Query Details

HUNT-01 Provisioning Failures by Job and Error (30d)

HUNT 01 AAD Prov Failures By Job Error 30d

Query

AADProvisioningLogs
| where TimeGenerated > ago(30d)
| where ResultType =~ "Failure"
| extend SPName = tostring(parse_json(ServicePrincipal).Name)
| summarize
    Failures        = count(),
    AffectedTargets = dcount(TargetIdentity),
    ErrorMessages   = make_set(ResultDescription, 5),
    Operations      = make_set(OperationName, 10),
    DistinctDays    = dcount(startofday(TimeGenerated)),
    FirstSeen       = min(TimeGenerated),
    LastSeen        = max(TimeGenerated)
  by JobId, SPName, ResultSignature
| where Failures >= 10
| extend Sustained = DistinctDays >= 3
| order by Failures desc

Explanation

This query is designed to analyze provisioning failures in Azure Active Directory over the past 30 days. It focuses on identifying persistent issues, potential malicious activities, and schema-related errors. Here's a simple breakdown:

  1. Data Source: It uses logs from Azure Active Directory, specifically the provisioning logs.

  2. Time Frame: The analysis covers the last 30 days.

  3. Filter: It looks for entries where the result was a "Failure".

  4. Data Extraction: For each failure, it extracts the name of the service principal involved.

  5. Aggregation: The query groups the failures by Job ID, Service Principal Name, and error signature. It calculates:

    • Total number of failures.
    • Number of unique affected targets.
    • A set of error messages (up to 5).
    • A set of operations involved (up to 10).
    • Number of distinct days the failures occurred.
    • The first and last occurrence of the failures.
  6. Threshold: It only considers groups with 10 or more failures.

  7. Sustained Issues: It flags issues that occurred on at least 3 different days.

  8. Output: The results are ordered by the number of failures, showing the most frequent issues first.

This query helps in identifying recurring problems, potential security threats, and operational anomalies in the provisioning process.

Details

David Alonso profile picture

David Alonso

Released: June 1, 2026

Tables

AADProvisioningLogs

Keywords

AzureActiveDirectoryAADProvisioningLogsServicePrincipalJobIdTargetIdentityResultDescriptionOperationNameTimeGenerated

Operators

whereextendsummarizedcountmake_setminmaxbyorder bytostringparse_jsonagostartofday

Severity

Medium

Tactics

DefenseEvasion

MITRE Techniques

Actions

GitHub