Azure secure score admin MFA
Id | 9a15c3dd-f72b-49a4-bcb7-94406395661e |
Rulename | Azure secure score admin MFA |
Description | This query searches for requiring multi-factor authentication (MFA) for all administrative roles makes it harder for attackers to access accounts. Administrative roles have higher permissions than typical users. If any of those accounts are compromised, critical devices and data is open to attack. |
Severity | High |
Tactics | Impact |
Techniques | T1529 T1498 |
Required data connectors | SenservaPro |
Kind | Scheduled |
Query frequency | 6h |
Query period | 6h |
Trigger threshold | 0 |
Trigger operator | gt |
Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SenservaPro/Analytic Rules/AdminMFA.yaml |
Version | 1.0.0 |
Arm template | 9a15c3dd-f72b-49a4-bcb7-94406395661e.json |
SenservaPro_CL
| where ControlName_s == 'AzureSecureScoreAdminMFAV2'
triggerOperator: gt
id: 9a15c3dd-f72b-49a4-bcb7-94406395661e
queryFrequency: 6h
entityMappings:
- entityType: Account
fieldMappings:
- columnName: ControlName_s
identifier: Name
- columnName: TenantId
identifier: AadTenantId
- columnName: TenantDisplayName_s
identifier: DisplayName
- entityType: SecurityGroup
fieldMappings:
- columnName: Group_s
identifier: DistinguishedName
- entityType: AzureResource
fieldMappings:
- columnName: SourceSystem
identifier: ResourceId
requiredDataConnectors:
- dataTypes:
- SenservaPro_CL
connectorId: SenservaPro
severity: High
triggerThreshold: 0
kind: Scheduled
status: Available
queryPeriod: 6h
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SenservaPro/Analytic Rules/AdminMFA.yaml
query: |
SenservaPro_CL
| where ControlName_s == 'AzureSecureScoreAdminMFAV2'
description: |
'This query searches for requiring multi-factor authentication (MFA) for all administrative roles makes it harder
for attackers to access accounts. Administrative roles have higher permissions than typical users.
If any of those accounts are compromised, critical devices and data is open to attack.'
name: Azure secure score admin MFA
relevantTechniques:
- T1529
- T1498
tactics:
- Impact
version: 1.0.0
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/9a15c3dd-f72b-49a4-bcb7-94406395661e')]",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/9a15c3dd-f72b-49a4-bcb7-94406395661e')]",
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
"kind": "Scheduled",
"apiVersion": "2022-11-01",
"properties": {
"displayName": "Azure secure score admin MFA",
"description": "'This query searches for requiring multi-factor authentication (MFA) for all administrative roles makes it harder\n for attackers to access accounts. Administrative roles have higher permissions than typical users.\n If any of those accounts are compromised, critical devices and data is open to attack.'\n",
"severity": "High",
"enabled": true,
"query": "SenservaPro_CL\n| where ControlName_s == 'AzureSecureScoreAdminMFAV2'\n",
"queryFrequency": "PT6H",
"queryPeriod": "PT6H",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0,
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"Impact"
],
"techniques": [
"T1529",
"T1498"
],
"alertRuleTemplateName": "9a15c3dd-f72b-49a4-bcb7-94406395661e",
"customDetails": null,
"entityMappings": [
{
"fieldMappings": [
{
"identifier": "Name",
"columnName": "ControlName_s"
},
{
"identifier": "AadTenantId",
"columnName": "TenantId"
},
{
"identifier": "DisplayName",
"columnName": "TenantDisplayName_s"
}
],
"entityType": "Account"
},
{
"fieldMappings": [
{
"identifier": "DistinguishedName",
"columnName": "Group_s"
}
],
"entityType": "SecurityGroup"
},
{
"fieldMappings": [
{
"identifier": "ResourceId",
"columnName": "SourceSystem"
}
],
"entityType": "AzureResource"
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SenservaPro/Analytic Rules/AdminMFA.yaml",
"templateVersion": "1.0.0",
"status": "Available"
}
}
]
}