New Service Principals executing queries may indicate the creation of adversary accounts to exfiltrate data or establish persistence. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential unauthorized access or data compromise early.
KQL Query
// Hunting window supplied by Sentinel, plus a baseline of 7x that window length
let starttime = todatetime('{{StartTimeISO}}');
let endtime = todatetime('{{EndTimeISO}}');
let lookback = totimespan((endtime-starttime)*7);
// Baseline: service principals (no "@" in AADEmail) that successfully ran
// queries before the hunting window, excluding the portal's own AppAnalytics calls
LAQueryLogs
| where TimeGenerated between (ago(lookback)..starttime)
| where ResponseCode == 200 and RequestClientApp != "AppAnalytics" and AADEmail !contains "@"
| distinct AADClientId
// rightanti keeps only rows from the hunting window whose AADClientId is absent from the baseline
| join kind=rightanti(
    LAQueryLogs
    | where TimeGenerated between(starttime..endtime)
    | where ResponseCode == 200 and RequestClientApp != "AppAnalytics" and AADEmail !contains "@"
)
on AADClientId
| extend timestamp = TimeGenerated, AccountCustomEntity = AADEmail
id: 98e4df23-7bd2-480d-814a-a03f77efc670
name: New ServicePrincipal running queries
description: |
  'This hunting query looks for new Service Principals running queries that have not previously been seen running queries.'
requiredDataConnectors:
  - connectorId: AzureMonitor(Query Audit)
    dataTypes:
      - LAQueryLogs
tactics:
  - Collection
  - Exfiltration
relevantTechniques:
  - T1530
  - T1213
  - T1020
query: |
  let starttime = todatetime('{{StartTimeISO}}');
  let endtime = todatetime('{{EndTimeISO}}');
  let lookback = totimespan((endtime-starttime)*7);
  LAQueryLogs
  | where TimeGenerated between (ago(lookback)..starttime)
  | where ResponseCode == 200 and RequestClientApp != "AppAnalytics" and AADEmail !contains "@"
  | distinct AADClientId
  | join kind=rightanti(
  LAQueryLogs
  | where TimeGenerated between(starttime..endtime)
  | where ResponseCode == 200 and RequestClientApp != "AppAnalytics" and AADEmail !contains "@"
  )
  on AADClientId
  | extend timestamp = TimeGenerated, AccountCustomEntity = AADEmail
version: 1.0.0
metadata:
  source:
    kind: Community
  author:
    name: Pete Bryan
  support:
    tier: Microsoft
  categories:
    domains: [ "Security - Threat Protection" ]
Scenario: A system administrator is creating a new Service Principal to manage a database backup tool (e.g., sqlbackup.exe) using Azure Active Directory.
Filter/Exclusion: Exclude Service Principals associated with known backup tools or administrative tasks (e.g., backup, restore, sqlbackup).
Scenario: A scheduled job runs a PowerShell script to generate reports using a new Service Principal (e.g., reporting-service-principal).
Filter/Exclusion: Exclude Service Principals used for reporting or scheduled tasks (e.g., reporting, scheduler, PowerShell).
Scenario: An IT team deploys a new monitoring tool (e.g., Datadog, New Relic) that requires a Service Principal to run queries against Azure resources.
Filter/Exclusion: Exclude Service Principals associated with monitoring or observability tools (e.g., datadog, newrelic, monitoring).
Scenario: A developer provisions a Service Principal for local development purposes to test a new application that interacts with Azure APIs.
Filter/Exclusion: Exclude Service Principals created within a specific development environment or project (e.g., dev-, test-, local-).
Scenario: A security tool (e.g., Microsoft Defender for Cloud, Azure Sentinel) is configured to run queries using a new Service Principal for threat detection.
Filter/Exclusion: Exclude Service Principals used by security tools or SIEM platforms (e.g., defender, sentinel, security).
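The hunting query above compares the hunting window against a baseline, and the scenarios above describe tuning out expected service principals. The following is an added example, not part of the original hunting query or its author's content: it keeps the same baseline logic but excludes known principals by AADClientId (a datatable of placeholder IDs and labels, to be replaced with the real approved client IDs), since LAQueryLogs carries the client ID rather than a display name, and it summarizes each new principal's first query, query count and targets so an analyst can triage the hit.

```kql
// Added tuned variant of the hunting query (not the original query).
let starttime = todatetime('{{StartTimeISO}}');
let endtime = todatetime('{{EndTimeISO}}');
let lookback = totimespan((endtime-starttime)*7);
// Placeholder client IDs: replace with the AADClientId of each approved
// service principal from the scenarios (backup, reporting, monitoring, dev, security).
let KnownServicePrincipals = datatable(AADClientId:string, Purpose:string)[
    "00000000-0000-0000-0000-000000000001", "backup",
    "00000000-0000-0000-0000-000000000002", "reporting",
    "00000000-0000-0000-0000-000000000003", "monitoring",
    "00000000-0000-0000-0000-000000000004", "security"
];
// Successful queries by non-user identities (no "@" in AADEmail), portal calls excluded
let SPQueries = LAQueryLogs
    | where ResponseCode == 200 and RequestClientApp != "AppAnalytics" and AADEmail !contains "@";
SPQueries
| where TimeGenerated between (ago(lookback)..starttime)
| distinct AADClientId
// Keep only hunting-window rows whose client ID never appeared in the baseline
| join kind=rightanti (
    SPQueries
    | where TimeGenerated between (starttime..endtime)
) on AADClientId
// Drop principals that are documented as expected
| join kind=leftanti KnownServicePrincipals on AADClientId
// One row per new principal with triage context
| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated),
            QueryCount = count(), Targets = make_set(RequestTarget, 10)
    by AADClientId, RequestClientApp
| extend timestamp = FirstSeen, AccountCustomEntity = AADClientId
```

Review the Targets and QueryCount columns for a new principal before adding it to KnownServicePrincipals; a principal that only reads a handful of expected tables looks different from one sweeping many tables in the first hour it exists.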