AZT502.2 - Account Creation: Service Principal Creation

An adversary may create an application and service principal in Azure Active Directory.

Resource

Azure Active Directory

Actions

  • microsoft.directory/servicePrincipals/create
  • microsoft.directory/applications/create

Examples

Detections

Logs

Data Source | Operation Name | Action | Log Provider
--- | --- | --- | ---
Azure Active Directory | Add service principal | microsoft.directory/servicePrincipals/create | AuditLogs
Azure Active Directory | Add application | microsoft.directory/applications/create | AuditLogs
Azure Active Directory | Add owner to application | microsoft.directory/servicePrincipals/owners/update | AuditLogs

Queries

Platform: Log Analytics
Query: AuditLogs | where OperationName == 'Add service principal'
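
An added example, not part of the original page: a Log Analytics query that goes beyond the single operation above to cover all three operation names in the Logs table, grouped per initiating identity so that application creation, service principal creation and owner changes by the same actor show up together. The 1-day lookback and 1-hour bin are assumed values to tune per tenant.

```kusto
// Added example: watches every operation name listed in the Logs table.
// lookback and the 1h bin are assumed values, not taken from the page.
let lookback = 1d;
let watched = dynamic(['Add service principal',
                       'Add application',
                       'Add owner to application']);
AuditLogs
| where TimeGenerated > ago(lookback)
| where OperationName in (watched)
| where Result =~ 'success'
// InitiatedBy carries either a user or an app, depending on the caller.
| extend Actor = coalesce(tostring(InitiatedBy.user.userPrincipalName),
                          tostring(InitiatedBy.app.displayName))
| extend ActorIp = tostring(InitiatedBy.user.ipAddress)
// First target resource is the object that was created or modified.
| extend TargetName = tostring(TargetResources[0].displayName)
| summarize Operations = make_set(OperationName),
            Targets    = make_set(TargetName),
            Events     = count(),
            FirstSeen  = min(TimeGenerated),
            LastSeen   = max(TimeGenerated)
    by Actor, ActorIp, bin(TimeGenerated, 1h)
// Surface actors that performed more than one of the watched operations first.
| extend DistinctOperations = array_length(Operations)
| sort by DistinctOperations desc, LastSeen desc
```

Rows where DistinctOperations is 2 or 3 deserve review first, especially when the Actor is not an identity that normally registers applications.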

Azure Monitor Alert

Deploy to Azure