Users with administrative privileges accessing sensitive data outside of normal business hours may indicate an insider threat: such behaviour can signal data exfiltration or unauthorised access. SOC teams should proactively hunt for it in Azure Sentinel to identify and mitigate insider risk before it leads to a data breach or compliance violation. Note that the query below, as published, applies no time-of-day filter and selects `IsLocalAdmin == 0`, i.e. logons by accounts that are not local administrators on the device; hunting for administrative logons as described here requires `IsLocalAdmin == true` together with an additional time-window filter, and the off-hours condition has to be added by the analyst.
KQL Query

```kql
// --------------------------------------------------------------------------------------------------------------------------- //
//
//Local Administrator
//
DeviceLogonEvents
| where IsLocalAdmin ==0
| where InitiatingProcessAccountName != "system"
```
Hunting query definition (YAML as packaged for Sentinel; tactic names follow the Sentinel schema):

```yaml
id: d69ccf9a-4592-41db-a78f-f24108fea06e
name: insider-threat-detection-queries
description: |
  Intent:
  - Use MTP capability to look for insider threat potential risk indicators
  - Indicators would then serve as the building block for insider threat risk modeling in subsequent tools
  Definition of Insider Threat:
  "The potential for an individual who has or had authorized access to an organization's assets to use their access, either maliciously or unintentionally, to act in a way that could negatively affect the organization."
  This collection of queries describes the different indicators that could be used to model and look for patterns suggesting an increased risk of an individual becoming a potential insider threat.
  Note: no single indicator should be used as a lone determinant of insider threat activity, but should be part of an overall program to understand the increased risk to your organization's critical assets. This in turn is used to feed an investigation by a formal insider threat program to look at the context associated with the whole person to understand the implication of a set of indicators.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceLogonEvents
tactics:
  - InitialAccess
  - Persistence
  - Exfiltration
query: |
  // --------------------------------------------------------------------------------------------------------------------------- //
  //
  //Local Administrator
  //
  DeviceLogonEvents
  | where IsLocalAdmin ==0
  | where InitiatingProcessAccountName != "system"
```
| Sentinel Table | Notes |
|---|---|
| DeviceLogonEvents | Ensure the Microsoft 365 Defender (MicrosoftThreatProtection) data connector is enabled and this table is being ingested |
Known benign scenarios and how to exclude them. The field names below are the DeviceLogonEvents columns the query actually runs against (the initiating process is recorded as InitiatingProcessFileName, its parent as InitiatingProcessParentFileName, and the account that started it as InitiatingProcessAccountName); generic SIEM field names such as process.name do not exist in this table.

Scenario: System Administrator Performing Routine Maintenance
Description: A system administrator is running a scheduled job to clean up temporary files or update system configurations.
Filter/Exclusion: Exclude logons whose InitiatingProcessParentFileName is a known scheduler or administrative tool (e.g., the Task Scheduler host, powershell.exe run with admin privileges), or whose InitiatingProcessFileName/InitiatingProcessCommandLine points at a legitimate maintenance script (e.g., cleanup.bat, update_script.ps1). Scheduled tasks log on with LogonType "Batch", so restricting the hunt to Interactive and RemoteInteractive logon types removes this class of noise without maintaining a file-name list.

Scenario: Database Backup Job Execution
Description: A database backup job is running during off-peak hours, which may trigger alerts due to high disk I/O or unusual query patterns.
Filter/Exclusion: Exclude known backup tools by InitiatingProcessFileName (e.g., sqlbackup.exe, mysqldump.exe) or jobs started by the backup scheduler by InitiatingProcessParentFileName (e.g., sqlagent.exe). Agent jobs typically appear as Service or Batch logons under a service account, so excluding those logon types or the named service account is the more durable filter.

Scenario: User-Initiated File Transfer via Email Client
Description: An employee is transferring large files via email using a legitimate email client (e.g., Microsoft Outlook or Thunderbird), which may be flagged for unusual data movement.
Filter/Exclusion: This scenario concerns data movement rather than logons, so it only matters if the hunt is extended to DeviceFileEvents or DeviceNetworkEvents. In those tables, exclude the email client by InitiatingProcessFileName (e.g., outlook.exe, thunderbird.exe) or known email-related parents by InitiatingProcessParentFileName (e.g., msoutlk.exe).

Scenario: Scheduled Log Analysis by SIEM Tool
Description: A SIEM tool (e.g., Splunk, ELK Stack) is performing a scheduled log analysis task, which may generate a high volume of log parsing activity.
Filter/Exclusion: Collection agents run as services and show up as Service logons under their service account; exclude SIEM-related processes by InitiatingProcessFileName (e.g., splunkd.exe, logstash.exe) or filter by InitiatingProcessParentFileName
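The following is an added example, not the published hunting query or Microsoft's code. It shows the tuned form of the hunt that the description above implies: successful logons by local administrators, restricted to interactive logon types, outside business hours, with the benign-scenario exclusions expressed as DeviceLogonEvents columns, and summarised per account so an analyst gets one row per account rather than one per logon. The business-hours window (07:00 to 19:00 UTC, Monday to Friday), the seven-day lookback, and the service-account and scheduler-process lists are placeholders to tune per environment.

```kql
// Added example (not the original hunting query). Assumptions, to be tuned per environment:
// business hours 07:00-19:00 UTC Mon-Fri, a 7-day lookback, and the two exclusion lists below.
let lookback = 7d;
let business_start = 7;     // first business hour of the day (UTC)
let business_end = 19;      // first non-business hour of the day (UTC)
let known_service_accounts = dynamic(["svc_backup", "svc_sqlagent", "svc_splunk"]);  // assumed names
let known_schedulers = dynamic(["sqlagent.exe", "taskeng.exe"]);                      // assumed parents
DeviceLogonEvents
| where Timestamp > ago(lookback)
| where ActionType == "LogonSuccess"
| where IsLocalAdmin == true                                   // admin logons (the published query used == 0)
| where InitiatingProcessAccountName !~ "system"
| where LogonType in~ ("Interactive", "RemoteInteractive")     // drops Batch (scheduled tasks) and Service logons
| where AccountName !in~ (known_service_accounts)              // backup / SIEM service accounts
| where InitiatingProcessParentFileName !in~ (known_schedulers) // jobs launched by a known scheduler
| extend Hour = hourofday(Timestamp), Dow = dayofweek(Timestamp)
// outside the window, or on a weekend (dayofweek: 0d = Sunday, 6d = Saturday)
| where Hour < business_start or Hour >= business_end or Dow == 0d or Dow == 6d
| summarize LogonCount = count(),
            Devices = make_set(DeviceName, 10),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp)
  by AccountName, AccountDomain, LogonType
| order by LogonCount desc
```

Filtering on LogonType before the file-name lists is deliberate: scheduled tasks and services are identified by how they log on, which the attacker does not control, whereas a process-name allowlist has to be maintained and can be matched by a renamed binary. The per-account summary is what feeds the broader insider-risk model the YAML description refers to; a single off-hours admin logon is not by itself an indicator.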