Activities from AAD connector account with enrichment of IdentityInfo
AAD Connector Account AAD Activities With Enriched Information
Query
let AADConnectorAcc = (_GetWatchlist('ServiceAccounts')
| where ['Tags'] == "Azure AD Connect" | project AccountObjectId = ['Service AAD Object Id']);
let AADCServer = (_GetWatchlist('HighValueAssets')
| where ['Tags'] == "Azure AD Connect" | project ['IP Address']);
AuditLogs
| extend ActorAccountObjectId = tostring(parse_json(tostring(InitiatedBy.user)).id)
| extend ActorAccountIPAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)
| extend TargetAccountObjectId = tostring(parse_json(tostring(TargetResources[0])).id)
| where ActorAccountObjectId in (AADConnectorAcc)
| join kind=leftouter (IdentityInfo | project AccountObjectId, AccountDisplayName, GroupMembership, AssignedRoles) on $left.TargetAccountObjectId == $right.AccountObjectId
| project TimeGenerated, ActorAccountObjectId, TargetAccountObjectId, OperationName, TargetUPN = tostring(parse_json(tostring(TargetResources[0])).userPrincipalName), GroupMembership, AssignedRoles, ActorAccountIPAddress
| extend timestamp = TimeGenerated, IPCustomEntity = ActorAccountIPAddress, AccountCustomEntity = TargetUPNExplanation
This query is used to detect and investigate changes made by a whitelisted Azure Active Directory (AAD) connector account. It looks for takeovers or synchronizations of user objects with sensitive group membership or assigned AAD roles. It can also identify anomalies in object changes. The query retrieves audit logs and joins them with identity information to get details about the actor account, target account, operation name, group membership, assigned roles, and IP address. The query is scheduled to run once a day and has a medium severity level. It is relevant to techniques related to credential access, privilege escalation, and initial access.
Details

Thomas Naunheim
Released: August 23, 2023
Tables
Keywords
Operators
Severity
MediumTactics
MITRE Techniques
Frequency: 1d
Period: 1d