Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[New Rule] Azure Conditional Access Policy Modified #143

Closed
threat-punter opened this issue Aug 14, 2020 · 0 comments · Fixed by #237
Closed

[New Rule] Azure Conditional Access Policy Modified #143

threat-punter opened this issue Aug 14, 2020 · 0 comments · Fixed by #237
Assignees
@threat-punter
Labels
Domain: Cloud Integration: Azure azure related rules Rule: New Proposal for new rule v7.10.0

Comments

@threat-punter
Copy link
Contributor

threat-punter commented Aug 14, 2020
edited
Loading

Description

Azure Conditional Access policies control access to resources via if-then statements. For example, if a user wants to access a resource, then they must complete an action such as using multi-factor authentication to access it. An adversary may modify a Conditional Access policy in order to weaken their target's security controls.

event.module:azure and event.dataset:azure.activitylogs and event.category:Administrative and azure.activitylogs.operation_name:"Update policy"

Required Info

  • Eventing Sources:

filebeat-*

  • Target Operating Systems:
  • Platforms

Azure

  • Target ECS Version: 1.5.0
  • New fields required in ECS for this? No
  • Related issues or PRs None

Optional Info

Example Data

image
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@threat-punter threat-punter

Labels
Domain: Cloud Integration: Azure azure related rules Rule: New Proposal for new rule v7.10.0
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

[New Rule] Azure Conditional Access Policy Modified threat-punter/detection-rules
1 participant
@threat-punter