Azure Service Principal Authentication from Multiple Countries

Last updated 8 days ago on 2026-03-10

Created 8 days ago on 2026-03-10

About

Detects when an Azure service principal authenticates from multiple countries within a short time window, which may indicate stolen credentials being used from different geographic locations. Service principals typically authenticate from consistent locations tied to their deployment infrastructure. Authentication from multiple countries in a brief period suggests credential compromise, particularly when the source countries do not align with the organization's expected operating regions. This pattern has been observed in attacks using stolen CI/CD credentials, phished service principal secrets, and compromised automation accounts.

Tags

Domain: CloudDomain: IdentityData Source: AzureData Source: Microsoft Entra IDData Source: Microsoft Entra ID Sign-In LogsUse Case: Identity and Access AuditUse Case: Threat DetectionTactic: Initial AccessLanguage: esql

Severity

high

Risk Score

MITRE ATT&CK™

Initial Access (TA0001)(external, opens in a new tab or window)

↳ Valid Accounts (T1078)(external, opens in a new tab or window)

False Positive Examples

Service principals used by globally distributed CI/CD systems (e.g., GitHub Actions runners in multiple regions) may legitimately authenticate from different countries. Baseline the expected geographic distribution for each service principal. VPN or proxy usage by administrators managing service principals from different locations may produce multi-country sign-in patterns. Correlate with the administrator's known travel or access patterns.

License

Elastic License v2(external, opens in a new tab or window)

Definition

Integration Pack: Prebuilt Security Detection Rules
Related Integrations: azure(external, opens in a new tab or window)
Query

✄𐘗text code block:
✄𐘗FROM logs-azure.signinlogs-* metadata _id, _index
| WHERE event.dataset == "azure.signinlogs"
    AND azure.signinlogs.category == "ServicePrincipalSignInLogs"
    AND azure.signinlogs.properties.status.error_code == 0
    AND source.geo.country_iso_code IS NOT NULL
    AND azure.signinlogs.properties.service_principal_id IS NOT NULL
    AND NOT azure.signinlogs.properties.app_owner_tenant_id IN (
        "f8cdef31-a31e-4b4a-93e4-5f571e91255a",
        "72f988bf-86f1-41af-91ab-2d7cd011db47"
    )

| EVAL
    Esql.source_ip_string = TO_STRING(source.ip),
    Esql.source_ip_country_pair = CONCAT(Esql.source_ip_string, " - ", source.geo.country_name)

| STATS
    Esql.source_geo_country_iso_code_count_distinct = COUNT_DISTINCT(source.geo.country_iso_code),
    Esql.source_geo_country_name_values = VALUES(source.geo.country_name),
    Esql.source_geo_city_name_values = VALUES(source.geo.city_name),
    Esql.source_ip_values = VALUES(source.ip),
    Esql.source_ip_country_pair_values = VALUES(Esql.source_ip_country_pair),
    Esql.source_network_org_name_values = VALUES(`source.as.organization.name`),
    Esql.resource_display_name_values = VALUES(azure.signinlogs.properties.resource_display_name),
    Esql.app_id_values = VALUES(azure.signinlogs.properties.app_id),
    Esql.app_owner_tenant_id_values = VALUES(azure.signinlogs.properties.app_owner_tenant_id),
    Esql.source_ip_count_distinct = COUNT_DISTINCT(source.ip),
    Esql.source_geo_city_name_count_distinct = COUNT_DISTINCT(source.geo.city_name),
    Esql.source_network_org_name_count_distinct = COUNT_DISTINCT(`source.as.organization.name`),
    Esql.timestamp_first_seen = MIN(@timestamp),
    Esql.timestamp_last_seen = MAX(@timestamp),
    Esql.event_count = COUNT(*)
    BY azure.signinlogs.properties.service_principal_id, azure.signinlogs.properties.app_display_name

| WHERE Esql.source_geo_country_iso_code_count_distinct >= 2
| KEEP *

Install detection rules in Elastic Security

Detect Azure Service Principal Authentication from Multiple Countries in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(external, opens in a new tab or window).