This hunting query pivots on a single account: given the time of a suspicious event and a username, it returns every SecurityAlert that referenced that account in the window from 3 days before the event to 6 hours after it (the +6h tail allows for alerts that only fire once enough events have accumulated). A cluster of alerts around one account in that window can indicate coordinated or persistent adversary activity against it, for example a compromised credential being used for discovery or lateral movement, and is worth hunting for proactively in an Azure Sentinel environment.
KQL Query
```kql
let GetAllAlertsForUser = (suspiciousEventTime:datetime, v_User:string){
// -3d and +6h around the suspicious event, as some alerts only fire after events accumulate
let v_StartTime = suspiciousEventTime-3d;
let v_EndTime = suspiciousEventTime+6h;
SecurityAlert
| where TimeGenerated between (v_StartTime .. v_EndTime)
// Entities is a JSON array of entity objects; expand it to one row per entity
| extend Extprop = parse_json(Entities)
| mv-expand Extprop
| extend EntityType = tostring(Extprop['Type'])
// an account entity becomes a lower-case UPN when a UPNSuffix is present, otherwise the bare lower-case name
| extend Account = iif(EntityType == "account" and isnotempty(Extprop['UPNSuffix']), tolower(strcat(tostring(Extprop['Name']), "@", tostring(Extprop['UPNSuffix']))), iif(EntityType == "account", tolower(tostring(Extprop['Name'])), ""))
| extend Computer = iif(EntityType == "host", tostring(Extprop['HostName']), "")
| extend IpAddress = iif(EntityType == "ip", tostring(Extprop['Address']), "")
// collapse back to one row per alert before filtering on the account: after mv-expand each row holds a
// single entity, so filtering on Account first would discard every host and ip row and leave
// Computer/IpAddress permanently empty
| summarize Accounts = make_set_if(Account, isnotempty(Account)), Computers = make_set_if(Computer, isnotempty(Computer)), IpAddresses = make_set_if(IpAddress, isnotempty(IpAddress)) by SystemAlertId, TimeGenerated, AlertName, ExtendedProperties
| mv-expand Account = Accounts to typeof(string)
// 'contains' is case-insensitive in KQL, so the casing of v_User does not matter; tolower is used for consistency
| where Account contains v_User
| extend Computer = tostring(Computers[0]), IpAddress = tostring(IpAddresses[0])
| project TimeGenerated, AlertName, Computer, Account, IpAddress, ExtendedProperties
| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress
};
// change the datetime value and the username below
GetAllAlertsForUser(datetime('2019-01-20T10:02:51.000'), tolower("<username>"))
```
Hunting query metadata (YAML definition):

```yaml
id: 3a72ba65-00fa-4bbc-b246-be1ff3f73ce1
name: Alerts related to account
description: |
  'Any Alerts that fired related to a given account during the range of +6h and -3d'
requiredDataConnectors:
  - connectorId: AzureSecurityCenter
    dataTypes:
      - SecurityAlert
  - connectorId: MicrosoftCloudAppSecurity
    dataTypes:
      - SecurityAlert
tactics:
  - Persistence
  - Discovery
  - LateralMovement
  - Collection
```
| Sentinel Table | Notes |
|---|---|
| SecurityAlert | Ensure a data connector that writes to this table (Azure Security Center or Microsoft Cloud App Security, per requiredDataConnectors) is enabled |
Known benign scenarios that can produce clusters of account-related alerts, with a suggested filter or exclusion for each:

Scenario: A system administrator runs a scheduled backup job that creates and deletes temporary accounts.
Filter/Exclusion: Exclude accounts flagged as temporary or following a known naming convention (e.g., a backup_ or temp_ prefix).

Scenario: An identity provider or directory-synchronisation tool (e.g., Okta or Azure AD Connect) synchronises user accounts and triggers account-related alerts during each sync.
Filter/Exclusion: Exclude the synchronisation service account(s), or filter on a source field such as source_system where the alert provider supplies one.

Scenario: A security analyst manually reviewing account activity in a SIEM (e.g., Splunk or ELK) triggers alerts through manual query execution.
Filter/Exclusion: Exclude events whose source is the SIEM or log-analysis tool, or filter by the user agent or IP address of the analyst's workstation.

Scenario: A scheduled job (e.g., Ansible or Puppet) provisions new user accounts during a routine system update.
Filter/Exclusion: Exclude alerts that fall within a known maintenance window, or filter by the job name or script identifier.

Scenario: An automated lockout-remediation tool (e.g., Azure AD self-service password reset) temporarily locks and unlocks accounts, triggering alerts.
Filter/Exclusion: Exclude events whose action is an unlock or reset, or filter by the tool's identifier or process name.
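To make both the pivot in the KQL query and the exclusions above testable without a workspace, here is an added Python example that is not code from the original page or from the Azure Sentinel project. It re-implements the query's -3d/+6h window and the account/host/ip entity normalisation over constructed SecurityAlert-shaped rows (collapsing the expanded entities back per alert so host and IP survive the account filter), then applies three of the exclusion types suggested in the scenarios: naming-convention prefixes, an explicit excluded-account list, and a maintenance window. The sample rows, account names, IPs, hostnames and the maintenance window are all constructed for illustration, and `get_all_alerts_for_user` and `normalise_account` are names chosen here.

```python
"""Added example, not code from the original page: offline re-implementation of the
'Alerts related to account' pivot plus the false-positive exclusions, over constructed
SecurityAlert-shaped rows. All values below are made up for illustration."""
import json
import re
from datetime import datetime, timedelta

# Constructed sample rows shaped like SecurityAlert; Entities holds the JSON array of
# entity objects exactly as the KQL parse_json() / mv-expand expects it.
SAMPLE_ALERTS = [
    {"TimeGenerated": "2019-01-19T08:15:00Z", "AlertName": "Anomalous sign-in location",
     "Entities": json.dumps([
         {"$id": "1", "Type": "account", "Name": "JSmith", "UPNSuffix": "contoso.com"},
         {"$id": "2", "Type": "ip", "Address": "203.0.113.45"}])},
    {"TimeGenerated": "2019-01-20T12:30:00Z", "AlertName": "Suspicious process on host",
     "Entities": json.dumps([
         {"$id": "1", "Type": "host", "HostName": "WS-042", "DnsDomain": "contoso.com"},
         {"$id": "2", "Type": "account", "Name": "jsmith", "NTDomain": "CONTOSO"}])},
    {"TimeGenerated": "2019-01-21T09:00:00Z", "AlertName": "Mass download",  # outside +6h
     "Entities": json.dumps([
         {"$id": "1", "Type": "account", "Name": "jsmith", "UPNSuffix": "contoso.com"}])},
    {"TimeGenerated": "2019-01-19T23:30:00Z", "AlertName": "Account created and deleted",
     "Entities": json.dumps([  # temp account from a scheduled job inside a maintenance window
         {"$id": "1", "Type": "account", "Name": "temp_jsmith", "UPNSuffix": "contoso.com"}])},
]


def normalise_account(entity):
    """Mirror the KQL: an account entity becomes lower-case 'name@upnsuffix' when
    UPNSuffix is present, else the lower-case bare name; any other type gives ''."""
    if entity.get("Type") != "account":
        return ""
    name = str(entity.get("Name", "")).lower()
    suffix = entity.get("UPNSuffix")
    return f"{name}@{str(suffix).lower()}" if suffix else name


def get_all_alerts_for_user(alerts, suspicious_event_time, user,
                            excluded_prefixes=(), excluded_accounts=(),
                            maintenance_window=None):
    """Return one row per matching account entity in the -3d/+6h window, carrying the
    host and IP entities of the same alert alongside, after applying the exclusions."""
    start = suspicious_event_time - timedelta(days=3)
    end = suspicious_event_time + timedelta(hours=6)
    user = user.lower()  # KQL 'contains' is case-insensitive; match that behaviour
    prefix_re = (re.compile("^(" + "|".join(map(re.escape, excluded_prefixes)) + ")")
                 if excluded_prefixes else None)
    excluded = {a.lower() for a in excluded_accounts}
    rows = []
    for alert in alerts:
        t = datetime.strptime(alert["TimeGenerated"], "%Y-%m-%dT%H:%M:%SZ")
        if not start <= t <= end:
            continue
        if maintenance_window and maintenance_window[0] <= t <= maintenance_window[1]:
            continue  # scheduled provisioning / backup job noise
        entities = json.loads(alert["Entities"])
        # collect host and ip entities per alert first, so they are not lost when the
        # per-entity rows are filtered on the account
        hosts = [e["HostName"] for e in entities if e.get("Type") == "host"]
        ips = [e["Address"] for e in entities if e.get("Type") == "ip"]
        for e in entities:  # equivalent of mv-expand over Entities
            account = normalise_account(e)
            if not account or user not in account:
                continue
            if account in excluded or (prefix_re and prefix_re.match(account)):
                continue  # temp_/backup_ naming convention or known sync account
            rows.append({"TimeGenerated": alert["TimeGenerated"],
                         "AlertName": alert["AlertName"],
                         "Account": account,
                         "Computer": hosts[0] if hosts else "",
                         "IpAddress": ips[0] if ips else ""})
    return rows


if __name__ == "__main__":
    when = datetime(2019, 1, 20, 10, 2, 51)
    for r in get_all_alerts_for_user(SAMPLE_ALERTS, when, "JSMITH",
                                     excluded_prefixes=("temp_", "backup_")):
        print(r)
```

Without exclusions the pivot returns three rows for jsmith (the temp_jsmith alert matches because `contains` is a substring test); the prefix list, the excluded-account list or the maintenance window each drop it, leaving the sign-in alert with its IP and the host alert with its computer name.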