
Summary
This rule detects critical Entra ID (Azure AD) domain federation configuration changes by monitoring Microsoft Entra ID Audit Logs. It triggers when a domain federation or domain authentication setting is added or modified, which is typically performed via the Microsoft Graph API or the Azure portal. Domain federation delegates authentication for a UPN suffix to an external IdP. Malicious actors with elevated privileges can abuse this to forge SAML/WS-Federation tokens (Golden SAML), enabling persistent access across all users of the federated domain and bypassing MFA and conditional access.

The rule targets events where a federation configuration is changed successfully (e.g., Set domain authentication or Set federation settings on domain) and correlates related events using a correlation_id to establish the full attack chain. It maps to MITRE ATT&CK techniques for Domain/Tenant Policy Modification and Account Manipulation (including Additional Cloud Credentials), highlighting a high-risk, high-blast-radius persistence path.

The rule relies on the Azure Entra ID Audit Logs integration, specifically DirectoryManagement events, and requires subsequent investigation to retrieve federation configuration details via the Graph API (which are not logged in the event properties). Investigation steps include identifying who performed the change, the target domain, correlating companion events, reviewing the issuer URI and signing certificates, and checking for precursor events indicating a broader attack chain.

False positives may include legitimate IT administration during migrations or maintenance. Remediation guidance includes removing unauthorized federation, reverting the domain to a non-federated configuration, revoking active sessions, auditing sign-ins for the affected domain, and tightening access controls (e.g., Privileged Identity Management) and policies governing domain federation changes.

This rule emphasizes rapid detection, thorough investigation, and robust post-incident containment for a technique known to be used by advanced threat actor campaigns.
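The following is an added illustration of the detection logic described above, run over a handful of constructed audit records; it is not the rule's own query and not code from the rule's author. The records are shaped like Microsoft Graph directoryAudit objects (category, activityDisplayName, result, correlationId, initiatedBy, targetResources), which is an assumption about the log schema; every value in them (UPNs, IPs, domains, ids, timestamps, and the "Verify domain" companion event) is made up for the example. The detector keeps only successful DirectoryManagement events whose activity is one of the two named on the page, then bundles every event that shares a correlation_id so the alert carries the companion and precursor events an analyst would review.

```python
"""Toy detector for Entra ID domain federation changes over constructed audit records."""
from collections import defaultdict

# Activities named in the rule description; compared case-insensitively.
FEDERATION_ACTIVITIES = {
    "set domain authentication",
    "set federation settings on domain",
}

def _event(eid, activity, when, result, corr, upn, ip, domain, category="DirectoryManagement"):
    """Build one constructed record in the assumed directoryAudit shape (sample data only)."""
    return {
        "id": eid,
        "category": category,
        "activityDisplayName": activity,
        "activityDateTime": when,
        "result": result,
        "correlationId": corr,
        "initiatedBy": {"user": {"userPrincipalName": upn, "ipAddress": ip}},
        "targetResources": [{"displayName": domain, "type": "Domain"}],
    }

# Constructed sample log: one real-looking federation change chain (corr-aaa), one failed
# attempt (corr-bbb) and one unrelated directory change (corr-ccc). Not real log data.
SAMPLE_EVENTS = [
    _event("evt-0", "Verify domain", "2026-03-03T10:14:58Z", "success", "corr-aaa",
           "admin@example.com", "203.0.113.10", "corp.example.com"),
    _event("evt-1", "Set domain authentication", "2026-03-03T10:15:02Z", "success", "corr-aaa",
           "admin@example.com", "203.0.113.10", "corp.example.com"),
    _event("evt-2", "Set federation settings on domain", "2026-03-03T10:15:03Z", "success", "corr-aaa",
           "admin@example.com", "203.0.113.10", "corp.example.com"),
    _event("evt-3", "Set domain authentication", "2026-03-03T11:00:00Z", "failure", "corr-bbb",
           "helpdesk@example.com", "198.51.100.7", "lab.example.com"),
    _event("evt-4", "Update user", "2026-03-03T11:05:00Z", "success", "corr-ccc",
           "helpdesk@example.com", "198.51.100.7", "lab.example.com", category="UserManagement"),
]

def is_federation_change(event):
    """True for a successful DirectoryManagement event whose activity is a federation change."""
    return (
        event.get("category") == "DirectoryManagement"
        and str(event.get("result", "")).lower() == "success"
        and str(event.get("activityDisplayName", "")).lower() in FEDERATION_ACTIVITIES
    )

def actor_of(event):
    """Identity that initiated the change: a user UPN, else an app display name, else 'unknown'."""
    initiated = event.get("initiatedBy") or {}
    user = initiated.get("user") or {}
    app = initiated.get("app") or {}
    return user.get("userPrincipalName") or app.get("displayName") or "unknown"

def source_ip_of(event):
    user = (event.get("initiatedBy") or {}).get("user") or {}
    return user.get("ipAddress")

def target_domains(event):
    """Domain names among the event's target resources."""
    return sorted({
        t.get("displayName") for t in event.get("targetResources", [])
        if t.get("type") == "Domain" and t.get("displayName")
    })

def detect_federation_changes(events):
    """Return one alert per correlation_id that contains at least one federation change.

    Every event sharing that correlation_id (precursors such as domain verification and
    companion settings changes) is bundled into the alert in timestamp order, since the
    audit event itself does not carry the federation configuration that was written.
    """
    by_corr = defaultdict(list)
    for e in events:
        by_corr[e.get("correlationId")].append(e)

    alerts = []
    for corr_id, group in by_corr.items():
        matched = [e for e in group if is_federation_change(e)]
        if not matched:
            continue
        group.sort(key=lambda e: e.get("activityDateTime", ""))
        alerts.append({
            "correlation_id": corr_id,
            "actor": actor_of(matched[0]),
            "source_ip": source_ip_of(matched[0]),
            "domains": sorted({d for e in matched for d in target_domains(e)}),
            "activities": [e.get("activityDisplayName") for e in group],
            "first_seen": group[0].get("activityDateTime"),
            # The event properties do not include issuer URI or signing certs; those must be
            # pulled from the domain's federation configuration via Graph during triage.
            "follow_up": "retrieve federation configuration for the listed domains via Graph API",
        })
    return alerts

if __name__ == "__main__":
    for alert in detect_federation_changes(SAMPLE_EVENTS):
        print(alert)
```

Running it yields a single alert for corr-aaa attributed to admin@example.com against corp.example.com, with the activity chain Verify domain, Set domain authentication, Set federation settings on domain; the failed attempt and the unrelated user update produce nothing. In a real pipeline the same grouping would be done on the ingested audit stream and the alert enriched with the Graph lookup the page calls for.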
Categories
- Azure
- Cloud
- Identity Management
Data Sources
- Application Log
ATT&CK Techniques
- T1484
- T1484.002
- T1098
- T1098.001
Created: 2026-03-03