New users calling sensitive watchlist templates may indicate potential insider threats or unauthorized data access attempts. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate risks associated with unknown or suspicious user activity involving sensitive data.
KQL Query
let starttime = todatetime('{{StartTimeISO}}');
let endtime = todatetime('{{EndTimeISO}}');
let lookback = starttime - 14d;
LAQueryLogs
| where TimeGenerated between(lookback..starttime)
| where QueryText has_any ('_GetWatchlist("VIPUsers")', "_GetWatchlist('VIPUsers')", '_GetWatchlist("ServiceAccounts")', "_GetWatchlist('ServiceAccounts')",'_GetWatchlist("HighValueAssets")', "_GetWatchlist('HighValueAssets')")
| summarize by AADEmail
| join kind = rightanti (LAQueryLogs
| where TimeGenerated between(starttime..endtime)
| where QueryText has_any ('_GetWatchlist("VIPUsers")', "_GetWatchlist('VIPUsers')", '_GetWatchlist("ServiceAccounts")', "_GetWatchlist('ServiceAccounts')",'_GetWatchlist("HighValueAssets")', "_GetWatchlist('HighValueAssets')"))
on AADEmail
| project TimeGenerated, AADEmail, QueryText, RequestClientApp, RequestTarget
| extend timestamp = TimeGenerated, AccountCustomEntity = AADEmail
id: f3dc87f3-64f9-405d-aa1b-fed98f859357
name: New users calling sensitive Watchlist
description: |
  'This hunting query looks for users who have run queries calling a watchlist template relating to sensitive data that have not previously been seen calling these watchlists.'
requiredDataConnectors:
  - connectorId: AzureMonitor(Query Audit)
    dataTypes:
      - LAQueryLogs
tactics:
  - Collection
relevantTechniques:
  - T1530
  - T1213
query: |
  let starttime = todatetime('{{StartTimeISO}}');
  let endtime = todatetime('{{EndTimeISO}}');
  let lookback = starttime - 14d;
  LAQueryLogs
  | where TimeGenerated between(lookback..starttime)
  | where QueryText has_any ('_GetWatchlist("VIPUsers")', "_GetWatchlist('VIPUsers')", '_GetWatchlist("ServiceAccounts")', "_GetWatchlist('ServiceAccounts')",'_GetWatchlist("HighValueAssets")', "_GetWatchlist('HighValueAssets')")
  | summarize by AADEmail
  | join kind = rightanti (LAQueryLogs
  | where TimeGenerated between(starttime..endtime)
  | where QueryText has_any ('_GetWatchlist("VIPUsers")', "_GetWatchlist('VIPUsers')", '_GetWatchlist("ServiceAccounts")', "_GetWatchlist('ServiceAccounts')",'_GetWatchlist("HighValueAssets")', "_GetWatchlist('HighValueAssets')"))
  on AADEmail
  | project TimeGenerated, AADEmail, QueryText, RequestClientApp, RequestTarget
  | extend timestamp = TimeGenerated, AccountCustomEntity = AADEmail
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: AccountCustomEntity
  - entityType: AzureResource
    fieldMappings:
      - identifier: ResourceId
        columnName: RequestTarget
Scenario: A system administrator is creating a new user account and runs a query to check if the username matches a known sensitive watchlist (e.g., for compliance purposes).
Filter/Exclusion: Exclude queries executed by users with the role admin or security_admin using the user field in the query.
Scenario: A scheduled job runs daily to check for new users against a watchlist as part of an onboarding process (e.g., using Splunk’s search command in a scheduled alert).
Filter/Exclusion: Exclude queries that are part of scheduled jobs by checking the scheduled field or using a custom field like job_type to identify automation tasks.
Scenario: A security analyst manually investigates a potential threat and runs a query against a sensitive watchlist to validate findings.
Filter/Exclusion: Exclude queries executed by users with the role security_analyst or threat_intel using the user field or a custom role field.
Scenario: A data governance tool runs a query to validate user access against a watchlist as part of a routine audit (e.g., using a third-party tool like LogRhythm or QRadar).
Filter/Exclusion: Exclude queries originating from specific tools or IP addresses associated with data governance systems, or use a custom field like tool_name to identify these activities.
Scenario: A development team runs a test query to simulate user access against a watchlist during a security testing exercise (e.g., using a tool like Elastic SIEM or a custom script).
Filter/Exclusion: Exclude queries that include a specific test identifier or timestamp range used during security testing, or use a custom field like test_mode to flag these events.
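To check what the hunting query above actually returns before deploying it, the following Python reimplements its logic over a handful of constructed LAQueryLogs rows: a 14-day baseline of users seen calling the sensitive watchlists before the hunt window, a rightanti join that keeps only hunt-window rows from users absent from that baseline, and the projection and entity columns the query emits. It also applies one of the exclusion ideas from the scenarios above, expressed against the RequestClientApp column the query already projects rather than the Splunk-style fields the scenarios mention. This is an added example, not code from the original page or from the Sentinel content repository; the sample rows, e-mail addresses, client app names and the automation allowlist are all constructed assumptions.

```python
from datetime import datetime, timedelta

# The same six literals the KQL has_any list matches against QueryText
SENSITIVE_WATCHLIST_CALLS = (
    '_GetWatchlist("VIPUsers")', "_GetWatchlist('VIPUsers')",
    '_GetWatchlist("ServiceAccounts")', "_GetWatchlist('ServiceAccounts')",
    '_GetWatchlist("HighValueAssets")', "_GetWatchlist('HighValueAssets')",
)

# Assumed allowlist of RequestClientApp values used by scheduled automation
# (constructed names; real values must be taken from your own LAQueryLogs data)
AUTOMATION_CLIENT_APPS = ("ScheduledOnboardingJob", "GovernanceAuditTool")


def calls_sensitive_watchlist(query_text):
    """Approximates KQL has_any for these literals with a case-insensitive substring test."""
    q = query_text.lower()
    return any(p.lower() in q for p in SENSITIVE_WATCHLIST_CALLS)


def hunt_new_watchlist_callers(rows, starttime, endtime, lookback_days=14, excluded_client_apps=()):
    """Return hunt-window rows from users not seen calling the watchlists in the lookback window.

    Mirrors the KQL: left side = distinct AADEmail in [lookback, starttime]; right side = matching rows
    in [starttime, endtime]; join kind=rightanti keeps right rows whose AADEmail has no left match.
    KQL between() is inclusive on both ends, so the comparisons below are too.
    """
    lookback = starttime - timedelta(days=lookback_days)
    hits = [r for r in rows if calls_sensitive_watchlist(r["QueryText"])]
    baseline = {r["AADEmail"] for r in hits if lookback <= r["TimeGenerated"] <= starttime}
    results = []
    for r in sorted(hits, key=lambda r: r["TimeGenerated"]):
        if not (starttime <= r["TimeGenerated"] <= endtime):
            continue
        if r["AADEmail"] in baseline:
            continue  # rightanti: user already known to call these watchlists
        if r.get("RequestClientApp") in excluded_client_apps:
            continue  # assumed exclusion for automation, see the scenarios above
        results.append({
            "TimeGenerated": r["TimeGenerated"], "AADEmail": r["AADEmail"],
            "QueryText": r["QueryText"], "RequestClientApp": r.get("RequestClientApp"),
            "RequestTarget": r.get("RequestTarget"),
            # | extend timestamp = TimeGenerated, AccountCustomEntity = AADEmail
            "timestamp": r["TimeGenerated"], "AccountCustomEntity": r["AADEmail"],
        })
    return results


# Constructed sample data: one day hunt window, with a 14-day lookback starting 2024-03-01
STARTTIME = datetime(2024, 3, 15)
ENDTIME = datetime(2024, 3, 16)
WORKSPACE = "/subscriptions/<sub-id>/resourceGroups/rg/providers/Microsoft.OperationalInsights/workspaces/ws1"


def _row(ts, email, query, app="HuntingPortal"):
    return {"TimeGenerated": ts, "AADEmail": email, "QueryText": query,
            "RequestClientApp": app, "RequestTarget": WORKSPACE}


SAMPLE_LAQUERYLOGS = [
    # alice seen inside the lookback window -> part of the baseline, suppressed later
    _row(datetime(2024, 3, 5, 9), "alice@contoso.example", "_GetWatchlist('VIPUsers') | take 10"),
    _row(datetime(2024, 3, 15, 10), "alice@contoso.example", '_GetWatchlist("VIPUsers") | count'),
    # bob has never called a sensitive watchlist before -> hit
    _row(datetime(2024, 3, 15, 11), "bob@contoso.example", '_GetWatchlist("ServiceAccounts")'),
    # carol is new, but the call came from an allowlisted automation client app -> excluded
    _row(datetime(2024, 3, 15, 12), "carol@contoso.example", "_GetWatchlist('HighValueAssets')",
         app="ScheduledOnboardingJob"),
    # dave is new but his query touches no sensitive watchlist -> not a hit
    _row(datetime(2024, 3, 15, 13), "dave@contoso.example", "Heartbeat | take 10"),
    # eve last called the watchlist 24 days ago, outside the 14-day lookback -> reported as new again
    _row(datetime(2024, 2, 20, 8), "eve@contoso.example", '_GetWatchlist("VIPUsers")'),
    _row(datetime(2024, 3, 15, 14), "eve@contoso.example", '_GetWatchlist("VIPUsers") | take 5'),
]


def run_hunt():
    return hunt_new_watchlist_callers(SAMPLE_LAQUERYLOGS, STARTTIME, ENDTIME,
                                      excluded_client_apps=AUTOMATION_CLIENT_APPS)


if __name__ == "__main__":
    for hit in run_hunt():
        print(hit["TimeGenerated"], hit["AADEmail"], hit["RequestClientApp"], hit["QueryText"])
```

The eve rows show the caveat of a fixed 14-day lookback: a legitimate user who calls the watchlist less often than once a fortnight is reported as "new" every time, so a longer lookback or a per-user allowlist is worth considering before triaging these results.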