LoFP / expected red team assessments or penetration tests may utilize bloodhound tools to evaluate the security posture of azure or microsoft 365 environments. if this is expected behavior, consider adjusting the rule or adding exceptions for specific ip addresses, registered applications, jwt tokens, prts or user principal names (upns).

Techniques

• T1069
• T1082
• T1087
• T1201
• T1526
• T1580
• T1673

Sample rules

Entra ID Sign-in BloodHound Suite User-Agent Detected

• source: elastic
• technicques:
  • T1069
  • T1082
  • T1087
  • T1201
  • T1526
  • T1580
  • T1673

Description

Identifies potential enumeration activity using AzureHound, SharpHound, or BloodHound across Microsoft cloud services. These tools are often used by red teamers and adversaries to map users, groups, roles, applications, and access relationships within Microsoft Entra ID (Azure AD) and Microsoft 365.

Detection logic

any where event.dataset : (
    "azure.activitylogs",
    "azure.graphactivitylogs",
    "azure.auditlogs",
    "azure.signinlogs",
    "o365.audit"
) and user_agent.original regex~ "(azure|sharp|blood)(hound)/.*"