Dec 22 2020 06:16 AM
In reading this excellent write-up from Microsoft threat analytics:
It includes this threat hunting query for MS 365 to detect changes in domain federation trust settings:
let auditLookback = 1d;
CloudAppEvents
| where Timestamp > ago(auditLookback)
| where ActionType =~ "Set federation settings on domain."
| extend targetDetails = parse_json(ActivityObjects[1])
| extend targetDisplayName = targetDetails.Name
| extend resultStatus = extractjson("$.ResultStatus", tostring(RawEventData), typeof(string))
| project Timestamp, ActionType, InitiatingUserOrApp=AccountDisplayName, targetDisplayName, resultStatus, InitiatingIPAddress=IPAddress, UserAgent
But I can't create a detection rule for it. Even if you add "ReportID" to the last line, attempting to create a detection rule throws the error: "Can't save detection rule. Your query must return a column with impacted users, devices, or mailboxes."
How can I create a detection rule based on this query so I can get alerts?
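As an added example (not the original poster's query, and not from the Microsoft write-up): the same hunt with the columns a custom detection rule in Microsoft 365 Defender looks for, on the assumption that the rule builder accepts `AccountObjectId` from CloudAppEvents as the impacted-user column alongside `Timestamp` and `ReportId`, and that the renamed `InitiatingUserOrApp` alias is what hides the identity from it.

```kql
// Added example, not from the original post. Assumption: the custom detection
// rule builder recognises Timestamp, ReportId and AccountObjectId (all present
// in the CloudAppEvents schema) as the required time, event and user columns.
let auditLookback = 1d;
CloudAppEvents
| where Timestamp > ago(auditLookback)
| where ActionType =~ "Set federation settings on domain."
| extend targetDetails = parse_json(ActivityObjects[1])
| extend targetDisplayName = tostring(targetDetails.Name)
| extend resultStatus = extractjson("$.ResultStatus", tostring(RawEventData), typeof(string))
// Keep the entity columns under their schema names: renaming AccountDisplayName
// to InitiatingUserOrApp leaves the rule builder with no recognisable user column.
| project Timestamp, ReportId, AccountObjectId, AccountDisplayName,
          ActionType, targetDisplayName, resultStatus,
          InitiatingIPAddress = IPAddress, UserAgent
```

The extra columns only feed the rule's impacted-entity mapping; the alert still triggers on the same federation-setting change the original hunt detects.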