
Summary
This detection rule identifies authentication events of service principals in Azure Active Directory (Azure AD). Leveraging the `azure_monitor_aad` data source, it specifically targets the "Sign-in activity" category within ServicePrincipalSignInLogs. The rule captures crucial details such as sign-in frequency, timing, originating IP addresses, and the resources accessed by each service principal. This monitoring is pivotal for Security Operations Center (SOC) teams because it helps differentiate regular application authentication from anomalous patterns that may suggest compromised credentials or malicious intent. A compromised service principal could allow unauthorized access to resources, potentially leading to significant data breaches or broader exploitation within the environment. The detection implementation requires ingestion of Azure AD events into Splunk and uses specific search queries to consolidate sign-in logs for analysis.
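As an added illustration (not the rule's own Splunk search), the following Python consolidates constructed ServicePrincipalSignInLogs events per service principal the way the detection does (count, first/last seen, source IPs, resources) and then flags sign-ins from IPs outside a known baseline. The event field names (category, time, properties.*) and the baseline are assumptions modelled on the Azure Monitor AAD sign-in log shape.

```python
# Added example, not part of the detection content: consolidate constructed
# ServicePrincipalSignInLogs events per principal and flag unexpected source IPs.
import json
from collections import defaultdict
from datetime import datetime
# Constructed sample events. Field names (category, time, properties.*) follow
# the Azure Monitor AAD sign-in log shape as an assumption, not a captured log.
SAMPLE_LOG = """
{"category":"ServicePrincipalSignInLogs","time":"2024-11-14T08:00:00Z","properties":{"servicePrincipalName":"billing-app","ipAddress":"203.0.113.10","resourceDisplayName":"Microsoft Graph"}}
{"category":"ServicePrincipalSignInLogs","time":"2024-11-14T08:05:00Z","properties":{"servicePrincipalName":"billing-app","ipAddress":"203.0.113.10","resourceDisplayName":"Azure Key Vault"}}
{"category":"ServicePrincipalSignInLogs","time":"2024-11-14T09:30:00Z","properties":{"servicePrincipalName":"billing-app","ipAddress":"198.51.100.7","resourceDisplayName":"Azure Key Vault"}}
{"category":"ServicePrincipalSignInLogs","time":"2024-11-14T08:10:00Z","properties":{"servicePrincipalName":"ci-runner","ipAddress":"192.0.2.25","resourceDisplayName":"Azure Resource Manager"}}
{"category":"SignInLogs","time":"2024-11-14T08:11:00Z","properties":{"userPrincipalName":"alice@example.test","ipAddress":"192.0.2.25"}}
"""

def parse_events(raw):
    """Parse newline-delimited JSON and keep only service principal sign-ins."""
    events = [json.loads(line) for line in raw.strip().splitlines() if line.strip()]
    return [e for e in events if e.get("category") == "ServicePrincipalSignInLogs"]

def summarize(events):
    """Consolidate per principal: sign-in count, first/last seen, IPs, resources."""
    summary = defaultdict(lambda: {"count": 0, "first_seen": None, "last_seen": None,
                                   "ips": set(), "resources": set()})
    for e in events:
        p = e["properties"]
        ts = datetime.fromisoformat(e["time"].replace("Z", "+00:00"))
        s = summary[p["servicePrincipalName"]]
        s["count"] += 1
        s["first_seen"] = ts if s["first_seen"] is None else min(s["first_seen"], ts)
        s["last_seen"] = ts if s["last_seen"] is None else max(s["last_seen"], ts)
        s["ips"].add(p["ipAddress"])
        s["resources"].add(p["resourceDisplayName"])
    return dict(summary)

def find_unexpected_ips(summary, baseline):
    """Return (principal, ip) pairs where the IP is outside the principal's baseline."""
    hits = []
    for name, s in sorted(summary.items()):
        for ip in sorted(s["ips"] - baseline.get(name, set())):
            hits.append((name, ip))
    return hits

# Constructed baseline of known-good egress IPs per service principal.
BASELINE = {"billing-app": {"203.0.113.10"}, "ci-runner": {"192.0.2.25"}}

if __name__ == "__main__":
    for name, ip in find_unexpected_ips(summarize(parse_events(SAMPLE_LOG)), BASELINE):
        print(f"review: {name} signed in from unexpected IP {ip}")
```

In practice the baseline would be built from a longer look-back window of the same logs rather than hard-coded.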
Categories
- Cloud
- Identity Management
Data Sources
- User Account
- Cloud Service
ATT&CK Techniques
- T1078
- T1078.004
Created: 2024-11-14