Users with elevated privileges may exfiltrate sensitive data through Azure Storage Blob access, indicating potential insider threat activity that could compromise organizational data integrity. Proactively hunting for such behavior in Azure Sentinel enables early identification of risky insider actions before significant damage occurs.
id: 2eb45b94-4848-4e02-9679-ceb10b2445f2
name: insider-threat-detection-queries (8)
description: |
  Intent:
  - Use MTP capability to look for insider threat potential risk indicators
  - Indicators would then serve as the building block for insider threat risk modeling in subsequent tools
  Definition of Insider Threat:
  "The potential for an individual who has or had authorized access to an organization's assets to use their access, either maliciously or unintentionally, to act in a way that could negatively affect the organization."
  This collection of queries describes the different indicators that could be used to model and look for patterns suggesting an increased risk of an individual becoming a potential insider threat.
  Note: no single indicator should be used as a lone determinant of insider threat activity, but should be part of an overall program to understand the increased risk to your organization's critical assets. This in turn is used to feed an investigation by a formal insider threat program to look at the context associated with the whole person to understand the implication of a set of indicators.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
tactics:
  - Initial access
  - Persistence
  - Exfiltration
query: |
  // --------------------------------------------------------------------------------------------------------------------------- //
  //
  // Usage of Source Control Management (SCM) Tool
  //
  // Update SCMTools with any additional SCM software specific to an organization.
  let SCMTools = pack_array("git.exe", "svn.exe", "hg.exe");
  DeviceProcessEvents
  | where FileName has_any (SCMTools)
      or ProcessCommandLine has_any (SCMTools)
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Ensure this data connector is enabled |
- Scenario: System administrator performing routine maintenance using PowerShell scripts to clean up temporary files.
  - Filter/Exclusion: `process.parent_process_name:"Windows PowerShell" AND process.command_line:*Cleanup*`
  - Tool/Task: Windows Task Scheduler or PowerShell scripts used for system maintenance.
- Scenario: Database administrator executing a scheduled backup job using SQL Server Agent.
  - Filter/Exclusion: `process.name:"sqlservr.exe" AND process.parent_process_name:"SQL Server Agent" AND process.command_line:*BACKUP*`
  - Tool/Task: SQL Server Backup Job scheduled via SQL Server Agent.
- Scenario: IT support technician using Splunk to monitor system logs for troubleshooting purposes.
  - Filter/Exclusion: `process.name:"splunkd.exe" AND process.parent_process_name:"splunk.exe" AND process.command_line:*search*`
  - Tool/Task: Splunk search commands used for log analysis and incident response.
- Scenario: DevOps engineer deploying a CI/CD pipeline using Jenkins, which triggers multiple process executions.
  - Filter/Exclusion: `process.parent_process_name:"jenkins.exe" AND process.command_line:*Jenkinsfile*`
  - Tool/Task: Jenkins pipeline execution for automated deployments.
- Scenario: Security analyst using Wireshark to capture and analyze network traffic for incident response.
  - Filter/Exclusion: `process.name:"wireshark.exe" AND process.parent_process_name:"explorer.exe" AND process.command_line:*capture*`
  - Tool/Task: Network traffic analysis using Wireshark for forensic investigation.
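The Python below is an added example, not part of the hunting query above or of Microsoft's content. It reproduces the query's two-column `has_any` match over constructed DeviceProcessEvents rows, then layers the kind of parent-process exclusion the tuning scenarios describe, and finally rolls the surviving hits up per account as one indicator for a risk model. The `has_term` helper approximates KQL `has` with a whole-token, case-insensitive match, so a file named `digit.exe` does not trip the `git.exe` rule the way a naive substring check would. The sanctioned-parent list (beyond `jenkins.exe`, which the Jenkins scenario names) and all sample rows are assumptions.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Mirrors the SCMTools list in the hunting query; extend with organisation-specific tools.
SCM_TOOLS = ["git.exe", "svn.exe", "hg.exe"]

# Hypothetical tuning list (assumption): parent processes treated as sanctioned
# automation. "jenkins.exe" is taken from the CI/CD scenario on this page.
SANCTIONED_PARENTS = {"jenkins.exe"}


@dataclass
class DeviceProcessEvent:
    """Subset of the Sentinel DeviceProcessEvents columns this example touches."""
    timestamp: str
    device_name: str
    account_name: str
    file_name: str
    process_command_line: str
    initiating_process_file_name: str  # parent process, used only for tuning


def has_term(text: str, term: str) -> bool:
    """Approximate KQL `has`: case-insensitive, whole-token match. The term must be
    bounded by string start/end or a non-alphanumeric character, so 'digit.exe'
    does not match 'git.exe' even though it contains it as a substring."""
    pattern = r"(?<![A-Za-z0-9])" + re.escape(term) + r"(?![A-Za-z0-9])"
    return re.search(pattern, text, flags=re.IGNORECASE) is not None


def has_any(text: str, terms) -> bool:
    return any(has_term(text, t) for t in terms)


def query_matches(events):
    """Stage 1: the query as written on the page
    (FileName has_any SCMTools or ProcessCommandLine has_any SCMTools)."""
    return [e for e in events
            if has_any(e.file_name, SCM_TOOLS) or has_any(e.process_command_line, SCM_TOOLS)]


def tuned_matches(events, sanctioned_parents=SANCTIONED_PARENTS):
    """Stage 2: drop hits whose parent process is sanctioned automation, the same
    idea as the Filter/Exclusion entries in the scenarios above."""
    return [e for e in query_matches(events)
            if e.initiating_process_file_name.lower() not in sanctioned_parents]


def indicator_counts(events):
    """Per-account count of tuned hits: one indicator to feed a risk model, never a
    verdict on its own (see the Note in the query description)."""
    return Counter(e.account_name for e in tuned_matches(events))


# Constructed sample rows (not real telemetry).
SAMPLE_EVENTS = [
    DeviceProcessEvent("2024-01-01T09:00:00Z", "ws-01", "alice", "git.exe",
                       "git.exe clone https://example.invalid/repo.git", "explorer.exe"),
    DeviceProcessEvent("2024-01-01T09:05:00Z", "build-01", "svc_build", "cmd.exe",
                       "cmd.exe /c git.exe push origin main", "jenkins.exe"),
    DeviceProcessEvent("2024-01-01T09:10:00Z", "ws-02", "bob", "powershell.exe",
                       "powershell.exe -Command Get-Process", "explorer.exe"),
    DeviceProcessEvent("2024-01-01T09:15:00Z", "ws-02", "bob", "svn.exe",
                       "SVN.EXE export https://example.invalid/svn/trunk", "powershell.exe"),
    DeviceProcessEvent("2024-01-01T09:20:00Z", "ws-03", "carol", "digit.exe",
                       "digit.exe --render", "explorer.exe"),
]

if __name__ == "__main__":
    for e in tuned_matches(SAMPLE_EVENTS):
        print(f"{e.timestamp} {e.device_name} {e.account_name}: {e.process_command_line}")
    print(dict(indicator_counts(SAMPLE_EVENTS)))
```

Running it lists the two hits that survive tuning (alice on ws-01, bob on ws-02); the Jenkins-launched push is matched by the raw query but suppressed by the parent allowlist, and the `digit.exe` row never matches. Pass `sanctioned_parents=set()` to `tuned_matches` to see the untuned result the page's query alone would return.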