Intune - Bulk device wipe, retire, or delete operations
Bulk Destructive MDM Actions
Query
let destructiveOps = dynamic([
"wipeManagedDevice","retireManagedDevice","deleteManagedDevice",
"cleanWindowsDevice","autopilotReset","freshStart","wipe","retire","delete"
]);
IntuneAuditLogs
| where TimeGenerated > ago(30m)
| where OperationName has_any (destructiveOps)
| extend Props = parse_json(tostring(Properties))
| extend Target = tostring(Props.TargetObjectName)
| summarize Count = count(), Targets = make_set(Target, 100),
Ops = make_set(OperationName, 20),
FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated)
by Identity=tostring(Identity)
| where Count >= 5
| extend AccountCustomEntity = IdentityExplanation
This query is designed to detect suspicious bulk actions performed on devices managed through Microsoft Intune. Here's a simple breakdown of what it does:
-
Purpose: The query aims to identify potentially harmful actions like wiping, retiring, or deleting multiple devices in a short period. Such actions could indicate malicious activity, such as ransomware attacks or unauthorized access by someone with administrative rights.
-
Data Source: It uses data from Intune Audit Logs, specifically focusing on operations that affect device management.
-
Time Frame: The query looks at logs from the past 30 minutes and runs every 30 minutes.
-
Operations Monitored: It checks for specific destructive operations, including wiping, retiring, deleting devices, and other similar actions.
-
Detection Criteria:
- It identifies actions performed by a single user (or "actor").
- It flags cases where five or more such operations are performed by the same user within the 30-minute window.
-
Output:
- It summarizes the number of operations, the devices affected, and the types of operations performed.
- It records the first and last time these operations were seen within the period.
- It maps the identity of the user performing these actions to an account entity for further investigation.
-
Severity and Tactics: The query is marked with high severity and relates to tactics that cause impact, aligning with specific techniques (T1485 and T1531) in cybersecurity frameworks.
Overall, this query helps security teams quickly identify and respond to potentially malicious activities involving bulk device management operations in Intune.
Details

David Alonso
Released: April 22, 2026
Tables
Keywords
Operators
Severity
HighTactics
Frequency: 30m
Period: 30m