Suspicious Service Principal creation activity
| Id | 6852d9da-8015-4b95-8ecf-d9572ee0395d |
| Rulename | Suspicious Service Principal creation activity |
| Description | This alert will detect creation of an SPN, permissions granted, credentials created, activity and deletion of the SPN in a time frame (default 10 minutes) |
| Severity | Low |
| Tactics | CredentialAccess PrivilegeEscalation InitialAccess |
| Techniques | T1078 T1528 |
| Required data connectors | AzureActiveDirectory |
| Kind | Scheduled |
| Query frequency | 1h |
| Query period | 70m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure Active Directory/Analytic Rules/SuspiciousServicePrincipalcreationactivity.yaml |
| Version | 1.0.2 |
| Arm template | 6852d9da-8015-4b95-8ecf-d9572ee0395d.json |
let queryfrequency = 1h;
let wait_for_deletion = 10m;
let account_created =
AuditLogs
| where ActivityDisplayName == "Add service principal"
| where Result == "success"
| extend AppID = tostring(AdditionalDetails[1].value)
| extend creationTime = ActivityDateTime
| extend userPrincipalName_creator = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
| extend ipAddress_creator = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress);
let account_activity =
AADServicePrincipalSignInLogs
| extend Activities = pack("ActivityTime", TimeGenerated ,"IpAddress", IPAddress, "ResourceDisplayName", ResourceDisplayName)
| extend AppID = AppId
| summarize make_list(Activities) by AppID;
let account_deleted =
AuditLogs
| where OperationName == "Remove service principal"
| where Result == "success"
| extend AppID = tostring(AdditionalDetails[1].value)
| extend deletionTime = ActivityDateTime
| extend userPrincipalName_deleter = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
| extend ipAddress_deleter = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress);
let account_credentials =
AuditLogs
| where OperationName has_all ("Update application", "Certificates and secrets management")
| where Result == "success"
| extend AppID = tostring(AdditionalDetails[1].value)
| extend credentialCreationTime = ActivityDateTime;
let roles_assigned =
AuditLogs
| where ActivityDisplayName == "Add app role assignment to service principal"
| extend AppID = tostring(TargetResources[1].displayName)
| extend AssignedRole = iff(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].displayName)=="AppRole.Value", tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].newValue))),"")
| extend AssignedRoles = pack("Role", AssignedRole)
| summarize make_list(AssignedRoles) by AppID;
account_created
| where TimeGenerated between (ago(wait_for_deletion+queryfrequency)..ago(wait_for_deletion))
| join kind= inner (account_activity) on AppID
| join kind= inner (account_deleted) on AppID
| join kind= inner (account_credentials) on AppID
| join kind= inner (roles_assigned) on AppID
| where deletionTime - creationTime between (time(0s)..wait_for_deletion)
| extend AliveTime = deletionTime - creationTime
| project AADTenantId, AppID, creationTime, deletionTime, userPrincipalName_creator, userPrincipalName_deleter, ipAddress_creator, ipAddress_deleter, list_Activities, list_AssignedRoles, AliveTime
queryPeriod: 70m
version: 1.0.2
relevantTechniques:
- T1078
- T1528
queryFrequency: 1h
kind: Scheduled
name: Suspicious Service Principal creation activity
id: 6852d9da-8015-4b95-8ecf-d9572ee0395d
entityMappings:
- fieldMappings:
- columnName: userPrincipalName_creator
identifier: FullName
entityType: Account
- fieldMappings:
- columnName: userPrincipalName_deleter
identifier: FullName
entityType: Account
- fieldMappings:
- columnName: ipAddress_creator
identifier: Address
entityType: IP
- fieldMappings:
- columnName: ipAddress_deleter
identifier: Address
entityType: IP
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure Active Directory/Analytic Rules/SuspiciousServicePrincipalcreationactivity.yaml
severity: Low
query: |
let queryfrequency = 1h;
let wait_for_deletion = 10m;
let account_created =
AuditLogs
| where ActivityDisplayName == "Add service principal"
| where Result == "success"
| extend AppID = tostring(AdditionalDetails[1].value)
| extend creationTime = ActivityDateTime
| extend userPrincipalName_creator = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
| extend ipAddress_creator = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress);
let account_activity =
AADServicePrincipalSignInLogs
| extend Activities = pack("ActivityTime", TimeGenerated ,"IpAddress", IPAddress, "ResourceDisplayName", ResourceDisplayName)
| extend AppID = AppId
| summarize make_list(Activities) by AppID;
let account_deleted =
AuditLogs
| where OperationName == "Remove service principal"
| where Result == "success"
| extend AppID = tostring(AdditionalDetails[1].value)
| extend deletionTime = ActivityDateTime
| extend userPrincipalName_deleter = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
| extend ipAddress_deleter = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress);
let account_credentials =
AuditLogs
| where OperationName has_all ("Update application", "Certificates and secrets management")
| where Result == "success"
| extend AppID = tostring(AdditionalDetails[1].value)
| extend credentialCreationTime = ActivityDateTime;
let roles_assigned =
AuditLogs
| where ActivityDisplayName == "Add app role assignment to service principal"
| extend AppID = tostring(TargetResources[1].displayName)
| extend AssignedRole = iff(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].displayName)=="AppRole.Value", tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].newValue))),"")
| extend AssignedRoles = pack("Role", AssignedRole)
| summarize make_list(AssignedRoles) by AppID;
account_created
| where TimeGenerated between (ago(wait_for_deletion+queryfrequency)..ago(wait_for_deletion))
| join kind= inner (account_activity) on AppID
| join kind= inner (account_deleted) on AppID
| join kind= inner (account_credentials) on AppID
| join kind= inner (roles_assigned) on AppID
| where deletionTime - creationTime between (time(0s)..wait_for_deletion)
| extend AliveTime = deletionTime - creationTime
| project AADTenantId, AppID, creationTime, deletionTime, userPrincipalName_creator, userPrincipalName_deleter, ipAddress_creator, ipAddress_deleter, list_Activities, list_AssignedRoles, AliveTime
tactics:
- CredentialAccess
- PrivilegeEscalation
- InitialAccess
description: |
'This alert will detect creation of an SPN, permissions granted, credentials created, activity and deletion of the SPN in a time frame (default 10 minutes)'
requiredDataConnectors:
- connectorId: AzureActiveDirectory
dataTypes:
- AuditLogs
- AADServicePrincipalSignInLogs
status: Available
triggerThreshold: 0
triggerOperator: gt
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/6852d9da-8015-4b95-8ecf-d9572ee0395d')]",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/6852d9da-8015-4b95-8ecf-d9572ee0395d')]",
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
"kind": "Scheduled",
"apiVersion": "2022-11-01",
"properties": {
"displayName": "Suspicious Service Principal creation activity",
"description": "'This alert will detect creation of an SPN, permissions granted, credentials created, activity and deletion of the SPN in a time frame (default 10 minutes)'\n",
"severity": "Low",
"enabled": true,
"query": "let queryfrequency = 1h;\nlet wait_for_deletion = 10m;\nlet account_created =\n AuditLogs \n | where ActivityDisplayName == \"Add service principal\"\n | where Result == \"success\"\n | extend AppID = tostring(AdditionalDetails[1].value)\n | extend creationTime = ActivityDateTime\n | extend userPrincipalName_creator = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\n | extend ipAddress_creator = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress);\nlet account_activity =\n AADServicePrincipalSignInLogs\n | extend Activities = pack(\"ActivityTime\", TimeGenerated ,\"IpAddress\", IPAddress, \"ResourceDisplayName\", ResourceDisplayName)\n | extend AppID = AppId\n | summarize make_list(Activities) by AppID;\nlet account_deleted =\n AuditLogs \n | where OperationName == \"Remove service principal\"\n | where Result == \"success\"\n | extend AppID = tostring(AdditionalDetails[1].value)\n | extend deletionTime = ActivityDateTime\n | extend userPrincipalName_deleter = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\n | extend ipAddress_deleter = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress);\nlet account_credentials =\n AuditLogs\n | where OperationName has_all (\"Update application\", \"Certificates and secrets management\")\n | where Result == \"success\"\n | extend AppID = tostring(AdditionalDetails[1].value)\n | extend credentialCreationTime = ActivityDateTime;\nlet roles_assigned =\n AuditLogs\n | where ActivityDisplayName == \"Add app role assignment to service principal\"\n | extend AppID = tostring(TargetResources[1].displayName)\n | extend AssignedRole = iff(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].displayName)==\"AppRole.Value\", tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].newValue))),\"\")\n | extend AssignedRoles = pack(\"Role\", AssignedRole)\n | summarize make_list(AssignedRoles) by AppID;\naccount_created\n| where TimeGenerated between (ago(wait_for_deletion+queryfrequency)..ago(wait_for_deletion))\n| join kind= inner (account_activity) on AppID\n| join kind= inner (account_deleted) on AppID\n| join kind= inner (account_credentials) on AppID\n| join kind= inner (roles_assigned) on AppID\n| where deletionTime - creationTime between (time(0s)..wait_for_deletion)\n| extend AliveTime = deletionTime - creationTime\n| project AADTenantId, AppID, creationTime, deletionTime, userPrincipalName_creator, userPrincipalName_deleter, ipAddress_creator, ipAddress_deleter, list_Activities, list_AssignedRoles, AliveTime\n",
"queryFrequency": "PT1H",
"queryPeriod": "PT70M",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0,
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"CredentialAccess",
"PrivilegeEscalation",
"InitialAccess"
],
"techniques": [
"T1078",
"T1528"
],
"alertRuleTemplateName": "6852d9da-8015-4b95-8ecf-d9572ee0395d",
"customDetails": null,
"entityMappings": [
{
"fieldMappings": [
{
"identifier": "FullName",
"columnName": "userPrincipalName_creator"
}
],
"entityType": "Account"
},
{
"fieldMappings": [
{
"identifier": "FullName",
"columnName": "userPrincipalName_deleter"
}
],
"entityType": "Account"
},
{
"fieldMappings": [
{
"identifier": "Address",
"columnName": "ipAddress_creator"
}
],
"entityType": "IP"
},
{
"fieldMappings": [
{
"identifier": "Address",
"columnName": "ipAddress_deleter"
}
],
"entityType": "IP"
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure Active Directory/Analytic Rules/SuspiciousServicePrincipalcreationactivity.yaml",
"status": "Available",
"templateVersion": "1.0.2"
}
}
]
}