Query Details

HUNT-10 Rare ProvisioningAction / TargetSystem / ResultSignature (30d)

HUNT 10 AAD Prov Rare Operations 30d

Query

let TotalEvents = toscalar(
    AADProvisioningLogs
    | where TimeGenerated > ago(30d)
    | count
);
AADProvisioningLogs
| where TimeGenerated > ago(30d)
| extend TgtSystem = tostring(parse_json(TargetSystem).DisplayName),
         SPName    = tostring(parse_json(ServicePrincipal).Name)
| summarize Events = count() by ProvisioningAction, TgtSystem, ResultSignature, OperationName, SPName
| extend Share = round(100.0 * Events / TotalEvents, 4)
| where Share <= 0.05  // <= 0.05% of telemetry
| order by Events asc

Explanation

This query is designed to identify rare or unusual patterns in Azure Active Directory provisioning logs over the past 30 days. It focuses on specific fields: ProvisioningAction, TargetSystem, ResultSignature, and OperationName. The query calculates the total number of events and then determines the frequency of each unique combination of these fields. It highlights combinations that make up a very small percentage (0.05% or less) of the total events, which could indicate unusual or potentially suspicious activity. This approach is useful for detecting anomalies that might not be captured by predefined rules. The results are sorted in ascending order based on the number of events, making it easier to triage and investigate these rare occurrences.

Details

David Alonso profile picture

David Alonso

Released: June 1, 2026

Tables

AADProvisioningLogs

Keywords

ProvisioningActionTargetSystemResultSignatureOperationNameServicePrincipalAzureActiveDirectoryAADProvisioningLogsTimeGeneratedEventsShareTelemetry

Operators

lettoscalarwhereagocountextendtostringparse_jsonsummarizebyroundorder by

Severity

Low

Tactics

DefenseEvasion

MITRE Techniques

Actions

GitHub