Accounts created from non-approved domains may indicate adversary attempts to establish persistent access by creating compromised or malicious accounts. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential compromise and mitigate lateral movement risks.
KQL Query
let core_domains = (SigninLogs
| where TimeGenerated > ago(7d)
| where ResultType == 0
| extend domain = tolower(split(UserPrincipalName, "@")[1])
| summarize by tostring(domain));
let alternative_domains = (SigninLogs
| where TimeGenerated > ago(7d)
| where isnotempty(AlternateSignInName)
| where ResultType == 0
| extend domain = tolower(split(AlternateSignInName, "@")[1])
| summarize by tostring(domain));
AuditLogs
| where TimeGenerated > ago(1d)
| where OperationName =~ "Add User"
| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)
| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)
| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)
| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)
| extend InitiatingIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))
| extend UserAdded = tostring(TargetResources[0].userPrincipalName)
| extend UserAddedDomain = case(
UserAdded has "#EXT#", tostring(split(tostring(split(UserAdded, "#EXT#")[0]), "_")[1]),
UserAdded !has "#EXT#", tostring(split(UserAdded, "@")[1]),
UserAdded)
| where UserAddedDomain !in (core_domains) and UserAddedDomain !in (alternative_domains)
| extend AddedByName = case(
InitiatingUserPrincipalName has "#EXT#", tostring(split(tostring(split(InitiatingUserPrincipalName, "#EXT#")[0]), "_")[0]),
InitiatingUserPrincipalName !has "#EXT#", tostring(split(InitiatingUserPrincipalName, "@")[0]),
InitiatingUserPrincipalName)
| extend AddedByUPNSuffix = case(
InitiatingUserPrincipalName has "#EXT#", tostring(split(tostring(split(InitiatingUserPrincipalName, "#EXT#")[0]), "_")[1]),
InitiatingUserPrincipalName !has "#EXT#", tostring(split(InitiatingUserPrincipalName, "@")[1]),
InitiatingUserPrincipalName)
| extend UserAddedName = case(
UserAdded has "#EXT#", tostring(split(tostring(split(UserAdded, "#EXT#")[0]), "_")[0]),
UserAdded !has "#EXT#", tostring(split(UserAdded, "@")[0]),
UserAdded)
id: 99d589fa-7337-40d7-91a0-c96d0c4fa437
name: Account created from non-approved sources
description: |
'This query looks for an account being created from a domain that is not regularly seen in a tenant.
Attackers may attempt to add accounts from these sources as a means of establishing persistant access to an environment.
Created accounts should be investigated to confirm expected creation.
Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#short-lived-accounts'
severity: Medium
requiredDataConnectors:
- connectorId: AzureActiveDirectory
dataTypes:
- SigninLogs
- AuditLogs
queryFrequency: 1d
queryPeriod: 7d
triggerOperator: gt
triggerThreshold: 0
tactics:
- Persistence
relevantTechniques:
- T1136.003
tags:
- AADSecOpsGuide
query: |
let core_domains = (SigninLogs
| where TimeGenerated > ago(7d)
| where ResultType == 0
| extend domain = tolower(split(UserPrincipalName, "@")[1])
| summarize by tostring(domain));
let alternative_domains = (SigninLogs
| where TimeGenerated > ago(7d)
| where isnotempty(AlternateSignInName)
| where ResultType == 0
| extend domain = tolower(split(AlternateSignInName, "@")[1])
| summarize by tostring(domain));
AuditLogs
| where TimeGenerated > ago(1d)
| where OperationName =~ "Add User"
| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)
| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)
| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)
| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)
| extend InitiatingIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))
| extend UserAdded = tostring(TargetResources[0].userPrincipalName)
| extend UserAddedDomain = case(
UserAdded has "#EXT#", tostring(split(tostring(split(UserAdded, "#EXT#")[0]), "_")[1]),
UserAdded !has "#EXT#", tostring(split(UserAdded, "@")[1]),
UserAdded)
| where UserAddedDomain !in (core_domains) and UserAddedDomain !in (alternative_domains)
| extend AddedByName = case(
InitiatingUserPrincipalName has "#EXT#", tostring(split(tostring(split(InitiatingUserPrincipalName, "#EXT#")[0]), "_")[0]),
InitiatingUserPrincipalName !has "#EXT#", tostring(split(InitiatingUserPrincipalName, "@")[0]),
InitiatingUserPrincipalName)
| extend AddedByUPNSuffix = case(
InitiatingUserPrincipalName has "#EXT#", tostring(split(tostring(split(InitiatingUserPrincipalName, "#EXT#")[0]), "_")[1]),
InitiatingUserPrincipalName !has "#EXT#", tostring(split(InitiatingUserPrincipalName, "@")[1]),
InitiatingUserPrincipalName)
| extend UserAddedName = case(
UserAdded has "#EXT#", tostring(split(tostring(split(UserAdded, "#EXT#")[0]), "_")[0]),
UserAdded !has "#EXT#", tostring(split(UserAdded, "@")[0]),
Use| Sentinel Table | Notes |
|---|---|
AuditLogs | Ensure this data connector is enabled |
SigninLogs | Ensure this data connector is enabled |
Scenario: Scheduled Job for System Maintenance
Description: A system maintenance job runs nightly and creates temporary service accounts from a non-approved domain.
Filter/Exclusion: Exclude accounts created by the Windows Task Scheduler with the job name SystemMaintenanceJob or by the PowerShell script C:\scripts\maintenance.ps1.
Scenario: Admin Task for User Provisioning
Description: An admin uses the Azure AD PowerShell module to create a new user account from a non-approved domain during a bulk provisioning task.
Filter/Exclusion: Exclude account creation events where the userPrincipalName is manually assigned and the createdBy field matches the admin’s service principal (e.g., [email protected]).
Scenario: Third-Party Tool Integration
Description: A third-party identity management tool (e.g., Okta) is configured to create user accounts from a non-approved domain as part of a sync process.
Filter/Exclusion: Exclude account creation events where the sourceSystem field indicates the tool (e.g., Okta or PingIdentity) and the syncJobName is known (e.g., DailyUserSync).
Scenario: Legacy System Migration
Description: A legacy system is being migrated, and temporary accounts are created from a non-approved domain to facilitate the migration process.
Filter/Exclusion: Exclude accounts created by the migration tool (e.g., Microsoft Azure Migrate) or by the migration script (e.g., C:\scripts\migration_tool.bat).
Scenario: Internal Development Environment
Description: A developer creates a test account from a non-approved domain to simulate a production environment for testing.
Filter/Exclusion: Exclude account creation events where the **userPrincipalName