Unusual Authentication by Microsoft 365 Azure AD Service Principal


Goal

Detect when a Microsoft 365 Azure AD service principal uses an unusual authentication method.

Strategy

Using the New Value detection method, find when a Microsoft 365 Azure AD service principal uses a new @AuthenticationMethod.
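The sketch below is an added example, not the product's implementation or code from this page. It shows the idea behind a new-value rule grouped by service principal: build a per-principal baseline of `@AuthenticationMethod` values during a learning window, then raise a signal the first time a principal uses a value outside its own baseline. The event layout, the `learning_until` and `flag_unknown_principals` parameters, and every sample value are assumptions.

```python
from collections import defaultdict

# Constructed sample events, not real Microsoft 365 logs. Keys mirror the
# attributes named on this page; the flat layout and all values are assumptions.
EVENTS = [
    {"ts": 1, "usr.id": "sp-a", "AuthenticationMethod": "method-A"},
    {"ts": 2, "usr.id": "sp-a", "AuthenticationMethod": "method-A"},
    {"ts": 3, "usr.id": "sp-b", "AuthenticationMethod": "method-B"},
    {"ts": 6, "usr.id": "sp-a", "AuthenticationMethod": "method-A"},
    {"ts": 7, "usr.id": "sp-a", "AuthenticationMethod": "method-C"},
    {"ts": 8, "usr.id": "sp-a", "AuthenticationMethod": "method-C"},
    {"ts": 9, "usr.id": "sp-b", "AuthenticationMethod": "method-A"},
    {"ts": 10, "usr.id": "sp-c", "AuthenticationMethod": "method-A"},
    {"ts": 11, "usr.id": "sp-a"},  # attribute missing: cannot be evaluated
]


def new_value_signals(events, learning_until, flag_unknown_principals=True):
    """Return events where a principal uses a method absent from its baseline.

    Events with ts <= learning_until only populate the baseline. A value is
    learned once seen, so a repeat of the same new value does not re-alert.
    """
    seen = defaultdict(set)  # principal -> methods observed so far
    signals = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        principal = ev.get("usr.id")
        method = ev.get("AuthenticationMethod")
        if principal is None or method is None:
            continue  # skip events that lack the grouped or tracked attribute
        has_baseline = principal in seen
        is_new = method not in seen[principal]
        seen[principal].add(method)
        if not is_new or ev["ts"] <= learning_until:
            continue
        # A principal first seen after learning has no baseline at all;
        # whether that should alert is a tuning choice, exposed here as a flag.
        if has_baseline or flag_unknown_principals:
            signals.append(ev)
    return signals


if __name__ == "__main__":
    for ev in new_value_signals(EVENTS, learning_until=5):
        print(ev["ts"], ev["usr.id"], ev["AuthenticationMethod"])
```

Note that `sp-b` using `method-A` produces a signal even though `sp-a` uses it routinely, because the baseline is kept per principal.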

Triage and response

  1. Determine if the service principal {{@usr.id}} should be authenticating using the {{@AuthenticationMethod}} authentication method and {{@ExtendedProperties.RequestType}} request type.
  2. If {{@usr.email}} should not be authenticating using {{@AuthenticationMethod}}:
    • Investigate other activities performed by the user {{@usr.id}} using the Cloud SIEM - User Investigation dashboard.
    • If necessary, initiate your company’s incident response (IR) process.