What Changed
Three new hunting queries targeting Entra ID attack chain correlation patterns where the security signal emerges from sequencing two events rather than individual events.
Detection Logic
FreshRoleGrantedActorSpCredentialAdded: Joins AuditLogs to correlate privileged role grants (Application Administrator, Cloud Application Administrator, Global Administrator, Privileged Role Administrator) with service principal credential additions within 24 hours by the same user.
ServicePrincipalFederatedIdentityCredentialAdded: Detects federated identity credential additions to service principals via “Update service principal” operations where modifiedProperties contains “FederatedIdentityCredentials”; such credentials let external OIDC workloads authenticate as the service principal without a client secret or certificate.
MFADisabledThenSignInFromUnseenIP: Cross-source join between AuditLogs and SigninLogs flagging successful sign-ins from IPs not seen in prior 30 days occurring within 60 minutes of MFA being disabled for the same account.
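As an added illustration of the sequencing logic behind these three hunts (this is not the PR's KQL and not Microsoft Sentinel code), the Python below replays the patterns over constructed records. The records are plain dicts that borrow column names from AuditLogs and SigninLogs (TimeGenerated, OperationName, ResultType, IPAddress, UserPrincipalName) but flatten InitiatedBy and TargetResources into assumed "Actor", "Target", "Role" and "ModifiedProperties" keys; the operation-name strings and the 24 h / 60 min / 30 d thresholds follow the descriptions above, and the operation names are assumptions rather than values checked against the live schema.

```python
"""Replay of the three Entra ID correlation patterns over constructed records.
Added example, not the PR's queries: field names are simplified and the
operation-name strings are assumptions."""
from datetime import datetime, timedelta, timezone

PRIVILEGED_ROLES = {"Application Administrator", "Cloud Application Administrator",
                    "Global Administrator", "Privileged Role Administrator"}


def ts(s: str) -> datetime:
    """Parse an ISO-8601 timestamp as UTC."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed AuditLogs-like records (InitiatedBy/TargetResources flattened to Actor/Target).
AUDIT_LOGS = [
    {"TimeGenerated": ts("2024-05-01T08:00:00"), "OperationName": "Add member to role",
     "Actor": "admin@contoso.example", "Target": "bob@contoso.example", "Role": "Application Administrator"},
    {"TimeGenerated": ts("2024-05-01T09:30:00"), "OperationName": "Add service principal credentials",
     "Actor": "bob@contoso.example", "Target": "sp-billing-sync"},   # 1.5 h after the grant: hit
    {"TimeGenerated": ts("2024-05-03T09:30:00"), "OperationName": "Add service principal credentials",
     "Actor": "bob@contoso.example", "Target": "sp-late"},           # 2 days later: outside 24 h window
    {"TimeGenerated": ts("2024-05-01T10:00:00"), "OperationName": "Add member to role",
     "Actor": "admin@contoso.example", "Target": "carol@contoso.example", "Role": "Helpdesk Administrator"},
    {"TimeGenerated": ts("2024-05-01T10:05:00"), "OperationName": "Add service principal credentials",
     "Actor": "carol@contoso.example", "Target": "sp-other"},        # grant was not a privileged role
    {"TimeGenerated": ts("2024-05-02T11:00:00"), "OperationName": "Update service principal",
     "Actor": "bob@contoso.example", "Target": "sp-billing-sync",
     "ModifiedProperties": ["FederatedIdentityCredentials"]},        # federated credential added
    {"TimeGenerated": ts("2024-05-02T11:10:00"), "OperationName": "Update service principal",
     "Actor": "bob@contoso.example", "Target": "sp-other", "ModifiedProperties": ["DisplayName"]},
    {"TimeGenerated": ts("2024-05-02T12:00:00"), "OperationName": "Disable Strong Authentication",
     "Actor": "helpdesk@contoso.example", "Target": "dave@contoso.example"},
]

# Constructed SigninLogs-like records (RFC 5737 documentation addresses).
SIGNIN_LOGS = [
    {"TimeGenerated": ts("2024-04-20T09:00:00"), "UserPrincipalName": "dave@contoso.example",
     "IPAddress": "203.0.113.7", "ResultType": "0"},      # baseline: IP seen 12 days earlier
    {"TimeGenerated": ts("2024-05-02T12:20:00"), "UserPrincipalName": "dave@contoso.example",
     "IPAddress": "203.0.113.7", "ResultType": "0"},      # known IP: no hit
    {"TimeGenerated": ts("2024-05-02T12:30:00"), "UserPrincipalName": "dave@contoso.example",
     "IPAddress": "192.0.2.33", "ResultType": "50126"},   # failed sign-in: ignored
    {"TimeGenerated": ts("2024-05-02T12:40:00"), "UserPrincipalName": "dave@contoso.example",
     "IPAddress": "198.51.100.9", "ResultType": "0"},     # unseen IP, 40 min after MFA disable: hit
    {"TimeGenerated": ts("2024-05-02T14:00:00"), "UserPrincipalName": "dave@contoso.example",
     "IPAddress": "198.51.100.50", "ResultType": "0"},    # unseen IP but 2 h later: outside window
]


def correlate(first, second, key_first, key_second, window):
    """Return (a, b) pairs where b follows a within `window` and the join keys match.
    This is the sequencing step: neither event is interesting alone, the pair is."""
    by_key = {}
    for b in second:
        by_key.setdefault(key_second(b), []).append(b)
    pairs = []
    for a in first:
        for b in by_key.get(key_first(a), []):
            delta = b["TimeGenerated"] - a["TimeGenerated"]
            if timedelta(0) <= delta <= window:
                pairs.append((a, b))
    return pairs


def fresh_role_then_sp_credential(audit, window=timedelta(hours=24)):
    """Privileged role granted to a user who then adds a service principal credential."""
    grants = [e for e in audit
              if e["OperationName"] == "Add member to role" and e.get("Role") in PRIVILEGED_ROLES]
    cred_adds = [e for e in audit if e["OperationName"] == "Add service principal credentials"]
    # Join key: the grant's Target (role recipient) must be the Actor of the credential add.
    return correlate(grants, cred_adds, lambda g: g["Target"], lambda c: c["Actor"], window)


def federated_credential_added(audit):
    """Single-event check: a service principal update that touched FederatedIdentityCredentials."""
    return [e for e in audit if e["OperationName"] == "Update service principal"
            and "FederatedIdentityCredentials" in e.get("ModifiedProperties", [])]


def mfa_disabled_then_unseen_ip(audit, signins, window=timedelta(minutes=60), baseline=timedelta(days=30)):
    """MFA disabled for an account, then a successful sign-in from an IP with no successful
    sign-in for that account in the preceding `baseline` period."""
    disables = [e for e in audit if e["OperationName"] == "Disable Strong Authentication"]
    successes = [s for s in signins if s["ResultType"] == "0"]
    hits = []
    for d, s in correlate(disables, successes, lambda d: d["Target"],
                          lambda s: s["UserPrincipalName"], window):
        seen_before = any(p["UserPrincipalName"] == s["UserPrincipalName"]
                          and p["IPAddress"] == s["IPAddress"]
                          and s["TimeGenerated"] - baseline <= p["TimeGenerated"] < s["TimeGenerated"]
                          for p in successes)
        if not seen_before:
            hits.append((d, s))
    return hits


if __name__ == "__main__":
    for g, c in fresh_role_then_sp_credential(AUDIT_LOGS):
        print(f"[role->sp-cred] {g['Target']} got {g['Role']}, then added a credential on {c['Target']}")
    for e in federated_credential_added(AUDIT_LOGS):
        print(f"[federated-cred] {e['Actor']} added a federated credential on {e['Target']}")
    for d, s in mfa_disabled_then_unseen_ip(AUDIT_LOGS, SIGNIN_LOGS):
        mins = int((s["TimeGenerated"] - d["TimeGenerated"]).total_seconds() // 60)
        print(f"[mfa-off->new-ip] MFA disabled for {d['Target']}, sign-in from {s['IPAddress']} {mins} min later")
```

Each of the three functions returns the matched records rather than printing them, so the same logic can be pointed at exported log rows. The "unseen IP" test deliberately looks only at successful prior sign-ins: a failed attempt from an address should not count as that address being known for the account.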
MITRE Mapping
- T1098.001 (Additional Cloud Credentials): Service principal credential and federated identity credential additions
- T1556.006 (Modify Authentication Process: Multi-Factor Authentication): MFA disabling operations
- T1078.004 (Valid Accounts: Cloud Accounts): Post-compromise account usage from new locations
Affected Files
Hunting Queries/AuditLogs/FreshRoleGrantedActorSpCredentialAdded.yaml
Hunting Queries/AuditLogs/ServicePrincipalFederatedIdentityCredentialAdded.yaml
Hunting Queries/MultipleDataSources/MFADisabledThenSignInFromUnseenIP.yaml