HuntingTest

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
      "apiVersion": "2020-08-01",
      "name": "[concat(parameters('workspace'), '/AADConditionalAccessDisabled')]",
      "location": "[resourceGroup().location]",
      "properties": {
        "eTag": "*",
        "displayName": "Azure DevOps- AAD Conditional Access Disabled",
        "category": "Hunting Queries",
        "query": "AzureDevOpsAuditing\n| where OperationName ==\"OrganizationPolicy.PolicyValueUpdated\"\n| where Data.PolicyName == \"Policy.EnforceAADConditionalAccess\"\n| where Data.PolicyValue == \"OFF\"\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\n",
        "version": 1,
        "tags": [
          {
            "name": "description",
            "value": "This hunting query identifies Azure DevOps activities where organization AADConditionalAccess policy disable by the admin"
          },
          {
            "name": "tactics",
            "value": "Persistence,DefenseEvasion"
          },
          {
            "name": "relevantTechniques",
            "value": "T1098,T1562"
          }
        ]
      }
    }
  ]
}