Users with elevated privileges may attempt to access sensitive data or systems outside their normal job functions, indicating potential insider threat activity that could compromise organizational security. Proactively hunting for such behavior in Azure Sentinel enables early detection of insider risks before they lead to data exfiltration or system compromise.
KQL Query
// --------------------------------------------------------------------------------------------------------------------------- //
//
//Access after Termination
//
// Look for any activity by a terminated employee account creating a
// DeviceNetworkEvents after they were released
let TermAccount = 'FORMER_EMPLOYEE_NAME'; // Could also use SID
let ReleaseTime = datetime("01/16/2022 00:00:00");
//
DeviceNetworkEvents
| where InitiatingProcessAccountName =~ TermAccount
| where Timestamp > ReleaseTime
| project Timestamp, DeviceName, InitiatingProcessAccountName
| sort by Timestamp desc
id: eb5bf874-a707-4997-8d66-433cbf8b2f26
name: insider-threat-detection-queries (6)
description: |
  Intent:
  - Use MTP capability to look for insider threat potential risk indicators
  - Indicators would then serve as the building block for insider threat risk modeling in subsequent tools
  Definition of Insider Threat:
  "The potential for an individual who has or had authorized access to an organization's assets to use their access, either maliciously or unintentionally, to act in a way that could negatively affect the organization."
  This collection of queries describes the different indicators that could be used to model and look for patterns suggesting an increased risk of an individual becoming a potential insider threat.
  Note: no single indicator should be used as a lone determinant of insider threat activity, but should be part of an overall program to understand the increased risk to your organization's critical assets. This in turn is used to feed an investigation by a formal insider threat program to look at the context associated with the whole person to understand the implication of a set of indicators.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceNetworkEvents
tactics:
  - Initial access
  - Persistence
  - Exfiltration
query: |
  // --------------------------------------------------------------------------------------------------------------------------- //
  //
  //Access after Termination
  //
  // Look for any activity by a terminated employee account creating a
  // DeviceNetworkEvents after they were released
  let TermAccount = 'FORMER_EMPLOYEE_NAME'; // Could also use SID
  let ReleaseTime = datetime("01/16/2022 00:00:00");
  //
  DeviceNetworkEvents
  | where InitiatingProcessAccountName =~ TermAccount
  | where Timestamp > ReleaseTime
  | project Timestamp, DeviceName, InitiatingProcessAccountName
  | sort by Timestamp desc
| Sentinel Table | Notes |
|---|---|
| DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: A system administrator is using PowerShell to automate routine system maintenance tasks (e.g., log rotation or disk cleanup).
Filter/Exclusion: Check for the presence of known admin tools or scripts in the command line (e.g., powershell.exe -Command with Get-ChildItem or Remove-Item in known maintenance directories).
Scenario: A database administrator is running a scheduled SQL job to archive old data.
Filter/Exclusion: Filter by SQL Server process ID or check for known job names in SQL Agent jobs, or use a whitelist of database maintenance scripts.
Scenario: An IT support technician is using the Windows Task Scheduler to run a legitimate script for user account cleanup.
Filter/Exclusion: Filter by process name (schtasks.exe) or check for known task names in the Task Scheduler, or verify the script path against a known whitelist of support tools.
Scenario: A developer is using a CI/CD pipeline (e.g., Jenkins) to deploy code to a staging environment.
Filter/Exclusion: Filter by process name (java -jar jenkins.war) or check for known CI/CD tool identifiers, or verify the deployment path against a known deployment directory.
Scenario: A network administrator is using Wireshark to analyze network traffic for troubleshooting purposes.
Filter/Exclusion: Filter by process name (wireshark.exe) or check for known network analysis tools, or verify the capture file location against a known analysis directory.
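The query above takes one account name and one release time, and the scenarios above describe exclusions in prose only. The following KQL is an added example, not part of the original query or the Sentinel repository, that generalizes both points: it hunts over a list of terminated accounts keyed by SID (the "Could also use SID" comment in the query), each with its own release time, and tags rather than drops events that match one of the known-benign scenarios so an analyst still sees them. The account names, SIDs, release times and the `MaintenanceRoot` path in the `datatable` are constructed placeholders; in practice the termination list would come from HR or identity data (for example a watchlist) rather than being embedded in the query.

```kql
// Added example: hunt for post-termination DeviceNetworkEvents across several
// accounts, with the benign scenarios tagged so they can be triaged rather than
// silently excluded. All values in the datatable and MaintenanceRoot are
// constructed placeholders, not real accounts or paths.
let Terminations = datatable(AccountName:string, AccountSid:string, ReleaseTime:datetime) [
    "former.employee1", "S-1-5-21-0-0-0-1001", datetime(2022-01-16 00:00:00),
    "former.employee2", "S-1-5-21-0-0-0-1002", datetime(2022-02-01 09:00:00)
];
// Placeholder for the directory that holds approved maintenance scripts
// (the "known maintenance directories" from the first scenario above).
let MaintenanceRoot = @"C:\Scripts\Maintenance\";
DeviceNetworkEvents
// Match on the SID so a re-used or renamed account name does not hide activity.
| join kind=inner Terminations on $left.InitiatingProcessAccountSid == $right.AccountSid
// Only activity after that person's own release time is of interest.
| where Timestamp > ReleaseTime
// Tag events that fit one of the documented benign scenarios; "none" means
// no known explanation and is the set to look at first.
| extend BenignScenario = case(
    InitiatingProcessFolderPath startswith MaintenanceRoot, "maintenance script directory",
    InitiatingProcessFileName =~ "schtasks.exe", "Task Scheduler",
    InitiatingProcessFileName =~ "java.exe" and InitiatingProcessCommandLine contains "jenkins.war", "CI/CD (Jenkins)",
    InitiatingProcessFileName =~ "wireshark.exe", "network analysis tool",
    "none")
| project Timestamp, DeviceName, AccountName, InitiatingProcessAccountSid,
          HoursAfterRelease = datetime_diff("hour", Timestamp, ReleaseTime),
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          RemoteIP, RemotePort, RemoteUrl, BenignScenario
| sort by Timestamp desc
```

Appending `| where BenignScenario == "none"` narrows the result to the unexplained events, but keep the tagged rows for context: a terminated account that is still driving a scheduled task or a CI/CD runner is itself a finding for the offboarding process, even when the individual events are benign. `HoursAfterRelease` makes it easy to separate activity in the first few hours (often a deprovisioning lag) from activity days later.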