User Granted Access and created resources

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

↑ Back to Content Index

---

Identifies when a new user is granted access and starts creating resources in Azure. This can help you identify rogue or malicious user behavior.

Attribute	Value
Type	Hunting Query
Solution	Standalone Content
ID	b6baa3bb-a231-4e50-8ad1-4e28a958a0d3
Tactics	Persistence, PrivilegeEscalation, Impact
Techniques	T1098, T1078, T1496
Required Connectors	AzureActivity, AzureActivity
Source	View on GitHub

Tables Used

This content item queries data from the following tables:

Table	Selection Criteria	Transformations	Ingestion API	Lake-Only
AuditLogs		✓	✗	?
AzureActivity	OperationName has "Create"	?	✗	?
Operation		?	✗	?

Associated Connectors

The following connectors provide data for this content item:

Connector	Solution
AzureActiveDirectory	Microsoft Entra ID
AzureActivity	Azure Activity

Solutions: Azure Activity, Microsoft Entra ID

---

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

↑ Back to Hunting Queries