Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Azure secure score admin MFA

Azure secure score admin MFA

Back
Id9a15c3dd-f72b-49a4-bcb7-94406395661e
RulenameAzure secure score admin MFA
DescriptionThis query searches for requiring multi-factor authentication (MFA) for all administrative roles makes it harder for attackers to access accounts. Administrative roles have higher permissions than typical users. If any of those accounts are compromised, critical devices and data is open to attack.
SeverityHigh
TacticsImpact
TechniquesT1529
T1498
Required data connectorsSenservaPro
KindScheduled
Query frequency6h
Query period6h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SenservaPro/Analytic Rules/AdminMFA.yaml
Version1.0.1
Arm template9a15c3dd-f72b-49a4-bcb7-94406395661e.json
Deploy To Azure
SenservaPro_CL
| where ControlName_s == 'AzureSecureScoreAdminMFAV2'

queryPeriod: 6h
query: |
  SenservaPro_CL
  | where ControlName_s == 'AzureSecureScoreAdminMFAV2'  
name: Azure secure score admin MFA
entityMappings:
- fieldMappings:
  - columnName: ControlName_s
    identifier: Name
  - columnName: TenantId
    identifier: AadTenantId
  - columnName: TenantDisplayName_s
    identifier: DisplayName
  entityType: Account
- fieldMappings:
  - columnName: Group_s
    identifier: DistinguishedName
  entityType: SecurityGroup
- fieldMappings:
  - columnName: SourceSystem
    identifier: ResourceId
  entityType: AzureResource
queryFrequency: 6h
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SenservaPro/Analytic Rules/AdminMFA.yaml
requiredDataConnectors:
- connectorId: SenservaPro
  dataTypes:
  - SenservaPro_CL
description: |
    'This query searches for requiring multi-factor authentication (MFA) for all administrative roles makes it harder for attackers to access accounts. Administrative roles have higher permissions than typical users. If any of those accounts are compromised, critical devices and data is open to attack.'
kind: Scheduled
version: 1.0.1
status: Available
severity: High
relevantTechniques:
- T1529
- T1498
triggerOperator: gt
triggerThreshold: 0
tactics:
- Impact
id: 9a15c3dd-f72b-49a4-bcb7-94406395661e