Creating a detection rule for CloudAppEvents (#Solorigate)

In reading this excellent write-up from Microsoft threat analytics:

https://securitycenter.windows.com/threatanalytics3/2b74f636-146e-48dd-94f6-5cb5132467ca/analystrepo...

It includes this threat hunting query for MS 365 to detect changes in domain federation trust settings:

let auditLookback = 1d;
CloudAppEvents
| where Timestamp > ago(auditLookback)
| where ActionType =~ "Set federation settings on domain."
| extend targetDetails = parse_json(ActivityObjects[1])
| extend targetDisplayName = targetDetails.Name
| extend resultStatus = extractjson("$.ResultStatus", tostring(RawEventData), typeof(string))
| project Timestamp, ActionType, InitiatingUserOrApp=AccountDisplayName, targetDisplayName, resultStatus, InitiatingIPAddress=IPAddress, UserAgent

But I can't create a detection rule for it. Even if you add "ReportID" to the last line, attempting to create a detection rule throws the error "Can't save detection rule: Your query must return a column with impacted users, devices, or mailboxes."

How can I create a detection rule based on this query so I can get alerts?
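One way to satisfy the rule engine's requirement, as an added example that is not part of the original post or of the Microsoft report: the same hunting query with the report and impacted-entity columns kept in the final projection. It assumes that a Microsoft 365 Defender custom detection rule needs Timestamp, ReportId and at least one entity column such as AccountObjectId, all of which CloudAppEvents provides.

```kql
// Added example, not code from the original post. Assumption: a custom
// detection rule requires Timestamp, ReportId and an impacted-entity column
// (AccountObjectId here) to survive the final "project".
let auditLookback = 1d;
CloudAppEvents
| where Timestamp > ago(auditLookback)
| where ActionType =~ "Set federation settings on domain."
| extend targetDetails = parse_json(ActivityObjects[1])
// tostring() gives the rule a plain string column instead of a dynamic one.
| extend targetDisplayName = tostring(targetDetails.Name)
| extend resultStatus = extractjson("$.ResultStatus", tostring(RawEventData), typeof(string))
// ReportId (lowercase "d": KQL column names are case-sensitive) and
// AccountObjectId let the rule attribute the alert to the initiating user;
// the analyst-friendly aliases from the original query are kept as well.
| project Timestamp, ReportId, AccountObjectId, ActionType,
          InitiatingUserOrApp = AccountDisplayName, targetDisplayName, resultStatus,
          InitiatingIPAddress = IPAddress, UserAgent
```

Run the query in Advanced hunting first to confirm that ReportId and AccountObjectId appear in the result columns before saving it as a detection rule.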
