Query Details

Conditional Access Delete Policy

Query

# Deletion Conditional Access Policy

## Query Information

#### MITRE ATT&CK Technique(s)

| Technique ID | Title    | Link    |
| ---  | --- | --- |
| T1556 | Modify Authentication Process | https://attack.mitre.org/techniques/T1556/ |

#### Description
This KQL query lists all conditional access policies that have been deleted. Modifying the authentication process in this way can be used to establish persistence on a cloud account.

#### Risk
Adversaries can delete CA policies to maintain persistence.

#### References
- https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-consumer-accounts
- https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/


## Sentinel
```KQL
AuditLogs
| where OperationName == "Delete conditional access policy"
// TargetResources and InitiatedBy are dynamic columns: index with [0] (not .[0]) and cast to string
| extend DeletedPolicy = tostring(TargetResources[0].displayName)
// Fall back to the app display name so deletions performed by a service principal are not left with an empty Actor
| extend Actor = coalesce(tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))
| project TimeGenerated, Actor, DeletedPolicy, TargetResources
```

Explanation

This query identifies deleted conditional access policies in an Azure environment. It selects audit log entries whose operation name is "Delete conditional access policy", then extends the result with the display name of the deleted policy and the user who initiated the deletion. The query returns the time of the deletion, the user who deleted the policy, the name of the deleted policy, and the full target resource information. Its purpose is to detect unauthorized deletion of conditional access policies, which adversaries could use to gain persistence in a cloud account.

Details


Bert-Jan Pals

Released: October 19, 2023

Tables

AuditLogs

Keywords

Devices, Intune, User

Operators

where, extend, project
