Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Conditional Access - A Conditional Access Device platforms condition has changed the Device platforms condition can be spoofed

Back
Ide3368079-a2c0-4f1c-9fb7-287e907393ef
RulenameConditional Access - A Conditional Access Device platforms condition has changed (the Device platforms condition can be spoofed)
DescriptionA Conditional Access Device platforms condition has changed (the Device platforms condition can be spoofed) in Entra ID.
SeverityLow
TacticsDefenseEvasion
TechniquesT1562.007
Required data connectorsAzureActiveDirectory
KindScheduled
Query frequency5m
Query period5m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Entra ID/Analytic Rules/Conditional Access - A Conditional Access Device platforms condition has changed (the Device platforms condition can be spoofed).yaml
Version1.0.0
Arm templatee3368079-a2c0-4f1c-9fb7-287e907393ef.json
Deploy To Azure
// A Conditional Access Device platforms condition has changed (the Device platforms condition can be spoofed).
AuditLogs
| where OperationName in ("Update conditional access policy")
| extend excludePlatformsOld = extractjson("$.conditions.platforms.excludePlatforms", tostring(TargetResources[0].modifiedProperties[0].oldValue))
| extend excludePlatformsNew = extractjson("$.conditions.platforms.excludePlatforms", tostring(TargetResources[0].modifiedProperties[0].newValue))
| where excludePlatformsOld != excludePlatformsNew
| extend modifiedBy = tostring(InitiatedBy.user.userPrincipalName)
| extend accountName = tostring(split(modifiedBy, "@")[0])
| extend upnSuffix = tostring(split(modifiedBy, "@")[1])
| project
    TimeGenerated,
    OperationName,
    policy = TargetResources[0].displayName,
    modifiedBy,
    accountName,
    upnSuffix,
    result = Result,
    excludePlatformsOld,
    excludePlatformsNew
| order by TimeGenerated desc
description: A Conditional Access Device platforms condition has changed (the Device platforms condition can be spoofed) in Entra ID.
queryPeriod: 5m
suppressionDuration: 5h
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Entra ID/Analytic Rules/Conditional Access - A Conditional Access Device platforms condition has changed (the Device platforms condition can be spoofed).yaml
id: e3368079-a2c0-4f1c-9fb7-287e907393ef
kind: Scheduled
requiredDataConnectors:
- connectorId: AzureActiveDirectory
  dataTypes:
  - AuditLogs
tactics:
- DefenseEvasion
severity: Low
triggerOperator: gt
incidentConfiguration:
  groupingConfiguration:
    lookbackDuration: 1h
    reopenClosedIncident: false
    groupByCustomDetails: []
    groupByEntities: []
    matchingMethod: AllEntities
    enabled: false
    groupByAlertDetails: []
  createIncident: true
version: 1.0.0
query: |
  // A Conditional Access Device platforms condition has changed (the Device platforms condition can be spoofed).
  AuditLogs
  | where OperationName in ("Update conditional access policy")
  | extend excludePlatformsOld = extractjson("$.conditions.platforms.excludePlatforms", tostring(TargetResources[0].modifiedProperties[0].oldValue))
  | extend excludePlatformsNew = extractjson("$.conditions.platforms.excludePlatforms", tostring(TargetResources[0].modifiedProperties[0].newValue))
  | where excludePlatformsOld != excludePlatformsNew
  | extend modifiedBy = tostring(InitiatedBy.user.userPrincipalName)
  | extend accountName = tostring(split(modifiedBy, "@")[0])
  | extend upnSuffix = tostring(split(modifiedBy, "@")[1])
  | project
      TimeGenerated,
      OperationName,
      policy = TargetResources[0].displayName,
      modifiedBy,
      accountName,
      upnSuffix,
      result = Result,
      excludePlatformsOld,
      excludePlatformsNew
  | order by TimeGenerated desc  
eventGroupingSettings:
  aggregationKind: AlertPerResult
queryFrequency: 5m
suppressionEnabled: false
relevantTechniques:
- T1562.007
name: Conditional Access - A Conditional Access Device platforms condition has changed (the Device platforms condition can be spoofed)
entityMappings:
- fieldMappings:
  - columnName: accountName
    identifier: Name
  - columnName: upnSuffix
    identifier: UPNSuffix
  entityType: Account
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/e3368079-a2c0-4f1c-9fb7-287e907393ef')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/e3368079-a2c0-4f1c-9fb7-287e907393ef')]",
      "properties": {
        "alertRuleTemplateName": "e3368079-a2c0-4f1c-9fb7-287e907393ef",
        "customDetails": null,
        "description": "A Conditional Access Device platforms condition has changed (the Device platforms condition can be spoofed) in Entra ID.",
        "displayName": "Conditional Access - A Conditional Access Device platforms condition has changed (the Device platforms condition can be spoofed)",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "accountName",
                "identifier": "Name"
              },
              {
                "columnName": "upnSuffix",
                "identifier": "UPNSuffix"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": false,
            "groupByAlertDetails": [],
            "groupByCustomDetails": [],
            "groupByEntities": [],
            "lookbackDuration": "PT1H",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Entra ID/Analytic Rules/Conditional Access - A Conditional Access Device platforms condition has changed (the Device platforms condition can be spoofed).yaml",
        "query": "// A Conditional Access Device platforms condition has changed (the Device platforms condition can be spoofed).\nAuditLogs\n| where OperationName in (\"Update conditional access policy\")\n| extend excludePlatformsOld = extractjson(\"$.conditions.platforms.excludePlatforms\", tostring(TargetResources[0].modifiedProperties[0].oldValue))\n| extend excludePlatformsNew = extractjson(\"$.conditions.platforms.excludePlatforms\", tostring(TargetResources[0].modifiedProperties[0].newValue))\n| where excludePlatformsOld != excludePlatformsNew\n| extend modifiedBy = tostring(InitiatedBy.user.userPrincipalName)\n| extend accountName = tostring(split(modifiedBy, \"@\")[0])\n| extend upnSuffix = tostring(split(modifiedBy, \"@\")[1])\n| project\n    TimeGenerated,\n    OperationName,\n    policy = TargetResources[0].displayName,\n    modifiedBy,\n    accountName,\n    upnSuffix,\n    result = Result,\n    excludePlatformsOld,\n    excludePlatformsNew\n| order by TimeGenerated desc\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "Low",
        "subTechniques": [
          "T1562.007"
        ],
        "suppressionDuration": "PT5H",
        "suppressionEnabled": false,
        "tactics": [
          "DefenseEvasion"
        ],
        "techniques": [
          "T1562"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}