List Cloud Discovery Performed By User At Risk
This KQL query identifies discovery events performed by users marked as at risk within an Azure environment. It targets actions like downloading group members or fetching tenant details, which are common reconnaissance steps an attacker might take after gaining access to a tenant. Monitoring these events can help detect potentially compromised accounts performing suspicious activities.
Risk
Users flagged as at risk who also conduct discovery actions are likely compromised or involved in malicious activity. Such behavior should prompt immediate investigation of the user account and, if confirmed malicious, disablement to prevent further damage or data exposure.
Query
Microsoft Sentinel
// Define DiscoveryEvents; the list can be extended with other operation names of your choosing
let DiscoveryEvents = dynamic(["Export", "Download group members", "Get tenant details", "Download Users", "Download Devices"]);
let RiskyUsers = AADRiskyUsers
| where TimeGenerated > ago(90d)
| summarize arg_max(TimeGenerated, *) by Id
// Only keep currently risky users. To include every user that has ever been flagged as risky, remove the line below.
| where RiskState in~ ('atRisk', 'confirmedCompromised')
| distinct UserDisplayName;
AuditLogs
// Keep only audit events whose actor is one of the RiskyUsers (matched on display name, case-insensitively)
| where Identity in~ (RiskyUsers)
// Filter on DiscoveryEvents
| where OperationName has_any (DiscoveryEvents)
| project TimeGenerated, Identity, OperationName, Category,
ResultDescription, Result
This query cross-references users flagged in Azure AD risk data with audit log entries for discovery operations. The risky-user set is built from the last 90 days of risk data, keeping only each user's most recent risk state, and the audit log is then narrowed to suspicious discovery activities such as downloading tenant information or group members.
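To show how the query's logic behaves on concrete rows, here is an added Python re-implementation of the same steps (not part of the original page and not a Sentinel API), run over constructed sample AADRiskyUsers and AuditLogs records; KQL's has_any is approximated as a case-insensitive substring match.

```python
from datetime import datetime

# Same operation names as the query's DiscoveryEvents list
DISCOVERY_EVENTS = ["Export", "Download group members", "Get tenant details",
                    "Download Users", "Download Devices"]
# RiskState values kept by `where RiskState in~ (...)`, compared case-insensitively
ACTIVE_RISK_STATES = {"atrisk", "confirmedcompromised"}

# Constructed sample rows standing in for AADRiskyUsers. Alice was at risk but
# her latest record is "remediated", so arg_max per Id must drop her.
RISKY_USERS = [
    {"TimeGenerated": datetime(2024, 1, 2), "Id": "u1", "UserDisplayName": "Alice Adams", "RiskState": "atRisk"},
    {"TimeGenerated": datetime(2024, 1, 5), "Id": "u1", "UserDisplayName": "Alice Adams", "RiskState": "remediated"},
    {"TimeGenerated": datetime(2024, 1, 3), "Id": "u2", "UserDisplayName": "Bob Brown", "RiskState": "confirmedCompromised"},
    {"TimeGenerated": datetime(2024, 1, 4), "Id": "u3", "UserDisplayName": "Cara Cole", "RiskState": "AtRisk"},
]
# Constructed sample rows standing in for AuditLogs
AUDIT_LOGS = [
    {"TimeGenerated": datetime(2024, 1, 6), "Identity": "Alice Adams", "OperationName": "Download group members"},
    {"TimeGenerated": datetime(2024, 1, 6), "Identity": "Bob Brown", "OperationName": "Get tenant details"},
    {"TimeGenerated": datetime(2024, 1, 6), "Identity": "bob brown", "OperationName": "Update user"},
    {"TimeGenerated": datetime(2024, 1, 7), "Identity": "cara cole", "OperationName": "Export"},
]


def active_risky_users(rows):
    """Mirror `summarize arg_max(TimeGenerated, *) by Id` followed by the RiskState filter.
    Returns lower-cased display names, since the query matches with `in~`."""
    latest = {}
    for row in rows:
        current = latest.get(row["Id"])
        if current is None or row["TimeGenerated"] > current["TimeGenerated"]:
            latest[row["Id"]] = row
    return {r["UserDisplayName"].lower() for r in latest.values()
            if r["RiskState"].lower() in ACTIVE_RISK_STATES}


def risky_discovery(audit_rows, risky_names):
    """Mirror the AuditLogs filters: actor must be a risky user and the
    OperationName must contain one of the discovery terms."""
    hits = []
    for row in audit_rows:
        if row["Identity"].lower() not in risky_names:
            continue
        op = row["OperationName"].lower()
        if any(ev.lower() in op for ev in DISCOVERY_EVENTS):
            hits.append((row["TimeGenerated"], row["Identity"], row["OperationName"]))
    return hits


if __name__ == "__main__":
    for hit in risky_discovery(AUDIT_LOGS, active_risky_users(RISKY_USERS)):
        print(hit)
```

On the sample data only Bob's "Get tenant details" and Cara's "Export" are returned: Alice is excluded because her most recent risk state is remediated, and Bob's "Update user" is not a discovery operation.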