Query Details
// Create a summary of which resources each of your service principals is connecting to. The higher the count, the higher the potential blast radius.
// Data connector required for this query - Azure Active Directory - Service Principal Signin Logs
AADServicePrincipalSignInLogs
| where TimeGenerated > ago(30d)
| where ResultType == "0"
| summarize
    ['List of Azure Resources']=make_set(ResourceDisplayName),
    ['Count of Azure Resources']=dcount(ResourceDisplayName)
    by ServicePrincipalName
| sort by ['Count of Azure Resources'] desc

This query analyzes the sign-in logs of service principals in Azure Active Directory to determine which resources they are connecting to. The query filters the logs to include only the past 30 days and only successful sign-ins. It then groups the resources by service principal and provides a list of the Azure resources each service principal is connecting to. The count of Azure resources is also calculated, indicating the potential impact or "blast radius" of each service principal. The results are sorted in descending order based on the count of Azure resources.
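The same logic run against constructed rows, as an added example that is not part of the original query page, so the filters and the aggregation can be checked without the data connector. The sample rows, the names in them and the extra grouping on ServicePrincipalId (to keep apart principals that share a display name) are assumptions made for illustration.

```kql
// Constructed sample rows standing in for AADServicePrincipalSignInLogs (not real data).
// Age is converted to TimeGenerated below so the 30-day filter behaves the same on any day.
let SampleSignIns = datatable(
    Age:timespan,
    ServicePrincipalName:string,
    ServicePrincipalId:string,
    ResourceDisplayName:string,
    ResultType:string)
[
    // Hypothetical deployment principal reaching several resources
    1d,  "sp-deploy",  "00000000-0000-0000-0000-000000000001", "Azure Key Vault",                      "0",
    2d,  "sp-deploy",  "00000000-0000-0000-0000-000000000001", "Azure Storage",                        "0",
    3d,  "sp-deploy",  "00000000-0000-0000-0000-000000000001", "Windows Azure Service Management API", "0",
    // Repeat sign-in to the same resource: make_set and dcount collapse duplicates
    4d,  "sp-deploy",  "00000000-0000-0000-0000-000000000001", "Azure Key Vault",                      "0",
    // Failed sign-in (non-zero ResultType): dropped by the ResultType filter
    1d,  "sp-backup",  "00000000-0000-0000-0000-000000000002", "Microsoft Graph",                      "7000215",
    2d,  "sp-backup",  "00000000-0000-0000-0000-000000000002", "Azure Storage",                        "0",
    // Older than 30 days: dropped by the TimeGenerated filter
    45d, "sp-backup",  "00000000-0000-0000-0000-000000000002", "Azure Key Vault",                      "0",
    // Same display name as sp-deploy but a different object id
    5d,  "sp-deploy",  "00000000-0000-0000-0000-000000000003", "Microsoft Graph",                      "0"
]
| extend TimeGenerated = now() - Age;
SampleSignIns
| where TimeGenerated > ago(30d)
| where ResultType == "0"
| summarize
    ['List of Azure Resources']=make_set(ResourceDisplayName),
    ['Count of Azure Resources']=dcount(ResourceDisplayName)
    // Grouping on the id as well keeps same-named principals in separate rows
    by ServicePrincipalName, ServicePrincipalId
| sort by ['Count of Azure Resources'] desc
```

To run it against live data, replace `SampleSignIns` with `AADServicePrincipalSignInLogs` and drop the `let` statement.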

Matt Zorich
Released: June 17, 2022