Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

AWS Security Hub - Detect root user lacking MFA

Back
Id6b3b9b1d-0d5d-4d4a-9f0f-8d1e2c7a5f44
RulenameAWS Security Hub - Detect root user lacking MFA
DescriptionThis query detects AWS accounts where the root user does not have multi-factor authentication (MFA) enabled, using AWS Security Hub control IAM.9 findings.

Lack of MFA on the root user increases the risk of unauthorized access and privilege abuse.
SeverityHigh
TacticsPrivilegeEscalation
Persistence
CredentialAccess
DefenseEvasion
TechniquesT1098
T1110
T1556.006
Required data connectorsAWSSecurityHub
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AWS Security Hub/Analytic Rules/IAMRootUserMFADisabled.yaml
Version1.0.0
Arm template6b3b9b1d-0d5d-4d4a-9f0f-8d1e2c7a5f44.json
Deploy To Azure
AWSSecurityHubFindings
| where RecordState == "ACTIVE" and ComplianceStatus == "FAILED"
| where tostring(AwsSecurityFindingGeneratorId) == "security-control/IAM.9"
  or tostring(ComplianceSecurityControlId) == "IAM.9"
| extend RootUserARN = tostring(Resources[0].Id)
| summarize TimeGenerated = max(TimeGenerated)
    by AwsAccountId, AwsRegion, AwsSecurityFindingTitle, AwsSecurityFindingDescription,
       AwsSecurityFindingId, ComplianceSecurityControlId, RootUserARN
query: |
  AWSSecurityHubFindings
  | where RecordState == "ACTIVE" and ComplianceStatus == "FAILED"
  | where tostring(AwsSecurityFindingGeneratorId) == "security-control/IAM.9"
    or tostring(ComplianceSecurityControlId) == "IAM.9"
  | extend RootUserARN = tostring(Resources[0].Id)
  | summarize TimeGenerated = max(TimeGenerated)
      by AwsAccountId, AwsRegion, AwsSecurityFindingTitle, AwsSecurityFindingDescription,
         AwsSecurityFindingId, ComplianceSecurityControlId, RootUserARN  
status: Available
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AWS Security Hub/Analytic Rules/IAMRootUserMFADisabled.yaml
description: |
  This query detects AWS accounts where the root user does not have multi-factor authentication (MFA) enabled, using AWS Security Hub control IAM.9 findings.
  Lack of MFA on the root user increases the risk of unauthorized access and privilege abuse.  
queryPeriod: 1h
triggerOperator: gt
tags:
- PCI DSS v3.2.1
- NIST 800-53 r5
- CIS AWS Foundations Benchmark v1.4.0
alertDetailsOverride:
  alertDisplayNameFormat: AWS Account {{AwsAccountId}} root user lacks MFA
  alertDescriptionFormat: 'AWS Account {{AwsAccountId}} has root user without MFA (Resource: {{RootUserARN}}).'
queryFrequency: 1h
version: 1.0.0
id: 6b3b9b1d-0d5d-4d4a-9f0f-8d1e2c7a5f44
tactics:
- PrivilegeEscalation
- Persistence
- CredentialAccess
- DefenseEvasion
entityMappings:
- fieldMappings:
  - identifier: Name
    columnName: AwsAccountId
  - identifier: CloudAppAccountId
    columnName: RootUserARN
  entityType: Account
requiredDataConnectors:
- dataTypes:
  - AWSSecurityHubFindings
  connectorId: AWSSecurityHub
name: AWS Security Hub - Detect root user lacking MFA
severity: High
customDetails:
  FindingId: AwsSecurityFindingId
  Region: AwsRegion
  ComplianceControlId: ComplianceSecurityControlId
  RootUserARN: RootUserARN
triggerThreshold: 0
kind: Scheduled
relevantTechniques:
- T1098
- T1110
- T1556.006
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/6b3b9b1d-0d5d-4d4a-9f0f-8d1e2c7a5f44')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/6b3b9b1d-0d5d-4d4a-9f0f-8d1e2c7a5f44')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "AWS Account {{AwsAccountId}} has root user without MFA (Resource: {{RootUserARN}}).",
          "alertDisplayNameFormat": "AWS Account {{AwsAccountId}} root user lacks MFA"
        },
        "alertRuleTemplateName": "6b3b9b1d-0d5d-4d4a-9f0f-8d1e2c7a5f44",
        "customDetails": {
          "ComplianceControlId": "ComplianceSecurityControlId",
          "FindingId": "AwsSecurityFindingId",
          "Region": "AwsRegion",
          "RootUserARN": "RootUserARN"
        },
        "description": "This query detects AWS accounts where the root user does not have multi-factor authentication (MFA) enabled, using AWS Security Hub control IAM.9 findings.\nLack of MFA on the root user increases the risk of unauthorized access and privilege abuse.\n",
        "displayName": "AWS Security Hub - Detect root user lacking MFA",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AwsAccountId",
                "identifier": "Name"
              },
              {
                "columnName": "RootUserARN",
                "identifier": "CloudAppAccountId"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AWS Security Hub/Analytic Rules/IAMRootUserMFADisabled.yaml",
        "query": "AWSSecurityHubFindings\n| where RecordState == \"ACTIVE\" and ComplianceStatus == \"FAILED\"\n| where tostring(AwsSecurityFindingGeneratorId) == \"security-control/IAM.9\"\n  or tostring(ComplianceSecurityControlId) == \"IAM.9\"\n| extend RootUserARN = tostring(Resources[0].Id)\n| summarize TimeGenerated = max(TimeGenerated)\n    by AwsAccountId, AwsRegion, AwsSecurityFindingTitle, AwsSecurityFindingDescription,\n       AwsSecurityFindingId, ComplianceSecurityControlId, RootUserARN\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "High",
        "status": "Available",
        "subTechniques": [
          "T1556.006"
        ],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CredentialAccess",
          "DefenseEvasion",
          "Persistence",
          "PrivilegeEscalation"
        ],
        "tags": [
          "PCI DSS v3.2.1",
          "NIST 800-53 r5",
          "CIS AWS Foundations Benchmark v1.4.0"
        ],
        "techniques": [
          "T1098",
          "T1110",
          "T1556"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}