Query Details
id: 7b8c9d10-aaaa-4001-8001-000000000009
name: HUNT - Intune operational errors by category
description: |
  Aggregates IntuneOperationalLogs failures (policy application errors, enrollment
  errors, app install errors). Spikes often precede compliance bypass or indicate
  misconfiguration that lowers the security posture.
requiredDataConnectors:
  - connectorId: AzureMonitor(IntuneLogs)
    dataTypes:
      - IntuneOperationalLogs
tactics:
  - DefenseEvasion
relevantTechniques:
  - T1562
query: |
  IntuneOperationalLogs
  | where TimeGenerated > ago(7d)
  | where tostring(Result) =~ "Failure"
  | extend Props = parse_json(tostring(Properties))
  // coalesce() returns the first argument that is neither null nor an empty string
  | extend Reason = coalesce(tostring(Props.ResultReason),
                             tostring(Props.ResultDescription),
                             tostring(Props.ErrorDescription))
  | summarize Count = count(),
              Examples = make_list(Reason, 5)
      by Category = tostring(Category), OperationName
  | order by Count desc
version: 1.0.0
This query is designed to analyze and summarize operational errors from Intune, a Microsoft service for mobile device management. Here's a simple breakdown of what it does:
Data Source: It reads the IntuneOperationalLogs table, which is ingested through the AzureMonitor(IntuneLogs) data connector.
Time Frame: The query looks at logs from the past 7 days.
Filter: It specifically filters for logs where the result is marked as "Failure."
Error Details: It parses the JSON Properties field and takes the first populated value among ResultReason, ResultDescription and ErrorDescription as the error reason.
Aggregation: The query counts the number of failures and lists up to five examples of error reasons for each category and operation name.
Sorting: The results are sorted by the number of failures in descending order, highlighting the most frequent issues.
Purpose: The query helps identify spikes in operational errors, which might indicate potential security issues or misconfigurations that could weaken security defenses.
Overall, this query is used for monitoring and identifying patterns in Intune operational errors to preemptively address security and compliance issues.
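To see what the aggregation above returns before running it against a tenant, here is an added Python re-implementation of the same pipeline over constructed sample rows; it is not part of the original query page, and the `_row`, `extract_reason` and `summarize_failures` names are my own.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

REASON_KEYS = ("ResultReason", "ResultDescription", "ErrorDescription")

def extract_reason(properties_json: str) -> str:
    """Mirror the query's coalesce(): first non-empty reason field, else ""."""
    try:
        props = json.loads(properties_json) if properties_json else {}
    except json.JSONDecodeError:
        props = {}
    for key in REASON_KEYS:
        value = props.get(key)
        if value not in (None, ""):  # KQL coalesce skips null and empty strings
            return str(value)
    return ""

def summarize_failures(rows, now, window_days=7, max_examples=5):
    """Keep failures inside the window, group by (Category, OperationName),
    count them, keep up to max_examples reasons, sort by Count descending."""
    cutoff = now - timedelta(days=window_days)
    groups = defaultdict(list)
    for row in rows:
        ts = datetime.fromisoformat(row["TimeGenerated"].replace("Z", "+00:00"))
        if ts <= cutoff or row.get("Result", "").lower() != "failure":  # =~ is case-insensitive
            continue
        groups[(row["Category"], row["OperationName"])].append(extract_reason(row["Properties"]))
    result = [{"Category": c, "OperationName": o, "Count": len(r), "Examples": r[:max_examples]}
              for (c, o), r in groups.items()]
    return sorted(result, key=lambda g: g["Count"], reverse=True)

# Constructed sample rows shaped like IntuneOperationalLogs; not real tenant data.
NOW = datetime(2026, 4, 22, tzinfo=timezone.utc)

def _row(days_ago, result, category, op, **props):
    return {"TimeGenerated": (NOW - timedelta(days=days_ago)).isoformat(), "Result": result,
            "Category": category, "OperationName": op, "Properties": json.dumps(props)}

SAMPLE_ROWS = [
    _row(1, "Failure", "DeviceManagement", "ApplyPolicy", ResultReason="Policy conflict"),
    _row(2, "Failure", "DeviceManagement", "ApplyPolicy", ResultReason="", ResultDescription="Setting not applicable"),
    _row(3, "Failure", "DeviceManagement", "ApplyPolicy", ErrorDescription="Request timed out"),
    _row(1, "Failure", "Enrollment", "EnrollDevice", ResultReason="Device blocked by enrollment restriction"),
    _row(1, "Success", "Enrollment", "EnrollDevice", ResultReason="Completed"),  # not a failure
    _row(10, "Failure", "Applications", "InstallApp", ErrorDescription="Outside the 7-day window"),
    _row(4, "Failure", "Applications", "InstallApp"),  # failure with no reason fields at all
]

if __name__ == "__main__":
    for g in summarize_failures(SAMPLE_ROWS, NOW):
        print(g["Count"], g["Category"], g["OperationName"], g["Examples"])
```

The empty-string row shows why the fallback order matters: a group whose examples are all blank is a sign that the reason lives in a different Properties key for that operation.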

David Alonso
Released: April 22, 2026