LoFP / misconfigured role permissions

Techniques

Sample rules

CA Policy Updated by Non Approved Actor

Description

Monitor and alert on conditional access changes. Check whether the "Initiated by" actor is approved to make changes. Review "Modified Properties" and compare the "old" and "new" values.

Detection logic

condition: keywords
keywords:
- Update conditional access policy

CA Policy Removed by Non Approved Actor

Description

Monitor and alert on conditional access changes where a non-approved actor removed a CA policy.

Detection logic

condition: selection
selection:
  properties.message: Delete conditional access policy

New CA Policy by Non-approved Actor

Description

Monitor and alert on conditional access changes.

Detection logic

condition: selection
selection:
  properties.message: Add conditional access policy
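
The three rules above match only on the audit message, so the approved-actor check and the old-versus-new comparison in the descriptions are left to triage. The following Python sketch of that triage step is an added example, not part of the original rules. It assumes audit events exported as JSON with `properties.initiatedBy` and `properties.targetResources[].modifiedProperties`; the allowlist and the sample events are constructed.

```python
# Assumption: hypothetical allowlist (lowercase) of accounts approved to change CA policies.
APPROVED_ACTORS = {"ca-admin@example.com"}
# Audit messages matched by the three sample rules on this page.
CA_MESSAGES = {f"{verb} conditional access policy" for verb in ("Add", "Update", "Delete")}

def actor_of(props):
    """Return the initiating user's UPN or the app's display name, else 'unknown'."""
    by = props.get("initiatedBy") or {}
    user, app = by.get("user") or {}, by.get("app") or {}
    return user.get("userPrincipalName") or app.get("displayName") or "unknown"

def changed_properties(props):
    """Yield (policy, property, old, new) only where the value actually differs."""
    for target in props.get("targetResources") or []:
        for mp in target.get("modifiedProperties") or []:
            if mp.get("oldValue") != mp.get("newValue"):
                yield (target.get("displayName"), mp.get("displayName"),
                       mp.get("oldValue"), mp.get("newValue"))

def triage(events):
    """Return alerts for CA policy changes by actors not on the allowlist."""
    alerts = []
    for ev in events:
        props = ev.get("properties") or {}
        if props.get("message") not in CA_MESSAGES:
            continue
        actor = actor_of(props)
        if actor.lower() in APPROVED_ACTORS:  # unknown actors are never approved
            continue
        alerts.append({"actor": actor, "message": props["message"],
                       "changes": list(changed_properties(props))})
    return alerts

# Constructed sample events (not real log data).
SAMPLE = [
    {"properties": {"message": "Update conditional access policy",
        "initiatedBy": {"user": {"userPrincipalName": "CA-Admin@example.com"}},
        "targetResources": []}},
    {"properties": {"message": "Update conditional access policy",
        "initiatedBy": {"user": {"userPrincipalName": "helpdesk@example.com"}},
        "targetResources": [{"displayName": "Require MFA", "modifiedProperties": [
            {"displayName": "ConditionalAccessPolicy",
             "oldValue": '{"state":"enabled"}', "newValue": '{"state":"disabled"}'}]}]}},
    {"properties": {"message": "Delete conditional access policy",
        "initiatedBy": {"app": {"displayName": "automation-app"}}}},
    {"properties": {"message": "Update user"}},
]

if __name__ == "__main__":
    print(*triage(SAMPLE), sep="\n")
```

An account that holds the permission through a misconfigured role but is not on the allowlist still raises an alert, which is the false-positive source this page is filed under.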