Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Conditional Access - Dynamic Group Exclusion Changes

Conditional Access - Dynamic Group Exclusion Changes

Back
Idc385944b-17b9-4b2b-921e-0e8d0341a675
RulenameConditional Access - Dynamic Group Exclusion Changes
Description// Detects changes to Dynamic Membership Rules for specified groups (often used in CA exclusions)
SeverityHigh
TacticsPrivilegeEscalation
TechniquesT1484
Required data connectorsAzureActiveDirectory
KindScheduled
Query frequency5m
Query period5m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Entra ID/Analytic Rules/Conditional Access - Dynamic Group Exclusion Changes.yaml
Version1.0.1
Arm templatec385944b-17b9-4b2b-921e-0e8d0341a675.json
Deploy To Azure
// Detects changes to Dynamic Membership Rules for specified groups (often used in CA exclusions)
let monitoredGroups = dynamic(["Group1", "Group2"]);  // <-- Customize this list
AuditLogs
| where OperationName == "Update group"
| where AdditionalDetails[0].value == "DynamicMembership"
| extend DynamicGroupName = tostring(TargetResources[0].displayName)
| where DynamicGroupName in (monitoredGroups)
| extend modifiedBy = tostring(InitiatedBy.user.userPrincipalName)
| extend accountName = tostring(split(modifiedBy, "@")[0])
| extend upnSuffix = tostring(split(modifiedBy, "@")[1])
| extend oldRule = tostring(TargetResources[0].modifiedProperties[0].oldValue)
| extend newRule = tostring(TargetResources[0].modifiedProperties[0].newValue)
| where oldRule != newRule
| project
    TimeGenerated,
    OperationName,
    DynamicGroupName,
    modifiedBy,
    accountName,
    upnSuffix,
    result = Result,
    oldRule,
    newRule
| order by TimeGenerated desc

triggerOperator: gt
description: // Detects changes to Dynamic Membership Rules for specified groups (often used in CA exclusions)
eventGroupingSettings:
  aggregationKind: AlertPerResult
version: 1.0.1
suppressionEnabled: false
triggerThreshold: 0
suppressionDuration: 5h
requiredDataConnectors:
- dataTypes:
  - AuditLogs
  connectorId: AzureActiveDirectory
tactics:
- PrivilegeEscalation
relevantTechniques:
- T1484
query: |-
  // Detects changes to Dynamic Membership Rules for specified groups (often used in CA exclusions)
  let monitoredGroups = dynamic(["Group1", "Group2"]);  // <-- Customize this list
  AuditLogs
  | where OperationName == "Update group"
  | where AdditionalDetails[0].value == "DynamicMembership"
  | extend DynamicGroupName = tostring(TargetResources[0].displayName)
  | where DynamicGroupName in (monitoredGroups)
  | extend modifiedBy = tostring(InitiatedBy.user.userPrincipalName)
  | extend accountName = tostring(split(modifiedBy, "@")[0])
  | extend upnSuffix = tostring(split(modifiedBy, "@")[1])
  | extend oldRule = tostring(TargetResources[0].modifiedProperties[0].oldValue)
  | extend newRule = tostring(TargetResources[0].modifiedProperties[0].newValue)
  | where oldRule != newRule
  | project
      TimeGenerated,
      OperationName,
      DynamicGroupName,
      modifiedBy,
      accountName,
      upnSuffix,
      result = Result,
      oldRule,
      newRule
  | order by TimeGenerated desc  
id: c385944b-17b9-4b2b-921e-0e8d0341a675
severity: High
name: Conditional Access - Dynamic Group Exclusion Changes
entityMappings:
- fieldMappings:
  - identifier: Name
    columnName: accountName
  - identifier: UPNSuffix
    columnName: upnSuffix
  entityType: Account
queryFrequency: 5m
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: false
    reopenClosedIncident: false
    groupByEntities: []
    groupByCustomDetails: []
    lookbackDuration: PT5H
    groupByAlertDetails: []
    matchingMethod: AllEntities
queryPeriod: 5m
kind: Scheduled
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Entra ID/Analytic Rules/Conditional Access - Dynamic Group Exclusion Changes.yaml

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/c385944b-17b9-4b2b-921e-0e8d0341a675')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/c385944b-17b9-4b2b-921e-0e8d0341a675')]",
      "properties": {
        "alertRuleTemplateName": "c385944b-17b9-4b2b-921e-0e8d0341a675",
        "customDetails": null,
        "description": "// Detects changes to Dynamic Membership Rules for specified groups (often used in CA exclusions)",
        "displayName": "Conditional Access - Dynamic Group Exclusion Changes",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "accountName",
                "identifier": "Name"
              },
              {
                "columnName": "upnSuffix",
                "identifier": "UPNSuffix"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": false,
            "groupByAlertDetails": [],
            "groupByCustomDetails": [],
            "groupByEntities": [],
            "lookbackDuration": "PT5H",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Entra ID/Analytic Rules/Conditional Access - Dynamic Group Exclusion Changes.yaml",
        "query": "// Detects changes to Dynamic Membership Rules for specified groups (often used in CA exclusions)\nlet monitoredGroups = dynamic([\"Group1\", \"Group2\"]);  // <-- Customize this list\nAuditLogs\n| where OperationName == \"Update group\"\n| where AdditionalDetails[0].value == \"DynamicMembership\"\n| extend DynamicGroupName = tostring(TargetResources[0].displayName)\n| where DynamicGroupName in (monitoredGroups)\n| extend modifiedBy = tostring(InitiatedBy.user.userPrincipalName)\n| extend accountName = tostring(split(modifiedBy, \"@\")[0])\n| extend upnSuffix = tostring(split(modifiedBy, \"@\")[1])\n| extend oldRule = tostring(TargetResources[0].modifiedProperties[0].oldValue)\n| extend newRule = tostring(TargetResources[0].modifiedProperties[0].newValue)\n| where oldRule != newRule\n| project\n    TimeGenerated,\n    OperationName,\n    DynamicGroupName,\n    modifiedBy,\n    accountName,\n    upnSuffix,\n    result = Result,\n    oldRule,\n    newRule\n| order by TimeGenerated desc",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "High",
        "subTechniques": [],
        "suppressionDuration": "PT5H",
        "suppressionEnabled": false,
        "tactics": [
          "PrivilegeEscalation"
        ],
        "techniques": [
          "T1484"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}