What’s going on inside the box? Is the Service Principal monitoring is part of your security monitoring? If we rely on many security incidents, the Service Principle must be monitored. The following post will guide how to Monitor Service Principal with Microsoft Sentinel.

There are a few ways to monitor Service Principal access and changes. This post will provide helpful information about the service principal and how to monitor with Microsoft Sentinel.

In general, we can distinguish between three types of AAD-integrated applications:

• Authored by Microsoft
• Authored by 3rd parties
• Written by users in our organization

Application registration is an application that must be registered with an Azure AD tenant. When you register your application with Azure AD, you create an identity configuration to integrate with Azure AD.

The application was registered as an Azure AD application is defined by its only application object, which resides in the Azure AD tenant. An application object is used as a template or blueprint to create one or more service principal objects.

A service principal is created in every tenant where the application is used. Like a class in object-oriented programming, the application object has static properties applied to all the developed service principles.

The application object describes three aspects of an application: how the Service can issue tokens to access the application, resources that the application might need to access, and the application’s actions.

The App registrations blade in the Azure portal is used to list and manage the application objects in your home tenant.

A service principal is a local representation, or application instance, of a global application object in a single tenant or directory. A service principal is a concrete instance created from the application object and inherits specific properties from that object.

A service principal is created in each tenant where the application is used and references the globally unique app object. The principal service object defines what the app can do in the specific tenant, access the app, and resources.

When an application is permitted to access resources in a tenant, a principal service object is created. A service principal is created automatically when you register an application when using the portal. You can also create principal service objects in a tenant using Azure PowerShell, Azure CLI, Microsoft Graph, the Azure portal, and other tools.

The portal’s Enterprise applications blade is used to list and manage the service principles in a tenant.

The Real World

Now. Go to your #AzureAD portal and take a look at your applications. How many applications do you have there? In a utopian world, you maintain an inventory of all these applications with an asset management database to know who the application is, what it is used for, and what API permissions are granted.

If you look at the Azure AD Sign-ins logs, you should view a report with Service principal sign-ins with all access and information such as time, status, IP address, etc.

The Enterprise applications blade is used to list and manage the service principles in a tenant. You can see the service principal’s permissions, user consented permissions, which users have done that consent, sign-in information, etc.

Most organizations are using non-interactive sign-ins, and there are some missing security controls for managed identities or service principles compared to user accounts because:

• No restriction of access by conditions
• Limited options of alternate authentication methods
• Every Service or scenario doesn’t support managed Identities in Azure.
• No sign-in log events to audit the authentication requests.

What changes? Recently Microsoft has allowed you to work with the AADServicePrincipalSignInLogs. You can enable and configure Azure Active Directory Logs for a service principal and work with log management.

Microsoft Sentinel

Now that we know we’ve all the capabilities for service principals logs, we can monitor, track and detect suspicious activities and many other #MicrosoftSentinel actions.

Configure Azure AD

On Azure AD diagnostic settings, we need to enable and configure the collection of the following data:

• NonInteractiveUserSignInLogs
• ServicePrincipalSignInLogs
• ManagedIdentitySignInLogs

Once the diagnostic logs are configured, we can check how it looks on the Microsoft Sentinel data schema. The new Data schema of the new sign-in logs

Even if there is no further documentation, the new sign-in logs’ data schema has already been documented in the Azure Monitor Logs reference.

• NonInteracticeUserSignInLogs > AADNonInteractiveUserSignInLogs
• ServicePrincipalSignInLogs > AADServicePrincipalSignInLogs
• ManagedIdentitySignInLogs > AADManagedIdentitySignInLogs

TIP: The name of the collection in the diagnostic settings and the table’s name are not equal.

Then we can run a quick and simple query to know what we’ve inside the AADManagedIdentitySignInLogs. From Microsoft Sentinel, run the following query.

Additional Resources

• Microsoft Sentinel posts and articles
• Microsoft Sentinel 4 SecOps – All the relevant queries 
• Do you’ve any questions about Microsoft Security or any other security topic? Join the BlackBelt on the Telegram