
Summary
Microsoft Intune device health scripts are administrative tools for remotely managing devices in an enterprise environment. However, the same functionality can be misused, since it may enable SYSTEM-level code execution and facilitate lateral movement across Intune-managed devices. This detection rule tracks changes to device health scripts, specifically when a script is added, updated, or deleted. It analyzes Azure Monitor Activity logs and flags the operation names that relate to device health scripts, categorizing each action by the verb in the operation name to improve visibility into administrative activity. The rule supports risk-based alerting, which allows timely detection of potential abuse, and requires Azure Event Hub to be set up correctly so that the activity logs are ingested. Legitimate administrative actions can produce false positives, so understanding the context of each detection is crucial for accurate incident response.
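The detection logic described above, run over a handful of constructed Azure Monitor Activity log records, as an added example that is not part of the original rule; the field names and the `<verb>DeviceHealthScript` shape of the operation names are assumptions to be confirmed against the Intune audit events in your own tenant.

```python
import re
from collections import Counter

# Constructed sample records shaped like Activity log entries exported through
# Event Hub. Field names and operation strings are assumptions, not real data.
SAMPLE_EVENTS = [
    {"time": "2025-01-06T10:01:00Z", "identity": "admin@contoso.example",
     "operationName": "createDeviceHealthScript DeviceHealthScript",
     "resultType": "Success", "properties": {"targetResource": "script-0001"}},
    {"time": "2025-01-06T10:05:00Z", "identity": "admin@contoso.example",
     "operationName": "patchDeviceHealthScript DeviceHealthScript",
     "resultType": "Success", "properties": {"targetResource": "script-0001"}},
    {"time": "2025-01-06T11:30:00Z", "identity": "helpdesk@contoso.example",
     "operationName": "deleteDeviceHealthScript DeviceHealthScript",
     "resultType": "Success", "properties": {"targetResource": "script-0002"}},
    {"time": "2025-01-06T11:31:00Z", "identity": "helpdesk@contoso.example",
     "operationName": "readDeviceHealthScript DeviceHealthScript",  # read, not a change
     "resultType": "Success", "properties": {"targetResource": "script-0002"}},
    {"time": "2025-01-06T12:00:00Z", "identity": "admin@contoso.example",
     "operationName": "createDeviceCompliancePolicy DeviceCompliancePolicy",  # unrelated
     "resultType": "Success", "properties": {"targetResource": "policy-0001"}},
]

# Verb prefix in the operation name -> the change category the rule reports.
VERB_ACTIONS = {"create": "added", "update": "updated", "patch": "updated", "delete": "deleted"}
VERB_RE = re.compile(r"^(create|update|patch|delete)", re.IGNORECASE)

def classify_operation(operation_name):
    """Return 'added'/'updated'/'deleted' for a device health script change,
    or None for reads and for operations on unrelated resources."""
    if "devicehealthscript" not in operation_name.lower():
        return None
    m = VERB_RE.match(operation_name)
    return VERB_ACTIONS[m.group(1).lower()] if m else None

def detect_script_changes(events):
    """Emit one finding per device health script change, tagged by verb."""
    findings = []
    for ev in events:
        action = classify_operation(ev.get("operationName", ""))
        if action is None:
            continue
        findings.append({"time": ev["time"], "user": ev.get("identity", "unknown"),
                         "action": action, "result": ev.get("resultType", "unknown"),
                         "target": ev.get("properties", {}).get("targetResource", "unknown")})
    return findings

def changes_per_user(findings):
    """Per-identity count of changes, the input a risk-based alert would score."""
    return Counter(f["user"] for f in findings)

if __name__ == "__main__":
    for f in detect_script_changes(SAMPLE_EVENTS):
        print(f"{f['time']} {f['user']} {f['action']} {f['target']} ({f['result']})")
```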
Categories
- Cloud
- Azure
- Identity Management
Data Sources
- Cloud Service
- Application Log
- Network Share
ATT&CK Techniques
- T1072
- T1021.007
- T1202
- T1105
Created: 2025-01-06