What Changed

New hunting query ServicePrincipalCredentialAdditionByRareActor.yaml added to Hunting Queries/AuditLogs/ targeting persistence via credential manipulation on service principals and applications.

Detection Logic

The query builds a 90-day baseline of actors who have previously performed credential operations, then identifies new credential additions by previously unobserved actors. It monitors two specific operations:

  • Add service principal credentials
  • Update application - Certificates and secrets management

The logic correlates AuditLogs from the current window with baseline data (the 90 days prior to the query start time) using a leftanti join, so that any actor already seen performing these operations in the baseline is excluded. Entity mappings include Account (Actor, AccountName, AccountUPNSuffix) and IP address.
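The following KQL is an added illustration of the baseline-and-leftanti pattern described above; it is not the query shipped in the YAML file and may differ from it in detail. It assumes the standard Sentinel AuditLogs schema (OperationName, Result, InitiatedBy, TargetResources), a 1-day current window (the actual window is set by the hunting query's start time) and a 90-day baseline ending at the start of that window. Actors are resolved to a user principal name or, for app-initiated operations, to the service principal id.

```kusto
// Illustrative example (assumed schema and windows), not the PR's own query.
let lookback = 90d;                 // baseline depth stated in the PR description
let current_window = 1d;            // assumed current window; adjust to the hunt's start time
let credential_operations = dynamic([
    "Add service principal credentials",
    "Update application - Certificates and secrets management"
]);
// Normalise the initiating identity: interactive user UPN, or app service principal id.
let with_actor = (T:(InitiatedBy:dynamic)) {
    T
    | extend Actor = tostring(InitiatedBy.user.userPrincipalName)
    | extend Actor = iff(isempty(Actor), tostring(InitiatedBy.app.servicePrincipalId), Actor)
    | where isnotempty(Actor)
};
// Baseline: every actor that successfully performed a credential operation in the prior 90 days.
let baseline_actors = AuditLogs
    | where TimeGenerated between (ago(lookback + current_window) .. ago(current_window))
    | where OperationName in (credential_operations)
    | where Result =~ "success"
    | invoke with_actor()
    | distinct Actor;
// Current window: same operations, keeping only actors absent from the baseline.
AuditLogs
| where TimeGenerated > ago(current_window)
| where OperationName in (credential_operations)
| where Result =~ "success"
| invoke with_actor()
| join kind=leftanti baseline_actors on Actor
| extend IpAddress = tostring(InitiatedBy.user.ipAddress)
| extend TargetName = tostring(TargetResources[0].displayName),
         TargetId = tostring(TargetResources[0].id),
         TargetType = tostring(TargetResources[0].type)
// Split the UPN for the Account entity mapping (AccountName / AccountUPNSuffix).
| extend AccountName = tostring(split(Actor, "@")[0]),
         AccountUPNSuffix = tostring(split(Actor, "@")[1])
| project TimeGenerated, Actor, AccountName, AccountUPNSuffix, IpAddress,
          OperationName, TargetName, TargetId, TargetType, CorrelationId
| order by TimeGenerated desc
```

Filtering the baseline on successful operations only is a deliberate choice: a failed attempt in the baseline should not whitelist an actor for later successful credential additions. Conversely, when reviewing hits, an actor whose first successful credential addition follows a burst of failures in the same window deserves closer attention than a single clean success.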

MITRE Mapping

  • T1098.001 — Account Manipulation: Additional Cloud Credentials

Security Impact

This fills a coverage gap for persistence detection using AuditLogs alone — no Microsoft Defender XDR required. Unlike existing generic rare-audit queries, this specifically targets high-risk credential operations that could enable backdoor access. It provides a focused alternative to broad dormant service principal queries by emphasizing the actor baseline approach. Analysts must validate results, since benign matches include newly onboarded administrators, first-time IaC pipelines, and certificate rotation performed by a different operator than usual.

Affected Files

Hunting Queries/AuditLogs/ServicePrincipalCredentialAdditionByRareActor.yaml