Active Directory service accounts whose last observed logon is more than 14 days old may be dormant or abandoned. Such accounts are attractive to adversaries: their passwords are rarely rotated, nobody notices when they are used, and they often carry broad permissions, which makes them a convenient foothold for persistence or privilege escalation. Hunting for them in Azure Sentinel (now Microsoft Sentinel) surfaces candidates for disablement or cleanup and reduces the attack surface. Two caveats apply to the query below. First, IdentityLogonEvents only contains authentications observed by Microsoft Defender for Identity and related Microsoft 365 Defender sources, so an account with no logon at all inside the workspace retention period never appears in the results and has to be found from the directory itself (for example via the lastLogonTimestamp attribute). Second, "inactive" here means no logon seen in this telemetry, not that the account is disabled in AD.
KQL Query

```kql
IdentityLogonEvents
| where AccountName startswith "XXX"   // replace XXX with the prefix your service-account naming convention uses
| summarize arg_max(Timestamp, DeviceName, LogonType) by AccountName
| where Timestamp < ago(14d)
| project AccountName, LastLogon = Timestamp, LastDevice = DeviceName, LastLogonType = LogonType
```

Group by AccountName only. Summarising by AccountName, LogonType and DeviceName yields one row per account/device/logon-type combination, so an account that authenticated yesterday on one host still shows up as "inactive" for every other host it touched more than 14 days ago. Grouping by AccountName alone reports the account's most recent logon anywhere, which is the question being asked; arg_max keeps the device and logon type of that most recent logon for triage.
Hunting query YAML

```yaml
id: 9131b716-334f-416e-a50f-809927d63b42
name: Detect-Not-Active-AD-User-Accounts
description: |
  Detect Active Directory service accounts that are not active because their last observed logon was more than 14 days ago.
  Replace XXX in the 'where AccountName startswith' line with the prefix your naming convention uses for service accounts.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - IdentityLogonEvents
query: |
  IdentityLogonEvents
  | where AccountName startswith "XXX"
  | summarize arg_max(Timestamp, DeviceName, LogonType) by AccountName
  | where Timestamp < ago(14d)
  | project AccountName, LastLogon = Timestamp, LastDevice = DeviceName, LastLogonType = LogonType
```
| Sentinel Table | Notes |
|---|---|
| IdentityLogonEvents | Populated by the Microsoft 365 Defender connector (connectorId MicrosoftThreatProtection); make sure the IdentityLogonEvents data type is enabled. The query can only see logons that fall inside the workspace retention period. |
Known false positives

Each scenario below describes a legitimately infrequent logon that the 14-day threshold will report. The suggested exclusions are KQL fragments to add to the query; the account names in them are placeholders to be replaced with your own.

Scenario: Scheduled Job Logon
Description: A service account used by a scheduled job (e.g., SQL Server Agent, Windows Task Scheduler) logs on every 14 days or less often to perform maintenance tasks.
Filter/Exclusion: Exclude the accounts that run those jobs, for example `| where AccountName !in ("SQLAgent", "TaskScheduler")`, or keep the list in a Sentinel watchlist and exclude it with a join.

Scenario: Backup Job Logon
Description: A backup tool (e.g., Veeam, Commvault) logs on to a domain controller to perform backups, which may happen every 14 days or less often.
Filter/Exclusion: Exclude the backup tool's accounts, for example `| where AccountName !in ("VeeamBackup", "Commvault")`. IdentityLogonEvents carries no process information, so confirming that a logon belongs to a backup job requires correlating with DeviceProcessEvents on the same device and time window.

Scenario: Admin Task Execution
Description: An admin account (e.g., AdminUser) is used for occasional one-off administrative tasks (e.g., a group policy update or a registry change) and logs on every 14 days or less often.
Filter/Exclusion: Exclude known admin accounts, for example `| where AccountName !in ("AdminUser")`, or exclude members of privileged groups such as Domain Admins by enriching with group membership (for example from the IdentityInfo table, where available). The presence of administrative tools (e.g., gpupdate, regedit) can only be checked in DeviceProcessEvents, not in IdentityLogonEvents. Rarely used privileged accounts are exactly what this hunt is meant to surface, so review them before excluding them.

Scenario: Certificate Renewal Service
Description: A certificate renewal service (e.g., certsrv or a third-party tool) logs on to renew expiring certificates, which may happen every 14 days or less often.
Filter/Exclusion: Exclude the certificate service accounts, for example `| where AccountName !in ("CertRenewal", "certsrv")`. Certificate-related process activity (e.g., certutil) is visible in DeviceProcessEvents, not in IdentityLogonEvents.
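The following is an added example and is not part of the original hunting query or of the Sentinel content it was taken from. It replays the per-account logic of the query above together with the allowlist-style exclusion suggested for the false-positive scenarios, over a handful of constructed logon rows supplied with `datatable`, so it can be pasted into any Kusto query window (the Microsoft Sentinel Logs blade or the Azure Data Explorer web UI) without real IdentityLogonEvents data. The `svc-` prefix, the account and device names, the fixed `ReferenceTime` and the `KnownInfrequent` list are assumptions chosen for the illustration.

```kql
// Added example: constructed sample rows standing in for IdentityLogonEvents (not real telemetry).
// datatable rows must be literals, so a fixed ReferenceTime replaces now() for the illustration.
let ReferenceTime = datetime(2024-06-01 00:00:00);      // assumption: use now() in production
let InactiveThreshold = 14d;
let ServiceAccountPrefix = "svc-";                        // assumption: your naming convention
// Hypothetical allowlist of accounts known to log on rarely (backup, certificate renewal jobs).
let KnownInfrequent = dynamic(["svc-veeam", "svc-certrenew"]);
let SampleLogons = datatable(Timestamp:datetime, AccountName:string, DeviceName:string, LogonType:string)
[
    datetime(2024-05-30 08:15:00), "svc-sql01",  "DC01",  "Network",     // recent logon
    datetime(2024-04-10 02:00:00), "svc-sql01",  "FS02",  "Service",     // same account, stale on another host
    datetime(2024-05-20 01:30:00), "svc-backup", "DC01",  "Batch",       // inside the window
    datetime(2024-03-02 11:45:00), "svc-legacy", "APP07", "Interactive", // stale: should be reported
    datetime(2024-04-01 03:00:00), "svc-veeam",  "DC01",  "Service",     // stale but allowlisted
    datetime(2024-05-31 09:10:00), "alice",      "WS11",  "Interactive", // not a service account
    datetime(2024-05-01 06:00:00), "svc-report", "APP03", "Batch"        // stale: should be reported
];
SampleLogons                                              // production: IdentityLogonEvents
| where AccountName startswith ServiceAccountPrefix       // keep only service accounts
| where AccountName !in (KnownInfrequent)                 // drop accounts that legitimately log on rarely
// One row per account, carrying the device and logon type of its most recent logon.
// Grouping by DeviceName as well would report svc-sql01/FS02 as stale even though the account is active.
| summarize arg_max(Timestamp, DeviceName, LogonType) by AccountName
| where Timestamp < ReferenceTime - InactiveThreshold     // production: ago(14d)
| project AccountName,
          LastLogon = Timestamp,
          LastDevice = DeviceName,
          LastLogonType = LogonType,
          DaysInactive = datetime_diff("day", ReferenceTime, Timestamp)
| order by DaysInactive desc
```

With these rows the result contains svc-legacy and svc-report only: svc-sql01 is active because its latest logon anywhere is recent, svc-backup is inside the window, svc-veeam is removed by the allowlist and alice never matches the prefix. To run it against real data, delete the `SampleLogons` datatable, start the pipeline with `IdentityLogonEvents`, and replace `ReferenceTime` with `now()`; the allowlist can be moved to a Sentinel watchlist when it outgrows an inline `dynamic` array.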