security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
e22f60f44cf1a87d23ba46292e15ff58c8e95545
sigma-rules/rules/integrations/azure/persistence_entra_conditional_access_policy_modified.toml
T
Terrance DeJesus 280140650a tuning 'Azure Conditional Access Policy Modified' (#4558)
2025-03-27 15:43:46 -04:00

117 lines
5.0 KiB
TOML
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
[metadata]
creation_date = "2020/09/01"
integration = ["azure"]
maturity = "production"
updated_date = "2025/03/24"
[rule]
author = ["Elastic"]
description = """
Identifies a modification to a conditional access policy (CAP) in Microsoft Entra ID. Adversaries may modify existing CAPs to loosen access controls and maintain persistence in the environment with a compromised identity or entity.
"""
from = "now-9m"
index = ["filebeat-*", "logs-azure*"]
language = "kuery"
license = "Elastic License v2"
name = "Microsoft Entra ID Conditional Access Policy (CAP) Modified"
note = """## Triage and analysis
## Investigation Guide: Microsoft Entra ID Conditional Access Policy (CAP) Modified
Azure Conditional Access Policies (CAPs) are critical for enforcing secure access requirements such as multi-factor authentication (MFA), restricting specific users or groups, and managing sign-in conditions. Modifying these policies can be a technique for weakening an organizations defenses and maintaining persistence after initial access.
This rule detects a successful update to a Conditional Access Policy in Microsoft Entra ID (formerly Azure AD).
### Possible Investigation Steps
- **Identify the user who modified the policy:**
- Check the value of `azure.auditlogs.properties.initiated_by.user.userPrincipalName` to determine the identity that made the change.
- Investigate their recent activity to determine if this change was expected or authorized.
- **Review the modified policy name:**
- Look at `azure.auditlogs.properties.target_resources.*.display_name` to find the name of the affected policy.
- Determine whether this policy is related to critical controls (e.g., requiring MFA for admins).
- **Analyze the policy change:**
- Compare the `old_value` and `new_value` fields under `azure.auditlogs.properties.target_resources.*.modified_properties.*`.
- Look for security-reducing changes, such as:
- Removing users/groups from enforcement.
- Disabling MFA or risk-based conditions.
- Introducing exclusions that reduce the policys coverage.
- **Correlate with other activity:**
- Pivot on `azure.auditlogs.properties.activity_datetime` to identify if any suspicious sign-ins occurred after the policy was modified.
- Check for related authentication logs, particularly from the same IP address (`azure.auditlogs.properties.initiated_by.user.ipAddress`).
- **Assess the user's legitimacy:**
- Review the initiators Azure role, group memberships, and whether their account was recently elevated or compromised.
- Investigate whether this user has a history of modifying policies or if this is anomalous.
### Validation & False Positive Considerations
- **Authorized administrative changes:** Some organizations routinely update CAPs as part of policy tuning or role-based access reviews.
- **Security reviews or automation:** Scripts, CI/CD processes, or third-party compliance tools may programmatically update CAPs.
- **Employee lifecycle events:** Policy changes during employee onboarding/offboarding may include updates to access policies.
If any of these cases apply and align with the activity's context, consider tuning the rule or adding exceptions for expected patterns.
### Response & Remediation
- Revert unauthorized or insecure changes to the Conditional Access Policy immediately.
- Temporarily increase monitoring of CAP modifications and sign-in attempts.
- Lock or reset the credentials of the user account that made the change if compromise is suspected.
- Conduct a broader access review of conditional access policies and privileged user activity.
- Implement stricter change management and alerting around CAP changes.
"""
references = [
"https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview",
"https://www.rezonate.io/blog/microsoft-entra-id-the-complete-guide-to-conditional-access-policies/"
]
risk_score = 47
rule_id = "bc48bba7-4a23-4232-b551-eca3ca1e3f20"
severity = "medium"
tags = [
"Domain: Cloud",
"Data Source: Azure",
"Data Source: Microsoft Entra ID",
"Data Source: Microsoft Entra ID Audit Logs",
"Use Case: Identity and Access Audit",
"Use Case: Configuration Audit",
"Tactic: Persistence",
"Resources: Investigation Guide"
]
timestamp_override = "event.ingested"
type = "new_terms"
query = '''
event.dataset: "azure.auditlogs"
and event.action:"Update conditional access policy"
and event.outcome: "success"
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1556"
name = "Modify Authentication Process"
reference = "https://attack.mitre.org/techniques/T1556/"
[[rule.threat.technique.subtechnique]]
id = "T1556.009"
name = "Conditional Access Policies"
reference = "https://attack.mitre.org/techniques/T1556/009/"
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
[rule.new_terms]
field = "new_terms_fields"
value = ["azure.auditlogs.properties.initiated_by.user.userPrincipalName"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-14d"
Reference in New Issue View Git Blame Copy Permalink