Type: Detection | Level: medium | Status: test

CA Policy Removed by Non Approved Actor

Monitor and alert on Conditional Access (CA) changes in which a non-approved actor removed a CA policy. Deleting a policy such as an MFA requirement or a legacy-authentication block weakens tenant-wide controls in one operation, so each deletion should be tied to an approved change.

Author: Corissa Koopmans | Created: Tue Jul 19 | Rule ID: 26e7c5e2-6545-481e-b7e6-050143459635 | Category: cloud
Log Source
Product: azure
Service: auditlogs
Detection Logic (1 selector)
detection:
    selection:
        properties.message: Delete conditional access policy
    condition: selection

The selector matches every Conditional Access policy deletion recorded in the Azure AD audit log, regardless of who performed it. Deciding whether the actor is "non-approved" is not encoded in the rule; that judgement has to come from the analyst or from an allow-list of approved administrators applied in the SIEM after the match.
False Positives

Misconfigured role permissions (an account holding broader directory rights than intended and deleting a policy as part of routine work).

Verify whether the user identity, user agent and/or source host should be making Conditional Access changes in your environment, and compare the deletion against your change records before escalating.
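To show the selector above applied to log records, and the false-positive handling this section describes, here is an added Python example. It is not part of the Sigma rule or of this page; the record layout (properties.message, properties.initiatedBy, properties.targetResources) is modelled on Azure AD diagnostic-log JSON but is an assumption, the records themselves are constructed, and the APPROVED_ACTORS allow-list is a hypothetical addition that the rule itself does not contain.

```python
"""Apply the Sigma selection to Azure AD audit-log records (added example).

Assumptions (not from the rule or the page): the JSON record layout below, and
the APPROVED_ACTORS allow-list used to suppress deletions by known administrators.
"""
import json
from typing import Any, Dict, Iterable, List, Optional

# The rule's selection, verbatim: one field, one value.
SIGMA_SELECTION: Dict[str, str] = {
    "properties.message": "Delete conditional access policy",
}

# Identities permitted to remove CA policies. Assumed here; in practice this
# list is maintained from your change-management process.
APPROVED_ACTORS = {"ca-admin@contoso.example"}

# Constructed sample records, newline-delimited JSON, shaped like Azure AD
# diagnostic-log output. Record 3 uses a lower-case message on purpose.
SAMPLE_LOG = """
{"time":"2024-01-15T10:01:00Z","properties":{"message":"Delete conditional access policy","initiatedBy":{"user":{"userPrincipalName":"ca-admin@contoso.example"}},"targetResources":[{"displayName":"Require MFA for all users"}]}}
{"time":"2024-01-15T10:02:00Z","properties":{"message":"Update conditional access policy","initiatedBy":{"user":{"userPrincipalName":"jdoe@contoso.example"}},"targetResources":[{"displayName":"Block legacy auth"}]}}
{"time":"2024-01-15T10:03:00Z","properties":{"message":"delete conditional access policy","initiatedBy":{"user":{"userPrincipalName":"jdoe@contoso.example"}},"targetResources":[{"displayName":"Block legacy auth"}]}}
{"time":"2024-01-15T10:04:00Z","properties":{"message":"Delete conditional access policy","initiatedBy":{"app":{"displayName":"Terraform"}},"targetResources":[{"displayName":"Guest access restrictions"}]}}
"""


def get_path(record: Dict[str, Any], dotted: str) -> Optional[Any]:
    """Resolve a Sigma-style dotted field name (a.b.c) against a nested dict."""
    cur: Any = record
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def selection_matches(record: Dict[str, Any],
                      selection: Dict[str, str] = SIGMA_SELECTION) -> bool:
    """Sigma selection semantics: every field must match; plain string
    values compare case-insensitively."""
    for field, expected in selection.items():
        actual = get_path(record, field)
        if not isinstance(actual, str) or actual.lower() != expected.lower():
            return False
    return True


def actor_of(record: Dict[str, Any]) -> str:
    """Who performed the operation: a user UPN, else an app display name."""
    user = get_path(record, "properties.initiatedBy.user.userPrincipalName")
    if user:
        return user
    app = get_path(record, "properties.initiatedBy.app.displayName")
    return app or "<unknown>"


def policy_of(record: Dict[str, Any]) -> str:
    """Display name of the first target resource (the deleted policy)."""
    targets = get_path(record, "properties.targetResources") or []
    if targets and isinstance(targets[0], dict):
        return targets[0].get("displayName", "<unknown>")
    return "<unknown>"


def parse_log(text: str) -> List[Dict[str, Any]]:
    """Parse newline-delimited JSON, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_alerts(records: Iterable[Dict[str, Any]],
                approved: set = APPROVED_ACTORS) -> List[Dict[str, str]]:
    """Records that hit the Sigma selection AND were not performed by an
    approved actor. The second test is the downstream allow-list the rule
    leaves to the analyst; it is what trims the false-positive class above."""
    alerts: List[Dict[str, str]] = []
    for rec in records:
        if not selection_matches(rec):
            continue
        actor = actor_of(rec)
        if actor in approved:
            continue
        alerts.append({
            "time": rec.get("time", "?"),
            "actor": actor,
            "policy": policy_of(rec),
        })
    return alerts


if __name__ == "__main__":
    for a in find_alerts(parse_log(SAMPLE_LOG)):
        print(f"{a['time']} ALERT: {a['actor']} deleted CA policy '{a['policy']}'")
```

Run as-is, the approved administrator's deletion is suppressed, the policy update never matches the selector, and the two remaining deletions (one by an unlisted user, one by an unlisted application) are raised. Note that an empty allow-list reproduces the bare Sigma rule, which fires on every deletion.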

Rule Metadata
Rule ID
26e7c5e2-6545-481e-b7e6-050143459635
Status
test
Level
medium
Type
Detection
Created
Tue Jul 19
Path
rules/cloud/azure/audit_logs/azure_aad_secops_ca_policy_removedby_bad_actor.yml
Tags
attack.privilege-escalation, attack.credential-access, attack.defense-evasion, attack.persistence, attack.t1548, attack.t1556