Techniques
Sample rules
CA Policy Removed by Non Approved Actor
- source: sigma
- techniques:
  - t1548
  - t1556
Description
Monitor and alert on conditional access changes where a non-approved actor removed a CA policy.
Detection logic
condition: selection
selection:
  properties.message: Delete conditional access policy
New CA Policy by Non-approved Actor
- source: sigma
- techniques:
  - t1548
Description
Monitor and alert on conditional access changes.
Detection logic
condition: selection
selection:
  properties.message: Add conditional access policy
CA Policy Updated by Non Approved Actor
- source: sigma
- techniques:
  - t1548
  - t1556
Description
Monitor and alert on conditional access changes. Check whether the "Initiated by" actor is approved to make changes. Review Modified Properties and compare the “old” and “new” values.
Detection logic
condition: selection
selection:
  properties.message: Update conditional access policy
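The three selections above match on the message alone, so the "approved actor" check and the old vs new comparison are left to triage. The following is an added example, not part of the listed rules, showing that triage step in Python. Only properties.message comes from the rules; the initiatedBy, targetResources and modifiedProperties field names are assumed from the Entra ID audit log schema, and the allow-list and events are constructed.

```python
# Added example, not part of the rules above. Only properties.message comes from
# the page; the other field names are assumed from the Entra ID audit log schema.
CA_MESSAGES = {"add conditional access policy", "update conditional access policy",
               "delete conditional access policy"}
APPROVED_ACTORS = {"ca-admin@example.com"}  # constructed allow-list, lower-case

def actor_of(props):
    """Return the initiating user UPN or app name, lower-cased, or None."""
    init = props.get("initiatedBy") or {}
    name = ((init.get("user") or {}).get("userPrincipalName")
            or (init.get("app") or {}).get("displayName"))
    return name.lower() if name else None

def changed_properties(props):
    """Collect (name, old, new) for modified properties whose value changed."""
    return [(mp.get("displayName"), mp.get("oldValue"), mp.get("newValue"))
            for target in props.get("targetResources") or []
            for mp in target.get("modifiedProperties") or []
            if mp.get("oldValue") != mp.get("newValue")]

def triage(events, approved=APPROVED_ACTORS):
    """Return alerts for CA policy changes made by actors not on the allow-list."""
    alerts = []
    for ev in events:
        props = ev.get("properties") or {}
        message = props.get("message") or ""
        if message.lower() not in CA_MESSAGES:
            continue
        actor = actor_of(props)
        if actor in approved:  # a missing actor (None) is never approved
            continue
        alerts.append({"message": message, "actor": actor,
                       "changes": changed_properties(props)})
    return alerts

def _event(message, upn=None, app=None, modified=()):
    """Build a constructed audit event in the assumed shape."""
    return {"properties": {"message": message,
                           "initiatedBy": {"user": {"userPrincipalName": upn},
                                           "app": {"displayName": app}},
                           "targetResources": [{"modifiedProperties": list(modified)}]}}

STATE_OFF = {"displayName": "State", "oldValue": "enabled", "newValue": "disabled"}
SAMPLE_EVENTS = [  # constructed sample data
    _event("Update conditional access policy", upn="CA-Admin@example.com", modified=[STATE_OFF]),
    _event("Update conditional access policy", upn="helpdesk@example.com", modified=[STATE_OFF]),
    _event("Delete conditional access policy", app="Constructed Automation App"),
    _event("Update user", upn="helpdesk@example.com"),
]
```

Calling triage(SAMPLE_EVENTS) suppresses the approved administrator's update and the unrelated "Update user" event, and returns the help desk update with its State change plus the app-initiated delete.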