HUNT - First-time device enrollment per user
First Time Enrollment By User
Query
IntuneAuditLogs
| where TimeGenerated > ago(30d)
| where OperationName has_any ("enroll","Create Device","register")
| extend Props = parse_json(tostring(Properties))
| extend DeviceName = tostring(Props.TargetObjectName)
| summarize FirstEnroll = min(TimeGenerated), Devices = make_set(DeviceName, 50), Count = count()
by Identity = tostring(Identity)
| where FirstEnroll > ago(7d)
| order by FirstEnroll descExplanation
This query is designed to identify the first time a device is enrolled in Intune for each user over the past 30 days. Here's a simple breakdown:
-
Purpose: The query helps in detecting the first instance of device enrollment for each user within the last 30 days. This can be useful for verifying new devices against HR or joiner lists and identifying any unauthorized or stealth enrollments.
-
Data Source: It uses data from Intune Audit Logs, specifically looking at operations related to device enrollment.
-
Process:
- It filters the logs to include only those generated in the last 30 days.
- It looks for operations that indicate device enrollment, such as "enroll," "Create Device," or "register."
- It extracts and processes relevant information, such as the device name and the time of enrollment.
- It summarizes the data to find the earliest enrollment time for each user and lists up to 50 devices associated with them.
- It further filters the results to show only those enrollments that occurred in the last 7 days.
- Finally, it orders the results by the enrollment date, showing the most recent first.
-
Security Context: This query is associated with the "Persistence" tactic and is relevant to the technique T1098.005, which involves unauthorized account manipulation or creation.
In summary, this query helps security teams monitor and review new device enrollments in Intune to ensure they are legitimate and authorized.
