Suspicious Service Principal creation activity
| Id | 6852d9da-8015-4b95-8ecf-d9572ee0395d |
| Rulename | Suspicious Service Principal creation activity |
| Description | This alert will detect creation of an SPN, permissions granted, credentials created, activity and deletion of the SPN in a time frame (default 10 minutes) |
| Severity | Low |
| Tactics | CredentialAccess PrivilegeEscalation InitialAccess |
| Techniques | T1078 T1528 |
| Required data connectors | AzureActiveDirectory |
| Kind | Scheduled |
| Query frequency | 1h |
| Query period | 1h10m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Entra ID/Analytic Rules/SuspiciousServicePrincipalcreationactivity.yaml |
| Version | 1.0.4 |
| Arm template | 6852d9da-8015-4b95-8ecf-d9572ee0395d.json |
let queryfrequency = 1h;
let wait_for_deletion = 10m;
let account_created =
AuditLogs
| where ActivityDisplayName == "Add service principal"
| where Result == "success"
| extend AppID = tostring(AdditionalDetails[1].value)
| extend creationTime = ActivityDateTime
| extend CreatorUserPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
| extend CreatorIPAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress);
let account_activity =
AADServicePrincipalSignInLogs
| extend Activities = pack("ActivityTime", TimeGenerated ,"IpAddress", IPAddress, "ResourceDisplayName", ResourceDisplayName)
| extend AppID = AppId
| summarize make_list(Activities) by AppID;
let account_deleted =
AuditLogs
| where OperationName == "Remove service principal"
| where Result == "success"
| extend AppID = tostring(AdditionalDetails[1].value)
| extend deletionTime = ActivityDateTime
| extend DeleterUserPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
| extend DeleterIPAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress);
let account_credentials =
AuditLogs
| where OperationName has_all ("Update application", "Certificates and secrets management")
| where Result == "success"
| extend AppID = tostring(AdditionalDetails[1].value)
| extend credentialCreationTime = ActivityDateTime;
let roles_assigned =
AuditLogs
| where ActivityDisplayName == "Add app role assignment to service principal"
| extend AppID = tostring(TargetResources[1].displayName)
| extend AssignedRole = iff(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].displayName)=="AppRole.Value", tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].newValue))),"")
| extend AssignedRoles = pack("Role", AssignedRole)
| summarize make_list(AssignedRoles) by AppID;
account_created
| where TimeGenerated between (ago(wait_for_deletion+queryfrequency)..ago(wait_for_deletion))
| join kind= inner (account_activity) on AppID
| join kind= inner (account_deleted) on AppID
| join kind= inner (account_credentials) on AppID
| join kind= inner (roles_assigned) on AppID
| where deletionTime - creationTime between (time(0s)..wait_for_deletion)
| extend AliveTime = deletionTime - creationTime
| project AADTenantId, AppID, creationTime, deletionTime, CreatorUserPrincipalName, DeleterUserPrincipalName, CreatorIPAddress, DeleterIPAddress, list_Activities, list_AssignedRoles, AliveTime
| extend CreatorName = tostring(split(CreatorUserPrincipalName, "@")[0]), CreatorUPNSuffix = tostring(split(CreatorUserPrincipalName, "@")[1])
| extend DeleterName = tostring(split(DeleterUserPrincipalName, "@")[0]), DeleterSuffix = tostring(split(DeleterUserPrincipalName, "@")[1])
relevantTechniques:
- T1078
- T1528
queryFrequency: 1h
description: |
'This alert will detect creation of an SPN, permissions granted, credentials created, activity and deletion of the SPN in a time frame (default 10 minutes)'
severity: Low
entityMappings:
- fieldMappings:
- identifier: FullName
columnName: CreatorUserPrincipalName
- identifier: Name
columnName: CreatorName
- identifier: UPNSuffix
columnName: CreatorUPNSuffix
entityType: Account
- fieldMappings:
- identifier: FullName
columnName: DeleterUserPrincipalName
- identifier: Name
columnName: DeleterName
- identifier: UPNSuffix
columnName: DeleterSuffix
entityType: Account
- fieldMappings:
- identifier: Address
columnName: CreatorIPAddress
entityType: IP
- fieldMappings:
- identifier: Address
columnName: DeleterIPAddress
entityType: IP
triggerThreshold: 0
tactics:
- CredentialAccess
- PrivilegeEscalation
- InitialAccess
requiredDataConnectors:
- dataTypes:
- AuditLogs
- AADServicePrincipalSignInLogs
connectorId: AzureActiveDirectory
queryPeriod: 1h10m
id: 6852d9da-8015-4b95-8ecf-d9572ee0395d
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Entra ID/Analytic Rules/SuspiciousServicePrincipalcreationactivity.yaml
query: |
let queryfrequency = 1h;
let wait_for_deletion = 10m;
let account_created =
AuditLogs
| where ActivityDisplayName == "Add service principal"
| where Result == "success"
| extend AppID = tostring(AdditionalDetails[1].value)
| extend creationTime = ActivityDateTime
| extend CreatorUserPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
| extend CreatorIPAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress);
let account_activity =
AADServicePrincipalSignInLogs
| extend Activities = pack("ActivityTime", TimeGenerated ,"IpAddress", IPAddress, "ResourceDisplayName", ResourceDisplayName)
| extend AppID = AppId
| summarize make_list(Activities) by AppID;
let account_deleted =
AuditLogs
| where OperationName == "Remove service principal"
| where Result == "success"
| extend AppID = tostring(AdditionalDetails[1].value)
| extend deletionTime = ActivityDateTime
| extend DeleterUserPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
| extend DeleterIPAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress);
let account_credentials =
AuditLogs
| where OperationName has_all ("Update application", "Certificates and secrets management")
| where Result == "success"
| extend AppID = tostring(AdditionalDetails[1].value)
| extend credentialCreationTime = ActivityDateTime;
let roles_assigned =
AuditLogs
| where ActivityDisplayName == "Add app role assignment to service principal"
| extend AppID = tostring(TargetResources[1].displayName)
| extend AssignedRole = iff(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].displayName)=="AppRole.Value", tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].newValue))),"")
| extend AssignedRoles = pack("Role", AssignedRole)
| summarize make_list(AssignedRoles) by AppID;
account_created
| where TimeGenerated between (ago(wait_for_deletion+queryfrequency)..ago(wait_for_deletion))
| join kind= inner (account_activity) on AppID
| join kind= inner (account_deleted) on AppID
| join kind= inner (account_credentials) on AppID
| join kind= inner (roles_assigned) on AppID
| where deletionTime - creationTime between (time(0s)..wait_for_deletion)
| extend AliveTime = deletionTime - creationTime
| project AADTenantId, AppID, creationTime, deletionTime, CreatorUserPrincipalName, DeleterUserPrincipalName, CreatorIPAddress, DeleterIPAddress, list_Activities, list_AssignedRoles, AliveTime
| extend CreatorName = tostring(split(CreatorUserPrincipalName, "@")[0]), CreatorUPNSuffix = tostring(split(CreatorUserPrincipalName, "@")[1])
| extend DeleterName = tostring(split(DeleterUserPrincipalName, "@")[0]), DeleterSuffix = tostring(split(DeleterUserPrincipalName, "@")[1])
name: Suspicious Service Principal creation activity
version: 1.0.4
kind: Scheduled
status: Available