Adversaries may modify cloud policy configurations (Azure AD policies, the tenant authorization policy, cross-tenant access settings, Azure Policy assignments and exemptions, label policies) to gain unauthorized access, escalate privileges or weaken existing controls within Azure and Microsoft 365 environments. SOC teams should proactively hunt for these changes to identify privilege-escalation, persistence and defense-evasion attempts early, before the weakened policy is exploited.
KQL Query
CloudAppEvents
// Policy operations: Azure AD policies, cross-tenant access and authorization policy,
// Azure Policy assignments/exemptions, Purview label policies.
| where ActionType in ("Update policy.", "Add policy.", "Remove-CrossTenantAccessPolicy", "Add policy to service principal.", "Write PolicyAssignments", "Update authorization policy.", "Delete policy.", "Add owner to policy.", "Write PolicyExemptions", "Remove-LabelPolicy")
// One row per affected object; rows that only touch the DisplayName (cosmetic renames) are dropped.
| mv-expand ActivityObjects
| where tostring(ActivityObjects.Name) != "DisplayName"
// "status" == "Succeeded" is the Azure activity-log shape; Azure AD audit records in the unified
// audit log carry ResultStatus instead, so validate this filter against your own data.
| where RawEventData["status"] == "Succeeded"
| extend AccountMoniker = RawEventData["AccountMoniker"], AccountMonikerLocation = RawEventData["AccountMonikerLocation"], EventName = RawEventData["EventName"], EventNamespace = RawEventData["EventNamespace"], Role = RawEventData["Role"], RoleInstance = RawEventData["RoleInstance"], RoleLocation = RawEventData["RoleLocation"], HttpRequest = RawEventData["httpRequest"]
// Actor UPN from the raw audit record, so the Account entity mapping has UserId and EntityUPNSuffix.
| extend UserId = tostring(RawEventData["UserId"])
| extend EntityUPNSuffix = tostring(split(UserId, "@")[1])
| summarize Count = count() by tostring(AccountMoniker), tostring(AccountMonikerLocation), AccountDisplayName, UserId, EntityUPNSuffix, IPAddress, ActionType, ActivityType, tostring(EventName), tostring(EventNamespace), tostring(Role), tostring(RoleInstance), tostring(RoleLocation), tostring(HttpRequest)
id: fcd4d774-a0c2-4d12-9e9f-f51dfc310873
name: Policy configuration changes for CloudApp Events
description: |
  This query lists successful add, update and delete operations against cloud policies recorded in CloudAppEvents (Azure AD policies, the tenant authorization policy, cross-tenant access settings, Azure Policy assignments and exemptions, and label policies) and counts them per actor, source IP and operation, so that unusual actors or bursts of policy changes stand out. Each event is expanded to one row per affected activity object, and rows whose affected object is only the DisplayName are dropped, so cosmetic renames do not produce hits.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - CloudAppEvents
tactics:
  - DefenseEvasion
  - PrivilegeEscalation
relevantTechniques:
  - T1484
query: |
  CloudAppEvents
  // Policy operations: Azure AD policies, cross-tenant access and authorization policy,
  // Azure Policy assignments/exemptions, Purview label policies.
  | where ActionType in ("Update policy.", "Add policy.", "Remove-CrossTenantAccessPolicy", "Add policy to service principal.", "Write PolicyAssignments", "Update authorization policy.", "Delete policy.", "Add owner to policy.", "Write PolicyExemptions", "Remove-LabelPolicy")
  // One row per affected object; rows that only touch the DisplayName (cosmetic renames) are dropped.
  | mv-expand ActivityObjects
  | where tostring(ActivityObjects.Name) != "DisplayName"
  // "status" == "Succeeded" is the Azure activity-log shape; Azure AD audit records in the unified
  // audit log carry ResultStatus instead, so validate this filter against your own data.
  | where RawEventData["status"] == "Succeeded"
  | extend AccountMoniker = RawEventData["AccountMoniker"], AccountMonikerLocation = RawEventData["AccountMonikerLocation"], EventName = RawEventData["EventName"], EventNamespace = RawEventData["EventNamespace"], Role = RawEventData["Role"], RoleInstance = RawEventData["RoleInstance"], RoleLocation = RawEventData["RoleLocation"], HttpRequest = RawEventData["httpRequest"]
  // Actor UPN from the raw audit record, so the Account entity mapping has UserId and EntityUPNSuffix.
  | extend UserId = tostring(RawEventData["UserId"])
  | extend EntityUPNSuffix = tostring(split(UserId, "@")[1])
  | summarize Count = count() by tostring(AccountMoniker), tostring(AccountMonikerLocation), AccountDisplayName, UserId, EntityUPNSuffix, IPAddress, ActionType, ActivityType, tostring(EventName), tostring(EventNamespace), tostring(Role), tostring(RoleInstance), tostring(RoleLocation), tostring(HttpRequest)
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: Name
        columnName: AccountDisplayName
      - identifier: UPNSuffix
        columnName: EntityUPNSuffix
      - identifier: FullName
        columnName: UserId
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: IPAddress
version: 1.0.0
kind: Scheduled
| Sentinel Table | Notes |
|---|---|
| CloudAppEvents | Ensure the Microsoft Defender XDR (MicrosoftThreatProtection) data connector is enabled and streaming this table |
Scenario: Scheduled Job Updating Policies
Description: A scheduled automation job (for example a nightly compliance or drift-remediation run under a dedicated service principal) updates policies in the tenant.
Filter/Exclusion: Exclude the job's identity, e.g. | where AccountDisplayName != "NightlyPolicySync" (placeholder name; use the service principal that actually runs the job and, where it is stable, its known source IPAddress).
Scenario: Admin User Modifying Policies via the Portal
Description: An administrator manually adjusts policy configuration through the Azure portal or the Entra admin center during routine maintenance.
Filter/Exclusion: Prefer correlating the change with a change-management record over excluding the account. | where AccountDisplayName !in ("admin_user", "cloudadmin") (placeholder names) also hides a compromised or misused admin account, which is exactly the activity this hunt exists to surface.
Scenario: Automated Policy Sync from a Governance or Integration Tool
Description: A governance or integration tool running under its own service principal pushes policy updates into the tenant on a schedule.
Filter/Exclusion: | where AccountDisplayName != "cloudapp_sync_tool" (placeholder); pair it with the tool's IPAddress so the same identity acting from an unexpected location still produces a hit.
Scenario: Policy Changes via API by a DevOps Pipeline
Description: DevOps engineers update policy assignments or exemptions programmatically as part of a CI/CD pipeline.
Filter/Exclusion: | where AccountDisplayName != "devops-pipeline-sp" (placeholder) combined with the pipeline's egress IP ranges in IPAddress; the same identity acting from outside those ranges should still be reviewed.
Scenario: User-Driven Policy Adjustments for Custom Monitoring
Description: A team member creates or tunes policies to monitor specific user activities or application behaviour.
Filter/Exclusion: | where AccountDisplayName !in ("custom_monitoring_team") (placeholder), scoped to the object types that team owns via ActivityObjects.Name; changes to the authorization policy or cross-tenant access settings should be reviewed rather than suppressed.
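To sanity-check the hunt's filtering and aggregation logic offline, and to see how the exclusions above interact with it, here is an added Python replay of the query over a handful of constructed CloudAppEvents-style rows. It is example code written for this page, not part of the original query or of Microsoft Sentinel; the identities (NightlyPolicySync, devops-pipeline-sp, alice), IP addresses and activity-object names are invented, and the status handling assumes that Azure AD audit records expose ResultStatus rather than status.

```python
"""Offline replay of the CloudAppEvents policy-change hunt on this page.

Added example: not code from the original page nor from Microsoft. The events
below are constructed to mimic CloudAppEvents rows (column names as used by the
KQL query); identities, IPs and object names are invented for illustration.
"""
from collections import Counter
from typing import Iterator

# Same ActionType allow-list as the page's query.
POLICY_ACTION_TYPES = frozenset({
    "Update policy.", "Add policy.", "Remove-CrossTenantAccessPolicy",
    "Add policy to service principal.", "Write PolicyAssignments",
    "Update authorization policy.", "Delete policy.", "Add owner to policy.",
    "Write PolicyExemptions", "Remove-LabelPolicy",
})

# Hypothetical sanctioned automation identities (tuning allow-list); an
# assumption for this example, not something the page defines.
SANCTIONED_ACTORS = frozenset({"NightlyPolicySync", "devops-pipeline-sp"})

# Constructed sample events shaped like CloudAppEvents rows (not real data).
SAMPLE_EVENTS = [
    {  # nightly automation touching a policy definition (benign, tunable)
        "ActionType": "Update policy.", "AccountDisplayName": "NightlyPolicySync",
        "IPAddress": "10.1.2.3", "ActivityType": "Update",
        "ActivityObjects": [{"Name": "DisplayName"}, {"Name": "Definition"}],
        "RawEventData": {"status": "Succeeded", "UserId": "nightlypolicysync@contoso.com"},
    },
    {  # interactive user changing the tenant authorization policy (interesting)
        "ActionType": "Update authorization policy.", "AccountDisplayName": "alice",
        "IPAddress": "203.0.113.7", "ActivityType": "Update",
        "ActivityObjects": [{"Name": "AllowedToCreateApps"}, {"Name": "Policy"}],
        "RawEventData": {"ResultStatus": "Success", "UserId": "alice@contoso.com"},
    },
    {  # failed attempt: dropped by the status filter
        "ActionType": "Add owner to policy.", "AccountDisplayName": "alice",
        "IPAddress": "203.0.113.7", "ActivityType": "Update",
        "ActivityObjects": [{"Name": "Owner"}],
        "RawEventData": {"ResultStatus": "Failure", "UserId": "alice@contoso.com"},
    },
    {  # CI/CD pipeline assigning an Azure Policy (benign, tunable)
        "ActionType": "Write PolicyAssignments", "AccountDisplayName": "devops-pipeline-sp",
        "IPAddress": "198.51.100.20", "ActivityType": "Write",
        "ActivityObjects": [{"Name": "policyAssignment"}],
        "RawEventData": {"status": "Succeeded", "EventName": "EndRequest"},
    },
    {  # unrelated ActionType: never matches the allow-list
        "ActionType": "Add member to role.", "AccountDisplayName": "alice",
        "IPAddress": "203.0.113.7", "ActivityType": "Add",
        "ActivityObjects": [{"Name": "Role"}],
        "RawEventData": {"ResultStatus": "Success"},
    },
    {  # cosmetic rename only: its single expanded row is a DisplayName object, so nothing survives
        "ActionType": "Update policy.", "AccountDisplayName": "alice",
        "IPAddress": "203.0.113.7", "ActivityType": "Update",
        "ActivityObjects": [{"Name": "DisplayName"}],
        "RawEventData": {"status": "Succeeded"},
    },
]


def succeeded(raw: dict) -> bool:
    """Status check. The page's query tests only RawEventData.status == "Succeeded"
    (Azure activity-log shape); Azure AD records in the unified audit log report
    ResultStatus == "Success" instead (assumption: verify against your tenant's data),
    so this replay accepts either form."""
    return raw.get("status") == "Succeeded" or raw.get("ResultStatus") == "Success"


def expand(events) -> Iterator[dict]:
    """Emulate `mv-expand ActivityObjects`: one row per activity object."""
    for ev in events:
        for obj in ev.get("ActivityObjects") or []:
            yield {**ev, "ActivityObject": obj}


def policy_change_rows(events) -> list:
    """Apply the query's where clauses to the expanded rows."""
    return [
        row for row in expand(events)
        if row["ActionType"] in POLICY_ACTION_TYPES
        and row["ActivityObject"].get("Name") != "DisplayName"
        and succeeded(row["RawEventData"])
    ]


def summarize(rows) -> Counter:
    """Emulate `summarize Count = count() by ...` over a reduced key set."""
    return Counter(
        (row["AccountDisplayName"], row["IPAddress"], row["ActionType"]) for row in rows
    )


def tune(counts: Counter, sanctioned=SANCTIONED_ACTORS) -> Counter:
    """Drop sanctioned automation identities. Human admins do not belong here:
    a compromised admin account is exactly what this hunt should surface."""
    return Counter({k: v for k, v in counts.items() if k[0] not in sanctioned})


if __name__ == "__main__":
    for key, n in tune(summarize(policy_change_rows(SAMPLE_EVENTS))).items():
        print(f"{n:>3}  {key}")
```

Run directly, it prints only the interactive change to the authorization policy: the automation identities are removed by the tuning step, the failed attempt by the status check, and the pure rename because all of its expanded rows are DisplayName objects. When adapting the allow-list to real data, key it on AccountObjectId and the known source IPAddress rather than on AccountDisplayName, which an attacker who controls the account can set.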