KQL Sniper For Compromised Account Sentinel UEBA
Query
// KQL Sniper for Compromised Account (Sentinel UEBA)
// https://www.linkedin.com/posts/activity-7199442661735374850-GqAK/
// The KQL script provided demonstrates a high level of precision in detecting a breached account by employing Sentinel UEBA analytics, given that every criterion within the conditions is satisfied. 🎯
BehaviorAnalytics
| where TimeGenerated > ago(90d)
| where DevicesInsights contains "ThreatIntelIndicatorType"
| extend ThreatIntel=tostring(DevicesInsights.ThreatIntelIndicatorDescription)
| where ThreatIntel contains "IP Address used for validating compromised Entra ID credentials"
| where SourceDevice == "" and ActivityType != "FailedLogOn"
| where InvestigationPriority > 0
| project TimeGenerated, InvestigationPriority, UserPrincipalName, SourceIPAddress, SourceIPLocation, UsersInsights, DevicesInsights, ActivityInsights
// MITRE ATT&CK Mapping
// Based on the KQL code, the following MITRE ATT&CK techniques are relevant:
// T1078 - Valid Accounts:
// The query looks for IP addresses used for validating compromised Entra ID credentials, which aligns with the use of valid accounts by adversaries.
// T1071 - Application Layer Protocol:
// The use of IP addresses for validation may involve application layer protocols.
// T1087 - Account Discovery:
// The query involves identifying user principal names, which is related to account discovery.
// T1057 - Process Discovery:
// Although not directly mentioned, the investigation of devices and activities can relate to process discovery.
// T1589 - Gather Victim Identity Information:
// The query gathers information about user identities and their associated activities.Explanation
This KQL query is designed to detect compromised accounts using Sentinel's User and Entity Behavior Analytics (UEBA). Here's a simplified breakdown of what the query does:
- Time Frame: It looks at data from the last 90 days.
- Threat Detection: It searches for entries in the
BehaviorAnalyticstable where theDevicesInsightsfield indicates a threat related to "ThreatIntelIndicatorType". - Specific Threat: It focuses on threats where the description mentions an "IP Address used for validating compromised Entra ID credentials".
- Filter Conditions: It excludes entries where the
SourceDeviceis empty and theActivityTypeis not "FailedLogOn". - Priority: It only considers incidents with a positive
InvestigationPriority. - Output: The query projects (selects) specific fields for further analysis:
TimeGenerated,InvestigationPriority,UserPrincipalName,SourceIPAddress,SourceIPLocation,UsersInsights,DevicesInsights, andActivityInsights.
Additionally, the query is mapped to several MITRE ATT&CK techniques, which are frameworks used to understand and categorize cyber threats:
- T1078 - Valid Accounts: The query identifies IP addresses used for validating compromised credentials, which is related to the use of valid accounts by attackers.
- T1071 - Application Layer Protocol: The validation process may involve application layer protocols.
- T1087 - Account Discovery: It involves identifying user principal names, which is part of discovering accounts.
- T1057 - Process Discovery: Although not directly mentioned, analyzing device and activity insights can relate to discovering processes.
- T1589 - Gather Victim Identity Information: The query collects information about user identities and their activities.
In summary, this query is a precise tool for identifying potentially compromised accounts by analyzing specific threat indicators and user activities, and it aligns with known cyber threat techniques.
Details

Steven Lim
Released: August 25, 2024
Tables
BehaviorAnalytics
Keywords
BehaviorAnalyticsDevicesInsightsThreatIntelIndicatorDescriptionSourceDeviceActivityTypeInvestigationPriorityUserPrincipalNameSourceIPAddressSourceIPLocationUsersInsightsActivityInsights
Operators
BehaviorAnalyticswhereagocontainsextendtostringproject