Detect Conditional Access Policies in Elastic Security
Adversaries may disable or modify Conditional Access Policies (CAP) to enable persistent access to compromised accounts. Conditional Access applies additional verification based on IP, device enrollment, MFA, and risk-based signals. Attackers modify CAPs by adding trusted IP ranges (Scattered Spider added attacker-controlled IPs), removing MFA requirements, adding user exclusions, or disabling policies. Storm-0501 circumvented CAPs using hybrid-joined servers. In AWS/GCP, IAM condition attributes can be weakened by removing IP or time-of-day restrictions.
MITRE ATT&CK
- Technique
- T1556 Modify Authentication Process
- Sub-technique
- T1556.009 Conditional Access Policies
- Canonical reference
- https://attack.mitre.org/techniques/T1556/009/
Elastic Detection Query
any where event.dataset == "azure.auditlogs"
and (
azure.auditlogs.properties.logged_by_service == "Conditional Access"
or azure.auditlogs.properties.category == "Policy"
)
and azure.auditlogs.properties.operation_name in (
"Add conditional access policy",
"Update conditional access policy",
"Delete conditional access policy",
"Add named location",
"Update named location",
"Delete named location"
)
and azure.auditlogs.properties.result == "success"Detects successful Azure AD Conditional Access Policy and Named Location creation, modification, or deletion via the Elastic Azure integration audit log dataset. Covers attacker TTPs including disabling MFA requirements, adding attacker-controlled trusted IP ranges, removing user exclusions, and full policy deletion (T1556.009). Scoped to the azure.auditlogs dataset with result == success to suppress noise from failed or unauthorized attempts.
Data Sources
Required Tables
False Positives & Tuning
- IT or IAM administrators implementing or updating Conditional Access Policies during approved change windows — correlate with change ticket systems
- Security posture reviews consolidating or migrating legacy CAP configurations to a new framework
- Automated policy-as-code pipelines (Terraform Azure AD provider, PowerShell, Microsoft Graph API scripts) executing pre-approved policy deployments
Other platforms for T1556.009
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Disable a Non-Critical Conditional Access Policy
Expected signal: Azure AD Audit Log: OperationName 'Update conditional access policy', ModifiedProperties showing State changed from 'enabled' to 'disabled'. Actor logged as the authenticated Microsoft Graph session user.
- Test 2Add a Trusted Named Location (Simulating Scattered Spider TTP)
Expected signal: Azure AD Audit Log: OperationName 'Add named location', TargetResources showing the new location name and IP range. IsTrusted=true visible in audit details.
- Test 3Enumerate Existing Conditional Access Policies
Expected signal: Azure AD Audit Log: Read operation on conditional access policies. Microsoft Graph API call logged. PowerShell ScriptBlock Log Event ID 4104 with the Get-MgIdentityConditionalAccessPolicy command.
References (5)
- https://attack.mitre.org/techniques/T1556/009/
- https://learn.microsoft.com/en-us/entra/identity/conditional-access/overview
- https://docs.microsoft.com/en-us/azure/active-directory/governance/conditional-access-exclusion
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556.009/T1556.009.md
- https://www.microsoft.com/en-us/security/blog/2023/10/25/octo-tempest-crosses-boundaries-to-facilitate-extortion-encryption-and-destruction/
Unlock Pro Content
Get the full detection package for T1556.009 including response playbook, investigation guide, and atomic red team tests.