HUNT-02 First-seen Source-to-Target Mappings (30d vs 90d)
HUNT 02 AAD Prov First Seen Mappings 30v90d
Query
let Recent =
AADProvisioningLogs
| where TimeGenerated > ago(30d)
| where ResultType =~ "Success"
| extend SourceUpn = tostring(parse_json(SourceIdentity).userPrincipalName),
TargetUpn = tostring(parse_json(TargetIdentity).userPrincipalName),
SPName = tostring(parse_json(ServicePrincipal).Name)
| summarize Events = count(), FirstSeen = min(TimeGenerated) by SourceUpn, TargetUpn, SPName
| where Events >= 3;
let Historical =
AADProvisioningLogs
| where TimeGenerated between (ago(90d) .. ago(30d))
| extend SourceUpn = tostring(parse_json(SourceIdentity).userPrincipalName),
TargetUpn = tostring(parse_json(TargetIdentity).userPrincipalName)
| distinct SourceUpn, TargetUpn;
Recent
| join kind=leftanti (Historical) on SourceUpn, TargetUpn
| order by Events descExplanation
This query is designed to identify new identity mappings in Azure Active Directory provisioning logs. Here's a simple breakdown:
-
Purpose: The query aims to find new SourceIdentity to TargetIdentity mappings that have appeared in the last 30 days but did not exist in the 60 days before that. This can help detect new HR feeds, SCIM integrations, or potentially malicious mappings introduced by attackers.
-
Severity: The issue is considered to have a medium severity level.
-
Data Source: It uses data from Azure Active Directory, specifically focusing on provisioning logs.
-
Tactics and Techniques: The query is related to the "Persistence" tactic and the "Create Account" technique (T1136).
-
Query Details:
-
Recent Mappings: It first identifies successful provisioning events in the last 30 days, extracting the user principal names (UPNs) of the source and target identities, as well as the service principal name. It counts the number of events and notes the first time each mapping was seen, filtering for mappings that have occurred at least three times.
-
Historical Mappings: It then looks at the provisioning logs from 30 to 90 days ago to find distinct source-to-target identity pairs that existed during that period.
-
-
Comparison: The query compares the recent mappings with the historical ones to find new mappings that have appeared in the last 30 days but were not present in the previous 60 days.
-
Output: The results are sorted by the number of events in descending order, highlighting the most frequently occurring new mappings.
In summary, this query helps identify new and potentially suspicious identity mappings in Azure Active Directory by comparing recent activity with historical data.
Details

David Alonso
Released: June 1, 2026
Tables
Keywords
Operators
Severity
MediumTactics
MITRE Techniques