Users with administrative privileges who create a second local account and then use it shortly afterwards, often outside normal business hours, are a recognised insider-threat indicator: a freshly created account that logs on within minutes of being created is the classic "backdoor account" pattern, and later activity such as data staging or exfiltration is then no longer tied to the creator's own identity. SOC teams should proactively hunt for this behaviour in Azure Sentinel using the Microsoft Defender for Endpoint device tables so that such accounts are identified, investigated and removed before they are used for a data breach or result in a compliance violation. The query below is one indicator from the insider-threat collection; as the collection's own note says, it should be correlated with other indicators rather than treated as proof on its own.
KQL Query
// --------------------------------------------------------------------------------------------------------------------------- //
// Backdoor Account Usage
//
// Look for newly created local accounts that log on successfully within 30 minutes of creation.
// The join is on both AccountName and DeviceId so that an account created on one device is not
// paired with a same-named account logging on to a different device; only successful logons count.
DeviceEvents
| where ActionType == "UserAccountCreated"
| project DeviceId, DeviceName, AccountName, Start=Timestamp, CreatedBy=InitiatingProcessAccountName, CreatorProcess=InitiatingProcessFileName
| join kind=inner
(
    DeviceLogonEvents
    | where ActionType == "LogonSuccess"
    | project DeviceId, AccountName, End=Timestamp, LogonType
) on AccountName, DeviceId
| where (End - Start) between (0min .. 30min)
| extend MinutesToLogon = datetime_diff("minute", End, Start)
| project-away DeviceId1, AccountName1
| order by Start desc
// Reference https://github.com/microsoft/Microsoft-threat-protection-Hunting-Queries/blob/master/Persistence/Create%20account.txt
id: a358a812-0e1b-4cbb-a91c-0bb1dbd3ea13
name: insider-threat-detection-queries (19)
description: |
  Intent:
  - Use MTP capability to look for insider threat potential risk indicators
  - Indicators would then serve as the building block for insider threat risk modeling in subsequent tools
  Definition of Insider Threat:
  "The potential for an individual who has or had authorized access to an organization's assets to use their access, either maliciously or unintentionally, to act in a way that could negatively affect the organization."
  This collection of queries describes the different indicators that could be used to model and look for patterns suggesting an increased risk of an individual becoming a potential insider threat.
  Note: no single indicator should be used as a lone determinant of insider threat activity, but should be part of an overall program to understand the increased risk to your organization's critical assets. This in turn is used to feed an investigation by a formal insider threat program to look at the context associated with the whole person to understand the implication of a set of indicators.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceEvents
      - DeviceLogonEvents
tactics:
  - Initial access
  - Persistence
  - Exfiltration
query: |
  // --------------------------------------------------------------------------------------------------------------------------- //
  // Backdoor Account Usage
  //
  // Look for newly created local accounts that log on successfully within 30 minutes of creation.
  // The join is on both AccountName and DeviceId so that an account created on one device is not
  // paired with a same-named account logging on to a different device; only successful logons count.
  DeviceEvents
  | where ActionType == "UserAccountCreated"
  | project DeviceId, DeviceName, AccountName, Start=Timestamp, CreatedBy=InitiatingProcessAccountName, CreatorProcess=InitiatingProcessFileName
  | join kind=inner
  (
      DeviceLogonEvents
      | where ActionType == "LogonSuccess"
      | project DeviceId, AccountName, End=Timestamp, LogonType
  ) on AccountName, DeviceId
  | where (End - Start) between (0min .. 30min)
  | extend MinutesToLogon = datetime_diff("minute", End, Start)
  | project-away DeviceId1, AccountName1
  | order by Start desc
  // Reference https://github.com/microsoft/Microsoft-threat-protection-Hunting-Queries/blob/master/Persistence/Create%20account.txt
| Sentinel Table | Notes |
|---|---|
| DeviceEvents | Ensure the Microsoft Threat Protection (Defender for Endpoint) data connector is enabled and this table is being ingested |
| DeviceLogonEvents | Ensure the Microsoft Threat Protection (Defender for Endpoint) data connector is enabled and this table is being ingested |
The following scenarios describe legitimate automation that produces noise for indicators in this collection. Scope each exclusion to a specific script, path, service account, process or host rather than to a whole role: excluding every administrator, or every off-hours action, removes exactly the population these indicators are meant to watch.

- Scenario: A system administrator is performing routine maintenance using PowerShell scripts to clean up temporary files.
  Filter/Exclusion: Exclude the known maintenance scripts by path or hash (e.g., scripts under C:\Windows\Temp or C:\Temp) and the specific maintenance account that runs them, rather than all PowerShell run by administrators.
- Scenario: A developer is using SQL Server Management Studio (SSMS) to run automated database backups as part of a scheduled job.
  Filter/Exclusion: Exclude queries executed by the SQL Server Agent service account or originating from the scheduled job.
- Scenario: A DevOps engineer is using Ansible to deploy configuration changes across multiple servers, which includes modifying system configurations.
  Filter/Exclusion: Exclude Ansible playbook executions and configuration-changing tasks when they are initiated from the known Ansible Tower or control nodes.
- Scenario: A database administrator is using MySQL Workbench to run performance tuning queries during off-peak hours.
  Filter/Exclusion: Exclude the named DBA accounts running MySQL Workbench from the expected hosts; do not exclude off-hours activity in general, since off-hours access is itself one of the indicators.
- Scenario: A user is using Power Automate to automate data transfers between on-premises and cloud systems.
  Filter/Exclusion: Exclude flows initiated by Power Automate or Microsoft Flow and executed by the accounts that hold automation privileges for those flows.
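As an added example (this is not code from the page or from Microsoft's hunting-query repository), the join logic of the backdoor-account query above is re-implemented in Python over constructed sample rows so it can be run offline. The column names follow the DeviceEvents and DeviceLogonEvents schema; the rows, device ids, account names and the "provisioning-agent.exe" creator process used for the allowlist are all invented for the example. It shows the 30-minute window, why failed logons are dropped, what goes wrong when the join is on AccountName alone, and how a narrowly scoped creator-process allowlist of the kind the tuning scenarios above call for reduces the output.

```python
from datetime import datetime, timedelta

# Constructed sample rows (not real telemetry) mimicking the columns of the
# DeviceEvents and DeviceLogonEvents tables that the hunting query joins.
DEVICE_EVENTS = [
    # A local account created by net.exe at 02:10 and used four minutes later.
    {"Timestamp": datetime(2024, 3, 4, 2, 10), "DeviceId": "dev-A",
     "ActionType": "UserAccountCreated", "AccountName": "svc_backup",
     "InitiatingProcessFileName": "net.exe"},
    # An account created by a hypothetical provisioning agent during business hours.
    {"Timestamp": datetime(2024, 3, 4, 9, 0), "DeviceId": "dev-B",
     "ActionType": "UserAccountCreated", "AccountName": "jdoe",
     "InitiatingProcessFileName": "provisioning-agent.exe"},
    # An account created on dev-C; the only matching logon is on a different device.
    {"Timestamp": datetime(2024, 3, 4, 10, 0), "DeviceId": "dev-C",
     "ActionType": "UserAccountCreated", "AccountName": "tempadmin",
     "InitiatingProcessFileName": "net.exe"},
    # A different action type that the query must ignore.
    {"Timestamp": datetime(2024, 3, 4, 10, 1), "DeviceId": "dev-C",
     "ActionType": "UserAccountModified", "AccountName": "tempadmin",
     "InitiatingProcessFileName": "net.exe"},
]

DEVICE_LOGON_EVENTS = [
    {"Timestamp": datetime(2024, 3, 4, 2, 12), "DeviceId": "dev-A", "AccountName": "svc_backup",
     "ActionType": "LogonFailed", "LogonType": "Interactive"},        # failed: not a use of the account
    {"Timestamp": datetime(2024, 3, 4, 2, 14), "DeviceId": "dev-A", "AccountName": "svc_backup",
     "ActionType": "LogonSuccess", "LogonType": "Interactive"},       # 4 min after creation: hit
    {"Timestamp": datetime(2024, 3, 4, 3, 0), "DeviceId": "dev-A", "AccountName": "svc_backup",
     "ActionType": "LogonSuccess", "LogonType": "Interactive"},       # 50 min: outside the window
    {"Timestamp": datetime(2024, 3, 4, 2, 20), "DeviceId": "dev-A", "AccountName": "admin",
     "ActionType": "LogonSuccess", "LogonType": "RemoteInteractive"}, # no creation event: ignored
    {"Timestamp": datetime(2024, 3, 4, 9, 10), "DeviceId": "dev-B", "AccountName": "jdoe",
     "ActionType": "LogonSuccess", "LogonType": "Interactive"},       # hit unless creator is allowlisted
    {"Timestamp": datetime(2024, 3, 4, 10, 5), "DeviceId": "dev-D", "AccountName": "tempadmin",
     "ActionType": "LogonSuccess", "LogonType": "Network"},           # same name, different device
]


def hunt_backdoor_accounts(device_events, logon_events, window=timedelta(minutes=30),
                           allowed_creators=frozenset(), same_device_only=True):
    """Pair each UserAccountCreated event with successful logons of that account within `window`.

    same_device_only=True reproduces the corrected join on (AccountName, DeviceId);
    False reproduces a join on AccountName alone, which also pairs accounts across devices.
    allowed_creators is a narrow allowlist of creating process names (tuning, not a role exclusion).
    """
    allowed = {name.lower() for name in allowed_creators}
    created = [e for e in device_events
               if e["ActionType"] == "UserAccountCreated"
               and e["InitiatingProcessFileName"].lower() not in allowed]
    successes = [l for l in logon_events if l["ActionType"] == "LogonSuccess"]
    hits = []
    for c in created:
        for l in successes:
            if l["AccountName"] != c["AccountName"]:
                continue
            if same_device_only and l["DeviceId"] != c["DeviceId"]:
                continue
            delta = l["Timestamp"] - c["Timestamp"]
            if timedelta(0) <= delta <= window:          # KQL 'between' is inclusive at both ends
                hits.append({"AccountName": c["AccountName"], "CreatedOn": c["DeviceId"],
                             "LogonOn": l["DeviceId"], "CreatedBy": c["InitiatingProcessFileName"],
                             "MinutesToLogon": delta.total_seconds() / 60,
                             "LogonType": l["LogonType"]})
    return sorted(hits, key=lambda h: (h["AccountName"], h["MinutesToLogon"]))


if __name__ == "__main__":
    for hit in hunt_backdoor_accounts(DEVICE_EVENTS, DEVICE_LOGON_EVENTS):
        print(hit)
```

Running it as-is reports svc_backup and jdoe; passing `allowed_creators={"provisioning-agent.exe"}` drops the provisioning-created account, and `same_device_only=False` additionally reports tempadmin paired with a logon on a device where it was never created, which is the spurious match a name-only join would produce.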