Azure Service Principal Created
Identifies when a service principal is created in Azure.
Sigma rule (View on GitHub)
1title: Azure Service Principal Created
2id: 0ddcff6d-d262-40b0-804b-80eb592de8e3
3status: test
4description: Identifies when a service principal is created in Azure.
5references:
6 - https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities#core-directory
7 - https://analyticsrules.exchange/analyticrules/79566f41-df67-4e10-a703-c38a6213afd8/
8author: Austin Songer @austinsonger
9date: 2021-09-02
10modified: 2026-04-30
11tags:
12 - attack.stealth
13logsource:
14 product: azure
15 service: auditlogs
16detection:
17 selection:
18 operationName: 'Add service principal'
19 condition: selection
20falsepositives:
21 - Service principal being created may be performed by a system administrator.
22 - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
23 - Service principal created from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
24level: medium
References
Related rules
- Azure Owner Removed From Application or Service Principal
- Azure Service Principal Removed
- User Added to an Administrator's Azure AD Role
- Potential WinAPI Calls Via PowerShell Scripts
- Legitimate Application Dropped Executable