← Back to Explore
sigmamediumHunting
New Federated Domain Added
Detects the addition of a new Federated Domain.
Detection Query
selection_domain:
Operation|contains: domain
selection_operation:
Operation|contains:
- add
- new
condition: all of selection_*
Author
Splunk Threat Research Team (original rule), Harjot Singh @cyb3rjy0t (sigma rule)
Created
2023-09-18
Data Sources
m365audit
Platforms
m365
References
Tags
attack.defense-evasionattack.privilege-escalationattack.t1484.002
Raw Content
title: New Federated Domain Added
id: 58f88172-a73d-442b-94c9-95eaed3cbb36
related:
- id: 42127bdd-9133-474f-a6f1-97b6c08a4339
type: similar
status: test
description: Detects the addition of a new Federated Domain.
references:
- https://research.splunk.com/cloud/e155876a-6048-11eb-ae93-0242ac130002/
- https://o365blog.com/post/aadbackdoor/
author: Splunk Threat Research Team (original rule), Harjot Singh @cyb3rjy0t (sigma rule)
date: 2023-09-18
tags:
- attack.defense-evasion
- attack.privilege-escalation
- attack.t1484.002
logsource:
service: audit
product: m365
detection:
selection_domain:
Operation|contains: 'domain'
selection_operation:
Operation|contains:
- 'add'
- 'new'
condition: all of selection_*
falsepositives:
- The creation of a new Federated domain is not necessarily malicious, however these events need to be followed closely, as it may indicate federated credential abuse or backdoor via federated identities at a similar or different cloud provider.
level: medium