vladjoh/CA-Monitoring

CA-Monitoring

KQL detection queries that flag the deletion, modification and creation of Conditional Access policies.


Queries

🟢 CA-Policy-Created.kql

Detects when a new Conditional Access policy is created. Adds a RiskFlag that automatically highlights if the policy was created by an app or service principal (no UPN) rather than a human.

🟡 CA-Policy-Modified.kql

Detects when an existing Conditional Access policy is changed. Uses mv-expand to unpack every individual field that changed, giving you a proper before/after diff with OldValue and NewValue per row. Also auto-flags 🔴 High-Impact Field Changed when critical fields like state, conditions, or grantControls are touched.

🔴 CA-Policy-Deleted.kql

Detects when a Conditional Access policy is soft deleted. Adds a RiskFlag that automatically highlights if the deletion was performed by an app or service principal (no UPN) rather than a human.
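The following query is an added illustration of the modification-diff approach described above; it is not one of the repository's own .kql files. It assumes the standard Entra ID AuditLogs schema in Log Analytics (Category, OperationName, InitiatedBy, TargetResources with a modifiedProperties array); the exact OperationName string and the field names inside modifiedProperties should be verified against your tenant's logs.

```kql
// Added example: per-field before/after diff of Conditional Access policy updates.
// Assumption: the operation name and the modifiedProperties displayName values
// below match what your tenant writes to AuditLogs; adjust if they differ.
let HighImpactFields = dynamic(["state", "conditions", "grantControls", "sessionControls"]);
AuditLogs
| where Category == "Policy"
| where OperationName == "Update conditional access policy"
// A human actor has a UPN; an app or service principal only has a display name.
| extend ActorUpn = tostring(InitiatedBy.user.userPrincipalName)
| extend Actor = coalesce(ActorUpn, tostring(InitiatedBy.app.displayName))
| extend PolicyName = tostring(TargetResources[0].displayName)
// One row per changed property instead of one row per audit event.
| mv-expand Change = TargetResources[0].modifiedProperties
| extend FieldName = tostring(Change.displayName),
         OldValue  = tostring(Change.oldValue),
         NewValue  = tostring(Change.newValue)
| where OldValue != NewValue
| extend RiskFlag = case(
    FieldName in (HighImpactFields), "High-Impact Field Changed",
    isempty(ActorUpn),               "Changed by app / service principal",
                                     "Informational")
| project TimeGenerated, PolicyName, Actor, FieldName, OldValue, NewValue, RiskFlag, CorrelationId
| order by TimeGenerated desc
```

Point an Azure Monitor alert rule at this query with a threshold of one or more rows, and use RiskFlag in the alert's custom properties so that high-impact changes and non-human actors route to a different Action Group than routine edits.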


Requirements

  • Microsoft Entra ID P1
  • Log Analytics Workspace with AuditLogs streaming enabled
  • Azure Monitor alert rule per query
  • Action Group with Email / SMS or both

For more information on how to set this up, visit: https://www.need4.cloud/post/monitoring-conditional-access-policies-in-entra
