Hunt for the events that have been performed while connected to a Anonymous Proxy
Anonymous Proxy Events
Query
CloudAppEvents
| where IsAnonymousProxy == 1
| extend UserId = tostring(parse_json(RawEventData).UserId)
| summarize
TotalActivities = count(),
ActionsPerformed = make_set(ActionType),
OSUsed = make_set(OSPlatform),
IPsUsed = make_set(IPAddress)
by AccountId, UserId
| project AccountId, UserId, TotalActivities, ActionsPerformed, OSUsed, IPsUsed
| sort by TotalActivitiesAbout this query
Explanation
This query is designed to identify events where activities were performed while connected to an anonymous proxy, which can be a sign of malicious activity. Here's a simple breakdown of what the query does:
-
Data Source: It looks at
CloudAppEvents, which are records of activities in cloud applications. -
Filter: It filters these events to only include those where the connection was made through an anonymous proxy (
IsAnonymousProxy == 1). -
Extract User Information: It extracts the
UserIdfrom the event data for further analysis. -
Summarize Activities: For each unique account and user, it summarizes:
- The total number of activities (
TotalActivities). - The types of actions performed (
ActionsPerformed). - The operating systems used (
OSUsed). - The IP addresses used (
IPsUsed).
- The total number of activities (
-
Output: It projects (or selects) the relevant fields:
AccountId,UserId,TotalActivities,ActionsPerformed,OSUsed, andIPsUsed. -
Sort: Finally, it sorts the results by the total number of activities, likely to prioritize accounts with the most activity for further investigation.
The query is useful for detecting potential security risks where an attacker might be using a proxy to hide their true location while accessing cloud services. However, it also notes a common false positive scenario: iPhones using iCloud Private Relay, which can also mask IP addresses.
