New

The executive guide to generative AI

Read more

Azure Conditional Access Policy Modified

edit

Identifies when an Azure Conditional Access policy is modified. Azure Conditional Access policies control access to resources via if-then statements. For example, if a user wants to access a resource, then they must complete an action such as using multi-factor authentication to access it. An adversary may modify a Conditional Access policy in order to weaken their target’s security controls.

Rule type: query

Rule indices:

  • filebeat-*
  • logs-azure*

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-25m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Elastic
  • Cloud
  • Azure
  • Continuous Monitoring
  • SecOps
  • Configuration Audit

Version: 8 (version history)

Added (Elastic Stack release): 7.10.0

Last modified (Elastic Stack release): 8.4.0

Rule authors: Elastic

Rule license: Elastic License v2

Investigation guide

edit

Rule query

edit
event.dataset:(azure.activitylogs or azure.auditlogs) and
event.action:"Update conditional access policy" and
event.outcome:(Success or success)

Threat mapping

edit

Framework: MITRE ATT&CKTM

Rule version history

edit
Version 8 (8.4.0 release)
  • Formatting only
Version 6 (8.2.0 release)
  • Updated query, changed from:

    event.dataset:(azure.activitylogs or azure.auditlogs) and (
    azure.activitylogs.operation_name:"Update policy" or
    azure.auditlogs.operation_name:"Update policy" ) and
    event.outcome:(Success or success)
Version 5 (7.13.0 release)
  • Formatting only
Version 4 (7.12.0 release)
  • Formatting only
Version 3 (7.11.2 release)
  • Formatting only
Version 2 (7.11.0 release)
  • Updated query, changed from:

    event.dataset:(azure.activitylogs or azure.auditlogs) and (
    azure.activitylogs.operation_name:"Update policy" or
    azure.auditlogs.operation_name:"Update policy" ) and
    event.outcome:success
Was this helpful?
Feedback