Azure Service Principal Removed
Identifies when a service principal was removed in Azure.
Sigma rule (View on GitHub)
1title: Azure Service Principal Removed
2id: 448fd1ea-2116-4c62-9cde-a92d120e0f08
3status: test
4description: Identifies when a service principal was removed in Azure.
5references:
6 - https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities#core-directory
7 - https://techcommunity.microsoft.com/blog/microsoft-entra-blog/keeping-track-of-object-deletions-in-microsoft-entra-id/4053415
8author: Austin Songer @austinsonger
9date: 2021-09-03
10modified: 2026-04-30
11tags:
12 - attack.stealth
13logsource:
14 product: azure
15 service: auditlogs
16detection:
17 selection:
18 operationName: 'Remove service principal'
19 condition: selection
20falsepositives:
21 - Service principal being removed may be performed by a system administrator.
22 - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
23 - Service principal removed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
24level: medium
References
Related rules
- Azure Owner Removed From Application or Service Principal
- Azure Service Principal Created
- User Added to an Administrator's Azure AD Role
- Potential WinAPI Calls Via PowerShell Scripts
- Legitimate Application Dropped Executable