What Changed
Enhanced the AccountCreatedandDeletedinShortTimeframe analytic rule with three key improvements: extended query period from 1 day to 7 days, normalized UPN parsing with case-insensitive handling, and switched correlation from mutable UPN to immutable UserId.
Detection Logic
- Primary data source: AuditLogs (Entra ID audit events)
- Core logic: Correlates “Add user” and “Delete user” operations within a 7-day window using the immutable UserId as the join key, with normalized UPN extraction that handles optional hex prefixes and case variations
- Entity types mapped: Account, IP
Security Impact
The previous 1-day detection window created a significant blind spot for sophisticated adversaries employing timing-based evasion tactics. Attackers could create temporary accounts for persistence or privilege escalation, then remove them outside the narrow detection timeframe to avoid correlation.
Key improvements:
- Timing Evasion Resistance: 7-day lookback period captures delayed cleanup operations that bypass short detection windows
- Correlation Reliability: UserId-based joining eliminates false negatives caused by UPN mutations (prefix additions, case changes)
- Data Fidelity: Normalized UPN parsing handles Microsoft’s internal identifier variations consistently
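The following KQL is an added illustration of the detection logic and the three improvements listed above; it is not the rule's own query from the YAML file. It assumes the standard Sentinel AuditLogs schema (OperationName, Result, TargetResources, InitiatedBy) and treats the optional 32-hex-character prefix as the object id that Entra ID prepends to a deleted user's UPN, which is why the join is done on TargetResources.id rather than on the UPN.

```kql
// Added example, not the analytic rule's own query.
// Assumed: standard Sentinel AuditLogs columns (OperationName, Result,
// TargetResources, InitiatedBy). The window values mirror the description:
// the rule runs daily but looks back 7 days for the matching "Add user".
let queryfrequency = 1d;   // how often the rule runs (deletes seen since last run)
let queryperiod = 7d;      // lookback for the creation event (was 1d before this change)
// Normalize a UPN: strip an optional 32-hex-char prefix (object id that
// Entra ID prepends to a deleted user's UPN) and lowercase the remainder so
// "ABCD...1234user@contoso.com" and "User@Contoso.com" compare equal.
let normalize_upn = (upn: string) {
    tolower(extract(@"^(?:[0-9a-fA-F]{32})?(.+)$", 1, upn))
};
let created = AuditLogs
    | where TimeGenerated > ago(queryperiod)
    | where OperationName =~ "Add user" and Result =~ "success"
    | mv-expand TargetResources
    | where tostring(TargetResources.type) =~ "User"
    | extend UserId = tostring(TargetResources.id),              // immutable join key
             UserPrincipalName = normalize_upn(tostring(TargetResources.userPrincipalName)),
             CreatedBy = tostring(InitiatedBy.user.userPrincipalName),
             CreatedFromIp = tostring(InitiatedBy.user.ipAddress),
             CreatedTime = TimeGenerated
    | project CreatedTime, UserId, UserPrincipalName, CreatedBy, CreatedFromIp;
let deleted = AuditLogs
    | where TimeGenerated > ago(queryfrequency)
    | where OperationName =~ "Delete user" and Result =~ "success"
    | mv-expand TargetResources
    | where tostring(TargetResources.type) =~ "User"
    | extend UserId = tostring(TargetResources.id),
             DeletedUPN = normalize_upn(tostring(TargetResources.userPrincipalName)),
             DeletedBy = tostring(InitiatedBy.user.userPrincipalName),
             DeletedFromIp = tostring(InitiatedBy.user.ipAddress),
             DeletedTime = TimeGenerated
    | project DeletedTime, UserId, DeletedUPN, DeletedBy, DeletedFromIp;
// Join on UserId, not on the UPN: a UPN that changed case or gained the
// deleted-object prefix would otherwise silently drop the match.
created
| join kind=inner deleted on UserId
| where DeletedTime >= CreatedTime
| extend AccountLifetimeHours = datetime_diff("hour", DeletedTime, CreatedTime)
| project-away UserId1
| project CreatedTime, DeletedTime, AccountLifetimeHours, UserId,
          UserPrincipalName, DeletedUPN, CreatedBy, CreatedFromIp, DeletedBy, DeletedFromIp
| order by AccountLifetimeHours asc
```

AccountLifetimeHours makes the "delayed cleanup" case visible in the results: an account created on day one and deleted on day six now surfaces, where a 1-day lookback would have seen only the deletion. The UPN columns are kept for the Account entity mapping and for analyst context, but nothing in the correlation depends on them.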
This closes a detection gap for T1078 (Valid Accounts) and T1136.003 (Create Account: Cloud Account) techniques where adversaries create temporary privileged accounts for lateral movement or persistence, then clean up evidence through delayed deletion.
MITRE Mapping
- T1078: Valid Accounts - Detection of temporary account abuse patterns
- T1136.003: Create Account: Cloud Account - Rapid creation/deletion cycles for evasion
Affected Files
Solutions/Microsoft Entra ID/Analytic Rules/AccountCreatedandDeletedinShortTimeframe.yaml
Workbooks/WorkbooksMetadata.json
(packaging artefacts: 3.3.10.zip, ReleaseNotes.md, mainTemplate.json)