title: New Federated Domain Added
id: 42127bdd-9133-474f-a6f1-97b6c08a4339
status: test
description: Alert for the addition of a new federated domain.
references:
    - https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf
    - https://us-cert.cisa.gov/ncas/alerts/aa21-008a
    - https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html
    - https://www.sygnia.co/golden-saml-advisory
    - https://o365blog.com/post/aadbackdoor/
author: '@ionsor'
date: 2022/02/08
tags:
    - attack.persistence
    - attack.t1136.003
logsource:
    service: exchange
    product: m365
detection:
    selection:
        eventSource: Exchange
        eventName: 'Add-FederatedDomain'
        status: success
    condition: selection
falsepositives:
    - The creation of a new Federated domain is not necessarily malicious, however these events need to be followed closely, as it may indicate federated credential abuse or backdoor via federated identities at a similar or different cloud provider.
level: medium