Rules Contributing to Suspicious Microsoft Entra Service Principal Activity Alert

The following rules are used to identify suspicious Microsoft Entra service principal activity. Any one or more of these will trigger the Suspicious Microsoft Entra Service Principal Activity Alert. Details for each rule can be viewed by clicking the More Details link in the description.

Title

Description

Azure Service Principal Created

Identifies when a service principal is created in Azure.

More details

Rule ID

azure_74

Query

{'selection': {'properties_message': 'Add service principal'}, 'condition': 'selection'}

Log Source

Stellar Cyber Microsoft Entra Events configured.

Rule Source

SigmaHQ,0ddcff6d-d262-40b0-804b-80eb592de8e3

Author: Austin Songer @austinsonger

Tactics, Techniques, and Procedures

DEFENSE_EVASION, T1578

References

https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#application-proxy

Severity

Suppression Logic Based On

azure_ad.initiatedBy.user.id
azure_ad.initiatedBy.app.servicePrincipalId
stellar.rule_id

Additional Information

Maturity	Creation Date	Risk Level	False Positives
test	2021/09/02	medium	Service principal being created may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Service principal created from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.

Azure Service Principal Removed

Identifies when a service principal was removed in Azure.