Sigma rule outputs from CloudSigma rendered into Sentinel queries against the Entra ID Audit schema. Every rule is mapped to MITRE ATT&CK and validated against its dialect.
| Technique | Rule | Severity | Log source |
|---|---|---|---|
| T1078.004 | Valid Accounts: Cloud Accounts on Entra ID Audit | medium | Entra ID Audit |
| T1098 | Account Manipulation on Entra ID Audit | medium | Entra ID Audit |
Entra ID Federation Trust Modification, generated by CloudSigma and validated against the Sentinel dialect.
This rule is currently experimental. CloudSigma generated it from upstream threat intelligence; before enabling in production, tune the falsepositives section in your SIEM against your environment's known automation, service accounts and IP allowlist.
```yaml
title: Entra ID Federation Trust Modification
id: 0b1c2d3e-4f5a-6b7c-8d9e-0f1a2b3c4d5e
status: experimental
description: >
  Detects modification of federation trust settings in Entra ID.
  Adding or updating a federated identity provider lets the
  attacker mint SAML/OIDC tokens for any user in the tenant, the
  AAD Golden SAML / Magic Web pattern. Earlier versions of this
  rule looked at properties.targetResources[].displayName for
  literal type names, but Entra audit logs expose this signal in
  properties.activityDisplayName instead. The displayName field
  typically carries the actual domain name.
author: CloudSigma
date: 2026-04-24
references:
  - https://attack.mitre.org/techniques/T1078/004/
  - https://learn.microsoft.com/en-us/entra/identity/monitoring-health/concept-audit-logs
  - https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/
tags:
  - attack.persistence
  - attack.defense-evasion
  - attack.t1078.004
logsource:
  product: azure
  service: auditlogs
detection:
  selection:
    properties.category:
      - DirectoryManagement
      - ApplicationManagement
    properties.result: success
  selection_federation_activity:
    properties.activityDisplayName|contains:
      - Set domain authentication
      - Set federation settings on domain
      - Add identity provider
      - Update identity provider
      - Add unverified domain
  condition: selection and selection_federation_activity
falsepositives:
  - Documented federation configuration with a new partner organization
  - Migration between identity providers under change control
  - Re-verification of a domain after DNS changes
fields:
  - properties.activityDisplayName
  - properties.initiatedBy.user.userPrincipalName
  - properties.initiatedBy.app.displayName
  - properties.targetResources
level: critical
```
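To see what the `condition` above actually selects, here is an added example (not CloudSigma's generator output and not a Sentinel query) that evaluates the rule's two selections in Python over a handful of constructed Entra ID audit records shaped like the `properties.*` paths the rule references. The category, result and `activityDisplayName` phrases are copied from the rule; the records, the user principal names, the app name and the domain names are constructed. It applies Sigma's default case-insensitive matching for the `|contains` modifier, so the fourth record matches even though its activity name is upper-cased, and it carries the rule's `fields` into each alert, which is what you would want to see when tuning the `falsepositives` entries against your own change-control records.

```python
"""Evaluate the Sigma rule's detection block against constructed Entra ID audit records.

Added example, not CloudSigma's or Microsoft Sentinel's code. Field paths follow
the rule's `properties.*` names; every record below is constructed sample data.
"""
from typing import Any, Dict, Iterable, List

# Values copied from the rule's `detection` block.
CATEGORIES = {"DirectoryManagement", "ApplicationManagement"}
FEDERATION_ACTIVITY_SUBSTRINGS = [
    "Set domain authentication",
    "Set federation settings on domain",
    "Add identity provider",
    "Update identity provider",
    "Add unverified domain",
]


def get_path(record: Dict[str, Any], dotted: str) -> Any:
    """Resolve a dotted path such as 'properties.activityDisplayName'; None if absent."""
    cur: Any = record
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def matches_rule(record: Dict[str, Any]) -> bool:
    """Implements `condition: selection and selection_federation_activity`."""
    # selection: category is one of the listed values AND the operation succeeded.
    category = get_path(record, "properties.category")
    result = get_path(record, "properties.result")
    selection = category in CATEGORIES and result == "success"
    # selection_federation_activity: activityDisplayName contains any listed phrase.
    # Sigma string matching is case-insensitive by default, hence the lower-casing.
    activity_lc = (get_path(record, "properties.activityDisplayName") or "").lower()
    federation = any(s.lower() in activity_lc for s in FEDERATION_ACTIVITY_SUBSTRINGS)
    return selection and federation


def initiator(record: Dict[str, Any]) -> str:
    """Pick the UPN or the app display name named in the rule's `fields` list."""
    upn = get_path(record, "properties.initiatedBy.user.userPrincipalName")
    app = get_path(record, "properties.initiatedBy.app.displayName")
    return upn or app or "<unknown>"


def evaluate(records: Iterable[Dict[str, Any]]) -> List[Dict[str, str]]:
    """Return one alert per matching record, carrying the rule's `fields`."""
    alerts = []
    for rec in records:
        if matches_rule(rec):
            targets = get_path(rec, "properties.targetResources") or []
            alerts.append({
                "activity": get_path(rec, "properties.activityDisplayName"),
                "initiatedBy": initiator(rec),
                "targets": ", ".join(t.get("displayName", "") for t in targets),
            })
    return alerts


# Constructed sample records (hypothetical tenant, not real audit data).
SAMPLE_RECORDS = [
    {"properties": {  # matches: federation settings changed on a domain, success
        "category": "DirectoryManagement", "result": "success",
        "activityDisplayName": "Set federation settings on domain",
        "initiatedBy": {"user": {"userPrincipalName": "admin@example.test"}},
        "targetResources": [{"displayName": "example.test", "type": "Domain"}]}},
    {"properties": {  # no match: the attempt failed (result != success)
        "category": "DirectoryManagement", "result": "failure",
        "activityDisplayName": "Set domain authentication",
        "initiatedBy": {"user": {"userPrincipalName": "admin@example.test"}},
        "targetResources": [{"displayName": "example.test", "type": "Domain"}]}},
    {"properties": {  # no match: unrelated successful directory change
        "category": "DirectoryManagement", "result": "success",
        "activityDisplayName": "Update user",
        "initiatedBy": {"user": {"userPrincipalName": "helpdesk@example.test"}},
        "targetResources": [{"displayName": "jdoe", "type": "User"}]}},
    {"properties": {  # matches: identity provider added by an app, case differs
        "category": "ApplicationManagement", "result": "success",
        "activityDisplayName": "ADD IDENTITY PROVIDER",
        "initiatedBy": {"app": {"displayName": "Provisioning Automation"}},
        "targetResources": [{"displayName": "partner-idp", "type": "Other"}]}},
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_RECORDS):
        print(alert)
```

Running it prints two alerts, one initiated by a user and one by an application, which is exactly the split the `fields` list is designed to surface: an `initiatedBy.app` hit from a known provisioning tool is the kind of entry you would add to `falsepositives` under change control, while an interactive user changing federation settings outside a documented migration should stay at `critical`.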