Deploy Perch Workstation Audit settings and Log Shipper Agent with Intune

If you or your customers use Perch SIEM, you probably have (or started with) Hybrid or AD joined devices with a GPO that configures the audit logging on the endpoints and deploys the log shipper. As you transition the endpoints to Entra Join, you'll need to deploy both the audit settings and the app with Intune. This blog walks through how to do this with Intune and includes a JSON configuration profile preconfigured with the correct audit settings.

The below links contain supporting documentation and were used as a reference when writing this blog:

Deploy the Audit logging settings

First, we need to deploy the audit configuration settings. The recommended audit logging settings for workstations are:

These are configured as a JSON you can download and import as an Intune configuration profile here – MS-Cloud-Scripts/intune/Perch Log Shipper/Config Profile – Perch Audit Logging.json at main · gnon17/MS-Cloud-Scripts (github.com) 

After downloading the JSON, sign into https://intune.microsoft.com and select Devices > Windows > Configuration Profiles. Click Create and then Import Policy.

Browse to the JSON file we previously downloaded and click save to add the profile. After the profile has been added, assign it to your target groups.
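Once the profile has applied, it is worth confirming on an endpoint that the audit subcategories are actually in force rather than trusting the Intune status alone. The following PowerShell check is an added example and is not from the original post or the linked repository; the two subcategory names in `$Expected` are assumed placeholders, so replace them with the subcategories defined in the imported profile. Run it in an elevated prompt, since `auditpol` needs administrator rights.

```powershell
# Added example (not from the original post): compare the effective audit policy on a
# workstation against the subcategories the imported Intune profile is expected to set.
# The entries below are ASSUMED placeholders; use the subcategories from your profile.
$Expected = @{
    'Process Creation' = 'Success'
    'Logon'            = 'Success and Failure'
}

# auditpol /r emits CSV with these columns:
# Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
$Current = auditpol /get /category:* /r |
    Where-Object { $_ -match ',' } |      # drop blank lines before parsing
    ConvertFrom-Csv

$Failures = foreach ($Name in $Expected.Keys) {
    $Row = $Current | Where-Object { $_.Subcategory -eq $Name }
    if (-not $Row) {
        "$Name : subcategory not present in auditpol output"
        continue
    }
    if ($Row.'Inclusion Setting' -ne $Expected[$Name]) {
        "$Name : expected '$($Expected[$Name])', found '$($Row.'Inclusion Setting')'"
    }
}

if ($Failures) {
    $Failures | ForEach-Object { Write-Output "MISMATCH: $_" }
    exit 1      # non-zero so the script can double as an Intune remediation detection
}
Write-Output "All expected audit subcategories are configured"
exit 0
```

Because it exits 1 on any mismatch and 0 otherwise, the same script can be uploaded as the detection half of an Intune remediation package, which gives you an ongoing report of endpoints whose audit policy has drifted from the profile.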

Creating and Deploying the Log Shipper Agent

Download the Perch log shipper EXE. Download the Win32 content prep tool from this link – GitHub – microsoft/Microsoft-Win32-Content-Prep-Tool: A tool to wrap Win32 App and then it can be uploaded to Intune. Place the log shipper EXE in a folder that contains no other files. Launch the Win32 content prep tool and specify the source path, the installer name, and the destination path for the packaged app. Answer N when asked about a catalog folder, then press Enter to generate the .intunewin file.
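The content prep tool also accepts its inputs as command-line switches, which makes the packaging step repeatable and lets you enforce the "no other files in the source folder" rule before anything is wrapped. The script below is an added example, not the post's or Microsoft's code; the tool, source and output paths are assumed and should be adjusted to your layout.

```powershell
# Added example (not from the original post): package the log shipper EXE with the
# Win32 Content Prep Tool non-interactively. All paths below are ASSUMED.
$ToolPath  = 'C:\Tools\IntuneWinAppUtil.exe'
$SourceDir = 'C:\Package\PerchSource'
$Installer = 'perch-log-shipper-latest.exe'
$OutputDir = 'C:\Package\Out'

$InstallerPath = Join-Path $SourceDir $Installer
if (-not (Test-Path $InstallerPath)) {
    throw "Installer not found at $InstallerPath"
}

# Everything in the source folder ends up inside the .intunewin, so refuse to
# package if anything other than the installer is present.
$Extra = Get-ChildItem -Path $SourceDir -Recurse -File |
    Where-Object { $_.FullName -ne (Resolve-Path $InstallerPath).Path }
if ($Extra) {
    throw "Source folder must contain only $Installer. Found: $($Extra.Name -join ', ')"
}

New-Item -ItemType Directory -Path $OutputDir -Force | Out-Null

# -c source folder, -s setup file, -o output folder, -q quiet (no interactive prompts)
& $ToolPath -c $SourceDir -s $Installer -o $OutputDir -q
if ($LASTEXITCODE -ne 0) {
    throw "IntuneWinAppUtil.exe failed with exit code $LASTEXITCODE"
}

# Record the SHA-256 of the binary that was wrapped, so the package uploaded to Intune
# can later be tied back to the exact installer that was downloaded from the vendor.
Get-FileHash -Path $InstallerPath -Algorithm SHA256 |
    Select-Object Algorithm, Hash, Path
```

The tool names the output after the installer, so this run produces `perch-log-shipper-latest.intunewin` in the output folder. Keep the printed hash with your change record; when the vendor publishes a new build you can compare it against the hash of the fresh download before repackaging.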

Back in https://intune.microsoft.com, create a new Win32 App. When asked to specify the .intunewin file, choose the file generated in the previous step. Provide a name and description and click Next when finished.

For the install and uninstall commands, use these templates and replace the VALUE with the client token. Make sure the install behavior is set to System.

• Install:
  • perch-log-shipper-latest.exe /qn OUTPUT="TOKEN" VALUE="xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
• Uninstall:
  • wmic product where name="Perch Log Shipper" call uninstall

Add the desired requirements and continue. For the detection rule, use this script as the custom detection script – MS-Cloud-Scripts/intune/Perch Log Shipper/Detection.ps1 at main · gnon17/MS-Cloud-Scripts (github.com).
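Two things about the app definition above deserve a closer look: the `wmic` uninstall command relies on a tool Microsoft has deprecated, and the detection script must follow Intune's contract (write something to STDOUT and exit 0 when the app is present, otherwise exit non-zero with no output). The script below is an added example and is not the repository's Detection.ps1 or the vendor's code. It locates the product through the Uninstall registry keys using the "Perch Log Shipper" display name from the uninstall command, serves as a detection script by default, and with `-Uninstall` removes the product through `msiexec` using the MSI product code. It assumes the log shipper registers as an MSI product, which is what the `wmic product` command in the post also assumes.

```powershell
# Added example (not the repository's Detection.ps1 and not the vendor's code).
# Default: Intune custom detection script. With -Uninstall: remove the product via msiexec.
param([switch]$Uninstall)

$DisplayName = 'Perch Log Shipper'   # display name used by the post's wmic uninstall command

function Get-InstalledProduct {
    param([string]$Name)
    # Check both the native and the 32-bit registry views; the Intune agent runs scripts
    # as SYSTEM in a 64-bit host, so the WOW6432Node view must be queried explicitly.
    $Roots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    )
    foreach ($Root in $Roots) {
        Get-ChildItem -Path $Root -ErrorAction SilentlyContinue | ForEach-Object {
            $p = Get-ItemProperty -Path $_.PSPath
            if ($p.DisplayName -like "$Name*") {
                [pscustomobject]@{
                    DisplayName     = $p.DisplayName
                    DisplayVersion  = $p.DisplayVersion
                    ProductCode     = $_.PSChildName   # MSI GUID when installed from an MSI
                    UninstallString = $p.UninstallString
                }
            }
        }
    }
}

$Product = Get-InstalledProduct -Name $DisplayName | Select-Object -First 1

if ($Uninstall) {
    if (-not $Product) { exit 0 }   # nothing to remove counts as success
    if ($Product.ProductCode -match '^\{[0-9A-F-]{36}\}$') {
        $proc = Start-Process -FilePath msiexec.exe `
            -ArgumentList "/x $($Product.ProductCode) /qn /norestart" -Wait -PassThru
        exit $proc.ExitCode
    }
    throw "Not an MSI product code; inspect UninstallString: $($Product.UninstallString)"
}

# Intune detection contract: STDOUT + exit 0 means installed; exit 1 with no output means not.
if ($Product) {
    Write-Output "Detected $($Product.DisplayName) $($Product.DisplayVersion)"
    exit 0
}
exit 1
```

If you adopt the `msiexec` route for uninstall, the Intune uninstall command becomes a call to this script with `-Uninstall`, which also avoids the `Win32_Product` WMI class that `wmic product` relies on; that class triggers a consistency check of every installed MSI package each time it is queried, which is slow and noisy in the Application event log.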

Continue through the rest of the app creation and assign it to your desired device groups.

This completes the setup. Once the settings and log shipper application have been deployed, you or your security team should start seeing logs in the SIEM console.
