
New Federated Domain Added

Detects the addition of a new Federated Domain.

Authors: Splunk Threat Research Team (original rule), Harjot Singh (sigma rule)
Created: Mon Sep 18
Rule ID: 58f88172-a73d-442b-94c9-95eaed3cbb36
Category: cloud
Log Source
Product: Microsoft 365 (raw: m365)
Service: audit (raw: audit)
Detection Logic (2 selectors)
detection:
    selection_domain:
        Operation|contains: 'domain'
    selection_operation:
        Operation|contains:
            - 'add'
            - 'new'
    condition: all of selection_*
False Positives

The creation of a new federated domain is not necessarily malicious; however, these events need to be followed closely, as they may indicate federated credential abuse or a backdoor via federated identities at a similar or a different cloud provider.
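To show what the two selectors above actually match, and why the false-positive note matters, here is an added Python evaluator (not part of the Sigma project or of this rule) that applies the rule's case-insensitive `contains` semantics to a few constructed audit records. The Operation names in the sample are made up for illustration and are not real Microsoft 365 operation names.

```python
import json

# Rule body from this page: both selectors must match (condition: all of selection_*).
# Sigma's `contains` modifier is a case-insensitive substring test; a list value is an OR.
RULE = {
    "selection_domain": {"Operation|contains": ["domain"]},
    "selection_operation": {"Operation|contains": ["add", "new"]},
}

def field_contains(value, needles):
    """Sigma `|contains` over a list: true if any needle is a substring, case-insensitively."""
    if value is None:
        return False
    v = str(value).lower()
    return any(n.lower() in v for n in needles)

def selector_matches(event, selector):
    """Every field condition inside one selector must hold (AND)."""
    for spec, needles in selector.items():
        field, _, modifier = spec.partition("|")
        if modifier != "contains":
            raise ValueError(f"unsupported modifier: {modifier!r}")
        if not field_contains(event.get(field), needles):
            return False
    return True

def rule_matches(event):
    """condition: all of selection_* -> each selector must match the event."""
    return all(selector_matches(event, s) for s in RULE.values())

def evaluate(raw_events):
    """Return the Operation values of the JSON records that trigger the rule."""
    return [e["Operation"] for e in map(json.loads, raw_events) if rule_matches(e)]

# Constructed audit records (hypothetical, not real M365 output); only Operation matters here.
SAMPLE_EVENTS = [
    '{"Operation": "Add-FederatedDomain", "UserId": "admin@example.com"}',
    '{"Operation": "Set-FederatedDomain", "UserId": "admin@example.com"}',
    '{"Operation": "New-AcceptedDomain", "UserId": "admin@example.com"}',
    '{"Operation": "Remove domain from company.", "UserId": "admin@example.com"}',
    '{"Operation": "Update domain address", "UserId": "admin@example.com"}',
    '{"Operation": "Add user.", "UserId": "admin@example.com"}',
]

if __name__ == "__main__":
    for op in evaluate(SAMPLE_EVENTS):
        print("ALERT:", op)
```

Note that the constructed "Update domain address" record fires only because "address" contains "add", and "New-AcceptedDomain" fires although it is not a federation change; a substring rule like this one should be tuned against the exact Operation names observed in the tenant before it drives paging.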

Rule Metadata
Rule ID
58f88172-a73d-442b-94c9-95eaed3cbb36
Status
test
Level
medium
Type
Detection
Created
Mon Sep 18
Path
rules/cloud/m365/audit/microsoft365_new_federated_domain_added_audit.yml
Raw Tags
attack.defense-evasion
attack.privilege-escalation
attack.t1484.002