Techniques
Sample rules
Microsoft Entra ID Service Principal Credentials Added by Rare User
- source: elastic
- techniques:
- T1098
Description
Identifies when new Service Principal credentials have been added in Microsoft Entra ID. In most organizations, credentials are added to service principals infrequently. Hijacking an application that already holds granted permissions (by adding a rogue secret or certificate) allows the attacker to authenticate as that application and access data that is normally protected by MFA requirements.
Detection logic
event.dataset: "azure.auditlogs"
and azure.auditlogs.operation_name:"Add service principal credentials"
and event.outcome: "success"
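As an added example that is not part of the rule or the Elastic rule set, the following Python applies the three KQL clauses above to constructed audit-log events and adds the baseline comparison the rule title ("by Rare User") implies. The actor field name (ACTOR_FIELD) and all sample events are assumptions, not values from the page.

```python
"""Apply the 'Add service principal credentials' query to constructed Azure
audit-log events, then flag actors not seen in a baseline window."""
from collections import Counter

def get_field(event, path):
    """Walk a dotted ECS-style path through nested dicts; None if absent."""
    cur = event
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur

def matches_rule(event):
    """Equivalent of the page's three KQL clauses joined with 'and'."""
    return (get_field(event, "event.dataset") == "azure.auditlogs"
            and get_field(event, "azure.auditlogs.operation_name")
                == "Add service principal credentials"
            and get_field(event, "event.outcome") == "success")

# Assumed actor field (Elastic Azure integration naming); not on the page.
ACTOR_FIELD = "azure.auditlogs.properties.initiated_by.user.userPrincipalName"

def rare_actor_alerts(events, baseline_events):
    """Return matching events whose actor never added credentials during the
    baseline window; actors seen there are treated as routine automation."""
    known = Counter(get_field(e, ACTOR_FIELD)
                    for e in baseline_events if matches_rule(e))
    return [e for e in events
            if matches_rule(e) and known[get_field(e, ACTOR_FIELD)] == 0]

def make_event(operation, outcome, actor, dataset="azure.auditlogs"):
    """Build a constructed sample event; not real tenant data."""
    return {"event": {"dataset": dataset, "outcome": outcome},
            "azure": {"auditlogs": {"operation_name": operation,
                      "properties": {"initiated_by": {"user": {
                          "userPrincipalName": actor}}}}}}

# Constructed baseline: a rotation account routinely adds credentials.
BASELINE = [make_event("Add service principal credentials", "success",
                       "svc-rotate@example.com") for _ in range(5)]
# Constructed recent window: one routine add, one rare actor, two non-matches.
RECENT = [
    make_event("Add service principal credentials", "success", "svc-rotate@example.com"),
    make_event("Add service principal credentials", "success", "contractor@example.com"),
    make_event("Add service principal credentials", "failure", "guest@example.com"),
    make_event("Update application", "success", "contractor@example.com"),
]

if __name__ == "__main__":
    for alert in rare_actor_alerts(RECENT, BASELINE):
        print("ALERT: rare actor added SP credentials:", get_field(alert, ACTOR_FIELD))
```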