Query Details

21 Service Principal Anomalous IP Spread

Query

id: c6d2e4f5-a0b1-3c7d-8e9f-0a1b2c3d4e5f
name: Service Principal Authenticating from Anomalous IP Spread
description: |
  Community rule by David Alonso (https://github.com/davidalonsod/Dalonso-Security-Repo). Licensed under The Unlicense.

  Detects service principals (workload identities) successfully authenticating from
  4 or more distinct IP addresses in a 24-hour period. Legitimate service principals
  typically authenticate from a stable set of IPs (application servers, pipelines).
  Wide IP spread indicates compromised service principal credentials being used
  from multiple attacker machines or distributed attack infrastructure.
  MITRE ATT&CK: T1078.004 (Cloud Accounts), T1528
severity: Medium
requiredDataConnectors:
- connectorId: AzureActiveDirectory
  dataTypes:
  - AADServicePrincipalSignInLogs
queryFrequency: PT4H
queryPeriod: PT24H
triggerOperator: gt
triggerThreshold: 0
enabled: true
tactics:
- CredentialAccess
- Persistence
- LateralMovement
relevantTechniques:
- T1078
- T1528
query: |
  AADServicePrincipalSignInLogs
  | where TimeGenerated > ago(24h)
  | where ResultType == 0
  | summarize
      SignInCount = count(),
      UniqueIPs   = dcount(IPAddress),
      IPs         = make_set(IPAddress),
      Countries   = make_set(Location),
      FirstSeen   = min(TimeGenerated)
    by ServicePrincipalName, ServicePrincipalId, AppId
  | where UniqueIPs > 3
  | extend IPAddress = tostring(IPs[0])
  | order by UniqueIPs desc
entityMappings:
- entityType: CloudApplication
  fieldMappings:
  - identifier: Name
    columnName: ServicePrincipalName
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: IPAddress
alertDetailsOverride:
  alertDisplayNameFormat: 'Service Principal Anomaly - {{ServicePrincipalName}} authenticated from {{UniqueIPs}} distinct IPs'
  alertDescriptionFormat: 'Service principal ''{{ServicePrincipalName}}'' authenticated from {{UniqueIPs}} distinct IPs in 24 hours. Stable IP footprint expected for workload identities. Investigate for credential compromise.'
customDetails:
  ServicePrincipalId: ServicePrincipalId
  UniqueIPCount: UniqueIPs
  Countries: Countries
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: PT5H
    matchingMethod: AnyAlert
    groupByEntities:
    - CloudApplication
    groupByAlertDetails: []
    groupByCustomDetails: []
version: 1.0.0
kind: Scheduled
tags:
- Community
- David Alonso
- Threat Hunting

Explanation

This query is designed to detect unusual behavior in service principals (workload identities) by identifying instances where they authenticate from four or more different IP addresses within a 24-hour period. Normally, service principals should authenticate from a consistent set of IP addresses, such as those belonging to application servers or pipelines. A wide spread of IP addresses could indicate that the credentials have been compromised and are being used by attackers from multiple locations.

Here's a simplified breakdown of the query:

  1. Data Source: It uses logs from Azure Active Directory, specifically the AADServicePrincipalSignInLogs.

  2. Time Frame: It examines sign-in logs from the past 24 hours.

  3. Successful Logins: It filters for successful authentication attempts (ResultType == 0).

  4. Aggregation: It counts the number of sign-ins and the number of distinct IP addresses used by each service principal.

  5. Anomaly Detection: It flags service principals that have authenticated from more than three distinct IP addresses.

  6. Alerting: If such an anomaly is detected, an alert is generated with details about the service principal and the IP addresses used.

  7. Severity and Techniques: The alert is categorized with a medium severity and is associated with specific MITRE ATT&CK techniques related to credential access and persistence.

  8. Incident Management: If an alert is triggered, an incident is created to facilitate investigation, with options for grouping related alerts.

The query is part of a community rule contributed by David Alonso and is intended for threat hunting and security monitoring purposes.
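As an added illustration (not part of the rule or its author's code), the Python below reproduces the KQL aggregation over constructed sample rows shaped like AADServicePrincipalSignInLogs. It shows that only successful sign-ins inside the 24-hour window count toward the spread, that the threshold is strictly more than three distinct IPs, and that the `extend IPAddress = tostring(IPs[0])` step hands only one of the flagged addresses to the IP entity.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed rows shaped like AADServicePrincipalSignInLogs (not real telemetry):
# (TimeGenerated, ServicePrincipalName, ServicePrincipalId, AppId, IPAddress, Location, ResultType)
NOW = datetime(2026, 6, 12, 12, 0, tzinfo=timezone.utc)
SAMPLE_LOGS = [
    (NOW - timedelta(hours=1),  "build-pipeline", "sp-1", "app-1", "203.0.113.10", "US", "0"),
    (NOW - timedelta(hours=2),  "build-pipeline", "sp-1", "app-1", "203.0.113.11", "US", "0"),
    (NOW - timedelta(hours=3),  "build-pipeline", "sp-1", "app-1", "203.0.113.12", "US", "0"),
    (NOW - timedelta(hours=1),  "backup-agent",   "sp-2", "app-2", "198.51.100.5", "US", "0"),
    (NOW - timedelta(hours=4),  "backup-agent",   "sp-2", "app-2", "198.51.100.9", "DE", "0"),
    (NOW - timedelta(hours=6),  "backup-agent",   "sp-2", "app-2", "192.0.2.77",   "BR", "0"),
    (NOW - timedelta(hours=9),  "backup-agent",   "sp-2", "app-2", "192.0.2.78",   "BR", "0"),
    (NOW - timedelta(hours=30), "backup-agent",   "sp-2", "app-2", "192.0.2.200",  "RU", "0"),     # outside 24h
    (NOW - timedelta(hours=2),  "legacy-sync",    "sp-3", "app-3", "192.0.2.1",    "US", "0"),
    (NOW - timedelta(hours=3),  "legacy-sync",    "sp-3", "app-3", "192.0.2.2",    "US", "0"),
    (NOW - timedelta(hours=5),  "legacy-sync",    "sp-3", "app-3", "192.0.2.3",    "US", "0"),
    (NOW - timedelta(hours=7),  "legacy-sync",    "sp-3", "app-3", "192.0.2.4",    "US", "50126"), # failed sign-in
]

def anomalous_ip_spread(rows, now=NOW, window=timedelta(hours=24), threshold=3):
    """Mirror the rule's KQL: successful sign-ins inside the window, summarized per
    service principal, kept when UniqueIPs > threshold, ordered by UniqueIPs desc."""
    groups = defaultdict(list)
    for ts, name, sp_id, app_id, ip, loc, result in rows:
        if ts <= now - window or result != "0":   # TimeGenerated > ago(24h), ResultType == 0
            continue
        groups[(name, sp_id, app_id)].append((ts, ip, loc))
    results = []
    for (name, sp_id, app_id), events in groups.items():
        ips = list(dict.fromkeys(ip for _, ip, _ in events))   # make_set(IPAddress), first-seen order
        if len(ips) <= threshold:                               # where UniqueIPs > 3
            continue
        results.append({
            "ServicePrincipalName": name, "ServicePrincipalId": sp_id, "AppId": app_id,
            "SignInCount": len(events),                          # count()
            "UniqueIPs": len(ips),                               # dcount(IPAddress)
            "IPs": ips,
            "Countries": sorted({loc for _, _, loc in events}),  # make_set(Location)
            "FirstSeen": min(ts for ts, _, _ in events),         # min(TimeGenerated)
            # extend IPAddress = tostring(IPs[0]): the IP entity receives only one of the
            # flagged addresses; KQL make_set gives no ordering guarantee, so which one is arbitrary.
            "IPAddress": ips[0],
        })
    results.sort(key=lambda r: r["UniqueIPs"], reverse=True)    # order by UniqueIPs desc
    return results
```

Running `anomalous_ip_spread(SAMPLE_LOGS)` flags only `backup-agent`: its fifth IP is outside the window, and `legacy-sync` stays below the threshold because its fourth IP comes from a failed sign-in.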

Details

David Alonso

Released: June 12, 2026

Tables

AADServicePrincipalSignInLogs

Keywords

AzureActiveDirectory, AADServicePrincipalSignInLogs, ServicePrincipalName, ServicePrincipalId, AppId, IPAddress, Location, TimeGenerated, CloudApplication, IP

Operators

where, summarize, count, dcount, make_set, min, extend, tostring, order by