Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Cross-tenant Access Settings Organization Added

Cross-tenant Access Settings Organization Added

Back
Id757e6a79-6d23-4ae6-9845-4dac170656b5
RulenameCross-tenant Access Settings Organization Added
DescriptionOrganizations are added in the Cross-tenant Access Settings to control communication inbound or outbound for users and applications. This detection notifies when an Organization is added other than the list that is supposed to exist from the Azure AD Cross-tenant Access Settings.
SeverityMedium
TacticsInitialAccess
Persistence
Discovery
TechniquesT1078.004
T1136.003
T1087.004
Required data connectorsAzureActiveDirectory
KindScheduled
Query frequency2d
Query period2d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/Cross-tenantAccessSettingsOrganizationAdded.yaml
Version1.0.0
Arm template757e6a79-6d23-4ae6-9845-4dac170656b5.json
Deploy To Azure
// Tenants IDs can be found by navigating to Azure Active Directory then from menu on the left, select External Identities, then from menu on the left, select Cross-tenant access settings and from the list shown of Tenants
let ExpectedTenantIDs = dynamic(["List of expected tenant IDs","Tenant ID 2"]);
AuditLogs
| where OperationName has "Add a partner to cross-tenant access setting"
| extend InitiatedByActionUserInformation = iff(isnotempty(InitiatedBy.user.userPrincipalName), InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName)
| extend InitiatedByIPAdress = InitiatedBy.user.ipAddress
| extend ExtTenantIDAdded = TargetResources[0].modifiedProperties[0].newValue
| mv-expand ExtTenantIDAdded = TargetResources[0].modifiedProperties[0].newValue to typeof(string)
| where ExtTenantIDAdded !in (ExpectedTenantIDs)

severity: Medium
triggerThreshold: 0
query: |
  // Tenants IDs can be found by navigating to Azure Active Directory then from menu on the left, select External Identities, then from menu on the left, select Cross-tenant access settings and from the list shown of Tenants
  let ExpectedTenantIDs = dynamic(["List of expected tenant IDs","Tenant ID 2"]);
  AuditLogs
  | where OperationName has "Add a partner to cross-tenant access setting"
  | extend InitiatedByActionUserInformation = iff(isnotempty(InitiatedBy.user.userPrincipalName), InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName)
  | extend InitiatedByIPAdress = InitiatedBy.user.ipAddress
  | extend ExtTenantIDAdded = TargetResources[0].modifiedProperties[0].newValue
  | mv-expand ExtTenantIDAdded = TargetResources[0].modifiedProperties[0].newValue to typeof(string)
  | where ExtTenantIDAdded !in (ExpectedTenantIDs)  
queryFrequency: 2d
requiredDataConnectors:
- connectorId: AzureActiveDirectory
  dataTypes:
  - AuditLogs
id: 757e6a79-6d23-4ae6-9845-4dac170656b5
version: 1.0.0
name: Cross-tenant Access Settings Organization Added
kind: Scheduled
status: Available
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/Cross-tenantAccessSettingsOrganizationAdded.yaml
queryPeriod: 2d
relevantTechniques:
- T1078.004
- T1136.003
- T1087.004
triggerOperator: gt
tactics:
- InitialAccess
- Persistence
- Discovery
description: |
    'Organizations are added in the Cross-tenant Access Settings to control communication inbound or outbound for users and applications. This detection notifies when an Organization is added other than the list that is supposed to exist from the Azure AD Cross-tenant Access Settings.'
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: FullName
    columnName: ExtTenantIDAdded
- entityType: Account
  fieldMappings:
  - identifier: Name
    columnName: InitiatedByActionUserInformation
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: InitiatedByIPAdress

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/757e6a79-6d23-4ae6-9845-4dac170656b5')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/757e6a79-6d23-4ae6-9845-4dac170656b5')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01",
      "properties": {
        "displayName": "Cross-tenant Access Settings Organization Added",
        "description": "'Organizations are added in the Cross-tenant Access Settings to control communication inbound or outbound for users and applications. This detection notifies when an Organization is added other than the list that is supposed to exist from the Azure AD Cross-tenant Access Settings.'\n",
        "severity": "Medium",
        "enabled": true,
        "query": "// Tenants IDs can be found by navigating to Azure Active Directory then from menu on the left, select External Identities, then from menu on the left, select Cross-tenant access settings and from the list shown of Tenants\nlet ExpectedTenantIDs = dynamic([\"List of expected tenant IDs\",\"Tenant ID 2\"]);\nAuditLogs\n| where OperationName has \"Add a partner to cross-tenant access setting\"\n| extend InitiatedByActionUserInformation = iff(isnotempty(InitiatedBy.user.userPrincipalName), InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName)\n| extend InitiatedByIPAdress = InitiatedBy.user.ipAddress\n| extend ExtTenantIDAdded = TargetResources[0].modifiedProperties[0].newValue\n| mv-expand ExtTenantIDAdded = TargetResources[0].modifiedProperties[0].newValue to typeof(string)\n| where ExtTenantIDAdded !in (ExpectedTenantIDs)\n",
        "queryFrequency": "P2D",
        "queryPeriod": "P2D",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess",
          "Persistence",
          "Discovery"
        ],
        "techniques": [
          "T1078.004",
          "T1136.003",
          "T1087.004"
        ],
        "alertRuleTemplateName": "757e6a79-6d23-4ae6-9845-4dac170656b5",
        "customDetails": null,
        "entityMappings": [
          {
            "fieldMappings": [
              {
                "columnName": "ExtTenantIDAdded",
                "identifier": "FullName"
              }
            ],
            "entityType": "Account"
          },
          {
            "fieldMappings": [
              {
                "columnName": "InitiatedByActionUserInformation",
                "identifier": "Name"
              }
            ],
            "entityType": "Account"
          },
          {
            "fieldMappings": [
              {
                "columnName": "InitiatedByIPAdress",
                "identifier": "Address"
              }
            ],
            "entityType": "IP"
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/Cross-tenantAccessSettingsOrganizationAdded.yaml",
        "templateVersion": "1.0.0",
        "status": "Available"
      }
    }
  ]
}