Query Details

Deletion Conditional Access Policy

Conditional Access Delete Policy

Query

AuditLogs
| where OperationName == "Delete conditional access policy"
| extend DeletedPolicy = TargetResources.[0].displayName, Actor = InitiatedBy.user.userPrincipalName
| project TimeGenerated, Actor, DeletedPolicy, TargetResources

About this query

Deletion Conditional Access Policy

Query Information

MITRE ATT&CK Technique(s)

Technique IDTitleLink
T1556Modify Authentication Processhttps://attack.mitre.org/techniques/T1556/

Description

This KQL query lists all conditional access policies that have been deleted. The modification of authentication processes can be used to create persistence on an cloud account.

Risk

Adveries can delete CA policies to get persistence.

References

Sentinel

Explanation

This KQL query is designed to identify and list all instances where conditional access policies have been deleted in a cloud environment. Here's a simple breakdown of what the query does:

  1. Data Source: It uses the AuditLogs table, which contains logs of various operations performed in the system.

  2. Filter: The query specifically looks for log entries where the operation name is "Delete conditional access policy". This means it is filtering out all other operations and focusing only on deletions of conditional access policies.

  3. Extract Information: For each deletion event, the query extracts:

    • DeletedPolicy: The name of the conditional access policy that was deleted.
    • Actor: The user who initiated the deletion, identified by their user principal name.
  4. Output: It projects (or displays) the following information for each deletion event:

    • TimeGenerated: The timestamp of when the deletion occurred.
    • Actor: The user who deleted the policy.
    • DeletedPolicy: The name of the deleted policy.
    • TargetResources: Additional details about the resources targeted by the operation.

In summary, this query helps security teams monitor and investigate any unauthorized or suspicious deletions of conditional access policies, which could be a tactic used by adversaries to maintain access or persistence in a cloud environment.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: November 17, 2023

Tables

AuditLogs

Keywords

AuditLogsOperationNameTargetResourcesActorTimeGeneratedUserUserPrincipalName

Operators

whereextendproject

MITRE Techniques

Actions

GitHub