Users who run multiple queries that fail within a short timeframe may be probing for specific data or testing whether their credentials grant access, which can indicate reconnaissance or credential stuffing. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify early signs of adversarial activity and prevent further compromise.
KQL Query
let timeframe = 1h;
let threshold = 10;
LAQueryLogs
| where ResponseCode != 200
| summarize count() by AADEmail, bin(TimeGenerated, timeframe)
| where count_ > threshold
| join kind=rightsemi (
LAQueryLogs
| summarize make_set(QueryText) by AADEmail, bin(TimeGenerated, timeframe))
on AADEmail, TimeGenerated
| extend timestamp = TimeGenerated, AccountCustomEntity = AADEmail
id: a2fca6ac-1155-4eec-934b-65aa62cdbb09
name: User running multiple queries that fail
description: |
  'This hunting query looks for users who have multiple failed queries in a short space of time.'
requiredDataConnectors:
  - connectorId: AzureMonitor(Query Audit)
    dataTypes:
      - LAQueryLogs
tactics:
  - Exfiltration
relevantTechniques:
  - T1020
query: |
  let timeframe = 1h;
  let threshold = 10;
  LAQueryLogs
  | where ResponseCode != 200
  | summarize count() by AADEmail, bin(TimeGenerated, timeframe)
  | where count_ > threshold
  | join kind=rightsemi (
      LAQueryLogs
      | summarize make_set(QueryText) by AADEmail, bin(TimeGenerated, timeframe))
      on AADEmail, TimeGenerated
  | extend timestamp = TimeGenerated, AccountCustomEntity = AADEmail
version: 1.0.0
metadata:
  source:
    kind: Community
  author:
    name: Pete Bryan
  support:
    tier: Microsoft
  categories:
    domains: [ "Security - Threat Protection" ]
Scenario: A system administrator is running multiple failed SSH connection attempts to troubleshoot a network issue.
Filter/Exclusion: Exclude users with administrative privileges (e.g., sudo users or users in the admin group) or filter by specific tools like ssh with a known IP range used for troubleshooting.
Scenario: A scheduled job (e.g., cron job or Airflow DAG) is failing repeatedly due to a misconfigured script or invalid SQL query.
Filter/Exclusion: Exclude processes associated with scheduled tasks (e.g., cron, airflow, or specific job IDs) or filter by process names like airflow or cron.
Scenario: A developer is testing a new query in a database tool like pgAdmin or MySQL Workbench, resulting in multiple failed queries during testing.
Filter/Exclusion: Exclude users associated with development tools (e.g., pgAdmin, MySQL Workbench, or DBeaver) or filter by specific application names or user roles (e.g., developer).
Scenario: A backup process (e.g., rsync, Veeam, or Bacula) is failing due to temporary file system issues or network instability.
Filter/Exclusion: Exclude processes related to backup tools (e.g., rsync, veeam, bacula) or filter by process names or user accounts used for backup operations.
Scenario: A user is performing a bulk data import/export using a tool like sqoop or data pipeline, which results in multiple failed queries during the process.
Filter/Exclusion: Exclude processes associated with data migration tools (e.g., sqoop, data-pipeline, or etl) or filter by specific command-line arguments or user roles (e.g., `data-engineer
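A tuned variant of the hunting query above, added here as an example and not part of the original template, that folds the exclusions described in the scenarios into the KQL itself and keeps the failure count next to the total so a reviewer can judge the ratio. The account and client-application values are constructed placeholders, and the minimum-distinct-query condition is a tuning assumption that the original query does not apply.

```kql
// Added tuning example; not the original hunting query.
let timeframe = 1h;
let threshold = 10;
// Identities whose failures are expected (backup/ETL service accounts, developers
// testing queries). Constructed placeholder values; replace with real ones.
let excludedAccounts = dynamic(["svc-backup@contoso.example", "svc-etl@contoso.example"]);
// Client applications used by scheduled automation that retries a broken query.
// Constructed placeholder; RequestClientApp names the client that issued the query.
let excludedClientApps = dynamic(["ScheduledReportJob"]);
LAQueryLogs
| where AADEmail !in~ (excludedAccounts)
| where RequestClientApp !in~ (excludedClientApps)
| summarize
    TotalQueries     = count(),
    FailedQueries    = countif(ResponseCode != 200),
    FailedCodes      = make_set_if(ResponseCode, ResponseCode != 200),
    DistinctFailed   = dcountif(QueryText, ResponseCode != 200),
    FailedQueryTexts = make_set_if(QueryText, ResponseCode != 200, 20)
    by AADEmail, bin(TimeGenerated, timeframe)
| where FailedQueries > threshold
// A job retrying one misconfigured query yields many failures but few distinct
// texts; a user probing for data tends to vary the query, so require variety.
| where DistinctFailed > 3
| extend FailureRatio = round(todouble(FailedQueries) / TotalQueries, 2)
| project-reorder TimeGenerated, AADEmail, TotalQueries, FailedQueries,
    DistinctFailed, FailureRatio, FailedCodes, FailedQueryTexts
| order by FailureRatio desc, FailedQueries desc
| extend timestamp = TimeGenerated, AccountCustomEntity = AADEmail
```

Accounts that are excluded here should still be covered by a separate, lower-priority rule so that a compromised service identity is not silently ignored.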