What Changed
This PR introduces the Hybrid Attack - Cloud and Identity Solution (v3.0.0, Private Preview), adding 55+ new Hunting Queries and a companion Workbook to Microsoft Sentinel Content Hub. All content is net-new with no prior version in the repository.
The Solution targets multi-stage, cross-environment attack chains where initial compromise occurs on-premises or at the network edge and the attacker subsequently pivots into Azure, Entra ID, or Kubernetes control planes – sequences that individual, table-scoped detections typically fail to surface.
Hunting Query Coverage
The queries are organized by MITRE tactic and span seven major categories:
Initial Access (10 queries)
Multi-source correlation across VPN authentication logs, network appliance telemetry, and ASIM-normalized authentication tables:
- CVE exploitation on network appliances – correlates known-vulnerable appliance fingerprints against post-auth config changes
- Credential stuffing / spray against VPN – joins authentication failure bursts to successful logins with novel IP or geo context
- IMDS token theft chain – detects Azure VM Instance Metadata Service token requests followed by first-seen cloud control-plane operations from the same IP
- Service principal burst after credential change – correlates Entra app credential modifications with novel SP sign-ins
Primary tables: _Im_Authentication (ASIM), CloudAuditEvents, AzureDiagnostics
Lateral Movement (5 queries)
Designed for hybrid environments where on-premises compromise is used as a springboard to Azure/Entra:
- Kerberoasting to cloud sign-in – correlates Kerberos ticket requests using weak encryption (etype 17/18/23) from SecurityEvent against subsequent Entra ID sign-ins by the same identity
- RDP to hybrid device then Entra access – imNetworkSession/imAuthentication join detecting lateral movement to a hybrid-joined device followed by cloud resource access
- WMI remote execution then cloud sign-in – process event correlation (_Im_ProcessEvent) detecting WMI-based remote execution followed by novel cloud sign-in
- AAD Connect host remote admin then Entra privilege op – targets the AAD Connect host as a pivot point to directory-level privilege operations
Primary tables: SecurityEvent, _Im_Authentication, _Im_ProcessEvent, CloudAuditEvents, AuditLogs
Credential Access (6 queries)
Focuses on secrets harvesting, Kubernetes token abuse, and Key Vault-pivoted credential theft:
- K8s secret enumeration then pod exec – AzureDiagnostics kube-audit joins on secrets/list or secrets/get followed by pods/exec or pods/attach within a 30-minute window
- K8s token audit then novel cloud control plane – CloudAuditEvents correlation of Kubernetes token service account operations followed by first-seen Azure RBAC/Key Vault/Storage operations from the same IP/user-agent tuple
- Key Vault harvest then novel SPN sign-in from non-Microsoft IP – baselines the (SPN, IP) tuple against 14-day history; alerts on first-seen combinations post-secret retrieval
Primary tables: AzureDiagnostics, CloudAuditEvents, AzureActivity, CloudStorageAggregatedEvents, AADServicePrincipalSignInLogs
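The secret-enumeration-then-exec sequence described above, written out as an added KQL example (not one of the Solution's shipped queries). It assumes the AKS `kube-audit` diagnostic category is routed to AzureDiagnostics with the audit event in `log_s`, and the automation allow-list is a constructed placeholder:

```kql
// Added example, not one of the Solution's shipped queries.
// Assumes the AKS "kube-audit" diagnostic category is routed to AzureDiagnostics (event JSON in log_s).
let lookback = 1d;
let window = 30m;
// Constructed allow-list of CI/CD or controller identities that legitimately read secrets; tune per environment.
let automationUsers = dynamic(["system:serviceaccount:argocd:argocd-application-controller"]);
let kubeAudit = AzureDiagnostics
    | where TimeGenerated > ago(lookback)
    | where Category == "kube-audit"
    | extend Audit = parse_json(log_s)
    | extend
        Verb = tostring(Audit.verb),
        K8sResource = tostring(Audit.objectRef.resource),
        Subresource = tostring(Audit.objectRef.subresource),
        Namespace = tostring(Audit.objectRef.namespace),
        K8sUser = tostring(Audit.user.username),
        SourceIP = tostring(Audit.sourceIPs[0]),
        Cluster = Resource
    // kubelets read secrets for every pod they schedule; drop them and the allow-listed automation users.
    | where K8sUser !startswith "system:node:" and K8sUser !in (automationUsers);
// Stage 1: secret enumeration or retrieval (list or get on the secrets resource).
let secretReads = kubeAudit
    | where K8sResource == "secrets" and Verb in ("list", "get")
    | project SecretTime = TimeGenerated, K8sUser, Cluster, SecretNamespace = Namespace, SecretIP = SourceIP;
// Stage 2: interactive access into a pod (exec/attach subresources, which arrive as "create" verbs).
let podExecs = kubeAudit
    | where K8sResource == "pods" and Subresource in ("exec", "attach")
    | project ExecTime = TimeGenerated, K8sUser, Cluster, ExecNamespace = Namespace, ExecIP = SourceIP, ExecVerb = Subresource;
// Sequence join: exec/attach must follow a secret read by the same user on the same cluster within the window.
secretReads
| join kind=inner (podExecs) on K8sUser, Cluster
| where ExecTime between (SecretTime .. (SecretTime + window))
| summarize
    SecretReads = dcount(SecretTime),
    FirstSecretRead = min(SecretTime),
    FirstExec = min(ExecTime),
    SecretNamespaces = make_set(SecretNamespace, 20),
    ExecNamespaces = make_set(ExecNamespace, 20),
    SecretReadIPs = make_set(SecretIP, 10),
    ExecIPs = make_set(ExecIP, 10)
    by K8sUser, Cluster, ExecVerb
| extend MinutesToExec = datetime_diff("minute", FirstExec, FirstSecretRead)
| order by SecretReads desc
```

A user whose secret reads and exec calls come from different source IPs, or whose exec lands in a namespace other than the one whose secrets were read, is the row to triage first.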
Defense Evasion (5 queries)
Targets NSG/firewall rule manipulation used to pre-stage exfiltration or C2 channels:
- Network security control tampering – detects NSG, firewall policy, and Azure Firewall rule modifications
- Multi-service exposure followed by key/data access – correlates public exposure writes against subsequent Key Vault and Storage access
- Novel SPN sign-in then RBAC write – surfaces service principal sign-ins with no historical IP precedent followed by role assignment writes
Primary tables: CloudAuditEvents, AzureActivity, _Im_Authentication, ASimAuditEventLogs
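The first-seen (SPN, IP) baselining used in the Credential Access queries above and the "novel SPN sign-in then RBAC write" chain in this section, as an added KQL example (not one of the Solution's shipped queries). It assumes AADServicePrincipalSignInLogs and AzureActivity are connected, and that for a service principal caller AzureActivity `Caller` carries the SP object ID:

```kql
// Added example, not one of the Solution's shipped queries.
// Assumes AADServicePrincipalSignInLogs and AzureActivity are connected to the workspace.
let baselineWindow = 14d;
let detectWindow = 1d;
let pivotWindow = 1h;
let spSignins = AADServicePrincipalSignInLogs
    | where TimeGenerated > ago(baselineWindow + detectWindow)
    | where ResultType == "0"          // successful sign-ins only
    | project TimeGenerated, ServicePrincipalId, ServicePrincipalName, AppId, IPAddress;
// Baseline: every (SP, IP) tuple observed during the 14 days before the detection window.
let knownTuples = spSignins
    | where TimeGenerated <= ago(detectWindow)
    | distinct ServicePrincipalId, IPAddress;
// Novel sign-ins: recent sign-ins whose (SP, IP) tuple has no precedent in the baseline (anti-join).
let novelSignins = spSignins
    | where TimeGenerated > ago(detectWindow)
    | join kind=leftanti (knownTuples) on ServicePrincipalId, IPAddress
    | project SigninTime = TimeGenerated, ServicePrincipalId, ServicePrincipalName, AppId, NovelIP = IPAddress;
// Privilege pivot: successful role assignment writes. For a service principal, AzureActivity.Caller
// holds the SP object ID, which is the same value ServicePrincipalId carries in the sign-in logs.
let rbacWrites = AzureActivity
    | where TimeGenerated > ago(detectWindow)
    | where OperationNameValue =~ "Microsoft.Authorization/roleAssignments/write"
    | where ActivityStatusValue in~ ("Success", "Succeeded")
    | project WriteTime = TimeGenerated, Caller, CallerIpAddress, SubscriptionId, ResourceGroup, _ResourceId;
// Sequence join: the RBAC write must follow the novel sign-in by the same SP within the pivot window.
novelSignins
| join kind=inner (rbacWrites) on $left.ServicePrincipalId == $right.Caller
| where WriteTime between (SigninTime .. (SigninTime + pivotWindow))
| summarize
    FirstNovelSignin = min(SigninTime),
    FirstRbacWrite = min(WriteTime),
    RbacWrites = count(),
    NovelIPs = make_set(NovelIP, 10),
    WriterIPs = make_set(CallerIpAddress, 10),
    AssignmentScopes = make_set(_ResourceId, 20)
    by ServicePrincipalId, ServicePrincipalName, AppId
| extend MinutesToWrite = datetime_diff("minute", FirstRbacWrite, FirstNovelSignin)
| order by FirstNovelSignin desc
```

Because the baseline is built from the same sign-in table, an SP that is new to the tenant has no history at all and will surface on its first sign-in; compare `FirstNovelSignin` against the app registration's creation time in AuditLogs before escalating.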
Persistence (12 queries)
Covers federated trust abuse, MFA manipulation, dormant SP reactivation, Kubernetes scheduling abuse, and kernel-level persistence:
- Federated identity provider added to tenant – AuditLogs detection of federation trust additions
- MFA method added to risky account – correlates RiskyUsers risk level against AuditLogs MFA registration events
- Secret added to dormant service principal – baselines SP sign-in activity; flags credential addition to SPs with no historical authentication
- K8s DaemonSet/CronJob by non-automation identity – CloudAuditEvents kube-audit hunting for persistent scheduling writes by user identities rather than CI/CD service accounts
- Rare kernel load then novel non-interactive sign-in – _Im_ProcessEvent kernel image load with unknown signer correlated against Entra non-interactive sign-ins
Primary tables: AuditLogs, RiskyUsers, AADServicePrincipalSignInLogs, CloudAuditEvents, _Im_ProcessEvent
Discovery (7 queries)
IAM enumeration, Key Vault discovery, and OAuth consent reconnaissance:
- Cross-subscription resource group enumeration sweep – burst detection of Microsoft.Resources list operations across multiple subscriptions/RGs
- IAM enumeration then Key Vault operations – correlates role assignment query audit events against Key Vault access within a short window
- OAuth consent then first-seen OAuth app ID burst – detects the consent-grant foothold commonly used in BEC and cloud persistence chains
Primary tables: CloudAuditEvents, AuditLogs, AzureActivity, AADServicePrincipalSignInLogs
Exfiltration (8 queries)
Targets email forwarding rules, mailbox enumeration, Storage bulk downloads, and OAuth-scoped data access:
- Storage bulk download via account key or SAS – CloudStorageAggregatedEvents detection of high-volume downloads using storage account keys or SAS tokens (T1530)
- Key Vault secret retrieval then storage key auth pivot – end-to-end chain: KV secret GET, storage key authentication, bulk read
- Suspicious OAuth consent with sensitive permissions – surfaces app registrations granted Mail.Read, Files.Read.All, or equivalent Graph API permissions following first-seen consent
Primary tables: CloudStorageAggregatedEvents, AzureActivity, AuditLogs, CloudAppEvents, OfficeActivity
MITRE Mapping
| Tactic | Techniques |
|---|---|
| Initial Access | T1190, T1133, T1078, T1078.004, T1110.001, T1110.003, T1110.004 |
| Lateral Movement | T1021.001, T1047, T1550, T1550.001, T1558.003 |
| Credential Access | T1552, T1552.007, T1528, T1526, T1609 |
| Defense Evasion | T1562.004, T1562.007, T1071 |
| Persistence | T1098, T1098.001, T1098.003, T1136.001, T1020 |
| Discovery | T1087.004, T1069.003, T1526, T1213 |
| Exfiltration | T1530, T1537, T1567, T1567.002, T1041 |
ASIM Usage
Queries consistently use ASIM normalised functions (_Im_Authentication, _Im_ProcessEvent, _Im_AuditEvent) rather than raw tables, making the content schema-agnostic across authentication and process data sources. CI config additions (CustomFunctions/ and CustomTables/ JSON schemas) add KQL validation stubs for CloudAuditEvents, CloudProcessEvents, CloudStorageAggregatedEvents, ASimAuditEventLogs, and ASimAuthenticationEventLogs.
Workbook
A companion Workbook is included for visual investigation of hunting query results. No Analytic Rules are included in this release – all content requires active hunting or scheduled workbook review.
Affected Files
.script/tests/KqlvalidationsTests/CustomFunctions/_Im_AuditEvent.json
.script/tests/KqlvalidationsTests/CustomFunctions/_Im_Authentication.json
.script/tests/KqlvalidationsTests/CustomFunctions/_Im_ProcessEvent.json
.script/tests/KqlvalidationsTests/CustomTables/AADServicePrincipalSignInLogs.json
.script/tests/KqlvalidationsTests/CustomTables/ASimAuditEventLogs.json
.script/tests/KqlvalidationsTests/CustomTables/ASimAuthenticationEventLogs.json
.script/tests/KqlvalidationsTests/CustomTables/CloudAppEvents.json
.script/tests/KqlvalidationsTests/CustomTables/CloudAuditEvents.json
.script/tests/KqlvalidationsTests/CustomTables/CloudProcessEvents.json
.script/tests/KqlvalidationsTests/CustomTables/CloudStorageAggregatedEvents.json
.script/tests/KqlvalidationsTests/CustomTables/IdentityInfo.json
Solutions/Hybrid Attack - Cloud & Identity/.vscode/settings.json
Solutions/Hybrid Attack - Cloud & Identity/Hunting Queries/CredentialAccess/k8s-secret-enumeration-followed-by-exec.yaml
Solutions/Hybrid Attack - Cloud & Identity/Hunting Queries/CredentialAccess/k8s-token-audit-then-novel-cloud-control-plane.yaml
Solutions/Hybrid Attack - Cloud & Identity/Hunting Queries/CredentialAccess/keyvault-secret-read-then-partial-storage-exfil.yaml
Solutions/Hybrid Attack - Cloud & Identity/Hunting Queries/CredentialAccess/kv-harvest-spn-signin-then-out-of-scope-resource-access.yaml
Solutions/Hybrid Attack - Cloud & Identity/Hunting Queries/CredentialAccess/kv-secret-harvest-followed-by-novel-spn-signin-non1p-ip.yaml
Solutions/Hybrid Attack - Cloud & Identity/Hunting Queries/CredentialAccess/pod-cloud-cli-then-keyvault-storage-access.yaml
Solutions/Hybrid Attack - Cloud & Identity/Hunting Queries/DefenseEvasion/NetworkSecurityControlTampering.yaml
Solutions/Hybrid Attack - Cloud & Identity/Hunting Queries/DefenseEvasion/multi-service-network-exposure-followed-by-key-and-data-access.yaml
Solutions/Hybrid Attack - Cloud & Identity/Hunting Queries/DefenseEvasion/novel-spn-signin-followed-by-rbac-write.yaml
Solutions/Hybrid Attack - Cloud & Identity/Hunting Queries/DefenseEvasion/pod-token-tooling-then-cloud-rbac-write.yaml
Solutions/Hybrid Attack - Cloud & Identity/Hunting Queries/DefenseEvasion/suspicious-signin-followed-by-cloud-network-exposure-writes.yaml
Solutions/Hybrid Attack - Cloud & Identity/Hunting Queries/Discovery/cross-subscription-and-rg-enumeration-sweep.yaml
Solutions/Hybrid Attack - Cloud & Identity/Hunting Queries/Discovery/iam-enumeration-followed-by-keyvault-operations.yaml
Solutions/Hybrid Attack - Cloud & Identity/Hunting Queries/Discovery/iam-recon-followed-by-role-assignment-write.yaml
Solutions/Hybrid Attack - Cloud & Identity/Hunting Queries/Discovery/identity-app-enum-followed-by-noninteractive-novel-tuple.yaml
Solutions/Hybrid Attack - Cloud & Identity/Hunting Queries/Discovery/keyvault-discovery-followed-by-datastore-enumeration.yaml
Solutions/Hybrid Attack - Cloud & Identity/Hunting Queries/Discovery/novel-signin-followed-by-iam-recon-burst.yaml
Solutions/Hybrid Attack - Cloud & Identity/Hunting Queries/Discovery/oauth-consent-followed-by-firstseen-oauthappid-burst.yaml
Solutions/Hybrid Attack - Cloud & Identity/Hunting Queries/Exfiltration/EmailForwardingRuleToExternal.yaml
Solutions/Hybrid Attack - Cloud & Identity/Hunting Queries/Exfiltration/MultiMailboxAccessBySingleIP.yaml
Solutions/Hybrid Attack - Cloud & Identity/Hunting Queries/Exfiltration/StorageAccessFirstSeenExternalIP.yaml
Solutions/Hybrid Attack - Cloud & Identity/Hunting Queries/Exfiltration/StorageBulkDownloadAccountKeySAS.yaml
Solutions/Hybrid Attack - Cloud & Identity/Hunting Queries/Exfiltration/SuspiciousOAuthConsentSensitivePermissions.yaml
Solutions/Hybrid Attack - Cloud & Identity/Hunting Queries/Exfiltration/keyvault-secret-retrieval-followed-by-storage-key-auth-pivot.yaml
Solutions/Hybrid Attack - Cloud & Identity/Hunting Queries/Exfiltration/novel-identity-followed-by-keyvault-secret-burst.yaml
Solutions/Hybrid Attack - Cloud & Identity/Hunting Queries/Exfiltration/partial-failures-then-read-concentration.yaml
Solutions/Hybrid Attack - Cloud & Identity/Hunting Queries/InitialAccess/CVEExploitationOnNetworkAppliance3P.yaml
Solutions/Hybrid Attack - Cloud & Identity/Hunting Queries/InitialAccess/CredentialStuffingSprayOnVPN3P.yaml
Solutions/Hybrid Attack - Cloud & Identity/Hunting Queries/InitialAccess/PostAuthConfigChangeOnAppliance3P.yaml
Solutions/Hybrid Attack - Cloud & Identity/Hunting Queries/InitialAccess/RiskyVPNSignIn.yaml
Solutions/Hybrid Attack - Cloud & Identity/Hunting Queries/InitialAccess/TIMatchedIPOnNetworkAppliance.yaml
Solutions/Hybrid Attack - Cloud & Identity/Hunting Queries/InitialAccess/VPNCredentialStuffingAndSpray.yaml
Solutions/Hybrid Attack - Cloud & Identity/Hunting Queries/InitialAccess/azure-vm-imds-token-theft-chain.yaml
Solutions/Hybrid Attack - Cloud & Identity/Hunting Queries/InitialAccess/entra-app-credential-change-sp-signin-burst-chain.yaml
Solutions/Hybrid Attack - Cloud & Identity/Hunting Queries/InitialAccess/k8s-first-seen-control-plane-writer.yaml
Solutions/Hybrid Attack - Cloud & Identity/Hunting Queries/InitialAccess/rare-sp-signin-followed-by-rbac-write.yaml
Solutions/Hybrid Attack - Cloud & Identity/Hunting Queries/InitialAccess/web-service-child-process-egress.yaml
Solutions/Hybrid Attack - Cloud & Identity/Hunting Queries/LateralMovement/aad-connect-host-remote-admin-followed-by-entra-privilege-operation.yaml
Solutions/Hybrid Attack - Cloud & Identity/Hunting Queries/LateralMovement/entra-hybrid-user-signin-followed-by-onprem-lateral-movement.yaml
Solutions/Hybrid Attack - Cloud & Identity/Hunting Queries/LateralMovement/kerberoast-followed-by-cloud-signin.yaml
Solutions/Hybrid Attack - Cloud & Identity/Hunting Queries/LateralMovement/rdp-to-hybrid-device-followed-by-entra-access.yaml
Solutions/Hybrid Attack - Cloud & Identity/Hunting Queries/LateralMovement/wmi-remote-exec-on-hybrid-device-followed-by-cloud-signin.yaml
Solutions/Hybrid Attack - Cloud & Identity/Hunting Queries/Persistence/FederatedIdentityProviderAddedToTenant.yaml
Solutions/Hybrid Attack - Cloud & Identity/Hunting Queries/Persistence/MFAMethodAddedRiskyAccount.yaml
Solutions/Hybrid Attack - Cloud & Identity/Hunting Queries/Persistence/SecretAddedDormantServicePrincipal.yaml
Solutions/Hybrid Attack - Cloud & Identity/Hunting Queries/Persistence/app-cred-change-sp-burst.yaml
Solutions/Hybrid Attack - Cloud & Identity/Hunting Queries/Persistence/appliance-mgt-session-followed-by-rbac-write.yaml
Solutions/Hybrid Attack - Cloud & Identity/Hunting Queries/Persistence/cloud-run-command-followed-by-kernel-persistence-indicators.yaml
Solutions/Hybrid Attack - Cloud & Identity/Hunting Queries/Persistence/k8s-daemonset-cronjob-by-nonautomation-identity.yaml
Solutions/Hybrid Attack - Cloud & Identity/Hunting Queries/Persistence/rare-kernel-load-signer-drift-followed-by-novel-ni-signin.yaml
Solutions/Hybrid Attack - Cloud & Identity/Hunting Queries/Persistence/rare-sp-auth-tuple.yaml
Solutions/Hybrid Attack - Cloud & Identity/Hunting Queries/Persistence/service-principal-conditional-access-anomaly.yaml
Solutions/Hybrid Attack - Cloud & Identity/Hunting Queries/Persistence/sp-credential-change-followed-by-novel-sp-signin.yaml
Solutions/Hybrid Attack - Cloud & Identity/Hunting Queries/Persistence/suspicious-signin-followed-by-authmethod-or-role-change.yaml
Solutions/Hybrid Attack - Cloud & Identity/Package/testParameters.json
Solutions/Hybrid Attack - Cloud & Identity/Workbooks/HybridAttack-Cloud&Identity.json
Solutions/Hybrid Attack - Cloud & Identity/Workbooks/Images/Preview/HybridAttack-Cloud&IdentityBlack.png
Solutions/Hybrid Attack - Cloud & Identity/Workbooks/Images/Preview/HybridAttack-Cloud&IdentityWhite.png
(packaging artefacts: 3.0.0.zip, ReleaseNotes.md, SolutionMetadata.json, Solution_HybridAttackCloud&Identity.json, createUiDefinition.json, mainTemplate.json)