Query Details

Intune - MDM enrollment or check-in failure spike per user

Intune Operational Failure Spike

Query

let threshold = 15;
IntuneOperationalLogs
| where TimeGenerated > ago(30m)
| where Result =~ "Failure" or tostring(OperationName) has_any ("Enrollment","CheckIn","Sync")
| extend Props = parse_json(tostring(Properties))
| extend UPN = tolower(coalesce(tostring(Props.Upn), tostring(Props.UserPrincipalName), tostring(column_ifexists("Identity", ""))))
| extend Reason = tostring(coalesce(tostring(column_ifexists("ResultReason", "")), tostring(Props.ResultReason)))
| where isnotempty(UPN)
| summarize Failures = count(),
            Operations = make_set(OperationName, 20),
            Reasons    = make_set(Reason, 20),
            FirstSeen  = min(TimeGenerated),
            LastSeen   = max(TimeGenerated)
          by UPN
| where Failures >= threshold
| extend AccountCustomEntity = UPN

Explanation

This query is designed to detect unusual spikes in failures related to Intune enrollment or check-in for individual users. Here's a simplified breakdown:

  • Purpose: It identifies when a single user experiences an abnormal increase in failures during Intune enrollment or check-in processes. This could suggest potential security issues like unauthorized enrollment attempts or testing for weak configurations.

  • Severity: The alert is considered medium severity.

  • Data Source: It uses data from IntuneOperationalLogs, which are part of Azure Monitor's Intune logs.

  • Frequency and Duration: The query runs every 30 minutes and looks at data from the past 6 hours.

  • Trigger Condition: The alert triggers if there are more than 15 failures for a user within the specified time frame.

  • Analysis: The query checks for failure results in operations related to "Enrollment," "CheckIn," or "Sync." It collects details like the number of failures, types of operations, reasons for failures, and the time range of these events.

  • Output: If the number of failures exceeds the threshold, it flags the user (identified by their User Principal Name) as a potential issue.

  • Security Context: The query is associated with tactics like Initial Access and Reconnaissance and techniques such as T1078 (Valid Accounts) and T1595 (Active Scanning).

  • Entity Mapping: It maps the detected user to an account entity for further investigation.

Overall, this query helps in identifying potential security threats by monitoring for unusual patterns in Intune-related failures for individual users.

Details

David Alonso profile picture

David Alonso

Released: April 22, 2026

Tables

IntuneOperationalLogs

Keywords

IntuneUserDevicesEnrollmentCheckInMDMPolicyAzureADAccount

Operators

let>ago=~orhas_anyextendparse_jsontolowercoalescetostringcolumn_ifexistsisnotemptysummarizecountmake_setminmaxby>=

Severity

Medium

Tactics

InitialAccessReconnaissance

MITRE Techniques

Frequency: 30m

Period: 6h

Actions

GitHub