
CA Policy Updated by Non Approved Actor

Monitor and alert on conditional access policy changes. Check whether the initiating actor (Initiated by) is approved to make such changes, then review the Modified Properties and compare the "old" and "new" values.

Author
Corissa Koopmans
Created
Tue Jul 19
Updated
Tue May 28
Category
cloud
Log Source
Product
azure (Azure)
Service
auditlogs (Azure audit logs)
Detection Logic (one selector)

detection:
    selection:
        properties.message: Update conditional access policy
    condition: selection
False Positives

Misconfigured role permissions

Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
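The selection above fires on every conditional access policy update; the description and the false-positive guidance then ask whether the actor is approved and what actually changed. The following added example (not part of the rule or of the Sigma project) implements that triage in Python over constructed records shaped like Microsoft Graph directoryAudit entries. The field names (activityDisplayName, initiatedBy.user.userPrincipalName, targetResources[].modifiedProperties with oldValue/newValue) and the allow-list are assumptions; the Sigma rule itself matches the normalised properties.message field.

```python
import json
OPERATION = "Update conditional access policy"  # value from the Sigma selection
APPROVED_ACTORS = {"ca-admin@example.com"}  # constructed allow-list for this tenant

def _event(op, actor, old=None, new=None):
    """Constructed record in Microsoft Graph directoryAudit shape (field names assumed)."""
    props = [] if old is None else [{"displayName": "ConditionalAccessPolicy",
                                     "oldValue": json.dumps(old), "newValue": json.dumps(new)}]
    return {"activityDisplayName": op,
            "initiatedBy": {"user": {"userPrincipalName": actor}},
            "targetResources": [{"displayName": "Require MFA for admins",
                                 "modifiedProperties": props}]}

# Constructed sample log: approved edit, unapproved edit that disables the policy, unrelated op.
SAMPLE_EVENTS = [
    _event(OPERATION, "ca-admin@example.com", {"state": "enabled"}, {"state": "enabled"}),
    _event(OPERATION, "HelpDesk@example.com", {"state": "enabled"}, {"state": "disabled"}),
    _event("Add user", "helpdesk@example.com"),
]

def _loads(value):
    """modifiedProperties values arrive as JSON-encoded strings; keep raw text if not JSON."""
    try:
        return None if value is None else json.loads(value)
    except ValueError:
        return value

def diff_properties(resource):
    """Return {property: (old, new)} for each modified property whose value changed."""
    changes = {}
    for prop in resource.get("modifiedProperties", []):
        old, new = _loads(prop.get("oldValue")), _loads(prop.get("newValue"))
        if old != new:
            changes[prop["displayName"]] = (old, new)
    return changes

def find_unapproved_ca_updates(events, approved_actors=APPROVED_ACTORS):
    """Sigma selection, then triage: drop approved actors, attach old/new diff to the rest."""
    approved = {a.lower() for a in approved_actors}
    alerts = []
    for ev in events:
        if ev.get("activityDisplayName") != OPERATION:
            continue
        actor = ev.get("initiatedBy", {}).get("user", {}).get("userPrincipalName", "")
        if actor.lower() in approved:  # UPNs are case-insensitive
            continue
        for res in ev.get("targetResources", []):
            alerts.append({"actor": actor, "policy": res.get("displayName"),
                           "changes": diff_properties(res)})
    return alerts
```

Running it over the sample yields a single alert for the unapproved helpdesk account, with the state change from "enabled" to "disabled" attached for the reviewer.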

Rule Metadata
Rule ID
50a3c7aa-ec29-44a4-92c1-fce229eef6fc
Status
test
Level
medium
Type
Detection
Created
Tue Jul 19
Modified
Tue May 28
Path
rules/cloud/azure/audit_logs/azure_aad_secops_ca_policy_updatedby_bad_actor.yml
Raw Tags
attack.privilege-escalation
attack.credential-access
attack.defense-evasion
attack.persistence
attack.t1548
attack.t1556