federation settings modified from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.

source: <a href=https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/azure/audit_logs/azure_federation_modified.yml>sigma
technicques: t1078

Techniques

Identifies when an user or application modified the federation settings on the domain.

condition: selection
selection:
  ActivityDisplayName: Set federation settings on domain