Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. NRT Modified domain federation trust settings

NRT Modified domain federation trust settings

Back
Id8540c842-5bbc-4a24-9fb2-a836c0e55a51
RulenameNRT Modified domain federation trust settings
DescriptionThis will alert when a user or application modifies the federation settings on the domain or Update domain authentication from Managed to Federated.

For example, this alert will trigger when a new Active Directory Federated Service (ADFS) TrustedRealm object, such as a signing certificate, is added to the domain.

Modification to domain federation settings should be rare. Confirm the added or modified target domain/URL is legitimate administrator behavior.

To understand why an authorized user may update settings for a federated domain in Office 365, Azure, or Intune, see: https://docs.microsoft.com/office365/troubleshoot/active-directory/update-federated-domain-office-365.

For details on security realms that accept security tokens, see the ADFS Proxy Protocol (MS-ADFSPP) specification: https://docs.microsoft.com/openspecs/windows_protocols/ms-adfspp/e7b9ea73-1980-4318-96a6-da559486664b.

For further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.
SeverityHigh
TacticsCredentialAccess
Persistence
PrivilegeEscalation
TechniquesT1555
T1098
Required data connectorsAzureActiveDirectory
KindNRT
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Entra ID/Analytic Rules/NRT_ADFSDomainTrustMods.yaml
Version1.0.3
Arm template8540c842-5bbc-4a24-9fb2-a836c0e55a51.json
Deploy To Azure
AuditLogs
| where OperationName =~ "Set federation settings on domain" or OperationName =~ "Set domain authentication"
//| where Result =~ "success"   // commenting out, as it may be interesting to capture failed attempts
| mv-expand TargetResources
| extend modifiedProperties = parse_json(TargetResources).modifiedProperties
| mv-apply Property = modifiedProperties on 
  (
      where Property.displayName =~ "LiveType"
      | extend targetDisplayName = tostring(Property.displayName),
               NewDomainValue = tostring(Property.newValue)
  )
| extend Federated = iif(OperationName =~ "Set domain authentication", iif(NewDomainValue has "Federated", True, False), True)
| where Federated == True
| mv-expand AdditionalDetails
| mv-apply AdditionalDetail = AdditionalDetails on 
  (
      where AdditionalDetail.key =~ "User-Agent"
      | extend UserAgent = tostring(AdditionalDetail.value)
  )
| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)
| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)
| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)
| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)
| extend InitiatingIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))
| project-reorder TimeGenerated, OperationName, InitiatingUserPrincipalName, InitiatingAadUserId, InitiatingAppName, InitiatingAppServicePrincipalId, InitiatingIpAddress, AADOperationType, targetDisplayName, Result, UserAgent, CorrelationId, TenantId, AADTenantId
| extend Name = tostring(split(InitiatingUserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(InitiatingUserPrincipalName,'@',1)[0])

description: |
  'This will alert when a user or application modifies the federation settings on the domain or Update domain authentication from Managed to Federated.
  For example, this alert will trigger when a new Active Directory Federated Service (ADFS) TrustedRealm object, such as a signing certificate, is added to the domain.
  Modification to domain federation settings should be rare. Confirm the added or modified target domain/URL is legitimate administrator behavior.
  To understand why an authorized user may update settings for a federated domain in Office 365, Azure, or Intune, see: https://docs.microsoft.com/office365/troubleshoot/active-directory/update-federated-domain-office-365.
  For details on security realms that accept security tokens, see the ADFS Proxy Protocol (MS-ADFSPP) specification: https://docs.microsoft.com/openspecs/windows_protocols/ms-adfspp/e7b9ea73-1980-4318-96a6-da559486664b.
  For further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.'  
kind: NRT
tactics:
- CredentialAccess
- Persistence
- PrivilegeEscalation
requiredDataConnectors:
- connectorId: AzureActiveDirectory
  dataTypes:
  - AuditLogs
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Entra ID/Analytic Rules/NRT_ADFSDomainTrustMods.yaml
severity: High
name: NRT Modified domain federation trust settings
query: |
  AuditLogs
  | where OperationName =~ "Set federation settings on domain" or OperationName =~ "Set domain authentication"
  //| where Result =~ "success"   // commenting out, as it may be interesting to capture failed attempts
  | mv-expand TargetResources
  | extend modifiedProperties = parse_json(TargetResources).modifiedProperties
  | mv-apply Property = modifiedProperties on 
    (
        where Property.displayName =~ "LiveType"
        | extend targetDisplayName = tostring(Property.displayName),
                 NewDomainValue = tostring(Property.newValue)
    )
  | extend Federated = iif(OperationName =~ "Set domain authentication", iif(NewDomainValue has "Federated", True, False), True)
  | where Federated == True
  | mv-expand AdditionalDetails
  | mv-apply AdditionalDetail = AdditionalDetails on 
    (
        where AdditionalDetail.key =~ "User-Agent"
        | extend UserAgent = tostring(AdditionalDetail.value)
    )
  | extend InitiatingAppName = tostring(InitiatedBy.app.displayName)
  | extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)
  | extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)
  | extend InitiatingAadUserId = tostring(InitiatedBy.user.id)
  | extend InitiatingIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))
  | project-reorder TimeGenerated, OperationName, InitiatingUserPrincipalName, InitiatingAadUserId, InitiatingAppName, InitiatingAppServicePrincipalId, InitiatingIpAddress, AADOperationType, targetDisplayName, Result, UserAgent, CorrelationId, TenantId, AADTenantId
  | extend Name = tostring(split(InitiatingUserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(InitiatingUserPrincipalName,'@',1)[0])  
relevantTechniques:
- T1555
- T1098
id: 8540c842-5bbc-4a24-9fb2-a836c0e55a51
status: Available
version: 1.0.3
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: InitiatingUserPrincipalName
    identifier: FullName
  - columnName: Name
    identifier: Name
  - columnName: UPNSuffix
    identifier: UPNSuffix
- entityType: Account
  fieldMappings:
  - columnName: InitiatingAadUserId
    identifier: AadUserId
- entityType: Account
  fieldMappings:
  - columnName: InitiatingAppServicePrincipalId
    identifier: AadUserId
- entityType: IP
  fieldMappings:
  - columnName: InitiatingIpAddress
    identifier: Address