Query Details

Intune Jailbroken Rooted Device

Query

id: 5a6f1c3e-2a1b-4c9e-9f01-11a2b3c4d513
name: Intune - Jailbroken or rooted device accessing corporate resources
description: |
  Identifies devices reported by Intune as jailbroken (iOS) or rooted (Android) — either directly
  via the JailBroken field or via compliance states indicating such. These devices have had their
  security model broken and should not be allowed to hold corporate tokens.
severity: High
requiredDataConnectors:
  - connectorId: AzureMonitor(IntuneLogs)
    dataTypes:
      - IntuneDevices
      - IntuneDeviceComplianceOrg
queryFrequency: 1h
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
status: Available
tactics:
  - InitialAccess
  - DefenseEvasion
relevantTechniques:
  - T1078
  - T1562
query: |
  // Mobile-only: jailbreak/root signals are meaningful only on iOS/iPadOS/Android.
  // Windows/macOS/Linux endpoints can report Jail="Unknown" and would otherwise
  // generate false positives, so they are filtered out in both branches with an
  // explicit allow-list AND an explicit deny-list (belt-and-suspenders).
  let MobileOS = dynamic(["iOS","iPadOS","Android"]);
  let DesktopOS = dynamic(["Windows","macOS","Mac OS","Linux"]);
  let risky =
      IntuneDevices
      | where TimeGenerated > ago(1d)
      | extend Jail = tostring(column_ifexists("JailBroken", ""))
      | where Jail =~ "True" or Jail =~ "Yes" or Jail =~ "Unknown"
      | extend OS = tostring(OS)
      | where OS has_any (MobileOS) and not(OS has_any (DesktopOS))
      // Keep the noisy "Unknown" status only when OS is exactly a mobile OS name.
      // in~ is an exact, case-insensitive match; has_any above is a term match and
      // also accepts strings such as "iOS 17.4", which are dropped here for "Unknown".
      | where Jail !~ "Unknown" or OS in~ ("iOS","iPadOS","Android")
      // Filtering happens before arg_max: a device is flagged if any record in the
      // window matched, even if its newest record no longer reports jailbreak.
      | summarize arg_max(TimeGenerated, *) by DeviceId = tostring(DeviceId)
      | project TimeGenerated, DeviceId, DeviceName = tostring(DeviceName),
                UPN = tolower(tostring(UPN)), OS,
                OSVersion = tostring(OSVersion), Jail;
  let compRisky =
      IntuneDeviceComplianceOrg
      | where TimeGenerated > ago(1d)
      | where ComplianceState in~ ("Jailbroken","Rooted")
      | extend OS = tostring(OSDescription)
      | where OS has_any (MobileOS) and not(OS has_any (DesktopOS))
      | summarize arg_max(TimeGenerated, *) by DeviceId = tostring(DeviceId)
      | project TimeGenerated, DeviceId, DeviceName = tostring(DeviceName),
                UPN = tolower(tostring(column_ifexists("UPN", column_ifexists("UserPrincipalName", "")))),
                OS, OSVersion = "",
                Jail = tostring(ComplianceState);
  union isfuzzy=true risky, compRisky
  | where OS has_any (MobileOS) and not(OS has_any (DesktopOS))
  // One row per device across both sources; the newest record wins. TimeGenerated
  // is carried through both branches so the tie-break is by time, not by name.
  | summarize arg_max(TimeGenerated, *) by DeviceId
  | extend AccountCustomEntity = UPN, HostCustomEntity = DeviceName
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: AccountCustomEntity
  - entityType: Host
    fieldMappings:
      - identifier: HostName
        columnName: HostCustomEntity
version: 1.0.2
kind: Scheduled

Explanation

This query is designed to identify mobile devices that are jailbroken (iOS) or rooted (Android) and are accessing corporate resources. Here's a simple breakdown of what the query does:

  1. Purpose: The query aims to detect devices whose security model has been broken (jailbroken or rooted) and which should therefore not be allowed to hold corporate tokens.

  2. Severity: The issue is considered high severity, indicating a significant security risk.

  3. Data Sources: It uses data from Intune logs, specifically focusing on device information and compliance status.

  4. Frequency and Duration: The query runs every hour and looks at data from the past day.

  5. Logic:

    • It first defines which operating systems are considered mobile (iOS, iPadOS, Android) and which are desktop (Windows, macOS, Linux).
    • It checks two data sets:
      • IntuneDevices: Looks for devices whose JailBroken field is True or Yes, and also accepts Unknown, but only when the OS string is exactly iOS, iPadOS or Android (desktop endpoints commonly report Unknown and would otherwise be false positives).
      • IntuneDeviceComplianceOrg: Looks for devices whose ComplianceState is Jailbroken or Rooted.
    • It filters out non-mobile devices to avoid false positives.
    • It reduces each data set to the newest matching record per device, combines both sets, and keeps one row per device (the newest record wins). Because filtering happens before the per-device reduction, a device is flagged if any record in the one-day window matched, even if its most recent record no longer reports a jailbreak.
    • It ensures that only confirmed mobile devices with a jailbroken or rooted status are flagged.
  6. Output: The query outputs a list of devices with details like device ID, name, user principal name (UPN), operating system, and jailbroken/rooted status.

  7. Entity Mappings: It maps the results to account and host entities for further analysis.

  8. Version and Status: The query is version 1.0.2 and is available as a scheduled analytics rule.

Overall, this query helps organizations monitor and manage security risks associated with compromised mobile devices accessing corporate resources.
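To check that the filtering behaves as described before deploying the rule, the same logic can be exercised offline. The block below is an added example, not part of the query page: it re-implements the rule's filter semantics in Python (not KQL) and runs them over constructed sample rows that stand in for IntuneDevices and IntuneDeviceComplianceOrg. The has_any approximation (case-insensitive whole-term match), the timestamps and all device, user and ID values are assumptions made for the example.

```python
"""Offline re-implementation of the rule's filter logic (Python, not KQL).

The sample rows are constructed for this example; they are not real Intune data.
"""
import re
from datetime import datetime, timezone

MOBILE_OS = ["iOS", "iPadOS", "Android"]
DESKTOP_OS = ["Windows", "macOS", "Mac OS", "Linux"]


def has_any(text, terms):
    """Approximates KQL has_any: case-insensitive match on whole terms/phrases."""
    for term in terms:
        pattern = r"(?<![A-Za-z0-9])" + re.escape(term) + r"(?![A-Za-z0-9])"
        if re.search(pattern, text, re.IGNORECASE):
            return True
    return False


def is_mobile(os_name):
    """Allow-list AND deny-list, as in both branches of the query."""
    return has_any(os_name, MOBILE_OS) and not has_any(os_name, DESKTOP_OS)


def device_branch_match(row):
    """Mirrors the IntuneDevices branch (JailBroken field)."""
    jail = str(row.get("JailBroken", "")).lower()
    if jail not in ("true", "yes", "unknown") or not is_mobile(row["OS"]):
        return False
    # "Unknown" is kept only when OS is exactly a mobile OS name (KQL in~).
    exact_mobile = row["OS"].lower() in [m.lower() for m in MOBILE_OS]
    return jail != "unknown" or exact_mobile


def compliance_branch_match(row):
    """Mirrors the IntuneDeviceComplianceOrg branch (ComplianceState)."""
    state = str(row.get("ComplianceState", "")).lower()
    return state in ("jailbroken", "rooted") and is_mobile(row["OSDescription"])


def latest_per_device(rows):
    """summarize arg_max(TimeGenerated, *) by DeviceId."""
    latest = {}
    for r in rows:
        d = r["DeviceId"]
        if d not in latest or r["TimeGenerated"] > latest[d]["TimeGenerated"]:
            latest[d] = r
    return latest


def find_risky_devices(intune_devices, compliance_rows):
    """Returns {DeviceId: row} for devices the rule would flag.

    Rows are filtered BEFORE the per-device reduction, as in the KQL, so a device
    whose newest record says JailBroken=False is still flagged if an older record
    in the window matched.
    """
    candidates = []
    for r in latest_per_device([r for r in intune_devices if device_branch_match(r)]).values():
        candidates.append({"DeviceId": r["DeviceId"], "DeviceName": r["DeviceName"],
                           "UPN": r["UPN"].lower(), "OS": r["OS"], "Jail": r["JailBroken"],
                           "TimeGenerated": r["TimeGenerated"]})
    for r in latest_per_device([r for r in compliance_rows if compliance_branch_match(r)]).values():
        candidates.append({"DeviceId": r["DeviceId"], "DeviceName": r["DeviceName"],
                           "UPN": r.get("UPN", "").lower(), "OS": r["OSDescription"],
                           "Jail": r["ComplianceState"], "TimeGenerated": r["TimeGenerated"]})
    # union of both branches, then one row per device (newest record wins)
    return latest_per_device(candidates)


def _t(hour):  # constructed timestamps inside the 1d window
    return datetime(2026, 4, 27, hour, 0, tzinfo=timezone.utc)


def _dev(hour, dev_id, name, upn, os_name, jail):
    return {"TimeGenerated": _t(hour), "DeviceId": dev_id, "DeviceName": name,
            "UPN": upn, "OS": os_name, "JailBroken": jail}


def _comp(hour, dev_id, name, upn, os_desc, state):
    return {"TimeGenerated": _t(hour), "DeviceId": dev_id, "DeviceName": name,
            "UPN": upn, "OSDescription": os_desc, "ComplianceState": state}


SAMPLE_DEVICES = [  # constructed
    _dev(9, "d1", "iPhone-Alice", "Alice@contoso.com", "iOS", "True"),       # flagged
    _dev(9, "d2", "Pixel-Bob", "bob@contoso.com", "Android", "True"),        # flagged
    _dev(9, "d3", "Surface-Carol", "carol@contoso.com", "Windows", "Unknown"),  # desktop: dropped
    _dev(9, "d4", "iPad-Dan", "dan@contoso.com", "iPadOS", "Unknown"),       # exact mobile OS: kept
    _dev(9, "d5", "iPhone-Eve", "eve@contoso.com", "iOS 17.4", "Unknown"),   # not exact: dropped
    _dev(8, "d6", "Galaxy-Fay", "fay@contoso.com", "Android", "True"),       # older match...
    _dev(10, "d6", "Galaxy-Fay", "fay@contoso.com", "Android", "False"),     # ...newer non-match
    _dev(9, "d7", "MacBook-Gus", "gus@contoso.com", "macOS", "True"),        # desktop: dropped
]
SAMPLE_COMPLIANCE = [  # constructed
    _comp(11, "d2", "Pixel-Bob", "bob@contoso.com", "Android", "Jailbroken"),  # merges with d2
    _comp(9, "d8", "OnePlus-Hal", "hal@contoso.com", "Android", "Rooted"),     # flagged
    _comp(9, "d9", "Desktop-Ivy", "ivy@contoso.com", "Windows", "Jailbroken"),  # desktop: dropped
]

if __name__ == "__main__":
    for dev_id, row in sorted(find_risky_devices(SAMPLE_DEVICES, SAMPLE_COMPLIANCE).items()):
        print(dev_id, row["DeviceName"], row["OS"], row["Jail"], row["UPN"])
```

Running it flags d1, d2, d4, d6 and d8: d6 shows that an older matching record is enough to fire even though its newest record reports JailBroken=False, and d2 shows that when both sources match the same device, the newest record (here the compliance row) supplies the Jail value. If that "any match in the window" behaviour is not what you want, move the arg_max ahead of the JailBroken filter in the KQL so only the device's current state counts.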

Details


David Alonso

Released: April 28, 2026

Tables

IntuneDevices, IntuneDeviceComplianceOrg

Keywords

Devices, Intune, User, Compliance, Jailbroken, Rooted, Android, iOS, iPadOS, Windows, macOS, Linux

Operators

let, dynamic, ago, tostring, column_ifexists, =~, has_any, not, in~, summarize, arg_max, project, tolower, union, isfuzzy, extend, where
