Detectionmediumtest

User Removed From Group With CA Policy Modification Access

Monitor and alert on group membership removal of groups that have CA policy modification access

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Mark Morowczynski, Thomas DetznerCreated Thu Aug 04665e2d43-70dc-4ccc-9d27-026c9dd7ed9ccloud

Log Source

Azureauditlogs

ProductAzure← raw: azure

Serviceauditlogs← raw: auditlogs

Detection Logic

detection:
    selection:
        properties.message: Remove member from group
    condition: selection

False Positives

User removed from the group is approved

References

MITRE ATT&CK

Tactics

Techniques

Rule Metadata

Rule ID

665e2d43-70dc-4ccc-9d27-026c9dd7ed9c

Status

test

Level

medium

Type

Detection

Created

Thu Aug 04

Author

Path

rules/cloud/azure/audit_logs/azure_group_user_removal_ca_modification.yml

Raw Tags

attack.privilege-escalationattack.credential-accessattack.defense-evasionattack.persistenceattack.t1548attack.t1556