MS Intune Update (demisto#36628)

* Changed dataset name to msft_intune_raw

* Updated ReleaseNotes

* Updated ReleaseNotes

* Updated README

* Updated ReleaseNotes

* Update Packs/MicrosoftIntune/ReleaseNotes/1_0_2.md

Co-authored-by: ShirleyDenkberg <[email protected]>

* Updated README

* Update 1_0_2.json

---------

Co-authored-by: ShirleyDenkberg <[email protected]>

Packs/MicrosoftIntune/ModelingRules/MicrosoftIntune_1_3/MicrosoftIntune_1_3.xif

@@ -1,4 +1,4 @@
-[MODEL: dataset="msft_azure_raw"]
+[MODEL: dataset="msft_intune_raw"]
 filter category contains "DeviceComplianceOrg"
 |alter xdm.event.type=category,
 xdm.observer.unique_identifier=tenantId,

Packs/MicrosoftIntune/ModelingRules/MicrosoftIntune_1_3/MicrosoftIntune_1_3_schema.json

@@ -1,5 +1,5 @@
 {
-    "msft_azure_raw": {
+    "msft_intune_raw": {
       "properties": {
           "type": "string",
           "is_array": false

Packs/MicrosoftIntune/ParsingRules/MicrosoftIntuneParsingRules/MicrosoftIntuneParsingRules.xif

@@ -1,4 +1,4 @@
-[INGEST:vendor="MSFT", product="Azure", target_dataset="msft_azure_raw", no_hit=keep]
+[INGEST:vendor="MSFT", product="Intune", target_dataset="msft_intune_raw", no_hit=keep]
 filter to_string(time) ~= "\d{4}\-\d{2}\-\d{2}T\d{2}:\d{2}:\d{2}[\.\dZ]+"
 | alter 
     timestampModify = time

Packs/MicrosoftIntune/README.md

@@ -2,7 +2,7 @@
 
 This pack includes Cortex XSIAM content.
 
-Note: The logs will be stored in the dataset named *msft_azure_raw*. 
+Note: The logs will be stored in the dataset named *msft_intune_raw*. 
 To filter a query to focus only on Microsoft Intune logs, use the following filters:
 - In XQL queries, use: *|filter _collector_name=<Name_of_Intune_Instance_from_Azure_Event_Hub_Configuration>*
 - In Datamodel queries, use: *|xdm.observer.name=<Name_of_Intune_Instance_from_Azure_Event_Hub_Configuration>*
@@ -14,6 +14,8 @@ In order to use the collector, you need to use the following option:
   - [Collect Events from Vendor](#collect-events-from-vendor)
     - [Azure Event Hub Integration](#azure-event-hub-integration)
 
+![MSFT_Intune_Collector_Settings](https://raw.githubusercontent.com/demisto/content/cbecb05aa723b2beba6081e91f445a870997c82d/Packs/MicrosoftIntune/doc_files/MSFT_Intune_Collector_Settings.png)
+
 To collect logs from Microsoft Intune, use the information described [here](https://learn.microsoft.com/en-us/mem/intune/fundamentals/review-logs-using-azure-monitor) to configure log streaming from Microsoft Intune to Azure Event Hub.
 
 * Pay attention: Timestamp parsing is available for the default UTC (+0000) format for Microsoft Intune.

Packs/MicrosoftIntune/ReleaseNotes/1_0_2.json

@@ -0,0 +1,4 @@
+{
+    "breakingChanges": true,
+    "breakingChangesNotes": "The Dataset name used for this pack has been changed from *msft_azure_raw* to *msft_intune_raw*.\nPlease update your existing integration to refer to the new dataset name in order to ensure this content pack's functionality."
+}

Packs/MicrosoftIntune/ReleaseNotes/1_0_2.md

@@ -0,0 +1,14 @@
+
+#### Modeling Rules
+
+##### Microsoft Intune
+
+Updated the Dataset name used in the Modeling Rule header to **msft_intune_raw**.
+
+#### Parsing Rules
+
+##### MicrosoftIntune Parsing Rule
+
+- Updated the Vendor name used in the Parsing Rule header to **MSFT**.
+- Updated the Product name used in the Parsing Rule header to **Intune**.
+- Updated the Dataset name used in the Parsing Rule header to **msft_intune_raw**.

Packs/MicrosoftIntune/pack_metadata.json

@@ -2,7 +2,7 @@
     "name": "Microsoft Intune",
     "description": "Microsoft Intune is a family of endpoint management solutions that enable you to protect and administer all your endpoints from a single place.",
     "support": "xsoar",
-    "currentVersion": "1.0.1",
+    "currentVersion": "1.0.2",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",