Conditional Access - A Conditional Access Device platforms condition has changed the Device platforms condition can be spoofed

Back


Id	e3368079-a2c0-4f1c-9fb7-287e907393ef
Rulename	Conditional Access - A Conditional Access Device platforms condition has changed (the Device platforms condition can be spoofed)
Description	A Conditional Access Device platforms condition has changed (the Device platforms condition can be spoofed) in Entra ID.
Severity	Low
Tactics	DefenseEvasion
Techniques	T1562.007
Required data connectors	AzureActiveDirectory
Kind	Scheduled
Query frequency	5m
Query period	5m
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Entra ID/Analytic Rules/Conditional Access - A Conditional Access Device platforms condition has changed (the Device platforms condition can be spoofed).yaml
Version	1.0.1
Arm template	e3368079-a2c0-4f1c-9fb7-287e907393ef.json

KQL

// A Conditional Access Device platforms condition has changed (the Device platforms condition can be spoofed).
AuditLogs
| where OperationName in ("Update conditional access policy")
| extend excludePlatformsOld = extractjson("$.conditions.platforms.excludePlatforms", tostring(TargetResources[0].modifiedProperties[0].oldValue))
| extend excludePlatformsNew = extractjson("$.conditions.platforms.excludePlatforms", tostring(TargetResources[0].modifiedProperties[0].newValue))
| where excludePlatformsOld != excludePlatformsNew
| extend modifiedBy = tostring(InitiatedBy.user.userPrincipalName)
| extend accountName = tostring(split(modifiedBy, "@")[0])
| extend upnSuffix = tostring(split(modifiedBy, "@")[1])
| project
    TimeGenerated,
    OperationName,
    policy = TargetResources[0].displayName,
    modifiedBy,
    accountName,
    upnSuffix,
    result = Result,
    excludePlatformsOld,
    excludePlatformsNew
| order by TimeGenerated desc

YAML

requiredDataConnectors:
- dataTypes:
  - AuditLogs
  connectorId: AzureActiveDirectory
severity: Low
kind: Scheduled
name: Conditional Access - A Conditional Access Device platforms condition has changed (the Device platforms condition can be spoofed)
version: 1.0.1
query: |
  // A Conditional Access Device platforms condition has changed (the Device platforms condition can be spoofed).
  AuditLogs
  | where OperationName in ("Update conditional access policy")
  | extend excludePlatformsOld = extractjson("$.conditions.platforms.excludePlatforms", tostring(TargetResources[0].modifiedProperties[0].oldValue))
  | extend excludePlatformsNew = extractjson("$.conditions.platforms.excludePlatforms", tostring(TargetResources[0].modifiedProperties[0].newValue))
  | where excludePlatformsOld != excludePlatformsNew
  | extend modifiedBy = tostring(InitiatedBy.user.userPrincipalName)
  | extend accountName = tostring(split(modifiedBy, "@")[0])
  | extend upnSuffix = tostring(split(modifiedBy, "@")[1])
  | project
      TimeGenerated,
      OperationName,
      policy = TargetResources[0].displayName,
      modifiedBy,
      accountName,
      upnSuffix,
      result = Result,
      excludePlatformsOld,
      excludePlatformsNew
  | order by TimeGenerated desc  
queryPeriod: 5m
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    reopenClosedIncident: false
    enabled: false
    lookbackDuration: PT1H
    groupByCustomDetails: []
    groupByAlertDetails: []
    matchingMethod: AllEntities
    groupByEntities: []
id: e3368079-a2c0-4f1c-9fb7-287e907393ef
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Entra ID/Analytic Rules/Conditional Access - A Conditional Access Device platforms condition has changed (the Device platforms condition can be spoofed).yaml
description: A Conditional Access Device platforms condition has changed (the Device platforms condition can be spoofed) in Entra ID.
eventGroupingSettings:
  aggregationKind: AlertPerResult
suppressionEnabled: false
triggerThreshold: 0
relevantTechniques:
- T1562.007
entityMappings:
- fieldMappings:
  - columnName: accountName
    identifier: Name
  - columnName: upnSuffix
    identifier: UPNSuffix
  entityType: Account
queryFrequency: 5m
triggerOperator: gt
tactics:
- DefenseEvasion
suppressionDuration: 5h

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/e3368079-a2c0-4f1c-9fb7-287e907393ef')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/e3368079-a2c0-4f1c-9fb7-287e907393ef')]",
      "properties": {
        "alertRuleTemplateName": "e3368079-a2c0-4f1c-9fb7-287e907393ef",
        "customDetails": null,
        "description": "A Conditional Access Device platforms condition has changed (the Device platforms condition can be spoofed) in Entra ID.",
        "displayName": "Conditional Access - A Conditional Access Device platforms condition has changed (the Device platforms condition can be spoofed)",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "accountName",
                "identifier": "Name"
              },
              {
                "columnName": "upnSuffix",
                "identifier": "UPNSuffix"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": false,
            "groupByAlertDetails": [],
            "groupByCustomDetails": [],
            "groupByEntities": [],
            "lookbackDuration": "PT1H",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Entra ID/Analytic Rules/Conditional Access - A Conditional Access Device platforms condition has changed (the Device platforms condition can be spoofed).yaml",
        "query": "// A Conditional Access Device platforms condition has changed (the Device platforms condition can be spoofed).\nAuditLogs\n| where OperationName in (\"Update conditional access policy\")\n| extend excludePlatformsOld = extractjson(\"$.conditions.platforms.excludePlatforms\", tostring(TargetResources[0].modifiedProperties[0].oldValue))\n| extend excludePlatformsNew = extractjson(\"$.conditions.platforms.excludePlatforms\", tostring(TargetResources[0].modifiedProperties[0].newValue))\n| where excludePlatformsOld != excludePlatformsNew\n| extend modifiedBy = tostring(InitiatedBy.user.userPrincipalName)\n| extend accountName = tostring(split(modifiedBy, \"@\")[0])\n| extend upnSuffix = tostring(split(modifiedBy, \"@\")[1])\n| project\n    TimeGenerated,\n    OperationName,\n    policy = TargetResources[0].displayName,\n    modifiedBy,\n    accountName,\n    upnSuffix,\n    result = Result,\n    excludePlatformsOld,\n    excludePlatformsNew\n| order by TimeGenerated desc\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "Low",
        "subTechniques": [
          "T1562.007"
        ],
        "suppressionDuration": "PT5H",
        "suppressionEnabled": false,
        "tactics": [
          "DefenseEvasion"
        ],
        "techniques": [
          "T1562"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}