Query Details
DCA Detect AAD Internals Use
Query
//Detect AADInternals use, where we see a domain changed from managed to federated, and the issuer contains any.sts or the issuer suffix is 8 characters, a combination of letters and numbers
//Data connector required for this query - M365 Defender - CloudAppEvents
CloudAppEvents
| where ActionType == "Set domain authentication."
| extend Actor = tostring(RawEventData.UserId)
| extend mp=parse_json(RawEventData.ModifiedProperties)
| extend DomainName = tostring(parse_json(tostring(RawEventData.Target))[0].ID)
| mv-apply mp on (
where mp.Name == "IssuerUri"
| extend Issuer=mp.NewValue
)
| extend mp=parse_json(RawEventData.ModifiedProperties)
| mv-apply mp on (
where mp.Name == "LiveType"
| extend OldDomainType = mp.OldValue
| extend NewDomainType = mp.NewValue
)
| project TimeGenerated, Actor, DomainName, OldDomainType, NewDomainType, Issuer
| parse Issuer with * @'://' Issuer @'"' *
| extend IssuerSuffix = split(Issuer, '/')[-1]
| where OldDomainType has "Managed" and NewDomainType has "Federated"
| where Issuer has "any.sts" or IssuerSuffix matches regex "^[a-zA-Z0-9]{8}$"
//Advanced Hunting query
//Data connector required for this query - Advanced Hunting license
CloudAppEvents
| where ActionType == "Set domain authentication."
| extend Actor = tostring(RawEventData.UserId)
| extend mp=parse_json(RawEventData.ModifiedProperties)
| extend DomainName = tostring(parse_json(tostring(RawEventData.Target))[0].ID)
| mv-apply mp on (
where mp.Name == "IssuerUri"
| extend Issuer=mp.NewValue
)
| extend mp=parse_json(RawEventData.ModifiedProperties)
| mv-apply mp on (
where mp.Name == "LiveType"
| extend OldDomainType = mp.OldValue
| extend NewDomainType = mp.NewValue
)
| project Timestamp, Actor, DomainName, OldDomainType, NewDomainType, Issuer
| parse Issuer with * @'://' Issuer @'"' *
| extend IssuerSuffix = split(Issuer, '/')[-1]
| where OldDomainType has "Managed" and NewDomainType has "Federated"
| where Issuer has "any.sts" or IssuerSuffix matches regex "^[a-zA-Z0-9]{8}$"Explanation
This query is used to detect the use of AADInternals in Microsoft 365 Defender. It looks for instances where a domain changes from managed to federated authentication. It also checks if the issuer contains "any.sts" or if the issuer suffix is 8 characters long and consists of letters and numbers. The query retrieves information such as the timestamp, actor, domain name, old domain type, new domain type, and issuer. It can be executed using either the CloudAppEvents data connector or the Advanced Hunting license.
Details
Matt Zorich
Released: June 16, 2023
Tables
CloudAppEvents
Keywords
CloudAppEvents,ActionType,Setdomainauthentication,Actor,RawEventData,UserId,ModifiedProperties,DomainName,Target,IssuerUri,Issuer,LiveType,OldDomainType,NewDomainType,TimeGenerated,IssuerSuffix,Managed,Federated,any.sts,regex,AdvancedHunting,Timestamp
Operators
| whereextendparse_jsonmv-applyprojectsplitmatches regexhas