Query Details
id: 9b1a000b-100b-410b-910b-aadprov0000b
name: New Service Principal Performing Provisioning
version: 1.0.0
kind: Scheduled
description: |
  Detects the first appearance of a `ServicePrincipal` performing provisioning
  operations, i.e. an SP that has never been seen as a provisioning agent in
  the previous 30 days but has emitted >= 50 events in the last 24 hours.
  An unexpected new provisioning SP is a strong supply-chain / persistence
  indicator: an attacker may have registered a SCIM app, granted
  `User.ReadWrite.All` / `Directory.ReadWrite.All`, and started writing
  arbitrary objects into Entra ID.
  MITRE ATT&CK: T1136 (Create Account), T1098 (Account Manipulation),
  T1078.004 (Valid Accounts: Cloud Accounts).
severity: Medium
requiredDataConnectors:
  - connectorId: AzureActiveDirectory
    dataTypes:
      - AADProvisioningLogs
queryFrequency: 6h
queryPeriod: 14d
triggerOperator: gt
triggerThreshold: 0
tactics:
  - Persistence
  - PrivilegeEscalation
relevantTechniques:
  - T1136
  - T1098
query: |
  let Recent =
      AADProvisioningLogs
      | where TimeGenerated > ago(1d)
      | extend SPName = tostring(parse_json(ServicePrincipal).Name),
               SPId = tostring(parse_json(ServicePrincipal).Id)
      | summarize
          RecentEvents = count(),
          FirstSeen = min(TimeGenerated),
          LastSeen = max(TimeGenerated),
          Operations = make_set(OperationName, 10),
          Targets = make_set(tostring(parse_json(TargetIdentity).userPrincipalName), 30)
        by SPId, SPName
      // Conservative: ignore one-off probes
      | where RecentEvents >= 50;
  let Historical =
      AADProvisioningLogs
      | where TimeGenerated between (ago(14d) .. ago(1d))
      | extend SPId = tostring(parse_json(ServicePrincipal).Id)
      | distinct SPId;
  Recent
  | where SPId !in (Historical)
  | order by RecentEvents desc
entityMappings:
  - entityType: CloudApplication
    fieldMappings:
      - identifier: Name
        columnName: SPName
customDetails:
  RecentEvents: RecentEvents
  Operations: Operations
  Targets: Targets
alertDetailsOverride:
  alertDisplayNameFormat: "New provisioning ServicePrincipal observed: {{SPName}} ({{RecentEvents}} ops)"
  alertDescriptionFormat: "SP {{SPName}} ({{SPId}}) has never performed provisioning in the prior 30 days but emitted {{RecentEvents}} operations in 24h. Validate against approved app inventory."
  alertSeverityColumnName: ""
  alertTacticsColumnName: ""
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: PT24H
    matchingMethod: AnyAlert
    groupByEntities:
      - CloudApplication
    groupByAlertDetails: []
    groupByCustomDetails: []
This query is designed to detect unusual activity by a new Service Principal (SP) in Azure Active Directory. It identifies SPs that have started performing provisioning operations for the first time in the last 30 days and have generated at least 50 events in the past 24 hours. Such activity can indicate a security threat, for example an attacker using a newly registered application to manipulate accounts or write unauthorized objects into the directory.
Here's a simplified breakdown of the query:
Purpose: To detect new Service Principals that are performing provisioning operations for the first time in the last 30 days and have a high volume of activity (50 or more events) in the last 24 hours.
Data Source: It uses logs from Azure Active Directory, specifically the AADProvisioningLogs table.
Logic: Two sub-queries are combined. Recent takes the last 24 hours of AADProvisioningLogs, extracts the SP's Id and Name from the ServicePrincipal column, aggregates per SP (event count, first and last seen time, up to 10 operation names, up to 30 target user principal names) and keeps only SPs with at least 50 events so that one-off probes are ignored. Historical collects the distinct SP Ids seen between 14 days ago and 1 day ago. The final step returns every Recent SP whose Id does not appear in Historical, ordered by event count. Note that the baseline the query actually uses is 14 days (queryPeriod: 14d and ago(14d)), while the description and alert text refer to 30 days; an SP whose last provisioning activity was more than 14 days ago will therefore be reported as new.
Severity and Tactics: The alert is marked with medium severity and is associated with the Persistence and Privilege Escalation tactics, referencing specific MITRE ATT&CK techniques.
Alert Details: The alert includes details such as the name of the Service Principal, the number of operations, and the types of operations performed. It suggests verifying the SP against an approved application inventory.
Incident Management: The query is set to create an incident when such activity is detected, with specific configurations for grouping incidents by the CloudApplication entity within a 24-hour lookback.
Overall, this query helps security teams monitor for potentially unauthorized or suspicious provisioning activities by new Service Principals, which could indicate a supply chain attack or a persistence mechanism by an attacker.
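To make the Recent/Historical logic concrete and testable offline, the following Python model re-implements the rule's KQL over a constructed set of AADProvisioningLogs-style rows. It is an added example, not code from the rule's author or from Microsoft Sentinel. The sample data, the SP ids (sp-hr, sp-new, sp-probe, sp-approved, sp-returning) and the `approved_sp_ids` allowlist (the "approved app inventory" the alert text asks the analyst to check, implemented here as an assumed extension) are all constructed for the example. It also shows the effect of the 14-day versus 30-day baseline on an SP that was last active 20 days ago.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed reference time standing in for now() in the live rule.
NOW = datetime(2026, 6, 1, 12, 0, tzinfo=timezone.utc)


def make_event(ts, sp_id, sp_name, op, target_upn):
    """One constructed AADProvisioningLogs-style row. The dynamic columns are
    kept as JSON strings so the code mirrors the rule's parse_json() calls."""
    return {
        "TimeGenerated": ts,
        "ServicePrincipal": json.dumps({"Id": sp_id, "Name": sp_name}),
        "OperationName": op,
        "TargetIdentity": json.dumps({"userPrincipalName": target_upn}),
    }


def build_sample_logs(now=NOW):
    """Constructed sample covering the cases the rule distinguishes (hypothetical SP ids)."""
    logs = []
    # HR connector seen 3 days ago and busy today: inside the baseline, never alerts.
    logs.append(make_event(now - timedelta(days=3), "sp-hr", "HR SCIM Connector", "Update", "a@example.test"))
    logs += [make_event(now - timedelta(minutes=i), "sp-hr", "HR SCIM Connector", "Update",
                        f"u{i}@example.test") for i in range(60)]
    # Never-seen SP with heavy write activity: the case the rule targets.
    logs += [make_event(now - timedelta(minutes=5 * i), "sp-new", "Unknown SCIM App",
                        "Create" if i % 2 else "Update", f"n{i}@example.test") for i in range(75)]
    # Never-seen SP with only 5 events: stays under the 50-event floor.
    logs += [make_event(now - timedelta(hours=i), "sp-probe", "Low-volume App", "Create",
                        f"p{i}@example.test") for i in range(5)]
    # Never-seen SP that is in the approved inventory: suppressed only by the allowlist.
    logs += [make_event(now - timedelta(minutes=2 * i), "sp-approved", "New Payroll Sync", "Create",
                        f"q{i}@example.test") for i in range(80)]
    # SP last active 20 days ago: outside the 14-day baseline, so it looks "new" again.
    logs.append(make_event(now - timedelta(days=20), "sp-returning", "Quarterly Sync", "Update", "r@example.test"))
    logs += [make_event(now - timedelta(minutes=3 * i), "sp-returning", "Quarterly Sync", "Update",
                        f"r{i}@example.test") for i in range(55)]
    return logs


def detect_new_provisioning_sps(logs, now=NOW, recent_days=1, baseline_days=14,
                                threshold=50, approved_sp_ids=frozenset()):
    """Python equivalent of the rule's KQL, plus an approved-inventory allowlist
    (assumed extension; the rule itself has no allowlist)."""
    recent_start = now - timedelta(days=recent_days)
    baseline_start = now - timedelta(days=baseline_days)
    historical = set()   # let Historical = ... | distinct SPId
    recent = {}          # let Recent = ... | summarize ... by SPId, SPName
    for row in logs:
        sp = json.loads(row["ServicePrincipal"])
        ts = row["TimeGenerated"]
        if ts > recent_start:                               # where TimeGenerated > ago(1d)
            s = recent.setdefault(sp["Id"], {
                "SPId": sp["Id"], "SPName": sp["Name"], "RecentEvents": 0,
                "FirstSeen": ts, "LastSeen": ts, "Operations": set(), "Targets": set()})
            s["RecentEvents"] += 1
            s["FirstSeen"] = min(s["FirstSeen"], ts)
            s["LastSeen"] = max(s["LastSeen"], ts)
            s["Operations"].add(row["OperationName"])       # make_set caps (10/30) omitted here
            s["Targets"].add(json.loads(row["TargetIdentity"]).get("userPrincipalName"))
        elif baseline_start <= ts <= recent_start:          # between (ago(14d) .. ago(1d))
            historical.add(sp["Id"])
    hits = [s for s in recent.values()
            if s["RecentEvents"] >= threshold               # where RecentEvents >= 50
            and s["SPId"] not in historical                 # where SPId !in (Historical)
            and s["SPId"] not in approved_sp_ids]           # assumed allowlist step
    return sorted(hits, key=lambda s: s["RecentEvents"], reverse=True)   # order by RecentEvents desc


if __name__ == "__main__":
    for hit in detect_new_provisioning_sps(build_sample_logs(), approved_sp_ids=frozenset({"sp-approved"})):
        print(f"{hit['SPName']} ({hit['SPId']}): {hit['RecentEvents']} ops, {sorted(hit['Operations'])}")
```

Run as written, the script reports sp-new and sp-returning; sp-hr is suppressed by the baseline, sp-probe by the 50-event floor and sp-approved by the allowlist. Calling `detect_new_provisioning_sps` with `baseline_days=30` additionally suppresses sp-returning, which is the behaviour the description text promises but the 14-day query does not deliver; if the 30-day window is the intent, `queryPeriod` and `ago(14d)` need to change together.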

David Alonso
Released: June 1, 2026