Azure secure score admin MFA
Id | 9a15c3dd-f72b-49a4-bcb7-94406395661e |
Rulename | Azure secure score admin MFA |
Description | This query searches for requiring multi-factor authentication (MFA) for all administrative roles makes it harder for attackers to access accounts. Administrative roles have higher permissions than typical users. If any of those accounts are compromised, critical devices and data is open to attack. |
Severity | High |
Tactics | Impact |
Techniques | T1529 T1498 |
Required data connectors | SenservaPro |
Kind | Scheduled |
Query frequency | 6h |
Query period | 6h |
Trigger threshold | 0 |
Trigger operator | gt |
Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SenservaPro/Analytic Rules/AdminMFA.yaml |
Version | 1.0.1 |
Arm template | 9a15c3dd-f72b-49a4-bcb7-94406395661e.json |
SenservaPro_CL
| where ControlName_s == 'AzureSecureScoreAdminMFAV2'
queryPeriod: 6h
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SenservaPro/Analytic Rules/AdminMFA.yaml
requiredDataConnectors:
- connectorId: SenservaPro
dataTypes:
- SenservaPro_CL
severity: High
id: 9a15c3dd-f72b-49a4-bcb7-94406395661e
name: Azure secure score admin MFA
description: |
'This query searches for requiring multi-factor authentication (MFA) for all administrative roles makes it harder for attackers to access accounts. Administrative roles have higher permissions than typical users. If any of those accounts are compromised, critical devices and data is open to attack.'
queryFrequency: 6h
triggerThreshold: 0
status: Available
triggerOperator: gt
tactics:
- Impact
kind: Scheduled
version: 1.0.1
query: |
SenservaPro_CL
| where ControlName_s == 'AzureSecureScoreAdminMFAV2'
entityMappings:
- fieldMappings:
- identifier: Name
columnName: ControlName_s
- identifier: AadTenantId
columnName: TenantId
- identifier: DisplayName
columnName: TenantDisplayName_s
entityType: Account
- fieldMappings:
- identifier: DistinguishedName
columnName: Group_s
entityType: SecurityGroup
- fieldMappings:
- identifier: ResourceId
columnName: SourceSystem
entityType: AzureResource
relevantTechniques:
- T1529
- T1498
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/9a15c3dd-f72b-49a4-bcb7-94406395661e')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/9a15c3dd-f72b-49a4-bcb7-94406395661e')]",
"properties": {
"alertRuleTemplateName": "9a15c3dd-f72b-49a4-bcb7-94406395661e",
"customDetails": null,
"description": "'This query searches for requiring multi-factor authentication (MFA) for all administrative roles makes it harder for attackers to access accounts. Administrative roles have higher permissions than typical users. If any of those accounts are compromised, critical devices and data is open to attack.'\n",
"displayName": "Azure secure score admin MFA",
"enabled": true,
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "ControlName_s",
"identifier": "Name"
},
{
"columnName": "TenantId",
"identifier": "AadTenantId"
},
{
"columnName": "TenantDisplayName_s",
"identifier": "DisplayName"
}
]
},
{
"entityType": "SecurityGroup",
"fieldMappings": [
{
"columnName": "Group_s",
"identifier": "DistinguishedName"
}
]
},
{
"entityType": "AzureResource",
"fieldMappings": [
{
"columnName": "SourceSystem",
"identifier": "ResourceId"
}
]
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SenservaPro/Analytic Rules/AdminMFA.yaml",
"query": "SenservaPro_CL\n| where ControlName_s == 'AzureSecureScoreAdminMFAV2'\n",
"queryFrequency": "PT6H",
"queryPeriod": "PT6H",
"severity": "High",
"status": "Available",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"Impact"
],
"techniques": [
"T1498",
"T1529"
],
"templateVersion": "1.0.1",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}