Query Details

Threat Hunting Nation State Actors

Query

//Threat Hunting Nation State Actors
//https://www.linkedin.com/feed/update/urn:li:activity:7173156446581219328/

//In view of recent security updates from Microsoft on the January breach by Midnight Blizzard, for those on Microsoft Entra ID P2 you can also use the sign-in log's RiskEventTypes_V2 field to hunt for possible nation-state actor involvement in your Entra tenant by using the KQL query below.

SigninLogs
| where TimeGenerated > ago(90d)
| extend V2Risk = tostring(RiskEventTypes_V2)
| where V2Risk contains "estsRiskStateP"


Explanation

This query is designed to help identify potential nation-state actors involved in security breaches within a Microsoft Entra ID P2 environment. Here's a simple breakdown:

  1. Data Source: The query looks at SigninLogs, which records sign-in activities.
  2. Time Frame: It filters the logs to include only those generated in the last 90 days.
  3. Risk Events: It extends the logs with a new field V2Risk, which converts the RiskEventTypes_V2 field (a dynamic JSON array of risk detection names) to a plain string so it can be searched with contains.
  4. Filter for Risk: It then filters the logs to include only those where the V2Risk field contains the string "estsRiskStateP".

In summary, this query helps you find recent sign-in attempts that have specific risk indicators, which could suggest involvement by sophisticated threat actors, such as nation-state hackers.
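As an added triage follow-on, not part of the original query, the block below keeps the same 90-day window and the same "estsRiskStateP" filter, then expands RiskEventTypes_V2 and summarizes per user; which extra SigninLogs columns to surface is an assumption about what an analyst wants next.

```kql
// Added triage extension of the hunt above (not from the original post).
// Same window and same filter; the extra columns are an assumed triage view.
SigninLogs
| where TimeGenerated > ago(90d)
| extend V2Risk = tostring(RiskEventTypes_V2)
| where V2Risk contains "estsRiskStateP"
// RiskEventTypes_V2 is a dynamic array; expand it so each risk type is its own row
| mv-expand RiskType = RiskEventTypes_V2 to typeof(string)
| extend Country = tostring(LocationDetails.countryOrRegion)
// ResultType "0" is a successful sign-in; any other code is a failure or interrupt
| extend Outcome = iff(ResultType == "0", "Success", "Failure")
| summarize
    FirstSeen  = min(TimeGenerated),
    LastSeen   = max(TimeGenerated),
    SignIns    = dcount(Id),                       // distinct sign-ins, not expanded rows
    Successes  = dcountif(Id, Outcome == "Success"),
    SourceIPs  = make_set(IPAddress, 20),
    Countries  = make_set(Country, 10),
    Apps       = make_set(AppDisplayName, 10),
    RiskTypes  = make_set(RiskType, 10),
    RiskStates = make_set(RiskState, 5)
    by UserPrincipalName
// Put accounts where a flagged sign-in actually succeeded at the top of the list
| order by Successes desc, SignIns desc
```

Accounts with Successes greater than zero are the ones to review first, since the flagged sign-in was not blocked by Conditional Access or risk policy.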

Details

Steven Lim

Released: August 2, 2024

Tables

SigninLogs

Keywords

SigninLogs, EntraTenant, RiskEventTypes, NationStateActors

Operators

SigninLogs, |, where, >, ago( ), extend, =, tostring, contains
