Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Possible SignIn from Azure Backdoor

Back
Idfa00014c-c5f4-4715-8f5b-ba567e19e41e
RulenamePossible SignIn from Azure Backdoor
DescriptionIdentifies when a user adds an unverified domain as an authentication method, followed by a sign-in from a user the newly added domain. Threat actors may add custom domains to create a backdoor to your tenant. It’s important to monitor whenever custom domains are added to the tenant.
SeverityMedium
TacticsPersistence
TechniquesT1098
Required data connectorsAzureActiveDirectory
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Entra ID/Analytic Rules/PossibleSignInfromAzureBackdoor.yaml
Version1.0.0
Arm templatefa00014c-c5f4-4715-8f5b-ba567e19e41e.json
Deploy To Azure
// Microsoft Entra ID  Backdoors: Identity Federation
//Ref: https://www.inversecos.com/2021/11/how-to-detect-azure-active-directory.html
AuditLogs
| where OperationName == "Add unverified domain"
| where Result == "success"
| extend InitiatedBy = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
| extend DomainName = tostring(TargetResources[0].displayName)
| summarize DomainAddedTime = min(TimeGenerated), ModifiedProperties = make_set(parse_json(TargetResources[0].modifiedProperties),1048576) by InitiatedBy, DomainName
| join kind=inner (
SigninLogs
| where ResultType == "0"
| extend UserDomain = tostring(parse_json(split(UserPrincipalName,"@",1)[0]))
| summarize SignInTime = min(TimeGenerated)  by UserPrincipalName, IPAddress, tostring(LocationDetails),AppDisplayName,ResourceDisplayName,UserDomain
) on $left.DomainName == $right.UserDomain
// Getting UserName and Domain
| extend Name = split(UserPrincipalName,"@",0), Domain = split(UserPrincipalName,"@",1)
| mv-expand Name,Domain
kind: Scheduled
description: |
    'Identifies when a user adds an unverified domain as an authentication method, followed by a sign-in from a user the newly added domain. Threat actors may add custom domains to create a backdoor to your tenant. It's important to monitor whenever custom domains are added to the tenant.'
requiredDataConnectors:
- dataTypes:
  - SigninLogs
  - AuditLogs
  connectorId: AzureActiveDirectory
queryFrequency: 1h
customDetails:
  InitiatedBy: InitiatedBy
  SignInTime: SignInTime
  ResourceDisplayName: ResourceDisplayName
  ModifiedProperties: ModifiedProperties
  DomainAddedTime: DomainAddedTime
  AppDisplayName: AppDisplayName
  DomainAdded: DomainName
id: fa00014c-c5f4-4715-8f5b-ba567e19e41e
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Entra ID/Analytic Rules/PossibleSignInfromAzureBackdoor.yaml
relevantTechniques:
- T1098
query: |
  // Microsoft Entra ID  Backdoors: Identity Federation
  //Ref: https://www.inversecos.com/2021/11/how-to-detect-azure-active-directory.html
  AuditLogs
  | where OperationName == "Add unverified domain"
  | where Result == "success"
  | extend InitiatedBy = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
  | extend DomainName = tostring(TargetResources[0].displayName)
  | summarize DomainAddedTime = min(TimeGenerated), ModifiedProperties = make_set(parse_json(TargetResources[0].modifiedProperties),1048576) by InitiatedBy, DomainName
  | join kind=inner (
  SigninLogs
  | where ResultType == "0"
  | extend UserDomain = tostring(parse_json(split(UserPrincipalName,"@",1)[0]))
  | summarize SignInTime = min(TimeGenerated)  by UserPrincipalName, IPAddress, tostring(LocationDetails),AppDisplayName,ResourceDisplayName,UserDomain
  ) on $left.DomainName == $right.UserDomain
  // Getting UserName and Domain
  | extend Name = split(UserPrincipalName,"@",0), Domain = split(UserPrincipalName,"@",1)
  | mv-expand Name,Domain  
name: Possible SignIn from Azure Backdoor
entityMappings:
- fieldMappings:
  - columnName: UserDomain
    identifier: NTDomain
  - columnName: UserPrincipalName
    identifier: FullName
  entityType: Account
- fieldMappings:
  - columnName: IPAddress
    identifier: Address
  entityType: IP
severity: Medium
triggerThreshold: 0
tactics:
- Persistence
version: 1.0.0
queryPeriod: 1h
triggerOperator: gt
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/fa00014c-c5f4-4715-8f5b-ba567e19e41e')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/fa00014c-c5f4-4715-8f5b-ba567e19e41e')]",
      "properties": {
        "alertRuleTemplateName": "fa00014c-c5f4-4715-8f5b-ba567e19e41e",
        "customDetails": {
          "AppDisplayName": "AppDisplayName",
          "DomainAdded": "DomainName",
          "DomainAddedTime": "DomainAddedTime",
          "InitiatedBy": "InitiatedBy",
          "ModifiedProperties": "ModifiedProperties",
          "ResourceDisplayName": "ResourceDisplayName",
          "SignInTime": "SignInTime"
        },
        "description": "'Identifies when a user adds an unverified domain as an authentication method, followed by a sign-in from a user the newly added domain. Threat actors may add custom domains to create a backdoor to your tenant. It's important to monitor whenever custom domains are added to the tenant.'\n",
        "displayName": "Possible SignIn from Azure Backdoor",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "UserDomain",
                "identifier": "NTDomain"
              },
              {
                "columnName": "UserPrincipalName",
                "identifier": "FullName"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "IPAddress",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Entra ID/Analytic Rules/PossibleSignInfromAzureBackdoor.yaml",
        "query": "// Microsoft Entra ID  Backdoors: Identity Federation\n//Ref: https://www.inversecos.com/2021/11/how-to-detect-azure-active-directory.html\nAuditLogs\n| where OperationName == \"Add unverified domain\"\n| where Result == \"success\"\n| extend InitiatedBy = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\n| extend DomainName = tostring(TargetResources[0].displayName)\n| summarize DomainAddedTime = min(TimeGenerated), ModifiedProperties = make_set(parse_json(TargetResources[0].modifiedProperties),1048576) by InitiatedBy, DomainName\n| join kind=inner (\nSigninLogs\n| where ResultType == \"0\"\n| extend UserDomain = tostring(parse_json(split(UserPrincipalName,\"@\",1)[0]))\n| summarize SignInTime = min(TimeGenerated)  by UserPrincipalName, IPAddress, tostring(LocationDetails),AppDisplayName,ResourceDisplayName,UserDomain\n) on $left.DomainName == $right.UserDomain\n// Getting UserName and Domain\n| extend Name = split(UserPrincipalName,\"@\",0), Domain = split(UserPrincipalName,\"@\",1)\n| mv-expand Name,Domain\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Persistence"
        ],
        "techniques": [
          "T1098"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}