Detect credential add to Connect Sync Application
Detect Cred Add To Connect Sync Application
Query
// Flag adding credential that does not look like a renewal
let base = materialize (
AuditLogs
// Search events happening on the Sync Account
| extend AppName = tostring(TargetResources[0].displayName)
| where AppName startswith "ConnectSyncProvisioning_"
// Only get cretificate or secret changes
| where OperationName has_any ("Add service principal", "Certificates and secrets management", "Update application")
// Expand the target resources and modified properties, and only use events ralted to KeyDescription
| mv-expand TargetResources
| extend ModifiedProperties = TargetResources.modifiedProperties
| mv-expand ModifiedProperties
| where ModifiedProperties.displayName == "KeyDescription"
// Save the old and new values of the secrets on the application
| extend OldValue = tostring(ModifiedProperties.oldValue),
NewValue = tostring(ModifiedProperties.newValue)
// Save the old and new credential names in an array
| extend OldCredentialNames = extract_all(@"DisplayName=([^\]]+)", dynamic([1]), OldValue),
NewCredentialNames = extract_all(@"DisplayName=([^\]]+)", dynamic([1]), NewValue)
);
let newCredsAdd = (
base
// Flag when there are more new credentials than old ones
| where array_length(OldCredentialNames) < array_length(NewCredentialNames)
| project-rename NewCredAddTimeGenerated = TimeGenerated
);
let credRemove = (
base
// Get events where credentials are being removed
| where array_length(OldCredentialNames) > array_length(NewCredentialNames)
| project-rename CredRemoveTimeGenerated = TimeGenerated
);
// Only flag when credentials are added without another being removed for the same application within a small time window
// This excludes a normal renewal process
newCredsAdd
| join kind=leftouter credRemove on AppName
| where CredRemoveTimeGenerated - NewCredAddTimeGenerated > 1m
| project NewCredAddTimeGenerated, CredRemoveTimeGenerated, OperationName, AdditionalDetails, InitiatedBy, AppName, ModifiedProperties, OldCredentialNames, NewCredentialNamesAbout this query
Explanation
This query is designed to detect suspicious activities related to the addition of credentials to the Connect Sync Application in Entra ID. It focuses on identifying potential unauthorized access attempts by monitoring changes in certificates, client secrets, and federated credentials. The query specifically looks for instances where new credentials are added without a corresponding removal of old credentials within a short time frame, which would typically indicate a legitimate renewal process. By doing so, it aims to flag potentially malicious activities where an attacker might be trying to maintain access to Entra ID through a compromised account. The query is part of a security measure to prevent unauthorized persistence in cloud environments.
Details

Robbe Van den Daele
Released: October 5, 2025
Tables
Keywords
Operators