Change Conditional Access Policy
Conditional Access Change Policy
Query
AuditLogs
| where OperationName == "Update conditional access policy"
| extend DeletedPolicy = TargetResources.[0].displayName, Actor = InitiatedBy.user.userPrincipalName
| project TimeGenerated, Actor, DeletedPolicy, TargetResourcesAbout this query
Change Conditional Access Policy
Query Information
MITRE ATT&CK Technique(s)
| Technique ID | Title | Link |
|---|---|---|
| T1556 | Modify Authentication Process | https://attack.mitre.org/techniques/T1556/ |
Description
This KQL query lists all conditional access policies that have been changed. The modification of authentication processes can be used to create persistence on an cloud account.
Risk
Adveries can update CA policies to get persistence by removing the necessary strong authentication mechanisms for a account.
References
- https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-consumer-accounts
- https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/
Sentinel
Explanation
This KQL query is designed to monitor changes to conditional access policies in a cloud environment, specifically within Azure Active Directory. Here's a simple breakdown of what the query does:
-
Data Source: It pulls data from the
AuditLogs, which records various activities and changes within the system. -
Filter: The query filters for logs where the operation performed is "Update conditional access policy". This means it's specifically looking for instances where conditional access policies have been modified.
-
Extract Information: For each of these instances, it extracts and displays:
TimeGenerated: The timestamp of when the change occurred.Actor: The user who initiated the change, identified by their user principal name.DeletedPolicy: The name of the policy that was changed.TargetResources: Additional details about the resources affected by the change.
-
Purpose: The query helps identify potential security risks by tracking changes to authentication processes. Adversaries might modify these policies to weaken security measures, such as removing strong authentication requirements, to maintain unauthorized access to accounts.
-
Relevance: This activity is associated with the MITRE ATT&CK technique T1556, which involves modifying authentication processes to create persistence in a system.
Overall, this query is a security measure to detect and respond to unauthorized or suspicious changes in conditional access policies, which are crucial for maintaining secure access controls in a cloud environment.
