Users with administrative privileges accessing sensitive data outside of normal business hours may indicate potential insider threats, as such behavior could signal unauthorized data exfiltration or sabotage. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate insider risks before they lead to data breaches or operational disruptions.
KQL Query
```kql
// --------------------------------------------------------------------------------------------------------------------------- //
//
// Use of Steganography Application
//
// Extend the stegnames array with known steganography tools.
// We could also use the known hashes of steganography tools and match on the SHA256 column of these tables.
let stegnames = pack_array ("camouflage","crypture", "hidensend", "openpuff","picsel","silenteye","steg","xiao");
// Process launches whose command line contains one of the tool names as a whole term (has_any is term-based, not substring).
let ProcessQuery = view(){
DeviceProcessEvents
| where ProcessCommandLine has_any (stegnames)
};
// File events whose file name contains one of the tool names as a whole term.
let FileQuery = view(){
DeviceFileEvents
| where FileName has_any (stegnames)
};
union ProcessQuery, FileQuery
| project Timestamp, DeviceName, InitiatingProcessAccountName, FileName, InitiatingProcessFileName, InitiatingProcessParentFileName, InitiatingProcessCommandLine
```
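The query above relies on KQL `has_any`, which matches whole terms rather than substrings, and its comment suggests extending the hunt with known tool hashes. The following Python is an added example, not part of the original hunting query, that reproduces the union-and-match logic over constructed DeviceProcessEvents and DeviceFileEvents rows so the difference between term matching (`has_any`) and substring matching (`contains`) is visible: the term-based form misses `steghide.exe` but does not fire on `steganography_policy.txt`. The hash set is a constructed placeholder, not a real tool hash.

```python
import re

# Tool-name indicators copied from the page's hunting query.
STEGNAMES = ("camouflage", "crypture", "hidensend", "openpuff",
             "picsel", "silenteye", "steg", "xiao")
# Constructed placeholder hash standing in for a curated list of known tool SHA256 values.
STEG_SHA256 = {"00" * 32}

def terms(text):
    """Approximate KQL term breaking: maximal alphanumeric runs, case-insensitive."""
    return set(re.findall(r"[a-z0-9]+", text.lower()))

def has_any(text, needles):
    """KQL has_any semantics: a needle must equal a whole term, not a substring."""
    t = terms(text)
    return any(n.lower() in t for n in needles)

def contains_any(text, needles):
    """KQL contains semantics for comparison: plain substring match."""
    low = text.lower()
    return any(n.lower() in low for n in needles)

# Constructed sample rows standing in for the two Defender tables (not real telemetry).
PROCESS_EVENTS = [
    {"Timestamp": "2024-03-01T22:14Z", "DeviceName": "ws01", "Account": "alice",
     "ProcessCommandLine": '"C:\\Tools\\openpuff.exe" -hide q.docx', "SHA256": "11" * 32},
    {"Timestamp": "2024-03-01T22:20Z", "DeviceName": "ws02", "Account": "bob",
     "ProcessCommandLine": "steghide.exe embed -cf pic.jpg -ef list.txt", "SHA256": "22" * 32},
    {"Timestamp": "2024-03-01T09:00Z", "DeviceName": "ws03", "Account": "carol",
     "ProcessCommandLine": "notepad.exe C:\\steganography_policy.txt", "SHA256": "33" * 32},
]
FILE_EVENTS = [
    {"Timestamp": "2024-03-02T01:05Z", "DeviceName": "ws02", "Account": "bob",
     "FileName": "renamed.exe", "SHA256": "00" * 32},
    {"Timestamp": "2024-03-02T01:07Z", "DeviceName": "ws04", "Account": "dave",
     "FileName": "xiao_steganography.zip", "SHA256": "44" * 32},
]

def hunt(matcher=has_any):
    """Union of both tables, projected like the page's query, with the hash extension added."""
    hits = []
    for row in PROCESS_EVENTS:
        if matcher(row["ProcessCommandLine"], STEGNAMES) or row["SHA256"] in STEG_SHA256:
            hits.append((row["Timestamp"], row["DeviceName"], row["Account"], "process"))
    for row in FILE_EVENTS:
        if matcher(row["FileName"], STEGNAMES) or row["SHA256"] in STEG_SHA256:
            hits.append((row["Timestamp"], row["DeviceName"], row["Account"], "file"))
    return sorted(hits)
```

Running `hunt()` returns three rows (openpuff, the hash-only hit on the renamed binary, and the xiao archive), while `hunt(contains_any)` returns five because the substring form also picks up `steghide.exe` and the benign policy document.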
```yaml
id: 1cdf6fe8-6232-48ba-bbd8-b9881c30e0e9
name: insider-threat-detection-queries (2)
description: |
  Intent:
  - Use MTP capability to look for insider threat potential risk indicators
  - Indicators would then serve as the building block for insider threat risk modeling in subsequent tools
  Definition of Insider Threat:
  "The potential for an individual who has or had authorized access to an organization's assets to use their access, either maliciously or unintentionally, to act in a way that could negatively affect the organization."
  This collection of queries describes the different indicators that could be used to model and look for patterns suggesting an increased risk of an individual becoming a potential insider threat.
  Note: no single indicator should be used as a lone determinant of insider threat activity, but should be part of an overall program to understand the increased risk to your organization's critical assets. This in turn is used to feed an investigation by a formal insider threat program to look at the context associated with the whole person to understand the implication of a set of indicators.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
      - DeviceFileEvents
tactics:
  - Initial access
  - Persistence
  - Exfiltration
query: |
  // --------------------------------------------------------------------------------------------------------------------------- //
  //
  // Use of Steganography Application
  //
  // Extend the stegnames array with known steganography tools.
  // We could also use the known hashes of steganography tools and match on the SHA256 column of these tables.
  let stegnames = pack_array ("camouflage","crypture", "hidensend", "openpuff","picsel","silenteye","steg","xiao");
  let ProcessQuery = view(){
  DeviceProcessEvents
  | where ProcessCommandLine has_any (stegnames)
  };
  let FileQuery = view(){
  DeviceFileEvents
  | where FileName has_any (stegnames)
  };
  union ProcessQuery, FileQuery
  | project Timestamp, DeviceName, InitiatingProcessAccountName, FileName, InitiatingProcessFileName, InitiatingProcessParentFileName, InitiatingProcessCommandLine
```
| Sentinel Table | Notes |
|---|---|
| DeviceFileEvents | Ensure this data connector is enabled |
| DeviceProcessEvents | Ensure this data connector is enabled |
Scenario: System Maintenance Task Using MTP
Description: A system administrator is performing routine maintenance using the Microsoft Threat Protection (MTP) tool to investigate a potential security incident.
Filter/Exclusion: Add a filter for process.parent_process_name == "Microsoft Threat Protection" or process.command_line contains "mtp.exe" to exclude legitimate administrative tasks.
Scenario: Scheduled Job for Data Backup
Description: A scheduled job is running a data backup process that temporarily accesses sensitive files, triggering MTP alerts due to unusual file access patterns.
Filter/Exclusion: Exclude processes associated with backup tools like Veeam Backup & Replication or Commvault using process.name == "veeam.exe" or process.name == "cvbackup.exe".
Scenario: User-Initiated File Transfer
Description: An employee is transferring files between internal servers using a legitimate file transfer tool like Robocopy or rsync, which may be flagged by MTP for unusual access patterns.
Filter/Exclusion: Exclude processes related to file transfer utilities using process.name == "robocopy.exe" or process.name == "rsync.exe".
Scenario: Admin Task for Log Analysis
Description: A security analyst is reviewing logs using a tool like Splunk or ELK Stack, which may trigger MTP alerts due to high-frequency access to log files.
Filter/Exclusion: Exclude processes associated with log analysis tools using process.name == "splunkd.exe" or process.name == "elasticsearch.exe".
Scenario: Patching Activity Using Windows Update
Description: A Windows Update process is running to install patches, which may trigger MTP alerts due to elevated privileges or unusual access to system files.
Filter/Exclusion: Exclude