Team: Huntress Managed Security Information and Event Management (SIEM)
Product: SIEM, Microsoft Intune
Environment: Windows (Intune / Entra managed)
Summary: This guide explains how to configure Intune Configuration Policies for Windows audit event log collection for Huntress Managed SIEM via JSON or manually in the Microsoft portal.
Note: If you have worked through this guide and are still unable to adjust the policy, a different system may be affecting it. This guide will help you identify the source of the configuration change.
JSON Import (Recommended Method)
This JSON file contains all the recommended Huntress Windows auditing policies, as well as optional log size suggestions, and can be imported directly into Intune as a new Configuration Profile.
1. Download this file and import it directly into Intune by going to Devices > Windows > Configuration profiles > Create > Import Policy
2. A side panel will open where you can upload the saved .json file
3. Give the profile a name and an optional description, then click Save.
4. By default, imported policies are not assigned to any devices or users. Assign this to all devices (or to a Microsoft Entra group for a more targeted deployment).
5. Monitor the reporting for installation errors and review the policy and machines as required.
Note: If you experience deployment issues, please contact Support.
Manual Configuration Profile
To create this manually:
1. Create Profile: In the Microsoft Intune admin center, go to Devices > Windows > Configuration profiles > Create profile.
2. Select Platform/Type: Choose Windows 10 and later as the platform and Settings catalog as the profile type.
3. Give the profile a name and an optional description, then click Save.
4. Click Add settings, search for the Event Log settings and select the three logs (Security, Setup and System) to add to the policy, ensuring that for each log both Control Event Log behavior when the log file reaches its maximum size and Specify the maximum log file size (KB) have been selected.
5. Edit each log source to specify the maximum log size and the behavior when the log reaches that size. The finished event log settings should look like this:
6. Next, click Add settings again, search for "Audit" in the settings picker and use the table to add the required categories.
7. Set each category to Success, Failure, or both, based on the values in the table.
8. Once the settings are applied and correct, assign the profile to all devices (or to a Microsoft Entra group for a more targeted deployment).
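Whichever method you use, it is worth confirming on an endpoint that the profile actually took effect, which also helps with the note above about another system overriding the policy. The following PowerShell check is an added example and is not part of the Huntress article or JSON file; the subcategories, expected settings, minimum log sizes and the Circular log mode in it are placeholder assumptions that you should replace with the values from your own policy and table.

```powershell
# Added verification script (not from the Huntress article). Run in an elevated
# PowerShell session on a managed Windows endpoint after the Intune profile has
# applied. All expected values below are ASSUMED placeholders for illustration.

$ExpectedAudit = @{
    # subcategory name exactly as 'auditpol /get /category:* /r' prints it = expected setting
    'Logon'            = 'Success and Failure'   # assumed example value
    'Process Creation' = 'Success'               # assumed example value
}
# Minimum acceptable maximum-log-size per log, in KB (assumed example values)
$MinLogSizeKB = @{ Security = 1048576; Setup = 32768; System = 32768 }

function Get-EffectiveAuditPolicy {
    # auditpol /r emits CSV with 'Subcategory' and 'Inclusion Setting' columns
    $rows = auditpol /get /category:* /r | ConvertFrom-Csv
    $policy = @{}
    foreach ($row in $rows) { $policy[$row.Subcategory] = $row.'Inclusion Setting' }
    return $policy
}

function Test-AuditPolicy {
    param([hashtable]$Expected)
    $actual = Get-EffectiveAuditPolicy
    $failures = @()
    foreach ($sub in $Expected.Keys) {
        if ($actual[$sub] -ne $Expected[$sub]) {
            $failures += "$sub expected '$($Expected[$sub])' but found '$($actual[$sub])'"
        }
    }
    return $failures
}

function Test-EventLogSize {
    param([hashtable]$MinKB)
    $failures = @()
    foreach ($log in $MinKB.Keys) {
        $info   = Get-WinEvent -ListLog $log          # EventLogConfiguration object
        $sizeKB = [int]($info.MaximumSizeInBytes / 1KB)
        if ($sizeKB -lt $MinKB[$log]) { $failures += "$log max size ${sizeKB}KB is below $($MinKB[$log])KB" }
        # Assumption: policy intends 'overwrite as needed', which shows as LogMode Circular
        if ($info.LogMode -ne 'Circular') { $failures += "$log LogMode is $($info.LogMode), expected Circular" }
    }
    return $failures
}

# @() keeps empty results as empty arrays so the concatenation is safe
$problems = @(Test-AuditPolicy $ExpectedAudit) + @(Test-EventLogSize $MinLogSizeKB)
if ($problems.Count -eq 0) { 'Audit policy and log sizes match the expected values' }
else { $problems | ForEach-Object { "MISMATCH: $_" } }
```

A mismatch reported here after the profile shows as applied in Intune is the signal to look for another policy source (for example a competing GPO or profile) before changing the Huntress profile.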
If you have any issues with the deployment, please reach out to Huntress Support.