Rules Contributing to Microsoft Entra Changes to Conditional Access Policy Alert
The following rules are used to identify suspicious Microsoft Entra changes to conditional access policy. Any one or more of these will trigger the Microsoft Entra Changes to Conditional Access Policy Alert. Details for each rule can be viewed by clicking the More Details link in the description.
Title |
Description |
||||||||
---|---|---|---|---|---|---|---|---|---|
New CA Policy by Non-Approved Actor |
Monitor and alert on conditional access changes. More details
Rule IDQuery{'selection': {'properties_message': 'Add conditional access policy'}, 'condition': 'selection'} Log SourceStellar Cyber Microsoft Entra Events configured. Rule SourceSigmaHQ,0922467f-db53-4348-b7bf-dee8d0d348c6 Author: Corissa Koopmans, '@corissalea' Tactics, Techniques, and ProceduresReferencesSeverity50 Suppression Logic Based On
Additional Information
|
||||||||
CA Policy Updated by Non-Approved Actor |
Monitor and alert on conditional access changes. Is Initiated by (actor) approved to make changes? Review Modified Properties and compare "old" vs "new" value. More details
Rule IDQuery{'keywords': {'properties_message': 'Update conditional access policy'}, 'condition': 'keywords'} Log SourceStellar Cyber Microsoft Entra Events configured. Rule SourceSigmaHQ,50a3c7aa-ec29-44a4-92c1-fce229eef6fc Author: Corissa Koopmans, '@corissalea' Tactics, Techniques, and ProceduresReferencesSeverity50 Suppression Logic Based On
Additional Information
|
||||||||
User Added to Group with CA Policy Modification Access |
Monitor and alert on group membership additions of groups that have CA policy modification access More details
Rule IDQuery{'selection': {'properties_message': 'Add member from group'}, 'condition': 'selection'} Log SourceStellar Cyber Microsoft Entra Events configured. Rule SourceSigmaHQ,91c95675-1f27-46d0-bead-d1ae96b97cd3 Author: Mark Morowczynski '@markmorow', Thomas Detzner '@tdetzner' Tactics, Techniques, and ProceduresReferencesSeverity50 Suppression Logic Based On
Additional Information
|
||||||||
CA Policy Removed by Non-Approved Actor |
Monitor and alert on conditional access changes where non approved actor removed CA Policy. More details
Rule IDQuery{'selection': {'properties_message': 'Delete conditional access policy'}, 'condition': 'selection'} Log SourceStellar Cyber Microsoft Entra Events configured. Rule SourceSigmaHQ,26e7c5e2-6545-481e-b7e6-050143459635 Author: Corissa Koopmans, '@corissalea' Tactics, Techniques, and ProceduresReferencesSeverity50 Suppression Logic Based On
Additional Information
|