Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Conditional Access - A Conditional Access policy was updated

Conditional Access - A Conditional Access policy was updated

Back
Idccca6b88-a7b6-41c9-9be2-fc3daeb65b26
RulenameConditional Access - A Conditional Access policy was updated
DescriptionA Conditional Access policy was updated in Entra ID.
SeverityInformational
TacticsDefenseEvasion
TechniquesT1562
Required data connectorsAzureActiveDirectory
KindScheduled
Query frequency5m
Query period5m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Entra ID/Analytic Rules/Conditional Access - A Conditional Access policy was updated.yaml
Version1.0.1
Arm templateccca6b88-a7b6-41c9-9be2-fc3daeb65b26.json
Deploy To Azure
// A Conditional Access policy was updated.
AuditLogs
| where OperationName == "Update conditional access policy"
| extend
    policy = tostring(TargetResources[0].displayName),
    modifiedBy = tostring(InitiatedBy.user.userPrincipalName),
    oldPolicy = tostring(TargetResources[0].modifiedProperties[0].oldValue),
    newPolicy = tostring(TargetResources[0].modifiedProperties[0].newValue)
| extend
    accountName = tostring(split(modifiedBy, "@")[0]),
    upnSuffix = tostring(split(modifiedBy, "@")[1])
| project
    TimeGenerated,
    OperationName,
    policy,
    modifiedBy,
    accountName,
    upnSuffix,
    oldPolicy,
    newPolicy,
    Result

OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Entra ID/Analytic Rules/Conditional Access - A Conditional Access policy was updated.yaml
suppressionEnabled: false
incidentConfiguration:
  groupingConfiguration:
    reopenClosedIncident: false
    matchingMethod: AllEntities
    lookbackDuration: PT1H
    groupByCustomDetails: []
    groupByEntities: []
    enabled: false
    groupByAlertDetails: []
  createIncident: true
suppressionDuration: 5h
queryPeriod: 5m
name: Conditional Access - A Conditional Access policy was updated
eventGroupingSettings:
  aggregationKind: AlertPerResult
entityMappings:
- fieldMappings:
  - columnName: accountName
    identifier: Name
  - columnName: upnSuffix
    identifier: UPNSuffix
  entityType: Account
version: 1.0.1
description: A Conditional Access policy was updated in Entra ID.
severity: Informational
id: ccca6b88-a7b6-41c9-9be2-fc3daeb65b26
tactics:
- DefenseEvasion
requiredDataConnectors:
- connectorId: AzureActiveDirectory
  dataTypes:
  - AuditLogs
queryFrequency: 5m
triggerThreshold: 0
query: |+
  // A Conditional Access policy was updated.
  AuditLogs
  | where OperationName == "Update conditional access policy"
  | extend
      policy = tostring(TargetResources[0].displayName),
      modifiedBy = tostring(InitiatedBy.user.userPrincipalName),
      oldPolicy = tostring(TargetResources[0].modifiedProperties[0].oldValue),
      newPolicy = tostring(TargetResources[0].modifiedProperties[0].newValue)
  | extend
      accountName = tostring(split(modifiedBy, "@")[0]),
      upnSuffix = tostring(split(modifiedBy, "@")[1])
  | project
      TimeGenerated,
      OperationName,
      policy,
      modifiedBy,
      accountName,
      upnSuffix,
      oldPolicy,
      newPolicy,
      Result  

relevantTechniques:
- T1562
kind: Scheduled
triggerOperator: gt