| ID | Technique | Tactic |
|---|---|---|
| T1561.001 | Disk Content Wipe | Impact |
Detection: Microsoft Intune Bulk Wipe
Description
The following analytic detects a high volume of "wipe ManagedDevice" events from the Intune admin portal (5 or more per hour by default). It leverages Intune audit logs to identify when this action is triggered. This activity is significant because the "wipe ManagedDevice" action factory resets devices enrolled in your Microsoft Intune tenant. If confirmed malicious, an attacker can abuse this action to perform a large-scale data wiping attack against your managed endpoints.
Search
```spl
`azure_monitor_activity` operationName="wipe ManagedDevice"
| rename identity as user, resultType as result
| fillnull
| table _time action command dest user src vendor_account vendor_product change_type properties.Targets.*
| stats min(_time) as firstTime max(_time) as lastTime values(*) as * count by user
| where count >= 5
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `microsoft_intune_bulk_wipe_filter`
```
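The same aggregation the SPL performs (filter on `operationName`, stats by user, threshold on the count, honouring a scheduled-search time window), written as a stand-alone Python check over constructed Intune audit records. This is an added example, not part of the Splunk content or the add-on; the event shape and the `example.com` identities are assumptions for illustration.

```python
import json
from collections import defaultdict
from datetime import datetime, timezone

WIPE_OP = "wipe ManagedDevice"

def _ts(m, h=10):
    return f"2024-05-01T{h:02d}:{m:02d}:00Z"

# Constructed events in the shape of azure:monitor:activity Intune audit records
# (field names follow the SPL above); not real tenant data.
SAMPLE_LOG = [
    # six wipes by one account inside an hour -> should alert
    *[json.dumps({"time": _ts(m), "operationName": WIPE_OP,
                  "identity": "helpdesk@example.com", "resultType": "Success",
                  "properties": {"Targets": [{"Name": f"LAPTOP-{m:02d}"}]}})
      for m in (2, 9, 17, 25, 33, 41)],
    # two wipes by another admin (routine offboarding) -> below threshold
    *[json.dumps({"time": _ts(m), "operationName": WIPE_OP,
                  "identity": "itadmin@example.com", "resultType": "Success",
                  "properties": {"Targets": [{"Name": f"DESKTOP-{m:02d}"}]}})
      for m in (5, 50)],
    # unrelated Intune operation -> dropped by the operationName filter
    json.dumps({"time": _ts(12), "operationName": "patch DeviceConfiguration",
                "identity": "helpdesk@example.com", "resultType": "Success",
                "properties": {"Targets": [{"Name": "BaselinePolicy"}]}}),
]

def _parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def bulk_wipe_detection(log_lines, threshold=5, earliest=None, latest=None):
    """Mirror of the SPL: filter operationName, stats by user, where count >= threshold.
    earliest/latest (tz-aware datetimes) emulate the -70m@m / -10m@m search window."""
    per_user = defaultdict(lambda: {"count": 0, "firstTime": None, "lastTime": None, "dest": set()})
    for line in log_lines:
        ev = json.loads(line)
        if ev.get("operationName") != WIPE_OP:
            continue
        t = _parse_time(ev["time"])
        if (earliest and t < earliest) or (latest and t >= latest):
            continue
        user = ev.get("identity", "unknown")  # rename identity as user (+ fillnull)
        rec = per_user[user]
        rec["count"] += 1
        rec["firstTime"] = t if rec["firstTime"] is None else min(rec["firstTime"], t)
        rec["lastTime"] = t if rec["lastTime"] is None else max(rec["lastTime"], t)
        rec["dest"].update(tg.get("Name", "") for tg in ev.get("properties", {}).get("Targets", []))
    return {u: r for u, r in per_user.items() if r["count"] >= threshold}

if __name__ == "__main__":
    for user, r in bulk_wipe_detection(SAMPLE_LOG).items():
        print(f"Bulk wipe action executed by user {user} on {sorted(r['dest'])} ({r['count']} wipes)")
```

Lowering `threshold` to 2 shows why the count must be tuned to expected offboarding volume: the second admin's two routine wipes would then alert as well.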
Data Source
| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| Azure Monitor Activity | | 'azure:monitor:activity' | 'Azure AD' |
Macros Used
| Name | Value |
|---|---|
| azure_monitor_activity | sourcetype=azure:monitor:activity |
| microsoft_intune_bulk_wipe_filter | search * |
microsoft_intune_bulk_wipe_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Annotations
Default Configuration
This detection is configured by default in Splunk Enterprise Security to run with the following settings:
| Setting | Value |
|---|---|
| Disabled | true |
| Cron Schedule | 0 * * * * |
| Earliest Time | -70m@m |
| Latest Time | -10m@m |
| Schedule Window | auto |
| Creates Notable | Yes |
| Rule Title | %name% |
| Rule Description | %description% |
| Notable Event Fields | user, dest |
| Creates Risk Event | True |
Implementation
The Splunk Add-on for Microsoft Cloud Services is required to ingest Intune audit logs via Azure Event Hub. To configure this logging, go to Intune > Tenant administration > Diagnostic settings > Add diagnostic settings and send the events to the activity audit event hub. Deploy as an event-based detection rule for quick deployment. Adjust the count threshold according to the expected volume of wipe activity in your environment.
Known False Positives
Legitimate administrative usage of the "wipe ManagedDevice" action might trigger this detection. This action is typically used for offboarding endpoints or in response to a lost or stolen device.
Associated Analytic Story
Risk Based Analytics (RBA)
Risk Message:
Bulk wipe action executed by user $user$ on $dest$
| Risk Object | Risk Object Type | Risk Score | Threat Objects |
|---|---|---|---|
| user | user | 50 | No Threat Objects |
References
Detection Testing
| Test Type | Status | Dataset | Source | Sourcetype |
|---|---|---|---|---|
| Validation | ✅ Passing | N/A | N/A | N/A |
| Unit | ✅ Passing | Dataset | Azure AD | azure:monitor:activity |
| Integration | ✅ Passing | Dataset | Azure AD | azure:monitor:activity |
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
Source: GitHub | Version: 1