Closed cygnetix closed 1 month ago
Summary of the Pull Request
Hi team,
I noticed that azure_aad_secops_ca_policy_updatedby_bad_actor.yml uses a list (keywords) to detect when a conditional access policy has been modified, while similar rules such as azure_aad_secops_ca_policy_removedby_bad_actor.yml use a map (selection).
This is a simple PR to update azure_aad_secops_ca_policy_updatedby_bad_actor.yml for the sake of consistency.
Changelog
update: CA Policy Updated by Non Approved Actor - detect using a map of fields instead of a list
Example Log Event
N/A
Fixed Issues
N/A
SigmaHQ Rule Creation Conventions
N/A
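As an added example (not code from this PR, the rule in question, or the SigmaHQ project): a minimal Python evaluator for the two detection styles the PR contrasts, a `keywords` list and a `selection` field map, run over constructed Azure AD audit-style events. The field names (`operationName`, `initiatedBy.user.userPrincipalName`), the approved-actor filter and the event contents are assumptions for illustration, not the actual rule. It shows the practical reason the map form is preferable beyond consistency: a keyword list matches the string wherever it appears in the event, while a field map binds the match to the field the rule actually means.

```python
"""Toy evaluator for two Sigma detection shapes: `keywords` (list) and
`selection` (field map), both used as `X and not filter`.
Semantics are simplified: case-insensitive glob/contains matching, no
field modifiers. Events and field names are constructed for this example."""

import fnmatch

# Constructed Azure AD audit-style events (hypothetical field layout).
EVENTS = [
    {   # CA policy updated by an unapproved actor: both styles should fire
        "operationName": "Update conditional access policy",
        "initiatedBy": {"user": {"userPrincipalName": "attacker@contoso.com"}},
        "result": "success",
    },
    {   # approved admin updating CA policy: neither style should fire
        "operationName": "Update conditional access policy",
        "initiatedBy": {"user": {"userPrincipalName": "ca-admin@contoso.com"}},
        "result": "success",
    },
    {   # unrelated operation whose free text contains the phrase: only keywords fire
        "operationName": "Update group",
        "targetResources": [{"displayName": "Update conditional access policy reviewers"}],
        "initiatedBy": {"user": {"userPrincipalName": "helpdesk@contoso.com"}},
        "result": "success",
    },
]

# List-style detection (the shape the PR replaces): unfielded keyword search.
KEYWORDS_STYLE = {
    "keywords": ["Update conditional access policy"],
    "filter": {"initiatedBy.user.userPrincipalName": ["ca-admin@contoso.com"]},
    "condition": "keywords and not filter",
}

# Map-style detection (the shape similar rules use): bound to operationName.
MAP_STYLE = {
    "selection": {"operationName": "Update conditional access policy"},
    "filter": {"initiatedBy.user.userPrincipalName": ["ca-admin@contoso.com"]},
    "condition": "selection and not filter",
}


def _flatten(value, out):
    """Collect every scalar in a nested event, which is what a keyword search sees."""
    if isinstance(value, dict):
        for v in value.values():
            _flatten(v, out)
    elif isinstance(value, list):
        for v in value:
            _flatten(v, out)
    elif value is not None:
        out.append(str(value))
    return out


def _get_field(event, dotted):
    """Resolve a dotted field path such as initiatedBy.user.userPrincipalName."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def match_keywords(event, keywords):
    """Keyword list: any keyword found (as a substring) in any value of the event."""
    haystack = [s.lower() for s in _flatten(event, [])]
    return any(fnmatch.fnmatchcase(h, f"*{kw.lower()}*")
               for kw in keywords for h in haystack)


def match_map(event, selection):
    """Field map: AND across fields, OR within a field's list of values."""
    for field, expected in selection.items():
        values = expected if isinstance(expected, list) else [expected]
        actual = _get_field(event, field)
        if actual is None:
            return False
        if not any(fnmatch.fnmatchcase(str(actual).lower(), str(v).lower()) for v in values):
            return False
    return True


def evaluate(event, detection):
    """Evaluate the fixed condition shape `<primary> and not filter`."""
    primary_name = detection["condition"].split(" and not ")[0]
    primary = detection[primary_name]
    hit = match_keywords(event, primary) if isinstance(primary, list) else match_map(event, primary)
    return hit and not match_map(event, detection["filter"])


def run(events, detection):
    """Return the indices of events the detection fires on."""
    return [i for i, e in enumerate(events) if evaluate(e, detection)]


if __name__ == "__main__":
    print("keywords style fires on:", run(EVENTS, KEYWORDS_STYLE))
    print("map style fires on:     ", run(EVENTS, MAP_STYLE))
```

Event 2 is the one worth noticing: the keyword list fires because the phrase appears inside an unrelated display name, while the field map stays quiet because `operationName` is `Update group`. Binding the match to a field is what keeps the detection aligned with the operation it is meant to catch, which is the same reason the sibling removal rule already uses a map.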