HUNT - Stale / dormant devices suddenly active
Dormant Device Reactivation
Query
IntuneDevices
| where TimeGenerated > ago(90d)
| summarize LastSeen = max(TimeGenerated), FirstSeen = min(TimeGenerated),
arg_max(TimeGenerated, DeviceName, UPN, OS, Ownership, CompliantState)
by DeviceId = tostring(DeviceId)
| extend DaysIdleBefore = datetime_diff('day', LastSeen, FirstSeen)
| where LastSeen > ago(7d) and DaysIdleBefore >= 60
| project LastSeen, DeviceId, DeviceName,
UserPrincipalName = tolower(tostring(UPN)),
OperatingSystem = tostring(OS),
OwnerType = tostring(Ownership),
ComplianceState = tostring(CompliantState),
DaysIdleBefore
| order by LastSeen descExplanation
This query is designed to identify devices managed by Intune that were inactive for more than 60 days but have recently become active again. It is useful for detecting potential security threats, as reactivated devices can be a sign of persistence techniques used by attackers.
Here's a simple breakdown of what the query does:
-
Data Source: It uses data from Intune logs, specifically focusing on device activity.
-
Time Frame: The query looks at device activity over the past 90 days.
-
Activity Analysis:
- It calculates the last and first time each device was seen active.
- It determines how many days a device was idle before becoming active again.
-
Filter Criteria:
- It filters for devices that have been active in the last 7 days.
- It ensures these devices were previously inactive for at least 60 days.
-
Output:
- The query outputs details such as the last seen time, device ID, device name, user principal name (converted to lowercase), operating system, ownership type, compliance state, and the number of days the device was idle before reactivation.
-
Sorting: The results are sorted by the most recent activity.
This query helps in identifying potentially suspicious device reactivations, which could indicate unauthorized access or other security issues.
Details

David Alonso
Released: April 22, 2026
Tables
Keywords
Operators
Tactics
MITRE Techniques