New or Modified Federation Domain
Identifies a new or modified federation domain, which can be used to create a trust between O365 and an external identity provider.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2021/05/17"
3integration = ["o365"]
4maturity = "production"
5updated_date = "2024/05/31"
6
7[rule]
8author = ["Austin Songer"]
9description = """
10Identifies a new or modified federation domain, which can be used to create a trust between O365 and an external
11identity provider.
12"""
13index = ["filebeat-*", "logs-o365*"]
14language = "kuery"
15license = "Elastic License v2"
16name = "New or Modified Federation Domain"
17note = """## Setup
18
19The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
20references = [
21 "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-accepteddomain?view=exchange-ps",
22 "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-federateddomain?view=exchange-ps",
23 "https://docs.microsoft.com/en-us/powershell/module/exchange/new-accepteddomain?view=exchange-ps",
24 "https://docs.microsoft.com/en-us/powershell/module/exchange/add-federateddomain?view=exchange-ps",
25 "https://docs.microsoft.com/en-us/powershell/module/exchange/set-accepteddomain?view=exchange-ps",
26 "https://docs.microsoft.com/en-us/powershell/module/msonline/set-msoldomainfederationsettings?view=azureadps-1.0",
27]
28risk_score = 21
29rule_id = "684554fc-0777-47ce-8c9b-3d01f198d7f8"
30severity = "low"
31tags = [
32 "Domain: Cloud",
33 "Data Source: Microsoft 365",
34 "Use Case: Identity and Access Audit",
35 "Tactic: Privilege Escalation",
36]
37timestamp_override = "event.ingested"
38type = "query"
39
40query = '''
41event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:("Set-AcceptedDomain" or
42"Set-MsolDomainFederationSettings" or "Add-FederatedDomain" or "New-AcceptedDomain" or "Remove-AcceptedDomain" or "Remove-FederatedDomain") and
43event.outcome:success
44'''
45
46
47[[rule.threat]]
48framework = "MITRE ATT&CK"
49[[rule.threat.technique]]
50id = "T1484"
51name = "Domain or Tenant Policy Modification"
52reference = "https://attack.mitre.org/techniques/T1484/"
53[[rule.threat.technique.subtechnique]]
54id = "T1484.002"
55name = "Trust Modification"
56reference = "https://attack.mitre.org/techniques/T1484/002/"
57
58
59
60[rule.threat.tactic]
61id = "TA0004"
62name = "Privilege Escalation"
63reference = "https://attack.mitre.org/tactics/TA0004/"
Setup
The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
References
-
You need to be assigned permissions before you can run this cmdlet. Although this topic lists all parameters for the cmdlet, you may not have access to some parameters if they're not included in the permissions assigned to you. To find the permissions required to run any cmdlet or parameter in your organization, see Find the permissions required to run any Exchange cmdlet.
Read More -
An Exchange organization's federated organization identifier is generally created using the organization's primary domain name. Additional domain names can be added and removed. The Remove-FederatedDomain cmdlet removes a federated domain from the federated organization identifier. You need to be assigned permissions before you can run this cmdlet. Although this topic lists all parameters for the cmdlet, you may not have access to some parameters if they're not included in the permissions assigned to you. To find the permissions required to run any cmdlet or parameter in your organization, see Find the permissions required to run any Exchange cmdlet.
Read More -
You need to be assigned permissions before you can run this cmdlet. Although this topic lists all parameters for the cmdlet, you may not have access to some parameters if they're not included in the permissions assigned to you. To find the permissions required to run any cmdlet or parameter in your organization, see Find the permissions required to run any Exchange cmdlet.
Read More -
You can add any registered Internet domain to the federated organization identifier. You must prove domain ownership by creating a TXT record in the Domain Name System (DNS) zone of each domain you add. For more details, see Federation. You need to be assigned permissions before you can run this cmdlet. Although this topic lists all parameters for the cmdlet, you may not have access to some parameters if they're not included in the permissions assigned to you. To find the permissions required to run any cmdlet or parameter in your organization, see Find the permissions required to run any Exchange cmdlet.
Read More -
You need to be assigned permissions before you can run this cmdlet. Although this topic lists all parameters for the cmdlet, you may not have access to some parameters if they're not included in the permissions assigned to you. To find the permissions required to run any cmdlet or parameter in your organization, see Find the permissions required to run any Exchange cmdlet.
Read More -
The Set-MsolDomainFederationSettings cmdlet is used to update the settings of a single sign-on domain. Single sign-on is also known as identity federation.
Read More
Related rules
- AWS IAM Assume Role Policy Update
- AWS Root Login Without MFA
- AWS STS GetSessionToken Abuse
- Azure Kubernetes Rolebindings Created
- Microsoft 365 Exchange Management Group Role Assignment