CA Policy Removed by Non Approved Actor

Oct 17, 2023 · attack.defense_evasion attack.persistence attack.t1548 attack.t1556 ·

Monitor and alert on conditional access changes where non approved actor removed CA Policy.

Sigma rule (View on GitHub)

 1title: CA Policy Removed by Non Approved Actor
 2id: 26e7c5e2-6545-481e-b7e6-050143459635
 3status: test
 4description: Monitor and alert on conditional access changes where non approved actor removed CA Policy.
 5references:
 6    - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-infrastructure#conditional-access
 7author: Corissa Koopmans, '@corissalea'
 8date: 2022/07/19
 9tags:
10    - attack.defense_evasion
11    - attack.persistence
12    - attack.t1548
13    - attack.t1556
14logsource:
15    product: azure
16    service: auditlogs
17detection:
18    selection:
19        properties.message: Delete conditional access policy
20    condition: selection
21falsepositives:
22    - Misconfigured role permissions
23    - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
24level: medium

References

Microsoft Entra security operations for infrastructure - Microsoft Entra

Learn how to monitor and alert on infrastructure components to identify security threats.

Read More

CA Policy Removed by Non Approved Actor

Sigma rule (View on GitHub)

References

Microsoft Entra security operations for infrastructure - Microsoft Entra

Related rules