Azure Conditional Access Policy Modified
Identifies when an Azure Conditional Access policy is modified. Azure Conditional Access policies control access to resources via if-then statements. For example, if a user wants to access a resource, then they must complete an action such as using multi-factor authentication to access it. An adversary may modify a Conditional Access policy in order to weaken their target's security controls.
Elastic rule (View on GitHub)
```toml
[metadata]
creation_date = "2020/09/01"
integration = ["azure"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"

[rule]
author = ["Elastic"]
description = """
Identifies when an Azure Conditional Access policy is modified. Azure Conditional Access policies control access to
resources via if-then statements. For example, if a user wants to access a resource, then they must complete an action
such as using multi-factor authentication to access it. An adversary may modify a Conditional Access policy in order to
weaken their target's security controls.
"""
from = "now-25m"
index = ["filebeat-*", "logs-azure*"]
language = "kuery"
license = "Elastic License v2"
name = "Azure Conditional Access Policy Modified"
note = """## Setup

The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = ["https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview"]
risk_score = 47
rule_id = "bc48bba7-4a23-4232-b551-eca3ca1e3f20"
severity = "medium"
tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Configuration Audit", "Tactic: Persistence"]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset:(azure.activitylogs or azure.auditlogs) and
event.action:"Update conditional access policy" and event.outcome:(Success or success)
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1098"
name = "Account Manipulation"
reference = "https://attack.mitre.org/techniques/T1098/"


[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
```
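The query matches every successful policy update, whether it tightened or loosened anything, so an alert still needs triage against the policy's state before and after the change (Azure AD audit log entries for this operation carry that as oldValue/newValue strings under the target resource's modified properties). The Python below is an added example, not Elastic's code and not part of the rule: it re-implements the three KQL predicates over constructed, flattened ECS-style events and adds a heuristic that flags the common weakening moves (policy disabled, a grant control such as MFA dropped, an extra account excluded). The `policy_old`/`policy_new` fields and the simplified policy JSON are assumptions standing in for the real modified-properties field path, which differs between integration versions; note also that KQL keyword matching is exact and case-sensitive, which is why the rule lists both `Success` and `success`.

```python
"""Added example: the rule's KQL predicates plus a before/after policy triage
step, run over constructed Azure audit log events (not real telemetry)."""
import json

# Predicates taken from the rule's KQL query.
RULE_DATASETS = {"azure.activitylogs", "azure.auditlogs"}
RULE_ACTION = "Update conditional access policy"
RULE_OUTCOMES = {"Success", "success"}  # exact keyword matches, both spellings


def matches_rule(event: dict) -> bool:
    """event.dataset:(azure.activitylogs or azure.auditlogs) and
    event.action:"Update conditional access policy" and
    event.outcome:(Success or success)"""
    return (
        event.get("event.dataset") in RULE_DATASETS
        and event.get("event.action") == RULE_ACTION
        and event.get("event.outcome") in RULE_OUTCOMES
    )


def weakening_indicators(old_policy: dict, new_policy: dict) -> list:
    """Compare a policy document before and after the change and list edits
    that reduce enforcement. Heuristic triage aid, not an exhaustive check."""
    findings = []
    if old_policy.get("state") == "enabled" and new_policy.get("state") != "enabled":
        findings.append(f"state changed from enabled to {new_policy.get('state')}")
    old_ctl = set(old_policy.get("grantControls", {}).get("builtInControls", []))
    new_ctl = set(new_policy.get("grantControls", {}).get("builtInControls", []))
    for dropped in sorted(old_ctl - new_ctl):
        findings.append(f"grant control removed: {dropped}")
    old_excl = set(old_policy.get("conditions", {}).get("users", {}).get("excludeUsers", []))
    new_excl = set(new_policy.get("conditions", {}).get("users", {}).get("excludeUsers", []))
    for added in sorted(new_excl - old_excl):
        findings.append(f"user excluded from policy: {added}")
    return findings


def triage(event: dict) -> dict:
    """Apply the rule; for matches, diff the embedded old/new policy JSON.
    `policy_old` / `policy_new` are ASSUMED field names (see lead-in)."""
    result = {"match": matches_rule(event), "indicators": []}
    if result["match"] and "policy_old" in event and "policy_new" in event:
        result["indicators"] = weakening_indicators(
            json.loads(event["policy_old"]), json.loads(event["policy_new"])
        )
    return result


def run(events: list) -> list:
    return [triage(e) for e in events]


def _policy(state, controls, exclude_users=()):
    """Minimal Conditional Access policy document in a constructed shape."""
    return json.dumps({
        "displayName": "Require MFA for all users",
        "state": state,
        "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": list(exclude_users)}},
        "grantControls": {"operator": "OR", "builtInControls": list(controls)},
    })


# Constructed sample events, flattened ECS style.
SAMPLE_EVENTS = [
    {  # policy switched off: rule fires, triage flags the state change
        "event.dataset": "azure.auditlogs", "event.action": RULE_ACTION,
        "event.outcome": "success", "user.name": "admin@example.com",
        "policy_old": _policy("enabled", ["mfa"]),
        "policy_new": _policy("disabled", ["mfa"]),
    },
    {  # same edit rejected by Azure: the outcome filter drops it
        "event.dataset": "azure.auditlogs", "event.action": RULE_ACTION,
        "event.outcome": "failure", "user.name": "helpdesk@example.com",
        "policy_old": _policy("enabled", ["mfa"]),
        "policy_new": _policy("disabled", ["mfa"]),
    },
    {  # creating a policy is a different operation name
        "event.dataset": "azure.activitylogs", "event.action": "Add conditional access policy",
        "event.outcome": "Success", "user.name": "admin@example.com",
    },
    {  # MFA dropped and an extra account excluded: two indicators
        "event.dataset": "azure.auditlogs", "event.action": RULE_ACTION,
        "event.outcome": "Success", "user.name": "svc-automation@example.com",
        "policy_old": _policy("enabled", ["mfa", "compliantDevice"], ["break-glass@example.com"]),
        "policy_new": _policy("enabled", ["compliantDevice"],
                              ["break-glass@example.com", "attacker@example.com"]),
    },
    {  # identical action from a dataset the rule does not query
        "event.dataset": "o365.audit", "event.action": RULE_ACTION,
        "event.outcome": "Success", "user.name": "admin@example.com",
    },
]

if __name__ == "__main__":
    for event, result in zip(SAMPLE_EVENTS, run(SAMPLE_EVENTS)):
        print(event["event.dataset"], event["event.outcome"], result)
```

Only the first and fourth events alert; the triage output tells an analyst which of those actually removed protection rather than, say, adding a named location. Legitimate administration also produces successful updates, so in practice the alert is tuned on the acting principal and change-management windows rather than suppressed outright.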
Setup
The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
References
- https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview
Related rules
- Azure Automation Runbook Created or Modified
- Azure Automation Webhook Created
- User Added as Owner for Azure Application
- User Added as Owner for Azure Service Principal
- Application Added to Google Workspace Domain