Query Details

Cloud Discovery Performed by User At Risk

Cloud Discovery By User At Risk

Query

// Define DiscoveryEvents, list can be appended with other events or your choosing
let DiscoveryEvents = dynamic(["Export", "Download group members", "Get tenant details", "Download Users", "Download Devices"]);
let RiskyUsers = AADRiskyUsers
     | where TimeGenerated > ago(90d)
     | summarize arg_max(TimeGenerated, *) by Id
     // Only user active risky users. If you want to look for all users that have been risky, remove the line below.
     | where RiskState in~ ('atRisk', 'confirmedCompromised')
     | distinct UserDisplayName;
AuditLogs
// Filter only on the RiskyUsers defined
| where Identity in~ (RiskyUsers)
// Filter on DiscoveryEvents
| where OperationName has_any (DiscoveryEvents)
| project TimeGenerated, Identity, OperationName, Category, ResultDescription, Result

About this query

Explanation

This query is designed to identify potentially malicious activity by users who are considered "at risk" within an Azure environment. Here's a simple breakdown of what the query does:

  1. Purpose: The query aims to detect actions related to cloud discovery that are performed by users flagged as risky. These actions could indicate that an attacker is trying to gather information after gaining access to your Azure tenant.

  2. Key Actions Monitored: The query looks for specific discovery events such as exporting data, downloading group members, retrieving tenant details, and downloading user or device information.

  3. Risky Users Identification: It first identifies users who have been marked as "at risk" or "confirmed compromised" in the last 90 days. This is done by checking the Azure Active Directory Risky Users data.

  4. Filtering Audit Logs: The query then filters audit logs to find entries where these risky users have performed any of the specified discovery actions.

  5. Output: It provides a list of these events, including details like the time they occurred, the user involved, the type of operation performed, and the result of the operation.

  6. Actionable Insight: If such activities are detected, it suggests investigating the user account further and potentially disabling the account if malicious activity is confirmed.

Overall, this query helps in proactively identifying and responding to potential security threats by monitoring risky user behavior related to cloud resource discovery.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: December 1, 2024

Tables

AADRiskyUsersAuditLogs

Keywords

CloudDiscoveryUserRiskDevicesTenantAzureActiveDirectoryAuditLogs

Operators

letdynamicagosummarizearg_maxbywherein~distinctAuditLogshas_anyproject

MITRE Techniques

Actions

GitHub