Unusual Conditional Access operation for an identity

Cortex XSIAM Analytics Alert Reference by Alert name

Product
Cortex XSIAM
Last date published
2025-11-09
Category
Analytics Alert Reference
Index by
Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

1 Day

Required Data

  • Requires:
    • AzureAD Audit Log

Detection Modules

Identity Threat Module

Detector Tags

ATT&CK Tactic

Defense Evasion (TA0005)

ATT&CK Technique

Abuse Elevation Control Mechanism (T1548)

Severity

Informational

Response playbooks

Variations of this detector that create incidents have an OOTB response playbook included in the Cortex Response and Remediation Pack.

Description

An identity attempted to add or update an Azure AD Conditional Access policy.

Attacker's Goals

  • An attacker attempts to change Active Directory configuration for persistence or defense evasion.
  • With a modified Conditional Access policy, an attacker might be able to access the tenant later without being blocked.

Investigative actions

  • Check implications of the updated policy.
  • Check whether the user changing the configuration is permitted to perform such actions.

Variations

Suspicious Conditional Access operation for an identity

Synopsis

ATT&CK Tactic

Defense Evasion (TA0005)

ATT&CK Technique

Abuse Elevation Control Mechanism (T1548)

Severity

Low

Response playbooks

Suspicious Conditional Access operation for an identity

Description

An identity that doesn't usually modify Azure AD Conditional Access policies successfully modified a policy.

Attacker's Goals

  • An attacker attempts to change Active Directory configuration for persistence or defense evasion.
  • With a modified Conditional Access policy, an attacker might be able to access the tenant later without being blocked.

Investigative actions

  • Check implications of the updated policy.
  • Check whether the user changing the configuration is permitted to perform such actions.
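As an added example that is not Cortex XSIAM's own detection code, the following Python models the behaviour both variations above describe: identities that changed Conditional Access policies during the 30-day training period form the baseline, a successful change by any other identity raises one alert per identity per 1-day deduplication period, and only successful changes are counted (as in the Suspicious variation). Field names and activity display names for the Azure AD audit log are assumptions, and every event is constructed.

```python
# Added example (not Cortex XSIAM code); audit-log field names assumed, events constructed.
from datetime import datetime, timedelta

CA_OPERATIONS = {"Add conditional access policy",
                 "Update conditional access policy"}  # assumed activity names
TRAINING_PERIOD = timedelta(days=30)  # baseline window (page: Training Period)
DEDUP_PERIOD = timedelta(days=1)      # one alert per identity (page: Deduplication Period)

def _actor(e):
    return e["initiatedBy"]["user"]["userPrincipalName"]
def _when(e):
    return datetime.fromisoformat(e["activityDateTime"])
def _is_ca_change(e):
    return e["activityDisplayName"] in CA_OPERATIONS and e["result"] == "success"

def build_baseline(events, now):
    """Identities that successfully changed CA policies during the training window."""
    start = now - TRAINING_PERIOD
    return {_actor(e) for e in events if _is_ca_change(e) and start <= _when(e) < now}

def find_deviations(events, baseline, dedup=DEDUP_PERIOD):
    """Successful CA changes by identities outside the baseline, deduplicated to one
    alert per identity per dedup window. Returns (identity, operation, timestamp)."""
    alerts, last_alert = [], {}
    for e in sorted(events, key=_when):
        who, ts = _actor(e), _when(e)
        if not _is_ca_change(e) or who in baseline:
            continue
        if who in last_alert and ts - last_alert[who] < dedup:
            continue  # still inside this identity's deduplication period
        last_alert[who] = ts
        alerts.append((who, e["activityDisplayName"], ts))
    return alerts

def event(upn, op, when, result="success"):  # constructed audit-log record
    return {"activityDateTime": when, "activityDisplayName": op, "result": result,
            "initiatedBy": {"user": {"userPrincipalName": upn}}}

NOW = datetime(2025, 11, 9, 12, 0)
TRAINING_EVENTS = [event("admin@example.com", "Update conditional access policy", "2025-10-20T09:00"),
                   event("admin@example.com", "Add conditional access policy", "2025-10-25T10:00")]
RECENT_EVENTS = [
    event("admin@example.com", "Update conditional access policy", "2025-11-08T08:00"),    # in baseline
    event("contractor@example.com", "Add conditional access policy", "2025-11-08T09:00"),  # alert
    event("contractor@example.com", "Update conditional access policy", "2025-11-08T11:00"),  # deduplicated
    event("guest@example.com", "Add conditional access policy", "2025-11-08T12:00", "failure"),  # not a success
    event("contractor@example.com", "Update conditional access policy", "2025-11-09T10:00"),  # new window: alert
]
def run():
    return find_deviations(RECENT_EVENTS, build_baseline(TRAINING_EVENTS, NOW))
```

The failed attempt by guest@example.com is dropped here because the Suspicious variation requires a successful modification; the Informational variation above would consider any attempt.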