Detects modifications to IAM conditions or policies that alter authentication behavior, such as adding permissive trusted IPs, removing MFA requirements, or changing regional access restrictions. Behavioral detection focuses on anomalous policy updates tied to privileged accounts and subsequent suspicious logon activity from previously blocked regions or devices.

| Data Component | Name | Channel |
|---|---|---|
| Cloud Service Modification (DC0069) | AWS:CloudTrail | PutUserPolicy, PutGroupPolicy, PutRolePolicy, CreatePolicyVersion |

| Field | Description |
|---|---|
| MonitoredIAMConditions | Specific condition keys (SourceIp, RequestedRegion, MFAAuthenticated) tuned per environment. |
| TimeWindow | Correlates policy modification with follow-on logins from newly permitted sources. |
| PrivilegedAccounts | List of administrative accounts to prioritize when monitoring for conditional access changes. |
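
As an added example (not code from the ATT&CK page or any vendor), the correlation described above sketched in Python: it flags CloudTrail IAM policy writes whose Allow statements loosen a monitored condition key, keeps every write made by a configured privileged account, and raises an alert when a ConsoleLogin from a non-baseline IP follows within the TimeWindow. The account names, IP addresses, timestamps and policy document are constructed for the example.

```python
import json
from datetime import datetime, timedelta

# Tunables mirroring the fields above; all values are constructed for this example.
POLICY_WRITES = {"PutUserPolicy", "PutGroupPolicy", "PutRolePolicy", "CreatePolicyVersion"}
PRIVILEGED_ACCOUNTS = {"admin-alice"}          # PrivilegedAccounts
BASELINE_SOURCE_IPS = {"203.0.113.10"}         # logon sources seen before the change
TIME_WINDOW = timedelta(hours=2)               # TimeWindow

def weakened_conditions(policy_doc):
    """Reasons an Allow statement loosens a monitored IAM condition key."""
    reasons, stmts = [], policy_doc.get("Statement", [])
    for s in (stmts if isinstance(stmts, list) else [stmts]):
        if s.get("Effect") != "Allow":
            continue
        for kv in s.get("Condition", {}).values():        # e.g. {"IpAddress": {...}}
            for key, val in kv.items():
                vals = {str(v).lower() for v in (val if isinstance(val, list) else [val])}
                if key == "aws:SourceIp" and vals & {"0.0.0.0/0", "::/0"}:
                    reasons.append("aws:SourceIp opened to all addresses")
                if key == "aws:MultiFactorAuthPresent" and "false" in vals:
                    reasons.append("access allowed without MFA")
    return reasons

def correlate(events):
    """Pair suspicious policy writes with follow-on logons from non-baseline IPs."""
    writes, alerts = [], []
    for e in sorted(events, key=lambda e: e["eventTime"]):
        t = datetime.fromisoformat(e["eventTime"].replace("Z", "+00:00"))
        user, ip = e["userIdentity"]["userName"], e["sourceIPAddress"]
        if e["eventName"] in POLICY_WRITES:
            reasons = weakened_conditions(json.loads(e["requestParameters"]["policyDocument"]))
            if reasons or user in PRIVILEGED_ACCOUNTS:   # privileged edits are always kept for correlation
                writes.append((t, user, reasons))
        elif e["eventName"] == "ConsoleLogin" and ip not in BASELINE_SOURCE_IPS:
            for wt, wuser, reasons in writes:
                if wt <= t <= wt + TIME_WINDOW:
                    alerts.append({"policy_by": wuser, "login": user, "ip": ip, "reasons": reasons})
    return alerts

# Constructed CloudTrail-like events: a policy write that opens SourceIp, then logons from a new address.
OPEN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*", "Condition": {"IpAddress": {"aws:SourceIp": ["0.0.0.0/0"]}}}]})
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T10:00:00Z", "eventName": "PutUserPolicy", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"userName": "admin-alice"}, "requestParameters": {"policyDocument": OPEN_POLICY}},
    {"eventTime": "2024-05-01T10:45:00Z", "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"userName": "admin-alice"}},                       # inside TimeWindow: alert
    {"eventTime": "2024-05-01T15:00:00Z", "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"userName": "admin-alice"}},                       # outside TimeWindow: no alert
]
```

`correlate(SAMPLE_EVENTS)` returns one alert for the 10:45 logon; the 15:00 logon from the same address falls outside the window and is dropped.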

Detects suspicious updates to conditional access or MFA enforcement policies in identity providers such as Entra ID, Okta, or JumpCloud. Focus is on removal of policy blocks, addition of broad exclusions, or registration of adversary-controlled MFA methods, followed by anomalous login activity that takes advantage of the modified policies.

| Data Component | Name | Channel |
|---|---|---|
| Active Directory Object Modification (DC0066) | azure:activity | Update conditionalAccessPolicy |
| Application Log Content (DC0038) | saas:okta | Conditional Access policy rule modified or MFA requirement disabled |

| Field | Description |
|---|---|
| TargetedApplications | Specific SaaS or cloud apps most sensitive to conditional access changes. |
| RiskThresholds | Risk scores or signals that may be tuned for anomaly detection in login behavior. |
| UserContext | Business roles or expected MFA patterns per user/group to reduce false positives. |