Microsoft 365 - Modification of Trusted Domain
Set up the azure integration.
このページは日本語には対応しておりません。随時翻訳に取り組んでいます。翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください。
Goal
Detects when a user creates or modifies a trusted domain object in Microsoft 365.
Strategy
Monitor Azure AD Audit logs for the following @evt.name
:
Set federation settings on domain
Set domain authentication
Monitor Microsoft 365 Audit logs for the following @evt.name
:
Set federation settings on domain.
Set domain authentication.
An attacker can create a new attacker-controlled domain as federated or modify the existing federation settings for a domain by configuring a new, secondary signing certificate. Both of these techniques would allow the attacker to authenticate as any user bypassing authentication requirements like a valid password or MFA.
Triage and response
- Determine if
{{@usr.id}}
should have made a {{@evt.name}}
API call. - If the API call was not made by the user:
- Remove the suspicious domain or settings.
- Begin your organization’s Incident Response (IR) process.
- If the API call was made by the user:
- Ensure the change was authorized.