Users with administrative privileges accessing sensitive data repositories at unusual times may indicate potential insider threats, as such behavior could signal data exfiltration or unauthorized access attempts. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate insider risks before they lead to data breaches or compliance violations.
KQL Query
```kql
// --------------------------------------------------------------------------------------------------------------------------- //
//
// Open Scanner Software
//
// Replace and extend with any desired .exes
let ScannerEXEs = pack_array ("WFS.exe");
DeviceProcessEvents
| where ProcessCommandLine has_any (ScannerEXEs) or FileName has_any (ScannerEXEs)
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessParentFileName, ProcessCommandLine, InitiatingProcessCommandLine
```
```yaml
id: 81881945-a4e5-44bd-b36f-8b5a90cfb073
name: insider-threat-detection-queries (14)
description: |
  Intent:
  - Use MTP capability to look for insider threat potential risk indicators
  - Indicators would then serve as the building block for insider threat risk modeling in subsequent tools
  Definition of Insider Threat:
  "The potential for an individual who has or had authorized access to an organization's assets to use their access, either maliciously or unintentionally, to act in a way that could negatively affect the organization."
  This collection of queries describes the different indicators that could be used to model and look for patterns suggesting an increased risk of an individual becoming a potential insider threat.
  Note: no single indicator should be used as a lone determinant of insider threat activity, but should be part of an overall program to understand the increased risk to your organization's critical assets. This in turn is used to feed an investigation by a formal insider threat program to look at the context associated with the whole person to understand the implication of a set of indicators.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
tactics:
  - Initial access
  - Persistence
  - Exfiltration
query: |
  // --------------------------------------------------------------------------------------------------------------------------- //
  //
  // Open Scanner Software
  //
  // Replace and extend with any desired .exes
  let ScannerEXEs = pack_array ("WFS.exe");
  DeviceProcessEvents
  | where ProcessCommandLine has_any (ScannerEXEs) or FileName has_any (ScannerEXEs)
  | project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessParentFileName, ProcessCommandLine, InitiatingProcessCommandLine
```
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Backup Job
Description: A legitimate scheduled job runs during off-hours to back up critical system files using MTP (Microsoft Threat Protection) capabilities.
Filter/Exclusion: Exclude activity related to known backup tools like Veeam Backup & Replication or Microsoft Azure Backup by checking the process name or command line arguments.
Scenario: Admin Task for Patch Management
Description: A system administrator uses MTP to monitor and manage patch deployment across endpoints, which may trigger alerts due to unusual access patterns.
Filter/Exclusion: Exclude activity from known admin tools like Microsoft Endpoint Manager (Intune) or Windows Server Update Services (WSUS) by checking the user context or process name.
Scenario: User-Initiated File Transfer
Description: An employee transfers large files between internal systems using MTP, which may be flagged as suspicious due to the volume or timing.
Filter/Exclusion: Exclude file transfers initiated by users with elevated privileges or using tools like Robocopy, rsync, or scp by checking the command-line arguments or source/destination paths.
Scenario: Log Collection and Monitoring Tool
Description: A security tool like Splunk or ELK Stack uses MTP to collect and analyze logs, which may trigger alerts due to high data transfer or access to sensitive directories.
Filter/Exclusion: Exclude activity from known log collection tools by checking the process name or using a whitelist of allowed IP addresses or user accounts.
Scenario: Automated Compliance Check
Description: A compliance tool runs an automated scan using MTP to check for policy violations, which may generate alerts due to the volume of access or data movement.
Filter/Exclusion: Exclude activity from known compliance tools like Microsoft Compliance Manager or **Palo
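The following is an added example, not part of the original hunting query or the Sentinel content hub, showing how the scanner-software hunt above can be narrowed to the off-hours pattern described in the introduction and combined with the exclusion approach from the scenarios. The business-hours window, the excluded parent process names and the excluded service account are placeholders to replace with your own environment's values.

```kql
// Added example: off-hours scanner-software launches with scenario-based exclusions.
// Column names are from the DeviceProcessEvents advanced hunting schema.
let ScannerEXEs = dynamic(["WFS.exe"]);                 // extend with any desired .exes
// Assumed business hours (UTC): 07:00-19:00, Monday to Friday. Adjust per organization.
let BusinessStart = 7;
let BusinessEnd = 19;
// Placeholder exclusions for the backup / patch-management scenarios above.
// Replace with the actual parent processes and service accounts observed in your tenant.
let ExcludedParents = dynamic(["BackupTool.exe", "PatchAgent.exe"]);   // placeholders
let ExcludedAccounts = dynamic(["svc_backup"]);                          // placeholder
DeviceProcessEvents
| where Timestamp > ago(30d)
| where FileName has_any (ScannerEXEs) or ProcessCommandLine has_any (ScannerEXEs)
// Apply the scenario exclusions on parent process and account context
| where InitiatingProcessFileName !in~ (ExcludedParents)
| where AccountName !in~ (ExcludedAccounts)
// Keep only launches outside business hours or on weekends (0d = Sunday, 6d = Saturday)
| extend Hour = hourofday(Timestamp), Day = dayofweek(Timestamp)
| where Hour < BusinessStart or Hour >= BusinessEnd or Day == 0d or Day == 6d
// Aggregate per account and day so one user's repeated off-hours scanning stands out
| summarize Launches = count(),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp),
            Devices = make_set(DeviceName, 20),
            CommandLines = make_set(ProcessCommandLine, 10)
  by AccountName, AccountDomain, Day = bin(Timestamp, 1d)
| order by Launches desc
```

The per-account, per-day aggregation is what turns the raw process list into an indicator that can be correlated with the other queries in this collection, rather than a lone determinant.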