Detection rules › Splunk
Azure AD AzureHound UserAgent Detected
This detection identifies the presence of the default AzureHound user-agent string within Microsoft Graph Activity logs and NonInteractive SignIn Logs. AzureHound is a tool used for gathering information about Azure Active Directory environments, often employed by security professionals for legitimate auditing purposes. However, it can also be leveraged by malicious actors to perform reconnaissance activities, mapping out the Azure AD infrastructure to identify potential vulnerabilities and targets for further exploitation. Detecting its usage can help in identifying unauthorized access attempts and preemptively mitigating potential security threats to your Azure environment.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Discovery | T1087.004 Account Discovery: Cloud Account, T1526 Cloud Service Discovery |
Rules detecting the same action
Other rules on this platform that filter on the same API call or operation.
Rule body splunk
name: Azure AD AzureHound UserAgent Detected
id: d62852db-a1f1-40db-a7fc-c3d56fa8bda3
version: 9
creation_date: '2025-01-05'
modification_date: '2026-05-13'
author: Dean Luxton
status: production
type: TTP
description: This detection identifies the presence of the default AzureHound user-agent string within Microsoft Graph Activity logs and NonInteractive SignIn Logs. AzureHound is a tool used for gathering information about Azure Active Directory environments, often employed by security professionals for legitimate auditing purposes. However, it can also be leveraged by malicious actors to perform reconnaissance activities, mapping out the Azure AD infrastructure to identify potential vulnerabilities and targets for further exploitation. Detecting its usage can help in identifying unauthorized access attempts and preemptively mitigating potential security threats to your Azure environment.
data_source:
- Azure Active Directory NonInteractiveUserSignInLogs
- Azure Active Directory MicrosoftGraphActivityLogs
search: |-
`azure_monitor_aad` category IN (MicrosoftGraphActivityLogs, NonInteractiveUserSignInLogs) properties.userAgent=azurehound*
| rename properties.userAgent as user_agent
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime
BY dest user src
vendor_account vendor_product user_agent
signature
| iplocation src
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `azure_ad_azurehound_useragent_detected_filter`
how_to_implement: The Splunk Add-on for Microsoft Cloud Services add-on is required to ingest NonInteractiveUserSignInLogs and MicrosoftGraphActivityLogs via an Azure EventHub. See reference for links for further details.
known_false_positives: No false positives have been identified at this time.
references:
- https://github.com/SpecterOps/AzureHound
- https://splunkbase.splunk.com/app/3110
- https://splunk.github.io/splunk-add-on-for-microsoft-cloud-services/Install/
drilldown_searches:
- name: View the detection results for - "$user$"
search: '%original_detection_search% | search user = "$user$"'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
earliest_offset: 7d
latest_offset: "0"
finding:
title: AzureHound UserAgent String $user_agent$ Detected on Tenant $dest$
entity:
field: user
type: user
score: 50
threat_objects:
- field: src
type: ip_address
analytic_story:
- Azure Active Directory Privilege Escalation
- Compromised User Account
asset_type: Azure Tenant
mitre_attack_id:
- T1087.004
- T1526
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
category: cloud
security_domain: identity
tests:
- name: True Positive Test
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.004/azurehound/azurehound.log
sourcetype: azure:monitor:aad
source: Azure AD
test_type: unit
Stages and Predicates
Stage 1: search
`azure_monitor_aad` category IN (MicrosoftGraphActivityLogs, NonInteractiveUserSignInLogs) properties.userAgent=azurehound*
Stage 2: rename
| rename properties.userAgent as user_agent
Stage 3: fillnull
| fillnull
Stage 4: stats
| stats count min(_time) as firstTime max(_time) as lastTime
BY dest user src
vendor_account vendor_product user_agent
signature
Stage 5: search
| iplocation src
Stage 6: search
| `security_content_ctime(firstTime)`
Stage 7: search
| `security_content_ctime(lastTime)`
Stage 8: search
| `azure_ad_azurehound_useragent_detected_filter`
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
category | in |
|
properties.userAgent | eq |
|
sourcetype | eq |
|
Search terms
Bare-string tokens in the SPL search body. Splunk matches each token against _raw (the untyped raw event text) anywhere it appears, not against a specific field. These don't surface in the Indicators table because they aren't predicates on a known field.
| Stage | Term |
|---|---|
| 5 | iplocation |
| 5 | src |