Creating a detection rule for CloudAppEvents (#Solorigate)

Occasional Contributor

In reading this excellent write-up from Microsoft threat analytics:

https://securitycenter.windows.com/threatanalytics3/2b74f636-146e-48dd-94f6-5cb5132467ca/analystrepo...

 

It includes this threat hunting query for MS 365 to detect changes in domain federation trust settings:

 

let auditLookback = 1d; CloudAppEvents | where Timestamp > ago(auditLookback) | where ActionType =~ "Set federation settings on domain." | extend targetDetails = parse_json(ActivityObjects[1]) | extend targetDisplayName = targetDetails.Name | extend resultStatus = extractjson("$.ResultStatus", tostring(RawEventData), typeof(string)) | project Timestamp, ActionType, InitiatingUserOrApp=AccountDisplayName, targetDisplayName, resultStatus, InitiatingIPAddress=IPAddress, UserAgent

 

But I can't create a detection rule for it.  Even if you add "ReportID" to the last line, attempting to create a detection rule throws the error Can't save detection rule Your query must return a column with impacted users, devices, or mailboxes.

  

How can I create a detection rule based on this query so I can get alerts?

0 Replies