CA Policy Updated by Non Approved Actor
Monitor and alert on conditional access policy changes. Note that the detection below matches every "Update conditional access policy" audit event; the "non approved actor" judgement is a triage step, not a filter in the rule. For each hit, check whether the Initiated by (actor) value is an identity approved to make such changes, then review the Modified Properties and compare the "old" and "new" values to see what the change actually did.
Sigma rule
```yaml
title: CA Policy Updated by Non Approved Actor
id: 50a3c7aa-ec29-44a4-92c1-fce229eef6fc
status: test
description: Monitor and alert on conditional access changes. Is Initiated by (actor) approved to make changes? Review Modified Properties and compare "old" vs "new" value.
references:
    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-infrastructure#conditional-access
author: Corissa Koopmans, '@corissalea'
date: 2022-07-19
modified: 2024-05-28
tags:
    - attack.privilege-escalation
    - attack.credential-access
    - attack.defense-evasion
    - attack.persistence
    - attack.t1548
    - attack.t1556
logsource:
    product: azure
    service: auditlogs
detection:
    selection:
        properties.message: Update conditional access policy
    condition: selection
falsepositives:
    - Misconfigured role permissions
    - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
level: medium
```
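The rule's selection plus the two triage questions from its description, run over constructed audit events. This is an added example, not code from the Sigma rule or from SigmaHQ: the allow-list `APPROVED_ACTORS`, the sample events, and the nested layout under `properties` (`initiatedBy`, `targetResources[].modifiedProperties[]` with JSON-encoded `oldValue`/`newValue`) are assumptions modelled on Entra audit-log exports, not real telemetry.

```python
import json
from typing import Any

# Hypothetical allow-list of identities permitted to change CA policies.
# In practice this comes from change records or the group holding that right.
APPROVED_ACTORS = {"ca-admin@contoso.example"}

RULE_MESSAGE = "Update conditional access policy"  # the rule's selection value

# Constructed sample events (not real data); the field layout is an assumption.
SAMPLE_EVENTS = [
    {   # CA policy disabled by an identity that is not on the allow-list
        "properties": {
            "message": RULE_MESSAGE,
            "initiatedBy": {"user": {"userPrincipalName": "helpdesk@contoso.example"}},
            "targetResources": [{
                "displayName": "Require MFA for all users",
                "modifiedProperties": [{
                    "displayName": "ConditionalAccessPolicy",
                    "oldValue": json.dumps({"state": "enabled", "grantControls": ["mfa"]}),
                    "newValue": json.dumps({"state": "disabled", "grantControls": ["mfa"]}),
                }],
            }],
        }
    },
    {   # unrelated audit event; must not match the rule
        "properties": {
            "message": "Add member to group",
            "initiatedBy": {"user": {"userPrincipalName": "helpdesk@contoso.example"}},
            "targetResources": [],
        }
    },
    {   # report-only policy switched to enforced by an approved actor
        "properties": {
            "message": RULE_MESSAGE,
            "initiatedBy": {"user": {"userPrincipalName": "ca-admin@contoso.example"}},
            "targetResources": [{
                "displayName": "Block legacy auth",
                "modifiedProperties": [{
                    "displayName": "ConditionalAccessPolicy",
                    "oldValue": json.dumps({"state": "enabledForReportingButNotEnforced"}),
                    "newValue": json.dumps({"state": "enabled"}),
                }],
            }],
        }
    },
]


def matches_rule(event: dict) -> bool:
    """The Sigma selection: properties.message equals the rule string."""
    return event.get("properties", {}).get("message") == RULE_MESSAGE


def actor_of(event: dict) -> str:
    """Initiating identity: user UPN, else the app display name, else unknown."""
    init = event.get("properties", {}).get("initiatedBy", {})
    user = init.get("user") or {}
    app = init.get("app") or {}
    return user.get("userPrincipalName") or app.get("displayName") or "unknown"


def _decode(value: Any) -> Any:
    """old/new values are assumed to be JSON-encoded strings; decode when possible."""
    if isinstance(value, str):
        try:
            return json.loads(value)
        except ValueError:
            return value
    return value


def diff_modified_properties(event: dict) -> list[tuple[str, str, Any, Any]]:
    """Return (property, key, old, new) for every value that actually changed."""
    changes = []
    for target in event.get("properties", {}).get("targetResources", []):
        for prop in target.get("modifiedProperties", []):
            name = prop.get("displayName", "?")
            old, new = _decode(prop.get("oldValue")), _decode(prop.get("newValue"))
            if isinstance(old, dict) and isinstance(new, dict):
                for key in sorted(set(old) | set(new)):
                    if old.get(key) != new.get(key):
                        changes.append((name, key, old.get(key), new.get(key)))
            elif old != new:
                changes.append((name, "", old, new))
    return changes


def triage(events, approved=APPROVED_ACTORS) -> list[dict]:
    """Rule hits enriched with the actor check and the old/new diff."""
    hits = []
    for ev in events:
        if not matches_rule(ev):
            continue
        actor = actor_of(ev)
        targets = ev["properties"].get("targetResources", [])
        hits.append({
            "actor": actor,
            "approved": actor in approved,
            "policy": targets[0].get("displayName") if targets else None,
            "changes": diff_modified_properties(ev),
        })
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        flag = "OK   " if hit["approved"] else "ALERT"
        print(f"{flag} {hit['actor']} modified {hit['policy']!r}: {hit['changes']}")
```

The diff step is what separates a benign hit (report-only to enforced, by an approved admin) from the one worth paging on (an MFA policy flipped from enabled to disabled by an unapproved identity); a raw match on the message string alone gives both the same weight.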
Related rules
- CA Policy Removed by Non Approved Actor
- User Added To Group With CA Policy Modification Access
- User Removed From Group With CA Policy Modification Access
- Certificate-Based Authentication Enabled
- Change to Authentication Method