Description
A service principal can create or update compute instances. If a service principal starts making multiple API calls that try to create or update instances, unlike its earlier behavior, this may indicate the presence of an unauthorized actor in the cloud environment, since this kind of activity is seen mostly when attackers conduct reconnaissance to map the internal environment and spread inside it. It was detected that service principal {AzureServicePrincipal} created more instances than before, which might be suspicious.
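
The baseline comparison described above, as an added example that is not part of the original rule: it counts VM create/update calls per service principal per day and flags a principal whose count on the detection day exceeds a multiple of its busiest earlier day. The record layout, principal names, `factor` and `min_count` are assumptions, and "compute instances" is taken here to mean the `Microsoft.Compute/virtualMachines/write` operation.

```python
from collections import Counter, defaultdict
from datetime import date, datetime

# Azure resource-provider operation for creating or updating a virtual machine.
VM_WRITE = "Microsoft.Compute/virtualMachines/write"

def flag_spikes(events, detection_day, factor=3, min_count=5):
    """Return {principal: (count_today, baseline_daily_max)} for principals whose
    VM create/update calls on detection_day exceed factor x their busiest
    earlier day. factor and min_count are assumed tuning values."""
    daily = defaultdict(Counter)  # principal -> {day: number of VM write calls}
    for ev in events:
        if ev["operationName"].lower() != VM_WRITE.lower():
            continue
        day = datetime.fromisoformat(ev["time"]).date()
        daily[ev["caller"]][day] += 1
    flagged = {}
    for principal, per_day in daily.items():
        today = per_day.get(detection_day, 0)
        baseline = max((n for d, n in per_day.items() if d < detection_day), default=0)
        # A principal with no history has baseline 0, so min_count alone decides.
        if today >= min_count and today > factor * baseline:
            flagged[principal] = (today, baseline)
    return flagged

def sample_events():
    """Constructed records, simplified to three Activity Log-style fields."""
    def ev(caller, day, hour, op=VM_WRITE):
        return {"caller": caller, "operationName": op,
                "time": f"2024-05-{day:02d}T{hour:02d}:00:00"}
    events = []
    # sp-deploy: steady 2 VM writes per day, then 12 on the detection day.
    for day in range(1, 8):
        events += [ev("sp-deploy", day, h) for h in (9, 15)]
    events += [ev("sp-deploy", 8, h) for h in range(12)]
    # sp-scaler: routinely busy (10 per day), 11 on the detection day: not a spike.
    for day in range(1, 8):
        events += [ev("sp-scaler", day, h) for h in range(10)]
    events += [ev("sp-scaler", 8, h) for h in range(11)]
    # sp-new: no history, 6 VM writes on the detection day.
    events += [ev("sp-new", 8, h) for h in range(6)]
    # sp-reader: only read operations, ignored by the filter.
    events += [ev("sp-reader", 8, h, "Microsoft.Compute/virtualMachines/read") for h in range(20)]
    return events

if __name__ == "__main__":
    for sp, (today, base) in sorted(flag_spikes(sample_events(), date(2024, 5, 8)).items()):
        print(f"{sp}: {today} VM create/update calls today, busiest earlier day {base}")
```

Comparing against the busiest earlier day rather than an average keeps a routinely busy automation principal such as `sp-scaler` from alerting on normal load.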