From 9ef52a896c12017fde7810436a46c6e490792cfd Mon Sep 17 00:00:00 2001
From: TJ Banasik <54327442+thbanasi@users.noreply.github.com>
Date: Mon, 20 Sep 2021 15:38:11 -0400
Subject: [PATCH] CustomTables_Feed SecurityIncident InformationProtectionLogs_CL SecurityRecommendation CMMCPolicyMapping
---
 .../InformationProtectionLogs_CL.json | 122 +++++++++
 .../CustomTables/SecurityIncident.json | 126 +++++++++
 .../CustomTables/SecurityRecommendation.json | 82 ++++++
 Sample Data/Feeds/CMMCPolicyMapping.csv | 242 ++++++++++++++++++
 4 files changed, 572 insertions(+)
 create mode 100644 .script/tests/KqlvalidationsTests/CustomTables/InformationProtectionLogs_CL.json
 create mode 100644 .script/tests/KqlvalidationsTests/CustomTables/SecurityIncident.json
 create mode 100644 .script/tests/KqlvalidationsTests/CustomTables/SecurityRecommendation.json
 create mode 100644 Sample Data/Feeds/CMMCPolicyMapping.csv
diff --git a/.script/tests/KqlvalidationsTests/CustomTables/InformationProtectionLogs_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/InformationProtectionLogs_CL.json
new file mode 100644
index 0000000000..f06776b0f9
--- /dev/null
+++ b/.script/tests/KqlvalidationsTests/CustomTables/InformationProtectionLogs_CL.json
@@ -0,0 +1,122 @@
+{
+ "Name": "InformationProtectionLogs_CL",
+ "Properties": [
+ {
+ "Name": "TenantId",
+ "Type": "string"
+ },
+ {
+ "Name": "SourceSystem",
+ "Type": "string"
+ },
+ {
+ "Name": "TimeGenerated [UTC]",
+ "Type": "datetime"
+ },
+ {
+ "Name": "TimeGenerated_s",
+ "Type": "datetime"
+ },
+ {
+ "Name": "AadTenantId_g_g",
+ "Type": "string"
+ },
+ {
+ "Name": "UserId_s_s",
+ "Type": "string"
+ },
+ {
+ "Name": "Version_s_s",
+ "Type": "string"
+ },
+ {
+ "Name": "Workload_s_s",
+ "Type": "string"
+ },
+ {
+ "Name": "ProcessName_s_s",
+ "Type": "string"
+ },
+ {
+ "Name": "ApplicationName_s_s",
+ "Type": "string"
+ },
+ {
+ "Name": "Operation_s_s",
+ "Type": "string"
+ },
+ {
+ "Name": "Platform_s_s",
+ "Type": "string"
+ },
+ {
+ "Name": "LogId_g_g",
+ "Type": "string"
+ },
+ {
+ "Name": "IPv4_s_s",
+ "Type": "string"
+ },
+ {
+ "Name": "DeviceId_g",
+ "Type": "string"
+ },
+ {
+ "Name": "AadTenantId_g",
+ "Type": "string"
+ },
+ {
+ "Name": "UserId_s",
+ "Type": "string"
+ },
+ {
+ "Name": "MachineName_s",
+ "Type": "string"
+ },
+ {
+ "Name": "Version_s",
+ "Type": "string"
+ },
+ {
+ "Name": "Workload_s",
+ "Type": "string"
+ },
+ {
+ "Name": "ProcessName_s",
+ "Type": "string"
+ },
+ {
+ "Name": "ApplicationName_s",
+ "Type": "string"
+ },
+ {
+ "Name": "Operation_s",
+ "Type": "string"
+ },
+ {
+ "Name": "Platform_s",
+ "Type": "string"
+ },
+ {
+ "Name": "ApplicationId_g",
+ "Type": "string"
+ },
+ {
+ "Name": "ProductVersion_s",
+ "Type": "string"
+ },
+ {
+ "Name": "LogId_g",
+ "Type": "string"
+ },
+ {
+ "Name": "IPv4_s",
+ "Type": "string"
+ },
+ {
+ "Name": "Type",
+ "Type": "string"
+ }
+ ]
+}
+
diff --git a/.script/tests/KqlvalidationsTests/CustomTables/SecurityIncident.json b/.script/tests/KqlvalidationsTests/CustomTables/SecurityIncident.json
new file mode 100644
index 0000000000..973f0ab8c7
--- /dev/null
+++ b/.script/tests/KqlvalidationsTests/CustomTables/SecurityIncident.json
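Review bot: The column named `"TimeGenerated [UTC]"` in this schema looks like the portal's display label rather than the real column name; the ` [UTC]` suffix is what the Log Analytics results grid appends to the `TimeGenerated` header, and the other two table schemas in this commit declare plain `TimeGenerated`. As written, a KQL validation against this table would presumably not resolve `TimeGenerated`, and a name containing `[UTC]` could only be referenced with bracket quoting, so the entry should read `"Name": "TimeGenerated"`. The doubled-suffix entries (`AadTenantId_g_g`, `UserId_s_s`, `LogId_g_g`, `IPv4_s_s`, ...) sitting next to their single-suffix twins look like the same fields captured after a custom-log suffix had already been applied once; if this list was copied from a test workspace rather than the connector's actual schema, confirm the duplicates are intentional. `TimeGenerated_s` typed as `datetime` despite the `_s` (string) suffix points the same way and is worth checking against the live table.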
@@ -0,0 +1,126 @@
+{
+ "Name": "SecurityIncident",
+ "Properties": [
+ {
+ "Name": "AdditionalData",
+ "Type": "dynamic"
+ },
+ {
+ "Name": "AlertIds",
+ "Type": "dynamic"
+ },
+ {
+ "Name": "BookmarkIds",
+ "Type": "dynamic"
+ },
+ {
+ "Name": "Classification",
+ "Type": "string"
+ },
+ {
+ "Name": "ClassificationComment",
+ "Type": "string"
+ },
+ {
+ "Name": "ClassificationReason",
+ "Type": "string"
+ },
+ {
+ "Name": "ClosedTime",
+ "Type": "datetime"
+ },
+ {
+ "Name": "Comments",
+ "Type": "dynamic"
+ },
+ {
+ "Name": "CreatedTime",
+ "Type": "datetime"
+ },
+ {
+ "Name": "Description",
+ "Type": "string"
+ },
+ {
+ "Name": "FirstActivityTime",
+ "Type": "datetime"
+ },
+ {
+ "Name": "FirstModifiedTime",
+ "Type": "datetime"
+ },
+ {
+ "Name": "IncidentName",
+ "Type": "string"
+ },
+ {
+ "Name": "IncidentNumber",
+ "Type": "int"
+ },
+ {
+ "Name": "IncidentUrl",
+ "Type": "string"
+ },
+ {
+ "Name": "Labels",
+ "Type": "dynamic"
+ },
+ {
+ "Name": "LastActivityTime",
+ "Type": "datetime"
+ },
+ {
+ "Name": "LastModifiedTime",
+ "Type": "datetime"
+ },
+ {
+ "Name": "ModifiedBy",
+ "Type": "string"
+ },
+ {
+ "Name": "Owner",
+ "Type": "dynamic"
+ },
+ {
+ "Name": "ProviderIncidentId",
+ "Type": "string"
+ },
+ {
+ "Name": "ProviderName",
+ "Type": "string"
+ },
+ {
+ "Name": "RelatedAnalyticRuleIds",
+ "Type": "dynamic"
+ },
+ {
+ "Name": "Severity",
+ "Type": "string"
+ },
+ {
+ "Name": "SourceSystem",
+ "Type": "string"
+ },
+ {
+ "Name": "Status",
+ "Type": "string"
+ },
+ {
+ "Name": "TenantId",
+ "Type": "string"
+ },
+ {
+ "Name": "TimeGenerated",
+ "Type": "datetime"
+ },
+ {
+ "Name": "Title",
+ "Type": "string"
+ },
+ {
+ "Name": "Type",
+ "Type": "string"
+ }
+ ]
+}
+
diff --git a/.script/tests/KqlvalidationsTests/CustomTables/SecurityRecommendation.json b/.script/tests/KqlvalidationsTests/CustomTables/SecurityRecommendation.json
new file mode 100644
index 0000000000..e828c0ca42
--- /dev/null
+++ b/.script/tests/KqlvalidationsTests/CustomTables/SecurityRecommendation.json
@@ -0,0 +1,82 @@
+{
+ "Name": "SecurityRecommendation",
+ "Properties": [
+ {
+ "Name": "AssessedResourceId",
+ "Type": "string"
+ },
+ {
+ "Name": "Description",
+ "Type": "string"
+ },
+ {
+ "Name": "DeviceId",
+ "Type": "string"
+ },
+ {
+ "Name": "DiscoveredTimeUTC",
+ "Type": "datetime"
+ },
+ {
+ "Name": "FirstEvaluationDate",
+ "Type": "datetime"
+ },
+ {
+ "Name": "IsSnapshot",
+ "Type": "bool"
+ },
+ {
+ "Name": "PolicyDefinitionId",
+ "Type": "string"
+ },
+ {
+ "Name": "ProviderName",
+ "Type": "string"
+ },
+ {
+ "Name": "RecommendationAdditionalData",
+ "Type": "dynamic"
+ },
+ {
+ "Name": "RecommendationDisplayName",
+ "Type": "string"
+ },
+ {
+ "Name": "RecommendationId",
+ "Type": "string"
+ },
+ {
+ "Name": "RecommendationName",
+ "Type": "string"
+ },
+ {
+ "Name": "RecommendationSeverity",
+ "Type": "string"
+ },
+ {
+ "Name": "RecommendationState",
+ "Type": "string"
+ },
+ {
+ "Name": "ResolvedTimeUTC",
+ "Type": "datetime"
+ },
+ {
+ "Name": "ResourceRegion",
+ "Type": "string"
+ },
+ {
+ "Name": "StatusChangeDate",
+ "Type": "datetime"
+ },
+ {
+ "Name": "TimeGenerated",
+ "Type": "datetime"
+ },
+ {
+ "Name": "Type",
+ "Type": "string"
+ }
+ ]
+}
+
diff --git a/Sample Data/Feeds/CMMCPolicyMapping.csv b/Sample Data/Feeds/CMMCPolicyMapping.csv
new file mode 100644
index 0000000000..f5c20ee5e2
--- /dev/null
+++ b/Sample Data/Feeds/CMMCPolicyMapping.csv
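Review bot: The SecurityRecommendation schema omits `TenantId` and `SourceSystem`, which both of the other table schemas added in this commit (SecurityIncident.json and InformationProtectionLogs_CL.json) declare; any analytic rule that filters or projects those columns on `SecurityRecommendation` would fail the KQL validation this file exists to support. If the live table carries them (every Log Analytics table I have seen does, but confirm against a workspace before adding), insert `{ "Name": "SourceSystem", "Type": "string" }` and `{ "Name": "TenantId", "Type": "string" }` into `Properties`. The list is alphabetical, so `SourceSystem` belongs after `ResourceRegion` and `TenantId` before `TimeGenerated`.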
@@ -0,0 +1,242 @@ +RecommendationName,ControlFamily,ControlNumber,MaturityLevel,800171Map,80053Map +Access to storage accounts with firewall and virtual network configurations should be restricted,Access Control,AC.1.001,ML-1,3.1.1,"AC-2, AC-3, AC-17" +Storage account public access should be disallowed,Access Control,AC.1.001,ML-1,3.1.1,"AC-2, AC-3, AC-17" +Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities,Access Control,AC.1.001,ML-1,3.1.1,"AC-2, AC-3, AC-17" +Windows machines should meet requirements for 'Security Options - Network Access',Access Control,AC.1.001,ML-1,3.1.1,"AC-2, AC-3, AC-17" +Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs,Access Control,AC.1.001,ML-1,3.1.1,"AC-2, AC-3, AC-17" +Access to storage accounts with firewall and virtual network configurations should be restricted,Access Control,AC.1.002,ML-1,3.1.2,"AC-2, AC-3, AC-17" +Storage account public access should be disallowed,Access Control,AC.1.002,ML-1,3.1.2,"AC-2, AC-3, AC-17" +Windows machines should meet requirements for 'Security Options - Network Access',Access Control,AC.1.002,ML-1,3.1.2,"AC-2, AC-3, AC-17" +Firewall should be enabled on Key Vault,Access Control,AC.1.002,ML-1,3.1.2,"AC-2, AC-3, AC-17" +Audit Linux machines that allow remote connections from accounts without passwords,Access Control,AC.1.002,ML-1,3.1.2,"AC-2, AC-3, AC-17" +RDP access from the Internet should be blocked,Access Control,AC.1.003,ML-1,3.1.20,"AC-20, AC-20(1)" +Adaptive network hardening recommendations should be applied on internet facing virtual machines,Access Control,AC.1.003,ML-1,3.1.20,"AC-20, AC-20(1)" +Virtual networks should be protected by Azure Firewall,Access Control,AC.1.003,ML-1,3.1.20,"AC-20, AC-20(1)" +SSH access from the Internet should be blocked,Access Control,AC.1.003,ML-1,3.1.20,"AC-20, AC-20(1)" +Internet-facing virtual machines should be protected with network 
security groups,Access Control,AC.1.003,ML-1,3.1.20,"AC-20, AC-20(1)" +Management ports of virtual machines should be protected with just-in-time network access control,Access Control,AC.2.007,ML-2,3.1.5,"AC-6, AC-6(1), AC-6(5)" +Role-Based Access Control should be used on Kubernetes Services,Access Control,AC.2.007,ML-2,3.1.5,"AC-6, AC-6(1), AC-6(5)" +External accounts with read permissions should be removed from your subscription,Access Control,AC.2.007,ML-2,3.1.5,"AC-6, AC-6(1), AC-6(5)" +External accounts with write permissions should be removed from your subscription,Access Control,AC.2.007,ML-2,3.1.5,"AC-6, AC-6(1), AC-6(5)" +Windows machines should meet requirements for 'Security Options - User Account Control',Access Control,AC.2.008,ML-2,3.1.6,AC-6(2) +Windows machines should meet requirements for 'User Rights Assignment',Access Control,AC.2.008,ML-2,3.1.6,AC-6(2) +Access to storage accounts with firewall and virtual network configurations should be restricted,Access Control,AC.2.013,ML-2,3.1.12,AC-17(1) +Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities,Access Control,AC.2.013,ML-2,3.1.12,AC-17(1) +Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs,Access Control,AC.2.013,ML-2,3.1.12,AC-17(1) +Windows machines should meet requirements for 'Security Options - Network Security',Access Control,AC.2.013,ML-2,3.1.12,AC-17(1) +Audit Linux machines that allow remote connections from accounts without passwords,Access Control,AC.2.013,ML-2,3.1.12,AC-17(1) +RDP access from the Internet should be blocked,Access Control,AC.2.015,ML-2,3.1.14,AC-17(3) +Access to storage accounts with firewall and virtual network configurations should be restricted,Access Control,AC.2.016,ML-2,3.1.3,AC-4 +Storage account public access should be disallowed,Access Control,AC.2.016,ML-2,3.1.3,AC-4 +Windows machines should meet requirements for 'Security Options - 
Network Access',Access Control,AC.2.016,ML-2,3.1.3,AC-4 +RDP access from the Internet should be blocked,Access Control,AC.2.016,ML-2,3.1.3,AC-4 +Adaptive network hardening recommendations should be applied on internet facing virtual machines,Access Control,AC.2.016,ML-2,3.1.3,AC-4 +Audit Windows machines missing any of specified members in the Administrators group,Access Control,AC.3.017,ML-3,3.1.4,AC-5 +Audit Windows machines that have the specified members in the Administrators group,Access Control,AC.3.017,ML-3,3.1.4,AC-5 +A maximum of 3 owners should be designated for your subscription,Access Control,AC.3.017,ML-3,3.1.4,AC-5 +There should be more than one owner assigned to your subscription,Access Control,AC.3.017,ML-3,3.1.4,AC-5 +Windows machines should meet requirements for 'System Audit Policies - Privilege Use',Access Control,AC.3.018,ML-3,3.1.7,"AC-6(9), AC-6(10)" +An activity log alert should exist for Delete SQL Server Firewall Rule,Access Control,AC.3.018,ML-3,3.1.7,"AC-6(9), AC-6(10)" +An activity log alert should exist for the Delete Network Security Group Rule,Access Control,AC.3.018,ML-3,3.1.7,"AC-6(9), AC-6(10)" +An activity log alert should exist for Delete Network Security Solution,Access Control,AC.3.018,ML-3,3.1.7,"AC-6(9), AC-6(10)" +An activity log alert should exist for the Delete Classic Network Security Group Rule,Access Control,AC.3.018,ML-3,3.1.7,"AC-6(9), AC-6(10)" +Guest Configuration extension should be installed on your machines,Access Control,AC.3.021,ML-3,3.1.15,AC-17(4) +Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities,Access Control,AC.3.021,ML-3,3.1.15,AC-17(4) +Windows machines should meet requirements for 'Security Options - User Account Control',Access Control,AC.3.021,ML-3,3.1.15,AC-17(4) +Windows machines should meet requirements for 'User Rights Assignment',Access Control,AC.3.021,ML-3,3.1.15,AC-17(4) +Deploy the Windows Guest Configuration extension to 
enable Guest Configuration assignments on Windows VMs,Access Control,AC.3.021,ML-3,3.1.15,AC-17(4) +Audit diagnostic setting,Audit & Accountability,AU.2.041,ML-2,3.3.2,"AU-2, AU-3, AU-3(1), AU-6, AU-11, AU-12" +Virtual machines should be connected to a specified workspace,Audit & Accountability,AU.2.041,ML-2,3.3.2,"AU-2, AU-3, AU-3(1), AU-6, AU-11, AU-12" +The Log Analytics agent should be installed on virtual machines,Audit & Accountability,AU.2.041,ML-2,3.3.2,"AU-2, AU-3, AU-3(1), AU-6, AU-11, AU-12" +An activity log alert should exist for Delete SQL Server Firewall Rule,Audit & Accountability,AU.2.041,ML-2,3.3.2,"AU-2, AU-3, AU-3(1), AU-6, AU-11, AU-12" +An activity log alert should exist for the Delete Network Security Group Rule,Audit & Accountability,AU.2.041,ML-2,3.3.2,"AU-2, AU-3, AU-3(1), AU-6, AU-11, AU-12" +Audit diagnostic setting,Audit & Accountability,AU.2.042,ML-2,3.3.1,"AU-2, AU-3, AU-3(1), AU-6, AU-11, AU-12" +Virtual machines should be connected to a specified workspace,Audit & Accountability,AU.2.042,ML-2,3.3.1,"AU-2, AU-3, AU-3(1), AU-6, AU-11, AU-12" +The Log Analytics agent should be installed on virtual machines,Audit & Accountability,AU.2.042,ML-2,3.3.1,"AU-2, AU-3, AU-3(1), AU-6, AU-11, AU-12" +An activity log alert should exist for Delete SQL Server Firewall Rule,Audit & Accountability,AU.2.042,ML-2,3.3.1,"AU-2, AU-3, AU-3(1), AU-6, AU-11, AU-12" +An activity log alert should exist for the Delete Network Security Group Rule,Audit & Accountability,AU.2.042,ML-2,3.3.1,"AU-2, AU-3, AU-3(1), AU-6, AU-11, AU-12" +Audit diagnostic setting,Audit & Accountability,AU.3.046,ML-3,3.3.4,AU-5 +Virtual machines should be connected to a specified workspace,Audit & Accountability,AU.3.046,ML-3,3.3.4,AU-5 +Azure Defender for SQL should be enabled for unprotected SQL Managed Instances,Audit & Accountability,AU.3.046,ML-3,3.3.4,AU-5 +Log Analytics agent should be enabled in virtual machine scale sets for listed virtual machine images,Audit & 
Accountability,AU.3.046,ML-3,3.3.4,AU-5 +[Preview]: Log Analytics Agent should be enabled for listed virtual machine images,Audit & Accountability,AU.3.046,ML-3,3.3.4,AU-5 +Audit diagnostic setting,Audit & Accountability,AU.3.048,ML-3,,AU-6(4) +Virtual machines should be connected to a specified workspace,Audit & Accountability,AU.3.048,ML-3,,AU-6(4) +The Log Analytics agent should be installed on virtual machines,Audit & Accountability,AU.3.048,ML-3,,AU-6(4) +Diagnostic logs should be enabled in App Service,Audit & Accountability,AU.3.048,ML-3,,AU-6(4) +Log Analytics agent should be enabled in virtual machine scale sets for listed virtual machine images,Audit & Accountability,AU.3.048,ML-3,,AU-6(4) +Audit diagnostic setting,Audit & Accountability,AU.3.047,ML-3,3.3.8,"AU-6(7), AU-9" +An activity log alert should exist for specific Policy operations,Audit & Accountability,AU.3.047,ML-3,3.3.8,"AU-6(7), AU-9" +Adaptive application controls for defining safe applications should be enabled on your machines,Security Assessment,CA.2.158,ML-2,3.12.1,"CA-2, CA-5, CA-7, PL-2" +Vulnerabilities in your virtual machines should be remediated,Security Assessment,CA.2.158,ML-2,3.12.1,"CA-2, CA-5, CA-7, PL-2" +Endpoint protection health issues should be resolved on your machines,Security Assessment,CA.2.158,ML-2,3.12.1,"CA-2, CA-5, CA-7, PL-2" +Vulnerability assessment should be enabled on your SQL servers,Security Assessment,CA.2.158,ML-2,3.12.1,"CA-2, CA-5, CA-7, PL-2" +An activity log alert should exist for Delete Security Solution,Security Assessment,CA.2.158,ML-2,3.12.1,"CA-2, CA-5, CA-7, PL-2" +Adaptive application controls for defining safe applications should be enabled on your machines,Security Assessment,CA.3.161,ML-3,3.12.3,"CA-2, CA-5, CA-7, PL-2" +Vulnerabilities in your virtual machines should be remediated,Security Assessment,CA.3.161,ML-3,3.12.3,"CA-2, CA-5, CA-7, PL-2" +Endpoint protection health issues should be resolved on your machines,Security 
Assessment,CA.3.161,ML-3,3.12.3,"CA-2, CA-5, CA-7, PL-2" +Vulnerability assessment should be enabled on your SQL servers,Security Assessment,CA.3.161,ML-3,3.12.3,"CA-2, CA-5, CA-7, PL-2" +An activity log alert should exist for Delete Security Solution,Security Assessment,CA.3.161,ML-3,3.12.3,"CA-2, CA-5, CA-7, PL-2" +Adaptive application controls for defining safe applications should be enabled on your machines,Configuration Management,CM.2.061,ML-2,3.4.1,"CM-2, CM-6, CM-8, CM-8(1)" +An activity log alert should exist for specific Policy operations,Configuration Management,CM.2.061,ML-2,3.4.1,"CM-2, CM-6, CM-8, CM-8(1)" +Windows machines should meet requirements for 'System Audit Policies - Privilege Use',Configuration Management,CM.2.062,ML-2,3.4.6,CM-7 +Role-Based Access Control should be used on Kubernetes Services,Configuration Management,CM.2.062,ML-2,3.4.6,CM-7 +Windows machines should meet requirements for 'Security Options - User Account Control',Configuration Management,CM.2.063,ML-2,3.4.9,CM-11 +Adaptive application controls for defining safe applications should be enabled on your machines,Configuration Management,CM.2.063,ML-2,3.4.9,CM-11 +Allowlist rules in your adaptive application control policy should be updated,Configuration Management,CM.2.063,ML-2,3.4.9,CM-11 +Security Center standard pricing tier should be selected,Configuration Management,CM.2.063,ML-2,3.4.9,CM-11 +Windows machines should meet requirements for 'Security Options - Network Security',Configuration Management,CM.2.064,ML-2,3.4.2,"CM-2, CM-6,CM-8,CM-8(1)" +Firewall should be enabled on Key Vault,Configuration Management,CM.2.064,ML-2,3.4.2,"CM-2, CM-6,CM-8,CM-8(1)" +All network ports should be restricted on network security groups associated to your virtual machine,Configuration Management,CM.2.064,ML-2,3.4.2,"CM-2, CM-6,CM-8,CM-8(1)" +Virtual networks should be protected by Azure Firewall,Configuration Management,CM.2.064,ML-2,3.4.2,"CM-2, CM-6,CM-8,CM-8(1)" +Web Application 
Firewall (WAF) should use the specified mode for Azure Front Door Service,Configuration Management,CM.2.064,ML-2,3.4.2,"CM-2, CM-6,CM-8,CM-8(1)" +Windows machines should meet requirements for 'System Audit Policies - Policy Change',Configuration Management,CM.2.065,ML-2,3.4.3,CM-3 +An activity log alert should exist for Delete SQL Server Firewall Rule,Configuration Management,CM.2.065,ML-2,3.4.3,CM-3 +An activity log alert should exist for the Delete Network Security Group Rule,Configuration Management,CM.2.065,ML-2,3.4.3,CM-3 +An activity log alert should exist for Delete Network Security Solution,Configuration Management,CM.2.065,ML-2,3.4.3,CM-3 +Azure Monitor should collect activity logs from all regions,Configuration Management,CM.2.065,ML-2,3.4.3,CM-3 +Access to storage accounts with firewall and virtual network configurations should be restricted,Configuration Management,CM.3.068,ML-3,3.4.7,"CM-7(1), CM-7(2)" +Storage account public access should be disallowed,Configuration Management,CM.3.068,ML-3,3.4.7,"CM-7(1), CM-7(2)" +Non-internet-facing virtual machines should be protected with network security groups,Configuration Management,CM.3.068,ML-3,3.4.7,"CM-7(1), CM-7(2)" +Subnets should be associated with a network security group,Configuration Management,CM.3.068,ML-3,3.4.7,"CM-7(1), CM-7(2)" +Adaptive application controls for defining safe applications should be enabled on your machines,Configuration Management,CM.3.068,ML-3,3.4.7,"CM-7(1), CM-7(2)" +Adaptive application controls for defining safe applications should be enabled on your machines,Configuration Management,CM.3.069,ML-3,3.4.8,"CM-7(4), CM-7(5)" +Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities,Identification & Authentication,IA.1.077,ML-1,3.5.2,"IA-2, IA-3, IA-5" +Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs,Identification & Authentication,IA.1.077,ML-1,3.5.2,"IA-2, 
IA-3, IA-5" +Windows machines should meet requirements for 'Security Options - Network Security',Identification & Authentication,IA.1.077,ML-1,3.5.2,"IA-2, IA-3, IA-5" +Audit Linux machines that have accounts without passwords,Identification & Authentication,IA.1.077,ML-1,3.5.2,"IA-2, IA-3, IA-5" +Audit Linux machines that do not have the passwd file permissions set to 0644,Identification & Authentication,IA.1.077,ML-1,3.5.2,"IA-2, IA-3, IA-5" +Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities,Identification & Authentication,IA.2.078,ML-2,3.5.7,IA-5(1) +Audit Windows machines that do not restrict the minimum password length to 14 characters,Identification & Authentication,IA.2.078,ML-2,3.5.7,IA-5(1) +Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs,Identification & Authentication,IA.2.078,ML-2,3.5.7,IA-5(1) +Audit Windows machines that do not have the password complexity setting enabled,Identification & Authentication,IA.2.078,ML-2,3.5.7,IA-5(1) +Windows machines should meet requirements for 'Security Options - Network Security',Identification & Authentication,IA.2.078,ML-2,3.5.7,IA-5(1) +Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities,Identification & Authentication,IA.2.079,ML-2,3.5.8,IA-5(1) +Audit Windows machines that allow re-use of the previous 24 passwords,Identification & Authentication,IA.2.079,ML-2,3.5.8,IA-5(1) +Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs,Identification & Authentication,IA.2.079,ML-2,3.5.8,IA-5(1) +Windows machines should meet requirements for 'Security Options - Network Security',Identification & Authentication,IA.2.079,ML-2,3.5.8,IA-5(1) +Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity,Identification & 
Authentication,IA.2.079,ML-2,3.5.8,IA-5(1) +Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities,Identification & Authentication,IA.2.079,ML-2,3.5.10,IA-5(1) +Audit Windows machines that do not store passwords using reversible encryption,Identification & Authentication,IA.2.079,ML-2,3.5.10,IA-5(1) +Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs,Identification & Authentication,IA.2.079,ML-2,3.5.10,IA-5(1) +Windows machines should meet requirements for 'Security Options - Network Security',Identification & Authentication,IA.2.079,ML-2,3.5.10,IA-5(1) +Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity,Identification & Authentication,IA.2.079,ML-2,3.5.10,IA-5(1) +MFA should be enabled on accounts with owner permissions on your subscription,Identification & Authentication,IA.3.083,ML-3,3.5.3,"IA-2(1), IA-2(2), IA-2(3)" +MFA should be enabled on accounts with write permissions on your subscription,Identification & Authentication,IA.3.083,ML-3,3.5.3,"IA-2(1), IA-2(2), IA-2(3)" +MFA should be enabled on accounts with read permissions on your subscription,Identification & Authentication,IA.3.083,ML-3,3.5.3,"IA-2(1), IA-2(2), IA-2(3)" +Function App should only be accessible over HTTPS,Identification & Authentication,IA.3.084,ML-3,3.5.4,"IA-2(8),IA-2(9)" +Web Application should only be accessible over HTTPS,Identification & Authentication,IA.3.084,ML-3,3.5.4,"IA-2(8),IA-2(9)" +MFA should be enabled on accounts with owner permissions on your subscription,Identification & Authentication,IA.3.084,ML-3,3.5.4,"IA-2(8),IA-2(9)" +MFA should be enabled on accounts with write permissions on your subscription,Identification & Authentication,IA.3.084,ML-3,3.5.4,"IA-2(8),IA-2(9)" +MFA should be enabled on accounts with read permissions on your subscription,Identification & 
Authentication,IA.3.084,ML-3,3.5.4,"IA-2(8),IA-2(9)" +Vulnerability Assessment settings for SQL server should contain an email address to receive scan reports,Incident Response,IR.2.092,ML-2,3.6.1,"IR-2, IR-4, IR-5, IR-6, IR-7" +Subscriptions should have a contact email address for security issues,Incident Response,IR.2.092,ML-2,3.6.1,"IR-2, IR-4, IR-5, IR-6, IR-7" +Email notification to subscription owner for high severity alerts should be enabled,Incident Response,IR.2.092,ML-2,3.6.1,"IR-2, IR-4, IR-5, IR-6, IR-7" +Email notification for high severity alerts should be enabled,Incident Response,IR.2.092,ML-2,3.6.1,"IR-2, IR-4, IR-5, IR-6, IR-7" +Flow logs should be configured for every network security group,Incident Response,IR.2.093,ML-2,,"AR-4, AU-13, IA-10, IR-4, IR-5, IR-6, PE-6, RA-6" +Firewall should be enabled on Key Vault,Incident Response,IR.2.093,ML-2,,"AR-4, AU-13, IA-10, IR-4, IR-5, IR-6, PE-6, RA-6" +Endpoint protection health issues should be resolved on your machines,Incident Response,IR.2.093,ML-2,,"AR-4, AU-13, IA-10, IR-4, IR-5, IR-6, PE-6, RA-6" +Virtual networks should be protected by Azure Firewall,Incident Response,IR.2.093,ML-2,,"AR-4, AU-13, IA-10, IR-4, IR-5, IR-6, PE-6, RA-6" +Web Application Firewall (WAF) should use the specified mode for Azure Front Door Service,Incident Response,IR.2.093,ML-2,,"AR-4, AU-13, IA-10, IR-4, IR-5, IR-6, PE-6, RA-6" +Audit virtual machines without disaster recovery configured,Recovery,RE.2.137,ML-2,,"CP-9, CP-9(1)" +Azure Backup should be enabled for virtual machines,Recovery,RE.2.137,ML-2,,"CP-9, CP-9(1)" +Long-term geo-redundant backup should be enabled for Azure SQL Databases,Recovery,RE.2.137,ML-2,,"CP-9, CP-9(1)" +Geo-redundant backup should be enabled for Azure Database for PostgreSQL,Recovery,RE.2.137,ML-2,,"CP-9, CP-9(1)" +Geo-redundant backup should be enabled for Azure Database for MySQL,Recovery,RE.2.137,ML-2,,"CP-9, CP-9(1)" +Audit virtual machines without disaster recovery 
configured,Recovery,RE.3.139,ML-3,,"CP-9, CP-9(3), CP-9(5)" +Azure Backup should be enabled for virtual machines,Recovery,RE.3.139,ML-3,,"CP-9, CP-9(3), CP-9(5)" +Long-term geo-redundant backup should be enabled for Azure SQL Databases,Recovery,RE.3.139,ML-3,,"CP-9, CP-9(3), CP-9(5)" +Geo-redundant backup should be enabled for Azure Database for PostgreSQL,Recovery,RE.3.139,ML-3,,"CP-9, CP-9(3), CP-9(5)" +Geo-redundant backup should be enabled for Azure Database for MySQL,Recovery,RE.3.139,ML-3,,"CP-9, CP-9(3), CP-9(5)" +Vulnerabilities in your virtual machines should be remediated,Risk Management,RM.2.141,ML-2,3.11.1,RA-3 +Vulnerability Assessment settings for SQL server should contain an email address to receive scan reports,Risk Management,RM.2.141,ML-2,3.11.1,RA-3 +Vulnerability assessment should be enabled on your SQL servers,Risk Management,RM.2.141,ML-2,3.11.1,RA-3 +Azure Defender for SQL should be enabled for unprotected SQL Managed Instances,Risk Management,RM.2.141,ML-2,3.11.1,RA-3 +Vulnerability assessment should be enabled on your SQL managed instances,Risk Management,RM.2.141,ML-2,3.11.1,RA-3 +Vulnerabilities in your virtual machines should be remediated,Risk Management,RM.2.142,ML-2,3.11.2,"RA-5, RA-5(5)" +Vulnerability Assessment settings for SQL server should contain an email address to receive scan reports,Risk Management,RM.2.142,ML-2,3.11.2,"RA-5, RA-5(5)" +Vulnerability assessment should be enabled on your SQL servers,Risk Management,RM.2.142,ML-2,3.11.2,"RA-5, RA-5(5)" +Azure Defender for SQL should be enabled for unprotected SQL Managed Instances,Risk Management,RM.2.142,ML-2,3.11.2,"RA-5, RA-5(5)" +Vulnerability assessment should be enabled on your SQL managed instances,Risk Management,RM.2.142,ML-2,3.11.2,"RA-5, RA-5(5)" +Vulnerabilities in security configuration on your machines should be remediated,Risk Management,RM.2.143,ML-2,3.11.3,RA-5 +Vulnerabilities in your virtual machines should be remediated,Risk 
Management,RM.2.143,ML-2,3.11.3,RA-5
+Vulnerability Assessment settings for SQL server should contain an email address to receive scan reports,Risk Management,RM.2.143,ML-2,3.11.3,RA-5
+Vulnerability assessment should be enabled on your SQL servers,Risk Management,RM.2.143,ML-2,3.11.3,RA-5
+Vulnerabilities in Azure Container Registry images should be remediated (powered by Qualys),Risk Management,RM.2.143,ML-2,3.11.3,RA-5
+Vulnerability Assessment settings for SQL server should contain an email address to receive scan reports,Risk Management,RM.3.144,ML-3,,"CA-2, PM-9, RA-3, SA-20"
+Azure Defender for Key Vault should be enabled,Risk Management,RM.3.144,ML-3,,"CA-2, PM-9, RA-3, SA-20"
+Azure Defender for Kubernetes should be enabled,Risk Management,RM.3.144,ML-3,,"CA-2, PM-9, RA-3, SA-20"
+Azure Defender for SQL servers on machines should be enabled,Risk Management,RM.3.144,ML-3,,"CA-2, PM-9, RA-3, SA-20"
+Azure Defender for Azure SQL Database servers should be enabled,Risk Management,RM.3.144,ML-3,,"CA-2, PM-9, RA-3, SA-20"
+Access to storage accounts with firewall and virtual network configurations should be restricted,System & Communications Protection,SC.1.175,ML-1,3.13.1,"SC-7, SA-8"
+Storage account public access should be disallowed,System & Communications Protection,SC.1.175,ML-1,3.13.1,"SC-7, SA-8"
+Windows machines should meet requirements for 'Security Options - Network Access',System & Communications Protection,SC.1.175,ML-1,3.13.1,"SC-7, SA-8"
+Windows machines should meet requirements for 'Security Options - Network Security',System & Communications Protection,SC.1.175,ML-1,3.13.1,"SC-7, SA-8"
+Non-internet-facing virtual machines should be protected with network security groups,System & Communications Protection,SC.1.175,ML-1,3.13.1,"SC-7, SA-8"
+Access to storage accounts with firewall and virtual network configurations should be restricted,System & Communications Protection,SC.1.176,ML-1,3.13.5,SC-7
+Subnets should be associated with a network security group,System & Communications Protection,SC.1.176,ML-1,3.13.5,SC-7
+Adaptive network hardening recommendations should be applied on internet facing virtual machines,System & Communications Protection,SC.1.176,ML-1,3.13.5,SC-7
+All network ports should be restricted on network security groups associated to your virtual machine,System & Communications Protection,SC.1.176,ML-1,3.13.5,SC-7
+Internet-facing virtual machines should be protected with network security groups,System & Communications Protection,SC.1.176,ML-1,3.13.5,SC-7
+Management ports of virtual machines should be protected with just-in-time network access control,System & Communications Protection,SC.2.179,ML-2,,
+[Enable if required] Storage accounts should use customer-managed key (CMK) for encryption,System & Communications Protection,SC.3.177,ML-3,3.13.11,SC-13
+Storage accounts should have infrastructure encryption,System & Communications Protection,SC.3.177,ML-3,3.13.11,SC-13
+"Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources",System & Communications Protection,SC.3.177,ML-3,3.13.11,SC-13
+Audit Windows machines that do not store passwords using reversible encryption,System & Communications Protection,SC.3.177,ML-3,3.13.11,SC-13
+Unattached disks should be encrypted,System & Communications Protection,SC.3.177,ML-3,3.13.11,SC-13
+Subnets should be associated with a network security group,System & Communications Protection,SC.3.180,ML-3,3.13.2,"SC-7, SA-8"
+Audit Windows machines that have the specified members in the Administrators group,System & Communications Protection,SC.3.181,ML-3,3.13.3,SC-2
+External accounts with owner permissions should be removed from your subscription,System & Communications Protection,SC.3.181,ML-3,3.13.3,SC-2
+A maximum of 3 owners should be designated for your subscription,System & Communications Protection,SC.3.181,ML-3,3.13.3,SC-2
+An Azure Active Directory administrator should be provisioned for SQL servers,System & Communications Protection,SC.3.181,ML-3,3.13.3,SC-2
+Deprecated accounts with owner permissions should be removed from your subscription,System & Communications Protection,SC.3.181,ML-3,3.13.3,SC-2
+Access to storage accounts with firewall and virtual network configurations should be restricted,System & Communications Protection,SC.3.183,ML-3,3.13.6,SC-7(5)
+Storage account public access should be disallowed,System & Communications Protection,SC.3.183,ML-3,3.13.6,SC-7(5)
+Windows machines should meet requirements for 'Security Options - Network Access',System & Communications Protection,SC.3.183,ML-3,3.13.6,SC-7(5)
+Windows machines should meet requirements for 'Security Options - Network Security',System & Communications Protection,SC.3.183,ML-3,3.13.6,SC-7(5)
+Non-internet-facing virtual machines should be protected with network security groups,System & Communications Protection,SC.3.183,ML-3,3.13.6,SC-7(5)
+Access to storage accounts with firewall and virtual network configurations should be restricted,System & Communications Protection,SC.3.185,ML-3,3.13.8,"SC-8, SC-8(1)"
+Function App should only be accessible over HTTPS,System & Communications Protection,SC.3.185,ML-3,3.13.8,"SC-8, SC-8(1)"
+Secure transfer to storage accounts should be enabled,System & Communications Protection,SC.3.185,ML-3,3.13.8,"SC-8, SC-8(1)"
+Web Application should only be accessible over HTTPS,System & Communications Protection,SC.3.185,ML-3,3.13.8,"SC-8, SC-8(1)"
+API App should only be accessible over HTTPS,System & Communications Protection,SC.3.185,ML-3,3.13.8,"SC-8, SC-8(1)"
+Key vaults should have purge protection enabled,System & Communications Protection,SC.3.187,ML-3,3.13.10,SC-12
+Firewall should be enabled on Key Vault,System & Communications Protection,SC.3.187,ML-3,3.13.10,SC-12
+Key vaults should have soft delete enabled,System & Communications Protection,SC.3.187,ML-3,3.13.10,SC-12
+Azure Defender for Key Vault should be enabled,System & Communications Protection,SC.3.187,ML-3,3.13.10,SC-12
+Keys using RSA cryptography should have a specified minimum key size,System & Communications Protection,SC.3.187,ML-3,3.13.10,SC-12
+Function App should only be accessible over HTTPS,System & Communications Protection,SC.3.190,ML-3,3.13.15,SC-23
+Web Application should only be accessible over HTTPS,System & Communications Protection,SC.3.190,ML-3,3.13.15,SC-23
+MFA should be enabled on accounts with owner permissions on your subscription,System & Communications Protection,SC.3.190,ML-3,3.13.15,SC-23
+MFA should be enabled on accounts with write permissions on your subscription,System & Communications Protection,SC.3.190,ML-3,3.13.15,SC-23
+MFA should be enabled on accounts with read permissions on your subscription,System & Communications Protection,SC.3.190,ML-3,3.13.15,SC-23
+Storage accounts should have infrastructure encryption,System & Communications Protection,SC.3.191,ML-3,3.13.16,SC-28
+Access to storage accounts with firewall and virtual network configurations should be restricted,System & Communications Protection,SC.3.191,ML-3,3.13.16,SC-28
+"Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources",System & Communications Protection,SC.3.191,ML-3,3.13.16,SC-28
+Unattached disks should be encrypted,System & Communications Protection,SC.3.191,ML-3,3.13.16,SC-28
+Double encryption should be enabled on Azure Data Explorer,System & Communications Protection,SC.3.191,ML-3,3.13.16,SC-28
+Microsoft Antimalware for Azure should be configured to automatically update protection signatures,System & Information Integrity,SI.1.210,ML-1,3.14.1,"SI-2,SI-3,SI-5"
+Vulnerabilities in security configuration on your machines should be remediated,System & Information Integrity,SI.1.210,ML-1,3.14.1,"SI-2,SI-3,SI-5"
+"Ensure that 'HTTP Version' is the latest, if used to run the Function app",System & Information Integrity,SI.1.210,ML-1,3.14.1,"SI-2,SI-3,SI-5"
+Python should be updated to the latest version for your function app,System & Information Integrity,SI.1.210,ML-1,3.14.1,"SI-2,SI-3,SI-5"
+"Ensure that 'HTTP Version' is the latest, if used to run the Web app",System & Information Integrity,SI.1.210,ML-1,3.14.1,"SI-2,SI-3,SI-5"
+Microsoft Antimalware for Azure should be configured to automatically update protection signatures,System & Information Integrity,SI.1.211,ML-1,3.14.2,"SI-2,SI-3,SI-5"
+Microsoft IaaSAntimalware extension should be deployed on Windows servers,System & Information Integrity,SI.1.211,ML-1,3.14.2,"SI-2,SI-3,SI-5"
+Endpoint protection health issues should be resolved on your machines,System & Information Integrity,SI.1.211,ML-1,3.14.2,"SI-2,SI-3,SI-5"
+Endpoint protection health failures should be remediated on virtual machine scale sets,System & Information Integrity,SI.1.211,ML-1,3.14.2,"SI-2,SI-3,SI-5"
+Microsoft Antimalware for Azure should be configured to automatically update protection signatures,System & Information Integrity,SI.1.212,ML-1,3.14.4,SI-3
+Microsoft Antimalware for Azure should be configured to automatically update protection signatures,System & Information Integrity,SI.1.213,ML-1,3.14.5,SI-3
+Microsoft IaaSAntimalware extension should be deployed on Windows servers,System & Information Integrity,SI.1.213,ML-1,3.14.5,SI-3
+Endpoint protection health issues should be resolved on your machines,System & Information Integrity,SI.1.213,ML-1,3.14.5,SI-3
+Azure Defender for Key Vault should be enabled,System & Information Integrity,SI.1.213,ML-1,3.14.5,SI-3
+Azure Defender for Kubernetes should be enabled,System & Information Integrity,SI.1.213,ML-1,3.14.5,SI-3
+Flow logs should be configured for every network security group,System & Information Integrity,SI.2.216,ML-2,3.14.6,"AU-2, AU-2(3), AU-6, SI-4, SI-4(4)"
+Virtual networks should be protected by Azure Firewall,System & Information Integrity,SI.2.216,ML-2,3.14.6,"AU-2, AU-2(3), AU-6, SI-4, SI-4(4)"
+Web Application Firewall (WAF) should use the specified mode for Azure Front Door Service,System & Information Integrity,SI.2.216,ML-2,3.14.6,"AU-2, AU-2(3), AU-6, SI-4, SI-4(4)"
+Web Application Firewall (WAF) should be enabled for Application Gateway,System & Information Integrity,SI.2.216,ML-2,3.14.6,"AU-2, AU-2(3), AU-6, SI-4, SI-4(4)"
+An activity log alert should exist for Delete SQL Server Firewall Rule,System & Information Integrity,SI.2.216,ML-2,3.14.6,"AU-2, AU-2(3), AU-6, SI-4, SI-4(4)"
+An activity log alert should exist for Delete SQL Server Firewall Rule,System & Information Integrity,SI.2.217,ML-2,3.14.7,SI-4
+An activity log alert should exist for the Delete Network Security Group Rule,System & Information Integrity,SI.2.217,ML-2,3.14.7,SI-4
+An activity log alert should exist for Delete Network Security Solution,System & Information Integrity,SI.2.217,ML-2,3.14.7,SI-4
+Activity log should be retained for at least one year,System & Information Integrity,SI.2.217,ML-2,3.14.7,SI-4
+Azure Monitor should collect activity logs from all regions,System & Information Integrity,SI.2.217,ML-2,3.14.7,SI-4A1:F242