Cross-tenant Access Settings Organization Added
Id | 757e6a79-6d23-4ae6-9845-4dac170656b5 |
Rulename | Cross-tenant Access Settings Organization Added |
Description | Organizations are added to the Cross-tenant Access Settings to control inbound or outbound communication for users and applications. This detection notifies when an Organization is added that is not in the expected list of organizations in the Azure AD Cross-tenant Access Settings. |
Severity | Medium |
Tactics | InitialAccess Persistence Discovery |
Techniques | T1078.004 T1136.003 T1087.004 |
Required data connectors | AzureActiveDirectory |
Kind | Scheduled |
Query frequency | 2d |
Query period | 2d |
Trigger threshold | 0 |
Trigger operator | gt |
Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/Cross-tenantAccessSettingsOrganizationAdded.yaml |
Version | 1.0.0 |
Arm template | 757e6a79-6d23-4ae6-9845-4dac170656b5.json |
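// Tenant IDs can be found in Azure Active Directory: from the left menu select External Identities,
// then Cross-tenant access settings; the list of tenants shown there is the allow-list to paste below.
// The two values here are placeholders: until they are replaced with real tenant IDs, every
// partner addition will produce an alert.
let ExpectedTenantIDs = dynamic(["List of expected tenant IDs","Tenant ID 2"]);
AuditLogs
| where OperationName has "Add a partner to cross-tenant access setting"
// Prefer the signed-in user's UPN; fall back to the application display name when the change
// was made by an app (no user object in InitiatedBy).
| extend InitiatedByActionUserInformation = iff(isnotempty(InitiatedBy.user.userPrincipalName), InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName)
// Column name is spelled "IPAdress" deliberately: the rule's entity mapping references it as-is.
// Expected to be empty for app-initiated changes, since only the user object carries ipAddress.
| extend InitiatedByIPAdress = InitiatedBy.user.ipAddress
// Only the first modified property of the first target resource is examined; its newValue is
// taken to be the partner tenant ID that was added. The previous separate `extend` of the same
// column was redundant, because mv-expand below redefines it as a string.
// NOTE(review): confirm against a live event that newValue holds the bare tenant ID — if it
// arrives JSON-encoded (wrapped in quotes), the !in comparison below will never match the
// allow-list and the quotes must be stripped first.
| mv-expand ExtTenantIDAdded = TargetResources[0].modifiedProperties[0].newValue to typeof(string)
| where ExtTenantIDAdded !in (ExpectedTenantIDs)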
severity: Medium
triggerThreshold: 0
query: |
// Tenant IDs can be found in Azure Active Directory: from the left menu select External Identities, then Cross-tenant access settings; the list of tenants shown there is the expected list
let ExpectedTenantIDs = dynamic(["List of expected tenant IDs","Tenant ID 2"]);
AuditLogs
| where OperationName has "Add a partner to cross-tenant access setting"
| extend InitiatedByActionUserInformation = iff(isnotempty(InitiatedBy.user.userPrincipalName), InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName)
| extend InitiatedByIPAdress = InitiatedBy.user.ipAddress
| extend ExtTenantIDAdded = TargetResources[0].modifiedProperties[0].newValue
| mv-expand ExtTenantIDAdded = TargetResources[0].modifiedProperties[0].newValue to typeof(string)
| where ExtTenantIDAdded !in (ExpectedTenantIDs)
queryFrequency: 2d
requiredDataConnectors:
- connectorId: AzureActiveDirectory
dataTypes:
- AuditLogs
id: 757e6a79-6d23-4ae6-9845-4dac170656b5
version: 1.0.0
name: Cross-tenant Access Settings Organization Added
kind: Scheduled
status: Available
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/Cross-tenantAccessSettingsOrganizationAdded.yaml
queryPeriod: 2d
relevantTechniques:
- T1078.004
- T1136.003
- T1087.004
triggerOperator: gt
tactics:
- InitialAccess
- Persistence
- Discovery
description: |
'Organizations are added to the Cross-tenant Access Settings to control inbound or outbound communication for users and applications. This detection notifies when an Organization is added that is not in the expected list of organizations in the Azure AD Cross-tenant Access Settings.'
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: ExtTenantIDAdded
- entityType: Account
fieldMappings:
- identifier: Name
columnName: InitiatedByActionUserInformation
- entityType: IP
fieldMappings:
- identifier: Address
columnName: InitiatedByIPAdress
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/757e6a79-6d23-4ae6-9845-4dac170656b5')]",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/757e6a79-6d23-4ae6-9845-4dac170656b5')]",
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
"kind": "Scheduled",
"apiVersion": "2022-11-01",
"properties": {
"displayName": "Cross-tenant Access Settings Organization Added",
"description": "'Organizations are added to the Cross-tenant Access Settings to control inbound or outbound communication for users and applications. This detection notifies when an Organization is added that is not in the expected list of organizations in the Azure AD Cross-tenant Access Settings.'\n",
"severity": "Medium",
"enabled": true,
"query": "// Tenants IDs can be found by navigating to Azure Active Directory then from menu on the left, select External Identities, then from menu on the left, select Cross-tenant access settings and from the list shown of Tenants\nlet ExpectedTenantIDs = dynamic([\"List of expected tenant IDs\",\"Tenant ID 2\"]);\nAuditLogs\n| where OperationName has \"Add a partner to cross-tenant access setting\"\n| extend InitiatedByActionUserInformation = iff(isnotempty(InitiatedBy.user.userPrincipalName), InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName)\n| extend InitiatedByIPAdress = InitiatedBy.user.ipAddress\n| extend ExtTenantIDAdded = TargetResources[0].modifiedProperties[0].newValue\n| mv-expand ExtTenantIDAdded = TargetResources[0].modifiedProperties[0].newValue to typeof(string)\n| where ExtTenantIDAdded !in (ExpectedTenantIDs)\n",
"queryFrequency": "P2D",
"queryPeriod": "P2D",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0,
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"InitialAccess",
"Persistence",
"Discovery"
],
"techniques": [
"T1078.004",
"T1136.003",
"T1087.004"
],
"alertRuleTemplateName": "757e6a79-6d23-4ae6-9845-4dac170656b5",
"customDetails": null,
"entityMappings": [
{
"fieldMappings": [
{
"columnName": "ExtTenantIDAdded",
"identifier": "FullName"
}
],
"entityType": "Account"
},
{
"fieldMappings": [
{
"columnName": "InitiatedByActionUserInformation",
"identifier": "Name"
}
],
"entityType": "Account"
},
{
"fieldMappings": [
{
"columnName": "InitiatedByIPAdress",
"identifier": "Address"
}
],
"entityType": "IP"
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/Cross-tenantAccessSettingsOrganizationAdded.yaml",
"templateVersion": "1.0.0",
"status": "Available"
}
}
]
}