Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Conditional Access - A Conditional Access app exclusion has changed

Conditional Access - A Conditional Access app exclusion has changed

Back
Id0990a481-3bc8-4682-838c-313918dd858c
RulenameConditional Access - A Conditional Access app exclusion has changed
DescriptionA Conditional Access app exclusion has changed in Entra ID.
SeverityLow
TacticsCommandAndControl
TechniquesT1071
Required data connectorsAzureActiveDirectory
KindScheduled
Query frequency5m
Query period5m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Entra ID/Analytic Rules/Conditional Access - A Conditional Access app exclusion has changed.yaml
Version1.0.1
Arm template0990a481-3bc8-4682-838c-313918dd858c.json
Deploy To Azure
// A Conditional Access app exclusion has changed.
AuditLogs
| where OperationName in ("Update conditional access policy")
| extend excludeApplicationsOld = extractjson("$.conditions.applications.excludeApplications", tostring(TargetResources[0].modifiedProperties[0].oldValue))
| extend excludeApplicationsNew = extractjson("$.conditions.applications.excludeApplications", tostring(TargetResources[0].modifiedProperties[0].newValue))
| where excludeApplicationsOld != excludeApplicationsNew
| extend modifiedBy = tostring(InitiatedBy.user.userPrincipalName)
| extend accountName = tostring(split(modifiedBy, "@")[0])
| extend upnSuffix = tostring(split(modifiedBy, "@")[1])
| project
    TimeGenerated,
    OperationName,
    policy = TargetResources[0].displayName,
    modifiedBy,
    accountName,
    upnSuffix,
    result = Result,
    excludeApplicationsOld,
    excludeApplicationsNew
| order by TimeGenerated desc

requiredDataConnectors:
- dataTypes:
  - AuditLogs
  connectorId: AzureActiveDirectory
severity: Low
kind: Scheduled
name: Conditional Access - A Conditional Access app exclusion has changed
version: 1.0.1
query: |+
  // A Conditional Access app exclusion has changed.
  AuditLogs
  | where OperationName in ("Update conditional access policy")
  | extend excludeApplicationsOld = extractjson("$.conditions.applications.excludeApplications", tostring(TargetResources[0].modifiedProperties[0].oldValue))
  | extend excludeApplicationsNew = extractjson("$.conditions.applications.excludeApplications", tostring(TargetResources[0].modifiedProperties[0].newValue))
  | where excludeApplicationsOld != excludeApplicationsNew
  | extend modifiedBy = tostring(InitiatedBy.user.userPrincipalName)
  | extend accountName = tostring(split(modifiedBy, "@")[0])
  | extend upnSuffix = tostring(split(modifiedBy, "@")[1])
  | project
      TimeGenerated,
      OperationName,
      policy = TargetResources[0].displayName,
      modifiedBy,
      accountName,
      upnSuffix,
      result = Result,
      excludeApplicationsOld,
      excludeApplicationsNew
  | order by TimeGenerated desc  

queryPeriod: 5m
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    reopenClosedIncident: false
    enabled: false
    lookbackDuration: PT1H
    groupByCustomDetails: []
    groupByAlertDetails: []
    matchingMethod: AllEntities
    groupByEntities: []
id: 0990a481-3bc8-4682-838c-313918dd858c
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Entra ID/Analytic Rules/Conditional Access - A Conditional Access app exclusion has changed.yaml
description: A Conditional Access app exclusion has changed in Entra ID.
eventGroupingSettings:
  aggregationKind: AlertPerResult
suppressionEnabled: false
triggerThreshold: 0
relevantTechniques:
- T1071
entityMappings:
- fieldMappings:
  - columnName: accountName
    identifier: Name
  - columnName: upnSuffix
    identifier: UPNSuffix
  entityType: Account
queryFrequency: 5m
triggerOperator: gt
tactics:
- CommandAndControl
suppressionDuration: 5h

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/0990a481-3bc8-4682-838c-313918dd858c')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/0990a481-3bc8-4682-838c-313918dd858c')]",
      "properties": {
        "alertRuleTemplateName": "0990a481-3bc8-4682-838c-313918dd858c",
        "customDetails": null,
        "description": "A Conditional Access app exclusion has changed in Entra ID.",
        "displayName": "Conditional Access - A Conditional Access app exclusion has changed",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "accountName",
                "identifier": "Name"
              },
              {
                "columnName": "upnSuffix",
                "identifier": "UPNSuffix"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": false,
            "groupByAlertDetails": [],
            "groupByCustomDetails": [],
            "groupByEntities": [],
            "lookbackDuration": "PT1H",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Entra ID/Analytic Rules/Conditional Access - A Conditional Access app exclusion has changed.yaml",
        "query": "// A Conditional Access app exclusion has changed.\nAuditLogs\n| where OperationName in (\"Update conditional access policy\")\n| extend excludeApplicationsOld = extractjson(\"$.conditions.applications.excludeApplications\", tostring(TargetResources[0].modifiedProperties[0].oldValue))\n| extend excludeApplicationsNew = extractjson(\"$.conditions.applications.excludeApplications\", tostring(TargetResources[0].modifiedProperties[0].newValue))\n| where excludeApplicationsOld != excludeApplicationsNew\n| extend modifiedBy = tostring(InitiatedBy.user.userPrincipalName)\n| extend accountName = tostring(split(modifiedBy, \"@\")[0])\n| extend upnSuffix = tostring(split(modifiedBy, \"@\")[1])\n| project\n    TimeGenerated,\n    OperationName,\n    policy = TargetResources[0].displayName,\n    modifiedBy,\n    accountName,\n    upnSuffix,\n    result = Result,\n    excludeApplicationsOld,\n    excludeApplicationsNew\n| order by TimeGenerated desc\n\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "Low",
        "subTechniques": [],
        "suppressionDuration": "PT5H",
        "suppressionEnabled": false,
        "tactics": [
          "CommandAndControl"
        ],
        "techniques": [
          "T1071"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}