Azure Conditional Access Policy Modified
Identifies when an Azure Conditional Access policy is modified. Azure Conditional Access policies control access to resources via if-then statements. For example, if a user wants to access a resource, then they must complete an action such as using multi-factor authentication to access it. An adversary may modify a Conditional Access policy in order to weaken their target's security controls.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2020/09/01"
3integration = ["azure"]
4maturity = "production"
5updated_date = "2024/05/21"
6
7[rule]
8author = ["Elastic"]
9description = """
10Identifies when an Azure Conditional Access policy is modified. Azure Conditional Access policies control access to
11resources via if-then statements. For example, if a user wants to access a resource, then they must complete an action
12such as using multi-factor authentication to access it. An adversary may modify a Conditional Access policy in order to
13weaken their target's security controls.
14"""
15from = "now-25m"
16index = ["filebeat-*", "logs-azure*"]
17language = "kuery"
18license = "Elastic License v2"
19name = "Azure Conditional Access Policy Modified"
20note = """## Setup
21
22The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
23references = ["https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview"]
24risk_score = 47
25rule_id = "bc48bba7-4a23-4232-b551-eca3ca1e3f20"
26severity = "medium"
27tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Configuration Audit", "Tactic: Persistence"]
28timestamp_override = "event.ingested"
29type = "query"
30
31query = '''
32event.dataset:(azure.activitylogs or azure.auditlogs) and
33event.action:"Update conditional access policy" and event.outcome:(Success or success)
34'''
35
36
37[[rule.threat]]
38framework = "MITRE ATT&CK"
39[[rule.threat.technique]]
40id = "T1098"
41name = "Account Manipulation"
42reference = "https://attack.mitre.org/techniques/T1098/"
43
44
45[rule.threat.tactic]
46id = "TA0003"
47name = "Persistence"
48reference = "https://attack.mitre.org/tactics/TA0003/"
Setup
The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
References
Related rules
- Azure Automation Runbook Created or Modified
- Azure Automation Webhook Created
- User Added as Owner for Azure Application
- User Added as Owner for Azure Service Principal
- Azure AD Global Administrator Role Assigned