User Removed From Group With CA Policy Modification Access
Monitor and alert on group membership removal of groups that have CA policy modification access
Sigma rule (View on GitHub)
1title: User Removed From Group With CA Policy Modification Access
2id: 665e2d43-70dc-4ccc-9d27-026c9dd7ed9c
3status: test
4description: Monitor and alert on group membership removal of groups that have CA policy modification access
5references:
6 - https://learn.microsoft.com/en-us/entra/architecture/security-operations-infrastructure#conditional-access
7author: Mark Morowczynski '@markmorow', Thomas Detzner '@tdetzner'
8date: 2022-08-04
9tags:
10 - attack.defense-evasion
11 - attack.persistence
12 - attack.t1548
13 - attack.t1556
14logsource:
15 product: azure
16 service: auditlogs
17detection:
18 selection:
19 properties.message: Remove member from group
20 condition: selection
21falsepositives:
22 - User removed from the group is approved
23level: medium
References
Related rules
- CA Policy Removed by Non Approved Actor
- CA Policy Updated by Non Approved Actor
- User Added To Group With CA Policy Modification Access
- Change to Authentication Method
- Github High Risk Configuration Disabled