Query Details

01 AAD Prov Failure Burst

Query

id: 9b1a0001-1001-4101-9101-aadprov00001
name: Provisioning Failure Burst - Single Job
version: 1.0.0
kind: Scheduled
description: |
  Detects a burst of provisioning failures within a single `JobId` (or `CycleId`),
  indicating a possible attack on the provisioning channel: credential rotation
  on the SCIM endpoint, broken connector secret, malicious schema change, or a
  bad-actor cycling through targets that fail validation. Threshold of 30 in 1h
  is set well above normal transient retries while still catching active abuse
  campaigns and outright connector outages.
  MITRE ATT&CK: T1078.004 (Valid Accounts: Cloud Accounts), T1556 (Modify
  Authentication Process), T1098 (Account Manipulation).
severity: Medium
requiredDataConnectors:
  - connectorId: AzureActiveDirectory
    dataTypes:
      - AADProvisioningLogs
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
  - Persistence
  - DefenseEvasion
relevantTechniques:
  - T1078
  - T1098
  - T1556
query: |
  AADProvisioningLogs
  | where TimeGenerated > ago(1h)
  | where ResultType =~ "Failure"
  | extend SPName = tostring(parse_json(ServicePrincipal).Name)
  | extend Source = tostring(parse_json(SourceIdentity).IdentityType)
  | extend Target = tostring(parse_json(TargetIdentity).IdentityType)
  | summarize
      Failures        = count(),
      AffectedTargets = dcount(TargetIdentity),
      ErrorCodes      = make_set(ResultSignature, 10),
      ErrorMessages   = make_set(ResultDescription, 10),
      Operations      = make_set(OperationName, 10),
      FirstSeen       = min(TimeGenerated),
      LastSeen        = max(TimeGenerated)
    by JobId, SPName, Source, Target
  // Conservative threshold - normal retry storms rarely exceed 30/hour per job
  | where Failures >= 30
  | order by Failures desc
entityMappings:
  - entityType: CloudApplication
    fieldMappings:
      - identifier: Name
        columnName: SPName
customDetails:
  Failures: Failures
  AffectedTargets: AffectedTargets
  ErrorCodes: ErrorCodes
alertDetailsOverride:
  alertDisplayNameFormat: "Provisioning Failure Burst on {{SPName}} - {{Failures}} failures"
  alertDescriptionFormat: "Provisioning job {{JobId}} on app {{SPName}} produced {{Failures}} failures in 1h. Investigate connector credentials, schema changes, or target tampering."
  alertSeverityColumnName: ""
  alertTacticsColumnName: ""
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: PT12H
    matchingMethod: AnyAlert
    groupByEntities:
      - CloudApplication
    groupByAlertDetails: []
    groupByCustomDetails: []

Explanation

This query is designed to detect unusual bursts of provisioning failures within a specific job or cycle in Azure Active Directory. Here's a simple breakdown:

  • Purpose: The query identifies a high number of provisioning failures (30 or more) within a single hour for a specific job. This could indicate potential issues such as attacks on the provisioning system, credential problems, or malicious activities.

  • Data Source: It uses logs from Azure Active Directory, specifically the AADProvisioningLogs.

  • Process:
    1. It looks at logs from the past hour where the result was a failure.
    2. It extracts and organizes information like the service principal name, source and target identities, error codes, and messages.
    3. It counts the number of failures and identifies unique affected targets and error details.
    4. It filters for jobs with 30 or more failures, which is above normal retry levels.

  • Output: The query orders the results by the number of failures, highlighting the most problematic jobs.

  • Alerting: If such a burst is detected, an alert is generated with details like the job ID, application name, and number of failures. This helps in quickly identifying and investigating potential issues.

  • Severity and Tactics: The alert is marked with medium severity and is linked to tactics like Persistence and Defense Evasion, referencing specific MITRE ATT&CK techniques.

  • Incident Management: An incident is created for each alert, and alerts are grouped into the same incident when they share the same cloud application entity within a 12-hour lookback window; closed incidents are not reopened, so a recurring burst on the same app after closure produces a new incident.

Overall, this query helps in monitoring and responding to potential security threats or system issues related to provisioning in Azure Active Directory.
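To show how the summarize-and-threshold logic behaves on real-looking rows, here is an added Python rendering of the same pipeline run over a constructed set of AADProvisioningLogs-style records (this is illustrative code added for this page, not part of the detection rule; the row layout, job IDs and app names are assumptions). It reproduces the 1h window, the case-insensitive `Failure` filter, the grouping by JobId/SPName/Source/Target and the 30-failure threshold, so you can see that a job with many transient retries or an old burst outside the window does not fire.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone
import json

# Constructed reference time and sample rows (not real tenant data).
NOW = datetime(2026, 6, 1, 12, 0, tzinfo=timezone.utc)

def make_row(job, sp, minutes_ago, result="Failure", sig="Authentication", target="u1"):
    # Mimics the columns the KQL touches; dynamic columns are JSON strings.
    return {
        "TimeGenerated": NOW - timedelta(minutes=minutes_ago),
        "ResultType": result, "ResultSignature": sig, "JobId": job,
        "ServicePrincipal": json.dumps({"Id": "sp-" + sp, "Name": sp}),
        "SourceIdentity": json.dumps({"IdentityType": "User", "Id": "s1"}),
        "TargetIdentity": json.dumps({"IdentityType": "User", "Id": target}),
    }

SAMPLE_LOGS = (
    # jobA: 35 failures against 35 distinct targets inside the hour -> fires
    [make_row("jobA", "SCIM-App", m, target=f"u{m}") for m in range(35)]
    # jobB: 5 transient rate-limit failures -> below threshold
    + [make_row("jobB", "HR-App", m, sig="RateLimit") for m in range(5)]
    # jobC: 40 failures, but all older than 1h -> outside the window
    + [make_row("jobC", "Old-App", 90 + m) for m in range(40)]
    # jobA successes are filtered out before counting
    + [make_row("jobA", "SCIM-App", m, result="Success") for m in range(10)]
)

def detect_failure_bursts(rows, now=NOW, window=timedelta(hours=1), threshold=30):
    """Filter, extend, summarize, threshold and order, as in the KQL query."""
    groups = defaultdict(list)
    for r in rows:
        if r["TimeGenerated"] <= now - window:       # TimeGenerated > ago(1h)
            continue
        if r["ResultType"].lower() != "failure":     # ResultType =~ "Failure"
            continue
        sp = json.loads(r["ServicePrincipal"])["Name"]
        src = json.loads(r["SourceIdentity"])["IdentityType"]
        tgt = json.loads(r["TargetIdentity"])["IdentityType"]
        groups[(r["JobId"], sp, src, tgt)].append(r)
    results = []
    for (job, sp, src, tgt), rs in groups.items():
        if len(rs) < threshold:                      # where Failures >= 30
            continue
        results.append({
            "JobId": job, "SPName": sp, "Source": src, "Target": tgt,
            "Failures": len(rs),
            "AffectedTargets": len({r["TargetIdentity"] for r in rs}),
            "ErrorCodes": sorted({r["ResultSignature"] for r in rs})[:10],
            "FirstSeen": min(r["TimeGenerated"] for r in rs),
            "LastSeen": max(r["TimeGenerated"] for r in rs),
        })
    return sorted(results, key=lambda x: x["Failures"], reverse=True)
```

Raising `threshold` or shrinking `window` is the quickest way to tune the rule against your own tenant's retry baseline before changing the KQL itself.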

Details

David Alonso

Released: June 1, 2026

Tables

AADProvisioningLogs
