Query Details

Suspicious Directory Sync Account Sign Ins

Query

// This query detects suspicious sign-ins to the on-premises directory sync account.
// The directory sync account has special permissions and cannot perform MFA,
// so activity outside its established baseline warrants investigation.
let starttime = 14d;   // start of the baseline window
let endtime = 1d;      // end of the baseline window / start of the current window
let threshold = 400;   // IPs with fewer historical sign-ins than this are flagged
// Baseline: sign-ins per IP for the sync account between 14 days ago and 1 day ago
let historicalActivity =
union SigninLogs, AADNonInteractiveUserSignInLogs
| where TimeGenerated between(ago(starttime)..ago(endtime))
| where UserDisplayName == "On-Premises Directory Synchronization Service Account" or UserPrincipalName startswith "sync_"
| summarize historicalCount = count() by IPAddress;
// Current window: sign-ins from the last day, joined to the baseline on IPAddress
union SigninLogs, AADNonInteractiveUserSignInLogs
| where UserDisplayName == "On-Premises Directory Synchronization Service Account" or UserPrincipalName startswith "sync_"
| where TimeGenerated >= ago(endtime)
| join kind=leftouter (historicalActivity) on IPAddress
// leftouter keeps current rows with no baseline match; historicalCount is null for those
| where historicalCount < threshold or isempty(historicalCount)

Explanation

This query is designed to identify potentially suspicious sign-in activities related to an on-premises directory synchronization account, which has special permissions and cannot use multi-factor authentication (MFA). Here's a simplified breakdown of what the query does:

  1. Time Frame Definition: It looks at sign-in activities over the past 14 days, excluding the last day (from 14 days ago to 1 day ago).

  2. Historical Activity Collection: It gathers historical sign-in data for the directory sync account from two log sources (SigninLogs and AADNonInteractiveUserSignInLogs). It focuses on entries where the user is identified as the "On-Premises Directory Synchronization Service Account" or has a username starting with "sync_". It counts the number of sign-ins from each IP address during this period.

  3. Threshold Setting: An IP address is considered suspicious if it has fewer than 400 sign-ins in the historical data.

  4. Current Activity Analysis: It then examines sign-ins from the last day (the most recent day) for the same account and looks up each sign-in's IP address in the historical counts (a left outer join, so IP addresses with no history are kept with an empty count).

  5. Suspicious Activity Detection: The query identifies current sign-ins from IP addresses that either have a historical count below the threshold of 400 or have no historical sign-ins at all. These activities are flagged for further investigation as they deviate from the established baseline.

In essence, the query helps detect unusual sign-in patterns for a sensitive account by comparing current activities against historical norms.
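The same baseline-versus-current logic, written as an added Python example rather than code from the original page or its author, so the steps above can be traced on sample data. The sign-in records, IP addresses, user names and the reference time are constructed for the example; the column names mirror the ones the KQL query uses, and a missing baseline entry is modelled as None to reproduce the left outer join's empty historicalCount.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed reference "now" and the display name the query matches on.
NOW = datetime(2024, 11, 10, tzinfo=timezone.utc)
SYNC_DISPLAY_NAME = "On-Premises Directory Synchronization Service Account"


def _event(days_ago, upn, ip, display_name=SYNC_DISPLAY_NAME):
    """Build one constructed sign-in record with the columns the query reads."""
    return {
        "TimeGenerated": NOW - timedelta(days=days_ago),
        "UserDisplayName": display_name,
        "UserPrincipalName": upn,
        "IPAddress": ip,
    }


# Constructed sample telemetry (all values are illustrative, not real data).
SAMPLE_EVENTS = (
    # 450 baseline sign-ins from the connector's usual egress IP, spread over days 2..13
    [_event(2 + (i % 12), "sync_contoso@contoso.example", "203.0.113.10") for i in range(450)]
    # 5 baseline sign-ins from a secondary IP: present in history, but below the threshold
    + [_event(3, "sync_contoso@contoso.example", "203.0.113.11") for _ in range(5)]
    # Current-day sign-ins: the baseline IP, the low-count IP, and a never-seen IP
    + [
        _event(0.5, "sync_contoso@contoso.example", "203.0.113.10"),
        _event(0.2, "sync_contoso@contoso.example", "203.0.113.11"),
        _event(0.1, "sync_contoso@contoso.example", "198.51.100.7"),
    ]
    # An unrelated user with heavy history from the never-seen IP: the identity filter
    # runs before the per-IP count, so this must not contribute to the sync baseline
    + [_event(5, "alice@contoso.example", "198.51.100.7", display_name="Alice Example")
       for _ in range(500)]
)


def is_sync_account(ev):
    """The identity predicate from both halves of the query."""
    return (ev["UserDisplayName"] == SYNC_DISPLAY_NAME
            or ev["UserPrincipalName"].startswith("sync_"))


def historical_counts(events, now=NOW, starttime=14, endtime=1):
    """Step 1-2: sign-ins per IP for the sync account between ago(starttime) and ago(endtime)."""
    lo, hi = now - timedelta(days=starttime), now - timedelta(days=endtime)
    return Counter(ev["IPAddress"] for ev in events
                   if is_sync_account(ev) and lo <= ev["TimeGenerated"] <= hi)


def suspicious_signins(events, now=NOW, starttime=14, endtime=1, threshold=400):
    """Steps 3-5: current-window sign-ins whose IP is below the baseline threshold or unseen."""
    baseline = historical_counts(events, now, starttime, endtime)
    window_start = now - timedelta(days=endtime)
    flagged = []
    for ev in events:
        if not is_sync_account(ev) or ev["TimeGenerated"] < window_start:
            continue
        # .get() returns None for an IP with no baseline row, like the unmatched leftouter join
        count = baseline.get(ev["IPAddress"])
        if count is None or count < threshold:
            flagged.append({**ev, "historicalCount": count})
    return flagged


if __name__ == "__main__":
    for hit in suspicious_signins(SAMPLE_EVENTS):
        print(hit["TimeGenerated"].isoformat(), hit["IPAddress"], hit["historicalCount"])
```

Running it flags the two current-day sign-ins from 203.0.113.11 (five baseline sign-ins, under the threshold) and 198.51.100.7 (no baseline at all, empty count), while the sign-in from 203.0.113.10 passes because its 450 baseline sign-ins meet the threshold. The unrelated user's 500 sign-ins from 198.51.100.7 never enter the baseline, which is why the identity filter must precede the per-IP summarize in the query as well.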

Details

Jay Kerai

Released: November 10, 2024

Tables

SigninLogs, AADNonInteractiveUserSignInLogs

Keywords

SigninLogs, AADNonInteractiveUserSignInLogs, UserDisplayName, UserPrincipalName, IPAddress, TimeGenerated, HistoricalActivity

Operators

let, union, where, between, startswith, summarize, count, by, join, kind, on, or, and, >=, ago, isempty