CA Policy Removed by Non Approved Actor

Monitor and alert on conditional access changes where non approved actor removed CA Policy.

Sigma rule (View on GitHub)

 1title: CA Policy Removed by Non Approved Actor
 2id: 26e7c5e2-6545-481e-b7e6-050143459635
 3status: test
 4description: Monitor and alert on conditional access changes where non approved actor removed CA Policy.
 5references:
 6    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-infrastructure#conditional-access
 7author: Corissa Koopmans, '@corissalea'
 8date: 2022/07/19
 9tags:
10    - attack.defense_evasion
11    - attack.persistence
12    - attack.t1548
13    - attack.t1556
14logsource:
15    product: azure
16    service: auditlogs
17detection:
18    selection:
19        properties.message: Delete conditional access policy
20    condition: selection
21falsepositives:
22    - Misconfigured role permissions
23    - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
24level: medium

References

Related rules

to-top