Query Details
id: 5a6f1c3e-2a1b-4c9e-9f01-11a2b3c4d502
name: Intune - Mass device enrollment spike by single user
description: |
  Detects a single user enrolling an unusually high number of devices in a short window,
  a pattern consistent with automated enrollment abuse (ROADtools `roadtx device`,
  AADInternals `Join-AADIntDeviceToAzureAD`) to create attacker-controlled trusted devices.
severity: Medium
requiredDataConnectors:
  - connectorId: AzureMonitor(IntuneLogs)
    dataTypes:
      - IntuneAuditLogs
      - IntuneDevices
queryFrequency: 1h
queryPeriod: 14d
triggerOperator: gt
triggerThreshold: 0
status: Available
tactics:
  - Persistence
  - InitialAccess
relevantTechniques:
  - T1098.005
  - T1078.004
query: |
  let window = 1h;
  // Per-user hourly enrollment counts over the prior 14 days, excluding the current window.
  // Only hours in which the user enrolled at least one device produce a bin.
  let baseline =
      IntuneAuditLogs
      | where TimeGenerated between (ago(14d) .. ago(1h))
      | where OperationName has "enroll"
      | summarize BaselineCount = count() by Identity = tostring(Identity), Hour = bin(TimeGenerated, 1h)
      | summarize BaseAvg = avg(BaselineCount), BaseStdev = stdev(BaselineCount) by Identity;
  // Current window: enrollment count per user plus the first 50 target device names
  IntuneAuditLogs
  | where TimeGenerated > ago(window)
  | where OperationName has "enroll"
  | summarize EnrollCount = count(),
              Devices = make_set(tostring(parse_json(tostring(Properties)).TargetObjectName), 50),
              FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated)
      by Identity = tostring(Identity)
  // leftouter keeps users with no history; coalesce() then supplies avg 0 and stdev 1 for them
  | join kind=leftouter baseline on Identity
  | extend Threshold = coalesce(BaseAvg, 0.0) + 3.0 * coalesce(BaseStdev, 1.0)
  // Hard floor of 5 events, then the adaptive baseline-plus-3-sigma threshold
  | where EnrollCount >= 5 and EnrollCount > Threshold
  | extend AccountCustomEntity = Identity
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: AccountCustomEntity
version: 1.0.0
kind: Scheduled
This query is designed to detect suspicious activity related to device enrollments in Microsoft Intune. Specifically, it looks for instances where a single user enrolls an unusually high number of devices within a short time frame, which could indicate automated enrollment abuse by an attacker. Here's a simple breakdown of what the query does:
Purpose: The query aims to identify potential security threats by detecting when a user enrolls many devices quickly, which might suggest unauthorized or automated actions.
Data Source: It uses data from Intune audit logs, focusing on device enrollment activities.
Time Frame: The query checks for unusual enrollment patterns over the past 14 days, analyzing data every hour.
Baseline Calculation: It calculates a baseline average and standard deviation of enrollments for each user over the past 14 days, excluding the last hour.
Current Activity Check: It then examines the last hour's data to see if any user has at least five enrollment events and if that count exceeds the calculated threshold (baseline average plus three times the standard deviation).
Alert Generation: If a user's enrollment count meets the floor of five and surpasses the threshold, the rule raises an alert, indicating potential misuse.
Severity and Tactics: The alert is classified as Medium severity and is mapped to the MITRE ATT&CK tactics Persistence and Initial Access (techniques T1098.005 and T1078.004).
Entity Mapping: The query maps the suspicious activity to the user's account for further investigation.
In summary, this query helps security teams identify and respond to potential threats by flagging unusual device enrollment patterns that could indicate malicious activity.
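The following is an added illustration, not part of the original rule: a Python model of the same baseline-plus-3-sigma logic, run offline over constructed sample audit events. The user names, the "Enroll Device" operation string and the device names are invented for the example and are not real Intune values. It reproduces the parts of the query that matter when tuning it: the hourly binning of the 14-day baseline, KQL `has` whole-term matching, the `leftouter` join plus `coalesce()` fallback for users with no history, and the hard floor of five events.

```python
"""Added example: an offline Python model of the rule's baseline-plus-3-sigma spike logic.

Everything here is constructed for illustration; it is neither the page's KQL nor Intune data.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from statistics import mean, stdev

WINDOW = timedelta(hours=1)      # `let window = 1h`
LOOKBACK = timedelta(days=14)    # queryPeriod: 14d
MIN_ENROLLMENTS = 5              # hard floor: EnrollCount >= 5
SIGMA = 3.0                      # Threshold = avg + 3 * stdev
MAX_DEVICES = 50                 # make_set(..., 50)


@dataclass(frozen=True)
class AuditEvent:
    time: datetime       # TimeGenerated
    identity: str        # Identity
    operation: str       # OperationName
    target: str          # Properties.TargetObjectName


def has_term(text: str, term: str) -> bool:
    """Model KQL `has`: case-insensitive match of a whole alphanumeric term, not a substring."""
    return term.lower() in (t.lower() for t in re.findall(r"[A-Za-z0-9]+", text))


def floor_hour(t: datetime) -> datetime:
    """Equivalent of bin(TimeGenerated, 1h)."""
    return t.replace(minute=0, second=0, microsecond=0)


def baseline_stats(events, now):
    """Per-user avg/stdev of hourly enrollment counts over [now-14d, now-1h] (the `baseline` let).

    Only hours with at least one enrollment contribute a bin, exactly as the KQL summarize does.
    """
    start, end = now - LOOKBACK, now - WINDOW
    hourly = defaultdict(lambda: defaultdict(int))
    for e in events:
        if start <= e.time <= end and has_term(e.operation, "enroll"):
            hourly[e.identity][floor_hour(e.time)] += 1
    stats = {}
    for identity, bins in hourly.items():
        counts = list(bins.values())
        # A sample stdev over a single bin is undefined; model that as None (coalesced to 1.0 later)
        stats[identity] = (mean(counts), stdev(counts) if len(counts) >= 2 else None)
    return stats


def detect_spikes(events, now):
    """Return one alert dict per user whose last-hour enrollments exceed the adaptive threshold."""
    stats = baseline_stats(events, now)
    current = defaultdict(list)
    for e in events:
        if now - WINDOW < e.time <= now and has_term(e.operation, "enroll"):
            current[e.identity].append(e)
    alerts = []
    for identity, evs in sorted(current.items()):
        avg, sd = stats.get(identity, (None, None))   # leftouter join: missing baseline -> nulls
        threshold = (avg if avg is not None else 0.0) + SIGMA * (sd if sd is not None else 1.0)
        count = len(evs)
        if count >= MIN_ENROLLMENTS and count > threshold:
            alerts.append({
                "Identity": identity,
                "EnrollCount": count,
                "Threshold": round(threshold, 3),
                "Devices": sorted({e.target for e in evs})[:MAX_DEVICES],
                "FirstSeen": min(e.time for e in evs),
                "LastSeen": max(e.time for e in evs),
            })
    return alerts


# ---- constructed sample data (hypothetical users and device names, not real tenant data) ----
NOW = datetime(2026, 4, 22, 12, 0, tzinfo=timezone.utc)


def _enrollments(identity, hours_ago, count, tag):
    """`count` constructed 'Enroll Device' events in the hour that ends `hours_ago` hours before NOW."""
    base = floor_hour(NOW - timedelta(hours=hours_ago + 1))
    return [AuditEvent(base + timedelta(minutes=i + 1), identity, "Enroll Device",
                       f"{tag}-{hours_ago}-{i:02d}") for i in range(count)]


SAMPLE_EVENTS = []
# alice: steady history of 1-2 enrollments in scattered hours, one enrollment in the last hour
for h, c in [(30, 1), (50, 1), (72, 2), (100, 1), (140, 1), (200, 1), (250, 2), (300, 1)]:
    SAMPLE_EVENTS += _enrollments("alice@contoso.example", h, c, "LT")
SAMPLE_EVENTS += _enrollments("alice@contoso.example", 0, 1, "LT")
# svc-enroll: modest history (2-3 per active hour), then 12 devices in the last hour
for h, c in [(5, 2), (26, 3), (48, 2), (70, 3)]:
    SAMPLE_EVENTS += _enrollments("svc-enroll@contoso.example", h, c, "KIOSK")
SAMPLE_EVENTS += _enrollments("svc-enroll@contoso.example", 0, 12, "KIOSK")
# bob: no history at all, 6 enrollments in the last hour (falls back to avg 0, stdev 1)
SAMPLE_EVENTS += _enrollments("bob@contoso.example", 0, 6, "LT")
# carol: no history, 4 enrollments in the last hour (below the hard floor of 5)
SAMPLE_EVENTS += _enrollments("carol@contoso.example", 0, 4, "LT")
# Noise the OperationName filter must ignore: a non-enrollment, and a compound word that
# KQL `has "enroll"` does not match because "enroll" is not a whole term in it
SAMPLE_EVENTS.append(AuditEvent(NOW - timedelta(minutes=5), "bob@contoso.example",
                                "Delete Device", "LT-old-01"))
SAMPLE_EVENTS.append(AuditEvent(NOW - timedelta(minutes=4), "bob@contoso.example",
                                "Update DeviceEnrollmentConfiguration", "policy-01"))

if __name__ == "__main__":
    for a in detect_spikes(SAMPLE_EVENTS, NOW):
        print(a["Identity"], a["EnrollCount"], a["Threshold"], len(a["Devices"]))
```

Two tuning points the model makes visible. First, the baseline averages only over hours in which the user actually enrolled something, so quiet hours never pull the average down; for most users that raises the threshold and makes the rule more conservative, while a user with no history at all gets a threshold of exactly 3.0, so for first-time enrollers the floor of five events is what decides. Second, `has "enroll"` matches whole terms only, so an OperationName written as one compound word would be skipped; check the distinct OperationName values in your tenant's IntuneAuditLogs before relying on that filter.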

David Alonso
Released: April 22, 2026