Mass Wipe / Retire Device Action
Mass Wipe Or Retire Device Action
Query
let WipeThreashold = 5; // A normal engineer is not wiping more than 5 devices per hour. Can be adjusted for the environment.
IntuneAuditLogs
| where OperationName in('wipe ManagedDevice','retire ManagedDevice')
| where ResultType == 'Success'
| where isnotempty(Properties)
| extend Targets = extract_json("$.Targets", Properties, typeof(dynamic))
| extend TargetCount= array_length(Targets)
| extend Actor = extract_json("$.Actor", Properties, typeof(string))
| extend AccountObjectId = extract_json("$.ObjectId", Actor, typeof(guid))
| summarize TotalWipeOrRetireTargetCount=sum(TargetCount), TimeGenerated=min(TimeGenerated), Identity=min(Identity) by AccountObjectId
| where TotalWipeOrRetireTargetCount > WipeThreasholdAbout this query
Explanation
This query is designed to detect unusual activity related to the mass wiping or retiring of devices managed through Microsoft Intune. It focuses on identifying potential security threats, such as compromised admin accounts or malicious automation, that could lead to data destruction or denial of service by issuing a large number of device wipe or retire commands in a short period.
Key Points:
-
Purpose: The query aims to spot unusual spikes in device wipe or retire actions, which could indicate malicious activity or misuse of administrative privileges.
-
Techniques Involved:
- T1072 (Software Deployment Tools): Abuse of management tools to perform unauthorized actions.
- T1485 (Data Destruction): Using wipe/retire actions to destroy data or disrupt services.
-
Detection Criteria:
- The query looks for successful wipe or retire operations.
- It checks if the number of devices affected by these operations exceeds a predefined threshold (
WipeThreashold), which is set to 5 by default but can be adjusted based on normal operational activities.
-
Potential Indicators:
- Admin or service accounts performing bulk operations beyond normal levels.
- Use of special accounts (e.g., break-glass accounts) to disrupt device availability.
- Automated scripts or compromised credentials triggering mass actions.
-
Actionable Insights:
- If the threshold is exceeded, it may indicate a compromised user account or malicious activity.
- Suggested remediation includes marking the user as compromised or disabling the account to prevent further unauthorized actions.
-
Customization:
- Organizations should establish a baseline for legitimate bulk operations to fine-tune the
WipeThreasholdand avoid false positives.
- Organizations should establish a baseline for legitimate bulk operations to fine-tune the
This query helps security teams monitor and respond to potential threats involving the misuse of device management capabilities in Intune.
Details

Thomas Kurth
Released: January 4, 2026
Tables
Keywords
Operators