LoFP / New CI/CD pipeline deployments using GitHub Actions, Azure DevOps, or Kubernetes OIDC will trigger this rule when federated authentication is first used. Validate the issuer URL against approved identity providers.

Techniques

Sample rules

Entra ID Service Principal Federated Credential Authentication by Unusual Client

Description

Identifies when a service principal authenticates using a federated identity credential for the first time in the historical window. This indicates that Entra ID validated a JWT issued by an external OIDC identity provider and, in exchange, issued an access token. While this is legitimate for CI/CD workflows (GitHub Actions, Azure DevOps), adversaries may abuse it by configuring rogue identity providers (BYOIDP) to authenticate as compromised applications. First-time federated credential usage for a service principal warrants investigation to determine whether the external identity provider is legitimate.

Detection logic

event.dataset: "azure.signinlogs"
    and azure.signinlogs.category: "ServicePrincipalSignInLogs"
    and azure.signinlogs.properties.client_credential_type: "federatedIdentityCredential"
    and azure.signinlogs.result_signature: "SUCCESS"
    and azure.signinlogs.properties.app_id: *
    and not azure.signinlogs.properties.app_owner_tenant_id: (
        "f8cdef31-a31e-4b4a-93e4-5f571e91255a" or
        "72f988bf-86f1-41af-91ab-2d7cd011db47"
    )
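The following is an added example, not part of the LoFP entry or the rule's own code. It replays the detection logic above over constructed sign-in records (flat dicts keyed by the same ECS field names), keeps only the first federated sign-in per app_id, and then applies the false-positive guidance from the top of the page by comparing the issuers configured on each alerting app's federated identity credentials with an approved list. The `APPROVED_ISSUERS` set, the `SAMPLE_FIC` app configurations and the `_ev` helper are assumptions for the demonstration; the issuer URL comes from the app registration, not from the sign-in log.

```python
MICROSOFT_OWNER_TENANTS = {"f8cdef31-a31e-4b4a-93e4-5f571e91255a",  # first-party owner tenants
                           "72f988bf-86f1-41af-91ab-2d7cd011db47"}  # excluded by the rule above
# Assumption: the organisation's own approved OIDC issuers for workload identity federation.
APPROVED_ISSUERS = {"https://token.actions.githubusercontent.com",       # GitHub Actions
                    "https://vstoken.dev.azure.com/ORG-ID-PLACEHOLDER"}  # Azure DevOps (per organisation)
P = "azure.signinlogs.properties."  # prefix of the per-sign-in property fields

def matches_rule(ev):
    """The detection logic above, evaluated on one flat (dotted-key) sign-in record."""
    return (ev.get("event.dataset") == "azure.signinlogs"
            and ev.get("azure.signinlogs.category") == "ServicePrincipalSignInLogs"
            and ev.get(P + "client_credential_type") == "federatedIdentityCredential"
            and ev.get("azure.signinlogs.result_signature") == "SUCCESS"
            and bool(ev.get(P + "app_id"))
            and ev.get(P + "app_owner_tenant_id") not in MICROSOFT_OWNER_TENANTS)

def first_seen_federated(events, baseline=()):
    """Keep the first matching record per app_id; baseline = app_ids already seen in the historical window."""
    seen, hits = set(baseline), []
    for ev in events:
        if matches_rule(ev) and ev[P + "app_id"] not in seen:
            seen.add(ev[P + "app_id"])
            hits.append(ev)
    return hits

def triage(hits, fic_issuers):
    """Verdict per alerting app_id; fic_issuers maps app_id -> issuer URLs on its federated credentials."""
    verdicts = {}
    for ev in hits:
        app_id = ev[P + "app_id"]
        issuers = fic_issuers.get(app_id, [])
        bad = sorted(i for i in issuers if i not in APPROVED_ISSUERS)
        if not issuers:
            verdicts[app_id] = "investigate: no federated credential found on the app"
        elif bad:
            verdicts[app_id] = "investigate: unapproved issuer " + ", ".join(bad)
        else:
            verdicts[app_id] = "likely benign: issuer approved"
    return verdicts

def _ev(app_id, owner_tenant, cred="federatedIdentityCredential", result="SUCCESS"):
    return {"event.dataset": "azure.signinlogs", "azure.signinlogs.category": "ServicePrincipalSignInLogs",
            "azure.signinlogs.result_signature": result, P + "client_credential_type": cred,
            P + "app_id": app_id, P + "app_owner_tenant_id": owner_tenant}
SAMPLE_EVENTS = [  # constructed records, not real log data
    _ev("app-ci", "tenant-a"),                              # first federated sign-in of a pipeline app
    _ev("app-ci", "tenant-a"),                              # repeat: not first-seen, no alert
    _ev("app-ms", "f8cdef31-a31e-4b4a-93e4-5f571e91255a"),  # Microsoft-owned app, excluded by the rule
    _ev("app-cert", "tenant-a", cred="certificate"),        # certificate auth, not federated
    _ev("app-new", "tenant-a"),                             # first federated sign-in, unknown issuer
]
SAMPLE_FIC = {"app-ci": ["https://token.actions.githubusercontent.com"],  # constructed app configurations
              "app-new": ["https://oidc.unknown-idp.example"]}
```

Running `triage(first_seen_federated(SAMPLE_EVENTS), SAMPLE_FIC)` marks `app-ci` as likely benign and `app-new` for investigation; passing already-seen app_ids as `baseline` reproduces the rule's historical-window suppression.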