a service principal may be created by a system or network administrator. verify whether the username, hostname, and/or resource name should be making changes in your environment. service principal additions from unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.

t1136
azure
elastic

Techniques

T1136

Sample rules

Microsoft Entra ID Service Principal Created

source: elastic
technicques:
- T1136

Description

Identifies when a new service principal is added in Microsoft Entra ID. An application, hosted service, or automated tool that accesses or modifies resources needs an identity created. This identity is known as a service principal. For security reasons, it’s always recommended to use service principals with automated tools rather than allowing them to log in with a user identity.

Detection logic

event.dataset:azure.auditlogs
    and azure.auditlogs.operation_name:"Add service principal"
    and event.outcome:(success or Success)
    and not azure.auditlogs.identity: (
        "Managed Service Identity" or
        "Windows Azure Service Management API" or
        "Microsoft Azure AD Internal - Jit Provisioning" or
        "AAD App Management" or
        "Power Virtual Agents Service"
        )