Query Details

HUNT 03 AAD Prov Sync Signin Outside IP 14d

Query

id: aa1f0003-2003-4203-9203-aadprov-hunt03
name: HUNT-03 Sync Account Sign-ins Outside Entra Connect IP (14d)
description: |
  14-day history of successful Entra Connect sync account sign-ins that did
  not originate from the allowlisted public IPs in the
  EntraConnect_HighValueAssets watchlist (entries tagged EntraIDConnect).
  Includes both interactive (SigninLogs) and non-interactive
  (AADNonInteractiveUserSignInLogs) sign-ins; most legitimate sync traffic
  lives in the latter.
severity: High
requiredDataConnectors:
  - connectorId: AzureActiveDirectory
    dataTypes:
      - SigninLogs
      - AADNonInteractiveUserSignInLogs
tactics:
  - InitialAccess
relevantTechniques:
  - T1078.004
query: |
  let AllowedIPs =
      _GetWatchlist('EntraConnect_HighValueAssets')
      | where tostring(Tags) has "EntraIDConnect"
      | project IPAddress = tostring(IPAddress);
  union isfuzzy=true
    (SigninLogs                      | where TimeGenerated > ago(14d)),
    (AADNonInteractiveUserSignInLogs | where TimeGenerated > ago(14d))
  | where ResultType == 0
  | where UserPrincipalName startswith "Sync_"
       or UserPrincipalName contains "DirSync"
       or UserDisplayName has "On-Premises Directory Synchronization Service Account"
  | where IPAddress !in (AllowedIPs)
  | summarize
      SigninCount = count(),
      Apps        = make_set(AppDisplayName, 10),
      Locations   = make_set(Location, 5),
      Days        = dcount(startofday(TimeGenerated)),
      FirstSeen   = min(TimeGenerated),
      LastSeen    = max(TimeGenerated)
    by UserPrincipalName, IPAddress
  | order by SigninCount desc

Explanation

This query is designed to identify suspicious sign-in activity by Entra Connect sync accounts over the past 14 days. Here's a simplified breakdown:

  1. Purpose: The query checks for successful sign-ins by Entra Connect sync accounts that do not originate from approved IP addresses. These accounts exist only for directory synchronization, so they should only ever authenticate from the Entra Connect server's egress IPs.

  2. Data Sources: It uses two types of logs:

    • SigninLogs: For interactive sign-ins.
    • AADNonInteractiveUserSignInLogs: For non-interactive sign-ins, which is where most legitimate sync traffic occurs.

  3. Allowed IPs: It references a watchlist named 'EntraConnect_HighValueAssets' and keeps the IPAddress of every entry whose Tags column contains the term "EntraIDConnect". If the watchlist is empty or the tag is spelled differently, the allowlist is empty and every successful sync sign-in is returned, so verify the watchlist before acting on a large result set.

  4. Filtering Criteria:

    • Only considers sign-ins from the last 14 days.
    • Looks for successful sign-ins (ResultType == 0); failed attempts are intentionally excluded, since this hunt is about credential use that worked.
    • Targets accounts whose UPN starts with "Sync_" or contains "DirSync", or whose display name is "On-Premises Directory Synchronization Service Account".
    • Excludes sign-ins from the allowed IP addresses.

  5. Output:

    • Counts the number of sign-ins per account and IP address.
    • Lists up to 10 different applications accessed and up to 5 locations from which sign-ins originated.
    • Tracks the number of distinct days with sign-ins, and records the first and last time a sign-in was detected.

  6. Severity and Tactics:

    • The severity is marked as High.
    • It maps to the Initial Access tactic and technique T1078.004 (Valid Accounts: Cloud Accounts), i.e. an adversary authenticating with legitimate cloud credentials.

A sync account that authenticates successfully from an address the Entra Connect server does not use means its credentials are being used somewhere other than the server they belong to. Because the sync account holds the Directory Synchronization Accounts role, which allows it to write user attributes and, with password hash synchronization, credentials, such a finding should be treated as a likely compromise of the account or of the Connect server rather than as noise. Legitimate causes to rule out first are a changed egress address (NAT, proxy or ISP change) or a newly built staging server that has not yet been added to the watchlist.
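To check the filter logic without touching production tables, the following KQL harness (an added example, not part of the original hunt) replaces SigninLogs, AADNonInteractiveUserSignInLogs and the watchlist with datatable stand-ins and applies the same predicates. All rows, IPs, account names and application names are constructed sample data, and RefTime is an assumed fixed reference point standing in for now() so the result is reproducible. It also adds one refinement the page's query lacks: a flag that reports when the allowlist resolved to zero entries.

```kql
// Added test harness, not part of the original hunt. Stand-in tables replace
// SigninLogs, AADNonInteractiveUserSignInLogs and the watchlist so the filter
// logic can be run in any Kusto query window. All rows are constructed sample data.
let RefTime  = datetime(2026-06-01 00:00:00);   // assumed fixed "now" for reproducibility
let Lookback = 14d;
// Constructed sign-in rows. ResultType is a string column in both real tables.
let SampleSignins = datatable(
    TimeGenerated:datetime, UserPrincipalName:string, UserDisplayName:string,
    IPAddress:string, ResultType:string, AppDisplayName:string, Location:string)
[
    // legitimate: sync account from the allowlisted Connect server IP
    datetime(2026-05-31 01:00:00), "Sync_AADC01_1a2b3c4d@contoso.onmicrosoft.com", "On-Premises Directory Synchronization Service Account", "203.0.113.10", "0",     "Sync App (constructed)", "US",
    // suspicious: same account, successful, from an IP not on the allowlist
    datetime(2026-05-30 02:15:00), "Sync_AADC01_1a2b3c4d@contoso.onmicrosoft.com", "On-Premises Directory Synchronization Service Account", "198.51.100.7",  "0",     "Azure Portal",           "DE",
    // same IP but failed sign-in: excluded by the success filter
    datetime(2026-05-30 02:10:00), "Sync_AADC01_1a2b3c4d@contoso.onmicrosoft.com", "On-Premises Directory Synchronization Service Account", "198.51.100.7",  "50126", "Azure Portal",           "DE",
    // older than the 14-day window: excluded
    datetime(2026-05-01 09:00:00), "Sync_AADC01_1a2b3c4d@contoso.onmicrosoft.com", "On-Premises Directory Synchronization Service Account", "198.51.100.9",  "0",     "Azure Portal",           "FR",
    // not a sync account: excluded by the name filter
    datetime(2026-05-30 03:00:00), "alice@contoso.com", "Alice Example", "198.51.100.7", "0", "Office 365 Exchange Online", "DE"
];
// Constructed stand-in for _GetWatchlist('EntraConnect_HighValueAssets')
let Watchlist = datatable(IPAddress:string, Tags:string)
[
    "203.0.113.10", "EntraIDConnect,HighValue",
    "203.0.113.11", "VPN"            // different tag: must not be treated as allowed
];
let AllowedIPs =
    Watchlist
    | where tostring(Tags) has "EntraIDConnect"
    | project IPAddress = tostring(IPAddress);
// Guard: an empty or mis-tagged allowlist makes "!in" match every sync sign-in,
// so the result carries a flag instead of silently flooding the hunt.
let AllowlistSize = toscalar(AllowedIPs | count);
SampleSignins
| where TimeGenerated > RefTime - Lookback      // production query uses ago(14d)
| where ResultType == "0"
| where UserPrincipalName startswith "Sync_"
     or UserPrincipalName contains "DirSync"
     or UserDisplayName has "On-Premises Directory Synchronization Service Account"
| where IPAddress !in (AllowedIPs)
| summarize
    SigninCount = count(),
    Apps        = make_set(AppDisplayName, 10),
    Locations   = make_set(Location, 5),
    Days        = dcount(startofday(TimeGenerated)),
    FirstSeen   = min(TimeGenerated),
    LastSeen    = max(TimeGenerated)
  by UserPrincipalName, IPAddress
| extend AllowlistEmpty = AllowlistSize == 0
| order by SigninCount desc
```

Of the five constructed rows only the successful sign-in from 198.51.100.7 survives: the allowlisted IP, the failed attempt, the row outside the window and the non-sync user are each dropped by a different predicate, so the harness exercises every filter. To test the empty-allowlist guard, change the watchlist tag to something other than EntraIDConnect and confirm that the allowlisted row reappears with AllowlistEmpty set to true.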

Details


David Alonso

Released: June 1, 2026

Tables

SigninLogs, AADNonInteractiveUserSignInLogs

Keywords

EntraConnector, Signins, IP, HighValueAssets, EntraIDConnect, SigninLogs, AADNonInteractiveUserSignInLogs, AzureActiveDirectory, InitialAccess, Sync, UserPrincipalName, UserDisplayName, OnPremisesDirectorySynchronizationServiceAccount, IPAddress, Apps, Locations, Days, FirstSeen, LastSeen

Operators

let, _GetWatchlist, where, tostring, has, project, union, isfuzzy, ago, startswith, contains, summarize, count, make_set, dcount, startofday, min, max, by, order, desc