The query below hunts for user accounts being created on onboarded endpoints (Microsoft Defender for Endpoint `DeviceEvents`, `ActionType == "UserAccountCreated"`). In the insider-threat query collection this indicator is filed under concealment ("Create/Delete Backdoor Account"): a user with administrative rights on a device can create a throwaway account, act through it, and delete it again, leaving a creation event that is easy to lose in routine provisioning noise. SOC teams should hunt for this behaviour in their Microsoft Sentinel (formerly Azure Sentinel) workspace and triage on who created the account (`InitiatingProcessAccountName`), with what tool (`InitiatingProcessFileName`, `InitiatingProcessCommandLine`), and whether a matching `UserAccountDeleted` event follows shortly afterwards. As the query's own description states, this is one risk indicator among many and not a determination of insider activity on its own.
KQL Query
```kql
// --------------------------------------------------------------------------------------------------------------------------- //
// Concealment (Create/Delete Backdoor Account)
// Every account creation recorded by Defender for Endpoint; the repository query stops at this filter and leaves triage to the analyst.
DeviceEvents
| where ActionType == "UserAccountCreated"
```
```yaml
id: e86221a2-7961-440a-a759-8c7a1fbe40b2
name: insider-threat-detection-queries (12)
description: |
  Intent:
  - Use MTP capability to look for insider threat potential risk indicators
  - Indicators would then serve as the building block for insider threat risk modeling in subsequent tools
  Definition of Insider Threat:
  "The potential for an individual who has or had authorized access to an organization's assets to use their access, either maliciously or unintentionally, to act in a way that could negatively affect the organization."
  This collection of queries describes the different indicators that could be used to model and look for patterns suggesting an increased risk of an individual becoming a potential insider threat.
  Note: no single indicator should be used as a lone determinant of insider threat activity, but should be part of an overall program to understand the increased risk to your organization's critical assets. This in turn is used to feed an investigation by a formal insider threat program to look at the context associated with the whole person to understand the implication of a set of indicators.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceEvents
tactics:
  - Initial access
  - Persistence
  - Exfiltration
query: |
  // --------------------------------------------------------------------------------------------------------------------------- //
  // Concealment (Create/Delete Backdoor Account)
  DeviceEvents
  | where ActionType == "UserAccountCreated"
```
| Sentinel Table | Notes |
|---|---|
| DeviceEvents | Populated by the Microsoft 365 Defender (MicrosoftThreatProtection) data connector; ensure the connector is enabled and the DeviceEvents table is selected |
The tuning scenarios below are written against Azure and Microsoft 365 audit signals rather than endpoint telemetry. `DeviceEvents` carries no directory role, Graph API endpoint, Azure resource group or storage account name, so each exclusion has to be mapped onto the columns the table does have: the account that performed the creation (`InitiatingProcessAccountName`), the tool that performed it (`InitiatingProcessFileName`, `InitiatingProcessCommandLine`) and the device (`DeviceName`). Exclude by the narrowest combination that reproduces the benign activity; excluding every event from an administrator role removes exactly the population this indicator is meant to watch.

Scenario: A system administrator is performing routine maintenance and uses the Microsoft Graph API to retrieve user activity logs for audit purposes.
Filter/Exclusion: Exclude requests made by users with the "Global Administrator" role or those associated with the Microsoft Graph API endpoint (/users/activityLogs).

Scenario: A scheduled job runs nightly to archive old user data using Azure Data Factory, which temporarily increases data access activity.
Filter/Exclusion: Exclude activity from known scheduled jobs (e.g., ArchiveOldDataJob) or filter by the Azure resource group associated with data archival tasks.

Scenario: An IT support technician is using the Microsoft Endpoint Manager (Intune) console to deploy a policy update to all devices, which triggers multiple device access events.
Filter/Exclusion: Exclude events originating from the Intune service or from users with the "Intune Administrator" role.

Scenario: A developer is using the Azure CLI to debug a script that interacts with Azure Blob Storage, leading to temporary access to storage accounts.
Filter/Exclusion: Exclude activity from the Azure CLI tool or filter by the specific storage account names used in development environments.

Scenario: A user is using the Microsoft 365 Compliance Center to review eDiscovery cases, which involves querying and accessing various mailbox and file data.
Filter/Exclusion: Exclude activity from users with the "eDiscovery Manager" role or filter by the Compliance Center service endpoint.
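The repository query stops at the `UserAccountCreated` filter. The following is an added example (not the repository's query and not Microsoft's code) that carries the "Create/Delete Backdoor Account" idea through: it pairs each creation with a deletion of the same account on the same device inside a short window, applies exclusions on the columns `DeviceEvents` actually has, and summarises per creating account and day so that a single admin creating several short-lived accounts stands out. The two allow-lists (`known_provisioning_tools`, `known_service_accounts`) and their contents are hypothetical placeholders; replace them with the provisioning tools and service accounts in your own environment.

```kql
// Added example, not the repository's query: pair local account creations with deletions
// on the same device to surface the create-then-remove "backdoor account" pattern, and
// apply DeviceEvents-native exclusions instead of cloud role or endpoint filters.
let lookback = 30d;
let pairing_window = 24h;            // creation followed by deletion within this window is the pattern of interest
// Hypothetical allow-lists; replace with your own provisioning tools and service accounts.
let known_provisioning_tools = dynamic(["provisioningagent.exe", "sccmexec.exe"]);
let known_service_accounts   = dynamic(["svc_provisioning"]);
let created = DeviceEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "UserAccountCreated"
    | where InitiatingProcessFileName !in~ (known_provisioning_tools)
    | where InitiatingProcessAccountName !in~ (known_service_accounts)
    | project CreatedTime = Timestamp, DeviceId, DeviceName, AccountName,
              CreatedBy = InitiatingProcessAccountName,
              CreatedWith = InitiatingProcessFileName,
              CreateCommandLine = InitiatingProcessCommandLine;
let deleted = DeviceEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "UserAccountDeleted"
    | project DeletedTime = Timestamp, DeviceId, AccountName,
              DeletedBy = InitiatingProcessAccountName;
created
| join kind=leftouter deleted on DeviceId, AccountName
// Keep every creation; only count a deletion that lands inside the pairing window.
| extend DeletedTime = iff(DeletedTime between (CreatedTime .. (CreatedTime + pairing_window)), DeletedTime, datetime(null))
// Collapse multiple deletion rows for the same creation down to the earliest in-window one.
| summarize DeletedTime = min(DeletedTime),
            DeletedBy = take_anyif(DeletedBy, isnotnull(DeletedTime))
    by CreatedTime, DeviceId, DeviceName, AccountName, CreatedBy, CreatedWith, CreateCommandLine
| extend Pattern = iff(isnotnull(DeletedTime), "CreatedThenDeleted", "CreatedOnly"),
         Lifetime = DeletedTime - CreatedTime
// One row per creating account per day: who is creating accounts, how many, and how many vanished again.
| summarize AccountsCreated = dcount(AccountName),
            ShortLived = countif(Pattern == "CreatedThenDeleted"),
            MinLifetime = min(Lifetime),
            Accounts = make_set(AccountName, 25),
            Devices = make_set(DeviceName, 25),
            Tools = make_set(CreatedWith, 10),
            SampleCommandLine = take_any(CreateCommandLine)
    by CreatedBy, Day = bin(CreatedTime, 1d)
// Surface the interesting shapes: any create-then-delete, or more than one account created by the same person in a day.
| where ShortLived > 0 or AccountsCreated > 1
| order by ShortLived desc, AccountsCreated desc
```

Two design points. The deletion match is done with a left outer join and then nulled out when it falls outside the window, rather than filtered in the join, so a creation whose deletion happened weeks later is still reported as `CreatedOnly` instead of disappearing from the results. The final `where` is deliberately loose; in line with the collection's note that no single indicator is a determinant, the output is meant to feed an analyst or a risk score, not to raise an alert on its own.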