Query Details

Potential Malicious Sign In From Azure AD Connect Account

Query

id: c8fac852-f10c-4962-b0fb-11722e8c9bb8
name: Potential malicious sign-in from Azure AD Connect account
version: 1.0.0
kind: Scheduled
description: The Azure AD Connect account is accessing a resource that it must not access. This is a high-fidelity sign of malicious actions.
severity: High
queryFrequency: 30m
queryPeriod: 30m
triggerOperator: gt
triggerThreshold: 0
tactics:
  - LateralMovement
relevantTechniques:
  - T0859
query: |
  union isfuzzy=true SigninLogs, AADNonInteractiveUserSignInLogs
  | where UserPrincipalName startswith "Sync_" and UserPrincipalName endswith "onmicrosoft.com"
  // Only alert when AppId != Microsoft Azure Active Directory Connect and the resource is not AAD
  | where AppId != "cb1056e2-e479-49de-ae31-7812af012ed8" and ResourceDisplayName != "Windows Azure Active Directory"
suppressionDuration: 5h
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    matchingMethod: Selected
    reopenClosedIncident: false
    groupByCustomDetails: []
    groupByEntities:
      - Account
    groupByAlertDetails: []
    lookbackDuration: 1h
    enabled: true
eventGroupingSettings:
  aggregationKind: AlertPerResult
entityMappings:
  - entityType: CloudApplication
    fieldMappings:
      - columnName: AppId
        identifier: AppId
  - entityType: CloudApplication
    fieldMappings:
      - columnName: AppDisplayName
        identifier: Name
  - entityType: IP
    fieldMappings:
      - columnName: IPAddress
        identifier: Address
  - entityType: Account
    fieldMappings:
      - columnName: UserPrincipalName
        identifier: FullName
  - entityType: Account
    fieldMappings:
      - columnName: UserId
        identifier: AadUserId
suppressionEnabled: false

Explanation

This query detects potential malicious sign-ins from an Azure AD Connect synchronisation account. It unions the interactive sign-in logs (SigninLogs) with the non-interactive ones (AADNonInteractiveUserSignInLogs) and keeps rows whose user principal name starts with "Sync_" and ends with "onmicrosoft.com", the naming pattern the rule assumes for the Azure AD Connect account. It then drops every sign-in made by the Azure AD Connect application itself (AppId cb1056e2-e479-49de-ae31-7812af012ed8) or made against the "Windows Azure Active Directory" resource, so only sign-ins where both the application and the resource are unexpected for this account remain. Each remaining row raises its own alert (AlertPerResult); an incident is created and alerts are grouped by the Account entity over a 1-hour lookback. The query runs every 30 minutes over the preceding 30 minutes of data, triggers when more than 0 rows are returned, and carries a 5-hour suppression duration (suppression itself is disabled in this configuration).
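As an added illustration (not part of the original rule or its author's code), the query's filter logic re-implemented in plain Python and run over constructed sample sign-in events, so each exclusion condition can be checked offline. The column names follow the SigninLogs / AADNonInteractiveUserSignInLogs columns the rule uses; the tenant name, IP addresses, UserIds, the non-Connect AppId and the resource names other than "Windows Azure Active Directory" are made up, while the Azure AD Connect AppId and the AAD resource name are the ones from the rule. It goes slightly beyond the page by also grouping the resulting alerts by Account, as the incident configuration does.

```python
# Added example: plain-Python mirror of the rule's KQL filters over constructed sample events.
# Not the rule's own code; column names mirror the Sentinel tables the rule queries.

AAD_CONNECT_APP_ID = "cb1056e2-e479-49de-ae31-7812af012ed8"  # AppId from the rule
AAD_RESOURCE = "Windows Azure Active Directory"              # resource name from the rule


def is_sync_account(upn: str) -> bool:
    """Mirrors `UserPrincipalName startswith "Sync_" and UserPrincipalName endswith "onmicrosoft.com"`.
    KQL startswith/endswith are case-insensitive, so the comparison is done on the lowercased UPN."""
    u = upn.lower()
    return u.startswith("sync_") and u.endswith("onmicrosoft.com")


def is_unexpected_access(event: dict) -> bool:
    """Mirrors the second `where`: a row survives only if the app is NOT Azure AD Connect
    AND the resource is NOT Azure AD, so a row matching either exclusion is dropped.
    KQL `!=` on strings is case-sensitive, hence plain equality here."""
    return (event.get("AppId") != AAD_CONNECT_APP_ID
            and event.get("ResourceDisplayName") != AAD_RESOURCE)


def evaluate(signin_logs: list, noninteractive_logs: list) -> list:
    """`union isfuzzy=true` of both tables followed by the two filters.
    Returns the rows that would each become one alert (aggregationKind: AlertPerResult)."""
    return [e for e in signin_logs + noninteractive_logs
            if is_sync_account(e.get("UserPrincipalName", "")) and is_unexpected_access(e)]


def group_by_account(hits: list) -> dict:
    """Mirrors groupByEntities: Account -- alerts for the same UPN land in one incident."""
    grouped = {}
    for e in hits:
        grouped.setdefault(e["UserPrincipalName"], []).append(e)
    return grouped


# Constructed sample events (tenant, IPs, UserIds and the non-Connect AppId are made up).
SYNC_UPN = "Sync_SRV01_a1b2c3d4e5f6@contoso.onmicrosoft.com"
OTHER_APP_ID = "11111111-2222-3333-4444-555555555555"  # constructed, stands for any other app
SIGNIN_LOGS = [
    {  # expected: sync account used by the AAD Connect app against AAD -> excluded
        "UserPrincipalName": SYNC_UPN, "UserId": "u-1", "IPAddress": "203.0.113.10",
        "AppId": AAD_CONNECT_APP_ID, "AppDisplayName": "Microsoft Azure Active Directory Connect",
        "ResourceDisplayName": AAD_RESOURCE},
    {  # unexpected: sync account, different app, different resource -> alert
        "UserPrincipalName": SYNC_UPN, "UserId": "u-1", "IPAddress": "198.51.100.7",
        "AppId": OTHER_APP_ID, "AppDisplayName": "Azure Portal",
        "ResourceDisplayName": "Microsoft Graph"},
    {  # ordinary user -> never considered, whatever the app or resource
        "UserPrincipalName": "alice@contoso.onmicrosoft.com", "UserId": "u-2", "IPAddress": "198.51.100.7",
        "AppId": OTHER_APP_ID, "AppDisplayName": "Azure Portal",
        "ResourceDisplayName": "Microsoft Graph"},
]
NON_INTERACTIVE_LOGS = [
    {  # sync account, other app, but the resource is AAD -> excluded by the resource condition
        "UserPrincipalName": SYNC_UPN, "UserId": "u-1", "IPAddress": "203.0.113.10",
        "AppId": OTHER_APP_ID, "AppDisplayName": "Azure Portal",
        "ResourceDisplayName": AAD_RESOURCE},
    {  # sync account via the AAD Connect app, but against Graph -> excluded by the AppId condition
        "UserPrincipalName": SYNC_UPN, "UserId": "u-1", "IPAddress": "203.0.113.10",
        "AppId": AAD_CONNECT_APP_ID, "AppDisplayName": "Microsoft Azure Active Directory Connect",
        "ResourceDisplayName": "Microsoft Graph"},
    {  # sync account, other app, other resource (non-interactive this time) -> alert
        "UserPrincipalName": SYNC_UPN, "UserId": "u-1", "IPAddress": "198.51.100.7",
        "AppId": OTHER_APP_ID, "AppDisplayName": "Azure Portal",
        "ResourceDisplayName": "Office 365 Exchange Online"},
]

if __name__ == "__main__":
    hits = evaluate(SIGNIN_LOGS, NON_INTERACTIVE_LOGS)
    for h in hits:
        print(f"ALERT {h['UserPrincipalName']} app={h['AppDisplayName']} "
              f"resource={h['ResourceDisplayName']} ip={h['IPAddress']}")
    print("incidents:", {upn: len(v) for upn, v in group_by_account(hits).items()})
```

Running the file prints the two alerting rows and one incident for the sync account. The two helper functions deliberately mirror KQL's string semantics: `startswith`/`endswith` are case-insensitive, while `!=` on strings is case-sensitive, so a resource display name that differs only in case from "Windows Azure Active Directory" would not be excluded by the rule.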

Details

Fabian Bader

Released: July 23, 2023

Tables

SigninLogs, AADNonInteractiveUserSignInLogs

Keywords

Devices, Intune, User, AzureADConnect, SigninLogs, AADNonInteractiveUserSignInLogs, AppId, ResourceDisplayName, CloudApplication, IP, Account

Operators

union, isfuzzy, true, SigninLogs, AADNonInteractiveUserSignInLogs, where, startswith, endswith, |, !=, and, ResourceDisplayName, suppressionDuration, createIncident, groupingConfiguration, matchingMethod, reopenClosedIncident, groupByCustomDetails, groupByEntities, groupByAlertDetails, lookbackDuration, enabled, eventGroupingSettings, aggregationKind, AlertPerResult, entityType, CloudApplication, fieldMappings, columnName, identifier, IP, Account, UserPrincipalName, FullName, UserId, AadUserId, suppressionEnabled