Adversaries may use cross-workspace queries to exfiltrate data or move laterally across environments, using the techniques catalogued as T1530, T1213 and T1020 to gather information and escalate privileges. SOC teams should proactively hunt for this behavior in Azure Sentinel so that lateral movement and data exfiltration attempts are detected early.
KQL Query
let starttime = todatetime('{{StartTimeISO}}');
let endtime = todatetime('{{EndTimeISO}}');
// Baseline window: the 30 days before the hunting period.
let lookback = starttime - 30d;
// Declared for tuning but not referenced by the final filter, which compares the two counts directly.
let threshold = 0;
LAQueryLogs
| where TimeGenerated between (lookback..starttime)
| mv-expand(RequestContext)
// RequestTarget is an ARM resource ID: /subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.OperationalInsights/workspaces/<ws>
| extend RequestContextExtended = split(RequestTarget, "/")
| extend Subscription = tostring(RequestContextExtended[2]), ResourceGroups = tostring(RequestContextExtended[4]), Workspace = tostring(RequestContextExtended[8])
// Distinct workspaces each user queried during the baseline.
| summarize count(), HistWorkspaceCount=dcount(Workspace) by AADEmail
// Inner join: a user with no baseline activity in the lookback window is dropped here.
| join (
LAQueryLogs
| where TimeGenerated between(starttime..endtime)
| mv-expand(RequestContext)
| extend RequestContextExtended = split(RequestTarget, "/")
| extend Subscription = tostring(RequestContextExtended[2]), ResourceGroups = tostring(RequestContextExtended[4]), Workspace = tostring(RequestContextExtended[8])
// Distinct workspaces each user queried during the hunting period, plus the set of workspace names.
| summarize make_set(Workspace), count(), CurrWorkspaceCount=dcount(Workspace) by AADEmail
) on AADEmail
| where CurrWorkspaceCount > HistWorkspaceCount
// Uncomment the following rows to see the queries made by these users
//| join (
//LAQueryLogs
//| where TimeGenerated between(starttime..endtime)
//) on AADEmail
//| extend timestamp = TimeGenerated, AccountCustomEntity = AADEmail
id: 8f18c6ea-fcd0-4d9a-a8fd-19a6aaa1660c
name: Cross workspace query anomalies
description: |
  'This hunting query looks for increases in the number of workspaces queried by a user.'
requiredDataConnectors:
  - connectorId: AzureMonitor(Query Audit)
    dataTypes:
      - LAQueryLogs
tactics:
  - Collection
  - Exfiltration
relevantTechniques:
  - T1530
  - T1213
  - T1020
query: |
  let starttime = todatetime('{{StartTimeISO}}');
  let endtime = todatetime('{{EndTimeISO}}');
  let lookback = starttime - 30d;
  let threshold = 0;
  LAQueryLogs
  | where TimeGenerated between (lookback..starttime)
  | mv-expand(RequestContext)
  | extend RequestContextExtended = split(RequestTarget, "/")
  | extend Subscription = tostring(RequestContextExtended[2]), ResourceGroups = tostring(RequestContextExtended[4]), Workspace = tostring(RequestContextExtended[8])
  | summarize count(), HistWorkspaceCount=dcount(Workspace) by AADEmail
  | join (
  LAQueryLogs
  | where TimeGenerated between(starttime..endtime)
  | mv-expand(RequestContext)
  | extend RequestContextExtended = split(RequestTarget, "/")
  | extend Subscription = tostring(RequestContextExtended[2]), ResourceGroups = tostring(RequestContextExtended[4]), Workspace = tostring(RequestContextExtended[8])
  | summarize make_set(Workspace), count(), CurrWorkspaceCount=dcount(Workspace) by AADEmail
  ) on AADEmail
  | where CurrWorkspaceCount > HistWorkspaceCount
  // Uncomment the following rows to see the queries made by these users
  //| join (
  //LAQueryLogs
  //| where TimeGenerated between(starttime..endtime)
  //) on AADEmail
  //| extend timestamp = TimeGenerated, AccountCustomEntity = AADEmail
version: 1.0.0
metadata:
  source:
    kind: Community
  author:
    name: Pete Bryan
  support:
    tier: Microsoft
  categories:
    domains: [ "Security - Threat Protection" ]
Scenario: A user is running a scheduled report using Power BI that queries multiple workspaces as part of a monthly data aggregation process.
Filter/Exclusion: Exclude queries initiated by scheduled tasks or services (e.g., process.name == "Power BI Report Server" or user.account_type == "service_account").
Scenario: An IT administrator is performing a routine audit using PowerShell to check workspace activity across the organization.
Filter/Exclusion: Exclude queries originating from known admin accounts or scripts (e.g., user.account_id == "admin_account_id" or process.name == "powershell.exe").
Scenario: A data pipeline using Azure Data Factory is configured to pull data from multiple workspaces as part of an ETL process.
Filter/Exclusion: Exclude queries associated with known data integration tools (e.g., process.name == "AzureDataFactory.exe" or process.name == "sqlcmd.exe").
Scenario: A user is using PowerShell to automate the creation and management of workspaces during a migration task.
Filter/Exclusion: Exclude queries associated with migration tools or scripts (e.g., process.name == "powershell.exe" and user.device_name == "migration-server").
Scenario: A security analyst is using Splunk to query multiple workspaces to investigate a potential security incident.
Filter/Exclusion: Exclude queries initiated from security tools or by analysts (e.g., tool.name == "Splunk" or user.role == "security_analyst").
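As an added worked example (not part of the original hunting query or the Azure Sentinel repository), the following Python reimplements the baseline-versus-current logic of the KQL above over a constructed set of LAQueryLogs-style records, so the detection can be exercised offline. It splits RequestTarget on "/" with the same indexes 2, 4 and 8, compares distinct workspaces per AADEmail between the 30-day baseline and the hunting window, and adds two things the KQL leaves implicit: an exclusion list for the service and tooling accounts described in the scenarios above, and an `include_new_users` switch that shows how the KQL inner join silently drops users with no baseline activity. All records, account names and workspace names are constructed for the example; `find_cross_workspace_anomalies` and `parse_request_target` are names chosen here, not Sentinel APIs.

```python
from datetime import datetime, timedelta

# Shape of RequestTarget in LAQueryLogs: an ARM resource ID for the queried workspace.
ARM_WORKSPACE = ("/subscriptions/{sub}/resourceGroups/{rg}"
                 "/providers/Microsoft.OperationalInsights/workspaces/{ws}")


def target(sub, rg, ws):
    return ARM_WORKSPACE.format(sub=sub, rg=rg, ws=ws)


# Constructed sample records: (TimeGenerated, AADEmail, RequestTarget). Not real telemetry.
# Baseline window is 2024-05-02 .. 2024-06-01, hunting window is 2024-06-01 .. 2024-06-08.
SAMPLE_LOGS = [
    ("2024-05-10T09:00:00", "alice@example.com", target("sub-1", "rg-sec", "ws-a")),
    ("2024-05-20T09:00:00", "alice@example.com", target("sub-1", "rg-sec", "ws-a")),
    ("2024-05-11T10:00:00", "bob@example.com", target("sub-1", "rg-sec", "ws-a")),
    ("2024-05-12T10:00:00", "bob@example.com", target("sub-1", "rg-sec", "ws-b")),
    ("2024-05-15T03:00:00", "svc-powerbi@example.com", target("sub-1", "rg-bi", "ws-a")),
    ("2024-06-02T09:00:00", "alice@example.com", target("sub-1", "rg-sec", "ws-a")),
    ("2024-06-02T09:05:00", "alice@example.com", target("sub-2", "rg-ops", "ws-b")),
    ("2024-06-02T09:10:00", "alice@example.com", target("sub-2", "rg-ops", "ws-c")),
    ("2024-06-03T10:00:00", "bob@example.com", target("sub-1", "rg-sec", "ws-a")),
    ("2024-06-01T03:00:00", "svc-powerbi@example.com", target("sub-1", "rg-bi", "ws-a")),
    ("2024-06-01T03:01:00", "svc-powerbi@example.com", target("sub-1", "rg-bi", "ws-b")),
    ("2024-06-01T03:02:00", "svc-powerbi@example.com", target("sub-2", "rg-bi", "ws-c")),
    # carol has no baseline activity at all: dropped by the KQL inner join.
    ("2024-06-04T11:00:00", "carol@example.com", target("sub-1", "rg-sec", "ws-a")),
    ("2024-06-04T11:01:00", "carol@example.com", target("sub-2", "rg-ops", "ws-b")),
]


def parse_request_target(request_target):
    """Mirror split(RequestTarget, "/") with indexes 2, 4 and 8 from the KQL.

    Unlike the KQL, which would yield an empty Workspace string for a short
    path, this returns None so malformed targets are not counted as a workspace.
    """
    parts = request_target.split("/")
    if len(parts) < 9 or parts[7].lower() != "workspaces":
        return None
    return {"Subscription": parts[2], "ResourceGroups": parts[4], "Workspace": parts[8]}


def workspaces_by_user(records, window_start, window_end):
    """dcount(Workspace) by AADEmail over an inclusive window, like KQL `between`."""
    seen = {}
    for ts, email, request_target in records:
        t = datetime.fromisoformat(ts)
        if not (window_start <= t <= window_end):
            continue
        parsed = parse_request_target(request_target)
        if parsed is None:
            continue
        seen.setdefault(email, set()).add(parsed["Workspace"])
    return seen


def find_cross_workspace_anomalies(records, starttime, endtime, lookback_days=30,
                                   excluded_users=frozenset(), include_new_users=False):
    """Return users whose distinct-workspace count in the hunting window exceeds
    their count in the preceding baseline window.

    excluded_users: accounts to drop (the scheduled-report, ETL and admin cases above).
    include_new_users: when True, users with no baseline are kept with a count of 0
    (a left-join behaviour); when False the KQL inner-join behaviour is reproduced.
    """
    lookback = starttime - timedelta(days=lookback_days)
    hist = workspaces_by_user(records, lookback, starttime)
    curr = workspaces_by_user(records, starttime, endtime)
    results = []
    for email, workspaces in sorted(curr.items()):
        if email in excluded_users:
            continue
        if email not in hist and not include_new_users:
            continue  # no baseline row to join against
        hist_count = len(hist.get(email, set()))
        if len(workspaces) > hist_count:
            results.append({
                "AADEmail": email,
                "HistWorkspaceCount": hist_count,
                "CurrWorkspaceCount": len(workspaces),
                "Workspaces": sorted(workspaces),  # make_set(Workspace)
            })
    return results


if __name__ == "__main__":
    start, end = datetime(2024, 6, 1), datetime(2024, 6, 8)
    print("KQL-equivalent (inner join, no exclusions):")
    for row in find_cross_workspace_anomalies(SAMPLE_LOGS, start, end):
        print(" ", row)
    print("With service-account exclusion and new users kept:")
    for row in find_cross_workspace_anomalies(
            SAMPLE_LOGS, start, end,
            excluded_users={"svc-powerbi@example.com"}, include_new_users=True):
        print(" ", row)
```

With the default settings the run flags alice (1 baseline workspace, 3 in the hunting window) and the Power BI service account, while carol never appears because she has no baseline row to join against; with the exclusion set and `include_new_users=True` the service account drops out and carol surfaces with a baseline count of 0, which is the case to keep in mind when deciding whether the inner join in the KQL is the behaviour you want.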