Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Conditional Access - A Conditional Access policy was put into report-only mode

Conditional Access - A Conditional Access policy was put into report-only mode

Back
Id5588de32-73b1-40b9-bddc-4d9e74051859
RulenameConditional Access - A Conditional Access policy was put into report-only mode
DescriptionA Conditional Access policy was put into report-only mode in Entra ID.
SeverityLow
TacticsDefenseEvasion
TechniquesT1562.007
Required data connectorsAzureActiveDirectory
KindScheduled
Query frequency5m
Query period5m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Entra ID/Analytic Rules/Conditional Access - A Conditional Access policy was put into report-only mode.yaml
Version1.0.1
Arm template5588de32-73b1-40b9-bddc-4d9e74051859.json
Deploy To Azure
// A Conditional Access policy was put into report-only mode.
AuditLogs
| where OperationName in ("Update conditional access policy")
| extend stateOld = extractjson("$.state", tostring(TargetResources[0].modifiedProperties[0].oldValue))
| extend stateNew = extractjson("$.state", tostring(TargetResources[0].modifiedProperties[0].newValue))
| where stateOld == "enabled" and stateNew == "enabledForReportingButNotEnforced"
| extend modifiedBy = tostring(InitiatedBy.user.userPrincipalName)
| extend accountName = tostring(split(modifiedBy, "@")[0])
| extend upnSuffix = tostring(split(modifiedBy, "@")[1])
| project
    TimeGenerated,
    OperationName,
    policy = TargetResources[0].displayName,
    modifiedBy,
    accountName,
    upnSuffix,
    result = Result,
    stateOld,
    stateNew
| order by TimeGenerated desc

description: A Conditional Access policy was put into report-only mode in Entra ID.
tactics:
- DefenseEvasion
suppressionEnabled: false
suppressionDuration: 5h
requiredDataConnectors:
- dataTypes:
  - AuditLogs
  connectorId: AzureActiveDirectory
incidentConfiguration:
  groupingConfiguration:
    reopenClosedIncident: false
    groupByAlertDetails: []
    lookbackDuration: PT5M
    groupByEntities: []
    groupByCustomDetails: []
    enabled: false
    matchingMethod: AllEntities
  createIncident: true
id: 5588de32-73b1-40b9-bddc-4d9e74051859
severity: Low
eventGroupingSettings:
  aggregationKind: AlertPerResult
query: |
  // A Conditional Access policy was put into report-only mode.
  AuditLogs
  | where OperationName in ("Update conditional access policy")
  | extend stateOld = extractjson("$.state", tostring(TargetResources[0].modifiedProperties[0].oldValue))
  | extend stateNew = extractjson("$.state", tostring(TargetResources[0].modifiedProperties[0].newValue))
  | where stateOld == "enabled" and stateNew == "enabledForReportingButNotEnforced"
  | extend modifiedBy = tostring(InitiatedBy.user.userPrincipalName)
  | extend accountName = tostring(split(modifiedBy, "@")[0])
  | extend upnSuffix = tostring(split(modifiedBy, "@")[1])
  | project
      TimeGenerated,
      OperationName,
      policy = TargetResources[0].displayName,
      modifiedBy,
      accountName,
      upnSuffix,
      result = Result,
      stateOld,
      stateNew
  | order by TimeGenerated desc  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Entra ID/Analytic Rules/Conditional Access - A Conditional Access policy was put into report-only mode.yaml
kind: Scheduled
queryPeriod: 5m
name: Conditional Access - A Conditional Access policy was put into report-only mode
queryFrequency: 5m
triggerThreshold: 0
relevantTechniques:
- T1562.007
version: 1.0.1
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: Name
    columnName: accountName
  - identifier: UPNSuffix
    columnName: upnSuffix
triggerOperator: gt