Query Details

Service Principal Sign In From New Country

Query

id: a69eaa7b-d74b-45e7-b656-f64daad61b3d
name: Service Principal Sign-in from New Country
version: 1.0.0
kind: Scheduled
description: This rule detects successful sign-ins (ResultType == 0) by a Service Principal from a country that has not been observed in the preceding 14 days. It establishes a baseline of "known" locations for each AppId over a two-week period and alerts when a login occurs from a location outside of this baseline. This behavior may indicate that a Service Principal's credentials have been compromised and are being used from an anomalous location.
severity: Medium
queryFrequency: 1h
queryPeriod: 14d
triggerOperator: gt
triggerThreshold: 0
tactics:
- InitialAccess
relevantTechniques:
- T1078.004
query: |-
  let KnownCountries = AADServicePrincipalSignInLogs
      | where TimeGenerated between (ago(14d) .. ago(70m)) 
      | where ResultType == 0
      | extend Country = tostring(todynamic(LocationDetails).countryOrRegion)
      | summarize by AppId, Country;
  AADServicePrincipalSignInLogs
  | where ingestion_time() > ago(60m)
  | where ResultType == 0
  | extend Country = tostring(todynamic(LocationDetails).countryOrRegion)
  | join kind=leftanti KnownCountries on AppId, Country
suppressionEnabled: false
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: 5h
    matchingMethod: AllEntities
    groupByEntities: []
    groupByAlertDetails: []
    groupByCustomDetails: []
eventGroupingSettings:
  aggregationKind: AlertPerResult
suppressionDuration: 5h

Explanation

This query is designed to detect unusual sign-in activity by service principals in Microsoft Entra ID (formerly Azure Active Directory). Here's a breakdown of what it does:

  1. Purpose: The query identifies successful sign-ins by service principals from countries that have not been observed for that service principal in the preceding 14 days. This could indicate that the service principal's credentials (a client secret or certificate) have been compromised and are being used from an unexpected location.

  2. Baseline Establishment: It first builds a list of "known" countries for each service principal (identified by AppId) from successful sign-ins (ResultType == 0) whose TimeGenerated falls between ago(14d) and ago(70m), summarized to distinct AppId/Country pairs. The country is read from the countryOrRegion field of the LocationDetails dynamic column. The 70-minute cutoff keeps the sign-ins being evaluated in the current run out of their own baseline.

  3. Detection of Anomalies: It then takes successful sign-ins ingested in the last 60 minutes (filtered on ingestion_time(), not TimeGenerated, so late-arriving rows are still evaluated once) and uses join kind=leftanti to keep only rows whose AppId/Country pair is absent from the baseline. Two behaviours of this design are worth knowing when triaging: a service principal with no successful sign-ins in the baseline window (a newly created one, or one that signs in rarely) alerts on its first sign-in regardless of country, and a row whose TimeGenerated is older than 70 minutes but that was ingested in the last hour is also part of the baseline, so it never alerts. Sign-ins without location data get an empty Country value and are baselined as such.

  4. Alert Configuration: Each matching row produces its own alert (aggregationKind: AlertPerResult) with Medium severity. The alert creates an incident, and alerts whose entities all match are grouped into the same incident for 5 hours (matchingMethod: AllEntities, lookbackDuration: 5h); closed incidents are not reopened. Alert suppression is disabled, so the 5h suppressionDuration has no effect.

  5. Frequency and Period: The query runs every hour (queryFrequency: 1h) and looks back over 14 days (queryPeriod: 14d) to establish the baseline; it fires when at least one row is returned (triggerOperator: gt, triggerThreshold: 0).

  6. Tactics and Techniques: It is mapped to the "Initial Access" tactic and technique T1078.004 (Valid Accounts: Cloud Accounts), the use of legitimate cloud credentials by an adversary.

Overall, this query helps identify potential credential compromise by monitoring for sign-ins by service principals from locations outside their recent baseline.
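To make the baseline window, the ingestion-time filter and the leftanti join concrete, here is a small Python model of the rule's logic run over constructed sample rows. This is an added example, not code from the original page or its author, and it has not been run against a real workspace: the AppIds, timestamps and countries are invented, and the IngestionTime field stands in for what ingestion_time() returns in KQL. The require_history option is likewise an addition, not part of the rule, included to show one way to stop a service principal's very first sign-in from alerting.

```python
# Added example (not from the original page or its author): a Python model of the
# rule's two-step logic so the windows and the leftanti join can be exercised on
# constructed rows offline. AppIds, times and countries are made up.
import json
from datetime import datetime, timedelta, timezone

NOW = datetime(2026, 2, 5, 12, 0, tzinfo=timezone.utc)  # constructed "query run" time


def row(generated_ago, ingested_ago, result_type, app_id, country_code):
    """Build one constructed record shaped like an AADServicePrincipalSignInLogs row."""
    return {
        "TimeGenerated": NOW - generated_ago,
        "IngestionTime": NOW - ingested_ago,     # stands in for ingestion_time()
        "ResultType": result_type,
        "AppId": app_id,
        "LocationDetails": json.dumps({"countryOrRegion": country_code}),
    }


SAMPLE_LOGS = [  # constructed sample data
    row(timedelta(days=10), timedelta(days=10), 0, "app-A", "DE"),        # baseline history
    row(timedelta(days=3), timedelta(days=3), 0, "app-A", "DE"),
    row(timedelta(days=2), timedelta(days=2), 50126, "app-A", "BR"),      # failed: not in baseline
    row(timedelta(minutes=20), timedelta(minutes=15), 0, "app-A", "DE"),  # known country: no alert
    row(timedelta(minutes=10), timedelta(minutes=5), 0, "app-A", "BR"),   # new country: alert
    row(timedelta(hours=3), timedelta(minutes=5), 0, "app-A", "JP"),      # late ingestion: missed
    row(timedelta(minutes=30), timedelta(minutes=25), 0, "app-B", "US"),  # first-seen app: alert
]


def country(record):
    """Mirror of tostring(todynamic(LocationDetails).countryOrRegion)."""
    return str(json.loads(record["LocationDetails"]).get("countryOrRegion", ""))


def known_countries(records, now=NOW):
    """Baseline: successful sign-ins with TimeGenerated between ago(14d) and ago(70m),
    summarized to distinct (AppId, Country) pairs."""
    start, end = now - timedelta(days=14), now - timedelta(minutes=70)
    return {
        (r["AppId"], country(r))
        for r in records
        if r["ResultType"] == 0 and start <= r["TimeGenerated"] <= end
    }


def new_country_signins(records, now=NOW, require_history=False):
    """Detection: rows ingested in the last 60m, successful, with no matching
    (AppId, Country) pair in the baseline (the leftanti join). require_history is
    an added option, not part of the original rule: it drops AppIds that have no
    baseline at all, so a service principal's very first sign-in does not alert."""
    baseline = known_countries(records, now)
    apps_with_history = {app for app, _ in baseline}
    hits = []
    for r in records:
        if r["IngestionTime"] <= now - timedelta(minutes=60) or r["ResultType"] != 0:
            continue
        key = (r["AppId"], country(r))
        if key in baseline:
            continue
        if require_history and r["AppId"] not in apps_with_history:
            continue
        hits.append(key)
    return hits


if __name__ == "__main__":
    print("baseline:", sorted(known_countries(SAMPLE_LOGS)))
    print("alerts:", new_country_signins(SAMPLE_LOGS))
    print("alerts (history required):", new_country_signins(SAMPLE_LOGS, require_history=True))
```

Running it shows the two edge cases from the explanation: the JP sign-in with a three-hour-old TimeGenerated is ingested in the current hour but also lands in the baseline, so the leftanti join silently drops it, while app-B alerts on its first sign-in because it has no baseline at all. The require_history flag removes the second behaviour at the cost of never alerting on a brand-new service principal; which trade-off is right depends on how often new service principals appear in the tenant.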

Details

Fabian Bader

Released: February 5, 2026

Tables

AADServicePrincipalSignInLogs

Keywords

ServicePrincipalSignInLogs, LocationDetails, AppId, Country, ResultType, TimeGenerated, IngestionTime

Operators

let, where, between, ago, extend, tostring, todynamic, summarize, ingestion_time, join, kind=leftanti