Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Possible SignIn from Azure Backdoor

Back
Idfa00014c-c5f4-4715-8f5b-ba567e19e41e
RulenamePossible SignIn from Azure Backdoor
DescriptionIdentifies when a user adds an unverified domain as an authentication method, followed by a sign-in from a user the newly added domain. Threat actors may add custom domains to create a backdoor to your tenant. It’s important to monitor whenever custom domains are added to the tenant.
SeverityMedium
TacticsPersistence
TechniquesT1098
Required data connectorsAzureActiveDirectory
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Entra ID/Analytic Rules/PossibleSignInfromAzureBackdoor.yaml
Version1.0.0
Arm templatefa00014c-c5f4-4715-8f5b-ba567e19e41e.json
Deploy To Azure
// Microsoft Entra ID  Backdoors: Identity Federation
//Ref: https://www.inversecos.com/2021/11/how-to-detect-azure-active-directory.html
AuditLogs
| where OperationName == "Add unverified domain"
| where Result == "success"
| extend InitiatedBy = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
| extend DomainName = tostring(TargetResources[0].displayName)
| summarize DomainAddedTime = min(TimeGenerated), ModifiedProperties = make_set(parse_json(TargetResources[0].modifiedProperties),1048576) by InitiatedBy, DomainName
| join kind=inner (
SigninLogs
| where ResultType == "0"
| extend UserDomain = tostring(parse_json(split(UserPrincipalName,"@",1)[0]))
| summarize SignInTime = min(TimeGenerated)  by UserPrincipalName, IPAddress, tostring(LocationDetails),AppDisplayName,ResourceDisplayName,UserDomain
) on $left.DomainName == $right.UserDomain
// Getting UserName and Domain
| extend Name = split(UserPrincipalName,"@",0), Domain = split(UserPrincipalName,"@",1)
| mv-expand Name,Domain
version: 1.0.0
relevantTechniques:
- T1098
triggerThreshold: 0
name: Possible SignIn from Azure Backdoor
id: fa00014c-c5f4-4715-8f5b-ba567e19e41e
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Entra ID/Analytic Rules/PossibleSignInfromAzureBackdoor.yaml
kind: Scheduled
severity: Medium
description: |
    'Identifies when a user adds an unverified domain as an authentication method, followed by a sign-in from a user the newly added domain. Threat actors may add custom domains to create a backdoor to your tenant. It's important to monitor whenever custom domains are added to the tenant.'
queryFrequency: 1h
requiredDataConnectors:
- dataTypes:
  - SigninLogs
  - AuditLogs
  connectorId: AzureActiveDirectory
queryPeriod: 1h
customDetails:
  InitiatedBy: InitiatedBy
  DomainAdded: DomainName
  SignInTime: SignInTime
  AppDisplayName: AppDisplayName
  ResourceDisplayName: ResourceDisplayName
  ModifiedProperties: ModifiedProperties
  DomainAddedTime: DomainAddedTime
query: |
  // Microsoft Entra ID  Backdoors: Identity Federation
  //Ref: https://www.inversecos.com/2021/11/how-to-detect-azure-active-directory.html
  AuditLogs
  | where OperationName == "Add unverified domain"
  | where Result == "success"
  | extend InitiatedBy = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
  | extend DomainName = tostring(TargetResources[0].displayName)
  | summarize DomainAddedTime = min(TimeGenerated), ModifiedProperties = make_set(parse_json(TargetResources[0].modifiedProperties),1048576) by InitiatedBy, DomainName
  | join kind=inner (
  SigninLogs
  | where ResultType == "0"
  | extend UserDomain = tostring(parse_json(split(UserPrincipalName,"@",1)[0]))
  | summarize SignInTime = min(TimeGenerated)  by UserPrincipalName, IPAddress, tostring(LocationDetails),AppDisplayName,ResourceDisplayName,UserDomain
  ) on $left.DomainName == $right.UserDomain
  // Getting UserName and Domain
  | extend Name = split(UserPrincipalName,"@",0), Domain = split(UserPrincipalName,"@",1)
  | mv-expand Name,Domain  
entityMappings:
- fieldMappings:
  - identifier: NTDomain
    columnName: UserDomain
  - identifier: FullName
    columnName: UserPrincipalName
  entityType: Account
- fieldMappings:
  - identifier: Address
    columnName: IPAddress
  entityType: IP
triggerOperator: gt
tactics:
- Persistence
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/fa00014c-c5f4-4715-8f5b-ba567e19e41e')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/fa00014c-c5f4-4715-8f5b-ba567e19e41e')]",
      "properties": {
        "alertRuleTemplateName": "fa00014c-c5f4-4715-8f5b-ba567e19e41e",
        "customDetails": {
          "AppDisplayName": "AppDisplayName",
          "DomainAdded": "DomainName",
          "DomainAddedTime": "DomainAddedTime",
          "InitiatedBy": "InitiatedBy",
          "ModifiedProperties": "ModifiedProperties",
          "ResourceDisplayName": "ResourceDisplayName",
          "SignInTime": "SignInTime"
        },
        "description": "'Identifies when a user adds an unverified domain as an authentication method, followed by a sign-in from a user the newly added domain. Threat actors may add custom domains to create a backdoor to your tenant. It's important to monitor whenever custom domains are added to the tenant.'\n",
        "displayName": "Possible SignIn from Azure Backdoor",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "UserDomain",
                "identifier": "NTDomain"
              },
              {
                "columnName": "UserPrincipalName",
                "identifier": "FullName"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "IPAddress",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Entra ID/Analytic Rules/PossibleSignInfromAzureBackdoor.yaml",
        "query": "// Microsoft Entra ID  Backdoors: Identity Federation\n//Ref: https://www.inversecos.com/2021/11/how-to-detect-azure-active-directory.html\nAuditLogs\n| where OperationName == \"Add unverified domain\"\n| where Result == \"success\"\n| extend InitiatedBy = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\n| extend DomainName = tostring(TargetResources[0].displayName)\n| summarize DomainAddedTime = min(TimeGenerated), ModifiedProperties = make_set(parse_json(TargetResources[0].modifiedProperties),1048576) by InitiatedBy, DomainName\n| join kind=inner (\nSigninLogs\n| where ResultType == \"0\"\n| extend UserDomain = tostring(parse_json(split(UserPrincipalName,\"@\",1)[0]))\n| summarize SignInTime = min(TimeGenerated)  by UserPrincipalName, IPAddress, tostring(LocationDetails),AppDisplayName,ResourceDisplayName,UserDomain\n) on $left.DomainName == $right.UserDomain\n// Getting UserName and Domain\n| extend Name = split(UserPrincipalName,\"@\",0), Domain = split(UserPrincipalName,\"@\",1)\n| mv-expand Name,Domain\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Persistence"
        ],
        "techniques": [
          "T1098"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}