Microsoft Intune service must be configured to transfer Intune logs to another server for storage, analysis, and reporting at least every seven days.

Severity: medium
Group ID: V-267334
Group Title: SRG-APP-000125-UEM-000074
Version: MSIN-24-000370
Rule ID: SV-267334r1025801_rule
Date: 2024-10-04
STIG Version: 1
Description
Note: UEM server logs include logs of UEM events and logs transferred to Microsoft Intune service by UEM agents of managed devices.

Protection of log data includes ensuring log data is not accidentally lost or deleted. Backing up audit records to a different system or onto separate media than the system being audited on an organizationally defined frequency helps ensure, in the event of a catastrophic system failure, the audit records will be retained. This helps to ensure a compromise of the information system being audited does not also result in a compromise of the audit records.

This requirement only applies to applications that have a native backup capability for audit records. Operating system backup requirements cover applications that do not provide native backup functions.

Satisfies: FAU_STG_EXT.1.1, FMT_SMF.1.1(2) Refinement b, FMT_SMF.1.1(2) c.8

Satisfies: SRG-APP-000125-UEM-000074, SRG-APP-000275-UEM-000157, SRG-APP-000358-UEM-000228
ℹ️ Check
Verify the site is scheduling audit log backups at least every seven days. Since, at this time, offloading Intune audit logs is a manual process, verify the site is periodically (at least every seven days) offloading Intune logs. If Microsoft Intune is not set to transfer Microsoft Intune server logs to another server for storage, analysis, and reporting at least every seven days, this is a finding.
✔️ Fix
Configure the Microsoft Intune server to transfer Microsoft Intune server logs to another server for storage, analysis, and reporting at least every seven days.

Intune audit logs can be sent to many locations, including Azure Monitor services or a third-party audit management server.

If sending Intune audit logs to Azure Monitor, follow the setup instructions listed here: https://docs.microsoft.com/en-us/mem/intune/fundamentals/review-logs-using-azure-monitor

To manually offload audit logs to an audit log management server, follow these instructions:

1. Log in to the console.
2. Select "Tenant Administration".
3. Select "Audit Logs".
4. Select "Export". This exports a .csv file with audit data.

Other methods can be used to archive the .csv files.
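Because the manual export leaves no schedule to inspect, one way to evidence the seven-day cadence is to audit the archive itself. The script below is an added example, not part of the STIG or of any Microsoft tooling. It assumes the site saves each exported .csv on the log server as `intune-audit-YYYY-MM-DD.csv`; that naming convention and the function names are hypothetical.

```python
import re
import sys
from datetime import date, datetime, timedelta
from pathlib import Path

MAX_GAP = timedelta(days=7)  # the rule's "at least every seven days"
# Assumed naming convention for archived exports (not defined by Intune or the STIG).
NAME_RE = re.compile(r"^intune-audit-(\d{4}-\d{2}-\d{2})\.csv$")


def export_dates(names):
    """Parse the export date out of each matching file name; ignore other files."""
    found = set()
    for name in names:
        m = NAME_RE.match(name)
        if m:
            try:
                found.add(datetime.strptime(m.group(1), "%Y-%m-%d").date())
            except ValueError:
                pass  # e.g. 2024-13-40: matches the pattern but is not a date
    return sorted(found)


def find_gaps(dates, today):
    """Return (start, end, days) for each interval longer than MAX_GAP,
    including the interval from the newest export up to today."""
    points = list(dates) + [today]
    return [(a, b, (b - a).days) for a, b in zip(points, points[1:]) if b - a > MAX_GAP]


def audit_archive(names, today):
    """Return (compliant, gaps). An archive with no exports is never compliant."""
    dates = export_dates(names)
    if not dates:
        return False, []
    gaps = find_gaps(dates, today)
    return not gaps, gaps


if __name__ == "__main__":
    # With a directory argument, audit it; otherwise run on constructed sample names.
    if len(sys.argv) > 1:
        names, today = [p.name for p in Path(sys.argv[1]).iterdir()], date.today()
    else:
        names = ["intune-audit-2024-10-01.csv", "intune-audit-2024-10-07.csv",
                 "intune-audit-2024-10-18.csv", "notes.txt"]
        today = date(2024, 10, 20)
    ok, gaps = audit_archive(names, today)
    for start, end, days in gaps:
        print(f"FINDING: {days} days without an export ({start} to {end})")
    print("compliant" if ok else "not compliant")
```

A gap of exactly seven days passes; the interval from the newest export to the current date is checked as well, so an archive that has gone stale is reported even if its history is clean.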