Users with administrative privileges accessing sensitive data outside of normal business hours may indicate potential insider threats, as such behavior could signal data exfiltration or unauthorized access. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate insider risks before they lead to data breaches or compliance violations.
KQL Query
```kql
// --------------------------------------------------------------------------------------------------------------------------- //
//
// Email to Competitor
//
let competitorDomains = pack_array("competitor", "company2");
EmailEvents
| where RecipientEmailAddress has_any (competitorDomains)
| project TimeEmail = Timestamp, Subject, SenderFromAddress, RecipientEmailAddress, AccountName = tostring(split(SenderFromAddress, "@")[0]);
```
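One caveat worth checking before running the query above at scale: `has_any` on the full recipient address is a term match, so a short list entry such as "competitor" also hits any unrelated address that happens to contain that term. The following is an added example (not the page's query) that instead compares the recipient's domain part exactly, keeps only outbound mail, and summarizes per sender so a hunter sees volume and attachment use at a glance. The domain list, the 7-day lookback and the per-sender output shape are assumptions for illustration; `EmailDirection` and `AttachmentCount` are standard `EmailEvents` columns.

```kql
// Added example, not part of the original page. Matches the recipient domain
// exactly instead of by substring, restricts to outbound mail and rolls the
// events up per sender. Domain list and lookback window are assumed values.
let competitorDomains = dynamic(["competitor.com", "company2.com"]);
let lookback = 7d;
EmailEvents
| where Timestamp > ago(lookback)
// Intra-org and inbound mail cannot be an outbound disclosure to a competitor
| where EmailDirection == "Outbound"
// Take the part after '@' and normalise case so "Competitor.COM" still matches
| extend RecipientDomain = tolower(tostring(split(RecipientEmailAddress, "@")[1]))
| where RecipientDomain in~ (competitorDomains)
| extend AccountName = tostring(split(SenderFromAddress, "@")[0])
// One row per sender/domain pair: when it started, how much, and whether files were attached
| summarize FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp),
            EmailCount = count(),
            WithAttachment = countif(AttachmentCount > 0),
            Subjects = make_set(Subject, 20),
            Recipients = make_set(RecipientEmailAddress, 20)
    by AccountName, SenderFromAddress, RecipientDomain
| order by EmailCount desc
```

The summarized form is meant for hunting and triage; if the query is promoted to an analytics rule, the per-event `project` shape of the original is usually the better choice so that each alert carries the individual message.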
```yaml
id: 5c01cfbf-c3b6-4840-bc3a-bffc810f5d03
name: insider-threat-detection-queries (10)
description: |
  Intent:
  - Use MTP capability to look for insider threat potential risk indicators
  - Indicators would then serve as the building block for insider threat risk modeling in subsequent tools
  Definition of Insider Threat:
  "The potential for an individual who has or had authorized access to an organization's assets to use their access, either maliciously or unintentionally, to act in a way that could negatively affect the organization."
  This collection of queries describes the different indicators that could be used to model and look for patterns suggesting an increased risk of an individual becoming a potential insider threat.
  Note: no single indicator should be used as a lone determinant of insider threat activity, but should be part of an overall program to understand the increased risk to your organization's critical assets. This in turn is used to feed an investigation by a formal insider threat program to look at the context associated with the whole person to understand the implication of a set of indicators.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - EmailEvents
tactics:
  - Initial access
  - Persistence
  - Exfiltration
query: |
  // --------------------------------------------------------------------------------------------------------------------------- //
  //
  // Email to Competitor
  //
  let competitorDomains = pack_array("competitor", "company2");
  EmailEvents
  | where RecipientEmailAddress has_any (competitorDomains)
  | project TimeEmail = Timestamp, Subject, SenderFromAddress, RecipientEmailAddress, AccountName = tostring(split(SenderFromAddress, "@")[0]);
```
| Sentinel Table | Notes |
|---|---|
| EmailEvents | Ensure this data connector is enabled |
- Scenario: A system administrator is performing routine maintenance and uses the Microsoft Graph API to retrieve user activity logs for audit purposes.
  - Filter/Exclusion: Exclude activity logs from users with the “Global Administrator” or “Security Administrator” role, or filter by specific API endpoints used for legitimate administrative tasks.
- Scenario: A scheduled job runs nightly to archive old user data using Microsoft Purview or Azure Information Protection.
  - Filter/Exclusion: Exclude activity related to Microsoft Purview or Azure Information Protection tools, or filter by job names that match known archival or retention schedules.
- Scenario: An IT support technician is using Microsoft Defender for Endpoint to investigate a potential security incident and is querying for suspicious file activity.
  - Filter/Exclusion: Exclude queries originating from user accounts with the “IT Support” or “Security Analyst” role, or filter by specific Defender for Endpoint tools and actions.
- Scenario: A developer is using Azure DevOps to push code to a staging environment, which triggers a series of automated build and deployment tasks.
  - Filter/Exclusion: Exclude activity from Azure DevOps pipelines or user accounts associated with development teams, or filter by specific CI/CD tooling actions.
- Scenario: A user is accessing sensitive data via Microsoft Power BI for reporting purposes, which may trigger data access alerts.
  - Filter/Exclusion: Exclude access from users with Power BI reporting privileges or filter by specific data sources and access patterns associated with legitimate reporting activities.
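The scenarios above share one tuning pattern: carve out accounts and automated jobs that are known to be legitimate before the remaining rows reach an analyst. The following is an added example (not the page's query) that applies that pattern to the "Email to Competitor" hunt with an allowlist of approved senders kept in a `datatable` and a subject-prefix exclusion for scheduled reports. The approved senders, the subject prefixes and the domain list are constructed placeholders; in production the allowlist would normally live in a watchlist rather than inline.

```kql
// Added example, not part of the original page. Shows how to apply the
// exclusions described above: an allowlist of approved senders (leftanti join)
// and a filter for subjects produced by scheduled tooling. All values are
// constructed placeholders.
let competitorDomains = dynamic(["competitor.com", "company2.com"]);
// Accounts that correspond with these domains for an approved business reason.
// The Reason column is documentation only; it is not used by the query.
let approvedSenders = datatable(SenderFromAddress:string, Reason:string) [
    "partnerships@contoso.com", "Approved joint-venture channel",
    "svc-reporting@contoso.com", "Nightly automated report job"
];
EmailEvents
| where Timestamp > ago(7d)
| where EmailDirection == "Outbound"
| extend RecipientDomain = tolower(tostring(split(RecipientEmailAddress, "@")[1]))
| where RecipientDomain in~ (competitorDomains)
// Drop mail generated by scheduled jobs, identified here by a fixed subject prefix
| where not(Subject startswith "[Automated]" or Subject startswith "Nightly Report:")
// Remove every row whose sender appears in the allowlist; nothing from the
// right-hand table is added to the output
| join kind=leftanti approvedSenders on SenderFromAddress
| project TimeEmail = Timestamp, Subject, SenderFromAddress, RecipientEmailAddress,
          AccountName = tostring(split(SenderFromAddress, "@")[0])
```

Two points to keep in mind when adapting this: `join` keys are compared case-sensitively, so lowercase `SenderFromAddress` on both sides if the address source is not already normalised, and each allowlist entry should carry an owner and a review date outside the query, since an exclusion that outlives its business reason is exactly the gap an insider would sit in.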