Azure AD Service Principal Authentication
Description
Monitoring service principal authentication events in Azure Active Directory is crucial, but to effectively leverage this detection, teams should first conduct a thorough inventory of all service principals and their source IPs to establish a baseline of normal behavior. The detection, using azure_monitor_aad, specifically targets "Sign-in activity" within ServicePrincipalSignInLogs, gathering key details like sign-in frequency, timing, source IPs, and accessed resources. This baseline is essential for SOC teams to distinguish between regular application authentication and anomalous patterns that might suggest compromised credentials or malicious activities.
- Type: TTP
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Last Updated: 2024-02-12
- Author: Mauricio Velazco, Splunk
- ID: 5a2ec401-60bb-474e-b936-1e66e7aa4060
Annotations
ATT&CK
Kill Chain Phase
- Exploitation
- Installation
- Delivery
NIST
- DE.CM
CIS20
- CIS 10
CVE
Search
`azure_monitor_aad` operationName="Sign-in activity" category=ServicePrincipalSignInLogs
| rename properties.* as *
| stats count earliest(_time) as firstTime latest(_time) as lastTime by user, user_id, src_ip, resourceDisplayName, resourceId
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `azure_ad_service_principal_authentication_filter`
Macros
The SPL above uses the following Macros:
azure_ad_service_principal_authentication_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Required fields
List of fields required to use this analytic.
- _time
- operationName
- category
- properties.resourceDisplayName
- properties.resourceId
- user
- src_ip
- user_id
How To Implement
You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the SignInLogs log category.
Known False Positives
Service Principals will legitimately authenticate remotely to your tenant. Establish a baseline of service principals and their source IPs before implementing this detection; doing so enables more accurate identification of security threats and proactive, informed responses to safeguard the Azure AD environment.
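As an added example that is not part of the Splunk content (and not the search's own logic), the Python below reproduces the stats aggregation over a few constructed ServicePrincipalSignInLogs events and then applies a (user_id, src_ip) baseline of the kind the description asks teams to build, which is the job the empty filter macro leaves to the user. The event shape, the baseline set and every name, id and IP are assumptions.

```python
from datetime import datetime

# Constructed sample events shaped like the fields the search keys on
# (user, user_id, src_ip, properties.resourceDisplayName, properties.resourceId).
# All names, ids and IPs are made-up placeholders, not real tenant data.
def ev(t, user, user_id, src_ip, res_name, res_id, category="ServicePrincipalSignInLogs"):
    return {"_time": t, "operationName": "Sign-in activity", "category": category,
            "user": user, "user_id": user_id, "src_ip": src_ip,
            "properties": {"resourceDisplayName": res_name, "resourceId": res_id}}

EVENTS = [
    ev("2024-02-10T08:00:00Z", "backup-app", "sp-0001", "203.0.113.10", "Microsoft Graph", "res-graph"),
    ev("2024-02-10T09:30:00Z", "backup-app", "sp-0001", "203.0.113.10", "Microsoft Graph", "res-graph"),
    ev("2024-02-11T02:15:00Z", "backup-app", "sp-0001", "198.51.100.77", "Microsoft Graph", "res-graph"),
    ev("2024-02-11T03:00:00Z", "ci-runner", "sp-0002", "192.0.2.5", "Azure Key Vault", "res-kv"),
    ev("2024-02-11T03:05:00Z", "alice", "u-0009", "192.0.2.5", "Microsoft Graph", "res-graph", category="SignInLogs"),
]

# Assumed baseline of (user_id, src_ip) pairs gathered during the inventory phase.
BASELINE = {("sp-0001", "203.0.113.10"), ("sp-0002", "192.0.2.5")}

def aggregate(events):
    """Mirror the SPL stats: count, firstTime, lastTime by the five grouping fields."""
    groups = {}
    for e in events:
        # The search's operationName/category filter drops interactive user sign-ins.
        if e["operationName"] != "Sign-in activity" or e["category"] != "ServicePrincipalSignInLogs":
            continue
        p = e["properties"]
        key = (e["user"], e["user_id"], e["src_ip"], p["resourceDisplayName"], p["resourceId"])
        t = datetime.fromisoformat(e["_time"].replace("Z", "+00:00"))
        g = groups.setdefault(key, {"count": 0, "firstTime": t, "lastTime": t})
        g["count"] += 1
        g["firstTime"] = min(g["firstTime"], t)
        g["lastTime"] = max(g["lastTime"], t)
    return groups

def apply_baseline(groups, baseline):
    """Drop rows whose (user_id, src_ip) pair is already known from the baseline."""
    return {k: v for k, v in groups.items() if (k[1], k[2]) not in baseline}

def risk_score(impact=50, confidence=50):
    """Risk Score = Impact * Confidence / 100, as the RBA section states."""
    return impact * confidence / 100

def alerts(events, baseline):
    """Return the RBA messages the detection would raise for unbaselined sign-ins."""
    return [f"Service Principal {k[0]} authenticated from {k[2]}"
            for k in apply_baseline(aggregate(events), baseline)]
```

Only the sign-in from the never-seen source IP survives the baseline; the two rows matching known pairs and the interactive user sign-in are dropped.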
Associated Analytic Story
RBA
Risk Score | Impact | Confidence | Message |
---|---|---|---|
25.0 | 50 | 50 | Service Principal $user$ authenticated from $src_ip$ |
The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). The initial Confidence and Impact are set by the analytic author.
Reference
- https://attack.mitre.org/techniques/T1078/004/
- https://learn.microsoft.com/en-us/entra/identity/monitoring-health/concept-sign-ins#service-principal-sign-ins
Test Dataset
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range.
source | version: 1