HQ 002 New App Immediate Credential Add
Query
// =========================================================================
// HQ-002: New Application Registration with Immediate Credential Addition
// =========================================================================
// Description : Joins app creation events with credential-add events within
// a 5-minute window. Legitimate DevOps pipelines register apps
// and add secrets, but so do ROADtools and MicroBurst when
// setting up OAuth infrastructure for token abuse or persistence.
// Review the actor and app display name for anomalies.
// MITRE ATT&CK: TA0003 Persistence
// T1098.001 – Additional Cloud Credentials
// Tools : ROADtools, MicroBurst, AADInternals, CloudKatana
// Severity : Medium-High
// Data Source : AuditLogs (Azure Active Directory)
// =========================================================================
let Lookback = 1d;
let CredWindow = 5m;
let AppCreations = AuditLogs
| where TimeGenerated > ago(Lookback)
| where ActivityDisplayName in (
"Add application",
"Create application \u2013 Certificates and secrets management ")
| extend AppObjectId = tostring(TargetResources[0].id)
| extend AppName = tostring(TargetResources[0].displayName)
| extend CreatorUPN = tostring(InitiatedBy.user.userPrincipalName)
| extend CreatorApp = tostring(InitiatedBy.app.displayName)
| extend CreatorActor = iff(isnotempty(CreatorUPN), CreatorUPN, CreatorApp)
| project CreatedAt = TimeGenerated, AppObjectId, AppName, CreatorActor, CreatorUPN, CreatorApp, CorrelationId;
let CredAdds = AuditLogs
| where TimeGenerated > ago(Lookback)
| where ActivityDisplayName in (
"Update application \u2013 Certificates and secrets management ",
"Create application \u2013 Certificates and secrets management ",
"Add service principal credentials",
"Update service principal")
| mv-expand Prop = TargetResources[0].modifiedProperties
| where tostring(Prop.displayName) has_any ("KeyCredentials","PasswordCredentials","Credential","Secret","Certificate")
| extend AppObjectId = tostring(TargetResources[0].id)
| extend AppName = tostring(TargetResources[0].displayName)
| extend CredActorUPN = tostring(InitiatedBy.user.userPrincipalName)
| extend CredActorApp = tostring(InitiatedBy.app.displayName)
| extend CredActor = iff(isnotempty(CredActorUPN), CredActorUPN, CredActorApp)
| extend CredType = tostring(Prop.displayName)
| project CredAddedAt = TimeGenerated, AppObjectId, AppName, CredActor, CredActorUPN, CredType;
AppCreations
| join kind=inner CredAdds on AppObjectId
| where CredAddedAt > CreatedAt
| where CredAddedAt <= CreatedAt + CredWindow
| extend MinutesBetween = datetime_diff('minute', CredAddedAt, CreatedAt)
| project
AppName,
AppObjectId,
CreatedAt,
CredAddedAt,
MinutesBetween,
CreatorActor,
CredActor,
CredType
| order by CreatedAt descExplanation
This query is designed to detect potentially suspicious activity in Azure Active Directory by identifying new applications that have credentials added to them within a short time frame. Here's a simplified breakdown:
-
Purpose: The query aims to find instances where a new application is registered and credentials (like secrets or certificates) are added to it within 5 minutes. This can be a legitimate action by DevOps teams, but it can also indicate malicious activity, such as setting up OAuth infrastructure for token abuse.
-
Data Source: It uses the
AuditLogsfrom Azure Active Directory to track these events. -
Steps:
- AppCreations: It first filters logs to find events where applications are created. It extracts details like the application ID, name, and the actor (user or app) who created it.
- CredAdds: It then filters logs to find events where credentials are added or updated for applications. It extracts similar details, including the type of credential added.
- Joining Data: The query joins these two sets of events on the application ID to find cases where credentials were added shortly after the application was created.
- Time Window: It ensures that the credential addition happened within 5 minutes after the application creation.
- Output: The results include details such as the application name, the time of creation and credential addition, the actors involved, and the type of credential added. The results are sorted by the creation time of the application.
-
Use Case: This query helps security teams monitor for unusual patterns that might indicate unauthorized or suspicious activities, such as the use of tools like ROADtools or MicroBurst for malicious purposes.
Details

David Alonso
Released: April 6, 2026
Tables
Keywords
Operators
MITRE Techniques