Query Details
//Detects users who add a service principal to Azure AD for the first time.
//Data connector required for this query - Azure Active Directory - Audit Logs
//Baseline: every user who added a service principal between 90 days and 1 day ago.
let knownusers=
AuditLogs
| where TimeGenerated > ago(90d) and TimeGenerated < ago(1d)
| where OperationName == "Add service principal"
| extend Actor = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
| where isnotempty(Actor)
| distinct Actor;
//Detection: additions in the last day by a user who is absent from that baseline.
AuditLogs
| where TimeGenerated > ago(1d)
| where OperationName == "Add service principal"
| extend Actor = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
| where isnotempty(Actor)
| where Actor !in (knownusers)
//AppId of the new service principal is read from the second AdditionalDetails entry.
| extend AppId = tostring(AdditionalDetails[1].value)
| project TimeGenerated, Actor, AppId

This query detects users who have added a service principal to Azure AD for the first time. It uses the Azure Active Directory - Audit Logs data connector.
First, it retrieves a list of known users who have performed this action in the past 90 days.
Then, it searches for recent audit logs where the operation is "Add service principal" and the actor (user) is not in the list of known users.
Finally, it projects the time generated, actor (user), and application ID for the service principal.
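As an added illustration that is not part of the original query page, the same first-seen logic in Python run over constructed AuditLogs-style rows; it assumes the application id sits under an "AppId" key of AdditionalDetails and looks it up by key rather than by the fixed position the KQL uses, which survives schema reordering.

```python
from datetime import datetime, timedelta, timezone

NOW = datetime(2022, 6, 17, tzinfo=timezone.utc)  # constructed "query time"

# Constructed AuditLogs-style rows (not real tenant data), shaped like the
# dynamic InitiatedBy and AdditionalDetails columns the KQL query parses.
def row(days_ago, upn, app_id, op="Add service principal"):
    return {"TimeGenerated": NOW - timedelta(days=days_ago), "OperationName": op,
            "InitiatedBy": {"user": {"userPrincipalName": upn} if upn else None},
            "AdditionalDetails": [{"key": "User-Agent", "value": "Mozilla/5.0"},
                                  {"key": "AppId", "value": app_id}]}

SAMPLE_LOGS = [
    row(45, "alice@contoso.example", "aaaa-1111"),    # baseline: alice is a known actor
    row(0.5, "alice@contoso.example", "aaaa-2222"),   # recent, known -> not alerted
    row(0.2, "mallory@contoso.example", "bbbb-3333"), # recent, never seen -> alert
    row(0.1, None, "cccc-4444"),                      # app-initiated, no UPN -> skipped
    row(0.3, "bob@contoso.example", "dddd-5555", op="Update application"),  # other op
    row(120, "carol@contoso.example", "eeee-6666"),   # older than the 90d baseline
    row(0.4, "carol@contoso.example", "eeee-7777"),   # baseline expired -> alert again
]

def actor_of(r):
    """Mirror InitiatedBy.user.userPrincipalName; '' when no user initiated the event."""
    return ((r.get("InitiatedBy") or {}).get("user") or {}).get("userPrincipalName") or ""

def app_id_of(r):
    """Find the AppId entry by key (assumed key name) instead of the fixed index [1]."""
    for d in r.get("AdditionalDetails") or []:
        if d.get("key") == "AppId":
            return d.get("value", "")
    return ""

def first_time_sp_creators(logs, now=NOW, baseline_days=90, recent_days=1):
    """Return (TimeGenerated, Actor, AppId) for actors absent from the baseline window."""
    op = "Add service principal"
    baseline_start = now - timedelta(days=baseline_days)
    recent_start = now - timedelta(days=recent_days)
    # knownusers: distinct actors seen between ago(90d) and ago(1d), empty actors dropped
    known = {actor_of(r) for r in logs
             if baseline_start < r["TimeGenerated"] < recent_start
             and r["OperationName"] == op and actor_of(r)}
    # last-day additions whose actor is not in knownusers
    return [(r["TimeGenerated"], actor_of(r), app_id_of(r)) for r in logs
            if r["TimeGenerated"] > recent_start and r["OperationName"] == op
            and actor_of(r) and actor_of(r) not in known]
```

Note that carol fires again because her only prior addition is older than the 90-day baseline, the same behaviour the KQL window produces.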

Matt Zorich
Released: June 17, 2022