Elastic Security Detection Rules

BloodHound Suite User-Agents Detected

Last updated 21 days ago on 2025-06-03
Created 21 days ago on 2025-06-03

About

Identifies potential enumeration activity using AzureHound, SharpHound, or BloodHound across Microsoft cloud services. These tools are often used by red teamers and adversaries to map users, groups, roles, applications, and access relationships within Microsoft Entra ID (Azure AD) and Microsoft 365.
Tags
Domain: CloudData Source: AzureData Source: Azure Activity LogsData Source: Graph APIData Source: Graph API Activity LogsData Source: Microsoft 365Data Source: Microsoft 365 Audit LogsData Source: Microsoft Entra IDData Source: Microsoft Entra ID Audit LogsData Source: Microsoft Entra ID Sign-in LogsUse Case: Identity and Access AuditUse Case: Threat DetectionTactic: DiscoveryLanguage: eql
Severity
medium
Risk Score
47
MITRE ATT&CK™

Discovery (TA0007)(opens in a new tab or window)

Permission Groups Discovery (T1069)(opens in a new tab or window)

System Information Discovery (T1082)(opens in a new tab or window)

Account Discovery (T1087)(opens in a new tab or window)

Password Policy Discovery (T1201)(opens in a new tab or window)

Cloud Service Discovery (T1526)(opens in a new tab or window)

Cloud Infrastructure Discovery (T1580)(opens in a new tab or window)

Virtual Machine Discovery (T1673)(opens in a new tab or window)

False Positive Examples
Legitimate administrative or security assessment activities may use these user-agents, especially in environments where BloodHound is employed for authorized audits. If this is expected behavior, consider adjusting the rule or adding exceptions for specific user-agents or IP addresses. Expected red team assessments or penetration tests may utilize BloodHound tools to evaluate the security posture of Azure or Microsoft 365 environments. If this is expected behavior, consider adjusting the rule or adding exceptions for specific IP addresses, registered applications, JWT tokens, PRTs or user principal names (UPNs).
License
Elastic License v2(opens in a new tab or window)

Definition

Rule Type
Event Correlation Rule
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
filebeat-*logs-azure.*logs-o365.audit-*
Related Integrations

azure(opens in a new tab or window)

o365(opens in a new tab or window)

Query
any where event.dataset : (
    "azure.activitylogs",
    "azure.graphactivitylogs",
    "azure.auditlogs",
    "azure.signinlogs",
    "o365.audit"
) and user_agent.original regex~ "(azure|sharp|blood)(hound)/.*"

Install detection rules in Elastic Security

Detect BloodHound Suite User-Agents Detected in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).