Detecting Nation State Threat Actors With Custom KQL Queries
Query
// Detecting Nation-State Threat Actors with Custom KQL Queries
// If you are using the default Sentinel setup, you will not receive notifications in the event of an attack by nation-state threat actors, as there are no built-in analytic rules to detect such threats. I am sharing a Sentinel detection KQL query that can identify nation-state attacks and provide detailed information about the threat actor using Behavior Analytics threat intelligence. By enabling this KQL query, you will be notified when a nation-state threat actor targets your environment and receive additional information about the specific threat actor (e.g., Storm-XXXX)
let NationStateIP =
SigninLogs
| where TimeGenerated > ago(1h)
| where RiskEventTypes_V2 has "estsNationStateIP"
| project IPAddress;
BehaviorAnalytics
| where SourceIPAddress has_any(NationStateIP)
| project TimeGenerated, UserPrincipalName, ActivityType,
SourceIPAddress, SourceIPLocation, DevicesInsights.ThreatIntelIndicatorDescription
// MITRE ATT&CK Mapping
// T1078 - Valid Accounts
// T1049 - System Network Connections DiscoveryExplanation
This query is designed to detect attacks by nation-state threat actors using Microsoft Sentinel. Here's a simplified summary:
-
Purpose: The query identifies potential nation-state attacks and provides detailed information about the threat actors involved.
-
Process:
- Step 1: It looks at the
SigninLogsfrom the past hour to find any sign-ins associated with nation-state IP addresses. - Step 2: It extracts the IP addresses from these sign-ins.
- Step 3: It then checks the
BehaviorAnalyticsdata to see if any of these IP addresses appear there. - Step 4: If a match is found, it retrieves and displays relevant details such as the time of the event, user involved, type of activity, source IP address, location of the source IP, and a description of the threat indicator.
- Step 1: It looks at the
-
Outcome: By enabling this query, you will receive notifications when a nation-state threat actor targets your environment, along with detailed information about the specific threat actor.
-
MITRE ATT&CK Mapping: The query also maps to specific MITRE ATT&CK techniques:
- T1078: Valid Accounts
- T1049: System Network Connections Discovery
This helps in understanding the tactics and techniques used by the threat actors.
Details

Steven Lim
Released: September 24, 2024
Tables
SigninLogsBehaviorAnalytics
Keywords
SentinelDetectionNation-StateThreatActorsBehaviorAnalyticsIntelligenceSigninLogsBehaviorAnalyticsTimeGeneratedUserPrincipalNameActivityTypeSourceIPAddressSourceIPLocationDevicesInsightsThreatIntelIndicatorDescription
Operators
let>ago|wherehasprojecthas_any