Adversaries may add credentials to an application or service principal from Country X and then use those credentials to sign in from Country Y, which can indicate credential theft or a multi-factor authentication bypass. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential lateral movement or persistent access attempts.
KQL Query

```kql
let timewindow = 1d;
let addedApps = (
    CloudAppEvents
    | where Application == "Office 365"
    | where ActionType in ("Add service principal credentials.", "Update application - Certificates and secrets management ")
    | project AddedTimestamp = Timestamp, AppName = tostring(RawEventData.Target[3].ID), CountryCode
);
EntraIdSpnSignInEvents
| join kind=inner addedApps on $left.ServicePrincipalName == $right.AppName
// Sign-in from a different country than the credential was added from, within the window after the addition
| where CountryCode != Country and Timestamp > AddedTimestamp and Timestamp <= AddedTimestamp + timewindow
```

Hunting query definition:

```yaml
id: 9644e2ae-07a2-4086-a85a-6ee2bca45f4e
name: AddedCredentialFromCountryXAndSigninFromCountryY
description: |
  Added credential from country X and sign-in from country Y in a specific time window:
  This query finds all applications that had credentials added from country X while the application's identity signed in from country Y within a specific time window.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - CloudAppEvents
      - EntraIdSpnSignInEvents
tactics:
  - Persistence
query: |
  let timewindow = 1d;
  let addedApps = (
      CloudAppEvents
      | where Application == "Office 365"
      | where ActionType in ("Add service principal credentials.", "Update application - Certificates and secrets management ")
      | project AddedTimestamp = Timestamp, AppName = tostring(RawEventData.Target[3].ID), CountryCode
  );
  EntraIdSpnSignInEvents
  | join kind=inner addedApps on $left.ServicePrincipalName == $right.AppName
  | where CountryCode != Country and Timestamp > AddedTimestamp and Timestamp <= AddedTimestamp + timewindow
```
| Sentinel Table | Notes |
|---|---|
| CloudAppEvents | Ensure this data connector is enabled |
| EntraIdSpnSignInEvents | Ensure this data connector is enabled; the query joins against this table |
Benign scenarios that can trigger this query, with suggested filters or exclusions to reduce false positives:

- Scenario: A system administrator adds a new service account credential from Country X to manage a scheduled job in Country Y.
  - Filter/Exclusion: Exclude service accounts or credentials associated with scheduled jobs (e.g., Task Scheduler, cron jobs, or SQL Server Agent jobs).
- Scenario: A developer uses a remote desktop tool (e.g., Microsoft Remote Desktop, TeamViewer) to add a credential from Country X to a development server located in Country Y.
  - Filter/Exclusion: Exclude credentials added via remote desktop tools or from known development environments (e.g., dev, test, or staging environments).
- Scenario: A security team member adds a new credential from Country X to a monitoring tool (e.g., Splunk, ELK Stack) for logging purposes, and later signs in from Country Y to review logs.
  - Filter/Exclusion: Exclude credentials added by security teams or used by monitoring tools (e.g., Splunk, Logstash, Kibana).
- Scenario: A backup job runs from a cloud provider in Country X, which adds a credential to a backup application, and the backup process authenticates from Country Y.
  - Filter/Exclusion: Exclude credentials used by backup systems (e.g., Veeam, Commvault, AWS Backup) or jobs with known backup schedules.
- Scenario: An IT support technician adds a credential from Country X to a helpdesk tool (e.g., ServiceNow, Zendesk) and later signs in from Country Y to access support tickets.
  - Filter/Exclusion: Exclude credentials used by helpdesk or support tools (e.g., ServiceNow, Zendesk, Freshdesk) or users with IT support roles.
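To make the correlation logic of the query and the exclusion approach above concrete, here is an added Python example (not part of the original hunting query) that runs the same join, country mismatch and time-window checks over constructed sample rows; the `allowlist` parameter is a hypothetical stand-in for the scenario-based exclusions, and the sample events are not real telemetry.

```python
from datetime import datetime, timedelta

TIME_WINDOW = timedelta(days=1)  # the query's "let timewindow = 1d"

# Credential-management actions the query matches in CloudAppEvents
CREDENTIAL_ACTIONS = {
    "Add service principal credentials.",
    "Update application - Certificates and secrets management ",
}

# Constructed sample rows (not real telemetry), keeping only the columns the query uses
CREDENTIAL_ADDS = [
    {"Timestamp": datetime(2024, 5, 1, 9), "ActionType": "Add service principal credentials.",
     "AppName": "backup-spn", "CountryCode": "US"},
    {"Timestamp": datetime(2024, 5, 1, 10), "ActionType": "Update application - Certificates and secrets management ",
     "AppName": "finance-app", "CountryCode": "DE"},
    {"Timestamp": datetime(2024, 5, 1, 11), "ActionType": "Add service principal.",  # not a credential change
     "AppName": "hr-app", "CountryCode": "US"},
]
SPN_SIGNINS = [
    {"Timestamp": datetime(2024, 5, 1, 12), "ServicePrincipalName": "backup-spn", "Country": "US"},   # same country
    {"Timestamp": datetime(2024, 5, 1, 13), "ServicePrincipalName": "finance-app", "Country": "BR"},  # suspicious
    {"Timestamp": datetime(2024, 4, 30, 8), "ServicePrincipalName": "finance-app", "Country": "BR"},  # before the add
    {"Timestamp": datetime(2024, 5, 3, 8), "ServicePrincipalName": "finance-app", "Country": "BR"},   # outside window
    {"Timestamp": datetime(2024, 5, 1, 12), "ServicePrincipalName": "hr-app", "Country": "FR"},       # no credential add
]


def correlate(adds, signins, allowlist=frozenset(), window=TIME_WINDOW):
    """Return sign-ins from a country other than the one the credential was added from,
    occurring within `window` after the addition. `allowlist` (hypothetical) names
    known-benign service principals, e.g. backup or helpdesk identities, to exclude."""
    added = [a for a in adds
             if a["ActionType"] in CREDENTIAL_ACTIONS and a["AppName"] not in allowlist]
    hits = []
    for s in signins:
        for a in added:
            if a["AppName"] != s["ServicePrincipalName"]:
                continue  # the join key: service principal name == added app name
            if a["CountryCode"] == s["Country"]:
                continue  # same country as the credential addition: expected
            # Require the sign-in inside (add, add + window]; a one-sided upper-bound
            # check alone would also match sign-ins from before the credential existed.
            if not (a["Timestamp"] < s["Timestamp"] <= a["Timestamp"] + window):
                continue
            hits.append({"AppName": a["AppName"], "AddedFrom": a["CountryCode"],
                         "SignInFrom": s["Country"], "SignInTime": s["Timestamp"]})
    return hits


if __name__ == "__main__":
    for hit in correlate(CREDENTIAL_ADDS, SPN_SIGNINS):
        print(hit)
```

Only the finance-app sign-in from BR within a day of the DE credential addition is reported; passing that app in `allowlist` suppresses it, which is how the scenario exclusions would be applied.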