Query Details

Intune Audit Top Operators

Query

id: 7b8c9d10-aaaa-4001-8001-00000000000B
name: HUNT - Top Intune audit operators (volume baseline)
description: |
  Establishes a per-actor volume baseline across IntuneAuditLogs. Useful to spot service accounts
  or admins whose operation volume has materially increased versus the previous week — a common
  precursor to mass-policy changes or bulk device actions.
requiredDataConnectors:
  - connectorId: AzureMonitor(IntuneLogs)
    dataTypes:
      - IntuneAuditLogs
tactics:
  - Discovery
relevantTechniques:
  - T1087
query: |
  // Named "current" rather than "now" so the tabular let does not shadow the built-in now() function
  let current =
      IntuneAuditLogs
      | where TimeGenerated > ago(1d)
      | summarize Today = count(), OpsToday = make_set(OperationName, 30) by Actor = tostring(Identity);
  let baseline =
      IntuneAuditLogs
      | where TimeGenerated between (ago(8d) .. ago(1d))
      | summarize PrevWeek = count() / 7.0 by Actor = tostring(Identity);
  current
  | join kind=leftouter baseline on Actor
  // An actor with no activity in the baseline week comes out of the leftouter join with
  // PrevWeek = null, and null == 0 is not true; coalesce so the zero-baseline branch fires
  | extend PrevWeek = coalesce(PrevWeek, 0.0)
  | extend Ratio = iff(PrevWeek == 0, todouble(Today), todouble(Today) / PrevWeek)
  | where Today >= 20 and Ratio >= 3
  | project Actor, Today, PrevWeekDailyAvg = PrevWeek, Ratio, OpsToday
  | order by Ratio desc
version: 1.0.0

Explanation

This query flags actors whose volume of Intune audit operations in the last day is far above their own recent norm. Here's a breakdown:

  1. Purpose: The query builds a per-actor activity baseline from IntuneAuditLogs and reports actors whose operation count has jumped relative to that baseline. A sudden jump from an admin or automation account often precedes (or is) a mass policy change or a bulk device action such as wipe or retire, so it is a useful hunting pivot rather than a high-fidelity alert on its own.

  2. Data Source: IntuneAuditLogs, ingested through the Azure Monitor (Intune logs) connector. The Identity column holds the acting principal, which may be a user UPN, a service account, or an application identity, so "actor" should be read broadly.

  3. Process:

    • Current Activity: Counts the operations each actor performed in the last 24 hours and collects up to 30 distinct OperationName values for that actor (the set is capped, so an actor with more than 30 distinct operations will show a partial list).
    • Baseline Activity: Counts each actor's operations over the seven days before that (between 8 days ago and 1 day ago) and divides by 7 to get a daily average. Actors who were inactive during that week have no baseline row; after the leftouter join their baseline is treated as zero and today's raw count stands in for the ratio, so brand-new actors surface as well.
    • Comparison: An actor is flagged when today's count is at least 20 and is at least 3 times the previous week's daily average. The absolute floor of 20 keeps low-volume noise (for example 2 operations becoming 6) out of the results; both thresholds are tuning knobs and should be set against the tenant's own volumes.
  4. Output: One row per flagged actor with today's count, the previous week's daily average, the ratio between them, and the operations performed today, sorted by ratio so the sharpest deviations appear first.

The result is a short list of actors to triage, not a verdict. Before acting, check the OpsToday column for destructive operations, confirm whether a known change window or automation run explains the volume, and note that a seven-day average will understate normal volume for accounts that only work on weekdays.
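The baseline logic above can be exercised offline against constructed rows before running it on a live workspace. The following is an added example, not part of the original query page: it builds a synthetic IntuneAuditLogs table with a helper function (makeEvents, the actor names, and the operation names are all assumed for illustration) that covers the four cases worth checking, namely a steady high-volume automation account, an admin whose volume spikes, an actor with no baseline week at all, and a small spike that stays under the absolute floor. Paste it into any Log Analytics or Kusto query window; the let-bound IntuneAuditLogs shadows the real table for the duration of the query.

```kql
// Constructed data: emits n audit events for one actor, one minute apart, ending at endTime,
// so each batch lands inside the window the hunt is meant to read it from.
let makeEvents = (actor:string, op:string, n:long, endTime:datetime) {
    range i from 0 to n - 1 step 1
    | project TimeGenerated = endTime - i * 1m, OperationName = op, Identity = actor
};
let IntuneAuditLogs = union
    // Steady automation account: 350 in the baseline week (50/day) and 50 today
    (makeEvents("svc-intune-sync@contoso.com", "patchManagedDevice", 350, ago(25h))),
    (makeEvents("svc-intune-sync@contoso.com", "patchManagedDevice", 50, ago(1h))),
    // Admin who averaged 5/day last week and performs 40 deletes today
    (makeEvents("admin@contoso.com", "createDeviceConfiguration", 35, ago(25h))),
    (makeEvents("admin@contoso.com", "deleteDeviceConfiguration", 40, ago(1h))),
    // Actor with no rows in the baseline week: exercises the null-baseline path of the leftouter join
    (makeEvents("new-app-sp@contoso.com", "wipeManagedDevice", 25, ago(1h))),
    // Small spike (3/day to 12) that sits under the Today >= 20 floor
    (makeEvents("helpdesk@contoso.com", "syncDevice", 21, ago(25h))),
    (makeEvents("helpdesk@contoso.com", "syncDevice", 12, ago(1h)));
// Same detection logic as the hunt, with the missing-baseline case handled explicitly
let current =
    IntuneAuditLogs
    | where TimeGenerated > ago(1d)
    | summarize Today = count(), OpsToday = make_set(OperationName, 30) by Actor = tostring(Identity);
let baseline =
    IntuneAuditLogs
    | where TimeGenerated between (ago(8d) .. ago(1d))
    | summarize PrevWeek = count() / 7.0 by Actor = tostring(Identity);
current
| join kind=leftouter baseline on Actor
| extend PrevWeek = coalesce(PrevWeek, 0.0)
| extend Ratio = iff(PrevWeek == 0, todouble(Today), todouble(Today) / PrevWeek)
| where Today >= 20 and Ratio >= 3
| project Actor, Today, PrevWeekDailyAvg = PrevWeek, Ratio, OpsToday
| order by Ratio desc
```

Change the counts passed to makeEvents to see how the two thresholds interact: raising the helpdesk batch above 20 pulls it into the results, while removing the coalesce line drops the new-app-sp row, because a null PrevWeek makes both the iff predicate and the Ratio comparison evaluate to null rather than true.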

Details

David Alonso

Released: April 22, 2026

Tables

IntuneAuditLogs

Keywords

IntuneAuditLogs, Devices, Admins, ServiceAccounts, Operations, Actor, Identity

Operators

let, |, where, >, ago, summarize, =, count(), make_set, by, between, .., join, kind=leftouter, on, extend, iff, ==, todouble, /, and, project, order by, desc