Query Details

Enrollment Spikes

Query

id: 7b8c9d10-aaaa-4001-8001-000000000002
name: HUNT - Enrollment spikes by hour
description: Hourly baseline of enrollments vs current, to visualize anomalous enrollment bursts.
requiredDataConnectors:
  - connectorId: AzureMonitor(IntuneLogs)
    dataTypes:
      - IntuneAuditLogs
tactics:
  - Persistence
relevantTechniques:
  - T1098.005
query: |
  IntuneAuditLogs
  | where TimeGenerated > ago(14d)
  | where OperationName has "enroll"
  // make-series zero-fills hours with no enrollments; summarize-by-bin would drop them and inflate the mean
  | make-series Enrollments = count() on TimeGenerated from ago(14d) to now() step 1h
  // series_stats_dynamic needs the whole series (one array), not a per-row scalar
  | extend Stats = series_stats_dynamic(Enrollments)
  | extend Mean = toreal(Stats.avg), StdDev = toreal(Stats.stdev)
  | mv-expand TimeGenerated to typeof(datetime), Enrollments to typeof(long)
  // distance of each hour from the 14-day baseline, in standard deviations; tune the cut-off per tenant
  | extend ZScore = iff(StdDev > 0, (Enrollments - Mean) / StdDev, 0.0)
  | order by TimeGenerated desc
version: 1.0.0

Explanation

This hunting query visualizes unusual bursts of device enrollments using Intune audit logs. Step by step:

  1. Data Source: the IntuneAuditLogs table, ingested through the Azure Monitor (Intune) data connector.
  2. Time Frame: the last 14 days.
  3. Operation Filter: only rows whose OperationName contains the whole term "enroll". KQL's `has` matches whole terms, not substrings, so an operation name that carries the word inside a longer token (an "Enrollment" term, for example) is not matched; check the filter against the OperationName values your tenant actually emits and use `contains` if they look like that.
  4. Aggregation: enrollments are counted per one-hour bin.
  5. Baseline: the mean hourly count over the 14-day window is what each hour is compared against. Hours with zero enrollments must be part of that mean; a baseline built only from hours that had at least one event is inflated and hides moderate bursts. Comparing each hour to the mean in units of standard deviation gives a threshold that scales with the tenant's normal variability instead of a fixed count.
  6. Sorting: newest hour first.

A burst well above the baseline deserves a look. Mass enrollment of attacker-controlled devices is a persistence technique (MITRE ATT&CK T1098.005, Account Manipulation: Device Registration): a registered device can satisfy device-based Conditional Access and keeps its own tokens after the password that enrolled it is reset. Benign causes to rule out first include new-hire onboarding waves, bulk re-enrollment after a wipe or OS migration, and a misconfigured enrollment restriction. Pivot on the enrolling identities and source locations, and check whether a small number of accounts enrolled many devices in the spike hour.
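The baseline logic above, reproduced offline in Python so it can be tried without a workspace. This is an added example, not the page's query or Microsoft code: it approximates KQL `has` with a whole-term match, bins constructed IntuneAuditLogs-style rows (timestamps, operation names and counts are made up) into hours, and shows both the zero-filled baseline and the inflated one you get when empty hours are dropped. Names such as `SAMPLE_LOGS`, `kql_has` and `spikes` are the example's own.

```python
import re
from datetime import datetime, timedelta, timezone
from statistics import mean, pstdev

UTC = timezone.utc

# Constructed sample of IntuneAuditLogs-style rows as (TimeGenerated, OperationName).
# The timestamps, operation names and counts are made up for this example.
T0 = datetime(2026, 4, 20, 0, 0, tzinfo=UTC)
SPIKE_HOUR = T0 + timedelta(hours=30)
SAMPLE_LOGS = (
    # steady background: one enrollment in most hours of the first day
    [(T0 + timedelta(hours=h), "enroll device") for h in range(24) if h % 4 != 0]
    # a burst: 30 enrollments within a single hour on the second day
    + [(SPIKE_HOUR + timedelta(minutes=m), "enroll device") for m in range(30)]
    # rows the filter must ignore: another operation, and a token that `has` does not match
    + [(T0 + timedelta(hours=5), "delete device"),
       (T0 + timedelta(hours=6), "Enrollment report")]
)
WINDOW_START = T0
WINDOW_END = T0 + timedelta(hours=48)


def kql_has(text: str, term: str) -> bool:
    """Approximate KQL `has`: case-insensitive match of a whole alphanumeric term.
    'Enrollment report' does NOT match 'enroll'; a substring (`contains`) check would."""
    terms = (t.lower() for t in re.findall(r"[A-Za-z0-9]+", text))
    return term.lower() in terms


def hourly_counts(rows, start, end, zero_fill=True):
    """Count enrollment operations per 1h bin inside [start, end).

    zero_fill=True mirrors make-series (every hour present, empty ones as 0).
    zero_fill=False mirrors `summarize count() by bin(TimeGenerated, 1h)`, which
    silently drops empty hours and therefore inflates the mean.
    """
    counts = {}
    if zero_fill:
        t = start
        while t < end:
            counts[t] = 0
            t += timedelta(hours=1)
    for ts, op in rows:
        if start <= ts < end and kql_has(op, "enroll"):
            hour = ts.replace(minute=0, second=0, microsecond=0)
            counts[hour] = counts.get(hour, 0) + 1
    return counts


def baseline(counts):
    """Mean and population standard deviation of the hourly counts."""
    values = list(counts.values())
    return float(mean(values)), float(pstdev(values))


def spikes(counts, z_threshold=3.0):
    """Hours whose count sits more than z_threshold standard deviations above the mean."""
    avg, sd = baseline(counts)
    hits = []
    for hour, n in sorted(counts.items()):
        z = (n - avg) / sd if sd > 0 else 0.0
        if z > z_threshold:
            hits.append((hour, n, round(z, 2)))
    return hits


if __name__ == "__main__":
    counts = hourly_counts(SAMPLE_LOGS, WINDOW_START, WINDOW_END)
    avg, sd = baseline(counts)
    print(f"hours={len(counts)} mean={avg:.2f} stdev={sd:.2f}")
    for hour, n, z in spikes(counts):
        print(f"{hour:%Y-%m-%d %H:00} enrollments={n} z={z}")
    avg_dropped, _ = baseline(hourly_counts(SAMPLE_LOGS, WINDOW_START, WINDOW_END, zero_fill=False))
    print(f"mean without zero-fill={avg_dropped:.2f} (inflated)")
```

With the sample data the zero-filled baseline is exactly 1.0 enrollment per hour and the burst hour scores about 6.8 standard deviations above it; dropping the 29 empty hours pushes the baseline to roughly 2.5 and would mask a smaller burst. A z-score cut-off of 3 is a starting point, not a tuned value.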

Details

David Alonso

Released: April 22, 2026

Tables

IntuneAuditLogs

Keywords

Enrollment, IntuneAuditLogs, TimeGenerated, OperationName, Enrollments, Mean, Time

Operators

IntuneAuditLogs, where, ago, has, summarize, count, bin, extend, toreal, series_stats_dynamic, todynamic, avg, order by, desc