Query Details

HUNT 08 Privileged Ops Outside Hours

Query

// Hunt     : Hunt - Privileged Azure Management Operations Outside Business Hours (UTC 07-19)
// Tactics  : DefenseEvasion,Persistence
// MITRE    : T1078.004
// Purpose  : Identifies identities performing sensitive management operations outside UTC 07:00-19:00 weekdays. Attackers in different time zones or running automated scripts often operate outside normal business hours. Review against expected schedules.
//==========================================================================================

AzureActivity
| where TimeGenerated > ago(30d)
| where ActivityStatusValue =~ "Success"
| where OperationNameValue has_any (
    "ROLEASSIGNMENTS/WRITE",
    "ROLEASSIGNMENTS/DELETE",
    "VIRTUALMACHINES/WRITE",
    "DIAGNOSTICSETTINGS/DELETE",
    "KEYVAULTS/WRITE",
    "AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/WRITE",
    "LOCKS/DELETE",
    "POLICYASSIGNMENTS/DELETE")
| where isnotempty(Caller)
| extend HourUTC = hourofday(TimeGenerated)
| extend DayOfWeek = dayofweek(TimeGenerated)
| extend IsOffHours = HourUTC < 7 or HourUTC > 19 or DayOfWeek == 0d or DayOfWeek == 6d
| where IsOffHours == true
| summarize
    OffHoursOpCount = count(),
    Operations = make_set(OperationNameValue, 10),
    HoursActive = make_set(HourUTC, 24),
    SourceIPs = make_set(CallerIpAddress, 5)
    by Caller, SubscriptionId
| order by OffHoursOpCount desc

Explanation

This query is designed to identify potentially suspicious activities in Azure by looking for privileged management operations that occur outside of typical business hours (07:00 to 19:00 UTC on weekdays). Here's a simple breakdown of what the query does:

  1. Data Source: It examines Azure activity logs from the past 30 days.

  2. Filter for Success: It only considers activities that were successfully executed.

  3. Sensitive Operations: The query focuses on specific sensitive operations, such as role assignments, virtual machine modifications, and key vault changes.

  4. Identify Off-Hours: It checks if these operations were performed outside of normal business hours, which includes weekends and times before 07:00 or after 19:00 UTC.

  5. Summarize Findings: For each user (Caller) and subscription, it counts how many off-hours operations occurred, lists the types of operations performed, records the hours during which these activities took place, and notes the source IP addresses.

  6. Order Results: The results are sorted by the number of off-hours operations, with the most frequent occurrences listed first.

The purpose of this query is to help security teams identify unusual or unauthorized access patterns that might indicate malicious activity, such as an attacker operating from a different time zone or using automated scripts.
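To see the off-hours classification and the summarize step work end to end, the following Python re-implements the query's pipeline over a handful of constructed AzureActivity-style rows. This is an added example, not part of the original hunt; the callers, IPs, subscription id and timestamps are hypothetical, and has_any() is approximated with a case-insensitive substring match.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Operation fragments exactly as the query's has_any() clause lists them.
SENSITIVE_OPS = ("ROLEASSIGNMENTS/WRITE", "ROLEASSIGNMENTS/DELETE", "VIRTUALMACHINES/WRITE",
                 "DIAGNOSTICSETTINGS/DELETE", "KEYVAULTS/WRITE", "LOCKS/DELETE",
                 "AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/WRITE", "POLICYASSIGNMENTS/DELETE")

def is_off_hours(ts: datetime) -> bool:
    """Mirror of the query's IsOffHours: hourofday() < 7 or > 19, or Sunday (0d) /
    Saturday (6d). Python's weekday() is Monday=0, so the weekend is (5, 6). Hour 19
    (19:00-19:59) counts as business time here, exactly as the KQL '> 19' test does."""
    return ts.hour < 7 or ts.hour > 19 or ts.weekday() in (5, 6)

def hunt_off_hours(records):
    """where / extend / summarize / order pipeline over dicts carrying the AzureActivity
    columns the query reads. has_any() is approximated by a case-insensitive substring test."""
    groups = defaultdict(lambda: {"OffHoursOpCount": 0, "Operations": set(),
                                  "HoursActive": set(), "SourceIPs": set()})
    for r in records:
        if r["ActivityStatusValue"].lower() != "success":          # =~ "Success"
            continue
        if not any(f in r["OperationNameValue"].upper() for f in SENSITIVE_OPS):
            continue
        if not r.get("Caller") or not is_off_hours(r["TimeGenerated"]):
            continue
        g = groups[(r["Caller"], r["SubscriptionId"])]
        g["OffHoursOpCount"] += 1
        g["Operations"].add(r["OperationNameValue"])
        g["HoursActive"].add(r["TimeGenerated"].hour)
        g["SourceIPs"].add(r["CallerIpAddress"])
    rows = [{"Caller": c, "SubscriptionId": s, **v} for (c, s), v in groups.items()]
    return sorted(rows, key=lambda x: x["OffHoursOpCount"], reverse=True)

def sample_records():
    """Constructed AzureActivity-style rows; callers, IPs and subscription are hypothetical."""
    def rec(caller, d, h, m, op, status="Success", ip="203.0.113.10"):
        return {"Caller": caller, "SubscriptionId": "sub-0000", "CallerIpAddress": ip,
                "ActivityStatusValue": status, "OperationNameValue": op,
                "TimeGenerated": datetime(2026, 3, d, h, m, tzinfo=timezone.utc)}
    return [  # 11 March 2026 is a Wednesday, 14 March 2026 a Saturday
        rec("alice@example.test", 11, 3, 15, "MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/WRITE"),
        rec("alice@example.test", 14, 10, 0, "MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/DELETE"),
        rec("alice@example.test", 11, 12, 0, "MICROSOFT.AUTHORIZATION/LOCKS/DELETE"),  # in hours
        rec("bob@example.test", 11, 19, 30, "MICROSOFT.AUTHORIZATION/LOCKS/DELETE"),   # hour 19
        rec("bob@example.test", 11, 22, 0, "MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE", "Failed"),
        rec("bob@example.test", 11, 22, 5, "MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE", ip="198.51.100.7"),
    ]
```

Running hunt_off_hours(sample_records()) yields alice with two off-hours operations (03:15 weekday and Saturday) ahead of bob with one (22:05), while the 19:30 and failed events drop out as the query's filters intend.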

Details

David Alonso

Released: March 12, 2026

Tables

AzureActivity

Keywords

AzureActivity, Caller, SubscriptionId, OperationNameValue, CallerIpAddress, TimeGenerated, HourUTC, DayOfWeek

Operators

AzureActivity, where, >, ago, =~, has_any, isnotempty, extend, hourofday, dayofweek, or, ==, summarize, count, make_set, by, order by, desc