Threat Hunting Primer - Section 3: Azure Primer - Azure elements & KQL Deep Dive
Azure Cloud Threat Hunting
Microsoft Azure provides extensive logging, endpoint, and identity telemetry integrated with its Defender and Sentinel platforms. With rich support for Kusto Query Language (KQL), threat hunters can extract detailed insights from cloud activity and behavioral anomalies.
Key Security and Observability Tools
Service | Description | Threat Hunting Use Cases |
---|---|---|
Microsoft Defender XDR | Cross-platform security insights (identity, endpoint, cloud) | Advanced threat correlation across devices, services, and identities |
Azure Monitor / Log Analytics | Unified platform for logs and metrics | Query and visualize log data using KQL for detections |
Azure AD Sign-In Logs | Tracks sign-in activity across users and services | Brute-force attempts, impossible travel, MFA bypass |
Azure Activity Logs | Tracks configuration and management actions in Azure | Detect unauthorized resource manipulation |
Azure Key Vault | Securely stores secrets, certificates, and keys | Alert on excessive access or failed retrievals |
Deep Dive: KQL for Threat Hunting
Kusto Query Language (KQL) is used in Azure Monitor, Log Analytics, and Microsoft Sentinel for querying large datasets.
Example 1: Detect Multiple Failed Logins
SigninLogs
| where ResultType == "50074"                   // ResultType is a string column in SigninLogs
| summarize FailedAttempts = count() by IPAddress, bin(TimeGenerated, 1h)   // bucket per source IP per hour
| where FailedAttempts > 10
Example 2: Impossible Travel Detection
SigninLogs
| extend timestamp = TimeGenerated,
         location = tostring(Location),
         user = UserPrincipalName
| summarize Locations = make_set(location),     // make_set replaces the deprecated makeset alias
            FirstSeen = min(timestamp),
            LastSeen = max(timestamp) by user
| where array_length(Locations) > 1             // users seen signing in from more than one location
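The query above lists users seen from more than one location; as an added example (not part of the original primer), the following KQL goes one step further and compares each successful sign-in with the same user's previous sign-in, flagging a country change within a short window. It assumes the standard Sentinel SigninLogs schema (Location holds the country code, ResultType "0" is success); the 60-minute threshold is an assumed starting value to tune per tenant.

```kql
SigninLogs
| where ResultType == "0"                           // successful sign-ins only
| extend Country = tostring(Location)
| where isnotempty(Country)
// sort by serializes the rows so prev() can look at the preceding sign-in
| sort by UserPrincipalName asc, TimeGenerated asc
| extend PrevUser    = prev(UserPrincipalName),
         PrevCountry = prev(Country),
         PrevTime    = prev(TimeGenerated)
// keep only consecutive sign-ins of the same user from different countries
| where UserPrincipalName == PrevUser and Country != PrevCountry
| extend MinutesBetween = datetime_diff('minute', TimeGenerated, PrevTime)
| where MinutesBetween between (0 .. 60)            // assumed window: 60 minutes, tune as needed
| project TimeGenerated, UserPrincipalName, PrevCountry, Country, MinutesBetween, IPAddress
```

Known corporate VPN or proxy egress countries should be excluded before the comparison to keep the false-positive rate manageable.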
MITRE ATT&CK Mapping (Azure)
Tactic | Technique | Azure Source | Detection Strategy |
---|---|---|---|
Credential Access | T1110 - Brute Force | Azure AD Sign-In Logs | Multiple failed sign-in attempts from the same IP |
Lateral Movement | T1021.002 - SMB/Remote Desktop | Defender for Endpoint | Multiple device logins from single account within a short time |
Persistence | T1098 - Account Manipulation | Activity Logs | Admin rights assignment to new accounts |
Exfiltration | T1048 - Exfiltration Over Alternative Protocol | Log Analytics + Network Watcher | Traffic to unknown external hosts via non-standard ports |
Elastic AI Integration (Azure)
Azure logs can be exported using the Azure Monitor Diagnostic Settings into Event Hub or Logstash pipelines. Elastic Agent or Beats can ingest this directly into your SIEM.
Example rule for detecting privilege escalation in Azure AD:
{
  "query": {
    "bool": {
      "must": [
        { "match": { "azure.auditlogs.operationName": "Add member to role" } },
        { "match": { "azure.auditlogs.properties.targetRole": "Global Administrator" } }
      ]
    }
  }
}
Suggested Azure Hunting Queries
Behavior | Service | KQL or Detection |
---|---|---|
Excessive Key Vault reads | Azure Monitor | Monitor VaultAccessLogs for high frequency |
Disabled MFA detection | Sign-In Logs | ResultType 50140 or sign-ins without MFA used |
Audit log tampering | Activity Logs | DisableAuditLogs or Remove-DiagnosticSetting events |