HUNT-06 New ServicePrincipals Performing Provisioning (30d vs 90d)
HUNT 06 AAD Prov New Service Principals 30v90d
Query
let Recent =
AADProvisioningLogs
| where TimeGenerated > ago(30d)
| extend SPName = tostring(parse_json(ServicePrincipal).Name),
SPId = tostring(parse_json(ServicePrincipal).Id)
| summarize
Events = count(),
FirstSeen = min(TimeGenerated),
LastSeen = max(TimeGenerated),
Operations = make_set(OperationName, 10),
Targets = dcount(TargetIdentity)
by SPId, SPName;
let Historical =
AADProvisioningLogs
| where TimeGenerated between (ago(120d) .. ago(30d))
| extend SPId = tostring(parse_json(ServicePrincipal).Id)
| distinct SPId;
Recent
| join kind=leftanti (Historical) on SPId
| order by Events descExplanation
This query is designed to identify new service principals (SPs) that have been actively involved in provisioning activities within the last 30 days but were not active in the preceding 60 days. Here's a simple breakdown of what the query does:
-
Data Source: It uses data from Azure Active Directory's provisioning logs.
-
Recent Activity: The query first looks at provisioning logs from the last 30 days. It extracts the name and ID of each service principal and summarizes their activity, including the number of events, the first and last time they were seen, the types of operations they performed, and the number of unique targets they interacted with.
-
Historical Activity: It then checks the logs from 30 to 120 days ago to find service principals that were active during that period.
-
Comparison: The query compares the two sets of data to find service principals that are active in the recent period but were not present in the historical period.
-
Output: The result is a list of service principals that are newly active in the last 30 days, sorted by the number of events they were involved in, in descending order.
This query is useful for identifying potentially suspicious new service principals that might be involved in persistence tactics, as defined by the MITRE ATT&CK framework technique T1136 (Create Account).
Details

David Alonso
Released: June 1, 2026
Tables
Keywords
Operators
Severity
MediumTactics
MITRE Techniques