Query Details

Intune Policy App Protection Tampering

Query

id: 5a6f1c3e-2a1b-4c9e-9f01-11a2b3c4d512
name: Intune - App Protection / Configuration Policy tampered
description: |
  Detects creation, deletion, or modification of Intune App Protection (MAM), Configuration,
  or Compliance policies. Attackers with Intune Administrator rights modify policies to weaken
  Conditional Access postures, relax jailbreak/rooted restrictions, or remove data-loss-prevention
  requirements before exfiltrating data from managed apps.
severity: Medium
requiredDataConnectors:
  - connectorId: AzureMonitor(IntuneLogs)
    dataTypes:
      - IntuneAuditLogs
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
status: Available
tactics:
  - DefenseEvasion
  - Impact
relevantTechniques:
  - T1562
  - T1484
query: |
  IntuneAuditLogs
  // Restrict to the scheduling window (matches queryPeriod)
  | where TimeGenerated > ago(1h)
  // Policy-bearing audit categories; in~ is case-insensitive
  | where Category in~ ("Compliance","DeviceConfiguration","ApplicationManagement","Enrollment")
  // The operation must reference a policy/configuration/protection object ...
  | where OperationName has_any ("Policy","Configuration","Protection","ManagedAppPolicy","assignment","Assign")
  // ... and be a write (create/update/delete/assign), not a read
  | where OperationName has_any ("create","update","delete","patch","assign","remove")
  // Properties is a JSON string; surface who changed what on which object
  | extend Props = parse_json(tostring(Properties))
  | extend Actor       = tostring(Identity)
  | extend TargetName  = tostring(Props.TargetDisplayName)
  | extend PolicyType  = tostring(Props.TargetObjectType)
  | extend Modified    = tostring(Props.ModifiedProperties)
  // Drop rows with no attributable actor
  | where isnotempty(Actor)
  | project TimeGenerated, Actor, OperationName, Category, PolicyType, TargetName, Modified
  | extend AccountCustomEntity = Actor
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: AccountCustomEntity
version: 1.0.0
kind: Scheduled

Explanation

This query monitors Intune audit logs for the creation, deletion, or modification of App Protection (MAM), Configuration, or Compliance policies. Any such change is worth reviewing because an account holding Intune Administrator rights can use it to weaken the tenant's security posture: relaxing restrictions on jailbroken or rooted devices, removing data-loss-prevention requirements from managed apps, or loosening the compliance rules that Conditional Access relies on, typically as a precursor to exfiltrating data from managed apps.

Here's a breakdown of the key components:

  • Purpose: To detect unauthorized or suspicious changes to Intune policies that could compromise security.
  • Severity: The alert is classified as "Medium" severity.
  • Data Source: It uses data from Intune Audit Logs via the Azure Monitor connector.
  • Frequency: The query runs every hour and checks for changes within the past hour.
  • Trigger: An alert is raised whenever the query returns at least one row (threshold greater than zero), so every matching policy change produces an incident.
  • Tactics and Techniques: It maps to the Defense Evasion and Impact tactics, and to T1562 (Impair Defenses) and T1484 (Domain or Tenant Policy Modification).
  • Query Logic:
    • It filters logs from the past hour related to compliance, device configuration, application management, and enrollment.
    • It looks for operations involving policies, configurations, or protections that have been created, updated, deleted, patched, assigned, or removed.
    • It extracts relevant details such as the actor (who made the change), the type of policy, and what was modified.
  • Output: The query projects details like the time of the change, the actor, the operation name, category, policy type, target name, and what was modified.
  • Entity Mapping: It maps the actor to an account entity for further investigation.

Overall, this query helps in identifying potential security risks by monitoring changes to critical Intune policies. Two points matter when deploying it. First, it fires on every legitimate policy change as well, so triage should baseline results against change tickets, known administrator accounts, and any service principals that manage policy through Graph; the Identity column may carry an application name rather than a user principal name for those. Second, KQL has_any matches whole terms rather than substrings, so the OperationName filters only match when the verb ("create", "patch") and the object ("Policy", "Configuration") appear as separate tokens in your tenant's OperationName values; confirm this, and confirm that Properties carries the TargetDisplayName, TargetObjectType, and ModifiedProperties fields the query extracts, against live IntuneAuditLogs rows before relying on the rule, and switch to contains-based matching if the tokens are concatenated.
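To see which events the rule's filter chain passes and which it drops, the following Python replays the query's where, extend and project steps over a handful of constructed IntuneAuditLogs-style records, and goes one step beyond the page by attaching a triage priority that escalates deletions and changes to device-integrity or DLP settings. This is an added example, not the page's KQL or any Microsoft code: the event records are hand-built, the Properties field names (TargetDisplayName, TargetObjectType, ModifiedProperties) are assumed to match what the query extracts, the substring matching is a looser stand-in for KQL's term-based has_any, and the priority heuristic and its setting names are the author's own assumption.

```python
"""Offline replay of the Intune policy-tampering rule over constructed sample events.

Added example, not the page's KQL or Microsoft code. Property field names and
the triage heuristic are assumptions; validate both against real
IntuneAuditLogs rows in your tenant.
"""
import json
from datetime import datetime, timedelta, timezone

CATEGORIES = {"compliance", "deviceconfiguration", "applicationmanagement", "enrollment"}
OBJECT_TERMS = ("policy", "configuration", "protection", "managedapppolicy", "assignment", "assign")
ACTION_TERMS = ("create", "update", "delete", "patch", "assign", "remove")
# Assumed setting-name fragments whose relaxation enables the exfiltration path
# the rule description calls out (device integrity and MAM data-transfer controls).
HIGH_RISK_SETTINGS = ("jailbroken", "jailbreak", "rooted", "allowedoutboundclipboard",
                      "allowedoutbounddatatransfer", "saveas", "pinrequired", "encryption")


def has_any_ci(text, terms):
    """Case-insensitive substring test. KQL has_any is term-based (whole tokens),
    so this is deliberately looser than the rule; see the note below."""
    t = (text or "").lower()
    return any(term in t for term in terms)


def matches_rule(event, now, lookback=timedelta(hours=1)):
    """Apply the query's where-clauses, in order, to one audit record."""
    if event["TimeGenerated"] <= now - lookback:          # ago(1h)
        return False
    if event.get("Category", "").lower() not in CATEGORIES:  # Category in~ (...)
        return False
    op = event.get("OperationName", "")
    if not (has_any_ci(op, OBJECT_TERMS) and has_any_ci(op, ACTION_TERMS)):
        return False
    return bool(event.get("Identity"))                     # isnotempty(Actor)


def project(event):
    """Mirror the extend/project step: parse Properties and surface the target."""
    props = json.loads(event.get("Properties") or "{}")
    return {
        "TimeGenerated": event["TimeGenerated"],
        "Actor": event["Identity"],
        "OperationName": event["OperationName"],
        "Category": event["Category"],
        "PolicyType": str(props.get("TargetObjectType", "")),
        "TargetName": str(props.get("TargetDisplayName", "")),
        "Modified": json.dumps(props.get("ModifiedProperties", "")),
    }


def triage_priority(row):
    """Assumed heuristic (not from the page): deletions and integrity/DLP
    relaxations are high, pure re-assignments medium, everything else low."""
    op = row["OperationName"].lower()
    if "delete" in op or "remove" in op:
        return "high"
    if has_any_ci(row["Modified"], HIGH_RISK_SETTINGS):
        return "high"
    if "assign" in op:
        return "medium"
    return "low"


def run(events, now):
    """Return the projected rows the rule would emit, each with a priority."""
    rows = [project(e) for e in events if matches_rule(e, now)]
    for row in rows:
        row["Priority"] = triage_priority(row)
    return rows


NOW = datetime(2026, 4, 22, 12, 0, tzinfo=timezone.utc)  # constructed reference time

SAMPLE_EVENTS = [  # constructed records, not real tenant data
    {"TimeGenerated": NOW - timedelta(minutes=5), "Identity": "admin@contoso.example",
     "Category": "ApplicationManagement", "OperationName": "Patch ManagedAppPolicy",
     "Properties": json.dumps({"TargetDisplayName": "iOS MAM baseline",
                                "TargetObjectType": "ManagedAppPolicy",
                                "ModifiedProperties": [{"Name": "AllowedOutboundClipboardSharingLevel",
                                                        "Old": "managedApps", "New": "allApps"}]})},
    {"TimeGenerated": NOW - timedelta(minutes=12), "Identity": "admin@contoso.example",
     "Category": "Compliance", "OperationName": "Delete DeviceCompliancePolicy",
     "Properties": json.dumps({"TargetDisplayName": "Block rooted Android",
                                "TargetObjectType": "DeviceCompliancePolicy",
                                "ModifiedProperties": []})},
    {"TimeGenerated": NOW - timedelta(minutes=30), "Identity": "helpdesk@contoso.example",
     "Category": "DeviceConfiguration", "OperationName": "Assign DeviceConfiguration",
     "Properties": json.dumps({"TargetDisplayName": "Wi-Fi profile",
                                "TargetObjectType": "DeviceConfiguration",
                                "ModifiedProperties": [{"Name": "Assignments"}]})},
    {"TimeGenerated": NOW - timedelta(minutes=2), "Identity": "admin@contoso.example",
     "Category": "Device", "OperationName": "Sync Device",  # wrong category: dropped
     "Properties": "{}"},
    {"TimeGenerated": NOW - timedelta(hours=3), "Identity": "admin@contoso.example",
     "Category": "Compliance", "OperationName": "Create DeviceCompliancePolicy",  # outside window
     "Properties": "{}"},
]

if __name__ == "__main__":
    for row in run(SAMPLE_EVENTS, NOW):
        print(row["Priority"].upper(), row["Actor"], row["OperationName"], row["TargetName"])
```

Running it emits three rows: the clipboard relaxation and the compliance-policy deletion at high priority, the Wi-Fi profile assignment at medium; the device sync and the three-hour-old creation are dropped, as the rule would drop them. Because has_any_ci is substring-based, a concatenated operation name such as "patchManagedAppPolicy" would pass here but not in KQL, which is exactly the tokenization behaviour to verify against live data.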

Details


David Alonso

Released: April 22, 2026

Tables

IntuneAuditLogs

Keywords

Intune, Devices, Compliance, Configuration, ApplicationManagement, Enrollment, Policy, Protection, ManagedAppPolicy, Assignment, Actor, TargetName, Modified, Account

Operators

IntuneAuditLogs, where, ago, in~, has_any, extend, parse_json, tostring, isnotempty, project
