CA Policy Removed by Non Approved Actor

Oct 23, 2025 · attack.privilege-escalation attack.credential-access attack.defense-evasion attack.persistence attack.t1548 attack.t1556 ·

Share on:

Monitor and alert on conditional access changes where non approved actor removed CA Policy.

Sigma rule (View on GitHub)

 1title: CA Policy Removed by Non Approved Actor
 2id: 26e7c5e2-6545-481e-b7e6-050143459635
 3status: test
 4description: Monitor and alert on conditional access changes where non approved actor removed CA Policy.
 5references:
 6    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-infrastructure#conditional-access
 7author: Corissa Koopmans, '@corissalea'
 8date: 2022-07-19
 9tags:
10    - attack.privilege-escalation
11    - attack.credential-access
12    - attack.defense-evasion
13    - attack.persistence
14    - attack.t1548
15    - attack.t1556
16logsource:
17    product: azure
18    service: auditlogs
19detection:
20    selection:
21        properties.message: Delete conditional access policy
22    condition: selection
23falsepositives:
24    - Misconfigured role permissions
25    - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
26level: medium

References

Microsoft Entra security operations for infrastructure - Microsoft Entra

Learn how to monitor and alert on infrastructure components to identify security threats.

Read More

CA Policy Removed by Non Approved Actor

Sigma rule (View on GitHub)

References

Microsoft Entra security operations for infrastructure - Microsoft Entra

Related rules