Query Details

17 AAD Prov Rogue Outbound Provisioning

Query

id: 9b1a0011-1011-4111-9111-aadprov00011
name: Rogue Outbound Provisioning - Mass Create to New Domain
version: 1.0.0
kind: Scheduled
description: |
  Detects bursts of successful outbound `Create` provisioning operations going
  to a TargetSystem (keyed by its DisplayName) that was not present in the
  prior 14 days, with >= 20 distinct target identities in 1 hour. This is the
  rogue-SCIM exfiltration pattern: the attacker stands up a malicious SCIM
  endpoint, wires Entra ID to it, and the provisioning service obligingly
  streams account data outward.
  Distinct from RULE-15 (new TargetSystem detection on any volume) - this rule
  fires on volume + previously-unknown target.
  MITRE ATT&CK: T1136 (Create Account), T1567 (Exfiltration Over Web Service),
  T1078.004 (Valid Accounts: Cloud Accounts).
severity: High
requiredDataConnectors:
  - connectorId: AzureActiveDirectory
    dataTypes:
      - AADProvisioningLogs
queryFrequency: 1h
queryPeriod: 14d
triggerOperator: gt
triggerThreshold: 0
tactics:
  - Persistence
  - Exfiltration
relevantTechniques:
  - T1136
  - T1567
query: |
  let HistoricalSystems =
      AADProvisioningLogs
      | where TimeGenerated between (ago(14d) .. ago(1h))
      | extend TgtSystem = tostring(parse_json(TargetSystem).DisplayName)
      | where isnotempty(TgtSystem)
      | distinct TgtSystem;
  AADProvisioningLogs
  | where TimeGenerated > ago(1h)
  | where ResultType =~ "Success"
  | where ProvisioningAction =~ "Create"
  | extend TgtSystem = tostring(parse_json(TargetSystem).DisplayName),
           SPName    = tostring(parse_json(ServicePrincipal).Name)
  | where isnotempty(TgtSystem) and TgtSystem !in (HistoricalSystems)
  // Group on the DisplayName only; keep one raw TargetSystem object for triage
  // rather than grouping on it, so a burst is not split across groups if the
  // object carries per-event detail.
  | summarize
      CreatedCount    = count(),
      DistinctTargets = dcount(TargetIdentity),
      SampleTargets   = make_set(tostring(parse_json(TargetIdentity).userPrincipalName), 30),
      TgtDetail       = take_any(tostring(TargetSystem)),
      FirstSeen       = min(TimeGenerated),
      LastSeen        = max(TimeGenerated)
    by TgtSystem, SPName
  | where DistinctTargets >= 20
  | order by CreatedCount desc
entityMappings:
  - entityType: CloudApplication
    fieldMappings:
      - identifier: Name
        columnName: SPName
customDetails:
  TgtSystem: TgtSystem
  CreatedCount: CreatedCount
  SampleTargets: SampleTargets
alertDetailsOverride:
  alertDisplayNameFormat: "Rogue outbound provisioning to {{TgtSystem}} ({{CreatedCount}} accounts)"
  alertDescriptionFormat: "ServicePrincipal {{SPName}} created {{CreatedCount}} accounts against new TargetSystem {{TgtSystem}} in 1h. Possible SCIM-exfiltration / rogue connector."
  alertSeverityColumnName: ""
  alertTacticsColumnName: ""
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: PT12H
    matchingMethod: AnyAlert
    groupByEntities:
      - CloudApplication
    groupByAlertDetails: []
    groupByCustomDetails: []

Explanation

This query is designed to detect suspicious activity related to outbound provisioning operations in a cloud environment. Here's a simplified explanation:

  1. Purpose: The query identifies bursts of account creation directed at a target system (keyed by its DisplayName in the provisioning log) that has not appeared in the previous 14 days. This could indicate an attacker who has registered a malicious SCIM endpoint as a provisioning target so that Entra ID pushes account data to it.

  2. How it Works:

    • It first builds a baseline of every target system seen in the provisioning logs between 14 days ago and 1 hour ago. The current hour is deliberately excluded so that a brand-new target is not counted as "known" by its own events.
    • It then looks only at the last hour and keeps successful "Create" actions, which means new accounts are being created in the target.
    • It discards events whose target system appears in the baseline.
    • It counts creates and distinct target identities per target system and service principal. If 20 or more distinct accounts were created against a previously unknown target in that hour, the rule fires.
    • Because the rule runs hourly and the baseline catches up on the next run, a new target has only one window in which to cross the threshold; a slow trickle of fewer than 20 distinct accounts per hour will not fire this rule, which is why RULE-15 covers new targets at any volume.
  3. Alert Details:

    • The alert will include the name of the service principal (an application or service identity) responsible for the account creation, the number of accounts created, and a sample of the target identities.
    • The alert is categorized as high severity due to the potential for data exfiltration.
  4. Relevance: This query is relevant to the Persistence and Exfiltration tactics, and it maps to the MITRE ATT&CK techniques for account creation and exfiltration over a web service.

  5. Incident Management: If such activity is detected, an incident is created to allow security teams to investigate further. Incidents are grouped by the cloud application involved to streamline the investigation.

Overall, this query helps in identifying and responding to potential security threats involving unauthorized data transfer to new, potentially malicious endpoints.
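The detection logic above, re-implemented in Python and run over constructed AADProvisioningLogs rows so the baseline window, the filters and the threshold can be checked offline. This is an added example, not part of the rule or the original page; the row shape (dynamic columns held as JSON strings with DisplayName, Name and userPrincipalName fields), the fixed clock, and every target system, service principal and UPN are assumptions chosen to mirror the fields the query reads.

```python
"""Re-implementation of the rule's KQL over constructed AADProvisioningLogs rows."""
import json
from datetime import datetime, timedelta, timezone

# Fixed "now" so the example is deterministic (assumption: the rule runs at this instant).
NOW = datetime(2026, 6, 1, 12, 0, tzinfo=timezone.utc)


def _row(minutes_ago, target_system, action, result, upn, sp="HR-Sync"):
    """One constructed log row. Dynamic columns are kept as JSON strings so the
    code below has to parse them, just as parse_json() does in the query."""
    return {
        "TimeGenerated": NOW - timedelta(minutes=minutes_ago),
        "TargetSystem": json.dumps({"DisplayName": target_system}),
        "ServicePrincipal": json.dumps({"Name": sp}),
        "TargetIdentity": json.dumps({"userPrincipalName": upn}),
        "ProvisioningAction": action,
        "ResultType": result,
    }


def build_sample_logs():
    """Constructed sample data (not from any real tenant)."""
    rows = []
    # Baseline: a legitimate connector provisioned to Salesforce two days ago.
    for i in range(5):
        rows.append(_row(2 * 24 * 60 + i, "Salesforce", "Create", "Success",
                         f"base{i:02d}@contoso.example"))
    # Last hour, known target, high volume: must NOT fire.
    for i in range(25):
        rows.append(_row(10 + i, "Salesforce", "Create", "Success",
                         f"hire{i:02d}@contoso.example"))
    # Last hour, never-seen target "scim-collector": 25 Create rows for 22 distinct
    # users (3 are retries of the same UPN), pushed by a different service principal.
    victims = [f"user{i:02d}@contoso.example" for i in range(22)]
    for i, upn in enumerate(victims + victims[:3]):
        rows.append(_row(5 + i, "scim-collector", "Create", "Success", upn,
                         sp="Payroll Connector"))
    # Failed creates to the rogue target: dropped by the ResultType filter.
    for i in range(5):
        rows.append(_row(40 + i, "scim-collector", "Create", "Failure",
                         f"fail{i:02d}@contoso.example", sp="Payroll Connector"))
    # New target, but only 3 accounts: below the threshold.
    for i in range(3):
        rows.append(_row(20 + i, "Contoso-Dev-Sandbox", "Create", "Success",
                         f"dev{i:02d}@contoso.example", sp="Dev Sync"))
    return rows


def _display_name(row):
    return str(json.loads(row["TargetSystem"]).get("DisplayName", "") or "")


def historical_systems(rows, now, lookback=timedelta(days=14), exclude=timedelta(hours=1)):
    """The HistoricalSystems let-block: distinct TargetSystem DisplayNames seen
    between ago(14d) and ago(1h). KQL `between` is inclusive at both ends."""
    start, end = now - lookback, now - exclude
    return {_display_name(r) for r in rows
            if start <= r["TimeGenerated"] <= end and _display_name(r)}


def rogue_outbound_provisioning(rows, now, threshold=20):
    """Main query body: one result per (TgtSystem, SPName) group that crosses
    the distinct-target threshold, ordered by CreatedCount descending."""
    known = historical_systems(rows, now)
    window_start = now - timedelta(hours=1)
    groups = {}
    for r in rows:
        if r["TimeGenerated"] <= window_start:
            continue
        # `=~` in KQL is case-insensitive string equality.
        if r["ResultType"].lower() != "success" or r["ProvisioningAction"].lower() != "create":
            continue
        tgt = _display_name(r)
        # `!in (HistoricalSystems)` is a case-sensitive exclusion.
        if not tgt or tgt in known:
            continue
        sp = str(json.loads(r["ServicePrincipal"]).get("Name", ""))
        g = groups.setdefault((tgt, sp), {
            "CreatedCount": 0, "targets": set(),
            "FirstSeen": r["TimeGenerated"], "LastSeen": r["TimeGenerated"],
            "TgtDetail": r["TargetSystem"],
        })
        g["CreatedCount"] += 1
        g["targets"].add(r["TargetIdentity"])   # dcount(TargetIdentity); exact here, HLL in KQL
        g["FirstSeen"] = min(g["FirstSeen"], r["TimeGenerated"])
        g["LastSeen"] = max(g["LastSeen"], r["TimeGenerated"])
    results = []
    for (tgt, sp), g in groups.items():
        if len(g["targets"]) < threshold:
            continue
        upns = sorted(json.loads(t).get("userPrincipalName", "") for t in g["targets"])
        results.append({
            "TgtSystem": tgt, "SPName": sp, "TgtDetail": g["TgtDetail"],
            "CreatedCount": g["CreatedCount"],
            "DistinctTargets": len(g["targets"]),
            "SampleTargets": upns[:30],          # make_set(..., 30)
            "FirstSeen": g["FirstSeen"], "LastSeen": g["LastSeen"],
        })
    results.sort(key=lambda x: x["CreatedCount"], reverse=True)
    return results


if __name__ == "__main__":
    for hit in rogue_outbound_provisioning(build_sample_logs(), NOW):
        print(f"{hit['SPName']} -> {hit['TgtSystem']}: {hit['CreatedCount']} creates, "
              f"{hit['DistinctTargets']} distinct targets")
```

Run as-is, the known-system burst (Salesforce, 25 creates) and the 3-account sandbox stay silent, while scim-collector returns 25 creates against 22 distinct targets. Calling `rogue_outbound_provisioning` with the next hour's clock returns nothing: the rogue target has aged into the baseline, which is the single-window property to keep in mind when tuning the threshold.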

Details

David Alonso

Released: June 1, 2026

Tables

AADProvisioningLogs

Keywords

AzureActiveDirectory, AADProvisioningLogs, TargetSystem, ServicePrincipal, TargetIdentity, CloudApplication

Operators

let, between, ago, extend, tostring, parse_json, where, isnotempty, distinct, in, summarize, count, dcount, make_set, min, max, order by, desc