Hunting query that identifies Conditional Access policies that have been disabled or deleted. An attacker who obtains privileged access to an Entra ID tenant will commonly disable or delete CA policies to remove multi-factor authentication requirements, trusted location restrictions, or compliant-device conditions before proceeding with lateral movement or data exfiltration. Disabling a CA policy is a silent, low-noise action that does not interrupt active sessions and may go unnoticed without d
| Attribute | Value |
|---|---|
| Type | Hunting Query |
| Solution | Standalone Content |
| ID | 0456a783-2fd9-4e07-aa05-4aa0afdab0a6 |
| Tactics | DefenseEvasion, Persistence |
| Techniques | T1562.001, T1556 |
| Required Connectors | AzureActiveDirectory |
| Source | [View on GitHub](https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AuditLogs/ConditionalAccessPolicyDisabledOrDeleted.yaml) |