add changelog entries
  Run elastic-package changelog add + build for each affected package:
  - crowdstrike 3.12.0 → 3.12.1
  - m365_defender 5.12.0 → 5.12.1
  - microsoft_defender_endpoint 4.5.0 → 4.5.1
  - sentinel_one 2.5.0 → 2.5.1
  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* Fix changelog type: enhancement → bugfix
  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
)
* [ci] Remove continue-on-error, add failure notification workflow
  - Remove continue-on-error from validate-package-docs so it properly blocks PRs with doc issues
  - Add a separate workflow_run-triggered workflow that posts a comment mentioning @elastic/ingest-docs when validation fails
  - The notification workflow uses workflow_run (runs in base branch context) so it can safely have pull-requests: write without exposing secrets to fork PRs
  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* [ci] Keep continue-on-error, notify via artifact signal
  The validation step stays non-blocking (continue-on-error: true) but uploads a "docs-validation-failed" artifact when docs-builder exits non-zero. The notification workflow downloads this artifact — if it exists, it posts a PR comment mentioning @elastic/ingest-docs. This avoids false blocking on unknown edge cases while still surfacing doc issues to the right team.
  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* Address review: env vars for injection safety, --body-file for comment
  - Use env var for github.event.pull_request.number instead of inline interpolation in shell (validate-package-docs.yml)
  - Use env var for github.repository instead of inline interpolation in shell (notify-package-docs-failure.yml)
  - Use --body-file instead of --body for multi-line comment to avoid shell quoting issues
  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* Replace ingest-docs with integration-docs, add #docs channel reference
  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
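The script-injection fixes the two commit messages above describe (passing github.base_ref, the PR number and the repository through environment variables, and using --body-file for the comment), shown as an added, constructed workflow excerpt; it is not the repository's validate-package-docs.yml or notify-package-docs-failure.yml, and the step names, paths filter, checkout action and comment.md are assumptions.

```yaml
# Constructed illustration of the fixes described above, not the repository's own workflow.
# Assumed: step names, checkout action, paths filter, comment.md. From the commit messages:
# github.base_ref, github.event.pull_request.number, github.repository, --body-file.
name: validate-package-docs (illustration)
on:
  pull_request:
    paths:
      - 'packages/**/docs/*.md'
jobs:
  validate:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0

      # Before: the runner expands ${{ }} into the script text before bash parses it, so
      # shell metacharacters in the base branch name become part of the command.
      # Disabled here; kept only to show the pattern being removed.
      - name: List changed docs (inline interpolation)
        if: ${{ false }}
        run: |
          git diff --name-only --diff-filter=d "origin/${{ github.base_ref }}...HEAD"

      # After: the value reaches the shell as an environment variable. The script text is
      # fixed, and bash treats the variable's contents as data, not as code.
      - name: List changed docs (environment variable)
        env:
          BASE_REF: ${{ github.base_ref }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
          REPO: ${{ github.repository }}
        run: |
          git diff --name-only --diff-filter=d "origin/$BASE_REF...HEAD" \
            | grep -E '^packages/[^/]+/docs/[^/]*\.md$' > changed-docs.txt || true
          echo "PR #$PR_NUMBER in $REPO: $(wc -l < changed-docs.txt) doc file(s) to validate"

      # Multi-line comment bodies go through a file and --body-file, so the text is never
      # re-parsed by the shell (the quoting problem the last commit message mentions).
      # As that message also notes, on fork PRs this step needs a workflow_run-triggered
      # workflow with pull-requests: write; it is shown inline here for brevity.
      - name: Comment on failure
        if: failure()
        env:
          GH_TOKEN: ${{ github.token }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
        run: |
          printf '%s\n' 'docs-builder validation failed for this PR.' \
            'See the "Validate with docs-builder" step log for details.' > comment.md
          gh pr comment "$PR_NUMBER" --body-file comment.md
```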
integration-docs uses docs-builder with --strict (the default in preview-build.yml), so warnings like unknown code block languages become errors there. Match that behavior here so issues are caught before they reach integration-docs. Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…s and increase min Kibana version (elastic#18046)
* v1: Add back esql based dashboards and increase min Kibana version
* Update changelog.yml
…cts (elastic#18052) The artifact-based approach doesn't work because upload-artifact@v4 scopes artifacts to the workflow run, making them inaccessible from a workflow_run-triggered workflow via download-artifact. Instead, query the Jobs API to check if the "Validate with docs-builder" step concluded as failure (despite the job succeeding via continue-on-error), and find the PR number from the head SHA. Also removes the now-unnecessary signal/upload steps from the validation workflow. Handles jq returning literal "null" for commits without a PR. Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…18055) In PanOS wildfire CEF events, the request extension key contains a filename rather than a URL. The decode_cef processor maps the raw CEF request key to cef.extensions.requestUrl per the CEF spec, and the pipeline unconditionally mapped that to url.full. This caused filenames like "somefile.txt" to appear in url.full/url.original while file.name was never populated. Add a conditional so that for THREAT events with Name "wildfire" or "wildfire-virus", requestUrl is routed to file.name and threat.indicator.file.name instead of the url fields. Add a wildfire CEF system test event to verify the end-to-end decode_cef behavior through the Elastic Agent.
Fix error checks in ReportFailedTests comparing err to nil instead of itself. Fix minor wording in error messages for gomod and codeowners.
Add a new dev/packagenames Go package that validates no two packages share the same name field across the packages/ directory. --------- Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
…lastic#18245) PR elastic#15432 (v1.17.0) added source_lag_time with a guard condition to clamp start_time when the cursor is ahead of now - source_lag_time. Two bugs in the implementation cause 400 Bad Request errors from the JumpCloud API:
1. parseDate uses the default RFC3339 layout, which cannot parse JumpCloud's fractional-second timestamps (e.g. 2023-01-14T08:16:06.495Z). When parsing fails, parseDate silently returns zero time, disabling the guard condition entirely.
2. The YAML >- block scalar introduces a trailing newline in the if-true branch output. When the guard fires, start_time is sent as "2026-03-09T10:46:26Z\n", which JumpCloud rejects as invalid.
Fix (1) by passing "RFC3339Nano" layout to parseDate so it handles fractional seconds. Fix (2) by adding the -]] trim marker to strip the trailing newline. Exercise the source_lag_time code path in the existing system test.
* Add OTel Assets for MSSQL Server Co-authored-by: mykola-elastic <mykola.kmet@elastic.co> Co-authored-by: muthu-mps <101238137+muthu-mps@users.noreply.github.com>
* Add OTel Asset for ZooKeeper Co-authored-by: muthu-mps <101238137+muthu-mps@users.noreply.github.com>
…tic#18254)
* [Security Rules] Update security rules package to v9.3.8-beta.1
* Add changelog entry for 9.3.8-beta.1
* add auto-expand-replicas setting
* update pr link
* update format_version
* Update manifest.yml
* fix validation errors
* Update changelog.yml
* Update manifest.yml
…tic#18287)
* [Security Rules] Update security rules package to v9.3.8-beta.2
* Add changelog entry for 9.3.8-beta.2
* improve Nodes dashboard
* fix PR id
* improve Namespaces dashboard
* fix PR id
* [airflow_otel] add new content pack
* update readme
* add CODEOWNERS
* upgrade compiler version
* add slo note
* update dataset name
* update screenshots
* recompile dashboards
* improve Node Detail dashboard
* fix PR id
* address reviews
…#18196) The FDR ingest pipeline renamed crowdstrike.event_simpleName into event.action, destroying the source field. For registry, driver, and *Written events, event.action is then overwritten with a generic operation name (per TRaDe requirements), leaving the original CrowdStrike event name inaccessible as a keyword field. Change the rename to a copy so crowdstrike.event_simpleName survives in the indexed document alongside event.action.
…r events (elastic#17980) Copy binding deltas from the protoPayload.serviceData object. This object describes which operations were made on accounts' roles and can be used to detect whether a role has been added to or removed from an account. Description of the binding deltas structure can be found in the GCP IAM documentation[1]. [1] https://docs.cloud.google.com/iam/docs/reference/rpc/google.iam.v1#google.iam.v1.BindingDelta
cloudflare_logpush: add region variable to aws-s3 input Elastic Agent 8.19.12 added validation in the Filebeat aws-s3 input that requires the "region" config field when "non_aws_bucket_name" is set (elastic/beats#48534). The cloudflare_logpush integration only rendered "default_region", which is a different field used for AWS SDK initialization, so configurations using Cloudflare R2 or other S3-compatible storage fail at startup. Add a "region" variable to the aws-s3 policy template and render it in all 21 data stream templates, matching the approach already used by the tanium and netskope integrations. Fixes elastic#17790
* Initial draft of the package
* add pr number
* add CODEOWNERS entry
* README.md: > **Note**: SLO templates require Elastic Stack version 9.4.0 or later.
* add screenshots
* fix rate panels
* fix percentage calculation
* add link to traefik doc
* add comments about processors: cumulativetodelta, resource/dataset
* add categories
* change kibana.version to ^9.2.1
* recompile dashboards with kb-dashboard-cli==0.4.1
…#18002)
* initial changes
* kb-dashboard 0.4.0 changes
* update dashboards
* update kibana version
…ic#18297) Made with ❤️️ by updatecli Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
…iew dashboards (elastic#18063) ti_misp: Add filters for Indicators ingested visualization for Overview dashboards Add filters in Indicators ingested visualization to make sure they only show data relevant to MISP data stream. Add missing screenshots for both overview dashboards.
…ats tag/branch (elastic#18305)
- Regenerate schemas and fields for osquery 5.22.1; bump package and Kibana constraint.
- Add optional beats.tag and beats.branch in osquery-gen (tag > branch > version).
❌ Author of the following commits did not sign a Contributor Agreement: Please, read and sign the above-mentioned agreement if you want to contribute to this project
💔 Build Failed
🟠 High extend/agent-version-conditions.md:25
The YAML example at line 26 is missing a colon after kibana, so kibana becomes a key with no value and version: becomes a sibling of kibana instead of a child. Users who copy this example will get a YAML parsing error.
conditions:
  kibana
Suggested change:
conditions:
-  kibana
+  kibana:
     version: '^9.4.0'
Sorry for the noise, raised new PR.
Proposed commit message
Checklist
changelog.yml file.
How to test this PR locally
Screenshot
Implementation Details
Docs Referred
https://learn.microsoft.com/en-us/intune/intune-service/fundamentals/review-logs-using-azure-monitor