Rules Contributing to Microsoft Entra Changes to Conditional Access Policy Alert

The following rules are used to identify suspicious Microsoft Entra changes to conditional access policy. Any one or more of these will trigger the Microsoft Entra Changes to Conditional Access Policy Alert. Details for each rule can be viewed by clicking the More Details link in the description.

Title

Description

New CA Policy by Non-approved Actor

Monitor and alert on conditional access changes.

More details

Rule ID

azure_28

Query

{'selection': {'properties_message': 'Add conditional access policy'}, 'condition': 'selection'}

Log Source

Stellar Cyber Microsoft Entra Events configured.

Rule Source

SigmaHQ,0922467f-db53-4348-b7bf-dee8d0d348c6

Author: Corissa Koopmans, '@corissalea'

Tactics, Techniques, and Procedures

DEFENSE_EVASION, T1556

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
experimental	2022/07/18	medium	Misconfigured role permissions Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.

CA Policy Updated by Non Approved Actor

Monitor and alert on conditional access changes. Is Initiated by (actor) approved to make changes? Review Modified Properties and compare "old" vs "new" value.

More details

Rule ID

azure_29

Query

{'keywords': {'properties_message': 'Update conditional access policy'}, 'condition': 'keywords'}

Log Source

Stellar Cyber Microsoft Entra Events configured.

Rule Source

SigmaHQ,50a3c7aa-ec29-44a4-92c1-fce229eef6fc

Author: Corissa Koopmans, '@corissalea'

Tactics, Techniques, and Procedures

DEFENSE_EVASION, T1548, T1556

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
experimental	2022/07/19	medium	Misconfigured role permissions Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.

User Added To Group With CA Policy Modification Access

Monitor and alert on group membership additions of groups that have CA policy modification access

More details

Rule ID

azure_30

Query

{'selection': {'properties_message': 'Add member from group'}, 'condition': 'selection'}

Log Source

Stellar Cyber Microsoft Entra Events configured.

Rule Source

SigmaHQ,91c95675-1f27-46d0-bead-d1ae96b97cd3

Author: Mark Morowczynski '@markmorow', Thomas Detzner '@tdetzner'

Tactics, Techniques, and Procedures

DEFENSE_EVASION, T1548, T1556

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
experimental	2022/08/04	medium	User removed from the group is approved

CA Policy Removed by Non Approved Actor

Monitor and alert on conditional access changes where non approved actor removed CA Policy.

More details

Rule ID

azure_31

Query

{'selection': {'properties_message': 'Delete conditional access policy'}, 'condition': 'selection'}

Log Source

Stellar Cyber Microsoft Entra Events configured.

Rule Source

SigmaHQ,26e7c5e2-6545-481e-b7e6-050143459635

Author: Corissa Koopmans, '@corissalea'

Tactics, Techniques, and Procedures

DEFENSE_EVASION, T1548, T1556

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
experimental	2022/07/19	medium	Misconfigured role permissions Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.