December 23, 2025 · 4 min read

Investigating Service Principal Attacks with Graph API Activity Logs

Service principal attacks are escalating, with threat actors like Midnight Blizzard and Storm-0501 exploiting non-human identities to compromise enterprise environments. These attacks historically succeeded because reconnaissance activity—enumeration of users, groups, and roles—remained invisible to defenders through traditional directory audit logs. Microsoft's new GraphAPIAuditEvents table in Defender XDR Advanced Hunting changes this by capturing all Graph API requests, including reads, writes, and failures. This preview feature provides unprecedented visibility into service principal activity, enabling security teams to detect enumeration attempts, privilege escalation, and OAuth abuse before attackers execute their primary objectives. Leveraging Microsoft’s new GraphAPIAuditEvents, Command Zero automates the detection of previously invisible reconnaissance—such as permission enumeration—that legacy logs miss. By embedding expert knowledge into AI-assisted investigation frameworks, the platform correlates disparate data points (IPs, tokens, API calls) to expose complex attack chains. This transforms raw logs into finished investigations in minutes, enabling SOC teams to close the visibility gap and maximize productivity without sacrificing control or transparency.

Kiki Preteau, Cyber security researcher

Introduction

Service principal attacks are becoming more common and more damaging. Two recent incidents illustrate the trend:

Midnight Blizzard Penetrates Microsoft Corporate Environment

  • January 2024
  • By the Russian state-sponsored group behind the SolarWinds attack
  • Initial access via a legacy test OAuth application in a non-production tenant without MFA
  • NOT a zero-day or sophisticated malware
  • Leveraged the full_access_as_app permission
  • Read executive team emails
  • Incursion lasted for months

Storm-0501 Compromises US Gov and Critical Infrastructure

  • September 2024
  • Ransomware group
  • Weakness exploited: service principals holding Global Admin roles without MFA
  • Reset on-prem passwords
  • Misused Entra Connect Sync to penetrate the cloud tenant
  • Leveraged User Access Administrator across all Azure subscriptions
  • Deployed ransomware

In January 2024, Midnight Blizzard—the Russian state-sponsored group behind the SolarWinds attack—compromised Microsoft's corporate environment. The initial access wasn't a zero-day or sophisticated malware. It was a legacy test OAuth application that hadn't been used in years, sitting in a non-production tenant without MFA. The attackers found it, compromised it, and used its full_access_as_app permission to read executive emails for months.

Eight months later, Microsoft reported on Storm-0501, a ransomware group targeting U.S. government and critical infrastructure. Their technique: identify service principals with Global Administrator roles that lacked MFA, reset the on-premises password, and let Entra Connect Sync hand them the keys to the cloud tenant. From there, they elevated to User Access Administrator across all Azure subscriptions and deployed ransomware.

These aren't edge cases. Field Effect observed a surge in application consent attacks in Q1 2024. Sixty percent of cloud threats now target identity and credential abuse. The pattern is consistent: attackers target non-human identities because they persist beyond password resets, often hold elevated permissions, and receive less monitoring than user accounts.

The challenge for defenders has always been visibility. When an attacker compromises a service principal, their first action is reconnaissance—enumerating users, groups, roles, and applications. This discovery phase was invisible from defenders’ point of view. Directory audit logs capture successful writes, not reads. By the time Midnight Blizzard's activity appeared in logs, they had already mapped Microsoft's environment. Now there’s good news for defenders as Microsoft’s Graph API aims to increase visibility into these attacks.  

GraphAPIAuditEvents: Closing the Gap

Microsoft's GraphAPIAuditEvents table in Defender XDR Advanced Hunting is built to change this. Available in preview for P2-licensed customers, it captures all Graph API requests—reads, writes, successes, and failures. Each record includes the source IP, HTTP method, response code, and a token identifier linking activity to specific authentication sessions.

This transforms service principal investigations. Analysts can see enumeration: hundreds of GET requests to /users, /groups, and /directoryRoles that precede an attack. They can see probing: 403 responses revealing what an application attempted but couldn't access. They can trace a token from authentication through every API call it made.
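To make concrete what an analyst can pull out of these records, here is an added example written for this article; it is not code from Microsoft or Command Zero. It runs three of the checks described above over a constructed set of records: a per-token sliding-window count of collection reads against /users, /groups and /directoryRoles (the enumeration signal), a per-token summary of endpoints that answered 403 (the probing signal), and a time-ordered trace of every call one token made. The record field names (timestamp, token_id, ip, method, uri, status) are assumptions that mirror the attributes the article lists, not the table's actual column names; the sample URIs, token ids and addresses are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records. The field names mirror what the article says each
# GraphAPIAuditEvents record carries (source IP, HTTP method, response code,
# token identifier, request URI); they are assumptions for this example, not
# the table's real column names. Addresses come from documentation ranges.
BASE = datetime(2025, 12, 1, 10, 0, 0)

def ev(offset_s, token, ip, method, uri, status):
    return {"timestamp": BASE + timedelta(seconds=offset_s), "token_id": token,
            "ip": ip, "method": method, "uri": uri, "status": status}

G = "https://graph.microsoft.com"
SAMPLE_EVENTS = [
    # tok-A: directory listings in quick succession, two denied probes, then a write
    ev(0,  "tok-A", "203.0.113.45", "GET", G + "/v1.0/users?$top=999", 200),
    ev(10, "tok-A", "203.0.113.45", "GET", G + "/v1.0/users?$top=999&$skiptoken=p2", 200),
    ev(20, "tok-A", "203.0.113.45", "GET", G + "/v1.0/users?$top=999&$skiptoken=p3", 200),
    ev(30, "tok-A", "203.0.113.45", "GET", G + "/v1.0/groups?$top=999", 200),
    ev(40, "tok-A", "203.0.113.45", "GET", G + "/v1.0/groups?$top=999&$skiptoken=p2", 200),
    ev(50, "tok-A", "203.0.113.45", "GET", G + "/v1.0/directoryRoles", 200),
    ev(60, "tok-A", "203.0.113.45", "GET", G + "/v1.0/directoryRoles/ROLE-ID/members", 200),
    ev(70, "tok-A", "203.0.113.45", "GET", G + "/v1.0/auditLogs/directoryAudits", 403),
    ev(80, "tok-A", "203.0.113.45", "GET", G + "/beta/policies/authorizationPolicy", 403),
    ev(90, "tok-A", "203.0.113.45", "POST",
       G + "/v1.0/users/USER-ID/authentication/temporaryAccessPassMethods", 201),
    # tok-B: a benign integration reading single objects an hour apart
    ev(0,    "tok-B", "198.51.100.7", "GET", G + "/v1.0/users/USER-ID", 200),
    ev(3600, "tok-B", "198.51.100.7", "GET", G + "/v1.0/users/USER-ID/manager", 200),
]

def endpoint(uri):
    """Reduce a request URI to its resource path: drop host, API version and query string."""
    path = uri.split("?", 1)[0]
    if "://" in path:
        host_and_path = path.split("://", 1)[1].split("/", 1)
        path = "/" + (host_and_path[1] if len(host_and_path) > 1 else "")
    for version in ("/v1.0", "/beta"):
        if path.startswith(version):
            path = path[len(version):]
            break
    return path or "/"

def is_listing(path):
    """True for collection reads of users, groups or directory roles (or a role's
    members), as opposed to a read of one object by id."""
    seg = [s for s in path.split("/") if s]
    return (bool(seg) and seg[0] in ("users", "groups", "directoryRoles")
            and (len(seg) == 1 or seg[-1] == "members"))

def enumeration_bursts(events, window=timedelta(minutes=15), threshold=5):
    """Per token, the largest number of listing GETs inside any `window`; tokens at
    or above `threshold` are returned as {token_id: count}."""
    stamps_by_token = defaultdict(list)
    for e in events:
        if e["method"] == "GET" and is_listing(endpoint(e["uri"])):
            stamps_by_token[e["token_id"]].append(e["timestamp"])
    flagged = {}
    for token, stamps in stamps_by_token.items():
        stamps.sort()
        best = start = 0
        for end in range(len(stamps)):          # sliding window over sorted timestamps
            while stamps[end] - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[token] = best
    return flagged

def probing_summary(events):
    """Per token, the endpoints that answered 403: what the app tried but could not access."""
    denied = defaultdict(set)
    for e in events:
        if e["status"] == 403:
            denied[e["token_id"]].add(endpoint(e["uri"]))
    return {t: sorted(paths) for t, paths in denied.items()}

def trace_token(events, token_id):
    """Every call one token made, in time order, as (timestamp, method, path, status)."""
    return sorted((e["timestamp"], e["method"], endpoint(e["uri"]), e["status"])
                  for e in events if e["token_id"] == token_id)

if __name__ == "__main__":
    print("enumeration bursts:", enumeration_bursts(SAMPLE_EVENTS))
    print("403 probing:", probing_summary(SAMPLE_EVENTS))
    for call in trace_token(SAMPLE_EVENTS, "tok-A"):
        print(*call)
```

The window and threshold are deliberately small so the constructed data trips them; against a real tenant they should be tuned to each application's 30-day baseline, since a provisioning connector legitimately pages through /users every night and would otherwise flag on every run.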

New Investigation Content for Service Principals

Command Zero has released its first investigation content leveraging GraphAPIAuditEvents. This includes questions for analyzing Graph API activity by application, by source IP, and by authorization token, with automatic correlation across the identifiers that make manual investigation tedious.

We've also built automated investigation facets for two attack patterns that appear repeatedly in incident reports: service principal ownership abuse (the privilege escalation technique Semperis documented in 2024) and OAuth consent grant abuse (the technique Midnight Blizzard used against Microsoft).

Walkthrough: Investigating Ownership Abuse

Starting point: a Defender XDR alert, "Unusual addition of credentials to an OAuth app." The analyst needs to determine whether this was legitimate or the opening move of a privilege escalation attack.

Step 1: Identify application and owners

The investigation identifies the application and enumerates its owners. In Entra ID, owners can add credentials to an application without holding any additional permissions.

Step 2: Assess blast radius

Directory role memberships reveal the blast radius: if the service principal holds Privileged Authentication Administrator, an attacker could reset any password, including those of Global Administrators.

Step 3: Graph API activity analysis

The Graph API activity summary shows what the application has done. Results aggregate by source IP with a 30-day baseline comparison. If the application typically operates from known cloud infrastructure but suddenly appears from a residential ISP in an unexpected country, that is a meaningful signal. HTTP methods and response codes indicate whether it was reading, modifying, or probing permission boundaries.

Step 4: Authentication context

Service principal sign-in logs provide authentication context, with token identifiers that correlate to specific API activity.

Step 5: Directory actions performed

Defender for Cloud Apps shows the directory actions the application performed.

Step 6: Confirm credential addition by owner

The investigation checks whether one of the identified owners added the credentials, confirming the abuse mechanism.

Reviewing the Complete Attack Chain

Before GraphAPIAuditEvents, an ownership abuse investigation had gaps: an alert fires for the credential addition, then nothing, then the audit logs show that a Global Administrator password was reset.

With GraphAPIAuditEvents, the full sequence surfaces: a credential is added, the service principal authenticates from an unfamiliar IP, 800+ GET requests enumerate users and roles over 12 minutes, a POST creates a Temporary Access Pass for a Global Administrator, and the audit log confirms the reset. The reconnaissance that Midnight Blizzard conducted invisibly for months would now be visible within the investigation window.
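The 30-day baseline comparison and the end-to-end sequence described in this walkthrough can be expressed as correlation logic. The following is an added example written for this article; it is not Command Zero's implementation and not Microsoft code. It reconstructs the chain from three constructed sources (directory audit entries, a service principal sign-in record, and Graph API records), compares the source IPs seen after the alert against the 30 days before it, folds the enumeration burst into one timeline entry, and checks that every stage appears in order. The field names, application id, token ids, addresses and account names are all assumptions made for this example.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed evidence for one investigation. T0 is the alert time, APP the
# application under investigation. Field names are assumptions for this example,
# not the real schemas of the audit log, sign-in log or GraphAPIAuditEvents table.
T0 = datetime(2025, 12, 1, 9, 0, 0)
APP = "app-0000"
AUDIT = [  # directory audit log entries
    {"time": T0, "activity": "Add service principal credentials",
     "actor": "owner@contoso.example", "target": APP},
    {"time": T0 + timedelta(minutes=20), "activity": "Reset user password",
     "actor": APP, "target": "ga-admin@contoso.example"},
]
SIGNINS = [  # service principal sign-in log entries
    {"time": T0 + timedelta(minutes=2), "app": APP, "ip": "203.0.113.45", "token": "tok-A"},
]

def g(offset_s, ip, method, path, status, token="tok-A"):
    return {"time": T0 + timedelta(seconds=offset_s), "app": APP, "ip": ip,
            "method": method, "path": path, "status": status, "token": token}

GRAPH = (
    # 30 days of routine reads from the app's usual cloud egress address (the baseline)
    [g(-86400 * d, "198.51.100.7", "GET", "/users/USER-ID", 200, token=f"old-{d}")
     for d in range(1, 31)]
    # incident window: 800 listing reads from an unfamiliar address, then a write
    + [g(180 + 0.9 * i, "203.0.113.45", "GET",
         ("/users", "/groups", "/directoryRoles")[i % 3], 200) for i in range(800)]
    + [g(930, "203.0.113.45", "POST",
         "/users/GA-ID/authentication/temporaryAccessPassMethods", 201)]
)

ENUM_PATHS = {"/users", "/groups", "/directoryRoles"}
WRITES = {"POST", "PATCH", "PUT", "DELETE"}

def ip_baseline(graph, app, at, days=30):
    """Source IPs the app used in the `days` before `at`."""
    return {e["ip"] for e in graph
            if e["app"] == app and at - timedelta(days=days) <= e["time"] < at}

def unfamiliar_ips(graph, app, at):
    """Request counts per source IP after `at` for addresses absent from the baseline."""
    known = ip_baseline(graph, app, at)
    return Counter(e["ip"] for e in graph
                   if e["app"] == app and e["time"] >= at and e["ip"] not in known)

def reconstruct_chain(audit, signins, graph, app, at):
    """Merge the three sources into one ordered timeline of (time, stage, detail)."""
    steps = []
    for a in audit:
        if a["target"] == app and "credential" in a["activity"].lower():
            steps.append((a["time"], "credential-added", f"by {a['actor']}"))
        if a["actor"] == app and "reset" in a["activity"].lower():
            steps.append((a["time"], "password-reset", a["target"]))
    known = ip_baseline(graph, app, at)
    for s in signins:
        if s["app"] == app and s["time"] >= at:
            tag = "known" if s["ip"] in known else "unfamiliar"
            steps.append((s["time"], "sign-in", f"{s['token']} from {s['ip']} ({tag} IP)"))
    window = [e for e in graph if e["app"] == app and e["time"] >= at]
    reads = [e["time"] for e in window if e["method"] == "GET" and e["path"] in ENUM_PATHS]
    if reads:  # collapse the burst into one entry spanning first to last listing read
        minutes = round((max(reads) - min(reads)).total_seconds() / 60)
        steps.append((min(reads), "enumeration", f"{len(reads)} listing reads over {minutes} min"))
    for e in window:
        if e["method"] in WRITES:
            steps.append((e["time"], "write", f"{e['method']} {e['path']} -> {e['status']}"))
    return sorted(steps)

STAGES = ["credential-added", "sign-in", "enumeration", "write", "password-reset"]

def chain_complete(steps):
    """True when every stage of the ownership-abuse chain is present and in order."""
    seen = [stage for _, stage, _ in steps if stage in STAGES]
    ranks = [STAGES.index(s) for s in seen]
    return all(s in seen for s in STAGES) and ranks == sorted(ranks)

if __name__ == "__main__":
    print("unfamiliar IPs:", dict(unfamiliar_ips(GRAPH, APP, T0)))
    timeline = reconstruct_chain(AUDIT, SIGNINS, GRAPH, APP, T0)
    for t, stage, detail in timeline:
        print(t.isoformat(), stage, detail)
    print("complete chain:", chain_complete(timeline))
```

The join key that makes this work is the token identifier: the sign-in record and every Graph API record carry it, which is what lets the unfamiliar-IP authentication be tied to the reads and the write that followed rather than merely co-occurring with them.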

Increasing Visibility Within an Expanding Attack Surface

Storm-0501 found a service principal with Global Admin. Midnight Blizzard found a forgotten OAuth app with Exchange access. Both attacks succeeded because non-human identities weren't receiving the same scrutiny as user accounts.

Organizations deploy more applications and integrations every year. GraphAPIAuditEvents closes the visibility gap for investigating them. Command Zero automates the correlation across data sources that previously required hours of manual work.

Service principal attacks aren't theoretical—they're in the threat reports. The APIs to investigate them are now available.  

Book a demo today to see how Command Zero can help make the most of Graph API in your environment to tackle service principal attacks.  

