An Azure service principal is an identity that has access to an application, such as Active Directory. You might need to look for new Active Directory credentials granted to an existing service principal when doing the following:
In order to execute this procedure in your environment, the following data, services, or apps are required:
Your company uses SolarWinds Orion business software, which suffered the Sunburst Backdoor attack. You want to identify any lateral movement associated with attack by seeing if new Active Directory credentials have been granted to an existing service principal.
To optimize the search shown below, you should specify an index and a time range.
- Run the following search:
sourcetype="azure:aad:audit" activityDisplayName="Add service principal credentials"
The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.
Search only Azure Active Directory audit data.
activityDisplayName="Add service principal credentials"
Search for the "add service principal credentials" action.
After identifying new credentials added to existing service principals, you might also want to search for newly added service principals. Additionally, the Microsoft Azure Add-on for Splunk has searches and pre-built security content for Azure data that can help you interpret these results and take additional steps to resolve security concerns related to newly added Active Directory credentials.