Query Details

New Service Principal Performing Provisioning

11 AAD Prov New Service Principal

Query

let Recent =
    AADProvisioningLogs
    | where TimeGenerated > ago(1d)
    | extend SPName = tostring(parse_json(ServicePrincipal).Name),
             SPId   = tostring(parse_json(ServicePrincipal).Id)
    | summarize
        RecentEvents = count(),
        FirstSeen    = min(TimeGenerated),
        LastSeen     = max(TimeGenerated),
        Operations   = make_set(OperationName, 10),
        Targets      = make_set(tostring(parse_json(TargetIdentity).userPrincipalName), 30)
      by SPId, SPName
    // Conservative: ignore one-off probes
    | where RecentEvents >= 50;
let Historical =
    AADProvisioningLogs
    | where TimeGenerated between (ago(14d) .. ago(1d))
    | extend SPId = tostring(parse_json(ServicePrincipal).Id)
    | distinct SPId;
Recent
| where SPId !in (Historical)
| order by RecentEvents desc

Explanation

This query is designed to detect unusual activity by a new Service Principal (SP) in Azure Active Directory. It identifies SPs that have started performing provisioning operations for the first time in the last 30 days and have generated at least 50 events in the past 24 hours. This could indicate a potential security threat, such as an attacker using a newly registered application to manipulate accounts or write unauthorized data.

Here's a simplified breakdown of the query:

  1. Purpose: To detect new Service Principals that are performing provisioning operations for the first time in the last 30 days and have a high volume of activity (50 or more events) in the last 24 hours.

  2. Data Source: It uses logs from Azure Active Directory, specifically the AADProvisioningLogs.

  3. Logic:

    • Recent Activity: It checks for Service Principals that have been active in the last 24 hours and counts their events.
    • Historical Check: It ensures these Service Principals have not been seen performing provisioning operations in the previous 30 days.
    • Alert Generation: If a Service Principal meets these criteria, an alert is generated.
  4. Severity and Tactics: The alert is marked with medium severity and is associated with persistence and privilege escalation tactics, referencing specific MITRE ATT&CK techniques.

  5. Alert Details: The alert includes details such as the name of the Service Principal, the number of operations, and the types of operations performed. It suggests verifying the SP against an approved application inventory.

  6. Incident Management: The query is set to create an incident if such activity is detected, with specific configurations for grouping and managing incidents.

Overall, this query helps security teams monitor for potentially unauthorized or suspicious provisioning activities by new Service Principals, which could indicate a supply chain attack or persistence mechanism by an attacker.

Details

David Alonso profile picture

David Alonso

Released: June 1, 2026

Tables

AADProvisioningLogs

Keywords

ServicePrincipalProvisioningOperationsEntraIDAzureActiveDirectoryAADProvisioningLogsCloudApplication

Operators

letwhereagoextendtostringparse_jsonsummarizecountminmaxmake_setbybetweendistinct!inorder bydesc

Severity

Medium

Tactics

PersistencePrivilegeEscalation

MITRE Techniques

Frequency: 6h

Period: 14d

Actions

GitHub