Detection · medium · test

New Federated Domain Added - Exchange

Detects the addition of a new Federated Domain.

Author: Splunk Threat Research Team (original rule), @ionsor
Created: Tue Feb 08
Rule ID: 42127bdd-9133-474f-a6f1-97b6c08a4339
Category: cloud
Log Source
Product: Microsoft 365 (raw: m365)
Service: exchange
Detection Logic (1 selector)
detection:
    selection:
        eventSource: Exchange
        eventName: 'Add-FederatedDomain'
        status: success
    condition: selection
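To show what the selector above fires on, here is an added Python example (not the rule's own code, nor Phoenix Studio's) that applies the selection with Sigma's default matching semantics, case-insensitive string equality with all selector fields ANDed, to constructed audit records. The field names are the ones in the rule; the sample events and their values are made up.

```python
import json

# Selector taken from the Sigma rule on this page. Every field must match (AND);
# Sigma compares string values case-insensitively, so "Success" matches "success".
SELECTION = {
    "eventSource": "Exchange",
    "eventName": "Add-FederatedDomain",
    "status": "success",
}


def field_matches(record, field, expected):
    """Sigma equality for a plain value: case-insensitive, exact; a list means OR."""
    actual = record.get(field)
    if actual is None:
        return False
    candidates = expected if isinstance(expected, list) else [expected]
    return any(str(actual).lower() == str(v).lower() for v in candidates)


def rule_matches(record):
    """condition: selection -> all selector fields must match the record."""
    return all(field_matches(record, f, v) for f, v in SELECTION.items())


def alert_on(records):
    """Return the records the rule would raise an alert for."""
    return [r for r in records if rule_matches(r)]


# Constructed sample events in the shape the selector expects (not real telemetry).
SAMPLE_EVENTS = [
    {"eventSource": "Exchange", "eventName": "Add-FederatedDomain", "status": "success",
     "user": "admin@example.invalid", "DomainName": "partner.example.invalid"},
    {"eventSource": "Exchange", "eventName": "Add-FederatedDomain", "status": "failed",
     "user": "admin@example.invalid"},                      # failed attempt: not matched
    {"eventSource": "Exchange", "eventName": "Remove-FederatedDomain", "status": "success",
     "user": "admin@example.invalid"},                      # different cmdlet: not matched
    {"eventSource": "EXCHANGE", "eventName": "add-federateddomain", "status": "Success",
     "user": "svc@example.invalid"},                        # casing differs: still matched
]

if __name__ == "__main__":
    for hit in alert_on(SAMPLE_EVENTS):
        print(json.dumps(hit))
```

Each hit should be triaged against the tenant's list of expected federated domains, per the false-positive note below.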
False Positives

The creation of a new federated domain is not necessarily malicious; however, these events need to be followed closely, as they may indicate federated credential abuse or a backdoor via federated identities at a similar or a different cloud provider.

MITRE ATT&CK
Persistence: T1136.003 (Create Account: Cloud Account)
Rule Metadata
Rule ID
42127bdd-9133-474f-a6f1-97b6c08a4339
Status
test
Level
medium
Type
Detection
Created
Tue Feb 08
Path
rules/cloud/m365/exchange/microsoft365_new_federated_domain_added_exchange.yml
Raw Tags
attack.persistence, attack.t1136.003