Microsoft Sentinel Analytic Rules
cloudbrothers.info / Azure Sentinel Repo

New onmicrosoft domain added to tenant

Id: 4f42b94f-b210-42d1-a023-7fa1c51d969f
Rulename: New onmicrosoft domain added to tenant
Description: This detection looks for new onmicrosoft domains being added to a tenant.

An attacker who compromises a tenant may register a new onmicrosoft domain in order to masquerade as a service provider for launching phishing campaigns.

Domain additions are not a common occurrence and users should validate that the domain was added by a legitimate user, with a legitimate purpose.
Severity: Medium
Tactics: ResourceDevelopment
Techniques: T1585.003
Required data connectors: AzureActiveDirectory
Kind: Scheduled
Query frequency: 1h
Query period: 1h
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Entra ID/Analytic Rules/NewOnmicrosoftDomainAdded.yaml
Version: 1.0.1
Arm template: 4f42b94f-b210-42d1-a023-7fa1c51d969f.json
Query:
AuditLogs
| where AADOperationType == "Add"
| where Result == "success"
| where OperationName in ("Add verified domain", "Add unverified domain")
| extend InitiatedBy = parse_json(InitiatedBy)
| extend InitiatingUser = tostring(InitiatedBy.user.userPrincipalName)
| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)
| extend InitiatingIp = tostring(InitiatedBy.user.ipAddress)
| extend InitiatingApp = tostring(InitiatedBy.app.displayName)
| extend InitiatingSPID = tostring(InitiatedBy.app.servicePrincipalId)
| extend DomainAdded = tostring(TargetResources[0].displayName)
| where DomainAdded has "onmicrosoft"
| extend ActionInitiatedBy = case(isnotempty(InitiatingUser), InitiatingUser, strcat(InitiatingApp, " - ", InitiatingSPID))
| extend UserName = split(InitiatingUser, "@")[0]
| extend UPNSuffix = split(InitiatingUser, "@")[1]
| project-reorder TimeGenerated, OperationName, DomainAdded, ActionInitiatedBy, InitiatingIp
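The following Python emulation of the query above is an added example, not part of the original rule or the Azure-Sentinel repository. It applies the same filters (operation type, result, operation name, onmicrosoft term match) to a handful of constructed AuditLogs rows and reproduces the two details that matter when triaging the alert: the `ActionInitiatedBy` fallback to "app display name - service principal id" when no user signed the operation, and the fact that KQL `has` is a whole-term, case-insensitive match rather than a substring search. Column names follow the AuditLogs schema used by the query; all row values, GUIDs and addresses are constructed, and `kql_has` is an approximation of the KQL operator.

```python
import json
import re
from typing import Any

# Constructed sample AuditLogs rows (not real tenant data). As in the table,
# InitiatedBy and TargetResources arrive as JSON strings that the query
# unpacks with parse_json().
SAMPLE_AUDIT_LOGS: list[dict[str, Any]] = [
    {   # user-initiated add of an onmicrosoft domain: should alert
        "TimeGenerated": "2024-01-10T08:15:00Z",
        "AADOperationType": "Add", "Result": "success",
        "OperationName": "Add unverified domain",
        "InitiatedBy": json.dumps({"user": {
            "userPrincipalName": "alice@contoso.example",
            "id": "00000000-0000-0000-0000-000000000001",
            "ipAddress": "203.0.113.10"}}),
        "TargetResources": json.dumps([{"displayName": "contoso-support.onmicrosoft.com"}]),
    },
    {   # app-initiated add (no user block): falls back to "app - SPID"
        "TimeGenerated": "2024-01-10T09:02:00Z",
        "AADOperationType": "Add", "Result": "success",
        "OperationName": "Add verified domain",
        "InitiatedBy": json.dumps({"app": {
            "displayName": "Provisioning Automation",
            "servicePrincipalId": "00000000-0000-0000-0000-0000000000aa"}}),
        "TargetResources": json.dumps([{"displayName": "helpdesk-portal.onmicrosoft.com"}]),
    },
    {   # custom domain, not onmicrosoft: dropped by the `has` check
        "TimeGenerated": "2024-01-10T09:30:00Z",
        "AADOperationType": "Add", "Result": "success",
        "OperationName": "Add unverified domain",
        "InitiatedBy": json.dumps({"user": {
            "userPrincipalName": "bob@contoso.example",
            "id": "00000000-0000-0000-0000-000000000002",
            "ipAddress": "198.51.100.7"}}),
        "TargetResources": json.dumps([{"displayName": "contoso-partners.example"}]),
    },
    {   # failed attempt: dropped by Result == "success"
        "TimeGenerated": "2024-01-10T10:05:00Z",
        "AADOperationType": "Add", "Result": "failure",
        "OperationName": "Add unverified domain",
        "InitiatedBy": json.dumps({"user": {
            "userPrincipalName": "bob@contoso.example",
            "id": "00000000-0000-0000-0000-000000000002",
            "ipAddress": "198.51.100.7"}}),
        "TargetResources": json.dumps([{"displayName": "evil-support.onmicrosoft.com"}]),
    },
]


def kql_has(text: str, term: str) -> bool:
    """Approximation of KQL `has`: case-insensitive match of a whole term,
    where terms are the alphanumeric runs of the string. 'onmicrosoft'
    matches 'x.onmicrosoft.com'; a substring like 'microsoft' does not."""
    terms = {t.lower() for t in re.split(r"[^A-Za-z0-9]+", text) if t}
    return term.lower() in terms


def tostring(value: Any) -> str:
    """Mirror KQL tostring(): a missing/null dynamic property becomes ''."""
    return "" if value is None else str(value)


def detect_new_onmicrosoft_domains(rows: list[dict[str, Any]]) -> list[dict[str, str]]:
    """Apply the rule's filters and extend/project steps to raw AuditLogs rows."""
    results: list[dict[str, str]] = []
    for row in rows:
        if row.get("AADOperationType") != "Add" or row.get("Result") != "success":
            continue
        if row.get("OperationName") not in ("Add verified domain", "Add unverified domain"):
            continue
        initiated_by = json.loads(row["InitiatedBy"]) if row.get("InitiatedBy") else {}
        user = initiated_by.get("user") or {}
        app = initiated_by.get("app") or {}
        targets = json.loads(row["TargetResources"]) if row.get("TargetResources") else []
        domain_added = tostring(targets[0].get("displayName")) if targets else ""
        if not kql_has(domain_added, "onmicrosoft"):
            continue
        initiating_user = tostring(user.get("userPrincipalName"))
        initiating_app = tostring(app.get("displayName"))
        initiating_spid = tostring(app.get("servicePrincipalId"))
        # case(isnotempty(InitiatingUser), InitiatingUser, strcat(App, " - ", SPID))
        action_initiated_by = initiating_user or f"{initiating_app} - {initiating_spid}"
        upn_parts = initiating_user.split("@")  # split("", "@")[1] is empty in KQL
        results.append({
            "TimeGenerated": tostring(row.get("TimeGenerated")),
            "OperationName": tostring(row.get("OperationName")),
            "DomainAdded": domain_added,
            "ActionInitiatedBy": action_initiated_by,
            "InitiatingIp": tostring(user.get("ipAddress")),
            "InitiatingUser": initiating_user,
            "InitiatingAadUserId": tostring(user.get("id")),
            "InitiatingApp": initiating_app,
            "InitiatingSPID": initiating_spid,
            "UserName": upn_parts[0],
            "UPNSuffix": upn_parts[1] if len(upn_parts) > 1 else "",
        })
    return results


if __name__ == "__main__":
    for hit in detect_new_onmicrosoft_domains(SAMPLE_AUDIT_LOGS):
        print(hit["TimeGenerated"], hit["DomainAdded"], "by", hit["ActionInitiatedBy"])
```

Of the four constructed rows only the first two surface, and the second shows why the rule maps `InitiatingSPID` to an Account entity alongside the user fields: an add performed through an application leaves `InitiatingUser`, `UserName` and `UPNSuffix` empty, so the service principal id is the only actor identity the analyst gets.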
alertDetailsOverride:
  alertDescriptionFormat: This detection looks for new onmicrosoft domains being added to a tenant. An attacker who compromises a tenant may register a new onmicrosoft domain in order to masquerade as a service provider for launching phishing accounts. Domain additions are not a common occurrence and users should validate that {{ActionInitiatedBy}} added {{DomainAdded}} with a legitimate purpose.
  alertDisplayNameFormat: '{{DomainAdded}} added to tenant by {{ActionInitiatedBy}}'
description: |
  'This detection looks for new onmicrosoft domains being added to a tenant. 
  An attacker who compromises a tenant may register a new onmicrosoft domain in order to masquerade as a service provider for launching phishing campaigns.
  Domain additions are not a common occurrence and users should validate that the domain was added by a legitimate user, with a legitimate purpose.'  
kind: Scheduled
tactics:
- ResourceDevelopment
requiredDataConnectors:
- connectorId: AzureActiveDirectory
  dataTypes:
  - AuditLogs
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Entra ID/Analytic Rules/NewOnmicrosoftDomainAdded.yaml
severity: Medium
name: New onmicrosoft domain added to tenant
triggerThreshold: 0
queryPeriod: 1h
query: |
  AuditLogs
  | where AADOperationType == "Add"
  | where Result == "success"
  | where OperationName in ("Add verified domain", "Add unverified domain")
  | extend InitiatedBy = parse_json(InitiatedBy)
  | extend InitiatingUser = tostring(InitiatedBy.user.userPrincipalName)
  | extend InitiatingAadUserId = tostring(InitiatedBy.user.id)
  | extend InitiatingIp = tostring(InitiatedBy.user.ipAddress)
  | extend InitiatingApp = tostring(InitiatedBy.app.displayName)
  | extend InitiatingSPID = tostring(InitiatedBy.app.servicePrincipalId)
  | extend DomainAdded = tostring(TargetResources[0].displayName)
  | where DomainAdded has "onmicrosoft"
  | extend ActionInitiatedBy = case(isnotempty(InitiatingUser), InitiatingUser, strcat(InitiatingApp, " - ", InitiatingSPID))
  | extend UserName = split(InitiatingUser, "@")[0]
  | extend UPNSuffix = split(InitiatingUser, "@")[1]
  | project-reorder TimeGenerated, OperationName, DomainAdded, ActionInitiatedBy, InitiatingIp  
relevantTechniques:
- T1585.003
id: 4f42b94f-b210-42d1-a023-7fa1c51d969f
queryFrequency: 1h
status: Available
version: 1.0.1
triggerOperator: gt
eventGroupingSettings:
  aggregationKind: SingleAlert
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: InitiatingUser
    identifier: FullName
  - columnName: UserName
    identifier: Name
  - columnName: UPNSuffix
    identifier: UPNSuffix
- entityType: Account
  fieldMappings:
  - columnName: InitiatingAadUserId
    identifier: AadUserId
- entityType: Account
  fieldMappings:
  - columnName: InitiatingSPID
    identifier: AadUserId
- entityType: IP
  fieldMappings:
  - columnName: InitiatingIp
    identifier: Address
- entityType: DNS
  fieldMappings:
  - columnName: DomainAdded
    identifier: DomainName