Query Details

Detect suspicious conditional access policy modifications

Detect Suspicious Ca Changes

Query

N/A

About this query

Explanation

This query is designed to detect suspicious changes to conditional access (CA) policies in Entra ID, which could indicate a security risk. Here's a simplified breakdown of what the query does:

  1. Purpose: The query aims to identify when CA policies are weakened, such as when users or groups are removed from inclusion lists, added to exclusion lists, or when the policies themselves are disabled or deleted.

  2. Data Sources: It analyzes audit logs from the past 24 hours to track changes in CA policies, named locations, and group memberships related to CA policies.

  3. Key Checks:

    • Policy Changes: It checks for updates or deletions of CA policies and compares the old and new configurations to identify if any security controls have been relaxed.
    • Named Locations: It flags any additions or updates to trusted named locations, which could be used to bypass security measures.
    • Group Memberships: It monitors changes in group memberships that are used in CA policies, specifically looking for members being removed from inclusion groups or added to exclusion groups.
  4. Justification Check: The query also checks if these changes were justified through Privileged Identity Management (PIM) activations. It flags changes that were not justified by a PIM activation.

  5. Output: The query outputs a list of suspicious changes, including the time of the change, the operation performed, the user who initiated the change, and the reasons why the change is considered suspicious.

Overall, this query helps security teams monitor and respond to potentially unauthorized or risky modifications to CA policies, which are critical for maintaining secure access controls.

Details

Robbe Van den Daele profile picture

Robbe Van den Daele

Released: January 26, 2025

Tables

AuditLogs

Keywords

AuditLogsTimeGeneratedOperationNameAdditionalDetailsUserPrincipalNameTargetResourcesModifiedPropertiesConditionsGrantControlsSessionControlsStateUserRoleGroupApplicationLocationPlatformClientAppTypesUserRiskLevelsSignInRiskLevelsServicePrincipalRiskLevelsDevicesNamedLocationsMemberDisplayNameInitiatedByLoggedByServiceResultAADOperationTypeReasonsPimStartTimePimExpirationTimePimJustificationJustifiedPIM

Operators

letcontainsparsewithhas_anyextendtostringprojectinmv-expandparse_jsonarray_lengthdynamiciffarray_concatsort byproject-awayjoin kind=leftouterbetween

MITRE Techniques

Actions

GitHub