Query Details

03 AAD Prov Mass Deletion

Query

id: 9b1a0003-1003-4103-9103-aadprov00003
name: Mass User Deletion via Provisioning
version: 1.0.0
kind: Scheduled
description: |
  Detects 5 or more `Delete` (or `StagedDelete`) provisioning actions completing
  successfully against Entra ID user objects within 1 hour. Deletion via the
  provisioning channel is rare under normal operations - lifecycle workflows
  typically `Disable` first and only purge after retention windows. A burst of
  deletions over the provisioning path is a strong signal of either a runaway
  HR feed (data-integrity issue) or deliberate destruction.
  MITRE ATT&CK: T1531 (Account Access Removal), T1485 (Data Destruction),
  T1078.004 (Valid Accounts: Cloud Accounts).
severity: High
requiredDataConnectors:
  - connectorId: AzureActiveDirectory
    dataTypes:
      - AADProvisioningLogs
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
  - Impact
relevantTechniques:
  - T1531
  - T1485
query: |
  AADProvisioningLogs
  | where TimeGenerated > ago(1h)
  | where ResultType =~ "Success"
  | where ProvisioningAction in~ ("Delete", "StagedDelete")
       or OperationName has_any ("Delete", "Remove")
  | extend SPName = tostring(parse_json(ServicePrincipal).Name)
  | extend InitiatorUpn = tostring(parse_json(InitiatedBy).userPrincipalName)
  | extend InitiatorApp = tostring(parse_json(InitiatedBy).displayName)
  | extend TargetUpn    = tostring(parse_json(TargetIdentity).userPrincipalName)
  | summarize
      DeletedCount = count(),
      Targets      = make_set(TargetUpn, 30),
      Jobs         = make_set(JobId, 10),
      Initiators   = make_set(coalesce(InitiatorUpn, InitiatorApp), 5),
      FirstSeen    = min(TimeGenerated),
      LastSeen     = max(TimeGenerated)
    by SPName
  // Conservative: 5/hour is well above legitimate scheduled-purge spikes
  | where DeletedCount >= 5
  | order by DeletedCount desc
entityMappings:
  - entityType: CloudApplication
    fieldMappings:
      - identifier: Name
        columnName: SPName
customDetails:
  DeletedCount: DeletedCount
  Initiators: Initiators
  Targets: Targets
alertDetailsOverride:
  alertDisplayNameFormat: "Mass user deletion via provisioning - {{DeletedCount}} accounts ({{SPName}})"
  alertDescriptionFormat: "Provisioning service {{SPName}} deleted {{DeletedCount}} users in 1h. Confirm against lifecycle/HR purge schedule."
  alertSeverityColumnName: ""
  alertTacticsColumnName: ""
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: PT8H
    matchingMethod: AnyAlert
    groupByEntities:
      - CloudApplication
    groupByAlertDetails: []
    groupByCustomDetails: []

Explanation

This query is designed to detect unusual activity in Azure Active Directory (AAD) where five or more user accounts are deleted via provisioning actions within a one-hour period. Normally, user accounts are disabled first and only deleted after a retention period, so a sudden spike in deletions could indicate a problem, such as an error in data processing or a malicious attempt to remove accounts.

Here's a simple breakdown of the query:

  1. Purpose: To identify when five or more user accounts are deleted through provisioning actions in AAD within an hour, which is considered abnormal.

  2. Data Source: It uses logs from Azure Active Directory, specifically the AADProvisioningLogs table.

  3. Conditions:
    • The action must have occurred in the last hour.
    • The result of the action must be successful.
    • The provisioning action must be "Delete" or "StagedDelete", or the operation name must contain "Delete" or "Remove".

  4. Output:
    • Counts the number of deletions per provisioning service principal.
    • Lists the user accounts affected.
    • Identifies who initiated the deletions (the initiating user, or the application when no user is recorded).
    • Records the time range during which these deletions occurred.

  5. Alerting:
    • If five or more deletions are detected for a single service principal, an alert is triggered.
    • The alert includes details like the number of accounts deleted and the service responsible.

  6. Severity and Tactics:
    • The severity of this alert is marked as high.
    • It relates to tactics like account access removal and data destruction, as per the MITRE ATT&CK framework.

  7. Incident Management:
    • If an alert is triggered, an incident is created.
    • Incidents are grouped by the cloud application responsible for the deletions.

This query helps in monitoring and responding to potential security threats or operational issues related to user account management in Azure Active Directory.
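To check the rule's thresholding behaviour without a Sentinel workspace, here is an added Python re-implementation of the query's filter and summarize steps (including the `coalesce` of initiator fields and the `make_set` caps) run over a few constructed AADProvisioningLogs-shaped rows; this is example code, not part of the rule or the page, and the service principal names, UPNs, job IDs and timestamps are constructed.

```python
import json
from datetime import datetime, timedelta, timezone
THRESHOLD = 5                 # `| where DeletedCount >= 5`
WINDOW = timedelta(hours=1)   # `| where TimeGenerated > ago(1h)`
SET_CAPS = {"Targets": 30, "Jobs": 10, "Initiators": 5}   # make_set(col, N) limits
NOW = datetime(2026, 6, 1, 12, 0, tzinfo=timezone.utc)   # constructed evaluation time

def is_deletion(rec):
    """Row filter: successful Delete/StagedDelete, or an operation name containing Delete/Remove."""
    if rec.get("ResultType", "").lower() != "success":
        return False
    action, op = rec.get("ProvisioningAction", "").lower(), rec.get("OperationName", "").lower()
    return action in ("delete", "stageddelete") or "delete" in op or "remove" in op

def summarize_deletions(records, now):
    """Mirror of `summarize ... by SPName`, the count threshold and `order by DeletedCount desc`."""
    groups = {}
    for rec in records:
        ts = rec["TimeGenerated"]
        if now - ts >= WINDOW or not is_deletion(rec):
            continue
        sp = json.loads(rec["ServicePrincipal"]).get("Name")                  # parse_json(...).Name
        who = json.loads(rec["InitiatedBy"])
        initiator = who.get("userPrincipalName") or who.get("displayName")   # coalesce(Upn, App)
        target = json.loads(rec["TargetIdentity"]).get("userPrincipalName")
        g = groups.setdefault(sp, {"DeletedCount": 0, "Targets": set(), "Jobs": set(),
                                   "Initiators": set(), "FirstSeen": ts, "LastSeen": ts})
        g["DeletedCount"] += 1
        g["FirstSeen"], g["LastSeen"] = min(g["FirstSeen"], ts), max(g["LastSeen"], ts)
        for key, val in (("Targets", target), ("Jobs", rec["JobId"]), ("Initiators", initiator)):
            if len(g[key]) < SET_CAPS[key]:   # sets keep values distinct; cap mirrors make_set(col, N)
                g[key].add(val)
    hits = [{"SPName": sp, **g} for sp, g in groups.items() if g["DeletedCount"] >= THRESHOLD]
    return sorted(hits, key=lambda h: h["DeletedCount"], reverse=True)

def _rec(mins_ago, sp, action, result, target, job="job-1", op="", upn=None):
    # One constructed AADProvisioningLogs-shaped row; dynamic columns carried as JSON strings.
    who = {"userPrincipalName": upn} if upn else {"displayName": sp}
    return {"TimeGenerated": NOW - timedelta(minutes=mins_ago), "ResultType": result,
            "ProvisioningAction": action, "OperationName": op, "JobId": job,
            "ServicePrincipal": json.dumps({"Name": sp, "Id": "sp-" + sp.lower()}),
            "InitiatedBy": json.dumps(who),
            "TargetIdentity": json.dumps({"userPrincipalName": target})}

# Constructed sample: "HR-Sync" reaches 5 in-window successes; "SaaS-Prov" stays below the threshold.
SAMPLE = [_rec(5 * i, "HR-Sync", "Delete", "Success", f"user{i}@example.com") for i in range(4)]
SAMPLE.append(_rec(40, "HR-Sync", "Other", "Success", "user4@example.com", op="Remove user"))
SAMPLE.append(_rec(45, "HR-Sync", "StagedDelete", "Failure", "user5@example.com"))  # failed: dropped
SAMPLE.append(_rec(90, "HR-Sync", "Delete", "Success", "user6@example.com"))        # >1h old: dropped
SAMPLE += [_rec(10 * i, "SaaS-Prov", "StagedDelete", "Success", f"c{i}@example.com") for i in range(3)]
SAMPLE.append(_rec(12, "SaaS-Prov", "Disable", "Success", "c9@example.com"))        # not a deletion
```

Calling `summarize_deletions(SAMPLE, NOW)` returns only the HR-Sync group: the failed, out-of-window and Disable rows are dropped exactly as the KQL filters drop them, and the three SaaS-Prov StagedDeletes never reach the threshold.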

Details

David Alonso

Released: June 1, 2026

Tables

AADProvisioningLogs

Keywords

EntraID, UserProvisioning, Deletion, AzureActiveDirectory, CloudApplication

Operators

ago(), =~, in~, has_any(), tostring(), parse_json(), summarize, count(), make_set(), coalesce(), min(), max(), by, >=, order by, desc