Deletion Conditional Access Policy
Conditional Access Delete Policy
Query
AuditLogs
| where OperationName == "Delete conditional access policy"
| extend DeletedPolicy = TargetResources.[0].displayName, Actor = InitiatedBy.user.userPrincipalName
| project TimeGenerated, Actor, DeletedPolicy, TargetResourcesAbout this query
Deletion Conditional Access Policy
Query Information
MITRE ATT&CK Technique(s)
| Technique ID | Title | Link |
|---|---|---|
| T1556 | Modify Authentication Process | https://attack.mitre.org/techniques/T1556/ |
Description
This KQL query lists all conditional access policies that have been deleted. The modification of authentication processes can be used to create persistence on an cloud account.
Risk
Adveries can delete CA policies to get persistence.
References
- https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-consumer-accounts
- https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/
Sentinel
Explanation
This KQL query is designed to identify and list all instances where conditional access policies have been deleted in a cloud environment. Here's a simple breakdown of what the query does:
-
Data Source: It uses the
AuditLogstable, which contains logs of various operations performed in the system. -
Filter: The query specifically looks for log entries where the operation name is "Delete conditional access policy". This means it is filtering out all other operations and focusing only on deletions of conditional access policies.
-
Extract Information: For each deletion event, the query extracts:
DeletedPolicy: The name of the conditional access policy that was deleted.Actor: The user who initiated the deletion, identified by their user principal name.
-
Output: It projects (or displays) the following information for each deletion event:
TimeGenerated: The timestamp of when the deletion occurred.Actor: The user who deleted the policy.DeletedPolicy: The name of the deleted policy.TargetResources: Additional details about the resources targeted by the operation.
In summary, this query helps security teams monitor and investigate any unauthorized or suspicious deletions of conditional access policies, which could be a tactic used by adversaries to maintain access or persistence in a cloud environment.
