← Back to Explore
sigmamediumHunting
User Added To Group With CA Policy Modification Access
Monitor and alert on group membership additions of groups that have CA policy modification access
Detection Query
selection:
properties.message: Add member from group
condition: selection
Author
Mark Morowczynski '@markmorow', Thomas Detzner '@tdetzner'
Created
2022-08-04
Data Sources
azureauditlogs
Platforms
azure
Tags
attack.privilege-escalationattack.credential-accessattack.defense-evasionattack.persistenceattack.t1548attack.t1556
Raw Content
title: User Added To Group With CA Policy Modification Access
id: 91c95675-1f27-46d0-bead-d1ae96b97cd3
status: test
description: Monitor and alert on group membership additions of groups that have CA policy modification access
references:
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-infrastructure#conditional-access
author: Mark Morowczynski '@markmorow', Thomas Detzner '@tdetzner'
date: 2022-08-04
tags:
- attack.privilege-escalation
- attack.credential-access
- attack.defense-evasion
- attack.persistence
- attack.t1548
- attack.t1556
logsource:
product: azure
service: auditlogs
detection:
selection:
properties.message: Add member from group
condition: selection
falsepositives:
- User removed from the group is approved
level: medium