
Summary
This rule detects the addition of a new root Certificate Authority (CA) to an Azure Active Directory (AzureAD) tenant. A trusted root CA underpins certificate-based authentication, so an unexpected addition can indicate privilege escalation or a persistence mechanism set up by a malicious actor. The detection relies on Azure audit logs and tracks changes to company information where the operation name is 'Set Company Information'; specifically, it looks for modifications to the 'TrustedCAsForPasswordlessAuth' property within 'TargetResources'. The rule helps identify unexpected changes that could weaken an organization's security posture, particularly where passwordless authentication is in use.
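The following is an added worked example, not part of the original rule or its project, showing the described matching logic applied to a few constructed Azure AD audit records. The field names (operationName, initiatedBy, targetResources[].modifiedProperties[] with displayName/oldValue/newValue) follow the Microsoft Graph directoryAudit record shape and are an assumption to verify against your own log export; the CA list format inside oldValue/newValue is likewise assumed to be a JSON-encoded list. Beyond the bare match, the example diffs the old and new values so an analyst can see which CA entries were added rather than only that the property changed.

```python
import json
from typing import Any, Iterable

# Values the rule keys on (taken from the rule description above).
OPERATION_NAME = "Set Company Information"
PROPERTY_NAME = "TrustedCAsForPasswordlessAuth"

# Constructed sample audit records (not real tenant data). The record shape is
# an assumption based on the Graph directoryAudit schema.
SAMPLE_RECORDS = [
    {   # 1: a new root CA is added for passwordless auth -> should alert
        "activityDateTime": "2024-03-26T10:15:00Z",
        "operationName": "Set Company Information",
        "initiatedBy": {"user": {"userPrincipalName": "admin@example.test"}},
        "targetResources": [{
            "type": "Company",
            "modifiedProperties": [{
                "displayName": "TrustedCAsForPasswordlessAuth",
                "oldValue": "[]",
                "newValue": json.dumps([
                    {"issuer": "CN=Example Root CA", "isRootAuthority": True}
                ]),
            }],
        }],
    },
    {   # 2: same operation, unrelated property -> no alert
        "activityDateTime": "2024-03-26T10:20:00Z",
        "operationName": "Set Company Information",
        "initiatedBy": {"user": {"userPrincipalName": "admin@example.test"}},
        "targetResources": [{
            "type": "Company",
            "modifiedProperties": [{
                "displayName": "DisplayName",
                "oldValue": "\"Old Corp\"",
                "newValue": "\"New Corp\"",
            }],
        }],
    },
    {   # 3: different operation entirely -> no alert
        "activityDateTime": "2024-03-26T10:25:00Z",
        "operationName": "Update user",
        "initiatedBy": {"app": {"displayName": "Sync Service"}},
        "targetResources": [{"type": "User", "modifiedProperties": []}],
    },
]


def _modified_properties(record: dict[str, Any]) -> Iterable[dict[str, Any]]:
    """Yield every modifiedProperties entry across all target resources."""
    for target in record.get("targetResources") or []:
        for prop in target.get("modifiedProperties") or []:
            yield prop


def matches_rule(record: dict[str, Any]) -> bool:
    """True when the record is the watched operation and touched the watched property."""
    if record.get("operationName") != OPERATION_NAME:
        return False
    return any(p.get("displayName") == PROPERTY_NAME for p in _modified_properties(record))


def _as_list(value: Any) -> list:
    """Decode a JSON-encoded CA list; treat missing or malformed values as empty."""
    if not value:
        return []
    try:
        parsed = json.loads(value)
    except (TypeError, ValueError):
        return []
    return parsed if isinstance(parsed, list) else []


def added_cas(record: dict[str, Any]) -> list:
    """CA entries present in newValue but absent from oldValue (best effort)."""
    added = []
    for prop in _modified_properties(record):
        if prop.get("displayName") != PROPERTY_NAME:
            continue
        old = _as_list(prop.get("oldValue"))
        new = _as_list(prop.get("newValue"))
        added.extend(ca for ca in new if ca not in old)
    return added


def detect(records: Iterable[dict[str, Any]]) -> list[dict[str, Any]]:
    """Run the rule over a batch of records and return triage-ready alerts."""
    alerts = []
    for rec in records:
        if not matches_rule(rec):
            continue
        actor = ((rec.get("initiatedBy") or {}).get("user") or {}).get("userPrincipalName", "unknown")
        alerts.append({
            "time": rec.get("activityDateTime"),
            "actor": actor,
            "added_cas": added_cas(rec),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_RECORDS):
        print(json.dumps(alert, indent=2))
```

Note that the rule as described fires on any modification of the property, including removals; the added_cas diff is what lets an analyst tell an addition from a cleanup, and a hit with an empty added list still deserves a look since removing a CA can also be disruptive.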
Categories
- Cloud
- Azure
- Identity Management
Data Sources
- Cloud Service
- Application Log
Created: 2024-03-26