Query Details

Azure Hound Activity Detected

Query

MicrosoftGraphActivityLogs
| where UserAgent has "azurehound"
| summarize QueriesSent=count() by UserId, IpAddress, ServicePrincipalId, AppId, TokenIssuedAt, Location, SignInActivityId, SourceSystem, AadTenantId, UserAgent
| extend ConfidenceScore = 1
| extend RemediationSteps = "Identify the identity and device used for this activity and confirm this is not a security test. If you can rule out a security test initiate the  incident response process to decide if the attacker can be evicted or should be observed"

Explanation

This query is looking for Microsoft Graph queries sent to the tenant that contain the User Agent string "AzureHound". This indicates that someone is scanning the Azure AD tenant for additional information, which could be the initial phase of an attack. The query summarizes the number of queries sent by various attributes such as UserId, IpAddress, ServicePrincipalId, etc. It also assigns a confidence score of 1 and provides remediation steps to identify the identity and device used for this activity. If it is not a security test, the incident response process should be initiated to decide whether to evict the attacker or observe them. The suppression duration is set to 5 hours and suppression is currently disabled. The alert is configured to group events into a single alert and create an incident. The incident grouping is enabled and configured to group by the Account entity.

Details

Fabian Bader profile picture

Fabian Bader

Released: October 14, 2023

Tables

MicrosoftGraphActivityLogs

Keywords

DevicesIntuneUserAzure ADMicrosoft Graph

Operators

wherehassummarizebyextend

Severity

Medium

Actions

GitHub