Query Details

Rogue Outbound Provisioning - Mass Create to New Domain

17 AAD Prov Rogue Outbound Provisioning

Query

let HistoricalSystems =
    AADProvisioningLogs
    | where TimeGenerated between (ago(14d) .. ago(1h))
    | extend TgtSystem = tostring(parse_json(TargetSystem).DisplayName)
    | where isnotempty(TgtSystem)
    | distinct TgtSystem;
AADProvisioningLogs
| where TimeGenerated > ago(1h)
| where ResultType =~ "Success"
| where ProvisioningAction =~ "Create"
| extend TgtSystem = tostring(parse_json(TargetSystem).DisplayName),
         TgtDetail = tostring(TargetSystem),
         SPName    = tostring(parse_json(ServicePrincipal).Name)
| where isnotempty(TgtSystem) and TgtSystem !in (HistoricalSystems)
| summarize
    CreatedCount  = count(),
    DistinctTargets = dcount(TargetIdentity),
    SampleTargets = make_set(tostring(parse_json(TargetIdentity).userPrincipalName), 30),
    FirstSeen     = min(TimeGenerated),
    LastSeen      = max(TimeGenerated)
  by TgtSystem, SPName, TgtDetail
| where DistinctTargets >= 20
| order by CreatedCount desc

Explanation

This query is designed to detect suspicious activity related to outbound provisioning operations in a cloud environment. Here's a simplified explanation:

  1. Purpose: The query identifies bursts of account creation activities directed towards a new domain or URI that hasn't been seen in the last 30 days. This could indicate a potential security threat where an attacker sets up a malicious endpoint to exfiltrate data.

  2. How it Works:

    • It looks at provisioning logs from the last 14 days to identify any new target systems (domains or URIs) that have appeared in the last hour.
    • It specifically checks for successful "Create" actions, which means new accounts are being created.
    • It filters out any target systems that have been seen before in the past 14 days.
    • It counts the number of distinct target identities (accounts) being created. If 20 or more accounts are created in an hour to a new target system, it raises an alert.
  3. Alert Details:

    • The alert will include the name of the service principal (an application or service identity) responsible for the account creation, the number of accounts created, and a sample of the target identities.
    • The alert is categorized as high severity due to the potential for data exfiltration.
  4. Relevance: This query is relevant to tactics such as Persistence and Exfiltration, and it maps to specific MITRE ATT&CK techniques related to account creation and data exfiltration.

  5. Incident Management: If such activity is detected, an incident is created to allow security teams to investigate further. The incidents are grouped by the cloud application involved to streamline the investigation process.

Overall, this query helps in identifying and responding to potential security threats involving unauthorized data transfer to new, potentially malicious endpoints.

Details

David Alonso profile picture

David Alonso

Released: June 1, 2026

Tables

AADProvisioningLogs

Keywords

AzureActiveDirectoryAADProvisioningLogsTargetSystemServicePrincipalTargetIdentityCloudApplication

Operators

letbetweenagoextendtostringparse_jsonwhereisnotemptydistinctinsummarizecountdcountmake_setminmaxorder bydesc

Severity

High

Tactics

PersistenceExfiltration

MITRE Techniques

Frequency: 1h

Period: 14d

Actions

GitHub