Query Details

Service Principal Authenticating from Anomalous IP Spread

21 Service Principal Anomalous IP Spread

Query

AADServicePrincipalSignInLogs
| where TimeGenerated > ago(24h)
| where ResultType == 0
| summarize
    SignInCount = count(),
    UniqueIPs   = dcount(IPAddress),
    IPs         = make_set(IPAddress),
    Countries   = make_set(Location),
    FirstSeen   = min(TimeGenerated)
  by ServicePrincipalName, ServicePrincipalId, AppId
| where UniqueIPs > 3
| extend IPAddress = tostring(IPs[0])
| order by UniqueIPs desc

Explanation

This query is designed to detect unusual behavior in service principals (workload identities) by identifying instances where they authenticate from four or more different IP addresses within a 24-hour period. Normally, service principals should authenticate from a consistent set of IP addresses, such as those belonging to application servers or pipelines. A wide spread of IP addresses could indicate that the credentials have been compromised and are being used by attackers from multiple locations.

Here's a simplified breakdown of the query:

  1. Data Source: It uses logs from Azure Active Directory, specifically the AADServicePrincipalSignInLogs.

  2. Time Frame: It examines sign-in logs from the past 24 hours.

  3. Successful Logins: It filters for successful authentication attempts (ResultType == 0).

  4. Aggregation: It counts the number of sign-ins and the number of distinct IP addresses used by each service principal.

  5. Anomaly Detection: It flags service principals that have authenticated from more than three distinct IP addresses.

  6. Alerting: If such an anomaly is detected, an alert is generated with details about the service principal and the IP addresses used.

  7. Severity and Techniques: The alert is categorized with a medium severity and is associated with specific MITRE ATT&CK techniques related to credential access and persistence.

  8. Incident Management: If an alert is triggered, an incident is created to facilitate investigation, with options for grouping related alerts.

The query is part of a community rule contributed by David Alonso and is intended for threat hunting and security monitoring purposes.

Details

David Alonso profile picture

David Alonso

Released: June 12, 2026

Tables

AADServicePrincipalSignInLogs

Keywords

AzureActiveDirectoryAADServicePrincipalSignInLogsServicePrincipalNameServicePrincipalIdAppIdIPAddressLocationTimeGeneratedCloudApplicationIP

Operators

wheresummarizecountdcountmake_setminextendtostringorder by

Severity

Medium

Tactics

CredentialAccessPersistenceLateralMovement

MITRE Techniques

Frequency: PT4H

Period: PT24H

Actions

GitHub