Query Details

Change Conditional Access Policy

Conditional Access Change Policy

Query

AuditLogs
| where OperationName == "Update conditional access policy"
| extend DeletedPolicy = TargetResources.[0].displayName, Actor = InitiatedBy.user.userPrincipalName
| project TimeGenerated, Actor, DeletedPolicy, TargetResources

About this query

Change Conditional Access Policy

Query Information

MITRE ATT&CK Technique(s)

Technique IDTitleLink
T1556Modify Authentication Processhttps://attack.mitre.org/techniques/T1556/

Description

This KQL query lists all conditional access policies that have been changed. The modification of authentication processes can be used to create persistence on an cloud account.

Risk

Adveries can update CA policies to get persistence by removing the necessary strong authentication mechanisms for a account.

References

Sentinel

Explanation

This KQL query is designed to monitor changes to conditional access policies in a cloud environment, specifically within Azure Active Directory. Here's a simple breakdown of what the query does:

  1. Data Source: It pulls data from the AuditLogs, which records various activities and changes within the system.

  2. Filter: The query filters for logs where the operation performed is "Update conditional access policy". This means it's specifically looking for instances where conditional access policies have been modified.

  3. Extract Information: For each of these instances, it extracts and displays:

    • TimeGenerated: The timestamp of when the change occurred.
    • Actor: The user who initiated the change, identified by their user principal name.
    • DeletedPolicy: The name of the policy that was changed.
    • TargetResources: Additional details about the resources affected by the change.
  4. Purpose: The query helps identify potential security risks by tracking changes to authentication processes. Adversaries might modify these policies to weaken security measures, such as removing strong authentication requirements, to maintain unauthorized access to accounts.

  5. Relevance: This activity is associated with the MITRE ATT&CK technique T1556, which involves modifying authentication processes to create persistence in a system.

Overall, this query is a security measure to detect and respond to unauthorized or suspicious changes in conditional access policies, which are crucial for maintaining secure access controls in a cloud environment.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: November 17, 2023

Tables

AuditLogs

Keywords

AuditLogsOperationNameTargetResourcesActorUserTimeGeneratedPolicy

Operators

whereextendproject

MITRE Techniques

Actions

GitHub