Threat Intelligence Data From Sentinel UEBA
Query
// Threat Intelligence Data from Sentinel UEBA
// https://www.linkedin.com/posts/activity-7199353581236338689-AJdl/
// The following KQL query extracts threat intelligence data for Entra users with a score of 5 or higher. This data helps you visualize the types of threats your cloud environment might be facing.
//Here's what you can potentially expect to uncover:
//- Scanner IP addresses
//- Malicious activity identified by honeypots
//- Microsoft Deep Research threat intelligence
//- Command and Control (C2) server communication attempts
//- Port scans
//- Phishing attempts
//- Distributed Denial-of-Service (DDoS) attacks
//- Hacking tools
//- Compromised Entra credential activity
//- Brute-force attacks
//- Remote Code Execution (RCE) vulnerabilities
//- Email spam campaigns
//- Spoofing attempts
//By analyzing this threat intelligence, you can gain valuable insights and take steps to protect your cloud environment. 🫡
//KQL Code:
BehaviorAnalytics
| where TimeGenerated > ago(90d)
| where DevicesInsights contains "ThreatIntelIndicatorType"
| extend ThreatIntel=tostring(DevicesInsights.ThreatIntelIndicatorDescription)
| where InvestigationPriority > 5
| distinct ThreatIntel
// MITRE ATT&CK Mapping
// Based on the KQL code, the following MITRE ATT&CK techniques might be relevant:
// Tactic: Reconnaissance
// Technique: Gather Victim Host Information (T1592)
// The query looks for threat intelligence indicators, which could include information about victim hosts.
// Tactic: Initial Access
// Technique: Drive-by Compromise (T1189)
// Threat intelligence indicators might include information about initial access methods like drive-by compromises.
// Tactic: Execution
// Technique: Command and Scripting Interpreter (T1059)
// The presence of threat intelligence indicators could suggest the use of scripting for execution.
// Tactic: Persistence
// Technique: Account Manipulation (T1098)
// High investigation priority records might indicate attempts to manipulate accounts for persistence.
// Tactic: Defense Evasion
// Technique: Indicator Removal on Host (T1070)
//Filtering for high-priority investigations could reveal attempts to evade detection by removing indicators.
// Tactic: Collection
// Technique: Data from Local System (T1005)
// Threat intelligence indicators might include data collection activities from local systems.
// Tactic: Exfiltration
// Technique: Exfiltration Over C2 Channel (T1041)
// High-priority investigations could indicate exfiltration activities over command and control channels.Explanation
This KQL query is designed to extract and analyze threat intelligence data from Sentinel UEBA (User and Entity Behavior Analytics) for Entra users who have a high threat score of 5 or more. The goal is to identify and understand various types of threats that might be targeting your cloud environment. Here's a simple breakdown of what the query does and what it can help you discover:
- Time Frame: It looks at data from the last 90 days.
- Focus: It specifically targets entries that contain threat intelligence indicators.
- Priority: It filters for records with an investigation priority greater than 5, indicating significant threats.
- Output: It lists distinct threat intelligence descriptions.
By running this query, you can uncover various potential threats such as:
- IP addresses used for scanning
- Malicious activities detected by honeypots
- Attempts to communicate with Command and Control (C2) servers
- Port scanning activities
- Phishing and DDoS attacks
- Use of hacking tools
- Compromised credentials
- Brute-force attacks
- Remote Code Execution vulnerabilities
- Email spam and spoofing attempts
The insights gained from this analysis can help you take proactive measures to secure your cloud environment.
Additionally, the query is mapped to relevant MITRE ATT&CK techniques, which provide a framework for understanding the tactics and techniques used by adversaries. These include reconnaissance, initial access, execution, persistence, defense evasion, collection, and exfiltration activities. This mapping helps in understanding the broader context of the threats and how they align with known attack patterns.
Details

Steven Lim
Released: August 25, 2024
Tables
Keywords
Operators