This page lists every security check included in GrantFlow Sentinel, organized by domain. Each check has a stable ID you can reference in overrides files, SIEM queries, and compliance reports.
Severity key (highest to lowest): Critical, High, Medium, Low, Info
Entra ID checks (cloud mode)
Authentication & MFA
| ID | Title | Severity |
|---|---|---|
| SENT-AUTH-001 | Number matching is enabled for Microsoft Authenticator | High |
| SENT-AUTH-002 | Report suspicious activity is enabled | Medium |
| SENT-AUTH-003 | FIDO2 security keys are enabled as an authentication method | Medium |
| SENT-AUTH-004 | Insecure authentication methods (SMS, Voice, Email OTP) are disabled | High |
Why it matters: MFA fatigue (push-bombing) attacks rely on a user approving a push prompt they did not initiate; number matching requires the approver to enter a number shown only on the sign-in screen, which an attacker spamming prompts cannot see. SMS, voice and email OTP are all phishable, and SMS and voice are additionally exposed to SIM-swapping. FIDO2 security keys are phishing-resistant because the credential is bound to the origin that registered it; together with certificate-based authentication they are the methods that satisfy the phishing-resistant MFA requirement SENT-CA-003 enforces for administrators.
Conditional Access
| ID | Title | Severity |
|---|---|---|
| SENT-CA-001 | MFA is required for all users via Conditional Access | Critical |
| SENT-CA-002 | Legacy authentication is blocked | High |
| SENT-CA-003 | Phishing-resistant MFA is required for administrators | Critical |
| SENT-CA-004 | Emergency access (break-glass) accounts are not blocked by CA policies | High |
| SENT-CA-005 | Security groups used in CA policies are protected (Role-Assignable or RMAU) | High |
| SENT-CA-006 | Device code flow is blocked via Conditional Access | High |
| SENT-CA-007 | Risk-based Conditional Access policies are configured | High |
| SENT-CA-008 | Sign-in frequency is configured for admin sessions | Medium |
| SENT-CA-009 | No CA policies stuck in Report-Only mode | Medium |
| SENT-CA-010 | Compliant or Entra-joined device required for admin access | Medium |
| SENT-CA-011 | MFA is required for guest and external users | Medium |
| SENT-CA-012 | No CA policies with excessive user exclusions (> 10) | Low |
| SENT-CA-013 | No excessive disabled CA policies | Low |
Why it matters: Conditional Access is your primary enforcement layer for identity-based controls, and a gap in any of these policies is a bypass path. Legacy authentication protocols (basic auth for SMTP, IMAP and POP, Exchange ActiveSync, older Office clients) cannot complete an MFA challenge, so a policy that merely requires MFA does not stop them; they have to be blocked outright. Until they are, a valid password alone still signs in over those protocols, so block legacy authentication before relying on any other CA policy.
Break-glass accounts
SENT-CA-004 checks that your break-glass accounts are excluded from every CA policy. If a policy blocks them, you lose access to the tenant during exactly the incident they exist for. Maintain at least two cloud-only break-glass accounts with permanent Global Administrator assignments, exclude them from every policy by account rather than by group (a group exclusion can be undone by anyone who can edit the group's membership), keep their credentials offline, and alert on every sign-in by them. Note the interaction with SENT-PRIV-003, which allows a single permanent Global Administrator and intends that one to be the break-glass account: with two break-glass accounts, expect a PRIV-003 finding for the second one and handle it by referencing the check ID in your overrides file rather than by removing the second account.
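The three CA checks discussed above (legacy authentication blocked, break-glass accounts excluded by account, no policies left in report-only) can be evaluated offline over an export of the tenant's policies. The following is an added example, not GrantFlow Sentinel's own code: the policy objects use the JSON shape that Microsoft Graph returns from `GET /identity/conditionalAccess/policies`, and the policy names and object IDs are constructed for illustration.

```python
"""Checks of the SENT-CA-002 / -004 / -009 kind over exported Conditional Access
policies.  Added example, not GrantFlow Sentinel code.  Policy objects follow the
Microsoft Graph shape; display names and object IDs are constructed."""

REPORT_ONLY = "enabledForReportingButNotEnforced"
# Graph's two legacy-auth client app types; a block policy must cover both.
LEGACY_CLIENT_APPS = {"exchangeActiveSync", "other"}


def is_enforced(policy):
    return policy.get("state") == "enabled"


def _users(policy):
    return policy.get("conditions", {}).get("users", {})


def blocks_legacy_auth(policy):
    """SENT-CA-002: an enforced policy that blocks both legacy client app types
    for all users (exclusions such as break-glass are allowed)."""
    apps = set(policy.get("conditions", {}).get("clientAppTypes", []))
    controls = set(policy.get("grantControls", {}).get("builtInControls", []))
    return (is_enforced(policy)
            and "All" in _users(policy).get("includeUsers", [])
            and LEGACY_CLIENT_APPS <= apps
            and "block" in controls)


def break_glass_gaps(policies, break_glass_ids):
    """SENT-CA-004: (policy, account) pairs where a break-glass account is not
    excluded *by account* from an enforced policy.  Group exclusions are
    deliberately ignored: group membership can be edited or the group deleted."""
    gaps = []
    for policy in policies:
        if not is_enforced(policy):
            continue
        excluded = set(_users(policy).get("excludeUsers", []))
        gaps.extend((policy["displayName"], bg)
                    for bg in break_glass_ids if bg not in excluded)
    return gaps


def report_only_policies(policies):
    """SENT-CA-009: a report-only policy enforces nothing."""
    return [p["displayName"] for p in policies if p.get("state") == REPORT_ONLY]


def evaluate(policies, break_glass_ids):
    return {
        "SENT-CA-002": any(blocks_legacy_auth(p) for p in policies),
        "SENT-CA-004": not break_glass_gaps(policies, break_glass_ids),
        "SENT-CA-009": not report_only_policies(policies),
    }


# Constructed sample tenant: the object IDs are placeholders, not real accounts.
BREAK_GLASS = ["11111111-0000-0000-0000-000000000001",
               "11111111-0000-0000-0000-000000000002"]
SAMPLE_POLICIES = [
    {"displayName": "Block legacy authentication", "state": "enabled",
     "conditions": {"clientAppTypes": ["exchangeActiveSync", "other"],
                    "users": {"includeUsers": ["All"], "excludeUsers": BREAK_GLASS}},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "Require MFA for all users", "state": "enabled",
     "conditions": {"clientAppTypes": ["all"],
                    "users": {"includeUsers": ["All"],
                              # second break-glass account only excluded via a group
                              "excludeUsers": [BREAK_GLASS[0]],
                              "excludeGroups": ["22222222-0000-0000-0000-000000000001"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Block device code flow", "state": REPORT_ONLY,
     "conditions": {"clientAppTypes": ["all"], "users": {"includeUsers": ["All"]},
                    "authenticationFlows": {"transferMethods": "deviceCodeFlow"}},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
]

if __name__ == "__main__":
    print(evaluate(SAMPLE_POLICIES, BREAK_GLASS))
    print(break_glass_gaps(SAMPLE_POLICIES, BREAK_GLASS))
```

On the sample tenant the legacy-auth check passes, the second break-glass account is reported as a gap in "Require MFA for all users" because it is covered only by a group exclusion, and the device-code policy is reported as still in report-only mode.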
Privileged Access
| ID | Title | Severity |
|---|---|---|
| SENT-PRIV-001 | No permanent active assignments to Tier 0 roles (except break-glass) | Critical |
| SENT-PRIV-002 | Limited number of Global Administrators (≤ 5 active + eligible) | High |
| SENT-PRIV-003 | No more than 1 permanent Global Administrator (break-glass only) | Critical |
| SENT-PRIV-004 | No stale privileged accounts (inactive > 90 days) | High |
| SENT-PRIV-005 | No more than 3 active (non-eligible) Global Administrators | High |
Why it matters: Permanent privileged assignments mean a compromised account immediately has full tenant control. Just-in-time access (via GrantFlow or Entra PIM) ensures elevated permissions exist only when actively needed and expire automatically.
GrantFlow resolves PRIV findings
SENT-PRIV-001 and SENT-PRIV-003 are in the GrantFlow recommendation lane. Deploying GrantFlow converts all permanent Tier 0 and Tier 1 assignments to JIT-eligible, removing the standing access that these checks flag.
Tenant Hardening
| ID | Title | Severity |
|---|---|---|
| SENT-TEN-001 | User consent to applications is disabled | High |
| SENT-TEN-002 | Admin consent workflow is enabled | Medium |
| SENT-TEN-003 | Guest user access is restricted | Medium |
| SENT-TEN-004 | Legacy MSOL PowerShell access is blocked | Medium |
| SENT-TEN-005 | Self-service group creation is restricted | Low |
| SENT-TEN-006 | Security defaults are disabled (Conditional Access is used instead) | Info |
| SENT-TEN-007 | Users are restricted from registering applications | Medium |
| SENT-TEN-008 | Guest invitation settings are restricted | Medium |
| SENT-TEN-009 | Users cannot create app registrations | Medium |
| SENT-TEN-010 | Users cannot create security groups | Low |
Why it matters: Consent phishing is one of the most effective attack vectors against modern tenants. When users can grant applications access to organisational data, a single click on a malicious consent link hands the attacker's app a consent grant that persists until an administrator revokes it. SENT-TEN-001 removes the user's ability to grant that consent and SENT-TEN-002 gives them a route to request admin review instead, so the attack surface is closed without pushing users toward unreviewed workarounds.
Workload Identity
| ID | Title | Severity |
|---|---|---|
| SENT-WID-001 | No service principals with high-privilege Graph permissions and client secrets | Critical |
| SENT-WID-002 | No applications with expired credentials | Medium |
| SENT-WID-003 | No service principals with broad 'ReadWrite.All' application permissions | High |
| SENT-WID-004 | No multi-tenant app registrations with high-privilege permissions | High |
| SENT-WID-005 | No applications with expired credentials still present | High |
| SENT-WID-006 | No applications with long-lived secrets (> 2 years) | Medium |
Why it matters: A service principal holding Directory.ReadWrite.All or similar application permissions, backed by a long-lived client secret, is a high-value target. A leaked secret gives an attacker persistent, non-interactive access: the client-credentials flow involves no user, so no MFA or user-scoped Conditional Access policy applies, and fresh tokens can be minted for as long as the secret is valid. With permissions such as RoleManagement.ReadWrite.Directory or AppRoleAssignment.ReadWrite.All that access converts directly into Global Administrator.
High-Value Targets
| ID | Title | Severity |
|---|---|---|
| SENT-HVT-001 | No non-admin users own applications with high-privilege permissions | Critical |
| SENT-HVT-002 | Executive and C-Level users are identified as high-value targets | Medium |
| SENT-HVT-003 | No non-admin users have direct assignments to high-privilege service principals | High |
| SENT-HVT-004 | No orphaned app registrations (apps without owners) | Medium |
| SENT-HVT-005 | No disabled users retain privileged role assignments | Critical |
Why it matters: SENT-HVT-001 detects "shadow admins": users who own app registrations whose service principal holds Directory.ReadWrite.All or similar application permissions. An owner can add a client secret or certificate to the app and then sign in as the service principal with the client-credentials flow, so they effectively have admin-level access without holding a directory role, which keeps them out of role-based access reviews. Because an owner is an ordinary user account, compromising one is often easier than compromising an administrator, especially when the owner is not covered by the phishing-resistant MFA policy that SENT-CA-003 requires for admins.
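The Workload Identity and High-Value Target findings above come from the same data: each application's granted application permissions, its credentials and its owners. The following added example (not GrantFlow Sentinel code) evaluates SENT-WID-001/-002/-006 and SENT-HVT-001 over constructed records that mirror the relevant Graph properties (`passwordCredentials` with `startDateTime`/`endDateTime`, application owners, and granted permissions already resolved to their names). The `HIGH_PRIVILEGE` set is an assumption: a starting list of application permissions that are Global Administrator-equivalent or escalate to it, which a real deployment would extend.

```python
"""Findings of the SENT-WID-001/-002/-006 and SENT-HVT-001 kind.  Added example,
not GrantFlow Sentinel code; all names, IDs and dates are constructed."""
from datetime import datetime, timedelta, timezone

# Assumption: a starting set of GA-equivalent / GA-escalating app permissions.
HIGH_PRIVILEGE = {
    "RoleManagement.ReadWrite.Directory",   # assign any directory role
    "AppRoleAssignment.ReadWrite.All",      # grant any app permission to itself
    "Application.ReadWrite.All",            # add credentials to any app
    "Directory.ReadWrite.All",
}
MAX_SECRET_LIFETIME = timedelta(days=730)   # SENT-WID-006 threshold (> 2 years)


def parse_ts(value):
    """Graph timestamps end in 'Z'; make them timezone-aware datetimes."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def high_privilege_permissions(app):
    """Permissions that make the app a target; any *.ReadWrite.All counts as
    broad in the sense of SENT-WID-003."""
    return {p for p in app["appPermissions"]
            if p in HIGH_PRIVILEGE or p.endswith(".ReadWrite.All")}


def credential_findings(app, now):
    """WID-001: secret on a privileged app; WID-002: expired; WID-006: long-lived."""
    findings = []
    privileged = bool(high_privilege_permissions(app))
    for cred in app["passwordCredentials"]:
        start, end = parse_ts(cred["startDateTime"]), parse_ts(cred["endDateTime"])
        if privileged:
            findings.append(("SENT-WID-001", app["displayName"], cred["keyId"]))
        if end < now:
            findings.append(("SENT-WID-002", app["displayName"], cred["keyId"]))
        if end - start > MAX_SECRET_LIFETIME:
            findings.append(("SENT-WID-006", app["displayName"], cred["keyId"]))
    return findings


def shadow_admins(apps, admin_ids):
    """HVT-001: owners of privileged apps who hold no directory role.  Such an
    owner can add a credential and sign in as the service principal."""
    return sorted({(owner, app["displayName"])
                   for app in apps if high_privilege_permissions(app)
                   for owner in app["owners"] if owner not in admin_ids})


def run(apps, admin_ids, now):
    findings = [f for app in apps for f in credential_findings(app, now)]
    findings += [("SENT-HVT-001", app, owner) for owner, app in shadow_admins(apps, admin_ids)]
    return findings


# Constructed sample data: one over-privileged app with a 3-year secret owned by
# a non-admin, and one harmless app whose secret has simply expired.
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
ADMINS = {"admin@contoso.example"}
APPS = [
    {"displayName": "HR Sync", "owners": ["jsmith@contoso.example"],
     "appPermissions": ["Directory.ReadWrite.All", "User.Read.All"],
     "passwordCredentials": [{"keyId": "k1", "startDateTime": "2024-01-01T00:00:00Z",
                              "endDateTime": "2027-01-01T00:00:00Z"}]},
    {"displayName": "Mail Reporter", "owners": ["admin@contoso.example"],
     "appPermissions": ["Mail.Read"],
     "passwordCredentials": [{"keyId": "k2", "startDateTime": "2023-01-01T00:00:00Z",
                              "endDateTime": "2024-01-01T00:00:00Z"}]},
]

if __name__ == "__main__":
    for finding in run(APPS, ADMINS, NOW):
        print(*finding)
```

The expired-credential finding is the easy one; the one to act on first is the combination of WID-001 and HVT-001 on "HR Sync", where a non-admin owner sits one `addPassword` call away from Directory.ReadWrite.All.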
Monitoring & Detection
| ID | Title | Severity |
|---|---|---|
| SENT-MON-001 | Entra ID recommendations are reviewed (none in critical state) | Medium |
| SENT-MON-002 | No stale guest accounts (inactive > 90 days) | Low |
| SENT-MON-003 | No disabled accounts with active role assignments | Medium |
| SENT-MON-004 | No high-risk users remain unreviewed | High |
| SENT-MON-005 | High-priority Entra recommendations are addressed | Medium |
Active Directory checks (ad mode)
AD Privileged Access
| ID | Title | Severity |
|---|---|---|
| SENT-ADPRIV-001 | Domain Admins group has limited membership | Critical |
| SENT-ADPRIV-002 | Enterprise Admins group is empty or minimal | Critical |
| SENT-ADPRIV-003 | No accounts configured for unconstrained delegation | Critical |
| SENT-ADPRIV-004 | No non-default accounts have DCSync replication rights | Critical |
| SENT-ADPRIV-005 | No privileged accounts are Kerberoastable | High |
| SENT-ADPRIV-006 | No accounts have Kerberos pre-authentication disabled | High |
Why it matters: Domain Admins and Enterprise Admins are Tier 0 on premises; full domain and forest compromise starts here. Unconstrained delegation and DCSync rights are among the most commonly abused paths to domain takeover (Mimikatz, Impacket and BloodHound attack chains). A Kerberoastable privileged account gives any authenticated domain user a service ticket to crack offline against that account's password, and an account with pre-authentication disabled gives the same to anyone who can reach a DC and knows the username, with no credentials at all.
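Three of the checks above are decided by per-account LDAP attributes: unconstrained delegation and pre-authentication are bits in `userAccountControl`, and Kerberoastability is the presence of a `servicePrincipalName` on a user object (with `adminCount=1` marking it as privileged). The following is an added example, not GrantFlow Sentinel code, that classifies constructed account records the way SENT-ADPRIV-003/-005/-006 would; DCSync rights (ADPRIV-004) need ACL parsing of the domain object and are not covered here. In a real run the records come from LDAP; the bitwise-AND matching rule lets the server do the filtering, for example `(&(objectCategory=person)(userAccountControl:1.2.840.113556.1.4.803:=4194304))` selects AS-REP roastable users.

```python
"""Classification of the SENT-ADPRIV-003/-005/-006 kind from userAccountControl,
servicePrincipalName and adminCount.  Added example, not GrantFlow Sentinel code;
the account records below are constructed."""

UF_ACCOUNTDISABLE = 0x0002
UF_WORKSTATION_TRUST_ACCOUNT = 0x1000     # member computer account
UF_SERVER_TRUST_ACCOUNT = 0x2000          # domain controller account
UF_TRUSTED_FOR_DELEGATION = 0x80000       # unconstrained delegation
UF_DONT_REQUIRE_PREAUTH = 0x400000        # AS-REP roastable (4194304 decimal)


def is_computer(acct):
    return bool(acct["uac"] & (UF_WORKSTATION_TRUST_ACCOUNT | UF_SERVER_TRUST_ACCOUNT))


def unconstrained_delegation(accounts):
    """ADPRIV-003: anything with TRUSTED_FOR_DELEGATION except DCs, which need it."""
    return [a["sam"] for a in accounts
            if a["uac"] & UF_TRUSTED_FOR_DELEGATION
            and not a["uac"] & UF_SERVER_TRUST_ACCOUNT]


def kerberoastable_privileged(accounts):
    """ADPRIV-005: user (not computer) accounts with an SPN and adminCount=1.
    krbtgt always has both and is excluded; computer accounts have random
    120-character passwords, so their SPNs are not crackable in practice."""
    return [a["sam"] for a in accounts
            if a["spns"] and a.get("adminCount") == 1
            and not is_computer(a) and a["sam"].lower() != "krbtgt"]


def asrep_roastable(accounts):
    """ADPRIV-006: pre-authentication disabled on an enabled account."""
    return [a["sam"] for a in accounts
            if a["uac"] & UF_DONT_REQUIRE_PREAUTH
            and not a["uac"] & UF_ACCOUNTDISABLE]


def evaluate(accounts):
    return {"SENT-ADPRIV-003": unconstrained_delegation(accounts),
            "SENT-ADPRIV-005": kerberoastable_privileged(accounts),
            "SENT-ADPRIV-006": asrep_roastable(accounts)}


# Constructed sample directory (uac values are the raw userAccountControl bits).
ACCOUNTS = [
    {"sam": "DC01$", "uac": 0x82000, "spns": ["HOST/dc01"], "adminCount": 1},    # DC: expected
    {"sam": "APP01$", "uac": 0x81000, "spns": ["HOST/app01"], "adminCount": 0},  # unconstrained
    {"sam": "svc_sql", "uac": 0x10200, "spns": ["MSSQLSvc/sql01:1433"], "adminCount": 1},
    {"sam": "svc_web", "uac": 0x10200, "spns": ["HTTP/web01"], "adminCount": 0},
    {"sam": "legacy_user", "uac": 0x400200, "spns": [], "adminCount": 0},
    {"sam": "old_user", "uac": 0x400202, "spns": [], "adminCount": 0},           # disabled
    {"sam": "krbtgt", "uac": 0x202, "spns": ["kadmin/changepw"], "adminCount": 1},
]

if __name__ == "__main__":
    for check, hits in evaluate(ACCOUNTS).items():
        print(check, hits)
```

Note that `adminCount=1` is sticky: it stays set after an account leaves a protected group, so a production check should confirm current membership (or the absence of ACL inheritance) before rating a Kerberoastable account as privileged.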
AD Protocol Security
| ID | Title | Severity |
|---|---|---|
| SENT-ADPROT-001 | LDAP signing is required on Domain Controllers | High |
| SENT-ADPROT-002 | SMB signing is required | High |
| SENT-ADPROT-003 | LLMNR is disabled across the domain | High |
| SENT-ADPROT-004 | NetBIOS over TCP/IP is disabled | Medium |
| SENT-ADPROT-005 | NTLM authentication is restricted or audited | Medium |
Why it matters: LLMNR and NetBIOS name poisoning (Responder) are among the most common internal network attack techniques; they capture NTLM challenge-responses that can be cracked offline or relayed. NTLM relay to SMB or LDAP on hosts that do not require signing yields immediate code execution or directory changes as the relayed user. These checks are all low-cost, high-impact hardening steps.
AD Hygiene
| ID | Title | Severity |
|---|---|---|
| SENT-ADHYG-001 | Domain password policy meets minimum security standards | High |
| SENT-ADHYG-002 | No stale computer accounts (inactive > 90 days) | Medium |
| SENT-ADHYG-003 | No stale user accounts (inactive > 90 days) | Medium |
| SENT-ADHYG-004 | No disabled accounts retain privileged group memberships | High |
| SENT-ADHYG-005 | LAPS is deployed for local administrator password management | High |
| SENT-ADHYG-100 | AI-powered comprehensive AD hygiene security analysis | Info |
AI-assisted check (SENT-ADHYG-100)
SENT-ADHYG-100 uses AI to perform a comprehensive analysis of AD hygiene, correlating stale accounts, password policy gaps, LAPS coverage, disabled-account risks and service account exposure into actionable attack narratives. It requires an AI endpoint configured in sentinel.yaml or via environment variables.
AD Credential Exposure
| ID | Title | Severity |
|---|---|---|
| SENT-ADCRED-001 | No Group Policy Preferences passwords found in SYSVOL | Critical |
| SENT-ADCRED-002 | Service accounts use Group Managed Service Accounts (gMSA) | Medium |
| SENT-ADCRED-003 | No credentials stored in user description fields | High |
| SENT-ADCRED-004 | AI scan: no credentials hidden in user description fields | High |
AI-assisted check (SENT-ADCRED-004)
SENT-ADCRED-004 uses AI to analyze user description fields for obfuscated credentials, encoded passwords, and other credential-like patterns that regular expression matching misses. This check requires an AI endpoint configured in sentinel.yaml or via environment variables. Without it, the check is skipped.
Why it matters: GPP passwords in SYSVOL (SENT-ADCRED-001) are encrypted with a static AES key that Microsoft itself published in its documentation, and SYSVOL is readable by every domain user by design, so any domain user can decrypt them; common tooling does it automatically. MS14-025 (May 2014) stopped the Group Policy editor from storing new passwords but left existing ones in place, so any domain built before that patch should run this check immediately.
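The check is a walk of the SYSVOL share for Preferences XML files carrying a `cpassword` attribute. The following is an added example, not GrantFlow Sentinel code: it builds a small constructed SYSVOL tree in a temporary directory, scans it, and reports the file and account for each stored password. The `cpassword` value is the sample string that circulates in public gpp-decrypt write-ups, not a real credential, and the GPO GUID is a placeholder. Decryption is shown for completeness and uses the `cryptography` package if it is installed (an assumption) together with the published static key; without the package it returns None.

```python
"""SYSVOL scan for Group Policy Preferences cpassword values (SENT-ADCRED-001).
Added example, not GrantFlow Sentinel code; the SYSVOL tree is constructed."""
import base64
import os
import tempfile
import xml.etree.ElementTree as ET

# Preferences file types that can carry a cpassword attribute.
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml"}
# Attribute names the different file types use for the account.
ACCOUNT_ATTRS = ("userName", "runAs", "accountName", "username", "newName")
# Static AES-256 key Microsoft published for GPP password "encryption".
GPP_AES_KEY = bytes.fromhex(
    "4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b")


def scan_sysvol(root):
    """Return (relative path, account, cpassword) for every element that
    carries a non-empty cpassword attribute anywhere under `root`."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name not in GPP_FILES:
                continue
            path = os.path.join(dirpath, name)
            try:
                tree = ET.parse(path)
            except ET.ParseError:
                continue        # malformed XML still deserves a manual look
            for elem in tree.iter():
                cp = elem.get("cpassword")
                if cp:
                    account = next((elem.get(a) for a in ACCOUNT_ATTRS if elem.get(a)), "?")
                    findings.append((os.path.relpath(path, root), account, cp))
    return findings


def decrypt_cpassword(cpassword):
    """AES-256-CBC with a zero IV, PKCS#7 padding, UTF-16LE plaintext.
    Needs the `cryptography` package (assumption); returns None without it."""
    try:
        from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    except ImportError:
        return None
    data = base64.b64decode(cpassword + "=" * (-len(cpassword) % 4))  # GPP strips '='
    dec = Cipher(algorithms.AES(GPP_AES_KEY), modes.CBC(b"\x00" * 16)).decryptor()
    plain = dec.update(data) + dec.finalize()
    return plain[:-plain[-1]].decode("utf-16-le")


GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="LocalAdmin" changed="2013-05-01 10:00:00">
    <Properties action="U" cpassword="j1Uyj3Vx8TY9LtLZil2uAuZkFQA/4latT76ZwgdHdhw"
                userName="LocalAdmin" neverExpires="1"/>
  </User>
</Groups>
"""


def build_sample_sysvol():
    """Constructed layout: Policies\\{GUID}\\Machine\\Preferences\\Groups\\Groups.xml."""
    root = tempfile.mkdtemp(prefix="sysvol-")
    gpo = os.path.join(root, "Policies", "{A1B2C3D4-0000-4000-8000-000000000001}",
                       "Machine", "Preferences", "Groups")
    os.makedirs(gpo)
    with open(os.path.join(gpo, "Groups.xml"), "w", encoding="utf-8") as fh:
        fh.write(GROUPS_XML)
    return root


if __name__ == "__main__":
    for rel, account, cp in scan_sysvol(build_sample_sysvol()):
        print(rel, account, decrypt_cpassword(cp) or cp)
```

Point `scan_sysvol` at a mounted `\\<domain>\SYSVOL\<domain>` share to run it for real. Removing the XML file is only half the fix: the account whose password it held has to be rotated, because the value has been readable by every domain user since the preference was created.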
AD Certificate Services
| ID | Title | Severity |
|---|---|---|
| SENT-ADCS-001 | No certificate templates vulnerable to ESC1 (enrollee-supplied subject + client auth) | Critical |
| SENT-ADCS-002 | No certificate templates vulnerable to ESC2 (any purpose / no EKU with broad enrollment) | High |
| SENT-ADCS-003 | No certificate templates vulnerable to ESC3 (unrestricted Certificate Request Agent) | High |
| SENT-ADCS-004 | No certificate templates have vulnerable ACLs (non-admin can modify) | High |
| SENT-ADCS-005 | No CAs have EDITF_ATTRIBUTESUBJECTALTNAME2 enabled (ESC6) | Critical |
| SENT-ADCS-006 | No HTTP-only certificate enrollment endpoints (ESC8 — NTLM relay) | High |
| SENT-ADCS-007 | CA web enrollment is disabled or properly secured | Medium |
| SENT-ADCS-100 | AI-powered comprehensive ADCS security analysis | Info |
AI-assisted check (SENT-ADCS-100)
SENT-ADCS-100 uses AI to perform a comprehensive analysis of the entire ADCS environment, identifying attack chains across CAs and templates, risk correlations, and prioritized remediation steps. It requires an AI endpoint configured in sentinel.yaml or via environment variables.
Why it matters: Active Directory Certificate Services (ADCS) misconfigurations are among the most impactful attack vectors in on-premises environments. With ESC1 (a published template that lets the enrollee supply the subject, permits client authentication, needs no manager approval and is enrollable by low-privileged users) any domain user can request a certificate in the name of a Domain Admin and authenticate with it over PKINIT. These checks cover ESC1–ESC4, ESC6 and ESC8, the most commonly exploited ADCS attack paths documented by SpecterOps. Coverage for ESC5 and ESC7 is planned for a future release.
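ESC1, ESC2 and ESC3 are all decided from a handful of attributes on each `pKICertificateTemplate` object plus who holds the Enroll right. The following is an added example, not GrantFlow Sentinel code, that classifies constructed template records with those rules. Real collection reads the templates under `CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,...`, checks which CAs publish each one, and resolves enrollment rights from `nTSecurityDescriptor` ACEs granting the Certificate-Enrollment extended right (GUID 0e10c968-78fb-11d1-a76c-0000f80367c1); here the SIDs holding Enroll are supplied directly, and the template names, CA name and domain SID are constructed.

```python
"""Template classification of the SENT-ADCS-001/-002/-003 kind.  Added example,
not GrantFlow Sentinel code; templates, CA name and SIDs are constructed."""

# Relevant bits of msPKI-Certificate-Name-Flag and msPKI-Enrollment-Flag.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002        # manager approval required

CLIENT_AUTH_EKUS = {"1.3.6.1.5.5.7.3.2",       # Client Authentication
                    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
                    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
                    "2.5.29.37.0"}             # Any Purpose
ANY_PURPOSE = "2.5.29.37.0"
CERT_REQUEST_AGENT = "1.3.6.1.4.1.311.20.2.1"

LOW_PRIV_SIDS = {"S-1-1-0", "S-1-5-11", "S-1-5-32-545"}   # Everyone, Authenticated Users, Users
LOW_PRIV_RIDS = {"513", "515"}                            # Domain Users, Domain Computers


def low_priv_can_enroll(template):
    return any(sid in LOW_PRIV_SIDS or sid.rsplit("-", 1)[-1] in LOW_PRIV_RIDS
               for sid in template["enroll_sids"])


def enrollable_without_review(template):
    """Published, low-priv enrollable, no manager approval, no RA signatures."""
    return (bool(template["published_by"])
            and low_priv_can_enroll(template)
            and not template["enrollment_flag"] & CT_FLAG_PEND_ALL_REQUESTS
            and template["ra_signatures"] == 0)


def allows_client_auth(template):
    eku = set(template["eku"])
    return not eku or bool(eku & CLIENT_AUTH_EKUS)   # no EKU at all means any purpose


def classify(template):
    findings = []
    if not enrollable_without_review(template):
        return findings
    if template["name_flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT and allows_client_auth(template):
        findings.append("ESC1")
    if not template["eku"] or ANY_PURPOSE in template["eku"]:
        findings.append("ESC2")
    if CERT_REQUEST_AGENT in template["eku"]:
        findings.append("ESC3")      # first half of ESC3; the agent-enrollment target is separate
    return findings


def evaluate(templates):
    return {t["name"]: classify(t) for t in templates}


# Constructed templates; S-1-5-21-1-2-3 stands in for the domain SID.
TEMPLATES = [
    {"name": "VPNUsers", "published_by": ["CORP-CA"], "enroll_sids": ["S-1-5-21-1-2-3-513"],
     "name_flag": 0x1, "enrollment_flag": 0x0, "ra_signatures": 0,
     "eku": ["1.3.6.1.5.5.7.3.2"]},                                   # ESC1
    {"name": "User", "published_by": ["CORP-CA"], "enroll_sids": ["S-1-5-21-1-2-3-513"],
     "name_flag": 0x2000000, "enrollment_flag": 0x0, "ra_signatures": 0,
     "eku": ["1.3.6.1.5.5.7.3.2", "1.3.6.1.4.1.311.10.3.4", "1.3.6.1.5.5.7.3.4"]},  # subject from AD
    {"name": "LegacyAny", "published_by": ["CORP-CA"], "enroll_sids": ["S-1-5-11"],
     "name_flag": 0x1, "enrollment_flag": 0x0, "ra_signatures": 0,
     "eku": ["2.5.29.37.0"]},                                         # ESC1 and ESC2
    {"name": "Approved", "published_by": ["CORP-CA"], "enroll_sids": ["S-1-1-0"],
     "name_flag": 0x1, "enrollment_flag": 0x2, "ra_signatures": 0,
     "eku": ["1.3.6.1.5.5.7.3.2"]},                                   # manager approval saves it
    {"name": "EnrollmentAgent", "published_by": ["CORP-CA"], "enroll_sids": ["S-1-5-11"],
     "name_flag": 0x0, "enrollment_flag": 0x0, "ra_signatures": 0,
     "eku": ["1.3.6.1.4.1.311.20.2.1"]},                              # ESC3
    {"name": "Unpublished", "published_by": [], "enroll_sids": ["S-1-1-0"],
     "name_flag": 0x1, "enrollment_flag": 0x0, "ra_signatures": 0, "eku": []},
]

if __name__ == "__main__":
    for name, findings in evaluate(TEMPLATES).items():
        print(f"{name:16} {findings or 'ok'}")
```

The "Approved" and "Unpublished" entries show why the pre-conditions matter: an ESC1-shaped template is only exploitable if a low-privileged principal can actually obtain a certificate from it without review, which is why fixes that add manager approval or unpublish the template are valid alternatives to removing the enrollee-supplies-subject flag.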
Cross-platform ADCS scanning
ADCS checks use native LDAP collection, which works on macOS and Linux; no Windows or PowerShell is required. Templates and CA objects live in the Configuration naming context (under CN=Public Key Services,CN=Services,CN=Configuration), which any authenticated domain account can read. Configure ldap_server, ldap_tls, ldap_bind_dn, and ldap_bind_pass in sentinel.yaml to connect to your Domain Controller, and enable ldap_tls so the bind password does not cross the network in clear text. See Configuration for details.
Linux checks (linux mode)
Linux Access Control
| ID | Title | Severity |
|---|---|---|
| SENT-LNXACC-001 | SSH root login is disabled | Critical |
| SENT-LNXACC-002 | SSH password authentication is disabled (key-only) | High |
| SENT-LNXACC-003 | No user accounts have empty passwords | Critical |
| SENT-LNXACC-004 | Only root has UID 0 | Critical |
| SENT-LNXACC-005 | No broad NOPASSWD sudo rules configured | High |
| SENT-LNXACC-006 | No unusual SUID/SGID binaries detected | High |
Linux Network Security
| ID | Title | Severity |
|---|---|---|
| SENT-LNXNET-001 | Host firewall is enabled and active | High |
| SENT-LNXNET-002 | Services bind to specific interfaces, not 0.0.0.0 | Medium |
Linux System Hardening
| ID | Title | Severity |
|---|---|---|
| SENT-LNXHRD-001 | Kernel ASLR (Address Space Layout Randomization) is fully enabled | Medium |
| SENT-LNXHRD-002 | Ptrace scope is restricted | Medium |
| SENT-LNXHRD-003 | Core dumps are disabled | Low |
| SENT-LNXHRD-004 | Linux audit daemon (auditd) is running | High |
| SENT-LNXHRD-005 | Unattended security updates are enabled | Medium |
| SENT-LNXHRD-006 | Sensitive files have correct permissions | High |
| SENT-LNXHRD-007 | IP forwarding is disabled (unless required) | Low |
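Most of the Linux checks reduce to reading a configuration file or a sysctl value and comparing it with an expected setting, but the SSH checks have a trap: sshd takes the first value it sees for a keyword, expands `Include` directives in place, and treats everything after a `Match` line as conditional. On a stock Ubuntu cloud image the main file includes `sshd_config.d/*.conf` at the top, so a drop-in such as `50-cloud-init.conf` setting `PasswordAuthentication yes` silently wins over a `PasswordAuthentication no` further down in `sshd_config`. The following is an added example, not GrantFlow Sentinel code, that evaluates SENT-LNXACC-001/-002 with those rules and SENT-LNXHRD-001/-002/-003/-007 from sysctl output; the configuration files and sysctl lines are constructed to show that override.

```python
"""Host-side checks of the SENT-LNXACC-001/-002 and SENT-LNXHRD-001/-002/-003/-007
kind.  Added example, not GrantFlow Sentinel code; the files and sysctl output
below are constructed, modelled on a stock Ubuntu cloud image."""
import fnmatch

# sshd defaults when a keyword is absent (OpenSSH 7.0 and later).
SSHD_DEFAULTS = {"permitrootlogin": "prohibit-password", "passwordauthentication": "yes"}


def effective_sshd_config(files, main="/etc/ssh/sshd_config"):
    """Global effective values following sshd's rules: keywords are case-
    insensitive, the FIRST value seen wins, Include is expanded in place and
    everything after the first Match line is conditional (ignored here).
    `sshd -T` is the authoritative way to print the effective configuration."""
    effective = dict(SSHD_DEFAULTS)
    seen = set()

    def walk(path):
        for raw in files.get(path, "").splitlines():
            line = raw.split("#", 1)[0].strip()
            if not line:
                continue
            parts = line.replace("=", " ", 1).split(None, 1)
            key, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
            if key == "match":
                return True                       # rest of this file is conditional
            if key == "include":
                for inc in sorted(p for p in files if fnmatch.fnmatch(p, value)):
                    if walk(inc):
                        return True
            elif key not in seen:
                seen.add(key)
                effective[key] = value
        return False

    walk(main)
    return effective


def ssh_findings(files):
    cfg = effective_sshd_config(files)
    findings = []
    # prohibit-password still allows key-based root login; only "no" passes.
    if cfg["permitrootlogin"] != "no":
        findings.append(("SENT-LNXACC-001", "PermitRootLogin", cfg["permitrootlogin"]))
    if cfg["passwordauthentication"] != "no":
        findings.append(("SENT-LNXACC-002", "PasswordAuthentication", cfg["passwordauthentication"]))
    return findings


# sysctl key -> (acceptable values, check).  fs.suid_dumpable only covers set-uid
# core dumps; a full LNXHRD-003 check also looks at limits.conf and systemd-coredump.
SYSCTL_EXPECTED = {
    "kernel.randomize_va_space": ({"2"}, "SENT-LNXHRD-001"),
    "kernel.yama.ptrace_scope": ({"1", "2", "3"}, "SENT-LNXHRD-002"),
    "fs.suid_dumpable": ({"0"}, "SENT-LNXHRD-003"),
    "net.ipv4.ip_forward": ({"0"}, "SENT-LNXHRD-007"),
}


def sysctl_findings(sysctl_output):
    """Parse `sysctl -a`-style 'key = value' lines and report deviations."""
    values = {}
    for line in sysctl_output.splitlines():
        if "=" in line:
            key, _, value = line.partition("=")
            values[key.strip()] = value.strip()
    return [(check, key, values.get(key, "<missing>"))
            for key, (ok, check) in SYSCTL_EXPECTED.items()
            if values.get(key) not in ok]


# Constructed host: the drop-in's PasswordAuthentication wins over the main file.
FILES = {
    "/etc/ssh/sshd_config": ("Include /etc/ssh/sshd_config.d/*.conf\n"
                             "PermitRootLogin prohibit-password\n"
                             "PasswordAuthentication no\n"
                             "Match Address 10.0.0.0/8\n"
                             "    PasswordAuthentication yes\n"),
    "/etc/ssh/sshd_config.d/50-cloud-init.conf": "PasswordAuthentication yes\n",
}
SYSCTL = ("kernel.randomize_va_space = 2\n"
          "kernel.yama.ptrace_scope = 0\n"
          "fs.suid_dumpable = 0\n"
          "net.ipv4.ip_forward = 1\n")

if __name__ == "__main__":
    for finding in ssh_findings(FILES) + sysctl_findings(SYSCTL):
        print(*finding)
```

A naive `grep PasswordAuthentication /etc/ssh/sshd_config` on this host reports "no" and passes the check; the effective value is "yes". When a host is reachable, comparing against `sshd -T` output is the simplest way to validate any parser of this kind.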
Check count by mode
| Scan mode | Checks |
|---|---|
| Cloud (Entra ID) | 48 |
| AD (on-premises Active Directory) | 29 |
| Linux | 15 |
| Total | 92 |