Attacked more than x times average

Hunt Hypothesis

Users who have been attacked more than the average number of times may indicate targeted attacks or compromised accounts, as adversaries often reuse credentials or exploit known vulnerabilities to repeatedly compromise the same user. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential credential theft or persistent access attempts early.

KQL Query

let AverageThreatPerRecipient = toscalar(EmailEvents 
| where DetectionMethods != "" 
| summarize total=count() by RecipientEmailAddress 
| summarize avg(total)); 
EmailEvents 
| where DetectionMethods != "" 
| summarize total=count() by RecipientEmailAddress 
| where tolong(total) >= 1*AverageThreatPerRecipient // update "1"

Analytic Rule Definition

id: de480ca4-4095-4fef-b3e7-2a3f17f24e78
name: Attacked more than x times average
description: |
  This query helps reviewing count of users attacked more than x times average.
description-detailed: |
  This query helps reviewing count of users attacked more than x times average using Defender for Office 365 data. Update the value of x in the query to get desired results.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - EmailEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  let AverageThreatPerRecipient = toscalar(EmailEvents 
  | where DetectionMethods != "" 
  | summarize total=count() by RecipientEmailAddress 
  | summarize avg(total)); 
  EmailEvents 
  | where DetectionMethods != "" 
  | summarize total=count() by RecipientEmailAddress 
  | where tolong(total) >= 1*AverageThreatPerRecipient // update "1"
version: 1.0.0

Required Data Sources

Sentinel Table	Notes
`EmailEvents`	Ensure this data connector is enabled

MITRE ATT&CK Context

Tactic: InitialAccess
Technique: T1566 — T1566

References

[Source Query](https://github.com/Azure/Azure-Sentinel/blob/main/Hunting Queries/Microsoft 365 Defender/Email and Collaboration Queries/Top Attacks/Attacked more than x times average.yaml)

False Positive Guidance

Scenario: Scheduled system backup job triggers multiple authentication attempts
Filter/Exclusion: Exclude activity related to the backup tool (e.g., tool_name = "Veeam" or job_name = "daily_backup")
Scenario: Admin performing bulk user provisioning via an identity management tool
Filter/Exclusion: Exclude events where the user is a domain admin or has a role like admin or identity_admin
Scenario: Automated log collection or monitoring tool polling multiple endpoints
Filter/Exclusion: Exclude events from the log aggregation tool (e.g., tool_name = "Splunk" or source = "syslog")
Scenario: Regularly scheduled compliance or audit checks by a security tool
Filter/Exclusion: Exclude events from the compliance tool (e.g., tool_name = "Microsoft Defender for Identity") or with a task_type = "audit"
Scenario: User accessing multiple systems during a multi-step administrative task
Filter/Exclusion: Exclude users with elevated privileges (e.g., user_role = "domain_admin") or those performing known administrative tasks (e.g., task_name = "patch_management")