Skip to content

Create azure_ad_cross_tenant_b2b_collab_signin.yml #5233

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open

Create azure_ad_cross_tenant_b2b_collab_signin.yml #5233

wants to merge 2 commits into from

Conversation

whichbuffer
Copy link
Contributor

Summary of the Pull Request

This PR introduces a new Sigma rule to detect suspicious sign-in activity involving cross-tenant B2B collaboration in Azure environments. This behavior could indicate potential lateral movement using a newly provisioned account.

Changelog

new: Suspicious Sign-In with Cross-Tenant B2B Collaboration

Example Log Event

{
    "id": "b5f1a2cd-34e6-44df-bb75-2d9f5e83c6a7",
    "createdDateTime": "2025-03-15T12:34:56Z",
    "userDisplayName": "John Doe",
    "userPrincipalName": "[email protected]",
    "userId": "a3b1c2d3-45e6-78f9-0123-456789abcdef",
    "appId": "00000003-0000-0000-c000-000000000000",
    "appDisplayName": "Microsoft Teams",
    "ipAddress": "192.168.1.10",
    "clientAppUsed": "Browser",
    "authenticationRequirementPolicies": [],
    "authenticationProcessingDetails": [],
    "authenticationDetails": [],
    "authenticationRequirement": "singleFactorAuthentication",
    "conditionalAccessStatus": "notApplied",
    "correlationId": "78912345-6789-4abc-bdef-0123456789ab",
    "createdDateTime": "2025-03-15T12:34:56Z",
    "deviceDetail": {
        "deviceId": "d6f1a2cd-23e6-44df-bb75-2d9f5e83c6a7",
        "displayName": "DESKTOP-EXTERNAL",
        "operatingSystem": "Windows 11",
        "browser": "Chrome 123"
    },
    "location": {
        "city": "Amsterdam",
        "state": "Noord-Holland",
        "countryOrRegion": "Netherlands",
        "geoCoordinates": {
            "latitude": 52.3676,
            "longitude": 4.9041
        }
    },
    "riskDetail": "none",
    "riskLevelAggregated": "low",
    "riskLevelDuringSignIn": "low",
    "riskState": "none",
    "status": {
        "errorCode": 0,
        "failureReason": "None",
        "additionalDetails": "None"
    },
    "resourceDisplayName": "Microsoft Teams",
    "resourceId": "b3c5e7f1-234d-45ab-bcde-67890abcdef1",
    "mfaDetail": {
        "authMethod": "None",
        "completedSuccessfully": false
    },
    "isInteractive": true,
    "tokenIssuerName": "sts.windows.net",
    "tokenIssuerType": "AzureAD",
    "networkLocationDetails": [],
    "homeTenantId": "12345678-90ab-cdef-1234-567890abcdef",
    "homeTenantName": "External Partner Organization",
    "crossTenantAccessType": "b2bCollaboration",
    "authenticationProtocol": "OAuth2.0"
}

Fixed Issues

N/A

SigmaHQ Rule Creation Conventions

  • If your PR adds new rules, please consider following and applying these conventions

@github-actions github-actions bot added the Rules label Mar 15, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
Rules
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@whichbuffer