Unusual Authentication by Microsoft 365 Azure AD Service Principal

Classification:

attack

Tactic:

Technique:

Goal

Detect when a Microsoft 365 Azure AD service principal uses an unusual authentication method.

Using the New Value detection method, find when a Microsoft 365 Azure AD service principal uses a new @AuthenticationMethod.

Determine if the service principal {{@usr.id}} should be authenticating using the {{@AuthenticationMethod}} authentication method and {{@ExtendedProperties.RequestType}} request type.
If {{@usr.email}} should not be authenticating using {{@AuthenticationMethod}},
- Investigate other activities performed by the user {{@usr.id}} using the Cloud SIEM - User Investigation dashboard
- If necessary, initiate your company’s incident response (IR) process.