Update Of Authentication Methods Policy
Query
AuditLogs
| where OperationName == "Authentication Methods Policy Update" and LoggedByService == "Authentication Methods"
| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))
| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))
| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingUserOrApp, IPCustomEntity = InitiatingIpAddressExplanation
This query is designed to identify when the Authentication Methods Policy has been updated. It looks for audit logs in the Azure Active Directory connector where the OperationName is "Authentication Methods Policy Update" and the LoggedByService is "Authentication Methods". It then extracts information about the user or app that initiated the update, including their user principal name or display name and their IP address. The query also maps the extracted information to the Account and IP entities for further analysis. The query runs once a day and looks at data from the past day. The severity of this query is informational, and it is relevant to the CredentialAccess and InitialAccess tactics, as well as the T1110 and T1078 techniques.
Details

Thomas Naunheim
Released: August 23, 2023
Tables
Keywords
Operators
Severity
InformationalTactics
Frequency: 1d
Period: 1d