Device Registration Policy modification

Cortex XDR Analytics Alert Reference by data source

Last date published: 2024-04-15
Order: data source

Synopsis

Activation Period	14 Days
Training Period	30 Days
Test Period	N/A (single event)
Deduplication Period	1 Day
Required Data	Requires: AzureAD Audit Log
Detection Modules	Identity Threat Module
ATT&CK Tactic	Defense Evasion (TA0005)
ATT&CK Technique	Abuse Elevation Control Mechanism (T1548)
Severity	Informational

Description

An identity changed the Device Registration policy.

Attacker's Goals

An attacker attempts to change Active Directory configuration for persistence or defense evasion.
With a modified Device Registration policy, an attacker might be able to access the tenant without possible blockage for later access.

Investigative actions

Check what policy has been changed.
Check whether the user changing the configuration is permitted to perform such actions.

Variations

A user modified the Device Registration Policy for the first time

Synopsis

ATT&CK Tactic	Defense Evasion (TA0005)
ATT&CK Technique	Abuse Elevation Control Mechanism (T1548)
Severity	Low

Description

An identity changed the Device Registration policy.

Attacker's Goals

An attacker attempts to change Active Directory configuration for persistence or defense evasion.
With a modified Device Registration policy, an attacker might be able to access the tenant without possible blockage for later access.

Investigative actions

Check what policy has been changed.
Check whether the user changing the configuration is permitted to perform such actions.