Query Details

Intune Operational Failure Spike

Query

id: 5a6f1c3e-2a1b-4c9e-9f01-11a2b3c4d514
name: Intune - MDM enrollment or check-in failure spike per user
description: |
  Detects an abnormal number of Intune enrollment, check-in or sync failures (15 or more within
  the lookback window) for a single user principal in IntuneOperationalLogs. Can indicate
  enrollment-spray attacks, scripted device registration (ROADtools / AADInternals
  `Join-AADIntDeviceToAzureAD`), or MDM policy probing to discover weak configurations.
severity: Medium
requiredDataConnectors:
  - connectorId: AzureMonitor(IntuneLogs)
    dataTypes:
      - IntuneOperationalLogs
queryFrequency: 30m
queryPeriod: 6h
triggerOperator: gt
triggerThreshold: 0
status: Available
tactics:
  - InitialAccess
  - Reconnaissance
relevantTechniques:
  - T1078
  - T1595
query: |
  let threshold = 15;   // failures per UPN inside the lookback window that raise an alert
  let lookback  = 6h;   // keep in step with queryPeriod above
  IntuneOperationalLogs
  | where TimeGenerated > ago(lookback)
  // Count only failed enrollment / check-in / sync operations; joining the two conditions with
  // "or" would also count every successful check-in as a failure
  | where Result =~ "Failure" and tostring(OperationName) has_any ("Enrollment", "CheckIn", "Sync")
  | extend Props = parse_json(tostring(Properties))
  // User identity lives in the Properties payload; fall back to the Identity column when present.
  // Lower-case it so that case differences do not split one user into several buckets.
  | extend UPN = tolower(coalesce(tostring(Props.Upn), tostring(Props.UserPrincipalName), tostring(column_ifexists("Identity", ""))))
  | extend Reason = coalesce(tostring(column_ifexists("ResultReason", "")), tostring(Props.ResultReason))
  | where isnotempty(UPN)
  | summarize Failures   = count(),
              Operations = make_set(OperationName, 20),
              Reasons    = make_set(Reason, 20),
              FirstSeen  = min(TimeGenerated),
              LastSeen   = max(TimeGenerated)
            by UPN
  | where Failures >= threshold
  | extend AccountCustomEntity = UPN
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: AccountCustomEntity
version: 1.0.0
kind: Scheduled

Explanation

This query detects an abnormal number of failed Intune enrollment or check-in operations for individual users. Here's a breakdown:

  • Purpose: It flags a single user principal that accumulates an unusual number of Intune enrollment, check-in or sync failures. That pattern can indicate unauthorized or scripted device registration, enrollment spraying, or probing of MDM policy for weak settings.

  • Severity: The alert is rated medium severity.

  • Data Source: It uses IntuneOperationalLogs, which reach the workspace when Intune diagnostic settings are configured to send operational logs to Log Analytics.

  • Frequency and Duration: The query runs every 30 minutes over data from the past 6 hours (the queryPeriod). The ago(...) window inside the KQL should match that period; a shorter window silently ignores part of the data the rule has available.

  • Trigger Condition: The query keeps users with 15 or more failures in the window (Failures >= threshold); the rule fires when the query returns at least one row (triggerOperator gt, triggerThreshold 0). Because the 6-hour window is longer than the 30-minute run interval, the same user can be returned by several consecutive runs; use the rule's suppression setting or alert grouping to avoid duplicate incidents.

  • Analysis: Only rows whose Result is "Failure" and whose OperationName contains "Enrollment", "CheckIn" or "Sync" are counted; both conditions must hold, otherwise every successful check-in is counted as a failure. The user is taken from the Upn or UserPrincipalName field of the Properties JSON, falling back to the Identity column, and lower-cased so one user is not split across several buckets. Per user it collects the number of failures, the set of operations, the set of failure reasons, and the first and last timestamp.

  • Output: Users meeting the threshold are returned, keyed by their User Principal Name, together with the counts and reasons needed for triage.

  • Security Context: The query is associated with the tactics Initial Access and Reconnaissance and the techniques T1078 (Valid Accounts) and T1595 (Active Scanning).

  • Entity Mapping: It maps the UPN to an Account entity (FullName), so the alert is linked to the user in the incident and on the entity page.

Overall, this query surfaces unusual bursts of Intune failures per user. Benign causes produce the same shape, for example a Device Enrollment Manager account enrolling a batch of devices, a bulk rollout hitting an enrollment restriction, or an expired Apple MDM push certificate breaking check-in for many devices, so review the Reasons column before escalating and consider excluding known DEM or bulk-enrollment accounts.
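The filter and aggregation described above, re-implemented in Python and run over constructed sample rows, as an added example that is not part of the original rule. It assumes the row shape the query relies on (TimeGenerated, OperationName, Result, Identity, and a Properties JSON string carrying Upn and ResultReason); the sample users, timestamps and reason strings are invented. The `require_failure` switch shows why the two filter conditions must be joined with `and`: with `or`, a user whose check-ins all succeed is reported as a failure spike.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

THRESHOLD = 15                      # same as `let threshold = 15;` in the rule
LOOKBACK = timedelta(hours=6)       # same as queryPeriod: 6h
OPERATION_TERMS = ("Enrollment", "CheckIn", "Sync")

# Constructed sample data: these rows imitate the shape of IntuneOperationalLogs as returned by a
# Log Analytics query (TimeGenerated, OperationName, Result, Identity, Properties JSON). They are
# not a real export. NOW is the fixed "current time" the lookback is measured from.
NOW = datetime(2026, 4, 22, 12, 0, tzinfo=timezone.utc)


def _row(minutes_ago, op, result, upn=None, identity="", reason=""):
    props = {"ResultReason": reason}
    if upn:
        props["Upn"] = upn
    return {
        "TimeGenerated": NOW - timedelta(minutes=minutes_ago),
        "OperationName": op,
        "Result": result,
        "Identity": identity,
        "Properties": json.dumps(props),
    }


SAMPLE_ROWS = (
    # alice: 16 enrollment failures in the last hour -> at the threshold, should alert
    [_row(3 * i, "Enrollment", "Failure", upn="Alice@Contoso.com", reason="DeviceCapReached") for i in range(16)]
    # bob: 20 successful check-ins -> normal traffic, must not alert
    + [_row(5 * i, "CheckIn", "Success", upn="bob@contoso.com") for i in range(20)]
    # carol: 5 sync failures -> below the threshold
    + [_row(10 * i, "Sync", "Failure", upn="carol@contoso.com", reason="Timeout") for i in range(5)]
    # dave: 16 failures, all older than the 6h lookback -> ignored
    + [_row(480 + i, "Enrollment", "Failure", upn="dave@contoso.com", reason="Conflict") for i in range(16)]
    # erin: no Upn in Properties, the user is only present in the Identity column
    + [_row(2, "Enrollment", "Failure", identity="erin@contoso.com", reason="NotAuthorized")]
)


def _has_any(text, terms):
    """Approximates KQL has_any: case-insensitive match on whole terms, not substrings."""
    tokens = {t.lower() for t in re.split(r"[^A-Za-z0-9]+", text) if t}
    return any(term.lower() in tokens for term in terms)


def _upn(row, props):
    """Mirror the coalesce(): Props.Upn, then Props.UserPrincipalName, then the Identity column."""
    for candidate in (props.get("Upn"), props.get("UserPrincipalName"), row.get("Identity")):
        if candidate:
            return str(candidate).lower()
    return ""


def is_candidate(row, require_failure=True):
    """Row filter. require_failure=True is the intended `and`; False reproduces an `or` filter,
    which also admits successful check-ins."""
    failed = str(row.get("Result", "")).lower() == "failure"
    op_match = _has_any(str(row.get("OperationName", "")), OPERATION_TERMS)
    return (failed and op_match) if require_failure else (failed or op_match)


def failure_spikes(rows, now=NOW, threshold=THRESHOLD, lookback=LOOKBACK, require_failure=True):
    """Return {upn: summary} for users with >= threshold matching rows inside the lookback window."""
    buckets = defaultdict(lambda: {"Failures": 0, "Operations": set(), "Reasons": set(),
                                   "FirstSeen": None, "LastSeen": None})
    for row in rows:
        ts = row["TimeGenerated"]
        if ts <= now - lookback:                       # TimeGenerated > ago(lookback)
            continue
        if not is_candidate(row, require_failure):
            continue
        props = json.loads(row.get("Properties") or "{}")
        upn = _upn(row, props)
        if not upn:                                    # isnotempty(UPN)
            continue
        reason = row.get("ResultReason") or props.get("ResultReason") or ""
        b = buckets[upn]
        b["Failures"] += 1
        b["Operations"].add(row["OperationName"])
        b["Reasons"].add(reason)
        b["FirstSeen"] = ts if b["FirstSeen"] is None else min(b["FirstSeen"], ts)
        b["LastSeen"] = ts if b["LastSeen"] is None else max(b["LastSeen"], ts)
    return {upn: b for upn, b in buckets.items() if b["Failures"] >= threshold}


if __name__ == "__main__":
    for upn, summary in failure_spikes(SAMPLE_ROWS).items():
        print(upn, summary["Failures"], sorted(summary["Operations"]), sorted(summary["Reasons"]))
    print("with an or-filter:", sorted(failure_spikes(SAMPLE_ROWS, require_failure=False)))
```

Run as-is it reports only alice; switching to the `or` filter adds bob, whose 20 rows are all successful check-ins. `_has_any` also illustrates a KQL detail worth remembering when tuning the operation list: `has_any` matches whole terms, so an operation name written as a single token such as "DeviceCheckIn" would not match "CheckIn".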

Details

David Alonso

Released: April 22, 2026

Tables

IntuneOperationalLogs

Keywords

Intune, User, Devices, Enrollment, CheckIn, MDM, Policy, AzureAD, Account

Operators

let, >, ago, =~, or, has_any, extend, parse_json, tolower, coalesce, tostring, column_ifexists, isnotempty, summarize, count, make_set, min, max, by, >=