Users with elevated privileges may exfiltrate sensitive data through Azure Storage Blob access patterns, indicating potential insider threat activity that could compromise organizational data integrity. Proactively hunting for such behavior in Azure Sentinel enables early detection of insider threats before significant data loss or damage occurs.
KQL Query
// --------------------------------------------------------------------------------------------------------------------------- //
//
// Zip/Encrypt Sensitive File
//
// This uses a very basic indicator of a "Confidential" document: it must be stored in a folder named Confidential or Restricted.
// Using the Information Protection tags (DeviceFileEvents: SensitivityLabel) might be more appropriate.
// Note: matches regex is unanchored, so "Confidential|Restricted" already matches anywhere in the path; it is case-sensitive.
DeviceFileEvents
| where InitiatingProcessFileName in ("7z.exe", "7zG.exe", "AxCrypt.exe", "BitLocker.exe", "Diskcryptor.exe", "GNUPrivacyGuard.exe", "GPG4Win.exe", "PeaZip.exe", "VeraCrypt.exe", "WinRAR.exe", "WinZip.exe")
    and FolderPath matches regex "Confidential|Restricted"
| project Timestamp, InitiatingProcessAccountName, FileName, FolderPath, InitiatingProcessFileName, DeviceName
id: 4685d7ec-8134-43ce-b579-7c31286b0bc5
name: insider-threat-detection-queries (1)
description: |
  Intent:
  - Use MTP capability to look for insider threat potential risk indicators
  - Indicators would then serve as the building block for insider threat risk modeling in subsequent tools
  Definition of Insider Threat:
  "The potential for an individual who has or had authorized access to an organization's assets to use their access, either maliciously or unintentionally, to act in a way that could negatively affect the organization."
  This collection of queries describes the different indicators that could be used to model and look for patterns suggesting an increased risk of an individual becoming a potential insider threat.
  Note: no single indicator should be used as a lone determinant of insider threat activity, but should be part of an overall program to understand the increased risk to your organization's critical assets. This in turn is used to feed an investigation by a formal insider threat program to look at the context associated with the whole person to understand the implication of a set of indicators.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceFileEvents
tactics:
  - Initial access
  - Persistence
  - Exfiltration
query: |
  // --------------------------------------------------------------------------------------------------------------------------- //
  //
  // Zip/Encrypt Sensitive File
  //
  // This uses a very basic indicator of a "Confidential" document: it must be stored in a folder named Confidential or Restricted.
  // Using the Information Protection tags (DeviceFileEvents: SensitivityLabel) might be more appropriate.
  // Note: matches regex is unanchored, so "Confidential|Restricted" already matches anywhere in the path; it is case-sensitive.
  DeviceFileEvents
  | where InitiatingProcessFileName in ("7z.exe", "7zG.exe", "AxCrypt.exe", "BitLocker.exe", "Diskcryptor.exe", "GNUPrivacyGuard.exe", "GPG4Win.exe", "PeaZip.exe", "VeraCrypt.exe", "WinRAR.exe", "WinZip.exe")
      and FolderPath matches regex "Confidential|Restricted"
  | project Timestamp, InitiatingProcessAccountName, FileName, FolderPath, InitiatingProcessFileName, DeviceName
| Sentinel Table | Notes |
|---|---|
| DeviceFileEvents | Ensure this data connector is enabled |
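The following is an added example, not the hunting query above or Microsoft's own content. It takes the comment's suggestion of using the SensitivityLabel column, keeps the folder-name heuristic as a fallback, excludes service accounts of the kind the false-positive scenarios describe, and aggregates per account and device so a burst of archived or encrypted sensitive files stands out rather than single events. The tool list, the label names, the excluded account names and the threshold of 5 files are assumptions to adapt to your tenant.

```kusto
// Added example: label-aware version of the "Zip/Encrypt Sensitive File" hunt with exclusions and per-user aggregation.
let lookback = 7d;
// Assumed archive/encryption tools (same idea as the original list; trim or extend for your environment)
let archive_tools = dynamic(["7z.exe", "7zG.exe", "AxCrypt.exe", "PeaZip.exe", "VeraCrypt.exe", "WinRAR.exe", "WinZip.exe"]);
// Assumed placeholder service accounts for backup/ETL jobs that legitimately archive data; replace with your own
let excluded_accounts = dynamic(["svc_backup", "svc_etl"]);
// Assumed Information Protection label names; these are tenant-specific
let sensitive_labels = dynamic(["Confidential", "Highly Confidential"]);
DeviceFileEvents
| where Timestamp > ago(lookback)
| where InitiatingProcessFileName in~ (archive_tools)
| where not(InitiatingProcessAccountName in~ (excluded_accounts))
// Signal 1: the file carries a sensitivity label from the assumed list
| extend IsLabelled = SensitivityLabel in~ (sensitive_labels)
// Signal 2 (fallback): the file sits directly in a folder named Confidential or Restricted, case-insensitive
| extend IsSensitiveFolder = FolderPath matches regex @"(?i)\\(Confidential|Restricted)\\"
| where IsLabelled or IsSensitiveFolder
// Aggregate per account, device and day so one user archiving many sensitive files surfaces as a single row
| summarize FileCount = dcount(FileName),
            LabelledCount = countif(IsLabelled),
            SampleFiles = make_set(FileName, 20),
            Tools = make_set(InitiatingProcessFileName),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp)
    by InitiatingProcessAccountName, DeviceName, Day = bin(Timestamp, 1d)
// Assumed threshold: fewer than 5 distinct files in a day is usually routine; tune to your baseline
| where FileCount >= 5
| order by FileCount desc, LabelledCount desc
```

Because the regex requires the folder name as a complete path segment, a folder such as "Confidential Projects" will not match the fallback branch; widen the pattern if your naming convention is looser.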
Scenario: System Backup Job Execution
Description: A scheduled backup job (e.g., using Veeam Backup & Replication, Commvault, or Veritas NetBackup) is performing data transfer that matches the rule’s MTP (Multi-Tenant Processing) behavior.
Filter/Exclusion: Check for known backup processes using process.name or process.parent fields, and exclude processes associated with backup tools.
Scenario: Admin Task for Log Collection
Description: An admin is using a tool like Splunk, ELK Stack, or Graylog to collect logs from multiple systems, which may trigger MTP-related alerts.
Filter/Exclusion: Filter by user field to exclude admin accounts (e.g., root, admin, splunkadmin) or use process.name to exclude log collection tools.
Scenario: Data Migration Using ETL Tools
Description: A data migration task using ETL tools like Informatica, Talend, or Apache NiFi is transferring data between systems, which may be flagged as MTP activity.
Filter/Exclusion: Use process.name or process.args to identify ETL tool processes and exclude them from the alert.
Scenario: Regular System Monitoring with SIEM Tools
Description: A SIEM tool like Splunk, QRadar, or IBM Security Guardium is querying multiple systems for monitoring purposes, which could be mistaken for insider threat activity.
Filter/Exclusion: Filter by source or destination fields to exclude known SIEM tool IP addresses or hostnames.
Scenario: Database Maintenance Task
Description: A database maintenance task (e.g., using MySQL, PostgreSQL, or SQL Server) is performing data operations that