Query Details
//Detect changes to Azure AD Conditional Access policies on weekends or outside of business hours
//Data connector required for this query - Azure Active Directory - Audit Logs
let Saturday = time(6.00:00:00);
let Sunday = time(0.00:00:00);
AuditLogs
| where OperationName has "conditional access"
// extend LocalTime to your time zone (the +5h below is a fixed UTC offset; adjust it for your region)
| extend LocalTime=TimeGenerated + 5h
// Change hours of the day to suit your company, i.e. this would find changes made between 6pm and 6am
| where dayofweek(LocalTime) in (Saturday, Sunday) or hourofday(LocalTime) !between (6 .. 18)
| extend ['Conditional Access Policy Name'] = tostring(TargetResources[0].displayName)
| extend Actor = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
| project LocalTime,
    OperationName,
    ['Conditional Access Policy Name'],
    Actor
| sort by LocalTime desc

This query detects changes to Azure AD Conditional Access policies that occur on weekends or outside of business hours. It uses the Azure Active Directory - Audit Logs data connector. The query filters AuditLogs for operations whose OperationName contains "conditional access", adds a fixed offset to TimeGenerated to approximate local time, and keeps only changes made on a Saturday or Sunday or outside the hours of 6am to 6pm. It then extracts the policy name (from TargetResources) and the actor's user principal name (from InitiatedBy) and sorts the results by local time in descending order.
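The same detection logic as an added, self-contained example (not part of the original query or its author's code): a constructed datatable stands in for AuditLogs so the filter can be run in any Kusto or Log Analytics workspace without real data, and the fixed +5h offset is replaced by datetime_utc_to_local(), which applies the IANA time zone's daylight-saving rules. The time zone "America/New_York", the sample rows, and the BusinessStart/BusinessEnd names are assumptions made for this example, and datetime_utc_to_local() is assumed to be available in the workspace.

```kql
// Added example, not the original query. Business-hour bounds are inclusive hours of the day.
let BusinessStart = 6;   // assumed start of business hours (6am)
let BusinessEnd   = 18;  // assumed end of business hours (6pm)
let Saturday = time(6.00:00:00);
let Sunday   = time(0.00:00:00);
let LocalTimeZone = "America/New_York";  // assumed; use your organisation's IANA zone
// Constructed sample rows standing in for the AuditLogs table.
// In production, delete this datatable and start the pipeline from `AuditLogs`.
let SampleAuditLogs = datatable(TimeGenerated: datetime, OperationName: string, TargetResources: dynamic, InitiatedBy: dynamic)
[
    // Tuesday 14:30 UTC, which is 10:30 local in New York (EDT): inside business hours
    datetime(2022-06-14 14:30:00), "Update conditional access policy",
        dynamic([{"displayName": "Require MFA for admins"}]),
        dynamic({"user": {"userPrincipalName": "admin@contoso.example"}}),
    // Saturday 15:00 UTC, which is 11:00 local on a Saturday: weekend
    datetime(2022-06-18 15:00:00), "Update conditional access policy",
        dynamic([{"displayName": "Block legacy authentication"}]),
        dynamic({"user": {"userPrincipalName": "ops@contoso.example"}}),
    // Thursday 03:00 UTC, which is Wednesday 23:00 local: after hours on a weekday
    datetime(2022-06-16 03:00:00), "Delete conditional access policy",
        dynamic([{"displayName": "Require compliant device"}]),
        dynamic({"user": {"userPrincipalName": "admin@contoso.example"}})
];
SampleAuditLogs
| where OperationName has "conditional access"
// Convert UTC to local time with DST handled, instead of adding a fixed offset
| extend LocalTime = datetime_utc_to_local(TimeGenerated, LocalTimeZone)
| where dayofweek(LocalTime) in (Saturday, Sunday)
    or hourofday(LocalTime) !between (BusinessStart .. BusinessEnd)
| extend ['Conditional Access Policy Name'] = tostring(TargetResources[0].displayName)
// Same parse_json(tostring()) pattern as the original so it also works when InitiatedBy.user is a JSON string
| extend Actor = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
| project LocalTime, OperationName, ['Conditional Access Policy Name'], Actor
| sort by LocalTime desc
```

Replacing the fixed offset matters in practice: a +5h or -5h constant is correct for only part of the year in any zone that observes daylight saving, so an hour of legitimate-looking changes near the boundary is either missed or falsely flagged twice a year. The datatable also makes it easy to add a row for each edge case (the exact 6am and 6pm boundaries, a Friday-night change that lands on Saturday after conversion) before pointing the query at the live table.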

Matt Zorich
Released: June 17, 2022