From 78abfd5700cfb247a5309eef861a559989e509fa Mon Sep 17 00:00:00 2001
From: cyb3rjy0t
Date: Wed, 21 Aug 2024 08:46:20 -0400
Subject: [PATCH] Merge PR #4977 from @cyb3rjy0t - Add `User Risk and MFA Registration Policy Updated`

new: User Risk and MFA Registration Policy Updated

---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
---
...pdate_risk_and_mfa_registration_policy.yml | 25 +++++++++++++++++++
1 file changed, 25 insertions(+)
create mode 100644 rules/cloud/azure/audit_logs/azure_update_risk_and_mfa_registration_policy.yml

diff --git a/rules/cloud/azure/audit_logs/azure_update_risk_and_mfa_registration_policy.yml b/rules/cloud/azure/audit_logs/azure_update_risk_and_mfa_registration_policy.yml
new file mode 100644
index 00000000000..1ecd54663b3
--- /dev/null
+++ b/rules/cloud/azure/audit_logs/azure_update_risk_and_mfa_registration_policy.yml
@@ -0,0 +1,25 @@
+title: User Risk and MFA Registration Policy Updated
+id: d4c7758e-9417-4f2e-9109-6125d66dabef
+status: experimental
+description: |
+ Detects changes and updates to the user risk and MFA registration policy.
+ Attackers can modified the policies to Bypass MFA, weaken security thresholds, facilitate further attacks, maintain persistence.
+references:
+ - https://learn.microsoft.com/en-us/entra/id-protection/howto-identity-protection-configure-mfa-policy
+ - https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities
+author: Harjot Singh (@cyb3rjy0t)
+date: 2024-08-13
+tags:
+ - attack.persistence
+logsource:
+ product: azure
+ service: auditlogs
+detection:
+ selection:
+ LoggedByService: 'AAD Management UX'
+ Category: 'Policy'
+ OperationName: 'Update User Risk and MFA Registration Policy'
+ condition: selection
+falsepositives:
+ - Known updates by administrators.
+level: high
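Review bot: The `description` block in the new rule has a grammar defect that reaches analysts verbatim and should be fixed before the rule ships: `Attackers can modified the policies to Bypass MFA, weaken security thresholds, facilitate further attacks, maintain persistence.` should read `Attackers may modify these policies to bypass MFA, weaken security thresholds, facilitate further attacks, or maintain persistence.`. The `tags` list carries only `attack.persistence`, while the description itself frames the behaviour as weakening an authentication control, so adding `attack.defense-evasion` and `attack.t1556` would bring the ATT&CK mapping in line with that text. The selection also pins `LoggedByService: 'AAD Management UX'`, which presumably narrows the match to changes made through the portal; if the same `OperationName` can be recorded under a different service value when the policy is changed by another interface, the rule would miss those events, so this is worth confirming against the referenced audit-activities page and, if so, dropping or broadening that field. The `falsepositives` entry could also tell the analyst what to verify, e.g. `Known updates by administrators, confirmed through change-management records.`.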