Service Principal Sign In From New Country
Query
let KnownCountries = AADServicePrincipalSignInLogs
| where TimeGenerated between (ago(14d) .. ago(70m))
| where ResultType == 0
| extend Country = tostring(todynamic(LocationDetails).countryOrRegion)
| summarize by AppId, Country;
AADServicePrincipalSignInLogs
| where ingestion_time() > ago(60m)
| where ResultType == 0
| extend Country = tostring(todynamic(LocationDetails).countryOrRegion)
| join kind=leftanti KnownCountries on AppId, CountryExplanation
This query is designed to detect unusual sign-in activity by service principals in Azure Active Directory. Here's a simplified breakdown of what it does:
-
Purpose: The query identifies successful sign-ins by service principals from countries that have not been observed in the last 14 days. This could indicate that the credentials have been compromised and are being used from an unexpected location.
-
Baseline Establishment: It first creates a list of "known" countries for each service principal (identified by AppId) based on successful sign-ins over the past 14 days.
-
Detection of Anomalies: It then checks for any new sign-ins in the last hour and compares them against this list. If a sign-in occurs from a country not in the baseline, it is flagged as suspicious.
-
Alert Configuration: If such an anomaly is detected, an alert is generated with a medium severity level. The alert is configured to create an incident, and similar alerts can be grouped together for better incident management.
-
Frequency and Period: The query runs every hour and looks back over a 14-day period to establish the baseline.
-
Tactics and Techniques: It is associated with the "Initial Access" tactic and the technique "T1078.004", which relates to compromised credentials.
Overall, this query helps in identifying potential security threats by monitoring for unusual sign-in patterns by service principals.
Details

Fabian Bader
Released: February 5, 2026
Tables
Keywords
Operators
Severity
MediumTactics
MITRE Techniques
Frequency: 1h
Period: 14d