Query Details

HUNT 07 Lighthouse Delegation Changes

Query

// Hunt     : Hunt - Azure Lighthouse Managed Services Delegation Changes (90d)
// Tactics  : Persistence
// MITRE    : T1098
// Purpose  : Shows all Azure Lighthouse (ManagedServices) delegation events. Attackers who gain Owner rights may create Lighthouse delegations to grant a foreign tenant persistent cross-subscription access that survives password resets.
//==========================================================================================

AzureActivity
| where TimeGenerated > ago(90d)
| where OperationNameValue has "MICROSOFT.MANAGEDSERVICES"
| where ActivityStatusValue =~ "Success"
| extend OperationType = case(
    OperationNameValue has "DELETE", "Delegation Removed",
    OperationNameValue has "WRITE", "Delegation Added or Modified",
    "Other")
| project TimeGenerated, OperationType, Caller, Operation = OperationNameValue, ResourceId, CallerIpAddress, SubscriptionId
| order by TimeGenerated desc

Explanation

This query tracks changes to Azure Lighthouse delegations over the past 90 days. Azure Lighthouse allows a service provider to manage resources in another Azure tenant, so a delegation is effectively a standing cross-tenant grant. The query surfaces every successful delegation event, because a delegation that nobody in the organization intended is a strong sign that an attacker with Owner rights is establishing persistent access.

Here's a simplified breakdown of what the query does:

  1. Data Source: It pulls data from the AzureActivity log, which records various activities within Azure.

  2. Time Frame: It filters the data to include only events from the last 90 days.

  3. Operation Filter: It specifically looks for operations related to "MICROSOFT.MANAGEDSERVICES", which pertains to Azure Lighthouse delegations.

  4. Success Filter: It only considers events where the activity status is marked as "Success".

  5. Operation Type: It categorizes the operations into:

    • "Delegation Removed" if the operation involves a "DELETE".
    • "Delegation Added or Modified" if the operation involves a "WRITE".
    • "Other" for any other types of operations.

  6. Data Projection: It selects and displays specific details about each event, including:

    • The time the event was generated.
    • The type of operation.
    • The caller (who initiated the operation).
    • The operation name.
    • The resource ID involved.
    • The caller's IP address.
    • The subscription ID.

  7. Sorting: Finally, it orders the results by the time the event was generated, showing the most recent events first.

The purpose of this query is to help identify unauthorized or suspicious delegation changes. A Lighthouse delegation grants a foreign tenant access across subscriptions that survives password resets of the compromised account, which is why attackers use it for persistence; any "Delegation Added or Modified" row whose caller, IP address or target subscription is unexpected should be reviewed against the organization's approved service-provider list.
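To show the hunt's filter and classification logic running end to end, here is a Python re-implementation of the same steps applied to a handful of constructed AzureActivity rows. This is an added example, not code from the page or from the author; the rows, caller names, subscription IDs and resource IDs are made-up sample values, and the `kql_has` helper is an approximation of KQL's term-based `has` operator (case-insensitive, whole-term match), which is what lets "WRITE" match "…/REGISTRATIONASSIGNMENTS/WRITE" but not "…/REWRITE".

```python
"""Python re-implementation of the Lighthouse delegation hunt, run over
constructed sample AzureActivity rows (added illustration, not page code)."""
import re
from datetime import datetime, timedelta, timezone


def kql_has(haystack: str, needle: str) -> bool:
    """Approximate KQL `has`: case-insensitive, whole-term match.
    Both strings are split into alphanumeric terms and the needle's term
    sequence must appear contiguously in the haystack's term sequence,
    so "MICROSOFT.MANAGEDSERVICES" matches the provider namespace but
    "MANAGEDSERVICESX" or "REWRITE" do not match "MANAGEDSERVICES"/"WRITE"."""
    def tokenize(s: str):
        return re.findall(r"[A-Za-z0-9]+", s.lower())
    hay, nee = tokenize(haystack), tokenize(needle)
    if not nee:
        return False
    return any(hay[i:i + len(nee)] == nee for i in range(len(hay) - len(nee) + 1))


def classify_operation(op_name: str) -> str:
    """Mirrors the KQL case() expression: the first matching branch wins."""
    if kql_has(op_name, "DELETE"):
        return "Delegation Removed"
    if kql_has(op_name, "WRITE"):
        return "Delegation Added or Modified"
    return "Other"


def hunt_lighthouse_delegations(rows, now, window_days=90):
    """Apply the hunt's where / extend / project / order-by steps to rows
    shaped like AzureActivity records and return the projected hits,
    newest first."""
    cutoff = now - timedelta(days=window_days)          # TimeGenerated > ago(90d)
    hits = []
    for r in rows:
        if r["TimeGenerated"] <= cutoff:
            continue
        if not kql_has(r["OperationNameValue"], "MICROSOFT.MANAGEDSERVICES"):
            continue
        if r["ActivityStatusValue"].lower() != "success":  # =~ is case-insensitive
            continue
        hits.append({
            "TimeGenerated": r["TimeGenerated"],
            "OperationType": classify_operation(r["OperationNameValue"]),
            "Caller": r["Caller"],
            "Operation": r["OperationNameValue"],
            "ResourceId": r["ResourceId"],
            "CallerIpAddress": r["CallerIpAddress"],
            "SubscriptionId": r["SubscriptionId"],
        })
    return sorted(hits, key=lambda h: h["TimeGenerated"], reverse=True)


# Constructed sample data: a placeholder subscription and made-up callers.
SUB = "00000000-0000-0000-0000-000000000001"
NOW = datetime(2026, 3, 12, tzinfo=timezone.utc)


def _row(ts, op, status, caller="admin@contoso.example", ip="203.0.113.10"):
    return {
        "TimeGenerated": ts, "OperationNameValue": op, "ActivityStatusValue": status,
        "Caller": caller, "CallerIpAddress": ip, "SubscriptionId": SUB,
        "ResourceId": f"/subscriptions/{SUB}/providers/{op.rsplit('/', 1)[0]}/sample",
    }


SAMPLE_ROWS = [
    _row(datetime(2026, 3, 10, tzinfo=timezone.utc),
         "MICROSOFT.MANAGEDSERVICES/REGISTRATIONASSIGNMENTS/WRITE", "Success"),
    _row(datetime(2026, 3, 1, tzinfo=timezone.utc),
         "MICROSOFT.MANAGEDSERVICES/REGISTRATIONDEFINITIONS/DELETE", "success"),
    _row(datetime(2026, 2, 20, tzinfo=timezone.utc),
         "MICROSOFT.MANAGEDSERVICES/REGISTRATIONASSIGNMENTS/WRITE", "Failed"),   # dropped: not Success
    _row(datetime(2025, 11, 1, tzinfo=timezone.utc),
         "MICROSOFT.MANAGEDSERVICES/REGISTRATIONASSIGNMENTS/WRITE", "Success"),  # dropped: older than 90d
    _row(datetime(2026, 3, 5, tzinfo=timezone.utc),
         "MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE", "Success"),                  # dropped: not Lighthouse
    _row(datetime(2026, 3, 8, tzinfo=timezone.utc),
         "MICROSOFT.MANAGEDSERVICES/OPERATIONSTATUSES/READ", "Success"),         # kept as "Other"
]


def run_sample():
    """Run the hunt over the constructed rows; returns 3 hits, newest first."""
    return hunt_lighthouse_delegations(SAMPLE_ROWS, NOW)


if __name__ == "__main__":
    for hit in run_sample():
        print(hit["TimeGenerated"].date(), hit["OperationType"], hit["Operation"])
```

The three rows that survive match the query's intent: the WRITE becomes "Delegation Added or Modified", the DELETE becomes "Delegation Removed", and the READ falls through to "Other", while failed attempts, events outside the window and non-Lighthouse operations are excluded before classification.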

Details

David Alonso

Released: March 12, 2026

Tables

AzureActivity

Keywords

AzureActivity, OperationNameValue, ActivityStatusValue, OperationType, Caller, ResourceId, CallerIpAddress, SubscriptionId

Operators

AzureActivity, |, where, >, ago(), has, =~, extend, case(), project, order by, desc