Query Details

Intune Wipe Retire Activity

Query

id: 5a6f1c3e-2a1b-4c9e-9f01-11a2b3c4d511
name: Intune - Wipe or Retire action on managed device
description: |
  Detects wipe, retire, fresh-start, or delete actions against Intune-managed devices recorded in
  IntuneAuditLogs. These are destructive admin operations abused by attackers with stolen Intune
  Administrator / Global Administrator tokens to disable corporate devices, cover tracks, or perform
  ransom-style lockouts.
severity: High
requiredDataConnectors:
  - connectorId: AzureMonitor(IntuneLogs)
    dataTypes:
      - IntuneAuditLogs
queryFrequency: 15m
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
status: Available
tactics:
  - Impact
  - DefenseEvasion
relevantTechniques:
  - T1485
  - T1531
query: |
  IntuneAuditLogs
  | where TimeGenerated > ago(1h)
  | where OperationName has_any ("wipe","retire","freshStart","delete","eraseDevice","remoteLock","resetPasscode","disable")
  | where Category =~ "DeviceActions" or OperationName has "ManagedDevice"
  | extend Props = parse_json(tostring(Properties))
  | extend Actor      = tostring(Identity)
  | extend TargetId   = tostring(Props.TargetObjectId)
  | extend TargetName = tostring(Props.TargetDisplayName)
  | where isnotempty(Actor)
  | summarize Count = count(), Devices = make_set(TargetName, 50), Operations = make_set(OperationName, 20),
              FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated)
          by Actor
  | extend AccountCustomEntity = Actor
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: AccountCustomEntity
version: 1.0.0
kind: Scheduled

Explanation

This query monitors administrative device actions recorded by Microsoft Intune and alerts on the destructive ones. A breakdown of what it does:

  1. Purpose: The query identifies "wipe," "retire," "fresh-start," and "delete" actions against Intune-managed devices. These operations are destructive by design, and an attacker who has obtained Intune Administrator or Global Administrator credentials (or a stolen token for one of those roles) can use them to lock users out of corporate devices, destroy evidence on an endpoint, or stage a ransom-style lockout.

  2. Data Source: It reads the IntuneAuditLogs table, which reaches the Log Analytics workspace through the Intune diagnostic settings connector listed under requiredDataConnectors.

  3. Frequency and Period: The query runs every 15 minutes and looks back over the past hour. Because the lookback is four times the run interval, the same audit event can be returned by up to four consecutive runs; configure incident grouping or suppression on the rule accordingly.

  4. Severity: Alerts are marked "High," reflecting the immediate impact of a wiped or retired device.

  5. Detection Logic:

    • It filters the last hour of IntuneAuditLogs to rows whose OperationName contains any of the listed action words. has_any is term-based and case-insensitive, so "wipe" matches an operation name such as "wipe ManagedDevice". The list also carries remoteLock and resetPasscode, which are disruptive rather than destructive.
    • It then keeps only rows whose Category is "DeviceActions" or whose OperationName contains "ManagedDevice". This second filter matters: on its own, a broad term such as "delete" or "disable" would also match administrative changes to configuration profiles and policies.
    • It parses the Properties JSON and extracts the actor (the Identity column), the target device's object ID, and its display name, then drops rows with no actor.

  6. Output: The query summarizes by actor, counting the actions, collecting the affected device names (up to 50) and the operations used (up to 20), and recording the first and last time the actions were seen. Since triggerThreshold is 0, a single legitimate retire by a helpdesk administrator also raises an alert; in production, tune the rule with an allow-list of expected accounts or a minimum count per actor rather than lowering its severity.

  7. Entity Mapping: The actor is mapped to an Account entity (FullName), so the resulting incident carries the account for investigation and pivoting.

  8. Tactics and Techniques: The rule is tagged with the "Impact" and "Defense Evasion" tactics and with techniques T1485 (Data Destruction) and T1531 (Account Access Removal).

In essence, this query identifies and alerts on destructive actions against corporate devices, which can indicate a compromised administrative account or malicious intent by an insider.
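The following is an added example, not part of the original rule or of the author's code: it runs the same filter and summarize logic over a handful of constructed IntuneAuditLogs rows in a datatable so the detection can be exercised in a Log Analytics workspace before real events arrive. The rows, the contoso.example accounts, the device names, and the KnownHelpdeskAccounts allow-list are all constructed for the example; the Properties field names (TargetObjectId, TargetDisplayName) and the Category value "DeviceActions" are the same assumptions the rule itself makes. Timestamps are generated relative to now() so that the rule's ago(1h) window applies unchanged, and one row is deliberately placed two hours back to fall outside it.

```kql
// Added example: constructed IntuneAuditLogs rows to exercise the rule logic offline.
// Offsets are subtracted from now() so the rule's ago(1h) window works whenever this runs.
let SampleIntuneAuditLogs = datatable(Offset:timespan, OperationName:string, Category:string, Identity:string, Properties:dynamic)
[
    // constructed: one actor wiping and retiring several devices inside the window
    5m,  "wipe ManagedDevice",   "DeviceActions", "attacker@contoso.example",
         dynamic({"TargetObjectId":"11111111-1111-1111-1111-111111111111","TargetDisplayName":"LAPTOP-FIN-01"}),
    4m,  "wipe ManagedDevice",   "DeviceActions", "attacker@contoso.example",
         dynamic({"TargetObjectId":"22222222-2222-2222-2222-222222222222","TargetDisplayName":"LAPTOP-FIN-02"}),
    3m,  "retire ManagedDevice", "DeviceActions", "attacker@contoso.example",
         dynamic({"TargetObjectId":"33333333-3333-3333-3333-333333333333","TargetDisplayName":"LAPTOP-FIN-03"}),
    // constructed: a single retire by a helpdesk account (fires under the rule, since triggerThreshold is 0)
    10m, "retire ManagedDevice", "DeviceActions", "helpdesk@contoso.example",
         dynamic({"TargetObjectId":"44444444-4444-4444-4444-444444444444","TargetDisplayName":"LAPTOP-HR-07"}),
    // constructed: benign profile removal; "delete" passes has_any, but it is neither
    // Category "DeviceActions" nor a ManagedDevice operation, so the second filter drops it
    12m, "delete DeviceConfiguration", "DeviceConfiguration", "admin@contoso.example",
         dynamic({"TargetObjectId":"55555555-5555-5555-5555-555555555555","TargetDisplayName":"Legacy Wi-Fi profile"}),
    // constructed: row with an empty Identity, removed by isnotempty(Actor)
    15m, "wipe ManagedDevice",   "DeviceActions", "",
         dynamic({"TargetObjectId":"66666666-6666-6666-6666-666666666666","TargetDisplayName":"LAPTOP-OPS-02"}),
    // constructed: wipe from two hours ago, outside the rule's one-hour lookback
    2h,  "wipe ManagedDevice",   "DeviceActions", "attacker@contoso.example",
         dynamic({"TargetObjectId":"77777777-7777-7777-7777-777777777777","TargetDisplayName":"LAPTOP-FIN-00"})
]
| extend TimeGenerated = now() - Offset;
// Assumed tuning allow-list: accounts that retire devices as part of their normal duties.
let KnownHelpdeskAccounts = dynamic(["helpdesk@contoso.example"]);
SampleIntuneAuditLogs
| where TimeGenerated > ago(1h)
| where OperationName has_any ("wipe","retire","freshStart","delete","eraseDevice","remoteLock","resetPasscode","disable")
| where Category =~ "DeviceActions" or OperationName has "ManagedDevice"
| extend Props = parse_json(tostring(Properties))
| extend Actor      = tostring(Identity)
| extend TargetId   = tostring(Props.TargetObjectId)
| extend TargetName = tostring(Props.TargetDisplayName)
| where isnotempty(Actor)
| summarize Count = count(), Devices = make_set(TargetName, 50), Operations = make_set(OperationName, 20),
            FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated)
        by Actor
// Added tuning step (not in the rule): suppress single actions from allow-listed accounts,
// while still reporting them if they act against more than one device in the window.
| where Count > 1 or Actor !in (KnownHelpdeskAccounts)
| extend AccountCustomEntity = Actor
```

Swap the first let binding for the real IntuneAuditLogs table once the logic is verified; the trailing allow-list clause is the one addition over the rule and should be reviewed against the accounts that actually perform retirements in the tenant.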

Details


David Alonso

Released: April 22, 2026

Tables

IntuneAuditLogs

Keywords

Intune, Devices, Administrator, Tokens, Corporate, Logs, Operations, Account

Operators

IntuneAuditLogs, where, ago, has_any, has, =~, extend, parse_json, tostring, isnotempty, summarize, count, make_set, min, max, by
