Query Details

HUNT 05 AAD Prov Bulk Attribute Change 30d

Query

id: aa1f0005-2005-4205-9205-aadprov-hunt05
name: HUNT-05 Bulk Attribute Changes by Single CycleId (30d)
description: |
  30-day hunt for provisioning cycles that performed unusually high attribute
  churn (touched many distinct properties across many targets in a single
  CycleId). High-churn cycles outside of expected initial-sync windows are
  worth investigating as bulk attribute manipulation.
severity: Medium
requiredDataConnectors:
  - connectorId: AzureActiveDirectory
    dataTypes:
      - AADProvisioningLogs
tactics:
  - Persistence
  - DefenseEvasion
relevantTechniques:
  - T1098
  - T1556
query: |
  AADProvisioningLogs
  | where TimeGenerated > ago(30d)
  // Only writes that actually landed; failed or skipped operations changed nothing
  | where ResultType =~ "Success"
  | extend SPName = tostring(parse_json(ServicePrincipal).Name)
  // Key distinct targets on the identity's Id rather than the whole dynamic object
  | extend TargetId = tostring(parse_json(TargetIdentity).Id)
  // One row per modified property so properties can be counted per cycle
  | mv-expand Mod = todynamic(ModifiedProperties)
  | extend PropName = tostring(Mod.displayName)
  | where isnotempty(PropName)
  | summarize
      DistinctProps   = dcount(PropName),
      DistinctTargets = dcount(TargetId),
      Props           = make_set(PropName, 30),
      EventCount      = count(),   // counts expanded property rows, not raw log records
      FirstSeen       = min(TimeGenerated),
      LastSeen        = max(TimeGenerated)
    by CycleId, JobId, SPName
  // Tuning thresholds: raise for large HR-driven tenants, lower for small ones
  | where DistinctProps >= 5 and DistinctTargets >= 20
  | extend AttributeChurnIntensity = DistinctProps * DistinctTargets
  | order by AttributeChurnIntensity desc

Explanation

This query hunts Azure Active Directory (Microsoft Entra ID) provisioning logs over the past 30 days for provisioning cycles that changed many distinct attributes across many target identities within a single CycleId. A routine delta cycle normally touches a handful of attributes on the users whose source records changed; a cycle that rewrites many attributes across a large population, outside an expected initial-sync window, is a candidate for bulk attribute manipulation (for example, a changed attribute mapping or altered source data feeding the provisioning job).

Here's a simplified breakdown of the query:

  1. Data Source: It uses logs from Azure Active Directory, specifically the AADProvisioningLogs table.

  2. Time Frame: It examines logs from the last 30 days (TimeGenerated > ago(30d)).

  3. Filter: It only considers successful provisioning events (ResultType =~ "Success"); failed or skipped writes did not change any attribute.

  4. Data Processing:

    • It extracts the display name of the service principal (the provisioning app) from the ServicePrincipal column.
    • It expands the ModifiedProperties array with mv-expand, so each modified property becomes its own row, and keeps the property's displayName.
    • Rows without a property name are dropped.

  5. Analysis:

    • It summarizes the expanded rows by CycleId, JobId, and service principal name, counting distinct properties, distinct targets, and rows, and recording the first and last timestamps plus a sample of up to 30 property names.
    • Because summarize runs after mv-expand, EventCount is the number of property changes, not the number of raw log records.
    • It calculates the "Attribute Churn Intensity" by multiplying the number of distinct properties by the number of distinct targets.

  6. Criteria for Suspicion:

    • It flags cycles where at least 5 different properties were changed across at least 20 different targets. Both numbers are tuning thresholds: the initial sync of a newly connected app or a planned attribute-mapping change will exceed them legitimately, so compare the flagged CycleId against the job's earlier cycles and against approved changes before escalating.

  7. Output: The results are ordered by the calculated "Attribute Churn Intensity" in descending order, highlighting the cycles with the most extensive changes.

The query supports a hunt for persistence and defense-evasion activity, mapped to MITRE ATT&CK techniques T1098 (Account Manipulation) and T1556 (Modify Authentication Process).
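The same grouping and threshold logic, re-implemented in Python over constructed AADProvisioningLogs-like rows so the filters, the mv-expand step and the AttributeChurnIntensity value can be checked offline. This is an added example, not code from the page or from the query's author; the column names follow the table, while the service principal, job, cycle and user values are constructed for illustration.

```python
"""HUNT-05 logic re-implemented over constructed AADProvisioningLogs-like rows.

Column names match the table; every row value below is constructed sample data.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

NOW = datetime(2026, 6, 1, tzinfo=timezone.utc)  # constructed "query time"


def make_event(ts, cycle_id, job_id, sp_name, target_id, props, result="Success"):
    """One constructed row carrying only the columns the KQL query touches."""
    return {
        "TimeGenerated": ts,
        "ResultType": result,
        "ServicePrincipal": json.dumps({"Id": f"sp-{sp_name}", "Name": sp_name}),
        "TargetIdentity": json.dumps({"Id": target_id, "Type": "User"}),
        "CycleId": cycle_id,
        "JobId": job_id,
        # ModifiedProperties entries carry displayName / oldValue / newValue
        "ModifiedProperties": json.dumps(
            [{"displayName": p, "oldValue": None, "newValue": "new"} for p in props]
        ),
    }


def build_sample_logs():
    """Constructed sample: a small delta cycle, a bulk-churn cycle, and noise."""
    sp, job = "Workday2AAD", "job-hr-sync"
    bulk_props = ["mail", "displayName", "manager", "mobile", "department", "jobTitle"]
    events = []
    for i in range(3):   # benign delta: 3 users, 2 attributes each
        events.append(make_event(NOW - timedelta(days=2), "cycle-benign", job, sp,
                                 f"user-{i}", ["jobTitle", "department"]))
    # an entry with an empty displayName is dropped by the isnotempty() filter
    events.append(make_event(NOW - timedelta(days=2), "cycle-benign", job, sp,
                             "user-0", ["", "jobTitle"]))
    for i in range(25):  # bulk churn: 25 users, 6 attributes each
        events.append(make_event(NOW - timedelta(days=1), "cycle-bulk", job, sp,
                                 f"user-{i}", bulk_props))
    # failed write in the same cycle: excluded by ResultType =~ "Success"
    events.append(make_event(NOW - timedelta(days=1), "cycle-bulk", job, sp,
                             "user-99", bulk_props, result="Failure"))
    for i in range(30):  # same pattern 45 days ago: outside ago(30d)
        events.append(make_event(NOW - timedelta(days=45), "cycle-old", job, sp,
                                 f"user-{i}", bulk_props))
    return events


def hunt_bulk_attribute_changes(events, now=NOW, lookback_days=30,
                                min_props=5, min_targets=20, max_set=30):
    """Mirror of the KQL pipeline: filter, mv-expand, summarize, threshold, order."""
    cutoff = now - timedelta(days=lookback_days)
    groups = defaultdict(lambda: {"props": set(), "targets": set(),
                                  "count": 0, "first": None, "last": None})
    for ev in events:
        if ev["TimeGenerated"] <= cutoff:                # TimeGenerated > ago(30d)
            continue
        if ev["ResultType"].lower() != "success":        # =~ is case-insensitive
            continue
        sp_name = json.loads(ev["ServicePrincipal"]).get("Name", "")
        target_id = json.loads(ev["TargetIdentity"]).get("Id", "")
        mods = ev["ModifiedProperties"]
        if isinstance(mods, str):                        # todynamic()
            mods = json.loads(mods)
        key = (ev["CycleId"], ev["JobId"], sp_name)
        for mod in mods or []:                           # mv-expand
            prop = str(mod.get("displayName") or "")
            if not prop:                                 # isnotempty(PropName)
                continue
            g = groups[key]
            g["props"].add(prop)
            g["targets"].add(target_id)
            g["count"] += 1                              # count() is per expanded row
            ts = ev["TimeGenerated"]
            g["first"] = ts if g["first"] is None else min(g["first"], ts)
            g["last"] = ts if g["last"] is None else max(g["last"], ts)
    results = []
    for (cycle_id, job_id, sp_name), g in groups.items():
        dp, dt = len(g["props"]), len(g["targets"])
        if dp < min_props or dt < min_targets:           # suspicion thresholds
            continue
        results.append({
            "CycleId": cycle_id, "JobId": job_id, "SPName": sp_name,
            "DistinctProps": dp, "DistinctTargets": dt,
            "Props": sorted(g["props"])[:max_set],       # make_set(PropName, 30)
            "EventCount": g["count"],
            "FirstSeen": g["first"], "LastSeen": g["last"],
            "AttributeChurnIntensity": dp * dt,
        })
    results.sort(key=lambda r: r["AttributeChurnIntensity"], reverse=True)
    return results


if __name__ == "__main__":
    for row in hunt_bulk_attribute_changes(build_sample_logs()):
        print(row["CycleId"], row["DistinctProps"], row["DistinctTargets"],
              row["EventCount"], row["AttributeChurnIntensity"])
```

With the default thresholds only the constructed cycle-bulk cycle survives (6 properties across 25 targets, 150 expanded property rows, intensity 150); the failed write and the out-of-window cycle are excluded, and lowering the thresholds to 1/1 shows where the benign delta cycle would sit (intensity 6).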

Details


David Alonso

Released: June 1, 2026

Tables

AADProvisioningLogs

Keywords

AzureActiveDirectory, AADProvisioningLogs, ServicePrincipal, ModifiedProperties, CycleId, JobId, TargetIdentity, TimeGenerated

Operators

where, extend, mv-expand, summarize, dcount, make_set, count, min, max, order by, parse_json, tostring, todynamic, isnotempty, ago, =~
