Query Details

HUNT - Stale / dormant devices suddenly active

Dormant Device Reactivation

Query

IntuneDevices
| where TimeGenerated > ago(90d)
| summarize LastSeen = max(TimeGenerated), FirstSeen = min(TimeGenerated),
            arg_max(TimeGenerated, DeviceName, UPN, OS, Ownership, CompliantState)
          by DeviceId = tostring(DeviceId)
| extend DaysIdleBefore = datetime_diff('day', LastSeen, FirstSeen)
| where LastSeen > ago(7d) and DaysIdleBefore >= 60
| project LastSeen, DeviceId, DeviceName,
          UserPrincipalName = tolower(tostring(UPN)),
          OperatingSystem   = tostring(OS),
          OwnerType         = tostring(Ownership),
          ComplianceState   = tostring(CompliantState),
          DaysIdleBefore
| order by LastSeen desc

Explanation

This query is designed to identify devices managed by Intune that were inactive for more than 60 days but have recently become active again. It is useful for detecting potential security threats, as reactivated devices can be a sign of persistence techniques used by attackers.

Here's a simple breakdown of what the query does:

  1. Data Source: It uses data from Intune logs, specifically focusing on device activity.

  2. Time Frame: The query looks at device activity over the past 90 days.

  3. Activity Analysis:

    • It calculates the last and first time each device was seen active.
    • It determines how many days a device was idle before becoming active again.
  4. Filter Criteria:

    • It filters for devices that have been active in the last 7 days.
    • It ensures these devices were previously inactive for at least 60 days.
  5. Output:

    • The query outputs details such as the last seen time, device ID, device name, user principal name (converted to lowercase), operating system, ownership type, compliance state, and the number of days the device was idle before reactivation.
  6. Sorting: The results are sorted by the most recent activity.

This query helps in identifying potentially suspicious device reactivations, which could indicate unauthorized access or other security issues.

Details

David Alonso profile picture

David Alonso

Released: April 22, 2026

Tables

IntuneDevices

Keywords

IntuneDevicesDeviceNameUPNOSOwnershipCompliantStateDeviceIdUserPrincipalNameOperatingSystemOwnerTypeComplianceStateDaysIdleBefore

Operators

IntuneDeviceswhereagosummarizemaxminarg_maxbytostringextenddatetime_diffprojecttolowerorder bydesc

Tactics

Persistence

MITRE Techniques

Actions

GitHub