Microsoft Tech Community

Creating a detection rule for CloudAppEvents (#Solorigate)


In reading this excellent write-up from Microsoft threat analytics:


It includes this threat hunting query for MS 365 to detect changes in domain federation trust settings:


let auditLookback = 1d;
CloudAppEvents
| where Timestamp > ago(auditLookback)
| where ActionType =~ "Set federation settings on domain."
| extend targetDetails = parse_json(ActivityObjects[1])
| extend targetDisplayName = targetDetails.Name
| extend resultStatus = extractjson("$.ResultStatus", tostring(RawEventData), typeof(string))
| project Timestamp, ActionType, InitiatingUserOrApp=AccountDisplayName, targetDisplayName, resultStatus, InitiatingIPAddress=IPAddress, UserAgent


But I can't create a detection rule for it. Even if you add "ReportID" to the last line, attempting to create a detection rule throws the error "Can't save detection rule" with the message "Your query must return a column with impacted users, devices, or mailboxes."


How can I create a detection rule based on this query so I can get alerts?

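Added example, not the poster's query and not the query from Microsoft's write-up: the same federation-settings hunt reshaped so that the custom detection wizard accepts it. The error quoted in the post is caused by the `project` line, which renames the only account column (`InitiatingUserOrApp=AccountDisplayName`) and so leaves no impacted-entity column for the rule to bind to. This version assumes two things about the Microsoft 365 Defender schema: that CloudAppEvents exposes `ReportId` and `AccountObjectId` (both are documented columns of that table), and that a custom detection requires `Timestamp`, `ReportId` and at least one impacted-entity column such as `AccountObjectId` or `AccountUpn` to appear in the output under their schema names.

```kql
// Added example (not the original post's or Microsoft's query): federation
// trust changes, shaped for a Microsoft 365 Defender custom detection rule.
// Assumption: custom detections need Timestamp, ReportId and an unrenamed
// entity column (here AccountObjectId) in the result set.
let auditLookback = 1d;
CloudAppEvents
| where Timestamp > ago(auditLookback)
| where ActionType =~ "Set federation settings on domain."
// ActivityObjects[1] carries the target domain in this event type
| extend targetDetails = parse_json(ActivityObjects[1])
| extend targetDisplayName = tostring(targetDetails.Name)
| extend resultStatus = extractjson("$.ResultStatus", tostring(RawEventData), typeof(string))
// Keep Timestamp, ReportId and AccountObjectId under their schema names;
// renaming any of them (as the original project line did for the account)
// is what triggers "must return a column with impacted users ...".
| project Timestamp, ReportId, AccountObjectId, AccountDisplayName,
          ActionType, targetDisplayName, resultStatus, IPAddress, UserAgent
```

When saving the rule, pick `AccountObjectId` as the impacted user in the wizard's impacted-entities step; the `ago()` guard is still useful because the rule's own schedule determines how far back each run looks. Federation settings are also changed legitimately during identity-provider onboarding, so triage alerts on the acting account, the source IP and `resultStatus` rather than treating every hit as compromise.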