Hunting query that looks for credential additions or updates on service principals and applications performed by actors (users or apps) that have not been observed initiating the same operations in the previous 90 days. Covered operations are "Add service principal credentials" and "Update application - Certificates and secrets management", which correspond to adding passwordCredentials or keyCredentials to an existing registration. A rarely observed actor performing these operations can indicat
| Attribute | Value |
|---|---|
| Type | Hunting Query |
| Solution | Standalone Content |
| ID | 138381e3-95d5-4d21-ab0b-13f941b82acc |
| Tactics | Persistence |
| Techniques | T1098.001 |
| Required Connectors | AzureActiveDirectory |
| Source | [View on GitHub](https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AuditLogs/ServicePrincipalCredentialAdditionByRareActor.yaml) |