Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Microsoft Entra ID Hybrid Health AD FS Service Delete

Microsoft Entra ID Hybrid Health AD FS Service Delete

Back
Id86a036b2-3686-42eb-b417-909fc0867771
RulenameMicrosoft Entra ID Hybrid Health AD FS Service Delete
DescriptionThis detection uses AzureActivity logs (Administrative category) to identify the deletion of an Microsoft Entra ID Hybrid Health AD FS service instance in a tenant.

A threat actor can create a new AD Health ADFS service and create a fake server to spoof AD FS signing logs.

The health AD FS service can then be deleted after it is no longer needed via HTTP requests to Azure.

More information is available in this blog https://o365blog.com/post/hybridhealthagent/
SeverityMedium
TacticsDefenseEvasion
TechniquesT1578.003
Required data connectorsAzureActivity
KindScheduled
Query frequency1d
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure Activity/Analytic Rules/AADHybridHealthADFSServiceDelete.yaml
Version2.0.3
Arm template86a036b2-3686-42eb-b417-909fc0867771.json
Deploy To Azure
AzureActivity
| where CategoryValue =~ 'Administrative'
| where ResourceProviderValue =~ 'Microsoft.ADHybridHealthService'
| where _ResourceId has 'AdFederationService'
| where OperationNameValue =~ 'Microsoft.ADHybridHealthService/services/delete'
| extend claimsJson = parse_json(Claims)
| extend AppId = tostring(claimsJson.appid), AccountName = tostring(claimsJson.name), Name = tostring(split(Caller,'@',0)[0]), UPNSuffix = tostring(split(Caller,'@',1)[0])
| project-away claimsJson

triggerThreshold: 0
name: Microsoft Entra ID Hybrid Health AD FS Service Delete
queryPeriod: 1d
query: |
  AzureActivity
  | where CategoryValue =~ 'Administrative'
  | where ResourceProviderValue =~ 'Microsoft.ADHybridHealthService'
  | where _ResourceId has 'AdFederationService'
  | where OperationNameValue =~ 'Microsoft.ADHybridHealthService/services/delete'
  | extend claimsJson = parse_json(Claims)
  | extend AppId = tostring(claimsJson.appid), AccountName = tostring(claimsJson.name), Name = tostring(split(Caller,'@',0)[0]), UPNSuffix = tostring(split(Caller,'@',1)[0])
  | project-away claimsJson  
requiredDataConnectors:
- connectorId: AzureActivity
  dataTypes:
  - AzureActivity
version: 2.0.3
id: 86a036b2-3686-42eb-b417-909fc0867771
tactics:
- DefenseEvasion
relevantTechniques:
- T1578.003
status: Available
tags:
- SimuLand
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure Activity/Analytic Rules/AADHybridHealthADFSServiceDelete.yaml
triggerOperator: gt
queryFrequency: 1d
description: |
  'This detection uses AzureActivity logs (Administrative category) to identify the deletion of an Microsoft Entra ID Hybrid Health AD FS service instance in a tenant.
  A threat actor can create a new AD Health ADFS service and create a fake server to spoof AD FS signing logs.
  The health AD FS service can then be deleted after it is no longer needed via HTTP requests to Azure.
  More information is available in this blog https://o365blog.com/post/hybridhealthagent/'  
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: Caller
    identifier: FullName
  - columnName: Name
    identifier: Name
  - columnName: UPNSuffix
    identifier: UPNSuffix
- entityType: IP
  fieldMappings:
  - columnName: CallerIpAddress
    identifier: Address
severity: Medium
kind: Scheduled