Domain or Tenant Policy Modification: Trust Modification `T1484.002`

Tactics: Defense Impairment, Privilege Escalation

Adversaries may add new domain trusts, modify the properties of existing domain trusts, or otherwise change the configuration of trust relationships between domains and tenants to evade defenses and/or elevate privileges.Trust details, such as whether or not user identities are federated, allow authentication and authorization properties to apply between domains or tenants for the purpose of accessing shared resources. These trust objects may include accounts, credentials, and other authentication material applied to servers, tokens, and domains.

Authoring guide

Patterns shared across the 15 rules above: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (22 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

Field	Rules	How	Sample values
`EventType`	10	`eq` 8, `in` 2	`ADD_TRUSTED_DOMAINS`, `Add-FederatedDomain`, `CreateOpenIDConnectProvider`, `CreateSAMLProvider`, `New-AcceptedDomain`
`data_stream.dataset`	8	`eq` 8	`aws.cloudtrail`, `okta.system`, `azure.auditlogs`, `google_workspace.admin`, `o365.audit`
`Provider_Name`	5	`eq` 5	`iam.amazonaws.com`, `Exchange`, `admin`
`event.outcome`	5	`eq` 5	`success`
`event.category`	3	`eq` 3	`ADMINISTRATOR_MANAGEMENT`, `iam`, `web`
`sourcetype`	3	`eq` 3	`azure:monitor:aad`, `o365:management:activity`
`Operation`	2	`contains` 1, `in` 1	`Add a partner to cross-tenant access setting.`, `Delete partner specific cross-tenant access setting.`, `add`, `domain`, `new`
`operationName`	2	`eq` 2	`Add unverified domain`, `Set domain authentication`
`"properties.result"`	1	`eq` 1	`success`
`Esql.external_idp_new_issuer`	1	`is_not_null` 1
`Esql.external_idp_old_issuer`	1	`is_not_null` 1, `ne` 1	`Esql.external_idp_new_issuer`
`Workload`	1	`eq` 1	`AzureActiveDirectory`
`action`	1	`in` 1	`CreateSAMLIdentityProvider`, `DeleteSAMLIdentityProvider`, `ModifySAMLIdentityProviderGroupMappings`
`azure.auditlogs.properties.category`	1	`eq` 1	`DirectoryManagement`
`azure.auditlogs.properties.target_resources.0.modified_properties.0.display_name`	1	`eq` 1	`FederatedIdentityCredentials`

Top indicator values (52 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely-used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique. Click a value to expand the rules under this technique that use it.

Field	Kind	Value	Rules (here)	Corpus reach
`event.outcome`	`eq`	`success` elasticAWS IAM OIDC Provider Created by Rare User elasticAWS IAM SAML Provider Created elasticAWS IAM SAML Provider Updated elasticEntra ID Domain Federation Configuration Change elasticM365 Exchange Federated Domain Created or Modified	5	251
`Provider_Name`	`eq`	`iam.amazonaws.com` elasticAWS IAM OIDC Provider Created by Rare User elasticAWS IAM SAML Provider Created elasticAWS IAM SAML Provider Updated	3	25
`Provider_Name`	`eq`	`Exchange` elasticM365 Exchange Federated Domain Created or Modified	1	19
`Provider_Name`	`eq`	`admin` elasticDomain Added to Google Workspace Trusted Domains	1	9
`data_stream.dataset`	`eq`	`aws.cloudtrail` elasticAWS IAM OIDC Provider Created by Rare User elasticAWS IAM SAML Provider Created elasticAWS IAM SAML Provider Updated	3	141
`data_stream.dataset`	`eq`	`okta.system` elasticAttempt to Deactivate an Okta Network Zone elasticNew Okta Identity Provider (IdP) Added by Admin	2	48
`sourcetype`	`eq`	`azure:monitor:aad` splunkAzure AD New Custom Domain Added splunkAzure AD New Federated Domain Added	2	47
`"properties.result"`	`eq`	`success` splunkAzure AD New Federated Domain Added	1
`Esql.external_idp_old_issuer`	`ne`	`Esql.external_idp_new_issuer` elasticEntra ID Federated Identity Credential Issuer Modified	1
`EventType`	`eq`	`ADD_TRUSTED_DOMAINS` elasticDomain Added to Google Workspace Trusted Domains	1
`EventType`	`eq`	`CreateOpenIDConnectProvider` elasticAWS IAM OIDC Provider Created by Rare User	1
`EventType`	`eq`	`CreateSAMLProvider` elasticAWS IAM SAML Provider Created	1
`EventType`	`eq`	`UPDATE` pantherZIA Trust Modification	1	3
`EventType`	`eq`	`Update application` elasticEntra ID Federated Identity Credential Issuer Modified	1
`EventType`	`eq`	`UpdateSAMLProvider` elasticAWS IAM SAML Provider Updated	1
`EventType`	`eq`	`system.idp.lifecycle.create` elasticNew Okta Identity Provider (IdP) Added by Admin	1
`EventType`	`eq`	`zone.deactivate` elasticAttempt to Deactivate an Okta Network Zone	1
`EventType`	`in`	`Add-FederatedDomain` elasticM365 Exchange Federated Domain Created or Modified	1
`EventType`	`in`	`New-AcceptedDomain` elasticM365 Exchange Federated Domain Created or Modified	1
`EventType`	`in`	`Remove-AcceptedDomain` elasticM365 Exchange Federated Domain Created or Modified	1
`EventType`	`in`	`Remove-FederatedDomain` elasticM365 Exchange Federated Domain Created or Modified	1
`EventType`	`in`	`Set domain authentication` elasticEntra ID Domain Federation Configuration Change	1
`EventType`	`in`	`Set federation settings on domain` elasticEntra ID Domain Federation Configuration Change	1
`EventType`	`in`	`Set-AcceptedDomain` elasticM365 Exchange Federated Domain Created or Modified	1
`EventType`	`in`	`Set-MsolDomainFederationSettings` elasticM365 Exchange Federated Domain Created or Modified	1
`Operation`	`contains`	`add` sigmaNew Federated Domain Added	1
`Operation`	`contains`	`domain` sigmaNew Federated Domain Added	1	2
`Operation`	`contains`	`new` sigmaNew Federated Domain Added	1
`Operation`	`in`	`Add a partner to cross-tenant access setting.` splunkO365 Cross-Tenant Access Change	1
`Operation`	`in`	`Delete partner specific cross-tenant access setting.` splunkO365 Cross-Tenant Access Change	1

Exclusions (2 distinct)

Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths. Click a value to expand the rules under this technique that exclude it.

Field	Kind	Value	Rules excluding
`aws::sourceIPAddress`	`eq`	`sso.amazonaws.com` elasticAWS IAM SAML Provider Updated	1
`aws::userAgent`	`eq`	`sso.amazonaws.com` elasticAWS IAM SAML Provider Updated	1

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)

Domain or Tenant Policy Modification: Trust Modification `T1484.002`

Authoring guide

Fields filtered most (22 distinct)

Top indicator values (52 distinct)

Exclusions (2 distinct)

Rules under this technique

Sigma 1 rule

Elastic 9 rules

Splunk 3 rules

Panther 2 rules

Keyboard shortcuts

Search operators

Domain or Tenant Policy Modification: Trust Modification T1484.002

Authoring guide

Fields filtered most (22 distinct)

Top indicator values (52 distinct)

Exclusions (2 distinct)

Rules under this technique

Sigma 1 rule

Elastic 9 rules

Splunk 3 rules

Panther 2 rules

Domain or Tenant Policy Modification: Trust Modification `T1484.002`