← Back to Explore
splunk_escuHunting
Microsoft Intune DeviceManagementConfigurationPolicies
Microsoft Intune device management configuration policies are a tool administrators can use to remotely manage policies and settings on intune managed devices. This functionality can also be abused to disable defences & evade detection. This detection identifies when a new device management configuration policy has been created.
Detection Query
`azure_monitor_activity` operationName="* DeviceManagementConfigurationPolicy*" | rename identity as user, properties.TargetObjectIds{} as TargetObjectId, properties.TargetDisplayNames{} as TargetDisplayName, properties.Actor.IsDelegatedAdmin as user_isDelegatedAdmin | eval details=mvzip('properties.Targets{}.ModifiedProperties{}.Name','properties.Targets{}.ModifiedProperties{}.New',": ") | rex field="operationName" "^(?P<action>\w+)\s" | replace "Patch" with "updated", "Create" with "created", "Delete", with "deleted", "assign", with "assigned" IN action | eval action=if(match(operationName ,"Assignment$"),"assigned",'action') | table _time operationName action user user_type user_isDelegatedAdmin TargetDisplayName TargetObjectId details status tenantId correlationId | `microsoft_intune_devicemanagementconfigurationpolicies_filter`Author
Dean Luxton
Data Sources
Azure Monitor Activity
References
Raw Content
name: Microsoft Intune DeviceManagementConfigurationPolicies
id: 3c49e5ed-625c-408c-a2c7-8e2b524efb2c
version: 5
creation_date: '2025-01-06'
modification_date: '2026-05-13'
author: Dean Luxton
status: production
type: Hunting
description: >-
Microsoft Intune device management configuration policies are a tool
administrators can use to remotely manage policies and settings on intune
managed devices. This functionality can also be abused to disable defences &
evade detection. This detection identifies when a new device management
configuration policy has been created.
data_source:
- Azure Monitor Activity
search: >-
`azure_monitor_activity` operationName="*
DeviceManagementConfigurationPolicy*" | rename identity as user,
properties.TargetObjectIds{} as TargetObjectId,
properties.TargetDisplayNames{} as TargetDisplayName,
properties.Actor.IsDelegatedAdmin as user_isDelegatedAdmin | eval
details=mvzip('properties.Targets{}.ModifiedProperties{}.Name','properties.Targets{}.ModifiedProperties{}.New',":
") | rex field="operationName" "^(?P<action>\w+)\s" | replace "Patch" with
"updated", "Create" with "created", "Delete", with "deleted", "assign", with
"assigned" IN action | eval action=if(match(operationName
,"Assignment$"),"assigned",'action') | table _time operationName action user
user_type user_isDelegatedAdmin TargetDisplayName TargetObjectId details
status tenantId correlationId |
`microsoft_intune_devicemanagementconfigurationpolicies_filter`
how_to_implement: >-
The Splunk Add-on for Microsoft Cloud Services add-on is required to ingest
In-Tune audit logs via Azure EventHub. To configure this logging, visit Intune
> Tenant administration > Diagnostic settings > Add diagnostic settings & send
events to the activity audit event hub. Deploy as a risk based alerting rule
for quick deployment or perform baselining & tune accordingly.
known_false_positives: Legitimate adminstrative usage of this functionality will trigger this detection.
references:
- https://posts.specterops.io/death-from-above-lateral-movement-from-azure-to-on-prem-ad-d18cb3959d4d
- https://securityintelligence.com/x-force/detecting-intune-lateral-movement/
- https://posts.specterops.io/maestro-9ed71d38d546
analytic_story:
- Azure Active Directory Account Takeover
asset_type: Azure Tenant
mitre_attack_id:
- T1072
- T1484
- T1021.007
- T1685
- T1686
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
category: cloud
security_domain: audit
tests:
- name: True Positive Test
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1072/intune/intune.log
sourcetype: azure:monitor:activity
source: Azure AD
test_type: unit