Microsoft Entra ID Service Principal Created
- source: elastic
- techniques:
- T1136
Description
Identifies when a new service principal is added in Microsoft Entra ID. An application, hosted service, or automated tool that accesses or modifies resources needs an identity of its own; that identity is known as a service principal. For security reasons, automated tools should always authenticate with a service principal rather than signing in with a user identity.
Detection logic
event.dataset:azure.auditlogs
and azure.auditlogs.operation_name:"Add service principal"
and event.outcome:(success or Success)
and not azure.auditlogs.identity: (
    "Managed Service Identity" or
    "Windows Azure Service Management API" or
    "Microsoft Azure AD Internal - Jit Provisioning" or
    "AAD App Management" or
    "Power Virtual Agents Service"
)
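The same logic applied outside the SIEM, as an added example that is not part of the Elastic rule: each clause of the query is evaluated in Python over constructed, ECS-shaped audit events (the identities and field values in the samples are assumptions, not real telemetry), which makes it easy to see which events fire and which are suppressed by the identity exclusion.

```python
# Added example, not Elastic's code: the rule's clauses applied to constructed ECS-shaped events.
from typing import Any

# Identities the rule excludes: first-party Microsoft automation that creates SPs routinely.
EXCLUDED_IDENTITIES = {
    "Managed Service Identity",
    "Windows Azure Service Management API",
    "Microsoft Azure AD Internal - Jit Provisioning",
    "AAD App Management",
    "Power Virtual Agents Service",
}

def get_field(event: dict[str, Any], path: str) -> Any:
    """Resolve a dotted ECS field such as 'azure.auditlogs.operation_name'."""
    node: Any = event
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

def matches_rule(event: dict[str, Any]) -> bool:
    """True when the event satisfies every clause of the detection logic."""
    if get_field(event, "event.dataset") != "azure.auditlogs":
        return False
    if get_field(event, "azure.auditlogs.operation_name") != "Add service principal":
        return False
    if get_field(event, "event.outcome") not in ("success", "Success"):
        return False  # the rule accepts either casing of the outcome value
    # 'not identity: (...)' is also satisfied when the identity field is absent.
    return get_field(event, "azure.auditlogs.identity") not in EXCLUDED_IDENTITIES

def alerts(events: list[dict[str, Any]]) -> list[str]:
    """Identities of the events that would raise an alert, in input order."""
    return [str(get_field(e, "azure.auditlogs.identity")) for e in events if matches_rule(e)]

def sample_event(operation: str, outcome: str, identity: str) -> dict[str, Any]:
    """Build a constructed audit event (sample data, not real telemetry)."""
    return {"event": {"dataset": "azure.auditlogs", "outcome": outcome},
            "azure": {"auditlogs": {"operation_name": operation, "identity": identity}}}

SAMPLE_EVENTS = [
    sample_event("Add service principal", "success", "alice@example.test"),  # alerts
    sample_event("Add service principal", "Success", "AAD App Management"),  # excluded identity
    sample_event("Add service principal", "failure", "bob@example.test"),    # not a success
    sample_event("Update application", "success", "alice@example.test"),     # other operation
]

if __name__ == "__main__":
    print(alerts(SAMPLE_EVENTS))  # ['alice@example.test']
```

Note that an event with no identity field at all still matches, exactly as the `not azure.auditlogs.identity: (...)` clause does in the query, so tuning the exclusion list is the only suppression the rule provides.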