Cross-tenant Access Settings Organization Deleted
Id | eb8a9c1c-f532-4630-817c-1ecd8a60ed80 |
Rulename | Cross-tenant Access Settings Organization Deleted |
Description | Organizations are added in the Cross-tenant Access Settings to control communication inbound or outbound for users and applications. This detection notifies when an Organization is deleted from the Azure AD Cross-tenant Access Settings. |
Severity | Medium |
Tactics | InitialAccess Persistence Discovery |
Techniques | T1078.004 T1136.003 T1087.004 |
Required data connectors | AzureActiveDirectory |
Kind | Scheduled |
Query frequency | 2d |
Query period | 2d |
Trigger threshold | 0 |
Trigger operator | gt |
Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/Cross-tenantAccessSettingsOrganizationDeleted.yaml |
Version | 1.0.0 |
Arm template | eb8a9c1c-f532-4630-817c-1ecd8a60ed80.json |
AuditLogs
| where OperationName has "Delete partner specific cross-tenant access setting"
| extend InitiatedByActionUserInformation = iff(isnotempty(InitiatedBy.user.userPrincipalName), InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName)
| extend InitiatedByIPAdress = InitiatedBy.user.ipAddress
| extend ExtTenantDeleted = TargetResources[0].modifiedProperties[0].oldValue
severity: Medium
triggerThreshold: 0
query: |
AuditLogs
| where OperationName has "Delete partner specific cross-tenant access setting"
| extend InitiatedByActionUserInformation = iff(isnotempty(InitiatedBy.user.userPrincipalName), InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName)
| extend InitiatedByIPAdress = InitiatedBy.user.ipAddress
| extend ExtTenantDeleted = TargetResources[0].modifiedProperties[0].oldValue
queryFrequency: 2d
requiredDataConnectors:
- connectorId: AzureActiveDirectory
dataTypes:
- AuditLogs
id: eb8a9c1c-f532-4630-817c-1ecd8a60ed80
version: 1.0.0
name: Cross-tenant Access Settings Organization Deleted
kind: Scheduled
status: Available
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/Cross-tenantAccessSettingsOrganizationDeleted.yaml
queryPeriod: 2d
relevantTechniques:
- T1078.004
- T1136.003
- T1087.004
triggerOperator: gt
tactics:
- InitialAccess
- Persistence
- Discovery
description: |
'Organizations are added in the Cross-tenant Access Settings to control communication inbound or outbound for users and applications. This detection notifies when an Organization is deleted from the Azure AD Cross-tenant Access Settings.'
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: ExtTenantDeleted
- entityType: Account
fieldMappings:
- identifier: Name
columnName: InitiatedByActionUserInformation
- entityType: IP
fieldMappings:
- identifier: Address
columnName: InitiatedByIPAdress
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/eb8a9c1c-f532-4630-817c-1ecd8a60ed80')]",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/eb8a9c1c-f532-4630-817c-1ecd8a60ed80')]",
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
"kind": "Scheduled",
"apiVersion": "2022-11-01",
"properties": {
"displayName": "Cross-tenant Access Settings Organization Deleted",
"description": "'Organizations are added in the Cross-tenant Access Settings to control communication inbound or outbound for users and applications. This detection notifies when an Organization is deleted from the Azure AD Cross-tenant Access Settings.'\n",
"severity": "Medium",
"enabled": true,
"query": "AuditLogs\n| where OperationName has \"Delete partner specific cross-tenant access setting\"\n| extend InitiatedByActionUserInformation = iff(isnotempty(InitiatedBy.user.userPrincipalName), InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName)\n| extend InitiatedByIPAdress = InitiatedBy.user.ipAddress\n| extend ExtTenantDeleted = TargetResources[0].modifiedProperties[0].oldValue\n",
"queryFrequency": "P2D",
"queryPeriod": "P2D",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0,
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"InitialAccess",
"Persistence",
"Discovery"
],
"techniques": [
"T1078.004",
"T1136.003",
"T1087.004"
],
"alertRuleTemplateName": "eb8a9c1c-f532-4630-817c-1ecd8a60ed80",
"customDetails": null,
"entityMappings": [
{
"fieldMappings": [
{
"columnName": "ExtTenantDeleted",
"identifier": "FullName"
}
],
"entityType": "Account"
},
{
"fieldMappings": [
{
"columnName": "InitiatedByActionUserInformation",
"identifier": "Name"
}
],
"entityType": "Account"
},
{
"fieldMappings": [
{
"columnName": "InitiatedByIPAdress",
"identifier": "Address"
}
],
"entityType": "IP"
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/Cross-tenantAccessSettingsOrganizationDeleted.yaml",
"templateVersion": "1.0.0",
"status": "Available"
}
}
]
}