EXPLORE
Sign In
← Back to Explore
splunk_escuHunting

Microsoft Intune Mobile Apps

Microsoft Intune supports deploying packaged applications to support software deployment, this functionality can also be abused for deploying malicious payloads to intune managed devices. This detection identifies when a new packaged application has been added, updated or deleted.

MITRE ATT&CK

T1072T1021.007T1202T1105
lateral-movement

Detection Query

`azure_monitor_activity` operationName="*MobileApp*"
| rename identity as user, properties.TargetObjectIds{} as TargetObjectId, properties.TargetDisplayNames{} as TargetDisplayName, properties.Actor.IsDelegatedAdmin as user_isDelegatedAdmin
| rex field="operationName" "^(?P<action>\w+)\s" | replace "Patch" with "updated", "Create" with "created", "Delete", with "deleted", "assign", with "assigned" IN action
| table _time operationName action user user_type user_isDelegatedAdmin TargetDisplayName TargetObjectId status tenantId correlationId
| `microsoft_intune_mobile_apps_filter`

Author

Dean Luxton

Created

2026-02-25

Data Sources

Azure Monitor Activity

References

Tags

Azure Active Directory Account Takeover
Raw Content
name: Microsoft Intune Mobile Apps
id: 98e6b389-2806-4426-a580-8a92cb0d9710
version: 4
date: '2026-02-25'
author: Dean Luxton
status: experimental
type: Hunting
description: |
    Microsoft Intune supports deploying packaged applications to support software deployment, this functionality can also be abused for deploying malicious payloads to intune managed devices.
    This detection identifies when a new packaged application has been added, updated or deleted.
data_source:
    - Azure Monitor Activity
search: |
    `azure_monitor_activity` operationName="*MobileApp*"
    | rename identity as user, properties.TargetObjectIds{} as TargetObjectId, properties.TargetDisplayNames{} as TargetDisplayName, properties.Actor.IsDelegatedAdmin as user_isDelegatedAdmin
    | rex field="operationName" "^(?P<action>\w+)\s" | replace "Patch" with "updated", "Create" with "created", "Delete", with "deleted", "assign", with "assigned" IN action
    | table _time operationName action user user_type user_isDelegatedAdmin TargetDisplayName TargetObjectId status tenantId correlationId
    | `microsoft_intune_mobile_apps_filter`
how_to_implement: |
    The Splunk Add-on for Microsoft Cloud Services add-on is required to ingest In-Tune audit logs via Azure EventHub.
    To configure this logging, visit Intune > Tenant administration > Diagnostic settings > Add diagnostic settings & send events to the activity audit event hub.
    Deploy as a risk based alerting rule for quick deployment or perform baselining & tune accordingly.
known_false_positives: Legitimate adminstrative usage of this functionality will trigger this detection.
references:
    - https://posts.specterops.io/death-from-above-lateral-movement-from-azure-to-on-prem-ad-d18cb3959d4d
    - https://securityintelligence.com/x-force/detecting-intune-lateral-movement/
    - https://posts.specterops.io/maestro-9ed71d38d546
tags:
    analytic_story:
        - Azure Active Directory Account Takeover
    asset_type: Azure Tenant
    mitre_attack_id:
        - T1072
        - T1021.007
        - T1202
        - T1105
    product:
        - Splunk Enterprise
        - Splunk Enterprise Security
        - Splunk Cloud
    security_domain: audit