Detectionmediumtest

Azure Domain Federation Settings Modified

Identifies when an user or application modified the federation settings on the domain.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Austin SongerCreated Mon Sep 06Updated Wed Jun 08352a54e1-74ba-4929-9d47-8193d67aba1ecloud

Log Source

Azureauditlogs

ProductAzure← raw: azure

Serviceauditlogs← raw: auditlogs

Detection Logic

detection:
    selection:
        ActivityDisplayName: Set federation settings on domain
    condition: selection

False Positives

Federation Settings being modified or deleted may be performed by a system administrator.

Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.

Federation Settings modified from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.

References

Resolving title…

learn.microsoft.com

MITRE ATT&CK

Tactics

TA0004 · Privilege Escalation TA0003 · Persistence TA0005 · Defense Evasion TA0001 · Initial Access

Techniques

T1078 · Valid Accounts

Rule Metadata

Rule ID

352a54e1-74ba-4929-9d47-8193d67aba1e

Status

test

Level

medium

Type

Detection

Created

Mon Sep 06

Modified

Wed Jun 08

Author

Austin Songer

Path

rules/cloud/azure/audit_logs/azure_federation_modified.yml

Raw Tags

attack.privilege-escalationattack.persistenceattack.defense-evasionattack.initial-accessattack.t1078

View on GitHub