sigmamediumHunting

CA Policy Updated by Non Approved Actor

Monitor and alert on conditional access changes. Is Initiated by (actor) approved to make changes? Review Modified Properties and compare "old" vs "new" value.

MITRE ATT&CK

T1548 T1556

privilege-escalationcredential-accessdefense-evasionpersistence

Detection Query

selection:
  properties.message: Update conditional access policy
condition: selection

Author

Corissa Koopmans, '@corissalea'

Created

2022-07-19

Data Sources

azureauditlogs

Platforms

azure

References

https://learn.microsoft.com/en-us/entra/architecture/security-operations-infrastructure#conditional-access

Tags

attack.privilege-escalationattack.credential-accessattack.defense-evasionattack.persistenceattack.t1548attack.t1556

Raw Content

title: CA Policy Updated by Non Approved Actor
id: 50a3c7aa-ec29-44a4-92c1-fce229eef6fc
status: test
description: Monitor and alert on conditional access changes. Is Initiated by (actor) approved to make changes? Review Modified Properties and compare "old" vs "new" value.
references:
    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-infrastructure#conditional-access
author: Corissa Koopmans, '@corissalea'
date: 2022-07-19
modified: 2024-05-28
tags:
    - attack.privilege-escalation
    - attack.credential-access
    - attack.defense-evasion
    - attack.persistence
    - attack.t1548
    - attack.t1556
logsource:
    product: azure
    service: auditlogs
detection:
    selection:
        properties.message: Update conditional access policy
    condition: selection
falsepositives:
    - Misconfigured role permissions
    - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
level: medium