LoFP / Administrator may legitimately create service principal. Filter as needed.

Techniques

Sample rules

Azure AD Service Principal Created

Description

The following analytic identifies the creation of a Service Principal in an Azure AD environment. An Azure Service Principal is an identity designed to be used by applications, services, and automated tools to access resources; it is similar to a service account in an Active Directory environment. Service Principal authentication does not support multi-factor authentication or conditional access policies. Adversaries and red teams alike who have obtained administrative access may create a Service Principal to establish persistence and obtain single-factor access to an Azure AD environment.

Detection logic

`azure_monitor_aad` operationName="Add service principal" properties.initiatedBy.user.id=*
| rename properties.* as *
| rename targetResources{}.displayName as displayName
| rename targetResources{}.type as type
| rename initiatedBy.user.userPrincipalName as user
| stats count min(_time) as firstTime max(_time) as lastTime values(displayName) as displayName by type, user, result, operationName
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `azure_ad_service_principal_created_filter`
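To test the rule's logic without a Splunk instance, the following added example (not part of the original rule or of the Splunk security content project) re-implements the base search, the field renames and the stats aggregation in Python over constructed Azure AD audit-log records. The `allowlist` argument plays the role of the `azure_ad_service_principal_created_filter` macro from the false-positive note above: a known automation account that legitimately creates service principals is dropped before aggregation. Field names follow the Azure AD audit-log schema as shipped to Azure Monitor; the user principal names, timestamps and display names are constructed sample values.

```python
"""Offline re-implementation of the 'Azure AD Service Principal Created' search.

Added example; not Splunk's or the security content project's own code.
"""
import json
from collections import defaultdict
from datetime import datetime

ADD_SP = "Add service principal"


def _ts(iso):
    """ISO-8601 UTC timestamp ('...Z') to epoch seconds, standing in for _time."""
    return datetime.fromisoformat(iso.replace("Z", "+00:00")).timestamp()


def _rec(time, op, initiated_by, target_name, target_type, result):
    """Build one constructed audit-log line with only the fields the rule touches."""
    return json.dumps({
        "time": time,
        "operationName": op,
        "properties": {
            "initiatedBy": initiated_by,
            "result": result,
            "targetResources": [{"displayName": target_name, "type": target_type}],
        },
    })


def _user(upn):
    return {"user": {"id": "id-" + upn, "userPrincipalName": upn}}


# Constructed sample events (not real tenant data).
SAMPLE_LOGS = [
    _rec("2024-03-01T10:00:00Z", ADD_SP, _user("admin@contoso.example"), "backup-automation", "ServicePrincipal", "success"),
    _rec("2024-03-01T11:30:00Z", ADD_SP, _user("admin@contoso.example"), "reporting-app", "ServicePrincipal", "success"),
    _rec("2024-03-01T12:00:00Z", ADD_SP, _user("svc-deploy@contoso.example"), "ci-runner", "ServicePrincipal", "success"),
    # App-initiated event: no initiatedBy.user.id, so the base search drops it.
    _rec("2024-03-01T12:15:00Z", ADD_SP, {"app": {"displayName": "Microsoft Graph"}}, "graph-sync", "ServicePrincipal", "success"),
    # Different operation, also dropped.
    _rec("2024-03-01T12:30:00Z", "Add application", _user("admin@contoso.example"), "my-app", "Application", "success"),
    _rec("2024-03-01T13:00:00Z", ADD_SP, _user("contractor@contoso.example"), "helpdesk-sync", "ServicePrincipal", "failure"),
]


def parse_event(line):
    """Base search: keep 'Add service principal' events initiated by a user
    (properties.initiatedBy.user.id=*), and perform the renames.
    Returns None when the event does not match."""
    ev = json.loads(line)
    if ev.get("operationName") != ADD_SP:
        return None
    props = ev.get("properties", {})
    user = props.get("initiatedBy", {}).get("user") or {}
    if not user.get("id"):
        return None
    targets = props.get("targetResources", [])
    return {
        "_time": _ts(ev["time"]),
        "user": user.get("userPrincipalName", user["id"]),
        "result": props.get("result"),
        "operationName": ADD_SP,
        # targetResources{} is multivalue; one entry per target resource.
        "targets": [(t.get("type"), t.get("displayName")) for t in targets],
    }


def aggregate(lines, allowlist=frozenset()):
    """stats count min(_time) as firstTime max(_time) as lastTime
    values(displayName) by type, user, result, operationName.
    `allowlist` is the analogue of the *_filter macro (known legitimate creators)."""
    rows = defaultdict(lambda: {"count": 0, "firstTime": None, "lastTime": None, "displayName": set()})
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["user"] in allowlist:
            continue
        for rtype, name in ev["targets"]:
            row = rows[(rtype, ev["user"], ev["result"], ev["operationName"])]
            t = ev["_time"]
            row["count"] += 1
            row["firstTime"] = t if row["firstTime"] is None else min(row["firstTime"], t)
            row["lastTime"] = t if row["lastTime"] is None else max(row["lastTime"], t)
            row["displayName"].add(name)
    return {k: {**v, "displayName": sorted(v["displayName"])} for k, v in rows.items()}


if __name__ == "__main__":
    for key, row in aggregate(SAMPLE_LOGS, allowlist=frozenset({"svc-deploy@contoso.example"})).items():
        print(key, row)
```

Run as a script it prints two result rows: the administrator who created two service principals and the contractor whose attempt failed; the deployment account is suppressed by the allowlist, and the app-initiated and "Add application" events never pass the base search. Triage then focuses on whether each remaining creator is expected to hold that permission.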