Monday, July 7, 2025

Build+Break+Secure

Where Every Failure Becomes A Manual

Build+Break+Secure

Where Every Failure Becomes A Manual

+ SECUREKusto Query LanguageMicrosoft Sentinel

List Conditional Access Policy That Have Been Deleted

Wayne Andes 49 Views 0 Comments 1 min read

Description

This KQL query lists all conditional access policies that have been deleted. The modification of authentication processes can be used to create persistence on an cloud account.

Risk

Adversaries can delete CA policies to get persistence.

Query

Microsoft Sentinel
Kusto
AuditLogs
| where OperationName == "Delete conditional access policy"
| extend DeletedPolicy = TargetResources.[0].displayName, Actor = InitiatedBy.user.userPrincipalName
| project TimeGenerated, Actor, DeletedPolicy, TargetResources

References

You May Also Like

List Malicious DNS Name Detected Based On Threat Intelligence Indicators By Fortinet

Wayne Andes 0

Hunt For Suspicious SMB Sessions

Wayne Andes 0

Hunt For All Executed LDAP Queries From A Compromised Device

Wayne Andes 0

Leave a Reply

Your email address will not be published. Required fields are marked *