Query Details

AAD Connector Account AAD Activities With Enriched Information

Query

id: 5f1bdb2f-5622-4ab2-bc4b-96cc9ff480c8
name: Activities from AAD connector account with enrichment of IdentityInfo
description: |
  'This hunting query can be used, customized as a detection, or used for further investigation of changes made by the whitelisted AAD connector account. It allows finding takeover of, or synchronization to, user objects with sensitive group membership or assigned AAD roles. This query is also useful for finding anomalies in object changes.'
severity: Medium
requiredDataConnectors:
  - connectorId: AzureActiveDirectory
    dataTypes:
      - AuditLogs
queryFrequency: 1d
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
  - CredentialAccess
  - PrivilegeEscalation
  - InitialAccess
relevantTechniques:
  - T1078
query: |
  // Object ID of the Azure AD Connect service account, taken from the ServiceAccounts watchlist
  let AADConnectorAcc = (_GetWatchlist('ServiceAccounts')
      | where ['Tags'] == "Azure AD Connect" | project AccountObjectId = ['Service AAD Object Id']);
  // IP address of the Azure AD Connect server, taken from the HighValueAssets watchlist
  // (declared here but not applied as a filter in the statements below)
  let AADCServer = (_GetWatchlist('HighValueAssets')
      | where ['Tags'] == "Azure AD Connect" | project ['IP Address']);
  AuditLogs
  // Unpack the initiating user and the first target object from the dynamic columns
  | extend ActorAccountObjectId = tostring(parse_json(tostring(InitiatedBy.user)).id)
  | extend ActorAccountIPAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)
  | extend TargetAccountObjectId = tostring(parse_json(tostring(TargetResources[0])).id)
  // Keep only operations initiated by the connector account
  | where ActorAccountObjectId in (AADConnectorAcc)
  // Enrich the target with group membership and AAD roles; leftouter keeps targets that have no IdentityInfo row
  | join kind=leftouter (IdentityInfo | project AccountObjectId, AccountDisplayName, GroupMembership, AssignedRoles) on $left.TargetAccountObjectId == $right.AccountObjectId
  | project TimeGenerated, ActorAccountObjectId, TargetAccountObjectId, OperationName, TargetUPN = tostring(parse_json(tostring(TargetResources[0])).userPrincipalName), GroupMembership, AssignedRoles, ActorAccountIPAddress
  | extend timestamp = TimeGenerated, IPCustomEntity = ActorAccountIPAddress, AccountCustomEntity = TargetUPN
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: AccountCustomEntity
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity
version: 1.0.0

Explanation

This query is used to detect and investigate changes made by a whitelisted Azure Active Directory (AAD) connector account. It looks for takeovers or synchronizations of user objects with sensitive group membership or assigned AAD roles, and can also surface anomalies in object changes. The query reads AuditLogs, keeps the entries initiated by the connector account (identified by its object ID in the ServiceAccounts watchlist), and joins them with IdentityInfo to report the actor account, target account, operation name, target UPN, group membership, assigned roles, and actor IP address. The query is scheduled to run once a day over the previous day of data and has a medium severity level. It is mapped to techniques related to credential access, privilege escalation, and initial access (T1078, Valid Accounts).
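The following is an added Python reimplementation of the query's logic over constructed sample rows; it is not part of the original rule or Thomas Naunheim's code. Watchlist entries, object IDs, UPNs and IP addresses are hypothetical, and the example goes one step beyond the query by also comparing the actor IP with the AAD Connect server watchlist (AADCServer), which the KQL declares but never uses.

```python
# Constructed sample data (hypothetical object IDs, UPNs and IPs, not from the page).
SERVICE_ACCOUNTS = [  # stands in for _GetWatchlist('ServiceAccounts')
    {"Tags": "Azure AD Connect", "Service AAD Object Id": "aadc-sync-0001"},
    {"Tags": "Break Glass", "Service AAD Object Id": "breakglass-0002"},
]
HIGH_VALUE_ASSETS = [{"Tags": "Azure AD Connect", "IP Address": "10.0.0.5"}]
AUDIT_LOGS = [  # AuditLogs rows with the dynamic InitiatedBy/TargetResources columns
    {"TimeGenerated": "2023-08-23T01:00:00Z", "OperationName": "Update user",
     "InitiatedBy": {"user": {"id": "aadc-sync-0001", "ipAddress": "10.0.0.5"}},
     "TargetResources": [{"id": "user-100", "userPrincipalName": "ga@contoso.example"}]},
    {"TimeGenerated": "2023-08-23T02:00:00Z", "OperationName": "Update user",
     "InitiatedBy": {"user": {"id": "aadc-sync-0001", "ipAddress": "203.0.113.9"}},
     "TargetResources": [{"id": "user-200", "userPrincipalName": "temp@contoso.example"}]},
    {"TimeGenerated": "2023-08-23T03:00:00Z", "OperationName": "Add member to group",
     "InitiatedBy": {"user": {"id": "breakglass-0002", "ipAddress": "10.0.0.5"}},
     "TargetResources": [{"id": "user-100", "userPrincipalName": "ga@contoso.example"}]},
]
IDENTITY_INFO = [  # IdentityInfo rows; only user-100 has an entry (leftouter join case)
    {"AccountObjectId": "user-100", "GroupMembership": ["Tier0-Admins"],
     "AssignedRoles": ["Global Administrator"]},
]

def hunt(audit_logs, identity_info, service_accounts, high_value_assets):
    """Rows initiated by the AAD Connect account, enriched from IdentityInfo.
    Also flags whether the actor IP matches the AAD Connect server watchlist,
    which the original query declares (AADCServer) but never uses."""
    connector_ids = {r["Service AAD Object Id"] for r in service_accounts
                     if r["Tags"] == "Azure AD Connect"}
    connector_ips = {r["IP Address"] for r in high_value_assets
                     if r["Tags"] == "Azure AD Connect"}
    identity = {r["AccountObjectId"]: r for r in identity_info}
    results = []
    for row in audit_logs:
        actor = row["InitiatedBy"].get("user") or {}
        if actor.get("id") not in connector_ids:   # where ActorAccountObjectId in (AADConnectorAcc)
            continue
        target = row["TargetResources"][0]
        info = identity.get(target["id"], {})       # leftouter: no match -> empty enrichment
        results.append({
            "TimeGenerated": row["TimeGenerated"], "OperationName": row["OperationName"],
            "ActorAccountObjectId": actor["id"], "TargetAccountObjectId": target["id"],
            "TargetUPN": target.get("userPrincipalName", ""),
            "GroupMembership": info.get("GroupMembership", []),
            "AssignedRoles": info.get("AssignedRoles", []),
            "ActorAccountIPAddress": actor.get("ipAddress", ""),
            "ActorIPIsAADConnectServer": actor.get("ipAddress") in connector_ips,
        })
    return results
```

The second row, synchronized from an address that is not the AAD Connect server, is the kind of anomaly a reviewer would want to pivot on; the break-glass row is excluded because that account is not the connector.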

Details

Thomas Naunheim

Released: August 23, 2023

Tables

AuditLogs, IdentityInfo

Keywords

AADConnectorAcc, AADCServer, AuditLogs, InitiatedBy, TargetResources, IdentityInfo, TimeGenerated, OperationName, TargetUPN, GroupMembership, AssignedRoles, ActorAccountIPAddress, IPCustomEntity, AccountCustomEntity

Operators

let, where, project, extend, tostring, parse_json, in, join, kind=leftouter, on, $left., $right., TimeGenerated, ActorAccountObjectId, TargetAccountObjectId, OperationName, TargetUPN, GroupMembership, AssignedRoles, ActorAccountIPAddress, timestamp, IPCustomEntity, AccountCustomEntity, entityType, fieldMappings, identifier, columnName