Users with administrative privileges accessing sensitive data repositories at unusual times may indicate potential insider threats, as such behavior could signal data exfiltration or unauthorized access attempts. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate insider risks before they lead to data breaches or compliance violations.
KQL Query
```kusto
//Reference: https://github.com/microsoft/Microsoft-threat-protection-Hunting-Queries/blob/master/Lateral%20Movement/ServiceAccountsPerformingRemotePS.txt
// --------------------------------------------------------------------------------------------------------------------------- //
//
// Outbound Email with Attachments of Interest
//
// This snippet looks for anyone sending source code as an attachment, based on
// the file extension. A more advanced version would depend on DLP to determine
// the attachment type and surface it as a field in EmailAttachmentInfo.
//
// whitelist any senders (automated mailboxes, build systems, etc.)
let okaySenders = dynamic(["[email protected]"]);
//
let eattach = EmailAttachmentInfo
| where SenderFromAddress !in (okaySenders)
| project Timestamp, FileName, SenderFromAddress, NetworkMessageId
// add the list of extensions relevant to your organization
// (endswith is case-insensitive, so ".CPP" matches as well as ".cpp")
| where FileName endswith ".cs" or
    FileName endswith ".c" or
    FileName endswith ".h" or
    FileName endswith ".hpp" or
    FileName endswith ".hxx" or
    FileName endswith ".cpp" or
    FileName endswith ".hh" or
    FileName endswith ".cc" or
    FileName endswith ".cxx" or
    FileName endswith ".py";
// get the emails associated with the attachments
eattach
| join EmailEvents on NetworkMessageId
// Remove (or change) this line for email direction
// (EmailEvents also carries EmailDirection: Inbound / Outbound / Intra-org)
| where DeliveryLocation == "On-premises/external"
//
// report stats
// include this line if you want just a summary of how often it occurs
//| summarize outbound_emails_with_attachments=count()
// or include this line if you want to know per sender
//| summarize outbound_emails_with_attachments=count() by SenderFromAddress
```
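The query above is a good starting point but is brittle in two ways a SOC will notice quickly: the extension list is hard to maintain as a chain of `endswith` clauses, and a single stray e-mail produces a row. The following is an added example (it is not part of the original page or of Microsoft's hunting-query repository) that keeps the same data sources and intent but moves the tunables into `dynamic` arrays, filters on `EmailEvents.EmailDirection` instead of `DeliveryLocation`, drops mail to the organization's own domains, and summarizes per sender per day with a threshold. The sender allowlist, the internal domain list and the threshold are placeholders that must be replaced with your own values.

```kusto
// Added example: tightened outbound-source-code hunt over EmailAttachmentInfo / EmailEvents.
// Placeholder values (sender allowlist, internal domains, threshold) are assumptions for this
// example and are not taken from the original page.
let lookback = 7d;
let okaySenders = dynamic(["build-notifications@example.com"]);   // placeholder: trusted automated senders
let internalDomains = dynamic(["example.com"]);                    // placeholder: your own mail domains
let codeExtensions = dynamic([".cs", ".c", ".h", ".hpp", ".hxx", ".cpp", ".hh", ".cc", ".cxx", ".py"]);
let minAttachmentsPerDay = 3;                                      // placeholder threshold; tune per environment
EmailAttachmentInfo
| where Timestamp > ago(lookback)
| where SenderFromAddress !in~ (okaySenders)
// "in" is case-sensitive (unlike endswith), so normalise the extension before comparing
| extend Ext = tolower(extract(@"(\.[^.]+)$", 1, FileName))
| where Ext in (codeExtensions)
| project Timestamp, NetworkMessageId, SenderFromAddress, FileName, FileType, SHA256
| join kind=inner (
    EmailEvents
    | where Timestamp > ago(lookback)
    | where EmailDirection == "Outbound"
    | project NetworkMessageId, RecipientEmailAddress, Subject,
              RecipientDomain = tolower(tostring(split(RecipientEmailAddress, "@")[1]))
  ) on NetworkMessageId
// mail that stays inside the organisation is handled by a separate, lower-severity hunt
| where RecipientDomain !in (internalDomains)
// one row per sender per day: distinct attachments, what was sent and to whom
| summarize Attachments = dcount(SHA256),
            Files = make_set(FileName, 20),
            Recipients = make_set(RecipientEmailAddress, 20),
            FirstSeen = min(Timestamp), LastSeen = max(Timestamp)
    by SenderFromAddress, Day = bin(Timestamp, 1d)
| where Attachments >= minAttachmentsPerDay
| order by Attachments desc
```

Counting distinct `SHA256` values rather than rows avoids inflating the score when the same file is sent to several recipients (one `EmailAttachmentInfo` row per recipient). The threshold is deliberately a `let` so the same query can be run at 1 for a broad hunt and raised for a scheduled analytics rule.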
```yaml
id: 8ba93e9e-ea27-4b2f-9bb4-b458bc3e42e8
name: insider-threat-detection-queries (18)
description: |
  Intent:
  - Use MTP capability to look for insider threat potential risk indicators
  - Indicators would then serve as the building block for insider threat risk modeling in subsequent tools
  Definition of Insider Threat:
  "The potential for an individual who has or had authorized access to an organization's assets to use their access, either maliciously or unintentionally, to act in a way that could negatively affect the organization."
  This collection of queries describes the different indicators that could be used to model and look for patterns suggesting an increased risk of an individual becoming a potential insider threat.
  Note: no single indicator should be used as a lone determinant of insider threat activity, but should be part of an overall program to understand the increased risk to your organization's critical assets. This in turn is used to feed an investigation by a formal insider threat program to look at the context associated with the whole person to understand the implication of a set of indicators.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - EmailAttachmentInfo
      - EmailEvents
tactics:
  - Initial access
  - Persistence
  - Exfiltration
query: |
  //Reference: https://github.com/microsoft/Microsoft-threat-protection-Hunting-Queries/blob/master/Lateral%20Movement/ServiceAccountsPerformingRemotePS.txt
  // --------------------------------------------------------------------------------------------------------------------------- //
  //
  // Outbound Email with Attachments of Interest
  //
  // This snippet looks for anyone sending source code as an attachment, based on
  // the file extension. A more advanced version would depend on DLP to determine
  // the attachment type and surface it as a field in EmailAttachmentInfo.
  //
  // whitelist any senders
  let okaySenders = dynamic(["[email protected]"]);
  //
  let eattach = EmailAttachmentInfo
  | where SenderFromAddress !in (okaySenders)
  | project Timestamp, FileName, SenderFromAddress, NetworkMessageId
  // add the list of extensions relevant to your organization
  | where FileName endswith ".cs" or
      FileName endswith ".c" or
      FileName endswith ".h" or
      FileName endswith ".hpp" or
      FileName endswith ".hxx" or
      FileName endswith ".cpp" or
      FileName endswith ".hh" or
      FileName endswith ".cc" or
      FileName endswith ".cxx" or
      FileName endswith ".py";
  // get the emails associated with the attachments
  eattach
  | join EmailEvents on NetworkMessageId
  // Remove (or change) this line for email direction
  | where DeliveryLocation == "On-premises/external"
  //
  // report stats
  // include this line if you want just a summary of how often it occurs
  //| summarize outbound_emails_with_attachments=count()
  // or include this
```
| Sentinel Table | Notes |
|---|---|
| EmailAttachmentInfo | Ensure this data connector is enabled |
| EmailEvents | Ensure this data connector is enabled |
- Scenario: Scheduled System Backup Job
  - Description: A legitimate scheduled job (e.g., Veeam Backup & Replication, Commvault, or Veritas NetBackup) is executing a backup of sensitive data, which may trigger the rule due to data access patterns.
  - Filter/Exclusion: Exclude processes associated with known backup tools using the process.name field, e.g., VeeamBackup.exe, CommvaultJob.exe, or nbprocess.exe.
- Scenario: Admin Task for Patch Management
  - Description: An administrator is performing a patch update using a tool like Windows Update, WSUS, or Microsoft Endpoint Manager, which may involve accessing or modifying system files.
  - Filter/Exclusion: Exclude processes related to patch management tools using process.name such as wuauclt.exe, msiexec.exe, or MpCmdRun.exe.
- Scenario: User-Initiated File Transfer
  - Description: A user is transferring files between internal systems using a tool like rsync, scp, or Robocopy, which could be flagged as suspicious data movement.
  - Filter/Exclusion: Exclude file transfer commands using process.name or command_line matching rsync, scp, or robocopy.
- Scenario: Log Collection and Monitoring Tool
  - Description: A log aggregation tool like Splunk, ELK Stack, or Graylog is collecting logs from various systems, which may involve reading sensitive files or directories.
  - Filter/Exclusion: Exclude processes associated with log collection tools using process.name such as splunkd.exe, logstash.exe, or graylog-server.
- Scenario: Database Maintenance Task
  - Description: A database maintenance task (e.g., SQL Server Maintenance Plan, `