Users Authenticating To Other Azure AD Tenants

Detect when users in your Azure AD tenant are authenticating to other Azure AD Tenants.

Sigma rule (View on GitHub)

 1title: Users Authenticating To Other Azure AD Tenants
 2id: 5f521e4b-0105-4b72-845b-2198a54487b9
 3status: test
 4description: Detect when users in your Azure AD tenant are authenticating to other Azure AD Tenants.
 5references:
 6    - https://learn.microsoft.com/en-gb/entra/architecture/security-operations-user-accounts#monitoring-external-user-sign-ins
 7author: MikeDuddington, '@dudders1'
 8date: 2022/06/30
 9tags:
10    - attack.initial_access
11    - attack.t1078.004
12logsource:
13    product: azure
14    service: signinlogs
15detection:
16    selection:
17        Status: 'Success'
18        HomeTenantId: 'HomeTenantID'
19    filter:
20        ResourceTenantId|contains: 'HomeTenantID'
21    condition: selection and not filter
22falsepositives:
23    - If this was approved by System Administrator.
24level: medium

References

Related rules

to-top