Microsoft Sentinel Analytic Rules

Suspicious Sign In by Entra ID Connect Sync Account

Id: 2cd8b3d5-c9e0-4be3-80f7-0469d511c3f6
Rulename: Suspicious Sign In by Entra ID Connect Sync Account
Description: This query looks for sign ins by the Microsoft Entra ID Connect Sync account to Azure where properties about the logon are anomalous.

This query uses Microsoft Sentinel’s UEBA features to detect these suspicious properties.

A threat actor may attempt to steal the Sync account credentials and use them to access Azure resources. This alert should be reviewed to ensure that the log in came from a legitimate source.
Severity: Medium
Tactics: InitialAccess
Techniques: T1078.004
Required data connectors: BehaviorAnalytics
Kind: Scheduled
Query frequency: 1h
Query period: 1h
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/BehaviorAnalytics/SuspiciousSigninByAADConnectAccount.yaml
Version: 1.0.3
Arm template: 2cd8b3d5-c9e0-4be3-80f7-0469d511c3f6.json
// Purpose: surface logon events for the directory-sync service account that
// did not come through the Connect sync application and that UEBA scored with
// a non-zero investigation priority.
// Source table: BehaviorAnalytics (populated by Microsoft Sentinel UEBA).
// NOTE(review): if UEBA is not enabled for the workspace this table is
// presumably empty and the rule stays silent -- confirm before relying on it.
BehaviorAnalytics
// User modification is expected from this account so focus on logons
// (=~ is a case-insensitive equality match)
| where ActivityType =~ "LogOn"
// Both conditions must hold: the user name begins with "Sync_" (startswith is
// case-insensitive) AND the AccountDisplayName property of UsersInsights
// equals the sync service display name.
// NOTE(review): tenants that moved Entra Connect Sync to application-based
// authentication may have no Sync_* user sign-ins left for this filter to
// match -- confirm which identity the sync server uses.
| where UserName startswith "Sync_" and UsersInsights.AccountDisplayName =~ "On-Premises Directory Synchronization Service Account"
// Filter out this expected activity
// (!~ is a case-insensitive "not equal"; rows recorded under this app name are
// dropped before the anomaly filter below, so this rule never evaluates them
// and they need coverage from a separate control.)
| where ActivityInsights.App !~ "Microsoft Azure Active Directory Connect"
// Keep only rows to which UEBA assigned an investigation priority above zero.
| where InvestigationPriority > 0
// Split the UPN on "@" into Name and UPNSuffix columns for Account entity
// mapping. split() returns a dynamic array, so both new columns are dynamic.
// NOTE(review): wrap each element in tostring() if the mapped entity does not
// resolve as expected -- confirm against a generated alert.
| extend Name = split(UserPrincipalName, "@")[0], UPNSuffix = split(UserPrincipalName, "@")[1]
# Scheduled analytic rule: alerts when the UEBA BehaviorAnalytics table records
# a logon by the Entra ID Connect directory-sync account that did not come
# through the Connect sync application and carries InvestigationPriority > 0.

# Per-alert title and description. {{UserPrincipalName}} and
# {{SourceIPAddress}} are placeholders filled from the matching result row.
# NOTE(review): these strings still say "AAD Connect" / "Azure AD Connect"
# while `name` and `description` say "Entra ID Connect"; the description text
# also contains the typo "came was from" and trailing spaces that are part of
# the block-scalar value.
alertDetailsOverride:
  alertDisplayNameFormat: Suspicious Sign In by AAD Connect Sync Account {{UserPrincipalName}} from {{SourceIPAddress}}
  alertDescriptionFormat: |
    This query looks for sign ins by the Azure AD Connect Sync account to Azure where properties about the logon are anomalous.
    This query uses Microsoft Sentinel's UEBA features to detect these suspicious properties.
    A threat actor may attempt to steal the Sync account credentials and use them to access Azure resources. This alert should be 
    reviewed to ensure that the log in came was from a legitimate source.
    In this case {{UserPrincipalName}} logged in from {{SourceIPAddress}}.    
status: Available
# Together with `triggerOperator: gt`, any non-empty result set raises an alert.
triggerThreshold: 0
# MITRE ATT&CK T1078.004 = Valid Accounts: Cloud Accounts.
# NOTE(review): the ARM template generated from this rule lists only the parent
# technique T1078 -- confirm the sub-technique survives deployment if you
# report on it.
relevantTechniques:
- T1078.004
# Community-authored and community-supported content.
metadata:
  support:
    tier: Community
  categories:
    domains:
    - Identity
    - Security - Threat Protection
  author:
    name: Microsoft Security Community
  source:
    kind: Community
# Upstream location of this rule definition.
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/BehaviorAnalytics/SuspiciousSigninByAADConnectAccount.yaml
# The query reads only the BehaviorAnalytics table.
# NOTE(review): that table is populated by Sentinel UEBA; if UEBA is not
# enabled the rule presumably returns nothing -- confirm in the workspace.
requiredDataConnectors:
- dataTypes:
  - BehaviorAnalytics
  connectorId: BehaviorAnalytics
# Each run looks back one hour; `queryFrequency` below is also 1h, so
# consecutive runs do not overlap.
# NOTE(review): confirm BehaviorAnalytics rows arrive within that window,
# otherwise late rows fall between runs.
queryPeriod: 1h
tactics:
- InitialAccess
severity: Medium
triggerOperator: gt
# `|` already makes this a literal block scalar, so the single quotes wrapping
# the text below are literal characters and end up in the rule description.
# The text also carries the typo "came was from".
description: |
  'This query looks for sign ins by the Microsoft Entra ID Connect Sync account to Azure where properties about the logon are anomalous.
  This query uses Microsoft Sentinel's UEBA features to detect these suspicious properties.
  A threat actor may attempt to steal the Sync account credentials and use them to access Azure resources. This alert should be 
  reviewed to ensure that the log in came was from a legitimate source.'  
# KQL detection logic: logon rows for the "Sync_*" directory-sync account,
# excluding rows recorded under the Connect sync application name, kept only
# when InvestigationPriority > 0. Rows recorded under the excluded app name are
# never evaluated by this rule and need coverage from a separate control.
# The final `extend` derives Name and UPNSuffix for the Account entity below;
# split() yields dynamic values (NOTE(review): confirm the mapping resolves,
# or wrap in tostring()).
query: |
  BehaviorAnalytics
  // User modification is expected from this account so focus on logons
  | where ActivityType =~ "LogOn"
  | where UserName startswith "Sync_" and UsersInsights.AccountDisplayName =~ "On-Premises Directory Synchronization Service Account"
  // Filter out this expected activity
  | where ActivityInsights.App !~ "Microsoft Azure Active Directory Connect"
  | where InvestigationPriority > 0
  | extend Name = split(UserPrincipalName, "@")[0], UPNSuffix = split(UserPrincipalName, "@")[1]  
name: Suspicious Sign In by Entra ID Connect Sync Account
version: 1.0.3
kind: Scheduled
id: 2cd8b3d5-c9e0-4be3-80f7-0469d511c3f6
queryFrequency: 1h
# Result columns attached to the alert as entities: the sync account
# (full UPN plus its two halves), the sign-in source IP, and the
# DestinationDevice column as a host.
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: UserPrincipalName
    identifier: FullName
  - columnName: Name
    identifier: Name
  - columnName: UPNSuffix
    identifier: UPNSuffix
- entityType: IP
  fieldMappings:
  - columnName: SourceIPAddress
    identifier: Address
- entityType: Host
  fieldMappings:
  - columnName: DestinationDevice
    identifier: HostName
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2023-02-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/2cd8b3d5-c9e0-4be3-80f7-0469d511c3f6')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/2cd8b3d5-c9e0-4be3-80f7-0469d511c3f6')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "This query looks for sign ins by the Azure AD Connect Sync account to Azure where properties about the logon are anomalous.\nThis query uses Microsoft Sentinel's UEBA features to detect these suspicious properties.\nA threat actor may attempt to steal the Sync account credentials and use them to access Azure resources. This alert should be \nreviewed to ensure that the log in came was from a legitimate source.\nIn this case {{UserPrincipalName}} logged in from {{SourceIPAddress}}.\n",
          "alertDisplayNameFormat": "Suspicious Sign In by AAD Connect Sync Account {{UserPrincipalName}} from {{SourceIPAddress}}"
        },
        "alertRuleTemplateName": "2cd8b3d5-c9e0-4be3-80f7-0469d511c3f6",
        "customDetails": null,
        "description": "'This query looks for sign ins by the Microsoft Entra ID Connect Sync account to Azure where properties about the logon are anomalous.\nThis query uses Microsoft Sentinel's UEBA features to detect these suspicious properties.\nA threat actor may attempt to steal the Sync account credentials and use them to access Azure resources. This alert should be \nreviewed to ensure that the log in came was from a legitimate source.'\n",
        "displayName": "Suspicious Sign In by Entra ID Connect Sync Account",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "UserPrincipalName",
                "identifier": "FullName"
              },
              {
                "columnName": "Name",
                "identifier": "Name"
              },
              {
                "columnName": "UPNSuffix",
                "identifier": "UPNSuffix"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "SourceIPAddress",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "DestinationDevice",
                "identifier": "HostName"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/BehaviorAnalytics/SuspiciousSigninByAADConnectAccount.yaml",
        "query": "BehaviorAnalytics\n// User modification is expected from this account so focus on logons\n| where ActivityType =~ \"LogOn\"\n| where UserName startswith \"Sync_\" and UsersInsights.AccountDisplayName =~ \"On-Premises Directory Synchronization Service Account\"\n// Filter out this expected activity\n| where ActivityInsights.App !~ \"Microsoft Azure Active Directory Connect\"\n| where InvestigationPriority > 0\n| extend Name = split(UserPrincipalName, \"@\")[0], UPNSuffix = split(UserPrincipalName, \"@\")[1]\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "status": "Available",
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess"
        ],
        "techniques": [
          "T1078"
        ],
        "templateVersion": "1.0.3",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}