Query Details
Cloud Discovery Performed By User At Risk
Query
// Operationalising this hunting query: https://github.com/Bert-JanP/Hunting-Queries-Detection-Rules/blob/main/Azure%20Active%20Directory/CloudDiscoveryByUserAtRisk.md
let DiscoveryEvents = dynamic(["Export", "Download group members", "Get tenant details", "Download Users", "Download Devices", "Triggered PIM alert"]);
let RiskyUsers = AADRiskyUsers
| where TimeGenerated > ago(14d)
| summarize arg_max(TimeGenerated, *) by Id
// Only looking at currently risky users - not all users that have been risky at some stage
| where RiskState in~ ('atRisk', 'confirmedCompromised')
| distinct UserDisplayName;
AuditLogs
| where TimeGenerated > ago(1h)
// Filter only on the RiskyUsers from the above search
| where Identity in~ (RiskyUsers)
// Filter on DiscoveryEvents list
| where OperationName has_any (DiscoveryEvents)
// join IdentityInfo
| join kind=leftouter ( IdentityInfo
| where TimeGenerated > ago(14d)
| summarize arg_max(TimeGenerated, *) by AccountObjectId
) on $left.Identity == $right.AccountDisplayName
| project TimeGenerated, Identity, OperationName, Category, ResultDescription, Result, AccountUPN, AccountObjectId, AssignedRolesExplanation
This query detects discovery events that have been performed by a user at risk, as classified by Azure AD. It matches against currently risky users against a set of operations associated with Cloud Discovery in the AuditLogs table. A risky user with active an active risk score against their account performing these discovery operations should be considered suspicious and investigated.
Details
Regan Carey @rcegann (User Submission)
Released: October 25, 2023
Tables
AADRiskyUsersAuditLogsIdentityInfo
Keywords
Devices,Intune,User
Operators
letdynamicwhereagosummarizebyin~distincthas_anyjoinkind=leftouteron$left$rightproject