Query Details

Intune Compliance Bypass

Query

id: 5a6f1c3e-2a1b-4c9e-9f01-11a2b3c4d501
name: Intune - Device marked compliant shortly after non-compliant state
description: |
  Detects a device that transitioned from non-compliant (or error/unknown) to compliant within a short
  window without a corresponding remediation event. This can indicate compliance-bypass techniques
  (AADInternals `Set-AADIntDeviceCompliant`, manual policy exclusion, or tampering with the Intune
  management extension) used to satisfy Conditional Access device-compliance requirements.
severity: High
requiredDataConnectors:
  - connectorId: AzureMonitor(IntuneLogs)
    dataTypes:
      - IntuneDeviceComplianceOrg
      - IntuneAuditLogs
queryFrequency: 1h
queryPeriod: 6h
triggerOperator: gt
triggerThreshold: 0
status: Available
tactics:
  - DefenseEvasion
  - Persistence
relevantTechniques:
  - T1562
  - T1556
query: |
  let lookback = 6h;       // how far back prev() can see the earlier state
  let alert_window = 1h;   // equals queryFrequency, so each flip is reported once
  let flips =
      IntuneDeviceComplianceOrg
      | where TimeGenerated > ago(lookback)
      | where isnotempty(ComplianceState)
      | project TimeGenerated, DeviceId=tostring(DeviceId), DeviceName=tostring(DeviceName),
                UserPrincipalName=tostring(column_ifexists("UPN", column_ifexists("UserPrincipalName", ""))),
                OSDescription=tostring(OSDescription),
                ComplianceState=tostring(ComplianceState)
      // order by serializes the rows, which prev() requires; sort both keys ascending
      | order by DeviceId asc, TimeGenerated asc
      | extend prevState = prev(ComplianceState), prevTime = prev(TimeGenerated), prevDevice = prev(DeviceId)
      | where DeviceId == prevDevice
      // state strings as reported by Intune; confirm them against your tenant's data before enabling
      | where prevState in ("NonCompliant","Error","Unknown","InGracePeriod","ConfigManager")
      | where ComplianceState == "Compliant"
      | where datetime_diff('minute', TimeGenerated, prevTime) between (0 .. 30)
      | where TimeGenerated > ago(alert_window)
      | project TimeGenerated, prevTime, DeviceId, DeviceName, UserPrincipalName, OSDescription, prevState, ComplianceState;
  let remediations =
      IntuneAuditLogs
      | where TimeGenerated > ago(lookback)
      | where OperationName has_any ("remediate","Sync","wipe","retire")
      | project RemTime=TimeGenerated, DeviceId=tostring(parse_json(tostring(Properties)).TargetObjectId);
  // a remediation only explains the flip if it was logged between the two compliance states
  let remediated_flips =
      flips
      | join kind=inner remediations on DeviceId
      | where RemTime between (prevTime .. TimeGenerated)
      | project DeviceId, TimeGenerated;
  flips
  | join kind=leftanti remediated_flips on DeviceId, TimeGenerated
  | project-away prevTime
  | extend AccountCustomEntity = UserPrincipalName, HostCustomEntity = DeviceName
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: AccountCustomEntity
  - entityType: Host
    fieldMappings:
      - identifier: HostName
        columnName: HostCustomEntity
version: 1.0.0
kind: Scheduled

Explanation

This query detects suspicious compliance behaviour on devices managed by Microsoft Intune: a device that moves from a non-compliant state to Compliant within minutes, with no remediation action recorded in between. A device does not normally become compliant that quickly unless someone synced, remediated or re-enrolled it, so a silent jump can mean the compliance result was forced rather than earned. Here's a simplified breakdown:

  1. Purpose: The query identifies devices that transition from a non-compliant state (or Error, Unknown, InGracePeriod, ConfigManager) to Compliant within 30 minutes, without a remediation action such as a sync, wipe or retire logged between the two states.

  2. Data Sources: It uses IntuneDeviceComplianceOrg for compliance states and IntuneAuditLogs for remediation actions. The device key on the audit side is taken from the TargetObjectId field inside Properties; confirm in your workspace that it matches DeviceId in IntuneDeviceComplianceOrg, because if the keys differ the join suppresses nothing and every flip alerts.

  3. Time Frame: The query runs every hour with a 6-hour lookback, so the earlier compliance state is still available when the later one arrives.

  4. Detection Logic:

    • It orders each device's compliance rows by time and compares every row with the previous one for the same device.
    • It keeps rows where the previous state was non-compliant, the current state is Compliant, and the two are at most 30 minutes apart.
    • It then looks for a remediation action for that device between the two states; if none is found, the flip is flagged.
  5. Severity and Tactics: The detection is rated High. It maps to Defense Evasion (T1562, Impair Defenses) and Persistence (T1556, Modify Authentication Process), because a forged compliance state lets the device keep satisfying Conditional Access device-compliance requirements.

  6. Output: The query outputs the device, user, operating system and the state transition, mapped to Host and Account entities for investigation.

Two points to check when tuning. The 30-minute window should be no shorter than the interval at which IntuneDeviceComplianceOrg rows arrive in your workspace, otherwise consecutive rows for a device will never fall inside it. Tools that set the compliant flag directly on the Entra ID device object (as AADInternals does) may not change Intune's own compliance report at all, so pair this rule with monitoring of device-update events in the Entra ID audit log rather than relying on it alone.
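To see the detection logic work without Intune data, here is an added example (not part of the original rule) that runs the same flip and remediation correlation over constructed sample rows. The column names mirror IntuneDeviceComplianceOrg and IntuneAuditLogs; the device IDs, device names, users, operation names and the Properties.TargetObjectId field are assumptions made for the demonstration, not values taken from a tenant.

```kql
// Added example, not the original rule. Constructed sample data:
//   dev-1: NonCompliant -> Compliant in 10 min, no remediation           => alert
//   dev-2: Error -> Compliant in 10 min, a Sync logged inside the window  => suppressed
//   dev-3: NonCompliant -> Compliant in 10 min, only Sync is 3 h earlier  => alert
//   dev-4: NonCompliant -> Compliant after 2 h                            => outside 30-minute window
let compliance = datatable(TimeGenerated:datetime, DeviceId:string, DeviceName:string,
                           UPN:string, OSDescription:string, ComplianceState:string)
[
    datetime(2026-04-22 10:00:00), "dev-1", "LAPTOP-01", "alice@contoso.example", "Windows 11", "NonCompliant",
    datetime(2026-04-22 10:10:00), "dev-1", "LAPTOP-01", "alice@contoso.example", "Windows 11", "Compliant",
    datetime(2026-04-22 11:00:00), "dev-2", "LAPTOP-02", "bob@contoso.example",   "Windows 11", "Error",
    datetime(2026-04-22 11:10:00), "dev-2", "LAPTOP-02", "bob@contoso.example",   "Windows 11", "Compliant",
    datetime(2026-04-22 12:00:00), "dev-3", "LAPTOP-03", "carol@contoso.example", "Windows 11", "NonCompliant",
    datetime(2026-04-22 12:10:00), "dev-3", "LAPTOP-03", "carol@contoso.example", "Windows 11", "Compliant",
    datetime(2026-04-22 09:00:00), "dev-4", "LAPTOP-04", "dave@contoso.example",  "Windows 11", "NonCompliant",
    datetime(2026-04-22 11:00:00), "dev-4", "LAPTOP-04", "dave@contoso.example",  "Windows 11", "Compliant",
];
// Constructed audit rows; the TargetObjectId field name is an assumption.
let audit = datatable(TimeGenerated:datetime, OperationName:string, Properties:dynamic)
[
    datetime(2026-04-22 11:05:00), "Sync Device", dynamic({"TargetObjectId": "dev-2"}),
    datetime(2026-04-22 09:00:00), "Sync Device", dynamic({"TargetObjectId": "dev-3"}),
];
// Same flip logic as the rule: compare each row with the previous row of the same device.
let flips =
    compliance
    | project TimeGenerated, DeviceId, DeviceName, UserPrincipalName = UPN, OSDescription, ComplianceState
    | order by DeviceId asc, TimeGenerated asc
    | extend prevState = prev(ComplianceState), prevTime = prev(TimeGenerated), prevDevice = prev(DeviceId)
    | where DeviceId == prevDevice
    | where prevState in ("NonCompliant","Error","Unknown","InGracePeriod","ConfigManager")
    | where ComplianceState == "Compliant"
    | where datetime_diff('minute', TimeGenerated, prevTime) between (0 .. 30);
let remediations =
    audit
    | where OperationName has_any ("remediate","Sync","wipe","retire")
    | project RemTime = TimeGenerated, DeviceId = tostring(Properties.TargetObjectId);
// A remediation only explains a flip when it falls between the two compliance states.
// Joining on DeviceId alone would wrongly suppress dev-3 because of its 09:00 Sync.
let remediated_flips =
    flips
    | join kind=inner remediations on DeviceId
    | where RemTime between (prevTime .. TimeGenerated)
    | project DeviceId, TimeGenerated;
flips
| join kind=leftanti remediated_flips on DeviceId, TimeGenerated
| project TimeGenerated, DeviceId, DeviceName, UserPrincipalName, prevState, ComplianceState,
          MinutesToFlip = datetime_diff('minute', TimeGenerated, prevTime)
| order by TimeGenerated asc
```

Paste this into a Log Analytics query window or the Kusto Explorer; it needs no tables in the workspace. The result should contain dev-1 and dev-3 only: dev-2 is explained by the Sync logged inside its window, and dev-4 never qualifies as a flip because it took two hours. Swapping the two-key leftanti join for the original single-key join on DeviceId makes dev-3 disappear, which is the weakness the time-bounded correlation removes.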

Details

David Alonso

Released: April 22, 2026

Tables

IntuneDeviceComplianceOrg, IntuneAuditLogs

Keywords

Intune, Device, ComplianceState, UserPrincipalName, OSDescription, TimeGenerated, OperationName, Properties, Account, Host

Operators

let, ago, isnotempty, project, tostring, column_ifexists, order by, extend, prev, where, in, datetime_diff, between, join kind=leftanti, on, has_any, parse_json