Identifies when new service principal credentials have been added in Azure. In most organizations, credentials will be added to service principals infrequently. Hijacking an application (by adding a rogue secret or certificate) with granted permissions will allow the attacker to access data that is normally protected by MFA requirements.
Rule type: query
Risk score: 47
Runs every: 10m
Maximum alerts per execution: 100
Tags:
- Continuous Monitoring
- Identity and Access
Rule authors:
- Austin Songer
Rule license: Elastic License v2
## Config

The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.

## Rule query

```
event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Add service principal credentials" and event.outcome:(success or Success)
```
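The rule's three clauses applied offline to constructed sample documents, as an added Python example that is not part of the rule or of Elastic's code; it assumes ECS-style documents that may arrive either nested or with dotted keys, and the `user.name` value is a constructed placeholder.

```python
"""Re-implement the 'Add service principal credentials' rule query in Python
so the match logic can be exercised against sample documents.  Added example,
not Elastic's code.  Only the three fields from the query are used for matching;
user.name is an ECS field carried along for triage and its value is constructed."""
import json
from typing import Any


def get_field(doc: dict, path: str) -> Any:
    """Resolve a dotted ECS path such as 'event.outcome' against a document.
    Supports both dotted top-level keys and nested objects."""
    if path in doc:
        return doc[path]
    cur: Any = doc
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def matches_rule(doc: dict) -> bool:
    """Mirror the KQL: dataset, operation name and outcome must all match.
    The query lists both 'success' and 'Success' because KQL term matching on a
    keyword field is case-sensitive, so the same exact comparison is done here."""
    return (
        get_field(doc, "event.dataset") == "azure.auditlogs"
        and get_field(doc, "azure.auditlogs.operation_name")
        == "Add service principal credentials"
        and get_field(doc, "event.outcome") in ("success", "Success")
    )


def run_rule(docs: list) -> list:
    """Return the documents that would raise an alert."""
    return [d for d in docs if matches_rule(d)]


# Constructed sample documents (not real Azure audit data).
SAMPLE_DOCS = [
    {"event": {"dataset": "azure.auditlogs", "outcome": "Success"},
     "azure": {"auditlogs": {"operation_name": "Add service principal credentials"}},
     "user": {"name": "admin@example.onmicrosoft.com"}},            # fires
    {"event.dataset": "azure.auditlogs", "event.outcome": "success",
     "azure.auditlogs.operation_name": "Add service principal credentials"},  # fires
    {"event": {"dataset": "azure.auditlogs", "outcome": "failure"},
     "azure": {"auditlogs": {"operation_name": "Add service principal credentials"}}},  # failed attempt
    {"event": {"dataset": "azure.auditlogs", "outcome": "Success"},
     "azure": {"auditlogs": {"operation_name": "Remove service principal credentials"}}},  # other op
    {"event": {"dataset": "azure.signinlogs", "outcome": "Success"},
     "azure": {"auditlogs": {"operation_name": "Add service principal credentials"}}},  # wrong dataset
]

if __name__ == "__main__":
    for hit in run_rule(SAMPLE_DOCS):
        print(json.dumps(hit))
```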
Framework: MITRE ATT&CK™