IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.

« Azure Command Execution on Virtual Machine Azure Diagnostic Settings Deletion »

› › ›

Azure Conditional Access Policy Modified

edit

Azure Conditional Access Policy Modified

edit

Identifies when an Azure Conditional Access policy is modified. Azure Conditional Access policies control access to resources via if-then statements. For example, if a user wants to access a resource, then they must complete an action such as using multi-factor authentication to access it. An adversary may modify a Conditional Access policy in order to weaken their target’s security controls.

Rule type: query

Rule indices:

filebeat-*

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-25m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview

Tags:

Elastic
Cloud
Azure
Continuous Monitoring
SecOps
Configuration Audit

Version: 1

Added (Elastic Stack release): 7.10.0

Rule authors: Elastic

Rule license: Elastic License

Investigation guide

edit

The Azure Filebeat module must be enabled to use this rule.

Rule query

edit

event.dataset:(azure.activitylogs or azure.auditlogs) and (
azure.activitylogs.operation_name:"Update policy" or
azure.auditlogs.operation_name:"Update policy" ) and
event.outcome:success

Threat mapping

edit

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Persistence
- ID: TA0003
- Reference URL: https://attack.mitre.org/tactics/TA0003/
Technique:
- Name: Account Manipulation
- ID: T1098
- Reference URL: https://attack.mitre.org/techniques/T1098/

« Azure Command Execution on Virtual Machine Azure Diagnostic Settings Deletion »