Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Conditional Access - A Conditional Access policy was deleted

Conditional Access - A Conditional Access policy was deleted

Back
Id2e96fa64-ac4d-4c92-b79e-e9c54b5d8230
RulenameConditional Access - A Conditional Access policy was deleted
DescriptionA Conditional Access policy was deleted from Entra ID.
SeverityLow
TacticsDefenseEvasion
TechniquesT1562.007
Required data connectorsAzureActiveDirectory
KindScheduled
Query frequency5m
Query period5m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Entra ID/Analytic Rules/Conditional Access - A Conditional Access policy was deleted.yaml
Version1.0.1
Arm template2e96fa64-ac4d-4c92-b79e-e9c54b5d8230.json
Deploy To Azure
// A Conditional Access policy was deleted.
AuditLogs
| where OperationName in ("Delete conditional access policy")
| extend modifiedBy = tostring(InitiatedBy.user.userPrincipalName)
| extend accountName = tostring(split(modifiedBy, "@")[0])
| extend upnSuffix = tostring(split(modifiedBy, "@")[1])
| project
    TimeGenerated,
    OperationName,
    policy = TargetResources[0].displayName,
    modifiedBy,
    accountName,
    upnSuffix,
    result = Result,
    oldPolicy = TargetResources[0].modifiedProperties[0].oldValue
| order by TimeGenerated desc

suppressionEnabled: false
relevantTechniques:
- T1562.007
entityMappings:
- fieldMappings:
  - columnName: accountName
    identifier: Name
  - columnName: upnSuffix
    identifier: UPNSuffix
  entityType: Account
incidentConfiguration:
  groupingConfiguration:
    groupByCustomDetails: []
    reopenClosedIncident: false
    enabled: false
    matchingMethod: AllEntities
    groupByEntities: []
    lookbackDuration: PT1H
    groupByAlertDetails: []
  createIncident: true
version: 1.0.1
suppressionDuration: 5h
id: 2e96fa64-ac4d-4c92-b79e-e9c54b5d8230
description: A Conditional Access policy was deleted from Entra ID.
requiredDataConnectors:
- connectorId: AzureActiveDirectory
  dataTypes:
  - AuditLogs
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Entra ID/Analytic Rules/Conditional Access - A Conditional Access policy was deleted.yaml
eventGroupingSettings:
  aggregationKind: AlertPerResult
triggerOperator: gt
queryFrequency: 5m
query: |
  // A Conditional Access policy was deleted.
  AuditLogs
  | where OperationName in ("Delete conditional access policy")
  | extend modifiedBy = tostring(InitiatedBy.user.userPrincipalName)
  | extend accountName = tostring(split(modifiedBy, "@")[0])
  | extend upnSuffix = tostring(split(modifiedBy, "@")[1])
  | project
      TimeGenerated,
      OperationName,
      policy = TargetResources[0].displayName,
      modifiedBy,
      accountName,
      upnSuffix,
      result = Result,
      oldPolicy = TargetResources[0].modifiedProperties[0].oldValue
  | order by TimeGenerated desc  
severity: Low
queryPeriod: 5m
name: Conditional Access - A Conditional Access policy was deleted
tactics:
- DefenseEvasion
kind: Scheduled