Suspicious Service Principal creation activity
| Id | 6852d9da-8015-4b95-8ecf-d9572ee0395d |
| Rulename | Suspicious Service Principal creation activity |
| Description | This alert will detect creation of an SPN, permissions granted, credentials created, activity and deletion of the SPN in a time frame (default 10 minutes) |
| Severity | Low |
| Tactics | CredentialAccess PrivilegeEscalation InitialAccess |
| Techniques | T1078 T1528 |
| Required data connectors | AzureActiveDirectory |
| Kind | Scheduled |
| Query frequency | 1h |
| Query period | 1h10m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Entra ID/Analytic Rules/SuspiciousServicePrincipalcreationactivity.yaml |
| Version | 1.0.4 |
| Arm template | 6852d9da-8015-4b95-8ecf-d9572ee0395d.json |
let queryfrequency = 1h;
let wait_for_deletion = 10m;
let account_created =
AuditLogs
| where ActivityDisplayName == "Add service principal"
| where Result == "success"
| extend AppID = tostring(AdditionalDetails[1].value)
| extend creationTime = ActivityDateTime
| extend CreatorUserPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
| extend CreatorIPAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress);
let account_activity =
AADServicePrincipalSignInLogs
| extend Activities = pack("ActivityTime", TimeGenerated ,"IpAddress", IPAddress, "ResourceDisplayName", ResourceDisplayName)
| extend AppID = AppId
| summarize make_list(Activities) by AppID;
let account_deleted =
AuditLogs
| where OperationName == "Remove service principal"
| where Result == "success"
| extend AppID = tostring(AdditionalDetails[1].value)
| extend deletionTime = ActivityDateTime
| extend DeleterUserPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
| extend DeleterIPAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress);
let account_credentials =
AuditLogs
| where OperationName has_all ("Update application", "Certificates and secrets management")
| where Result == "success"
| extend AppID = tostring(AdditionalDetails[1].value)
| extend credentialCreationTime = ActivityDateTime;
let roles_assigned =
AuditLogs
| where ActivityDisplayName == "Add app role assignment to service principal"
| extend AppID = tostring(TargetResources[1].displayName)
| extend AssignedRole = iff(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].displayName)=="AppRole.Value", tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].newValue))),"")
| extend AssignedRoles = pack("Role", AssignedRole)
| summarize make_list(AssignedRoles) by AppID;
account_created
| where TimeGenerated between (ago(wait_for_deletion+queryfrequency)..ago(wait_for_deletion))
| join kind= inner (account_activity) on AppID
| join kind= inner (account_deleted) on AppID
| join kind= inner (account_credentials) on AppID
| join kind= inner (roles_assigned) on AppID
| where deletionTime - creationTime between (time(0s)..wait_for_deletion)
| extend AliveTime = deletionTime - creationTime
| project AADTenantId, AppID, creationTime, deletionTime, CreatorUserPrincipalName, DeleterUserPrincipalName, CreatorIPAddress, DeleterIPAddress, list_Activities, list_AssignedRoles, AliveTime
| extend CreatorName = tostring(split(CreatorUserPrincipalName, "@")[0]), CreatorUPNSuffix = tostring(split(CreatorUserPrincipalName, "@")[1])
| extend DeleterName = tostring(split(DeleterUserPrincipalName, "@")[0]), DeleterSuffix = tostring(split(DeleterUserPrincipalName, "@")[1])
version: 1.0.4
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Entra ID/Analytic Rules/SuspiciousServicePrincipalcreationactivity.yaml
status: Available
description: |
'This alert will detect creation of an SPN, permissions granted, credentials created, activity and deletion of the SPN in a time frame (default 10 minutes)'
queryFrequency: 1h
name: Suspicious Service Principal creation activity
tactics:
- CredentialAccess
- PrivilegeEscalation
- InitialAccess
triggerThreshold: 0
id: 6852d9da-8015-4b95-8ecf-d9572ee0395d
query: |
let queryfrequency = 1h;
let wait_for_deletion = 10m;
let account_created =
AuditLogs
| where ActivityDisplayName == "Add service principal"
| where Result == "success"
| extend AppID = tostring(AdditionalDetails[1].value)
| extend creationTime = ActivityDateTime
| extend CreatorUserPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
| extend CreatorIPAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress);
let account_activity =
AADServicePrincipalSignInLogs
| extend Activities = pack("ActivityTime", TimeGenerated ,"IpAddress", IPAddress, "ResourceDisplayName", ResourceDisplayName)
| extend AppID = AppId
| summarize make_list(Activities) by AppID;
let account_deleted =
AuditLogs
| where OperationName == "Remove service principal"
| where Result == "success"
| extend AppID = tostring(AdditionalDetails[1].value)
| extend deletionTime = ActivityDateTime
| extend DeleterUserPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
| extend DeleterIPAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress);
let account_credentials =
AuditLogs
| where OperationName has_all ("Update application", "Certificates and secrets management")
| where Result == "success"
| extend AppID = tostring(AdditionalDetails[1].value)
| extend credentialCreationTime = ActivityDateTime;
let roles_assigned =
AuditLogs
| where ActivityDisplayName == "Add app role assignment to service principal"
| extend AppID = tostring(TargetResources[1].displayName)
| extend AssignedRole = iff(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].displayName)=="AppRole.Value", tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].newValue))),"")
| extend AssignedRoles = pack("Role", AssignedRole)
| summarize make_list(AssignedRoles) by AppID;
account_created
| where TimeGenerated between (ago(wait_for_deletion+queryfrequency)..ago(wait_for_deletion))
| join kind= inner (account_activity) on AppID
| join kind= inner (account_deleted) on AppID
| join kind= inner (account_credentials) on AppID
| join kind= inner (roles_assigned) on AppID
| where deletionTime - creationTime between (time(0s)..wait_for_deletion)
| extend AliveTime = deletionTime - creationTime
| project AADTenantId, AppID, creationTime, deletionTime, CreatorUserPrincipalName, DeleterUserPrincipalName, CreatorIPAddress, DeleterIPAddress, list_Activities, list_AssignedRoles, AliveTime
| extend CreatorName = tostring(split(CreatorUserPrincipalName, "@")[0]), CreatorUPNSuffix = tostring(split(CreatorUserPrincipalName, "@")[1])
| extend DeleterName = tostring(split(DeleterUserPrincipalName, "@")[0]), DeleterSuffix = tostring(split(DeleterUserPrincipalName, "@")[1])
severity: Low
queryPeriod: 1h10m
entityMappings:
- fieldMappings:
- columnName: CreatorUserPrincipalName
identifier: FullName
- columnName: CreatorName
identifier: Name
- columnName: CreatorUPNSuffix
identifier: UPNSuffix
entityType: Account
- fieldMappings:
- columnName: DeleterUserPrincipalName
identifier: FullName
- columnName: DeleterName
identifier: Name
- columnName: DeleterSuffix
identifier: UPNSuffix
entityType: Account
- fieldMappings:
- columnName: CreatorIPAddress
identifier: Address
entityType: IP
- fieldMappings:
- columnName: DeleterIPAddress
identifier: Address
entityType: IP
relevantTechniques:
- T1078
- T1528
kind: Scheduled
requiredDataConnectors:
- connectorId: AzureActiveDirectory
dataTypes:
- AuditLogs
- AADServicePrincipalSignInLogs