Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Conditional Access - A Conditional Access usergrouprole exclusion has changed

Conditional Access - A Conditional Access usergrouprole exclusion has changed

Back
Id2ce7f00d-3b3c-41b9-ae9a-b79c19d2394e
RulenameConditional Access - A Conditional Access user/group/role exclusion has changed
DescriptionA Conditional Access user/group/role exclusion has changed in Azure AD.
SeverityHigh
TacticsPersistence
DefenseEvasion
CredentialAccess
TechniquesT1098
T1078
Required data connectorsAzureActiveDirectory
KindScheduled
Query frequency5m
Query period5m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Entra ID/Analytic Rules/Conditional Access - A Conditional Access usergrouprole exclusion has changed.yaml
Version1.0.1
Arm template2ce7f00d-3b3c-41b9-ae9a-b79c19d2394e.json
Deploy To Azure
// A Conditional Access user/group/role exclusion has changed.
AuditLogs
| where OperationName in ("Update conditional access policy")
| extend excludeUsersOld = extractjson("$.conditions.users.excludeUsers", tostring(TargetResources[0].modifiedProperties[0].oldValue))
| extend excludeGroupsOld = extractjson("$.conditions.users.excludeGroups", tostring(TargetResources[0].modifiedProperties[0].oldValue))
| extend excludeRolesOld = extractjson("$.conditions.users.excludeRoles", tostring(TargetResources[0].modifiedProperties[0].oldValue))
| extend excludeUsersNew = extractjson("$.conditions.users.excludeUsers", tostring(TargetResources[0].modifiedProperties[0].newValue))
| extend excludeGroupsNew = extractjson("$.conditions.users.excludeGroups", tostring(TargetResources[0].modifiedProperties[0].newValue))
| extend excludeRolesNew = extractjson("$.conditions.users.excludeRoles", tostring(TargetResources[0].modifiedProperties[0].newValue))
| where excludeUsersOld != excludeUsersNew or excludeGroupsOld != excludeGroupsNew or excludeRolesOld != excludeRolesNew
| extend modifiedBy = tostring(InitiatedBy.user.userPrincipalName)
| extend accountName = tostring(split(modifiedBy, "@")[0])
| extend upnSuffix = tostring(split(modifiedBy, "@")[1])
| project TimeGenerated, OperationName, policy = TargetResources[0].displayName, modifiedBy, accountName, upnSuffix, result = Result,
          excludeUsersOld, excludeUsersNew, excludeGroupsOld, excludeGroupsNew, excludeRolesOld, excludeRolesNew
| order by TimeGenerated desc

suppressionEnabled: false
description: A Conditional Access user/group/role exclusion has changed in Azure AD.
kind: Scheduled
tactics:
- Persistence
- DefenseEvasion
- CredentialAccess
requiredDataConnectors:
- connectorId: AzureActiveDirectory
  dataTypes:
  - AuditLogs
incidentConfiguration:
  groupingConfiguration:
    enabled: false
    groupByEntities: []
    reopenClosedIncident: false
    lookbackDuration: PT1H
    matchingMethod: AllEntities
    groupByCustomDetails: []
    groupByAlertDetails: []
  createIncident: true
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Entra ID/Analytic Rules/Conditional Access - A Conditional Access usergrouprole exclusion has changed.yaml
severity: High
name: Conditional Access - A Conditional Access user/group/role exclusion has changed
suppressionDuration: 5h
eventGroupingSettings:
  aggregationKind: AlertPerResult
triggerThreshold: 0
queryPeriod: 5m
query: |
  // A Conditional Access user/group/role exclusion has changed.
  AuditLogs
  | where OperationName in ("Update conditional access policy")
  | extend excludeUsersOld = extractjson("$.conditions.users.excludeUsers", tostring(TargetResources[0].modifiedProperties[0].oldValue))
  | extend excludeGroupsOld = extractjson("$.conditions.users.excludeGroups", tostring(TargetResources[0].modifiedProperties[0].oldValue))
  | extend excludeRolesOld = extractjson("$.conditions.users.excludeRoles", tostring(TargetResources[0].modifiedProperties[0].oldValue))
  | extend excludeUsersNew = extractjson("$.conditions.users.excludeUsers", tostring(TargetResources[0].modifiedProperties[0].newValue))
  | extend excludeGroupsNew = extractjson("$.conditions.users.excludeGroups", tostring(TargetResources[0].modifiedProperties[0].newValue))
  | extend excludeRolesNew = extractjson("$.conditions.users.excludeRoles", tostring(TargetResources[0].modifiedProperties[0].newValue))
  | where excludeUsersOld != excludeUsersNew or excludeGroupsOld != excludeGroupsNew or excludeRolesOld != excludeRolesNew
  | extend modifiedBy = tostring(InitiatedBy.user.userPrincipalName)
  | extend accountName = tostring(split(modifiedBy, "@")[0])
  | extend upnSuffix = tostring(split(modifiedBy, "@")[1])
  | project TimeGenerated, OperationName, policy = TargetResources[0].displayName, modifiedBy, accountName, upnSuffix, result = Result,
            excludeUsersOld, excludeUsersNew, excludeGroupsOld, excludeGroupsNew, excludeRolesOld, excludeRolesNew
  | order by TimeGenerated desc  
relevantTechniques:
- T1098
- T1078
id: 2ce7f00d-3b3c-41b9-ae9a-b79c19d2394e
queryFrequency: 5m
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: accountName
    identifier: Name
  - columnName: upnSuffix
    identifier: UPNSuffix
triggerOperator: gt
version: 1.0.1