Azure secure score PW age policy new

Back


Id	88C9A5E0-31EC-490B-82E5-A286D9B99A67
Rulename	Azure secure score PW age policy new
Description	This query searches for having found that when periodic password resets are enforced, passwords become less secure. Users tend to pick a weaker password and vary it slightly for each reset. If a user creates a strong password (long, complex and without any pragmatic words present) it should remain just as strong in the future as it is today. It is Microsoft’s official security position to not expire passwords periodically without a specific reason, and recommends that cloud-only tenants set the password policy to never expire.
Severity	Medium
Tactics	CredentialAccess
Techniques	T1555 T1606 T1040
Required data connectors	SenservaPro
Kind	Scheduled
Query frequency	6h
Query period	6h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SenservaPro/Analytic Rules/PasswordAgePolicyNew.yaml
Version	1.0.0
Arm template	88C9A5E0-31EC-490B-82E5-A286D9B99A67.json

KQL

SenservaPro_CL
| where ControlName_s == 'AzureSecureScorePWAgePolicyNew'

YAML

version: 1.0.0
name: Azure secure score PW age policy new
severity: Medium
queryFrequency: 6h
kind: Scheduled
queryPeriod: 6h
description: |
  'This query searches for having found that when periodic password resets are enforced,
   passwords become less secure. Users tend to pick a weaker password and vary it slightly for each reset. 
   If a user creates a strong password (long, complex and without any pragmatic words present)
   it should remain just as strong in the future as it is today. It is Microsoft's official security position
   to not expire passwords periodically without a specific reason, and recommends 
   that cloud-only tenants set the password policy to never expire.'  
query: |
  SenservaPro_CL
  | where ControlName_s == 'AzureSecureScorePWAgePolicyNew'  
tactics:
- CredentialAccess
triggerOperator: gt
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: ControlName_s
    identifier: Name
  - columnName: TenantId
    identifier: AadTenantId
  - columnName: TenantDisplayName_s
    identifier: DisplayName
- entityType: SecurityGroup
  fieldMappings:
  - columnName: Group_s
    identifier: DistinguishedName
- entityType: AzureResource
  fieldMappings:
  - columnName: SourceSystem
    identifier: ResourceId
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SenservaPro/Analytic Rules/PasswordAgePolicyNew.yaml
requiredDataConnectors:
- connectorId: SenservaPro
  dataTypes:
  - SenservaPro_CL
status: Available
relevantTechniques:
- T1555
- T1606
- T1040
id: 88C9A5E0-31EC-490B-82E5-A286D9B99A67

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/88C9A5E0-31EC-490B-82E5-A286D9B99A67')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/88C9A5E0-31EC-490B-82E5-A286D9B99A67')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01-preview",
      "properties": {
        "displayName": "Azure secure score PW age policy new",
        "description": "'This query searches for having found that when periodic password resets are enforced,\n passwords become less secure. Users tend to pick a weaker password and vary it slightly for each reset. \n If a user creates a strong password (long, complex and without any pragmatic words present)\n it should remain just as strong in the future as it is today. It is Microsoft's official security position\n to not expire passwords periodically without a specific reason, and recommends \n that cloud-only tenants set the password policy to never expire.'\n",
        "severity": "Medium",
        "enabled": true,
        "query": "SenservaPro_CL\n| where ControlName_s == 'AzureSecureScorePWAgePolicyNew'\n",
        "queryFrequency": "PT6H",
        "queryPeriod": "PT6H",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CredentialAccess"
        ],
        "techniques": [
          "T1555",
          "T1606",
          "T1040"
        ],
        "alertRuleTemplateName": "88C9A5E0-31EC-490B-82E5-A286D9B99A67",
        "customDetails": null,
        "entityMappings": [
          {
            "fieldMappings": [
              {
                "columnName": "ControlName_s",
                "identifier": "Name"
              },
              {
                "columnName": "TenantId",
                "identifier": "AadTenantId"
              },
              {
                "columnName": "TenantDisplayName_s",
                "identifier": "DisplayName"
              }
            ],
            "entityType": "Account"
          },
          {
            "fieldMappings": [
              {
                "columnName": "Group_s",
                "identifier": "DistinguishedName"
              }
            ],
            "entityType": "SecurityGroup"
          },
          {
            "fieldMappings": [
              {
                "columnName": "SourceSystem",
                "identifier": "ResourceId"
              }
            ],
            "entityType": "AzureResource"
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SenservaPro/Analytic Rules/PasswordAgePolicyNew.yaml",
        "templateVersion": "1.0.0",
        "status": "Available"
      }
    }
  ]
}