From aa0be12f57f9a37704888e6a1dc8f5d521858305 Mon Sep 17 00:00:00 2001
From: jakeenea51
Date: Sun, 29 Mar 2026 17:03:03 -0400
Subject: [PATCH 1/3] adding intune bulk wipe detection
---
 .../microsoft_intune_bulk_wipe_detected.yml | 61 +++++++++++++++++++
 1 file changed, 61 insertions(+)
 create mode 100644 detections/cloud/microsoft_intune_bulk_wipe_detected.yml
diff --git a/detections/cloud/microsoft_intune_bulk_wipe_detected.yml b/detections/cloud/microsoft_intune_bulk_wipe_detected.yml
new file mode 100644
index 0000000000..851d69ae13
--- /dev/null
+++ b/detections/cloud/microsoft_intune_bulk_wipe_detected.yml
@@ -0,0 +1,61 @@
+name: Microsoft Intune Bulk Wipe Detected
+id: c3f48aa9-878e-443f-8889-e42a11a9bea9
+version: 1
+date: '2026-03-27'
+author: Jake Enea
+status: production
+type: TTP
+description: The following analytic detects a high volume of "wipe ManagedDevice" events from the Intune admin portal (5+ per hour by default). It leverages Intune audit logs to identify when this action is triggered. This activity is significant beacuse the "wipe ManagedDevice" action factory resets devices connected to your Microsoft Intune tenant. If confirmed malicious, an attacker can abuse this action to perform a large-scale data wiping attack against your managed endpoints.
+data_source:
+- Azure Monitor Activity
+search: >-
+ `azure_monitor_activity` operationName="wipe ManagedDevice"
+ | rename identity as user, resultType as result
+ | table _time user tenantId signature result vendor_account vendor_product
+ | fillnull
+ | stats min(_time) as firstTime max(_time) as lastTime values(*) as * count by _time signature user tenantId vendor_account vendor_product
+ | where count >= 5
+ | `security_content_ctime(firstTime)`
+ | `security_content_ctime(lastTime)`
+ | `microsoft_intune_bulk_wipe_detected_filter`
+how_to_implement: >-
+ The Splunk Add-on for Microsoft Cloud Services add-on is required to ingest Intune audit logs via Azure EventHub.
+ To configure this logging, visit Intune > Tenant administration > Diagnostic settings > Add diagnostic settings & send events to the activity audit event hub.
+ Deploy as an event-based detection rule for quick deployment. Adjust the count threshold according to expected activity in your environment.
+known_false_positives: Legitimate adminstrative usage of the "wipe ManagedDevice" action might trigger this detection. This action is typically used for offboarding endpoints or in response to a lost or stolen device.
+references:
+- https://www.lumos.com/blog/stryker-hack
+drilldown_searches:
+- name: View the detection results for - "$user$"
+ search: '%original_detection_search% | search user = "$user$"'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$user$"
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time)
+ as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message)
+ as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all)
+ as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics"
+ by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
+rba:
+ message: Bulk wipe action executed by user $user$
+ risk_objects:
+ - field: user
+ type: user
+ score: 80
+tags:
+ asset_type: Azure Tenant
+ mitre_attack_id:
+ - T1561.001
+ product:
+ - Splunk Enterprise
+ - Splunk Enterprise Security
+ - Splunk Cloud
+ security_domain: threat
+tests:
+ - name: True Positive Test
+ attack_data:
+ - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1561.001/microsoft_intune_bulk_wipe/microsoft_intune_bulk_wipe.log
+ sourcetype: azure:monitor:activity
+ source: Azure AD
\ No newline at end of file
From f28dce196ce92e4202197246ae7b7be9568554c9 Mon Sep 17 00:00:00 2001
From: jakeenea51
Date: Mon, 30 Mar 2026 14:30:40 -0400
Subject: [PATCH 2/3] lowering risk score and adding sign-in logs drilldown
---
 .../microsoft_intune_bulk_wipe_detected.yml | 58 +++++++++----------
 1 file changed, 29 insertions(+), 29 deletions(-)
diff --git a/detections/cloud/microsoft_intune_bulk_wipe_detected.yml b/detections/cloud/microsoft_intune_bulk_wipe_detected.yml
index 851d69ae13..c287487fdf 100644
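Review bot: The `where count >= 5` threshold cannot behave as the description's "5+ per hour" promises, because the preceding `stats` groups `by _time` using the raw event timestamp, so five wipes only aggregate when they share the exact same second. Bucket first and count per bucket, e.g. `| bin _time span=1h as window` immediately before the stats and `count by window signature user tenantId vendor_account vendor_product` in its by clause (keeping `min(_time)`/`max(_time)` for firstTime/lastTime), or drop `_time` from the by clause and rely on the scheduled search window. The `rename identity as user` also assumes the Intune audit `identity` field is the acting principal in a form the drilldowns can key on; confirm against a sample event, since both drilldowns filter on `$user$`. Minor: "beacuse" in description and "adminstrative" in known_false_positives are typos.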
--- a/detections/cloud/microsoft_intune_bulk_wipe_detected.yml
+++ b/detections/cloud/microsoft_intune_bulk_wipe_detected.yml
@@ -7,7 +7,7 @@ status: production
type: TTP
description: The following analytic detects a high volume of "wipe ManagedDevice" events from the Intune admin portal (5+ per hour by default). It leverages Intune audit logs to identify when this action is triggered. This activity is significant beacuse the "wipe ManagedDevice" action factory resets devices connected to your Microsoft Intune tenant. If confirmed malicious, an attacker can abuse this action to perform a large-scale data wiping attack against your managed endpoints.
data_source:
-- Azure Monitor Activity
+ - Azure Monitor Activity
search: >-
`azure_monitor_activity` operationName="wipe ManagedDevice"
| rename identity as user, resultType as result
@@ -15,7 +15,7 @@ search: >-
| fillnull
| stats min(_time) as firstTime max(_time) as lastTime values(*) as * count by _time signature user tenantId vendor_account vendor_product
| where count >= 5
- | `security_content_ctime(firstTime)`
+ | `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `microsoft_intune_bulk_wipe_detected_filter`
how_to_implement: >-
@@ -24,38 +24,38 @@ how_to_implement: >-
Deploy as an event-based detection rule for quick deployment. Adjust the count threshold according to expected activity in your environment.
known_false_positives: Legitimate adminstrative usage of the "wipe ManagedDevice" action might trigger this detection. This action is typically used for offboarding endpoints or in response to a lost or stolen device.
references:
-- https://www.lumos.com/blog/stryker-hack
+ - https://www.lumos.com/blog/stryker-hack
drilldown_searches:
-- name: View the detection results for - "$user$"
- search: '%original_detection_search% | search user = "$user$"'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
-- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time)
- as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message)
- as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all)
- as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics"
- by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ - name: View the detection results for - "$user$"
+ search: '%original_detection_search% | search user = "$user$"'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
+ - name: View risk events for the last 7 days for - "$user$"
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by 
normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
+ - name: View sign-in activity +/-1 hour surrounding the detection for - "$user$"
+ search: '`azure_monitor_aad` category=SignInLogs properties.userPrincipalName="$user$"'
+ earliest_offset: 1h
+ latest_offset: 1h
rba:
- message: Bulk wipe action executed by user $user$
- risk_objects:
- - field: user
- type: user
- score: 80
+ message: Bulk wipe action executed by user $user$
+ risk_objects:
+ - field: user
+ type: user
+ score: 50
tags:
- asset_type: Azure Tenant
- mitre_attack_id:
- - T1561.001
- product:
- - Splunk Enterprise
- - Splunk Enterprise Security
- - Splunk Cloud
- security_domain: threat
+ asset_type: Azure Tenant
+ mitre_attack_id:
+ - T1561.001
+ product:
+ - Splunk Enterprise
+ - Splunk Enterprise Security
+ - Splunk Cloud
+ security_domain: threat
tests:
- name: True Positive Test
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1561.001/microsoft_intune_bulk_wipe/microsoft_intune_bulk_wipe.log
sourcetype: azure:monitor:activity
- source: Azure AD
\ No newline at end of file
+ source: Azure AD
From 2f097ed5a09e6d50cd80b4c1b5ad2fbde05b7520 Mon Sep 17 00:00:00 2001
From: ljstella
Date: Mon, 30 Mar 2026 15:43:41 -0400
Subject: [PATCH 3/3] Closer to building now
---
 detections/cloud/microsoft_intune_bulk_wipe_detected.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/detections/cloud/microsoft_intune_bulk_wipe_detected.yml b/detections/cloud/microsoft_intune_bulk_wipe_detected.yml
index c287487fdf..ef0da848d8 100644
--- a/detections/cloud/microsoft_intune_bulk_wipe_detected.yml
+++ b/detections/cloud/microsoft_intune_bulk_wipe_detected.yml
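Review bot: The new sign-in drilldown filters `properties.userPrincipalName="$user$"`, but `$user$` is populated from the Intune audit `identity` field renamed earlier in the search, which is not guaranteed to be a UPN; if `identity` holds a display name or an application/object id for wipes issued by automation, this drilldown silently returns nothing. Either normalize both sides to the same identifier or state the assumption in `how_to_implement`, e.g. `The sign-in drilldown assumes the Intune audit identity field is the actor's UPN.` Also confirm that bare `earliest_offset: 1h` / `latest_offset: 1h` are interpreted by ES as offsets around the notable's time, as the "+/-1 hour" name intends, given the other two drilldowns use `$info_min_time$`/`$info_max_time$`. The drop of `score` from 80 to 50 is not explained anywhere in the file; a sentence in `known_false_positives` on why a confirmed bulk wipe scores below the destructive-impact level would help tuners.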
@@ -44,7 +44,10 @@ rba:
- field: user
type: user
score: 50
+ threat_objects: []
tags:
+ analytic_story:
+ - Azure Active Directory Account Takeover
asset_type: Azure Tenant
mitre_attack_id:
- T1561.001
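Review bot: The `analytic_story` added here files a device-wipe detection (T1561.001, an Impact technique) only under "Azure Active Directory Account Takeover", which names the likely precursor rather than what this search detects; if the repository already has a data-destruction or Intune-focused story, list it as well so the detection also surfaces under Impact. `threat_objects: []` leaves the wiped endpoints out of risk correlation; if the Intune audit event carries a target device name or id field (not visible in this hunk, so confirm against the test dataset), adding it as a threat object would let RBA tie the wipe to the affected assets. The enclosing `rba:` and `tags:` blocks extend beyond the hunk.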