Query Details

Mass Wipe / Retire Device Action

Mass Wipe Or Retire Device Action

Query

let WipeThreashold = 5; // A normal engineer is not wiping more than 5 devices per hour. Can be adjusted for the environment.
IntuneAuditLogs 
| where OperationName in('wipe ManagedDevice','retire ManagedDevice')
| where  ResultType == 'Success'
| where isnotempty(Properties)
| extend Targets = extract_json("$.Targets", Properties, typeof(dynamic))
| extend TargetCount= array_length(Targets)
| extend Actor = extract_json("$.Actor", Properties, typeof(string))
| extend AccountObjectId = extract_json("$.ObjectId", Actor, typeof(guid))
| summarize TotalWipeOrRetireTargetCount=sum(TargetCount), TimeGenerated=min(TimeGenerated), Identity=min(Identity) by AccountObjectId
| where TotalWipeOrRetireTargetCount > WipeThreashold

About this query

Explanation

This query is designed to detect unusual activity related to the mass wiping or retiring of devices managed through Microsoft Intune. It focuses on identifying potential security threats, such as compromised admin accounts or malicious automation, that could lead to data destruction or denial of service by issuing a large number of device wipe or retire commands in a short period.

Key Points:

  1. Purpose: The query aims to spot unusual spikes in device wipe or retire actions, which could indicate malicious activity or misuse of administrative privileges.

  2. Techniques Involved:

    • T1072 (Software Deployment Tools): Abuse of management tools to perform unauthorized actions.
    • T1485 (Data Destruction): Using wipe/retire actions to destroy data or disrupt services.
  3. Detection Criteria:

    • The query looks for successful wipe or retire operations.
    • It checks if the number of devices affected by these operations exceeds a predefined threshold (WipeThreashold), which is set to 5 by default but can be adjusted based on normal operational activities.
  4. Potential Indicators:

    • Admin or service accounts performing bulk operations beyond normal levels.
    • Use of special accounts (e.g., break-glass accounts) to disrupt device availability.
    • Automated scripts or compromised credentials triggering mass actions.
  5. Actionable Insights:

    • If the threshold is exceeded, it may indicate a compromised user account or malicious activity.
    • Suggested remediation includes marking the user as compromised or disabling the account to prevent further unauthorized actions.
  6. Customization:

    • Organizations should establish a baseline for legitimate bulk operations to fine-tune the WipeThreashold and avoid false positives.

This query helps security teams monitor and respond to potential threats involving the misuse of device management capabilities in Intune.

Details

Thomas Kurth profile picture

Thomas Kurth

Released: January 4, 2026

Tables

IntuneAuditLogs

Keywords

DevicesIntuneUserAccountsAdminAutomationScriptsAPICredentialsDataDestructionDenialOfServiceManagementTools

Operators

letinwhere==isnotemptyextendextract_jsontypeofdynamicstringguidarray_lengthsummarizesumminby>

MITRE Techniques

Actions

GitHub