Query Details
id: 7b8c9d10-aaaa-4001-8001-000000000007
name: HUNT - Stale / dormant devices suddenly active
description: |
  Identifies Intune-managed devices that were dormant for more than 60 days and have checked in again within the last 7 days.
  Reactivated accounts and devices are a known persistence technique.
requiredDataConnectors:
  - connectorId: AzureMonitor(IntuneLogs)
    dataTypes:
      - IntuneDevices
tactics:
  - Persistence
relevantTechniques:
  - T1098.005
query: |
  IntuneDevices
  | where TimeGenerated > ago(90d)
  | extend DeviceId = tostring(DeviceId)
  | summarize
      // latest check-in before the recent 7-day window, and earliest check-in inside it
      PriorSeen = max_if(TimeGenerated, TimeGenerated <= ago(7d)),
      Reactivated = min_if(TimeGenerated, TimeGenerated > ago(7d)),
      LastSeen = max(TimeGenerated),
      arg_max(TimeGenerated, DeviceName, UPN, OS, Ownership, CompliantState)
      by DeviceId
  // a device with no earlier check-in in the window (e.g. newly enrolled) cannot be judged dormant
  | where isnotnull(PriorSeen) and isnotnull(Reactivated)
  // idle gap that preceded the reactivation, not the device's total time in the window
  | extend DaysIdleBefore = datetime_diff('day', Reactivated, PriorSeen)
  | where DaysIdleBefore >= 60
  | project LastSeen, DeviceId, DeviceName,
      UserPrincipalName = tolower(tostring(UPN)),
      OperatingSystem = tostring(OS),
      OwnerType = tostring(Ownership),
      ComplianceState = tostring(CompliantState),
      DaysIdleBefore
  | order by LastSeen desc
version: 1.0.0
This query is designed to identify devices managed by Intune that were inactive for more than 60 days but have recently become active again. It is useful for detecting potential security threats, as reactivated devices can be a sign of persistence techniques used by attackers.
Here's a simple breakdown of what the query does:
Data Source: It uses data from Intune logs, specifically focusing on device activity.
Time Frame: The query looks at device activity over the past 90 days.
Activity Analysis: For each device it determines when the device last checked in and how many days it had been idle before that check-in.
Filter Criteria: Only devices whose latest check-in falls within the last 7 days and whose preceding idle gap is at least 60 days are kept.
Output: Last-seen time, device ID and name, user principal name, operating system, ownership type, compliance state, and the number of idle days.
Sorting: The results are sorted by the most recent activity.
This query helps in identifying potentially suspicious device reactivations, which could indicate unauthorized access or other security issues.
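To validate the dormancy logic without access to a tenant, the following added example (not part of the published query) replays it over a constructed datatable that stands in for IntuneDevices; the fixed AsOf timestamp, device IDs, names and UPNs are all made up. It measures idleness as the gap between the last check-in before the recent 7-day window and the first check-in inside it, so a device that has simply been checking in steadily is not flagged.

```kql
// Constructed sample rows standing in for the IntuneDevices table; none are real tenant data.
let AsOf = datetime(2026-04-22 12:00:00);   // fixed "now" so the example is deterministic
let SampleIntuneDevices = datatable(TimeGenerated:datetime, DeviceId:string, DeviceName:string,
                                    UPN:string, OS:string, Ownership:string, CompliantState:string)
[
    // dev-a: one check-in on 1 Feb, then silence until 20 Apr -> 78 idle days, should be flagged
    datetime(2026-02-01 09:00:00), "dev-a", "LAPTOP-A", "Alice@Contoso.com", "Windows", "Corporate", "Compliant",
    datetime(2026-04-20 09:00:00), "dev-a", "LAPTOP-A", "Alice@Contoso.com", "Windows", "Corporate", "Noncompliant",
    datetime(2026-04-21 09:00:00), "dev-a", "LAPTOP-A", "Alice@Contoso.com", "Windows", "Corporate", "Noncompliant",
    // dev-b: checks in every few weeks -> steady activity, must not be flagged
    datetime(2026-01-25 10:00:00), "dev-b", "LAPTOP-B", "bob@contoso.com", "Windows", "Corporate", "Compliant",
    datetime(2026-03-01 10:00:00), "dev-b", "LAPTOP-B", "bob@contoso.com", "Windows", "Corporate", "Compliant",
    datetime(2026-04-05 10:00:00), "dev-b", "LAPTOP-B", "bob@contoso.com", "Windows", "Corporate", "Compliant",
    datetime(2026-04-19 10:00:00), "dev-b", "LAPTOP-B", "bob@contoso.com", "Windows", "Corporate", "Compliant",
    // dev-c: enrolled 3 days ago with no prior history -> new, not dormant, must not be flagged
    datetime(2026-04-19 15:00:00), "dev-c", "PHONE-C", "carol@contoso.com", "iOS", "Personal", "Compliant"
];
SampleIntuneDevices
| where TimeGenerated > AsOf - 90d
| summarize
    // latest check-in before the recent 7-day window, and earliest check-in inside it
    PriorSeen = max_if(TimeGenerated, TimeGenerated <= AsOf - 7d),
    Reactivated = min_if(TimeGenerated, TimeGenerated > AsOf - 7d),
    LastSeen = max(TimeGenerated),
    arg_max(TimeGenerated, DeviceName, UPN, OS, Ownership, CompliantState)
    by DeviceId
// devices with no earlier check-in in the window (dev-c) cannot be judged dormant
| where isnotnull(PriorSeen) and isnotnull(Reactivated)
| extend DaysIdleBefore = datetime_diff('day', Reactivated, PriorSeen)
| where DaysIdleBefore >= 60
| project LastSeen, DeviceId, DeviceName,
    UserPrincipalName = tolower(tostring(UPN)),
    OperatingSystem = tostring(OS),
    OwnerType = tostring(Ownership),
    ComplianceState = tostring(CompliantState),
    DaysIdleBefore
| order by LastSeen desc
// Expected result: a single row for dev-a with DaysIdleBefore = 78; dev-b (14-day gap) and dev-c (no history) are excluded
```

Swapping SampleIntuneDevices for the real IntuneDevices table and AsOf for now() gives the production form of the hunt; adding a steady daily-check-in device to the datatable is a quick way to confirm it is not flagged.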

David Alonso
Released: April 22, 2026