User Removed From Group With CA Policy Modification Access

 1title: User Removed From Group With CA Policy Modification Access
 2id: 665e2d43-70dc-4ccc-9d27-026c9dd7ed9c
 3status: test
 4description: Monitor and alert on group membership removal of groups that have CA policy modification access
 5references:
 6    - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-infrastructure#conditional-access
 7author: Mark Morowczynski '@markmorow', Thomas Detzner '@tdetzner'
 8date: 2022/08/04
 9tags:
10    - attack.defense_evasion
11    - attack.persistence
12    - attack.t1548
13    - attack.t1556
14logsource:
15    product: azure
16    service: auditlogs
17detection:
18    selection:
19        properties.message: Remove member from group
20    condition: selection
21falsepositives:
22    - User removed from the group is approved
23level: medium

References

• Microsoft Entra security operations for infrastructure - Microsoft Entra

  

  Learn how to monitor and alert on infrastructure components to identify security threats.

  
  Read More

Related rules

• CA Policy Removed by Non Approved Actor
• CA Policy Updated by Non Approved Actor
• User Added To Group With CA Policy Modification Access
• Change to Authentication Method
• Abuse of Service Permissions to Hide Services Via Set-Service