Name:Microsoft Intune DeviceManagementConfigurationPolicies id:3c49e5ed-625c-408c-a2c7-8e2b524efb2c version:1 date:2025-01-07 author:Dean Luxton status:production type:Hunting Description:Microsoft Intune device management configuration policies are a tool administrators can use to remotely manage policies and settings on intune managed devices. This functionality can also be abused to disable defences & evade detection. This detection identifies when a new device management configuration policy has been created. Data_source:
search:`azure_monitor_activity` operationName="* DeviceManagementConfigurationPolicy*" | rename identity as user, properties.TargetObjectIds{} as TargetObjectId, properties.TargetDisplayNames{} as TargetDisplayName, properties.Actor.IsDelegatedAdmin as user_isDelegatedAdmin | eval details=mvzip('properties.Targets{}.ModifiedProperties{}.Name','properties.Targets{}.ModifiedProperties{}.New',": ") | rex field="operationName" "^(?P<action>\w+)\s" | replace "Patch" with "updated", "Create" with "created", "Delete", with "deleted", "assign", with "assigned" IN action | eval action=if(match(operationName ,"Assignment$"),"assigned",'action') | table _time operationName action user user_type user_isDelegatedAdmin TargetDisplayName TargetObjectId details status tenantId correlationId | `microsoft_intune_devicemanagementconfigurationpolicies_filter`
how_to_implement:The Splunk Add-on for Microsoft Cloud Services add-on is required to ingest In-Tune audit logs via Azure EventHub. To configure this logging, visit Intune > Tenant administration > Diagnostic settings > Add diagnostic settings & send events to the activity audit event hub. Deploy as a risk based alerting rule for quick deployment or perform baselining & tune accordingly. known_false_positives:Legitimate adminstrative usage of this functionality will trigger this detection. References: -https://posts.specterops.io/death-from-above-lateral-movement-from-azure-to-on-prem-ad-d18cb3959d4d -https://securityintelligence.com/x-force/detecting-intune-lateral-movement/ -https://posts.specterops.io/maestro-9ed71d38d546 drilldown_searches:
: tags: analytic_story: - 'Azure Active Directory Account Takeover' asset_type:Azure Tenant confidence:40 impact:100 message:Intune device management policy $TargetObjectId$ has been $action$ by user $user$ mitre_attack_id: - 'T1072' - 'T1484' - 'T1021.007' - 'T1562.001' - 'T1562.004' observable: name:'user' type:'User' - role: - 'Victim' name:'TargetObjectId' type:'Other' - role: - 'Attacker' product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' - 'Splunk Cloud' required_fields: - 'operationName' - 'identity' - 'properties.TargetObjectIds{}' risk_score:40 security_domain:audit
