---
title: Azure New Service Principal created
description: Datadog, the leading service for cloud-scale monitoring.
---

# Azure New Service Principal created

Classification: attack. Tactic: [TA0003-persistence](https://attack.mitre.org/tactics/TA0003). Technique: [T1098-account-manipulation](https://attack.mitre.org/techniques/T1098).

## Goal{% #goal %}

Detect when a new service principal is created in Azure, which can serve as a persistence mechanism.

## Strategy{% #strategy %}

Monitor Azure Active Directory logs where `@evt.name` is `"Add service principal"` and `@evt.outcome` is `Success`.

## Triage and response{% #triage-and-response %}

1. Inspect the new service principal in `@properties.targetResources`.
1. Verify with the user (`{{$usr.name}}`) to determine if the service principal is legitimate.
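
The following added example (not Datadog's own code or the rule's query) applies the strategy's match to constructed sample events and extracts the two fields the triage steps ask for. The JSON nesting of the events and the helper names `get`, `is_new_service_principal` and `triage_findings` are assumptions made for illustration.

```python
import json

# Constructed sample events, not real logs. The nesting mirrors the attribute
# paths named on this page; id/displayName/type inside targetResources follow
# the Azure AD audit log schema. The last line is deliberately malformed.
SAMPLE_LOGS = """\
{"evt": {"name": "Add service principal", "outcome": "Success"}, "usr": {"name": "alice@example.com"}, "properties": {"targetResources": [{"id": "00000000-0000-0000-0000-000000000001", "displayName": "ci-deployer", "type": "ServicePrincipal"}]}}
{"evt": {"name": "Add service principal", "outcome": "Failure"}, "usr": {"name": "bob@example.com"}, "properties": {"targetResources": []}}
{"evt": {"name": "Update user", "outcome": "Success"}, "usr": {"name": "carol@example.com"}}
{"evt": {"name": "Add service principal", "outcome": "Success"}, "properties": {"targetResources": [{"id": "00000000-0000-0000-0000-000000000002", "displayName": "backup-agent", "type": "ServicePrincipal"}]}}
not-json
"""

def get(event, path):
    """Walk a dotted attribute path; return None if any segment is missing."""
    cur = event
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur

def is_new_service_principal(event):
    """The match from the Strategy section: event name plus successful outcome."""
    return (get(event, "evt.name") == "Add service principal"
            and get(event, "evt.outcome") == "Success")

def triage_findings(raw_lines):
    """Return the initiating user and target resources for each matching event."""
    findings = []
    for line in raw_lines.splitlines():
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the scan
        if not is_new_service_principal(event):
            continue
        targets = get(event, "properties.targetResources") or []
        findings.append({
            "user": get(event, "usr.name") or "<unknown>",  # no user to verify with
            "service_principals": [{"id": t.get("id"), "displayName": t.get("displayName")}
                                   for t in targets if isinstance(t, dict)],
        })
    return findings

if __name__ == "__main__":
    for finding in triage_findings(SAMPLE_LOGS):
        print(json.dumps(finding))
```

A finding whose user is `<unknown>` has no one to verify with in step 2, so it needs review of the target resource itself.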
