Unusual Sensitive Action Performed By Azure AD Connect Account UEBA
Query
let DirectorySyncAdmins = (IdentityInfo
| where TimeGenerated > ago(14d)
| where AssignedRoles contains "Directory Synchronization Accounts"
| distinct AccountUPN);
let SensitiveActions = dynamic(["Update service principal", "Add service principal credentials", "Add owner to service principal", "Add delegated permission grant"]);
AuditLogs
| where ingestion_time() > ago(70m)
| extend InitiatedByUPN = parse_json(tostring(InitiatedBy.user)).userPrincipalName
| where InitiatedByUPN in~ ( DirectorySyncAdmins )
| where OperationName in~ (SensitiveActions)
| mv-expand TargetResources
| where TargetResources.type == "ServicePrincipal"
| extend TargetResourcesname = TargetResources.name
| extend TargetResourcesId = TargetResources.id
| extend InitiatedByIpAddress = parse_json(tostring(InitiatedBy.user)).ipAddressExplanation
This query is designed to detect unusual sensitive actions performed by an Azure AD Connect account. It looks for actions such as updating service principals, adding credentials to service principals, adding owners to service principals, and granting delegated permissions. The query checks for these actions within the past 70 minutes and compares them to a list of directory synchronization admins. If any of the sensitive actions are performed by one of these admins, an incident is created. The query also includes mappings for grouping the incidents by account, cloud application, and IP address. The incident grouping is based on the account initiating the action. The query runs every hour and has a query period of 14 days. The severity of this detection is high, indicating that immediate action should be taken if any unusual sensitive actions are detected.
Details

Fabian Bader
Released: August 13, 2023
Tables
Keywords
Operators
Severity
HighTactics
Frequency: 1h
Period: 14d