Query Details
Azure Hound Activity Detected
Query
id: 54b355e7-1736-425e-8627-4972161b135a
name: AzureHound activity detected
version: 1.0.0
kind: NRT
description: Microsoft Graph queries sent to the tenant contained the User Agent string of AzureHound. This is a high fedility indicator that someone scans your Azure AD tenant for additional information and might be part of the inital phase of an attack.
severity: Medium
query: |-
MicrosoftGraphActivityLogs
| where UserAgent has "azurehound"
| summarize QueriesSent=count() by UserId, IpAddress, ServicePrincipalId, AppId, TokenIssuedAt, Location, SignInActivityId, SourceSystem, AadTenantId, UserAgent
| extend ConfidenceScore = 1
| extend RemediationSteps = "Identify the identity and device used for this activity and confirm this is not a security test. If you can rule out a security test initiate the incident response process to decide if the attacker can be evicted or should be observed"
suppressionDuration: 5h
suppressionEnabled: false
eventGroupingSettings:
aggregationKind: SingleAlert
alertDetailsOverride:
alertDynamicProperties:
- alertProperty: RemediationSteps
value: RemediationSteps
- alertProperty: ConfidenceScore
value: ConfidenceScore
entityMappings:
- entityType: Account
fieldMappings:
- identifier: AadUserId
columnName: UserId
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IpAddress
incidentConfiguration:
createIncident: true
groupingConfiguration:
enabled: true
reopenClosedIncident: false
lookbackDuration: 5h
matchingMethod: Selected
groupByEntities:
- Account
groupByAlertDetails: []
groupByCustomDetails: []
Explanation
This query is looking for Microsoft Graph queries sent to the tenant that contain the User Agent string "AzureHound". This indicates that someone is scanning the Azure AD tenant for additional information, which could be the initial phase of an attack. The query summarizes the number of queries sent by various attributes such as UserId, IpAddress, ServicePrincipalId, etc. It also assigns a confidence score of 1 and provides remediation steps to identify the identity and device used for this activity. If it is not a security test, the incident response process should be initiated to decide whether to evict the attacker or observe them. The suppression duration is set to 5 hours and suppression is currently disabled. The alert is configured to group events into a single alert and create an incident. The incident grouping is enabled and configured to group by the Account entity.
Details
Fabian Bader
Released: October 14, 2023
Tables
Keywords
Operators