Query Details

Credential Added to Application Registration Outside Business Hours

AR 003 App Credential Added Outside Business Hours

Query

// --- Configurable thresholds ---
let BusinessHoursStart = 8;   // 08:00 UTC
let BusinessHoursEnd   = 20;  // 20:00 UTC
// --------------------------------
AuditLogs
| where TimeGenerated > ago(1d)
| where ActivityDisplayName in (
    "Update application \u2013 Certificates and secrets management ",
    "Create application \u2013 Certificates and secrets management ",
    "Add service principal credentials",
    "Update service principal")
| mv-expand Prop = TargetResources[0].modifiedProperties
| where tostring(Prop.displayName) has_any (
    "KeyCredentials",
    "PasswordCredentials",
    "Credential",
    "Secret",
    "Certificate")
| where Result == "success"
| extend HourOfDay  = toint(format_datetime(TimeGenerated, "HH"))
| extend DayOfWeek  = dayofweek(TimeGenerated) / 1d  // 0=Sun, 6=Sat
| where HourOfDay < BusinessHoursStart
     or HourOfDay >= BusinessHoursEnd
     or DayOfWeek == 0
     or DayOfWeek == 6
| extend InitiatedByUPN = tostring(InitiatedBy.user.userPrincipalName)
| extend InitiatedByApp = tostring(InitiatedBy.app.displayName)
| extend Actor          = iff(isnotempty(InitiatedByUPN), InitiatedByUPN, InitiatedByApp)
| extend TargetApp      = tostring(TargetResources[0].displayName)
| extend TargetAppId    = tostring(TargetResources[0].id)
| extend CredType       = tostring(Prop.displayName)
| project
    TimeGenerated,
    Actor,
    InitiatedByUPN,
    TargetApp,
    TargetAppId,
    CredType,
    HourOfDay,
    DayOfWeek,
    ActivityDisplayName,
    LoggedByService,
    CorrelationId

Explanation

This query is designed to detect suspicious activity involving the addition of credentials (like secrets or certificates) to application registrations in Microsoft Entra ID (formerly Azure Active Directory) outside of normal business hours. Here's a simple breakdown:

  1. Purpose: The query identifies when credentials are added to applications outside of typical working hours (8:00 AM to 8:00 PM UTC) or during weekends. This is important because attackers might exploit compromised admin accounts to add credentials to high-value applications, ensuring their access persists even after password resets.

  2. Data Source: It uses audit logs from Azure Active Directory to track these changes.

  3. Detection Logic:

    • The query looks for specific activities related to credential management in applications, such as updating or creating certificates and secrets.
    • It checks if these activities occurred outside the defined business hours or on weekends.
    • If such activities are detected, it collects details like the time of the activity, the user or application that initiated it, the target application, and the type of credential added.
  4. Alerting: If any out-of-hours credential additions are found, an alert is generated. The alert includes details about who made the change, what type of credential was added, and to which application, along with the time of the activity.

  5. Customization: The business hours can be adjusted to fit the organization's specific working hours.

  6. Severity and Response: The severity of this alert is marked as "Medium," indicating that while it may not be immediately critical, it requires investigation to rule out malicious activity.

Overall, this query helps organizations monitor and respond to potentially unauthorized changes to application credentials, enhancing security by identifying anomalies that could indicate a security breach.

Details

David Alonso profile picture

David Alonso

Released: April 6, 2026

Tables

AuditLogs

Keywords

AuditLogsEntraIDApplicationRegistrationGlobalAdminDevOpsUTCActorCredentialSecretCertificateTargetAppTargetAppIdInitiatedByUPNInitiatedByApp

Operators

letagoinmv-expandtostringhas_anytointformat_datetimedayofweekoriffisnotemptyproject

Severity

Medium

Tactics

Persistence

MITRE Techniques

Frequency: 1h

Period: 1d

Actions

GitHub