
Summary
This rule detects a high volume of Intune device wipe actions (wipe ManagedDevice) triggered from the Intune administrative portal, using Azure Monitor activity logs. The Splunk search consumes Intune audit events, renames identity to user, and tables fields such as time, action, command, destination, source, and vendor data. It aggregates by user to calculate firstTime and lastTime and keeps users with a count of 5 or more events (the threshold is configurable; the default is 5 per hour). The detection relies on the Intune audit trail to identify when a bulk wipe is initiated, which can reset managed devices and cause widespread data loss.

Anomalous or mass wipe activity can indicate credential compromise or abuse of administrative privileges. The rule is designed to prompt investigation when multiple wipe actions occur in a short window, which may indicate automated or attacker-driven wiping. It uses a dedicated filter (microsoft_intune_bulk_wipe_filter) and ctime helpers to present readable timestamps.

Operationally, the data source is Azure Monitor Activity, and the rule is intended to be deployed as a Splunk event-based detection after Intune audit logs are ingested via Azure Event Hub. The recommendation is to adjust the threshold to the environment's baseline and to correlate with sign-in activity, admin activity, and device inventory checks to reduce false positives. Prioritization and containment steps might include validating the legitimacy of the wipe actions, confirming device ownership, and initiating protective controls if anomalous wipe patterns are observed. References and related detections emphasize that bulk wipe events are a high-severity indicator and should trigger incident response playbooks.
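The aggregation the rule performs (identity renamed to user, wipe actions counted per user, 5 or more within an hour) re-implemented in Python over constructed audit events, as an added example rather than the rule's own Splunk search; the field names identity, action and time are assumptions modelled on the fields the summary lists, and the sliding window shows why five wipes spread over three hours do not trigger while six in 25 minutes do.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, Tuple

WIPE_ACTION = "wipe ManagedDevice"  # the action string the rule keys on

# Constructed sample events in the shape of Intune audit records arriving from
# Azure Monitor (field names identity/action/time are assumptions; values are made up).
SAMPLE_EVENTS = [
    # one admin account issues 6 wipes in 25 minutes -> should trigger
    *[{"time": f"2026-03-27T09:{m:02d}:00Z", "identity": "admin@example.com",
       "action": WIPE_ACTION} for m in (0, 5, 10, 15, 20, 25)],
    # a helpdesk user issues 5 wipes spread over ~3 hours -> never 5 within 1h
    *[{"time": t, "identity": "helpdesk@example.com", "action": WIPE_ACTION}
      for t in ("2026-03-27T10:00:00Z", "2026-03-27T10:40:00Z", "2026-03-27T11:20:00Z",
                "2026-03-27T12:00:00Z", "2026-03-27T12:40:00Z")],
    # unrelated Intune actions are dropped by the action filter
    {"time": "2026-03-27T09:12:00Z", "identity": "admin@example.com", "action": "retire ManagedDevice"},
]

def parse_time(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def detect_bulk_wipe(events: Iterable[dict], threshold: int = 5,
                     window: timedelta = timedelta(hours=1)) -> Dict[str, Tuple[datetime, datetime, int]]:
    """Mirror of the rule's aggregation: rename identity -> user, keep only wipe
    actions, and flag users with >= threshold wipes inside any sliding window.
    Returns {user: (firstTime, lastTime, count)} for the densest qualifying window."""
    per_user = defaultdict(list)
    for ev in events:
        if ev.get("action") == WIPE_ACTION:
            per_user[ev["identity"]].append(parse_time(ev["time"]))
    hits = {}
    for user, times in per_user.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window start forward
                start += 1
            count = end - start + 1
            if count >= threshold and count > hits.get(user, (None, None, 0))[2]:
                hits[user] = (times[start], t, count)
    return hits

if __name__ == "__main__":
    for user, (first, last, n) in detect_bulk_wipe(SAMPLE_EVENTS).items():
        print(f"{user}: {n} wipes between {first.isoformat()} and {last.isoformat()}")
```

Lowering the threshold or widening the window reproduces the tuning the summary recommends against a quieter or noisier environment baseline.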
Categories
- Cloud
- Endpoint
- Azure
Data Sources
- Cloud Service
ATT&CK Techniques
- T1561.001
Created: 2026-03-27