Azure secure score block legacy authentication
Id | C27BB559-28C5-4924-A7DA-3BF04CD02C8F |
Rulename | Azure secure score block legacy authentication |
Description | This query searches for most compromising sign-in attempts come from legacy authentication. Older office clients such as Office 2010 do not support modern authentication and use legacy protocols such as IMAP, SMTP, and POP3. Legacy authentication does not support multi-factor authentication (MFA). Even if an MFA policy is configured in your environment, bad actors can bypass these enforcements through legacy protocols. |
Severity | High |
Tactics | CredentialAccess |
Techniques | T1212 T1556 |
Required data connectors | SenservaPro |
Kind | Scheduled |
Query frequency | 6h |
Query period | 6h |
Trigger threshold | 0 |
Trigger operator | gt |
Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SenservaPro/Analytic Rules/BlockLegacyAuthentication.yaml |
Version | 1.0.1 |
Arm template | C27BB559-28C5-4924-A7DA-3BF04CD02C8F.json |
SenservaPro_CL
| where ControlName_s == 'AzureSecureScoreBlockLegacyAuthentication'
queryFrequency: 6h
query: |
SenservaPro_CL
| where ControlName_s == 'AzureSecureScoreBlockLegacyAuthentication'
description: |
'This query searches for most compromising sign-in attempts come from legacy authentication.
Older office clients such as Office 2010 do not support modern authentication and use legacy protocols such as IMAP, SMTP, and POP3.
Legacy authentication does not support multi-factor authentication (MFA).
Even if an MFA policy is configured in your environment, bad actors can bypass these enforcements through legacy protocols.'
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: ControlName_s
- identifier: AadTenantId
columnName: TenantId
- identifier: DisplayName
columnName: TenantDisplayName_s
- entityType: SecurityGroup
fieldMappings:
- identifier: DistinguishedName
columnName: Group_s
- entityType: AzureResource
fieldMappings:
- identifier: ResourceId
columnName: SourceSystem
severity: High
queryPeriod: 6h
kind: Scheduled
version: 1.0.1
triggerOperator: gt
requiredDataConnectors:
- dataTypes:
- SenservaPro_CL
connectorId: SenservaPro
name: Azure secure score block legacy authentication
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SenservaPro/Analytic Rules/BlockLegacyAuthentication.yaml
id: C27BB559-28C5-4924-A7DA-3BF04CD02C8F
relevantTechniques:
- T1212
- T1556
status: Available
tactics:
- CredentialAccess
triggerThreshold: 0
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/C27BB559-28C5-4924-A7DA-3BF04CD02C8F')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/C27BB559-28C5-4924-A7DA-3BF04CD02C8F')]",
"properties": {
"alertRuleTemplateName": "C27BB559-28C5-4924-A7DA-3BF04CD02C8F",
"customDetails": null,
"description": "'This query searches for most compromising sign-in attempts come from legacy authentication. \n Older office clients such as Office 2010 do not support modern authentication and use legacy protocols such as IMAP, SMTP, and POP3. \n Legacy authentication does not support multi-factor authentication (MFA).\n Even if an MFA policy is configured in your environment, bad actors can bypass these enforcements through legacy protocols.'\n",
"displayName": "Azure secure score block legacy authentication",
"enabled": true,
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "ControlName_s",
"identifier": "Name"
},
{
"columnName": "TenantId",
"identifier": "AadTenantId"
},
{
"columnName": "TenantDisplayName_s",
"identifier": "DisplayName"
}
]
},
{
"entityType": "SecurityGroup",
"fieldMappings": [
{
"columnName": "Group_s",
"identifier": "DistinguishedName"
}
]
},
{
"entityType": "AzureResource",
"fieldMappings": [
{
"columnName": "SourceSystem",
"identifier": "ResourceId"
}
]
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SenservaPro/Analytic Rules/BlockLegacyAuthentication.yaml",
"query": "SenservaPro_CL\n| where ControlName_s == 'AzureSecureScoreBlockLegacyAuthentication'\n",
"queryFrequency": "PT6H",
"queryPeriod": "PT6H",
"severity": "High",
"status": "Available",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"CredentialAccess"
],
"techniques": [
"T1212",
"T1556"
],
"templateVersion": "1.0.1",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}