This repository has been archived by the owner on Apr 3, 2024. It is now read-only.
IdentityProtection.json
367 lines (367 loc) · 13.9 KB
{
  "name": "Azure AD Identity Protection",
  "versions": {
    "attack": "8",
    "navigator": "4.2",
    "layer": "4.2"
  },
  "domain": "enterprise-attack",
  "description": "Identity Protection is a tool that allows organizations to accomplish three key tasks:\nAutomate the detection and remediation of identity-based risks.\nInvestigate risks using data in the portal.\nExport risk detection data to third-party utilities for further analysis.\n",
  "filters": {
    "platforms": [
      "Linux",
      "macOS",
      "Windows",
      "Office 365",
      "Azure AD",
      "AWS",
      "GCP",
      "Azure",
      "SaaS",
      "PRE",
      "Network"
    ]
  },
  "sorting": 0,
  "layout": {
    "layout": "side",
    "showID": false,
    "showName": true,
    "showAggregateScores": false,
    "countUnscored": false,
    "aggregateFunction": "average"
  },
  "hideDisabled": false,
  "techniques": [
    {
      "techniqueID": "T1078",
      "enabled": true,
      "showSubtechniques": false,
      "metadata": [
        {
          "name": "category",
          "value": "Detect"
        },
        {
          "name": "value",
          "value": "Partial"
        },
        {
          "name": "comment",
          "value": "This control provides partial detection for some of this technique's sub-techniques and procedure examples resulting in an overall Partial detection score."
        },
        {
          "divider": true
        },
        {
          "name": "category",
          "value": "Respond"
        },
        {
          "name": "value",
          "value": "Partial"
        },
        {
          "name": "comment",
          "value": "This control provides a response capability that accompanies its detection capability that can contain and eradicate the impact of this technique. Because this capability varies between containment (federated accounts) and eradication (cloud accounts) and is only able to respond to some of this technique's sub-techniques, it has been scored as Partial."
        }
      ],
      "color": "#9305ff",
      "score_num": 50,
      "score_display": "Partial",
      "category": "Mixed"
    },
    {
      "techniqueID": "T1078.004",
      "enabled": true,
      "showSubtechniques": false,
      "metadata": [
        {
          "name": "category",
          "value": "Detect"
        },
        {
          "name": "value",
          "value": "Partial"
        },
        {
          "name": "comment",
          "value": "This control provides risk detections that can be used to detect suspicious uses of valid accounts, e.g.: Anonymous IP address, Atypical travel, Malware linked IP address, Unfamiliar sign-in properties, etc. Microsoft utilizes machine learning and heuristic systems to reduce the false positive rate but there will be false positives.\nThe temporal factor of this control's detection is low because although there are some real-time detections most are offline detections (multi-day)."
        },
        {
          "divider": true
        },
        {
          "name": "category",
          "value": "Respond"
        },
        {
          "name": "value",
          "value": "Significant"
        },
        {
          "name": "comment",
          "value": "Response Type: Eradication\nSupports blocking and resetting the user's credentials based on the detection of a risky user/sign-in manually and also supports automation via its user and sign-in risk policies."
        }
      ],
      "color": "#5c00a3",
      "score_num": 100,
      "score_display": "Significant",
      "category": "Mixed"
    },
    {
      "techniqueID": "T1078.002",
      "enabled": true,
      "showSubtechniques": false,
      "metadata": [
        {
          "name": "category",
          "value": "Detect"
        },
        {
          "name": "value",
          "value": "Partial"
        },
        {
          "name": "comment",
          "value": "When Azure Active Directory (AAD) Federation is configured for a tenant, an adversary that compromises a domain credential can use it to access (Azure) cloud resources. Identity Protection supports applying its risk detections (e.g.: Anonymous IP address, Atypical travel, Malware linked IP address, Unfamiliar sign-in properties, etc.) to federated identities thereby providing detection mitigation for this risk. Because this detection is specific to an adversary utilizing valid domain credentials to access cloud resources and does not mitigate the usage of valid domain credentials to access on-premise resources, this detection has been scored as Partial.\n\nThe temporal factor of this control's detection is low because although there are some real-time detections most are offline detections (multi-day)."
        },
        {
          "divider": true
        },
        {
          "name": "category",
          "value": "Respond"
        },
        {
          "name": "value",
          "value": "Partial"
        },
        {
          "name": "comment",
          "value": "Response Type: Containment\nSupports risk detection responses such as blocking a user's access and enforcing MFA. These responses contain the impact of this sub-technique but do not eradicate it (by forcing a password reset)."
        }
      ],
      "color": "#9305ff",
      "score_num": 50,
      "score_display": "Partial",
      "category": "Mixed"
    },
    {
      "techniqueID": "T1606",
      "enabled": true,
      "showSubtechniques": false,
      "metadata": [
        {
          "name": "category",
          "value": "Detect"
        },
        {
          "name": "value",
          "value": "Partial"
        },
        {
          "name": "comment",
          "value": "This control can be effective at detecting forged web credentials because it uses environmental properties (e.g. IP address, device info, etc.) to detect risky users and sign-ins even when valid credentials are utilized. It provides partial coverage of this technique's sub-techniques and therefore has been assessed a Partial score."
        },
        {
          "divider": true
        },
        {
          "name": "category",
          "value": "Respond"
        },
        {
          "name": "value",
          "value": "Partial"
        },
        {
          "name": "comment",
          "value": "Provides Significant response capabilities for one of this technique's sub-techniques (SAML tokens)."
        }
      ],
      "color": "#9305ff",
      "score_num": 50,
      "score_display": "Partial",
      "category": "Mixed"
    },
    {
      "techniqueID": "T1606.002",
      "enabled": true,
      "showSubtechniques": false,
      "metadata": [
        {
          "name": "category",
          "value": "Detect"
        },
        {
          "name": "value",
          "value": "Partial"
        },
        {
          "name": "comment",
          "value": "This control supports detecting risky sign-ins and users that involve federated users and therefore can potentially alert on this activity. Not all alert types for this control support federated accounts therefore the detection coverage for this technique is partial."
        },
        {
          "divider": true
        },
        {
          "name": "category",
          "value": "Respond"
        },
        {
          "name": "value",
          "value": "Significant"
        },
        {
          "name": "comment",
          "value": "Response Type: Eradication\nSupports blocking and resetting the user's credentials based on the detection of a risky user/sign-in manually and also supports automation via its user and sign-in risk policies."
        }
      ],
      "color": "#5c00a3",
      "score_num": 100,
      "score_display": "Significant",
      "category": "Mixed"
    },
    {
      "techniqueID": "T1110",
      "enabled": true,
      "showSubtechniques": false,
      "metadata": [
        {
          "name": "category",
          "value": "Detect"
        },
        {
          "name": "value",
          "value": "Minimal"
        },
        {
          "name": "comment",
          "value": "This control provides Minimal detection for one of this technique's sub-techniques while not providing any detection for the remaining, resulting in a Minimal score."
        },
        {
          "divider": true
        },
        {
          "name": "category",
          "value": "Respond"
        },
        {
          "name": "value",
          "value": "Minimal"
        },
        {
          "name": "comment",
          "value": "Provides significant response capabilities for one of this technique's sub-techniques (Password Spray). Due to this capability being specific to one of its sub-techniques and not its remaining sub-techniques, the coverage score is Minimal resulting in an overall Minimal score."
        }
      ],
      "color": "#bf6bff",
      "score_num": 10,
      "score_display": "Minimal",
      "category": "Mixed"
    },
    {
      "techniqueID": "T1110.003",
      "enabled": true,
      "showSubtechniques": false,
      "metadata": [
        {
          "name": "category",
          "value": "Detect"
        },
        {
          "name": "value",
          "value": "Partial"
        },
        {
          "name": "comment",
          "value": "This control specifically provides detection of Password Spray attacks for Azure Active Directory accounts. Microsoft documentation states that this detection is based on a machine learning algorithm that has been improved with the latest improvement yielding a 100 percent increase in recall and 98 percent precision. The temporal factor for this detection is Partial as its detection is described as offline (i.e. detections may not show up in reporting for two to twenty-four hours)."
        },
        {
          "divider": true
        },
        {
          "name": "category",
          "value": "Respond"
        },
        {
          "name": "value",
          "value": "Significant"
        },
        {
          "name": "comment",
          "value": "Response Type: Eradication\nSupports blocking and resetting the user's credentials based on the detection of a risky user/sign-in (such as Password Spray attack) manually and also supports automation via its user and sign-in risk policies."
        }
      ],
      "color": "#5c00a3",
      "score_num": 100,
      "score_display": "Significant",
      "category": "Mixed"
    }
  ],
  "gradient": {
    "colors": [
      "#ff6666",
      "#ffe766",
      "#8ec843"
    ],
    "minValue": 0,
    "maxValue": 100
  },
  "legendItems": [
    {
      "label": "Protect - Minimal",
      "color": "#9CBA7F"
    },
    {
      "label": "Protect - Partial",
      "color": "#659D32"
    },
    {
      "label": "Protect - Significant",
      "color": "#7FFF00"
    },
    {
      "label": "Detect - Minimal",
      "color": "#AEEEEE"
    },
    {
      "label": "Detect - Partial",
      "color": "#5F9F9F"
    },
    {
      "label": "Detect - Significant",
      "color": "#00FFFF"
    },
    {
      "label": "Respond - Minimal",
      "color": "#ff6b6b"
    },
    {
      "label": "Respond - Partial",
      "color": "#ff0505"
    },
    {
      "label": "Respond - Significant",
      "color": "#b80000"
    },
    {
      "label": "Mixed - Minimal",
      "color": "#bf6bff"
    },
    {
      "label": "Mixed - Partial",
      "color": "#9305ff"
    },
    {
      "label": "Mixed - Significant",
      "color": "#5c00a3"
    }
  ],
  "metadata": [],
  "showTacticRowBackground": false,
  "tacticRowBackground": "#dddddd",
  "selectTechniquesAcrossTactics": true,
  "selectSubtechniquesWithParent": false
}