Conditional Access Policies

AuditLogs
| where TimeGenerated > ago(24h)
| where LoggedByService =~ "Conditional Access" or Category =~ "Policy"
| where OperationName in~ (
    "Add conditional access policy",
    "Update conditional access policy",
    "Delete conditional access policy",
    "Add named location",
    "Update named location",
    "Delete named location"
  )
| extend Actor = tostring(InitiatedBy.user.userPrincipalName)
| extend PolicyName = tostring(TargetResources[0].displayName)
| extend ModifiedProperties = TargetResources[0].modifiedProperties
| mv-expand PropChange = ModifiedProperties
| extend PropertyName = tostring(PropChange.displayName)
| extend OldValue = tostring(PropChange.oldValue)
| extend NewValue = tostring(PropChange.newValue)
| where PropertyName in~ ("State", "conditions", "grantControls", "IpRanges", "IsTrusted")
    or isempty(PropertyName)
| project TimeGenerated, OperationName, PolicyName, Actor, PropertyName, OldValue, NewValue, Result
| sort by TimeGenerated desc

index=azure_audit sourcetype="azure:aad:audit"
  (LoggedByService="Conditional Access" OR Category="Policy")
  (OperationName="Add conditional access policy" OR OperationName="Update conditional access policy"
   OR OperationName="Delete conditional access policy" OR OperationName="Add named location"
   OR OperationName="Update named location")
| spath input=ModifiedProperties output=proplist path="{}"
| mvexpand proplist
| spath input=proplist output=propname path="displayName"
| spath input=proplist output=oldval path="oldValue"
| spath input=proplist output=newval path="newValue"
| eval Risk=case(
    OperationName="Delete conditional access policy", "CRITICAL",
    match(OperationName, "(?i)Update.*policy") AND match(lower(newval), "disabled"), "CRITICAL",
    match(OperationName, "(?i)(Add|Update).*location") AND match(lower(newval), "trusted.*true"), "HIGH",
    match(propname, "(?i)grantControls"), "HIGH",
    1==1, "MEDIUM"
  )
| table _time, Actor, OperationName, PolicyName, propname, oldval, newval, Risk
| sort - Risk, - _time

any where event.dataset == "azure.auditlogs"
  and (
    azure.auditlogs.properties.logged_by_service == "Conditional Access"
    or azure.auditlogs.properties.category == "Policy"
  )
  and azure.auditlogs.properties.operation_name in (
    "Add conditional access policy",
    "Update conditional access policy",
    "Delete conditional access policy",
    "Add named location",
    "Update named location",
    "Delete named location"
  )
  and azure.auditlogs.properties.result == "success"

SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS "Event Time",
  username AS "Actor",
  QIDNAME(qid) AS "Operation Name",
  LOGSOURCENAME(logsourceid) AS "Log Source",
  sourceip AS "Source IP",
  CASE
    WHEN QIDNAME(qid) ILIKE '%Delete conditional access policy%' THEN 'CRITICAL'
    WHEN QIDNAME(qid) ILIKE '%Update conditional access policy%'
      AND LOWER("Message") LIKE '%disabled%' THEN 'CRITICAL'
    WHEN QIDNAME(qid) ILIKE '%Add named location%'
      AND LOWER("Message") LIKE '%trusted%' THEN 'HIGH'
    WHEN QIDNAME(qid) ILIKE '%Update named location%' THEN 'HIGH'
    WHEN QIDNAME(qid) ILIKE '%Update conditional access policy%' THEN 'HIGH'
    WHEN QIDNAME(qid) ILIKE '%Add conditional access policy%' THEN 'MEDIUM'
    ELSE 'MEDIUM'
  END AS "Risk"
FROM events
WHERE LOGSOURCETYPENAME(devicetype) ILIKE '%Azure Active Directory%'
  AND (
    QIDNAME(qid) ILIKE '%conditional access%'
    OR QIDNAME(qid) ILIKE '%named location%'
  )
  AND devicetime > (CURRENT_TIMESTAMP - 86400000)
ORDER BY "Risk" DESC, devicetime DESC
LIMIT 500

_sourceCategory=azure/active_directory/audit
| json "operationName" as OperationName nodrop
| json "properties.loggedByService" as LoggedByService nodrop
| json "properties.category" as Category nodrop
| json "properties.initiatedBy.user.userPrincipalName" as Actor nodrop
| json "properties.targetResources[0].displayName" as PolicyName nodrop
| json "properties.result" as Result nodrop
| where (LoggedByService = "Conditional Access" OR Category = "Policy")
| where OperationName in ("Add conditional access policy",
    "Update conditional access policy",
    "Delete conditional access policy",
    "Add named location",
    "Update named location",
    "Delete named location")
| where Result = "success"
| json field=_raw "properties.targetResources[0].modifiedProperties[0].displayName" as PropertyName nodrop
| json field=_raw "properties.targetResources[0].modifiedProperties[0].oldValue" as OldValue nodrop
| json field=_raw "properties.targetResources[0].modifiedProperties[0].newValue" as NewValue nodrop
| if (OperationName = "Delete conditional access policy", "CRITICAL",
    if (OperationName = "Update conditional access policy" and NewValue contains "disabled", "CRITICAL",
    if (OperationName matches "*named location*" and NewValue contains "trusted", "HIGH",
    if (PropertyName contains "grantControls", "HIGH", "MEDIUM")))) as Risk
| fields _messageTime, Actor, OperationName, PolicyName, PropertyName, OldValue, NewValue, Risk
| sort by Risk, _messageTime desc

rule t1556_009_conditional_access_policy_modification {
  meta:
    author = "Detection Engineering"
    description = "Detects Azure AD Conditional Access Policy and Named Location lifecycle events indicative of T1556.009 — persistence via CAP weakening"
    mitre_attack_tactic = "Persistence"
    mitre_attack_technique = "T1556.009"
    severity = "HIGH"
    confidence = "HIGH"
    rule_version = "1.0"

  events:
    $e.metadata.log_type = "AZURE_AD_AUDIT"
    $e.metadata.product_event_type in (
      "Add conditional access policy",
      "Update conditional access policy",
      "Delete conditional access policy",
      "Add named location",
      "Update named location",
      "Delete named location"
    )
    $actor = $e.principal.user.userid
    $policy = $e.target.resource.name
    $op = $e.metadata.product_event_type

  condition:
    $e
}

#repo = azure_audit
| (loggedByService = "Conditional Access" OR category = "Policy")
| operationName in ["Add conditional access policy", "Update conditional access policy",
    "Delete conditional access policy", "Add named location",
    "Update named location", "Delete named location"]
| result = "success"
| case {
    operationName = "Delete conditional access policy" |
        Risk := "CRITICAL" ;
    operationName = "Update conditional access policy" AND newValue = /(?i)disabled/ |
        Risk := "CRITICAL" ;
    operationName in ["Add named location", "Update named location"] AND
        newValue = /(?i)trusted/ | Risk := "HIGH" ;
    propertyName = /(?i)grantControls/ | Risk := "HIGH" ;
    * | Risk := "MEDIUM"
  }
| select([_time, initiatedByUserUPN, operationName, targetResourceDisplayName,
    propertyName, oldValue, newValue, Risk])
| sort(Risk, order=desc)