A user running Log Analytics searches for VIP user activity may be performing reconnaissance or preparing privilege escalation, since such searches help an adversary identify high-value targets. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect potential insider threats or advanced persistent threats targeting critical accounts.
KQL Query
// Replace these with the username or emails of your VIP users you wish to monitor for.
let vips = dynamic(['[email protected]','[email protected]']);
// Add users who are allowed to conduct these searches - this could be specific SOC team members
let allowed_users = dynamic([]);
LAQueryLogs
| where QueryText has_any (vips) or QueryText has_any ('_GetWatchlist("VIPUsers")', "_GetWatchlist('VIPUsers')")
| where AADEmail !in (allowed_users)
| project TimeGenerated, AADEmail, RequestClientApp, QueryText, ResponseRowCount, RequestTarget
| extend timestamp = TimeGenerated, AccountName = tostring(split(AADEmail, "@")[0]), AccountUPNSuffix = tostring(split(AADEmail, "@")[1])
id: f7f4a77e-f68f-4b56-9aaf-a0c9d87d7a8e
name: Users searching for VIP user activity
description: |
  This query monitors for users running Log Analytics queries that contain filters for specific, defined VIP user accounts or the VIPUser watchlist template.
  Use this detection to alert for users specifically searching for activity of sensitive users.
severity: Low
requiredDataConnectors: []
queryFrequency: 1d
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
  - Collection
  - Exfiltration
relevantTechniques:
  - T1530
  - T1213
  - T1020
query: |
  // Replace these with the username or emails of your VIP users you wish to monitor for.
  let vips = dynamic(['[email protected]','[email protected]']);
  // Add users who are allowed to conduct these searches - this could be specific SOC team members
  let allowed_users = dynamic([]);
  LAQueryLogs
  | where QueryText has_any (vips) or QueryText has_any ('_GetWatchlist("VIPUsers")', "_GetWatchlist('VIPUsers')")
  | where AADEmail !in (allowed_users)
  | project TimeGenerated, AADEmail, RequestClientApp, QueryText, ResponseRowCount, RequestTarget
  | extend timestamp = TimeGenerated, AccountName = tostring(split(AADEmail, "@")[0]), AccountUPNSuffix = tostring(split(AADEmail, "@")[1])
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: Name
        columnName: AccountName
      - identifier: UPNSuffix
        columnName: AccountUPNSuffix
  - entityType: AzureResource
    fieldMappings:
      - identifier: ResourceId
        columnName: RequestTarget
version: 1.1.4
kind: Scheduled
metadata:
  source:
    kind: Community
  author:
    name: Microsoft Security Research
  support:
    tier: Community
  categories:
    domains: [ "Security - Others" ]
Scenario: System administrators are performing routine audits by querying VIP user activity to ensure compliance with internal policies.
Filter/Exclusion: Exclude queries executed by known admin accounts (e.g., admin_user, audit_user) or filter by query names containing keywords like audit, compliance, or review.
Scenario: A scheduled job runs daily to generate reports on VIP user activity for executive dashboards.
Filter/Exclusion: Exclude queries associated with scheduled jobs (e.g., job_name = "VIP_Report_Daily") or filter by the source of the query (e.g., source = "scheduled_job").
Scenario: A security analyst is investigating a potential breach and is searching for VIP user activity as part of an active investigation.
Filter/Exclusion: Exclude queries executed within a specific time window (e.g., timestamp > "2024-04-01") or filter by the analyst’s username (e.g., user = "security_analyst").
Scenario: A DevOps team is using Log Analytics to monitor VIP user access patterns for application performance monitoring (APM) purposes.
Filter/Exclusion: Exclude queries that include the term performance, APM, or monitoring, or filter by the team’s service account (e.g., user = "devops_team").
Scenario: A user is running a search in Log Analytics to troubleshoot an issue related to VIP user authentication failures.
Filter/Exclusion: Exclude queries that include the term authentication, failed, or error, or filter by the user’s role (e.g., user_role = "support").
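To check the rule's matching logic and the allow-list tuning from the scenarios above before changing the KQL, here is an added Python model of the query run over constructed LAQueryLogs rows (example code, not part of the Sentinel rule). It approximates KQL `has_any` as case-insensitive containment; the VIP addresses, allow-list, client app values and workspace path are constructed placeholders.

```python
from dataclasses import dataclass

# Constructed placeholders: the VIP list, the SOC allow-list and the
# watchlist calls the rule looks for in QueryText.
VIPS = ["ceo@contoso.example", "cfo@contoso.example"]
ALLOWED_USERS = {"soc.analyst@contoso.example"}
WATCHLIST_CALLS = ['_GetWatchlist("VIPUsers")', "_GetWatchlist('VIPUsers')"]
WORKSPACE = "/subscriptions/00000000-0000-0000-0000-000000000000/rg-logs/law-prod"  # constructed

@dataclass
class LAQueryLog:
    """One LAQueryLogs row, limited to the columns the rule projects."""
    TimeGenerated: str
    AADEmail: str
    RequestClientApp: str
    QueryText: str
    ResponseRowCount: int
    RequestTarget: str

def mentions_vip(query_text: str) -> bool:
    """First `where`: approximates has_any as case-insensitive containment."""
    q = query_text.lower()
    return any(t.lower() in q for t in VIPS + WATCHLIST_CALLS)

def detect(rows, allowed_users=ALLOWED_USERS):
    """Rows the rule alerts on, with the entity columns the `extend` adds."""
    hits = []
    for r in rows:
        if not mentions_vip(r.QueryText) or r.AADEmail in allowed_users:
            continue  # second `where`: AADEmail !in (allowed_users)
        name, _, suffix = r.AADEmail.partition("@")  # split(AADEmail, "@")[0] / [1]
        hits.append({"timestamp": r.TimeGenerated, "AADEmail": r.AADEmail,
                     "AccountName": name, "AccountUPNSuffix": suffix,
                     "RequestClientApp": r.RequestClientApp,
                     "RequestTarget": r.RequestTarget, "QueryText": r.QueryText})
    return hits

# Constructed sample rows: an allow-listed analyst, a watchlist lookup,
# an unrelated query, and a reporting service account using a different letter case.
SAMPLE_ROWS = [
    LAQueryLog("2024-04-01T08:00:00Z", "soc.analyst@contoso.example", "AzurePortal",
               "SigninLogs | where UserPrincipalName == 'ceo@contoso.example'", 12, WORKSPACE),
    LAQueryLog("2024-04-01T09:15:00Z", "jdoe@contoso.example", "AzurePortal",
               "SigninLogs | where UserPrincipalName in (_GetWatchlist('VIPUsers') | project SearchKey)", 40, WORKSPACE),
    LAQueryLog("2024-04-01T10:30:00Z", "jdoe@contoso.example", "AzurePortal",
               "Heartbeat | summarize count() by Computer", 5, WORKSPACE),
    LAQueryLog("2024-04-01T23:00:00Z", "svc-reports@contoso.example", "LogicApps",
               "SigninLogs | where UserPrincipalName =~ 'CFO@Contoso.Example'", 3, WORKSPACE),
]
```

Passing a larger set to `detect(rows, allowed_users=...)` is the equivalent of populating `allowed_users` in the rule, which is how the scheduled-report and audit scenarios above are excluded without loosening the QueryText match.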