Query Details

Bulk Destructive MDM Actions

Query

id: 5a6f1c3e-2a1b-4c9e-9f01-11a2b3c4d509
name: Intune - Bulk device wipe, retire, or delete operations
description: |
  Detects bulk destructive MDM actions (Wipe, Retire, Delete, FreshStart, AutopilotReset)
  issued by a single actor in a short window. Used by ransomware/extortion actors with
  Intune admin rights to cause impact, or during account takeover of privileged identities.
severity: High
requiredDataConnectors:
  - connectorId: AzureMonitor(IntuneLogs)
    dataTypes:
      - IntuneAuditLogs
queryFrequency: 30m
queryPeriod: 30m
triggerOperator: gt
triggerThreshold: 4
status: Available
tactics:
  - Impact
relevantTechniques:
  - T1485
  - T1531
query: |
  let destructiveOps = dynamic([
      "wipeManagedDevice","retireManagedDevice","deleteManagedDevice",
      "cleanWindowsDevice","autopilotReset","freshStart","wipe","retire","delete"
  ]);
  IntuneAuditLogs
  | where TimeGenerated > ago(30m)
  | where OperationName has_any (destructiveOps)
  | extend Props = parse_json(tostring(Properties))
  | extend Target = tostring(Props.TargetObjectName)
  | summarize Count = count(), Targets = make_set(Target, 100),
              Ops = make_set(OperationName, 20),
              FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated)
            by Identity=tostring(Identity)
  | where Count >= 5
  | extend AccountCustomEntity = Identity
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: AccountCustomEntity
version: 1.0.0
kind: Scheduled

Explanation

This query is designed to detect suspicious bulk actions performed on devices managed through Microsoft Intune. Here's a simple breakdown of what it does:

  1. Purpose: The query aims to identify potentially harmful actions like wiping, retiring, or deleting multiple devices in a short period. Such actions could indicate malicious activity, such as ransomware attacks or unauthorized access by someone with administrative rights.

  2. Data Source: It uses data from Intune Audit Logs, specifically focusing on operations that affect device management.

  3. Time Frame: The query looks at logs from the past 30 minutes and runs every 30 minutes.

  4. Operations Monitored: It checks for the destructive operations named in the rule's list: wipe, retire and delete of managed devices, clean Windows device, Autopilot reset and Fresh Start.

  5. Detection Criteria:

    • It groups the matching actions by the user (or "actor") who performed them.
    • It flags cases where five or more such operations are performed by the same user within the 30-minute window.

  6. Output:

    • It summarizes the number of operations, the devices affected, and the types of operations performed.
    • It records the first and last time these operations were seen within the period.
    • It maps the identity of the user performing these actions to an account entity for further investigation.

  7. Severity and Tactics: The query is marked with high severity and is tagged with the Impact tactic, aligned with MITRE ATT&CK techniques T1485 (Data Destruction) and T1531 (Account Access Removal).

Overall, this query helps security teams quickly identify and respond to potentially malicious activities involving bulk device management operations in Intune.
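The following is an added offline reference implementation of the rule's logic, not code from the rule author or from Microsoft Sentinel. It reproduces the query's window filter, the has_any match against the destructive operation list, the TargetObjectName extraction from Properties, and the per-identity summarize with the Count >= 5 threshold, and runs it over constructed IntuneAuditLogs-like rows (sample identities, device names and timestamps are invented). It is useful for checking what the rule would and would not flag before deploying a change; KQL's term-breaking for has_any is approximated by splitting on non-alphanumeric characters.

```python
"""Offline reference implementation of the 'Intune - Bulk device wipe, retire,
or delete operations' rule logic, for testing against constructed sample rows."""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Mirrors the destructiveOps list in the KQL rule (lower-cased for matching).
DESTRUCTIVE_OPS = {
    "wipemanageddevice", "retiremanageddevice", "deletemanageddevice",
    "cleanwindowsdevice", "autopilotreset", "freshstart", "wipe", "retire", "delete",
}
THRESHOLD = 5                    # mirrors `where Count >= 5`
WINDOW = timedelta(minutes=30)   # mirrors `TimeGenerated > ago(30m)`
MAX_TARGETS = 100                # mirrors `make_set(Target, 100)`


def is_destructive(operation_name: str) -> bool:
    """Approximate KQL `has_any`: case-insensitive match on whole terms.
    KQL breaks terms on non-alphanumeric characters, so do the same here."""
    terms = {t.lower() for t in re.split(r"[^A-Za-z0-9]+", operation_name) if t}
    return bool(terms & DESTRUCTIVE_OPS)


def summarize(records, now):
    """Apply the rule's window, operation filter and per-identity summarize.
    Returns only identities whose Count reaches the threshold."""
    cutoff = now - WINDOW
    groups = defaultdict(lambda: {"Count": 0, "Targets": set(), "Ops": set(),
                                  "FirstSeen": None, "LastSeen": None})
    for rec in records:
        ts = rec["TimeGenerated"]
        if ts <= cutoff or not is_destructive(rec["OperationName"]):
            continue
        # `extend Props = parse_json(tostring(Properties))`, then Props.TargetObjectName
        props = json.loads(rec["Properties"]) if rec.get("Properties") else {}
        target = str(props.get("TargetObjectName", ""))
        g = groups[str(rec["Identity"])]
        g["Count"] += 1
        if len(g["Targets"]) < MAX_TARGETS:
            g["Targets"].add(target)
        g["Ops"].add(rec["OperationName"])
        g["FirstSeen"] = ts if g["FirstSeen"] is None else min(g["FirstSeen"], ts)
        g["LastSeen"] = ts if g["LastSeen"] is None else max(g["LastSeen"], ts)
    return {ident: g for ident, g in groups.items() if g["Count"] >= THRESHOLD}


# Constructed evaluation time for the sample rows (not a real event).
NOW = datetime(2026, 4, 22, 10, 30, tzinfo=timezone.utc)


def sample_records():
    """Constructed IntuneAuditLogs-like rows; identities and device names are invented."""
    def row(minutes_ago, identity, op, target):
        return {
            "TimeGenerated": NOW - timedelta(minutes=minutes_ago),
            "Identity": identity,
            "OperationName": op,
            "Properties": json.dumps({"TargetObjectName": target}),
        }
    rows = []
    # Six wipes/deletes from one account within six minutes: should be flagged.
    for i in range(6):
        op = "wipeManagedDevice" if i % 2 == 0 else "deleteManagedDevice"
        rows.append(row(2 + i, "admin-a@example.com", op, f"LAPTOP-{i:03d}"))
    # Same account 45 minutes ago: outside the 30-minute window, must not count.
    rows.append(row(45, "admin-a@example.com", "wipeManagedDevice", "LAPTOP-OLD"))
    # Helpdesk retiring three devices: below the threshold, routine activity.
    for i in range(3):
        rows.append(row(5 + i, "helpdesk@example.com", "retireManagedDevice", f"PHONE-{i:03d}"))
    # A non-destructive operation that the has_any filter must ignore.
    rows.append(row(1, "helpdesk@example.com", "syncDevice", "PHONE-999"))
    return rows


def run_sample():
    """Run the rule logic over the constructed rows and return flagged identities."""
    return summarize(sample_records(), NOW)


if __name__ == "__main__":
    for identity, g in run_sample().items():
        print(identity, g["Count"], sorted(g["Ops"]), sorted(g["Targets"]),
              g["FirstSeen"].isoformat(), g["LastSeen"].isoformat())
```

Only admin-a@example.com is returned: the 45-minute-old wipe falls outside the window, the helpdesk account stays below five operations, and the sync operation is never counted. One point worth checking when tuning: the KQL already enforces Count >= 5 per identity, while Sentinel's triggerOperator/triggerThreshold (gt 4 in this rule) is compared against the number of rows the query returns, so the alert as written only fires when five or more distinct identities each cross the per-identity threshold in the same run.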

Details


David Alonso

Released: April 22, 2026

Tables

IntuneAuditLogs

Keywords

Intune, Devices, MDM, Ransomware, Extortion, Admin Rights, Account, Privileged Identities, Azure Monitor, Logs, Audit Logs, Operations, Properties, TargetObjectName, Identity, AccountCustomEntity, Account, FullName, Version, Scheduled

Operators

let, dynamic, where, has_any, extend, parse_json, tostring, summarize, count, make_set, min, max, by
