← Back to Explore
splunk_escuHunting
Microsoft Intune Device Health Scripts
Microsoft Intune device remediation scripts are a tool administrators can use to remotely manage devices, this functionality can also be abused for SYSTEM level code execution and lateral movement to intune managed devices. This detection identifies when a new device health script has been added, updated or deleted.
Detection Query
`azure_monitor_activity` operationName="*DeviceHealthScript*" | rename identity as user, properties.TargetObjectIds{} as TargetObjectId, properties.TargetDisplayNames{} as TargetDisplayName, properties.Actor.IsDelegatedAdmin as user_isDelegatedAdmin | rex field="operationName" "^(?P<action>\w+?)DeviceHealthScript" | replace "patch" with "updated", "create" with "created", "delete", with "deleted", "assign", with "assigned" IN action | table _time operationName action user user_type user_isDelegatedAdmin TargetDisplayName TargetObjectId status tenantId correlationId | `microsoft_intune_device_health_scripts_filter`Author
Dean Luxton
Created
2026-02-25
Data Sources
Azure Monitor Activity
References
Tags
Azure Active Directory Account Takeover
Raw Content
name: Microsoft Intune Device Health Scripts
id: 6fe42e07-15b1-4caa-b547-7885666cb1bd
version: 3
date: '2026-02-25'
author: Dean Luxton
data_source:
- Azure Monitor Activity
type: Hunting
status: production
description: >-
Microsoft Intune device remediation scripts are a tool administrators can use to remotely manage devices, this functionality can also be abused for SYSTEM level code execution and lateral movement to intune managed devices.
This detection identifies when a new device health script has been added, updated or deleted.
search: >-
`azure_monitor_activity` operationName="*DeviceHealthScript*"
| rename identity as user, properties.TargetObjectIds{} as TargetObjectId, properties.TargetDisplayNames{} as TargetDisplayName, properties.Actor.IsDelegatedAdmin as user_isDelegatedAdmin
| rex field="operationName" "^(?P<action>\w+?)DeviceHealthScript" | replace "patch" with "updated", "create" with "created", "delete", with "deleted", "assign", with "assigned" IN action
| table _time operationName action user user_type user_isDelegatedAdmin TargetDisplayName TargetObjectId status tenantId correlationId
| `microsoft_intune_device_health_scripts_filter`
how_to_implement: >-
The Splunk Add-on for Microsoft Cloud Services add-on is required to ingest In-Tune audit logs via Azure EventHub.
To configure this logging, visit Intune > Tenant administration > Diagnostic settings > Add diagnostic settings & send events to the activity audit event hub.
Deploy as a risk based alerting rule for quick deployment or perform baselining & tune accordingly.
known_false_positives: Legitimate adminstrative usage of this functionality will trigger this detection.
references:
- https://posts.specterops.io/death-from-above-lateral-movement-from-azure-to-on-prem-ad-d18cb3959d4d
- https://securityintelligence.com/x-force/detecting-intune-lateral-movement/
- https://posts.specterops.io/maestro-9ed71d38d546
tags:
analytic_story:
- Azure Active Directory Account Takeover
asset_type: Azure Tenant
mitre_attack_id:
- T1072
- T1021.007
- T1202
- T1105
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
security_domain: audit
tests:
- name: True Positive Test
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1072/intune/intune.log
sourcetype: azure:monitor:activity
source: Azure AD