Microsoft 365 - Modification of Trusted Domain

Set up the Azure integration.


Goal

Detects when a user creates or modifies a trusted domain object in Microsoft 365.

Strategy

Monitor Azure AD Audit logs for the following @evt.name:

  • Set federation settings on domain
  • Set domain authentication

Monitor Microsoft 365 Audit logs for the following @evt.name:

  • Set federation settings on domain.
  • Set domain authentication.

An attacker can register a new attacker-controlled domain as federated, or modify the existing federation settings of a domain by configuring a new secondary signing certificate. Both techniques allow the attacker to authenticate as any user, bypassing authentication controls such as a valid password or MFA.

Triage and response

  1. Determine if {{@usr.id}} should have made a {{@evt.name}} API call.
  2. If the API call was not made by the user:
    • Remove the suspicious domain or settings.
    • Begin your organization’s Incident Response (IR) process.
  3. If the API call was made by the user:
    • Ensure the change was authorized.
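The following is an added example, not part of the Datadog rule or its documentation: it runs the detection above over a few constructed audit log lines and applies the triage branches. It assumes a simplified JSON shape where the nested `evt.name` and `usr.id` keys stand in for the `@evt.name` and `@usr.id` attributes, and an assumed allow list (`expected_actors`) of accounts permitted to change federation settings.

```python
import json

# Event names the rule matches. Microsoft 365 audit logs record the same
# Azure AD operations with a trailing period, so both spellings are listed.
TRUSTED_DOMAIN_EVENTS = {
    "Set federation settings on domain",
    "Set domain authentication",
    "Set federation settings on domain.",
    "Set domain authentication.",
}

# Constructed sample log lines (not real tenant data). The nested "evt"/"usr"
# keys mirror the @evt.name and @usr.id attributes the rule references.
SAMPLE_LOG_LINES = [
    '{"evt": {"name": "Add user"}, "usr": {"id": "alice@example.test"}}',
    '{"evt": {"name": "Set federation settings on domain"}, "usr": {"id": "svc-admin@example.test"}, "target": "example.test"}',
    '{"evt": {"name": "Set domain authentication."}, "usr": {"id": "bob@example.test"}, "target": "example.test"}',
    'not json at all',
]

def detect_trusted_domain_changes(lines):
    """Return one alert dict per event whose @evt.name is in the watch list."""
    alerts = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the whole batch
        name = event.get("evt", {}).get("name", "")
        if name in TRUSTED_DOMAIN_EVENTS:
            alerts.append({
                "usr_id": event.get("usr", {}).get("id", "unknown"),
                "evt_name": name,
                "domain": event.get("target", "unknown"),
            })
    return alerts

def triage(alerts, expected_actors):
    """Triage step 2/3: unexpected actors start IR; expected actors (assumed
    allow list) still need the change confirmed as authorized."""
    outcome = {"begin_ir": [], "confirm_authorized": []}
    for alert in alerts:
        bucket = "confirm_authorized" if alert["usr_id"] in expected_actors else "begin_ir"
        outcome[bucket].append(alert)
    return outcome

if __name__ == "__main__":
    found = detect_trusted_domain_changes(SAMPLE_LOG_LINES)
    for bucket, items in triage(found, {"svc-admin@example.test"}).items():
        print(bucket, [(a["usr_id"], a["evt_name"], a["domain"]) for a in items])
```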