Query Details
id: 12531591-8392-4b4c-b117-485216bbf577
name: Successful sign-ins from valid AAD connector account outside of whitelisted IP address from WatchList
description: |
'Detection of successful sign-ins by Azure AD Connect service accounts from outside a set of named public IP addresses. The "Service AAD Object Id" values tagged "Azure AD Connect" in the "ServiceAccounts" watchlist identify the connector accounts, and any sign-in by those accounts from an IP address that is not listed (with the same tag) in the "HighValueAssets" watchlist is flagged. In addition, all sign-ins to the AAD Connect endpoints (Azure AD Sync and AAD Connect V2) are covered, so a sign-in to these APIs from an address that does not match the watchlist is detected even if the account itself is not on the watchlist.'
severity: Medium
requiredDataConnectors:
- connectorId: AzureActiveDirectory
dataTypes:
- SigninLogs
- connectorId: AzureActiveDirectory
dataTypes:
- AADNonInteractiveUserSignInLogs
queryFrequency: 1d
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
- CredentialAccess
- PrivilegeEscalation
- InitialAccess
relevantTechniques:
- T1078
- T1528
query: |
let AADCServer = (_GetWatchlist('HighValueAssets')
| where ['Tags'] == "Azure AD Connect" | project ['IP Address']);
let AADConnectorAcc = (_GetWatchlist('ServiceAccounts')
| where ['Tags'] == "Azure AD Connect" | project AccountObjectId = ['Service AAD Object Id']);
union isfuzzy=true AADNonInteractiveUserSignInLogs, SigninLogs
// AADC APIs: AADSync = "cb1056e2-e479-49de-ae31-7812af012ed8", AAD Connect v2 = 6eb59a73-39b2-4c23-a70f-e2e3ce8965b1
| where (UserId in (AADConnectorAcc) or AppId == "cb1056e2-e479-49de-ae31-7812af012ed8" or AppId == "6eb59a73-39b2-4c23-a70f-e2e3ce8965b1") and IPAddress !in (AADCServer)
| where ResultType == "0"
| project TimeGenerated,Category,UserPrincipalName, AppDisplayName, AppId, IPAddress, RiskState
| extend timestamp = TimeGenerated, IPCustomEntity = IPAddress, AccountCustomEntity = UserPrincipalName
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: AccountCustomEntity
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
version: 1.0.1
kind: Scheduled

This query detects successful sign-ins from a valid Azure Active Directory (AAD) connector account outside of a whitelisted IP address. It uses two watchlists, "ServiceAccounts" (tag "Azure AD Connect", column "Service AAD Object Id") and "HighValueAssets" (tag "Azure AD Connect", column "IP Address"), to identify the AAD connector accounts and the whitelisted IP addresses. The query also covers all sign-ins to the AAD Connect endpoints (Azure AD Sync and AAD Connect V2, matched by AppId), whether or not the signing-in account is on the watchlist, and keeps only successful sign-ins (ResultType 0). It runs once per day over the last day of SigninLogs and AADNonInteractiveUserSignInLogs and fires when at least one matching sign-in is found; the severity is medium. The mapped tactics are Credential Access, Privilege Escalation and Initial Access, with techniques T1078 (Valid Accounts) and T1528 (Steal Application Access Token). The query projects a fixed set of fields from the sign-in logs and maps UserPrincipalName to an Account entity and IPAddress to an IP entity. Note that the IP comparison is an exact string match against the watchlist values, so every public egress address of the Azure AD Connect server, in the form the sign-in logs record it, must be present in the watchlist, and only rows tagged "Azure AD Connect" count.
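The following is an added example, not code from the rule or its author: a Python re-implementation of the rule's filtering and entity-mapping steps, run over constructed sign-in rows and constructed watchlist rows so the logic can be exercised offline. The two AppIds are the ones named in the rule's query; every watchlist entry, UserId, UPN, IP address and ResultType below is hypothetical sample data. The sample set includes the cases a practitioner would want to see: the expected sign-in from the allowlisted server, the core alert, a failed sign-in, an account that is not on the watchlist but talks to the AAD Connect API, and a sign-in from an address that is in the watchlist but under a different tag.

```python
# Added example: Python re-implementation of the rule's logic over constructed data.
# Only the two AppIds come from the rule's query; all other values are hypothetical.

# AppIds from the rule's query comment: Azure AD Sync and Azure AD Connect V2.
AADSYNC_APPID = "cb1056e2-e479-49de-ae31-7812af012ed8"
AADCONNECT_V2_APPID = "6eb59a73-39b2-4c23-a70f-e2e3ce8965b1"
AADC_APPIDS = {AADSYNC_APPID, AADCONNECT_V2_APPID}
AADC_TAG = "Azure AD Connect"

# Constructed "HighValueAssets" watchlist rows (only the columns the query reads).
HIGH_VALUE_ASSETS = [
    {"Tags": AADC_TAG, "IP Address": "203.0.113.10"},            # the AAD Connect server
    {"Tags": "Domain Controller", "IP Address": "203.0.113.20"},  # listed, but not tagged AADC
]

# Constructed "ServiceAccounts" watchlist rows.
CONNECTOR_OBJECT_ID = "11111111-1111-1111-1111-111111111111"
SERVICE_ACCOUNTS = [
    {"Tags": AADC_TAG, "Service AAD Object Id": CONNECTOR_OBJECT_ID},
    {"Tags": "Backup", "Service AAD Object Id": "22222222-2222-2222-2222-222222222222"},
]


def _row(category, upn, user_id, app_name, app_id, ip, result, ts):
    """Build one constructed sign-in row with the columns the rule touches."""
    return {"TimeGenerated": ts, "Category": category, "UserPrincipalName": upn,
            "UserId": user_id, "AppDisplayName": app_name, "AppId": app_id,
            "IPAddress": ip, "ResultType": result, "RiskState": "none"}


# Constructed rows, already unioned from SigninLogs and AADNonInteractiveUserSignInLogs
# (the rule's union is isfuzzy=true, so a missing table just contributes no rows).
SIGNIN_ROWS = [
    # 1: connector account, AADC API, from the allowlisted server -> expected, no alert
    _row("SignInLogs", "sync_aadc@contoso.example", CONNECTOR_OBJECT_ID,
         "Windows Azure Active Directory Sync", AADSYNC_APPID, "203.0.113.10", "0",
         "2023-08-23T01:00:00Z"),
    # 2: connector account from an unknown address -> alert (the core case)
    _row("SignInLogs", "sync_aadc@contoso.example", CONNECTOR_OBJECT_ID,
         "Windows Azure Active Directory Sync", AADSYNC_APPID, "198.51.100.7", "0",
         "2023-08-23T02:15:00Z"),
    # 3: same, but the sign-in failed -> no alert (ResultType != 0)
    _row("SignInLogs", "sync_aadc@contoso.example", CONNECTOR_OBJECT_ID,
         "Windows Azure Active Directory Sync", AADSYNC_APPID, "198.51.100.7", "50126",
         "2023-08-23T02:16:00Z"),
    # 4: account NOT on the watchlist signing in to the AADC V2 API -> alert (AppId clause)
    _row("NonInteractiveUserSignInLogs", "contractor@contoso.example",
         "33333333-3333-3333-3333-333333333333", "AAD Connect V2 (constructed label)",
         AADCONNECT_V2_APPID, "198.51.100.9", "0", "2023-08-23T03:00:00Z"),
    # 5: backup account (different tag) signing in to Microsoft Graph -> out of scope
    _row("SignInLogs", "svc_backup@contoso.example",
         "22222222-2222-2222-2222-222222222222", "Microsoft Graph",
         "00000003-0000-0000-c000-000000000000", "198.51.100.7", "0", "2023-08-23T04:00:00Z"),
    # 6: connector account from the domain controller address -> alert, because the
    #    allowlist is built only from watchlist rows tagged "Azure AD Connect"
    _row("SignInLogs", "sync_aadc@contoso.example", CONNECTOR_OBJECT_ID,
         "Windows Azure Active Directory Sync", AADSYNC_APPID, "203.0.113.20", "0",
         "2023-08-23T05:00:00Z"),
]


def aadc_server_ips(high_value_assets):
    """let AADCServer = ... | where Tags == "Azure AD Connect" | project ['IP Address']"""
    return {r["IP Address"] for r in high_value_assets if r["Tags"] == AADC_TAG}


def aadc_connector_accounts(service_accounts):
    """let AADConnectorAcc = ... | project AccountObjectId = ['Service AAD Object Id']"""
    return {r["Service AAD Object Id"] for r in service_accounts if r["Tags"] == AADC_TAG}


def evaluate(rows, high_value_assets, service_accounts):
    """Apply the rule's where / project / extend steps; return the rows that would alert."""
    allowed_ips = aadc_server_ips(high_value_assets)
    connector_ids = aadc_connector_accounts(service_accounts)
    projected = ("TimeGenerated", "Category", "UserPrincipalName", "AppDisplayName",
                 "AppId", "IPAddress", "RiskState")
    results = []
    for row in rows:
        in_scope = row.get("UserId") in connector_ids or row.get("AppId") in AADC_APPIDS
        if not in_scope:
            continue
        # `IPAddress !in (AADCServer)` is an exact, case-sensitive string comparison.
        if row.get("IPAddress") in allowed_ips:
            continue
        if str(row.get("ResultType")) != "0":  # only successful sign-ins
            continue
        out = {k: row.get(k) for k in projected}
        # The extend step that feeds entityMappings (Account <- UPN, IP <- IPAddress).
        out["timestamp"] = out["TimeGenerated"]
        out["IPCustomEntity"] = out["IPAddress"]
        out["AccountCustomEntity"] = out["UserPrincipalName"]
        results.append(out)
    return results


def should_trigger(results):
    """triggerOperator: gt, triggerThreshold: 0 -> any matching row raises the incident."""
    return len(results) > 0


if __name__ == "__main__":
    hits = evaluate(SIGNIN_ROWS, HIGH_VALUE_ASSETS, SERVICE_ACCOUNTS)
    for h in hits:
        print(h["TimeGenerated"], h["AccountCustomEntity"], h["IPCustomEntity"], h["AppId"])
    print("incident:", should_trigger(hits))
```

Running it produces three alert rows (cases 2, 4 and 6). Case 6 is the one worth pausing on when tuning the watchlists: an address that is present in HighValueAssets but under another tag is not part of the allowlist, and case 4 shows that the AppId clause widens the rule beyond the watchlisted accounts to anything that authenticates against the Azure AD Sync or AAD Connect V2 APIs.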

Thomas Naunheim
Released: August 23, 2023