cloud security

Detecting Azure Service Principal Abuse

Detect and investigate Azure service principal abuse including privilege escalation, credential compromise, admin consent bypass, and unauthorized enumeration in Microsoft Entra ID environments.

azurecredential-abusedetectionentra-idprivilege-escalationsentinelservice-principalsplunk
Install this skill
npx skills add mukul975/Anthropic-Cybersecurity-Skills
Framework mappings

Overview

Azure service principals are identity objects used by applications, services, and automation tools to access Azure resources. Attackers exploit service principals for privilege escalation, lateral movement, and persistent access. Key abuse patterns include: adding credentials to existing principals, assigning privileged roles, bypassing admin consent, and enumerating service principals for attack paths. Application ownership grants the ability to manage credentials and configure permissions, creating hidden privilege escalation paths.

When to Use

  • When investigating security incidents that require detecting azure service principal abuse
  • When building detection rules or threat hunting queries for this domain
  • When SOC analysts need structured procedures for this analysis type
  • When validating security monitoring coverage for related attack techniques

Prerequisites

  • Azure subscription with Microsoft Entra ID P2 license
  • Access to Azure AD Audit Logs and Sign-in Logs
  • Microsoft Sentinel or Splunk for SIEM-based detection
  • Microsoft Graph API permissions for investigation
  • Global Reader or Security Reader role minimum

Key Abuse Patterns

1. New Credentials Added to Service Principal

Attackers add new client secrets or certificates to gain persistent access:

Detection Query (KQL - Sentinel):

AuditLogs
| where OperationName has "Add service principal credentials"
    or OperationName has "Update application - Certificates and secrets management"
| extend InitiatedBy = tostring(InitiatedBy.user.userPrincipalName)
| extend TargetSP = tostring(TargetResources[0].displayName)
| extend TargetSPId = tostring(TargetResources[0].id)
| project TimeGenerated, InitiatedBy, OperationName, TargetSP, TargetSPId
| sort by TimeGenerated desc

Detection Query (SPL - Splunk):

index=azure sourcetype="azure:aad:audit"
operationName="Add service principal credentials"
    OR operationName="Update application*Certificates and secrets*"
| stats count by initiatedBy.user.userPrincipalName, targetResources{}.displayName, _time
| sort -_time

2. Privileged Role Assignment to Service Principal

AuditLogs
| where OperationName == "Add member to role"
| extend RoleName = tostring(TargetResources[0].modifiedProperties[1].newValue)
| where RoleName has_any ("Global Administrator", "Application Administrator",
    "Privileged Role Administrator", "Cloud Application Administrator")
| extend TargetSP = tostring(TargetResources[0].displayName)
| extend InitiatedBy = tostring(InitiatedBy.user.userPrincipalName)
| project TimeGenerated, InitiatedBy, TargetSP, RoleName, OperationName

3. Service Principal Enumeration Detection

MicrosoftGraphActivityLogs
| where RequestMethod == "GET"
| where RequestUri has "/servicePrincipals"
| summarize RequestCount = count() by UserAgent, IPAddress, bin(TimeGenerated, 1h)
| where RequestCount > 10
| sort by RequestCount desc

4. Admin Consent Bypass

AuditLogs
| where OperationName == "Consent to application"
| extend ConsentType = tostring(TargetResources[0].modifiedProperties[4].newValue)
| where ConsentType has "AllPrincipals"
| extend AppName = tostring(TargetResources[0].displayName)
| extend InitiatedBy = tostring(InitiatedBy.user.userPrincipalName)
| project TimeGenerated, InitiatedBy, AppName, ConsentType

5. OAuth App Permissions Escalation

AuditLogs
| where OperationName == "Add app role assignment to service principal"
| extend AppRoleValue = tostring(TargetResources[0].modifiedProperties[1].newValue)
| where AppRoleValue has_any ("RoleManagement.ReadWrite.Directory",
    "Application.ReadWrite.All", "AppRoleAssignment.ReadWrite.All",
    "Directory.ReadWrite.All", "Mail.ReadWrite")
| extend TargetApp = tostring(TargetResources[0].displayName)
| project TimeGenerated, TargetApp, AppRoleValue, CorrelationId

Investigation Procedures

Step 1: Identify compromised service principal

# List service principals with recently added credentials
Connect-MgGraph -Scopes "Application.Read.All"
 
$suspiciousSPs = Get-MgServicePrincipal -All | ForEach-Object {
    $sp = $_
    $creds = Get-MgServicePrincipalPasswordCredential -ServicePrincipalId $sp.Id
    $recentCreds = $creds | Where-Object { $_.StartDateTime -gt (Get-Date).AddDays(-7) }
    if ($recentCreds) {
        [PSCustomObject]@{
            DisplayName = $sp.DisplayName
            AppId = $sp.AppId
            ObjectId = $sp.Id
            NewCredsCount = $recentCreds.Count
            LatestCredAdded = ($recentCreds | Sort-Object StartDateTime -Descending | Select-Object -First 1).StartDateTime
        }
    }
}
$suspiciousSPs | Sort-Object LatestCredAdded -Descending

Step 2: Review service principal role assignments

# Check role assignments for a specific service principal
$spId = "<service-principal-object-id>"
Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $spId | ForEach-Object {
    $resource = Get-MgServicePrincipal -ServicePrincipalId $_.ResourceId
    [PSCustomObject]@{
        AppRoleId = $_.AppRoleId
        ResourceDisplayName = $resource.DisplayName
        CreatedDateTime = $_.CreatedDateTime
    }
}

Step 3: Check application ownership

# List owners of all applications (ownership = credential control)
Get-MgApplication -All | ForEach-Object {
    $app = $_
    $owners = Get-MgApplicationOwner -ApplicationId $app.Id
    foreach ($owner in $owners) {
        [PSCustomObject]@{
            AppName = $app.DisplayName
            AppId = $app.AppId
            OwnerUPN = $owner.AdditionalProperties.userPrincipalName
            OwnerType = $owner.AdditionalProperties.'@odata.type'
        }
    }
} | Where-Object { $_.OwnerUPN -ne $null }

Step 4: Review sign-in activity

AADServicePrincipalSignInLogs
| where ServicePrincipalId == "<target-sp-id>"
| project TimeGenerated, ServicePrincipalName, IPAddress, Location,
    ResourceDisplayName, Status.errorCode
| sort by TimeGenerated desc

Preventive Controls

Restrict application registration

# Disable user ability to register applications
Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{
    AllowedToCreateApps = $false
}

Configure app consent policies

# Require admin approval for all app consent requests
New-MgPolicyPermissionGrantPolicy -Id "admin-only-consent" `
    -DisplayName "Admin Only Consent" `
    -Description "Only admins can consent to applications"

Monitor with Microsoft Sentinel Analytics Rules

Create analytics rules for:

  • New service principal credential additions
  • Privileged role assignments to service principals
  • Bulk service principal enumeration
  • Admin consent grants to unknown applications
  • Service principal sign-ins from unusual locations

MITRE ATT&CK Mapping

Technique ID Description
Account Manipulation: Additional Cloud Credentials T1098.001 Adding credentials to service principal
Valid Accounts: Cloud Accounts T1078.004 Using compromised service principal
Account Discovery: Cloud Account T1087.004 Enumerating service principals
Steal Application Access Token T1528 OAuth token theft via service principal

References

  • Splunk Detection: Azure AD Service Principal Abuse
  • Semperis: Service Principal Ownership Abuse in Entra ID
  • MITRE ATT&CK Cloud Matrix
  • Microsoft: Securing service principals in Entra ID
Source materials

References and resources

Everything below is rendered for inspection. Script files are read-only and never run.

References 3

api-reference.md2.4 KB

Azure Service Principal Abuse Detection — API Reference

Libraries

Library Install Purpose
azure-identity pip install azure-identity Azure AD authentication
requests pip install requests Microsoft Graph API client

Microsoft Graph API Endpoints

Method Endpoint Description
GET /v1.0/servicePrincipals List service principals
GET /v1.0/servicePrincipals/{id} Get SP details and credentials
GET /v1.0/servicePrincipals/{id}/appRoleAssignments SP role assignments
GET /v1.0/directoryRoles List directory roles
GET /v1.0/directoryRoles/{id}/members Role members (includes SPs)
GET /v1.0/auditLogs/signIns Sign-in logs for SP activity
GET /v1.0/auditLogs/directoryAudits Directory change audit logs

OAuth2 Token Endpoint

POST https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token
grant_type=client_credentials
scope=https://graph.microsoft.com/.default

High-Privilege Directory Roles

Role Risk
Global Administrator Full tenant control
Application Administrator Can create/manage all apps
Cloud Application Administrator Manage cloud app registrations
Privileged Role Administrator Manage role assignments

Service Principal Abuse Indicators

Indicator Description Severity
Multiple password credentials Possible backdoor persistence HIGH
Expired credentials not removed Credential hygiene gap MEDIUM
SP with Global Admin role Overprivileged automation CRITICAL
Unusual sign-in location Compromised SP credentials HIGH
New credential added to SP Persistence via credential injection CRITICAL

MITRE ATT&CK Mapping

Technique ID Description
Account Manipulation T1098 Add credentials to SP
Valid Accounts: Cloud T1078.004 Abuse SP credentials
Trusted Relationship T1199 Abuse multi-tenant SP trust

External References

standards.md0.9 KB

Standards - Detecting Azure Service Principal Abuse

MITRE ATT&CK Techniques

  • T1098.001: Account Manipulation - Additional Cloud Credentials
  • T1078.004: Valid Accounts - Cloud Accounts
  • T1087.004: Account Discovery - Cloud Account
  • T1528: Steal Application Access Token
  • T1550.001: Use Alternate Authentication Material - Application Access Token

CIS Microsoft Azure Foundations Benchmark v2.1

  • 1.11: Ensure that multi-factor authentication is enabled for all privileged users
  • 1.14: Ensure that guest users are reviewed on a regular basis
  • 1.15: Ensure that User consent for applications is set to Do not allow user consent

Microsoft Secure Score Recommendations

  • Require admin approval for unmanaged applications
  • Remove unused application permissions
  • Limit service principal credential lifetime
  • Implement Conditional Access for workload identities
workflows.md0.9 KB

Workflows - Detecting Azure Service Principal Abuse

Detection Workflow

1. Log Collection → Ingest Azure AD Audit + Sign-in logs to SIEM
2. Rule Activation → Enable detection analytics for SP abuse patterns
3. Alert Triage → Validate alerts against known automation accounts
4. Investigation → Correlate credential changes with sign-in anomalies
5. Containment → Disable compromised SP, rotate credentials
6. Remediation → Remove unauthorized permissions, review ownership

Investigation Workflow

1. Identify affected service principal (name, object ID, app ID)
2. Review recent credential changes (new secrets/certificates)
3. Check role assignments for privilege escalation
4. Analyze sign-in logs for unusual IPs/locations
5. Review application ownership chain
6. Assess blast radius of compromised permissions
7. Document findings and initiate incident response

Scripts 2

agent.py6.7 KB
Display-only source. This catalog never executes bundled scripts.
#!/usr/bin/env python3
"""Azure Service Principal abuse detection agent."""

import json
import sys
import argparse
from datetime import datetime, timedelta

try:
    from azure.identity import ClientSecretCredential
except ImportError:
    ClientSecretCredential = None

try:
    import requests
except ImportError:
    print("Install: pip install requests")
    sys.exit(1)


class AzureGraphClient:
    """Client for Microsoft Graph API to audit service principals."""

    def __init__(self, tenant_id, client_id, client_secret):
        self.tenant_id = tenant_id
        self.token = self._get_token(tenant_id, client_id, client_secret)
        self.headers = {"Authorization": f"Bearer {self.token}"}

    def _get_token(self, tenant_id, client_id, client_secret):
        resp = requests.post(
            f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token",
            data={
                "grant_type": "client_credentials",
                "client_id": client_id,
                "client_secret": client_secret,
                "scope": "https://graph.microsoft.com/.default",
            },
            timeout=15,
        )
        resp.raise_for_status()
        return resp.json()["access_token"]

    def _get(self, endpoint, params=None):
        resp = requests.get(f"https://graph.microsoft.com/v1.0{endpoint}",
                            headers=self.headers, params=params, timeout=15)
        resp.raise_for_status()
        return resp.json()

    def list_service_principals(self):
        return self._get("/servicePrincipals", params={"$top": 200}).get("value", [])

    def get_sp_credentials(self, sp_id):
        return self._get(f"/servicePrincipals/{sp_id}").get("passwordCredentials", [])

    def get_sp_app_roles(self, sp_id):
        return self._get(f"/servicePrincipals/{sp_id}/appRoleAssignments").get("value", [])

    def get_sign_in_logs(self, sp_id, days=7):
        since = (datetime.utcnow() - timedelta(days=days)).strftime("%Y-%m-%dT%H:%M:%SZ")
        return self._get("/auditLogs/signIns", params={
            "$filter": f"appId eq '{sp_id}' and createdDateTime ge {since}",
            "$top": 100,
        }).get("value", [])

    def get_directory_roles(self):
        return self._get("/directoryRoles").get("value", [])

    def get_role_members(self, role_id):
        return self._get(f"/directoryRoles/{role_id}/members").get("value", [])


def audit_credential_expiry(client, principals):
    """Check for expired or soon-to-expire service principal credentials."""
    findings = []
    now = datetime.utcnow()
    for sp in principals:
        sp_id = sp.get("id", "")
        display = sp.get("displayName", "")
        creds = sp.get("passwordCredentials", [])
        key_creds = sp.get("keyCredentials", [])

        for cred in creds + key_creds:
            end_str = cred.get("endDateTime", "")
            if not end_str:
                continue
            try:
                end = datetime.fromisoformat(end_str.rstrip("Z"))
            except ValueError:
                continue

            if end < now:
                findings.append({
                    "sp_name": display, "sp_id": sp_id,
                    "credential_id": cred.get("keyId", ""),
                    "issue": "Credential expired but not removed",
                    "severity": "MEDIUM", "expired": end_str,
                })
            elif end < now + timedelta(days=30):
                findings.append({
                    "sp_name": display, "sp_id": sp_id,
                    "issue": f"Credential expires within 30 days ({end_str})",
                    "severity": "LOW",
                })

        if len(creds) > 2:
            findings.append({
                "sp_name": display, "sp_id": sp_id,
                "issue": f"Multiple password credentials ({len(creds)}) — possible backdoor",
                "severity": "HIGH",
            })

    return findings


def audit_privileged_sp_roles(client):
    """Find service principals with high-privilege directory roles."""
    findings = []
    high_priv_roles = {
        "Global Administrator", "Application Administrator",
        "Cloud Application Administrator", "Privileged Role Administrator",
    }
    roles = client.get_directory_roles()
    for role in roles:
        role_name = role.get("displayName", "")
        if role_name not in high_priv_roles:
            continue
        members = client.get_role_members(role["id"])
        for m in members:
            if m.get("@odata.type") == "#microsoft.graph.servicePrincipal":
                findings.append({
                    "sp_name": m.get("displayName", ""),
                    "sp_id": m.get("id", ""),
                    "role": role_name,
                    "issue": f"Service principal has {role_name} role",
                    "severity": "CRITICAL",
                })
    return findings


def run_audit(args):
    """Execute Azure service principal abuse detection audit."""
    print(f"\n{'='*60}")
    print(f"  AZURE SERVICE PRINCIPAL ABUSE DETECTION")
    print(f"  Generated: {datetime.utcnow().isoformat()} UTC")
    print(f"{'='*60}\n")

    client = AzureGraphClient(args.tenant_id, args.client_id, args.client_secret)
    report = {}

    principals = client.list_service_principals()
    report["total_service_principals"] = len(principals)
    print(f"--- SERVICE PRINCIPALS ({len(principals)}) ---")
    for sp in principals[:10]:
        print(f"  {sp.get('displayName','')}: {sp.get('appId','')[:20]}...")

    cred_findings = audit_credential_expiry(client, principals)
    report["credential_findings"] = cred_findings
    print(f"\n--- CREDENTIAL AUDIT ({len(cred_findings)} findings) ---")
    for f in cred_findings[:15]:
        print(f"  [{f['severity']}] {f['sp_name']}: {f['issue']}")

    role_findings = audit_privileged_sp_roles(client)
    report["privileged_role_findings"] = role_findings
    print(f"\n--- PRIVILEGED ROLE ASSIGNMENTS ({len(role_findings)}) ---")
    for f in role_findings:
        print(f"  [{f['severity']}] {f['sp_name']}: {f['role']}")

    return report


def main():
    parser = argparse.ArgumentParser(description="Azure SP Abuse Detection Agent")
    parser.add_argument("--tenant-id", required=True, help="Azure AD tenant ID")
    parser.add_argument("--client-id", required=True, help="App registration client ID")
    parser.add_argument("--client-secret", required=True, help="App registration secret")
    parser.add_argument("--output", help="Save report to JSON file")
    args = parser.parse_args()

    report = run_audit(args)
    if args.output:
        with open(args.output, "w") as f:
            json.dump(report, f, indent=2, default=str)
        print(f"\n[+] Report saved to {args.output}")


if __name__ == "__main__":
    main()
process.py8.5 KB
Display-only source. This catalog never executes bundled scripts.
#!/usr/bin/env python3
"""
Azure Service Principal Abuse Detection Script

Queries Microsoft Graph API to detect suspicious service principal
activities including new credentials, privilege escalation, and
unauthorized ownership.
"""

import json
import subprocess
import sys
from datetime import datetime, timedelta


def run_az_cli(args):
    """Execute Azure CLI command and return parsed JSON output."""
    cmd = ["az"] + args + ["--output", "json"]
    result = subprocess.run(cmd, capture_output=True, text=True)
    if result.returncode != 0:
        return None, result.stderr
    try:
        return json.loads(result.stdout) if result.stdout.strip() else {}, None
    except json.JSONDecodeError:
        return result.stdout, None


def check_recent_credential_additions(days=7):
    """Check for service principals with recently added credentials."""
    print(f"[*] Checking for SP credentials added in last {days} days...")
    cutoff = (datetime.utcnow() - timedelta(days=days)).strftime("%Y-%m-%dT%H:%M:%SZ")

    sps, err = run_az_cli(["ad", "sp", "list", "--all"])
    if err:
        print(f"[!] Error listing service principals: {err}")
        return []

    suspicious = []
    for sp in sps or []:
        display_name = sp.get("displayName", "Unknown")
        app_id = sp.get("appId", "")
        object_id = sp.get("id", "")

        # Check password credentials
        for cred in sp.get("passwordCredentials", []):
            start_date = cred.get("startDateTime", "")
            if start_date and start_date > cutoff:
                suspicious.append({
                    "type": "password_credential",
                    "sp_name": display_name,
                    "app_id": app_id,
                    "object_id": object_id,
                    "credential_start": start_date,
                    "credential_end": cred.get("endDateTime", ""),
                    "key_id": cred.get("keyId", "")
                })

        # Check certificate credentials
        for cert in sp.get("keyCredentials", []):
            start_date = cert.get("startDateTime", "")
            if start_date and start_date > cutoff:
                suspicious.append({
                    "type": "certificate_credential",
                    "sp_name": display_name,
                    "app_id": app_id,
                    "object_id": object_id,
                    "credential_start": start_date,
                    "credential_end": cert.get("endDateTime", ""),
                    "key_id": cert.get("keyId", "")
                })

    if suspicious:
        print(f"[!] Found {len(suspicious)} recently added credentials:")
        for item in suspicious:
            print(f"  - [{item['type']}] {item['sp_name']} (AppId: {item['app_id']})")
            print(f"    Added: {item['credential_start']}")
    else:
        print("[+] No recently added credentials found")

    return suspicious


def check_privileged_sp_roles():
    """Check for service principals with privileged directory roles."""
    print("\n[*] Checking service principals with privileged roles...")

    privileged_roles = [
        "Global Administrator",
        "Application Administrator",
        "Cloud Application Administrator",
        "Privileged Role Administrator",
        "Exchange Administrator",
        "SharePoint Administrator",
        "User Administrator"
    ]

    findings = []
    roles, err = run_az_cli(["rest", "--method", "GET",
                              "--url", "https://graph.microsoft.com/v1.0/directoryRoles"])
    if err:
        print(f"[!] Error fetching roles: {err}")
        return []

    for role in (roles or {}).get("value", []):
        role_name = role.get("displayName", "")
        role_id = role.get("id", "")

        if role_name not in privileged_roles:
            continue

        members, err = run_az_cli(["rest", "--method", "GET",
                                    "--url", f"https://graph.microsoft.com/v1.0/directoryRoles/{role_id}/members"])
        if err:
            continue

        for member in (members or {}).get("value", []):
            odata_type = member.get("@odata.type", "")
            if "servicePrincipal" in odata_type:
                findings.append({
                    "role": role_name,
                    "sp_name": member.get("displayName", "Unknown"),
                    "sp_id": member.get("id", ""),
                    "app_id": member.get("appId", "")
                })

    if findings:
        print(f"[!] Found {len(findings)} service principals with privileged roles:")
        for f in findings:
            print(f"  - {f['sp_name']} has role: {f['role']}")
    else:
        print("[+] No service principals with privileged roles found")

    return findings


def check_sp_ownership():
    """Identify applications with non-admin owners (potential abuse vector)."""
    print("\n[*] Checking application ownership for potential abuse vectors...")

    apps, err = run_az_cli(["ad", "app", "list", "--all"])
    if err:
        print(f"[!] Error listing applications: {err}")
        return []

    risky_ownership = []
    for app in apps or []:
        app_name = app.get("displayName", "Unknown")
        app_id = app.get("appId", "")
        object_id = app.get("id", "")

        owners, err = run_az_cli(["rest", "--method", "GET",
                                   "--url", f"https://graph.microsoft.com/v1.0/applications/{object_id}/owners"])
        if err:
            continue

        owner_list = (owners or {}).get("value", [])
        if len(owner_list) > 3:  # Flag apps with many owners
            risky_ownership.append({
                "app_name": app_name,
                "app_id": app_id,
                "owner_count": len(owner_list),
                "owners": [o.get("userPrincipalName", o.get("displayName", "Unknown")) for o in owner_list]
            })

    if risky_ownership:
        print(f"[!] Found {len(risky_ownership)} applications with excessive owners:")
        for item in risky_ownership:
            print(f"  - {item['app_name']}: {item['owner_count']} owners")
    else:
        print("[+] No applications with excessive ownership found")

    return risky_ownership


def generate_detection_report(cred_findings, role_findings, ownership_findings):
    """Generate a consolidated detection report."""
    timestamp = datetime.now().strftime("%Y-%m-%d %H:%M:%S")

    report = f"""
{'='*60}
Azure Service Principal Abuse Detection Report
Generated: {timestamp}
{'='*60}

## Summary
- Recent Credential Additions: {len(cred_findings)}
- Privileged Role Assignments: {len(role_findings)}
- Risky Application Ownership: {len(ownership_findings)}
- Overall Risk: {'HIGH' if cred_findings or role_findings else 'LOW'}
"""

    if cred_findings:
        report += "\n## Recently Added Credentials\n"
        for f in cred_findings:
            report += f"  [{f['type']}] {f['sp_name']} - Added {f['credential_start']}\n"

    if role_findings:
        report += "\n## Privileged Service Principals\n"
        for f in role_findings:
            report += f"  {f['sp_name']} -> {f['role']}\n"

    if ownership_findings:
        report += "\n## Risky Application Ownership\n"
        for f in ownership_findings:
            report += f"  {f['app_name']} - {f['owner_count']} owners\n"

    print(report)
    return report


if __name__ == "__main__":
    import argparse

    parser = argparse.ArgumentParser(description="Azure Service Principal Abuse Detection")
    parser.add_argument("--days", type=int, default=7, help="Lookback period in days")
    parser.add_argument("--credentials", action="store_true", help="Check recent credential additions")
    parser.add_argument("--roles", action="store_true", help="Check privileged role assignments")
    parser.add_argument("--ownership", action="store_true", help="Check application ownership")
    parser.add_argument("--full", action="store_true", help="Run all checks")
    parser.add_argument("--output", type=str, help="Save report to file")

    args = parser.parse_args()

    cred_findings = []
    role_findings = []
    ownership_findings = []

    if args.full or args.credentials:
        cred_findings = check_recent_credential_additions(args.days)
    if args.full or args.roles:
        role_findings = check_privileged_sp_roles()
    if args.full or args.ownership:
        ownership_findings = check_sp_ownership()

    if args.full or (args.credentials and args.roles):
        report = generate_detection_report(cred_findings, role_findings, ownership_findings)
        if args.output:
            with open(args.output, "w") as f:
                f.write(report)
            print(f"\n[+] Report saved to {args.output}")

Assets 1

template.mdtext/markdown · 0.9 KB
Keep exploring