Query Details

Detecting Nation State Actors Near Realtime

Query

//Detecting Nation State Actors @ Near Realtime
//https://www.linkedin.com/feed/update/urn:li:activity:7172463683351113728/

//In view of recent updates from Microsoft on Midnight Blizzard: tenants licensed for Microsoft Entra ID P2
//(the licence that enables Entra ID Protection risk detections) can run the KQL below as a Sentinel NRT
//(near-real-time) analytic rule. It matches the "nationStateIP" risk detection, which Entra ID Protection
//raises when a sign-in comes from an IP address that the Microsoft Threat Intelligence Center (MSTIC)
//attributes to a nation-state actor, so a hit means your tenant has been targeted from such infrastructure.

AADUserRiskEvents
| where RiskEventType == "nationStateIP"


Explanation

This query detects potential nation-state activity against your organization in near real-time. It filters the AADUserRiskEvents table in Microsoft Entra ID (formerly Azure AD) for risk detections of type nationStateIP, which Entra ID Protection raises when a sign-in originates from an IP address that Microsoft Threat Intelligence Center (MSTIC) telemetry attributes to a nation-state actor. The table is only populated for tenants licensed for Entra ID P2, and running the query as an NRT analytic rule (which executes about once a minute) keeps the alert latency low. A hit shows that an account was targeted from nation-state infrastructure, not that it was compromised: check RiskState and RiskLevel on the event, and correlate with SigninLogs to see whether the sign-in actually succeeded, before treating the account as breached.
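The one-line filter above is the detection; the following is an added example (not the page's original query) of how a practitioner might shape it for a Sentinel NRT rule so the alert carries the context a responder needs. It uses the documented AADUserRiskEvents columns (RiskState, RiskLevel, IpAddress, Location, UserPrincipalName, UserDisplayName, UserId); the RiskState filter and the account/UPN-suffix split for entity mapping are my additions and are assumptions about what you want to alert on.

```kql
// Added example, not the original query.
// Same nationStateIP detection, with noise removed and responder context attached.
AADUserRiskEvents
| where RiskEventType == "nationStateIP"
// Drop detections an admin has already dismissed, remediated or confirmed safe (assumed policy).
| where RiskState in ("atRisk", "confirmedCompromised")
// One alert row per targeted user, listing the source IPs and locations seen.
| summarize
    FirstSeen  = min(TimeGenerated),
    LastSeen   = max(TimeGenerated),
    Detections = count(),
    SourceIPs  = make_set(IpAddress, 20),
    Locations  = make_set(tostring(Location), 20),
    RiskLevels = make_set(RiskLevel),
    RiskStates = make_set(RiskState)
    by UserPrincipalName, UserDisplayName, UserId
// Split the UPN so the rule's Account entity mapping can use Name + UPNSuffix.
| extend AccountName = tostring(split(UserPrincipalName, "@")[0]),
         UPNSuffix   = tostring(split(UserPrincipalName, "@")[1])
| sort by LastSeen desc
```

Leave out any explicit TimeGenerated window: an NRT rule supplies its own one-minute lookback, and a scheduled rule supplies the period you configure, so the same query works for both. Map AccountName/UPNSuffix to the Account entity and SourceIPs to the IP entity in the rule definition so incidents group by the targeted user.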

Details


Steven Lim

Released: August 2, 2024

Tables

AADUserRiskEvents

Keywords

AADUserRiskEvents, RiskEventType, NationStateIP, Microsoft Entra ID P2, Sentinel, KQL, NRT, Tenant, Nation State Actors, Microsoft Security Intelligence, MSTIC, Telemetry Data

Operators

==, |
