LoFP

The creation of a new federation is not necessarily malicious; however, these events need to be followed closely, as they may indicate federated credential abuse or a backdoor via federated identities at a different cloud provider.

Techniques

Sample rules

O365 Add App Role Assignment Grant User

Description

This search detects the creation of a new Federation setting by alerting on the specific event associated with its creation. Monitoring for this event identifies any instance where a Federation setting is created within the system, which helps detect unauthorized or suspicious changes to Federation settings and provides an additional layer of security for your environment.

Detection logic

`o365_management_activity` Workload=AzureActiveDirectory Operation="Add app role assignment grant to user." 
| stats count min(_time) as firstTime max(_time) as lastTime values(Actor{}.ID) as Actor.ID values(Actor{}.Type) as Actor.Type values(ModifiedProperties{}.Name) as modified_properties_name by user dest ResultStatus Operation 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `o365_add_app_role_assignment_grant_user_filter`
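The detection logic above is Splunk SPL. The following is an added example, not code from the LoFP page or from the Splunk security_content project, that re-implements the same filter and `stats` aggregation in Python over constructed O365 Management Activity records. It shows what a result row of the search looks like (count, first/last seen, distinct actor IDs and types, modified property names per user/dest/ResultStatus/Operation) and how the trailing `_filter` macro slot is used to suppress known-good rows. Assumptions: the `user` and `dest` fields are taken as already populated by field extraction, and `security_content_ctime` is taken to emit `YYYY-MM-DDTHH:MM:SS` in UTC.

```python
"""Added example: the O365 'Add app role assignment grant to user.' search over sample records.

Not part of the LoFP page or of Splunk security_content. Field names follow the O365
Management Activity schema the search references (Workload, Operation, Actor{}.ID, ...).
"""
from datetime import datetime, timezone

TARGET_WORKLOAD = "AzureActiveDirectory"
TARGET_OPERATION = "Add app role assignment grant to user."

# Constructed sample events (not real telemetry). `_time` is epoch seconds; `user` and
# `dest` stand in for the fields that field extraction would have populated (assumption).
SAMPLE_EVENTS = [
    {"_time": 1700000000, "Workload": "AzureActiveDirectory", "Operation": TARGET_OPERATION,
     "user": "alice@example.com", "dest": "example.onmicrosoft.com", "ResultStatus": "Success",
     "Actor": [{"ID": "admin@example.com", "Type": 5}, {"ID": "10032001A1B2C3D4", "Type": 0}],
     "ModifiedProperties": [{"Name": "AppRole.Id"}, {"Name": "AppRole.Value"}]},
    {"_time": 1700003600, "Workload": "AzureActiveDirectory", "Operation": TARGET_OPERATION,
     "user": "alice@example.com", "dest": "example.onmicrosoft.com", "ResultStatus": "Success",
     "Actor": [{"ID": "admin@example.com", "Type": 5}],
     "ModifiedProperties": [{"Name": "AppRole.Id"}]},
    {"_time": 1700007200, "Workload": "AzureActiveDirectory", "Operation": TARGET_OPERATION,
     "user": "bob@example.com", "dest": "example.onmicrosoft.com", "ResultStatus": "Failure",
     "Actor": [{"ID": "helpdesk@example.com", "Type": 5}],
     "ModifiedProperties": []},
    # Same workload, different operation: dropped by the Operation filter.
    {"_time": 1700010800, "Workload": "AzureActiveDirectory", "Operation": "Update user.",
     "user": "alice@example.com", "dest": "example.onmicrosoft.com", "ResultStatus": "Success",
     "Actor": [{"ID": "admin@example.com", "Type": 5}], "ModifiedProperties": []},
    # Matching operation string but wrong workload: dropped by the Workload filter.
    {"_time": 1700014400, "Workload": "Exchange", "Operation": TARGET_OPERATION,
     "user": "carol@example.com", "dest": "example.onmicrosoft.com", "ResultStatus": "Success",
     "Actor": [], "ModifiedProperties": []},
]


def ctime(epoch):
    """Epoch seconds -> 'YYYY-MM-DDTHH:MM:SS' in UTC (assumed format of `security_content_ctime`)."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%S")


def detect_app_role_grants(events, tuning_filter=None):
    """Filter, then `stats count min(_time) max(_time) values(...) by user dest ResultStatus Operation`.

    `tuning_filter` plays the role of the `o365_add_app_role_assignment_grant_user_filter`
    macro: a predicate over a result row that returns True for rows to suppress.
    """
    groups = {}
    for e in events:
        if e.get("Workload") != TARGET_WORKLOAD or e.get("Operation") != TARGET_OPERATION:
            continue
        key = (e.get("user"), e.get("dest"), e.get("ResultStatus"), e.get("Operation"))
        g = groups.setdefault(key, {"count": 0, "times": [], "actor_ids": set(),
                                    "actor_types": set(), "prop_names": set()})
        g["count"] += 1
        g["times"].append(e["_time"])
        # values(Actor{}.ID) etc. collect the distinct values of a multivalue field.
        for actor in e.get("Actor", []):
            if "ID" in actor:
                g["actor_ids"].add(str(actor["ID"]))
            if "Type" in actor:
                g["actor_types"].add(str(actor["Type"]))
        for prop in e.get("ModifiedProperties", []):
            if "Name" in prop:
                g["prop_names"].add(prop["Name"])

    rows = []
    for (user, dest, status, op), g in sorted(groups.items()):
        rows.append({
            "user": user, "dest": dest, "ResultStatus": status, "Operation": op,
            "count": g["count"],
            "firstTime": ctime(min(g["times"])),
            "lastTime": ctime(max(g["times"])),
            "Actor.ID": sorted(g["actor_ids"]),
            "Actor.Type": sorted(g["actor_types"]),
            "modified_properties_name": sorted(g["prop_names"]),
        })
    if tuning_filter is not None:
        rows = [r for r in rows if not tuning_filter(r)]
    return rows


if __name__ == "__main__":
    for row in detect_app_role_grants(SAMPLE_EVENTS):
        print(row)
```

Run stand-alone, the script prints one row per distinct user/dest/ResultStatus/Operation combination; the two non-matching events never reach the aggregation. Passing a `tuning_filter` is the equivalent of populating the `_filter` macro, which is where the false-positive handling the note above describes belongs: rather than dropping the rule, suppress the specific actors or targets you have verified and keep the rest for follow-up.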