Query Details

Unusual Sensitive Action Performed By Azure AD Connect Account UEBA

Query

id: 23fd3ffc-3d2f-4415-89ad-ce2b6450a5c3
name: Unusual sensitive action performed by Azure AD Connect account (UEBA)
version: 1.0.1
kind: Scheduled
description: The Azure AD Connect synchronization account performed sensitive service principal actions that this account should never perform. This is a sign that the account is compromised and should result in immediate action.
severity: High
queryFrequency: 1h
queryPeriod: 14d
triggerOperator: gt
triggerThreshold: 0
tactics:
  - LateralMovement
  - Persistence
  - PrivilegeEscalation
relevantTechniques:
  - T1550
  - T0859
  - T1098
  - T1078
  - T0890
query: |-
  // Accounts holding the "Directory Synchronization Accounts" role, i.e. the
  // Azure AD Connect sync account(s). IdentityInfo is populated by UEBA.
  let DirectorySyncAdmins = (IdentityInfo
      | where TimeGenerated > ago(14d)
      | where AssignedRoles contains "Directory Synchronization Accounts"
      | distinct AccountUPN);
  // Service principal changes the sync account has no legitimate reason to make
  let SensitiveActions = dynamic(["Update service principal", "Add service principal credentials", "Add owner to service principal", "Add delegated permission grant"]);
  AuditLogs
  // Filter on ingestion time, not event time: the rule runs hourly, the extra 10m covers ingestion delay
  | where ingestion_time() > ago(70m)
  // tostring() so the in~ lookup and the Account entity mapping work on a string column
  | extend InitiatedByUPN = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
  | where InitiatedByUPN in~ ( DirectorySyncAdmins )
  | where OperationName in~ (SensitiveActions)
  // One row per affected resource; keep only service principal targets
  | mv-expand TargetResources
  | where TargetResources.type == "ServicePrincipal"
  | extend TargetResourcesname = tostring(TargetResources.name)
  | extend TargetResourcesId = tostring(TargetResources.id)
  | extend InitiatedByIpAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)
suppressionDuration: 5h
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    matchingMethod: Selected
    reopenClosedIncident: false
    groupByCustomDetails: []
    groupByEntities:
      - Account
    groupByAlertDetails: []
    lookbackDuration: 1h
    enabled: true
eventGroupingSettings:
  aggregationKind: AlertPerResult
customDetails:
  Activity: OperationName
entityMappings:
  - entityType: Account
    fieldMappings:
      - columnName: InitiatedByUPN
        identifier: FullName
  - entityType: CloudApplication
    fieldMappings:
      - columnName: TargetResourcesId
        identifier: AppId
  - entityType: IP
    fieldMappings:
      - columnName: InitiatedByIpAddress
        identifier: Address
  - entityType: CloudApplication
    fieldMappings:
      - columnName: TargetResourcesname
        identifier: Name
suppressionEnabled: false

Explanation

This rule flags service principal changes made by an Azure AD Connect synchronization account. The sync account is identified by role rather than by name: IdentityInfo (the UEBA identity table, which is why the rule carries "UEBA" in its name) is searched over the 14-day query period for accounts whose AssignedRoles contains "Directory Synchronization Accounts", and their UPNs form the watch list. On every hourly run, AuditLogs events ingested in the last 70 minutes (the run interval plus a margin for ingestion delay; note that this is ingestion time, not event time) are kept if they were initiated by one of those UPNs and the OperationName is Update service principal, Add service principal credentials, Add owner to service principal, or Add delegated permission grant. TargetResources is expanded so that each affected resource becomes its own row, only ServicePrincipal targets are kept, and each remaining row becomes one alert (AlertPerResult) with the operation name recorded as the Activity custom detail. Azure AD Connect synchronizes users, groups, contacts and devices, so the sync account has no legitimate reason to touch service principals; adding a credential or owner to an application is a typical way for an attacker who has obtained the sync account's credentials to establish persistence and escalate, which is why the severity is High. Entities are mapped for the initiating account (UPN), the target service principal (name and object ID) and the caller's IP address, and incidents are grouped by the initiating Account over a one-hour lookback. Two caveats for tuning: "unusual" here means membership in the fixed SensitiveActions list, not a behavioral baseline, so review what the sync account normally does in your tenant before extending that list; and because the watch list comes from IdentityInfo, the rule matches nothing in a workspace where UEBA is not enabled or where the sync account has not yet been written to that table.
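To make the filtering steps concrete, the following is an added, stand-alone re-implementation of the rule's logic in Python, run over constructed sample records; it is not part of the original rule and not code from its author. It mirrors the KQL semantics that matter for correctness (the 14-day IdentityInfo lookback, the 70-minute ingestion window, case-insensitive `in~` matching of the UPN and operation name, `mv-expand` over TargetResources, and the case-sensitive ServicePrincipal filter), and includes the edge cases a practitioner would want to see handled: an event initiated by an app rather than a user, a late-ingested event, a target list mixing a User and a ServicePrincipal, and a UPN in different letter case. The tenant name, account names, IP addresses and GUIDs are invented, and the record shapes (JSON strings for the dynamic columns, a fixed "now") are simplifying assumptions.

```python
"""Added example: the detection logic of the rule applied to constructed sample records."""
from __future__ import annotations

import json
from datetime import datetime, timedelta, timezone

# Fixed "now" so the ingestion-time and lookback checks are deterministic (assumption).
NOW = datetime(2023, 8, 13, 12, 0, tzinfo=timezone.utc)

# Same list as the rule's SensitiveActions, lower-cased because in~ is case-insensitive.
SENSITIVE_ACTIONS = {
    "update service principal",
    "add service principal credentials",
    "add owner to service principal",
    "add delegated permission grant",
}

SYNC = "Sync_SRV01_1a2b3c@contoso.onmicrosoft.com"  # constructed sync account UPN


def sp(name: str, n: int) -> dict:
    """Constructed ServicePrincipal target resource with an invented object ID."""
    return {"type": "ServicePrincipal", "name": name, "id": f"aaaaaaaa-0000-0000-0000-{n:012d}"}


# Constructed IdentityInfo rows; AssignedRoles is a JSON-encoded list as in Sentinel.
IDENTITY_INFO = [
    {"TimeGenerated": NOW - timedelta(days=3), "AccountUPN": SYNC,
     "AssignedRoles": '["Directory Synchronization Accounts"]'},
    {"TimeGenerated": NOW - timedelta(days=20), "AccountUPN": "Sync_OLD_deadbeef@contoso.onmicrosoft.com",
     "AssignedRoles": '["Directory Synchronization Accounts"]'},  # outside the 14d lookback
    {"TimeGenerated": NOW - timedelta(days=1), "AccountUPN": "alice@contoso.com",
     "AssignedRoles": '["Global Administrator"]'},
]


def _event(minutes_ago: int, user: str | None, ip: str | None, operation: str, targets: list) -> dict:
    """Constructed AuditLogs row; InitiatedBy and TargetResources are JSON strings like the dynamic columns."""
    initiated_by = {"user": {"userPrincipalName": user, "ipAddress": ip}} if user else {"app": {"displayName": "Microsoft Graph"}}
    return {"IngestionTime": NOW - timedelta(minutes=minutes_ago), "InitiatedBy": json.dumps(initiated_by),
            "OperationName": operation, "TargetResources": json.dumps(targets)}


AUDIT_LOGS = [
    _event(5, SYNC, "203.0.113.10", "Add service principal credentials", [sp("Backup Agent", 1)]),      # alert
    _event(10, SYNC, "203.0.113.10", "Update service principal", [sp("HR Portal", 2), sp("HR Portal Staging", 3)]),  # 2 alerts
    _event(15, SYNC, "203.0.113.10", "Update user",
           [{"type": "User", "name": "bob@contoso.com", "id": "bbbbbbbb-0000-0000-0000-000000000001"}]),  # normal sync work
    _event(20, "alice@contoso.com", "198.51.100.7", "Add service principal credentials", [sp("Backup Agent", 1)]),  # not a sync account
    _event(120, SYNC, "203.0.113.10", "Add delegated permission grant", [sp("Backup Agent", 1)]),  # ingested outside 70m window
    _event(25, None, None, "Update service principal", [sp("Backup Agent", 1)]),                 # initiated by an app, no user UPN
    _event(30, SYNC.upper(), "203.0.113.10", "Add owner to service principal",
           [{"type": "User", "name": "bob@contoso.com", "id": "bbbbbbbb-0000-0000-0000-000000000001"},
            sp("Finance Reporting App", 4)]),                                                     # case-insensitive UPN; User target dropped
]


def _user(initiated_by: str) -> dict:
    """parse_json(tostring(InitiatedBy.user)); empty when the actor is an app rather than a user."""
    return json.loads(initiated_by).get("user") or {}


def directory_sync_admins(identity_info: list, now: datetime, lookback: timedelta = timedelta(days=14)) -> set[str]:
    """The DirectorySyncAdmins watch list: lower-cased UPNs so membership tests behave like in~."""
    admins: set[str] = set()
    for row in identity_info:
        if row["TimeGenerated"] <= now - lookback:
            continue
        # KQL `contains` is a case-insensitive substring match on the JSON text of AssignedRoles
        if "directory synchronization accounts" in row["AssignedRoles"].lower():
            admins.add(row["AccountUPN"].lower())
    return admins


def detect(audit_logs: list, identity_info: list, now: datetime, window: timedelta = timedelta(minutes=70)) -> list[dict]:
    """One result row per (event, ServicePrincipal target), matching the rule's AlertPerResult output."""
    admins = directory_sync_admins(identity_info, now)
    alerts = []
    for event in audit_logs:
        if event["IngestionTime"] <= now - window:           # ingestion_time() > ago(70m)
            continue
        user = _user(event["InitiatedBy"])
        upn = user.get("userPrincipalName") or ""
        if upn.lower() not in admins:                         # InitiatedByUPN in~ (DirectorySyncAdmins)
            continue
        if event["OperationName"].lower() not in SENSITIVE_ACTIONS:  # OperationName in~ (SensitiveActions)
            continue
        for target in json.loads(event["TargetResources"]):   # mv-expand TargetResources
            if target.get("type") != "ServicePrincipal":      # == is case-sensitive in KQL, as here
                continue
            alerts.append({"InitiatedByUPN": upn, "Activity": event["OperationName"],
                           "TargetResourcesname": target.get("name"), "TargetResourcesId": target.get("id"),
                           "InitiatedByIpAddress": user.get("ipAddress")})
    return alerts


if __name__ == "__main__":
    for alert in detect(AUDIT_LOGS, IDENTITY_INFO, NOW):
        print(alert)
```

Running it yields four rows: one for the credential addition, two for the update that touched two service principals (one per expanded target), and one for the owner addition whose User target was discarded; the event from the stale IdentityInfo account, the Global Administrator, the late-ingested event and the app-initiated event produce nothing, which is the behaviour to expect from the KQL above.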

Details

Fabian Bader

Released: August 13, 2023

Tables

AuditLogs

Keywords

AzureADConnect,SensitiveActions,DirectorySyncAdmins,AuditLogs,InitiatedByUPN,OperationName,TargetResources,InitiatedByIpAddress

Operators

| let | where | extend | distinct | dynamic | parse_json | tostring | mv-expand | contains | in~ | ingestion_time | ago
