Query Details

Unusual Sensitive Action Performed By Azure AD Connect Account

Query

let SensitiveActions = dynamic(["Update service principal","Add service principal credentials","Add owner to service principal","Add delegated permission grant"]);
AuditLogs
| extend InitiatedByUPN = parse_json(tostring(InitiatedBy.user)).userPrincipalName
| where InitiatedByUPN startswith "Sync_" and InitiatedByUPN endswith "onmicrosoft.com"
| where OperationName in~ (SensitiveActions)
| mv-expand TargetResources
| where TargetResources.type == "ServicePrincipal"
| extend TargetResourcesname = TargetResources.name
| extend TargetResourcesId = TargetResources.id
| extend InitiatedByIpAddress = parse_json(tostring(InitiatedBy.user)).ipAddress

Explanation

This query is designed to detect unusual sensitive actions performed by an Azure AD Connect account. It looks for specific actions such as updating service principals, adding credentials, adding owners, and granting delegated permissions. The query filters for actions initiated by an account with a specific naming convention and checks if the target resource is a service principal. It also captures additional information such as the user's IP address. If any of these actions are detected, it will create an incident with high severity and immediate action is recommended. The query runs every 30 minutes and looks back at the past 30 minutes of audit logs. The incident grouping is based on the account involved in the action.

Details

Fabian Bader profile picture

Fabian Bader

Released: July 23, 2023

Tables

AuditLogs

Keywords

Azure AD ConnectSensitive ActionsAccountLateral MovementPersistencePrivilege EscalationT1550T0859T1098T1078T0890Update service principalAdd service principal credentialsAdd owner to service principalAdd delegated permission grantInitiatedByUPNSync_onmicrosoft.comOperationNameTargetResourcesServicePrincipalInitiatedByIpAddress.

Operators

|extendwherein~mv-expand

Severity

High

Tactics

LateralMovementPersistencePrivilegeEscalation

Frequency: 30m

Period: 30m

Actions

GitHub