Entra ID Service Principal Sign-in from Unusual Source ASN
Detects Entra ID service principal sign-ins from a source ASN that is unusual based on a history window, potentially indicating compromised credentials or a rogue application.
This detection identifies potentially malicious activity within Microsoft Entra ID (formerly Azure AD) by monitoring service principal sign-ins. Specifically, it flags instances where a service principal authenticates from an autonomous system number (ASN) that is not typically associated with that principal within a defined history window (10 days). Attackers compromising service principal credentials or application secrets may attempt to authenticate from unfamiliar networks, such as hosting providers, VPNs, or residential IPs, to gain initial access, move laterally, or deploy ransomware within the tenant. The rule focuses on identifying new network paths for non-interactive workload identities, improving the chances of catching malicious activity early in the attack chain. This detection is based on the Elastic detection rule released on 2026/04/06.
Attack Chain
- The attacker gains unauthorized access to service principal credentials or application secrets.
- The attacker uses the compromised credentials to attempt authentication to Entra ID.
- The authentication request originates from an unusual ASN not previously associated with the service principal.
- Entra ID processes the authentication request and, if successful based on existing policies, grants access.
- The service principal, now under attacker control, performs actions based on its assigned permissions. This could include accessing sensitive data, modifying configurations, or escalating privileges.
- The attacker leverages the compromised service principal to move laterally within the cloud environment, accessing other resources or identities.
- The attacker may exfiltrate sensitive data or deploy malicious applications or scripts.
- The attacker may deploy ransomware targeting cloud resources.
Impact
A successful attack leveraging compromised service principal credentials can result in significant damage, including data breaches, service disruptions, and financial losses. The potential impact extends to any resources accessible by the compromised service principal, potentially affecting critical business applications and data. If undetected, this activity can lead to full tenant compromise and significant remediation costs. Lateral movement and privilege escalation can further amplify the impact, affecting more resources and data within the environment.
Recommendation
- Deploy the Sigma rule
Entra ID Service Principal Sign-in from Unusual ASNto your SIEM, ensuring it is tuned to exclude known benign ASNs for your service principals. - Review sign-in logs for successful authentications by service principals originating from unfamiliar ASNs as per the investigation guide provided in the rule description.
- Implement conditional access policies to restrict service principal sign-ins to specific networks or locations.
- Rotate application secrets and certificates for any service principal triggering the
Entra ID Service Principal Sign-in from Unusual ASNdetection. - Monitor Entra ID audit logs for changes to application permissions, client secrets, or ownership, especially before a suspicious sign-in, as described in the rule's triage steps.
- Enrich
source.ipaddresses from alerts with threat intelligence data to identify residential or low-reputation ASNs, warranting increased scrutiny.
Detection coverage 2
Entra ID Service Principal Sign-in from Unusual ASN
mediumDetects Entra ID service principal sign-ins from a previously unseen ASN.
Entra ID Service Principal Sign-in Success
infoDetects successful Entra ID service principal sign-ins
Detection queries are available on the platform. Get full rules →