Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊
Identifies service principals that received an app role assignment or admin consent within one hour of being registered in the tenant. Register-then-consent is a documented persistence pattern after privileged account compromise.
| Attribute | Value |
|---|---|
| Type | Hunting Query |
| Solution | Standalone Content |
| ID | dc9c0f2a-68f4-4415-aa7e-81d87149c222 |
| Tactics | Persistence, PrivilegeEscalation |
| Techniques | T1528, T1098.003 |
| Required Connectors | AzureActiveDirectory |
| Source | [View on GitHub](https://github.com/Azure/Azure-Sentinel/blob/master/Hunting Queries/AuditLogs/NewServicePrincipalGrantedAdminConsent.yaml) |
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊