T1556.009 IBM QRadar · QRadar

Detect Conditional Access Policies in IBM QRadar

Adversaries may disable or modify Conditional Access Policies (CAP) to enable persistent access to compromised accounts. Conditional Access applies additional verification based on IP, device enrollment, MFA, and risk-based signals. Attackers modify CAPs by adding trusted IP ranges (Scattered Spider added attacker-controlled IPs), removing MFA requirements, adding user exclusions, or disabling policies. Storm-0501 circumvented CAPs using hybrid-joined servers. In AWS/GCP, IAM condition attributes can be weakened by removing IP or time-of-day restrictions.

MITRE ATT&CK

Tactic
Credential Access Defense Evasion Persistence
Technique
T1556 Modify Authentication Process
Sub-technique
T1556.009 Conditional Access Policies
Canonical reference
https://attack.mitre.org/techniques/T1556/009/

QRadar Detection Query

IBM QRadar (QRadar)
sql 
SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS "Event Time",
  username AS "Actor",
  QIDNAME(qid) AS "Operation Name",
  LOGSOURCENAME(logsourceid) AS "Log Source",
  sourceip AS "Source IP",
  CASE
    WHEN QIDNAME(qid) ILIKE '%Delete conditional access policy%' THEN 'CRITICAL'
    WHEN QIDNAME(qid) ILIKE '%Update conditional access policy%'
      AND LOWER("Message") LIKE '%disabled%' THEN 'CRITICAL'
    WHEN QIDNAME(qid) ILIKE '%Add named location%'
      AND LOWER("Message") LIKE '%trusted%' THEN 'HIGH'
    WHEN QIDNAME(qid) ILIKE '%Update named location%' THEN 'HIGH'
    WHEN QIDNAME(qid) ILIKE '%Update conditional access policy%' THEN 'HIGH'
    WHEN QIDNAME(qid) ILIKE '%Add conditional access policy%' THEN 'MEDIUM'
    ELSE 'MEDIUM'
  END AS "Risk"
FROM events
WHERE LOGSOURCETYPENAME(devicetype) ILIKE '%Azure Active Directory%'
  AND (
    QIDNAME(qid) ILIKE '%conditional access%'
    OR QIDNAME(qid) ILIKE '%named location%'
  )
  AND devicetime > (CURRENT_TIMESTAMP - 86400000)
ORDER BY "Risk" DESC, devicetime DESC
LIMIT 500
high severity high confidence

Detects Azure AD Conditional Access Policy and Named Location lifecycle events ingested via the Microsoft Azure Active Directory DSM in QRadar. Risk is tiered: deletion and disabling updates are CRITICAL, trusted location additions and grant control changes are HIGH, and new policy creation is MEDIUM. Queries the events table with a 24-hour lookback using millisecond epoch arithmetic.

Data Sources

Microsoft Azure Active Directory DSM (QRadar log source type)

Required Tables

events

False Positives & Tuning

  • Planned IAM hardening projects where security teams add or remove named IP locations for offices or VPN endpoints
  • Staged rollouts of new MFA policies that temporarily disable existing policies before enabling replacements
  • Privileged Identity Management (PIM) activations triggering automated CAP exclusion additions for break-glass scenarios
Download portable Sigma rule (.yml)

Other platforms for T1556.009

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Disable a Non-Critical Conditional Access Policy

    Expected signal: Azure AD Audit Log: OperationName 'Update conditional access policy', ModifiedProperties showing State changed from 'enabled' to 'disabled'. Actor logged as the authenticated Microsoft Graph session user.

  2. Test 2Add a Trusted Named Location (Simulating Scattered Spider TTP)

    Expected signal: Azure AD Audit Log: OperationName 'Add named location', TargetResources showing the new location name and IP range. IsTrusted=true visible in audit details.

  3. Test 3Enumerate Existing Conditional Access Policies

    Expected signal: Azure AD Audit Log: Read operation on conditional access policies. Microsoft Graph API call logged. PowerShell ScriptBlock Log Event ID 4104 with the Get-MgIdentityConditionalAccessPolicy command.

Last updated: 2026-04-13 Research depth: deep
References (5)

Unlock Pro Content

Get the full detection package for T1556.009 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1556Modify Authentication Process

Related Sub-techniques

T1556.001Domain Controller AuthenticationT1556.002Password Filter DLLT1556.003Pluggable Authentication ModulesT1556.004Network Device AuthenticationT1556.005Reversible EncryptionT1556.006Multi-Factor AuthenticationT1556.007Hybrid IdentityT1556.008Network Provider DLL

Related Techniques

T1556Modify Authentication ProcessT1556.006Multi-Factor AuthenticationT1078.004Cloud AccountsT1098.003Additional Cloud RolesT1136.003Cloud AccountT1621Multi-Factor Authentication Request Generation

Same Tactic: Credential Access

Popular Detections