
Summary
This detection rule monitors for the creation or modification of conditional access policies in Azure Active Directory (AAD) by non-approved actors. It looks for audit log entries recording the addition of a new conditional access policy, identified by the message 'Add conditional access policy'. Because conditional access policies are central to securing access to resources, unauthorized changes may indicate a security threat or a misconfiguration. The rule is assigned medium severity and may produce false positives, particularly where role permissions are misconfigured or where legitimate users in the organization are wrongly classified as unauthorized actors. Verifying the user identity, user agent, and hostname is crucial to reducing false alerts. The rule complements broader Azure security operations by providing insight into potentially malicious activity affecting cloud resource governance.
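The detection logic described above, as an added example run over constructed audit records; this is not the rule's own query. The JSON field names (operationName, initiatedBy.user, additionalDetails, targetResources) and the approved-actor list are assumptions chosen to resemble the AAD audit log export.

```python
import json

# Constructed sample records in newline-delimited JSON, loosely following the
# AAD audit log schema. Field names are assumptions, not the real rule's query.
SAMPLE_AUDIT_LOG = """
{"operationName": "Add conditional access policy", "result": "success", "initiatedBy": {"user": {"userPrincipalName": "alice.admin@example.com", "ipAddress": "203.0.113.10"}}, "additionalDetails": [{"key": "User-Agent", "value": "Mozilla/5.0"}], "targetResources": [{"displayName": "Require MFA for admins"}]}
{"operationName": "Add conditional access policy", "result": "success", "initiatedBy": {"user": {"userPrincipalName": "bob@example.com", "ipAddress": "198.51.100.7"}}, "additionalDetails": [{"key": "User-Agent", "value": "python-requests/2.31"}], "targetResources": [{"displayName": "Block legacy auth"}]}
{"operationName": "Update user", "result": "success", "initiatedBy": {"user": {"userPrincipalName": "bob@example.com", "ipAddress": "198.51.100.7"}}, "additionalDetails": [], "targetResources": [{"displayName": "carol@example.com"}]}
"""

# Assumed allow-list of identities permitted to change conditional access policies.
APPROVED_ACTORS = {"alice.admin@example.com"}

# The audit message the page says the rule keys on.
WATCHED_OPERATION = "Add conditional access policy"


def parse_audit_records(raw):
    """Parse newline-delimited JSON audit records, skipping blank lines."""
    return [json.loads(line) for line in raw.splitlines() if line.strip()]


def user_agent_of(record):
    """Pull the User-Agent out of the additionalDetails key/value list, if present."""
    for detail in record.get("additionalDetails", []):
        if detail.get("key") == "User-Agent":
            return detail.get("value", "")
    return ""


def detect_unapproved_ca_policy_changes(records, approved_actors):
    """Return one medium-severity alert per successful policy addition by a non-approved actor."""
    approved = {a.lower() for a in approved_actors}
    alerts = []
    for rec in records:
        if rec.get("operationName") != WATCHED_OPERATION or rec.get("result") != "success":
            continue
        user = rec.get("initiatedBy", {}).get("user", {})
        actor = user.get("userPrincipalName", "")
        if actor.lower() in approved:
            continue  # legitimate change; suppress to limit false positives
        alerts.append({
            "severity": "medium",
            "actor": actor,
            "source_ip": user.get("ipAddress", ""),      # surfaced for analyst verification
            "user_agent": user_agent_of(rec),            # surfaced for analyst verification
            "policies": [t.get("displayName", "") for t in rec.get("targetResources", [])],
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_unapproved_ca_policy_changes(parse_audit_records(SAMPLE_AUDIT_LOG), APPROVED_ACTORS):
        print(alert)
```

Only the policy added by bob@example.com is raised; alice's change is suppressed by the allow-list and the unrelated "Update user" event is ignored.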
Categories
- Cloud
- Azure
- Identity Management
Data Sources
- Cloud Service
- Logon Session
- Application Log
Created: 2022-07-18