Query Details

Detection of Microsoft Entra Connect accounts outside of WatchLists

AAD Connector Account Outside Of Watch List

Query

// Query all users that habe the "Directory Synchronization Accounts" role assigned
let DirSyncRoleAssignedMembers = (IdentityInfo
    | where TimeGenerated > ago(14d)
    | summarize arg_max(TimeGenerated, *) by AccountObjectId
    | where AssignedRoles has "Directory Synchronization Accounts"
    | summarize by AccountObjectId);
// Query all users that have signed in to the AADSync API
let DirSyncNamedUsers = (union isfuzzy=true AADNonInteractiveUserSignInLogs, SigninLogs
    | where TimeGenerated > ago(1d)
    // AADC APIs: AADSync = "cb1056e2-e479-49de-ae31-7812af012ed8", AAD Connect v2 = 6eb59a73-39b2-4c23-a70f-e2e3ce8965b1
    | where (UserPrincipalName startswith "sync_" and UserPrincipalName endswith "onmicrosoft.com")
        or AppId == "cb1056e2-e479-49de-ae31-7812af012ed8"
        or AppId == "6eb59a73-39b2-4c23-a70f-e2e3ce8965b1"
    | summarize by AccountObjectId = UserId);
// Query all explicitly tagged Microsoft Entra Connect / Azure AD Connect account in the watchlist ServiceAccounts
let WatchList = _GetWatchlist('ServiceAccounts')
    | where ['Tags'] has "Azure AD Connect"
    | project AccountObjectId = ['Service AAD Object Id'];
// Combine the two lists and remove all known accounts
// All resulting accounts are not possibly not allowed to use this API or have the role assigned
union isfuzzy=true DirSyncRoleAssignedMembers, DirSyncNamedUsers
| summarize by AccountObjectId
| where AccountObjectId !in (WatchList)
| join kind=leftouter (IdentityInfo
    | where TimeGenerated > ago(14d)
    | summarize arg_max(TimeGenerated, *) by AccountObjectId
    )
    on AccountObjectId
| project-away *1, TimeGenerated

Explanation

This query is designed to detect Microsoft Entra Connect accounts that are not stored in the WatchList. It looks for objects with Directory role membership to "Directory Synchronization" or naming similar to Microsoft Entra Connect account. The query frequency is once a day and the query period is 14 days. The severity of this detection is medium. The query combines two lists of users and removes known accounts, resulting in a list of potentially unauthorized accounts. The query does not have suppression enabled and is configured to create an incident. The incident grouping configuration is disabled and the lookback duration is 5 minutes. The event grouping settings aggregate alerts into a single alert. The query maps certain fields to account entities and the suppression duration is 1 hour.

Details

Thomas Naunheim profile picture

Thomas Naunheim

Released: September 21, 2023

Tables

IdentityInfoAADNonInteractiveUserSignInLogsSigninLogsServiceAccounts

Keywords

DevicesIntuneUserDirectory SynchronizationMicrosoft Entra ConnectWatchListAADSync APIAADNonInteractiveUserSignInLogsSigninLogssync_onmicrosoft.comcb1056e2-e479-49de-ae31-7812af012ed86eb59a73-39b2-4c23-a70f-e2e3ce8965b1ServiceAccountsAzure AD ConnectAccountUPNAccountObjectIdAccountDisplayName

Operators

wheresummarizearg_maxbyunionisfuzzystartswithendswithorprojectjoinkind=leftouterinproject-away

Severity

Medium

Tactics

PersistencePrivilegeEscalationInitialAccessDefenseEvasion

MITRE Techniques

Frequency: 1d

Period: 14d

Actions

GitHub