Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊
Under specific circumstances, executing KQL queries can exfiltrate information like access tokens, regarding external data functions like adx(). This query tries to list executed KQL queries that used the adx() function and where an access token might have been exposed to. Ref: https://docs.microsoft.com/azure/azure-monitor/logs/azure-monitor-data-explorer-proxy Ref: https://securecloud.blog/2022/04/27/azure-monitor-malicious-kql-query/
| Attribute | Value |
|---|---|
| Type | Hunting Query |
| Solution | GitHub Only |
| ID | 58b17f82-f594-4d36-9b78-4e4b03992708 |
| Tactics | Exfiltration |
| Techniques | T1567 |
| Required Connectors | AzureMonitor(Query Audit) |
| Source | View on GitHub |
This content item queries data from the following tables:
| Table | Transformations | Ingestion API | Lake-Only |
|---|---|---|---|
LAQueryLogs |
✓ | ✗ | ? |
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊