Unusual Sensitive Action Performed By Azure AD Connect Account
Query
let SensitiveActions = dynamic(["Update service principal","Add service principal credentials","Add owner to service principal","Add delegated permission grant"]);
AuditLogs
| extend InitiatedByUPN = parse_json(tostring(InitiatedBy.user)).userPrincipalName
| where InitiatedByUPN startswith "Sync_" and InitiatedByUPN endswith "onmicrosoft.com"
| where OperationName in~ (SensitiveActions)
| mv-expand TargetResources
| where TargetResources.type == "ServicePrincipal"
| extend TargetResourcesname = TargetResources.name
| extend TargetResourcesId = TargetResources.id
| extend InitiatedByIpAddress = parse_json(tostring(InitiatedBy.user)).ipAddressExplanation
This query is designed to detect unusual sensitive actions performed by an Azure AD Connect account. It looks for specific actions such as updating service principals, adding credentials, adding owners, and granting delegated permissions. The query filters for actions initiated by an account with a specific naming convention and checks if the target resource is a service principal. It also captures additional information such as the user's IP address. If any of these actions are detected, it will create an incident with high severity and immediate action is recommended. The query runs every 30 minutes and looks back at the past 30 minutes of audit logs. The incident grouping is based on the account involved in the action.
Details

Fabian Bader
Released: July 23, 2023
Tables
Keywords
Operators
Severity
HighTactics
Frequency: 30m
Period: 30m