Cross-tenant Access Settings Organization Inbound Direct Settings Changed
| Id | 276d5190-38de-4eb2-9933-b3b72f4a5737 |
| Rulename | Cross-tenant Access Settings Organization Inbound Direct Settings Changed |
| Description | Organizations are added in the Cross-tenant Access Settings to control communication inbound or outbound for users and applications. This detection notifies when Organization Inbound Direct Settings are changed for “Users & Groups” and for “Applications”. |
| Severity | Medium |
| Tactics | InitialAccess Persistence Discovery |
| Techniques | T1078.004 T1136.003 T1087.004 |
| Required data connectors | AzureActiveDirectory |
| Kind | Scheduled |
| Query frequency | 2d |
| Query period | 2d |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Entra ID/Analytic Rules/Cross-tenantAccessSettingsOrganizationInboundDirectSettingsChanged.yaml |
| Version | 1.1.1 |
| Arm template | 276d5190-38de-4eb2-9933-b3b72f4a5737.json |
// In User & Groups and in Applications, the following "AccessType" values in columns PremodifiedInboundSettings and ModifiedInboundSettings are interpreted accordingly
// When Access Type in premodified inbound settings value was 1 that means that the initial access was allowed. When Access Type in premodified inbound settings value was 2 that means that the initial access was blocked.
// When Access Type in modified inbound settings value is 1 that means that now access is allowed. When Access Type in modified inbound settings value is 2 that means that now access is blocked.
AuditLogs
| where OperationName has "Update a partner cross-tenant access setting"
| mv-apply TargetResource = TargetResources on
(
where TargetResource.type =~ "Policy"
| extend Properties = TargetResource.modifiedProperties
)
| mv-apply Property = Properties on
(
where Property.displayName =~ "b2bDirectConnectInbound"
| extend PremodifiedInboundSettings = trim('"',tostring(Property.oldValue)),
ModifiedInboundSettings = trim(@'"',tostring(Property.newValue))
)
| where PremodifiedInboundSettings != ModifiedInboundSettings
| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)
| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)
| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)
| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)
| extend InitiatingIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))
| extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, "@")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, "@")[1])
description: |
'Organizations are added in the Cross-tenant Access Settings to control communication inbound or outbound for users and applications. This detection notifies when Organization Inbound Direct Settings are changed for "Users & Groups" and for "Applications".'
query: |
// In User & Groups and in Applications, the following "AccessType" values in columns PremodifiedInboundSettings and ModifiedInboundSettings are interpreted accordingly
// When Access Type in premodified inbound settings value was 1 that means that the initial access was allowed. When Access Type in premodified inbound settings value was 2 that means that the initial access was blocked.
// When Access Type in modified inbound settings value is 1 that means that now access is allowed. When Access Type in modified inbound settings value is 2 that means that now access is blocked.
AuditLogs
| where OperationName has "Update a partner cross-tenant access setting"
| mv-apply TargetResource = TargetResources on
(
where TargetResource.type =~ "Policy"
| extend Properties = TargetResource.modifiedProperties
)
| mv-apply Property = Properties on
(
where Property.displayName =~ "b2bDirectConnectInbound"
| extend PremodifiedInboundSettings = trim('"',tostring(Property.oldValue)),
ModifiedInboundSettings = trim(@'"',tostring(Property.newValue))
)
| where PremodifiedInboundSettings != ModifiedInboundSettings
| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)
| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)
| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)
| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)
| extend InitiatingIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))
| extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, "@")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, "@")[1])
entityMappings:
- entityType: Account
fieldMappings:
- columnName: InitiatingAppName
identifier: Name
- columnName: InitiatingAppServicePrincipalId
identifier: AadUserId
- entityType: Account
fieldMappings:
- columnName: InitiatingUserPrincipalName
identifier: FullName
- columnName: InitiatingAccountName
identifier: Name
- columnName: InitiatingAccountUPNSuffix
identifier: UPNSuffix
- entityType: Account
fieldMappings:
- columnName: InitiatingAadUserId
identifier: AadUserId
- entityType: IP
fieldMappings:
- columnName: InitiatingIpAddress
identifier: Address
requiredDataConnectors:
- connectorId: AzureActiveDirectory
dataTypes:
- AuditLogs
status: Available
triggerThreshold: 0
tactics:
- InitialAccess
- Persistence
- Discovery
queryPeriod: 2d
triggerOperator: gt
id: 276d5190-38de-4eb2-9933-b3b72f4a5737
relevantTechniques:
- T1078.004
- T1136.003
- T1087.004
severity: Medium
name: Cross-tenant Access Settings Organization Inbound Direct Settings Changed
kind: Scheduled
queryFrequency: 2d
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Entra ID/Analytic Rules/Cross-tenantAccessSettingsOrganizationInboundDirectSettingsChanged.yaml
version: 1.1.1