KQL Search

Query Details

HomeAI ToolsDevice Query

Identity Service Principals Multiple Locations

Query

//Find Azure AD service principals that are logging on from multiple locations, this should be less common than with user accounts

//Data connector required for this query - Azure Active Directory - Service Principal Signin Logs

//Return the IP addresses used to sign in and see if you can build conditional access policies around them
//Microsoft Sentinel Query
AADServicePrincipalSignInLogs
| where TimeGenerated > ago(30d)
| where ResultType == "0"
| where isnotempty(Location)
| summarize
    ['Count of Locations']=dcount(Location),
    ['List of Locations']=make_set(Location),
    ['Count of IP Addresses']=dcount(IPAddress),
    ['List of IP Addresses']=make_set(IPAddress)
    by ServicePrincipalName, AppId
| where ['Count of Locations'] >= 2

//Advanced Hunting query

//Data connector required for this query - Advanced Hunting with Azure AD P2 License

AADSpnSignInEventsBeta
| where Timestamp > ago(30d)
| where ErrorCode == "0"
| where isnotempty(Country)
| summarize
    ['Count of Locations']=dcount(Country),
    ['List of Locations']=make_set(Country),
    ['Count of IP Addresses']=dcount(IPAddress),
    ['List of IP Addresses']=make_set(IPAddress)
    by ServicePrincipalName, ApplicationId
| where ['Count of Locations'] >= 2

Explanation

This query is used to find Azure AD service principals that are logging on from multiple locations. It retrieves the IP addresses used to sign in and provides a count and list of the locations and IP addresses. The query can be used to build conditional access policies based on these findings.

Details

Matt Zorich profile picture

Matt Zorich

Released: June 17, 2022

Tables

AADServicePrincipalSignInLogsAADSpnSignInEventsBeta

Keywords

AzureAD,ServicePrincipal,SigninLogs,IPAddresses,ConditionalAccessPolicies,MicrosoftSentinel,AdvancedHunting,AzureADP2License,Country

Operators

whereTimeGeneratedagoResultTypeisnotemptysummarizedcountmake_setbywhere['Count of Locations']['List of Locations']['Count of IP Addresses']['List of IP Addresses']ServicePrincipalNameAppId['Count of Locations']['List of Locations']['Count of IP Addresses']['List of IP Addresses']whereTimestampErrorCodeisnotemptysummarizedcountmake_setbyServicePrincipalNameApplicationId['Count of Locations']['List of Locations']['Count of IP Addresses']['List of IP Addresses']where['Count of Locations']

Actions