KQL Search

Query Details

HomeAI ToolsDevice Query

Audit Detect AAD Internals Use

Query

//Detect AADInternals use, where we see a domain changed from managed to federated, and the issuer contains any.sts or the issuer suffix is 8 characters, a combination of letters and numbers

//Data connector required for this query - Azure Active Directory - Audit Logs

AuditLogs
| where OperationName == "Set domain authentication"
| extend DomainName = tostring(TargetResources[0].displayName)
| extend Actor = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
| extend ActorIPAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)
| extend mp=parse_json(TargetResources[0].modifiedProperties)
| mv-apply mp on (
where mp.displayName == "IssuerUri"
| extend Issuer=mp.newValue
)
| extend mp=parse_json(TargetResources[0].modifiedProperties)
| mv-apply mp on (
where mp.displayName == "LiveType"
| extend OldDomainType = mp.oldValue
| extend NewDomainType = mp.newValue
)
| project TimeGenerated, Actor, ActorIPAddress, DomainName, OldDomainType, NewDomainType, Issuer
| parse Issuer with * @'://' Issuer @'"' *
| extend IssuerSuffix = split(Issuer, '/')[-1]
| where OldDomainType has "Managed" and NewDomainType has "Federated"
| where Issuer has "any.sts" or IssuerSuffix matches regex "^[a-zA-Z0-9]{8}$"

Explanation

This query is looking for instances where a domain has changed from managed to federated in Azure Active Directory. It checks if the issuer contains "any.sts" or if the issuer suffix is 8 characters long and consists of letters and numbers. The query retrieves information such as the time generated, actor, actor's IP address, domain name, old domain type, new domain type, and issuer. It uses the Azure Active Directory - Audit Logs data connector.

Details

Matt Zorich profile picture

Matt Zorich

Released: June 16, 2023

Tables

AuditLogs

Keywords

AADInternals,Domain,Managed,Federated,Issuer,any.sts,IssuerSuffix,Combination,Letters,Numbers

Operators

| where=="Set domain authentication" | extendtostringTargetResources[0].displayName | extendtostringparse_jsontostringInitiatedBy.user.userPrincipalName | extendtostringparse_jsontostringInitiatedBy.user.ipAddress | extendparse_jsonTargetResources[0].modifiedProperties | mv-applyonwhere=="IssuerUri" | extendmp.newValue | extendparse_jsonTargetResources[0].modifiedProperties | mv-applyonwhere=="LiveType" | extendmp.oldValue | extendmp.newValue | projectTimeGeneratedActorActorIPAddressDomainNameOldDomainTypeNewDomainTypeIssuer | parsewith* @'://' Issuer @'"' * | extendsplitIssuer'/'[-1] | wherehas"Managed" andhas"Federated" | wherehas"any.sts" ormatches regex"^[a-zA-Z0-9]{8}$"

Actions