Query Details

09 AAD Prov Password Reset Sync Account

Query

id: 9b1a0009-1009-4109-9109-aadprov00009
name: Password Reset on Entra Connector Account
version: 1.0.0
kind: Scheduled
description: |
  Detects password reset events against the Entra Connector service account
  (member of `Directory Synchronization Accounts` role or matching `Sync_*`
  naming pattern). Per the Cloud-Architekt playbook, a password reset on the
  sync account is either a legitimate ops-driven rotation (rare and scheduled)
  or an attacker rotating to a known value to take control. Either way the
  SOC must verify.
  MITRE ATT&CK: T1098.001 (Account Manipulation: Additional Cloud Credentials),
  T1078.004 (Valid Accounts: Cloud Accounts).
severity: High
requiredDataConnectors:
  - connectorId: AzureActiveDirectory
    dataTypes:
      - AuditLogs
queryFrequency: 1h
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
  - Persistence
  - PrivilegeEscalation
relevantTechniques:
  - T1098
query: |
  AuditLogs
  | where TimeGenerated > ago(1d)
  | where OperationName has_any (
        "Reset user password",
        "Reset password (by admin)",
        "Reset password",
        "Change user password",
        "Update user",
        "Update StsRefreshTokenValidFrom Timestamp"
    )
  | mv-expand TargetResources
  | extend TargetUpn = tostring(TargetResources.userPrincipalName)
  | extend Initiator = tostring(InitiatedBy.user.userPrincipalName)
  | extend Actor     = coalesce(Initiator, tostring(InitiatedBy.app.displayName))
  | extend SourceIP  = tostring(InitiatedBy.user.ipAddress)
  | where TargetUpn startswith "Sync_"
       or TargetUpn contains "DirSync"
       or TargetUpn has "On-Premises Directory Synchronization"
       or tostring(TargetResources.displayName) has "On-Premises Directory Synchronization Service Account"
  | project TimeGenerated, OperationName, Actor, SourceIP, TargetUpn,
            ModifiedProperties = tostring(TargetResources.modifiedProperties), Result
  | order by TimeGenerated desc
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: TargetUpn
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: Actor
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: SourceIP
customDetails:
  Operation: OperationName
  Actor: Actor
  Target: TargetUpn
alertDetailsOverride:
  alertDisplayNameFormat: "Password reset on Entra Connector account {{TargetUpn}}"
  alertDescriptionFormat: "{{OperationName}} performed by {{Actor}} against sync account {{TargetUpn}}. Confirm change ticket."
  alertSeverityColumnName: ""
  alertTacticsColumnName: ""
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: PT24H
    matchingMethod: AnyAlert
    groupByEntities:
      - Account
    groupByAlertDetails: []
    groupByCustomDetails: []

Explanation

This query is designed to detect password reset events on specific service accounts related to directory synchronization in Azure Active Directory. Here's a simplified breakdown:

  1. Purpose: The query identifies password reset activities on accounts used for directory synchronization, which are critical for maintaining the connection between on-premises directories and Azure AD. These accounts typically have names starting with "Sync_" or contain "DirSync".

  2. Why It's Important: A password reset on these accounts could indicate either a legitimate maintenance activity or a potential security threat where an attacker is trying to gain control. Therefore, any such event needs to be verified by the Security Operations Center (SOC).

  3. Data Source: The query uses data from Azure Active Directory's AuditLogs, focusing on events related to password resets and user updates.

  4. Frequency and Scope: The query runs every hour and looks back over the past day to catch any relevant events.

  5. Severity and Tactics: The alert generated by this query is considered high severity, as it relates to persistence and privilege escalation tactics, which are part of the MITRE ATT&CK framework.

  6. Details Captured: For each event, the query captures details such as the time of the event, the operation performed, the actor (who initiated the action), the source IP address, and the target account.

  7. Alerting and Incident Management: If any such event is detected, an alert is generated with specific details about the operation and the involved accounts. The system is configured to create an incident for further investigation, grouping related alerts to streamline the response process.

Overall, this query is a proactive measure to ensure that any changes to critical synchronization accounts are legitimate and authorized, helping to prevent unauthorized access and potential security breaches.
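To make the rule's logic concrete, here is an added Python replay of the same detection over a few constructed AuditLogs-shaped rows (example code written for this page, not part of the rule or any Sentinel SDK; the sample tenant, UPNs and IP are invented). It mirrors the KQL steps in order: `has_any` on OperationName, `mv-expand` over TargetResources, `coalesce` for the actor, and the `Sync_` / `DirSync` / display-name target filter.

```python
from typing import Any, Dict, List, Optional

# Operation names copied from the rule's has_any list.
WATCHED_OPERATIONS = [
    "Reset user password", "Reset password (by admin)", "Reset password",
    "Change user password", "Update user", "Update StsRefreshTokenValidFrom Timestamp",
]

def _has_phrase(text: str, phrase: str) -> bool:
    """Approximate KQL `has`: the phrase's terms appear contiguously, case-insensitively."""
    t, p = text.lower().split(), phrase.lower().split()
    return any(t[i:i + len(p)] == p for i in range(len(t) - len(p) + 1))

def _is_sync_account(upn: str, display_name: str) -> bool:
    """Mirror the rule's target filter for Entra Connector accounts."""
    return (upn.startswith("Sync_") or "DirSync" in upn
            or _has_phrase(upn, "On-Premises Directory Synchronization")
            or _has_phrase(display_name, "On-Premises Directory Synchronization Service Account"))

def detect_sync_password_resets(events: List[Dict[str, Any]]) -> List[Dict[str, Optional[str]]]:
    """Replay the rule over JSON-decoded AuditLogs rows; one hit per expanded TargetResource."""
    hits = []
    for ev in events:
        op = ev.get("OperationName", "")
        if not any(_has_phrase(op, w) for w in WATCHED_OPERATIONS):
            continue
        user = (ev.get("InitiatedBy") or {}).get("user") or {}
        app = (ev.get("InitiatedBy") or {}).get("app") or {}
        actor = user.get("userPrincipalName") or app.get("displayName")  # coalesce()
        for tr in ev.get("TargetResources") or []:                        # mv-expand
            upn = tr.get("userPrincipalName") or ""
            if _is_sync_account(upn, tr.get("displayName") or ""):
                hits.append({"TimeGenerated": ev.get("TimeGenerated"), "OperationName": op,
                             "Actor": actor, "SourceIP": user.get("ipAddress"),
                             "TargetUpn": upn, "Result": ev.get("Result")})
    return sorted(hits, key=lambda h: h["TimeGenerated"] or "", reverse=True)  # order by desc

# Constructed sample rows (invented tenant, not real audit data).
SAMPLE_EVENTS = [
    {"TimeGenerated": "2026-06-01T08:02:00Z", "OperationName": "Reset user password", "Result": "success",
     "InitiatedBy": {"user": {"userPrincipalName": "admin@contoso.example", "ipAddress": "203.0.113.10"}},
     "TargetResources": [{"userPrincipalName": "Sync_CONNECT01_a1b2c3@contoso.example",
                          "displayName": "On-Premises Directory Synchronization Service Account"}]},
    {"TimeGenerated": "2026-06-01T08:05:00Z", "OperationName": "Reset user password", "Result": "success",
     "InitiatedBy": {"user": {"userPrincipalName": "admin@contoso.example", "ipAddress": "203.0.113.10"}},
     "TargetResources": [{"userPrincipalName": "alice@contoso.example", "displayName": "Alice"}]},
    {"TimeGenerated": "2026-06-01T09:10:00Z", "OperationName": "Update user", "Result": "success",
     "InitiatedBy": {"app": {"displayName": "Automation Runbook"}},
     "TargetResources": [{"userPrincipalName": "svc-DirSync@contoso.example", "displayName": "DirSync svc"}]},
]
```

Because `Update user` and `Update StsRefreshTokenValidFrom Timestamp` are broad operations, the replay (like the live rule) also surfaces routine attribute updates on the sync account; the `ModifiedProperties` column the rule projects is what lets an analyst tell a credential change from a harmless attribute edit.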

Details

David Alonso

Released: June 1, 2026

Tables

AuditLogs
