LoFP / service principal created from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.

Techniques

Sample rules

Azure Service Principal Created

• source: sigma
• technicques:

Description

Identifies when a service principal is created in Azure.

Detection logic

condition: selection
selection:
  properties.message: Add service principal