diff --git a/compliance/controls/aws/aws_sso_users_with_permission_assignments_are_required_to_have_MFA_on_AzureAD.yaml b/compliance/controls/aws/aws_sso_users_with_permission_assignments_are_required_to_have_MFA_on_AzureAD.yaml index 37b02a060..0a45c29bc 100644 --- a/compliance/controls/aws/aws_sso_users_with_permission_assignments_are_required_to_have_MFA_on_AzureAD.yaml +++ b/compliance/controls/aws/aws_sso_users_with_permission_assignments_are_required_to_have_MFA_on_AzureAD.yaml @@ -8,7 +8,7 @@ Query: ListOfTables: - aws_identitystore_user - aws_ssoadmin_account_assignment - - azuread_user_registration_details + - entraid_user_registration_details Parameters: [] PrimaryTable: aws_identitystore_user QueryToExecute: | @@ -27,7 +27,7 @@ Query: FROM (aws_identitystore_user CROSS JOIN jsonb_array_elements(external_ids) AS external_id) iden - INNER JOIN azuread_user_registration_details az + INNER JOIN entraid_user_registration_details az ON az.id = value ->> 'Id' WHERE EXISTS ( diff --git a/compliance/controls/azure/azure_ad_guest_user_reviewed_monthly.yaml b/compliance/controls/azure/azure_ad_guest_user_reviewed_monthly.yaml index 5fc2607c4..2ce100862 100644 --- a/compliance/controls/azure/azure_ad_guest_user_reviewed_monthly.yaml +++ b/compliance/controls/azure/azure_ad_guest_user_reviewed_monthly.yaml @@ -6,9 +6,9 @@ Query: Engine: CloudQL-v0.0.1 ListOfTables: - azure_tenant - - azuread_user + - entraid_user Parameters: [] - PrimaryTable: azuread_user + PrimaryTable: entraid_user QueryToExecute: | SELECT u.display_name AS resource, @@ -25,7 +25,7 @@ Query: END AS reason, t.tenant_id FROM - azuread_user AS u + entraid_user AS u LEFT JOIN azure_tenant AS t ON t.tenant_id = u.tenant_id WHERE diff --git a/compliance/controls/azure/azure_cis_v130_1_3.yaml b/compliance/controls/azure/azure_cis_v130_1_3.yaml index 719b9648c..45e250d20 100644 --- a/compliance/controls/azure/azure_cis_v130_1_3.yaml +++ b/compliance/controls/azure/azure_cis_v130_1_3.yaml 
@@ -6,9 +6,9 @@ Query: Engine: CloudQL-v0.0.1 ListOfTables: - azure_tenant - - azuread_user + - entraid_user Parameters: [] - PrimaryTable: azuread_user + PrimaryTable: entraid_user QueryToExecute: | WITH distinct_tenant AS ( SELECT @@ -33,7 +33,7 @@ Query: END AS reason, t.tenant_id FROM - azuread_user AS u + entraid_user AS u LEFT JOIN distinct_tenant AS t ON t.tenant_id = u.tenant_id WHERE u.user_type = 'Guest'; diff --git a/compliance/controls/azure/azure_cis_v140_1_3.yaml b/compliance/controls/azure/azure_cis_v140_1_3.yaml index 6f558780b..164bf7d83 100644 --- a/compliance/controls/azure/azure_cis_v140_1_3.yaml +++ b/compliance/controls/azure/azure_cis_v140_1_3.yaml @@ -6,9 +6,9 @@ Query: Engine: CloudQL-v0.0.1 ListOfTables: - azure_tenant - - azuread_user + - entraid_user Parameters: [] - PrimaryTable: azuread_user + PrimaryTable: entraid_user QueryToExecute: | WITH distinct_tenant AS ( SELECT DISTINCT @@ -33,7 +33,7 @@ Query: END AS reason, t.tenant_id FROM - azuread_user AS u + entraid_user AS u LEFT JOIN distinct_tenant AS t ON t.tenant_id = u.tenant_id WHERE u.user_type = 'Guest'; diff --git a/compliance/controls/azure/azure_cis_v150_1_14.yaml b/compliance/controls/azure/azure_cis_v150_1_14.yaml index 58d85534c..7bd40ee66 100644 --- a/compliance/controls/azure/azure_cis_v150_1_14.yaml +++ b/compliance/controls/azure/azure_cis_v150_1_14.yaml @@ -6,9 +6,9 @@ Query: Engine: CloudQL-v0.0.1 ListOfTables: - azure_tenant - - azuread_authorization_policy + - entraid_authorization_policy Parameters: [] - PrimaryTable: azuread_authorization_policy + PrimaryTable: entraid_authorization_policy QueryToExecute: | WITH distinct_tenant AS ( SELECT @@ -33,7 +33,7 @@ Query: t.tenant_id FROM distinct_tenant AS t, - azuread_authorization_policy AS a; + entraid_authorization_policy AS a; Severity: low Tags: {} Title: 1.14 Ensure That ‘Users Can Register Applications’ Is Set to ‘No’ \ No newline at end of file 
diff --git a/compliance/controls/azure/azure_cis_v150_1_19.yaml b/compliance/controls/azure/azure_cis_v150_1_19.yaml index 899ec4279..4fe083071 100644 --- a/compliance/controls/azure/azure_cis_v150_1_19.yaml +++ b/compliance/controls/azure/azure_cis_v150_1_19.yaml @@ -6,9 +6,9 @@ Query: Engine: CloudQL-v0.0.1 ListOfTables: - azure_tenant - - azuread_authorization_policy + - entraid_authorization_policy Parameters: [] - PrimaryTable: azuread_authorization_policy + PrimaryTable: entraid_authorization_policy QueryToExecute: | WITH distinct_tenant AS ( SELECT @@ -33,7 +33,7 @@ Query: t.tenant_id FROM distinct_tenant AS t, - azuread_authorization_policy AS a; + entraid_authorization_policy AS a; Severity: low Tags: {} Title: 1.19 Ensure that 'Users can create security groups in Azure portals, API or PowerShell' is set to 'No' \ No newline at end of file diff --git a/compliance/controls/azure/azure_cis_v150_1_2_6.yaml b/compliance/controls/azure/azure_cis_v150_1_2_6.yaml index 6a7579ce3..e12f12ffb 100644 --- a/compliance/controls/azure/azure_cis_v150_1_2_6.yaml +++ b/compliance/controls/azure/azure_cis_v150_1_2_6.yaml @@ -6,9 +6,9 @@ Query: Engine: CloudQL-v0.0.1 ListOfTables: - azure_tenant - - azuread_conditional_access_policy + - entraid_conditional_access_policy Parameters: [] - PrimaryTable: azuread_conditional_access_policy + PrimaryTable: entraid_conditional_access_policy QueryToExecute: | WITH distinct_tenant AS ( SELECT @@ -33,7 +33,7 @@ Query: t.tenant_id FROM distinct_tenant AS t, - azuread_conditional_access_policy AS p; + entraid_conditional_access_policy AS p; Severity: low Tags: {} Title: 1.2.6 Ensure Multi-factor Authentication is Required for Azure Management \ No newline at end of file diff --git a/compliance/controls/azure/azure_cis_v150_1_4.yaml b/compliance/controls/azure/azure_cis_v150_1_4.yaml index 945686e14..9816a2597 100644 --- a/compliance/controls/azure/azure_cis_v150_1_4.yaml +++ b/compliance/controls/azure/azure_cis_v150_1_4.yaml 
@@ -5,10 +5,10 @@ IntegrationType: Query: Engine: CloudQL-v0.0.1 ListOfTables: - - azuread_user + - entraid_user - azure_tenant Parameters: [] - PrimaryTable: azuread_user + PrimaryTable: entraid_user QueryToExecute: | WITH distinct_tenant AS ( SELECT @@ -33,7 +33,7 @@ Query: END AS reason, t.tenant_id FROM - azuread_user AS u + entraid_user AS u LEFT JOIN distinct_tenant AS t ON t.tenant_id = u.tenant_id WHERE diff --git a/compliance/controls/azure/azure_cis_v200_1_14.yaml b/compliance/controls/azure/azure_cis_v200_1_14.yaml index d3037d202..f0064e4a0 100644 --- a/compliance/controls/azure/azure_cis_v200_1_14.yaml +++ b/compliance/controls/azure/azure_cis_v200_1_14.yaml @@ -6,9 +6,9 @@ Query: Engine: CloudQL-v0.0.1 ListOfTables: - azure_tenant - - azuread_authorization_policy + - entraid_authorization_policy Parameters: [] - PrimaryTable: azuread_authorization_policy + PrimaryTable: entraid_authorization_policy QueryToExecute: | WITH distinct_tenant AS ( SELECT @@ -33,7 +33,7 @@ Query: t.tenant_id FROM distinct_tenant AS t, - azuread_authorization_policy AS a; + entraid_authorization_policy AS a; Severity: low Tags: {} Title: 1.14 Ensure That 'Users Can Register Applications' Is Set to 'No' \ No newline at end of file diff --git a/compliance/controls/azure/azure_cis_v200_1_19.yaml b/compliance/controls/azure/azure_cis_v200_1_19.yaml index 26edb6ffd..04eba67d2 100644 --- a/compliance/controls/azure/azure_cis_v200_1_19.yaml +++ b/compliance/controls/azure/azure_cis_v200_1_19.yaml @@ -6,9 +6,9 @@ Query: Engine: CloudQL-v0.0.1 ListOfTables: - azure_tenant - - azuread_authorization_policy + - entraid_authorization_policy Parameters: [] - PrimaryTable: azuread_authorization_policy + PrimaryTable: entraid_authorization_policy QueryToExecute: | WITH distinct_tenant AS ( SELECT DISTINCT 
@@ -33,7 +33,7 @@ Query: t.tenant_id FROM distinct_tenant AS t, - azuread_authorization_policy AS a; + entraid_authorization_policy AS a; Severity: low Tags: {} Title: 1.19 Ensure that 'Users can create security groups in Azure portals, API or PowerShell' is set to 'No' \ No newline at end of file diff --git a/compliance/controls/azure/azure_cis_v200_1_2_6.yaml b/compliance/controls/azure/azure_cis_v200_1_2_6.yaml index d115a5c08..37fc09a2e 100644 --- a/compliance/controls/azure/azure_cis_v200_1_2_6.yaml +++ b/compliance/controls/azure/azure_cis_v200_1_2_6.yaml @@ -6,9 +6,9 @@ Query: Engine: CloudQL-v0.0.1 ListOfTables: - azure_tenant - - azuread_conditional_access_policy + - entraid_conditional_access_policy Parameters: [] - PrimaryTable: azuread_conditional_access_policy + PrimaryTable: entraid_conditional_access_policy QueryToExecute: | WITH distinct_tenant AS ( SELECT @@ -33,7 +33,7 @@ Query: t.tenant_id FROM distinct_tenant AS t, - azuread_conditional_access_policy AS p; + entraid_conditional_access_policy AS p; Severity: low Tags: {} Title: 1.2.6 Ensure Multi-factor Authentication is Required for Azure Management \ No newline at end of file diff --git a/compliance/controls/azure/azure_cis_v200_1_5.yaml b/compliance/controls/azure/azure_cis_v200_1_5.yaml index f337fc48a..c7b1c354c 100644 --- a/compliance/controls/azure/azure_cis_v200_1_5.yaml +++ b/compliance/controls/azure/azure_cis_v200_1_5.yaml @@ -6,9 +6,9 @@ Query: Engine: CloudQL-v0.0.1 ListOfTables: - azure_tenant - - azuread_user + - entraid_user Parameters: [] - PrimaryTable: azuread_user + PrimaryTable: entraid_user QueryToExecute: | WITH distinct_tenant AS ( SELECT @@ -33,7 +33,7 @@ Query: END AS reason, t.tenant_id FROM - azuread_user AS u + entraid_user AS u LEFT JOIN distinct_tenant AS t ON t.tenant_id = u.tenant_id WHERE u.user_type = 'Guest'; diff --git a/compliance/controls/azure/azure_cis_v210_1_13.yaml b/compliance/controls/azure/azure_cis_v210_1_13.yaml index d42b174e3..99e6ab926 100644 
--- a/compliance/controls/azure/azure_cis_v210_1_13.yaml +++ b/compliance/controls/azure/azure_cis_v210_1_13.yaml @@ -6,9 +6,9 @@ Query: Engine: CloudQL-v0.0.1 ListOfTables: - azure_tenant - - azuread_authorization_policy + - entraid_authorization_policy Parameters: [] - PrimaryTable: azuread_authorization_policy + PrimaryTable: entraid_authorization_policy QueryToExecute: | WITH distinct_tenant AS ( SELECT DISTINCT @@ -33,7 +33,7 @@ Query: t.tenant_id FROM distinct_tenant AS t, - azuread_authorization_policy AS a; + entraid_authorization_policy AS a; Severity: low Tags: {} Title: 1.13 Ensure That 'Users Can Register Applications' Is Set to 'No' \ No newline at end of file diff --git a/compliance/controls/azure/azure_cis_v210_1_18.yaml b/compliance/controls/azure/azure_cis_v210_1_18.yaml index 757502f69..8ed6022e8 100644 --- a/compliance/controls/azure/azure_cis_v210_1_18.yaml +++ b/compliance/controls/azure/azure_cis_v210_1_18.yaml @@ -6,9 +6,9 @@ Query: Engine: CloudQL-v0.0.1 ListOfTables: - azure_tenant - - azuread_authorization_policy + - entraid_authorization_policy Parameters: [] - PrimaryTable: azuread_authorization_policy + PrimaryTable: entraid_authorization_policy QueryToExecute: | WITH distinct_tenant AS ( SELECT @@ -33,7 +33,7 @@ Query: t.tenant_id FROM distinct_tenant AS t, - azuread_authorization_policy AS a; + entraid_authorization_policy AS a; Severity: low Tags: {} Title: 1.18 Ensure that 'Users can create security groups in Azure portals, API or PowerShell' is set to 'No' \ No newline at end of file diff --git a/compliance/controls/azure/azure_cis_v210_1_25.yaml b/compliance/controls/azure/azure_cis_v210_1_25.yaml index 8706c2a34..9907cac8f 100644 --- a/compliance/controls/azure/azure_cis_v210_1_25.yaml +++ b/compliance/controls/azure/azure_cis_v210_1_25.yaml 
@@ -6,9 +6,9 @@ Query: Engine: CloudQL-v0.0.1 ListOfTables: - azure_tenant - - azuread_directory_role + - entraid_directory_role Parameters: [] - PrimaryTable: azuread_directory_role + PrimaryTable: entraid_directory_role QueryToExecute: | WITH distinct_tenant AS ( SELECT @@ -33,7 +33,7 @@ Query: t.tenant_id FROM distinct_tenant AS t, - azuread_directory_role + entraid_directory_role WHERE display_name = 'Global Administrator' Severity: low diff --git a/compliance/controls/azure/azure_cis_v210_1_2_6.yaml b/compliance/controls/azure/azure_cis_v210_1_2_6.yaml index 500672b3a..e94c2a5d2 100644 --- a/compliance/controls/azure/azure_cis_v210_1_2_6.yaml +++ b/compliance/controls/azure/azure_cis_v210_1_2_6.yaml @@ -6,9 +6,9 @@ Query: Engine: CloudQL-v0.0.1 ListOfTables: - azure_tenant - - azuread_conditional_access_policy + - entraid_conditional_access_policy Parameters: [] - PrimaryTable: azuread_conditional_access_policy + PrimaryTable: entraid_conditional_access_policy QueryToExecute: | WITH distinct_tenant AS ( SELECT @@ -33,7 +33,7 @@ Query: t.tenant_id FROM distinct_tenant AS t, - azuread_conditional_access_policy AS p; + entraid_conditional_access_policy AS p; Severity: low Tags: {} Title: 1.2.6 Ensure Multifactor Authentication is Required for Windows Azure Service Management API \ No newline at end of file diff --git a/compliance/controls/azure/azure_cis_v210_1_2_7.yaml b/compliance/controls/azure/azure_cis_v210_1_2_7.yaml index 7e3230b29..ef378c6d4 100644 --- a/compliance/controls/azure/azure_cis_v210_1_2_7.yaml +++ b/compliance/controls/azure/azure_cis_v210_1_2_7.yaml 
@@ -5,19 +5,19 @@ IntegrationType: Query: Engine: CloudQL-v0.0.1 ListOfTables: - - azuread_user + - entraid_user - azure_role_assignment - azure_role_definition - - azuread_conditional_access_policy + - entraid_conditional_access_policy Parameters: [] - PrimaryTable: azuread_conditional_access_policy + PrimaryTable: entraid_conditional_access_policy QueryToExecute: | WITH distinct_tenant AS ( SELECT u.id, tenant_id FROM - azuread_user AS u + entraid_user AS u LEFT JOIN azure_role_assignment AS a ON a.principal_id = u.id LEFT JOIN azure_role_definition AS d ON d.id = a.role_definition_id WHERE @@ -39,7 +39,7 @@ Query: t.tenant_id FROM distinct_tenant AS t, - azuread_conditional_access_policy AS p; + entraid_conditional_access_policy AS p; Severity: low Tags: {} Title: 1.2.7 Ensure Multifactor Authentication is Required to access Microsoft Admin Portals \ No newline at end of file diff --git a/compliance/controls/azure/azure_cis_v210_1_4.yaml b/compliance/controls/azure/azure_cis_v210_1_4.yaml index d30f2fdde..8fba75ac5 100644 --- a/compliance/controls/azure/azure_cis_v210_1_4.yaml +++ b/compliance/controls/azure/azure_cis_v210_1_4.yaml @@ -6,9 +6,9 @@ Query: Engine: CloudQL-v0.0.1 ListOfTables: - azure_tenant - - azuread_user + - entraid_user Parameters: [] - PrimaryTable: azuread_user + PrimaryTable: entraid_user QueryToExecute: | WITH distinct_tenant AS ( SELECT @@ -33,7 +33,7 @@ Query: END AS reason, t.tenant_id FROM - azuread_user AS u + entraid_user AS u LEFT JOIN distinct_tenant AS t ON t.tenant_id = u.tenant_id WHERE u.user_type = 'Guest'; diff --git a/compliance/controls/azure/azure_iam_conditional_access_mfa_enabled.yaml b/compliance/controls/azure/azure_iam_conditional_access_mfa_enabled.yaml index 394ddaac4..bccaaebcb 100644 --- a/compliance/controls/azure/azure_iam_conditional_access_mfa_enabled.yaml +++ b/compliance/controls/azure/azure_iam_conditional_access_mfa_enabled.yaml 
@@ -6,9 +6,9 @@ Query: Engine: CloudQL-v0.0.1 ListOfTables: - azure_tenant - - azuread_conditional_access_policy + - entraid_conditional_access_policy Parameters: [] - PrimaryTable: azuread_conditional_access_policy + PrimaryTable: entraid_conditional_access_policy QueryToExecute: | SELECT p.id AS resource, @@ -25,7 +25,7 @@ Query: t.tenant_id FROM azure_tenant AS t, - azuread_conditional_access_policy AS p; + entraid_conditional_access_policy AS p; Severity: medium Tags: category: diff --git a/compliance/controls/azure/azure_iam_deprecated_account.yaml b/compliance/controls/azure/azure_iam_deprecated_account.yaml index 193554b7a..0f133a4ec 100644 --- a/compliance/controls/azure/azure_iam_deprecated_account.yaml +++ b/compliance/controls/azure/azure_iam_deprecated_account.yaml @@ -8,9 +8,9 @@ Query: - azure_role_assignment - azure_role_definition - azure_tenant - - azuread_user + - entraid_user Parameters: [] - PrimaryTable: azuread_user + PrimaryTable: entraid_user QueryToExecute: | WITH disabled_users AS ( SELECT @@ -21,7 +21,7 @@ Query: u.id, d.subscription_id FROM - azuread_user AS u + entraid_user AS u LEFT JOIN azure_role_assignment AS a ON a.principal_id = u.id LEFT JOIN azure_role_definition AS d ON d.id = a.role_definition_id WHERE @@ -42,7 +42,7 @@ Query: t.tenant_id FROM azure_tenant AS t, - azuread_user AS u + entraid_user AS u LEFT JOIN disabled_users AS d ON d.id = u.id; Severity: high Tags: diff --git a/compliance/controls/azure/azure_iam_deprecated_account_with_owner_roles.yaml b/compliance/controls/azure/azure_iam_deprecated_account_with_owner_roles.yaml index 93e48af9c..af6453ca7 100644 --- a/compliance/controls/azure/azure_iam_deprecated_account_with_owner_roles.yaml +++ b/compliance/controls/azure/azure_iam_deprecated_account_with_owner_roles.yaml 
@@ -8,9 +8,9 @@ Query: - azure_role_assignment - azure_role_definition - azure_tenant - - azuread_user + - entraid_user Parameters: [] - PrimaryTable: azuread_user + PrimaryTable: entraid_user QueryToExecute: | SELECT DISTINCT u.user_principal_name AS resource, @@ -27,7 +27,7 @@ Query: t.tenant_id FROM azure_tenant AS t, - azuread_user AS u + entraid_user AS u LEFT JOIN azure_role_assignment AS a ON a.principal_id = u.id LEFT JOIN azure_role_definition AS d ON d.id = a.role_definition_id WHERE diff --git a/compliance/controls/azure/azure_iam_external_user_with_owner_role.yaml b/compliance/controls/azure/azure_iam_external_user_with_owner_role.yaml index 4b20ce901..3ed8391e3 100644 --- a/compliance/controls/azure/azure_iam_external_user_with_owner_role.yaml +++ b/compliance/controls/azure/azure_iam_external_user_with_owner_role.yaml @@ -8,9 +8,9 @@ Query: - azure_role_assignment - azure_role_definition - azure_tenant - - azuread_user + - entraid_user Parameters: [] - PrimaryTable: azuread_user + PrimaryTable: entraid_user QueryToExecute: | WITH all_owner_users AS ( SELECT DISTINCT @@ -22,7 +22,7 @@ Query: u.og_account_id AS og_account_id, u.og_resource_id AS og_resource_id FROM - azuread_user AS u + entraid_user AS u LEFT JOIN azure_role_assignment AS a ON a.principal_id = u.id LEFT JOIN azure_role_definition AS d ON d.id = a.role_definition_id WHERE diff --git a/compliance/controls/azure/azure_iam_external_user_with_read_permission.yaml b/compliance/controls/azure/azure_iam_external_user_with_read_permission.yaml index 0dbbdd102..8bdb72009 100644 --- a/compliance/controls/azure/azure_iam_external_user_with_read_permission.yaml +++ b/compliance/controls/azure/azure_iam_external_user_with_read_permission.yaml 
@@ -8,9 +8,9 @@ Query: - azure_role_assignment - azure_role_definition - azure_tenant - - azuread_user + - entraid_user Parameters: [] - PrimaryTable: azuread_user + PrimaryTable: entraid_user QueryToExecute: | WITH all_write_permission_users AS ( SELECT DISTINCT @@ -22,7 +22,7 @@ Query: u.og_account_id AS og_account_id, u.og_resource_id AS og_resource_id FROM - azuread_user AS u + entraid_user AS u LEFT JOIN azure_role_assignment AS a ON a.principal_id = u.id LEFT JOIN azure_role_definition AS d ON d.id = a.role_definition_id WHERE d.role_name = 'Reader' diff --git a/compliance/controls/azure/azure_iam_external_user_with_write_permission.yaml b/compliance/controls/azure/azure_iam_external_user_with_write_permission.yaml index 844629d75..473080281 100644 --- a/compliance/controls/azure/azure_iam_external_user_with_write_permission.yaml +++ b/compliance/controls/azure/azure_iam_external_user_with_write_permission.yaml @@ -8,9 +8,9 @@ Query: - azure_role_assignment - azure_role_definition - azure_tenant - - azuread_user + - entraid_user Parameters: [] - PrimaryTable: azuread_user + PrimaryTable: entraid_user QueryToExecute: | WITH all_write_permission_users AS ( SELECT @@ -23,7 +23,7 @@ Query: u.og_account_id AS og_account_id, u.og_resource_id AS og_resource_id FROM - azuread_user AS u + entraid_user AS u LEFT JOIN azure_role_assignment AS a ON a.principal_id = u.id LEFT JOIN azure_role_definition AS d ON d.id = a.role_definition_id WHERE diff --git a/compliance/controls/azure/azure_iam_user_no_built_in_contributor_role.yaml b/compliance/controls/azure/azure_iam_user_no_built_in_contributor_role.yaml index f773eb054..87eaf5188 100644 --- a/compliance/controls/azure/azure_iam_user_no_built_in_contributor_role.yaml +++ b/compliance/controls/azure/azure_iam_user_no_built_in_contributor_role.yaml 
@@ -5,12 +5,12 @@ IntegrationType: Query: Engine: CloudQL-v0.0.1 ListOfTables: - - azuread_user + - entraid_user - azure_role_assignment - azure_role_definition - azure_tenant Parameters: [] - PrimaryTable: azuread_user + PrimaryTable: entraid_user QueryToExecute: | WITH all_contributor_permission_users AS ( SELECT @@ -21,7 +21,7 @@ Query: u.user_principal_name, d.subscription_id FROM - azuread_user AS u + entraid_user AS u LEFT JOIN azure_role_assignment AS a ON a.principal_id = u.id LEFT JOIN azure_role_definition AS d ON d.id = a.role_definition_id WHERE @@ -49,7 +49,7 @@ Query: t.tenant_id FROM distinct_tenant AS t, - azuread_user AS u + entraid_user AS u LEFT JOIN all_contributor_permission_users AS c ON c.user_principal_name = u.user_principal_name; Severity: low Tags: {} diff --git a/compliance/controls/azure/azure_iam_user_not_allowed_to_create_security_group.yaml b/compliance/controls/azure/azure_iam_user_not_allowed_to_create_security_group.yaml index 13bfdc44b..ae8084396 100644 --- a/compliance/controls/azure/azure_iam_user_not_allowed_to_create_security_group.yaml +++ b/compliance/controls/azure/azure_iam_user_not_allowed_to_create_security_group.yaml @@ -6,9 +6,9 @@ Query: Engine: CloudQL-v0.0.1 ListOfTables: - azure_tenant - - azuread_authorization_policy + - entraid_authorization_policy Parameters: [] - PrimaryTable: azuread_authorization_policy + PrimaryTable: entraid_authorization_policy QueryToExecute: | SELECT a.id AS resource, @@ -25,7 +25,7 @@ Query: t.tenant_id FROM azure_tenant AS t, - azuread_authorization_policy AS a; + entraid_authorization_policy AS a; Severity: high Tags: category: diff --git a/compliance/controls/azure/azure_iam_user_not_allowed_to_create_tenants.yaml b/compliance/controls/azure/azure_iam_user_not_allowed_to_create_tenants.yaml index e6db54fa7..90d6f4b97 100644 --- a/compliance/controls/azure/azure_iam_user_not_allowed_to_create_tenants.yaml 
+++ b/compliance/controls/azure/azure_iam_user_not_allowed_to_create_tenants.yaml @@ -6,9 +6,9 @@ Query: Engine: CloudQL-v0.0.1 ListOfTables: - azure_tenant - - azuread_authorization_policy + - entraid_authorization_policy Parameters: [] - PrimaryTable: azuread_authorization_policy + PrimaryTable: entraid_authorization_policy QueryToExecute: | WITH distinct_tenant AS ( SELECT @@ -33,7 +33,7 @@ Query: t.tenant_id FROM distinct_tenant AS t, - azuread_authorization_policy AS a; + entraid_authorization_policy AS a; Severity: low Tags: {} Title: Ensure that 'Users Can Create Tenants' is set to 'No' \ No newline at end of file diff --git a/compliance/controls/azure/azure_iam_user_not_allowed_to_register_application.yaml b/compliance/controls/azure/azure_iam_user_not_allowed_to_register_application.yaml index 1544334d2..c494f112f 100644 --- a/compliance/controls/azure/azure_iam_user_not_allowed_to_register_application.yaml +++ b/compliance/controls/azure/azure_iam_user_not_allowed_to_register_application.yaml @@ -6,9 +6,9 @@ Query: Engine: CloudQL-v0.0.1 ListOfTables: - azure_tenant - - azuread_authorization_policy + - entraid_authorization_policy Parameters: [] - PrimaryTable: azuread_authorization_policy + PrimaryTable: entraid_authorization_policy QueryToExecute: | SELECT a.id AS resource, @@ -26,7 +26,7 @@ Query: t.tenant_id FROM azure_tenant AS t, - azuread_authorization_policy AS a; + entraid_authorization_policy AS a; Severity: medium Tags: category: diff --git a/compliance/controls/azure/azuread_spn_with_more_than_one_active_client_secret_created_x_days_ago.yaml b/compliance/controls/azure/azuread_spn_with_more_than_one_active_client_secret_created_x_days_ago.yaml index 39ebeaf69..da67cacdd 100644 --- a/compliance/controls/azure/azuread_spn_with_more_than_one_active_client_secret_created_x_days_ago.yaml +++ b/compliance/controls/azure/azuread_spn_with_more_than_one_active_client_secret_created_x_days_ago.yaml 
@@ -1,18 +1,18 @@
 Description: SPNs in AzureAD should not have more than one active Client Secret created X days ago
-ID: azuread_spn_with_active_client_secret_created_x_days_ago
+ID: entraid_spn_with_active_client_secret_created_x_days_ago
 IntegrationType:
 - azure_subscription
 Query:
 Engine: CloudQL-v0.0.1
 ListOfTables:
- - azuread_service_principal
- - azuread_spn
+ - entraid_service_principal
+ - entraid_spn
 Parameters:
- - Key: azureadClientSecretExpireDays
+ - Key: entraidClientSecretExpireDays
 Required: true
- PrimaryTable: azuread_service_principal
+ PrimaryTable: entraid_service_principal
 QueryToExecute: |
- WITH azuread_spn AS (
+ WITH entraid_spn AS (
 SELECT
 id,
 display_name,
@@ -23,16 +23,16 @@ Query:
 SELECT COUNT(*)
 FROM jsonb_array_elements(password_credentials) AS pc
 WHERE (pc ->> 'EndDateTime')::timestamp > NOW() AND
- NOW() - (pc ->> 'StartDateTime')::timestamp > '{{.azureadClientSecretExpireDays}} days'::interval
+ NOW() - (pc ->> 'StartDateTime')::timestamp > '{{.entraidClientSecretExpireDays}} days'::interval
 ) AS active_client_secret_count,
 (
 SELECT STRING_AGG(pc ->> 'DisplayName', ', ')
 FROM jsonb_array_elements(password_credentials) AS pc
 WHERE (pc ->> 'EndDateTime')::timestamp > NOW() AND
- NOW() - (pc ->> 'StartDateTime')::timestamp > '{{.azureadClientSecretExpireDays}} days'::interval
+ NOW() - (pc ->> 'StartDateTime')::timestamp > '{{.entraidClientSecretExpireDays}} days'::interval
 ) AS Ids
 FROM
- azuread_service_principal
+ entraid_service_principal
 )
 SELECT
 id AS resource,
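Review bot: Renaming the required parameter key from `azureadClientSecretExpireDays` to `entraidClientSecretExpireDays` (together with the control `ID`) breaks every existing binding of the old key, and nothing in the hunk bridges it: with `Required: true` the control either stops being runnable, or, if the binding layer does not enforce the flag, the predicate `NOW() - (pc ->> 'StartDateTime')::timestamp > '{{.entraidClientSecretExpireDays}} days'::interval` renders as `' days'::interval` and the query fails at parse time. Either accept the old key as a deprecated alias where `Parameters` are resolved, or state the rename as a breaking change in the control's `Description`. The file is still named `azuread_spn_with_more_than_one_active_client_secret_created_x_days_ago.yaml` while its `ID` is now `entraid_…`, so path and identifier no longer agree. The unchanged `Description` also says "more than one" while the reason text in the next hunk fires at `active_client_secret_count > 0`; the status branch that decides the alarm lies outside these hunks and is worth checking against the intended threshold.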
@@ -41,14 +41,14 @@ Query:
 ELSE 'ok'
 END AS status,
 CASE
- WHEN active_client_secret_count > 0 THEN display_name || ' has ' || active_client_secret_count || ' active client secrets created {{.azureadClientSecretExpireDays}} days ago: [' || Ids || ']'
- ELSE display_name || ' has no active client secrets created {{.azureadClientSecretExpireDays}} days ago'
+ WHEN active_client_secret_count > 0 THEN display_name || ' has ' || active_client_secret_count || ' active client secrets created {{.entraidClientSecretExpireDays}} days ago: [' || Ids || ']'
+ ELSE display_name || ' has no active client secrets created {{.entraidClientSecretExpireDays}} days ago'
 END AS reason,
 og_account_id,
 og_resource_id,
 subscription_id
 FROM
- azuread_spn
+ entraid_spn
 Severity: high
 Tags:
 score_service_name:
diff --git a/compliance/controls/azure/azuread_user_should_have_mfa_enabled_with_azure_subscription_role_assignment.yaml b/compliance/controls/azure/azuread_user_should_have_mfa_enabled_with_azure_subscription_role_assignment.yaml
index c86fc0061..56035dd2b 100644
--- a/compliance/controls/azure/azuread_user_should_have_mfa_enabled_with_azure_subscription_role_assignment.yaml
+++ b/compliance/controls/azure/azuread_user_should_have_mfa_enabled_with_azure_subscription_role_assignment.yaml
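Review bot: The rewritten reason line `… days ago: [' || Ids || ']'` evaluates to NULL whenever none of the matching credentials carries a `DisplayName`, because `STRING_AGG` over all-NULL inputs returns NULL and `||` propagates it in Postgres, so an SPN that is alarmed ends up with an empty reason. Write it as `days ago: [' || COALESCE(Ids, '') || ']'` so the finding text survives. Separately, `{{.entraidClientSecretExpireDays}}` is spliced into the SQL text both here and in the interval predicate of the previous hunk, so the value must be validated as a plain integer before rendering unless the parameter layer already does that; I cannot tell from this diff. The status `CASE` that this reason accompanies starts outside the hunk.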
@@ -1,17 +1,17 @@
 Description: AzureAD Users should have MFA Enabled with Azure subscription role assignment
-ID: azuread_user_should_have_mfa_enabled_with_azure_subscription_role_assignment
+ID: entraid_user_should_have_mfa_enabled_with_azure_subscription_role_assignment
 IntegrationType:
 - azure_subscription
 Query:
 Engine: CloudQL-v0.0.1
 ListOfTables:
 - azure_user_effective_access
- - azuread_user
- - azuread_user_registration_details
+ - entraid_user
+ - entraid_user_registration_details
 Parameters:
- - Key: azureadAccountStatusInclude
+ - Key: entraidAccountStatusInclude
 Required: false
- PrimaryTable: azuread_user
+ PrimaryTable: entraid_user
 QueryToExecute: |
 WITH users_with_roles AS (
 SELECT DISTINCT
@@ -22,7 +22,7 @@ Query:
 u.subscription_id AS subscription_id,
 u.account_enabled AS account_enabled,
 u.tenant_id AS tenant_id
- FROM azuread_user AS u
+ FROM entraid_user AS u
 JOIN azure_user_effective_access AS ea ON u.id = ea.principal_id
 )
 SELECT
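Review bot: Renaming the optional parameter key `azureadAccountStatusInclude` to `entraidAccountStatusInclude` silently discards any existing binding of the old key: because the entry is `Required: false`, a deployment that had narrowed this control to enabled accounts (for example `azureadAccountStatusInclude: "true"`) now falls back to the default `'true,false,null'` used in the status `CASE` of the following hunk, so disabled accounts without MFA start raising alarms and nothing reports that the scope changed. Keep the old key as a deprecated alias in whatever resolves `Parameters`, or at least flag the rename as breaking in the control's `Description`, which still reads "AzureAD Users …" while the `ID` is now `entraid_…`; the file path keeps the `azuread_` prefix as well. The `users_with_roles` CTE continues past the end of the first hunk.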
@@ -30,19 +30,19 @@ Query: u.og_account_id AS og_account_id, u.og_resource_id AS og_resource_id, CASE - WHEN COALESCE(NULLIF('{{.azureadAccountStatusInclude}}', ''), 'true,false,null') NOT LIKE ('%' || COALESCE(u.account_enabled::text, 'null') || '%') THEN 'skip' + WHEN COALESCE(NULLIF('{{.entraidAccountStatusInclude}}', ''), 'true,false,null') NOT LIKE ('%' || COALESCE(u.account_enabled::text, 'null') || '%') THEN 'skip' WHEN rd.is_mfa_registered::bool = false OR rd.is_mfa_registered::bool IS NULL THEN 'alarm' ELSE 'ok' END AS status, CASE - WHEN COALESCE(NULLIF('{{.azureadAccountStatusInclude}}', ''), 'true,false,null') NOT LIKE ('%' || COALESCE(u.account_enabled::text, 'null') || '%') THEN 'User is not included' + WHEN COALESCE(NULLIF('{{.entraidAccountStatusInclude}}', ''), 'true,false,null') NOT LIKE ('%' || COALESCE(u.account_enabled::text, 'null') || '%') THEN 'User is not included' WHEN rd.is_mfa_registered::bool = false OR rd.is_mfa_registered::bool IS NULL THEN u.display_name || ' does not have MFA enabled' ELSE u.display_name || ' has MFA' END AS reason, u.tenant_id FROM users_with_roles AS u - LEFT JOIN azuread_user_registration_details AS rd ON u.id = rd.id + LEFT JOIN entraid_user_registration_details AS rd ON u.id = rd.id WHERE EXISTS (SELECT 1 FROM azure_user_effective_access AS ea WHERE u.id = ea.principal_id) Severity: high Tags: diff --git a/compliance/frameworks/baseline/security/azure_baseline_security_iam.yaml b/compliance/frameworks/baseline/security/azure_baseline_security_iam.yaml index 7501c4a22..778e678ba 100755 --- a/compliance/frameworks/baseline/security/azure_baseline_security_iam.yaml +++ b/compliance/frameworks/baseline/security/azure_baseline_security_iam.yaml 
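Review bot: The renamed `COALESCE(NULLIF('{{.entraidAccountStatusInclude}}', ''), 'true,false,null') NOT LIKE ('%' || COALESCE(u.account_enabled::text, 'null') || '%')` lines splice the parameter value straight into the SQL string and then test membership by substring, so any value that merely contains `true`, `false` or `null` (or a stray quote, which breaks or alters the statement) is accepted instead of being rejected. Unless the parameter layer validates the value against a fixed token list, compare tokens exactly, e.g. `COALESCE(u.account_enabled::text, 'null') = ANY (string_to_array(COALESCE(NULLIF('{{.entraidAccountStatusInclude}}', ''), 'true,false,null'), ','))` (negated for the skip branch), which fails closed on malformed input; quote-safety still has to come from validation before rendering. I cannot see from this diff whether such validation exists. The `SELECT` these expressions belong to starts outside the hunk.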
@@ -4,8 +4,8 @@ Description: Controls related to Identity and Access Management to ensure secure
 SectionCode: iam_security
 Children: []
 Controls:
- - azuread_user_should_have_mfa_enabled_with_azure_subscription_role_assignment
- - azuread_spn_with_active_client_secret_created_x_days_ago
+ - entraid_user_should_have_mfa_enabled_with_azure_subscription_role_assignment
+ - entraid_spn_with_active_client_secret_created_x_days_ago
 - azure_enable_kubernetes_role_based_access_control
 - azure_use_system_assigned_managed_identities_for_aks_clusters
 - azure_use_user_assigned_managed_identities_for_aks_clusters
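Review bot: Only this framework is updated for the two renamed control IDs; any other framework, benchmark or exception list that still references `azuread_user_should_have_mfa_enabled_with_azure_subscription_role_assignment` or `azuread_spn_with_active_client_secret_created_x_days_ago` will now point at a control that no longer exists, which depending on the loader is either a load error or an MFA / client-secret check that silently drops out of that framework. A repository-wide search for the old IDs, and for the old `azuread_*` table names in controls this diff does not touch, would close that gap before merge; I cannot tell from this diff whether any such references remain.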