Try in Splunk Security Cloud


This search detects the creation of a new Federation setting by alerting about an specific event related to its creation.

  • Type: TTP
  • Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • Last Updated: 2021-01-26
  • Author: Rod Soto, Splunk
  • ID: b2c81cc6-6040-11eb-ae93-0242ac130002


ID Technique Tactic
T1136.003 Cloud Account Persistence
T1136 Create Account Persistence
`o365_management_activity` Workload=AzureActiveDirectory Operation="Add app role assignment grant to user." 
| stats count min(_time) as firstTime max(_time) as lastTime values(Actor{}.ID) as Actor.ID values(Actor{}.Type) as Actor.Type by ActorIpAddress dest ResultStatus 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` 
| `o365_add_app_role_assignment_grant_user_filter`

Associated Analytic Story

How To Implement

You must install splunk Microsoft Office 365 add-on. This search works with o365:management:activity

Required field

  • _time
  • Workload
  • Operation
  • Actor{}.ID
  • Actor{}.Type
  • ActorIpAddress
  • dest
  • ResultStatus

Kill Chain Phase

  • Actions on Objective

Known False Positives

The creation of a new Federation is not necessarily malicious, however this events need to be followed closely, as it may indicate federated credential abuse or backdoor via federated identities at a different cloud provider.


Risk Score Impact Confidence Message
18.0 30 60 User $Actor.ID$ has created a new federation setting on $dest$ from IP Address $ActorIpAddress$


Test Dataset

Replay any dataset to Splunk Enterprise by using our tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

source | version: 1