Successful sign-ins from valid AAD connector account outside of whitelisted IP address from WatchList
AAD Connect Sign Ins Outside Server IP
Query
let AADCServer = (_GetWatchlist('HighValueAssets')
| where ['Tags'] == "Azure AD Connect" | project ['IP Address']);
let AADConnectorAcc = (_GetWatchlist('ServiceAccounts')
| where ['Tags'] == "Azure AD Connect" | project AccountObjectId = ['Service AAD Object Id']);
union isfuzzy=true AADNonInteractiveUserSignInLogs, SigninLogs
// AADC APIs: AADSync = "cb1056e2-e479-49de-ae31-7812af012ed8", AAD Connect v2 = 6eb59a73-39b2-4c23-a70f-e2e3ce8965b1
| where (UserId in (AADConnectorAcc) or AppId == "cb1056e2-e479-49de-ae31-7812af012ed8" or AppId == "6eb59a73-39b2-4c23-a70f-e2e3ce8965b1") and IPAddress !in (AADCServer)
| where ResultType == "0"
| project TimeGenerated,Category,UserPrincipalName, AppDisplayName, AppId, IPAddress, RiskState
| extend timestamp = TimeGenerated, IPCustomEntity = IPAddress, AccountCustomEntity = UserPrincipalNameExplanation
This query detects successful sign-ins from a valid Azure Active Directory (AAD) connector account outside of a whitelisted IP address. It uses two watchlists, "Service Accounts" and "High Value Assets", to identify the AAD connector account and the whitelisted IP address. The query covers sign-ins to AAD Connect Endpoints (Azure AD Sync and AAD Connect V2) and checks if they match the watchlist. The query frequency is once per day, and the severity is medium. The relevant techniques include Credential Access, Privilege Escalation, and Initial Access. The query retrieves specific fields from the sign-in logs and maps them to account and IP entities.
Details

Thomas Naunheim
Released: August 23, 2023
Tables
Keywords
Operators
Severity
MediumTactics
Frequency: 1d
Period: 1d