Azure Service Principal Additionedit

Identifies when a new service principal is added in Azure. An application, hosted service, or automated tool that accesses or modifies resources needs an identity created. This identity is known as a service principal. For security reasons, it’s always recommended to use service principals with automated tools rather than allowing them to log in with a user identity.

Rule type: query

Rule indices:

  • filebeat-*
  • logs-azure*

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-25m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Elastic
  • Cloud
  • Azure
  • Continuous Monitoring
  • SecOps
  • Identity and Access

Version: 2 (version history)

Added (Elastic Stack release): 7.11.0

Last modified (Elastic Stack release): 7.11.2

Rule authors: Elastic

Rule license: Elastic License

Potential false positivesedit

A service principal may be created by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Service principal additions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.

Investigation guideedit

The Azure Fleet Integration or Filebeat module must be enabled to use this rule.

Rule queryedit

event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Add
service principal" and event.outcome:(success or Success)

Threat mappingedit

Framework: MITRE ATT&CKTM

Rule version historyedit

Version 2 (7.11.2 release)
  • Formatting only