The query looks for users or service principals that attached an uncommon credential type to an application. As part of the Nobelium campaign, the attacker added credentials to already existing applications and used the application permissions to extract users' mail. See "How to: Use the portal to create a Microsoft Entra ID application and service principal that can access resources". Reference: https://docs.microsoft.com/azure/active-directory/develop/howto-create-service-principal-portal
| Attribute | Value |
|---|---|
| Type | Hunting Query |
| Solution | GitHub Only |
| ID | 63a191f4-a0ad-4ed7-b994-24ffc89b3596 |
| Tactics | Privilege escalation |
| Required Connectors | MicrosoftThreatProtection |
| Source | View on GitHub |
This content item queries data from the following tables:
| Table | Selection Criteria | Transformations | Ingestion API | Lake-Only |
|---|---|---|---|---|
| CloudAppEvents | ActionType in "Add service principal credentials.,Update application - Certificatessecrets management" | ✓ | ✗ | ? |