
New or Modified Federation Domain

Elastic Detection Rules

Summary
This detection rule identifies the creation or modification of federation domains in Office 365 (O365). A federation domain establishes a trust relationship between O365 and an external identity provider, so an adversary who can alter these settings may redirect authentication flows and gain unauthorized access. The rule monitors O365 logs for operations such as 'Set-AcceptedDomain' or 'Add-FederatedDomain'. By investigating these events, analysts can determine whether a privilege escalation attempt has occurred. Investigation involves reviewing the event logs to pinpoint the change, validating the legitimacy of the user accounts involved, confirming that recent modifications match administrative requests, examining the context of the change, and correlating it with other security alerts. Response involves promptly disabling any unauthorized federation domain, auditing access logs, and updating policies to guard against recurrence. False positives may arise from routine administrative actions or legitimate service integrations, so such activity should be documented and monitoring practices adjusted accordingly.
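The following is an added example, not part of the Elastic rule or this page, showing the rule's conditions applied to audit events and enriched for the triage steps above (actor, target domain, whether the actor is an expected admin). The ECS-style field names, the cmdlet parameter names (-DomainName, -Identity) and the sample events are assumptions constructed for the example.

```python
# Exchange Online operations named by the rule summary; extend for your tenant.
FEDERATION_DOMAIN_ACTIONS = frozenset({"Set-AcceptedDomain", "Add-FederatedDomain"})

def _parameter(event, name):
    """Return one cmdlet parameter from the audit record's Parameters list."""
    for param in event.get("o365.audit.Parameters", []):
        if param.get("Name") == name:
            return str(param.get("Value", ""))
    return ""

def detect_federation_domain_changes(events, expected_admins):
    """Apply the rule's conditions (successful Exchange audit event with a watched
    operation) and enrich each hit with actor and target domain for triage."""
    findings = []
    for ev in events:
        if (ev.get("event.dataset") != "o365.audit" or ev.get("event.provider") != "Exchange"
                or ev.get("event.action") not in FEDERATION_DOMAIN_ACTIONS
                or ev.get("event.outcome") != "success"):  # failed attempts are outside this rule
            continue
        actor = ev.get("user.name", "")
        findings.append({
            "timestamp": ev.get("@timestamp"),
            "actor": actor,
            "action": ev["event.action"],
            # Add-FederatedDomain takes -DomainName; Set-AcceptedDomain takes -Identity
            "domain": _parameter(ev, "DomainName") or _parameter(ev, "Identity"),
            "source_ip": ev.get("source.ip"),
            "actor_is_expected_admin": actor in expected_admins,
        })
    return findings

# Constructed sample events in the ECS-style layout the Elastic o365 module emits.
_BASE = {"event.dataset": "o365.audit", "event.provider": "Exchange"}
SAMPLE_EVENTS = [
    {**_BASE, "@timestamp": "2021-05-17T08:02:11Z", "event.action": "Add-FederatedDomain",
     "event.outcome": "success", "user.name": "svc-sync@example.com", "source.ip": "203.0.113.10",
     "o365.audit.Parameters": [{"Name": "DomainName", "Value": "sso.example.net"}]},
    {**_BASE, "@timestamp": "2021-05-17T09:15:40Z", "event.action": "Set-AcceptedDomain",
     "event.outcome": "success", "user.name": "admin@example.com", "source.ip": "198.51.100.7",
     "o365.audit.Parameters": [{"Name": "Identity", "Value": "corp.example.com"}]},
    {**_BASE, "@timestamp": "2021-05-17T09:20:02Z", "event.action": "Add-FederatedDomain",
     "event.outcome": "failure", "user.name": "svc-sync@example.com"},  # failed, not a hit
    {**_BASE, "@timestamp": "2021-05-17T09:31:55Z", "event.action": "Set-Mailbox",
     "event.outcome": "success", "user.name": "admin@example.com"},  # unrelated cmdlet
]

def run_sample():
    """Run the detection over the constructed events with one approved admin."""
    return detect_federation_domain_changes(SAMPLE_EVENTS, {"admin@example.com"})
```

In the sample, the service account adding a new federated domain from an unexpected address is the hit worth escalating first; the approved admin's change is the kind of routine action the false-positive note above describes.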
Categories
  • Cloud
  • Identity Management
  • Infrastructure
Data Sources
  • Application Log
  • User Account
  • Cloud Service
  • Network Traffic
ATT&CK Techniques
  • T1484
  • T1484.002
Created: 2021-05-17