Query Details

Update Of Authentication Methods Policy

Query

AuditLogs
| where OperationName == "Authentication Methods Policy Update" and LoggedByService == "Authentication Methods"
| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))
| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))
| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingUserOrApp, IPCustomEntity = InitiatingIpAddress

Explanation

This query is designed to identify when the Authentication Methods Policy has been updated. It looks for audit logs in the Azure Active Directory connector where the OperationName is "Authentication Methods Policy Update" and the LoggedByService is "Authentication Methods". It then extracts information about the user or app that initiated the update, including their user principal name or display name and their IP address. The query also maps the extracted information to the Account and IP entities for further analysis. The query runs once a day and looks at data from the past day. The severity of this query is informational, and it is relevant to the CredentialAccess and InitialAccess tactics, as well as the T1110 and T1078 techniques.

Details

Thomas Naunheim profile picture

Thomas Naunheim

Released: August 23, 2023

Tables

AuditLogs

Keywords

AuditLogsOperationNameLoggedByServiceInitiatingUserOrAppInitiatingIpAddressTimeGeneratedAccountCustomEntityIPCustomEntityFullNameAddress

Operators

|==andisnotemptytostringiffextendwhere

Severity

Informational

Tactics

CredentialAccessInitialAccess

MITRE Techniques

Frequency: 1d

Period: 1d

Actions

GitHub