
[New Rule] Azure Conditional Access Policy Modified#237

Merged
threat-punter merged 15 commits intoelastic:mainfrom
threat-punter:new-rule-azure-conditional-access-policy-modified
Sep 22, 2020

Conversation

@threat-punter
Contributor

Issues

Resolves #143

Summary

Identifies when an Azure Conditional Access policy is modified. Azure Conditional Access policies control access to resources via if-then statements. For example, if a user wants to access a resource, then they must complete an action such as using multi-factor authentication to access it. An adversary may modify a Conditional Access policy in order to weaken their target's security controls.

Contributor checklist

@bm11100 bm11100 (Contributor) left a comment

Could we add a technique like Account Manipulation to this? event.outcome didn't appear to populate when I looked at the results during our test, not sure if that is every time though. What about adding azure.activitylogs.properties.result:success?

update - event outcome doesn't populate with all activitylogs

…dified.toml


Update maturity to production

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
@threat-punter
Contributor Author

> Could we add a technique like Account Manipulation to this? event.outcome didn't appear to populate when I looked at the results during our test, not sure if that is every time though. What about adding azure.activitylogs.properties.result:success?
>
> update - event outcome doesn't populate with all activitylogs

I added the ATT&CK metadata to the rule. Let me check on the ECS mapping before I include that non-ECS field in the rule. Thanks

@threat-punter
Contributor Author

See Beats issue elastic/beats#20990 re an update that's required for us to use event.outcome in this rule.

Confirmed that the updated query matches the expected events, but the tests are failing when I add and azure.activitylogs.properties.result:success to the query. 🤔

event.module:azure and event.dataset:azure.activitylogs and event.category:Administrative and azure.activitylogs.operation_name:"Update policy" and azure.activitylogs.properties.result:success


@threat-punter
Contributor Author

This rule can be merged when elastic/beats#20990 is resolved.

@threat-punter
Contributor Author

PR elastic/beats#20998 has been merged to ensure that the field azure.activitylogs.properties.result is renamed to event.outcome. This PR can be merged. When a Filebeat 7.10 BC is available, I'll make sure it's working as expected.

@bm11100
Contributor

bm11100 commented Sep 22, 2020

We should update this to account for the AuditLogs as well

event.module:azure and (event.dataset:azure.activitylogs or event.dataset:azure.auditlogs) and (azure.activitylogs.operation_name:"Update policy" or azure.auditlogs.operation_name:"Update policy")

Amending the query in rule, "Possible Consent Grant Attack via Azure-Registered Application" to search both the Azure activity and audit logs
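The query proposed above, re-implemented as an added Python example (this is not code from the elastic/detection-rules repository or from Filebeat) and run over a handful of constructed sample events. The nested field layout follows the ECS and Filebeat azure module field names used in this thread; the sample values, the `get_field`/`outcome_of`/`matches_rule`/`run_rule` names, the optional `require_success` filter and the fallback to azure.activitylogs.properties.result when event.outcome is absent are all assumptions made for illustration. It shows what a reviewer would want to confirm: the predicate matches "Update policy" in both the activity and audit datasets, ignores a similar operation from another module, and what happens to a failed policy update when event.outcome is or is not populated.

```python
from typing import Any, Dict, List, Optional

# Constructed sample events (not real telemetry). The nested layout mirrors the
# ECS / Filebeat azure module fields named in the PR thread; values are made up.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    # 0: activity log where only the non-ECS result field is populated, the
    #    pre-7.10 situation described in the thread
    {
        "event": {"module": "azure", "dataset": "azure.activitylogs",
                  "category": "Administrative"},
        "azure": {"activitylogs": {"operation_name": "Update policy",
                                   "properties": {"result": "success"}}},
    },
    # 1: audit log for the same operation, with event.outcome populated
    {
        "event": {"module": "azure", "dataset": "azure.auditlogs",
                  "outcome": "success"},
        "azure": {"auditlogs": {"operation_name": "Update policy"}},
    },
    # 2: failed policy update; matches the proposed query, dropped if success is required
    {
        "event": {"module": "azure", "dataset": "azure.auditlogs",
                  "outcome": "failure"},
        "azure": {"auditlogs": {"operation_name": "Update policy"}},
    },
    # 3: same dataset, unrelated operation
    {
        "event": {"module": "azure", "dataset": "azure.activitylogs",
                  "outcome": "success"},
        "azure": {"activitylogs": {"operation_name": "Delete policy"}},
    },
    # 4: different module with a similar operation name; must never match
    {
        "event": {"module": "o365", "dataset": "o365.audit", "outcome": "success"},
        "o365": {"audit": {"Operation": "Update policy"}},
    },
]


def get_field(event: Dict[str, Any], path: str) -> Any:
    """Resolve a dotted field name against the nested document; None if absent."""
    current: Any = event
    for part in path.split("."):
        if not isinstance(current, dict) or part not in current:
            return None
        current = current[part]
    return current


def outcome_of(event: Dict[str, Any]) -> Optional[str]:
    """Return the normalised outcome of the event.

    Prefers ECS event.outcome and falls back to azure.activitylogs.properties.result,
    the field the thread says Beats renames to event.outcome from 7.10 onwards.
    Assumption for this example: no other location carries the result.
    """
    value = get_field(event, "event.outcome")
    if value is None:
        value = get_field(event, "azure.activitylogs.properties.result")
    return value.lower() if isinstance(value, str) else None


def matches_rule(event: Dict[str, Any], require_success: bool = False) -> bool:
    """Python equivalent of the KQL predicate proposed in the thread:

        event.module:azure
        and (event.dataset:azure.activitylogs or event.dataset:azure.auditlogs)
        and (azure.activitylogs.operation_name:"Update policy"
             or azure.auditlogs.operation_name:"Update policy")

    Comparisons are exact and case-sensitive, as KQL is on keyword fields.
    require_success adds the success filter discussed in the thread (assumption).
    """
    if get_field(event, "event.module") != "azure":
        return False
    if get_field(event, "event.dataset") not in ("azure.activitylogs", "azure.auditlogs"):
        return False
    operation_fields = ("azure.activitylogs.operation_name",
                        "azure.auditlogs.operation_name")
    if not any(get_field(event, f) == "Update policy" for f in operation_fields):
        return False
    if require_success and outcome_of(event) != "success":
        return False
    return True


def run_rule(events: List[Dict[str, Any]], require_success: bool = False) -> List[int]:
    """Indices of the events that would raise an alert."""
    return [i for i, e in enumerate(events) if matches_rule(e, require_success)]


if __name__ == "__main__":
    print("proposed query:", run_rule(SAMPLE_EVENTS))
    print("with success filter:", run_rule(SAMPLE_EVENTS, require_success=True))
```

Without the success filter the failed update (event 2) alerts as well, which is the trade-off behind the thread's interest in event.outcome: before the Beats rename, activity-log events only carry the non-ECS result field, so a rule that filters on event.outcome alone would silently skip them.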
@threat-punter
Contributor Author

I took the liberty of tweaking the rule, Possible Consent Grant Attack via Azure-Registered Application, in this PR too. This rule was just merged. I amended the query so that it searches both the Azure audit logs and activity logs, as this event appears in both of those logs.

I'll request a review of this PR again, but I did confirm that both queries in this PR match the intended events.

@bm11100 bm11100 (Contributor) left a comment

lgtm, with the changes going into 7.10 the activity logs will eval true as well

@bm11100 bm11100 (Contributor) left a comment

🔥

@threat-punter threat-punter merged commit cedb2e1 into elastic:main Sep 22, 2020
@threat-punter threat-punter deleted the new-rule-azure-conditional-access-policy-modified branch September 22, 2020 15:28