Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Conditional Access - A Conditional Access policy was updated

Conditional Access - A Conditional Access policy was updated

Back
Idccca6b88-a7b6-41c9-9be2-fc3daeb65b26
RulenameConditional Access - A Conditional Access policy was updated
DescriptionA Conditional Access policy was updated in Entra ID.
SeverityInformational
TacticsDefenseEvasion
TechniquesT1562
Required data connectorsAzureActiveDirectory
KindScheduled
Query frequency5m
Query period5m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Entra ID/Analytic Rules/Conditional Access - A Conditional Access policy was updated.yaml
Version1.0.1
Arm templateccca6b88-a7b6-41c9-9be2-fc3daeb65b26.json
Deploy To Azure
// A Conditional Access policy was updated.
AuditLogs
| where OperationName == "Update conditional access policy"
| extend
    policy = tostring(TargetResources[0].displayName),
    modifiedBy = tostring(InitiatedBy.user.userPrincipalName),
    oldPolicy = tostring(TargetResources[0].modifiedProperties[0].oldValue),
    newPolicy = tostring(TargetResources[0].modifiedProperties[0].newValue)
| extend
    accountName = tostring(split(modifiedBy, "@")[0]),
    upnSuffix = tostring(split(modifiedBy, "@")[1])
| project
    TimeGenerated,
    OperationName,
    policy,
    modifiedBy,
    accountName,
    upnSuffix,
    oldPolicy,
    newPolicy,
    Result

queryFrequency: 5m
eventGroupingSettings:
  aggregationKind: AlertPerResult
id: ccca6b88-a7b6-41c9-9be2-fc3daeb65b26
triggerOperator: gt
incidentConfiguration:
  groupingConfiguration:
    groupByCustomDetails: []
    enabled: false
    lookbackDuration: PT1H
    groupByEntities: []
    matchingMethod: AllEntities
    groupByAlertDetails: []
    reopenClosedIncident: false
  createIncident: true
query: |+
  // A Conditional Access policy was updated.
  AuditLogs
  | where OperationName == "Update conditional access policy"
  | extend
      policy = tostring(TargetResources[0].displayName),
      modifiedBy = tostring(InitiatedBy.user.userPrincipalName),
      oldPolicy = tostring(TargetResources[0].modifiedProperties[0].oldValue),
      newPolicy = tostring(TargetResources[0].modifiedProperties[0].newValue)
  | extend
      accountName = tostring(split(modifiedBy, "@")[0]),
      upnSuffix = tostring(split(modifiedBy, "@")[1])
  | project
      TimeGenerated,
      OperationName,
      policy,
      modifiedBy,
      accountName,
      upnSuffix,
      oldPolicy,
      newPolicy,
      Result  

entityMappings:
- fieldMappings:
  - identifier: Name
    columnName: accountName
  - identifier: UPNSuffix
    columnName: upnSuffix
  entityType: Account
queryPeriod: 5m
suppressionEnabled: false
name: Conditional Access - A Conditional Access policy was updated
triggerThreshold: 0
relevantTechniques:
- T1562
kind: Scheduled
requiredDataConnectors:
- connectorId: AzureActiveDirectory
  dataTypes:
  - AuditLogs
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Entra ID/Analytic Rules/Conditional Access - A Conditional Access policy was updated.yaml
version: 1.0.1
severity: Informational
description: A Conditional Access policy was updated in Entra ID.
tactics:
- DefenseEvasion
suppressionDuration: 5h