Legitimate administrative or security assessment activities may use these user-agents, especially in environments where BloodHound is employed for authorized audits. If this is expected behavior, consider adjusting the rule or adding exceptions for specific user-agents or IP addresses.

Techniques

Sample rules

BloodHound Suite User-Agents Detected

Description

Identifies potential enumeration activity using AzureHound, SharpHound, or BloodHound across Microsoft cloud services. These tools are often used by red teamers and adversaries to map users, groups, roles, applications, and access relationships within Microsoft Entra ID (Azure AD) and Microsoft 365.

Detection logic

any where event.dataset : (
    "azure.activitylogs",
    "azure.graphactivitylogs",
    "azure.auditlogs",
    "azure.signinlogs",
    "o365.audit"
) and user_agent.original regex~ "(azure|sharp|blood)(hound)/.*"