Query Details

HUNT 02 AAD Prov First Seen Mappings 30v90d

Query

id: aa1f0002-2002-4202-9202-aadprov-hunt02
name: HUNT-02 First-seen Source-to-Target Mappings (30d vs 90d)
description: |
  Surfaces SourceIdentity -> TargetIdentity provisioning pairs that appeared
  in the last 30 days but had no prior history in the preceding 60 days.
  Useful to detect new HR feeds, new SCIM integrations, or attacker-introduced
  mappings that re-route identity data.
severity: Medium
requiredDataConnectors:
  - connectorId: AzureActiveDirectory
    dataTypes:
      - AADProvisioningLogs
tactics:
  - Persistence
relevantTechniques:
  - T1136
query: |
  let Recent =
      AADProvisioningLogs
      | where TimeGenerated > ago(30d)
      | where ResultType =~ "Success"
      | extend SourceUpn = tostring(parse_json(SourceIdentity).userPrincipalName),
               TargetUpn = tostring(parse_json(TargetIdentity).userPrincipalName),
               SPName    = tostring(parse_json(ServicePrincipal).Name)
      | summarize Events = count(), FirstSeen = min(TimeGenerated) by SourceUpn, TargetUpn, SPName
      | where Events >= 3;
  let Historical =
      AADProvisioningLogs
      | where TimeGenerated between (ago(90d) .. ago(30d))
      | extend SourceUpn = tostring(parse_json(SourceIdentity).userPrincipalName),
               TargetUpn = tostring(parse_json(TargetIdentity).userPrincipalName)
      | distinct SourceUpn, TargetUpn;
  Recent
  | join kind=leftanti (Historical) on SourceUpn, TargetUpn
  | order by Events desc

Explanation

This query is designed to identify new identity mappings in Azure Active Directory provisioning logs. Here's a simple breakdown:

  1. Purpose: The query aims to find new SourceIdentity to TargetIdentity mappings that have appeared in the last 30 days but did not exist in the 60 days before that. This can help detect new HR feeds, SCIM integrations, or potentially malicious mappings introduced by attackers.

  2. Severity: The detection is rated Medium severity.

  3. Data Source: It uses data from Azure Active Directory, specifically focusing on provisioning logs.

  4. Tactics and Techniques: The query is related to the "Persistence" tactic and the "Create Account" technique (T1136).

  5. Query Details:

    • Recent Mappings: It first identifies successful provisioning events in the last 30 days, extracting the user principal names (UPNs) of the source and target identities, as well as the service principal name. It counts the number of events and notes the first time each mapping was seen, filtering for mappings that have occurred at least three times.

    • Historical Mappings: It then looks at the provisioning logs from 30 to 90 days ago to find distinct source-to-target identity pairs that existed during that period.

  6. Comparison: The query compares the recent mappings with the historical ones to find new mappings that have appeared in the last 30 days but were not present in the previous 60 days.

  7. Output: The results are sorted by the number of events in descending order, highlighting the most frequently occurring new mappings.

In summary, this query helps identify new and potentially suspicious identity mappings in Azure Active Directory by comparing recent activity with historical data.
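The same first-seen logic, reimplemented in Python over a constructed set of provisioning records so the three decision points of the query (the 30-day success count with its Events >= 3 threshold, the 30-to-90-day baseline, and the leftanti join that drops any pair with baseline history) can be stepped through offline. This is an added example, not code from the page or its author; the records, UPNs, service principal names and the fixed "now" are all made up. One detail worth noticing, taken directly from the query itself: the Historical set does not filter on ResultType, so a pair that only ever failed in the baseline window still counts as known history and suppresses its later successes.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Fixed reference time so the example is deterministic (assumption, not taken from the page).
NOW = datetime(2026, 6, 1, tzinfo=timezone.utc)


def rec(days_ago, result, src, tgt, sp):
    """Build one AADProvisioningLogs-shaped record (constructed sample, not real tenant data)."""
    return {
        "TimeGenerated": NOW - timedelta(days=days_ago),
        "ResultType": result,
        "SourceIdentity": json.dumps({"userPrincipalName": src}),
        "TargetIdentity": json.dumps({"userPrincipalName": tgt}),
        "ServicePrincipal": json.dumps({"Name": sp}),
    }


# Constructed sample covering each branch of the hunt's logic.
SAMPLE_LOGS = [
    # Long-standing HR feed: seen in the baseline and recently -> suppressed by the leftanti join.
    rec(70, "Success", "hr.alice@contoso.example", "alice@contoso.example", "Workday to AAD"),
    rec(20, "Success", "hr.alice@contoso.example", "alice@contoso.example", "Workday to AAD"),
    rec(10, "Success", "hr.alice@contoso.example", "alice@contoso.example", "Workday to AAD"),
    rec(2, "Success", "hr.alice@contoso.example", "alice@contoso.example", "Workday to AAD"),
    # Brand-new SCIM mapping, three successes in 30d, no baseline history -> reported.
    rec(12, "Success", "svc.scim@vendor.example", "bob@contoso.example", "Vendor SCIM"),
    rec(8, "Success", "svc.scim@vendor.example", "bob@contoso.example", "Vendor SCIM"),
    rec(1, "Success", "svc.scim@vendor.example", "bob@contoso.example", "Vendor SCIM"),
    # New mapping seen only twice -> below the Events >= 3 threshold, not reported.
    rec(5, "Success", "hr.carol@contoso.example", "carol@contoso.example", "Workday to AAD"),
    rec(3, "Success", "hr.carol@contoso.example", "carol@contoso.example", "Workday to AAD"),
    # Only a failure in the baseline window: Historical ignores ResultType, so this still
    # counts as prior history and the recent successes are suppressed.
    rec(45, "Failure", "hr.dave@contoso.example", "dave@contoso.example", "Workday to AAD"),
    rec(9, "Success", "hr.dave@contoso.example", "dave@contoso.example", "Workday to AAD"),
    rec(6, "Success", "hr.dave@contoso.example", "dave@contoso.example", "Workday to AAD"),
    rec(4, "Success", "hr.dave@contoso.example", "dave@contoso.example", "Workday to AAD"),
    # Older than 90d: outside both windows, ignored entirely (bob's mapping stays "new").
    rec(120, "Success", "svc.scim@vendor.example", "bob@contoso.example", "Vendor SCIM"),
]


def upn(field):
    """Equivalent of tostring(parse_json(x).userPrincipalName)."""
    return json.loads(field).get("userPrincipalName", "")


def first_seen_mappings(logs, now=NOW, recent_days=30, baseline_days=90, min_events=3):
    """Return Source->Target mappings with >= min_events successes in the recent window
    and no occurrence (of any result) in the baseline window, sorted by Events desc."""
    recent_start = now - timedelta(days=recent_days)        # ago(30d)
    baseline_start = now - timedelta(days=baseline_days)    # ago(90d)
    recent = defaultdict(lambda: {"Events": 0, "FirstSeen": None})
    historical = set()
    for r in logs:
        ts = r["TimeGenerated"]
        src, tgt = upn(r["SourceIdentity"]), upn(r["TargetIdentity"])
        if ts > recent_start:
            # Recent: successes only (ResultType =~ "Success"), keyed by source, target, SP.
            if r["ResultType"].lower() != "success":
                continue
            sp = json.loads(r["ServicePrincipal"]).get("Name", "")
            entry = recent[(src, tgt, sp)]
            entry["Events"] += 1
            entry["FirstSeen"] = ts if entry["FirstSeen"] is None else min(entry["FirstSeen"], ts)
        elif baseline_start <= ts <= recent_start:
            # Historical: between(ago(90d) .. ago(30d)), distinct pairs, no result filter.
            historical.add((src, tgt))
    rows = [
        {"SourceUpn": s, "TargetUpn": t, "SPName": sp, "Events": e["Events"], "FirstSeen": e["FirstSeen"]}
        for (s, t, sp), e in recent.items()
        if e["Events"] >= min_events and (s, t) not in historical   # join kind=leftanti
    ]
    return sorted(rows, key=lambda row: row["Events"], reverse=True)


if __name__ == "__main__":
    for row in first_seen_mappings(SAMPLE_LOGS):
        print(row)
```

Running it reports only the svc.scim -> bob mapping. Lowering `min_events` to 2 surfaces the carol pair as well, which is the knob to turn when a single provisioning cycle should be enough to raise a hit; the dave pair stays hidden in both cases because of the failure in the baseline window, so if prior failures should not count as history, the baseline side of the query needs its own ResultType filter.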

Details


David Alonso

Released: June 1, 2026

Tables

AADProvisioningLogs

Keywords

Azure Active Directory, Provisioning Logs, SourceIdentity, TargetIdentity, ServicePrincipal, TimeGenerated, Events, FirstSeen

Operators

let, where, >, ago, =~, extend, tostring, parse_json, summarize, count(), min(), by, >=, between, .., distinct, join, kind=leftanti, on, order by, desc
