LoFP

Expected red team assessments or penetration tests may utilize BloodHound tools to evaluate the security posture of Azure or Microsoft 365 environments. If this is expected behavior, consider adjusting the rule or adding exceptions for specific IP addresses, registered applications, JWT tokens, PRTs, or user principal names (UPNs).

Techniques

Sample rules

BloodHound Suite User-Agents Detected

Description

Identifies potential enumeration activity using AzureHound, SharpHound, or BloodHound across Microsoft cloud services. These tools are often used by red teamers and adversaries to map users, groups, roles, applications, and access relationships within Microsoft Entra ID (Azure AD) and Microsoft 365.

Detection logic

any where event.dataset : (
    "azure.activitylogs",
    "azure.graphactivitylogs",
    "azure.auditlogs",
    "azure.signinlogs",
    "o365.audit"
) and user_agent.original regex~ "(azure|sharp|blood)(hound)/.*"
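The same two conditions as the EQL query above, re-expressed as an added Python example (not part of the rule or its source) run over constructed sample events, with an allow-list exception of the kind the LoFP note suggests. The field names source.ip and user.name used for the exception are assumptions, not fields the rule itself references.

```python
import re

# Datasets and pattern copied from the rule's EQL query. EQL's regex~ is a case-insensitive
# match against the whole field value, so fullmatch() with IGNORECASE reproduces it.
RULE_DATASETS = {
    "azure.activitylogs",
    "azure.graphactivitylogs",
    "azure.auditlogs",
    "azure.signinlogs",
    "o365.audit",
}
UA_PATTERN = re.compile(r"(azure|sharp|blood)(hound)/.*", re.IGNORECASE)

def rule_matches(event: dict) -> bool:
    """True when the event meets both conditions of the rule."""
    ua = event.get("user_agent.original")
    return (
        event.get("event.dataset") in RULE_DATASETS
        and ua is not None
        and UA_PATTERN.fullmatch(ua) is not None
    )

def is_excepted(event: dict, allowed_ips: frozenset, allowed_upns: frozenset) -> bool:
    """Exception for an authorised engagement, keyed on source IP or UPN.
    The field names source.ip and user.name are assumptions for this example."""
    return event.get("source.ip") in allowed_ips or event.get("user.name") in allowed_upns

def alerts(events: list, allowed_ips=frozenset(), allowed_upns=frozenset()) -> list:
    """Events that fire the rule and are not covered by an exception."""
    return [e for e in events if rule_matches(e) and not is_excepted(e, allowed_ips, allowed_upns)]

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"event.dataset": "azure.graphactivitylogs", "user_agent.original": "azurehound/2.1.0",
     "source.ip": "203.0.113.10", "user.name": "redteam@example.com"},
    {"event.dataset": "azure.signinlogs", "user_agent.original": "SharpHound/1.1.0",
     "source.ip": "198.51.100.7", "user.name": "alice@example.com"},
    # Substring only: regex~ matches the whole field, so this must not fire.
    {"event.dataset": "o365.audit", "user_agent.original": "Mozilla/5.0 BloodHoundFan",
     "source.ip": "198.51.100.8", "user.name": "bob@example.com"},
    # Matching user agent, but a dataset the rule does not cover.
    {"event.dataset": "aws.cloudtrail", "user_agent.original": "bloodhound/4.0",
     "source.ip": "198.51.100.9", "user.name": "carol@example.com"},
]

if __name__ == "__main__":
    for e in alerts(SAMPLE_EVENTS, allowed_upns=frozenset({"redteam@example.com"})):
        print("ALERT", e["event.dataset"], e["user_agent.original"], e["user.name"])
```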