Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Possible SignIn from Azure Backdoor

Back
Idfa00014c-c5f4-4715-8f5b-ba567e19e41e
RulenamePossible SignIn from Azure Backdoor
DescriptionIdentifies when a user adds an unverified domain as an authentication method, followed by a sign-in from a user the newly added domain. Threat actors may add custom domains to create a backdoor to your tenant. It’s important to monitor whenever custom domains are added to the tenant.
SeverityMedium
TacticsPersistence
TechniquesT1098
Required data connectorsAzureActiveDirectory
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Entra ID/Analytic Rules/PossibleSignInfromAzureBackdoor.yaml
Version1.0.0
Arm templatefa00014c-c5f4-4715-8f5b-ba567e19e41e.json
Deploy To Azure
// Microsoft Entra ID  Backdoors: Identity Federation
//Ref: https://www.inversecos.com/2021/11/how-to-detect-azure-active-directory.html
AuditLogs
| where OperationName == "Add unverified domain"
| where Result == "success"
| extend InitiatedBy = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
| extend DomainName = tostring(TargetResources[0].displayName)
| summarize DomainAddedTime = min(TimeGenerated), ModifiedProperties = make_set(parse_json(TargetResources[0].modifiedProperties),1048576) by InitiatedBy, DomainName
| join kind=inner (
SigninLogs
| where ResultType == "0"
| extend UserDomain = tostring(parse_json(split(UserPrincipalName,"@",1)[0]))
| summarize SignInTime = min(TimeGenerated)  by UserPrincipalName, IPAddress, tostring(LocationDetails),AppDisplayName,ResourceDisplayName,UserDomain
) on $left.DomainName == $right.UserDomain
// Getting UserName and Domain
| extend Name = split(UserPrincipalName,"@",0), Domain = split(UserPrincipalName,"@",1)
| mv-expand Name,Domain
kind: Scheduled
query: |
  // Microsoft Entra ID  Backdoors: Identity Federation
  //Ref: https://www.inversecos.com/2021/11/how-to-detect-azure-active-directory.html
  AuditLogs
  | where OperationName == "Add unverified domain"
  | where Result == "success"
  | extend InitiatedBy = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
  | extend DomainName = tostring(TargetResources[0].displayName)
  | summarize DomainAddedTime = min(TimeGenerated), ModifiedProperties = make_set(parse_json(TargetResources[0].modifiedProperties),1048576) by InitiatedBy, DomainName
  | join kind=inner (
  SigninLogs
  | where ResultType == "0"
  | extend UserDomain = tostring(parse_json(split(UserPrincipalName,"@",1)[0]))
  | summarize SignInTime = min(TimeGenerated)  by UserPrincipalName, IPAddress, tostring(LocationDetails),AppDisplayName,ResourceDisplayName,UserDomain
  ) on $left.DomainName == $right.UserDomain
  // Getting UserName and Domain
  | extend Name = split(UserPrincipalName,"@",0), Domain = split(UserPrincipalName,"@",1)
  | mv-expand Name,Domain  
relevantTechniques:
- T1098
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: UserDomain
    identifier: NTDomain
  - columnName: UserPrincipalName
    identifier: FullName
- entityType: IP
  fieldMappings:
  - columnName: IPAddress
    identifier: Address
triggerOperator: gt
triggerThreshold: 0
queryPeriod: 1h
customDetails:
  DomainAddedTime: DomainAddedTime
  SignInTime: SignInTime
  ModifiedProperties: ModifiedProperties
  AppDisplayName: AppDisplayName
  ResourceDisplayName: ResourceDisplayName
  DomainAdded: DomainName
  InitiatedBy: InitiatedBy
tactics:
- Persistence
id: fa00014c-c5f4-4715-8f5b-ba567e19e41e
requiredDataConnectors:
- dataTypes:
  - SigninLogs
  - AuditLogs
  connectorId: AzureActiveDirectory
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Entra ID/Analytic Rules/PossibleSignInfromAzureBackdoor.yaml
description: |
    'Identifies when a user adds an unverified domain as an authentication method, followed by a sign-in from a user the newly added domain. Threat actors may add custom domains to create a backdoor to your tenant. It's important to monitor whenever custom domains are added to the tenant.'
queryFrequency: 1h
name: Possible SignIn from Azure Backdoor
severity: Medium
version: 1.0.0
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/fa00014c-c5f4-4715-8f5b-ba567e19e41e')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/fa00014c-c5f4-4715-8f5b-ba567e19e41e')]",
      "properties": {
        "alertRuleTemplateName": "fa00014c-c5f4-4715-8f5b-ba567e19e41e",
        "customDetails": {
          "AppDisplayName": "AppDisplayName",
          "DomainAdded": "DomainName",
          "DomainAddedTime": "DomainAddedTime",
          "InitiatedBy": "InitiatedBy",
          "ModifiedProperties": "ModifiedProperties",
          "ResourceDisplayName": "ResourceDisplayName",
          "SignInTime": "SignInTime"
        },
        "description": "'Identifies when a user adds an unverified domain as an authentication method, followed by a sign-in from a user the newly added domain. Threat actors may add custom domains to create a backdoor to your tenant. It's important to monitor whenever custom domains are added to the tenant.'\n",
        "displayName": "Possible SignIn from Azure Backdoor",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "UserDomain",
                "identifier": "NTDomain"
              },
              {
                "columnName": "UserPrincipalName",
                "identifier": "FullName"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "IPAddress",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Entra ID/Analytic Rules/PossibleSignInfromAzureBackdoor.yaml",
        "query": "// Microsoft Entra ID  Backdoors: Identity Federation\n//Ref: https://www.inversecos.com/2021/11/how-to-detect-azure-active-directory.html\nAuditLogs\n| where OperationName == \"Add unverified domain\"\n| where Result == \"success\"\n| extend InitiatedBy = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\n| extend DomainName = tostring(TargetResources[0].displayName)\n| summarize DomainAddedTime = min(TimeGenerated), ModifiedProperties = make_set(parse_json(TargetResources[0].modifiedProperties),1048576) by InitiatedBy, DomainName\n| join kind=inner (\nSigninLogs\n| where ResultType == \"0\"\n| extend UserDomain = tostring(parse_json(split(UserPrincipalName,\"@\",1)[0]))\n| summarize SignInTime = min(TimeGenerated)  by UserPrincipalName, IPAddress, tostring(LocationDetails),AppDisplayName,ResourceDisplayName,UserDomain\n) on $left.DomainName == $right.UserDomain\n// Getting UserName and Domain\n| extend Name = split(UserPrincipalName,\"@\",0), Domain = split(UserPrincipalName,\"@\",1)\n| mv-expand Name,Domain\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Persistence"
        ],
        "techniques": [
          "T1098"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}