Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Conditional Access - A new Conditional Access policy was created

Conditional Access - A new Conditional Access policy was created

Back
Id0459a1b5-909d-4783-9e27-24536b05a47f
RulenameConditional Access - A new Conditional Access policy was created
DescriptionA new Conditional Access policy was created in Entra ID.
SeverityInformational
TacticsDefenseEvasion
TechniquesT1562.007
Required data connectorsAzureActiveDirectory
KindScheduled
Query frequency5m
Query period5m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Entra ID/Analytic Rules/Conditional Access - A new Conditional Access policy was created.yaml
Version1.0.1
Arm template0459a1b5-909d-4783-9e27-24536b05a47f.json
Deploy To Azure
// A new Conditional Access policy was created.
AuditLogs
| where OperationName in ("Add conditional access policy")
| extend modifiedBy = tostring(InitiatedBy.user.userPrincipalName)
| extend accountName = tostring(split(modifiedBy, "@")[0])
| extend upnSuffix = tostring(split(modifiedBy, "@")[1])
| project
    TimeGenerated,
    OperationName,
    policy = TargetResources[0].displayName,
    modifiedBy,
    accountName,
    upnSuffix,
    result = Result,
    newPolicy = TargetResources[0].modifiedProperties[0].newValue
| order by TimeGenerated desc

suppressionEnabled: false
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    groupByCustomDetails: []
    matchingMethod: AllEntities
    groupByAlertDetails: []
    groupByEntities: []
    lookbackDuration: PT1H
    enabled: false
    reopenClosedIncident: false
requiredDataConnectors:
- dataTypes:
  - AuditLogs
  connectorId: AzureActiveDirectory
relevantTechniques:
- T1562.007
triggerOperator: gt
version: 1.0.1
queryFrequency: 5m
severity: Informational
description: A new Conditional Access policy was created in Entra ID.
triggerThreshold: 0
suppressionDuration: 5h
entityMappings:
- fieldMappings:
  - columnName: accountName
    identifier: Name
  - columnName: upnSuffix
    identifier: UPNSuffix
  entityType: Account
name: Conditional Access - A new Conditional Access policy was created
query: |
  // A new Conditional Access policy was created.
  AuditLogs
  | where OperationName in ("Add conditional access policy")
  | extend modifiedBy = tostring(InitiatedBy.user.userPrincipalName)
  | extend accountName = tostring(split(modifiedBy, "@")[0])
  | extend upnSuffix = tostring(split(modifiedBy, "@")[1])
  | project
      TimeGenerated,
      OperationName,
      policy = TargetResources[0].displayName,
      modifiedBy,
      accountName,
      upnSuffix,
      result = Result,
      newPolicy = TargetResources[0].modifiedProperties[0].newValue
  | order by TimeGenerated desc  
tactics:
- DefenseEvasion
queryPeriod: 5m
kind: Scheduled
id: 0459a1b5-909d-4783-9e27-24536b05a47f
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Entra ID/Analytic Rules/Conditional Access - A new Conditional Access policy was created.yaml
eventGroupingSettings:
  aggregationKind: AlertPerResult