Query Details

Audit Detect First Time CA Policy Change

Query

//Detects users who add, delete or update an Azure AD Conditional Access policy for the first time.
//First find users who have previously made CA policy changes; this example looks back 90 days (excluding the most recent day, which is the detection window)

//Data connector required for this query - Azure Active Directory - Audit Logs

let knownusers=
    AuditLogs
    | where TimeGenerated > ago(90d) and TimeGenerated < ago(1d)
    | where OperationName in ("Update conditional access policy", "Add conditional access policy", "Delete conditional access policy")
    | extend Actor = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
    | distinct Actor;
//Find new events from users not in the known user list
AuditLogs
| where TimeGenerated > ago(1d)
| where OperationName in ("Update conditional access policy", "Add conditional access policy", "Delete conditional access policy")
| extend Actor = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
| extend ['Policy Name'] = tostring(TargetResources[0].displayName)
| extend ['Policy Id'] = tostring(TargetResources[0].id)
| where Actor !in (knownusers)
| project TimeGenerated, Actor, ['Policy Name'], ['Policy Id']

Explanation

This query detects users who have changed an Azure AD Conditional Access policy for the first time. It first builds a list of known users: everyone who added, updated or deleted a Conditional Access policy within the last 90 days, excluding the most recent day. It then looks for Conditional Access policy changes made in the last day by users who are not on that list. For each match the query returns the time of the change, the user who made it, the name of the policy, and the policy ID.
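Added example, not part of the original page or Matt Zorich's query: a Python re-implementation of the same first-seen-actor logic over constructed AuditLogs rows, so the lookback and detection-window boundaries can be checked offline before the KQL is deployed. The sample rows, UPNs and policy IDs are constructed; the row with no InitiatedBy.user block (an app-initiated change) shows that such an event surfaces with a blank Actor, as the KQL is written.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample AuditLogs rows (not real tenant data), shaped like the columns the KQL uses.
NOW = datetime(2022, 6, 17, 12, 0, tzinfo=timezone.utc)
CA_OPS = {"Update conditional access policy", "Add conditional access policy",
          "Delete conditional access policy"}

def row(days_ago, op, upn, name, pid):
    user = {"userPrincipalName": upn} if upn else None   # None = app-initiated, no user block
    return {"TimeGenerated": NOW - timedelta(days=days_ago), "OperationName": op,
            "InitiatedBy": {"user": user}, "TargetResources": [{"displayName": name, "id": pid}]}

SAMPLE_LOGS = [
    row(30, "Update conditional access policy", "alice@contoso.example", "Require MFA", "pol-0001"),
    row(100, "Add conditional access policy", "bob@contoso.example", "Block legacy auth", "pol-0002"),
    row(0.1, "Update conditional access policy", "alice@contoso.example", "Require MFA", "pol-0001"),
    row(0.2, "Delete conditional access policy", "bob@contoso.example", "Block legacy auth", "pol-0002"),
    row(0.3, "Add named location", "carol@contoso.example", "HQ", "loc-0001"),
    row(0.05, "Add conditional access policy", None, "Pilot policy", "pol-0003"),
]

def actor_of(r):
    """Mirror tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName):
    a missing user block yields an empty string, exactly as the KQL does."""
    user = (r.get("InitiatedBy") or {}).get("user") or {}
    return user.get("userPrincipalName") or ""

def known_actors(rows, now=NOW, lookback_days=90, window_days=1):
    """The 'knownusers' set: CA policy changes older than the detection window, within the lookback."""
    start, end = now - timedelta(days=lookback_days), now - timedelta(days=window_days)
    return {actor_of(r) for r in rows
            if start < r["TimeGenerated"] < end and r["OperationName"] in CA_OPS}

def first_time_ca_changes(rows, now=NOW, lookback_days=90, window_days=1):
    """Rows in the detection window whose actor made no CA policy change during the lookback."""
    known = known_actors(rows, now, lookback_days, window_days)
    results = []
    for r in rows:
        if r["TimeGenerated"] <= now - timedelta(days=window_days) or r["OperationName"] not in CA_OPS:
            continue
        actor = actor_of(r)
        if actor in known:
            continue
        target = (r.get("TargetResources") or [{}])[0]
        results.append({"TimeGenerated": r["TimeGenerated"], "Actor": actor,
                        "Policy Name": target.get("displayName", ""), "Policy Id": target.get("id", "")})
    return results

if __name__ == "__main__":
    for hit in first_time_ca_changes(SAMPLE_LOGS):
        print(hit)
```

Note that bob's change from 100 days ago falls outside the 90-day lookback, so bob is reported as a first-time actor; lengthen the lookback if that is not the behaviour you want.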

Details


Matt Zorich

Released: June 17, 2022

Tables

AuditLogs

Keywords

Users, Azure AD Conditional Access policy, Data connector, AuditLogs, TimeGenerated, OperationName, InitiatedBy.user, Actor, TargetResources, Policy Name, Policy Id

Operators

where, ago, in, extend, tostring, parse_json, distinct, project
