Query Details

Bulk Attribute Churn on Privileged Target

05 AAD Prov Attribute Churn Privileged

Query

let PrivilegedUsers =
    IdentityInfo
    | where TimeGenerated > ago(14d)
    | summarize arg_max(TimeGenerated, *) by AccountUPN
    | where isnotempty(AssignedRoles) and AssignedRoles != "[]"
    | project AccountUPN, AssignedRoles;
AADProvisioningLogs
| where TimeGenerated > ago(1h)
| where ResultType =~ "Success"
| where ProvisioningAction in~ ("Update","Other")
| extend TargetUpn = tostring(parse_json(TargetIdentity).userPrincipalName)
| extend SPName    = tostring(parse_json(ServicePrincipal).Name)
| where isnotempty(TargetUpn)
| join kind=inner (PrivilegedUsers) on $left.TargetUpn == $right.AccountUPN
| mv-expand Mod = todynamic(ModifiedProperties)
| extend PropName = tostring(Mod.displayName),
         OldValue = tostring(Mod.oldValue),
         NewValue = tostring(Mod.newValue)
| where isnotempty(PropName)
| summarize
    AttributesChanged = dcount(PropName),
    Props             = make_set(PropName, 20),
    ChangeId_count    = dcount(ChangeId),
    AssignedRoles     = any(AssignedRoles),
    FirstSeen         = min(TimeGenerated),
    LastSeen          = max(TimeGenerated)
  by TargetUpn, SPName
// 5 attribute changes in 1h against a privileged user is highly unusual
| where AttributesChanged >= 5
| order by AttributesChanged desc

Explanation

This query is designed to detect suspicious activity involving privileged user accounts in Azure Active Directory. Here's a simplified breakdown:

  1. Purpose: The query identifies cases where five or more attribute changes are made to a single privileged user account within one hour. This is considered unusual and could indicate a potential account takeover attempt.

  2. Target: It focuses on users with directory roles in Entra ID, which means they have elevated privileges.

  3. Attributes Monitored: The query looks for changes in attributes like ProxyAddresses, UserPrincipalName, OnPremisesImmutableId, MFA phone, MFA email, or OtherMails. These changes could be used by attackers to manipulate account settings or intercept communications.

  4. Data Source: It uses logs from Azure Active Directory provisioning activities to track changes.

  5. Detection Logic:

    • It first identifies privileged users by checking their assigned roles.
    • It then looks at provisioning logs from the past hour to find successful updates or other actions on these users.
    • It counts the number of different attributes changed for each user.
    • If a user has five or more attribute changes within an hour, it flags this as suspicious.
  6. Alerting: If such activity is detected, an alert is generated with details about the user, the service principal involved, and the specific attributes changed. This alert is considered high severity due to the potential risk of account takeover.

  7. Incident Management: The system can automatically create an incident for further investigation, grouping related alerts to provide a comprehensive view of the potential threat.

Overall, this query helps security teams quickly identify and respond to potential security threats involving privileged accounts in their Azure environment.

Details

David Alonso profile picture

David Alonso

Released: June 1, 2026

Tables

IdentityInfoAADProvisioningLogs

Keywords

AzureActiveDirectoryAADProvisioningLogsIdentityInfoAccountCloudApplicationUserServicePrincipalAttributesRoles

Operators

letwhereagosummarizearg_maxisnotemptyprojectin~tostringparse_jsonjoinkindonmv-expandtodynamicextenddcountmake_setanyminmaxbyorderdesc

Severity

High

Tactics

PersistencePrivilegeEscalationDefenseEvasion

MITRE Techniques

Frequency: 1h

Period: 1h

Actions

GitHub