SecurityIncident
InformationProtectionLogs_CL
SecurityRecommendation
CMMCPolicyMapping
This commit is contained in:
TJ Banasik 2021-09-20 15:38:11 -04:00
Parent 65b413a737
Commit 9ef52a896c
4 changed files: 572 additions and 0 deletions


@ -0,0 +1,122 @@
{
"Name": "InformationProtectionLogs_CL",
"Properties": [
{
"Name": "TenantId",
"Type": "string"
},
{
"Name": "SourceSystem",
"Type": "string"
},
{
"Name": "TimeGenerated [UTC]",
"Type": "datetime"
},
{
"Name": "TimeGenerated_s",
"Type": "datetime"
},
{
"Name": "AadTenantId_g_g",
"Type": "string"
},
{
"Name": "UserId_s_s",
"Type": "string"
},
{
"Name": "Version_s_s",
"Type": "string"
},
{
"Name": "Workload_s_s",
"Type": "string"
},
{
"Name": "ProcessName_s_s",
"Type": "string"
},
{
"Name": "ApplicationName_s_s",
"Type": "string"
},
{
"Name": "Operation_s_s",
"Type": "string"
},
{
"Name": "Platform_s_s",
"Type": "string"
},
{
"Name": "LogId_g_g",
"Type": "string"
},
{
"Name": "IPv4_s_s",
"Type": "string"
},
{
"Name": "DeviceId_g",
"Type": "string"
},
{
"Name": "AadTenantId_g",
"Type": "string"
},
{
"Name": "UserId_s",
"Type": "string"
},
{
"Name": "MachineName_s",
"Type": "string"
},
{
"Name": "Version_s",
"Type": "string"
},
{
"Name": "Workload_s",
"Type": "string"
},
{
"Name": "ProcessName_s",
"Type": "string"
},
{
"Name": "ApplicationName_s",
"Type": "string"
},
{
"Name": "Operation_s",
"Type": "string"
},
{
"Name": "Platform_s",
"Type": "string"
},
{
"Name": "ApplicationId_g",
"Type": "string"
},
{
"Name": "ProductVersion_s",
"Type": "string"
},
{
"Name": "LogId_g",
"Type": "string"
},
{
"Name": "IPv4_s",
"Type": "string"
},
{
"Name": "Type",
"Type": "string"
}
]
}
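
Review bot: Ten property names in this schema carry a doubled type suffix (AadTenantId_g_g, UserId_s_s, Version_s_s, Workload_s_s, ProcessName_s_s, ApplicationName_s_s, Operation_s_s, Platform_s_s, LogId_g_g, IPv4_s_s), and every one of them appears again further down with a single suffix (AadTenantId_g, UserId_s, and so on). That pattern reads like a re-ingestion artifact rather than two sets of real columns, so please confirm both sets exist in the workspace and drop the doubled ones if they do not. Two more naming points in the same list: the entry "TimeGenerated [UTC]" includes a space and a bracketed unit, while the SecurityIncident and SecurityRecommendation schemas in this commit use plain "TimeGenerated"; and "TimeGenerated_s" is typed "datetime" although every other _s column here is typed "string". Either align these with the other schemas or add a short note explaining why this table differs.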


@ -0,0 +1,126 @@
{
"Name": "SecurityIncident",
"Properties": [
{
"Name": "AdditionalData",
"Type": "dynamic"
},
{
"Name": "AlertIds",
"Type": "dynamic"
},
{
"Name": "BookmarkIds",
"Type": "dynamic"
},
{
"Name": "Classification",
"Type": "string"
},
{
"Name": "ClassificationComment",
"Type": "string"
},
{
"Name": "ClassificationReason",
"Type": "string"
},
{
"Name": "ClosedTime",
"Type": "datetime"
},
{
"Name": "Comments",
"Type": "dynamic"
},
{
"Name": "CreatedTime",
"Type": "datetime"
},
{
"Name": "Description",
"Type": "string"
},
{
"Name": "FirstActivityTime",
"Type": "datetime"
},
{
"Name": "FirstModifiedTime",
"Type": "datetime"
},
{
"Name": "IncidentName",
"Type": "string"
},
{
"Name": "IncidentNumber",
"Type": "int"
},
{
"Name": "IncidentUrl",
"Type": "string"
},
{
"Name": "Labels",
"Type": "dynamic"
},
{
"Name": "LastActivityTime",
"Type": "datetime"
},
{
"Name": "LastModifiedTime",
"Type": "datetime"
},
{
"Name": "ModifiedBy",
"Type": "string"
},
{
"Name": "Owner",
"Type": "dynamic"
},
{
"Name": "ProviderIncidentId",
"Type": "string"
},
{
"Name": "ProviderName",
"Type": "string"
},
{
"Name": "RelatedAnalyticRuleIds",
"Type": "dynamic"
},
{
"Name": "Severity",
"Type": "string"
},
{
"Name": "SourceSystem",
"Type": "string"
},
{
"Name": "Status",
"Type": "string"
},
{
"Name": "TenantId",
"Type": "string"
},
{
"Name": "TimeGenerated",
"Type": "datetime"
},
{
"Name": "Title",
"Type": "string"
},
{
"Name": "Type",
"Type": "string"
}
]
}


@ -0,0 +1,82 @@
{
"Name": "SecurityRecommendation",
"Properties": [
{
"Name": "AssessedResourceId",
"Type": "string"
},
{
"Name": "Description",
"Type": "string"
},
{
"Name": "DeviceId",
"Type": "string"
},
{
"Name": "DiscoveredTimeUTC",
"Type": "datetime"
},
{
"Name": "FirstEvaluationDate",
"Type": "datetime"
},
{
"Name": "IsSnapshot",
"Type": "bool"
},
{
"Name": "PolicyDefinitionId",
"Type": "string"
},
{
"Name": "ProviderName",
"Type": "string"
},
{
"Name": "RecommendationAdditionalData",
"Type": "dynamic"
},
{
"Name": "RecommendationDisplayName",
"Type": "string"
},
{
"Name": "RecommendationId",
"Type": "string"
},
{
"Name": "RecommendationName",
"Type": "string"
},
{
"Name": "RecommendationSeverity",
"Type": "string"
},
{
"Name": "RecommendationState",
"Type": "string"
},
{
"Name": "ResolvedTimeUTC",
"Type": "datetime"
},
{
"Name": "ResourceRegion",
"Type": "string"
},
{
"Name": "StatusChangeDate",
"Type": "datetime"
},
{
"Name": "TimeGenerated",
"Type": "datetime"
},
{
"Name": "Type",
"Type": "string"
}
]
}
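
Review bot: The property list for SecurityRecommendation has no "TenantId" or "SourceSystem" entry, although both other schemas added in this commit (InformationProtectionLogs_CL and SecurityIncident) declare them. If the omission is intentional, a one-line note on how this column list was chosen would help; otherwise add the two entries so the three schema files stay consistent.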


@ -0,0 +1,242 @@
RecommendationName,ControlFamily,ControlNumber,MaturityLevel,800171Map,80053Map
Access to storage accounts with firewall and virtual network configurations should be restricted,Access Control,AC.1.001,ML-1,3.1.1,"AC-2, AC-3, AC-17"
Storage account public access should be disallowed,Access Control,AC.1.001,ML-1,3.1.1,"AC-2, AC-3, AC-17"
Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities,Access Control,AC.1.001,ML-1,3.1.1,"AC-2, AC-3, AC-17"
Windows machines should meet requirements for 'Security Options - Network Access',Access Control,AC.1.001,ML-1,3.1.1,"AC-2, AC-3, AC-17"
Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs,Access Control,AC.1.001,ML-1,3.1.1,"AC-2, AC-3, AC-17"
Access to storage accounts with firewall and virtual network configurations should be restricted,Access Control,AC.1.002,ML-1,3.1.2,"AC-2, AC-3, AC-17"
Storage account public access should be disallowed,Access Control,AC.1.002,ML-1,3.1.2,"AC-2, AC-3, AC-17"
Windows machines should meet requirements for 'Security Options - Network Access',Access Control,AC.1.002,ML-1,3.1.2,"AC-2, AC-3, AC-17"
Firewall should be enabled on Key Vault,Access Control,AC.1.002,ML-1,3.1.2,"AC-2, AC-3, AC-17"
Audit Linux machines that allow remote connections from accounts without passwords,Access Control,AC.1.002,ML-1,3.1.2,"AC-2, AC-3, AC-17"
RDP access from the Internet should be blocked,Access Control,AC.1.003,ML-1,3.1.20,"AC-20, AC-20(1)"
Adaptive network hardening recommendations should be applied on internet facing virtual machines,Access Control,AC.1.003,ML-1,3.1.20,"AC-20, AC-20(1)"
Virtual networks should be protected by Azure Firewall,Access Control,AC.1.003,ML-1,3.1.20,"AC-20, AC-20(1)"
SSH access from the Internet should be blocked,Access Control,AC.1.003,ML-1,3.1.20,"AC-20, AC-20(1)"
Internet-facing virtual machines should be protected with network security groups,Access Control,AC.1.003,ML-1,3.1.20,"AC-20, AC-20(1)"
Management ports of virtual machines should be protected with just-in-time network access control,Access Control,AC.2.007,ML-2,3.1.5,"AC-6, AC-6(1), AC-6(5)"
Role-Based Access Control should be used on Kubernetes Services,Access Control,AC.2.007,ML-2,3.1.5,"AC-6, AC-6(1), AC-6(5)"
External accounts with read permissions should be removed from your subscription,Access Control,AC.2.007,ML-2,3.1.5,"AC-6, AC-6(1), AC-6(5)"
External accounts with write permissions should be removed from your subscription,Access Control,AC.2.007,ML-2,3.1.5,"AC-6, AC-6(1), AC-6(5)"
Windows machines should meet requirements for 'Security Options - User Account Control',Access Control,AC.2.008,ML-2,3.1.6,AC-6(2)
Windows machines should meet requirements for 'User Rights Assignment',Access Control,AC.2.008,ML-2,3.1.6,AC-6(2)
Access to storage accounts with firewall and virtual network configurations should be restricted,Access Control,AC.2.013,ML-2,3.1.12,AC-17(1)
Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities,Access Control,AC.2.013,ML-2,3.1.12,AC-17(1)
Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs,Access Control,AC.2.013,ML-2,3.1.12,AC-17(1)
Windows machines should meet requirements for 'Security Options - Network Security',Access Control,AC.2.013,ML-2,3.1.12,AC-17(1)
Audit Linux machines that allow remote connections from accounts without passwords,Access Control,AC.2.013,ML-2,3.1.12,AC-17(1)
RDP access from the Internet should be blocked,Access Control,AC.2.015,ML-2,3.1.14,AC-17(3)
Access to storage accounts with firewall and virtual network configurations should be restricted,Access Control,AC.2.016,ML-2,3.1.3,AC-4
Storage account public access should be disallowed,Access Control,AC.2.016,ML-2,3.1.3,AC-4
Windows machines should meet requirements for 'Security Options - Network Access',Access Control,AC.2.016,ML-2,3.1.3,AC-4
RDP access from the Internet should be blocked,Access Control,AC.2.016,ML-2,3.1.3,AC-4
Adaptive network hardening recommendations should be applied on internet facing virtual machines,Access Control,AC.2.016,ML-2,3.1.3,AC-4
Audit Windows machines missing any of specified members in the Administrators group,Access Control,AC.3.017,ML-3,3.1.4,AC-5
Audit Windows machines that have the specified members in the Administrators group,Access Control,AC.3.017,ML-3,3.1.4,AC-5
A maximum of 3 owners should be designated for your subscription,Access Control,AC.3.017,ML-3,3.1.4,AC-5
There should be more than one owner assigned to your subscription,Access Control,AC.3.017,ML-3,3.1.4,AC-5
Windows machines should meet requirements for 'System Audit Policies - Privilege Use',Access Control,AC.3.018,ML-3,3.1.7,"AC-6(9), AC-6(10)"
An activity log alert should exist for Delete SQL Server Firewall Rule,Access Control,AC.3.018,ML-3,3.1.7,"AC-6(9), AC-6(10)"
An activity log alert should exist for the Delete Network Security Group Rule,Access Control,AC.3.018,ML-3,3.1.7,"AC-6(9), AC-6(10)"
An activity log alert should exist for Delete Network Security Solution,Access Control,AC.3.018,ML-3,3.1.7,"AC-6(9), AC-6(10)"
An activity log alert should exist for the Delete Classic Network Security Group Rule,Access Control,AC.3.018,ML-3,3.1.7,"AC-6(9), AC-6(10)"
Guest Configuration extension should be installed on your machines,Access Control,AC.3.021,ML-3,3.1.15,AC-17(4)
Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities,Access Control,AC.3.021,ML-3,3.1.15,AC-17(4)
Windows machines should meet requirements for 'Security Options - User Account Control',Access Control,AC.3.021,ML-3,3.1.15,AC-17(4)
Windows machines should meet requirements for 'User Rights Assignment',Access Control,AC.3.021,ML-3,3.1.15,AC-17(4)
Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs,Access Control,AC.3.021,ML-3,3.1.15,AC-17(4)
Audit diagnostic setting,Audit & Accountability,AU.2.041,ML-2,3.3.2,"AU-2, AU-3, AU-3(1), AU-6, AU-11, AU-12"
Virtual machines should be connected to a specified workspace,Audit & Accountability,AU.2.041,ML-2,3.3.2,"AU-2, AU-3, AU-3(1), AU-6, AU-11, AU-12"
The Log Analytics agent should be installed on virtual machines,Audit & Accountability,AU.2.041,ML-2,3.3.2,"AU-2, AU-3, AU-3(1), AU-6, AU-11, AU-12"
An activity log alert should exist for Delete SQL Server Firewall Rule,Audit & Accountability,AU.2.041,ML-2,3.3.2,"AU-2, AU-3, AU-3(1), AU-6, AU-11, AU-12"
An activity log alert should exist for the Delete Network Security Group Rule,Audit & Accountability,AU.2.041,ML-2,3.3.2,"AU-2, AU-3, AU-3(1), AU-6, AU-11, AU-12"
Audit diagnostic setting,Audit & Accountability,AU.2.042,ML-2,3.3.1,"AU-2, AU-3, AU-3(1), AU-6, AU-11, AU-12"
Virtual machines should be connected to a specified workspace,Audit & Accountability,AU.2.042,ML-2,3.3.1,"AU-2, AU-3, AU-3(1), AU-6, AU-11, AU-12"
The Log Analytics agent should be installed on virtual machines,Audit & Accountability,AU.2.042,ML-2,3.3.1,"AU-2, AU-3, AU-3(1), AU-6, AU-11, AU-12"
An activity log alert should exist for Delete SQL Server Firewall Rule,Audit & Accountability,AU.2.042,ML-2,3.3.1,"AU-2, AU-3, AU-3(1), AU-6, AU-11, AU-12"
An activity log alert should exist for the Delete Network Security Group Rule,Audit & Accountability,AU.2.042,ML-2,3.3.1,"AU-2, AU-3, AU-3(1), AU-6, AU-11, AU-12"
Audit diagnostic setting,Audit & Accountability,AU.3.046,ML-3,3.3.4,AU-5
Virtual machines should be connected to a specified workspace,Audit & Accountability,AU.3.046,ML-3,3.3.4,AU-5
Azure Defender for SQL should be enabled for unprotected SQL Managed Instances,Audit & Accountability,AU.3.046,ML-3,3.3.4,AU-5
Log Analytics agent should be enabled in virtual machine scale sets for listed virtual machine images,Audit & Accountability,AU.3.046,ML-3,3.3.4,AU-5
[Preview]: Log Analytics Agent should be enabled for listed virtual machine images,Audit & Accountability,AU.3.046,ML-3,3.3.4,AU-5
Audit diagnostic setting,Audit & Accountability,AU.3.048,ML-3,,AU-6(4)
Virtual machines should be connected to a specified workspace,Audit & Accountability,AU.3.048,ML-3,,AU-6(4)
The Log Analytics agent should be installed on virtual machines,Audit & Accountability,AU.3.048,ML-3,,AU-6(4)
Diagnostic logs should be enabled in App Service,Audit & Accountability,AU.3.048,ML-3,,AU-6(4)
Log Analytics agent should be enabled in virtual machine scale sets for listed virtual machine images,Audit & Accountability,AU.3.048,ML-3,,AU-6(4)
Audit diagnostic setting,Audit & Accountability,AU.3.047,ML-3,3.3.8,"AU-6(7), AU-9"
An activity log alert should exist for specific Policy operations,Audit & Accountability,AU.3.047,ML-3,3.3.8,"AU-6(7), AU-9"
Adaptive application controls for defining safe applications should be enabled on your machines,Security Assessment,CA.2.158,ML-2,3.12.1,"CA-2, CA-5, CA-7, PL-2"
Vulnerabilities in your virtual machines should be remediated,Security Assessment,CA.2.158,ML-2,3.12.1,"CA-2, CA-5, CA-7, PL-2"
Endpoint protection health issues should be resolved on your machines,Security Assessment,CA.2.158,ML-2,3.12.1,"CA-2, CA-5, CA-7, PL-2"
Vulnerability assessment should be enabled on your SQL servers,Security Assessment,CA.2.158,ML-2,3.12.1,"CA-2, CA-5, CA-7, PL-2"
An activity log alert should exist for Delete Security Solution,Security Assessment,CA.2.158,ML-2,3.12.1,"CA-2, CA-5, CA-7, PL-2"
Adaptive application controls for defining safe applications should be enabled on your machines,Security Assessment,CA.3.161,ML-3,3.12.3,"CA-2, CA-5, CA-7, PL-2"
Vulnerabilities in your virtual machines should be remediated,Security Assessment,CA.3.161,ML-3,3.12.3,"CA-2, CA-5, CA-7, PL-2"
Endpoint protection health issues should be resolved on your machines,Security Assessment,CA.3.161,ML-3,3.12.3,"CA-2, CA-5, CA-7, PL-2"
Vulnerability assessment should be enabled on your SQL servers,Security Assessment,CA.3.161,ML-3,3.12.3,"CA-2, CA-5, CA-7, PL-2"
An activity log alert should exist for Delete Security Solution,Security Assessment,CA.3.161,ML-3,3.12.3,"CA-2, CA-5, CA-7, PL-2"
Adaptive application controls for defining safe applications should be enabled on your machines,Configuration Management,CM.2.061,ML-2,3.4.1,"CM-2, CM-6, CM-8, CM-8(1)"
An activity log alert should exist for specific Policy operations,Configuration Management,CM.2.061,ML-2,3.4.1,"CM-2, CM-6, CM-8, CM-8(1)"
Windows machines should meet requirements for 'System Audit Policies - Privilege Use',Configuration Management,CM.2.062,ML-2,3.4.6,CM-7
Role-Based Access Control should be used on Kubernetes Services,Configuration Management,CM.2.062,ML-2,3.4.6,CM-7
Windows machines should meet requirements for 'Security Options - User Account Control',Configuration Management,CM.2.063,ML-2,3.4.9,CM-11
Adaptive application controls for defining safe applications should be enabled on your machines,Configuration Management,CM.2.063,ML-2,3.4.9,CM-11
Allowlist rules in your adaptive application control policy should be updated,Configuration Management,CM.2.063,ML-2,3.4.9,CM-11
Security Center standard pricing tier should be selected,Configuration Management,CM.2.063,ML-2,3.4.9,CM-11
Windows machines should meet requirements for 'Security Options - Network Security',Configuration Management,CM.2.064,ML-2,3.4.2,"CM-2, CM-6,CM-8,CM-8(1)"
Firewall should be enabled on Key Vault,Configuration Management,CM.2.064,ML-2,3.4.2,"CM-2, CM-6,CM-8,CM-8(1)"
All network ports should be restricted on network security groups associated to your virtual machine,Configuration Management,CM.2.064,ML-2,3.4.2,"CM-2, CM-6,CM-8,CM-8(1)"
Virtual networks should be protected by Azure Firewall,Configuration Management,CM.2.064,ML-2,3.4.2,"CM-2, CM-6,CM-8,CM-8(1)"
Web Application Firewall (WAF) should use the specified mode for Azure Front Door Service,Configuration Management,CM.2.064,ML-2,3.4.2,"CM-2, CM-6,CM-8,CM-8(1)"
Windows machines should meet requirements for 'System Audit Policies - Policy Change',Configuration Management,CM.2.065,ML-2,3.4.3,CM-3
An activity log alert should exist for Delete SQL Server Firewall Rule,Configuration Management,CM.2.065,ML-2,3.4.3,CM-3
An activity log alert should exist for the Delete Network Security Group Rule,Configuration Management,CM.2.065,ML-2,3.4.3,CM-3
An activity log alert should exist for Delete Network Security Solution,Configuration Management,CM.2.065,ML-2,3.4.3,CM-3
Azure Monitor should collect activity logs from all regions,Configuration Management,CM.2.065,ML-2,3.4.3,CM-3
Access to storage accounts with firewall and virtual network configurations should be restricted,Configuration Management,CM.3.068,ML-3,3.4.7,"CM-7(1), CM-7(2)"
Storage account public access should be disallowed,Configuration Management,CM.3.068,ML-3,3.4.7,"CM-7(1), CM-7(2)"
Non-internet-facing virtual machines should be protected with network security groups,Configuration Management,CM.3.068,ML-3,3.4.7,"CM-7(1), CM-7(2)"
Subnets should be associated with a network security group,Configuration Management,CM.3.068,ML-3,3.4.7,"CM-7(1), CM-7(2)"
Adaptive application controls for defining safe applications should be enabled on your machines,Configuration Management,CM.3.068,ML-3,3.4.7,"CM-7(1), CM-7(2)"
Adaptive application controls for defining safe applications should be enabled on your machines,Configuration Management,CM.3.069,ML-3,3.4.8,"CM-7(4), CM-7(5)"
Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities,Identification & Authentication,IA.1.077,ML-1,3.5.2,"IA-2, IA-3, IA-5"
Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs,Identification & Authentication,IA.1.077,ML-1,3.5.2,"IA-2, IA-3, IA-5"
Windows machines should meet requirements for 'Security Options - Network Security',Identification & Authentication,IA.1.077,ML-1,3.5.2,"IA-2, IA-3, IA-5"
Audit Linux machines that have accounts without passwords,Identification & Authentication,IA.1.077,ML-1,3.5.2,"IA-2, IA-3, IA-5"
Audit Linux machines that do not have the passwd file permissions set to 0644,Identification & Authentication,IA.1.077,ML-1,3.5.2,"IA-2, IA-3, IA-5"
Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities,Identification & Authentication,IA.2.078,ML-2,3.5.7,IA-5(1)
Audit Windows machines that do not restrict the minimum password length to 14 characters,Identification & Authentication,IA.2.078,ML-2,3.5.7,IA-5(1)
Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs,Identification & Authentication,IA.2.078,ML-2,3.5.7,IA-5(1)
Audit Windows machines that do not have the password complexity setting enabled,Identification & Authentication,IA.2.078,ML-2,3.5.7,IA-5(1)
Windows machines should meet requirements for 'Security Options - Network Security',Identification & Authentication,IA.2.078,ML-2,3.5.7,IA-5(1)
Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities,Identification & Authentication,IA.2.079,ML-2,3.5.8,IA-5(1)
Audit Windows machines that allow re-use of the previous 24 passwords,Identification & Authentication,IA.2.079,ML-2,3.5.8,IA-5(1)
Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs,Identification & Authentication,IA.2.079,ML-2,3.5.8,IA-5(1)
Windows machines should meet requirements for 'Security Options - Network Security',Identification & Authentication,IA.2.079,ML-2,3.5.8,IA-5(1)
Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity,Identification & Authentication,IA.2.079,ML-2,3.5.8,IA-5(1)
Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities,Identification & Authentication,IA.2.079,ML-2,3.5.10,IA-5(1)
Audit Windows machines that do not store passwords using reversible encryption,Identification & Authentication,IA.2.079,ML-2,3.5.10,IA-5(1)
Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs,Identification & Authentication,IA.2.079,ML-2,3.5.10,IA-5(1)
Windows machines should meet requirements for 'Security Options - Network Security',Identification & Authentication,IA.2.079,ML-2,3.5.10,IA-5(1)
Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity,Identification & Authentication,IA.2.079,ML-2,3.5.10,IA-5(1)
MFA should be enabled on accounts with owner permissions on your subscription,Identification & Authentication,IA.3.083,ML-3,3.5.3,"IA-2(1), IA-2(2), IA-2(3)"
MFA should be enabled on accounts with write permissions on your subscription,Identification & Authentication,IA.3.083,ML-3,3.5.3,"IA-2(1), IA-2(2), IA-2(3)"
MFA should be enabled on accounts with read permissions on your subscription,Identification & Authentication,IA.3.083,ML-3,3.5.3,"IA-2(1), IA-2(2), IA-2(3)"
Function App should only be accessible over HTTPS,Identification & Authentication,IA.3.084,ML-3,3.5.4,"IA-2(8),IA-2(9)"
Web Application should only be accessible over HTTPS,Identification & Authentication,IA.3.084,ML-3,3.5.4,"IA-2(8),IA-2(9)"
MFA should be enabled on accounts with owner permissions on your subscription,Identification & Authentication,IA.3.084,ML-3,3.5.4,"IA-2(8),IA-2(9)"
MFA should be enabled on accounts with write permissions on your subscription,Identification & Authentication,IA.3.084,ML-3,3.5.4,"IA-2(8),IA-2(9)"
MFA should be enabled on accounts with read permissions on your subscription,Identification & Authentication,IA.3.084,ML-3,3.5.4,"IA-2(8),IA-2(9)"
Vulnerability Assessment settings for SQL server should contain an email address to receive scan reports,Incident Response,IR.2.092,ML-2,3.6.1,"IR-2, IR-4, IR-5, IR-6, IR-7"
Subscriptions should have a contact email address for security issues,Incident Response,IR.2.092,ML-2,3.6.1,"IR-2, IR-4, IR-5, IR-6, IR-7"
Email notification to subscription owner for high severity alerts should be enabled,Incident Response,IR.2.092,ML-2,3.6.1,"IR-2, IR-4, IR-5, IR-6, IR-7"
Email notification for high severity alerts should be enabled,Incident Response,IR.2.092,ML-2,3.6.1,"IR-2, IR-4, IR-5, IR-6, IR-7"
Flow logs should be configured for every network security group,Incident Response,IR.2.093,ML-2,,"AR-4, AU-13, IA-10, IR-4, IR-5, IR-6, PE-6, RA-6"
Firewall should be enabled on Key Vault,Incident Response,IR.2.093,ML-2,,"AR-4, AU-13, IA-10, IR-4, IR-5, IR-6, PE-6, RA-6"
Endpoint protection health issues should be resolved on your machines,Incident Response,IR.2.093,ML-2,,"AR-4, AU-13, IA-10, IR-4, IR-5, IR-6, PE-6, RA-6"
Virtual networks should be protected by Azure Firewall,Incident Response,IR.2.093,ML-2,,"AR-4, AU-13, IA-10, IR-4, IR-5, IR-6, PE-6, RA-6"
Web Application Firewall (WAF) should use the specified mode for Azure Front Door Service,Incident Response,IR.2.093,ML-2,,"AR-4, AU-13, IA-10, IR-4, IR-5, IR-6, PE-6, RA-6"
Audit virtual machines without disaster recovery configured,Recovery,RE.2.137,ML-2,,"CP-9, CP-9(1)"
Azure Backup should be enabled for virtual machines,Recovery,RE.2.137,ML-2,,"CP-9, CP-9(1)"
Long-term geo-redundant backup should be enabled for Azure SQL Databases,Recovery,RE.2.137,ML-2,,"CP-9, CP-9(1)"
Geo-redundant backup should be enabled for Azure Database for PostgreSQL,Recovery,RE.2.137,ML-2,,"CP-9, CP-9(1)"
Geo-redundant backup should be enabled for Azure Database for MySQL,Recovery,RE.2.137,ML-2,,"CP-9, CP-9(1)"
Audit virtual machines without disaster recovery configured,Recovery,RE.3.139,ML-3,,"CP-9, CP-9(3), CP-9(5)"
Azure Backup should be enabled for virtual machines,Recovery,RE.3.139,ML-3,,"CP-9, CP-9(3), CP-9(5)"
Long-term geo-redundant backup should be enabled for Azure SQL Databases,Recovery,RE.3.139,ML-3,,"CP-9, CP-9(3), CP-9(5)"
Geo-redundant backup should be enabled for Azure Database for PostgreSQL,Recovery,RE.3.139,ML-3,,"CP-9, CP-9(3), CP-9(5)"
Geo-redundant backup should be enabled for Azure Database for MySQL,Recovery,RE.3.139,ML-3,,"CP-9, CP-9(3), CP-9(5)"
Vulnerabilities in your virtual machines should be remediated,Risk Management,RM.2.141,ML-2,3.11.1,RA-3
Vulnerability Assessment settings for SQL server should contain an email address to receive scan reports,Risk Management,RM.2.141,ML-2,3.11.1,RA-3
Vulnerability assessment should be enabled on your SQL servers,Risk Management,RM.2.141,ML-2,3.11.1,RA-3
Azure Defender for SQL should be enabled for unprotected SQL Managed Instances,Risk Management,RM.2.141,ML-2,3.11.1,RA-3
Vulnerability assessment should be enabled on your SQL managed instances,Risk Management,RM.2.141,ML-2,3.11.1,RA-3
Vulnerabilities in your virtual machines should be remediated,Risk Management,RM.2.142,ML-2,3.11.2,"RA-5, RA-5(5)"
Vulnerability Assessment settings for SQL server should contain an email address to receive scan reports,Risk Management,RM.2.142,ML-2,3.11.2,"RA-5, RA-5(5)"
Vulnerability assessment should be enabled on your SQL servers,Risk Management,RM.2.142,ML-2,3.11.2,"RA-5, RA-5(5)"
Azure Defender for SQL should be enabled for unprotected SQL Managed Instances,Risk Management,RM.2.142,ML-2,3.11.2,"RA-5, RA-5(5)"
Vulnerability assessment should be enabled on your SQL managed instances,Risk Management,RM.2.142,ML-2,3.11.2,"RA-5, RA-5(5)"
Vulnerabilities in security configuration on your machines should be remediated,Risk Management,RM.2.143,ML-2,3.11.3,RA-5
Vulnerabilities in your virtual machines should be remediated,Risk Management,RM.2.143,ML-2,3.11.3,RA-5
Vulnerability Assessment settings for SQL server should contain an email address to receive scan reports,Risk Management,RM.2.143,ML-2,3.11.3,RA-5
Vulnerability assessment should be enabled on your SQL servers,Risk Management,RM.2.143,ML-2,3.11.3,RA-5
Vulnerabilities in Azure Container Registry images should be remediated (powered by Qualys),Risk Management,RM.2.143,ML-2,3.11.3,RA-5
Vulnerability Assessment settings for SQL server should contain an email address to receive scan reports,Risk Management,RM.3.144,ML-3,,"CA-2, PM-9, RA-3, SA-20"
Azure Defender for Key Vault should be enabled,Risk Management,RM.3.144,ML-3,,"CA-2, PM-9, RA-3, SA-20"
Azure Defender for Kubernetes should be enabled,Risk Management,RM.3.144,ML-3,,"CA-2, PM-9, RA-3, SA-20"
Azure Defender for SQL servers on machines should be enabled,Risk Management,RM.3.144,ML-3,,"CA-2, PM-9, RA-3, SA-20"
Azure Defender for Azure SQL Database servers should be enabled,Risk Management,RM.3.144,ML-3,,"CA-2, PM-9, RA-3, SA-20"
Access to storage accounts with firewall and virtual network configurations should be restricted,System & Communications Protection,SC.1.175,ML-1,3.13.1,"SC-7, SA-8"
Storage account public access should be disallowed,System & Communications Protection,SC.1.175,ML-1,3.13.1,"SC-7, SA-8"
Windows machines should meet requirements for 'Security Options - Network Access',System & Communications Protection,SC.1.175,ML-1,3.13.1,"SC-7, SA-8"
Windows machines should meet requirements for 'Security Options - Network Security',System & Communications Protection,SC.1.175,ML-1,3.13.1,"SC-7, SA-8"
Non-internet-facing virtual machines should be protected with network security groups,System & Communications Protection,SC.1.175,ML-1,3.13.1,"SC-7, SA-8"
Access to storage accounts with firewall and virtual network configurations should be restricted,System & Communications Protection,SC.1.176,ML-1,3.13.5,SC-7
Subnets should be associated with a network security group,System & Communications Protection,SC.1.176,ML-1,3.13.5,SC-7
Adaptive network hardening recommendations should be applied on internet facing virtual machines,System & Communications Protection,SC.1.176,ML-1,3.13.5,SC-7
All network ports should be restricted on network security groups associated to your virtual machine,System & Communications Protection,SC.1.176,ML-1,3.13.5,SC-7
Internet-facing virtual machines should be protected with network security groups,System & Communications Protection,SC.1.176,ML-1,3.13.5,SC-7
Management ports of virtual machines should be protected with just-in-time network access control,System & Communications Protection,SC.2.179,ML-2,,
[Enable if required] Storage accounts should use customer-managed key (CMK) for encryption,System & Communications Protection,SC.3.177,ML-3,3.13.11,SC-13
Storage accounts should have infrastructure encryption,System & Communications Protection,SC.3.177,ML-3,3.13.11,SC-13
"Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources",System & Communications Protection,SC.3.177,ML-3,3.13.11,SC-13
Audit Windows machines that do not store passwords using reversible encryption,System & Communications Protection,SC.3.177,ML-3,3.13.11,SC-13
Unattached disks should be encrypted,System & Communications Protection,SC.3.177,ML-3,3.13.11,SC-13
Subnets should be associated with a network security group,System & Communications Protection,SC.3.180,ML-3,3.13.2,"SC-7, SA-8"
Audit Windows machines that have the specified members in the Administrators group,System & Communications Protection,SC.3.181,ML-3,3.13.3,SC-2
External accounts with owner permissions should be removed from your subscription,System & Communications Protection,SC.3.181,ML-3,3.13.3,SC-2
A maximum of 3 owners should be designated for your subscription,System & Communications Protection,SC.3.181,ML-3,3.13.3,SC-2
An Azure Active Directory administrator should be provisioned for SQL servers,System & Communications Protection,SC.3.181,ML-3,3.13.3,SC-2
Deprecated accounts with owner permissions should be removed from your subscription,System & Communications Protection,SC.3.181,ML-3,3.13.3,SC-2
Access to storage accounts with firewall and virtual network configurations should be restricted,System & Communications Protection,SC.3.183,ML-3,3.13.6,SC-7(5)
Storage account public access should be disallowed,System & Communications Protection,SC.3.183,ML-3,3.13.6,SC-7(5)
Windows machines should meet requirements for 'Security Options - Network Access',System & Communications Protection,SC.3.183,ML-3,3.13.6,SC-7(5)
Windows machines should meet requirements for 'Security Options - Network Security',System & Communications Protection,SC.3.183,ML-3,3.13.6,SC-7(5)
Non-internet-facing virtual machines should be protected with network security groups,System & Communications Protection,SC.3.183,ML-3,3.13.6,SC-7(5)
Access to storage accounts with firewall and virtual network configurations should be restricted,System & Communications Protection,SC.3.185,ML-3,3.13.8,"SC-8, SC-8(1)"
Function App should only be accessible over HTTPS,System & Communications Protection,SC.3.185,ML-3,3.13.8,"SC-8, SC-8(1)"
Secure transfer to storage accounts should be enabled,System & Communications Protection,SC.3.185,ML-3,3.13.8,"SC-8, SC-8(1)"
Web Application should only be accessible over HTTPS,System & Communications Protection,SC.3.185,ML-3,3.13.8,"SC-8, SC-8(1)"
API App should only be accessible over HTTPS,System & Communications Protection,SC.3.185,ML-3,3.13.8,"SC-8, SC-8(1)"
Key vaults should have purge protection enabled,System & Communications Protection,SC.3.187,ML-3,3.13.10,SC-12
Firewall should be enabled on Key Vault,System & Communications Protection,SC.3.187,ML-3,3.13.10,SC-12
Key vaults should have soft delete enabled,System & Communications Protection,SC.3.187,ML-3,3.13.10,SC-12
Azure Defender for Key Vault should be enabled,System & Communications Protection,SC.3.187,ML-3,3.13.10,SC-12
Keys using RSA cryptography should have a specified minimum key size,System & Communications Protection,SC.3.187,ML-3,3.13.10,SC-12
Function App should only be accessible over HTTPS,System & Communications Protection,SC.3.190,ML-3,3.13.15,SC-23
Web Application should only be accessible over HTTPS,System & Communications Protection,SC.3.190,ML-3,3.13.15,SC-23
MFA should be enabled on accounts with owner permissions on your subscription,System & Communications Protection,SC.3.190,ML-3,3.13.15,SC-23
MFA should be enabled on accounts with write permissions on your subscription,System & Communications Protection,SC.3.190,ML-3,3.13.15,SC-23
MFA should be enabled on accounts with read permissions on your subscription,System & Communications Protection,SC.3.190,ML-3,3.13.15,SC-23
Storage accounts should have infrastructure encryption,System & Communications Protection,SC.3.191,ML-3,3.13.16,SC-28
Access to storage accounts with firewall and virtual network configurations should be restricted,System & Communications Protection,SC.3.191,ML-3,3.13.16,SC-28
"Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources",System & Communications Protection,SC.3.191,ML-3,3.13.16,SC-28
Unattached disks should be encrypted,System & Communications Protection,SC.3.191,ML-3,3.13.16,SC-28
Double encryption should be enabled on Azure Data Explorer,System & Communications Protection,SC.3.191,ML-3,3.13.16,SC-28
Microsoft Antimalware for Azure should be configured to automatically update protection signatures,System & Information Integrity,SI.1.210,ML-1,3.14.1,"SI-2,SI-3,SI-5"
Vulnerabilities in security configuration on your machines should be remediated,System & Information Integrity,SI.1.210,ML-1,3.14.1,"SI-2,SI-3,SI-5"
"Ensure that 'HTTP Version' is the latest, if used to run the Function app",System & Information Integrity,SI.1.210,ML-1,3.14.1,"SI-2,SI-3,SI-5"
Python should be updated to the latest version for your function app,System & Information Integrity,SI.1.210,ML-1,3.14.1,"SI-2,SI-3,SI-5"
"Ensure that 'HTTP Version' is the latest, if used to run the Web app",System & Information Integrity,SI.1.210,ML-1,3.14.1,"SI-2,SI-3,SI-5"
Microsoft Antimalware for Azure should be configured to automatically update protection signatures,System & Information Integrity,SI.1.211,ML-1,3.14.2,"SI-2,SI-3,SI-5"
Microsoft IaaSAntimalware extension should be deployed on Windows servers,System & Information Integrity,SI.1.211,ML-1,3.14.2,"SI-2,SI-3,SI-5"
Endpoint protection health issues should be resolved on your machines,System & Information Integrity,SI.1.211,ML-1,3.14.2,"SI-2,SI-3,SI-5"
Endpoint protection health failures should be remediated on virtual machine scale sets,System & Information Integrity,SI.1.211,ML-1,3.14.2,"SI-2,SI-3,SI-5"
Microsoft Antimalware for Azure should be configured to automatically update protection signatures,System & Information Integrity,SI.1.212,ML-1,3.14.4,SI-3
Microsoft Antimalware for Azure should be configured to automatically update protection signatures,System & Information Integrity,SI.1.213,ML-1,3.14.5,SI-3
Microsoft IaaSAntimalware extension should be deployed on Windows servers,System & Information Integrity,SI.1.213,ML-1,3.14.5,SI-3
Endpoint protection health issues should be resolved on your machines,System & Information Integrity,SI.1.213,ML-1,3.14.5,SI-3
Azure Defender for Key Vault should be enabled,System & Information Integrity,SI.1.213,ML-1,3.14.5,SI-3
Azure Defender for Kubernetes should be enabled,System & Information Integrity,SI.1.213,ML-1,3.14.5,SI-3
Flow logs should be configured for every network security group,System & Information Integrity,SI.2.216,ML-2,3.14.6,"AU-2, AU-2(3), AU-6, SI-4, SI-4(4)"
Virtual networks should be protected by Azure Firewall,System & Information Integrity,SI.2.216,ML-2,3.14.6,"AU-2, AU-2(3), AU-6, SI-4, SI-4(4)"
Web Application Firewall (WAF) should use the specified mode for Azure Front Door Service,System & Information Integrity,SI.2.216,ML-2,3.14.6,"AU-2, AU-2(3), AU-6, SI-4, SI-4(4)"
Web Application Firewall (WAF) should be enabled for Application Gateway,System & Information Integrity,SI.2.216,ML-2,3.14.6,"AU-2, AU-2(3), AU-6, SI-4, SI-4(4)"
An activity log alert should exist for Delete SQL Server Firewall Rule,System & Information Integrity,SI.2.216,ML-2,3.14.6,"AU-2, AU-2(3), AU-6, SI-4, SI-4(4)"
An activity log alert should exist for Delete SQL Server Firewall Rule,System & Information Integrity,SI.2.217,ML-2,3.14.7,SI-4
An activity log alert should exist for the Delete Network Security Group Rule,System & Information Integrity,SI.2.217,ML-2,3.14.7,SI-4
An activity log alert should exist for Delete Network Security Solution,System & Information Integrity,SI.2.217,ML-2,3.14.7,SI-4
Activity log should be retained for at least one year,System & Information Integrity,SI.2.217,ML-2,3.14.7,SI-4
Azure Monitor should collect activity logs from all regions,System & Information Integrity,SI.2.217,ML-2,3.14.7,SI-4A1:F242
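Review bot: the last row, "Azure Monitor should collect activity logs from all regions" under SI.2.217, ends with `SI-4A1:F242` in the final column, where every other SI.2.217 row has `SI-4`. The trailing `A1:F242` reads like a spreadsheet range that ended up in the cell, and any query that filters or joins on this column will treat the value as a separate, unknown control; trim it to `SI-4`. The multi-value cells in the same column are also delimited inconsistently (`"SI-2,SI-3,SI-5"` without spaces, `"SC-8, SC-8(1)"` and `"AU-2, AU-2(3), AU-6, SI-4, SI-4(4)"` with them), so a consumer that splits on one form will mis-parse the other; use a single delimiter throughout the file.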
215 Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources System & Communications Protection SC.3.191 ML-3 3.13.16 SC-28
216 Unattached disks should be encrypted System & Communications Protection SC.3.191 ML-3 3.13.16 SC-28
217 Double encryption should be enabled on Azure Data Explorer System & Communications Protection SC.3.191 ML-3 3.13.16 SC-28
218 Microsoft Antimalware for Azure should be configured to automatically update protection signatures System & Information Integrity SI.1.210 ML-1 3.14.1 SI-2,SI-3,SI-5
219 Vulnerabilities in security configuration on your machines should be remediated System & Information Integrity SI.1.210 ML-1 3.14.1 SI-2,SI-3,SI-5
220 Ensure that 'HTTP Version' is the latest, if used to run the Function app System & Information Integrity SI.1.210 ML-1 3.14.1 SI-2,SI-3,SI-5
221 Python should be updated to the latest version for your function app System & Information Integrity SI.1.210 ML-1 3.14.1 SI-2,SI-3,SI-5
222 Ensure that 'HTTP Version' is the latest, if used to run the Web app System & Information Integrity SI.1.210 ML-1 3.14.1 SI-2,SI-3,SI-5
223 Microsoft Antimalware for Azure should be configured to automatically update protection signatures System & Information Integrity SI.1.211 ML-1 3.14.2 SI-2,SI-3,SI-5
224 Microsoft IaaSAntimalware extension should be deployed on Windows servers System & Information Integrity SI.1.211 ML-1 3.14.2 SI-2,SI-3,SI-5
225 Endpoint protection health issues should be resolved on your machines System & Information Integrity SI.1.211 ML-1 3.14.2 SI-2,SI-3,SI-5
226 Endpoint protection health failures should be remediated on virtual machine scale sets System & Information Integrity SI.1.211 ML-1 3.14.2 SI-2,SI-3,SI-5
227 Microsoft Antimalware for Azure should be configured to automatically update protection signatures System & Information Integrity SI.1.212 ML-1 3.14.4 SI-3
228 Microsoft Antimalware for Azure should be configured to automatically update protection signatures System & Information Integrity SI.1.213 ML-1 3.14.5 SI-3
229 Microsoft IaaSAntimalware extension should be deployed on Windows servers System & Information Integrity SI.1.213 ML-1 3.14.5 SI-3
230 Endpoint protection health issues should be resolved on your machines System & Information Integrity SI.1.213 ML-1 3.14.5 SI-3
231 Azure Defender for Key Vault should be enabled System & Information Integrity SI.1.213 ML-1 3.14.5 SI-3
232 Azure Defender for Kubernetes should be enabled System & Information Integrity SI.1.213 ML-1 3.14.5 SI-3
233 Flow logs should be configured for every network security group System & Information Integrity SI.2.216 ML-2 3.14.6 AU-2, AU-2(3), AU-6, SI-4, SI-4(4)
234 Virtual networks should be protected by Azure Firewall System & Information Integrity SI.2.216 ML-2 3.14.6 AU-2, AU-2(3), AU-6, SI-4, SI-4(4)
235 Web Application Firewall (WAF) should use the specified mode for Azure Front Door Service System & Information Integrity SI.2.216 ML-2 3.14.6 AU-2, AU-2(3), AU-6, SI-4, SI-4(4)
236 Web Application Firewall (WAF) should be enabled for Application Gateway System & Information Integrity SI.2.216 ML-2 3.14.6 AU-2, AU-2(3), AU-6, SI-4, SI-4(4)
237 An activity log alert should exist for Delete SQL Server Firewall Rule System & Information Integrity SI.2.216 ML-2 3.14.6 AU-2, AU-2(3), AU-6, SI-4, SI-4(4)
238 An activity log alert should exist for Delete SQL Server Firewall Rule System & Information Integrity SI.2.217 ML-2 3.14.7 SI-4
239 An activity log alert should exist for the Delete Network Security Group Rule System & Information Integrity SI.2.217 ML-2 3.14.7 SI-4
240 An activity log alert should exist for Delete Network Security Solution System & Information Integrity SI.2.217 ML-2 3.14.7 SI-4
241 Activity log should be retained for at least one year System & Information Integrity SI.2.217 ML-2 3.14.7 SI-4
242 Azure Monitor should collect activity logs from all regions System & Information Integrity SI.2.217 ML-2 3.14.7 SI-4A1:F242
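Review bot: The final row (242) ends with `SI-4A1:F242`, which looks like a spreadsheet range (`A1:F242`) fused onto the last value. If that string is in the committed file, the cell should read `SI-4`, as rows 238 to 241 do for the same practice SI.2.217, otherwise any lookup or join on that column will miss this row. The control-list column is also delimited inconsistently: rows 218 to 226 use `SI-2,SI-3,SI-5` with no space, while other rows use `SC-8, SC-8(1)` and `AU-2, AU-2(3), AU-6, SI-4, SI-4(4)` with a comma and a space. Pick one separator so that anything splitting this column treats every row the same way.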