Query Details

Service Principal Adds Client Secret To Target Application

Query

id: 79942a71-35af-40a0-9aaf-e79d77517d18
name: Service Principal Adds Client Secret to Target Application
version: 1.0.0
kind: Scheduled
description: |-
  This alert detects when an Azure AD Service Principal (non-human identity) creates or adds a new password credential (Client Secret) to a target Application or Service Principal.

  While automated rotation of credentials by management tools (like Terraform, Vault, or DevOps pipelines) is a legitimate use case, this behavior is also a common persistence and privilege escalation technique. An attacker who has compromised a Service Principal with Application.ReadWrite.All (or similar permissions) may inject a new secret into a highly privileged target application to hijack its identity and access resources.
severity: Medium
queryFrequency: 10m
queryPeriod: 12h
triggerOperator: gt
triggerThreshold: 0
tactics:
- Persistence
relevantTechniques:
- T1098.001
query: |-
  AuditLogs
  | where TimeGenerated > ago(20m)
  | where OperationName has_all ("Update application", "Certificates and secrets management")
  | where TargetResources has "KeyType=Password"
  | extend InitiatedByServicePrincipalId = tostring(parse_json(tostring(InitiatedBy.app)).servicePrincipalId)
  | extend InitiatedByServicePrincipalDisplayName = tostring(parse_json(tostring(InitiatedBy.app)).displayName)
  | where isnotempty(InitiatedByServicePrincipalId)
  | mv-expand TargetResources to typeof(dynamic)
  | extend TargetServicePrincipalName = tostring(TargetResources.displayName)
  | extend TargetServicePrincipalId = tostring(TargetResources.id)
  | extend modifiedProperties = TargetResources.modifiedProperties
  | mv-apply ModifiedProperty = modifiedProperties to typeof(dynamic) on (where ModifiedProperty.displayName == "KeyDescription")
  | extend NewCredentials = todynamic(tostring(ModifiedProperty.newValue))
  | mv-expand NewCredential = NewCredentials to typeof(string)
  | extend NewCredential = trim(@'[\[\]]', NewCredential)
  | parse-kv NewCredential as (KeyIdentifier: string, KeyType: string, KeyUsage: string, KeyDisplayName: string) with (pair_delimiter=',', kv_delimiter='=')
  | project-away NewCredentials, NewCredential, modifiedProperties, ModifiedProperty, KeyUsage
  | project-reorder
      TimeGenerated,
      OperationName,
      InitiatedByServicePrincipalDisplayName,
      InitiatedByServicePrincipalId,
      TargetServicePrincipalName,
      TargetServicePrincipalId,
      KeyType,
      KeyIdentifier
suppressionEnabled: false
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: 5h
    matchingMethod: AllEntities
    groupByEntities: []
    groupByAlertDetails: []
    groupByCustomDetails: []
eventGroupingSettings:
  aggregationKind: AlertPerResult
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: FullName
    columnName: InitiatedByServicePrincipalDisplayName
suppressionDuration: 5h

Explanation

This query is designed to detect when a non-human identity, specifically an Azure AD Service Principal, adds a new password credential (also known as a Client Secret) to an application or another Service Principal in Azure Active Directory. This action is monitored because it can be a legitimate operation, such as automated credential rotation by management tools, but it can also indicate a security threat. An attacker could exploit this capability to maintain access or escalate privileges by injecting a new secret into a highly privileged application.

Here's a simplified breakdown of the query:

  • Purpose: To alert when a Service Principal creates or adds a new Client Secret to a target application.
  • Frequency: The query runs every 10 minutes and looks back over the past 12 hours.
  • Severity: The alert is classified as medium severity.
  • Detection Logic:
    • It examines audit logs for operations related to updating applications and managing certificates and secrets.
    • It filters for actions where a password credential is involved.
    • It extracts details about the Service Principal initiating the action and the target application.
    • It identifies and processes the new credentials added.
  • Alert Configuration:
    • An incident is created for each detection.
    • Incidents are grouped if they involve the same entities within a 5-hour window.
  • Entity Mapping: The Service Principal's display name is mapped to an account entity for further analysis.

Overall, this query helps in identifying potentially unauthorized or suspicious credential changes that could compromise application security.
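As an added illustration that is not part of this catalog entry or the rule itself, the Python below re-implements the rule's filtering and parsing steps over three constructed audit rows (the row shape, the operation string, the ids and names are all assumptions), so each step of the detection logic can be checked outside Sentinel:

```python
import json
# Constructed sample AuditLogs rows (not real tenant data) in the shape the KQL rule reads.
# Row 1: a service principal adds a client secret (alerts). Row 2: a human user adds one
# (InitiatedBy.app is empty, skipped). Row 3: a service principal uploads a certificate (skipped).
def _row(initiated_by, target_id, target_name, key_type, kid):
    entry = f"[KeyIdentifier={kid},KeyType={key_type},KeyUsage=Verify,DisplayName=demo]"
    return {"OperationName": "Update application - Certificates and secrets management",
            "InitiatedBy": initiated_by,
            "TargetResources": [{"id": target_id, "displayName": target_name,
                                 "modifiedProperties": [{"displayName": "KeyDescription",
                                                         "newValue": json.dumps([entry])}]}]}

SP = {"app": {"servicePrincipalId": "sp-1111", "displayName": "ci-pipeline-sp"}}
USER = {"user": {"id": "user-2222", "userPrincipalName": "alice@example.test"}}
SAMPLE_AUDIT_LOGS = [
    _row(SP, "app-9999", "finance-api", "Password", "kid-abcd"),
    _row(USER, "app-9999", "finance-api", "Password", "kid-ef01"),
    _row(SP, "app-7777", "hr-portal", "AsymmetricX509Cert", "kid-2345"),
]

def parse_key_description(entry: str) -> dict:
    # Emulates trim(@'[\[\]]', ...) followed by parse-kv with ',' and '=' delimiters.
    return dict(part.split("=", 1) for part in entry.strip("[]").split(",") if "=" in part)

def detect_sp_added_secret(rows: list) -> list:
    # Applies the rule's filters to AuditLogs rows and returns one finding per new credential.
    findings = []
    for row in rows:
        if not all(s in row.get("OperationName", "")
                   for s in ("Update application", "Certificates and secrets management")):
            continue  # OperationName has_all (...)
        if "KeyType=Password" not in json.dumps(row.get("TargetResources", [])):
            continue  # TargetResources has "KeyType=Password"
        app = (row.get("InitiatedBy") or {}).get("app") or {}
        if not app.get("servicePrincipalId"):
            continue  # isnotempty(InitiatedByServicePrincipalId): human-initiated changes drop out
        for target in row["TargetResources"]:                 # mv-expand TargetResources
            for prop in target.get("modifiedProperties", []): # mv-apply ... KeyDescription
                if prop.get("displayName") != "KeyDescription":
                    continue
                for entry in json.loads(prop["newValue"]):    # mv-expand NewCredential
                    kv = parse_key_description(entry)
                    findings.append({
                        "InitiatedByServicePrincipalDisplayName": app.get("displayName", ""),
                        "InitiatedByServicePrincipalId": app["servicePrincipalId"],
                        "TargetServicePrincipalName": target.get("displayName", ""),
                        "TargetServicePrincipalId": target.get("id", ""),
                        "KeyType": kv.get("KeyType", ""),
                        "KeyIdentifier": kv.get("KeyIdentifier", "")})
    return findings
```

Only the first constructed row survives all three filters; the user-initiated change and the certificate upload are dropped exactly where the KQL drops them.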

Details

Fabian Bader

Released: February 5, 2026

Tables

AuditLogs

Keywords

AuditLogs

Operators

ago(), has_all(), has(), tostring(), parse_json(), isnotempty(), mv-expand, typeof(), extend, mv-apply, todynamic(), trim(), parse-kv, project-away, project-reorder