Query Details

Non Compliant Access

Query

id: 7b8c9d10-aaaa-4001-8001-000000000003
name: HUNT - Non-compliant devices still accessing corporate apps
description: |
  Lists devices currently in a non-compliant / error / unknown state that nevertheless
  produced successful sign-ins to corporate apps. Indicates CA gaps or compliance bypass.
requiredDataConnectors:
  - connectorId: AzureMonitor(IntuneLogs)
    dataTypes:
      - IntuneDeviceComplianceOrg
  - connectorId: AzureActiveDirectory
    dataTypes:
      - SigninLogs
tactics:
  - DefenseEvasion
relevantTechniques:
  - T1562
query: |
  // Allowlisted IPv4 ranges (CIDR) come from the NetworkAllowlist watchlist
  let NetworkAllowlist = _GetWatchlist('NetworkAllowlist') | project IPRange = tostring(SearchKey);
  let AllowedRanges = toscalar(NetworkAllowlist | summarize make_list(IPRange));
  // Take each device's latest report first, then filter on state, so a device that was
  // reported non-compliant earlier in the window but is compliant now is not flagged
  let bad =
      IntuneDeviceComplianceOrg
      | where TimeGenerated > ago(1d)
      | summarize arg_max(TimeGenerated, *) by DeviceId = tostring(DeviceId)
      | where ComplianceState in~ ("NonCompliant","Error","Unknown","InGracePeriod")
      | project DeviceId, DeviceName = tostring(DeviceName), ComplianceState,
                UPN = tolower(tostring(UPN));
  SigninLogs
  | where TimeGenerated > ago(1d) and ResultType == 0   // successful sign-ins only
  // ipv4_is_in_any_range() returns null for IPv6 sources, and a null predicate drops the row;
  // coalesce() keeps those off-network sign-ins in the hunt
  | where coalesce(ipv4_is_in_any_range(tostring(IPAddress), AllowedRanges), false) == false
  | extend DeviceId = tostring(DeviceDetail.deviceId), UPN = tolower(UserPrincipalName)
  | join kind=inner bad on DeviceId
  | summarize SignIns = count(), Apps = make_set(AppDisplayName, 20),
              IPs = make_set(IPAddress, 20)
            by UPN, DeviceId, DeviceName, ComplianceState
  | order by SignIns desc
version: 1.0.0

Explanation

This query is designed to identify devices that are not compliant with corporate policies but are still successfully accessing corporate applications. Here's a simple breakdown of what the query does:

  1. Purpose: The query aims to find devices that are in a non-compliant, error, unknown, or grace period state but have successfully signed into corporate applications. This can indicate potential security gaps or compliance bypasses.

  2. Data Sources:

    • It uses data from Intune logs to check device compliance status.
    • It uses Azure Active Directory sign-in logs to track successful sign-ins.
  3. Process:

    • It first retrieves a list of IP ranges that are allowed (from a watchlist called 'NetworkAllowlist').
    • It then identifies devices that have been non-compliant in the last day.
    • It checks for successful sign-ins (ResultType == 0) in the last day from IP addresses not in the allowed list.
    • It matches these sign-ins with the non-compliant devices.
  4. Output:

    • The result is a list of user principal names (UPNs), device IDs, device names, and compliance states.
    • It also includes the number of sign-ins, the applications accessed, and the IP addresses used.
    • The results are ordered by the number of sign-ins, showing the most frequent offenders first.
  5. Security Implication: This query highlights potential security issues where non-compliant devices are accessing corporate resources, suggesting a need for reviewing conditional access policies or compliance checks.
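As an added example (not code from the page or its author), the same hunt expressed in Python over constructed Intune compliance and sign-in rows: it takes each device's latest compliance report before filtering on state, so a device remediated within the window is not flagged, and it treats IPv6 sources as off-network because no IPv4 allowlist range can contain them. Field names mirror the query's columns; the sample rows and the CIDR allowlist are constructed.

```python
# Added example, not the page's query: the same hunt in Python over constructed rows.
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network
NOT_COMPLIANT = {"noncompliant", "error", "unknown", "ingraceperiod"}  # in~ is case-insensitive
def current_bad_devices(rows, now, window):
    # arg_max(TimeGenerated, *) by DeviceId first, then filter on state: a remediated device is not flagged
    latest = {}
    for r in rows:
        cur = latest.get(r["DeviceId"])
        if r["TimeGenerated"] > now - window and (cur is None or r["TimeGenerated"] > cur["TimeGenerated"]):
            latest[r["DeviceId"]] = r
    return {d: r for d, r in latest.items() if r["ComplianceState"].lower() in NOT_COMPLIANT}
def off_network(ip, nets):
    # True unless the source lies in an allowlisted range; an IPv6 source never matches an IPv4 range
    try:
        return not any(ip_address(ip) in net for net in nets)
    except ValueError:
        return True  # unparsable source address: keep the row rather than silently dropping it
def hunt(signins, compliance, allowlist_cidrs, now, window=timedelta(days=1)):
    # successful off-network sign-ins joined to currently non-compliant devices, most sign-ins first
    bad, nets = current_bad_devices(compliance, now, window), [ip_network(c) for c in allowlist_cidrs]
    agg = defaultdict(lambda: {"SignIns": 0, "Apps": set(), "IPs": set()})
    for s in signins:
        dev = bad.get(s["DeviceId"])
        if dev is None or s["ResultType"] != 0 or s["TimeGenerated"] <= now - window:
            continue
        if not off_network(s["IPAddress"], nets):
            continue
        key = (s["UserPrincipalName"].lower(), dev["DeviceId"], dev["DeviceName"], dev["ComplianceState"])
        agg[key]["SignIns"] += 1
        agg[key]["Apps"].add(s["AppDisplayName"])
        agg[key]["IPs"].add(s["IPAddress"])
    return sorted(agg.items(), key=lambda kv: -kv[1]["SignIns"])

# Constructed sample rows (not real telemetry); h = hours before NOW
NOW = datetime(2026, 4, 22, 12, 0, tzinfo=timezone.utc)
def comp(h, dev, state):  # IntuneDeviceComplianceOrg-shaped row
    return {"TimeGenerated": NOW - timedelta(hours=h), "DeviceId": dev, "DeviceName": "LT-" + dev,
            "ComplianceState": state, "UPN": "user-" + dev + "@contoso.com"}
def si(h, rc, ip, dev, app):  # SigninLogs-shaped row
    return {"TimeGenerated": NOW - timedelta(hours=h), "ResultType": rc, "IPAddress": ip, "DeviceId": dev,
            "AppDisplayName": app, "UserPrincipalName": "User-" + dev + "@Contoso.com"}
COMPLIANCE = [comp(5, "a", "NonCompliant"), comp(6, "b", "NonCompliant"), comp(2, "b", "Compliant")]
SIGNINS = [si(3, 0, "203.0.113.7", "a", "Exchange Online"),   # off-network success: counted
           si(1, 0, "2001:db8::10", "a", "SharePoint Online"),  # IPv6 success: counted
           si(2, 0, "10.1.2.3", "a", "SharePoint Online"),      # inside allowlisted range: excluded
           si(2, 50126, "203.0.113.7", "a", "Teams"),           # failed sign-in: excluded
           si(1, 0, "198.51.100.9", "b", "Teams")]              # device b is compliant again: excluded
ALLOWLIST = ["10.0.0.0/8"]
```

Calling `hunt(SIGNINS, COMPLIANCE, ALLOWLIST, NOW)` returns one row for device a with two sign-ins; device b drops out because its latest report is Compliant.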

Details

David Alonso

Released: April 22, 2026

Tables

IntuneDeviceComplianceOrg, SigninLogs

Keywords

Devices, Intune, User, Compliance, Apps, Network, IPAddress, TimeGenerated, DeviceName, ComplianceState, UPN, DeviceId, UserPrincipalName, SignIns, AppDisplayName

Operators

let, project, toscalar, summarize, make_list, where, in~, arg_max, tolower, ago, and, not, ipv4_is_in_any_range, tostring, extend, join, kind=inner, make_set, by, order by, desc