New or Modified Federation Domain
Identifies a new or modified federation domain, which can be used to create a trust between O365 and an external identity provider.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2021/05/17"
3integration = ["o365"]
4maturity = "production"
5min_stack_comments = "Breaking change at 8.8.0 for Microsoft 365 Integration."
6min_stack_version = "8.8.0"
7updated_date = "2024/04/02"
8
9[rule]
10author = ["Austin Songer"]
11description = """
12Identifies a new or modified federation domain, which can be used to create a trust between O365 and an external
13identity provider.
14"""
15index = ["filebeat-*", "logs-o365*"]
16language = "kuery"
17license = "Elastic License v2"
18name = "New or Modified Federation Domain"
19note = """## Setup
20
21The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
22references = [
23 "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-accepteddomain?view=exchange-ps",
24 "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-federateddomain?view=exchange-ps",
25 "https://docs.microsoft.com/en-us/powershell/module/exchange/new-accepteddomain?view=exchange-ps",
26 "https://docs.microsoft.com/en-us/powershell/module/exchange/add-federateddomain?view=exchange-ps",
27 "https://docs.microsoft.com/en-us/powershell/module/exchange/set-accepteddomain?view=exchange-ps",
28 "https://docs.microsoft.com/en-us/powershell/module/msonline/set-msoldomainfederationsettings?view=azureadps-1.0",
29]
30risk_score = 21
31rule_id = "684554fc-0777-47ce-8c9b-3d01f198d7f8"
32severity = "low"
33tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Identity and Access Audit", "Tactic: Privilege Escalation"]
34timestamp_override = "event.ingested"
35type = "query"
36
37query = '''
38event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:("Set-AcceptedDomain" or
39"Set-MsolDomainFederationSettings" or "Add-FederatedDomain" or "New-AcceptedDomain" or "Remove-AcceptedDomain" or "Remove-FederatedDomain") and
40event.outcome:success
41'''
42
43
44[[rule.threat]]
45framework = "MITRE ATT&CK"
46[[rule.threat.technique]]
47id = "T1484"
48name = "Domain Policy Modification"
49reference = "https://attack.mitre.org/techniques/T1484/"
50[[rule.threat.technique.subtechnique]]
51id = "T1484.002"
52name = "Domain Trust Modification"
53reference = "https://attack.mitre.org/techniques/T1484/002/"
54
55
56
57[rule.threat.tactic]
58id = "TA0004"
59name = "Privilege Escalation"
60reference = "https://attack.mitre.org/tactics/TA0004/"
Setup
The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
References
-
You need to be assigned permissions before you can run this cmdlet. Although this topic lists all parameters for the cmdlet, you may not have access to some parameters if they're not included in the permissions assigned to you. To find the permissions required to run any cmdlet or parameter in your organization, see Find the permissions required to run any Exchange cmdlet.
Read More -
An Exchange organization's federated organization identifier is generally created using the organization's primary domain name. Additional domain names can be added and removed. The Remove-FederatedDomain cmdlet removes a federated domain from the federated organization identifier. You need to be assigned permissions before you can run this cmdlet. Although this topic lists all parameters for the cmdlet, you may not have access to some parameters if they're not included in the permissions assigned to you. To find the permissions required to run any cmdlet or parameter in your organization, see Find the permissions required to run any Exchange cmdlet.
Read More -
You need to be assigned permissions before you can run this cmdlet. Although this topic lists all parameters for the cmdlet, you may not have access to some parameters if they're not included in the permissions assigned to you. To find the permissions required to run any cmdlet or parameter in your organization, see Find the permissions required to run any Exchange cmdlet.
Read More -
You can add any registered Internet domain to the federated organization identifier. You must prove domain ownership by creating a TXT record in the Domain Name System (DNS) zone of each domain you add. For more details, see Federation. You need to be assigned permissions before you can run this cmdlet. Although this topic lists all parameters for the cmdlet, you may not have access to some parameters if they're not included in the permissions assigned to you. To find the permissions required to run any cmdlet or parameter in your organization, see Find the permissions required to run any Exchange cmdlet.
Read More -
You need to be assigned permissions before you can run this cmdlet. Although this topic lists all parameters for the cmdlet, you may not have access to some parameters if they're not included in the permissions assigned to you. To find the permissions required to run any cmdlet or parameter in your organization, see Find the permissions required to run any Exchange cmdlet.
Read More -
The Set-MsolDomainFederationSettings cmdlet is used to update the settings of a single sign-on domain. Single sign-on is also known as identity federation.
Read More
Related rules
- Attempts to Brute Force a Microsoft 365 User Account
- Microsoft 365 Exchange Management Group Role Assignment
- Microsoft 365 Exchange Safe Link Policy Disabled
- Microsoft 365 Global Administrator Role Assigned
- O365 Excessive Single Sign-On Logon Errors