Summary
Add detection coverage for adding or modifying an external authentication method (EAM) in Entra ID. This technique can be used to establish a backdoor or additional persistence for authentication and authorization, based on Microsoft's implementation of OIDC and the corresponding checks for EAM. Detection relies solely on Microsoft Graph Activity Logs, where specific requests are made to add or modify an EAM. While federated identity is not uncommon, the use of EAM is relatively new in Entra ID, as this was previously done via custom access (CA) policies. However, it can be abused to add a third-party IdP to the OIDC workflow, which would then act as an AiTM between the user and the authorization server (Entra ID), with the IdP handling the MFA requirement.
```
event.dataset: azure.graphactivitylogs and url.path: *authenticationMethodsPolicy* and http.request.method: "PATCH"
```
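To show what the proposed query actually selects, here is an added Python example (not code from the rule repository) that applies the same three conditions to constructed Graph Activity Log records: exact match on `event.dataset`, a KQL-style `*` wildcard on `url.path`, and an exact match on `http.request.method`. The sample records, their paths, and the `user.id`/`client.ip` fields are constructed for illustration and are not real tenant data. The method set is a parameter so the same logic can be checked against a wider set if creation requests also need covering.

```python
import json
import re
from typing import Iterable

# Values taken from the proposed rule. url.path is a KQL-style wildcard;
# the other two fields are exact keyword matches.
RULE_DATASET = "azure.graphactivitylogs"
RULE_PATH_GLOB = "*authenticationMethodsPolicy*"
RULE_METHODS = frozenset({"PATCH"})

# Constructed sample records (not real tenant data), flattened to the field
# names the rule uses plus ECS user.id / client.ip for triage context.
SAMPLE_LOGS = [
    # Modification of the EAM configuration: the rule should fire on this one.
    json.dumps({
        "event.dataset": "azure.graphactivitylogs",
        "http.request.method": "PATCH",
        "url.path": "/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/ExternalAuthenticationMethod",
        "user.id": "user-1111",
        "client.ip": "203.0.113.10",
    }),
    # Same path, read-only request: not a modification, must not fire.
    json.dumps({
        "event.dataset": "azure.graphactivitylogs",
        "http.request.method": "GET",
        "url.path": "/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/ExternalAuthenticationMethod",
        "user.id": "user-2222",
        "client.ip": "203.0.113.11",
    }),
    # Create request on the same policy: outside the PATCH-only query as written.
    json.dumps({
        "event.dataset": "azure.graphactivitylogs",
        "http.request.method": "POST",
        "url.path": "/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations",
        "user.id": "user-3333",
        "client.ip": "203.0.113.12",
    }),
    # PATCH elsewhere in Graph: wrong path, must not fire.
    json.dumps({
        "event.dataset": "azure.graphactivitylogs",
        "http.request.method": "PATCH",
        "url.path": "/v1.0/users/user-1111",
        "user.id": "user-4444",
        "client.ip": "203.0.113.13",
    }),
    # Right path and method but a different dataset: must not fire.
    json.dumps({
        "event.dataset": "azure.auditlogs",
        "http.request.method": "PATCH",
        "url.path": "/beta/policies/authenticationMethodsPolicy",
        "user.id": "user-5555",
        "client.ip": "203.0.113.14",
    }),
    # Truncated line, as an ingest glitch would produce: skipped, not an error.
    '{"event.dataset": "azure.graphactivitylogs", "http.request.method": "PATCH"',
]


def glob_to_regex(glob: str) -> re.Pattern:
    """Translate a KQL-style wildcard (only '*' is special) into a regex for fullmatch."""
    return re.compile(".*".join(re.escape(part) for part in glob.split("*")), re.DOTALL)


PATH_RE = glob_to_regex(RULE_PATH_GLOB)


def matches_rule(event: dict, methods: frozenset = RULE_METHODS) -> bool:
    """Apply the three conditions of the proposed query to one flattened record."""
    return (
        event.get("event.dataset") == RULE_DATASET
        and PATH_RE.fullmatch(event.get("url.path", "")) is not None
        and event.get("http.request.method", "") in methods
    )


def detect(lines: Iterable[str], methods: frozenset = RULE_METHODS) -> list:
    """Return the records (as dicts) that the rule would alert on."""
    hits = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed records rather than aborting the sweep
        if isinstance(event, dict) and matches_rule(event, methods):
            hits.append(event)
    return hits


def describe(hit: dict) -> str:
    """One-line triage summary: which request, by whom, from where."""
    return (
        f"{hit['http.request.method']} {hit['url.path']} "
        f"by {hit.get('user.id', 'unknown')} from {hit.get('client.ip', '?')}"
    )


if __name__ == "__main__":
    for hit in detect(SAMPLE_LOGS):
        print(describe(hit))
```

Run as a script it prints one line, for the PATCH against the EAM configuration. Calling `detect(SAMPLE_LOGS, frozenset({"PATCH", "POST"}))` also surfaces the constructed POST record, which illustrates what the PATCH-only query leaves out; whether creation requests need coverage is worth confirming against the Graph API reference before widening the rule.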
ref: https://www.youtube.com/watch?v=eKFgOtNpxwU
ref: https://dirkjanm.io/persisting-with-federated-credentials-entra-apps-managed-identities/