CA Policy Removed by Non Approved Actor
Monitor and alert on conditional access changes where non approved actor removed CA Policy.
Sigma rule (View on GitHub)
1title: CA Policy Removed by Non Approved Actor
2id: 26e7c5e2-6545-481e-b7e6-050143459635
3status: test
4description: Monitor and alert on conditional access changes where non approved actor removed CA Policy.
5references:
6 - https://learn.microsoft.com/en-us/entra/architecture/security-operations-infrastructure#conditional-access
7author: Corissa Koopmans, '@corissalea'
8date: 2022-07-19
9tags:
10 - attack.defense-evasion
11 - attack.persistence
12 - attack.t1548
13 - attack.t1556
14logsource:
15 product: azure
16 service: auditlogs
17detection:
18 selection:
19 properties.message: Delete conditional access policy
20 condition: selection
21falsepositives:
22 - Misconfigured role permissions
23 - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
24level: medium
References
Related rules
- CA Policy Updated by Non Approved Actor
- User Added To Group With CA Policy Modification Access
- User Removed From Group With CA Policy Modification Access
- Change to Authentication Method
- Github High Risk Configuration Disabled