What Changed

Three new hunting queries focused on Entra ID post-compromise activity that degrades security controls or establishes covert persistence through timing-based evasion and federation manipulation.

Detection Logic

All queries use the AuditLogs table exclusively and include Account/IP entity mappings:

PIM Role Activation Outside Business Hours: Surfaces PIM role activations during weekends or outside configurable business hours (default 07:00-20:00 UTC). Primary logic joins against successful RoleManagement operations for PIM activation events and filters by time-based anomalies.
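The following KQL is an added illustration of the time-based filter described above; it is not the query file shipped in this PR. The business-hours window and lookback are assumed parameters, the operation name "Add member to role completed (PIM activation)" and the LoggedByService value "PIM" are assumed from the standard AuditLogs schema, and the final extend mirrors the column naming that Sentinel entity mappings typically bind to.

```kql
// Added example: PIM role activations on weekends or outside business hours (UTC).
// Assumed parameters; the PR's query exposes these as configurable values.
let businessStartHourUtc = 7;   // inclusive
let businessEndHourUtc   = 20;  // exclusive
let lookback = 14d;
AuditLogs
| where TimeGenerated > ago(lookback)
| where LoggedByService == "PIM"                    // assumed service tag for PIM-sourced events
| where Category == "RoleManagement"
| where OperationName has "Add member to role completed (PIM activation)"  // assumed operation name
| where Result == "success"
// dayofweek() returns a timespan: 0d = Sunday, 6d = Saturday
| extend ActivationDay = dayofweek(TimeGenerated),
         ActivationHourUtc = hourofday(TimeGenerated)
| where ActivationDay == 0d or ActivationDay == 6d
     or ActivationHourUtc < businessStartHourUtc
     or ActivationHourUtc >= businessEndHourUtc
| extend InitiatingUser = tostring(InitiatedBy.user.userPrincipalName),
         InitiatingIp   = tostring(InitiatedBy.user.ipAddress)
// TargetResources holds several entries; keep the one describing the activated role
| mv-expand Target = TargetResources
| where tostring(Target.type) == "Role"
| extend RoleName = tostring(Target.displayName)
| project TimeGenerated, InitiatingUser, InitiatingIp, RoleName, OperationName, ActivationDay, ActivationHourUtc
| extend AccountCustomEntity = InitiatingUser, IPCustomEntity = InitiatingIp
```

Because the comparison is on the TimeGenerated hour in UTC, tenants whose staff work in other time zones should shift the two hour parameters rather than the timestamp; a hit is a prompt to confirm the activation against change records or the PIM justification field, not evidence of compromise on its own.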

Named Location Deleted/Modified: Identifies Add/Update/Delete operations on Entra ID named locations under the Policy category. Targets silent Conditional Access weakening where attackers modify IP range or country definitions rather than disabling CA policies directly.
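As an added example (not the PR's query file), this KQL sketches the Policy-category filter described above. The three operation names are assumed from the standard Entra ID audit vocabulary; the modifiedProperties array is carried through so an analyst can see which IP ranges or countries changed.

```kql
// Added example: named location add/update/delete events in the Policy category.
AuditLogs
| where TimeGenerated > ago(14d)
| where Category == "Policy"
// assumed operation names for Entra ID named locations
| where OperationName in ("Add named location", "Update named location", "Delete named location")
| where Result == "success"
// the change may be made by a user or by an application/service principal
| extend InitiatingUser = tostring(InitiatedBy.user.userPrincipalName),
         InitiatingIp   = tostring(InitiatedBy.user.ipAddress),
         InitiatingApp  = tostring(InitiatedBy.app.displayName)
| mv-expand Target = TargetResources
| extend NamedLocation     = tostring(Target.displayName),
         ModifiedProperties = Target.modifiedProperties   // old/new IP ranges or country lists
| project TimeGenerated, OperationName, InitiatingUser, InitiatingApp, InitiatingIp, NamedLocation, ModifiedProperties
| extend AccountCustomEntity = InitiatingUser, IPCustomEntity = InitiatingIp
```

Update events deserve the closest look: a deletion of a location referenced by a Conditional Access policy is loud and usually noticed, whereas widening an existing trusted IP range leaves every policy intact while quietly changing who satisfies it.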

Federated Domain Added: Surfaces “Set domain authentication” operations where domains transition to federated authentication. Filters for NewValue containing “Federated” to catch Golden SAML preparation attacks.
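The following added KQL is an illustration of the NewValue filter described above, not the query in this PR. It assumes the standard shape of the "Set domain authentication" audit event, in which TargetResources carries the domain and its modifiedProperties record the authentication type transition.

```kql
// Added example: domains switched to federated authentication.
AuditLogs
| where TimeGenerated > ago(14d)
| where OperationName == "Set domain authentication"
| where Result == "success"
| extend InitiatingUser = tostring(InitiatedBy.user.userPrincipalName),
         InitiatingIp   = tostring(InitiatedBy.user.ipAddress),
         InitiatingApp  = tostring(InitiatedBy.app.displayName)
| mv-expand Target = TargetResources
| extend DomainName = tostring(Target.displayName)
// one row per changed property; keep only the transition to Federated
| mv-expand ModifiedProperty = Target.modifiedProperties
| where tostring(ModifiedProperty.newValue) has "Federated"
| extend PropertyName = tostring(ModifiedProperty.displayName),
         OldValue     = tostring(ModifiedProperty.oldValue),
         NewValue     = tostring(ModifiedProperty.newValue)
| project TimeGenerated, DomainName, InitiatingUser, InitiatingApp, InitiatingIp, PropertyName, OldValue, NewValue
| extend AccountCustomEntity = InitiatingUser, IPCustomEntity = InitiatingIp
```

Any unplanned hit should be cross-checked with the tenant's federation settings for that domain, since a newly federated domain with an attacker-controlled signing certificate is the precondition the Golden SAML technique relies on.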

MITRE Mapping

  • T1078.004 (Cloud Accounts): PIM activation outside business hours
  • T1562.001 (Disable Security Tools): Named location manipulation
  • T1484.002 (Trust Modification): Domain federation changes for Golden SAML

Affected Files

Hunting Queries/AuditLogs/FederatedDomainAddedToTenant.yaml
Hunting Queries/AuditLogs/NamedLocationDeletedOrModified.yaml
Hunting Queries/AuditLogs/PIMRoleActivationOutsideBusinessHours.yaml