Query Details

Audit Detect New Cross Tenant Setting

Query

//Detect when another Azure AD tenant is added to cross-tenant access settings and, for each tenant added, retrieve any domain names that tenant's guests have used in your sign-in data.
//First retrieve the event where a cross-tenant setting was added

//Data connector required for this query - Azure Active Directory - Audit Logs
//Data connector required for this query - Azure Active Directory - Signin Logs

AuditLogs
| where TimeGenerated > ago(1d)
| where OperationName == "Add a partner to cross-tenant access setting"
| where Result == "success"
//newValue holds the partner tenant ID as a quoted JSON string, so it is parsed twice to get the bare ID
| extend GuestTenantId = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[0].newValue)))
| extend Actor = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
| project TimeGenerated, OperationName, Actor, GuestTenantId
//join back to Azure AD sign in logs for the last 180 days to retrieve inbound guest activity
| join kind=inner (
    SigninLogs
    | where TimeGenerated > ago(180d)
    | where UserType == "Guest"
    | where ResultType == 0
    | where AADTenantId != HomeTenantId and HomeTenantId != ResourceTenantId
    //Split all the domains belonging to inbound guest domains and summarize the list per TenantId
    //Extract the domain from each inbound guest UPN and summarize the set of domains per home tenant
    | extend ['Guest Domains'] = tostring(split(UserPrincipalName, '@')[-1])
    | summarize ['Guest Domain Names']=make_set(['Guest Domains']) by HomeTenantId)
    //Join back to the audit event where the TenantId from the added setting matches the sign in data
    on $left.GuestTenantId == $right.HomeTenantId
| project-away HomeTenantId

Explanation

This query detects when another Azure AD tenant is added to the cross-tenant access settings of your tenant and, for each tenant added, retrieves the domain names that tenant's guests have used to sign in. It first retrieves successful "Add a partner to cross-tenant access setting" events from AuditLogs over the last day. The partner tenant ID is carried in the newValue of the first modified property as a quoted JSON string, so it is parsed twice to obtain the bare tenant ID, and the actor is taken from the UPN of the initiating user. It then joins to the Azure AD sign-in logs for the last 180 days, keeping only successful inbound guest sign-ins from other tenants, extracts the domain from each guest UPN and summarizes the set of domains per HomeTenantId. Finally, it joins the audit event to the sign-in data where the added tenant ID matches HomeTenantId and projects the relevant information.

Because the join is kind=inner, a partner tenant with no successful guest sign-ins in the last 180 days is dropped from the results. An unfamiliar tenant being added is often the case of most interest, so if you want those rows to surface, use a leftouter join and flag rows that have no matching sign-in data.
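The following is an added example and not part of the original query: the same detection rewritten with a leftouter join, so that a newly added partner tenant with no inbound guest sign-ins in the window is still returned and flagged rather than dropped. The columns ['Guest Sign-ins'], ['Last Guest Sign-in'] and ['Prior Guest Activity'] are names chosen here for illustration; the table and field names are the same AuditLogs and SigninLogs fields the original query uses.

```kql
// Added example (not the original query): leftouter join keeps partner tenants with no sign-in history.
AuditLogs
| where TimeGenerated > ago(1d)
| where OperationName == "Add a partner to cross-tenant access setting"
| where Result == "success"
// newValue is a quoted JSON string, hence the double parse_json
| extend GuestTenantId = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[0].newValue)))
| extend Actor = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
| project TimeGenerated, OperationName, Actor, GuestTenantId
| join kind=leftouter (
    SigninLogs
    | where TimeGenerated > ago(180d)
    | where UserType == "Guest"
    | where ResultType == 0
    | where AADTenantId != HomeTenantId and HomeTenantId != ResourceTenantId
    | extend GuestDomain = tostring(split(UserPrincipalName, '@')[-1])
    // Per home tenant: the set of guest domains seen, how often they signed in, and when last
    | summarize ['Guest Domain Names']=make_set(GuestDomain),
                ['Guest Sign-ins']=count(),
                ['Last Guest Sign-in']=max(TimeGenerated) by HomeTenantId)
    on $left.GuestTenantId == $right.HomeTenantId
// Unmatched rows carry an empty HomeTenantId: nobody from that tenant signed in during the window
| extend ['Prior Guest Activity'] = iff(isempty(HomeTenantId), "none in last 180d", "yes")
| project-away HomeTenantId
// Tenants with no prior activity sort first; those are the ones to look at first
| sort by ['Prior Guest Activity'] asc, TimeGenerated desc
```

Rows where ['Prior Guest Activity'] is "none in last 180d" have null counts and an empty domain set; that combination with an actor who does not normally manage external identities is a reasonable trigger for an analyst to confirm the partner tenant is expected.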

Details


Matt Zorich

Released: June 17, 2022

Tables

AuditLogs,SigninLogs

Keywords

AuditLogs,TimeGenerated,OperationName,Actor,GuestTenantId,SigninLogs,UserType,ResultType,AADTenantId,HomeTenantId,ResourceTenantId,UserPrincipalName,GuestDomains,GuestDomainNames

Operators

where,ago,==,!=,|,extend,tostring,parse_json,project,join,kind=inner,split,summarize,make_set,by,on,$left,$right,project-away
