Cross-tenant Access Settings Organization Inbound Direct Settings Changed
| Id | 276d5190-38de-4eb2-9933-b3b72f4a5737 |
| Rulename | Cross-tenant Access Settings Organization Inbound Direct Settings Changed |
| Description | Organizations are added in the Cross-tenant Access Settings to control communication inbound or outbound for users and applications. This detection notifies when Organization Inbound Direct Settings are changed for “Users & Groups” and for “Applications”. |
| Severity | Medium |
| Tactics | InitialAccess Persistence Discovery |
| Techniques | T1078.004 T1136.003 T1087.004 |
| Required data connectors | AzureActiveDirectory |
| Kind | Scheduled |
| Query frequency | 2d |
| Query period | 2d |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/Cross-tenantAccessSettingsOrganizationInboundDirectSettingsChanged.yaml |
| Version | 1.0.0 |
| Arm template | 276d5190-38de-4eb2-9933-b3b72f4a5737.json |
//In User & Groups and in Applications, the following "AccessType" values in columns PremodifiedInboundSettings and ModifiedInboundSettings are interpreted accordingly:
// When Access Type in premodified inbound settings value was 1 that means that the initial access was allowed. When Access Type in premodified inbound settings value was 2 that means that the initial access was blocked.
// When Access Type in modified inbound settings value is 1 that means that now access is allowed. When Access Type in modified inbound settings value is 2 that means that now access is blocked.
AuditLogs
| where OperationName has "Update a partner cross-tenant access setting"
| where B2BType = TargetResources[0].modifiedProperties[0].displayName has "b2bDirectInbound"
| extend InitiatedByActionUserInformation = iff(isnotempty(InitiatedBy.user.userPrincipalName), InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName)
| extend InitiatedByIPAdress = InitiatedBy.user.ipAddress
| mv-expand PremodifiedInboundSettings = TargetResources[0].modifiedProperties[0].oldValue to typeof(string)
| mv-expand ModifiedInboundSettings = TargetResources[0].modifiedProperties[0].newValue to typeof(string)
| where PremodifiedInboundSettings != ModifiedInboundSettings
severity: Medium
triggerThreshold: 0
query: |
//In User & Groups and in Applications, the following "AccessType" values in columns PremodifiedInboundSettings and ModifiedInboundSettings are interpreted accordingly:
// When Access Type in premodified inbound settings value was 1 that means that the initial access was allowed. When Access Type in premodified inbound settings value was 2 that means that the initial access was blocked.
// When Access Type in modified inbound settings value is 1 that means that now access is allowed. When Access Type in modified inbound settings value is 2 that means that now access is blocked.
AuditLogs
| where OperationName has "Update a partner cross-tenant access setting"
| where B2BType = TargetResources[0].modifiedProperties[0].displayName has "b2bDirectInbound"
| extend InitiatedByActionUserInformation = iff(isnotempty(InitiatedBy.user.userPrincipalName), InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName)
| extend InitiatedByIPAdress = InitiatedBy.user.ipAddress
| mv-expand PremodifiedInboundSettings = TargetResources[0].modifiedProperties[0].oldValue to typeof(string)
| mv-expand ModifiedInboundSettings = TargetResources[0].modifiedProperties[0].newValue to typeof(string)
| where PremodifiedInboundSettings != ModifiedInboundSettings
queryFrequency: 2d
requiredDataConnectors:
- connectorId: AzureActiveDirectory
dataTypes:
- AuditLogs
id: 276d5190-38de-4eb2-9933-b3b72f4a5737
version: 1.0.0
name: Cross-tenant Access Settings Organization Inbound Direct Settings Changed
kind: Scheduled
status: Available
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/Cross-tenantAccessSettingsOrganizationInboundDirectSettingsChanged.yaml
queryPeriod: 2d
relevantTechniques:
- T1078.004
- T1136.003
- T1087.004
triggerOperator: gt
tactics:
- InitialAccess
- Persistence
- Discovery
description: |
'Organizations are added in the Cross-tenant Access Settings to control communication inbound or outbound for users and applications. This detection notifies when Organization Inbound Direct Settings are changed for "Users & Groups" and for "Applications".'
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: InitiatedByActionUserInformation
- entityType: IP
fieldMappings:
- identifier: Address
columnName: InitiatedByIPAdress
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/276d5190-38de-4eb2-9933-b3b72f4a5737')]",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/276d5190-38de-4eb2-9933-b3b72f4a5737')]",
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
"kind": "Scheduled",
"apiVersion": "2022-11-01",
"properties": {
"displayName": "Cross-tenant Access Settings Organization Inbound Direct Settings Changed",
"description": "'Organizations are added in the Cross-tenant Access Settings to control communication inbound or outbound for users and applications. This detection notifies when Organization Inbound Direct Settings are changed for \"Users & Groups\" and for \"Applications\".'\n",
"severity": "Medium",
"enabled": true,
"query": "//In User & Groups and in Applications, the following \"AccessType\" values in columns PremodifiedInboundSettings and ModifiedInboundSettings are interpreted accordingly:\n// When Access Type in premodified inbound settings value was 1 that means that the initial access was allowed. When Access Type in premodified inbound settings value was 2 that means that the initial access was blocked. \n// When Access Type in modified inbound settings value is 1 that means that now access is allowed. When Access Type in modified inbound settings value is 2 that means that now access is blocked. \nAuditLogs\n| where OperationName has \"Update a partner cross-tenant access setting\"\n| where B2BType = TargetResources[0].modifiedProperties[0].displayName has \"b2bDirectInbound\"\n| extend InitiatedByActionUserInformation = iff(isnotempty(InitiatedBy.user.userPrincipalName), InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName)\n| extend InitiatedByIPAdress = InitiatedBy.user.ipAddress\n| mv-expand PremodifiedInboundSettings = TargetResources[0].modifiedProperties[0].oldValue to typeof(string)\n| mv-expand ModifiedInboundSettings = TargetResources[0].modifiedProperties[0].newValue to typeof(string)\n| where PremodifiedInboundSettings != ModifiedInboundSettings\n",
"queryFrequency": "P2D",
"queryPeriod": "P2D",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0,
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"InitialAccess",
"Persistence",
"Discovery"
],
"techniques": [
"T1078.004",
"T1136.003",
"T1087.004"
],
"alertRuleTemplateName": "276d5190-38de-4eb2-9933-b3b72f4a5737",
"customDetails": null,
"entityMappings": [
{
"fieldMappings": [
{
"columnName": "InitiatedByActionUserInformation",
"identifier": "Name"
}
],
"entityType": "Account"
},
{
"fieldMappings": [
{
"columnName": "InitiatedByIPAdress",
"identifier": "Address"
}
],
"entityType": "IP"
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/Cross-tenantAccessSettingsOrganizationInboundDirectSettingsChanged.yaml",
"templateVersion": "1.0.0",
"status": "Available"
}
}
]
}