Query Details

Intune - Wipe or Retire action on managed device

Intune Wipe Retire Activity

Query

IntuneAuditLogs
| where TimeGenerated > ago(1h)
| where OperationName has_any ("wipe","retire","freshStart","delete","eraseDevice","remoteLock","resetPasscode","disable")
| where Category =~ "DeviceActions" or OperationName has "ManagedDevice"
| extend Props = parse_json(tostring(Properties))
| extend Actor      = tostring(Identity)
| extend TargetId   = tostring(Props.TargetObjectId)
| extend TargetName = tostring(Props.TargetDisplayName)
| where isnotempty(Actor)
| summarize Count = count(), Devices = make_set(TargetName, 50), Operations = make_set(OperationName, 20),
            FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated)
        by Actor
| extend AccountCustomEntity = Actor

Explanation

This query is designed to monitor and detect potentially malicious administrative actions on devices managed by Microsoft Intune. Here's a simple breakdown of what it does:

  1. Purpose: The query identifies actions such as "wipe," "retire," "fresh-start," or "delete" performed on Intune-managed devices. These actions are considered destructive and could be used by attackers who have gained unauthorized access to Intune Administrator or Global Administrator credentials.

  2. Data Source: It uses data from the IntuneAuditLogs within Azure Monitor.

  3. Frequency and Period: The query runs every 15 minutes and looks at data from the past hour.

  4. Severity: The alert generated by this query is marked as "High" severity, indicating the potential for significant impact.

  5. Detection Logic:

    • It filters logs from the last hour for specific operations related to device management.
    • It checks if these operations are categorized under "DeviceActions" or involve "ManagedDevice."
    • It extracts and organizes relevant information such as the actor (who performed the action), the target device's ID and name, and the operations performed.
  6. Output: The query summarizes the data by counting the number of actions, listing the devices affected, and noting the first and last time these actions were seen. It groups this information by the actor responsible for the actions.

  7. Entity Mapping: The query maps the actor to an account entity for further analysis.

  8. Tactics and Techniques: It aligns with the tactics of "Impact" and "Defense Evasion" and is related to techniques T1485 (Data Destruction) and T1531 (Account Access Removal).

In essence, this query helps in identifying and alerting on suspicious or unauthorized destructive actions on corporate devices, which could indicate a security breach or malicious intent.

Details

David Alonso profile picture

David Alonso

Released: April 22, 2026

Tables

IntuneAuditLogs

Keywords

IntuneDevicesAdministratorTokensCorporateLogsOperationsAccount

Operators

IntuneAuditLogswhereagohas_anyhas=~extendparse_jsontostringisnotemptysummarizecountmake_setminmaxby

Severity

High

Tactics

ImpactDefenseEvasion

MITRE Techniques

Frequency: 15m

Period: 1h

Actions

GitHub