December 23, 2025 · 4 min read

Investigating Service Principal Attacks with Graph API Activity Logs

Service principal attacks are escalating, with threat actors like Midnight Blizzard and Storm-0501 exploiting non-human identities to compromise enterprise environments. These attacks historically succeeded because reconnaissance activity—enumeration of users, groups, and roles—remained invisible to defenders through traditional directory audit logs. Microsoft's new GraphAPIAuditEvents table in Defender XDR Advanced Hunting changes this by capturing all Graph API requests, including reads, writes, and failures. This preview feature provides unprecedented visibility into service principal activity, enabling security teams to detect enumeration attempts, privilege escalation, and OAuth abuse before attackers execute their primary objectives. Leveraging Microsoft’s new GraphAPIAuditEvents, Command Zero automates the detection of previously invisible reconnaissance—such as permission enumeration—that legacy logs miss. By embedding expert knowledge into AI-assisted investigation frameworks, the platform correlates disparate data points (IPs, tokens, API calls) to expose complex attack chains. This transforms raw logs into finished investigations in minutes, enabling SOC teams to close the visibility gap and maximize productivity without sacrificing control or transparency.

Kiki Preteau
Cyber security researcher

Introduction

Service principal attacks are becoming more common and devastating. Two recent attacks included:  

Midnight Blizzard Penetrates Microsoft Corporate environment

  • January 2024
  • By Russian state-sponsored group behind the SolarWinds attack
  • Initial access via a legacy test OAuth application in a non-production tenant without MFA
  • NOT a zero-day or sophisticated malware.
  • Leveraged full_access_as_app permission
  • Read executive team emails
  • Incursion lasted for months

Storm-0501 Compromises US Gov and Critical Infrastructure

  • September 2024
  • Ransomware group
  • Service principals holding Global Admin roles without MFA
  • Reset on-prem passwords
  • Misused Entra Connect Sync to penetrate cloud tenant
  • Leveraged User Access Admin across all Azure subscriptions
  • Deployed Ransomware

In January 2024, Midnight Blizzard—the Russian state-sponsored group behind the SolarWinds attack—compromised Microsoft's corporate environment. The initial access wasn't a zero-day or sophisticated malware. It was a legacy test OAuth application that hadn't been used in years, sitting in a non-production tenant without MFA. The attackers found it, compromised it, and used its full_access_as_app permission to read executive emails for months.

Eight months later, Microsoft reported on Storm-0501, a ransomware group targeting U.S. government and critical infrastructure. Their technique: identify service principals with Global Administrator roles that lacked MFA, reset the on-premises password, and let Entra Connect Sync hand them the keys to the cloud tenant. From there, they elevated to User Access Administrator across all Azure subscriptions and deployed ransomware.

These aren't edge cases. Field Effect observed a surge in application consent attacks in Q1 2024. Sixty percent of cloud threats now target identity and credential abuse. The pattern is consistent: attackers target non-human identities because they persist beyond password resets, often hold elevated permissions, and receive less monitoring than user accounts.

The challenge for defenders has always been visibility. When an attacker compromises a service principal, their first action is reconnaissance: enumerating users, groups, roles, and applications. This discovery phase was invisible to defenders. Directory audit logs capture successful writes, not reads. By the time Midnight Blizzard's activity appeared in logs, they had already mapped Microsoft's environment. The good news for defenders is that Microsoft's new Graph API activity logging is designed to give them that missing visibility.

GraphAPIAuditEvents: Closing the Gap

Microsoft's GraphAPIAuditEvents table in Defender XDR Advanced Hunting is built to change this. Available in preview for P2-licensed customers, it captures all Graph API requests—reads, writes, successes, and failures. Each record includes the source IP, HTTP method, response code, and a token identifier linking activity to specific authentication sessions.

This transforms service principal investigations. Analysts can see enumeration: hundreds of GET requests to /users, /groups, and /directoryRoles that precede an attack. They can see probing: 403 responses revealing what an application attempted but couldn't access. They can trace a token from authentication through every API call it made.
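As an added example (not Command Zero's code and not the GraphAPIAuditEvents schema), the Python below runs the signals described here and in the walkthrough further down over constructed audit records: a burst of enumeration GETs to /users, /groups and /directoryRoles from one token, 403 probing, a source IP outside an assumed 30-day baseline, and a POST creating a Temporary Access Pass. Field names, IPs, token ids and the baseline set are this example's own assumptions, not the table's column names.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed 30-day baseline: source IPs the application normally operates from.
BASELINE_IPS = {"20.0.0.5"}
ENUM_PATHS = ("/users", "/groups", "/directoryRoles")

def _rec(minute, method, path, status, ip="203.0.113.9", token="tok-A"):
    """Build one constructed audit record (field names are this example's own)."""
    return {"ts": datetime(2025, 12, 1, 9, 0) + timedelta(minutes=minute),
            "method": method, "path": path, "status": status, "ip": ip, "token": token}

# Constructed sample: one normal baseline request, then a token from an unfamiliar IP
# issuing 900 enumeration GETs in ~12 minutes, three 403s while probing audit logs,
# and a POST creating a Temporary Access Pass for an admin account.
SAMPLE = (
    [_rec(0, "GET", "/users", 200, ip="20.0.0.5", token="tok-base")]
    + [_rec(i * 12 // 900, "GET", path, 200)
       for i, path in enumerate(ENUM_PATHS * 300)]
    + [_rec(5, "GET", "/auditLogs/directoryAudits", 403) for _ in range(3)]
    + [_rec(13, "POST", "/users/gadmin/authentication/temporaryAccessPassMethods", 201)]
)

def analyze(records, window=timedelta(minutes=15), enum_threshold=500):
    """Group requests by token and flag the signals the article describes:
    enumeration bursts, 403 probing, unfamiliar source IPs and sensitive writes."""
    by_token = defaultdict(list)
    for r in records:
        by_token[r["token"]].append(r)
    findings = {}
    for token, recs in by_token.items():
        recs.sort(key=lambda r: r["ts"])
        enum_gets = [r for r in recs if r["method"] == "GET" and r["path"] in ENUM_PATHS]
        # Sliding window: most enumeration GETs seen inside any `window`-long span.
        peak, start = 0, 0
        for end in range(len(enum_gets)):
            while enum_gets[end]["ts"] - enum_gets[start]["ts"] > window:
                start += 1
            peak = max(peak, end - start + 1)
        findings[token] = {
            "enumeration_burst": peak >= enum_threshold,
            "peak_enum_gets": peak,
            "forbidden": sum(r["status"] == 403 for r in recs),
            "unfamiliar_ips": sorted({r["ip"] for r in recs} - BASELINE_IPS),
            "sensitive_writes": [r["path"] for r in recs
                                 if r["method"] in ("POST", "PATCH", "PUT")
                                 and "temporaryAccessPass" in r["path"]],
        }
    return findings
```

Running `analyze(SAMPLE)` flags the attacker token on all four signals while the baseline token stays clean, which is the per-token view an analyst wants before pivoting to the sign-in logs.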

New Investigation Content for Service Principals

Command Zero has released our first investigation content leveraging GraphAPIAuditEvents. This includes questions for analyzing Graph API activity by application, by source IP, and by authorization token—with automatic correlation across the identifiers that make manual investigation tedious.

We've also built automated investigation facets for two attack patterns that appear repeatedly in incident reports: service principal ownership abuse (the privilege escalation technique Semperis documented in 2024) and OAuth consent grant abuse (the technique Midnight Blizzard used against Microsoft).

Walkthrough: Investigating Ownership Abuse

Starting point: Defender XDR alert "Unusual addition of credentials to an OAuth app"

Consider a Defender XDR alert: "Unusual addition of credentials to an OAuth app." The analyst needs to determine whether this was legitimate or the opening move of a privilege escalation attack.

Step 1: Identify application and owners

The investigation identifies the application and enumerates its owners. In Entra ID, owners can add credentials to an application without holding any additional permissions.

Step 2: Assess blast radius

Directory role memberships reveal the blast radius: if the service principal holds Privileged Authentication Administrator, an attacker could reset any password, including those of Global Administrators.

Step 3: Graph API activity analysis

The Graph API activity summary shows what the application has done. Results aggregate by source IP with a 30-day baseline comparison. If the application typically operates from known cloud infrastructure but suddenly appears from a residential ISP in an unexpected country, that is a meaningful signal. HTTP methods and response codes indicate whether it was reading, modifying, or probing permission boundaries.

Step 4: Authentication context

Service principal sign-in logs provide authentication context, with token identifiers that correlate to specific API activity.

Step 5: Directory actions performed

Defender for Cloud Apps shows the directory actions the application performed.

Step 6: Confirm credential addition by owner

The investigation checks whether one of the identified owners added the credentials, confirming the abuse mechanism.

Reviewing The Complete Attack Chain

Before GraphAPIAuditEvents, an ownership abuse investigation had gaps: the alert fires for the credential addition, then nothing, then audit logs show a Global Administrator password was reset.

With GraphAPIAuditEvents, the full sequence surfaces: a credential is added, the service principal authenticates from an unfamiliar IP, 800+ GET requests enumerate users and roles over 12 minutes, a POST creates a Temporary Access Pass for a Global Administrator, and the audit log confirms the reset. The reconnaissance that Midnight Blizzard conducted invisibly for months would now be visible within the investigation window.

Increasing Visibility Within an Expanding Attack Surface

Storm-0501 found a service principal with Global Admin. Midnight Blizzard found a forgotten OAuth app with Exchange access. Both attacks succeeded because non-human identities weren't receiving the same scrutiny as user accounts.

Organizations deploy more applications and integrations every year. GraphAPIAuditEvents closes the visibility gap for investigating them. Command Zero automates the correlation across data sources that previously required hours of manual work.

Service principal attacks aren't theoretical—they're in the threat reports. The APIs to investigate them are now available.  

Book a demo today to see how Command Zero can help make the most of Graph API in your environment to tackle service principal attacks.  
