An account that runs Log Analytics queries for the first time is worth a second look: it may be a newly provisioned identity, an existing account driven by an unfamiliar tool, or an adversary with stolen credentials reading the workspace to learn what the SOC can see and to collect log data (the query is mapped to the Collection tactic, T1530 and T1213). SOC teams should hunt for this behaviour in Azure Sentinel using LAQueryLogs, the Log Analytics query audit table, which is only populated when the workspace's Query Audit diagnostic setting is enabled.

The query builds a baseline of every AADEmail that ran a query during a window seven times as long as the hunting range, then uses a rightanti join to keep only rows from the hunting range whose AADEmail has no match in that baseline. Two caveats apply. First, ago() is measured from the moment the query runs, not from starttime, so the baseline is only the intended 7x window when the hunting range ends at or near the present; when hunting over an older range, anchor the baseline with startofday(starttime - lookback) instead. Second, AADEmail is empty for queries issued by non-user principals such as service principals and managed identities, so those are never matched by account and should be hunted separately, for example by AADObjectId or RequestClientApp.
KQL Query
let starttime = todatetime('{{StartTimeISO}}');
let endtime = todatetime('{{EndTimeISO}}');
let lookback = totimespan((endtime-starttime)*7);
LAQueryLogs
| where TimeGenerated between(startofday(ago(lookback))..starttime)
| summarize by AADEmail
| join kind = rightanti (LAQueryLogs
| where TimeGenerated between(starttime..endtime))
on AADEmail
| project TimeGenerated, AADEmail, QueryText, RequestClientApp, RequestTarget
| extend timestamp = TimeGenerated, AccountCustomEntity = AADEmail
id: 8c4fb385-98b0-4ef5-b3da-65db0fb22d89
name: New users running queries
description: |
  'This hunting query looks for users who have run queries that have not previously been seen running queries.'
requiredDataConnectors:
  - connectorId: AzureMonitor(Query Audit)
    dataTypes:
      - LAQueryLogs
tactics:
  - Collection
relevantTechniques:
  - T1530
  - T1213
query: |
  let starttime = todatetime('{{StartTimeISO}}');
  let endtime = todatetime('{{EndTimeISO}}');
  let lookback = totimespan((endtime-starttime)*7);
  LAQueryLogs
  | where TimeGenerated between(startofday(ago(lookback))..starttime)
  | summarize by AADEmail
  | join kind = rightanti (LAQueryLogs
  | where TimeGenerated between(starttime..endtime))
  on AADEmail
  | project TimeGenerated, AADEmail, QueryText, RequestClientApp, RequestTarget
  | extend timestamp = TimeGenerated, AccountCustomEntity = AADEmail
version: 1.0.0
metadata:
  source:
    kind: Community
  author:
    name: Pete Bryan
  support:
    tier: Microsoft
  categories:
    domains: [ "Security - Threat Protection" ]
Scenario: A newly onboarded administrator or analyst runs a one-off query in Log Analytics to check workspace logs.
Filter/Exclusion: Cross-check the account's first query against its creation date in your identity audit logs rather than excluding privileged accounts wholesale; a long-standing administrator appearing for the first time in LAQueryLogs is more suspicious than a new hire, not less.
Scenario: A scheduled job (a Logic App or a Power BI report that pulls from Log Analytics) runs a query under a reporting service account.
Filter/Exclusion: Allowlist the RequestClientApp value and the service-account AADEmail the job uses, after confirming them against a known run; queries issued by service principals and managed identities carry an empty AADEmail and have to be hunted by AADObjectId or RequestClientApp instead.
Scenario: A developer or deployment pipeline runs a new query during a release to validate that a deployed resource is logging as expected.
Filter/Exclusion: Exclude the pipeline's deployment identity during its known deployment windows, but keep individual developer accounts in scope: a human's first query is exactly what this hunt is for.
Scenario: An IT support technician runs a query in the workspace to troubleshoot a user's issue.
Filter/Exclusion: Maintain an allowlist of support accounts keyed on AADEmail and review it periodically; do not key the exclusion on the client tool alone, because an attacker can use the same portal or API.
Scenario: A security analyst runs a custom query from the Sentinel portal, a hunting notebook or the Log Analytics API to investigate a potential incident.
Filter/Exclusion: Exclude the SOC's known analyst accounts and the RequestClientApp values used by its incident-response tooling, but still review first-seen queries from those accounts that read unusually broad data (for example a bare search across all tables), since that is also what an attacker probing the SIEM would do.
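The tuned query below is an added example, not the page's own hunting query. It runs the same rightanti logic over constructed LAQueryLogs-shaped rows built with datatable (so it executes in any Log Analytics workspace without real audit data), anchors the baseline to starttime rather than to now, and applies the exclusions from the scenarios above as allowlists. The dates, account names, QueryText values, RequestClientApp values and allowlist entries are all assumptions made up for the example.

```kql
// Added example (not the original Sentinel query). Assumed hunting window:
let starttime = datetime(2024-03-10 00:00:00);
let endtime   = datetime(2024-03-11 00:00:00);
// Baseline is seven times the hunting range, as in the original query.
let lookback  = totimespan((endtime - starttime) * 7);
// Constructed rows in the shape of LAQueryLogs (not real audit data).
let SampleQueryLogs = datatable(TimeGenerated:datetime, AADEmail:string, QueryText:string, RequestClientApp:string, RequestTarget:string)
[
  // baseline period: alice is an established analyst
  datetime(2024-03-05 09:12:00), "alice@contoso.com",       "SecurityEvent | take 10",                 "PortalClient",      "workspaces/soc-ws",
  datetime(2024-03-08 11:40:00), "alice@contoso.com",       "SigninLogs | count",                      "PortalClient",      "workspaces/soc-ws",
  // hunting window
  datetime(2024-03-10 08:05:00), "alice@contoso.com",       "Heartbeat | summarize count()",           "PortalClient",      "workspaces/soc-ws",
  datetime(2024-03-10 10:30:00), "bob@contoso.com",         "SigninLogs | where ResultType != 0",      "PortalClient",      "workspaces/soc-ws",
  datetime(2024-03-10 02:00:00), "reports-svc@contoso.com", "Perf | summarize avg(CounterValue)",      "ReportingJob",      "workspaces/soc-ws",
  datetime(2024-03-10 02:30:00), "",                        "Usage | summarize sum(Quantity)",         "AutomationRunbook", "workspaces/soc-ws",
  datetime(2024-03-10 03:00:00), "svc-deploy@contoso.com",  "AzureActivity | take 5",                  "DeployPipeline",    "workspaces/soc-ws",
  datetime(2024-03-10 14:22:00), "mallory@contoso.com",     "search * | take 1000",                    "Unknown",           "workspaces/soc-ws",
];
// Allowlists (assumed values; populate from a confirmed run of each job).
let KnownClients     = dynamic(["ReportingJob"]);          // scheduled reporting tools
let ExcludedAccounts = dynamic(["svc-deploy@contoso.com"]); // deployment identity
SampleQueryLogs
// Baseline anchored to starttime so historical ranges get the intended 7x window.
| where TimeGenerated between (startofday(starttime - lookback) .. starttime)
| summarize by AADEmail
| join kind=rightanti (
    SampleQueryLogs
    | where TimeGenerated between (starttime .. endtime)
    // Non-user principals log an empty AADEmail; hunt those by AADObjectId/RequestClientApp separately.
    | where isnotempty(AADEmail)
    | where RequestClientApp !in (KnownClients)
    | where AADEmail !in (ExcludedAccounts)
  ) on AADEmail
| project TimeGenerated, AADEmail, QueryText, RequestClientApp, RequestTarget
| extend timestamp = TimeGenerated, AccountCustomEntity = AADEmail
```

Run as written it returns two rows, bob@contoso.com and mallory@contoso.com: alice is in the baseline, the reporting job is dropped by the client allowlist, the deployment identity by the account allowlist, and the row with an empty AADEmail is left for a separate principal-based hunt. Of the two survivors, mallory's bare search across every table is the one to triage first. To apply it to live data, replace SampleQueryLogs with LAQueryLogs and the datetime literals with the {{StartTimeISO}} and {{EndTimeISO}} placeholders.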