
List Conditional Access Policy That Was Changed

Description

This KQL query lists conditional access (CA) policies that have been updated, taken from the Microsoft Entra ID audit log (the AuditLogs table in Microsoft Sentinel). Weakening or disabling the authentication requirements enforced by a CA policy is a way for an adversary to establish persistence on a cloud account, so every policy update should be attributable to a known change.

Risk

Adversaries with sufficient privileges (for example Conditional Access Administrator or Global Administrator) can update CA policies to gain persistence by removing the strong authentication requirements, such as MFA or a compliant device, that would otherwise apply to an account, by disabling the policy, or by adding the account to the policy's exclusion list.

Query

Microsoft Sentinel
Kusto
AuditLogs
| where OperationName == "Update conditional access policy"
| extend ModifiedPolicy = tostring(TargetResources[0].displayName),
         Actor = tostring(InitiatedBy.user.userPrincipalName),
         ActorIp = tostring(InitiatedBy.user.ipAddress),
         ActorApp = tostring(InitiatedBy.app.displayName)
| project TimeGenerated, Actor, ActorApp, ActorIp, ModifiedPolicy, TargetResources

Note that InitiatedBy.user is empty when the change was made by an application (a service principal); the ActorApp column covers that case. Creation and deletion of policies are logged under the separate operations "Add conditional access policy" and "Delete conditional access policy" and are not matched by this query. The old and new policy definitions are carried in TargetResources[0].modifiedProperties, which is why that column is kept in the projection: comparing the two is what tells you whether the change actually weakened the policy.
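The following is an added example, not part of the original page, that applies the same detection logic to a few constructed AuditLogs-style records and then goes one step further than the query: it diffs the old and new policy JSON in modifiedProperties to decide whether the update weakened the policy (strong-auth grant control removed, policy disabled or put in report-only mode, or a user added to the exclusion list). The record layout and the "ConditionalAccessPolicy" property name are assumptions modeled on the Entra ID audit log export and the Microsoft Graph conditionalAccessPolicy shape; verify them against records from your own tenant before relying on them.

```python
import json

UPDATE_OP = "Update conditional access policy"
# Grant controls whose removal weakens the policy (assumed set; extend as needed).
STRONG_AUTH_CONTROLS = {"mfa", "compliantDevice", "domainJoinedDevice"}
WEAK_STATES = ("disabled", "enabledForReportingButNotEnforced")


def actor_of(row):
    """Return the user UPN, or the app name when a service principal made the change."""
    ib = row.get("InitiatedBy") or {}
    user = ib.get("user") or {}
    app = ib.get("app") or {}
    return user.get("userPrincipalName") or app.get("displayName") or "unknown"


def policy_delta(row):
    """Diff old/new policy JSON from TargetResources[0].modifiedProperties."""
    target = row["TargetResources"][0]
    old, new = {}, {}
    for prop in target.get("modifiedProperties", []):
        # Assumed property name; check against live audit records.
        if prop.get("displayName") == "ConditionalAccessPolicy":
            old = json.loads(prop["oldValue"]) if prop.get("oldValue") else {}
            new = json.loads(prop["newValue"]) if prop.get("newValue") else {}
    controls = lambda p: set(((p.get("grantControls") or {}).get("builtInControls")) or [])
    excluded = lambda p: set((((p.get("conditions") or {}).get("users") or {}).get("excludeUsers")) or [])
    return {
        "policy": target.get("displayName"),
        "state": (old.get("state"), new.get("state")),
        "controls_removed": sorted(controls(old) - controls(new)),
        "exclusions_added": sorted(excluded(new) - excluded(old)),
    }


def is_weakening(delta):
    """True when the update lowers the assurance the policy provided."""
    old_state, new_state = delta["state"]
    disabled = old_state == "enabled" and new_state in WEAK_STATES
    lost_strong_auth = bool(STRONG_AUTH_CONTROLS & set(delta["controls_removed"]))
    return disabled or lost_strong_auth or bool(delta["exclusions_added"])


def triage(rows):
    """Same filter as the KQL query, plus an old/new diff per matching record."""
    findings = []
    for row in rows:
        if row.get("OperationName") != UPDATE_OP:
            continue
        delta = policy_delta(row)
        delta.update(time=row["TimeGenerated"], actor=actor_of(row),
                     weakening=is_weakening(delta))
        findings.append(delta)
    return findings


# ---- Constructed sample data (not from a real tenant) ----------------------
def _row(time, op, initiated_by, policy_name, old, new):
    return {
        "TimeGenerated": time,
        "OperationName": op,
        "InitiatedBy": initiated_by,
        "TargetResources": [{
            "displayName": policy_name,
            "modifiedProperties": [{
                "displayName": "ConditionalAccessPolicy",
                "oldValue": json.dumps(old) if old is not None else None,
                "newValue": json.dumps(new),
            }],
        }],
    }


BASE = {"displayName": "Require MFA for admins", "state": "enabled",
        "conditions": {"users": {"includeRoles": ["Global Administrator"], "excludeUsers": []}},
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}}
WEAKENED = {**BASE,
            "conditions": {"users": {"includeRoles": ["Global Administrator"],
                                     "excludeUsers": ["break-glass-2@contoso.com"]}},
            "grantControls": {"operator": "OR", "builtInControls": []}}
RENAMED = {**BASE, "displayName": "Require MFA for admins (v2)"}

SAMPLE_AUDIT_LOGS = [
    _row("2024-05-01T10:00:00Z", UPDATE_OP,
         {"user": {"userPrincipalName": "mallory@contoso.com", "ipAddress": "203.0.113.7"}},
         "Require MFA for admins", BASE, WEAKENED),
    _row("2024-05-01T11:00:00Z", UPDATE_OP,
         {"user": None, "app": {"displayName": "CA Policy Automation"}},
         "Require MFA for admins", BASE, RENAMED),
    _row("2024-05-01T12:00:00Z", "Add conditional access policy",
         {"user": {"userPrincipalName": "alice@contoso.com"}},
         "Block legacy auth", None, {"displayName": "Block legacy auth", "state": "enabled"}),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_AUDIT_LOGS):
        print(f)
```

Only the two "Update conditional access policy" records survive the filter; the first is flagged because "mfa" was dropped from the grant controls and an exclusion was added, while the rename made by the application is reported but not flagged as weakening.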
