rules/cloud/azure/azure_federation_modified.yml

title: Azure Domain Federation Settings Modified
id: 352a54e1-74ba-4929-9d47-8193d67aba1e
description: Identifies when an user or application modified the federation settings on the domain.
author: Austin Songer
status: experimental
date: 2021/09/06
references:
    - https://attack.mitre.org/techniques/T1078
logsource:
  product: azure
  service: signinlogs
detection:
    selection:
        properties.message: Set federation settings on domain
    condition: selection
level: medium
tags:
    - attack.initial_access
    - attack.t1078
falsepositives:
 - Federation Settings being modified or deleted may be performed by a system administrator. 
 - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. 
 - Federation Settings modified from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
Create azure_federation_modified.yml 2021-09-06 11:06:58 -05:00			`title: Azure Domain Federation Settings Modified`
			`id: 352a54e1-74ba-4929-9d47-8193d67aba1e`
			`description: Identifies when an user or application modified the federation settings on the domain.`
			`author: Austin Songer`
			`status: experimental`
			`date: 2021/09/06`
			`references:`
Update azure_federation_modified.yml 2021-09-06 11:31:52 -05:00			`- https://attack.mitre.org/techniques/T1078`
Create azure_federation_modified.yml 2021-09-06 11:06:58 -05:00			`logsource:`
$frack113$ Add azure product 2021-11-14 10:50:16 +01:00			`product: azure`
refactor: first bigger log source refactoring 2022-03-22 17:58:29 +01:00			`service: signinlogs`
Create azure_federation_modified.yml 2021-09-06 11:06:58 -05:00			`detection:`
			`selection:`
			`properties.message: Set federation settings on domain`
			`condition: selection`
			`level: medium`
			`tags:`
			`- attack.initial_access`
			`- attack.t1078`
			`falsepositives:`
			`- Federation Settings being modified or deleted may be performed by a system administrator.`
			`- Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.`
			`- Federation Settings modified from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.`
Update azure_federation_modified.yml 2021-09-06 11:31:52 -05:00