Rogue Outbound Provisioning - Mass Create to New Domain
17 AAD Prov Rogue Outbound Provisioning
Query
let HistoricalSystems =
AADProvisioningLogs
| where TimeGenerated between (ago(14d) .. ago(1h))
| extend TgtSystem = tostring(parse_json(TargetSystem).DisplayName)
| where isnotempty(TgtSystem)
| distinct TgtSystem;
AADProvisioningLogs
| where TimeGenerated > ago(1h)
| where ResultType =~ "Success"
| where ProvisioningAction =~ "Create"
| extend TgtSystem = tostring(parse_json(TargetSystem).DisplayName),
TgtDetail = tostring(TargetSystem),
SPName = tostring(parse_json(ServicePrincipal).Name)
| where isnotempty(TgtSystem) and TgtSystem !in (HistoricalSystems)
| summarize
CreatedCount = count(),
DistinctTargets = dcount(TargetIdentity),
SampleTargets = make_set(tostring(parse_json(TargetIdentity).userPrincipalName), 30),
FirstSeen = min(TimeGenerated),
LastSeen = max(TimeGenerated)
by TgtSystem, SPName, TgtDetail
| where DistinctTargets >= 20
| order by CreatedCount descExplanation
This query is designed to detect suspicious activity related to outbound provisioning operations in a cloud environment. Here's a simplified explanation:
-
Purpose: The query identifies bursts of account creation activities directed towards a new domain or URI that hasn't been seen in the last 30 days. This could indicate a potential security threat where an attacker sets up a malicious endpoint to exfiltrate data.
-
How it Works:
- It looks at provisioning logs from the last 14 days to identify any new target systems (domains or URIs) that have appeared in the last hour.
- It specifically checks for successful "Create" actions, which means new accounts are being created.
- It filters out any target systems that have been seen before in the past 14 days.
- It counts the number of distinct target identities (accounts) being created. If 20 or more accounts are created in an hour to a new target system, it raises an alert.
-
Alert Details:
- The alert will include the name of the service principal (an application or service identity) responsible for the account creation, the number of accounts created, and a sample of the target identities.
- The alert is categorized as high severity due to the potential for data exfiltration.
-
Relevance: This query is relevant to tactics such as Persistence and Exfiltration, and it maps to specific MITRE ATT&CK techniques related to account creation and data exfiltration.
-
Incident Management: If such activity is detected, an incident is created to allow security teams to investigate further. The incidents are grouped by the cloud application involved to streamline the investigation process.
Overall, this query helps in identifying and responding to potential security threats involving unauthorized data transfer to new, potentially malicious endpoints.
Details

David Alonso
Released: June 1, 2026
Tables
Keywords
Operators
Severity
HighTactics
Frequency: 1h
Period: 14d