Sentinel All In One UPN Threat Hunt
Query
// Sentinel All-In-One UPN ThreatHunt
// https://www.linkedin.com/pulse/microsoft-sentinel-kql-solo-leveling-steven-lim-8hsqc/
// This KQL query searches across these Sentinel log tables for the UPN variable that is defined at the start:
// Anomalies, CloudAppEvents, CommonSecurityLog, DeviceEvents, DeviceFileEvents, DeviceLogonEvents, AzureActivity, EmailEvents, OfficeActivity, SecurityEvent, BehaviorAnalytics
let upn = "[email protected]";
search in (Anomalies,CloudAppEvents,CommonSecurityLog,DeviceEvents,DeviceFileEvents,DeviceLogonEvents,AzureActivity,
EmailEvents,OfficeActivity,SecurityEvent,BehaviorAnalytics)
TimeGenerated between (ago(1d) .. now())
and (
// ** Events initiated by this UPN **
UserPrincipalName == upn // Anomalies, BehaviorAnalytics
or tostring(RawEventData.UserId) == upn // CloudAppEvents
or SourceUserName == upn // CommonSecurityLog
or AccountName == upn // DeviceEvents
or InitiatingProcessAccountUpn == upn // DeviceFileEvents, DeviceLogonEvents
or Caller == upn // AzureActivity
or RecipientEmailAddress == upn // EmailEvents
or SenderMailFromAddress == upn // EmailEvents
or UserId == upn // OfficeActivity
or Entities contains upn // SecurityEvent
)
// MITRE ATT&CK Mapping
// Based on the fields and data sources used in the KQL query, here are some potential MITRE ATT&CK techniques that could be detected:
// T1078 - Valid Accounts: The query checks for events where the UPN is used, which can help identify the use of valid accounts across different services and logs.
// T1059 - Command and Scripting Interpreter: If the DeviceEvents or DeviceFileEvents tables include script execution logs, this technique could be relevant.
// T1071 - Application Layer Protocol: The EmailEvents table checks for email activities, which can be mapped to this technique if emails are used for command and control.
// T1106 - Execution: The DeviceLogonEvents and DeviceFileEvents tables can help detect execution of processes or files.
// T1110 - Brute Force: The SecurityEvent table can be used to detect brute force attempts if it includes authentication logs.
// T1040 - Network Sniffing: If CommonSecurityLog includes network traffic logs, this technique could be relevant.
// T1087 - Account Discovery: The AzureActivity table can help detect account discovery activities in Azure environments.Explanation
This KQL (Kusto Query Language) query is designed to search for activities associated with a specific user, identified by their User Principal Name (UPN), across various log tables in Microsoft Sentinel. Here's a simplified breakdown of what the query does:
-
Define the User: The query starts by specifying a particular user with the UPN "[email protected]".
-
Search Across Logs: It searches for any events related to this user across multiple log tables, including:
- Anomalies
- CloudAppEvents
- CommonSecurityLog
- DeviceEvents
- DeviceFileEvents
- DeviceLogonEvents
- AzureActivity
- EmailEvents
- OfficeActivity
- SecurityEvent
- BehaviorAnalytics
-
Time Frame: The search is limited to events that occurred within the last day.
-
User Activity: The query looks for various types of user activities, such as:
- Logins
- File access
- Email sending/receiving
- Azure activities
- Security events
-
MITRE ATT&CK Techniques: The query can help identify potential security threats by mapping detected activities to known MITRE ATT&CK techniques, such as:
- Use of valid accounts
- Script execution
- Email-based command and control
- Process execution
- Brute force attacks
- Network sniffing
- Account discovery
In essence, this query is a comprehensive threat-hunting tool that helps security analysts monitor and investigate user activities across different platforms and services to detect potential security incidents.
Details

Steven Lim
Released: August 25, 2024
Tables
Keywords
Operators