Conditional Access - Dynamic Group Exclusion Changes

Back


Id	c385944b-17b9-4b2b-921e-0e8d0341a675
Rulename	Conditional Access - Dynamic Group Exclusion Changes
Description	// Detects changes to Dynamic Membership Rules for specified groups (often used in CA exclusions)
Severity	High
Tactics	PrivilegeEscalation
Techniques	T1484
Required data connectors	AzureActiveDirectory
Kind	Scheduled
Query frequency	5m
Query period	5m
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Entra ID/Analytic Rules/Conditional Access - Dynamic Group Exclusion Changes.yaml
Version	1.0.1
Arm template	c385944b-17b9-4b2b-921e-0e8d0341a675.json

KQL

// Detects changes to Dynamic Membership Rules for specified groups (often used in CA exclusions)
let monitoredGroups = dynamic(["Group1", "Group2"]);  // <-- Customize this list
AuditLogs
| where OperationName == "Update group"
| where AdditionalDetails[0].value == "DynamicMembership"
| extend DynamicGroupName = tostring(TargetResources[0].displayName)
| where DynamicGroupName in (monitoredGroups)
| extend modifiedBy = tostring(InitiatedBy.user.userPrincipalName)
| extend accountName = tostring(split(modifiedBy, "@")[0])
| extend upnSuffix = tostring(split(modifiedBy, "@")[1])
| extend oldRule = tostring(TargetResources[0].modifiedProperties[0].oldValue)
| extend newRule = tostring(TargetResources[0].modifiedProperties[0].newValue)
| where oldRule != newRule
| project
    TimeGenerated,
    OperationName,
    DynamicGroupName,
    modifiedBy,
    accountName,
    upnSuffix,
    result = Result,
    oldRule,
    newRule
| order by TimeGenerated desc

YAML

suppressionEnabled: false
relevantTechniques:
- T1484
entityMappings:
- fieldMappings:
  - columnName: accountName
    identifier: Name
  - columnName: upnSuffix
    identifier: UPNSuffix
  entityType: Account
incidentConfiguration:
  groupingConfiguration:
    groupByCustomDetails: []
    reopenClosedIncident: false
    enabled: false
    matchingMethod: AllEntities
    groupByEntities: []
    lookbackDuration: PT5H
    groupByAlertDetails: []
  createIncident: true
version: 1.0.1
suppressionDuration: 5h
id: c385944b-17b9-4b2b-921e-0e8d0341a675
description: // Detects changes to Dynamic Membership Rules for specified groups (often used in CA exclusions)
requiredDataConnectors:
- connectorId: AzureActiveDirectory
  dataTypes:
  - AuditLogs
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Entra ID/Analytic Rules/Conditional Access - Dynamic Group Exclusion Changes.yaml
eventGroupingSettings:
  aggregationKind: AlertPerResult
triggerOperator: gt
queryFrequency: 5m
query: |-
  // Detects changes to Dynamic Membership Rules for specified groups (often used in CA exclusions)
  let monitoredGroups = dynamic(["Group1", "Group2"]);  // <-- Customize this list
  AuditLogs
  | where OperationName == "Update group"
  | where AdditionalDetails[0].value == "DynamicMembership"
  | extend DynamicGroupName = tostring(TargetResources[0].displayName)
  | where DynamicGroupName in (monitoredGroups)
  | extend modifiedBy = tostring(InitiatedBy.user.userPrincipalName)
  | extend accountName = tostring(split(modifiedBy, "@")[0])
  | extend upnSuffix = tostring(split(modifiedBy, "@")[1])
  | extend oldRule = tostring(TargetResources[0].modifiedProperties[0].oldValue)
  | extend newRule = tostring(TargetResources[0].modifiedProperties[0].newValue)
  | where oldRule != newRule
  | project
      TimeGenerated,
      OperationName,
      DynamicGroupName,
      modifiedBy,
      accountName,
      upnSuffix,
      result = Result,
      oldRule,
      newRule
  | order by TimeGenerated desc  
severity: High
queryPeriod: 5m
name: Conditional Access - Dynamic Group Exclusion Changes
tactics:
- PrivilegeEscalation
kind: Scheduled

ARM