Query Details

HUNT 12 AAD Prov Consent Grant After Provisioning

Query

id: aa1f000c-200c-420c-920c-aadprov-hunt12
name: HUNT-12 Provisioning Operation Followed by Consent Grant (24h)
description: |
  Correlates provisioning activity performed by a service principal with
  delegated or admin consent grants made to the same SP within 24 hours of
  its first provisioning event. The chain "rogue SP provisions accounts" ->
  "rogue SP receives broader consent" is a documented escalation: the attacker
  first writes directory objects through a narrow scope, then widens that
  scope via consent so the foothold persists with more permissions.
severity: High
requiredDataConnectors:
  - connectorId: AzureActiveDirectory
    dataTypes:
      - AADProvisioningLogs
      - AuditLogs
tactics:
  - PrivilegeEscalation
  - Persistence
relevantTechniques:
  - T1098
  - T1078.004
query: |
  // Step 1: every service principal that performed provisioning in the lookback,
  // with its event count and the first time it was seen provisioning.
  let ProvisioningSPs =
      AADProvisioningLogs
      | where TimeGenerated > ago(7d)
      | extend SPId = tostring(parse_json(ServicePrincipal).Id),
               SPName = tostring(parse_json(ServicePrincipal).Name)
      // Rows without an SP id would otherwise join against audit rows whose target id is also empty.
      | where isnotempty(SPId)
      | summarize ProvisioningEvents = count(),
                  FirstProvisioningSeen = min(TimeGenerated)
        by SPId, SPName;
  // Step 2: consent and app-role grants, one row per target resource so the target
  // SP id can be joined on. Actor is the initiating user's UPN; coalesce() skips the
  // empty string tostring() yields when no user is present and falls back to the app.
  let ConsentEvents =
      AuditLogs
      | where TimeGenerated > ago(7d)
      | where OperationName has_any (
            "Consent to application",
            "Add delegated permission grant",
            "Add app role assignment grant to user",
            "Add app role assignment to service principal"
        )
      | mv-expand TargetResources
      | extend TargetSPId   = tostring(TargetResources.id),
               TargetSPName = tostring(TargetResources.displayName),
               Actor        = coalesce(tostring(InitiatedBy.user.userPrincipalName),
                                        tostring(InitiatedBy.app.displayName))
      | where isnotempty(TargetSPId)
      | project ConsentTime = TimeGenerated, TargetSPId, TargetSPName, Actor, OperationName;
  // Step 3: keep only grants that land within 24h after the SP's first provisioning event
  // (between is inclusive at both ends).
  ProvisioningSPs
  | join kind=inner (ConsentEvents) on $left.SPId == $right.TargetSPId
  | where ConsentTime between (FirstProvisioningSeen .. FirstProvisioningSeen + 1d)
  | project SPName, SPId, FirstProvisioningSeen, ConsentTime, Actor, OperationName, ProvisioningEvents
  | order by ConsentTime desc

Explanation

This query detects a suspicious sequence involving service principals (SPs) in Azure Active Directory (now Microsoft Entra ID). Here's a breakdown:

  1. Purpose: The query identifies service principals that performed provisioning activity and then received a consent or app-role grant within 24 hours of their first provisioning event. The order matters: an attacker who controls an SP with a narrow write scope first uses it to create or modify accounts, then obtains broader consent for the same SP so the foothold survives and gains permissions.

  2. Severity: The alert is rated high severity because the pattern combines privilege escalation with persistence.

  3. Data Sources: The query uses two Azure Active Directory tables:

    • AADProvisioningLogs: One row per provisioning action, including the ServicePrincipal (Id and Name) that performed it.
    • AuditLogs: Directory audit events, including consent and app-role-assignment operations, with the InitiatedBy actor and the TargetResources the operation touched.

  4. Steps in the Query:

    • ProvisioningSPs: Collects every service principal seen provisioning over the past 7 days, summarizing the number of events and the first time it was seen (FirstProvisioningSeen).
    • ConsentEvents: Gathers consent-related operations from the audit logs over the same 7-day window. TargetResources is expanded so each target gets its own row, and the actor is the initiating user's UPN, falling back to the initiating application's display name when no user is present (for example, a grant made through an automation app).
    • Correlation: Joins the two sets on the service principal id and keeps only grants whose ConsentTime falls between FirstProvisioningSeen and FirstProvisioningSeen + 24 hours.
    • Output: Service principal name and id, first provisioning time, consent time, actor, consent operation, and provisioning event count, sorted with the most recent consent first.

  5. Security Implication: A hit means an SP that was already writing identities gained additional permissions shortly afterwards, which is the escalation chain described above. Triage the Actor first: a grant performed by a named admin while a new provisioning connector is being onboarded is usually expected, while a grant initiated by another application, or by an account with no change record, warrants reviewing the SP's permissions and the accounts it provisioned.

  6. Tuning Notes: The window is anchored on the first provisioning event inside the 7-day lookback, so a grant made before any provisioning, or more than 24 hours after the first event, is not returned; widen the window or anchor on each provisioning event if that gap matters in your environment. has_any on OperationName is a term match, so if the query returns nothing, confirm the listed operation names against the audit vocabulary actually seen in the tenant.
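The correlation steps above, replayed in Python over constructed sample rows so the window and actor semantics can be checked offline. This is an added example, not part of the hunt or the author's query: the service principal ids, names, timestamps and the `audit()` helper are made up, and the records only mimic the column shapes the KQL reads.

```python
from datetime import datetime, timedelta

# Added example: Python replay of the hunt's correlation logic. All rows, ids and
# names below are constructed for the demonstration, not real tenant data.

CONSENT_OPERATIONS = {
    "Consent to application",
    "Add delegated permission grant",
    "Add app role assignment grant to user",
    "Add app role assignment to service principal",
}
WINDOW = timedelta(days=1)  # the hunt's "FirstProvisioningSeen + 1d"


def provisioning_sps(rows):
    """ProvisioningSPs: per (SP id, SP name), event count and earliest TimeGenerated."""
    out = {}
    for r in rows:
        sp = r.get("ServicePrincipal") or {}
        key = (str(sp.get("Id") or ""), str(sp.get("Name") or ""))
        if not key[0]:
            continue  # an empty SP id would join against empty target ids
        count, first = out.get(key, (0, None))
        first = r["TimeGenerated"] if first is None else min(first, r["TimeGenerated"])
        out[key] = (count + 1, first)
    return out


def consent_events(rows):
    """ConsentEvents: filter on operation, one row per target resource, derive Actor."""
    events = []
    for r in rows:
        if r.get("OperationName") not in CONSENT_OPERATIONS:
            continue
        initiated = r.get("InitiatedBy") or {}
        user = (initiated.get("user") or {}).get("userPrincipalName")
        app = (initiated.get("app") or {}).get("displayName")
        actor = user or app or ""  # KQL coalesce() also skips empty strings
        for target in r.get("TargetResources") or []:
            events.append({"ConsentTime": r["TimeGenerated"],
                           "TargetSPId": str(target.get("id") or ""),
                           "TargetSPName": str(target.get("displayName") or ""),
                           "Actor": actor, "OperationName": r["OperationName"]})
    return events


def correlate(provisioning_rows, audit_rows, window=WINDOW):
    """Inner join on SP id; keep grants within [first_seen, first_seen + window]; newest first."""
    hits, events = [], consent_events(audit_rows)
    for (sp_id, sp_name), (count, first_seen) in provisioning_sps(provisioning_rows).items():
        for e in events:
            if e["TargetSPId"] != sp_id:
                continue
            if not (first_seen <= e["ConsentTime"] <= first_seen + window):  # KQL between is inclusive
                continue
            hits.append({"SPName": sp_name, "SPId": sp_id, "FirstProvisioningSeen": first_seen,
                         "ConsentTime": e["ConsentTime"], "Actor": e["Actor"],
                         "OperationName": e["OperationName"], "ProvisioningEvents": count})
    return sorted(hits, key=lambda h: h["ConsentTime"], reverse=True)


T = datetime  # shorthand for the constructed timestamps

PROVISIONING_LOGS = [  # constructed AADProvisioningLogs rows
    {"TimeGenerated": T(2025, 3, 1, 9, 0), "ServicePrincipal": {"Id": "sp-1111", "Name": "HR-Sync"}},
    {"TimeGenerated": T(2025, 3, 1, 9, 5), "ServicePrincipal": {"Id": "sp-1111", "Name": "HR-Sync"}},
    {"TimeGenerated": T(2025, 3, 2, 9, 0), "ServicePrincipal": {"Id": "sp-1111", "Name": "HR-Sync"}},
    {"TimeGenerated": T(2025, 3, 3, 8, 0), "ServicePrincipal": {"Id": "sp-2222", "Name": "SCIM-Bridge"}},
]


def audit(when, op, target_id, target_name, user=None, app=None):
    """Build one constructed AuditLogs row in the shape the hunt reads (hypothetical helper)."""
    return {"TimeGenerated": when, "OperationName": op,
            "InitiatedBy": {"user": {"userPrincipalName": user} if user else {},
                            "app": {"displayName": app} if app else {}},
            "TargetResources": [{"id": target_id, "displayName": target_name, "type": "ServicePrincipal"}]}


AUDIT_LOGS = [  # constructed AuditLogs rows covering the cases that matter
    # user consent 3h after sp-1111's first provisioning event: inside the window
    audit(T(2025, 3, 1, 12, 0), "Consent to application", "sp-1111", "HR-Sync", user="admin@contoso.example"),
    # non-consent operation inside the window: dropped by the OperationName filter
    audit(T(2025, 3, 1, 10, 0), "Update service principal", "sp-1111", "HR-Sync", user="admin@contoso.example"),
    # delegated grant 30h after the first event: outside the 24h window
    audit(T(2025, 3, 2, 15, 0), "Add delegated permission grant", "sp-1111", "HR-Sync", user="admin@contoso.example"),
    # app-initiated role assignment 2h after sp-2222's first event: inside, Actor falls back to the app
    audit(T(2025, 3, 3, 10, 0), "Add app role assignment to service principal", "sp-2222", "SCIM-Bridge",
          app="Microsoft Graph PowerShell"),
    # grant to an SP that never provisioned anything: no join partner
    audit(T(2025, 3, 3, 11, 0), "Consent to application", "sp-3333", "Other-App", user="admin@contoso.example"),
]

if __name__ == "__main__":
    for hit in correlate(PROVISIONING_LOGS, AUDIT_LOGS):
        print(hit["ConsentTime"], hit["SPName"], hit["OperationName"], "by", hit["Actor"])
```

Running it returns two hits, the SCIM-Bridge grant first because the output is sorted by consent time descending; the 30-hour-old grant, the non-consent update and the grant to an SP that never provisioned are all excluded, which is exactly the behaviour to re-check after any change to the window or the operation list.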

Details


David Alonso

Released: June 1, 2026

Tables

AADProvisioningLogs, AuditLogs

Keywords

AzureActiveDirectory, AADProvisioningLogs, AuditLogs, ServicePrincipal, TargetResources, TimeGenerated, OperationName, Actor

Operators

let, where, extend, tostring, parse_json, summarize, count, min, by, has_any, mv-expand, coalesce, project, join, on, between, order by, desc
