Users executing large log analytics (LA) queries may indicate data exfiltration or reconnaissance efforts, as adversaries often gather extensive data to plan further attacks. SOC teams should proactively hunt for such anomalies in Azure Sentinel to identify potential data theft or lateral movement attempts early.
KQL Query
let starttime = todatetime('{{StartTimeISO}}');
let endtime = todatetime('{{EndTimeISO}}');
let delta = totimespan((endtime-starttime)*7);
let lookback = starttime - delta;
let threshold = 0;
LAQueryLogs
| where TimeGenerated between(starttime..endtime)
| make-series rows = sum(ResponseRowCount) on TimeGenerated in range(lookback, endtime, 1h)
| extend (anomalies, score, baseline) = series_decompose_anomalies(rows,3, -1, 'linefit')
| mv-expand anomalies to typeof(int), score to typeof(double), TimeGenerated to typeof(datetime)
| where anomalies > threshold
| sort by score desc
| join kind=rightsemi (
LAQueryLogs
| where TimeGenerated between(starttime..endtime)
| summarize make_set(QueryText) by AADEmail, RequestTarget, TimeGenerated = bin(TimeGenerated, 1h))
on TimeGenerated
| project TimeGenerated, AADEmail, RequestTarget, set_QueryText
| extend timestamp = TimeGenerated, AccountCustomEntity = AADEmail
id: 97543188-a4e8-4439-980d-17b231149617
name: Query data volume anomolies
description: |
'This hunting query looks for anomalously large LA queries by users.'
requiredDataConnectors:
- connectorId: AzureMonitor(Query Audit)
dataTypes:
- LAQueryLogs
tactics:
- Exfiltration
relevantTechniques:
- T1030
query: |
let starttime = todatetime('{{StartTimeISO}}');
let endtime = todatetime('{{EndTimeISO}}');
let delta = totimespan((endtime-starttime)*7);
let lookback = starttime - delta;
let threshold = 0;
LAQueryLogs
| where TimeGenerated between(starttime..endtime)
| make-series rows = sum(ResponseRowCount) on TimeGenerated in range(lookback, endtime, 1h)
| extend (anomalies, score, baseline) = series_decompose_anomalies(rows,3, -1, 'linefit')
| mv-expand anomalies to typeof(int), score to typeof(double), TimeGenerated to typeof(datetime)
| where anomalies > threshold
| sort by score desc
| join kind=rightsemi (
LAQueryLogs
| where TimeGenerated between(starttime..endtime)
| summarize make_set(QueryText) by AADEmail, RequestTarget, TimeGenerated = bin(TimeGenerated, 1h))
on TimeGenerated
| project TimeGenerated, AADEmail, RequestTarget, set_QueryText
| extend timestamp = TimeGenerated, AccountCustomEntity = AADEmail
version: 1.0.0
metadata:
source:
kind: Community
author:
name: Pete Bryan
support:
tier: Microsoft
categories:
domains: [ "Security - Threat Protection" ]Scenario: Scheduled backup job querying large log files
Description: A backup process uses a tool like logrotate or rsync to archive large volumes of log data, which may trigger the rule due to high query volume.
Filter/Exclusion: Exclude queries originating from the backup service account or those executed during scheduled backup windows (e.g., user = backup_svc or timestamp BETWEEN '02:00' AND '04:00').
Scenario: System health monitoring with Prometheus or Grafana
Description: Automated monitoring tools like Prometheus or Grafana may query large datasets to generate dashboards or alerts, causing high query volume.
Filter/Exclusion: Exclude queries from the monitoring service account (e.g., user = prometheus or source = grafana).
Scenario: Log aggregation with Fluentd or Logstash
Description: Log aggregation tools like Fluentd or Logstash may perform bulk data ingestion or indexing operations that temporarily increase query volume.
Filter/Exclusion: Exclude queries from the log aggregation service (e.g., source = fluentd or source = logstash).
Scenario: User-generated report generation with Power BI or Tableau
Description: Users may run large report queries in tools like Power BI or Tableau, which can spike query volume temporarily.
Filter/Exclusion: Exclude queries from user accounts known for report generation (e.g., user = report_user or tool = tableau).
Scenario: Database maintenance tasks with pg_restore or mysqldump
Description: Database maintenance scripts using tools like pg_restore or mysqldump may execute large data extraction queries.
Filter/Exclusion: Exclude queries associated with maintenance tasks (