A client application running Log Analytics queries for the first time may indicate an adversary establishing a foothold or exfiltrating data from the workspace. SOC teams should hunt for this behaviour proactively in Azure Sentinel to identify potential compromise and limit lateral movement. The query reads LAQueryLogs, the workspace's query audit table, which is only populated once the Audit log category has been enabled in the workspace's diagnostic settings. It compares every RequestClientApp seen in the hunt window against the clients that ran successful (ResponseCode 200) queries in a baseline period seven times as long as the window, so a client whose only earlier activity was failed queries is also reported the first time it succeeds.
KQL Query
let starttime = todatetime('{{StartTimeISO}}');
let endtime = todatetime('{{EndTimeISO}}');
// The baseline is seven times the length of the hunt window.
let lookback = totimespan((endtime-starttime)*7);
LAQueryLogs
// Anchor the baseline on starttime rather than ago(lookback): ago() is relative
// to the moment the query runs, so for a hunt window in the past the baseline
// would shrink to nothing and every client would be reported as new.
| where TimeGenerated between ((starttime - lookback)..starttime)
| where ResponseCode == 200
| join kind= rightanti(
LAQueryLogs
| where TimeGenerated between(starttime..endtime)
)
on RequestClientApp
| extend timestamp = TimeGenerated, AccountCustomEntity = AADEmail
id: 1dd98313-f43f-4d8b-9870-5a1dfb2cf93f
name: New client running queries
description: |
  'This hunting query looks for clients running queries that have not previously been seen running queries.'
requiredDataConnectors:
  - connectorId: AzureMonitor(Query Audit)
    dataTypes:
      - LAQueryLogs
tactics:
  - Collection
  - Exfiltration
relevantTechniques:
  - T1530
  - T1213
  - T1020
query: |
  let starttime = todatetime('{{StartTimeISO}}');
  let endtime = todatetime('{{EndTimeISO}}');
  // The baseline is seven times the length of the hunt window.
  let lookback = totimespan((endtime-starttime)*7);
  LAQueryLogs
  // Anchor the baseline on starttime rather than ago(lookback): ago() is relative
  // to the moment the query runs, so for a hunt window in the past the baseline
  // would shrink to nothing and every client would be reported as new.
  | where TimeGenerated between ((starttime - lookback)..starttime)
  | where ResponseCode == 200
  | join kind= rightanti(
  LAQueryLogs
  | where TimeGenerated between(starttime..endtime)
  )
  on RequestClientApp
  | extend timestamp = TimeGenerated, AccountCustomEntity = AADEmail
version: 1.0.0
metadata:
    source:
        kind: Community
    author:
        name: Pete Bryan
    support:
        tier: Microsoft
    categories:
        domains: [ "Security - Threat Protection" ]
False positive tuning
LAQueryLogs records queries sent to the Log Analytics query API, not processes on a host, so there is no process name or command line to filter on. Tune this hunt on the columns the table does carry: RequestClientApp (the client application string, which is supplied by the client and can therefore be imitated), AADEmail (the user or service principal that ran the query) and QueryText. Pair a client-string allowlist with the identity that is expected to use it rather than excluding on RequestClientApp alone.
Scenario: An administrator runs a one-off diagnostic query from a client not normally used in the workspace, for example a PowerShell module or a direct REST call, to troubleshoot a service issue.
Filter/Exclusion: Confirm that AADEmail belongs to the administrator and that QueryText matches the stated troubleshooting; if the client is expected to recur, allowlist its RequestClientApp value for that identity rather than excluding the whole account.
Scenario: A newly scheduled job, such as an automation runbook or Logic App, begins running the same query every day to generate reports.
Filter/Exclusion: Exclude the job's identity on AADEmail together with its RequestClientApp, and verify that QueryText is stable from run to run.
Scenario: A backup or status-check tool starts polling the workspace to confirm that its own job results have been ingested.
Filter/Exclusion: Allowlist the tool's RequestClientApp for the identity it authenticates with once the queries it runs have been reviewed.
Scenario: A third-party log collection or SIEM integration pulls logs out of the workspace through the query API.
Filter/Exclusion: Allowlist the integration's RequestClientApp and AADEmail, and review its QueryText for breadth, because an export integration and an exfiltration look alike in this table.
Scenario: A maintenance or health-check task, for example a workbook or scheduled query that reports on table sizes and retention, runs for the first time.
Filter/Exclusion: Exclude the task's identity on AADEmail, or filter on the specific QueryText it runs, rather than on the client string alone.
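The logic of the hunt above (a seven-window baseline of successful queries, a rightanti join on RequestClientApp, and the allowlist tuning from the false-positive scenarios) can be exercised offline. The following is an added example written for this page, not Sentinel's or the project's own code: it models the query over constructed LAQueryLogs-style rows (the client strings, identities and times are invented), and its baseline_anchor parameter reproduces the original ago(lookback) behaviour so the pitfall is visible.

```python
"""Reference model of the 'New client running queries' hunt over constructed
LAQueryLogs-style rows. Added example; not Sentinel's own code."""
from datetime import datetime, timedelta, timezone

# Hunt window, standing in for {{StartTimeISO}} / {{EndTimeISO}}.
START = datetime(2024, 3, 8, tzinfo=timezone.utc)
END = datetime(2024, 3, 9, tzinfo=timezone.utc)
# A run 30 days after the window, used to show the ago() pitfall.
LATE_NOW = START + timedelta(days=30)

# Constructed rows with the LAQueryLogs columns the query uses.
# RequestClientApp values are illustrative, not real client strings.
SAMPLE_ROWS = [
    # baseline period: the seven window-lengths before START
    {"TimeGenerated": START - timedelta(days=3), "RequestClientApp": "PortalClient",
     "AADEmail": "alice@contoso.example", "ResponseCode": 200},
    {"TimeGenerated": START - timedelta(days=2), "RequestClientApp": "SiemConnector",
     "AADEmail": "soc@contoso.example", "ResponseCode": 200},
    # PSModule only failed (403) in the baseline, so it is not a known client
    {"TimeGenerated": START - timedelta(days=1), "RequestClientApp": "PSModule",
     "AADEmail": "bob@contoso.example", "ResponseCode": 403},
    # hunt window
    {"TimeGenerated": START + timedelta(hours=2), "RequestClientApp": "PortalClient",
     "AADEmail": "alice@contoso.example", "ResponseCode": 200},
    {"TimeGenerated": START + timedelta(hours=5), "RequestClientApp": "PSModule",
     "AADEmail": "bob@contoso.example", "ResponseCode": 200},
    {"TimeGenerated": START + timedelta(hours=9), "RequestClientApp": "python-requests/2.31",
     "AADEmail": "mallory@contoso.example", "ResponseCode": 200},
]


def new_clients(rows, starttime, endtime, baseline_anchor=None, allowlist=frozenset()):
    """Rows from the hunt window whose RequestClientApp ran no successful query
    in the baseline, mirroring the rightanti join. baseline_anchor=None anchors
    the baseline on starttime (the corrected query); passing the run time
    reproduces the original ago(lookback) behaviour. allowlist is the
    false-positive tuning: client strings that are never reported."""
    lookback = (endtime - starttime) * 7
    anchor = starttime if baseline_anchor is None else baseline_anchor
    baseline_start = anchor - lookback
    # Left side of the join: clients with a 200 response in the baseline.
    known = {r["RequestClientApp"] for r in rows
             if baseline_start <= r["TimeGenerated"] <= starttime
             and r["ResponseCode"] == 200}
    # Right side minus matches, then the extend that names the entities.
    return [{**r, "timestamp": r["TimeGenerated"], "AccountCustomEntity": r["AADEmail"]}
            for r in rows
            if starttime <= r["TimeGenerated"] <= endtime
            and r["RequestClientApp"] not in known
            and r["RequestClientApp"] not in allowlist]


if __name__ == "__main__":
    for label, hits in [
        ("corrected baseline", new_clients(SAMPLE_ROWS, START, END)),
        ("with PSModule allowlisted", new_clients(SAMPLE_ROWS, START, END, allowlist={"PSModule"})),
        ("ago() anchored 30 days later", new_clients(SAMPLE_ROWS, START, END, baseline_anchor=LATE_NOW)),
    ]:
        print(label, [(h["RequestClientApp"], h["AccountCustomEntity"]) for h in hits])
```

With the baseline anchored on the window start, only PSModule and the python-requests client are reported: PortalClient is known, and PSModule counts as new because its baseline activity was a 403. Allowlisting PSModule leaves the single unexpected client. Anchoring the baseline on a run time 30 days later, as ago(lookback) does, empties the baseline and reports all three window clients, which is why the corrected query measures the lookback from starttime.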