rules/findings/EntraID/Reports/CIS3.1/eid-sspr-password-reset-activity-report-is-reviewed.json

{
  "args": [
     
  ],
  "provider": "EntraID",
  "serviceType": "Identity Protection",
  "serviceName": "Microsoft Entra ID",
  "displayName": "Ensure the self-service password reset activity report is reviewed at least weekly",
  "description": "The Microsoft 365 platform allows users to reset their password in the event they forget it. The self-service password reset activity report logs each time a user successfully resets their password this way. The self-service password reset activity report should be reviewed at least weekly.",
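  "rationale": "An attacker will commonly compromise an account, then change the password to something they control and can manage. Reviewing the report regularly helps surface password resets that the account owner did not initiate.",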
  "impact": null,
  "remediation": {
    "text": "
            ###### To review the self-service password reset activity report:
            1. Navigate to Microsoft Entra admin center https://entra.microsoft.com/.
            2. Click to expand Protection > Password reset, then select Audit logs.
            3. Review the list of users who have reset their passwords by setting the Date to Last 7 days and Service to Self-service Password Management.
    ",
    "code": {
      "powerShell": null,
      "iac": null,
      "terraform": null,
      "other": null
    }
  },
  "recommendation": null,
  "references": [
    "https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-sspr-reporting",
    "https://learn.microsoft.com/en-us/azure/active-directory/authentication/troubleshoot-sspr"
  ],
  "compliance": [
    {
      "name": "CIS Microsoft 365 Foundations Benchmark",
      "version": "3.1.0",
      "reference": "5.2.4.2",
      "profile": "E3 Level 1"
    }
  ],
  "level": "info",
  "tags": [
  ],
  "rule": {
    "path": "",
    "subPath": null,
    "selectCondition": {
       
    },
    "query": [
    ],
    "shouldExist": null,
    "returnObject": null,
    "removeIfNotExists": null
  },
  "output": {
    "html": {
      "data": {
        "properties": {
           
        },
        "expandObject": null
      },
      "table": null,
      "decorate": [
         
      ],
      "emphasis": [
         
      ],
      "actions": {
        "objectData": {
          "properties": [
            "*"
          ],
          "expandObject": null,
          "limit": null
        },
        "isManual":false,
        "showGoToButton": false,
        "showModalButton": false,
        "directLink": null
      }
    },
    "text": {
      "data": {
        "properties": {
           
        },
        "expandObject": null
      },
      "status": {
        "keyName": [
           
        ],
        "message": "Ensure the self-service password reset activity report is reviewed at least weekly",
        "defaultMessage": null
      },
      "properties": {
        "resourceName": null,
        "resourceId": null,
        "resourceType": null
      },
      "onlyStatus": false
    }
  },
  "idSuffix": "eid_sspr_password_reset_activity_report_is_reviewed",
  "notes": [
     
  ],
  "categories": [
     
  ]
}