MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/WRITE operation performed by service principal. Received an alert in Microsoft Sentinel however, we are unable to trace the details of the service principal.

To trace, investigate, and find the Service Principal ID, go to Azure Monitor -> Activity Logs and check for operation Create or Update Network Security Group 

To find the App ID that triggered this, go to Azure Active Directory -> Enterprise Applications (Yes, you pointed it right, automation scripts could cause this)

Check if the IAM role is properly assigned (Role misconfiguration could cause this)

Once UEBA is enabled in Microsoft Sentinel, examine the entity mapping and investigation graph to identify any anomalous behavior. (Compromised credentials could cause this).

Hi, sometimes it could be related to that what is included in your entities in analytic rule which detected such behaviour.

Easiest way is to copy analytic rule and go to hunting, by findings that in Azure Activity table:

AzureActivity

| where OperationNameValue == "Microsoft.Network/networkSecurityGroups/write"
| where ActivityStatusValue == "Success"

Also, do you collect logs from Service principals in Entra ID connector?