Query Details

16 AAD Prov SP Credential Added

Query

id: 9b1a0010-1010-4110-9110-aadprov00010
name: Provisioning ServicePrincipal Credential Added or Rotated
version: 1.0.0
kind: Scheduled
description: |
  Detects new client certificates or client secrets added to a service
  principal that has been observed performing provisioning operations in the
  last 14 days (the query's own lookback; queryPeriod below matches it).
  Per the Cloud-Architekt T1098.001 mapping, adding credentials
  ("Additional Cloud Credentials") to a provisioning SP is a high-value
  persistence primitive: the attacker keeps using legitimate provisioning
  flows, but with credentials only they hold.
  Triggers on `Add service principal credentials` / `Update application -
  Certificates and secrets management` audit events (and the broader update
  operations, narrowed by their modifiedProperties) whose target SP intersects
  the active provisioning-SP inventory. Events from allowlisted IPs are
  dropped before matching.
  MITRE ATT&CK: T1098.001 (Account Manipulation: Additional Cloud
  Credentials), T1550.001 (Use Alternate Authentication Material:
  Application Access Token).
severity: High
requiredDataConnectors:
  - connectorId: AzureActiveDirectory
    dataTypes:
      - AuditLogs
      - AADProvisioningLogs
queryFrequency: 1h
queryPeriod: 14d
triggerOperator: gt
triggerThreshold: 0
tactics:
  - Persistence
  - PrivilegeEscalation
  - DefenseEvasion
relevantTechniques:
  - T1098
  - T1550
query: |
  // Inventory of SPs that actually performed provisioning in the lookback window.
  // The 10-event floor keeps one-off or test connectors out of the join.
  let ProvisioningSPs =
      AADProvisioningLogs
      | where TimeGenerated > ago(14d)
      | extend SPId   = tostring(parse_json(ServicePrincipal).Id),
               SPName = tostring(parse_json(ServicePrincipal).Name)
      | summarize Events = count() by SPId, SPName
      | where Events >= 10
      | project SPId, SPName;
  AuditLogs
  | where TimeGenerated > ago(1h)
  // ExcludeAllowlistedIPs() is a tenant-defined function expected to drop rows whose
  // IPAddress is on the approved-automation list. App-initiated events carry no
  // user IP, so they are never excluded here and surface with an empty SourceIP.
  | extend IPAddress = tostring(InitiatedBy.user.ipAddress)
  | invoke ExcludeAllowlistedIPs()
  // The broad "Update application" / "Update service principal" operations are kept
  // on purpose; the modifiedProperties filter below narrows them to credential changes.
  | where OperationName has_any (
        "Add service principal credentials",
        "Update application - Certificates and secrets management",
        "Update application",
        "Add owner to service principal",
        "Update service principal"
    )
  | mv-expand TargetResources
  | extend TargetSPId   = tostring(TargetResources.id),
           TargetSPName = tostring(TargetResources.displayName)
  | extend Actor    = coalesce(tostring(InitiatedBy.user.userPrincipalName),
                               tostring(InitiatedBy.app.displayName)),
           SourceIP = IPAddress
  | extend ModProps = tostring(TargetResources.modifiedProperties)
  // Keep only changes that touched a certificate or secret property.
  | where ModProps has_any (
        "KeyDescription","PasswordCredentials","KeyCredentials",
        "keyDescription","passwordCredentials","keyCredentials"
    )
  // Inner join: only credential changes on an active provisioning SP survive.
  | join kind=inner (ProvisioningSPs) on $left.TargetSPId == $right.SPId
  | project TimeGenerated, OperationName, Actor, SourceIP,
            TargetSPName, TargetSPId, ModProps, Result
  | order by TimeGenerated desc
entityMappings:
  - entityType: CloudApplication
    fieldMappings:
      - identifier: Name
        columnName: TargetSPName
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: Actor
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: SourceIP
customDetails:
  OperationName: OperationName
  TargetSPName: TargetSPName
  Actor: Actor
alertDetailsOverride:
  alertDisplayNameFormat: "Credentials added to provisioning SP {{TargetSPName}} by {{Actor}}"
  alertDescriptionFormat: "{{Actor}} added/rotated credentials on provisioning ServicePrincipal {{TargetSPName}}. Validate against approved certificate-rotation change ticket."
  alertSeverityColumnName: ""
  alertTacticsColumnName: ""
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: PT24H
    matchingMethod: AnyAlert
    groupByEntities:
      - CloudApplication
    groupByAlertDetails: []
    groupByCustomDetails: []

Explanation

This query detects when new credentials (client certificates or client secrets) are added to, or rotated on, a service principal that has been actively involved in provisioning operations within the last 14 days. Here's a simplified breakdown:

  1. Purpose: The query identifies a persistence risk by monitoring changes to service principal credentials. This matters because an attacker who adds their own credential to a provisioning SP can keep using the legitimate provisioning flow with a secret only they hold.

  2. Data Sources: It uses Azure Active Directory Audit Logs and Provisioning Logs.

  3. Detection Logic:

    • It first identifies service principals that have been involved in at least 10 provisioning events in the past 14 days.
    • It excludes any audit events from allowlisted IP addresses (approved automation), so that only potentially suspicious changes remain.
    • Then, it looks for audit events in the last hour where a credential property (KeyDescription, PasswordCredentials or KeyCredentials) was modified on one of those service principals.

  4. Alerting:

    • If such an event is detected, it triggers an alert with High severity.
    • The alert includes the operation name, the actor who initiated the change, the source IP address, and the target service principal's name and ID.

  5. MITRE ATT&CK Mapping: The query is mapped to T1098.001 (Account Manipulation: Additional Cloud Credentials) and T1550.001 (Use Alternate Authentication Material: Application Access Token).

  6. Incident Management: When an alert is triggered, it creates an incident and groups alerts for the same CloudApplication entity within 24 hours to streamline investigation.

In essence, this query helps security teams identify unauthorized or suspicious changes to service principal credentials, which could indicate a breach or misuse of provisioning capabilities in a cloud environment. Each hit should be validated against an approved certificate-rotation change ticket; app-initiated changes will show an empty source IP, so do not treat that as an allowlisted source.
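To make the detection logic concrete, here is a Python replay of the rule over constructed sample rows. This is an added example, not the rule author's code and not a Sentinel feature: the row shapes, the credential-list format inside modifiedProperties (JSON-encoded lists with a KeyIdentifier field) and the ALLOWLISTED_IPS set standing in for the tenant-defined ExcludeAllowlistedIPs() function are all assumptions. It goes one step beyond the KQL by diffing oldValue against newValue to name the credential that was added, which is the first thing an analyst needs when validating a hit against a rotation ticket.

```python
"""Replay of the rule's detection logic over constructed AAD log rows.

Added example, not part of the original rule. Row shapes follow the
AuditLogs / AADProvisioningLogs columns the KQL reads (InitiatedBy,
TargetResources[].modifiedProperties, ServicePrincipal), but every value
is constructed sample data, not exported from a tenant.
"""
import json
from collections import Counter
from datetime import datetime, timedelta, timezone

NOW = datetime(2026, 6, 1, 12, 0, tzinfo=timezone.utc)  # fixed clock for a reproducible run
ALLOWLISTED_IPS = {"203.0.113.10"}  # assumption: stands in for ExcludeAllowlistedIPs()
CRED_PROPS = ("keydescription", "passwordcredentials", "keycredentials")  # has_any is case-insensitive
CRED_OPS = ("Add service principal credentials",
            "Update application - Certificates and secrets management",
            "Update application", "Add owner to service principal", "Update service principal")


def provisioning_sps(prov_rows, now=NOW, lookback_days=14, min_events=10):
    """SPs with >= min_events provisioning events inside the lookback, as {SPId: SPName}."""
    cutoff = now - timedelta(days=lookback_days)
    counts, names = Counter(), {}
    for row in prov_rows:
        if row["TimeGenerated"] <= cutoff:
            continue
        sp = row["ServicePrincipal"]
        counts[sp["Id"]] += 1
        names[sp["Id"]] = sp["Name"]
    return {sp_id: names[sp_id] for sp_id, n in counts.items() if n >= min_events}


def actor_and_ip(initiated_by):
    """coalesce(user.userPrincipalName, app.displayName); app-initiated events carry no user IP."""
    user, app = initiated_by.get("user", {}), initiated_by.get("app", {})
    return user.get("userPrincipalName") or app.get("displayName", ""), user.get("ipAddress", "")


def credential_props(mod_props):
    """The ModProps has_any filter: modified properties that name a certificate/secret field."""
    return [p for p in mod_props if any(k in p["displayName"].lower() for k in CRED_PROPS)]


def added_credentials(props):
    """Triage enrichment: KeyIdentifiers present in newValue but not in oldValue (assumed format)."""
    added = []
    for prop in props:
        old = {c["KeyIdentifier"] for c in json.loads(prop.get("oldValue") or "[]")}
        new = {c["KeyIdentifier"] for c in json.loads(prop.get("newValue") or "[]")}
        added.extend(sorted(new - old))
    return added


def detect(audit_rows, prov_rows, now=NOW, window=timedelta(hours=1)):
    """One alert dict per credential change on an active provisioning SP, newest first."""
    inventory = provisioning_sps(prov_rows, now)
    alerts = []
    for row in audit_rows:
        actor, ip = actor_and_ip(row["InitiatedBy"])
        if ip in ALLOWLISTED_IPS or row["TimeGenerated"] <= now - window:
            continue  # allowlisted source or outside the 1h query window
        if not any(op.lower() in row["OperationName"].lower() for op in CRED_OPS):
            continue  # substring match approximates KQL's term-based has_any
        for target in row["TargetResources"]:  # mv-expand TargetResources
            props = credential_props(target.get("modifiedProperties", []))
            if props and target["id"] in inventory:  # ModProps filter + inner join on SPId
                alerts.append({"TimeGenerated": row["TimeGenerated"], "OperationName": row["OperationName"],
                               "Actor": actor, "SourceIP": ip, "TargetSPName": inventory[target["id"]],
                               "TargetSPId": target["id"], "AddedCredentialIds": added_credentials(props),
                               "Result": row["Result"]})
    return sorted(alerts, key=lambda a: a["TimeGenerated"], reverse=True)


def _audit(op, sp_id, sp_name, initiated_by, prop, old, new, minutes_ago=10):
    """Build one constructed AuditLogs row; old/new are JSON-encoded like real modifiedProperties."""
    return {"TimeGenerated": NOW - timedelta(minutes=minutes_ago), "OperationName": op, "Result": "success",
            "InitiatedBy": initiated_by,
            "TargetResources": [{"id": sp_id, "displayName": sp_name, "modifiedProperties": [
                {"displayName": prop, "oldValue": json.dumps(old), "newValue": json.dumps(new)}]}]}


# Constructed sample data (not real tenant logs).
MALLORY = {"user": {"userPrincipalName": "mallory@contoso.example", "ipAddress": "198.51.100.7"}}
ROTATOR = {"user": {"userPrincipalName": "svc-rotate@contoso.example", "ipAddress": "203.0.113.10"}}
ONE_KEY, TWO_KEYS = [{"KeyIdentifier": "k1"}], [{"KeyIdentifier": "k1"}, {"KeyIdentifier": "k9"}]
PROVISIONING_LOGS = (  # HR-SCIM: 12 events (active); Pilot-SCIM: 2 events (below the threshold)
    [{"TimeGenerated": NOW - timedelta(days=d), "ServicePrincipal": {"Id": "sp-hr", "Name": "HR-SCIM"}} for d in range(12)]
    + [{"TimeGenerated": NOW - timedelta(days=d), "ServicePrincipal": {"Id": "sp-pilot", "Name": "Pilot-SCIM"}} for d in range(2)]
)
AUDIT_LOGS = [
    _audit("Add service principal credentials", "sp-hr", "HR-SCIM", MALLORY, "PasswordCredentials", ONE_KEY, TWO_KEYS),  # alert
    _audit("Add service principal credentials", "sp-hr", "HR-SCIM", ROTATOR, "KeyCredentials", ONE_KEY, TWO_KEYS),  # allowlisted IP
    _audit("Add service principal credentials", "sp-pilot", "Pilot-SCIM", MALLORY, "PasswordCredentials", ONE_KEY, TWO_KEYS),  # not provisioning
    _audit("Update service principal", "sp-hr", "HR-SCIM", MALLORY, "DisplayName", "Old", "New"),  # no credential property touched
    _audit("Add service principal credentials", "sp-hr", "HR-SCIM", MALLORY, "KeyCredentials", ONE_KEY, TWO_KEYS, minutes_ago=90),  # outside window
]

if __name__ == "__main__":
    for alert in detect(AUDIT_LOGS, PROVISIONING_LOGS):
        print(json.dumps(alert, default=str, indent=2))
```

Of the five constructed audit rows only the first survives: the allowlisted rotation account, the non-provisioning SP, the non-credential property change and the stale event are each dropped by the corresponding stage of the rule, and the surviving alert names `k9` as the credential that appeared. Note that, like the KQL, the replay still alerts on a rotation that only removes a credential (the property changed); `AddedCredentialIds` is then empty, which is itself a useful triage signal.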

Details


David Alonso

Released: June 1, 2026

Tables

AADProvisioningLogs, AuditLogs

Keywords

Provisioning, ServicePrincipal, Credentials, AuditLogs, AADProvisioningLogs, CloudApplication, Account, IP

Operators

let, where, extend, tostring, parse_json, summarize, count, project, invoke, has_any, mv-expand, coalesce, join, on, order by, desc
