Query Details

12 AAD Prov Sync Account Outside Watchlist

Query

id: 9b1a000c-100c-410c-910c-aadprov0000c
name: Sync Account Outside ServiceAccounts Watchlist
version: 1.0.0
kind: Scheduled
description: |
  Detects user objects assigned the `Directory Synchronization Accounts` role
  (per `IdentityInfo`) or matching the `Sync_*` / `On-Premises Directory
  Synchronization Service Account` naming pattern that are NOT present in the
  `ServiceAccounts` watchlist tagged `EntraIDConnect`. Per the Cloud-Architekt
  playbook, this is the indicator-of-backdoor pattern: an attacker creating
  a new sync account to maintain persistence while staying invisible to SOC
  watchlists.
  MITRE ATT&CK: T1136.003 (Create Account: Cloud Account), T1098.001
  (Account Manipulation: Additional Cloud Credentials).
severity: Medium
requiredDataConnectors:
  - connectorId: AzureActiveDirectory
    dataTypes:
      - AuditLogs
queryFrequency: 12h
queryPeriod: 14d
triggerOperator: gt
triggerThreshold: 0
tactics:
  - Persistence
relevantTechniques:
  - T1136
  - T1098
query: |
  let ApprovedSyncAccounts =
      _GetWatchlist('EntraConnect_ServiceAccounts')
      | where tostring(Tags) has "EntraIDConnect"
      | project AccountObjectId = tostring(AccountObjectId);
  IdentityInfo
  | where TimeGenerated > ago(14d)
  | summarize arg_max(TimeGenerated, *) by AccountUPN
  | where AssignedRoles has_any (
        "Directory Synchronization Accounts",
        "On Premises Directory Sync Account"
    )
      or AccountUPN startswith "Sync_"
      or AccountDisplayName has "On-Premises Directory Synchronization Service Account"
  | where AccountObjectId !in (ApprovedSyncAccounts)
  | project AccountUPN, AccountObjectId, AccountDisplayName, AssignedRoles,
            AccountCreationTime, IsAccountEnabled
  | order by AccountCreationTime desc
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: AccountUPN
      - identifier: AadUserId
        columnName: AccountObjectId
customDetails:
  AssignedRoles: AssignedRoles
  AccountCreationTime: AccountCreationTime
  IsAccountEnabled: IsAccountEnabled
alertDetailsOverride:
  alertDisplayNameFormat: "Unapproved sync account detected: {{AccountUPN}}"
  alertDescriptionFormat: "Account {{AccountUPN}} carries DirSync role / naming but is missing from ServiceAccounts:EntraIDConnect watchlist. Investigate for backdoor or update watchlist."
  alertSeverityColumnName: ""
  alertTacticsColumnName: ""
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: P1D
    matchingMethod: AnyAlert
    groupByEntities:
      - Account
    groupByAlertDetails: []
    groupByCustomDetails: []

Explanation

This query is designed to detect potentially unauthorized synchronization accounts in an Azure Active Directory environment. Here's a simplified explanation:

  1. Purpose: The query identifies user accounts that have been assigned roles related to directory synchronization or have names suggesting they are sync accounts. It checks if these accounts are not listed in a specific watchlist of approved service accounts.

  2. Watchlist: It uses a watchlist named EntraConnect_ServiceAccounts to identify approved sync accounts. Accounts in this list are tagged with EntraIDConnect.

  3. Detection Criteria:

    • Accounts with roles like "Directory Synchronization Accounts" or "On Premises Directory Sync Account".
    • Accounts with usernames starting with "Sync_" or display names containing "On-Premises Directory Synchronization Service Account".
    • Accounts not found in the approved watchlist are flagged.

  4. Timeframe: The query looks at data from the past 14 days and runs every 12 hours.

  5. Alerting: If any unapproved sync accounts are detected, an alert is generated. The alert includes details like the account's username, roles, creation time, and whether the account is enabled.

  6. Security Implication: This is considered a medium-severity alert because such accounts could indicate a backdoor created by an attacker to maintain access while avoiding detection by security operations center (SOC) watchlists.

  7. MITRE ATT&CK Techniques: The query is associated with techniques T1136.003 (Create Account: Cloud Account) and T1098.001 (Account Manipulation: Additional Cloud Credentials), which relate to persistence tactics.

  8. Incident Management: If an alert is triggered, an incident is created, and similar alerts are grouped together for easier management.

Overall, this query helps in identifying unauthorized sync accounts that could be used for malicious purposes, ensuring that only approved accounts are used for directory synchronization.
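To make the filtering steps concrete, the following is an added Python re-implementation of the rule's KQL logic over constructed sample data; it is not part of the rule or the original page. The `IdentityRow` class, the `SAMPLE_ROWS` snapshots, the `SAMPLE_WATCHLIST` entries and the `contoso.example` accounts are all assumptions made for the example. It mirrors each stage of the query: the watchlist lookup with the `EntraIDConnect` tag, the 14-day lookback, `arg_max` deduplication per UPN (so a role that was removed in a newer snapshot does not trigger), the three sync-account criteria, the `!in` exclusion, and ordering by creation time.

```python
"""Added example: a Python stand-in for the Sentinel rule's KQL, run over
constructed IdentityInfo-like rows and a constructed watchlist."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class IdentityRow:
    # Hypothetical subset of IdentityInfo columns used by the rule.
    TimeGenerated: datetime
    AccountUPN: str
    AccountObjectId: str
    AccountDisplayName: str
    AssignedRoles: list
    AccountCreationTime: datetime
    IsAccountEnabled: bool


# KQL has_any / startswith / has are case-insensitive by default; casefold
# everything below to keep the same semantics.
SYNC_ROLES = {r.casefold() for r in (
    "Directory Synchronization Accounts",
    "On Premises Directory Sync Account",
)}
SYNC_DISPLAY_NAME = "On-Premises Directory Synchronization Service Account".casefold()


def approved_sync_object_ids(watchlist, tag="EntraIDConnect"):
    """Mirror of the ApprovedSyncAccounts let-statement: keep rows whose Tags
    column contains the tag and project AccountObjectId as a string."""
    return {str(item["AccountObjectId"]) for item in watchlist
            if tag.casefold() in str(item.get("Tags", "")).casefold()}


def latest_per_upn(rows):
    """summarize arg_max(TimeGenerated, *) by AccountUPN"""
    latest = {}
    for r in rows:
        cur = latest.get(r.AccountUPN)
        if cur is None or r.TimeGenerated > cur.TimeGenerated:
            latest[r.AccountUPN] = r
    return list(latest.values())


def looks_like_sync_account(r):
    """The three OR-ed criteria from the where clause (role membership is
    simplified to exact, case-insensitive role names)."""
    return (any(role.casefold() in SYNC_ROLES for role in r.AssignedRoles)
            or r.AccountUPN.casefold().startswith("sync_")
            or SYNC_DISPLAY_NAME in r.AccountDisplayName.casefold())


def unapproved_sync_accounts(rows, watchlist, now, lookback=timedelta(days=14)):
    """Full pipeline: lookback -> arg_max -> criteria -> !in watchlist -> order."""
    approved = approved_sync_object_ids(watchlist)
    recent = [r for r in rows if r.TimeGenerated > now - lookback]
    hits = [r for r in latest_per_upn(recent)
            if looks_like_sync_account(r) and r.AccountObjectId not in approved]
    return sorted(hits, key=lambda r: r.AccountCreationTime, reverse=True)


# --- Constructed sample data ------------------------------------------------
NOW = datetime(2026, 6, 1, 12, 0, 0)
D, H = timedelta(days=1), timedelta(hours=1)

SAMPLE_WATCHLIST = [
    {"AccountObjectId": "obj-1", "Tags": "EntraIDConnect,Tier0"},  # approved
    {"AccountObjectId": "obj-3", "Tags": "Legacy"},                # wrong tag
]

SAMPLE_ROWS = [
    # Approved connector account: role + naming match, but it is on the watchlist.
    IdentityRow(NOW - 1 * H, "Sync_0a1b2c3d@contoso.example", "obj-1",
                "On-Premises Directory Synchronization Service Account",
                ["Directory Synchronization Accounts"], NOW - 700 * D, True),
    # New account with the DirSync role, absent from the watchlist -> flagged.
    IdentityRow(NOW - 2 * H, "Sync_backup@contoso.example", "obj-2",
                "Sync backup", ["Directory Synchronization Accounts"], NOW - 2 * D, True),
    # Display-name match only; listed but not tagged EntraIDConnect -> flagged.
    IdentityRow(NOW - 3 * H, "svc-replica@contoso.example", "obj-3",
                "On-Premises Directory Synchronization Service Account", [],
                NOW - 400 * D, True),
    # Older snapshot of a user who once held the role ...
    IdentityRow(NOW - 10 * D, "alice@contoso.example", "obj-4", "Alice",
                ["Directory Synchronization Accounts"], NOW - 900 * D, True),
    # ... superseded by a newer snapshot without it -> arg_max drops the old row.
    IdentityRow(NOW - 1 * D, "alice@contoso.example", "obj-4", "Alice",
                ["User Administrator"], NOW - 900 * D, True),
    # Outside the 14-day lookback window -> never considered.
    IdentityRow(NOW - 20 * D, "Sync_old@contoso.example", "obj-5", "Sync old",
                ["Directory Synchronization Accounts"], NOW - 30 * D, False),
]


def run_sample():
    """Return the UPNs the rule would alert on for the constructed data."""
    return [r.AccountUPN for r in unapproved_sync_accounts(SAMPLE_ROWS, SAMPLE_WATCHLIST, NOW)]


if __name__ == "__main__":
    for upn in run_sample():
        print("Unapproved sync account detected:", upn)
```

The two flagged rows illustrate the two ways an account ends up in the result: a genuinely new sync-role account, and an account that is in the watchlist but carries the wrong tag. The second case is the one that produces false positives when the watchlist is maintained sloppily, which is why the alert text tells the analyst to either investigate or update the watchlist.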

Details


David Alonso

Released: June 1, 2026

Tables

IdentityInfo

Keywords

AzureActiveDirectory, AuditLogs, IdentityInfo, Account, ServiceAccounts, EntraIDConnect, DirectorySynchronizationAccounts, OnPremisesDirectorySyncAccount, Sync, On-PremisesDirectorySynchronizationServiceAccount

Operators

let, _GetWatchlist, where, tostring, has, project, summarize, arg_max, by, has_any, startswith, !in, order by
