Suspicious Sign In by Entra ID Connect Sync Account

BehaviorAnalytics
// User modification is expected from this account so focus on logons
| where ActivityType =~ "LogOn"
| where UserName startswith "Sync_" and UsersInsights.AccountDisplayName =~ "On-Premises Directory Synchronization Service Account"
// Filter out this expected activity
| where ActivityInsights.App !~ "Microsoft Azure Active Directory Connect"
| where InvestigationPriority > 0
| extend Name = split(UserPrincipalName, "@")[0], UPNSuffix = split(UserPrincipalName, "@")[1]

relevantTechniques:
- T1078.004
entityMappings:
- fieldMappings:
  - columnName: UserPrincipalName
    identifier: FullName
  - columnName: Name
    identifier: Name
  - columnName: UPNSuffix
    identifier: UPNSuffix
  entityType: Account
- fieldMappings:
  - columnName: SourceIPAddress
    identifier: Address
  entityType: IP
- fieldMappings:
  - columnName: DestinationDevice
    identifier: HostName
  entityType: Host
version: 1.0.3
triggerThreshold: 0
description: |
  'This query looks for sign ins by the Microsoft Entra ID Connect Sync account to Azure where properties about the logon are anomalous.
  This query uses Microsoft Sentinel's UEBA features to detect these suspicious properties.
  A threat actor may attempt to steal the Sync account credentials and use them to access Azure resources. This alert should be 
  reviewed to ensure that the log in came was from a legitimate source.'  
metadata:
  author:
    name: Microsoft Security Community
  source:
    kind: Community
  categories:
    domains:
    - Identity
    - Security - Threat Protection
  support:
    tier: Community
requiredDataConnectors:
- connectorId: BehaviorAnalytics
  dataTypes:
  - BehaviorAnalytics
triggerOperator: gt
alertDetailsOverride:
  alertDisplayNameFormat: Suspicious Sign In by AAD Connect Sync Account {{UserPrincipalName}} from {{SourceIPAddress}}
  alertDescriptionFormat: |
    This query looks for sign ins by the Azure AD Connect Sync account to Azure where properties about the logon are anomalous.
    This query uses Microsoft Sentinel's UEBA features to detect these suspicious properties.
    A threat actor may attempt to steal the Sync account credentials and use them to access Azure resources. This alert should be 
    reviewed to ensure that the log in came was from a legitimate source.
    In this case {{UserPrincipalName}} logged in from {{SourceIPAddress}}.    
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/BehaviorAnalytics/SuspiciousSigninByAADConnectAccount.yaml
id: 2cd8b3d5-c9e0-4be3-80f7-0469d511c3f6
queryFrequency: 1h
query: |
  BehaviorAnalytics
  // User modification is expected from this account so focus on logons
  | where ActivityType =~ "LogOn"
  | where UserName startswith "Sync_" and UsersInsights.AccountDisplayName =~ "On-Premises Directory Synchronization Service Account"
  // Filter out this expected activity
  | where ActivityInsights.App !~ "Microsoft Azure Active Directory Connect"
  | where InvestigationPriority > 0
  | extend Name = split(UserPrincipalName, "@")[0], UPNSuffix = split(UserPrincipalName, "@")[1]  
severity: Medium
status: Available
queryPeriod: 1h
name: Suspicious Sign In by Entra ID Connect Sync Account
tactics:
- InitialAccess
kind: Scheduled