IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.

« Azure Command Execution on Virtual Machine Azure Diagnostic Settings Deletion »

› › ›

Azure Conditional Access Policy Modified

edit

Azure Conditional Access Policy Modified

edit

Identifies when an Azure Conditional Access policy is modified. Azure Conditional Access policies control access to resources via if-then statements. For example, if a user wants to access a resource, then they must complete an action such as using multi-factor authentication to access it. An adversary may modify a Conditional Access policy in order to weaken their target’s security controls.

Rule type: query

Rule indices:

filebeat-*
logs-azure*

Severity: medium

Risk score: 47

Runs every: 5m

Searches indices from: now-25m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview

Tags:

Domain: Cloud
Data Source: Azure
Use Case: Configuration Audit
Tactic: Persistence

Version: 102

Rule authors:

Elastic

Rule license: Elastic License v2

Investigation guide

edit

Setup

edit

The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.

Rule query

edit

event.dataset:(azure.activitylogs or azure.auditlogs) and
event.action:"Update conditional access policy" and event.outcome:(Success or success)

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Persistence
- ID: TA0003
- Reference URL: https://attack.mitre.org/tactics/TA0003/
Technique:
- Name: Account Manipulation
- ID: T1098
- Reference URL: https://attack.mitre.org/techniques/T1098/

« Azure Command Execution on Virtual Machine Azure Diagnostic Settings Deletion »