Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Conditional Access - A Conditional Access policy was updated

Back
Idccca6b88-a7b6-41c9-9be2-fc3daeb65b26
RulenameConditional Access - A Conditional Access policy was updated
DescriptionA Conditional Access policy was updated in Entra ID.
SeverityInformational
TacticsDefenseEvasion
TechniquesT1562
Required data connectorsAzureActiveDirectory
KindScheduled
Query frequency5m
Query period5m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Entra ID/Analytic Rules/Conditional Access - A Conditional Access policy was updated.yaml
Version1.0.0
Arm templateccca6b88-a7b6-41c9-9be2-fc3daeb65b26.json
Deploy To Azure
// A Conditional Access policy was updated.
AuditLogs
| where OperationName == "Update conditional access policy"
| extend
    policy = tostring(TargetResources[0].displayName),
    modifiedBy = tostring(InitiatedBy.user.userPrincipalName),
    oldPolicy = tostring(TargetResources[0].modifiedProperties[0].oldValue),
    newPolicy = tostring(TargetResources[0].modifiedProperties[0].newValue)
| extend
    accountName = tostring(split(modifiedBy, "@")[0]),
    upnSuffix = tostring(split(modifiedBy, "@")[1])
| project
    TimeGenerated,
    OperationName,
    policy,
    modifiedBy,
    accountName,
    upnSuffix,
    oldPolicy,
    newPolicy,
    Result
queryPeriod: 5m
eventGroupingSettings:
  aggregationKind: AlertPerResult
name: Conditional Access - A Conditional Access policy was updated
description: A Conditional Access policy was updated in Entra ID.
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Entra ID/Analytic Rules/Conditional Access - A Conditional Access policy was updated.yaml
suppressionEnabled: false
requiredDataConnectors:
- dataTypes:
  - AuditLogs
  connectorId: AzureActiveDirectory
kind: Scheduled
id: ccca6b88-a7b6-41c9-9be2-fc3daeb65b26
version: 1.0.0
triggerOperator: gt
triggerThreshold: 0
query: |+
  // A Conditional Access policy was updated.
  AuditLogs
  | where OperationName == "Update conditional access policy"
  | extend
      policy = tostring(TargetResources[0].displayName),
      modifiedBy = tostring(InitiatedBy.user.userPrincipalName),
      oldPolicy = tostring(TargetResources[0].modifiedProperties[0].oldValue),
      newPolicy = tostring(TargetResources[0].modifiedProperties[0].newValue)
  | extend
      accountName = tostring(split(modifiedBy, "@")[0]),
      upnSuffix = tostring(split(modifiedBy, "@")[1])
  | project
      TimeGenerated,
      OperationName,
      policy,
      modifiedBy,
      accountName,
      upnSuffix,
      oldPolicy,
      newPolicy,
      Result  

suppressionDuration: 5h
incidentConfiguration:
  groupingConfiguration:
    lookbackDuration: 1h
    enabled: false
    matchingMethod: AllEntities
    groupByCustomDetails: []
    reopenClosedIncident: false
    groupByAlertDetails: []
    groupByEntities: []
  createIncident: true
entityMappings:
- fieldMappings:
  - identifier: Name
    columnName: accountName
  - identifier: UPNSuffix
    columnName: upnSuffix
  entityType: Account
tactics:
- DefenseEvasion
relevantTechniques:
- T1562
queryFrequency: 5m
severity: Informational
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/ccca6b88-a7b6-41c9-9be2-fc3daeb65b26')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/ccca6b88-a7b6-41c9-9be2-fc3daeb65b26')]",
      "properties": {
        "alertRuleTemplateName": "ccca6b88-a7b6-41c9-9be2-fc3daeb65b26",
        "customDetails": null,
        "description": "A Conditional Access policy was updated in Entra ID.",
        "displayName": "Conditional Access - A Conditional Access policy was updated",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "accountName",
                "identifier": "Name"
              },
              {
                "columnName": "upnSuffix",
                "identifier": "UPNSuffix"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": false,
            "groupByAlertDetails": [],
            "groupByCustomDetails": [],
            "groupByEntities": [],
            "lookbackDuration": "PT1H",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Entra ID/Analytic Rules/Conditional Access - A Conditional Access policy was updated.yaml",
        "query": "// A Conditional Access policy was updated.\nAuditLogs\n| where OperationName == \"Update conditional access policy\"\n| extend\n    policy = tostring(TargetResources[0].displayName),\n    modifiedBy = tostring(InitiatedBy.user.userPrincipalName),\n    oldPolicy = tostring(TargetResources[0].modifiedProperties[0].oldValue),\n    newPolicy = tostring(TargetResources[0].modifiedProperties[0].newValue)\n| extend\n    accountName = tostring(split(modifiedBy, \"@\")[0]),\n    upnSuffix = tostring(split(modifiedBy, \"@\")[1])\n| project\n    TimeGenerated,\n    OperationName,\n    policy,\n    modifiedBy,\n    accountName,\n    upnSuffix,\n    oldPolicy,\n    newPolicy,\n    Result\n\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "Informational",
        "subTechniques": [],
        "suppressionDuration": "PT5H",
        "suppressionEnabled": false,
        "tactics": [
          "DefenseEvasion"
        ],
        "techniques": [
          "T1562"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}