Users with administrative privileges accessing sensitive data repositories at unusual times can be an indicator of insider threat, since such behavior may signal data exfiltration or unauthorized access. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate insider risks before they lead to data breaches or compliance violations.
KQL Query
// --------------------------------------------------------------------------------------------------------------------------- //
//
// Service Account Use
//
let ServiceAccountPrefix = pack_array( // Declare the account name prefixes that identify service accounts
'_',
'svc',
'service'
);
let InteractiveTypes = pack_array( // Declare the interactive logon type names
'Interactive',
'CachedInteractive',
'Unlock',
'RemoteInteractive',
'CachedRemoteInteractive',
'CachedUnlock'
);
let WhitelistedAccounts = pack_array(
'WhitelistAccount1',
'WhitelistAccount2'
); // List of accounts that match the criteria but are permitted to log on interactively
DeviceLogonEvents // Get all logon events...
| where AccountName !in~ (WhitelistedAccounts) // ...where it is not a whitelisted account...
| where ActionType == "LogonSuccess" // ...and the logon was successful...
| where AccountName !contains "$" // ...and not a machine (computer$) logon...
| extend Prefix = ServiceAccountPrefix // ...attach the prefix list to each row (startswith cannot take an array directly)...
| mv-apply Prefix to typeof(string) on (where AccountName startswith Prefix) // ...and keep rows whose account name starts with one of the service account prefixes...
| where LogonType in (InteractiveTypes) // ...and the logon type is interactive, which a service account should not normally use
id: b2ef671b-57c1-4660-9247-9e88e5e0a16d
name: insider-threat-detection-queries (17)
description: |
  Intent:
  - Use MTP capability to look for insider threat potential risk indicators
  - Indicators would then serve as the building block for insider threat risk modeling in subsequent tools
  Definition of Insider Threat:
  "The potential for an individual who has or had authorized access to an organization's assets to use their access, either maliciously or unintentionally, to act in a way that could negatively affect the organization."
  This collection of queries describes the different indicators that could be used to model and look for patterns suggesting an increased risk of an individual becoming a potential insider threat.
  Note: no single indicator should be used as a lone determinant of insider threat activity; each should be part of an overall program to understand the increased risk to your organization's critical assets. This in turn feeds an investigation by a formal insider threat program, which looks at the context associated with the whole person to understand the implication of a set of indicators.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceLogonEvents
tactics:
  - Initial access
  - Persistence
  - Exfiltration
query: |
  // --------------------------------------------------------------------------------------------------------------------------- //
  //
  // Service Account Use
  //
  let ServiceAccountPrefix = pack_array( // Declare the account name prefixes that identify service accounts
  '_',
  'svc',
  'service'
  );
  let InteractiveTypes = pack_array( // Declare the interactive logon type names
  'Interactive',
  'CachedInteractive',
  'Unlock',
  'RemoteInteractive',
  'CachedRemoteInteractive',
  'CachedUnlock'
  );
  let WhitelistedAccounts = pack_array(
  'WhitelistAccount1',
  'WhitelistAccount2'
  ); // List of accounts that match the criteria but are permitted to log on interactively
  DeviceLogonEvents // Get all logon events...
  | where AccountName !in~ (WhitelistedAccounts) // ...where it is not a whitelisted account...
  | where ActionType == "LogonSuccess" // ...and the logon was successful...
  | where AccountName !contains "$" // ...and not a machine (computer$) logon...
  | extend Prefix = ServiceAccountPrefix // ...attach the prefix list to each row (startswith cannot take an array directly)...
  | mv-apply Prefix to typeof(string) on (where AccountName startswith Prefix) // ...and keep rows whose account name starts with one of the service account prefixes...
  | where LogonType in (InteractiveTypes) // ...and the logon type is interactive, which a service account should not normally use
| Sentinel Table | Notes |
|---|---|
| DeviceLogonEvents | Ensure this data connector is enabled |
Scenario: System Backup Job Execution
Description: A scheduled backup job (e.g., using Veeam or Commvault) is executing and transferring large volumes of data across the network, which may trigger the rule due to high data transfer.
Filter/Exclusion: Exclude traffic associated with known backup tools (e.g., process.name: VeeamBackup or process.name: Commvault) or use a filter like process.name NOT IN ("Veeam", "Commvault", "rsync").
Scenario: Admin Task for Log Collection
Description: An administrator is using a tool like Splunk or ELK Stack to collect logs from multiple servers, which may be flagged as unusual data movement.
Filter/Exclusion: Exclude processes related to log collection tools (e.g., process.name: splunkforwarder or process.name: fluentd) or use a filter like process.name NOT IN ("splunkforwarder", "fluentd", "logstash").
Scenario: Database Maintenance Task
Description: A database administrator is running a maintenance task (e.g., using mysqldump or pg_dump) to export or archive data, which may be flagged as potential data exfiltration.
Filter/Exclusion: Exclude known database maintenance tools (e.g., process.name: mysqldump or process.name: pg_dump) or use a filter like process.name NOT IN ("mysqldump", "pg_dump", "sqlcmd").
Scenario: User-Initiated File Transfer
Description: A user is transferring files between internal systems using a tool like WinSCP or FileZilla, which may be flagged as suspicious data movement.
Filter/Exclusion: Exclude known file transfer tools (e.g., process.name: WinSCP
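The following KQL is an added example and is not the page's query or Microsoft's: it rolls the Service Account Use indicator up per account so the result can act as the building block for risk modeling that the description calls for, and it expresses the process-based tuning from the scenarios above against the DeviceLogonEvents schema (the scenarios' `process.name` maps to the `InitiatingProcessFileName` column here; `RemoteIP`, `DeviceName` and `Timestamp` are also DeviceLogonEvents columns). The 30-day lookback, the 07:00 to 19:00 business-hours window and the `KnownTools` file names are placeholder assumptions to be tuned per environment.

```kql
// Added example (not the page's query): Service Account Use indicator aggregated
// per account, with the scenarios' process exclusions and an off-hours measure.
let Lookback = 30d;                 // assumed hunting window
let BusinessStartHour = 7;          // assumed local business hours: 07:00-19:00
let BusinessEndHour = 19;
let ServiceAccountPrefix = dynamic(['_', 'svc', 'service']);
let InteractiveTypes = dynamic(['Interactive', 'CachedInteractive', 'Unlock',
                                'RemoteInteractive', 'CachedRemoteInteractive', 'CachedUnlock']);
let WhitelistedAccounts = dynamic(['WhitelistAccount1', 'WhitelistAccount2']);
// Processes that legitimately initiate logons with service credentials in this
// environment (placeholder names mapped from the scenarios' process.name exclusions)
let KnownTools = dynamic(['VeeamBackup.exe', 'splunkforwarder.exe', 'mysqldump.exe', 'WinSCP.exe']);
DeviceLogonEvents
| where Timestamp > ago(Lookback)
| where ActionType == "LogonSuccess"
| where LogonType in (InteractiveTypes)                  // interactive use of the credential
| where AccountName !contains "$"                        // drop computer accounts
| where AccountName !in~ (WhitelistedAccounts)           // accounts approved for interactive use
| where isempty(InitiatingProcessFileName)
    or InitiatingProcessFileName !in~ (KnownTools)       // tuning exclusion for known benign tooling
| extend Prefix = ServiceAccountPrefix
| mv-apply Prefix to typeof(string) on (where AccountName startswith Prefix) // prefix match against the list
| extend IsOffHours = hourofday(Timestamp) < BusinessStartHour or hourofday(Timestamp) >= BusinessEndHour
| summarize
    LogonCount = count(),
    OffHoursLogons = countif(IsOffHours),
    DistinctDevices = dcount(DeviceName),
    DistinctRemoteIPs = dcount(RemoteIP),
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp),
    SampleDevices = make_set(DeviceName, 10)
    by AccountDomain, AccountName, MatchedPrefix = Prefix
| extend OffHoursRatio = round(todouble(OffHoursLogons) / LogonCount, 2)
| order by LogonCount desc, OffHoursRatio desc
```

Each output row is one service account seen logging on interactively, with counts rather than raw events, so the same account can be scored alongside the other indicators in this collection instead of being treated as a finding on its own. `OffHoursRatio` ties the indicator back to the "unusual times" angle in the introduction; a single interactive logon from a backup or jump host during the day and a sustained pattern of night-time RDP sessions from many remote IPs rank very differently once the events are summarized.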