Azure secure score admin MFA
Id | 9a15c3dd-f72b-49a4-bcb7-94406395661e |
Rulename | Azure secure score admin MFA |
Description | This query searches for requiring multi-factor authentication (MFA) for all administrative roles makes it harder for attackers to access accounts. Administrative roles have higher permissions than typical users. If any of those accounts are compromised, critical devices and data is open to attack. |
Severity | High |
Tactics | Impact |
Techniques | T1529 T1498 |
Required data connectors | SenservaPro |
Kind | Scheduled |
Query frequency | 6h |
Query period | 6h |
Trigger threshold | 0 |
Trigger operator | gt |
Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SenservaPro/Analytic Rules/AdminMFA.yaml |
Version | 1.0.1 |
Arm template | 9a15c3dd-f72b-49a4-bcb7-94406395661e.json |
SenservaPro_CL
| where ControlName_s == 'AzureSecureScoreAdminMFAV2'
description: |
'This query searches for requiring multi-factor authentication (MFA) for all administrative roles makes it harder for attackers to access accounts. Administrative roles have higher permissions than typical users. If any of those accounts are compromised, critical devices and data is open to attack.'
triggerOperator: gt
requiredDataConnectors:
- dataTypes:
- SenservaPro_CL
connectorId: SenservaPro
query: |
SenservaPro_CL
| where ControlName_s == 'AzureSecureScoreAdminMFAV2'
name: Azure secure score admin MFA
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: ControlName_s
- identifier: AadTenantId
columnName: TenantId
- identifier: DisplayName
columnName: TenantDisplayName_s
- entityType: SecurityGroup
fieldMappings:
- identifier: DistinguishedName
columnName: Group_s
- entityType: AzureResource
fieldMappings:
- identifier: ResourceId
columnName: SourceSystem
kind: Scheduled
severity: High
relevantTechniques:
- T1529
- T1498
tactics:
- Impact
queryFrequency: 6h
version: 1.0.1
queryPeriod: 6h
triggerThreshold: 0
status: Available
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SenservaPro/Analytic Rules/AdminMFA.yaml
id: 9a15c3dd-f72b-49a4-bcb7-94406395661e
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/9a15c3dd-f72b-49a4-bcb7-94406395661e')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/9a15c3dd-f72b-49a4-bcb7-94406395661e')]",
"properties": {
"alertRuleTemplateName": "9a15c3dd-f72b-49a4-bcb7-94406395661e",
"customDetails": null,
"description": "'This query searches for requiring multi-factor authentication (MFA) for all administrative roles makes it harder for attackers to access accounts. Administrative roles have higher permissions than typical users. If any of those accounts are compromised, critical devices and data is open to attack.'\n",
"displayName": "Azure secure score admin MFA",
"enabled": true,
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "ControlName_s",
"identifier": "Name"
},
{
"columnName": "TenantId",
"identifier": "AadTenantId"
},
{
"columnName": "TenantDisplayName_s",
"identifier": "DisplayName"
}
]
},
{
"entityType": "SecurityGroup",
"fieldMappings": [
{
"columnName": "Group_s",
"identifier": "DistinguishedName"
}
]
},
{
"entityType": "AzureResource",
"fieldMappings": [
{
"columnName": "SourceSystem",
"identifier": "ResourceId"
}
]
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SenservaPro/Analytic Rules/AdminMFA.yaml",
"query": "SenservaPro_CL\n| where ControlName_s == 'AzureSecureScoreAdminMFAV2'\n",
"queryFrequency": "PT6H",
"queryPeriod": "PT6H",
"severity": "High",
"status": "Available",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"Impact"
],
"techniques": [
"T1498",
"T1529"
],
"templateVersion": "1.0.1",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}