Users with elevated privileges may exfiltrate sensitive data through Azure Storage Blob access patterns, indicating potential insider threat activity. Proactively hunting for such behavior enables early identification of compromised accounts or malicious insiders before significant data loss occurs.
KQL Query
// --------------------------------------------------------------------------------------------------------------------------- //
//
// Browse to Job Search website
//
// This query finds network communication to specific job-search-related URLs.
// Note: has_any matches whole terms (case-insensitive), so "job" matches ".../job/..." but not ".../jobs/...".
let partialRemoteUrlToDetect = pack_array(
"careerbuilder.com",
"career",
"glassdoor.com",
"indeed.com",
"internship",
"job",
"linkedin.com", // corrected from the misspelt "linkdin.com", which would never match real traffic
"monster.com",
"recruit",
"resume",
"simplyhired.com");
DeviceNetworkEvents
| where Timestamp > ago(30d)
and RemoteUrl has_any (partialRemoteUrlToDetect)
id: b2ac5ab0-52b0-4be5-9f3f-9d19b80bcc9e
name: insider-threat-detection-queries (9)
description: |
  Intent:
  - Use MTP capability to look for insider threat potential risk indicators
  - Indicators would then serve as the building block for insider threat risk modeling in subsequent tools
  Definition of Insider Threat:
  "The potential for an individual who has or had authorized access to an organization's assets to use their access, either maliciously or unintentionally, to act in a way that could negatively affect the organization."
  This collection of queries describes the different indicators that could be used to model and look for patterns suggesting an increased risk of an individual becoming a potential insider threat.
  Note: no single indicator should be used as a lone determinant of insider threat activity, but should be part of an overall program to understand the increased risk to your organization's critical assets. This in turn is used to feed an investigation by a formal insider threat program to look at the context associated with the whole person to understand the implication of a set of indicators.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceNetworkEvents
tactics:
  - Initial access
  - Persistence
  - Exfiltration
query: |
  // --------------------------------------------------------------------------------------------------------------------------- //
  //
  // Browse to Job Search website
  //
  // This query finds network communication to specific job-search-related URLs.
  // Note: has_any matches whole terms (case-insensitive), so "job" matches ".../job/..." but not ".../jobs/...".
  let partialRemoteUrlToDetect = pack_array(
  "careerbuilder.com",
  "career",
  "glassdoor.com",
  "indeed.com",
  "internship",
  "job",
  "linkedin.com", // corrected from the misspelt "linkdin.com", which would never match real traffic
  "monster.com",
  "recruit",
  "resume",
  "simplyhired.com");
  DeviceNetworkEvents
  | where Timestamp > ago(30d)
  and RemoteUrl has_any (partialRemoteUrlToDetect)
| Sentinel Table | Notes |
|---|---|
| DeviceNetworkEvents | Ensure this data connector is enabled |
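As an added example (not part of the original hunt or the Sentinel project), the same filter re-implemented offline in Python over constructed DeviceNetworkEvents rows. It approximates KQL `has_any` whole-term, case-insensitive matching so the effect of short indicators such as "job" or "career" can be checked before the hunt is run, and rolls hits up per account in line with the note that one indicator alone is not evidence. Account names, URLs and timestamps are constructed.

```python
import re
from datetime import datetime, timedelta, timezone
# Indicator list from the hunt above (linkedin.com spelled correctly).
PARTIAL_REMOTE_URLS = ["careerbuilder.com", "career", "glassdoor.com", "indeed.com",
                       "internship", "job", "linkedin.com", "monster.com", "recruit",
                       "resume", "simplyhired.com"]

def _terms(text):
    # Tokenise roughly like KQL term matching: case-insensitive alphanumeric runs.
    return re.findall(r"[a-z0-9]+", text.lower())

def has_any(value, indicators):
    # Approximates KQL `has_any`: an indicator matches only as whole term(s), so
    # "job" hits "/job/" but not "/jobs/". Returns the first match or None.
    vt = _terms(value)
    for ind in indicators:
        it = _terms(ind)
        if it and any(vt[i:i + len(it)] == it for i in range(len(vt) - len(it) + 1)):
            return ind
    return None

def hunt(events, now, lookback=timedelta(days=30)):
    # Same filter as the KQL: Timestamp > ago(30d) and RemoteUrl has_any(...).
    hits = []
    for ev in events:
        ind = has_any(ev["RemoteUrl"], PARTIAL_REMOTE_URLS)
        if ev["Timestamp"] > now - lookback and ind:
            hits.append({**ev, "MatchedIndicator": ind})
    return hits

def distinct_sites_per_account(hits):
    # One hit is weak evidence (see the note above); count distinct indicators
    # per account so repeated job-site activity stands out for review.
    sites = {}
    for h in hits:
        sites.setdefault(h["AccountName"], set()).add(h["MatchedIndicator"])
    return {acct: len(s) for acct, s in sites.items()}

NOW = datetime(2024, 6, 30, tzinfo=timezone.utc)  # constructed reference time
def _ev(days_ago, account, url):  # constructed DeviceNetworkEvents row, not real telemetry
    return {"Timestamp": NOW - timedelta(days=days_ago), "AccountName": account, "RemoteUrl": url}

SAMPLE_EVENTS = [
    _ev(1, "alice", "https://www.linkedin.com/jobs/view/12345"),
    _ev(2, "alice", "https://www.glassdoor.com/Job/sydney-analyst-jobs.htm"),
    _ev(3, "bob", "https://careers.contoso.example/openings"),  # "careers" != "career"
    _ev(3, "carol", "https://www.indeed.com/q-analyst-jobs.html"),
    _ev(4, "dave", "https://jobs.intranet.example/timesheet"),  # "jobs" != "job"
    _ev(45, "erin", "https://www.monster.com/"),  # outside the 30-day window
]
```

Running `hunt(SAMPLE_EVENTS, NOW)` returns only the alice and carol rows; bob and dave are skipped by whole-term matching and erin by the 30-day window.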
Scenario: Scheduled System Maintenance Job
Description: A legitimate scheduled job (e.g., Windows Task Scheduler or cron job) is performing routine maintenance tasks such as log rotation, disk cleanup, or system updates. These tasks may involve file access or modification that could be flagged as suspicious.
Filter/Exclusion: Exclude processes associated with known maintenance tools or scheduled tasks (e.g., logrotate, cleanmgr.exe, systemd-tmpfiles-clean, or task scheduler jobs with known names).
Scenario: Admin User Performing Configuration Changes
Description: An admin user is making legitimate configuration changes to network devices (e.g., using Cisco ISE, Juniper Junos, or Fortinet FortiGate) or modifying firewall rules via tools like iptables or Windows Firewall. These actions may trigger alerts due to unusual access patterns.
Filter/Exclusion: Exclude activity from admin users with elevated privileges or from known configuration management tools (e.g., Ansible, Chef, or Puppet).
Scenario: Data Backup Process
Description: A backup process (e.g., Veeam, Commvault, or rsync) is copying large volumes of data from one system to another. This can generate high disk I/O and file access events that may be flagged as potential insider threats.
Filter/Exclusion: Exclude processes associated with backup tools or scheduled backup jobs (e.g., veeambackup.exe, rsync, or backupexec.exe).
Scenario: User Accessing Logs for Troubleshooting
Description: A user is accessing system or application logs (e.g., using ELK Stack, Splunk, or Windows Event Viewer) to troubleshoot an issue. This can result in frequent file access or query patterns that may be flagged