Query Details

AR 003 App Credential Added Outside Business Hours

Query

id: c3d4e5f6-0003-4061-a123-ccddeeff0011
name: Credential Added to Application Registration Outside Business Hours
description: |
  Detects a new secret or certificate being added to an existing Entra ID
  application registration or service principal between 20:00 and 08:00 UTC,
  or at any hour on a Saturday or Sunday.
  Attackers who have compromised a Global Administrator or Application
  Administrator account add credentials to high-value apps to establish
  persistence that survives password resets of the compromised user.
  Administrative changes are expected during working hours, so out-of-hours
  changes are anomalous and require investigation. Pipelines that rotate
  credentials on a schedule will also match (they appear with InitiatedByApp
  set and InitiatedByUPN empty); tune those out by actor rather than by
  widening the time window.

  The query evaluates the hour in UTC. Set BusinessHoursStart and
  BusinessHoursEnd to your organization's working hours converted to UTC,
  and revisit them when daylight-saving time changes the offset.

  Reference: MicroBurst   https://github.com/NetSPI/MicroBurst
             AADInternals  https://github.com/Gerenios/AADInternals
severity: Medium
requiredDataConnectors:
  - connectorId: AzureActiveDirectory
    dataTypes:
      - AuditLogs
queryFrequency: 1h
queryPeriod: 1h   # equal to queryFrequency, so each event is evaluated by exactly one run
triggerOperator: gt
triggerThreshold: 0
status: Available
tactics:
  - Persistence
relevantTechniques:
  - T1098.001
query: |
  // --- Configurable thresholds ---
  let BusinessHoursStart = 8;   // 08:00 UTC
  let BusinessHoursEnd   = 20;  // 20:00 UTC
  // --------------------------------
  AuditLogs
  | where TimeGenerated > ago(1h)   // lookback; should equal queryFrequency so each event is evaluated once
  // The en dash and the trailing space in the first two names are part of the logged value
  | where ActivityDisplayName in (
      "Update application – Certificates and secrets management ",
      "Create application – Certificates and secrets management ",
      "Add service principal credentials",
      "Update service principal")
  | mv-expand Prop = TargetResources[0].modifiedProperties
  | where tostring(Prop.displayName) has_any (
      "KeyCredentials",
      "PasswordCredentials",
      "Credential",
      "Secret",
      "Certificate")
  | where Result == "success"
  | extend HourOfDay  = toint(format_datetime(TimeGenerated, "HH"))
  | extend DayOfWeek  = dayofweek(TimeGenerated) / 1d  // 0=Sun, 6=Sat
  | where HourOfDay < BusinessHoursStart
       or HourOfDay >= BusinessHoursEnd
       or DayOfWeek == 0
       or DayOfWeek == 6
  | extend InitiatedByUPN = tostring(InitiatedBy.user.userPrincipalName)
  | extend InitiatedByApp = tostring(InitiatedBy.app.displayName)
  | extend Actor          = iff(isnotempty(InitiatedByUPN), InitiatedByUPN, InitiatedByApp)
  | extend TargetApp      = tostring(TargetResources[0].displayName)
  | extend TargetAppId    = tostring(TargetResources[0].id)   // directory object id of the app, not its client (application) id
  | extend CredType       = tostring(Prop.displayName)
  | project
      TimeGenerated,
      Actor,
      InitiatedByUPN,
      TargetApp,
      TargetAppId,
      CredType,
      HourOfDay,
      DayOfWeek,
      ActivityDisplayName,
      LoggedByService,
      CorrelationId

entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: InitiatedByUPN
  - entityType: CloudApplication
    fieldMappings:
      - identifier: Name
        columnName: TargetApp

customDetails:
  TargetAppId: TargetAppId
  CredentialType: CredType
  HourUTC: HourOfDay

alertDetailsOverride:
  alertDisplayNameFormat: "Out-of-hours credential add to app '{{TargetApp}}' by {{Actor}} at hour {{HourOfDay}} UTC"
  alertDescriptionFormat: "Actor {{Actor}} added a {{CredType}} credential to application '{{TargetApp}}' ({{TargetAppId}}) at {{TimeGenerated}} UTC (hour {{HourOfDay}}, day {{DayOfWeek}}), which is outside business hours."

suppressionDuration: PT4H
suppressionEnabled: false
version: 1.0.0
kind: Scheduled

Explanation

This query is designed to detect suspicious activity involving the addition of credentials (like secrets or certificates) to application registrations in Microsoft Entra ID (formerly Azure Active Directory) outside of normal business hours. Here's a simple breakdown:

  1. Purpose: The query identifies when credentials are added to applications outside of typical working hours (8:00 AM to 8:00 PM UTC) or during weekends. This is important because attackers might exploit compromised admin accounts to add credentials to high-value applications, ensuring their access persists even after password resets.

  2. Data Source: It uses the AuditLogs table from the Entra ID (Azure Active Directory) data connector to track these changes.

  3. Detection Logic:

    • The query looks for the audit activities that record credential management on applications and service principals, such as updating or creating certificates and secrets, and keeps only successful ones.
    • It checks whether each change occurred outside the defined business hours or on a weekend.
    • For each match it collects the time of the activity, the user or application that initiated it, the target application, and the type of credential property that changed.

  4. Alerting: If any out-of-hours credential additions are found, an alert is generated. The alert includes who made the change, what type of credential was added, and to which application, along with the time of the activity.

  5. Customization: The business hours can be adjusted to fit the organization's specific working hours.

  6. Severity and Response: The severity of this alert is marked as "Medium," indicating that while it may not be immediately critical, it requires investigation to rule out malicious activity.

Overall, this query helps organizations monitor and respond to potentially unauthorized changes to application credentials, enhancing security by identifying anomalies that could indicate a security breach.
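To check the rule's boundary conditions before deploying it, here is the same detection logic reimplemented in Python and run over a handful of constructed AuditLogs-shaped rows. This is an added example and not part of the original rule or page: the rows, the application name and object id, the actor names and the optional allowlisted_apps parameter are all assumptions made for illustration, and has_any_term only approximates KQL's term matching.

```python
# Added example modelled on the KQL rule above (not the rule's own code). Rows below
# are constructed to mimic Sentinel AuditLogs; allowlisted_apps is a hypothetical extension.
import re
from datetime import datetime, timezone

BUSINESS_HOURS_START = 8   # 08:00 UTC, inclusive (same as the rule's variables)
BUSINESS_HOURS_END = 20    # 20:00 UTC, exclusive

# Activity names as Entra ID writes them: the first two contain an en dash and
# a trailing space, both of which are part of the real logged value.
UPDATE_APP = "Update application \u2013 Certificates and secrets management "
CREDENTIAL_ACTIVITIES = {
    UPDATE_APP,
    "Create application \u2013 Certificates and secrets management ",
    "Add service principal credentials",
    "Update service principal",
}
CREDENTIAL_PROPERTY_TERMS = ("KeyCredentials", "PasswordCredentials",
                             "Credential", "Secret", "Certificate")


def kql_dayofweek(ts):
    """KQL dayofweek()/1d numbering: 0 = Sunday ... 6 = Saturday."""
    return (ts.weekday() + 1) % 7


def is_outside_business_hours(ts):
    """The rule's where clause, evaluated in UTC: before start, at/after end, or weekend."""
    ts = ts.astimezone(timezone.utc)
    return (ts.hour < BUSINESS_HOURS_START or ts.hour >= BUSINESS_HOURS_END
            or kql_dayofweek(ts) in (0, 6))


def has_any_term(value, terms):
    """Approximates KQL has_any: case-insensitive whole-term match, so the term
    "Credential" on its own does not match inside "KeyCredentials"."""
    tokens = {t.lower() for t in re.findall(r"\w+", value)}
    return any(term.lower() in tokens for term in terms)


def detect(records, allowlisted_apps=frozenset()):
    """One alert per credential property changed outside business hours,
    mirroring the rule's mv-expand over TargetResources[0].modifiedProperties."""
    alerts = []
    for rec in records:
        if rec.get("Result") != "success" or rec.get("ActivityDisplayName") not in CREDENTIAL_ACTIVITIES:
            continue
        ts = datetime.fromisoformat(rec["TimeGenerated"]).astimezone(timezone.utc)
        if not is_outside_business_hours(ts):
            continue
        initiated = rec.get("InitiatedBy", {})
        upn = initiated.get("user", {}).get("userPrincipalName", "")
        app = initiated.get("app", {}).get("displayName", "")
        if not upn and app in allowlisted_apps:   # scheduled rotation by a known pipeline
            continue
        target = rec["TargetResources"][0]
        for prop in target.get("modifiedProperties", []):
            name = prop.get("displayName", "")
            if has_any_term(name, CREDENTIAL_PROPERTY_TERMS):
                alerts.append({
                    "TimeGenerated": ts.isoformat(),
                    "Actor": upn or app,
                    "TargetApp": target.get("displayName"),
                    "TargetAppId": target.get("id"),  # directory object id, not the client (app) id
                    "CredType": name,
                    "HourOfDay": ts.hour,
                    "DayOfWeek": kql_dayofweek(ts),
                })
    return alerts


def _rec(time, activity, props, user=None, app=None, result="success"):
    """Build a constructed AuditLogs-shaped row (sample data, not real tenant logs)."""
    initiated = {"user": {"userPrincipalName": user}} if user else {"app": {"displayName": app}}
    target = {"displayName": "payroll-api", "id": "6f1a2b3c-0000-4000-8000-000000000001",
              "modifiedProperties": [{"displayName": p} for p in props]}   # constructed
    return {"TimeGenerated": time, "ActivityDisplayName": activity, "Result": result,
            "InitiatedBy": initiated, "TargetResources": [target]}


ADMIN = "admin@contoso.example"   # constructed
SAMPLE_RECORDS = [
    _rec("2026-04-06T22:30:00+00:00", UPDATE_APP, ["KeyCredentials"], user=ADMIN),       # Mon 22:30 -> alert
    _rec("2026-04-06T08:00:00+00:00", UPDATE_APP, ["PasswordCredentials"], user=ADMIN),  # Mon 08:00 -> in hours
    _rec("2026-04-06T20:00:00+00:00", UPDATE_APP, ["PasswordCredentials"], user=ADMIN),  # Mon 20:00 -> alert
    _rec("2026-04-04T13:00:00+00:00", "Add service principal credentials",
         ["PasswordCredentials"], app="release-pipeline-sp"),                             # Sat -> alert
    _rec("2026-04-06T03:00:00+00:00", UPDATE_APP, ["KeyCredentials"], user=ADMIN,
         result="failure"),                                                               # failed -> dropped
    _rec("2026-04-06T23:00:00+00:00", "Update service principal",
         ["AppRoleAssignmentRequired"], user=ADMIN),                                      # no credential -> dropped
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_RECORDS):
        print(alert)
    print("with release-pipeline-sp allow-listed:", len(detect(SAMPLE_RECORDS, {"release-pipeline-sp"})))
```

Running it confirms that 08:00 UTC counts as the first business hour while 20:00 UTC is already out of hours, that a failed attempt and a non-credential update to a service principal are dropped, and that a Saturday secret rotation by a pipeline service principal fires unless its display name is allow-listed. The same six rows can be turned into a KQL datatable to exercise the real rule in Log Analytics before enabling it.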

Details


David Alonso

Released: April 6, 2026

Tables

AuditLogs

Keywords

AuditLogs, Entra ID, Application Registration, Global Admin, Application Admin, DevOps, UTC, Actor, Credential, Secret, Certificate, TargetApp, TargetAppId, InitiatedByUPN, InitiatedByApp

Operators

let, ago, in, mv-expand, tostring, has_any, toint, format_datetime, dayofweek, or, iff, isnotempty, project
