EXPLORE
Sign In
← Back to Explore
splunk_escuHunting

Microsoft Intune Mobile Apps

Microsoft Intune supports deploying packaged applications to support software deployment, this functionality can also be abused for deploying malicious payloads to intune managed devices. This detection identifies when a new packaged application has been added, updated or deleted.

Detection Query

`azure_monitor_activity` operationName="*MobileApp*"
| rename identity as user, properties.TargetObjectIds{} as TargetObjectId, properties.TargetDisplayNames{} as TargetDisplayName, properties.Actor.IsDelegatedAdmin as user_isDelegatedAdmin
| rex field="operationName" "^(?P<action>\w+)\s" | replace "Patch" with "updated", "Create" with "created", "Delete", with "deleted", "assign", with "assigned" IN action
| table _time operationName action user user_type user_isDelegatedAdmin TargetDisplayName TargetObjectId status tenantId correlationId
| `microsoft_intune_mobile_apps_filter`

Author

Dean Luxton

Data Sources

Azure Monitor Activity

References

Raw Content
name: Microsoft Intune Mobile Apps
id: 98e6b389-2806-4426-a580-8a92cb0d9710
version: 5
creation_date: '2025-01-06'
modification_date: '2026-05-13'
author: Dean Luxton
status: experimental
type: Hunting
description: |
    Microsoft Intune supports deploying packaged applications to support software deployment, this functionality can also be abused for deploying malicious payloads to intune managed devices.
    This detection identifies when a new packaged application has been added, updated or deleted.
data_source:
    - Azure Monitor Activity
search: |
    `azure_monitor_activity` operationName="*MobileApp*"
    | rename identity as user, properties.TargetObjectIds{} as TargetObjectId, properties.TargetDisplayNames{} as TargetDisplayName, properties.Actor.IsDelegatedAdmin as user_isDelegatedAdmin
    | rex field="operationName" "^(?P<action>\w+)\s" | replace "Patch" with "updated", "Create" with "created", "Delete", with "deleted", "assign", with "assigned" IN action
    | table _time operationName action user user_type user_isDelegatedAdmin TargetDisplayName TargetObjectId status tenantId correlationId
    | `microsoft_intune_mobile_apps_filter`
how_to_implement: |
    The Splunk Add-on for Microsoft Cloud Services add-on is required to ingest In-Tune audit logs via Azure EventHub.
    To configure this logging, visit Intune > Tenant administration > Diagnostic settings > Add diagnostic settings & send events to the activity audit event hub.
    Deploy as a risk based alerting rule for quick deployment or perform baselining & tune accordingly.
known_false_positives: Legitimate adminstrative usage of this functionality will trigger this detection.
references:
    - https://posts.specterops.io/death-from-above-lateral-movement-from-azure-to-on-prem-ad-d18cb3959d4d
    - https://securityintelligence.com/x-force/detecting-intune-lateral-movement/
    - https://posts.specterops.io/maestro-9ed71d38d546
analytic_story:
    - Azure Active Directory Account Takeover
asset_type: Azure Tenant
mitre_attack_id:
    - T1072
    - T1021.007
    - T1202
    - T1105
product:
    - Splunk Enterprise
    - Splunk Enterprise Security
    - Splunk Cloud
category: cloud
security_domain: audit