Query Details

AR 005 Federation Domain Config Changed

Query

id: e5f60718-0005-4263-c345-eeff00112233
name: Entra ID Domain Federation Settings Modified
description: |
  Detects any modification to a domain's authentication configuration, including
  converting a domain from Managed to Federated authentication. This is the
  primary technique in the "Golden SAML" attack and the AADInternals
  `ConvertTo-AADIntBackdoor` command: by pointing a domain at a rogue Identity
  Provider, an attacker can forge authentication tokens for any user without
  knowing their password, fully bypassing MFA.

  Any occurrence of this event should be treated as Critical until verified with
  the identity team. There should be extremely few legitimate changes to domain
  federation settings.

  Reference: AADInternals https://github.com/Gerenios/AADInternals
             MITRE T1484.002 – Domain Trust Modification
severity: High
requiredDataConnectors:
  - connectorId: AzureActiveDirectory
    dataTypes:
      - AuditLogs
queryFrequency: 15m
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
status: Available
tactics:
  - Persistence
  - DefenseEvasion
relevantTechniques:
  - T1484.002
  - T1606.002
query: |
  AuditLogs
  | where TimeGenerated > ago(1d)
  | where ActivityDisplayName in (
      "Set domain authentication",
      "Set federation settings on domain",
      "Set federation settings",
      "Set DirSyncEnabled flag",
      "Update domain")
  | where Result == "success"
  | extend InitiatedByUPN = tostring(InitiatedBy.user.userPrincipalName)
  | extend InitiatedByApp = tostring(InitiatedBy.app.displayName)
  | extend Actor          = iff(isnotempty(InitiatedByUPN), InitiatedByUPN, InitiatedByApp)
  | extend TargetDomain   = tostring(TargetResources[0].displayName)
  | extend TargetId       = tostring(TargetResources[0].id)
  | mv-expand Prop = TargetResources[0].modifiedProperties
  | extend PropName = tostring(Prop.displayName)
  | extend OldValue = tostring(Prop.oldValue)
  | extend NewValue = tostring(Prop.newValue)
  | project
      TimeGenerated,
      Actor,
      InitiatedByUPN,
      ActivityDisplayName,
      TargetDomain,
      TargetId,
      PropName,
      OldValue,
      NewValue,
      LoggedByService,
      CorrelationId

entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: InitiatedByUPN
  - entityType: DNS
    fieldMappings:
      - identifier: DomainName
        columnName: TargetDomain

customDetails:
  ModifiedProperty: PropName
  OldAuthType: OldValue
  NewAuthType: NewValue

alertDetailsOverride:
  alertDisplayNameFormat: "CRITICAL – Domain federation config changed on '{{TargetDomain}}' by {{Actor}}"
  alertDescriptionFormat: "Actor {{Actor}} modified the domain authentication settings for '{{TargetDomain}}'. Property '{{PropName}}' changed from '{{OldValue}}' to '{{NewValue}}'. If this was not pre-approved, treat as a Golden SAML attack attempt."

suppressionDuration: PT1H
suppressionEnabled: false
version: 1.0.0
kind: Scheduled

Explanation

This query is designed to detect any changes made to the authentication settings of a domain in Azure Active Directory (AAD), which could indicate a potential security threat. Here's a simplified breakdown:

  1. Purpose: The query identifies modifications to a domain's authentication configuration, such as switching from Managed to Federated authentication. This is significant because such changes can be part of a "Golden SAML" attack, where an attacker can forge authentication tokens to impersonate any user without needing their password, effectively bypassing multi-factor authentication (MFA).

  2. Severity: Any detected change is considered critical until verified by the identity team, as legitimate changes to domain federation settings are rare.

  3. Data Source: The query uses data from Azure Active Directory's AuditLogs.

  4. Frequency and Period: It runs every 15 minutes and looks back over the past day (1 day).

  5. Detection Logic:

    • It checks for successful activities related to domain authentication settings, such as setting domain authentication, updating federation settings, or enabling directory synchronization.
    • It extracts details about who initiated the change (either a user or an application) and the specific domain affected.
    • It captures what properties were modified, including their old and new values.

  6. Alerting: If any such changes are detected, an alert is generated with a critical status. The alert message specifies the domain affected, the actor who made the change, and details of the modification.

  7. Entity Mapping: The query maps the user who initiated the change to an account entity and the domain to a DNS entity.

  8. Custom Details: It provides additional information about the modified property and the old and new authentication types.

  9. Suppression: Alerts are not suppressed by default, but there is an option to suppress them for 1 hour if needed.

  10. Version and Type: This is version 1.0.0 of a scheduled query.

Overall, this query is a security measure to monitor and alert on potentially unauthorized changes to domain federation settings, which could indicate a serious security breach.
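To see the query's filtering and mv-expand flattening outside Sentinel, here is an added Python replay of the detection logic over constructed AuditLogs-shaped records (example code, not the rule author's or Microsoft's; the domain, actor and modified-property names are hypothetical sample data, and the property names emitted by real Entra ID audit events may differ):

```python
WATCHED_ACTIVITIES = {  # copied from the query's ActivityDisplayName list
    "Set domain authentication", "Set federation settings on domain",
    "Set federation settings", "Set DirSyncEnabled flag", "Update domain"}

def actor_of(record):
    """Mirror the query's iff(): prefer the user UPN, else the app display name."""
    initiated = record.get("InitiatedBy") or {}
    upn = (initiated.get("user") or {}).get("userPrincipalName") or ""
    app = (initiated.get("app") or {}).get("displayName") or ""
    return upn or app

def detect(records):
    """One finding per modified property of each successful watched event."""
    findings = []
    for rec in records:
        if rec.get("ActivityDisplayName") not in WATCHED_ACTIVITIES:
            continue
        if rec.get("Result") != "success":
            continue
        target = (rec.get("TargetResources") or [{}])[0]
        # Like mv-expand, a record whose modifiedProperties is empty yields no rows.
        for prop in target.get("modifiedProperties") or []:
            findings.append({
                "Actor": actor_of(rec), "ActivityDisplayName": rec["ActivityDisplayName"],
                "TargetDomain": target.get("displayName", ""), "PropName": prop.get("displayName", ""),
                "OldValue": prop.get("oldValue", ""), "NewValue": prop.get("newValue", ""),
            })
    return findings

def is_managed_to_federated(finding):
    """Triage helper: the Golden SAML precondition is a Managed -> Federated flip (values arrive JSON-quoted)."""
    old, new = finding["OldValue"].strip('"'), finding["NewValue"].strip('"')
    return old == "Managed" and new == "Federated"

def _rec(activity, result, domain, props, upn="", app=""):
    """Build a constructed AuditLogs-shaped record (sample data, not a real tenant)."""
    return {"ActivityDisplayName": activity, "Result": result,
            "InitiatedBy": {"user": {"userPrincipalName": upn} if upn else None,
                            "app": {"displayName": app} if app else None},
            "TargetResources": [{"displayName": domain, "modifiedProperties": props}]}

SAMPLE_RECORDS = [  # constructed: one hit, one failed attempt, one app-driven change, one unrelated event
    _rec("Set domain authentication", "success", "example.test", upn="admin@example.test",
         props=[{"displayName": "Authentication", "oldValue": '"Managed"', "newValue": '"Federated"'}]),
    _rec("Set federation settings on domain", "failure", "example.test", upn="admin@example.test",
         props=[{"displayName": "IssuerUri", "oldValue": '""', "newValue": '"https://sts.example.test/"'}]),
    _rec("Set DirSyncEnabled flag", "success", "example.test", app="Directory Sync",
         props=[{"displayName": "DirSyncEnabled", "oldValue": '"false"', "newValue": '"true"'}]),
    _rec("Update user", "success", "bob@example.test", props=[], upn="helpdesk@example.test"),
]
```

Running `detect(SAMPLE_RECORDS)` returns two findings, of which only the first satisfies `is_managed_to_federated`; the failed attempt and the unrelated activity are filtered out just as the KQL `where` clauses do.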

Details

David Alonso

Released: April 6, 2026

Tables

AuditLogs

Keywords

AuditLogs, Domain, Authentication, Federation, Identity, User, Account, DNS, Actor, Service

Operators

AuditLogs, where, in, extend, tostring, iff, isnotempty, mv-expand, project