Commit b4ac7a5

Merge pull request #2212 from MicrosoftDocs/DebLanger-patch-3
Update predefined-classification-rules-and-levels.md
2 parents 2c9e391 + a1039d4 commit b4ac7a5

1 file changed: +5 -5 lines changed

exposure-management/predefined-classification-rules-and-levels.md

Lines changed: 5 additions & 5 deletions
@@ -30,12 +30,12 @@ Current asset types are:
3030

3131
| Classification | Asset type | Default criticality level | Description |
3232
| -------------------------- | ---------- | ------------------------- | ------------------------------------------------------------ |
33-
| Microsoft Entra ID Connect | Device | Medium | The Microsoft Entra ID Connect (formerly known as AAD Connect) server is responsible for syncing on-premises directory data and passwords to the Microsoft Entra ID tenant. |
34-
| ADCS | Device | Medium | ADCS server allows administrators to fully implement a public key infrastructure (PKI) and issue digital certificates that can be used to secure multiple resources on a network. Moreover, ADCS can be used for various security solutions, such as SSL encryption, user authentication, and secure email. |
33+
| Microsoft Entra ID Connect | Device | High | The Microsoft Entra ID Connect (formerly known as AAD Connect) server is responsible for syncing on-premises directory data and passwords to the Microsoft Entra ID tenant. |
34+
| ADCS | Device | High | ADCS server allows administrators to fully implement a public key infrastructure (PKI) and issue digital certificates that can be used to secure multiple resources on a network. Moreover, ADCS can be used for various security solutions, such as SSL encryption, user authentication, and secure email. |
3535
| ADFS | Device | High | ADFS server provides users with single sign-on access to systems and applications located across organizational boundaries. It uses a claims-based access control authorization model to maintain application security and implement federated identity. |
3636
| Backup | Device | Medium | Backup server is responsible for safeguarding data through regular backups, ensuring data protection and disaster recovery readiness. |
3737
| Domain Admin Device | Device | High | Domain admin devices are devices that one or more of the domain admins are frequently logged into. These devices are likely to store related files, documents, and credentials used by the domain admins. _Note: We apply a logic to identify devices belonging to an admin based on multiple factors, including the frequent usage of administrative tools._|
38-
| Domain Controller | Device | High | Domain controller server is responsible for user authentication, authorization, and centralized management of network resources within an active directory domain. |
38+
| Domain Controller | Device | Very High | Domain controller server is responsible for user authentication, authorization, and centralized management of network resources within an active directory domain. |
3939
| DNS | Device | Low | The DNS server is essential for resolving domain names to IP addresses, enabling network communication and access to resources both internally and externally. |
4040
| Exchange | Device | Medium | Exchange server is responsible for all the mail traffic within the organization. Depending on the setup and architecture, each server might hold several mail databases that store highly sensitive organizational information. |
4141
| IT Admin Device | Device | Medium | Critical devices used to configure, manage, and monitor the assets within the organization are vital for IT administration and are at high risk of cyber threats. They require top-level security to prevent unauthorized access. _Note: We apply a logic to identify devices belonging to an admin based on multiple factors, including the frequent usage of administrative tools._ |
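Review bot: the Domain Controller default moves from High to Very High while the adjacent Domain Admin Device row, whose own description says those devices are "likely to store related files, documents, and credentials used by the domain admins", stays at High; readers will compare the two rows, so it is worth confirming the difference is intended. Since this hunk also raises Microsoft Entra ID Connect and ADCS from Medium to High, a one-line note on the page that these default criticality levels were revised would help anyone who relied on the earlier values.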
@@ -48,7 +48,7 @@ Current asset types are:
4848

4949
| Classification | Asset type | Default criticality level | Description |
5050
| --------------------------------------------- | ---------- | ------------------------- | ------------------------------------------------------------ |
51-
| Identity with Privileged Azure Role | Identity | High | The following identities (User, Group, Service Principal, or Managed Identity) have an assigned built-in or custom privileged Azure RBAC role, at subscription scope, containing a critical resource. The role can include permissions for Azure role assignments, modifying Azure policies, executing scripts on a VM using Run command, read-access to storage accounts and keyvaults, and more. |
51+
| Identity with Privileged Role | Identity | High | The following identities (User, Group, Service Principal, or Managed Identity) have an assigned built-in or custom privileged Azure RBAC role, at subscription scope, containing a critical resource. The role can include permissions for Azure role assignments, modifying Azure policies, executing scripts on a VM using Run command, read-access to storage accounts and keyvaults, and more. |
5252
| Application Administrator | Identity | Very High | Identities in this role can create and manage all aspects of enterprise applications, application registrations, and application proxy settings. |
5353
| Application Developer | Identity | High | Identities in this role can create application registrations independent of the 'Users can register applications' setting. |
5454
| Authentication Administrator | Identity | Very High | Identities in this role can set and reset authentication method (including passwords) for non-admin users. |
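Review bot: the rename from "Identity with Privileged Azure Role" to "Identity with Privileged Role" drops "Azure" from the classification name, but the description in the same row still reads "have an assigned built-in or custom privileged Azure RBAC role, at subscription scope", so the name is now broader than what the row describes. Either keep the narrower name or widen the description to match the new scope, and if the rule now covers roles outside Azure RBAC, say which.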
@@ -109,4 +109,4 @@ Current asset types are:
109109
| Immutable Azure Storage | Cloud resource | Medium | This rule applies to Azure storage accounts that have immutability support enabled. Immutability stores business data in a write once read many (WORM) state, and usually indicates that the storage account holds critical or sensitive data that must be protected from modification. |
110110
| Immutable and Locked Azure Storage | Cloud resource | High | This rule applies to Azure storage accounts that have immutability support enabled with a locked policy. Immutability stores business data in a write once read many (WORM). Data protection is increased with a locked policy to ensure that data can’t be deleted or its retention time shortened. These settings usually indicate that the storage account holds critical or sensitive data that must be protected from modification or deletion. Data might also need to align with compliance policies for data protection. |
111111
| Azure Virtual Machine with a Critical User Signed In | Cloud resource | High | This rule applies to virtual machines protected by Defender for Endpoint, where a user with a high or very high criticality level is signed in. The signed-in user can be through a joined or registered device, an active browser session, or other means. |
112-
| Azure Key Vaults with Many Connected Identities | Cloud resource | High | This rule identifies Key Vaults that can be accessed by a large number of identities, compared to other Key Vaults. This often indicates that the Key Vault is used by critical workloads, such as production services. |
112+
| Key Vaults with Many Connected Identities | Cloud resource | High | This rule identifies Key Vaults that can be accessed by a large number of identities, compared to other Key Vaults. This often indicates that the Key Vault is used by critical workloads, such as production services. |
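Review bot: dropping "Azure" from "Azure Key Vaults with Many Connected Identities" matches the identity-table rename in this same change, but the neighbouring rows keep the prefix ("Immutable Azure Storage", "Azure Virtual Machine with a Critical User Signed In"), so the table now mixes both naming styles. If the goal is to match the rule names shown in the product, a quick check that all three rows use the same convention would avoid a follow-up edit.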
