HUNT-10 Rare ProvisioningAction / TargetSystem / ResultSignature (30d)
HUNT 10 AAD Prov Rare Operations 30d
Query
let TotalEvents = toscalar(
AADProvisioningLogs
| where TimeGenerated > ago(30d)
| count
);
AADProvisioningLogs
| where TimeGenerated > ago(30d)
| extend TgtSystem = tostring(parse_json(TargetSystem).DisplayName),
SPName = tostring(parse_json(ServicePrincipal).Name)
| summarize Events = count() by ProvisioningAction, TgtSystem, ResultSignature, OperationName, SPName
| extend Share = round(100.0 * Events / TotalEvents, 4)
| where Share <= 0.05 // <= 0.05% of telemetry
| order by Events ascExplanation
This query is designed to identify rare or unusual patterns in Azure Active Directory provisioning logs over the past 30 days. It focuses on specific fields: ProvisioningAction, TargetSystem, ResultSignature, and OperationName. The query calculates the total number of events and then determines the frequency of each unique combination of these fields. It highlights combinations that make up a very small percentage (0.05% or less) of the total events, which could indicate unusual or potentially suspicious activity. This approach is useful for detecting anomalies that might not be captured by predefined rules. The results are sorted in ascending order based on the number of events, making it easier to triage and investigate these rare occurrences.
Details

David Alonso
Released: June 1, 2026
Tables
Keywords
Operators
Severity
LowTactics
MITRE Techniques