Query Details

04 AAD Prov Privileged Group Change

Query

id: 9b1a0004-1004-4104-9104-aadprov00004
name: Privileged Group Membership Change via Provisioning
version: 1.0.0
kind: Scheduled
description: |
  Detects provisioning operations that modify the membership of groups with
  well-known privileged names (`Domain Admins`, `Global Administrators`,
  `Privileged Role Administrators`, anything matching `*Admin*`, `*Tier0*`,
  `*Sensitive*`, or containing `pim-` / `role-` patterns). Provisioning is not a
  typical channel for privileged-group membership management - any hit here
  warrants immediate investigation. Such a change modifies the AD-side surface
  of hybrid identity, a documented Entra Connect attack pattern (T1098.003 -
  Additional Cloud Roles).
  MITRE ATT&CK: T1098.003 (Account Manipulation: Additional Cloud Roles),
  T1078.004 (Valid Accounts: Cloud Accounts).
severity: High
requiredDataConnectors:
  - connectorId: AzureActiveDirectory
    dataTypes:
      - AADProvisioningLogs
queryFrequency: 1h
queryPeriod: 2h
triggerOperator: gt
triggerThreshold: 0
tactics:
  - PrivilegeEscalation
  - Persistence
relevantTechniques:
  - T1098
query: |
  AADProvisioningLogs
  | where TimeGenerated > ago(2h)
  | where ResultType =~ "Success"
  | extend Target     = tostring(parse_json(TargetIdentity).displayName)
  | extend TargetType = tostring(parse_json(TargetIdentity).IdentityType)
  | extend Modified   = tostring(ModifiedProperties)
  | where TargetType =~ "Group" or Target has_any ("Admin","Tier0","Sensitive","Privileged","PIM")
  | where Modified has_any ("members","memberOf","Members","appRoleAssignments","directoryRoles")
  | extend SPName       = tostring(parse_json(ServicePrincipal).Name)
  | extend InitiatorUpn = tostring(parse_json(InitiatedBy).userPrincipalName)
  | extend InitiatorApp = tostring(parse_json(InitiatedBy).displayName)
  | project TimeGenerated, JobId, CycleId, ChangeId, SPName,
            Initiator = coalesce(InitiatorUpn, InitiatorApp),
            TargetGroup = Target,
            OperationName, ProvisioningAction, ModifiedProperties
  | order by TimeGenerated desc
entityMappings:
  - entityType: CloudApplication
    fieldMappings:
      - identifier: Name
        columnName: SPName
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: Initiator
customDetails:
  TargetGroup: TargetGroup
  OperationName: OperationName
  ProvisioningAction: ProvisioningAction
alertDetailsOverride:
  alertDisplayNameFormat: "Provisioning modified privileged group '{{TargetGroup}}' via {{SPName}}"
  alertDescriptionFormat: "Provisioning service {{SPName}} modified privileged group '{{TargetGroup}}' (action={{ProvisioningAction}}). Privileged-group changes should not flow through the provisioning channel."
  alertSeverityColumnName: ""
  alertTacticsColumnName: ""
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: PT24H
    matchingMethod: AnyAlert
    groupByEntities:
      - CloudApplication
    groupByAlertDetails: []
    groupByCustomDetails: []

Explanation

This query is designed to detect changes in membership of privileged groups through provisioning operations, which is unusual and could indicate a security threat. Here's a simple breakdown:

  1. Purpose: The query identifies when membership of important security groups (like Domain Admins, Global Administrators, or any group with names containing Admin, Tier0, Sensitive, etc.) is altered via provisioning processes. Such changes are not typical and should be investigated immediately.

  2. Data Source: It uses logs from Azure Active Directory, specifically the AADProvisioningLogs.

  3. Frequency: The query runs every hour and checks for changes made in the last two hours.

  4. Severity: The alert generated by this query is marked as high severity due to the potential security implications.

  5. Detection Logic:

    • It looks for successful provisioning operations.
    • It checks if the target of these operations is a group, or an object whose name indicates high privilege.
    • It examines if the changes involve group membership or role assignments.

  6. Output: The query lists details like the time of change, the service principal name, the initiator of the change, the target group, and the type of operation performed.

  7. Alerting: If such a change is detected, an alert is generated with a specific format, highlighting the service and group involved.

  8. Incident Management: The system can create incidents for these alerts, grouping them by the cloud application involved, to help manage and investigate potential security incidents efficiently.

Overall, this query helps in monitoring and securing privileged group memberships by flagging unusual provisioning activities that could be indicative of unauthorized access or privilege escalation attempts.
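To see which rows the detection logic above would surface, here is an added example (not part of the rule or the original page) that re-implements the query's filters in Python over constructed AADProvisioningLogs-shaped rows. The `HR-SCIM-App` service principal, the user names, and the substring approximation of KQL `has_any` are assumptions.

```python
import json

# Tokens from the rule; KQL has_any is a case-insensitive term match, approximated here by substrings.
NAME_TOKENS = ("admin", "tier0", "sensitive", "privileged", "pim")
PROP_TOKENS = ("members", "memberof", "approleassignments", "directoryroles")

def _has_any(text, tokens):
    """Case-insensitive containment check approximating KQL has_any (assumption)."""
    return any(t in (text or "").lower() for t in tokens)

def match_privileged_group_change(row):
    """Apply the rule's filters to one AADProvisioningLogs row; return alert fields or None."""
    if str(row.get("ResultType", "")).lower() != "success":
        return None  # rule only considers ResultType =~ "Success"
    target = json.loads(row.get("TargetIdentity") or "{}")
    initiated = json.loads(row.get("InitiatedBy") or "{}")
    sp = json.loads(row.get("ServicePrincipal") or "{}")
    target_name = str(target.get("displayName", ""))
    target_type = str(target.get("IdentityType") or target.get("identityType") or "")  # either casing (assumption)
    if not (target_type.lower() == "group" or _has_any(target_name, NAME_TOKENS)):
        return None  # neither a group nor a privileged-looking name
    if not _has_any(str(row.get("ModifiedProperties", "")), PROP_TOKENS):
        return None  # object touched, but not its membership or role assignments
    return {
        "SPName": str(sp.get("Name", "")),
        "Initiator": initiated.get("userPrincipalName") or initiated.get("displayName", ""),
        "TargetGroup": target_name,
        "ProvisioningAction": row.get("ProvisioningAction", ""),
    }

def find_hits(rows):
    """Return the alert projection for every row the rule would surface."""
    return [hit for hit in map(match_privileged_group_change, rows) if hit]

# Constructed sample rows, not real telemetry. Columns mirror AADProvisioningLogs.
SP = '{"Name": "HR-SCIM-App"}'
SAMPLE_ROWS = [
    {"ResultType": "Success", "ProvisioningAction": "Update", "ServicePrincipal": SP, "InitiatedBy": '{"displayName": "Azure AD Provisioning"}',
     "TargetIdentity": '{"displayName": "Global Administrators", "IdentityType": "Group"}',
     "ModifiedProperties": '[{"displayName": "members", "newValue": "jdoe@contoso.example"}]'},
    {"ResultType": "Success", "ProvisioningAction": "Update", "ServicePrincipal": SP, "InitiatedBy": '{"userPrincipalName": "ops@contoso.example"}',
     "TargetIdentity": '{"displayName": "svc-tier0-sync", "IdentityType": "User"}',  # user, but privileged-looking name
     "ModifiedProperties": '[{"displayName": "appRoleAssignments"}]'},
    {"ResultType": "Failure", "ProvisioningAction": "Update", "ServicePrincipal": SP,  # failed operation: ignored
     "TargetIdentity": '{"displayName": "Domain Admins", "IdentityType": "Group"}',
     "ModifiedProperties": '[{"displayName": "members"}]'},
    {"ResultType": "Success", "ProvisioningAction": "Update", "ServicePrincipal": SP,  # group only renamed
     "TargetIdentity": '{"displayName": "Sales Team", "IdentityType": "Group"}',
     "ModifiedProperties": '[{"displayName": "displayName"}]'},
]
```

Running `find_hits(SAMPLE_ROWS)` surfaces only the first two rows: the failed operation and the rename of a non-privileged group are filtered out exactly as the KQL would.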

Details

David Alonso

Released: June 1, 2026

Tables

AADProvisioningLogs

Keywords

Provisioning Operations, Privileged Group Membership, Azure Active Directory, Cloud Application, Account

Operators

ago(), =~, parse_json(), tostring(), has_any(), coalesce(), project, order by