
New CA Policy by Non-approved Actor

Monitor and alert on conditional access changes.

Author: Corissa Koopmans
Created: Mon Jul 18
Rule ID: 0922467f-db53-4348-b7bf-dee8d0d348c6
Category: cloud

Log Source
Product: azure
Service: auditlogs
Detection Logic
detection:
    selection:
        properties.message: Add conditional access policy
    condition: selection
False Positives

Misconfigured role permissions

Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
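To show how the selection above behaves on real-looking input and how the triage step can be attached to each hit, the following is an added example (not part of the rule or its project): it applies the rule's single selection to constructed Azure audit log records and annotates each match with the initiating identity and user agent, flagging identities outside an assumed allow-list. The "initiatedBy" and "userAgent" field paths and the allow-list values are assumptions.

```python
import json

# Selection from the Sigma rule above: properties.message must equal this string.
RULE_SELECTION = {"properties.message": "Add conditional access policy"}

# Assumed allow-list of identities permitted to change CA policy (placeholder values).
APPROVED_ACTORS = {"ca-admin@example.com"}

# Constructed sample audit records (not real data). "properties.message" follows the
# rule's field name; the initiatedBy/userAgent paths are assumptions for illustration.
SAMPLE_LOG_LINES = [
    json.dumps({"properties": {"message": "Add conditional access policy",
                "initiatedBy": {"user": {"userPrincipalName": "ca-admin@example.com"}},
                "userAgent": "Mozilla/5.0"}}),
    json.dumps({"properties": {"message": "Add conditional access policy",
                "initiatedBy": {"user": {"userPrincipalName": "contractor@example.com"}},
                "userAgent": "python-requests/2.31"}}),
    json.dumps({"properties": {"message": "Update user",
                "initiatedBy": {"user": {"userPrincipalName": "helpdesk@example.com"}}}}),
    "not json at all",
]

def get_path(record, dotted):
    """Resolve a Sigma-style dotted field path; None if any step is missing."""
    cur = record
    for key in dotted.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur

def sigma_match(record, selection=RULE_SELECTION):
    """Every field in the selection map must match (Sigma AND semantics)."""
    return all(get_path(record, f) == v for f, v in selection.items())

def evaluate(lines, approved=APPROVED_ACTORS):
    """Return rule hits annotated with actor, user agent and an approval flag for triage."""
    alerts = []
    for line in lines:
        try:
            rec = json.loads(line)
        except ValueError:
            continue  # malformed line: skip rather than crash the pipeline
        if not sigma_match(rec):
            continue
        actor = get_path(rec, "properties.initiatedBy.user.userPrincipalName")
        alerts.append({"actor": actor,
                       "user_agent": get_path(rec, "properties.userAgent"),
                       "approved_actor": actor in approved})
    return alerts
```

Running `evaluate(SAMPLE_LOG_LINES)` yields two hits; the first is an approved identity with a browser user agent, the second an unlisted identity with a scripting user agent, which is the kind of hit the false-positive note above says to verify.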

Rule Metadata
Rule ID
0922467f-db53-4348-b7bf-dee8d0d348c6
Status
test
Level
medium
Type
Detection
Created
Mon Jul 18
Path
rules/cloud/azure/audit_logs/azure_aad_secops_new_ca_policy_addedby_bad_actor.yml
Raw Tags
attack.privilege-escalation, attack.defense-evasion, attack.t1548