Service principals will legitimately authenticate remotely to your tenant. Implementing this detection after establishing a baseline enables a more accurate identification of security threats, ensuring proactive and informed responses to safeguard the Azure AD environment.

Techniques

Sample rules

Azure AD Service Principal Authentication

Description

The following analytic identifies authentication events of service principals in Azure Active Directory. It leverages the azure_monitor_aad data source, specifically targeting “Sign-in activity” within ServicePrincipalSignInLogs. This detection gathers details such as sign-in frequency, timing, source IPs, and accessed resources. Monitoring these events is significant for SOC teams to distinguish between normal application authentication and potential anomalies, which could indicate compromised credentials or malicious activities. If confirmed malicious, attackers could gain unauthorized access to resources, leading to data breaches or further exploitation within the environment.

Detection logic

`azure_monitor_aad` operationName="Sign-in activity" category=ServicePrincipalSignInLogs 
| rename properties.* as * 
| stats count earliest(_time) as firstTime latest(_time) as lastTime by user, user_id, src_ip, resourceDisplayName, resourceId 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `azure_ad_service_principal_authentication_filter`
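The false-positive note above says this search is only useful once a baseline exists. The following added example (not part of Splunk's security content) reproduces the search's stats step over a handful of constructed ServicePrincipalSignInLogs events and then applies a baseline of known (principal, source IP, resource) combinations, which is the kind of filtering one would put behind the `azure_ad_service_principal_authentication_filter` macro; the field names are assumed to already be the post-rename names the search groups on.

```python
from datetime import datetime

# Constructed sample events shaped like ServicePrincipalSignInLogs after
# "rename properties.* as *"; user/user_id/src_ip are the field names the
# detection groups on (how they map from raw fields is an assumption here).
SAMPLE_EVENTS = [
    {"_time": "2024-05-01T08:00:00Z", "user": "backup-app", "user_id": "sp-0001",
     "src_ip": "203.0.113.10", "resourceDisplayName": "Microsoft Graph",
     "resourceId": "res-graph"},
    {"_time": "2024-05-01T09:00:00Z", "user": "backup-app", "user_id": "sp-0001",
     "src_ip": "203.0.113.10", "resourceDisplayName": "Microsoft Graph",
     "resourceId": "res-graph"},
    {"_time": "2024-05-01T10:00:00Z", "user": "backup-app", "user_id": "sp-0001",
     "src_ip": "203.0.113.10", "resourceDisplayName": "Microsoft Graph",
     "resourceId": "res-graph"},
    # Same principal, never-seen source IP and resource: the case a baseline surfaces.
    {"_time": "2024-05-01T23:30:00Z", "user": "backup-app", "user_id": "sp-0001",
     "src_ip": "198.51.100.7", "resourceDisplayName": "Azure Key Vault",
     "resourceId": "res-kv"},
]

# Constructed baseline of (principal, source IP, resource) tuples seen during a learning period.
BASELINE = {("backup-app", "203.0.113.10", "Microsoft Graph")}


def aggregate(events):
    """Mirror the SPL stats: count, earliest and latest _time per
    (user, user_id, src_ip, resourceDisplayName, resourceId)."""
    rows = {}
    for e in events:
        key = (e["user"], e["user_id"], e["src_ip"],
               e["resourceDisplayName"], e["resourceId"])
        t = datetime.fromisoformat(e["_time"].replace("Z", "+00:00"))
        row = rows.setdefault(key, {"count": 0, "firstTime": t, "lastTime": t})
        row["count"] += 1
        row["firstTime"] = min(row["firstTime"], t)
        row["lastTime"] = max(row["lastTime"], t)
    return rows


def flag_new_combinations(rows, baseline):
    """Keep only aggregated rows whose (user, src_ip, resource) is outside the
    baseline; this is the filtering step the false-positive note calls for."""
    return {k: v for k, v in rows.items() if (k[0], k[2], k[3]) not in baseline}


if __name__ == "__main__":
    for key, row in flag_new_combinations(aggregate(SAMPLE_EVENTS), BASELINE).items():
        print(key, row["count"], row["firstTime"].isoformat(), row["lastTime"].isoformat())
```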