Query Details

Activities from AAD connector account with enrichment of IdentityInfo

AAD Connector Account AAD Activities With Enriched Information

Query

let AADConnectorAcc = (_GetWatchlist('ServiceAccounts')
    | where ['Tags'] == "Azure AD Connect" | project AccountObjectId = ['Service AAD Object Id']);
let AADCServer = (_GetWatchlist('HighValueAssets')
    | where ['Tags'] == "Azure AD Connect" | project ['IP Address']);    
AuditLogs
| extend ActorAccountObjectId = tostring(parse_json(tostring(InitiatedBy.user)).id)
| extend ActorAccountIPAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)
| extend TargetAccountObjectId = tostring(parse_json(tostring(TargetResources[0])).id)
| where ActorAccountObjectId in (AADConnectorAcc)
| join kind=leftouter (IdentityInfo | project AccountObjectId, AccountDisplayName, GroupMembership, AssignedRoles) on $left.TargetAccountObjectId == $right.AccountObjectId
| project TimeGenerated, ActorAccountObjectId, TargetAccountObjectId, OperationName, TargetUPN = tostring(parse_json(tostring(TargetResources[0])).userPrincipalName), GroupMembership, AssignedRoles, ActorAccountIPAddress
| extend timestamp = TimeGenerated, IPCustomEntity = ActorAccountIPAddress, AccountCustomEntity = TargetUPN

Explanation

This query is used to detect and investigate changes made by a whitelisted Azure Active Directory (AAD) connector account. It looks for takeovers or synchronizations of user objects with sensitive group membership or assigned AAD roles. It can also identify anomalies in object changes. The query retrieves audit logs and joins them with identity information to get details about the actor account, target account, operation name, group membership, assigned roles, and IP address. The query is scheduled to run once a day and has a medium severity level. It is relevant to techniques related to credential access, privilege escalation, and initial access.

Details

Thomas Naunheim profile picture

Thomas Naunheim

Released: August 23, 2023

Tables

AuditLogs IdentityInfo

Keywords

AADConnectorAccAADCServerAuditLogsInitiatedByTargetResourcesIdentityInfoTimeGeneratedOperationNameTargetUPNGroupMembershipAssignedRolesActorAccountIPAddressIPCustomEntityAccountCustomEntity

Operators

letwhereprojectextendtostringparse_jsoninjoinkind=leftouteron$left.$right.TimeGeneratedActorAccountObjectIdTargetAccountObjectIdOperationNameTargetUPNGroupMembershipAssignedRolesActorAccountIPAddresstimestampIPCustomEntityAccountCustomEntityentityTypefieldMappingsidentifiercolumnName

Severity

Medium

Tactics

CredentialAccessPrivilegeEscalationInitialAccess

MITRE Techniques

Frequency: 1d

Period: 1d

Actions

GitHub