Query Details

Intune Policy Tampering

Query

id: 5a6f1c3e-2a1b-4c9e-9f01-11a2b3c4d505
name: Intune - Compliance or configuration policy modified or deleted
description: |
  Detects modification or deletion of Intune device compliance policies, configuration profiles,
  policy assignments, or Conditional Access device filters. Every such operation is surfaced; whether
  the actor was expected to make the change (a non-privileged or newly elevated account is the concern)
  has to be established during triage. Attackers may weaken policies to allow non-compliant or rogue
  devices access to corporate resources.
severity: High
requiredDataConnectors:
  - connectorId: AzureMonitor(IntuneLogs)
    dataTypes:
      - IntuneAuditLogs
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
status: Available
tactics:
  - DefenseEvasion
  - Impact
relevantTechniques:
  - T1562
  - T1484
query: |
  // Exact OperationName values for edits/deletions of the policy objects this rule cares about.
  let sensitiveOps = dynamic([
      "Delete DeviceCompliancePolicy","Patch DeviceCompliancePolicy",
      "Delete DeviceConfiguration","Patch DeviceConfiguration",
      "Delete DeviceManagementConfigurationPolicy","Patch DeviceManagementConfigurationPolicy",
      "Delete CompliancePolicyAssignment","Patch CompliancePolicyAssignment",
      "Delete ConditionalAccessPolicy","Patch ConditionalAccessPolicy"
  ]);
  IntuneAuditLogs
  | where TimeGenerated > ago(1h)
  // Parentheses make the precedence explicit (KQL binds `and` tighter than `or`).
  // The fallback clause uses startswith/contains instead of has_any: `has` matches whole
  // terms, and an object name such as DeviceCompliancePolicy is a single term, so
  // `OperationName has "Compliance"` would never match it.
  | where OperationName in~ (sensitiveOps)
      or ((OperationName startswith "Delete " or OperationName startswith "Patch ")
          and (OperationName contains "Compliance" or OperationName contains "Configuration"))
  | extend Props = parse_json(tostring(Properties))
  | extend TargetObjectName = tostring(Props.TargetObjectName),
           TargetObjectType = tostring(Props.TargetObjectType),
           ModifiedProperties = tostring(Props.ModifiedProperties)
  // ResultType is not filtered, so failed attempts are reported alongside successful changes.
  | project TimeGenerated, Identity, OperationName, TargetObjectName, TargetObjectType, ModifiedProperties, ResultType
  | extend AccountCustomEntity = tostring(Identity)
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: AccountCustomEntity
version: 1.0.0
kind: Scheduled

Explanation

This query monitors the Intune audit log for changes to device compliance policies, configuration profiles and their assignments, and raises an alert whenever one of them is modified or deleted. Here's a breakdown of what it does:

  1. Purpose: It surfaces every modification or deletion of these policy objects so that an analyst can check who made the change and whether that account was expected to make it. The scenario named in the rule description (a non-privileged or recently elevated account editing policy) is not evaluated by the query itself; the actor's role assignment history must be confirmed during triage. This matters because an attacker who can edit compliance or configuration policy can weaken it so that non-compliant or rogue devices pass device-based Conditional Access checks and reach corporate resources.

  2. Severity: The alert is marked as "High", so any detected activity is treated as a significant security risk. Because every matching edit fires the rule, routine administrative changes will also appear; if the volume is high, tune with an exclusion for known change-management accounts rather than lowering the severity.

  3. Data Source: The IntuneAuditLogs table in the Log Analytics workspace, populated by forwarding Intune audit logs through diagnostic settings (Azure Monitor). Conditional Access policies are Entra ID objects and edits to them are normally written to the Entra ID AuditLogs table, so verify in your own tenant that the ConditionalAccessPolicy operation names in the list actually occur in IntuneAuditLogs before relying on this rule for that coverage.

  4. Frequency: The query runs every hour and looks back at the last hour of data; since queryFrequency and queryPeriod are both 1h, the extra ago(1h) filter inside the query is redundant but harmless.

  5. Detection Logic:

    • It defines a list of sensitive operation names (Delete and Patch of DeviceCompliancePolicy, DeviceConfiguration, DeviceManagementConfigurationPolicy, CompliancePolicyAssignment and ConditionalAccessPolicy) and matches OperationName against it case-insensitively.
    • A second clause catches Delete or Patch operations on other object types whose names mention Compliance or Configuration, so object types that are not in the list are not silently missed. KQL `has` matches whole terms, and an object name such as DeviceCompliancePolicy is a single term, so this clause only works when it uses substring matching (contains) rather than has_any.
    • It parses the Properties JSON to extract the target object's name and type and the list of modified properties, which is where the before and after values of a weakened setting show up.
    • No filter on ResultType is applied, so failed attempts are reported together with successful changes; ResultType is kept in the output so the analyst can tell them apart.
  6. Output: The query projects the time of the operation, the actor identity, the operation name, the target object details and the result, and maps the identity to an Account entity (via AccountCustomEntity) so the alert can be correlated with other incidents involving the same account.

  7. Security Tactics and Techniques: The query is associated with the Defense Evasion and Impact tactics and with techniques T1562 (Impair Defenses) and T1484 (Domain or Tenant Policy Modification), which describe an adversary disabling or weakening security controls and altering tenant-wide policy.

Overall, this query helps security teams quickly identify and respond to potential security threats involving Intune policy changes.
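To see how the filter behaves on concrete records, here is an added Python re-implementation of the rule's where/extend/project stages, run over a handful of constructed IntuneAuditLogs-style rows. This is example code written for this page, not the rule author's code: the tenant, identities and the Properties field layout are assumptions, and kql_has is only an approximation of KQL term matching. It demonstrates the one behaviour worth knowing before deploying the rule: the has_any fallback as phrased in the query cannot see "Compliance" or "Configuration" inside a single-term object name, so an operation such as Delete DeviceEnrollmentConfiguration is only caught when the fallback uses substring matching.

```python
import json
import re

# Exact operation names from the rule's sensitiveOps list; matched case-insensitively like KQL in~.
SENSITIVE_OPS = {
    "Delete DeviceCompliancePolicy", "Patch DeviceCompliancePolicy",
    "Delete DeviceConfiguration", "Patch DeviceConfiguration",
    "Delete DeviceManagementConfigurationPolicy", "Patch DeviceManagementConfigurationPolicy",
    "Delete CompliancePolicyAssignment", "Patch CompliancePolicyAssignment",
    "Delete ConditionalAccessPolicy", "Patch ConditionalAccessPolicy",
}
SENSITIVE_OPS_LOWER = {op.lower() for op in SENSITIVE_OPS}


def kql_has(text: str, term: str) -> bool:
    """Approximation of KQL `has`: case-insensitive match against whole alphanumeric terms.
    'DeviceCompliancePolicy' tokenises as one term, so has 'Compliance' is False for it."""
    terms = {t.lower() for t in re.findall(r"[A-Za-z0-9]+", text)}
    return term.lower() in terms


def kql_has_any(text: str, candidates) -> bool:
    return any(kql_has(text, c) for c in candidates)


def fallback_as_written(op: str) -> bool:
    """Fallback clause as the page's query phrases it (has_any on the verb and on the noun)."""
    return kql_has_any(op, ("Delete", "Patch")) and kql_has_any(op, ("Compliance", "Configuration"))


def fallback_fixed(op: str) -> bool:
    """Same intent with startswith/contains, which does see substrings inside compound names."""
    lowered = op.lower()
    verb_ok = lowered.startswith(("delete ", "patch "))
    noun_ok = "compliance" in lowered or "configuration" in lowered
    return verb_ok and noun_ok


def is_sensitive(op: str, fallback=fallback_fixed) -> bool:
    """OperationName in~ (sensitiveOps) or <fallback clause>."""
    return op.lower() in SENSITIVE_OPS_LOWER or fallback(op)


def run_detection(rows, fallback=fallback_fixed):
    """Emulate the rule's where/extend/project stages over IntuneAuditLogs-shaped dict rows."""
    hits = []
    for row in rows:
        if not is_sensitive(row["OperationName"], fallback):
            continue
        props = json.loads(row["Properties"])  # parse_json(tostring(Properties))
        modified = props.get("ModifiedProperties", "")
        hits.append({
            "TimeGenerated": row["TimeGenerated"],
            "Identity": row["Identity"],
            "OperationName": row["OperationName"],
            "TargetObjectName": str(props.get("TargetObjectName", "")),
            "TargetObjectType": str(props.get("TargetObjectType", "")),
            "ModifiedProperties": modified if isinstance(modified, str) else json.dumps(modified),
            "ResultType": row["ResultType"],  # not filtered by the rule: failed attempts are kept
            "AccountCustomEntity": row["Identity"],
        })
    return hits


def _row(ts, identity, op, result, **props):
    """Build one IntuneAuditLogs-like row; Properties is a JSON string as in the real table."""
    return {"TimeGenerated": ts, "Identity": identity, "OperationName": op,
            "ResultType": result, "Properties": json.dumps(props)}


# Constructed sample rows for a hypothetical tenant (not real telemetry).
SAMPLE_ROWS = [
    _row("2026-04-22T09:01:00Z", "helpdesk@contoso.example", "Patch DeviceCompliancePolicy", "Success",
         TargetObjectName="Windows - Require BitLocker", TargetObjectType="DeviceCompliancePolicy",
         ModifiedProperties=[{"Name": "bitLockerEnabled", "Old": "True", "New": "False"}]),
    _row("2026-04-22T09:02:00Z", "admin@contoso.example", "Create DeviceCompliancePolicy", "Success",
         TargetObjectName="macOS baseline", TargetObjectType="DeviceCompliancePolicy"),
    _row("2026-04-22T09:03:00Z", "helpdesk@contoso.example", "Delete DeviceEnrollmentConfiguration", "Success",
         TargetObjectName="Enrollment restrictions", TargetObjectType="DeviceEnrollmentConfiguration"),
    _row("2026-04-22T09:04:00Z", "reader@contoso.example", "Get DeviceConfiguration", "Success",
         TargetObjectName="Wi-Fi profile", TargetObjectType="DeviceConfiguration"),
    _row("2026-04-22T09:05:00Z", "helpdesk@contoso.example", "Patch DeviceConfiguration", "Failure",
         TargetObjectName="Wi-Fi profile", TargetObjectType="DeviceConfiguration"),
]


if __name__ == "__main__":
    for hit in run_detection(SAMPLE_ROWS):
        print(hit["TimeGenerated"], hit["Identity"], hit["OperationName"], hit["ResultType"])
    missed = [r["OperationName"] for r in SAMPLE_ROWS
              if is_sensitive(r["OperationName"]) and not is_sensitive(r["OperationName"], fallback_as_written)]
    print("rows the has_any fallback would miss:", missed)
```

Running it prints three hits (the BitLocker compliance edit, the enrollment configuration deletion and the failed Wi-Fi profile patch) and reports that the has_any form of the fallback would have dropped the enrollment configuration deletion. Swapping run_detection's fallback argument is a quick way to test any further change to the filter against the same constructed rows before editing the live rule.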

Details

David Alonso

Released: April 22, 2026

Tables

IntuneAuditLogs

Keywords

Intune, Devices, Compliance, Configuration, Conditional Access, Attackers, Policies, Resources, Logs, Audit, Defense Evasion, Impact

Operators

let, dynamic, in~, has_any, extend, parse_json, tostring, project, where, ago