Query Details

HQ 010 Federation Config Changes

Query

// =========================================================================
// HQ-010: Domain Federation / Authentication Configuration Changes
// =========================================================================
// Description : Modifying a domain's authentication type (Managed → 
//               Federated) is the cornerstone of the "Golden SAML" and
//               AADInternals federation abuse attacks. Attackers with 
//               Global Admin privilege can federate a domain with a rogue
//               IDP and forge SAML tokens for any user without knowing
//               their passwords. Any change here is extremely high-fidelity.
// MITRE ATT&CK: TA0003 Persistence
//               T1484.002 – Domain Trust Modification
//               TA0005 Defense Evasion
//               T1606.002 – Forge Web Credentials: SAML Token
// Tools       : AADInternals (ConvertTo-AADIntBackdoor), manual attacker
// Severity    : Critical
// Data Source : AuditLogs (Azure Active Directory)
// =========================================================================

AuditLogs
| where TimeGenerated > ago(90d)
| where ActivityDisplayName in (
    "Set domain authentication",
    "Set federation settings on domain",
    "Set DirSyncEnabled flag",
    "Set Company Information",
    "Set federation settings",
    "Update domain",
    "Verify domain")
| extend InitiatedByUPN  = tostring(InitiatedBy.user.userPrincipalName)
| extend InitiatedByApp  = tostring(InitiatedBy.app.displayName)
| extend Actor           = iff(isnotempty(InitiatedByUPN), InitiatedByUPN, InitiatedByApp)
| extend TargetDomain    = tostring(TargetResources[0].displayName)
| extend TargetId        = tostring(TargetResources[0].id)
| mv-expand Prop = TargetResources[0].modifiedProperties
| extend PropName        = tostring(Prop.displayName)
| extend OldValue        = tostring(Prop.oldValue)
| extend NewValue        = tostring(Prop.newValue)
| where Result == "success"
| project
    TimeGenerated,
    Actor,
    ActivityDisplayName,
    TargetDomain,
    TargetId,
    PropName,
    OldValue,
    NewValue,
    LoggedByService,
    CorrelationId
| order by TimeGenerated desc

Explanation

This query is designed to monitor and detect changes in domain authentication settings within Azure Active Directory, specifically focusing on modifications that could indicate a security threat. Here's a simplified breakdown:

  1. Purpose: The query aims to identify changes in domain authentication configurations, which could be exploited in attacks like "Golden SAML" and federation abuse. These changes are critical because they can allow attackers with high-level privileges to manipulate authentication processes and forge credentials.

  2. Data Source: It uses the AuditLogs from Azure Active Directory to track these changes.

  3. Time Frame: The query looks at logs from the past 90 days.

  4. Activities Monitored: It filters for specific activities related to domain authentication and federation settings, such as setting domain authentication, updating federation settings, and verifying domains.

  5. Details Extracted: For each relevant log entry, it extracts details like:

    • The time the change was made (TimeGenerated).
    • Who initiated the change (Actor), whether a user or an application.
    • The specific activity performed (ActivityDisplayName).
    • The domain affected (TargetDomain and TargetId).
    • The properties that were modified, including their old and new values (PropName, OldValue, NewValue); one output row is produced per modified property.
    • The service that logged the event and the correlation ID for pivoting to related events (LoggedByService, CorrelationId).

  6. Filtering: It only considers successful changes (Result == "success").

  7. Output: The results are displayed in descending order of time, showing the most recent changes first.

Overall, this query is a critical security measure to detect unauthorized or suspicious changes in domain authentication settings, which could indicate potential security breaches.
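The pipeline described above, re-implemented in Python over a handful of constructed AuditLogs-style records so the row shaping (actor coalescing, per-property fan-out, success and time-window filters, descending sort) can be inspected offline. This is an added example, not code from the original page or from the query's author. The record field names follow the columns and dynamic-property paths the KQL reads; the domain, UPN, application name, property names, timestamps and CorrelationId values are constructed placeholders, and the per-actor summary at the end is an extra triage step the query itself does not perform.

```python
from datetime import datetime, timedelta, timezone

# Activities the KQL filter matches (copied from the query above).
WATCHED_ACTIVITIES = {
    "Set domain authentication",
    "Set federation settings on domain",
    "Set DirSyncEnabled flag",
    "Set Company Information",
    "Set federation settings",
    "Update domain",
    "Verify domain",
}

NOW = datetime(2026, 4, 6, tzinfo=timezone.utc)  # constructed "query time"

# Constructed sample records. Field names mirror the AuditLogs columns and
# dynamic paths used by the query; all values are placeholders.
SAMPLE_AUDIT_LOGS = [
    {   # user-initiated authentication-type change, two modified properties -> 2 rows
        "TimeGenerated": NOW - timedelta(hours=2),
        "ActivityDisplayName": "Set domain authentication",
        "Result": "success",
        "LoggedByService": "Core Directory",
        "CorrelationId": "corr-placeholder-0001",
        "InitiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}, "app": None},
        "TargetResources": [{
            "displayName": "contoso.example",
            "id": "contoso.example",
            "modifiedProperties": [
                {"displayName": "AuthenticationType", "oldValue": "\"Managed\"", "newValue": "\"Federated\""},
                {"displayName": "IssuerUri", "oldValue": "", "newValue": "\"http://idp.placeholder.example/\""},
            ],
        }],
    },
    {   # app-initiated change: no user UPN, so Actor falls back to the app name -> 1 row
        "TimeGenerated": NOW - timedelta(days=1),
        "ActivityDisplayName": "Set DirSyncEnabled flag",
        "Result": "success",
        "LoggedByService": "Core Directory",
        "CorrelationId": "corr-placeholder-0002",
        "InitiatedBy": {"user": None, "app": {"displayName": "Directory Sync placeholder"}},
        "TargetResources": [{
            "displayName": "contoso.example",
            "id": "contoso.example",
            "modifiedProperties": [
                {"displayName": "DirSyncEnabled", "oldValue": "\"false\"", "newValue": "\"true\""},
            ],
        }],
    },
    {   # failed attempt: dropped by Result == "success"
        "TimeGenerated": NOW - timedelta(hours=3),
        "ActivityDisplayName": "Set federation settings on domain",
        "Result": "failure",
        "LoggedByService": "Core Directory",
        "CorrelationId": "corr-placeholder-0003",
        "InitiatedBy": {"user": {"userPrincipalName": "helpdesk@contoso.example"}, "app": None},
        "TargetResources": [{"displayName": "contoso.example", "id": "contoso.example",
                             "modifiedProperties": [{"displayName": "IssuerUri", "oldValue": "", "newValue": "\"x\""}]}],
    },
    {   # unrelated activity: dropped by the ActivityDisplayName allow-list
        "TimeGenerated": NOW - timedelta(hours=1),
        "ActivityDisplayName": "Update user",
        "Result": "success",
        "LoggedByService": "Core Directory",
        "CorrelationId": "corr-placeholder-0004",
        "InitiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}, "app": None},
        "TargetResources": [{"displayName": "someone@contoso.example", "id": "user-placeholder",
                             "modifiedProperties": [{"displayName": "JobTitle", "oldValue": "", "newValue": "\"x\""}]}],
    },
    {   # watched activity but outside the 90-day window: dropped
        "TimeGenerated": NOW - timedelta(days=120),
        "ActivityDisplayName": "Verify domain",
        "Result": "success",
        "LoggedByService": "Core Directory",
        "CorrelationId": "corr-placeholder-0005",
        "InitiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}, "app": None},
        "TargetResources": [{"displayName": "old.contoso.example", "id": "old.contoso.example",
                             "modifiedProperties": [{"displayName": "Verified", "oldValue": "", "newValue": "\"true\""}]}],
    },
]


def _get(obj, *path):
    """Null-safe walk of a dynamic path; mirrors tostring() yielding "" for missing values."""
    for key in path:
        if not isinstance(obj, dict) or obj.get(key) is None:
            return ""
        obj = obj[key]
    return str(obj)


def hq010_federation_changes(records, now=NOW, lookback_days=90):
    """Apply the HQ-010 filters and projections; returns rows newest first."""
    cutoff = now - timedelta(days=lookback_days)
    rows = []
    for rec in records:
        if rec["TimeGenerated"] <= cutoff:                      # TimeGenerated > ago(90d)
            continue
        if rec.get("ActivityDisplayName") not in WATCHED_ACTIVITIES:
            continue
        if rec.get("Result") != "success":                      # Result == "success"
            continue
        upn = _get(rec, "InitiatedBy", "user", "userPrincipalName")
        app = _get(rec, "InitiatedBy", "app", "displayName")
        actor = upn if upn else app                             # iff(isnotempty(UPN), UPN, App)
        target = (rec.get("TargetResources") or [{}])[0]
        # One row per modified property (mv-expand). A record with no properties
        # still yields one row with empty property fields, a choice made here so
        # a watched change is never silently dropped.
        for prop in target.get("modifiedProperties") or [{}]:
            rows.append({
                "TimeGenerated": rec["TimeGenerated"],
                "Actor": actor,
                "ActivityDisplayName": rec["ActivityDisplayName"],
                "TargetDomain": _get(target, "displayName"),
                "TargetId": _get(target, "id"),
                "PropName": _get(prop, "displayName"),
                "OldValue": _get(prop, "oldValue"),
                "NewValue": _get(prop, "newValue"),
                "LoggedByService": rec.get("LoggedByService", ""),
                "CorrelationId": rec.get("CorrelationId", ""),
            })
    rows.sort(key=lambda r: r["TimeGenerated"], reverse=True)   # order by TimeGenerated desc
    return rows


def summarize_by_actor(rows):
    """Triage helper: count property changes per (Actor, TargetDomain)."""
    counts = {}
    for r in rows:
        key = (r["Actor"], r["TargetDomain"])
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for row in hq010_federation_changes(SAMPLE_AUDIT_LOGS):
        print(row["TimeGenerated"].isoformat(), row["Actor"], row["ActivityDisplayName"],
              row["TargetDomain"], row["PropName"], row["OldValue"], "->", row["NewValue"])
    print(summarize_by_actor(hq010_federation_changes(SAMPLE_AUDIT_LOGS)))
```

On the sample input the three surviving rows are the two properties of the user-initiated authentication change followed by the application-initiated DirSync flag change; the failed attempt, the unrelated user update and the stale verification event are all dropped, which is the same set the KQL would return.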

Details


David Alonso

Released: April 6, 2026

Tables

AuditLogs

Keywords

AuditLogs, Azure Active Directory, Domain Federation, Authentication, Global Admin, SAML Tokens, User Passwords, MITRE ATT&CK, Persistence, Defense Evasion, AADInternals, TimeGenerated, ActivityDisplayName, InitiatedByUPN, InitiatedByApp, Actor, TargetDomain, TargetId, PropName, OldValue, NewValue, Result, Success

Operators

AuditLogs, |, where, >, ago, in, extend, tostring, iff, isnotempty, mv-expand, project, order by, desc
