Query Details

Detecting Nation State Threat Actors With Custom KQL Queries

Query

// Detecting Nation-State Threat Actors with Custom KQL Queries

// If you are using the default Sentinel setup, you will not receive notifications in the event of an attack by nation-state threat actors, as there are no built-in analytic rules to detect such threats. I am sharing a Sentinel detection KQL query that can identify nation-state attacks and provide detailed information about the threat actor using Behavior Analytics threat intelligence. By enabling this KQL query, you will be notified when a nation-state threat actor targets your environment and receive additional information about the specific threat actor (e.g., Storm-XXXX).

let NationStateIP = 
SigninLogs
| where TimeGenerated > ago(1h)
| where RiskEventTypes_V2 has "estsNationStateIP"
| project IPAddress;
BehaviorAnalytics
| where SourceIPAddress has_any(NationStateIP)
| project TimeGenerated, UserPrincipalName, ActivityType, 
SourceIPAddress, SourceIPLocation, DevicesInsights.ThreatIntelIndicatorDescription

// MITRE ATT&CK Mapping
// T1078 - Valid Accounts
// T1049 - System Network Connections Discovery

Explanation

This query is designed to detect attacks by nation-state threat actors using Microsoft Sentinel. Here's a simplified summary:

  1. Purpose: The query identifies potential nation-state attacks and provides detailed information about the threat actors involved.

  2. Process:

    • Step 1: It looks at the SigninLogs from the past hour to find any sign-ins associated with nation-state IP addresses.
    • Step 2: It extracts the IP addresses from these sign-ins.
    • Step 3: It then checks the BehaviorAnalytics data to see if any of these IP addresses appear there.
    • Step 4: If a match is found, it retrieves and displays relevant details such as the time of the event, user involved, type of activity, source IP address, location of the source IP, and a description of the threat indicator.

  3. Outcome: By enabling this query, you will receive notifications when a nation-state threat actor targets your environment, along with detailed information about the specific threat actor.

  4. MITRE ATT&CK Mapping: The query also maps to specific MITRE ATT&CK techniques:

    • T1078: Valid Accounts
    • T1049: System Network Connections Discovery

This helps in understanding the tactics and techniques used by the threat actors.
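As an added example (not code from the original post), the same detection can be tightened so an analyst sees at once whether the sign-in from the nation-state IP actually succeeded: it uses an exact IP match instead of term matching and joins the sign-in context back onto the BehaviorAnalytics rows. It assumes the standard SigninLogs columns ResultType, AppDisplayName, RiskLevelDuringSignIn and RiskState, which the original query does not use.

```kusto
// Added example, not the original post's query: nation-state IP detection
// with exact IP matching and the sign-in context joined back in.
// Assumes standard SigninLogs columns (ResultType, AppDisplayName,
// RiskLevelDuringSignIn, RiskState) that the original query does not use.
let lookback = 1h;
let NationStateSignins =
    SigninLogs
    | where TimeGenerated > ago(lookback)
    | where RiskEventTypes_V2 has "estsNationStateIP"
    | project SigninTime = TimeGenerated, UserPrincipalName, IPAddress,
              ResultType, AppDisplayName, RiskLevelDuringSignIn, RiskState;
BehaviorAnalytics
| where TimeGenerated > ago(lookback)
// `in` with a single-column tabular expression is an exact whole-value match,
// whereas has_any does term matching on the string.
| where SourceIPAddress in ((NationStateSignins | distinct IPAddress))
// Join on both user and IP so one IP used by several accounts does not fan out.
| join kind=inner NationStateSignins
    on UserPrincipalName, $left.SourceIPAddress == $right.IPAddress
// The threat-intel description carries the actor name (e.g. Storm-XXXX).
| extend ThreatActor = tostring(DevicesInsights.ThreatIntelIndicatorDescription)
// ResultType "0" is a successful sign-in; any other value is a failure code.
| extend SigninSucceeded = ResultType == "0"
| project TimeGenerated, SigninTime, UserPrincipalName, ActivityType,
          SourceIPAddress, SourceIPLocation, ThreatActor, AppDisplayName,
          SigninSucceeded, RiskLevelDuringSignIn, RiskState
| order by TimeGenerated desc
```

Rows with SigninSucceeded == true are the ones to triage first, since a failed sign-in from a flagged IP is a lower-severity signal than a successful one.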

Details


Steven Lim

Released: September 24, 2024

Tables

SigninLogs, BehaviorAnalytics

Keywords

Sentinel, Detection, Nation-State, Threat Actors, Behavior Analytics, Threat Intelligence, SigninLogs, BehaviorAnalytics, TimeGenerated, UserPrincipalName, ActivityType, SourceIPAddress, SourceIPLocation, DevicesInsights, ThreatIntelIndicatorDescription

Operators

let, >, ago, |, where, has, project, has_any