Detects the possible addition of shadow credentials to an Active Directory object.
Detects when a user disables a critical security feature for an organization.
A change to an authentication method could indicate that an attacker has added an auth method to the account so they can have continued access.
Monitor and alert on conditional access changes where a non-approved actor removed a CA policy.
Monitor and alert on conditional access changes. Is the Initiated by (actor) approved to make changes? Review Modified Properties and compare the "old" vs "new" values.
Monitor and alert on membership additions to groups that have CA policy modification access.
Monitor and alert on membership removals from groups that have CA policy modification access.
Detects when multi-factor authentication has been disabled, which might indicate malicious activity to bypass authentication mechanisms.