Suspicious Sign In by Entra ID Connect Sync Account
| Id | 2cd8b3d5-c9e0-4be3-80f7-0469d511c3f6 |
| Rulename | Suspicious Sign In by Entra ID Connect Sync Account |
| Description | This query looks for sign ins by the Microsoft Entra ID Connect Sync account to Azure where properties about the logon are anomalous. This query uses Microsoft Sentinel’s UEBA features to detect these suspicious properties. A threat actor may attempt to steal the Sync account credentials and use them to access Azure resources. This alert should be reviewed to ensure that the log in came was from a legitimate source. |
| Severity | Medium |
| Tactics | InitialAccess |
| Techniques | T1078.004 |
| Required data connectors | BehaviorAnalytics |
| Kind | Scheduled |
| Query frequency | 1h |
| Query period | 1h |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Detections/BehaviorAnalytics/SuspiciousSigninByAADConnectAccount.yaml |
| Version | 1.0.3 |
| Arm template | 2cd8b3d5-c9e0-4be3-80f7-0469d511c3f6.json |
BehaviorAnalytics
// User modification is expected from this account so focus on logons
| where ActivityType =~ "LogOn"
| where UserName startswith "Sync_" and UsersInsights.AccountDisplayName =~ "On-Premises Directory Synchronization Service Account"
// Filter out this expected activity
| where ActivityInsights.App !~ "Microsoft Azure Active Directory Connect"
| where InvestigationPriority > 0
| extend Name = split(UserPrincipalName, "@")[0], UPNSuffix = split(UserPrincipalName, "@")[1]
tactics:
- InitialAccess
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/BehaviorAnalytics/SuspiciousSigninByAADConnectAccount.yaml
relevantTechniques:
- T1078.004
entityMappings:
- fieldMappings:
- columnName: UserPrincipalName
identifier: FullName
- columnName: Name
identifier: Name
- columnName: UPNSuffix
identifier: UPNSuffix
entityType: Account
- fieldMappings:
- columnName: SourceIPAddress
identifier: Address
entityType: IP
- fieldMappings:
- columnName: DestinationDevice
identifier: HostName
entityType: Host
name: Suspicious Sign In by Entra ID Connect Sync Account
query: |
BehaviorAnalytics
// User modification is expected from this account so focus on logons
| where ActivityType =~ "LogOn"
| where UserName startswith "Sync_" and UsersInsights.AccountDisplayName =~ "On-Premises Directory Synchronization Service Account"
// Filter out this expected activity
| where ActivityInsights.App !~ "Microsoft Azure Active Directory Connect"
| where InvestigationPriority > 0
| extend Name = split(UserPrincipalName, "@")[0], UPNSuffix = split(UserPrincipalName, "@")[1]
version: 1.0.3
metadata:
author:
name: Microsoft Security Community
categories:
domains:
- Identity
- Security - Threat Protection
source:
kind: Community
support:
tier: Community
description: |
'This query looks for sign ins by the Microsoft Entra ID Connect Sync account to Azure where properties about the logon are anomalous.
This query uses Microsoft Sentinel's UEBA features to detect these suspicious properties.
A threat actor may attempt to steal the Sync account credentials and use them to access Azure resources. This alert should be
reviewed to ensure that the log in came was from a legitimate source.'
id: 2cd8b3d5-c9e0-4be3-80f7-0469d511c3f6
kind: Scheduled
queryFrequency: 1h
triggerThreshold: 0
status: Available
triggerOperator: gt
queryPeriod: 1h
alertDetailsOverride:
alertDisplayNameFormat: Suspicious Sign In by AAD Connect Sync Account {{UserPrincipalName}} from {{SourceIPAddress}}
alertDescriptionFormat: |
This query looks for sign ins by the Azure AD Connect Sync account to Azure where properties about the logon are anomalous.
This query uses Microsoft Sentinel's UEBA features to detect these suspicious properties.
A threat actor may attempt to steal the Sync account credentials and use them to access Azure resources. This alert should be
reviewed to ensure that the log in came was from a legitimate source.
In this case {{UserPrincipalName}} logged in from {{SourceIPAddress}}.
requiredDataConnectors:
- dataTypes:
- BehaviorAnalytics
connectorId: BehaviorAnalytics
severity: Medium
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/2cd8b3d5-c9e0-4be3-80f7-0469d511c3f6')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/2cd8b3d5-c9e0-4be3-80f7-0469d511c3f6')]",
"properties": {
"alertDetailsOverride": {
"alertDescriptionFormat": "This query looks for sign ins by the Azure AD Connect Sync account to Azure where properties about the logon are anomalous.\nThis query uses Microsoft Sentinel's UEBA features to detect these suspicious properties.\nA threat actor may attempt to steal the Sync account credentials and use them to access Azure resources. This alert should be \nreviewed to ensure that the log in came was from a legitimate source.\nIn this case {{UserPrincipalName}} logged in from {{SourceIPAddress}}.\n",
"alertDisplayNameFormat": "Suspicious Sign In by AAD Connect Sync Account {{UserPrincipalName}} from {{SourceIPAddress}}"
},
"alertRuleTemplateName": "2cd8b3d5-c9e0-4be3-80f7-0469d511c3f6",
"customDetails": null,
"description": "'This query looks for sign ins by the Microsoft Entra ID Connect Sync account to Azure where properties about the logon are anomalous.\nThis query uses Microsoft Sentinel's UEBA features to detect these suspicious properties.\nA threat actor may attempt to steal the Sync account credentials and use them to access Azure resources. This alert should be \nreviewed to ensure that the log in came was from a legitimate source.'\n",
"displayName": "Suspicious Sign In by Entra ID Connect Sync Account",
"enabled": true,
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "UserPrincipalName",
"identifier": "FullName"
},
{
"columnName": "Name",
"identifier": "Name"
},
{
"columnName": "UPNSuffix",
"identifier": "UPNSuffix"
}
]
},
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "SourceIPAddress",
"identifier": "Address"
}
]
},
{
"entityType": "Host",
"fieldMappings": [
{
"columnName": "DestinationDevice",
"identifier": "HostName"
}
]
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/BehaviorAnalytics/SuspiciousSigninByAADConnectAccount.yaml",
"query": "BehaviorAnalytics\n// User modification is expected from this account so focus on logons\n| where ActivityType =~ \"LogOn\"\n| where UserName startswith \"Sync_\" and UsersInsights.AccountDisplayName =~ \"On-Premises Directory Synchronization Service Account\"\n// Filter out this expected activity\n| where ActivityInsights.App !~ \"Microsoft Azure Active Directory Connect\"\n| where InvestigationPriority > 0\n| extend Name = split(UserPrincipalName, \"@\")[0], UPNSuffix = split(UserPrincipalName, \"@\")[1]\n",
"queryFrequency": "PT1H",
"queryPeriod": "PT1H",
"severity": "Medium",
"status": "Available",
"subTechniques": [
"T1078.004"
],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"InitialAccess"
],
"techniques": [
"T1078"
],
"templateVersion": "1.0.3",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}