« Entra ID Service Principal Federated Credential Authentication by Unusual Client Entra ID Sharepoint or OneDrive Accessed by Unusual Client »
Elastic Docs Elastic Security [8.19] Detections and alerts Prebuilt rule reference

Entra ID Service Principal with Unusual Source ASN

edit
IMPORTANT: This documentation is no longer updated. Refer to Elastic's version policy and the latest documentation.

Entra ID Service Principal with Unusual Source ASN

edit

Identifies Entra ID service principal sign-ins where the workload identity and source autonomous system number (ASN) together have not appeared in recent history. Attackers who obtain application secrets or tokens often authenticate from unfamiliar hosting providers, residential or VPN egress, or networks outside normal automation footprints, which can precede data access, lateral movement, or ransomware activity in the tenant. The detection emphasizes first-seen network context for non-interactive workload identities.

Rule type: new_terms

Rule indices:

  • filebeat-*
  • logs-azure.signinlogs-*

Severity: medium

Risk score: 47

Runs every: 1h

Searches indices from: now-65m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Domain: Cloud
  • Domain: Identity
  • Data Source: Azure
  • Data Source: Microsoft Entra ID
  • Data Source: Microsoft Entra ID Sign-In Logs
  • Use Case: Identity and Access Audit
  • Use Case: Threat Detection
  • Tactic: Initial Access
  • Resources: Investigation Guide

Version: 2

Rule authors:

  • Elastic

Rule license: Elastic License v2

Investigation guide

edit

Triage and analysis

Investigating Entra ID Service Principal with Unusual Source ASN

This rule matches successful ServicePrincipalSignInLogs events where azure.signinlogs.properties.service_principal_id and source.as.number together have not appeared in the rule history window. It is a first-seen network path signal for the workload identity, not proof of compromise by itself.

Possible investigation steps

  • Confirm the event is ServicePrincipalSignInLogs with a successful outcome and review azure.signinlogs.properties.status.error_code on the source document if needed.
  • Identify the application using azure.signinlogs.properties.app_display_name, azure.signinlogs.properties.app_id, and azure.signinlogs.properties.service_principal_id. In Entra ID, review the enterprise application or app registration (first-party, partner, or internal automation).
  • Review source.ip, source.as.organization.name, source.as.number, and source.geo.* against the owning team’s expected regions, cloud subscriptions, and CI/CD or automation footprint.
  • Compare @timestamp to maintenance windows, releases, and planned infrastructure changes.
  • Where possible, enrich source.ip with internal CMDB, cloud asset inventory, or threat intelligence (residential or low-reputation ASNs warrant more scrutiny than a known cloud provider already used by this app).
  • In Entra sign-in logs, pivot on the same service_principal_id or app_id and review prior successful sign-ins for typical ASNs and egress patterns; a one-off path may be a new pipeline or stolen credentials used from a new host.
  • Review Entra audit logs for recent changes to this application: client secrets, certificates, federated credentials, owners, API permissions, or app role assignments, especially shortly before the alert.
  • Query Azure Activity, Microsoft Graph, or workload-specific logs after the sign-in time using azure.signinlogs.properties.correlation_id or session_id when present to see what resources the identity accessed (subscriptions, Key Vault, mail, privileged roles).
  • Search for related alerts in the same time window involving the same app_id or source.ip (for example OAuth abuse, consent, Arc or Kubernetes access, or directory role changes).
  • Note that the rule query excludes Microsoft-labeled source.as.organization.name values; high-value investigations should also review raw sign-in data for suspicious activity that only appears under those labels.

False positive analysis

  • New regions, subscriptions, GitHub Actions or Azure DevOps pools, DR exercises, or vendor migrations can produce a legitimate first-seen ASN for the service principal. Validate with the owner and document expected paths before excluding.
  • Amazon- and Google-labeled ASNs are in scope by design; adversaries may egress through AWS or GCP. Expect more noise from legitimate automation in those clouds and prefer allowlisting reviewed app_id or automation accounts over disabling the rule.
  • GeoIP or ASN enrichment updates can occasionally produce a one-time new tuple; compare to historical events for the same IP if available.

Response and remediation

  • If the path is unexpected and risky audit activity preceded the sign-in, treat as a potential credential incident: rotate application secrets and certificates, revoke sessions or tokens as applicable, and review Conditional Access and workload identity policies for the application.
  • Review and reduce API permissions, OAuth scopes, and directory or subscription roles granted to the application; remove unused access.
  • Document approved automation and network baselines so repeat first-seen ASN alerts can be triaged faster.

Rule query

edit
event.dataset:azure.signinlogs
    and azure.signinlogs.category:ServicePrincipalSignInLogs
    and azure.signinlogs.properties.status.error_code:0
    and azure.signinlogs.properties.service_principal_id:*
    and source.as.number:*
    and not source.as.organization.name:(*MICROSOFT* or *Microsoft*)
    and not azure.signinlogs.properties.app_owner_tenant_id:(72f988bf-86f1-41af-91ab-2d7cd011db47 or f8cdef31-a31e-4b4a-93e4-5f571e91255a)

Framework: MITRE ATT&CKTM

« Entra ID Service Principal Federated Credential Authentication by Unusual Client Entra ID Sharepoint or OneDrive Accessed by Unusual Client »