Conditional Access - A Conditional Access Device platforms condition has changed the Device platforms condition can be spoofed

// A Conditional Access Device platforms condition has changed (the Device platforms condition can be spoofed).
AuditLogs
| where OperationName in ("Update conditional access policy")
| extend excludePlatformsOld = extractjson("$.conditions.platforms.excludePlatforms", tostring(TargetResources[0].modifiedProperties[0].oldValue))
| extend excludePlatformsNew = extractjson("$.conditions.platforms.excludePlatforms", tostring(TargetResources[0].modifiedProperties[0].newValue))
| where excludePlatformsOld != excludePlatformsNew
| extend modifiedBy = tostring(InitiatedBy.user.userPrincipalName)
| extend accountName = tostring(split(modifiedBy, "@")[0])
| extend upnSuffix = tostring(split(modifiedBy, "@")[1])
| project
    TimeGenerated,
    OperationName,
    policy = TargetResources[0].displayName,
    modifiedBy,
    accountName,
    upnSuffix,
    result = Result,
    excludePlatformsOld,
    excludePlatformsNew
| order by TimeGenerated desc

incidentConfiguration:
  groupingConfiguration:
    enabled: false
    groupByEntities: []
    matchingMethod: AllEntities
    groupByAlertDetails: []
    groupByCustomDetails: []
    reopenClosedIncident: false
    lookbackDuration: PT1H
  createIncident: true
id: e3368079-a2c0-4f1c-9fb7-287e907393ef
query: |
  // A Conditional Access Device platforms condition has changed (the Device platforms condition can be spoofed).
  AuditLogs
  | where OperationName in ("Update conditional access policy")
  | extend excludePlatformsOld = extractjson("$.conditions.platforms.excludePlatforms", tostring(TargetResources[0].modifiedProperties[0].oldValue))
  | extend excludePlatformsNew = extractjson("$.conditions.platforms.excludePlatforms", tostring(TargetResources[0].modifiedProperties[0].newValue))
  | where excludePlatformsOld != excludePlatformsNew
  | extend modifiedBy = tostring(InitiatedBy.user.userPrincipalName)
  | extend accountName = tostring(split(modifiedBy, "@")[0])
  | extend upnSuffix = tostring(split(modifiedBy, "@")[1])
  | project
      TimeGenerated,
      OperationName,
      policy = TargetResources[0].displayName,
      modifiedBy,
      accountName,
      upnSuffix,
      result = Result,
      excludePlatformsOld,
      excludePlatformsNew
  | order by TimeGenerated desc  
description: A Conditional Access Device platforms condition has changed (the Device platforms condition can be spoofed) in Entra ID.
requiredDataConnectors:
- connectorId: AzureActiveDirectory
  dataTypes:
  - AuditLogs
tactics:
- DefenseEvasion
queryFrequency: 5m
queryPeriod: 5m
suppressionEnabled: false
triggerOperator: gt
kind: Scheduled
name: Conditional Access - A Conditional Access Device platforms condition has changed (the Device platforms condition can be spoofed)
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Entra ID/Analytic Rules/Conditional Access - A Conditional Access Device platforms condition has changed (the Device platforms condition can be spoofed).yaml
version: 1.0.1
eventGroupingSettings:
  aggregationKind: AlertPerResult
relevantTechniques:
- T1562.007
suppressionDuration: 5h
severity: Low
entityMappings:
- fieldMappings:
  - identifier: Name
    columnName: accountName
  - identifier: UPNSuffix
    columnName: upnSuffix
  entityType: Account
triggerThreshold: 0