Administrative users accessing sensitive data repositories at unusual times can be an insider-threat indicator: the activity may signal data exfiltration or unauthorized access. SOC teams should hunt proactively for it in Azure Sentinel so that insider risks are identified and mitigated before they become data breaches or compliance violations.
KQL Query
// --------------------------------------------------------------------------------------------------------------------------- //
//
//Personal Email Account
//
//This query searches for connections to specific webmail URLs
let webmailURLs = pack_array ("mail.google.com", "mail.yahoo.com", "mail.protonmail.com"); // Change or append additional webmail URLs
DeviceNetworkEvents
| where Timestamp > ago(30d)
    and RemoteUrl has_any (webmailURLs)
id: 48b0ff4e-385c-4362-a184-612834a0b8c6
name: insider-threat-detection-queries (5)
description: |
  Intent:
  - Use MTP capability to look for insider threat potential risk indicators
  - Indicators would then serve as the building block for insider threat risk modeling in subsequent tools
  Definition of Insider Threat:
  "The potential for an individual who has or had authorized access to an organization's assets to use their access, either maliciously or unintentionally, to act in a way that could negatively affect the organization."
  This collection of queries describes the different indicators that could be used to model and look for patterns suggesting an increased risk of an individual becoming a potential insider threat.
  Note: no single indicator should be used as a lone determinant of insider threat activity, but should be part of an overall program to understand the increased risk to your organization's critical assets. This in turn is used to feed an investigation by a formal insider threat program to look at the context associated with the whole person to understand the implication of a set of indicators.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceNetworkEvents
tactics:
  - Initial access
  - Persistence
  - Exfiltration
query: |
  // --------------------------------------------------------------------------------------------------------------------------- //
  //
  //Personal Email Account
  //
  //This query searches for connections to specific webmail URLs
  let webmailURLs = pack_array ("mail.google.com", "mail.yahoo.com", "mail.protonmail.com"); // Change or append additional webmail URLs
  DeviceNetworkEvents
  | where Timestamp > ago(30d)
      and RemoteUrl has_any (webmailURLs)
| Sentinel Table | Notes |
|---|---|
| DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: System Administrator Performing Routine Maintenance
Description: A system administrator is running a scheduled maintenance job that involves modifying user permissions or auditing logs, which could trigger the rule due to changes in user access.
Filter/Exclusion: Use process.parent_process_name: to exclude processes initiated by known administrative tools like task scheduler or schtasks.exe. Example: process.parent_process_name:"task scheduler".
Scenario: Database Backup Job Executing
Description: A database backup job is running, which may involve copying large volumes of data or accessing sensitive files, triggering the rule due to data movement patterns.
Filter/Exclusion: Use process.name: to exclude known backup tools like sqlbackup.exe or vssadmin.exe. Example: process.name:"sqlbackup.exe".
Scenario: User Running a Legitimate Script for Compliance Audit
Description: A user is executing a script (e.g., using PowerShell or Python) to perform a compliance audit, which may involve querying user activity logs or accessing sensitive data.
Filter/Exclusion: Use process.name: to exclude scripts or tools associated with audit tasks, such as powershell.exe with a known audit script signature. Example: process.name:"powershell.exe" AND process.args:"audit-script.ps1".
Scenario: IT Team Deploying a Patch via SCCM
Description: A patch deployment via System Center Configuration Manager (SCCM) may involve modifying user configurations or deploying software, which could be flagged as insider activity.
Filter/Exclusion: Use process.name: to exclude SCCM-related processes like ccmexec.exe or smsts.exe. Example: process.name:"ccmexec.exe".
Scenario: User Accessing Logs for Troubleshooting
Description: A user is
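The hunting query and the false-positive scenarios above can be combined into one Kusto query. The following is an added example, not code from the original page or from the Sentinel project: it keeps the page's webmail host list, expresses the scenario exclusions with the DeviceNetworkEvents columns Kusto exposes for the initiating process (InitiatingProcessFileName, InitiatingProcessParentFileName, InitiatingProcessCommandLine), and summarizes per device and account with an off-hours count so the "unusual times" indicator from the introduction is visible in the result. The excluded binaries, the parent-process list, the audit-script name and the 07:00-19:00 working window are assumptions taken from the scenarios or chosen for illustration; tune them to your environment.

```kql
// Added example (not from the original page or its project): the page's
// webmail query with the false-positive exclusions written in Kusto,
// summarized per device and account, plus an off-hours connection count.
let lookback = 30d;
let webmailURLs = dynamic(["mail.google.com", "mail.yahoo.com", "mail.protonmail.com"]);
// Assumed allow-lists built from the scenarios above (backup, SCCM,
// scheduled maintenance); adjust to what actually runs in your estate.
let excludedProcesses = dynamic(["sqlbackup.exe", "vssadmin.exe", "ccmexec.exe", "smsts.exe"]);
let excludedParents = dynamic(["schtasks.exe"]);
// Assumed working hours in the tenant's local time: 07:00 to 19:00.
let workStart = 7;
let workEnd = 19;
DeviceNetworkEvents
| where Timestamp > ago(lookback)
| where RemoteUrl has_any (webmailURLs)
// Only established connections; drop failed/blocked attempts
| where ActionType == "ConnectionSuccess"
| where InitiatingProcessFileName !in~ (excludedProcesses)
| where InitiatingProcessParentFileName !in~ (excludedParents)
// Compliance audit script: exclude only when both host process and script name match
| where not(InitiatingProcessFileName =~ "powershell.exe"
            and InitiatingProcessCommandLine has "audit-script.ps1")
| extend Hour = hourofday(Timestamp)
| extend IsOffHours = Hour < workStart or Hour >= workEnd
| summarize ConnectionCount = count(),
            OffHoursCount = countif(IsOffHours),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp),
            WebmailHosts = make_set(RemoteUrl, 10),
            Processes = make_set(InitiatingProcessFileName, 10)
    by DeviceName, InitiatingProcessAccountName
| extend OffHoursRatio = round(todouble(OffHoursCount) / ConnectionCount, 2)
| order by OffHoursCount desc, ConnectionCount desc
```

Keeping the raw per-connection rows out of the result and summarizing by device and account makes the output reviewable as an indicator rather than an alert: a single off-hours webmail connection from a browser is not by itself actionable, but an account whose OffHoursRatio is high across many days, or whose Processes set contains something other than a browser, is worth handing to the insider-threat program for the whole-person context the page describes.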