CA Policy Updated by Non Approved Actor
Monitor and alert on conditional access changes. Is Initiated by (actor) approved to make changes? Review Modified Properties and compare "old" vs "new" value.
Sigma rule (View on GitHub)
1title: CA Policy Updated by Non Approved Actor
2id: 50a3c7aa-ec29-44a4-92c1-fce229eef6fc
3status: test
4description: Monitor and alert on conditional access changes. Is Initiated by (actor) approved to make changes? Review Modified Properties and compare "old" vs "new" value.
5references:
6 - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-infrastructure#conditional-access
7author: Corissa Koopmans, '@corissalea'
8date: 2022/07/19
9tags:
10 - attack.defense_evasion
11 - attack.persistence
12 - attack.t1548
13 - attack.t1556
14logsource:
15 product: azure
16 service: auditlogs
17detection:
18 keywords:
19 - Update conditional access policy
20 condition: keywords
21falsepositives:
22 - Misconfigured role permissions
23 - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
24level: medium
References
Related rules
- CA Policy Removed by Non Approved Actor
- User Added To Group With CA Policy Modification Access
- User Removed From Group With CA Policy Modification Access
- Change to Authentication Method
- Abuse of Service Permissions to Hide Services Via Set-Service