Query Details
id: 7b8c9d10-aaaa-4001-8001-000000000006
name: HUNT - Device enrolled and privileged action within 24h
description: |
  Finds identities that registered a new device and, within 24 hours, performed
  privileged actions (role assignment, policy modification, admin-portal access).
  Classic device-trust → privilege-escalation chain.
requiredDataConnectors:
  - connectorId: AzureMonitor(IntuneLogs)
    dataTypes:
      - IntuneAuditLogs
  - connectorId: AzureActiveDirectory
    dataTypes:
      - AuditLogs
tactics:
  - PrivilegeEscalation
  - Persistence
relevantTechniques:
  - T1098
  - T1098.005
query: |
  let enrollments =
      IntuneAuditLogs
      | where TimeGenerated > ago(7d)
      | where OperationName has_any ("enroll", "Create Device", "register")
      | project EnrollTime = TimeGenerated, UPN = tolower(tostring(Identity)),
                Device = tostring(parse_json(tostring(Properties)).TargetObjectName);
  let priv =
      AuditLogs
      | where TimeGenerated > ago(7d)
      | where OperationName has_any ("Add member to role", "Update policy", "Update conditional access policy",
                                     "Delete policy", "Consent to application")
      | project PrivTime = TimeGenerated, UPN = tolower(tostring(InitiatedBy.user.userPrincipalName)),
                PrivOp = OperationName;
  enrollments
  | join kind=inner priv on UPN
  | where PrivTime between (EnrollTime .. EnrollTime + 24h)
  | project UPN, Device, EnrollTime, PrivTime, PrivOp
  | order by PrivTime desc
version: 1.0.0
This query is designed to identify potential security risks by detecting users who registered a new device and then performed privileged actions within 24 hours. Here's a simple breakdown of what the query does:
Data Sources: It uses data from two sources:
  Device Enrollment Tracking: It looks at the last 7 days of IntuneAuditLogs for operations whose name contains "enroll", "Create Device" or "register", recording the enrolling identity (lowercased) and the device name taken from the audit properties.
  Privileged Actions Tracking: It also examines the last 7 days of AuditLogs (AzureActiveDirectory connector) for privileged operations such as role assignments, policy updates or deletions, and application consents, recording the initiating user (lowercased) and the operation name.
Matching and Filtering: The query joins the two sets on the lowercased user principal name and keeps only the pairs where the privileged action occurred between the enrollment time and 24 hours after it.
Output: The result is a list of users, along with the device they enrolled, the time of enrollment, the time of the privileged action, and the type of privileged action performed. The results are sorted by the time of the privileged action in descending order.
This query helps in identifying potential security threats by highlighting a classic device-trust to privilege-escalation scenario.
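The following is an added example, not part of the original hunting query page: a small Python model of the same correlation, run over constructed sample records so the join, the case folding on UPN and the 24-hour window can be checked offline before the KQL is deployed. The tenant name contoso.example, the device names and every record below are constructed, and has_any is only an approximation of KQL's term-based matching.

```python
# Added example (not the page's query): Python model of the enrollment -> privileged
# action correlation, over constructed records, for offline checking of the logic.
from dataclasses import dataclass
from datetime import datetime, timedelta
import re

WINDOW = timedelta(hours=24)
# Same operation-name phrases the KQL query uses.
ENROLL_TERMS = ("enroll", "Create Device", "register")
PRIV_TERMS = ("Add member to role", "Update policy", "Update conditional access policy",
              "Delete policy", "Consent to application")


def _terms(text: str) -> list:
    return re.findall(r"[a-z0-9]+", text.lower())


def has_any(text: str, phrases) -> bool:
    """Approximation of KQL has_any: case-insensitive, and each phrase must appear as a
    run of whole terms, so "enroll" matches "Enroll" but not "Enrollment"."""
    toks = _terms(text)
    for phrase in phrases:
        want = _terms(phrase)
        n = len(want)
        if any(toks[i:i + n] == want for i in range(len(toks) - n + 1)):
            return True
    return False


@dataclass(frozen=True)
class Hit:
    upn: str
    device: str
    enroll_time: datetime
    priv_time: datetime
    priv_op: str


def correlate(intune_audit, aad_audit, window=WINDOW):
    """Mirror of the query: enrollments joined to privileged ops on lowercased UPN,
    keeping only ops inside [EnrollTime, EnrollTime + window], newest first."""
    enrollments = [
        (r["TimeGenerated"], r["Identity"].lower(),
         str(r.get("Properties", {}).get("TargetObjectName", "")))
        for r in intune_audit if has_any(r["OperationName"], ENROLL_TERMS)
    ]
    priv = []
    for r in aad_audit:
        if not has_any(r["OperationName"], PRIV_TERMS):
            continue
        # App-initiated records carry no user block; the KQL yields an empty UPN for
        # them and they never join, so they are skipped here as well.
        upn = r.get("InitiatedBy", {}).get("user", {}).get("userPrincipalName")
        if upn:
            priv.append((r["TimeGenerated"], upn.lower(), r["OperationName"]))
    hits = [
        Hit(eu, dev, et, pt, op)
        for et, eu, dev in enrollments
        for pt, pu, op in priv
        if eu == pu and et <= pt <= et + window
    ]
    hits.sort(key=lambda h: h.priv_time, reverse=True)  # order by PrivTime desc
    return hits


# Constructed sample records (hypothetical tenant contoso.example, not real log data).
T0 = datetime(2026, 4, 20, 9, 0)
SAMPLE_INTUNE = [
    {"TimeGenerated": T0, "OperationName": "Enroll",
     "Identity": "Alice@contoso.example",  # mixed case: tolower() makes the join work
     "Properties": {"TargetObjectName": "LAPTOP-A1"}},
    {"TimeGenerated": T0, "OperationName": "Create Device",
     "Identity": "bob@contoso.example",
     "Properties": {"TargetObjectName": "DESKTOP-B2"}},
]


def _by(upn):
    return {"user": {"userPrincipalName": upn}}


SAMPLE_AAD = [
    {"TimeGenerated": T0 + timedelta(hours=3), "OperationName": "Add member to role",
     "InitiatedBy": _by("alice@contoso.example")},             # inside window -> hit
    {"TimeGenerated": T0 + timedelta(hours=30), "OperationName": "Update conditional access policy",
     "InitiatedBy": _by("alice@contoso.example")},             # after 24h -> dropped
    {"TimeGenerated": T0 - timedelta(hours=1), "OperationName": "Delete policy",
     "InitiatedBy": _by("bob@contoso.example")},               # before enrollment -> dropped
    {"TimeGenerated": T0 + timedelta(hours=5), "OperationName": "Update user",
     "InitiatedBy": _by("bob@contoso.example")},               # not a privileged op -> dropped
    {"TimeGenerated": T0 + timedelta(hours=2), "OperationName": "Consent to application",
     "InitiatedBy": {"app": {"displayName": "SomeService"}}},  # app-initiated -> no UPN
]

if __name__ == "__main__":
    for h in correlate(SAMPLE_INTUNE, SAMPLE_AAD):
        print(h)
```

Only Alice's role assignment survives: Bob's actions fall outside the window or are not on the privileged list, and the app-initiated consent has no user to join on. The "Enroll" versus "Enrollment" behaviour of has_any is worth keeping in mind when tuning the hunt, since term matching means the operation-name list should be checked against the OperationName values actually present in the tenant's IntuneAuditLogs.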

David Alonso
Released: April 22, 2026