Entra ID Service Principal with Unusual Source ASN

Last updated 22 days ago on 2026-04-10

Created 2 months ago on 2026-03-10

About

Identifies Entra ID service principal sign-ins where the workload identity and source autonomous system number (ASN) together have not appeared in recent history. Attackers who obtain application secrets or tokens often authenticate from unfamiliar hosting providers, residential or VPN egress, or networks outside normal automation footprints, which can precede data access, lateral movement, or ransomware activity in the tenant. The detection emphasizes first-seen network context for non-interactive workload identities.

Tags

Domain: CloudDomain: IdentityData Source: AzureData Source: Microsoft Entra IDData Source: Microsoft Entra ID Sign-In LogsUse Case: Identity and Access AuditUse Case: Threat DetectionTactic: Initial AccessLanguage: kuery

Severity

medium

Risk Score

MITRE ATT&CK™

Initial Access (TA0001)(external, opens in a new tab or window)

↳ Valid Accounts (T1078)(external, opens in a new tab or window)

Defense Evasion (TA0005)(external, opens in a new tab or window)

↳ Valid Accounts (T1078)(external, opens in a new tab or window)

False Positive Examples

New deployments, DR sites, IP rotation, or first-time CI/CD expansion can produce a genuinely new (service principal, ASN) pair without malicious intent. Baseline expected apps and approve new network paths. Geo-IP and ASN enrichment updates can occasionally shift how a stable egress is labeled, creating a one-time "new" tuple. Shared or reused service principal secrets across teams may register as new paths when first used from another site.

License

Elastic License v2(external, opens in a new tab or window)

Definition

Rule Type: New Terms Rule
Integration Pack: Prebuilt Security Detection Rules
Index Patterns: filebeat-*logs-azure.signinlogs-*
Related Integrations: azure(external, opens in a new tab or window)
Query

✄𐘗text code block:
✄𐘗data_stream.dataset:azure.signinlogs
    and azure.signinlogs.category:ServicePrincipalSignInLogs
    and azure.signinlogs.properties.status.error_code:0
    and azure.signinlogs.properties.service_principal_id:*
    and source.as.number:*
    and not source.as.organization.name:(*MICROSOFT* or *Microsoft*)
    and not azure.signinlogs.properties.app_owner_tenant_id:(72f988bf-86f1-41af-91ab-2d7cd011db47 or f8cdef31-a31e-4b4a-93e4-5f571e91255a)

Install detection rules in Elastic Security

Detect Entra ID Service Principal with Unusual Source ASN in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(external, opens in a new tab or window).