Rules Contributing to Microsoft Entra Hybrid Health AD FS New Server Alert

The following rules are used to identify a new Hybrid Health AD FS server. Any one or more of them will trigger the Microsoft Entra Hybrid Health AD FS New Server Alert. Details for each rule can be viewed by clicking the More Details link in its description.

| Title | Description |
| --- | --- |
| Azure Active Directory Hybrid Health AD FS New Server | This detection uses the Azure Activity Log (Administrative category) to identify the creation or update of a server instance in a Microsoft Entra Hybrid Health AD FS service. A threat actor can create a new Health AD FS service and register a fake server instance in it to spoof AD FS signing logs. No on-premises AD FS server needs to be compromised: this can be done programmatically via HTTP requests to Azure. |
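The detection logic above, replayed over constructed Azure Activity Log records, as an added example that is not Microsoft's published rule. It assumes the records use the Log Analytics `AzureActivity` column names and that the server-instance create/update appears as a `servicemembers` operation under the `Microsoft.ADHybridHealthService` provider; both are assumptions to check against your own tenant's logs.

```python
import json
import re

# Assumptions: AzureActivity column names; the create/update of a server
# instance is the provider's "servicemembers" operation. Adjust if your logs differ.
PROVIDER = "microsoft.adhybridhealthservice"
SERVICE_MEMBER_OP = re.compile(r"/servicemembers/", re.IGNORECASE)

def matches_rule(rec):
    """True when one AzureActivity record satisfies the alert's conditions."""
    if rec.get("CategoryValue") != "Administrative":
        return False
    if rec.get("ResourceProviderValue", "").lower() != PROVIDER:
        return False
    # Only the AD FS flavour of Hybrid Health, not the Entra Connect sync service.
    if "adfederationservice" not in rec.get("_ResourceId", "").lower():
        return False
    return bool(SERVICE_MEMBER_OP.search(rec.get("OperationNameValue", "")))

def enrich(rec):
    """Extract the entities an analyst triages first (who, from where, which app)."""
    claims = json.loads(rec.get("Claims") or "{}")
    return {
        "time": rec.get("TimeGenerated"),
        "caller": rec.get("Caller"),
        "caller_ip": rec.get("CallerIpAddress"),
        "app_id": claims.get("appid"),  # present when a service principal acted
        "resource": rec.get("_ResourceId"),
        "result": rec.get("ActivityStatusValue"),
    }

def find_alerts(records):
    """Return enriched hits for every record that matches the rule."""
    return [enrich(r) for r in records if matches_rule(r)]

# Constructed sample records (placeholder IDs, not real tenant data).
_SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
SAMPLE = [
    {"TimeGenerated": "2024-01-01T10:00:00Z", "CategoryValue": "Administrative",
     "ResourceProviderValue": "Microsoft.ADHybridHealthService",
     "OperationNameValue": "Microsoft.ADHybridHealthService/services/servicemembers/action",
     "_ResourceId": _SUB + "/providers/Microsoft.ADHybridHealthService/services/AdFederationService-example",
     "Caller": "automation@example.onmicrosoft.com", "CallerIpAddress": "203.0.113.10",
     "Claims": json.dumps({"appid": "00000000-0000-0000-0000-00000000abcd", "name": "automation"}),
     "ActivityStatusValue": "Success"},
    {"TimeGenerated": "2024-01-01T10:05:00Z", "CategoryValue": "Administrative",
     "ResourceProviderValue": "Microsoft.Resources",
     "OperationNameValue": "Microsoft.Resources/deployments/write",
     "_ResourceId": _SUB + "/resourceGroups/rg/providers/Microsoft.Resources/deployments/d1",
     "Caller": "admin@example.onmicrosoft.com", "CallerIpAddress": "203.0.113.11", "Claims": "{}"},
    {"TimeGenerated": "2024-01-01T10:10:00Z", "CategoryValue": "Administrative",
     "ResourceProviderValue": "Microsoft.ADHybridHealthService",
     "OperationNameValue": "Microsoft.ADHybridHealthService/services/servicemembers/action",
     "_ResourceId": _SUB + "/providers/Microsoft.ADHybridHealthService/services/AadSyncService-example",
     "Caller": "admin@example.onmicrosoft.com", "CallerIpAddress": "203.0.113.11", "Claims": "{}"},
]
```

Running `find_alerts(SAMPLE)` yields a single hit, the AD FS service member registered by a service principal, which is the case worth pivoting on (caller, IP, app ID) in Entra sign-in and audit logs.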