Query Details

Successful sign-ins from valid AAD connector account outside of whitelisted IP address from WatchList

AAD Connect Sign Ins Outside Server IP

Query

let AADCServer = (_GetWatchlist('HighValueAssets')
    | where ['Tags'] == "Azure AD Connect" | project ['IP Address']);
let AADConnectorAcc = (_GetWatchlist('ServiceAccounts')
    | where ['Tags'] == "Azure AD Connect" | project AccountObjectId = ['Service AAD Object Id']);
union isfuzzy=true AADNonInteractiveUserSignInLogs, SigninLogs
// AADC APIs: AADSync = "cb1056e2-e479-49de-ae31-7812af012ed8", AAD Connect v2 = 6eb59a73-39b2-4c23-a70f-e2e3ce8965b1
| where (UserId in (AADConnectorAcc) or AppId == "cb1056e2-e479-49de-ae31-7812af012ed8" or AppId == "6eb59a73-39b2-4c23-a70f-e2e3ce8965b1") and IPAddress !in (AADCServer)
| where ResultType == "0"
| project TimeGenerated,Category,UserPrincipalName, AppDisplayName, AppId, IPAddress, RiskState
| extend timestamp = TimeGenerated, IPCustomEntity = IPAddress, AccountCustomEntity = UserPrincipalName

Explanation

This query detects successful sign-ins from a valid Azure Active Directory (AAD) connector account outside of a whitelisted IP address. It uses two watchlists, "Service Accounts" and "High Value Assets", to identify the AAD connector account and the whitelisted IP address. The query covers sign-ins to AAD Connect Endpoints (Azure AD Sync and AAD Connect V2) and checks if they match the watchlist. The query frequency is once per day, and the severity is medium. The relevant techniques include Credential Access, Privilege Escalation, and Initial Access. The query retrieves specific fields from the sign-in logs and maps them to account and IP entities.

Details

Thomas Naunheim profile picture

Thomas Naunheim

Released: August 23, 2023

Tables

SigninLogsAADNonInteractiveUserSignInLogsHighValueAssetsServiceAccounts

Keywords

DevicesIntuneUserAAD connectorIP addressWatchListSign-in logsAADNonInteractiveUserSignInLogsAAD ConnectAzure AD SyncAAD Connect V2TagsAccountObjectIdUserIdAppIdResultTypeTimeGeneratedCategoryUserPrincipalNameAppDisplayNameIPAddressRiskStatetimestampIPCustomEntityAccountCustomEntityFullNameAddress

Operators

letwhereprojectunionisfuzzyinorand!inResultTypeextend

Severity

Medium

Tactics

CredentialAccessPrivilegeEscalationInitialAccess

MITRE Techniques

Frequency: 1d

Period: 1d

Actions

GitHub