Query Details

First Time Enrollment By User

Query

id: 7b8c9d10-aaaa-4001-8001-000000000001
name: HUNT - First-time device enrollment per user
description: |
  Surfaces the first Intune device enrollment per user in the last 30 days.
  Useful to review new devices against HR / joiner lists and catch stealth enrollments.
requiredDataConnectors:
  - connectorId: AzureMonitor(IntuneLogs)
    dataTypes:
      - IntuneAuditLogs
tactics:
  - Persistence
relevantTechniques:
  - T1098.005
query: |
  IntuneAuditLogs
  | where TimeGenerated > ago(30d)
  | where OperationName has_any ("enroll","Create Device","register")
  | extend Props = parse_json(tostring(Properties))
  | extend DeviceName = tostring(Props.TargetObjectName)
  | summarize FirstEnroll = min(TimeGenerated), Devices = make_set(DeviceName, 50), Count = count()
            by Identity = tostring(Identity)
  | where FirstEnroll > ago(7d)
  | order by FirstEnroll desc
version: 1.0.0

Explanation

This query is designed to identify the first time a device is enrolled in Intune for each user over the past 30 days. Here's a simple breakdown:

  • Purpose: The query helps in detecting the first instance of device enrollment for each user within the last 30 days. This can be useful for verifying new devices against HR or joiner lists and identifying any unauthorized or stealth enrollments.

  • Data Source: It uses data from Intune Audit Logs, specifically looking at operations related to device enrollment.

  • Process:

    1. It filters the logs to include only those generated in the last 30 days.
    2. It looks for operations that indicate device enrollment, such as "enroll," "Create Device," or "register."
    3. It extracts and processes relevant information, such as the device name and the time of enrollment.
    4. It summarizes the data to find the earliest enrollment time for each user and lists up to 50 devices associated with them.
    5. It further filters the results to show only those enrollments that occurred in the last 7 days.
    6. Finally, it orders the results by the enrollment date, showing the most recent first.

  • Security Context: This query is associated with the "Persistence" tactic and is relevant to the technique T1098.005 (Account Manipulation: Device Registration), in which an adversary registers a device to a compromised account in order to keep access to it.

In summary, this query helps security teams monitor and review new device enrollments in Intune to ensure they are legitimate and authorized.
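As an added example (not part of the published query or its author's material), the following Python reproduces the query's pipeline over constructed IntuneAuditLogs-style records, so the operation filter, the per-identity summarize and the 7-day "first enrollment" cut can be checked offline. All identities, device names, timestamps and operation names are constructed samples; KQL has_any is approximated with case-insensitive substring matching, which is looser than has_any's term-based matching. The example also shows a caveat of the 30-day lookback: a user whose earlier enrollment falls outside the window is reported as first-time, which a longer lookback removes.

```python
from datetime import datetime, timedelta, timezone
import json

# Fixed "now" so the sample is reproducible (constructed, not real telemetry).
NOW = datetime(2026, 4, 22, 12, 0, tzinfo=timezone.utc)


def _rec(days_ago, identity, op, device):
    """Build one constructed IntuneAuditLogs-shaped record."""
    return {
        "TimeGenerated": NOW - timedelta(days=days_ago),
        "Identity": identity,
        "OperationName": op,
        # Properties arrives as a JSON string in the table, as in the KQL.
        "Properties": json.dumps({"TargetObjectName": device}),
    }


# Constructed sample log lines covering the cases the query distinguishes.
SAMPLE_LOGS = [
    _rec(2, "alice@contoso.example", "Enroll Device", "ALICE-LAPTOP"),  # new joiner, first device
    _rec(1, "alice@contoso.example", "Create Device", "ALICE-PHONE"),   # second device, same user
    _rec(20, "bob@contoso.example", "Enroll Device", "BOB-LAPTOP"),     # long-standing user
    _rec(3, "bob@contoso.example", "Enroll Device", "BOB-PHONE"),       # not a first enrollment
    _rec(4, "carol@contoso.example", "Delete Device", "CAROL-OLD"),     # unrelated operation
    _rec(45, "dave@contoso.example", "Enroll Device", "DAVE-OLD"),      # outside the 30d window
    _rec(5, "dave@contoso.example", "Enroll Device", "DAVE-NEW"),       # looks "first" to the query
]

# Terms from the KQL has_any(); matched as case-insensitive substrings here.
ENROLL_TERMS = ("enroll", "create device", "register")


def first_time_enrollments(logs, now=NOW, lookback_days=30, recent_days=7, max_devices=50):
    """Mirror the KQL: time filter -> operation filter -> extract device ->
    summarize per Identity -> keep identities whose first enrollment is recent."""
    window_start = now - timedelta(days=lookback_days)
    per_user = {}
    for r in logs:
        if r["TimeGenerated"] <= window_start:          # where TimeGenerated > ago(30d)
            continue
        op = r["OperationName"].lower()
        if not any(t in op for t in ENROLL_TERMS):      # where OperationName has_any (...)
            continue
        device = json.loads(r["Properties"]).get("TargetObjectName", "")  # parse_json + extend
        s = per_user.setdefault(
            r["Identity"], {"FirstEnroll": r["TimeGenerated"], "Devices": [], "Count": 0}
        )
        s["FirstEnroll"] = min(s["FirstEnroll"], r["TimeGenerated"])       # min(TimeGenerated)
        if device not in s["Devices"] and len(s["Devices"]) < max_devices:  # make_set(DeviceName, 50)
            s["Devices"].append(device)
        s["Count"] += 1                                                    # count()
    recent = now - timedelta(days=recent_days)
    rows = [{"Identity": k, **v} for k, v in per_user.items() if v["FirstEnroll"] > recent]
    rows.sort(key=lambda x: x["FirstEnroll"], reverse=True)                # order by FirstEnroll desc
    return rows


if __name__ == "__main__":
    for row in first_time_enrollments(SAMPLE_LOGS):
        print(row["FirstEnroll"].date(), row["Identity"], row["Devices"], row["Count"])
```

Running it lists alice (a genuine first enrollment) and dave, whose older device sits just outside the 30-day window; raising lookback_days to 60 drops dave, which is why the lookback length should be chosen against the organisation's typical enrollment cadence rather than left at the default when reviewing hits against joiner lists.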

Details

David Alonso

Released: April 22, 2026

Tables

IntuneAuditLogs

Keywords

Intune, Device, User, Identity, Properties, OperationName, TimeGenerated

Operators

ago, has_any, extend, parse_json, tostring, summarize, min, make_set, count, by, where, order by, desc