Users with administrative privileges accessing sensitive data repositories at unusual times may indicate potential insider threats, as such behavior could signal data exfiltration or unauthorized access attempts. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate insider risks before they lead to data breaches or compliance violations.
KQL Query
```kusto
// --------------------------------------------------------------------------------------------------------------------------- //
//
// SSH Connection from untrusted Subnet
//
// Look for SSH connections *not* initiated from the "Management" subnet
let subnet = "xx.xx.xx.0"; // Adjust for your "Trusted" or "Management" subnet
DeviceNetworkEvents
| where RemotePort == 22 and LocalIP !contains (subnet)
```
```yaml
id: de9a2aa6-ad31-4dd1-871a-2577e47ef586
name: insider-threat-detection-queries (11)
description: |
  Intent:
  - Use MTP capability to look for insider threat potential risk indicators
  - Indicators would then serve as the building block for insider threat risk modeling in subsequent tools
  Definition of Insider Threat:
  "The potential for an individual who has or had authorized access to an organization's assets to use their access, either maliciously or unintentionally, to act in a way that could negatively affect the organization."
  This collection of queries describes the different indicators that could be used to model and look for patterns suggesting an increased risk of an individual becoming a potential insider threat.
  Note: no single indicator should be used as a lone determinant of insider threat activity, but should be part of an overall program to understand the increased risk to your organization's critical assets. This in turn is used to feed an investigation by a formal insider threat program to look at the context associated with the whole person to understand the implication of a set of indicators.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceNetworkEvents
tactics:
  - Initial access
  - Persistence
  - Exfiltration
query: |
  // --------------------------------------------------------------------------------------------------------------------------- //
  //
  // SSH Connection from untrusted Subnet
  //
  // Look for SSH connections *not* initiated from the "Management" subnet
  let subnet = "xx.xx.xx.0"; // Adjust for your "Trusted" or "Management" subnet
  DeviceNetworkEvents
  | where RemotePort == 22 and LocalIP !contains (subnet)
```
| Sentinel Table | Notes |
|---|---|
| DeviceNetworkEvents | Ensure this data connector is enabled |
- Scenario: A system administrator is performing a scheduled backup using Veeam Backup & Replication
  - Filter/Exclusion: Exclude activities related to known backup tools (e.g., process.name: VeeamBackup or process.name: veeam)
- Scenario: A developer is using PowerShell to automate a routine configuration update on a Windows server
  - Filter/Exclusion: Exclude PowerShell scripts associated with known DevOps tools (e.g., script.name: Update-Configuration.ps1 or process.name: powershell.exe with command_line: Update-Configuration)
- Scenario: An IT admin is running a Windows Task Scheduler job to clean up temporary files
  - Filter/Exclusion: Exclude tasks with known cleanup names (e.g., task.name: Cleanup-TempFiles or task.name: DiskCleanup)
- Scenario: A database administrator is using SQL Server Agent to run a maintenance job that rebuilds indexes
  - Filter/Exclusion: Exclude SQL Server Agent jobs with known maintenance names (e.g., job.name: RebuildIndexes or job.name: MaintenanceJob)
- Scenario: A user is using AWS CLI to manage cloud resources, such as EC2 instances, during a routine infrastructure update
  - Filter/Exclusion: Exclude AWS CLI commands related to known infrastructure management tasks (e.g., command_line: aws ec2 describe-instances or command_line: aws ec2 start-instances)
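The following KQL is an added example written for this page; it is not the hunting query from the Sentinel repository above, and it is not one of the scenario filters. It reworks the SSH hunt in three ways a SOC analyst would want before running it at scale: the original `LocalIP !contains (subnet)` is a substring test on the IP string and does not check subnet membership, so the example uses `ipv4_is_in_any_range()` with CIDR ranges; the tuning scenarios above are turned into an allow-list of service accounts and expected SSH clients; and the "unusual times" signal from the opening paragraph is added as an off-hours flag. The subnet CIDRs, account names, client names and business-hour bounds are all assumed placeholders to replace with your own values, and `Timestamp` is treated as UTC.

```kusto
// Added example, not the repository's query. Placeholders below are assumptions.
let lookback = 7d;
let trustedSubnets = dynamic(["10.10.0.0/24", "10.10.1.0/24"]);        // assumed management/trusted CIDRs
let knownAutomationAccounts = dynamic(["svc_backup", "svc_ansible"]);  // assumed service accounts (backup, config mgmt)
let knownSshClients = dynamic(["ssh.exe", "ssh", "plink.exe"]);        // assumed SSH clients expected on the estate
let businessHoursStart = 7;   // UTC hour bounds used to flag off-hours activity (assumed)
let businessHoursEnd = 19;
DeviceNetworkEvents
| where Timestamp > ago(lookback)
| where RemotePort == 22
// outbound connection events only; inbound SSH shows up as LocalPort == 22
| where ActionType in ("ConnectionSuccess", "ConnectionRequest", "ConnectionFound")
// real subnet membership test instead of a substring match on the IP string
| where not(ipv4_is_in_any_range(LocalIP, trustedSubnets))
// tune out scheduled automation run under known service accounts (see the scenario list)
| where InitiatingProcessAccountName !in~ (knownAutomationAccounts)
| extend OffHours = hourofday(Timestamp) < businessHoursStart or hourofday(Timestamp) >= businessHoursEnd
| extend UnexpectedClient = InitiatingProcessFileName !in~ (knownSshClients)
| summarize
    Attempts = count(),
    OffHoursAttempts = countif(OffHours),
    UnexpectedClientAttempts = countif(UnexpectedClient),
    Targets = make_set(RemoteIP, 50),
    Clients = make_set(InitiatingProcessFileName, 10),
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp)
    by DeviceName, LocalIP, InitiatingProcessAccountName
// surface the combinations worth an analyst's time: off-hours use, an unexpected client, or fan-out to many hosts
| where OffHoursAttempts > 0 or UnexpectedClientAttempts > 0 or array_length(Targets) > 5
| order by OffHoursAttempts desc, Attempts desc
```

The `summarize` keeps one row per device, source IP and account rather than one row per packet, which is what an insider-threat program needs as an indicator to correlate with other signals, in line with the note above that no single indicator should be a lone determinant. Start with the exclusion lists empty, review what the query returns for a week, and only then add accounts and clients to them.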