Identifies when an Azure Conditional Access policy is modified. Azure Conditional Access policies control access to resources via if-then statements. For example, if a user wants to access a resource, then they must complete an action such as using multi-factor authentication to access it. An adversary may modify a Conditional Access policy in order to weaken their target’s security controls.
Rule type: query
Risk score: 47
Runs every: 5m
Maximum alerts per execution: 100
- Continuous Monitoring
- Configuration Audit
Rule license: Elastic License v2
## Config The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
event.dataset:(azure.activitylogs or azure.auditlogs) and event.action:"Update conditional access policy" and event.outcome:(Success or success)
Framework: MITRE ATT&CKTM