Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Conditional Access - A Conditional Access policy was updated

Conditional Access - A Conditional Access policy was updated

Back
Idccca6b88-a7b6-41c9-9be2-fc3daeb65b26
RulenameConditional Access - A Conditional Access policy was updated
DescriptionA Conditional Access policy was updated in Entra ID.
SeverityInformational
TacticsDefenseEvasion
TechniquesT1562
Required data connectorsAzureActiveDirectory
KindScheduled
Query frequency5m
Query period5m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Entra ID/Analytic Rules/Conditional Access - A Conditional Access policy was updated.yaml
Version1.0.1
Arm templateccca6b88-a7b6-41c9-9be2-fc3daeb65b26.json
Deploy To Azure
// A Conditional Access policy was updated.
AuditLogs
| where OperationName == "Update conditional access policy"
| extend
    policy = tostring(TargetResources[0].displayName),
    modifiedBy = tostring(InitiatedBy.user.userPrincipalName),
    oldPolicy = tostring(TargetResources[0].modifiedProperties[0].oldValue),
    newPolicy = tostring(TargetResources[0].modifiedProperties[0].newValue)
| extend
    accountName = tostring(split(modifiedBy, "@")[0]),
    upnSuffix = tostring(split(modifiedBy, "@")[1])
| project
    TimeGenerated,
    OperationName,
    policy,
    modifiedBy,
    accountName,
    upnSuffix,
    oldPolicy,
    newPolicy,
    Result

tactics:
- DefenseEvasion
id: ccca6b88-a7b6-41c9-9be2-fc3daeb65b26
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Entra ID/Analytic Rules/Conditional Access - A Conditional Access policy was updated.yaml
suppressionEnabled: false
description: A Conditional Access policy was updated in Entra ID.
version: 1.0.1
severity: Informational
triggerThreshold: 0
entityMappings:
- fieldMappings:
  - identifier: Name
    columnName: accountName
  - identifier: UPNSuffix
    columnName: upnSuffix
  entityType: Account
kind: Scheduled
name: Conditional Access - A Conditional Access policy was updated
query: |+
  // A Conditional Access policy was updated.
  AuditLogs
  | where OperationName == "Update conditional access policy"
  | extend
      policy = tostring(TargetResources[0].displayName),
      modifiedBy = tostring(InitiatedBy.user.userPrincipalName),
      oldPolicy = tostring(TargetResources[0].modifiedProperties[0].oldValue),
      newPolicy = tostring(TargetResources[0].modifiedProperties[0].newValue)
  | extend
      accountName = tostring(split(modifiedBy, "@")[0]),
      upnSuffix = tostring(split(modifiedBy, "@")[1])
  | project
      TimeGenerated,
      OperationName,
      policy,
      modifiedBy,
      accountName,
      upnSuffix,
      oldPolicy,
      newPolicy,
      Result  

suppressionDuration: 5h
queryPeriod: 5m
eventGroupingSettings:
  aggregationKind: AlertPerResult
queryFrequency: 5m
triggerOperator: gt
incidentConfiguration:
  groupingConfiguration:
    matchingMethod: AllEntities
    reopenClosedIncident: false
    groupByEntities: []
    lookbackDuration: PT1H
    groupByCustomDetails: []
    enabled: false
    groupByAlertDetails: []
  createIncident: true
requiredDataConnectors:
- connectorId: AzureActiveDirectory
  dataTypes:
  - AuditLogs
relevantTechniques:
- T1562