Suspicious Service Principal creation activity
| Id | 6852d9da-8015-4b95-8ecf-d9572ee0395d |
| Rulename | Suspicious Service Principal creation activity |
| Description | This alert will detect creation of an SPN, permissions granted, credentials created, activity and deletion of the SPN in a time frame (default 10 minutes) |
| Severity | Low |
| Tactics | CredentialAccess PrivilegeEscalation InitialAccess |
| Techniques | T1078 T1528 |
| Required data connectors | AzureActiveDirectory |
| Kind | Scheduled |
| Query frequency | 1h |
| Query period | 70m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Entra ID/Analytic Rules/SuspiciousServicePrincipalcreationactivity.yaml |
| Version | 1.0.3 |
| Arm template | 6852d9da-8015-4b95-8ecf-d9572ee0395d.json |
let queryfrequency = 1h;
let wait_for_deletion = 10m;
let account_created =
AuditLogs
| where ActivityDisplayName == "Add service principal"
| where Result == "success"
| extend AppID = tostring(AdditionalDetails[1].value)
| extend creationTime = ActivityDateTime
| extend CreatorUserPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
| extend CreatorIPAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress);
let account_activity =
AADServicePrincipalSignInLogs
| extend Activities = pack("ActivityTime", TimeGenerated ,"IpAddress", IPAddress, "ResourceDisplayName", ResourceDisplayName)
| extend AppID = AppId
| summarize make_list(Activities) by AppID;
let account_deleted =
AuditLogs
| where OperationName == "Remove service principal"
| where Result == "success"
| extend AppID = tostring(AdditionalDetails[1].value)
| extend deletionTime = ActivityDateTime
| extend DeleterUserPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
| extend DeleterIPAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress);
let account_credentials =
AuditLogs
| where OperationName has_all ("Update application", "Certificates and secrets management")
| where Result == "success"
| extend AppID = tostring(AdditionalDetails[1].value)
| extend credentialCreationTime = ActivityDateTime;
let roles_assigned =
AuditLogs
| where ActivityDisplayName == "Add app role assignment to service principal"
| extend AppID = tostring(TargetResources[1].displayName)
| extend AssignedRole = iff(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].displayName)=="AppRole.Value", tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].newValue))),"")
| extend AssignedRoles = pack("Role", AssignedRole)
| summarize make_list(AssignedRoles) by AppID;
account_created
| where TimeGenerated between (ago(wait_for_deletion+queryfrequency)..ago(wait_for_deletion))
| join kind= inner (account_activity) on AppID
| join kind= inner (account_deleted) on AppID
| join kind= inner (account_credentials) on AppID
| join kind= inner (roles_assigned) on AppID
| where deletionTime - creationTime between (time(0s)..wait_for_deletion)
| extend AliveTime = deletionTime - creationTime
| project AADTenantId, AppID, creationTime, deletionTime, CreatorUserPrincipalName, DeleterUserPrincipalName, CreatorIPAddress, DeleterIPAddress, list_Activities, list_AssignedRoles, AliveTime
| extend CreatorName = tostring(split(CreatorUserPrincipalName, "@")[0]), CreatorUPNSuffix = tostring(split(CreatorUserPrincipalName, "@")[1])
| extend DeleterName = tostring(split(DeleterUserPrincipalName, "@")[0]), DeleterSuffix = tostring(split(DeleterUserPrincipalName, "@")[1])
id: 6852d9da-8015-4b95-8ecf-d9572ee0395d
tactics:
- CredentialAccess
- PrivilegeEscalation
- InitialAccess
queryPeriod: 70m
triggerThreshold: 0
name: Suspicious Service Principal creation activity
query: |
let queryfrequency = 1h;
let wait_for_deletion = 10m;
let account_created =
AuditLogs
| where ActivityDisplayName == "Add service principal"
| where Result == "success"
| extend AppID = tostring(AdditionalDetails[1].value)
| extend creationTime = ActivityDateTime
| extend CreatorUserPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
| extend CreatorIPAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress);
let account_activity =
AADServicePrincipalSignInLogs
| extend Activities = pack("ActivityTime", TimeGenerated ,"IpAddress", IPAddress, "ResourceDisplayName", ResourceDisplayName)
| extend AppID = AppId
| summarize make_list(Activities) by AppID;
let account_deleted =
AuditLogs
| where OperationName == "Remove service principal"
| where Result == "success"
| extend AppID = tostring(AdditionalDetails[1].value)
| extend deletionTime = ActivityDateTime
| extend DeleterUserPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
| extend DeleterIPAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress);
let account_credentials =
AuditLogs
| where OperationName has_all ("Update application", "Certificates and secrets management")
| where Result == "success"
| extend AppID = tostring(AdditionalDetails[1].value)
| extend credentialCreationTime = ActivityDateTime;
let roles_assigned =
AuditLogs
| where ActivityDisplayName == "Add app role assignment to service principal"
| extend AppID = tostring(TargetResources[1].displayName)
| extend AssignedRole = iff(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].displayName)=="AppRole.Value", tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].newValue))),"")
| extend AssignedRoles = pack("Role", AssignedRole)
| summarize make_list(AssignedRoles) by AppID;
account_created
| where TimeGenerated between (ago(wait_for_deletion+queryfrequency)..ago(wait_for_deletion))
| join kind= inner (account_activity) on AppID
| join kind= inner (account_deleted) on AppID
| join kind= inner (account_credentials) on AppID
| join kind= inner (roles_assigned) on AppID
| where deletionTime - creationTime between (time(0s)..wait_for_deletion)
| extend AliveTime = deletionTime - creationTime
| project AADTenantId, AppID, creationTime, deletionTime, CreatorUserPrincipalName, DeleterUserPrincipalName, CreatorIPAddress, DeleterIPAddress, list_Activities, list_AssignedRoles, AliveTime
| extend CreatorName = tostring(split(CreatorUserPrincipalName, "@")[0]), CreatorUPNSuffix = tostring(split(CreatorUserPrincipalName, "@")[1])
| extend DeleterName = tostring(split(DeleterUserPrincipalName, "@")[0]), DeleterSuffix = tostring(split(DeleterUserPrincipalName, "@")[1])
severity: Low
triggerOperator: gt
kind: Scheduled
relevantTechniques:
- T1078
- T1528
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Entra ID/Analytic Rules/SuspiciousServicePrincipalcreationactivity.yaml
queryFrequency: 1h
requiredDataConnectors:
- connectorId: AzureActiveDirectory
dataTypes:
- AuditLogs
- AADServicePrincipalSignInLogs
description: |
'This alert will detect creation of an SPN, permissions granted, credentials created, activity and deletion of the SPN in a time frame (default 10 minutes)'
status: Available
version: 1.0.3
entityMappings:
- fieldMappings:
- columnName: CreatorUserPrincipalName
identifier: FullName
- columnName: CreatorName
identifier: Name
- columnName: CreatorUPNSuffix
identifier: UPNSuffix
entityType: Account
- fieldMappings:
- columnName: DeleterUserPrincipalName
identifier: FullName
- columnName: DeleterName
identifier: Name
- columnName: DeleterSuffix
identifier: UPNSuffix
entityType: Account
- fieldMappings:
- columnName: CreatorIPAddress
identifier: Address
entityType: IP
- fieldMappings:
- columnName: DeleterIPAddress
identifier: Address
entityType: IP
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/6852d9da-8015-4b95-8ecf-d9572ee0395d')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/6852d9da-8015-4b95-8ecf-d9572ee0395d')]",
"properties": {
"alertRuleTemplateName": "6852d9da-8015-4b95-8ecf-d9572ee0395d",
"customDetails": null,
"description": "'This alert will detect creation of an SPN, permissions granted, credentials created, activity and deletion of the SPN in a time frame (default 10 minutes)'\n",
"displayName": "Suspicious Service Principal creation activity",
"enabled": true,
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "CreatorUserPrincipalName",
"identifier": "FullName"
},
{
"columnName": "CreatorName",
"identifier": "Name"
},
{
"columnName": "CreatorUPNSuffix",
"identifier": "UPNSuffix"
}
]
},
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "DeleterUserPrincipalName",
"identifier": "FullName"
},
{
"columnName": "DeleterName",
"identifier": "Name"
},
{
"columnName": "DeleterSuffix",
"identifier": "UPNSuffix"
}
]
},
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "CreatorIPAddress",
"identifier": "Address"
}
]
},
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "DeleterIPAddress",
"identifier": "Address"
}
]
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Entra ID/Analytic Rules/SuspiciousServicePrincipalcreationactivity.yaml",
"query": "let queryfrequency = 1h;\nlet wait_for_deletion = 10m;\nlet account_created =\n AuditLogs \n | where ActivityDisplayName == \"Add service principal\"\n | where Result == \"success\"\n | extend AppID = tostring(AdditionalDetails[1].value)\n | extend creationTime = ActivityDateTime\n | extend CreatorUserPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\n | extend CreatorIPAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress);\nlet account_activity =\n AADServicePrincipalSignInLogs\n | extend Activities = pack(\"ActivityTime\", TimeGenerated ,\"IpAddress\", IPAddress, \"ResourceDisplayName\", ResourceDisplayName)\n | extend AppID = AppId\n | summarize make_list(Activities) by AppID;\nlet account_deleted =\n AuditLogs \n | where OperationName == \"Remove service principal\"\n | where Result == \"success\"\n | extend AppID = tostring(AdditionalDetails[1].value)\n | extend deletionTime = ActivityDateTime\n | extend DeleterUserPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\n | extend DeleterIPAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress);\nlet account_credentials =\n AuditLogs\n | where OperationName has_all (\"Update application\", \"Certificates and secrets management\")\n | where Result == \"success\"\n | extend AppID = tostring(AdditionalDetails[1].value)\n | extend credentialCreationTime = ActivityDateTime;\nlet roles_assigned =\n AuditLogs\n | where ActivityDisplayName == \"Add app role assignment to service principal\"\n | extend AppID = tostring(TargetResources[1].displayName)\n | extend AssignedRole = iff(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].displayName)==\"AppRole.Value\", tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].newValue))),\"\")\n | extend AssignedRoles = pack(\"Role\", AssignedRole)\n | summarize make_list(AssignedRoles) by AppID;\naccount_created\n| where TimeGenerated between (ago(wait_for_deletion+queryfrequency)..ago(wait_for_deletion))\n| join kind= inner (account_activity) on AppID\n| join kind= inner (account_deleted) on AppID\n| join kind= inner (account_credentials) on AppID\n| join kind= inner (roles_assigned) on AppID\n| where deletionTime - creationTime between (time(0s)..wait_for_deletion)\n| extend AliveTime = deletionTime - creationTime\n| project AADTenantId, AppID, creationTime, deletionTime, CreatorUserPrincipalName, DeleterUserPrincipalName, CreatorIPAddress, DeleterIPAddress, list_Activities, list_AssignedRoles, AliveTime\n| extend CreatorName = tostring(split(CreatorUserPrincipalName, \"@\")[0]), CreatorUPNSuffix = tostring(split(CreatorUserPrincipalName, \"@\")[1])\n| extend DeleterName = tostring(split(DeleterUserPrincipalName, \"@\")[0]), DeleterSuffix = tostring(split(DeleterUserPrincipalName, \"@\")[1])\n",
"queryFrequency": "PT1H",
"queryPeriod": "PT70M",
"severity": "Low",
"status": "Available",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"CredentialAccess",
"InitialAccess",
"PrivilegeEscalation"
],
"techniques": [
"T1078",
"T1528"
],
"templateVersion": "1.0.3",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}