Query Details

Intune - Device marked compliant shortly after non-compliant state

Intune Compliance Bypass

Query

let lookback = 6h;
let flips =
    IntuneDeviceComplianceOrg
    | where TimeGenerated > ago(lookback)
    | where isnotempty(ComplianceState)
    | project TimeGenerated, DeviceId=tostring(DeviceId), DeviceName=tostring(DeviceName),
              UserPrincipalName=tostring(column_ifexists("UPN", column_ifexists("UserPrincipalName", ""))),
              OSDescription=tostring(OSDescription),
              ComplianceState=tostring(ComplianceState)
    | order by DeviceId, TimeGenerated asc
    | extend prevState = prev(ComplianceState), prevTime = prev(TimeGenerated), prevDevice = prev(DeviceId)
    | where DeviceId == prevDevice
    | where prevState in ("NonCompliant","Error","Unknown","InGracePeriod","ConfigManager")
    | where ComplianceState == "Compliant"
    | where datetime_diff('minute', TimeGenerated, prevTime) between (0 .. 30)
    | project TimeGenerated, DeviceId, DeviceName, UserPrincipalName, OSDescription, prevState, ComplianceState;
let remediations =
    IntuneAuditLogs
    | where TimeGenerated > ago(lookback)
    | where OperationName has_any ("remediate","Sync","wipe","retire")
    | project RemTime=TimeGenerated, DeviceId=tostring(parse_json(tostring(Properties)).TargetObjectId);
flips
| join kind=leftanti remediations on DeviceId
| extend AccountCustomEntity = UserPrincipalName, HostCustomEntity = DeviceName

Explanation

This query is designed to detect suspicious behavior in devices managed by Microsoft Intune. It specifically looks for devices that quickly change from a non-compliant state to a compliant state without any recorded remediation actions, which might indicate attempts to bypass compliance checks. Here's a simplified breakdown:

  1. Purpose: The query identifies devices that transition from a non-compliant state (or error/unknown) to a compliant state within 30 minutes, without any corresponding remediation actions like syncing or wiping.

  2. Data Sources: It uses data from Intune logs, specifically IntuneDeviceComplianceOrg for compliance states and IntuneAuditLogs for remediation actions.

  3. Time Frame: The query checks for these transitions within the last 6 hours and runs every hour.

  4. Detection Logic:

    • It first identifies devices that changed from non-compliant to compliant within 30 minutes.
    • It then checks if there are any remediation actions recorded for these devices.
    • If no remediation actions are found, it flags these devices as potentially suspicious.
  5. Severity and Tactics: The severity of this detection is marked as high, and it relates to tactics like Defense Evasion and Persistence, which are techniques used to avoid detection and maintain access.

  6. Output: The query outputs details about the device and user, which can be used for further investigation.

This query helps in identifying potential compliance-bypass techniques, which could be a security risk if left unchecked.

Details

David Alonso profile picture

David Alonso

Released: April 22, 2026

Tables

IntuneDeviceComplianceOrgIntuneAuditLogs

Keywords

IntuneDeviceComplianceStateUserPrincipalNameOSDescriptionTimeGeneratedOperationPropertiesAccountHost

Operators

letagoisnotemptyprojecttostringcolumn_ifexistsorder byextendprevwhereindatetime_diffbetweenjoin kind=leftantionhas_anyparse_json

Severity

High

Tactics

DefenseEvasionPersistence

MITRE Techniques

Frequency: 1h

Period: 6h

Actions

GitHub