CA Policy Updated by Non Approved Actor

Monitor and alert on Conditional Access policy changes. Check whether the actor shown in Initiated By is approved to make such changes, then review Modified Properties and compare the "old" and "new" values.

Sigma rule

```yaml
title: CA Policy Updated by Non Approved Actor
id: 50a3c7aa-ec29-44a4-92c1-fce229eef6fc
status: test
description: Monitor and alert on conditional access changes. Is Initiated by (actor) approved to make changes? Review Modified Properties and compare "old" vs "new" value.
references:
    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-infrastructure#conditional-access
author: Corissa Koopmans, '@corissalea'
date: 2022/07/19
modified: 2024/05/28
tags:
    - attack.defense_evasion
    - attack.persistence
    - attack.t1548
    - attack.t1556
logsource:
    product: azure
    service: auditlogs
detection:
    selection:
        # Matches the audit log operation recorded when a CA policy is modified
        properties.message: Update conditional access policy
    condition: selection
falsepositives:
    - Misconfigured role permissions
    - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
level: medium
```
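The triage the rule description asks for, as an added example that is not part of the SigmaHQ rule or its page: it applies the `properties.message` selection to constructed Azure audit log events, checks the Initiated By actor against an allow-list, and diffs the Modified Properties old vs new values. The allow-list, the sample events and the `make_event` helper are assumptions for illustration.

```python
import json

# Assumption: placeholder allow-list of actors approved to change CA policies.
APPROVED_ACTORS = {"ca-admin@example.com"}

def matches_rule(event):
    # Sigma selection: properties.message equals the CA policy update operation.
    return event.get("properties", {}).get("message") == "Update conditional access policy"

def actor_of(event):
    # "Initiated by (actor)": user UPN, or app display name for a service principal.
    who = event["properties"].get("initiatedBy", {})
    user = who.get("user", {}).get("userPrincipalName")
    return user or who.get("app", {}).get("displayName", "unknown")

def diff_modified_properties(event):
    # Compare each modifiedProperties old vs new value. Entra stores them as JSON
    # strings, so parse them and report the individual policy keys that changed.
    changes = []
    for target in event["properties"].get("targetResources", []):
        for prop in target.get("modifiedProperties", []):
            old = json.loads(prop.get("oldValue") or "{}") or {}
            new = json.loads(prop.get("newValue") or "{}") or {}
            for key in sorted(set(old) | set(new)):
                if old.get(key) != new.get(key):
                    changes.append((prop["displayName"], key, old.get(key), new.get(key)))
    return changes

def triage(events):
    # Apply the rule, then answer the triage questions from the description:
    # is the actor approved, and what changed (old -> new)?
    return [{"actor": actor_of(e), "approved": actor_of(e) in APPROVED_ACTORS,
             "changes": diff_modified_properties(e)} for e in events if matches_rule(e)]

def make_event(message, actor, old, new):
    # Constructed audit event with the field layout the functions above read.
    return {"properties": {"message": message,
        "initiatedBy": {"user": {"userPrincipalName": actor}},
        "targetResources": [{"displayName": "Require MFA for all users",
            "modifiedProperties": [{"displayName": "ConditionalAccessPolicy",
                "oldValue": json.dumps(old), "newValue": json.dumps(new)}]}]}}

SAMPLE_EVENTS = [  # constructed sample data, not real log records
    make_event("Update conditional access policy", "ca-admin@example.com",
               {"state": "enabled"}, {"state": "enabled", "displayName": "Require MFA v2"}),
    make_event("Update conditional access policy", "helpdesk@example.com",
               {"state": "enabled"}, {"state": "disabled"}),
    make_event("Add user", "helpdesk@example.com", {}, {}),
]
```

Running `triage(SAMPLE_EVENTS)` yields two hits: the approved admin's rename, and the unapproved actor's change of `state` from enabled to disabled, which is the one worth escalating.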
