HUNT-04 Entra Connector Activities Enriched with IdentityInfo (30d)
HUNT 04 AAD Prov Sync Account Activities 30d
Query
let SyncAccounts =
IdentityInfo
| where TimeGenerated > ago(14d)
| summarize arg_max(TimeGenerated, *) by AccountUPN
| where AssignedRoles has_any (
"Directory Synchronization Accounts",
"On Premises Directory Sync Account"
)
or AccountUPN startswith "Sync_"
| project SyncUpn = AccountUPN, SyncObjectId = AccountObjectId;
let PrivilegedUsers =
IdentityInfo
| where TimeGenerated > ago(14d)
| summarize arg_max(TimeGenerated, *) by AccountUPN
| where isnotempty(AssignedRoles) and AssignedRoles != "[]"
| project AccountUPN, AssignedRoles;
AuditLogs
| where TimeGenerated > ago(30d)
| extend Initiator = tostring(InitiatedBy.user.userPrincipalName)
| where Initiator in~ (SyncAccounts | project SyncUpn)
| mv-expand TargetResources
| extend TargetUpn = tostring(TargetResources.userPrincipalName)
| join kind=leftouter (PrivilegedUsers) on $left.TargetUpn == $right.AccountUPN
| extend TargetIsPrivileged = isnotempty(AssignedRoles)
| project TimeGenerated, Initiator, OperationName, Category, TargetUpn,
TargetIsPrivileged, AssignedRoles, Result,
ModifiedProperties = tostring(TargetResources.modifiedProperties)
| where TargetIsPrivileged
or OperationName has_any ("Reset password","Update user","Add member","Set Password")
| order by TargetIsPrivileged desc, TimeGenerated descExplanation
This query is designed to monitor and analyze activities performed by Entra Connector accounts over the past 30 days, focusing on potential security threats. Here's a simplified breakdown:
-
Purpose: The query aims to detect suspicious activities, such as account takeovers, by examining audit logs for actions like updating users, resetting passwords, and modifying group memberships. These actions are often associated with abuse of synchronization accounts.
-
Data Sources: It uses data from Azure Active Directory's audit logs and identity information to enrich the analysis with role assignments.
-
Key Components:
- SyncAccounts: Identifies synchronization accounts by checking for specific roles or account names starting with "Sync_".
- PrivilegedUsers: Identifies users with assigned roles, indicating they have elevated privileges.
-
Process:
- The query looks at audit logs from the last 30 days.
- It checks if the actions were initiated by synchronization accounts.
- It expands the target resources to analyze each action's target.
- It joins this data with privileged user information to determine if the target has elevated roles.
- It filters the results to highlight actions targeting privileged accounts or involving sensitive operations like password resets or user updates.
-
Output: The results are sorted to prioritize actions involving privileged accounts, providing details like the time of the action, the initiator, the operation performed, and whether the target account is privileged.
Overall, this query helps identify potential security risks by highlighting unusual or unauthorized activities targeting sensitive accounts.
Details

David Alonso
Released: June 1, 2026
Tables
Keywords
Operators
Severity
MediumTactics
MITRE Techniques