Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Conditional Access - A Conditional Access policy was disabled

Back
Id40702da1-ae8a-4e46-ac1f-9327ca6ef588
RulenameConditional Access - A Conditional Access policy was disabled
DescriptionA Conditional Access policy was disabled in Entra ID.
SeverityLow
TacticsDefenseEvasion
TechniquesT1562.007
Required data connectorsAzureActiveDirectory
KindScheduled
Query frequency5m
Query period5m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Entra ID/Analytic Rules/Conditional Access - A Conditional Access policy was disabled.yaml
Version1.0.0
Arm template40702da1-ae8a-4e46-ac1f-9327ca6ef588.json
Deploy To Azure
// A Conditional Access policy was disabled.
AuditLogs
| where OperationName in ("Update conditional access policy")
| extend stateOld = extractjson("$.state", tostring(TargetResources[0].modifiedProperties[0].oldValue))
| extend stateNew = extractjson("$.state", tostring(TargetResources[0].modifiedProperties[0].newValue))
| where stateOld == "enabled" and stateNew == "disabled"
| extend modifiedBy = tostring(InitiatedBy.user.userPrincipalName)
| extend accountName = tostring(split(modifiedBy, "@")[0])
| extend upnSuffix = tostring(split(modifiedBy, "@")[1])
| project
    TimeGenerated,
    OperationName,
    policy = TargetResources[0].displayName,
    modifiedBy,
    accountName,
    upnSuffix,
    result = Result,
    stateOld,
    stateNew
| order by TimeGenerated desc
queryPeriod: 5m
eventGroupingSettings:
  aggregationKind: AlertPerResult
name: Conditional Access - A Conditional Access policy was disabled
description: A Conditional Access policy was disabled in Entra ID.
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Entra ID/Analytic Rules/Conditional Access - A Conditional Access policy was disabled.yaml
suppressionEnabled: false
requiredDataConnectors:
- dataTypes:
  - AuditLogs
  connectorId: AzureActiveDirectory
kind: Scheduled
id: 40702da1-ae8a-4e46-ac1f-9327ca6ef588
version: 1.0.0
triggerOperator: gt
triggerThreshold: 0
query: |
  // A Conditional Access policy was disabled.
  AuditLogs
  | where OperationName in ("Update conditional access policy")
  | extend stateOld = extractjson("$.state", tostring(TargetResources[0].modifiedProperties[0].oldValue))
  | extend stateNew = extractjson("$.state", tostring(TargetResources[0].modifiedProperties[0].newValue))
  | where stateOld == "enabled" and stateNew == "disabled"
  | extend modifiedBy = tostring(InitiatedBy.user.userPrincipalName)
  | extend accountName = tostring(split(modifiedBy, "@")[0])
  | extend upnSuffix = tostring(split(modifiedBy, "@")[1])
  | project
      TimeGenerated,
      OperationName,
      policy = TargetResources[0].displayName,
      modifiedBy,
      accountName,
      upnSuffix,
      result = Result,
      stateOld,
      stateNew
  | order by TimeGenerated desc  
suppressionDuration: 5h
incidentConfiguration:
  groupingConfiguration:
    lookbackDuration: 1h
    enabled: false
    matchingMethod: AllEntities
    groupByCustomDetails: []
    reopenClosedIncident: false
    groupByAlertDetails: []
    groupByEntities: []
  createIncident: true
entityMappings:
- fieldMappings:
  - identifier: Name
    columnName: accountName
  - identifier: UPNSuffix
    columnName: upnSuffix
  entityType: Account
tactics:
- DefenseEvasion
relevantTechniques:
- T1562.007
queryFrequency: 5m
severity: Low
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/40702da1-ae8a-4e46-ac1f-9327ca6ef588')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/40702da1-ae8a-4e46-ac1f-9327ca6ef588')]",
      "properties": {
        "alertRuleTemplateName": "40702da1-ae8a-4e46-ac1f-9327ca6ef588",
        "customDetails": null,
        "description": "A Conditional Access policy was disabled in Entra ID.",
        "displayName": "Conditional Access - A Conditional Access policy was disabled",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "accountName",
                "identifier": "Name"
              },
              {
                "columnName": "upnSuffix",
                "identifier": "UPNSuffix"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": false,
            "groupByAlertDetails": [],
            "groupByCustomDetails": [],
            "groupByEntities": [],
            "lookbackDuration": "PT1H",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Entra ID/Analytic Rules/Conditional Access - A Conditional Access policy was disabled.yaml",
        "query": "// A Conditional Access policy was disabled.\nAuditLogs\n| where OperationName in (\"Update conditional access policy\")\n| extend stateOld = extractjson(\"$.state\", tostring(TargetResources[0].modifiedProperties[0].oldValue))\n| extend stateNew = extractjson(\"$.state\", tostring(TargetResources[0].modifiedProperties[0].newValue))\n| where stateOld == \"enabled\" and stateNew == \"disabled\"\n| extend modifiedBy = tostring(InitiatedBy.user.userPrincipalName)\n| extend accountName = tostring(split(modifiedBy, \"@\")[0])\n| extend upnSuffix = tostring(split(modifiedBy, \"@\")[1])\n| project\n    TimeGenerated,\n    OperationName,\n    policy = TargetResources[0].displayName,\n    modifiedBy,\n    accountName,\n    upnSuffix,\n    result = Result,\n    stateOld,\n    stateNew\n| order by TimeGenerated desc\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "Low",
        "subTechniques": [
          "T1562.007"
        ],
        "suppressionDuration": "PT5H",
        "suppressionEnabled": false,
        "tactics": [
          "DefenseEvasion"
        ],
        "techniques": [
          "T1562"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}