Query Details
// Hunt : Identity Operation Volume Anomaly Deep-Dive (30 Days)
// Tactics : Discovery, Impact, DefenseEvasion
// MITRE : T1078, T1580
// Purpose : For every identity active in the environment, compute daily write/delete/action operation counts and flag days where the volume significantly exceeds that identity's own baseline. Use to investigate Rule-17 alerts, identify pre-attack reconnaissance bursts, or find compromised accounts that have been quietly abusing access over weeks.
//==========================================================================================
let ExcludedPatterns = dynamic(["terraform", "bicep", "pipeline", "github", "pulumi",
"devops", "arm-deployment"]);
// Day boundaries aligned to midnight so no daily bin straddles the baseline/recent split
let BaselineStart = startofday(ago(30d));
let RecentStart = startofday(ago(7d));
let BaselineDays = toreal(datetime_diff('day', RecentStart, BaselineStart)); // 23
// Daily operation counts per identity (a day with no qualifying operation produces no row)
let DailyOps = AzureActivity
| where TimeGenerated >= BaselineStart
| where ActivityStatusValue =~ "Success"
| where OperationNameValue has_any ("WRITE", "DELETE", "ACTION")
| where not(OperationNameValue has_any ("READ", "LIST", "GET", "LISTKEYS"))
| where isnotempty(Caller) and isnotempty(CallerIpAddress)
// Azure platform ranges: startswith, because has_any would treat "168.63." as two separate terms
| where not(CallerIpAddress startswith "168.63." or CallerIpAddress startswith "169.254.")
// has_any is case-insensitive; Caller is usually a GUID for service principals and managed identities
| where not(Caller has_any (ExcludedPatterns))
| summarize DailyCount = count() by Caller, Day = bin(TimeGenerated, 1d);
// Per-identity baseline over the first 23 days, with inactive days counted as zero
// (sample variance = (sum(x^2) - N*mean^2) / (N-1), computed from the active-day rows only)
let Baseline = DailyOps
| where Day < RecentStart
| summarize
TotalOps = sum(DailyCount),
SumOfSquares = sum(DailyCount * DailyCount),
SampleDays = dcount(Day)
by Caller
| where SampleDays >= 3
| extend AvgDailyOps = TotalOps / BaselineDays
| extend StdDevOps = sqrt(max_of((SumOfSquares - BaselineDays * AvgDailyOps * AvgDailyOps) / (BaselineDays - 1), 0.0));
// Recent 7 full days
let RecentOps = DailyOps
| where Day >= RecentStart;
RecentOps
| join kind=inner Baseline on Caller
// z-score; when the baseline never varies, fall back to the raw excess over the average
// so a day at or below the identity's usual volume is never flagged
| extend DeviationScore = iff(
StdDevOps > 0,
(DailyCount - AvgDailyOps) / StdDevOps,
toreal(DailyCount) - AvgDailyOps)
| where DeviationScore >= 2.5 or (AvgDailyOps < 1 and DailyCount >= 10)
| project
Day,
Caller,
DailyCount,
AvgDailyOps = round(AvgDailyOps, 1),
StdDevOps = round(StdDevOps, 1),
DeviationScore = round(DeviationScore, 1)
| order by DeviationScore desc, DailyCount desc
This query looks for unusual day-level activity volume per identity (user, service principal or managed identity) in the AzureActivity table over the past 30 days. A simplified breakdown of what it does:
Exclude Certain Patterns and IPs: It drops identities whose Caller value contains deployment-tooling names (Terraform, Bicep, pipeline, GitHub, Pulumi, DevOps, ARM deployment) and requests from Azure platform addresses (168.63.x.x and 169.254.x.x), so that routine automation does not dominate the baselines. Service principals and managed identities usually appear in Caller as a GUID rather than a name, so the name-based exclusion only catches identities whose UPN or display name carries those strings; extend the list with the IDs of your own automation accounts where needed.
Daily Operation Counts: It counts the successful write, delete and action operations performed by each identity per calendar day, excluding read, list, get and listKeys operations (listKeys is logged as an action, so it has to be excluded explicitly). A day with no qualifying operation produces no row.
Establish a Baseline: For each identity it takes the first 23 days of the window and computes the average daily count and its standard deviation across all 23 days, counting days without activity as zero. Identities with fewer than three active baseline days are skipped, because three points are not enough to describe normal behaviour.
Identify Anomalies: It then examines the last 7 full days and scores each day by how many standard deviations it sits above the identity's average. A day is flagged when that score is 2.5 or higher, or when the identity normally averages less than one operation per day but performs 10 or more. If the baseline never varies (standard deviation of zero) the score falls back to the raw excess over the average, so a day at or below the identity's usual volume is never flagged.
Output: The query lists the flagged identity-days, sorted by deviation score and then by count, which gives a starting point for investigating reconnaissance bursts, bulk deletions or compromised accounts.
In essence, this query detects spikes in an identity's own write activity that could indicate a security incident. The 2.5 and 10 thresholds are starting points and should be raised in tenants with noisy operators; note also that an identity whose abuse began before the window will carry that activity in its baseline, so pair this hunt with absolute-volume checks.
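To tune the thresholds or sanity-check the scoring without a Log Analytics workspace, the logic can be reproduced offline. The following Python is an added example written for this page, not code from the hunt's author: it re-implements the filters, daily counts, baseline and deviation score over constructed AzureActivity-like records (the field names, identities, operation names and IP addresses are made up for the example), counting idle baseline days as zero and, when the baseline standard deviation is zero, scoring a day by its raw excess over the average.

```python
# Added example: offline re-implementation of the hunt's daily-volume scoring.
# Assumptions (not from the page): records are dicts carrying the AzureActivity fields
# the query reads; idle baseline days count as zero; with a zero standard deviation
# a day scores its raw excess over the mean. Identities and IPs below are made up.
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from statistics import mean, stdev

EXCLUDED_PATTERNS = ("terraform", "bicep", "pipeline", "github", "pulumi", "devops", "arm-deployment")
PLATFORM_PREFIXES = ("168.63.", "169.254.")  # Azure platform ranges
WRITE_TERMS = {"WRITE", "DELETE", "ACTION"}
READ_TERMS = {"READ", "LIST", "GET", "LISTKEYS"}


def is_write_operation(operation_name):
    """Term match like KQL has_any: split the operation name on non-alphanumerics."""
    terms = set(re.findall(r"[A-Za-z0-9]+", operation_name.upper()))
    return bool(terms & WRITE_TERMS) and not (terms & READ_TERMS)


def keep_event(ev):
    """Same filters as the query's DailyOps stage."""
    if ev["status"].lower() != "success" or not ev["caller"] or not ev["ip"]:
        return False
    if not is_write_operation(ev["operation"]) or ev["ip"].startswith(PLATFORM_PREFIXES):
        return False
    # Substring match on the caller; slightly looser than KQL's term-based has_any.
    return not any(p in ev["caller"].lower() for p in EXCLUDED_PATTERNS)


def score_daily_volume(events, now, window_days=30, recent_days=7,
                       min_active_days=3, z_threshold=2.5, burst_floor=10):
    """Return flagged identity-days ordered like the query output."""
    baseline_start = (now - timedelta(days=window_days)).date()
    recent_start = (now - timedelta(days=recent_days)).date()
    baseline_days = (recent_start - baseline_start).days  # 23 with the defaults

    daily = Counter()  # (caller, day) -> qualifying operation count
    for ev in events:
        if ev["time"].date() >= baseline_start and keep_event(ev):
            daily[(ev["caller"], ev["time"].date())] += 1

    # Baseline per identity: one value per calendar day, zero on idle days.
    active = defaultdict(dict)
    for (caller, day), n in daily.items():
        if day < recent_start:
            active[caller][day] = n
    baseline = {}
    for caller, days in active.items():
        if len(days) < min_active_days:
            continue  # too little history to judge this identity
        series = [days.get(baseline_start + timedelta(days=i), 0) for i in range(baseline_days)]
        baseline[caller] = (mean(series), stdev(series))

    flagged = []
    for (caller, day), n in daily.items():
        if day < recent_start or caller not in baseline:
            continue
        avg, sd = baseline[caller]
        score = (n - avg) / sd if sd > 0 else float(n - avg)  # zero-variance fallback
        if score >= z_threshold or (avg < 1 and n >= burst_floor):
            flagged.append({"day": day.isoformat(), "caller": caller, "count": n,
                            "avg": round(avg, 1), "stdev": round(sd, 1), "score": round(score, 1)})
    flagged.sort(key=lambda r: (-r["score"], -r["count"]))
    return flagged


NOW = datetime(2026, 3, 12, 10, 0)  # constructed reference time for the sample
VM_WRITE = "MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE"
SA_WRITE = "MICROSOFT.STORAGE/STORAGEACCOUNTS/WRITE"
SA_DELETE = "MICROSOFT.STORAGE/STORAGEACCOUNTS/DELETE"
SA_LISTKEYS = "MICROSOFT.STORAGE/STORAGEACCOUNTS/LISTKEYS/ACTION"


def _ev(days_ago, caller, operation, ip="203.0.113.10", status="Success"):
    return {"time": NOW - timedelta(days=days_ago), "caller": caller,
            "operation": operation, "ip": ip, "status": status}


def sample_events():
    """Constructed AzureActivity-like records (not real telemetry)."""
    ev = []
    for d in range(1, 31):  # alice: exactly 5 VM writes every day -> constant baseline
        ev += [_ev(d, "alice@contoso.example", VM_WRITE)] * 5
    for d in (10, 15, 20):  # bob: 2 writes on three baseline days ...
        ev += [_ev(d, "bob@contoso.example", SA_WRITE)] * 2
    ev += [_ev(2, "bob@contoso.example", SA_DELETE)] * 40  # ... then 40 deletions
    # Noise the filters must drop: listKeys actions, deployment tooling, platform IP.
    ev += [_ev(2, "bob@contoso.example", SA_LISTKEYS)] * 50
    ev += [_ev(2, "terraform-sp@contoso.example", VM_WRITE)] * 500
    ev += [_ev(2, "carol@contoso.example", VM_WRITE, ip="168.63.129.16")] * 500
    return ev


if __name__ == "__main__":
    for row in score_daily_volume(sample_events(), NOW):
        print(row)
```

On the constructed sample only bob's 40-deletion day is returned (baseline average 0.3, standard deviation 0.7, score about 57.7, and it also satisfies the "rarely active, 10 or more" rule), while alice's perfectly constant 5-per-day baseline scores 0 on every recent day because the zero-variance fallback measures excess over the average rather than the raw count; the listKeys actions, the terraform-sp principal and the platform-IP traffic never reach the counts. Swapping in your own exported daily counts lets you see how many rows each threshold would surface before changing the KQL.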

David Alonso
Released: March 12, 2026