Conditional Access Change Policy

# Change Conditional Access Policy

## Query Information

#### MITRE ATT&CK Technique(s)

| Technique ID | Title    | Link    |
| ---  | --- | --- |
| T1556 | Modify Authentication Process | https://attack.mitre.org/techniques/T1556/ |

#### Description
This KQL query lists all conditional access policies that have been changed. Modifying the authentication process is a way for an attacker to establish persistence on a cloud account.

#### Risk
Adversaries can update CA policies to gain persistence by removing the strong authentication requirements that would otherwise apply to an account.

#### References
- https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-consumer-accounts
- https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/


## Sentinel
```KQL
AuditLogs
| where OperationName == "Update conditional access policy"
// TargetResources is a dynamic array: index it with [0], not .[0]
| extend UpdatedPolicy = tostring(TargetResources[0].displayName), Actor = tostring(InitiatedBy.user.userPrincipalName)
| project TimeGenerated, Actor, UpdatedPolicy, TargetResources
```

Explanation

This query identifies changes made to conditional access policies. It filters AuditLogs for events whose operation name is "Update conditional access policy", then extends the results with the display name of the updated policy (the first entry in TargetResources) and the user principal name of the account that initiated the change. The final result includes the time of the change, the actor, the updated policy, and the full TargetResources record. The purpose of this query is to detect modifications to authentication processes that could be used for persistence in a cloud account.
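The same where/extend/project logic, reproduced offline in Python over constructed AuditLogs-style records, as an added example that is not part of the original query page. It goes beyond the KQL above in two ways: it also matches the "Add conditional access policy" and "Delete conditional access policy" operation names, and it handles the case where the change was made by an application identity (InitiatedBy.app) rather than a user, for which the KQL's `InitiatedBy.user.userPrincipalName` would be empty. It also diffs the old/new policy JSON carried in `TargetResources[0].modifiedProperties` to show which field changed. The sample records, UPNs, policy names and service principal id are constructed, not real tenant data.

```python
"""Offline reproduction of the Sentinel CA-policy-change detection over sample records."""
import json

# Constructed sample rows shaped like Microsoft Entra AuditLogs records (not real data).
SAMPLE_AUDIT_LOGS = [
    {   # a user disables an MFA policy: the persistence case the page describes
        "TimeGenerated": "2023-10-23T09:14:02Z",
        "OperationName": "Update conditional access policy",
        "InitiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
        "TargetResources": [{
            "displayName": "Require MFA for all users",
            "modifiedProperties": [{
                "displayName": "ConditionalAccessPolicy",
                "oldValue": json.dumps({"state": "enabled"}),
                "newValue": json.dumps({"state": "disabled"}),
            }],
        }],
    },
    {   # change made by an application identity: InitiatedBy.user is absent
        "TimeGenerated": "2023-10-23T09:20:45Z",
        "OperationName": "Update conditional access policy",
        "InitiatedBy": {"app": {"displayName": "Automation SP",
                                "servicePrincipalId": "00000000-0000-0000-0000-000000000001"}},
        "TargetResources": [{"displayName": "Block legacy auth", "modifiedProperties": []}],
    },
    {   # unrelated operation that the filter must drop
        "TimeGenerated": "2023-10-23T09:25:00Z",
        "OperationName": "Update user",
        "InitiatedBy": {"user": {"userPrincipalName": "helpdesk@contoso.example"}},
        "TargetResources": [{"displayName": "Some User"}],
    },
]

# Generalization beyond the page's single operation name (these are real Entra audit names).
CA_POLICY_OPERATIONS = {
    "Add conditional access policy",
    "Update conditional access policy",
    "Delete conditional access policy",
}


def actor_of(record):
    """Return the UPN of the initiating user, or 'app:<name>' when an app made the change."""
    initiated_by = record.get("InitiatedBy") or {}
    user = initiated_by.get("user") or {}
    if user.get("userPrincipalName"):
        return user["userPrincipalName"]
    app = initiated_by.get("app") or {}
    if app.get("displayName"):
        return "app:" + app["displayName"]
    return "unknown"


def _load(value):
    """modifiedProperties old/new values are JSON-encoded strings; decode when possible."""
    if value is None:
        return None
    try:
        return json.loads(value)
    except (TypeError, ValueError):
        return value


def changed_fields(target):
    """Diff each modifiedProperties entry of a target resource; return {field: (old, new)}."""
    changes = {}
    for prop in target.get("modifiedProperties") or []:
        old, new = _load(prop.get("oldValue")), _load(prop.get("newValue"))
        if isinstance(old, dict) and isinstance(new, dict):
            for key in sorted(set(old) | set(new)):
                if old.get(key) != new.get(key):
                    changes[key] = (old.get(key), new.get(key))
        elif old != new:
            changes[prop.get("displayName", "?")] = (old, new)
    return changes


def ca_policy_changes(records, operations=CA_POLICY_OPERATIONS):
    """where OperationName in (...) | extend Actor, Policy | project ... , with a change diff."""
    results = []
    for rec in records:
        if rec.get("OperationName") not in operations:
            continue
        target = (rec.get("TargetResources") or [{}])[0]
        results.append({
            "TimeGenerated": rec.get("TimeGenerated"),
            "OperationName": rec["OperationName"],
            "Actor": actor_of(rec),
            "Policy": target.get("displayName"),
            "Changes": changed_fields(target),
        })
    return results


if __name__ == "__main__":
    for hit in ca_policy_changes(SAMPLE_AUDIT_LOGS):
        print(hit)
```

Running the block prints two hits: the user-initiated change with `Changes == {"state": ("enabled", "disabled")}`, and the app-initiated change whose actor would have been null in the original KQL. Surfacing the diff of the policy JSON is what lets a triage analyst tell a harmless rename from a policy being disabled or having its grant controls removed.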

Details

Bert-Jan Pals

Released: October 23, 2023

Tables

AuditLogs

Keywords

Devices,Intune,User

Operators

where, extend, project