Query Details

10 AAD Prov Sync Signin Outside Allowlist

Query

id: 9b1a000a-100a-410a-910a-aadprov0000a
name: Entra Connector Sign-in Outside Allowlisted Public IP
version: 1.0.0
kind: Scheduled
description: |
  Detects successful sign-ins by the Entra Connect synchronisation account
  (UPNs starting with `Sync_` or containing `DirSync`, or display name
  `On-Premises Directory Synchronization Service Account`) from an IP address
  that is NOT listed in the `EntraConnect_HighValueAssets` watchlist with the
  tag `EntraIDConnect`. The sync account should only authenticate from the
  Entra Connect server's public egress IPs; any other source is either an
  unrecorded egress change or the credential being used from another host.
  Threshold is a single successful sign-in (any non-allowlisted IP is
  notable). `AADNonInteractiveUserSignInLogs` is included because the sync
  account's own traffic is non-interactive and largely lives there.
  Allowlist entries must be exact IP addresses; CIDR ranges are not expanded.
  MITRE ATT&CK: T1078.004 (Valid Accounts: Cloud Accounts).
severity: High
requiredDataConnectors:
  - connectorId: AzureActiveDirectory
    dataTypes:
      - SigninLogs
      - AADNonInteractiveUserSignInLogs
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
  - InitialAccess
  - Persistence
relevantTechniques:
  - T1078
query: |
  // Allowlisted Entra Connect server egress IPs. There is no silent fallback:
  // if the watchlist alias does not exist, _GetWatchlist() fails the query; if the
  // watchlist exists but no row carries the EntraIDConnect tag, AllowedIPs is empty
  // and every sync sign-in will alert. Matching below is exact string equality,
  // so list single IP addresses, not CIDR ranges.
  let AllowedIPs =
      _GetWatchlist('EntraConnect_HighValueAssets')
      | where tostring(Tags) has "EntraIDConnect"
      | project IPAddress = tostring(IPAddress);
  // Successful sign-ins by the sync account across interactive and non-interactive logs.
  // isfuzzy=true keeps the union running if one of the two tables is not ingested.
  let SyncSignIns =
      union isfuzzy=true
        (SigninLogs                          | where TimeGenerated > ago(1h)),
        (AADNonInteractiveUserSignInLogs     | where TimeGenerated > ago(1h))
      | where ResultType == "0"   // ResultType is a string column; "0" is success
      | where UserPrincipalName startswith "Sync_"
           or UserPrincipalName contains "DirSync"
           or UserDisplayName has "On-Premises Directory Synchronization Service Account";
  SyncSignIns
  // Any source outside the allowlist is notable; a missing IPAddress is flagged, not ignored
  | where IPAddress !in (AllowedIPs) or isempty(IPAddress)
  | summarize
      SigninCount  = count(),
      Apps         = make_set(AppDisplayName, 10),
      ClientApps   = make_set(ClientAppUsed, 5),
      UserAgents   = make_set(UserAgent, 5),
      Locations    = make_set(Location, 5),
      FirstSeen    = min(TimeGenerated),
      LastSeen     = max(TimeGenerated)
    by UserPrincipalName, IPAddress
  | order by SigninCount desc
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: UserPrincipalName
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: IPAddress
customDetails:
  SigninCount: SigninCount
  Apps: Apps
  Locations: Locations
alertDetailsOverride:
  alertDisplayNameFormat: "Entra Connector {{UserPrincipalName}} signed in from non-allowlisted IP {{IPAddress}}"
  alertDescriptionFormat: "Sync account {{UserPrincipalName}} signed in from {{IPAddress}} ({{SigninCount}} sign-ins), which is not in watchlist EntraConnect_HighValueAssets (tag EntraIDConnect). Confirm against the Entra Connect server's NAT egress address before treating the sync credential as exposed."
  alertSeverityColumnName: ""
  alertTacticsColumnName: ""
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: PT24H
    matchingMethod: AnyAlert
    groupByEntities:
      - Account
      - IP
    groupByAlertDetails: []
    groupByCustomDetails: []

Explanation

This rule flags successful sign-ins by the Entra Connect synchronisation account from any IP address that is not on an approved list. Here's a breakdown:

  1. Purpose: It identifies successful sign-ins from the directory synchronisation accounts (UPNs starting with Sync_ or containing DirSync, or the display name On-Premises Directory Synchronization Service Account) that originate from IP addresses not in the allowlist. These accounts hold the tenant's directory synchronisation permissions and should only ever authenticate from the Entra Connect server's known egress IPs, so a sign-in from anywhere else is either an egress change nobody recorded or the sync credential being used from another host.

  2. Data Sources: The query reads both SigninLogs (interactive) and AADNonInteractiveUserSignInLogs. The sync account's own traffic is non-interactive, so most hits come from the second table; union isfuzzy=true keeps the rule running if one table is not ingested.

  3. Detection Logic:

    • It first builds the allowlist from the EntraConnect_HighValueAssets watchlist, keeping only rows tagged EntraIDConnect.
    • It then selects successful sign-ins (ResultType "0") from the last hour whose UPN or display name matches the sync-account patterns.
    • Any sign-in whose IP address is not in the allowlist, or whose IP address is empty, is flagged.
  4. Output: Results are summarised per account and IP address: sign-in count, applications, client apps, user agents, locations, and first/last seen times.

  5. Alerting: The trigger is more than zero rows, so a single non-allowlisted sign-in raises a High severity alert naming the account and IP address.

  6. Incident Management: Each alert creates an incident, and alerts within 24 hours are grouped by Account and IP entity so repeated sign-ins from the same source land in one incident.

Caveats for tuning: the allowlist comparison is an exact string match against the IPAddress column, so each Entra Connect server (including a staging-mode server) must be listed by the exact egress address Entra records, and CIDR ranges are not expanded (use ipv4_is_in_any_range if ranges are needed). If the watchlist exists but no row carries the EntraIDConnect tag, the allowlist is empty and every sync sign-in alerts. When triaging, verify the source against the Entra Connect server's current NAT egress first; an unexplained source means the sync account credential is in use outside that server.
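The following is an added test harness, not part of the rule above: it replaces the watchlist and the sign-in tables with constructed datatable rows so the allowlist logic can be exercised in any Log Analytics workspace without live data, and it goes one step beyond the rule by accepting CIDR ranges in the watchlist via ipv4_is_in_any_range and by explicitly treating addresses the IPv4 check cannot evaluate (empty or IPv6) as not allowlisted. All IP addresses, UPNs and timestamps are constructed sample values.

```kql
// Constructed stand-in for _GetWatchlist('EntraConnect_HighValueAssets').
// Bare addresses are normalised to /32 so one range list covers both forms.
let AllowedRanges = toscalar(
    datatable(IPAddress:string, Tags:string) [
        "203.0.113.10",   "EntraIDConnect",   // primary Entra Connect server NAT egress
        "203.0.113.0/28", "EntraIDConnect",   // staging-mode server egress range
        "198.51.100.7",   "VPNConcentrator"   // different tag: must not be allowlisted
    ]
    | where Tags has "EntraIDConnect"
    | extend Range = iff(IPAddress contains "/", IPAddress, strcat(IPAddress, "/32"))
    | summarize make_list(Range));
// Constructed stand-in for the union of SigninLogs and AADNonInteractiveUserSignInLogs.
let SyncSignIns = datatable(TimeGenerated:datetime, UserPrincipalName:string, UserDisplayName:string,
                            IPAddress:string, ResultType:string, AppDisplayName:string) [
    datetime(2026-06-01 08:00:00), "Sync_AADC01_1a2b3c@contoso.onmicrosoft.com", "On-Premises Directory Synchronization Service Account", "203.0.113.10", "0",     "Microsoft Azure AD Sync",      // allowlisted exact IP
    datetime(2026-06-01 08:05:00), "Sync_AADC01_1a2b3c@contoso.onmicrosoft.com", "On-Premises Directory Synchronization Service Account", "203.0.113.3",  "0",     "Microsoft Azure AD Sync",      // inside the /28
    datetime(2026-06-01 08:10:00), "Sync_AADC01_1a2b3c@contoso.onmicrosoft.com", "On-Premises Directory Synchronization Service Account", "198.51.100.7", "0",     "Azure Portal",                 // outside allowlist: alert
    datetime(2026-06-01 08:12:00), "Sync_AADC01_1a2b3c@contoso.onmicrosoft.com", "On-Premises Directory Synchronization Service Account", "198.51.100.7", "50126", "Azure Portal",                 // failed sign-in: ignored
    datetime(2026-06-01 08:14:00), "Sync_AADC01_1a2b3c@contoso.onmicrosoft.com", "On-Premises Directory Synchronization Service Account", "2001:db8::10", "0",     "Azure Portal",                 // IPv6 source: cannot match an IPv4 range, so alert
    datetime(2026-06-01 08:15:00), "alice@contoso.com",                          "Alice Example",                                         "198.51.100.7", "0",     "Office 365 Exchange Online"    // not a sync account: ignored
];
SyncSignIns
| where ResultType == "0"
| where UserPrincipalName startswith "Sync_"
     or UserPrincipalName contains "DirSync"
     or UserDisplayName has "On-Premises Directory Synchronization Service Account"
// ipv4_is_in_any_range returns null for an empty or non-IPv4 address; coalesce turns that
// into "not allowlisted" so such rows are flagged instead of silently dropped by the filter.
| extend Allowed = coalesce(ipv4_is_in_any_range(IPAddress, AllowedRanges), false)
| where not(Allowed)
| summarize SigninCount = count(),
            Apps        = make_set(AppDisplayName, 10),
            FirstSeen   = min(TimeGenerated),
            LastSeen    = max(TimeGenerated)
  by UserPrincipalName, IPAddress
| order by SigninCount desc
```

Paste the block into a Log Analytics query window as-is. With the constructed rows it should return exactly two rows for Sync_AADC01_1a2b3c@contoso.onmicrosoft.com, one from 198.51.100.7 and one from 2001:db8::10, each with SigninCount 1; the two allowlisted sources, the failed sign-in and the ordinary user are filtered out. To use the range-aware check in the real rule, swap the datatable for the _GetWatchlist() call and keep the extend/summarize normalisation.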

Details


David Alonso

Released: June 1, 2026

Tables

SigninLogs, AADNonInteractiveUserSignInLogs

Keywords

EntraConnectServerIPs, SigninLogs, AADNonInteractiveUserSignInLogs, UserPrincipalName, UserDisplayName, IPAddress, AppDisplayName, ClientAppUsed, UserAgent, Location, TimeGenerated, Account, Address

Operators

let, _GetWatchlist, where, tostring, has, project, union, isfuzzy, ago, startswith, contains, summarize, count, make_set, min, max, by, order, desc, !in, isempty
