New

The executive guide to generative AI

Read more

Azure Conditional Access Policy Modified

edit

Identifies when an Azure Conditional Access policy is modified. Azure Conditional Access policies control access to resources via if-then statements. For example, if a user wants to access a resource, then they must complete an action such as using multi-factor authentication to access it. An adversary may modify a Conditional Access policy in order to weaken their target’s security controls.

Rule type: query

Rule indices:

  • filebeat-*
  • logs-azure*

Severity: medium

Risk score: 47

Runs every: 5m

Searches indices from: now-25m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Domain: Cloud
  • Data Source: Azure
  • Use Case: Configuration Audit
  • Tactic: Persistence

Version: 102

Rule authors:

  • Elastic

Rule license: Elastic License v2

Investigation guide

edit

Rule query

edit
event.dataset:(azure.activitylogs or azure.auditlogs) and
event.action:"Update conditional access policy" and event.outcome:(Success or success)

Framework: MITRE ATT&CKTM

Was this helpful?
Feedback