Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Azure secure score MFA registration V2

Azure secure score MFA registration V2

Back
Id8EB2B20A-BF64-4DCC-9D98-1AD559502C00
RulenameAzure secure score MFA registration V2
DescriptionThis query searches for multi-factor authentication (MFA) helps protect devices and data that are accessible to these users. Adding more authentication methods, such as the Microsoft Authenticator app or a phone number, increases the level of protection if one factor is compromised.
SeverityMedium
TacticsCredentialAccess
TechniquesT1056
Required data connectorsSenservaPro
KindScheduled
Query frequency6h
Query period6h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SenservaPro/Analytic Rules/MFARegistration.yaml
Version1.0.1
Arm template8EB2B20A-BF64-4DCC-9D98-1AD559502C00.json
Deploy To Azure
SenservaPro_CL
| where ControlName_s == 'AzureSecureScoreMFARegistrationV2'

queryPeriod: 6h
query: |
  SenservaPro_CL
  | where ControlName_s == 'AzureSecureScoreMFARegistrationV2'  
name: Azure secure score MFA registration V2
entityMappings:
- fieldMappings:
  - columnName: ControlName_s
    identifier: Name
  - columnName: TenantId
    identifier: AadTenantId
  - columnName: TenantDisplayName_s
    identifier: DisplayName
  entityType: Account
- fieldMappings:
  - columnName: Group_s
    identifier: DistinguishedName
  entityType: SecurityGroup
- fieldMappings:
  - columnName: SourceSystem
    identifier: ResourceId
  entityType: AzureResource
queryFrequency: 6h
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SenservaPro/Analytic Rules/MFARegistration.yaml
requiredDataConnectors:
- connectorId: SenservaPro
  dataTypes:
  - SenservaPro_CL
description: |
    'This query searches for multi-factor authentication (MFA) helps protect devices and data that are accessible to these users. Adding more authentication methods, such as the Microsoft Authenticator app or a phone number, increases the level of protection if one factor is compromised.'
kind: Scheduled
version: 1.0.1
status: Available
severity: Medium
relevantTechniques:
- T1056
triggerOperator: gt
triggerThreshold: 0
tactics:
- CredentialAccess
id: 8EB2B20A-BF64-4DCC-9D98-1AD559502C00