User Added To Group With CA Policy Modification Access
Monitor and alert on group membership additions of groups that have CA policy modification access
Sigma rule (View on GitHub)
1title: User Added To Group With CA Policy Modification Access
2id: 91c95675-1f27-46d0-bead-d1ae96b97cd3
3status: test
4description: Monitor and alert on group membership additions of groups that have CA policy modification access
5references:
6 - https://learn.microsoft.com/en-us/entra/architecture/security-operations-infrastructure#conditional-access
7author: Mark Morowczynski '@markmorow', Thomas Detzner '@tdetzner'
8date: 2022-08-04
9tags:
10 - attack.defense-evasion
11 - attack.persistence
12 - attack.t1548
13 - attack.t1556
14logsource:
15 product: azure
16 service: auditlogs
17detection:
18 selection:
19 properties.message: Add member from group
20 condition: selection
21falsepositives:
22 - User removed from the group is approved
23level: medium
References
Related rules
- CA Policy Removed by Non Approved Actor
- CA Policy Updated by Non Approved Actor
- User Removed From Group With CA Policy Modification Access
- Change to Authentication Method
- Github High Risk Configuration Disabled