Rules Contributing to Microsoft Entra Federation Modified Alert

The following rules are used to identify suspicious Microsoft Entra federation modified activity. Any one or more of these will trigger the Microsoft Entra Federation Modified Alert. Details for each rule can be viewed by clicking the More Details link in the description.

Title

Description

Azure Domain Federation Settings Modified

Identifies when an user or application modified the federation settings on the domain.

More details

Rule ID

azure_45

Query

{'selection': {'ActivityDisplayName': 'Set federation settings on domain'}, 'condition': 'selection'}

Log Source

Stellar Cyber Microsoft Entra Events configured.

Rule Source

SigmaHQ,352a54e1-74ba-4929-9d47-8193d67aba1e

Author: Austin Songer

Tactics, Techniques, and Procedures

DEFENSE_EVASION, T1484

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
experimental	2021/09/06	medium	Federation Settings being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Federation Settings modified from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.