Multi-tenant access allows accounts from any Azure Active Directory tenant, or even personal accounts, to access an application, rather than only accounts from one specific directory. You might need to see which applications have been switched to multi-tenancy when doing the following:
Prerequisites
In order to execute this procedure in your environment, the following data, services, or apps are required:
Example
Your company uses SolarWinds Orion business software, which suffered the Sunburst backdoor attack. You want to identify any lateral movement associated with the attack by checking whether any applications have been opened up to multi-tenancy.
NOTE: To optimize the search shown below, you should specify an index and a time range.
- Run the following search:
sourcetype="azure:aad:audit" activityDisplayName="Update application" operationType=Update
result=success targetResources{}.modifiedProperties{}.displayName=AvailableToOtherTenants
| table activityDateTime initiatedBy.user.userPrincipalName
targetResources{}.displayName additionalDetails{}.value
Search explanation
The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.
| Splunk Search | Explanation |
|---|---|
| sourcetype="azure:aad:audit" | Search only Azure Active Directory audit data. |
| activityDisplayName="Update application" | Search for the "Update application" action. |
| operationType=Update result=success targetResources{}.modifiedProperties{}.displayName=AvailableToOtherTenants | Search for updates that successfully made a resource available to other tenants. |
| \| table activityDateTime initiatedBy.user.userPrincipalName targetResources{}.displayName additionalDetails{}.value | Display the results in a table with columns in the order shown. |
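As an added illustration, not code from the Splunk article or the Azure add-on, the same filter the search applies is written below in Python over a few constructed audit records, so you can see which record survives each clause of the search and which column each field feeds. Field names follow the Azure AD audit schema the search queries; the sample values, application names and helper names are assumptions.

```python
import json

def _event(ts, result, upn, app, prop, new_value, details=()):
    """Build a constructed audit record shaped like sourcetype="azure:aad:audit"."""
    return {
        "activityDateTime": ts, "activityDisplayName": "Update application",
        "operationType": "Update", "result": result,
        "initiatedBy": {"user": {"userPrincipalName": upn}},
        "targetResources": [{"displayName": app, "modifiedProperties": [
            {"displayName": prop, "oldValue": "\"false\"", "newValue": new_value}]}],
        "additionalDetails": [{"key": "User-Agent", "value": v} for v in details],
    }

SAMPLE_EVENTS = [  # constructed sample data, not real tenant records
    _event("2021-01-05T10:12:31Z", "success", "admin@example.com", "orion-reporting",
           "AvailableToOtherTenants", "\"true\"", ["Mozilla/5.0"]),   # the switch we want
    _event("2021-01-05T10:13:02Z", "failure", "admin@example.com", "orion-reporting",
           "AvailableToOtherTenants", "\"true\""),                    # dropped: result!=success
    _event("2021-01-05T11:40:10Z", "success", "dev@example.com", "payroll-portal",
           "DisplayName", "\"payroll-portal\""),                     # dropped: other property
]

def _as_bool(value):
    """Azure AD JSON-encodes property values, so newValue may be '"true"' or 'true'."""
    try:
        value = json.loads(value)
    except (TypeError, ValueError):
        return False
    return value.strip('"').lower() == "true" if isinstance(value, str) else bool(value)

def find_multitenant_switches(events):
    """Apply the SPL filter and return the same columns the search tables."""
    rows = []
    for ev in events:
        if (ev.get("activityDisplayName"), ev.get("operationType"), ev.get("result")) \
                != ("Update application", "Update", "success"):
            continue
        user = ev.get("initiatedBy", {}).get("user", {}).get("userPrincipalName")
        for res in ev.get("targetResources", []):
            for prop in res.get("modifiedProperties", []):
                if prop.get("displayName") == "AvailableToOtherTenants":
                    rows.append({
                        "activityDateTime": ev.get("activityDateTime"),
                        "userPrincipalName": user,
                        "application": res.get("displayName"),
                        "additionalDetails": [d.get("value") for d in ev.get("additionalDetails", [])],
                        "now_multitenant": _as_bool(prop.get("newValue")),  # extra context column
                    })
    return rows
```

The `now_multitenant` column goes one step beyond the search by reading `newValue`, so a row that merely flipped the flag back to false is distinguishable from one that opened the application up.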
Result
The Microsoft Azure Add-on for Splunk has additional searches and pre-built security content for Azure data that can help you interpret these results and take further steps to resolve security concerns related to applications being switched to Azure Active Directory multi-tenant access.