Detect Conditional Access Policies in Sumo Logic CSE
Adversaries may disable or modify Conditional Access Policies (CAP) to enable persistent access to compromised accounts. Conditional Access applies additional verification based on IP, device enrollment, MFA, and risk-based signals. Attackers modify CAPs by adding trusted IP ranges (Scattered Spider added attacker-controlled IPs), removing MFA requirements, adding user exclusions, or disabling policies. Storm-0501 circumvented CAPs using hybrid-joined servers. In AWS/GCP, IAM condition attributes can be weakened by removing IP or time-of-day restrictions.
MITRE ATT&CK
- Technique: T1556 Modify Authentication Process
- Sub-technique: T1556.009 Conditional Access Policies
- Canonical reference: https://attack.mitre.org/techniques/T1556/009/
Sumo Detection Query
_sourceCategory=azure/active_directory/audit
| json "operationName" as OperationName nodrop
| json "properties.loggedByService" as LoggedByService nodrop
| json "properties.category" as Category nodrop
| json "properties.initiatedBy.user.userPrincipalName" as Actor nodrop
| json "properties.targetResources[0].displayName" as PolicyName nodrop
| json "properties.result" as Result nodrop
| where (LoggedByService = "Conditional Access" OR Category = "Policy")
| where OperationName in ("Add conditional access policy",
"Update conditional access policy",
"Delete conditional access policy",
"Add named location",
"Update named location",
"Delete named location")
| where Result = "success"
| json field=_raw "properties.targetResources[0].modifiedProperties[0].displayName" as PropertyName nodrop
| json field=_raw "properties.targetResources[0].modifiedProperties[0].oldValue" as OldValue nodrop
| json field=_raw "properties.targetResources[0].modifiedProperties[0].newValue" as NewValue nodrop
| if (OperationName = "Delete conditional access policy", "CRITICAL",
if (OperationName = "Update conditional access policy" and NewValue contains "disabled", "CRITICAL",
if (OperationName matches "*named location*" and NewValue contains "trusted", "HIGH",
if (PropertyName contains "grantControls", "HIGH", "MEDIUM")))) as Risk
| fields _messageTime, Actor, OperationName, PolicyName, PropertyName, OldValue, NewValue, Risk
| sort by Risk, _messageTime desc

Detects Azure AD Conditional Access Policy and Named Location modifications ingested into Sumo Logic from the Azure Active Directory audit log pipeline. Parses JSON payload fields directly from the raw message to extract the initiating actor, target policy name, and changed properties. Risk tier is derived via nested if-expressions: deletion and disabling updates are CRITICAL, trusted location and grantControl changes are HIGH, and everything else that passes the filter, such as new policy creation, is MEDIUM. Two points to keep in mind when operating the rule: sort by Risk orders the tier strings alphabetically, which happens to place CRITICAL before HIGH before MEDIUM; and because Actor is read only from properties.initiatedBy.user, changes made by a service principal (initiatedBy.app) arrive with an empty Actor field.
False Positives & Tuning
- Security engineering teams deploying new Conditional Access baselines from policy templates (e.g., Microsoft security defaults migration)
- Automated provisioning pipelines using service principals to manage named locations for new cloud regions or partner networks
- Break-glass runbook executions that temporarily exclude emergency access accounts from MFA policies before re-enabling them
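The query's where-clauses and nested risk tiering, together with the allowlisting implied by the false-positive list above, re-implemented in Python as an added example (this is not code from the original page, from Sumo Logic or from Microsoft). The audit records, the actor names, the policy names and the cap-provisioning-pipeline@example.com automation principal are all constructed assumptions; the field paths are the ones the query itself parses.

```python
"""Added example: the Sumo query's filter and risk tiering in plain Python,
plus a tuning hook for the false-positive cases. Sample records, actors and
the automation principal allowlist are constructed, not values from the page."""
import json
from datetime import datetime

# Operations the Sumo query's "in (...)" clause matches.
WATCHED_OPERATIONS = {
    "Add conditional access policy", "Update conditional access policy",
    "Delete conditional access policy", "Add named location",
    "Update named location", "Delete named location",
}
RISK_ORDER = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2}
# Assumed allowlist: principals that legitimately manage named locations
# (the "automated provisioning pipelines" false-positive case above).
KNOWN_AUTOMATION_ACTORS = {"cap-provisioning-pipeline@example.com"}


def parse_event(raw: str) -> dict:
    """Extract the same fields the query pulls with json ... nodrop."""
    ev = json.loads(raw)
    props = ev.get("properties", {})
    target = (props.get("targetResources") or [{}])[0]
    modified = (target.get("modifiedProperties") or [{}])[0]
    initiated = props.get("initiatedBy") or {}
    # The query reads only initiatedBy.user; fall back to the app display name
    # so that service-principal changes still carry an actor.
    actor = ((initiated.get("user") or {}).get("userPrincipalName")
             or (initiated.get("app") or {}).get("displayName"))
    return {
        "time": datetime.fromisoformat(ev["time"].replace("Z", "+00:00")),
        "operation": ev.get("operationName", ""),
        "service": props.get("loggedByService"),
        "category": props.get("category"),
        "result": props.get("result"),
        "actor": actor,
        "policy": target.get("displayName"),
        "property": modified.get("displayName") or "",
        "old": modified.get("oldValue"),
        "new": modified.get("newValue") or "",
    }


def matches_query(e: dict) -> bool:
    """The three where-clauses: CA service or Policy category, watched op, success."""
    return ((e["service"] == "Conditional Access" or e["category"] == "Policy")
            and e["operation"] in WATCHED_OPERATIONS
            and e["result"] == "success")


def risk_tier(e: dict) -> str:
    """The nested if() chain, evaluated in the same order as the query.
    Substring checks are lowercased on purpose: the audit payload spells the
    trusted flag isTrusted, so a case-sensitive match on "trusted" would miss it."""
    op, new = e["operation"].lower(), e["new"].lower()
    if op == "delete conditional access policy":
        return "CRITICAL"
    if op == "update conditional access policy" and "disabled" in new:
        return "CRITICAL"
    if "named location" in op and "trusted" in new:
        return "HIGH"
    if "grantcontrols" in e["property"].lower():
        return "HIGH"
    return "MEDIUM"


def tuning_reason(e: dict):
    """Why an alert may be down-ranked, per the false-positive list; None otherwise.
    Deletions are never tuned: there is no routine reason to delete a policy."""
    if e["operation"] == "Delete conditional access policy":
        return None
    if e["actor"] in KNOWN_AUTOMATION_ACTORS and "named location" in e["operation"].lower():
        return "known provisioning principal managing named locations"
    return None


def evaluate(raw_lines):
    """Filter, tier, annotate and sort (risk first, newest first) like the query."""
    rows = []
    for raw in raw_lines:
        e = parse_event(raw)
        if matches_query(e):
            e["risk"] = risk_tier(e)
            e["tuning"] = tuning_reason(e)
            rows.append(e)
    rows.sort(key=lambda r: (RISK_ORDER[r["risk"]], -r["time"].timestamp()))
    return rows


def _event(time, op, service, category, actor, policy, prop=None, old=None, new=None, result="success"):
    """Constructed Azure AD audit record in the shape the query parses."""
    return json.dumps({
        "time": time, "operationName": op,
        "properties": {
            "loggedByService": service, "category": category, "result": result,
            "initiatedBy": {"user": {"userPrincipalName": actor}},
            "targetResources": [{"displayName": policy, "modifiedProperties": [
                {"displayName": prop, "oldValue": old, "newValue": new}]}],
        },
    })


SAMPLE_LOGS = [  # constructed sample records, not real tenant data
    _event("2024-05-01T10:00:00Z", "Add conditional access policy", "Conditional Access", "Policy",
           "alice@example.com", "Require MFA for admins"),
    _event("2024-05-01T10:05:00Z", "Update conditional access policy", "Conditional Access", "Policy",
           "bob@example.com", "Require MFA for admins", "ConditionalAccessPolicy",
           '{"state":"enabled"}', '{"state":"disabled"}'),
    _event("2024-05-01T10:10:00Z", "Delete conditional access policy", "Conditional Access", "Policy",
           "bob@example.com", "Block legacy auth"),
    _event("2024-05-01T10:15:00Z", "Add named location", "Conditional Access", "Policy",
           "cap-provisioning-pipeline@example.com", "Partner VPN egress", "NamedLocation",
           None, '{"isTrusted":true,"ipRanges":["203.0.113.0/24"]}'),
    _event("2024-05-01T10:20:00Z", "Update conditional access policy", "Conditional Access", "Policy",
           "carol@example.com", "Require MFA for admins", "grantControls",
           '{"builtInControls":["mfa"]}', '{"builtInControls":[]}'),
    _event("2024-05-01T10:25:00Z", "Delete conditional access policy", "Conditional Access", "Policy",
           "dave@example.com", "Block legacy auth", result="failure"),
    _event("2024-05-01T10:30:00Z", "Add user", "Core Directory", "UserManagement",
           "hr-sync@example.com", "newhire@example.com"),
]

if __name__ == "__main__":
    for r in evaluate(SAMPLE_LOGS):
        print(r["risk"], r["time"].isoformat(), r["actor"], r["operation"], r["policy"], r["tuning"] or "")
```

Running it yields five rows in the same order the query would produce: the two CRITICAL events (the deletion, then the disabling update), the two HIGH events (the grantControls change, then the trusted named location, which carries the tuning annotation because the allowlisted pipeline principal created it), and the MEDIUM policy creation. The failed deletion and the unrelated user-management event are dropped by the filter. The tuning annotation is attached rather than suppressing the row, so a pipeline principal adding a trusted location is still visible for review; whether to route such rows to a lower-priority queue is a local decision.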
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Disable a Non-Critical Conditional Access Policy
Expected signal: Azure AD Audit Log: OperationName 'Update conditional access policy', ModifiedProperties showing State changed from 'enabled' to 'disabled'. Actor logged as the authenticated Microsoft Graph session user.
- Test 2: Add a Trusted Named Location (Simulating Scattered Spider TTP)
Expected signal: Azure AD Audit Log: OperationName 'Add named location', TargetResources showing the new location name and IP range. IsTrusted=true visible in audit details.
- Test 3: Enumerate Existing Conditional Access Policies
Expected signal: Azure AD Audit Log: Read operation on conditional access policies. Microsoft Graph API call logged. PowerShell ScriptBlock Log Event ID 4104 with the Get-MgIdentityConditionalAccessPolicy command.
References (5)
- https://attack.mitre.org/techniques/T1556/009/
- https://learn.microsoft.com/en-us/entra/identity/conditional-access/overview
- https://docs.microsoft.com/en-us/azure/active-directory/governance/conditional-access-exclusion
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556.009/T1556.009.md
- https://www.microsoft.com/en-us/security/blog/2023/10/25/octo-tempest-crosses-boundaries-to-facilitate-extortion-encryption-and-destruction/