AzureHound Detection
Azure Hound
Query
let WhitelistedObjects = dynamic(["obj1", "obj2"]);
let UniqueRequestThreshold = 1000; // Depends on Entra ID tentant size. You can use the function 0.5 * TotalAzure Resources to get this number. KQL: arg("").Resources | count
let ResourceThreshold = 4;
let ReconResources = dynamic(["organization","groups","devices","applications","users","rolemanagement","serviceprincipals"]);
GraphAPIAuditEvents
| where RequestMethod == "GET"
| where ResponseStatusCode == 200
| extend ParsedUri = tostring(parse_url(RequestUri).Path)
| extend GraphAPIPath = tolower(replace_string(ParsedUri, "//", "/"))
| extend GraphAPIResource = tostring(split(GraphAPIPath, "/")[2])
| where GraphAPIResource in (ReconResources)
// Filter whitelist
| where not(AccountObjectId in (WhitelistedObjects))
| summarize UniqueRequests = dcount(ClientRequestId), Requests = make_set(RequestUri, 1000), Paths = make_set(GraphAPIPath), Resources = make_set(GraphAPIResource), UniqueResourceCount = dcount(GraphAPIResource) by AccountObjectId, bin(TimeGenerated, 1h)
| where UniqueRequests >= UniqueRequestThreshold and UniqueResourceCount >= ResourceThresholdAbout this query
Explanation
This query is designed to detect potential AzureHound activity, which is a tool used by adversaries to gather information about an Azure environment. Here's a simplified breakdown of what the query does:
-
Data Source: It uses the
GraphAPIAuditEventslog to analyze API requests made to Azure. -
Filtering Criteria:
- It looks for
GETrequests with a successful status code (200), as AzureHound uses these to collect data. - It focuses on specific resources that are commonly targeted for reconnaissance, such as organizations, groups, devices, applications, users, role management, and service principals.
- It looks for
-
Exclusions:
- Certain objects are whitelisted and excluded from the analysis to avoid false positives.
-
Analysis:
- It counts the number of unique requests and the variety of resources accessed within each hour.
- It checks if these counts exceed predefined thresholds, which are adjustable based on the size of the Azure environment.
-
Thresholds:
UniqueRequestThreshold: The minimum number of unique requests needed to trigger an alert. This can be adjusted based on the number of resources in the Azure environment.ResourceThreshold: The minimum number of different resources accessed to consider the activity suspicious.
-
Outcome:
- If the number of unique requests and accessed resources exceed the thresholds, the query returns these results for further analysis, indicating potential AzureHound activity.
The goal is to identify suspicious activity that might indicate an adversary is using AzureHound to map out and understand the Azure environment, which could be a precursor to more malicious actions.
Details

Bert-Jan Pals
Released: August 14, 2025
Tables
GraphAPIAuditEvents
Keywords
GraphAPIAuditEventsOrganizationGroupsDevicesApplicationsUsersRolemanagementServiceprincipalsAccountObjectIdClientRequestIdRequestUriGraphAPIPathGraphAPIResourceTimeGenerated
Operators
letdynamicargcountGraphAPIAuditEventswhereextendtostringparse_urlPathtolowerreplace_stringsplitinsummarizedcountmake_setbin