// A Conditional Access Device platforms condition has changed (the Device platforms condition can be spoofed).
AuditLogs
| where OperationName in ("Update conditional access policy")
| extend excludePlatformsOld = extractjson("$.conditions.platforms.excludePlatforms", tostring(TargetResources[0].modifiedProperties[0].oldValue))
| extend excludePlatformsNew = extractjson("$.conditions.platforms.excludePlatforms", tostring(TargetResources[0].modifiedProperties[0].newValue))
| where excludePlatformsOld != excludePlatformsNew
| extend modifiedBy = tostring(InitiatedBy.user.userPrincipalName)
| extend accountName = tostring(split(modifiedBy, "@")[0])
| extend upnSuffix = tostring(split(modifiedBy, "@")[1])
| project
TimeGenerated,
OperationName,
policy = TargetResources[0].displayName,
modifiedBy,
accountName,
upnSuffix,
result = Result,
excludePlatformsOld,
excludePlatformsNew
| order by TimeGenerated desc
description: A Conditional Access Device platforms condition has changed (the Device platforms condition can be spoofed) in Entra ID.
tactics:
- DefenseEvasion
suppressionEnabled: false
suppressionDuration: 5h
requiredDataConnectors:
- dataTypes:
- AuditLogs
connectorId: AzureActiveDirectory
incidentConfiguration:
groupingConfiguration:
reopenClosedIncident: false
groupByAlertDetails: []
lookbackDuration: PT1H
groupByEntities: []
groupByCustomDetails: []
enabled: false
matchingMethod: AllEntities
createIncident: true
id: e3368079-a2c0-4f1c-9fb7-287e907393ef
severity: Low
eventGroupingSettings:
aggregationKind: AlertPerResult
query: |
// A Conditional Access Device platforms condition has changed (the Device platforms condition can be spoofed).
AuditLogs
| where OperationName in ("Update conditional access policy")
| extend excludePlatformsOld = extractjson("$.conditions.platforms.excludePlatforms", tostring(TargetResources[0].modifiedProperties[0].oldValue))
| extend excludePlatformsNew = extractjson("$.conditions.platforms.excludePlatforms", tostring(TargetResources[0].modifiedProperties[0].newValue))
| where excludePlatformsOld != excludePlatformsNew
| extend modifiedBy = tostring(InitiatedBy.user.userPrincipalName)
| extend accountName = tostring(split(modifiedBy, "@")[0])
| extend upnSuffix = tostring(split(modifiedBy, "@")[1])
| project
TimeGenerated,
OperationName,
policy = TargetResources[0].displayName,
modifiedBy,
accountName,
upnSuffix,
result = Result,
excludePlatformsOld,
excludePlatformsNew
| order by TimeGenerated desc
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Entra ID/Analytic Rules/Conditional Access - A Conditional Access Device platforms condition has changed (the Device platforms condition can be spoofed).yaml
kind: Scheduled
queryPeriod: 5m
name: Conditional Access - A Conditional Access Device platforms condition has changed (the Device platforms condition can be spoofed)
queryFrequency: 5m
triggerThreshold: 0
relevantTechniques:
- T1562.007
version: 1.0.1
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: accountName
- identifier: UPNSuffix
columnName: upnSuffix
triggerOperator: gt
