Query Details
id: aa1f000a-200a-420a-920a-aadprov-hunt10
name: HUNT-10 Rare ProvisioningAction / TargetSystem / ResultSignature (30d)
description: |
  Surfaces rare values across `ProvisioningAction`, `TargetSystem`,
  `ResultSignature`, and `OperationName` over 30 days - useful for ad-hoc
  discovery of unusual telemetry patterns that no static rule would catch.
  Stack-counting style: anything with a tiny share is shown for triage.
severity: Low
requiredDataConnectors:
  - connectorId: AzureActiveDirectory
    dataTypes:
      - AADProvisioningLogs
tactics:
  - DefenseEvasion
relevantTechniques:
  - T1078
query: |
  let TotalEvents = toscalar(
      AADProvisioningLogs
      | where TimeGenerated > ago(30d)
      | count
  );
  AADProvisioningLogs
  | where TimeGenerated > ago(30d)
  | extend TgtSystem = tostring(parse_json(TargetSystem).DisplayName),
           SPName = tostring(parse_json(ServicePrincipal).Name)
  | summarize Events = count() by ProvisioningAction, TgtSystem, ResultSignature, OperationName, SPName
  | extend Share = round(100.0 * Events / TotalEvents, 4)
  | where Share <= 0.05 // <= 0.05% of telemetry
  | order by Events asc
This query is designed to identify unusual patterns in Azure Active Directory provisioning logs over the past 30 days. It focuses on finding rare occurrences of specific actions, target systems, result signatures, and operation names that might indicate unusual or suspicious activity.
Here's a simplified breakdown of what the query does:

- Data Source: It uses logs from Azure Active Directory provisioning activities.
- Time Frame: It looks at data from the last 30 days.
- Total Events Calculation: It first calculates the total number of provisioning events in this period.
- Data Extraction: It extracts and processes specific fields from the logs, such as the target system's display name and the service principal's name.
- Event Summarization: It counts how often each combination of provisioning action, target system, result signature, operation name, and service principal name occurs.
- Share Calculation: It calculates the percentage share of each combination relative to the total number of events.
- Rare Events Filtering: It filters out common combinations, keeping only those that make up 0.05% or less of the total events, highlighting rare occurrences.
- Sorting: It orders the results by the number of events in ascending order, so the rarest combinations appear first.
This query is useful for surfacing potentially suspicious activity that is too infrequent to be caught by static rules, which supports detection of defense-evasion techniques.
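To make the stack-counting logic concrete outside of KQL, here is an added Python example (not part of the original hunt) that mirrors the query's extend / summarize / share / filter steps over constructed AADProvisioningLogs-like rows. It also exposes a practical caveat of the 0.05% threshold: a one-off combination can only pass once the 30-day window holds at least 2,000 events, so on a low-volume tenant the query returns nothing even when an anomaly is present. The field values ("Create", "Disable", "SaaS App A", the service principal names) are constructed sample data, not real telemetry.

```python
import json
import math
from collections import Counter
from fractions import Fraction

# Output columns, in the same order as the KQL `summarize ... by` clause.
GROUP_KEYS = ("ProvisioningAction", "TgtSystem", "ResultSignature", "OperationName", "SPName")


def normalize(row: dict) -> tuple:
    """Mirror the KQL `extend`: lift DisplayName / Name out of the JSON columns."""
    tgt = json.loads(row.get("TargetSystem") or "{}")
    sp = json.loads(row.get("ServicePrincipal") or "{}")
    return (
        row.get("ProvisioningAction", ""),
        str(tgt.get("DisplayName", "")),
        row.get("ResultSignature", ""),
        row.get("OperationName", ""),
        str(sp.get("Name", "")),
    )


def rare_combinations(rows: list[dict], max_share_pct: float = 0.05) -> list[dict]:
    """Stack-count the key tuple and keep combinations whose share of all
    events is at or below max_share_pct, rarest first (`order by Events asc`)."""
    counts = Counter(normalize(r) for r in rows)
    total = sum(counts.values())
    hits = []
    for key, events in counts.items():
        share = round(100.0 * events / total, 4)  # same rounding as the KQL
        if share <= max_share_pct:
            hits.append(dict(zip(GROUP_KEYS, key), Events=events, Share=share))
    return sorted(hits, key=lambda h: h["Events"])


def min_total_for_singleton(max_share_pct: float = 0.05) -> int:
    """Smallest total event count at which a one-off combination can pass the
    filter (100 * 1 / total <= max_share_pct). Exact arithmetic avoids float drift."""
    return math.ceil(Fraction(100) / Fraction(str(max_share_pct)))


def make_rows(n_routine: int, n_rare: int) -> list[dict]:
    """Constructed AADProvisioningLogs-like rows (sample data, not real telemetry)."""
    routine = {"ProvisioningAction": "Create", "ResultSignature": "Success", "OperationName": "Export",
               "TargetSystem": json.dumps({"DisplayName": "SaaS App A"}),
               "ServicePrincipal": json.dumps({"Name": "Provisioning SP A"})}
    rare = {"ProvisioningAction": "Disable", "ResultSignature": "Failure", "OperationName": "Export",
            "TargetSystem": json.dumps({"DisplayName": "SaaS App B"}),
            "ServicePrincipal": json.dumps({"Name": "Provisioning SP B"})}
    return [dict(routine) for _ in range(n_routine)] + [dict(rare) for _ in range(n_rare)]
```

With `make_rows(1999, 1)` the single Disable/Failure row sits exactly on the 0.05% line and is returned; with `make_rows(999, 1)` the same anomaly is 0.1% of traffic and the filter drops it.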

David Alonso
Released: June 1, 2026