Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Conditional Access - A Conditional Access policy was updated

Back
Idccca6b88-a7b6-41c9-9be2-fc3daeb65b26
RulenameConditional Access - A Conditional Access policy was updated
DescriptionA Conditional Access policy was updated in Entra ID.
SeverityInformational
TacticsDefenseEvasion
TechniquesT1562
Required data connectorsAzureActiveDirectory
KindScheduled
Query frequency5m
Query period5m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Entra ID/Analytic Rules/Conditional Access - A Conditional Access policy was updated.yaml
Version1.0.0
Arm templateccca6b88-a7b6-41c9-9be2-fc3daeb65b26.json
Deploy To Azure
// A Conditional Access policy was updated.
AuditLogs
| where OperationName == "Update conditional access policy"
| extend
    policy = tostring(TargetResources[0].displayName),
    modifiedBy = tostring(InitiatedBy.user.userPrincipalName),
    oldPolicy = tostring(TargetResources[0].modifiedProperties[0].oldValue),
    newPolicy = tostring(TargetResources[0].modifiedProperties[0].newValue)
| extend
    accountName = tostring(split(modifiedBy, "@")[0]),
    upnSuffix = tostring(split(modifiedBy, "@")[1])
| project
    TimeGenerated,
    OperationName,
    policy,
    modifiedBy,
    accountName,
    upnSuffix,
    oldPolicy,
    newPolicy,
    Result
description: A Conditional Access policy was updated in Entra ID.
queryPeriod: 5m
suppressionDuration: 5h
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Entra ID/Analytic Rules/Conditional Access - A Conditional Access policy was updated.yaml
id: ccca6b88-a7b6-41c9-9be2-fc3daeb65b26
kind: Scheduled
requiredDataConnectors:
- connectorId: AzureActiveDirectory
  dataTypes:
  - AuditLogs
tactics:
- DefenseEvasion
severity: Informational
triggerOperator: gt
incidentConfiguration:
  groupingConfiguration:
    lookbackDuration: 1h
    reopenClosedIncident: false
    groupByCustomDetails: []
    groupByEntities: []
    matchingMethod: AllEntities
    enabled: false
    groupByAlertDetails: []
  createIncident: true
version: 1.0.0
query: |+
  // A Conditional Access policy was updated.
  AuditLogs
  | where OperationName == "Update conditional access policy"
  | extend
      policy = tostring(TargetResources[0].displayName),
      modifiedBy = tostring(InitiatedBy.user.userPrincipalName),
      oldPolicy = tostring(TargetResources[0].modifiedProperties[0].oldValue),
      newPolicy = tostring(TargetResources[0].modifiedProperties[0].newValue)
  | extend
      accountName = tostring(split(modifiedBy, "@")[0]),
      upnSuffix = tostring(split(modifiedBy, "@")[1])
  | project
      TimeGenerated,
      OperationName,
      policy,
      modifiedBy,
      accountName,
      upnSuffix,
      oldPolicy,
      newPolicy,
      Result  

eventGroupingSettings:
  aggregationKind: AlertPerResult
queryFrequency: 5m
suppressionEnabled: false
relevantTechniques:
- T1562
name: Conditional Access - A Conditional Access policy was updated
entityMappings:
- fieldMappings:
  - columnName: accountName
    identifier: Name
  - columnName: upnSuffix
    identifier: UPNSuffix
  entityType: Account
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/ccca6b88-a7b6-41c9-9be2-fc3daeb65b26')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/ccca6b88-a7b6-41c9-9be2-fc3daeb65b26')]",
      "properties": {
        "alertRuleTemplateName": "ccca6b88-a7b6-41c9-9be2-fc3daeb65b26",
        "customDetails": null,
        "description": "A Conditional Access policy was updated in Entra ID.",
        "displayName": "Conditional Access - A Conditional Access policy was updated",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "accountName",
                "identifier": "Name"
              },
              {
                "columnName": "upnSuffix",
                "identifier": "UPNSuffix"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": false,
            "groupByAlertDetails": [],
            "groupByCustomDetails": [],
            "groupByEntities": [],
            "lookbackDuration": "PT1H",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Entra ID/Analytic Rules/Conditional Access - A Conditional Access policy was updated.yaml",
        "query": "// A Conditional Access policy was updated.\nAuditLogs\n| where OperationName == \"Update conditional access policy\"\n| extend\n    policy = tostring(TargetResources[0].displayName),\n    modifiedBy = tostring(InitiatedBy.user.userPrincipalName),\n    oldPolicy = tostring(TargetResources[0].modifiedProperties[0].oldValue),\n    newPolicy = tostring(TargetResources[0].modifiedProperties[0].newValue)\n| extend\n    accountName = tostring(split(modifiedBy, \"@\")[0]),\n    upnSuffix = tostring(split(modifiedBy, \"@\")[1])\n| project\n    TimeGenerated,\n    OperationName,\n    policy,\n    modifiedBy,\n    accountName,\n    upnSuffix,\n    oldPolicy,\n    newPolicy,\n    Result\n\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "Informational",
        "subTechniques": [],
        "suppressionDuration": "PT5H",
        "suppressionEnabled": false,
        "tactics": [
          "DefenseEvasion"
        ],
        "techniques": [
          "T1562"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}