HUNT-03 Sync Account Sign-ins Outside Entra Connect IP (14d)
HUNT 03 AAD Prov Sync Signin Outside IP 14d
Query
let AllowedIPs =
_GetWatchlist('EntraConnect_HighValueAssets')
| where tostring(Tags) has "EntraIDConnect"
| project IPAddress = tostring(IPAddress);
union isfuzzy=true
(SigninLogs | where TimeGenerated > ago(14d)),
(AADNonInteractiveUserSignInLogs | where TimeGenerated > ago(14d))
| where ResultType == 0
| where UserPrincipalName startswith "Sync_"
or UserPrincipalName contains "DirSync"
or UserDisplayName has "On-Premises Directory Synchronization Service Account"
| where IPAddress !in (AllowedIPs)
| summarize
SigninCount = count(),
Apps = make_set(AppDisplayName, 10),
Locations = make_set(Location, 5),
Days = dcount(startofday(TimeGenerated)),
FirstSeen = min(TimeGenerated),
LastSeen = max(TimeGenerated)
by UserPrincipalName, IPAddress
| order by SigninCount descExplanation
This query is designed to identify suspicious sign-in activities related to Entra Connector accounts over the past 14 days. Here's a simplified breakdown:
-
Purpose: The query checks for sign-ins from Entra Connector accounts that are not coming from approved IP addresses. These accounts are typically used for directory synchronization.
-
Data Sources: It uses two types of logs:
- SigninLogs: For interactive sign-ins.
- AADNonInteractiveUserSignInLogs: For non-interactive sign-ins, which is where most legitimate sync traffic occurs.
-
Allowed IPs: It references a watchlist named 'EntraConnect_HighValueAssets' to get a list of approved IP addresses tagged with "EntraIDConnect".
-
Filtering Criteria:
- Only considers sign-ins from the last 14 days.
- Looks for successful sign-ins (ResultType == 0).
- Targets accounts with names starting with "Sync_", containing "DirSync", or having a display name related to directory synchronization.
- Excludes sign-ins from the allowed IP addresses.
-
Output:
- Counts the number of sign-ins per account and IP address.
- Lists up to 10 different applications accessed and up to 5 locations from which sign-ins originated.
- Tracks the number of days with sign-ins, and records the first and last time a sign-in was detected.
-
Severity and Tactics:
- The severity is marked as high, indicating a significant security concern.
- It relates to the "Initial Access" tactic and technique T1078.004, which involves compromised accounts.
The query ultimately helps identify potentially unauthorized access attempts by sync accounts from unexpected locations, which could indicate a security breach.
Details

David Alonso
Released: June 1, 2026
Tables
Keywords
Operators
Severity
HighTactics
MITRE Techniques