Intune - Wipe or Retire action on managed device
Intune Wipe Retire Activity
Query
IntuneAuditLogs
| where TimeGenerated > ago(1h)
| where OperationName has_any ("wipe","retire","freshStart","delete","eraseDevice","remoteLock","resetPasscode","disable")
| where Category =~ "DeviceActions" or OperationName has "ManagedDevice"
| extend Props = parse_json(tostring(Properties))
| extend Actor = tostring(Identity)
| extend TargetId = tostring(Props.TargetObjectId)
| extend TargetName = tostring(Props.TargetDisplayName)
| where isnotempty(Actor)
| summarize Count = count(), Devices = make_set(TargetName, 50), Operations = make_set(OperationName, 20),
FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated)
by Actor
| extend AccountCustomEntity = ActorExplanation
This query is designed to monitor and detect potentially malicious administrative actions on devices managed by Microsoft Intune. Here's a simple breakdown of what it does:
-
Purpose: The query identifies actions such as "wipe," "retire," "fresh-start," or "delete" performed on Intune-managed devices. These actions are considered destructive and could be used by attackers who have gained unauthorized access to Intune Administrator or Global Administrator credentials.
-
Data Source: It uses data from the
IntuneAuditLogswithin Azure Monitor. -
Frequency and Period: The query runs every 15 minutes and looks at data from the past hour.
-
Severity: The alert generated by this query is marked as "High" severity, indicating the potential for significant impact.
-
Detection Logic:
- It filters logs from the last hour for specific operations related to device management.
- It checks if these operations are categorized under "DeviceActions" or involve "ManagedDevice."
- It extracts and organizes relevant information such as the actor (who performed the action), the target device's ID and name, and the operations performed.
-
Output: The query summarizes the data by counting the number of actions, listing the devices affected, and noting the first and last time these actions were seen. It groups this information by the actor responsible for the actions.
-
Entity Mapping: The query maps the actor to an account entity for further analysis.
-
Tactics and Techniques: It aligns with the tactics of "Impact" and "Defense Evasion" and is related to techniques T1485 (Data Destruction) and T1531 (Account Access Removal).
In essence, this query helps in identifying and alerting on suspicious or unauthorized destructive actions on corporate devices, which could indicate a security breach or malicious intent.
Details

David Alonso
Released: April 22, 2026
Tables
Keywords
Operators
Severity
HighTactics
Frequency: 15m
Period: 1h