Users with administrative privileges may exfiltrate sensitive data through Azure Storage Blob access, indicating potential insider threat activity that could compromise organizational data integrity. Proactively hunting for such behavior in Azure Sentinel enables early detection of insider risks and supports the development of robust insider threat models.
KQL Query

```kql
// --------------------------------------------------------------------------------------------------------------------------- //
//
// Screenshots
//
let PRINT_THRESHOLD = 3; // adjust accordingly
//-----
DeviceProcessEvents
| where FileName in ("SnippingTool.exe", "ScreenSketch.exe") //and Timestamp > ago(20d)
| summarize count_AccountName = count() by AccountName
| where count_AccountName > PRINT_THRESHOLD
| sort by count_AccountName desc
```
```yaml
id: 72e7f2c9-aba5-427e-b2ec-f68c191010ec
name: insider-threat-detection-queries (3)
description: |
  Intent:
  - Use MTP capability to look for insider threat potential risk indicators
  - Indicators would then serve as the building block for insider threat risk modeling in subsequent tools
  Definition of Insider Threat:
  "The potential for an individual who has or had authorized access to an organization's assets to use their access, either maliciously or unintentionally, to act in a way that could negatively affect the organization."
  This collection of queries describes the different indicators that could be used to model and look for patterns suggesting an increased risk of an individual becoming a potential insider threat.
  Note: no single indicator should be used as a lone determinant of insider threat activity, but should be part of an overall program to understand the increased risk to your organization's critical assets. This in turn is used to feed an investigation by a formal insider threat program to look at the context associated with the whole person to understand the implication of a set of indicators.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
tactics:
  - Initial access
  - Persistence
  - Exfiltration
query: |
  // --------------------------------------------------------------------------------------------------------------------------- //
  //
  // Screenshots
  //
  let PRINT_THRESHOLD = 3; // adjust accordingly
  //-----
  DeviceProcessEvents
  | where FileName in ("SnippingTool.exe", "ScreenSketch.exe") //and Timestamp > ago(20d)
  | summarize count_AccountName = count() by AccountName
  | where count_AccountName > PRINT_THRESHOLD
  | sort by count_AccountName desc
```
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Ensure this data connector is enabled |
- **Scenario:** A system administrator is performing routine maintenance using PowerShell to clean up old log files.
  **Filter/Exclusion:** Exclude PowerShell scripts executed by users with Administrative Privileges or from known maintenance directories (e.g., `C:\Windows\System32\`).
- **Scenario:** A database administrator is running a scheduled SQL job to archive historical data.
  **Filter/Exclusion:** Exclude queries executed by SQL Server Agent Jobs or users with DBA roles.
- **Scenario:** An IT support technician is using LogonSessions to investigate a user login event via Event Viewer.
  **Filter/Exclusion:** Exclude events related to Logon/Logoff activities or events generated by Local System or the Administrators group.
- **Scenario:** A developer is using PowerShell to automate configuration changes across multiple servers via Puppet or Chef.
  **Filter/Exclusion:** Exclude PowerShell scripts executed by Configuration Management Tools or users with DevOps roles.
- **Scenario:** A user is running a scheduled backup job using Veeam or Commvault to back up critical data.
  **Filter/Exclusion:** Exclude activities associated with backup tools or users with Backup Operator privileges.
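The query above and the tuning scenarios that follow it describe three knobs a hunter ends up adjusting: the per-account threshold (`PRINT_THRESHOLD`), the lookback window (the commented-out `Timestamp > ago(20d)`), and an exclusion list for accounts whose screenshot activity is expected. The following Python is an added example, not code from the original page or from Microsoft Sentinel, that reproduces the query's logic (filter on `FileName`, count per `AccountName`, keep counts above the threshold, sort descending) over a handful of constructed `DeviceProcessEvents` rows so the effect of each knob can be seen offline. The account names, timestamps and the `excluded_accounts` parameter are assumptions made for the example; the `FileName` match is case-sensitive, as KQL's `in` operator is.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Same process names and threshold as the page's query; adjust accordingly.
SCREENSHOT_TOOLS = {"SnippingTool.exe", "ScreenSketch.exe"}
PRINT_THRESHOLD = 3

# Constructed sample DeviceProcessEvents rows (not real telemetry); only the
# columns the query touches are included.
SAMPLE_EVENTS = [
    {"Timestamp": "2024-05-01T09:12:00Z", "AccountName": "alice", "FileName": "SnippingTool.exe"},
    {"Timestamp": "2024-05-02T10:00:00Z", "AccountName": "alice", "FileName": "ScreenSketch.exe"},
    {"Timestamp": "2024-05-03T11:30:00Z", "AccountName": "alice", "FileName": "SnippingTool.exe"},
    {"Timestamp": "2024-05-04T14:05:00Z", "AccountName": "alice", "FileName": "ScreenSketch.exe"},
    {"Timestamp": "2024-05-05T16:45:00Z", "AccountName": "alice", "FileName": "SnippingTool.exe"},
    {"Timestamp": "2024-05-05T16:50:00Z", "AccountName": "alice", "FileName": "explorer.exe"},  # ignored
    {"Timestamp": "2024-05-06T08:00:00Z", "AccountName": "bob", "FileName": "SnippingTool.exe"},
    {"Timestamp": "2024-05-07T08:10:00Z", "AccountName": "bob", "FileName": "SnippingTool.exe"},
    {"Timestamp": "2024-04-10T12:00:00Z", "AccountName": "carol", "FileName": "SnippingTool.exe"},  # old
    {"Timestamp": "2024-05-08T09:00:00Z", "AccountName": "carol", "FileName": "SnippingTool.exe"},
    {"Timestamp": "2024-05-09T09:00:00Z", "AccountName": "carol", "FileName": "SnippingTool.exe"},
    {"Timestamp": "2024-05-10T09:00:00Z", "AccountName": "carol", "FileName": "SnippingTool.exe"},
    {"Timestamp": "2024-05-11T13:00:00Z", "AccountName": "helpdesk-svc", "FileName": "ScreenSketch.exe"},
    {"Timestamp": "2024-05-12T13:00:00Z", "AccountName": "helpdesk-svc", "FileName": "ScreenSketch.exe"},
    {"Timestamp": "2024-05-13T13:00:00Z", "AccountName": "helpdesk-svc", "FileName": "ScreenSketch.exe"},
    {"Timestamp": "2024-05-14T13:00:00Z", "AccountName": "helpdesk-svc", "FileName": "ScreenSketch.exe"},
    {"Timestamp": "2024-05-15T10:00:00Z", "AccountName": "dave", "FileName": "notepad.exe"},  # ignored
]

# Fixed "now" so the constructed sample evaluates the same way every run
# (a live job would use datetime.now(timezone.utc)).
NOW = datetime(2024, 5, 20, tzinfo=timezone.utc)


def parse_ts(value):
    """Parse the ISO-8601 'Z' timestamps used in the sample rows as UTC."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def screenshot_counts(events, now=NOW, lookback_days=20,
                      threshold=PRINT_THRESHOLD, excluded_accounts=frozenset()):
    """Python equivalent of the KQL pipeline.

    Returns [(AccountName, count), ...] for accounts whose screenshot-tool
    launches inside the lookback window exceed `threshold`, sorted by count
    descending (ties broken by account name for stable output).
    `excluded_accounts` is the assumed exclusion list for accounts whose
    screenshot use is expected (compared case-insensitively).
    """
    cutoff = now - timedelta(days=lookback_days)
    counts = Counter()
    for ev in events:
        if ev["FileName"] not in SCREENSHOT_TOOLS:          # where FileName in (...)
            continue
        if parse_ts(ev["Timestamp"]) < cutoff:              # Timestamp > ago(Nd)
            continue
        if ev["AccountName"].lower() in excluded_accounts:  # tuning exclusion
            continue
        counts[ev["AccountName"]] += 1                      # summarize count() by AccountName
    flagged = [(acct, n) for acct, n in counts.items() if n > threshold]
    flagged.sort(key=lambda pair: (-pair[1], pair[0]))      # sort by count desc
    return flagged


if __name__ == "__main__":
    print("default:", screenshot_counts(SAMPLE_EVENTS))
    print("service account excluded:",
          screenshot_counts(SAMPLE_EVENTS, excluded_accounts=frozenset({"helpdesk-svc"})))
    print("60-day window:", screenshot_counts(SAMPLE_EVENTS, lookback_days=60))
```

With the 20-day window, `carol` drops below the threshold because one of her four launches is older than the window, while `helpdesk-svc` is flagged until it is added to the exclusion list; widening the window to 60 days brings `carol` back. That is the behaviour a hunter should expect when turning the commented-out `Timestamp` filter on or off in the KQL.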