Query Details

Intune Operational Failures By Reason

Query

id: 7b8c9d10-aaaa-4001-8001-00000000000C
name: HUNT - Intune operational errors grouped by reason
description: |
  Groups IntuneOperationalLogs failures by Category, OperationName, and ResultReason to surface
  recurrent enrollment, check-in, or app-install failures. Repeated failures on a specific reason
  can indicate mis-configured policies, tenant throttling, or adversary enrollment fuzzing.
requiredDataConnectors:
  - connectorId: AzureMonitor(IntuneLogs)
    dataTypes:
      - IntuneOperationalLogs
tactics:
  - Reconnaissance
relevantTechniques:
  - T1595
query: |
  IntuneOperationalLogs
  | where TimeGenerated > ago(1d)                        // look-back window: the last 24 hours
  | where Result =~ "Failure"                            // case-insensitive match, so "failure" also qualifies
  | extend Props = parse_json(tostring(Properties))     // Properties is a JSON string; parse it once
  | extend UPN = tolower(coalesce(tostring(Props.Upn), tostring(Props.UserPrincipalName)))  // field name differs by operation; lower-case so one user is not counted twice
  | summarize Count = count(),
              UniqueUsers = dcount(UPN),                // an empty UPN (device-only operations) still counts as one distinct value
              Users = make_set(UPN, 25),                // cap the set so wide-blast failures do not bloat the row
              Sample = any(Props)                       // one arbitrary row's properties, for triage
            by Category, OperationName, ResultReason = tostring(coalesce(ResultReason, tostring(Props.ResultReason)))  // column first, JSON payload as fallback
  | order by Count desc
version: 1.0.0

Explanation

This query is designed to analyze and summarize failure events from Intune Operational Logs over the past day. Here's a simple breakdown of what it does:

  1. Data Source: It uses data from IntuneOperationalLogs, which are logs related to Microsoft Intune operations.

  2. Time Frame: It focuses on logs generated in the last 24 hours.

  3. Failure Filtering: It filters the logs to only include those where the result is a "Failure".

  4. Data Extraction: It parses the Properties JSON column once and derives the User Principal Name (UPN) from it, trying Props.Upn first and Props.UserPrincipalName as a fallback because the field name differs between operations. The UPN is lower-cased so that the same account written with different capitalization is counted once.

  5. Grouping and Summarization:

    • It groups the failure events by Category, OperationName, and the failure reason. The reason is taken from the ResultReason column when it is populated and from Properties.ResultReason otherwise.
    • For each group, it calculates:
      • The total number of failures (Count).
      • The number of distinct UPN values affected (UniqueUsers). Note that rows with no user in Properties (device-only operations such as check-ins) produce an empty UPN, which dcount() still counts as one value, so a group can show UniqueUsers = 1 without any real user.
      • A set of up to 25 distinct UPNs (Users); the cap keeps rows readable when a failure hits many accounts.
      • The parsed Properties of one arbitrary failure in the group (Sample), as a starting point for triage.
  6. Ordering: The results are ordered by the count of failures in descending order, highlighting the most frequent issues.

  7. Purpose: The query aims to identify patterns in Intune failures, which could indicate issues like misconfigured policies, tenant throttling, or potential security threats (e.g., adversary enrollment fuzzing).

Overall, this query helps in recognizing and diagnosing recurring operational errors in Intune, aiding in troubleshooting and security assessments.
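To make the query's semantics concrete without a tenant to run it against, the following is an added example (not code from the query page or from Microsoft) that re-implements the same filtering and grouping in Python over constructed IntuneOperationalLogs-shaped records. The column layout, the sample rows and the property names are assumptions taken from the query above, not a verified copy of the Intune table schema. It reproduces the behaviours the explanation calls out: the case-insensitive Result match, the Upn / UserPrincipalName fallback, the ResultReason fallback into Properties, the 24-hour window, and the fact that a row with no user still contributes an empty UPN to the distinct count.

```python
"""Offline re-implementation of the 'Intune operational errors grouped by reason'
hunting query, run over constructed IntuneOperationalLogs-shaped records.

Added example: not the query page's own code. Column names and sample rows are
assumptions modelled on the KQL above, not real tenant data.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Fixed "now" so the window check is deterministic.
NOW = datetime(2026, 4, 22, 12, 0, tzinfo=timezone.utc)

# Constructed sample rows (NOT real data). Properties is the JSON string column
# that the query parses with parse_json().
SAMPLE_ROWS = [
    {"TimeGenerated": NOW - timedelta(hours=1), "Result": "Failure",
     "Category": "Enrollment", "OperationName": "Enrollment",
     "ResultReason": "DeviceCapReached",
     "Properties": json.dumps({"Upn": "Alice@Contoso.com", "DeviceType": "iOS"})},
    {"TimeGenerated": NOW - timedelta(hours=2), "Result": "failure",      # lower case: =~ still matches
     "Category": "Enrollment", "OperationName": "Enrollment",
     "ResultReason": "",                                                  # empty column -> use Properties
     "Properties": json.dumps({"UserPrincipalName": "bob@contoso.com",
                               "ResultReason": "DeviceCapReached"})},
    {"TimeGenerated": NOW - timedelta(hours=3), "Result": "Failure",
     "Category": "Enrollment", "OperationName": "Enrollment",
     "ResultReason": "DeviceCapReached",
     "Properties": json.dumps({"Upn": "alice@contoso.com"})},            # same user, different case
    {"TimeGenerated": NOW - timedelta(hours=4), "Result": "Failure",
     "Category": "Compliance", "OperationName": "DeviceCheckIn",
     "ResultReason": "Throttled",
     "Properties": json.dumps({"DeviceId": "d-1"})},                     # device-only: no user at all
    {"TimeGenerated": NOW - timedelta(hours=5), "Result": "Success",      # not a failure
     "Category": "Enrollment", "OperationName": "Enrollment",
     "ResultReason": "", "Properties": json.dumps({"Upn": "carol@contoso.com"})},
    {"TimeGenerated": NOW - timedelta(days=2), "Result": "Failure",       # outside ago(1d)
     "Category": "Enrollment", "OperationName": "Enrollment",
     "ResultReason": "DeviceCapReached",
     "Properties": json.dumps({"Upn": "dave@contoso.com"})},
]


def _tostring(value):
    """KQL tostring(): null becomes the empty string, anything else its text form."""
    return "" if value is None else str(value)


def _coalesce(*values):
    """KQL coalesce(): the first argument that is neither null nor an empty string."""
    for v in values:
        if v is not None and v != "":
            return v
    return values[-1]


def failures_by_reason(rows, now=NOW, window=timedelta(days=1), set_cap=25):
    """Mirror of the hunting query; returns one dict per group, ordered by Count desc."""
    groups = defaultdict(lambda: {"Count": 0, "UPNs": set(), "Sample": None})
    for row in rows:
        if row["TimeGenerated"] <= now - window:        # where TimeGenerated > ago(1d)
            continue
        if row["Result"].lower() != "failure":          # where Result =~ "Failure"
            continue
        props = json.loads(row["Properties"] or "{}")   # parse_json(tostring(Properties))
        upn = _tostring(_coalesce(_tostring(props.get("Upn")),
                                  _tostring(props.get("UserPrincipalName")))).lower()
        reason = _tostring(_coalesce(row.get("ResultReason"),
                                     _tostring(props.get("ResultReason"))))
        g = groups[(row["Category"], row["OperationName"], reason)]
        g["Count"] += 1
        g["UPNs"].add(upn)                              # dcount()/make_set(): "" is a real value
        if g["Sample"] is None:                         # any(Props): one arbitrary row
            g["Sample"] = props
    result = []
    for (category, operation, reason), g in groups.items():
        result.append({
            "Category": category, "OperationName": operation, "ResultReason": reason,
            "Count": g["Count"],
            "UniqueUsers": len(g["UPNs"]),
            # make_set(UPN, 25): KQL order is arbitrary; sorted here for reproducibility.
            "Users": sorted(g["UPNs"])[:set_cap],
            "Sample": g["Sample"],
        })
    result.sort(key=lambda r: r["Count"], reverse=True)
    return result


if __name__ == "__main__":
    for r in failures_by_reason(SAMPLE_ROWS):
        print(r["Category"], r["OperationName"], r["ResultReason"],
              r["Count"], r["UniqueUsers"], r["Users"])
```

Running it yields two groups: Enrollment/DeviceCapReached with three failures across two distinct users (the two spellings of Alice collapse to one, and Bob's row is counted under DeviceCapReached even though its ResultReason column was empty), and Compliance/DeviceCheckIn/Throttled with one failure whose only "user" is the empty string. If that empty value is unwanted in UniqueUsers, add `| where isnotempty(UPN)` to the KQL before the summarize, or a separate aggregation such as `dcountif(UPN, isnotempty(UPN))`.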

Details


David Alonso

Released: April 22, 2026

Tables

IntuneOperationalLogs

Keywords

IntuneOperationalLogs, Category, OperationName, ResultReason, Properties, Upn, UserPrincipalName, Users, Sample, Count, UniqueUsers

Operators

IntuneOperationalLogs, where, >, ago, =~, extend, parse_json, tostring, tolower, coalesce, summarize, count, dcount, make_set, any, by, order by, desc
