LoFP / Legitimate administrative usage of the "wipe ManagedDevice" action might trigger this detection. This action is typically used for offboarding endpoints or in response to a lost or stolen device.

Techniques

Sample rules

Microsoft Intune Bulk Wipe

Description

The following analytic detects a high volume of "wipe ManagedDevice" events from the Intune admin portal (5+ per hour by default). It leverages Intune audit logs to identify when this action is triggered. This activity is significant because the "wipe ManagedDevice" action factory resets devices connected to your Microsoft Intune tenant. If confirmed malicious, an attacker can abuse this action to perform a large-scale data wiping attack against your managed endpoints.

Detection logic

`azure_monitor_activity` operationName="wipe ManagedDevice"
| rename identity as user, resultType as result
| fillnull
| table _time action command dest user src vendor_account vendor_product change_type properties.Targets.*
| stats min(_time) as firstTime max(_time) as lastTime values(*) as * count by user
| where count >= 5
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `microsoft_intune_bulk_wipe_filter`
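To make the threshold logic concrete outside Splunk, here is an added Python reference implementation (not the rule's or Splunk's own code) that applies the same operationName filter and per-user count to constructed Intune audit lines. The JSON field layout and the per-UTC-hour bucketing, which stands in for the rule's scheduled search window, are assumptions.

```python
import json
from collections import defaultdict
from datetime import datetime

WIPE_OP = "wipe ManagedDevice"
THRESHOLD = 5  # events per user per hour, mirroring `where count >= 5`

def parse_event(line):
    """Parse one JSON audit line into (timestamp, identity, operation, targets).
    Field names follow the SPL above; the exact Azure Monitor layout is assumed."""
    e = json.loads(line)
    ts = datetime.fromisoformat(e["time"].replace("Z", "+00:00"))
    return ts, e["identity"], e["operationName"], e.get("properties", {}).get("Targets", [])

def detect_bulk_wipe(lines, threshold=THRESHOLD):
    """Group wipe events by (user, UTC hour) and report users at or over the
    threshold with firstTime, lastTime and the set of wiped device targets."""
    buckets = defaultdict(list)
    for line in lines:
        ts, user, op, targets = parse_event(line)
        if op != WIPE_OP:  # equivalent of operationName="wipe ManagedDevice"
            continue
        hour = ts.replace(minute=0, second=0, microsecond=0)
        buckets[(user, hour)].append((ts, targets))
    hits = {}
    for (user, _hour), evs in buckets.items():
        if len(evs) >= threshold:
            evs.sort(key=lambda ev: ev[0])
            hits[user] = {
                "count": len(evs),
                "firstTime": evs[0][0].isoformat(),
                "lastTime": evs[-1][0].isoformat(),
                "targets": sorted({t for _, tgts in evs for t in tgts}),
            }
    return hits

# Constructed sample audit lines: one admin wipes five devices in 20 minutes,
# a helpdesk user wipes a single lost device, and one unrelated operation.
SAMPLE_EVENTS = [
    json.dumps({"time": f"2024-05-01T09:{m:02d}:00Z", "operationName": WIPE_OP,
                "identity": "admin@corp.example", "resultType": "Success",
                "properties": {"Targets": [f"DEVICE-{m:02d}"]}})
    for m in (5, 9, 12, 18, 25)
] + [
    json.dumps({"time": "2024-05-01T09:30:00Z", "operationName": WIPE_OP,
                "identity": "helpdesk@corp.example", "resultType": "Success",
                "properties": {"Targets": ["LAPTOP-LOST-01"]}}),
    json.dumps({"time": "2024-05-01T09:31:00Z", "operationName": "patch ManagedDevice",
                "identity": "admin@corp.example", "resultType": "Success"}),
]
```

Running `detect_bulk_wipe(SAMPLE_EVENTS)` flags only the admin account; the single helpdesk wipe stays below the threshold, which is the legitimate-use case the LoFP note describes.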