Service principal credential added by user granted privileged role in last 24 hours


Identifies service principal credential additions by users who received Application Administrator or Global Administrator roles within the preceding 24 hours, consistent with immediate post-compromise privilege abuse.

| Attribute | Value |
|---|---|
| Type | Hunting Query |
| Solution | Standalone Content |
| ID | 661d71d1-98a4-464f-bb6b-fc3c39499b3f |
| Tactics | Persistence |
| Techniques | T1098.001 |
| Required Connectors | AzureActiveDirectory |
| Source | [View on GitHub](https://github.com/Azure/Azure-Sentinel/blob/master/Hunting Queries/AuditLogs/FreshRoleGrantedActorSpCredentialAdded.yaml) |
