Query Details

HUNT 04 AAD Prov Sync Account Activities 30d

Query

id: aa1f0004-2004-4204-9204-aadprov-hunt04
name: HUNT-04 Entra Connector Activities Enriched with IdentityInfo (30d)
description: |
  30-day audit-log activities performed by the Entra Connector account,
  enriched with role assignment data from IdentityInfo. Surfaces takeover
  attempts (`Update user`, `Reset password`, group-membership writes) targeted
  at sensitive role members, which is the classic sync-account abuse pattern.
severity: Medium
requiredDataConnectors:
  - connectorId: AzureActiveDirectory
    dataTypes:
      - AuditLogs
tactics:
  - Persistence
  - PrivilegeEscalation
relevantTechniques:
  - T1098
query: |
  let SyncAccounts =
      IdentityInfo
      | where TimeGenerated > ago(14d)
      | summarize arg_max(TimeGenerated, *) by AccountUPN
      | where AssignedRoles has_any (
            "Directory Synchronization Accounts",
            "On Premises Directory Sync Account"
        )
        or AccountUPN startswith "Sync_"
      | project SyncUpn = AccountUPN, SyncObjectId = AccountObjectId;
  let PrivilegedUsers =
      IdentityInfo
      | where TimeGenerated > ago(14d)
      | summarize arg_max(TimeGenerated, *) by AccountUPN
      | where array_length(AssignedRoles) > 0   // AssignedRoles is a dynamic array, not a string
      | project AccountUPN, AssignedRoles;
  AuditLogs
  | where TimeGenerated > ago(30d)
  | extend Initiator = tostring(InitiatedBy.user.userPrincipalName)
  | where Initiator in~ (SyncAccounts | project SyncUpn)
  | mv-expand TargetResources
  | extend TargetUpn = tostring(TargetResources.userPrincipalName)
  | join kind=leftouter (PrivilegedUsers) on $left.TargetUpn == $right.AccountUPN
  | extend TargetIsPrivileged = isnotempty(AssignedRoles)
  | project TimeGenerated, Initiator, OperationName, Category, TargetUpn,
            TargetIsPrivileged, AssignedRoles, Result,
            ModifiedProperties = tostring(TargetResources.modifiedProperties)
  | where TargetIsPrivileged
       or OperationName has_any ("Reset password","Update user","Add member","Set Password")
  | order by TargetIsPrivileged desc, TimeGenerated desc

Explanation

This query is designed to monitor and analyze activities performed by Entra Connector accounts over the past 30 days, focusing on potential security threats. Here's a simplified breakdown:

  1. Purpose: The query aims to detect suspicious activities, such as account takeovers, by examining audit logs for actions like updating users, resetting passwords, and modifying group memberships. These actions are often associated with abuse of synchronization accounts.

  2. Data Sources: It uses data from Azure Active Directory's audit logs (AuditLogs) and identity information (IdentityInfo) to enrich the analysis with role assignments.

  3. Key Components:

    • SyncAccounts: Identifies synchronization accounts by checking for the "Directory Synchronization Accounts" or "On Premises Directory Sync Account" roles, or for account names starting with "Sync_".
    • PrivilegedUsers: Identifies users with at least one assigned role, indicating they have elevated privileges.

  4. Process:

    • The query looks at audit logs from the last 30 days.
    • It checks whether the actions were initiated by synchronization accounts (a case-insensitive `in~` match on the initiator UPN).
    • It expands the target resources so that each action's target is analyzed separately.
    • It joins this data with the privileged user information to determine whether the target has elevated roles (note that this join compares UPNs case-sensitively, unlike the initiator match).
    • It filters the results to highlight actions targeting privileged accounts or involving sensitive operations like password resets, user updates, or group-membership additions.

  5. Output: The results are sorted to prioritize actions involving privileged accounts, providing details like the time of the action, the initiator, the operation performed, the modified properties, and whether the target account is privileged.

Overall, this query helps identify potential security risks by highlighting unusual or unauthorized activities targeting sensitive accounts.
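To check the hunt's logic offline, the following Python model reproduces the query's steps (arg_max per UPN, sync-account and privileged-user sets, initiator match, target expansion, left-outer join, filter and sort) over a few constructed IdentityInfo and AuditLogs rows. This is an added example, not code from the page or from the query's author; the tenant, UPNs, timestamps and events are all made up.

```python
from datetime import datetime, timedelta, timezone

SYNC_ROLES = {"Directory Synchronization Accounts", "On Premises Directory Sync Account"}
SENSITIVE_OPS = {"reset password", "update user", "add member", "set password"}  # has_any list, lower-cased
def T(d, h=0): return datetime(2026, 5, d, h, tzinfo=timezone.utc)  # constructed timestamps
NOW = T(31, 23)  # constructed "query time" that ago() is measured from
IDENTITY_INFO = [  # constructed IdentityInfo snapshots; two rows for the admin, arg_max keeps the newer
    {"AccountUPN": "Sync_SRV01_1a2b@corp.example", "TimeGenerated": T(30), "AssignedRoles": ["Directory Synchronization Accounts"]},
    {"AccountUPN": "ga.admin@corp.example", "TimeGenerated": T(20), "AssignedRoles": []},
    {"AccountUPN": "ga.admin@corp.example", "TimeGenerated": T(30), "AssignedRoles": ["Global Administrator"]},
    {"AccountUPN": "jdoe@corp.example", "TimeGenerated": T(30), "AssignedRoles": []},
]
def ev(hour, op, initiator, target):  # builds one constructed AuditLogs row
    return {"TimeGenerated": T(31, hour), "OperationName": op, "InitiatedBy": {"user": {"userPrincipalName": initiator}},
            "TargetResources": [{"userPrincipalName": target}]}
SYNC = "sync_srv01_1a2b@corp.example"  # lower-case on purpose: the query matches initiators with in~
AUDIT_LOGS = [
    ev(9, "Update user", SYNC, "ga.admin@corp.example"),                        # hit: privileged target
    ev(10, "Reset password", SYNC, "jdoe@corp.example"),                        # hit: sensitive operation
    ev(11, "Update device", SYNC, "jdoe@corp.example"),                         # no hit: routine sync write
    ev(12, "Reset password", "helpdesk@corp.example", "ga.admin@corp.example"),  # no hit: not a sync account
]

def hunt(identity_info, audit_logs, now=NOW):
    """Return the rows the HUNT-04 query would emit, sorted like its `order by`."""
    ident = {}  # summarize arg_max(TimeGenerated, *) by AccountUPN over the last 14 days
    for r in identity_info:
        if r["TimeGenerated"] > now - timedelta(days=14):
            upn = r["AccountUPN"].lower()
            if upn not in ident or r["TimeGenerated"] > ident[upn]["TimeGenerated"]:
                ident[upn] = r
    sync = {u for u, r in ident.items() if SYNC_ROLES & set(r["AssignedRoles"]) or u.startswith("sync_")}
    privileged = {r["AccountUPN"]: r["AssignedRoles"] for r in ident.values() if r["AssignedRoles"]}
    hits = []
    for e in audit_logs:
        if e["TimeGenerated"] <= now - timedelta(days=30):
            continue
        initiator = e["InitiatedBy"].get("user", {}).get("userPrincipalName", "")
        if initiator.lower() not in sync:  # Initiator in~ (SyncAccounts)
            continue
        for target in e["TargetResources"]:  # mv-expand TargetResources
            upn = target.get("userPrincipalName", "")
            roles = privileged.get(upn, [])  # leftouter join, case-sensitive like the query's == on UPN
            if roles or e["OperationName"].lower() in SENSITIVE_OPS:
                hits.append({"TimeGenerated": e["TimeGenerated"], "Initiator": initiator, "OperationName": e["OperationName"],
                             "TargetUpn": upn, "TargetIsPrivileged": bool(roles), "AssignedRoles": roles})
    return sorted(hits, key=lambda h: (h["TargetIsPrivileged"], h["TimeGenerated"]), reverse=True)
```

Running `hunt(IDENTITY_INFO, AUDIT_LOGS)` yields two rows, the privileged-target `Update user` first, which is what the KQL returns for the same data.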

Details


David Alonso

Released: June 1, 2026

Tables

IdentityInfo, AuditLogs

Keywords

EntraConnector, IdentityInfo, AuditLogs, SyncAccounts, PrivilegedUsers, AzureActiveDirectory

Operators

let, where, ago, summarize, arg_max, has_any, startswith, project, isnotempty, extend, tostring, in~, mv-expand, join, on, order by
