HUNT - Top Intune audit operators (volume baseline)
Intune Audit Top Operators
Query
let now =
IntuneAuditLogs
| where TimeGenerated > ago(1d)
| summarize Today = count(), OpsToday = make_set(OperationName, 30) by Actor = tostring(Identity);
let baseline =
IntuneAuditLogs
| where TimeGenerated between (ago(8d) .. ago(1d))
| summarize PrevWeek = count() / 7.0 by Actor = tostring(Identity);
now
| join kind=leftouter baseline on Actor
| extend Ratio = iff(PrevWeek == 0, todouble(Today), todouble(Today) / PrevWeek)
| where Today >= 20 and Ratio >= 3
| project Actor, Today, PrevWeekDailyAvg = PrevWeek, Ratio, OpsToday
| order by Ratio descExplanation
This query is designed to monitor and identify unusual activity patterns in Intune audit logs. Here's a simplified breakdown:
-
Purpose: The query establishes a baseline of activity for each user (or "actor") based on their operations in Intune audit logs. It helps detect significant increases in activity, which might indicate potential security issues like mass-policy changes or bulk device actions.
-
Data Source: It uses data from IntuneAuditLogs, accessed via the Azure Monitor connector.
-
Process:
- Current Activity: It calculates the number of operations performed by each user in the last day and lists up to 30 different types of operations they performed.
- Baseline Activity: It calculates the average daily operations for each user over the previous week (excluding the last day).
- Comparison: It compares the current day's activity to the baseline. If a user's operations for the current day are at least 20 and have increased by a factor of 3 or more compared to their daily average from the previous week, they are flagged.
-
Output: The query outputs a list of users with their current day's operation count, previous week's daily average, the ratio of increase, and the types of operations performed today. The results are sorted by the ratio of increase, highlighting the most significant changes.
This query is useful for security teams to quickly identify and investigate potential anomalies in user activity within Intune.
Details

David Alonso
Released: April 22, 2026
Tables
Keywords
Operators
Tactics
MITRE Techniques