Alerts
Alert rule name: Emergency access account usage detected
Description: During the last 5 minutes, sign-in log entries for an emergency access account were detected.
SigninLogs
| where UserId == "4a5b13c6-9b00-4235-936f-b95bb060422b"
Alert rule name: Conditional access configuration changed
Description: In the last 5 minutes the conditional access configuration was changed.
AuditLogs
| where ActivityDisplayName == "Add conditional access policy" or ActivityDisplayName == "Update conditional access policy" or ActivityDisplayName == "Delete conditional access policy"
Note: Currently there is no dedicated activity for the deletion of conditional access policies, hence the alert is based on the more generic policy object which may cause additional alerts if other policy objects are deleted.
Alert rule name: Accounts added to conditional access exclusion
Description: In the last 5 minutes a significant number of accounts have been added to Conditional Access exclusions.
AuditLogs
| where Category == "GroupManagement" and OperationName == "Add member to group"
| extend Group = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].newValue)))
| where Group startswith "CA_Exclusion"
Note: This alert is based on the display name - an attacker with appropriate privileges could alter the display name to circumvent this alert.
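The following Python is an added example, not part of the repository's rules: it replays the third alert's logic over constructed AuditLogs rows to show why the KQL has to call parse_json twice (modifiedProperties is a JSON string, and each newValue is itself a JSON-encoded string), and then matches the same events on the group object ID instead of the display name to close the renaming gap described in the note. The property layout (a "Group.ObjectID" entry beside the "Group.DisplayName" entry the query reads at index [1]) and all GUIDs are assumptions and placeholders.

```python
import json

def _row(category, operation, group_id, group_name):
    """Build a constructed AuditLogs row shaped like the one the KQL reads."""
    props = [  # assumed layout: [0] Group.ObjectID, [1] Group.DisplayName
        {"displayName": "Group.ObjectID", "newValue": json.dumps(group_id)},
        {"displayName": "Group.DisplayName", "newValue": json.dumps(group_name)},
    ]
    return {"Category": category, "OperationName": operation,
            "TargetResources": [{"modifiedProperties": json.dumps(props)}]}

# Constructed sample data, not real tenant logs. Row 2 is the exclusion group
# after an attacker renamed it; row 3 is an unrelated group with the same name.
EXCLUSION_GROUP_ID = "11111111-1111-1111-1111-111111111111"   # placeholder GUID
SAMPLE_AUDIT_LOGS = [
    _row("GroupManagement", "Add member to group", EXCLUSION_GROUP_ID, "CA_Exclusion_MFA"),
    _row("GroupManagement", "Add member to group", EXCLUSION_GROUP_ID, "Finance Team"),
    _row("GroupManagement", "Add member to group", "22222222-2222-2222-2222-222222222222", "Finance Team"),
    _row("UserManagement", "Update user", "", ""),
]
KNOWN_EXCLUSION_GROUP_IDS = {EXCLUSION_GROUP_ID}  # maintained allowlist of CA exclusion groups

def group_properties(row):
    """Mirror the nested parse_json: decode modifiedProperties, then each newValue."""
    props = json.loads(row["TargetResources"][0]["modifiedProperties"])
    return {p["displayName"]: json.loads(p["newValue"]) for p in props}

def _membership_adds(rows):
    return [r for r in rows
            if r["Category"] == "GroupManagement" and r["OperationName"] == "Add member to group"]

def match_by_name(rows):
    """The page's rule: group display name starts with CA_Exclusion."""
    return [group_properties(r)["Group.DisplayName"] for r in _membership_adds(rows)
            if group_properties(r)["Group.DisplayName"].startswith("CA_Exclusion")]

def match_by_id(rows, known_ids):
    """Hardened rule: match on the immutable group object ID; renaming does not evade it."""
    return [group_properties(r)["Group.DisplayName"] for r in _membership_adds(rows)
            if group_properties(r)["Group.ObjectID"] in known_ids]

if __name__ == "__main__":
    print("by name:", match_by_name(SAMPLE_AUDIT_LOGS))                          # misses the renamed group
    print("by id:  ", match_by_id(SAMPLE_AUDIT_LOGS, KNOWN_EXCLUSION_GROUP_IDS))  # catches it
```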