This detection uses AzureActivity logs (Administrative category) to identify a suspicious application adding a server instance to a Microsoft Entra ID Hybrid Health AD FS service, or deleting the AD FS service instance. Normally these operations are performed by the Microsoft Entra ID Connect Health Agent application, with application IDs cf6d7e68-f018-4e0a-a7b3-126e053fb88d and cb1056e2-e479-49de-ae31-7812af012ed8.
| Attribute | Value |
|---|---|
| Type | Analytic Rule |
| Solution | Azure Activity |
| ID | d9938c3b-16f9-444d-bc22-ea9a9110e0fd |
| Severity | Medium |
| Status | Available |
| Kind | Scheduled |
| Tactics | CredentialAccess, DefenseEvasion |
| Techniques | T1528, T1550 |
| Required Connectors | AzureActivity |
| Source | View on GitHub |
This content item queries data from the following tables:
| Table | Selection Criteria | Transformations | Ingestion API | Lake-Only |
|---|---|---|---|---|
| AzureActivity | `CategoryValue == "Administrative"` and `ResourceProviderValue == "Microsoft.ADHybridHealthService"` and `_ResourceId has "AdFederationService"` | ✗ | ✗ | ✗ |