Service Principal Authenticating from Anomalous IP Spread
21 Service Principal Anomalous IP Spread
Query
AADServicePrincipalSignInLogs
| where TimeGenerated > ago(24h)
| where ResultType == 0
| summarize
SignInCount = count(),
UniqueIPs = dcount(IPAddress),
IPs = make_set(IPAddress),
Countries = make_set(Location),
FirstSeen = min(TimeGenerated)
by ServicePrincipalName, ServicePrincipalId, AppId
| where UniqueIPs > 3
| extend IPAddress = tostring(IPs[0])
| order by UniqueIPs descExplanation
This query is designed to detect unusual behavior in service principals (workload identities) by identifying instances where they authenticate from four or more different IP addresses within a 24-hour period. Normally, service principals should authenticate from a consistent set of IP addresses, such as those belonging to application servers or pipelines. A wide spread of IP addresses could indicate that the credentials have been compromised and are being used by attackers from multiple locations.
Here's a simplified breakdown of the query:
-
Data Source: It uses logs from Azure Active Directory, specifically the
AADServicePrincipalSignInLogs. -
Time Frame: It examines sign-in logs from the past 24 hours.
-
Successful Logins: It filters for successful authentication attempts (
ResultType == 0). -
Aggregation: It counts the number of sign-ins and the number of distinct IP addresses used by each service principal.
-
Anomaly Detection: It flags service principals that have authenticated from more than three distinct IP addresses.
-
Alerting: If such an anomaly is detected, an alert is generated with details about the service principal and the IP addresses used.
-
Severity and Techniques: The alert is categorized with a medium severity and is associated with specific MITRE ATT&CK techniques related to credential access and persistence.
-
Incident Management: If an alert is triggered, an incident is created to facilitate investigation, with options for grouping related alerts.
The query is part of a community rule contributed by David Alonso and is intended for threat hunting and security monitoring purposes.
Details

David Alonso
Released: June 12, 2026
Tables
Keywords
Operators
Severity
MediumTactics
Frequency: PT4H
Period: PT24H