Cloud Hunting
Threat Hunting in the Cloud, Part 3: Microsoft Azure
Azure threat hunting is identity hunting, control-plane hunting, SaaS hunting, and workload hunting all at once. The Microsoft ecosystem blends Entra ID, Azure Resource Manager, Microsoft 365, Defender XDR, Defender for Cloud, and Microsoft Sentinel. That gives defenders a powerful picture, but it also means adversaries can move through identity, email, endpoints, cloud resources, and SaaS data without ever looking like a single-host compromise.
The hunt model should be simple: start with behavior, then choose telemetry. Microsoft Sentinel's hunting experience groups queries by MITRE ATT&CK tactics and techniques, lets analysts sort by results and result deltas, identify spikes, and run proactive hunting queries before, during, and after compromise. Microsoft Defender XDR advanced hunting provides query-based access to raw data across Defender for Endpoint, Office 365, Cloud Apps, Identity, and Sentinel, using KQL to inspect known and potential threats. Azure Activity Logs expose subscription-level create, update, delete, and action operations, including RBAC changes. Entra sign-in and audit logs provide the identity spine.
In Azure, the highest-value hunts usually answer four questions:
- Who authenticated, from where, using what strength of authentication?
- What did that identity change in Entra ID, Azure RBAC, applications, or subscriptions?
- What data did that identity access across Microsoft 365, storage, databases, and SaaS apps?
- Did the activity weaken recovery, monitoring, conditional access, or incident-response capability?
The Azure Hunt Surface
1. Entra ID and Hybrid Identity
Azure environments often inherit years of identity decisions: synchronized accounts, privileged roles, legacy authentication, app registrations, service principals, conditional access exceptions, break-glass users, and hybrid identity servers. Attackers know this. Recent Microsoft reporting on hybrid cloud ransomware activity has emphasized paths where adversaries compromise on-premises Active Directory, pivot through Entra Connect Sync, abuse privileged synced accounts, create backdoors, and use cloud-native tools for exfiltration and impact.
High-value hunts include:
- New Global Administrator, Privileged Role Administrator, Application Administrator, or Cloud Application Administrator assignments.
- Privileged role activation from unfamiliar devices, locations, or service principals.
- Conditional Access policy disabled, excluded, or modified for privileged users.
- MFA methods added, removed, or reset for privileged accounts.
- New federated credentials, application secrets, certificates, or service principal credentials.
- Entra Connect Sync account activity outside expected patterns.
- Legacy authentication or non-interactive sign-ins for sensitive accounts.
- Impossible travel, unfamiliar sign-in properties, or token use from suspicious infrastructure.
ATT&CK mapping: Valid Accounts, Cloud Accounts, Modify Authentication Process, Multi-Factor Authentication, Hybrid Identity, SAML Tokens, Application Access Token, and Steal Application Access Token.
Threat Foundry tie-in: use the Cloud ATT&CK matrix to turn Entra identity behaviors into saved hunts. Attack Path Builder can chain Hybrid Identity, Modify Authentication Process, Application Access Token, Cloud Service Discovery, and Data from Information Repositories into one investigation package.
2. Azure Resource Manager and Activity Logs
Azure Activity Logs provide subscription-level visibility into Resource Manager operations. Microsoft documents event categories including Administrative (create, update, delete, and action operations), Security (Defender for Cloud alerts), Policy, Resource Health, Service Health, and Alert. Administrative events include changes to Azure RBAC in a subscription.
High-value hunts include:
- Role assignments at subscription, management group, or resource group scope.
- Custom role creation or permission expansion.
- Network security group, route table, firewall, public IP, or private endpoint changes.
- Key Vault access policy or RBAC changes followed by secret reads.
- Storage account public access, firewall, SAS, or key changes.
- Diagnostic settings removed or redirected.
- Defender for Cloud plans disabled or downgraded.
- Resource locks removed before deletion or modification.
ATT&CK mapping: Permission Groups Discovery, Cloud Infrastructure Discovery, Cloud Service Dashboard, Impair Defenses, Unsecured Credentials, and Cloud Storage Object Discovery.
Threat Foundry tie-in: Field Normalization helps map Azure Activity Log fields such as caller, operationName, resourceId, status, claims, and scope into common entities. That makes generated hunts less brittle when customers send Azure logs through Sentinel, Splunk, Event Hubs, or another pipeline.
3. Microsoft Sentinel and KQL as a Hunt Workbench
Sentinel's hunting model is built for iterative analysis. The hunting dashboard lets teams run all or selected hunting queries, inspect result count changes over 24-hour windows, filter by data source and MITRE ATT&CK tactic or technique, and identify queries that need data sources connected. That is exactly the muscle a cloud hunting program needs: not just alert review, but repeated hypothesis testing.
High-value Sentinel hunt themes include:
- Privileged sign-in followed by Azure RBAC changes.
- New app credential followed by Graph API access.
- Defender for Cloud alert correlated with Activity Log resource changes.
- Suspicious storage access followed by large download or export patterns.
- Guest user invited then granted access to sensitive resources.
- Conditional Access policy changes followed by sign-ins that would previously have been blocked.
- Azure Key Vault secret reads after role assignment changes.
Threat Foundry tie-in: Threat Foundry can generate a behavior-focused hunt from the Cloud matrix, while Query Overrides preserve customer-specific KQL. This matters because real Azure data models differ: some teams use native Sentinel tables, some stream Defender data, some normalize into a SIEM, and some combine sources.
4. Defender XDR and Cross-Domain Hunting
Defender XDR advanced hunting is valuable because Azure incidents often cross domains. A phished user may lead to mailbox rule creation, OAuth consent, endpoint token theft, Entra role changes, and Azure resource access. Defender XDR advanced hunting supports query-based exploration of raw data and can build custom detection rules from the same hunting logic.
High-value cross-domain hunts include:
- Email phishing delivery followed by risky sign-in and Azure portal activity.
- Endpoint credential theft alert followed by Entra token or Azure CLI activity.
- OAuth application consent followed by mailbox or SharePoint access.
- Cloud App anomalies followed by storage or Key Vault access.
- Identity alerts followed by administrative Azure Activity operations.
ATT&CK mapping: Phishing, Valid Accounts, Steal Application Access Token, Email Collection, SharePoint under Data from Information Repositories, and Transfer Data to Cloud Account.
Threat Foundry tie-in: CTI intake can process reporting about phishing, OAuth abuse, token theft, or ransomware in hybrid environments. Sigma Builder can translate reviewed behavior into detection content. Case Workspace can keep email, identity, endpoint, and Azure resource evidence in one timeline.
5. Data Access: Storage, Key Vault, Databases, and Microsoft 365
Azure data access is broad. Storage accounts, blobs, file shares, SQL, Cosmos DB, Key Vault, SharePoint, Exchange, OneDrive, Teams, and third-party SaaS all represent potential collection and exfiltration surfaces. The hunt challenge is correlating access with identity and privilege change.
High-value hunts include:
- Storage account keys listed or regenerated by unusual principals.
- SAS tokens created with broad permissions or long expiration.
- Key Vault secret, key, or certificate reads by new identities.
- SQL firewall or administrator changes followed by database access.
- SharePoint or OneDrive mass download after risky sign-in.
- External sharing expanded for sensitive sites or files.
- Mailbox forwarding, inbox rules, or eDiscovery exports by unusual users.
ATT&CK mapping: Data from Cloud Storage, Data from Information Repositories, Remote Email Collection, Email Forwarding Rule, and Transfer Data to Cloud Account.
Threat Foundry tie-in: Asset Classification helps prioritize hunts around sensitive systems and vendors. CTI Modeling can show repeated ATT&CK concepts and vendors so the team knows whether identity abuse, token theft, cloud storage, or SaaS data theft is becoming the dominant theme.
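One way to check the "SAS tokens created with broad permissions or long expiration" hunt against a captured request URL (for instance one recorded in storage resource logs), as an added example rather than code from this post or from Threat Foundry: the function grades a SAS token by permission breadth, scope, lifetime, signed IP range and protocol. The account name, URLs, signatures, the "current" time and the seven-day lifetime threshold are constructed assumptions.

```python
# Added example: grade a storage SAS token taken from a request URL (e.g. one recorded in storage
# resource logs). sp/se/ss/sr/sip/spr/sig are the documented SAS query parameters; the account
# name, URLs and signatures below are constructed samples, not real credentials.
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

MUTATING = set("wdacup")  # write, delete, add, create, update, process

def _expiry(se):
    # The se field is either a full UTC timestamp or a bare date.
    return datetime.strptime(se, "%Y-%m-%dT%H:%M:%SZ" if "T" in se else "%Y-%m-%d")

def assess_sas(url, now, max_lifetime=timedelta(days=7)):
    """Return the reasons a SAS grant is broader than least privilege; [] means nothing stood out."""
    p = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    if "sig" not in p or "sp" not in p:
        return ["not-a-sas-url"]
    reasons, perms = [], set(p["sp"])
    if perms & MUTATING:
        reasons.append("mutating-permissions:" + "".join(sorted(perms & MUTATING)))
    if "ss" in p:                      # account SAS: spans whole services, not one object
        reasons.append("account-sas-services:" + p["ss"])
    elif p.get("sr") == "c":           # service SAS on a whole container
        reasons.append("container-scope")
    if "se" not in p:
        reasons.append("no-expiry")
    elif _expiry(p["se"]) - now > max_lifetime:
        reasons.append("long-lived:%dd" % (_expiry(p["se"]) - now).days)
    if "sip" not in p:                 # no signed IP range: usable from anywhere
        reasons.append("no-ip-restriction")
    if "http" in p.get("spr", "https,http").split(","):  # absent spr permits both protocols
        reasons.append("http-allowed")
    return reasons

NOW = datetime(2024, 5, 1, 8, 30)  # constructed 'current' time for the samples
BROAD = ("https://prodbackups.blob.core.windows.net/?sv=2022-11-02&ss=bfqt&srt=sco&sp=rwdlacup"
         "&se=2030-01-01T00:00:00Z&spr=https,http&sig=FAKESIG")
TIGHT = ("https://prodbackups.blob.core.windows.net/reports/q1.csv?sv=2022-11-02&sr=b&sp=r"
         "&st=2024-05-01T08:00:00Z&se=2024-05-01T09:00:00Z&sip=203.0.113.10&spr=https&sig=FAKESIG")

if __name__ == "__main__":
    for name, url in (("BROAD", BROAD), ("TIGHT", TIGHT)):
        print(name, assess_sas(url, NOW) or "ok")
```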
6. Recovery and Impact
Azure impact can be fast and cloud-native: deleting backups, removing resource locks, changing immutable storage settings, disabling Defender plans, encrypting data, or removing administrator access. A mature hunt program looks for the preconditions of impact.
High-value hunts include:
- Backup vault deletion, soft-delete changes, or retention reduction.
- Resource locks removed shortly before delete operations.
- Key Vault purge protection changed or keys scheduled for deletion.
- Storage immutability or versioning weakened.
- Defender for Cloud or diagnostic settings disabled.
- Mass delete or encryption activity after privilege escalation.
ATT&CK mapping: Inhibit System Recovery, Data Destruction, Data Encrypted for Impact, Account Access Removal, and Impair Defenses.
Threat Foundry tie-in: Attack Path Builder can model the full ransomware-style path: Hybrid Identity abuse, privilege escalation, Cloud Infrastructure Discovery, Data from Cloud Storage, Inhibit System Recovery, and Data Encrypted for Impact. Saved hunts and cases then give leaders a concrete view of what was tested and what evidence exists.
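The "followed by" hunts in sections 1 through 6 (a single-factor privileged sign-in then an RBAC write, an RBAC write then storage listKeys, a lock removal then a delete) share one shape: a trigger event and a follow-on event by the same actor inside a time window. As an added example, not code from this post or from Threat Foundry, here is that correlation in Python over constructed Entra sign-in and Azure Activity Log records; the account names, subscription scope, timestamps and windows are assumptions.

```python
# Added example: windowed "A then B" hunts over constructed Entra sign-in (Graph signIn shape) and Azure Activity Log (REST schema) records.
from datetime import datetime, timedelta
FMT = "%Y-%m-%dT%H:%M:%SZ"
def sign_in(when, upn, ip, requirement):  # constructed sample, not real log output
    return {"createdDateTime": when, "userPrincipalName": upn, "ipAddress": ip,
            "authenticationRequirement": requirement, "status": {"errorCode": 0}}

def activity(when, caller, op, rid, status="Succeeded"):  # constructed sample, not real log output
    return {"eventTimestamp": when, "caller": caller, "operationName": {"value": op},
            "resourceId": rid, "status": {"value": status}}

def normalize(sign_ins, activity_log):
    # Fold both sources into (time, actor, action, detail) tuples, successes only, sorted by time.
    ev = [(datetime.strptime(s["createdDateTime"], FMT), s["userPrincipalName"].lower(),
           "SIGNIN:" + s["authenticationRequirement"], s["ipAddress"]) for s in sign_ins if s["status"]["errorCode"] == 0]
    ev += [(datetime.strptime(a["eventTimestamp"], FMT), a["caller"].lower(), a["operationName"]["value"].upper(),
            a["resourceId"]) for a in activity_log if a["status"]["value"] == "Succeeded"]
    return sorted(ev)

# (name, trigger, follow-on, window): the follow-on must come from the same actor inside the window.
RULES = [
    ("single-factor sign-in -> RBAC write", lambda a: a == "SIGNIN:singleFactorAuthentication",
     lambda a: a == "MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/WRITE", timedelta(hours=1)),
    ("RBAC write -> storage listKeys", lambda a: a == "MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/WRITE",
     lambda a: a.endswith("/LISTKEYS/ACTION"), timedelta(hours=1)),
    ("lock removed -> resource delete", lambda a: a == "MICROSOFT.AUTHORIZATION/LOCKS/DELETE",
     lambda a: a.endswith("/DELETE") and "/LOCKS/" not in a, timedelta(hours=2)),
]

def hunt(events):
    # Return (rule, actor, trigger_time, follow_time, detail) for every trigger/follow-on pair.
    hits = []
    for name, trig, follow, window in RULES:
        for i, (t0, actor, act0, _) in enumerate(events):
            if trig(act0):
                for t1, actor1, act1, detail in events[i + 1:]:
                    if t1 - t0 > window:
                        break  # sorted input: nothing later can still be inside the window
                    if actor1 == actor and follow(act1):
                        hits.append((name, actor, t0, t1, detail))
    return hits
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/prod-rg"  # placeholder scope
SAMPLE = normalize(
    [sign_in("2024-05-01T09:00:00Z", "ga-admin@contoso.example", "203.0.113.10", "singleFactorAuthentication"),
     sign_in("2024-05-01T09:05:00Z", "ops@contoso.example", "198.51.100.7", "multiFactorAuthentication")],
    [activity("2024-05-01T09:20:00Z", "ga-admin@contoso.example", "Microsoft.Authorization/roleAssignments/write", SUB + "/providers/Microsoft.Authorization/roleAssignments/ra-1"),
     activity("2024-05-01T09:35:00Z", "ga-admin@contoso.example", "Microsoft.Storage/storageAccounts/listKeys/action", SUB + "/providers/Microsoft.Storage/storageAccounts/prodbackups"),
     activity("2024-05-01T10:00:00Z", "ga-admin@contoso.example", "Microsoft.Authorization/locks/delete", SUB + "/providers/Microsoft.Authorization/locks/no-delete"),
     activity("2024-05-01T10:30:00Z", "ga-admin@contoso.example", "Microsoft.Compute/virtualMachines/delete", SUB + "/providers/Microsoft.Compute/virtualMachines/db01"),
     activity("2024-05-01T10:45:00Z", "ops@contoso.example", "Microsoft.Compute/virtualMachines/delete", SUB + "/providers/Microsoft.Compute/virtualMachines/test02")])
```

Running `hunt(SAMPLE)` yields one hit per rule, all for the single-factor admin; the ops delete is ignored because no lock removal by that actor precedes it. The same trigger/follow-on structure is what a Sentinel KQL join over SigninLogs and AzureActivity expresses.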
A Practical Azure Hunt Loop
- Select a Cloud ATT&CK behavior such as Modify Authentication Process, Application Access Token, or Data from Information Repositories.
- Confirm telemetry: Entra sign-in and audit logs, Azure Activity Logs, Defender XDR, Sentinel tables, Defender for Cloud alerts, and Microsoft 365 audit data.
- Generate a Threat Foundry hunt using the Cloud matrix.
- Add KQL-specific Query Overrides.
- Run the hunt in Sentinel or Defender XDR.
- Save the hunt, convert strong logic to Sigma, and send evidence to Case Workspace.
- Record field gaps in Field Normalization so the next hunt is faster.
Azure hunting is strongest when it refuses to separate cloud from identity and SaaS. The adversary does not care whether the evidence lives in Entra, Defender, Sentinel, Activity Logs, or Microsoft 365. The hunt program should follow the behavior across all of them.
Sources
- Microsoft Learn, Hunting capabilities in Microsoft Sentinel.
- Microsoft Learn, Proactively hunt for threats with advanced hunting in Microsoft Defender.
- Microsoft Learn, Azure Activity Log event schema.
- Microsoft Learn, Sign-in logs in Microsoft Entra ID.
- MITRE ATT&CK, Enterprise Cloud Matrix.