| Description |
Service |
Rule |
| Ensure Virtual Machines are utilizing Managed Disks |
Migrate BLOB based VHD's to Managed Disks on Virtual Machines |
Compute
|
VirtualMachine should have UnmanagedDisks len() eq 0 |
| Ensure that 'OMS Agent' is enabled for the 'addon profile |
OMS Agent to be enabled in the addon profile |
Kubernetes
|
AKSCluster should have AddonProfiles . OMSAgent . Enabled eq true |
| Ensure that Microsoft Defender for Container Registries is set to 'On' |
Turning on Microsoft Defender for Container Registries enables threat detection for Container Registries, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud. |
SecurityCenter
|
AzureDefender should have AzureDefenderForContainerRegistries |
| Microsoft Defender for Cloud: Ensure that Microsoft Defender for Kubernetes is set to 'On' |
Turning on Microsoft Defender for Kubernetes enables threat detection for Kubernetes, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud. |
SecurityCenter
|
AzureDefender should have AzureDefenderForKubernetes |
| Azure Defender protection: Ensure that Microsoft Defender for Servers is set to 'On' |
Turning on Azure Defender enables threat detection for Server, providing threat intelligence, anomaly detection, and behavior analytics in the Azure Security Center. |
SecurityCenter
|
AzureDefender should have AzureDefenderForServer |
| Vulnerability management plan: Ensure that VM agent is installed |
Install VM agent on Virtual Machines |
Compute
|
VirtualMachine should have Extensions with [ ExtensionType eq "MicrosoftMonitoringAgent" and ProvisioningState eq "Succeeded" ] |
| Ensure that 'site authentication' is enabled on 'Function app' |
Check for authentication is enabled on Function app |
Function
|
FunctionApp should have every AuthSettings with [ Enabled eq true ] |
| Ensure ASC Default policy setting 'Monitor Disk Encryption' is not 'Disabled' |
Enable Disk encryption recommendations for virtual machines. |
SecurityCenter
|
SecurityCenterPolicy should have VMDiskEncryption in ( "AuditIfNotExists", "Audit" ) |
| Ensure ASC Default policy setting 'Monitor Endpoint Protection' is not 'Disabled' |
Enable Endpoint protection recommendations for virtual machines. |
SecurityCenter
|
SecurityCenterPolicy should have VMEndpointProtection in ( "AuditIfNotExists", "Audit" ) |
| Ensure ASC Default policy setting 'Monitor JIT Network Access' is not 'Disabled' |
Enable JIT Network Access for virtual machines. |
SecurityCenter
|
SecurityCenterPolicy should have VMJITNetworkAccess in ( "AuditIfNotExists", "Audit" ) |
| Ensure ASC Default policy setting 'Monitor Network Security Groups' is not 'Disabled' |
Enable Network security groups recommendations for virtual machines. |
SecurityCenter
|
SecurityCenterPolicy should have VMNetworkSecurityGroups in ( "AuditIfNotExists", "Audit" ) |
| Ensure ASC Default policy setting 'Monitor OS Vulnerabilities' is not 'Disabled' |
Enable OS vulnerabilities recommendations for virtual machines. |
SecurityCenter
|
SecurityCenterPolicy should have VMSecurityConfigurations in ( "AuditIfNotExists", "Audit" ) |
| Ensure ASC Default policy setting 'Monitor System Updates' is not 'Disabled' |
Enable system updates recommendations for virtual machines. |
SecurityCenter
|
SecurityCenterPolicy should have VMSystemUpdates in ( "AuditIfNotExists", "Audit" ) |
| Ensure ASC Default policy setting 'Monitor Vulnerability Assessment' is not 'Disabled' |
Enable Vulnerability assessment recommendations for virtual machines. |
SecurityCenter
|
SecurityCenterPolicy should have VMVulnerabilityAssessment in ( "AuditIfNotExists", "Audit" ) |
| Ensure ASC Default policy setting 'Monitor Web Application Firewall' is not 'Disabled' |
Enable Web application firewall recommendations for virtual machines. |
SecurityCenter
|
SecurityCenterPolicy should have VMWebApplicationFirewall in ( "AuditIfNotExists", "Audit" ) |
| Ensure that 'Unattached disks' are encrypted with CMK |
Ensure that unattached disks in a subscription are encrypted with a Customer Managed Key |
Compute
|
Disk where DiskAttachment eq "Unattached" should have Encrypted |
| Ensure that 'Data disks' are encrypted |
Ensure that Data disks (non-boot volumes) are encrypted, where possible |
Compute
|
VirtualMachine should have DiskEncryptionStatus . DataDisk |
| Ensure that the endpoint protection for all Virtual Machines is installed |
Install Endpoint Protection for all Virtual Machines. |
Compute
|
VirtualMachine should have Extensions with [ ExtensionType in ( "EndpointSecurity", "TrendMicroDSA*", "Antimalware" , "EndpointProtection" , "SCWPAgent", "PortalProtectExtension*" , "FileSecurity*" ) ] |
| Description |
Service |
Rule |
| Ensure that 'non-public access' to 'CosmosDB' |
Ensure that 'non-public access' to 'CosmosDB' |
Database
|
CosmosDB should not have IpRules with [ value isPublic() ] |
| SQL Server protection: Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled |
Disable access from Azure services to PostgreSQL Database Server |
SQL
|
PostgreSQLServer should not have firewall_rules with [properties.startIpAddress eq "0.0.0.0" and properties.endIpAddress eq "0.0.0.0"] |
| Ensure storage for critical data are encrypted with Customer Managed Key |
Enable sensitive data encryption at rest using Customer Managed Keys rather than Microsoft Managed keys |
Storage
|
StorageAccount should have EncryptionType eq "Microsoft.Keyvault" |
| Identities and credentials: Ensure that Azure Active Directory Admin is configured for SQL Servers |
Use Azure Active Directory Authentication for authentication with SQL Database. |
SQL
|
SQLServer should have ADAdmin . Status |
| Microsoft Defender for Cloud: Ensure that Microsoft Defender for Cloud Apps (MCAS) Integration with Microsoft Defender for Cloud is Selected |
This setting enables Microsoft Defender for Cloud Apps (MCAS) integration with Microsoft Defender for Cloud. |
SecurityCenter
|
SecurityCenterPolicy should have MCASIntegratedWithSecurityCenter |
| Ensure that 'OS and Data' disks are encrypted with CMK |
Ensure that OS disks (boot volumes) and data disks (non-boot volumes) are encrypted with CMK (Customer Managed Keys). Customer Managed keys can be either ADE or Server Side Encryption (SSE) |
Compute
|
VirtualMachine should have DiskEncryptionStatus . OSDisk and DiskEncryptionStatus . DataDisk |
| Audit/log records: Ensure that 'Threat Detection' Retention is 'greater than 90 days' for SQL Servers |
SQL Server Threat Detection Retention should be configured to be greater than 90 days. |
SQL
|
SQLServer should have ( ThreatPolicy . RetentionDays gte 90 or ThreatPolicy . RetentionDays lte 0 ) |
| SQL Server protection: Ensure that Vulnerability Assessment Setting 'Also send email notifications to admins and subscription owners' is Set for Each SQL server |
Enable Vulnerability Assessment (VA) setting 'Also send email notifications to admins and subscription owners' |
SQL
|
SQLServer should have VulnerabilityAssessment.EmailSubscriptionAdmins |
| Ensure the storage container storing the activity logs is not publicly accessible |
The storage account container containing the activity log export should not be publicly accessible |
Monitor
|
ActivityLogProfile should have StorageContainerPublicAccess eq "None" |
| Ensure that Activity Log Alert exists for Delete SQL Server Firewall Rule |
Create an Activity Log Alert for the Delete SQL Server Firewall Rule event. |
Monitor
|
Azure should have atleast one ActivityLogAlert with [ Conditions with [ Value like "microsoft.sql/servers/firewallrules/delete" ] ] |
| Ensure that a Log Profile exists |
Enable log profile for exporting activity logs. |
Monitor
|
Azure should have ActivityLogProfile len () > 0 |
| Data-at-rest is protected: Ensure that 'Public access level' is set to Private for blob containers |
Disable anonymous access to blob containers. |
Storage
|
StorageAccount should have every BlobContainers with [ Access eq "None" ] or not AllowBlobPublic |
| Ensure default network access rule for Storage Accounts is set to deny |
Restricting default network access helps to provide a new layer of security, since storage accounts accept connections from clients on any network. To limit access to selected networks, the default action must be changed |
Storage
|
StorageAccount should not have ACL.DefaultAction eq "Allow" |
| Ensure 'Trusted Microsoft Services' are Enabled for Storage Account Access |
Some Microsoft services that interact with storage accounts operate from networks that can't be granted access through network rules. To help this type of service work as intended, allow the set of trusted Microsoft services to bypass the network rules. These services will then use strong authentication to access the storage account. If the Allow trusted Microsoft services exception is enabled, the following services: Azure Backup, Azure Site Recovery, Azure DevTest Labs, Azure Event Grid, Azure Event Hubs, Azure Networking, Azure Monitor and Azure SQL Data Warehouse (when registered in the subscription), are granted access to the storage account. |
Storage
|
StorageAccount should have ACL.Bypass has ( "AzureServices") |
| Ensure that 'Threat Detection' Retention is 'greater than 90 days' for SQL Databases |
SQL Database Threat Detection Retention should be configured to be greater than 90 days. |
SQL
|
SQLDatabase should have ( ThreatPolicy . RetentionDays gte 90 or ThreatPolicy . RetentionDays lte 0 ) |
| Ensure that Data encryption is set to On on a SQL Database |
Enable Transparent Data Encryption on every SQL Database |
SQL
|
SQLDatabase should have DataEncryption.TransparentDataEncryptionStatus eq "Enabled" |
| Ensure audit profile captures all the activities |
The log profile should be configured to export all activities from the control/management |
Monitor
|
ActivityLogProfile should have Categories has ("Write") and Categories has ("Delete") and Categories has ("Action") |
| Ensure the log profile captures activity logs for all regions including global |
Configure the log profile to export activities from all Azure supported regions/locations including global. |
Monitor
|
ActivityLogProfile should have AllRegion eq true |
| Ensure that Activity Log Alert exists for Create Policy Assignment |
Create an activity log alert for the Create Policy Assignment event. |
Monitor
|
Azure should have atleast one ActivityLogAlert with [ SubscriptionScope and RegionName eq "global" and Enabled and ActionGroupId len () gt 0 and Conditions with [ Field eq "operationName" and Value like "Microsoft.Authorization/policyAssignments/write" ] ] |
| Ensure that Activity Log Alert exists for Create or Update Network Security Group |
Create an activity log alert for Create or Update Network Security Group event. |
Monitor
|
Azure should have atleast one ActivityLogAlert with [ SubscriptionScope and RegionName eq "global" and Enabled and ActionGroupId len () gt 0 and Conditions with [ Field eq "operationName" and Value like "Microsoft.Network/networkSecurityGroups/write" ] ] |
| Ensure that Activity Log Alert exists for Delete Network Security Group |
Create an activity log alert for Delete Network Security Group event. |
Monitor
|
Azure should have atleast one ActivityLogAlert with [ SubscriptionScope and RegionName eq "global" and Enabled and ActionGroupId len () gt 0 and Conditions with [ Field eq "operationName" and Value like "Microsoft.Network/networkSecurityGroups/delete" ] ] |
| Ensure that Activity Log Alert exists for Create or Update Network Security Group Rule |
Create an activity log alert for the Create or Update Network Security Group Rule event |
Monitor
|
Azure should have atleast one ActivityLogAlert with [ SubscriptionScope and RegionName eq "global" and Enabled and ActionGroupId len () gt 0 and Conditions with [ Field eq "operationName" and Value like "Microsoft.Network/networkSecurityGroups/securityRules/write" ] ] |
| Ensure that activity log alert exists for the Delete Network Security Group Rule |
Create an activity log alert for the Delete Network Security Group Rule event |
Monitor
|
Azure should have atleast one ActivityLogAlert with [ SubscriptionScope and RegionName eq "global" and Enabled and ActionGroupId len () gt 0 and Conditions with [ Field eq "operationName" and Value like "Microsoft.Network/networkSecurityGroups/securityRules/delete" ] ] |
| Ensure that Activity Log Alert exists for Create or Update Security Solution |
Create an activity log alert for the Create or Update Security Solution event. |
Monitor
|
Azure should have atleast one ActivityLogAlert with [ SubscriptionScope and RegionName eq "global" and Enabled and ActionGroupId len () gt 0 and Conditions with [ Field eq "operationName" and Value like "Microsoft.Security/securitySolutions/write" ] ] |
| Ensure that Activity Log Alert exists for Delete Security Solution |
Create an activity log alert for the Delete Security Solution event. |
Monitor
|
Azure should have atleast one ActivityLogAlert with [ SubscriptionScope and RegionName eq "global" and Enabled and ActionGroupId len () gt 0 and Conditions with [ Field eq "operationName" and Value like "Microsoft.Security/securitySolutions/delete" ] ] |
| Azure Defender protection: Ensure that Microsoft Defender for Azure SQL Databases is set to 'On' |
Turning on Azure Defender enables threat detection for Azure SQL database servers, providing threat intelligence, anomaly detection, and behavior analytics in the Azure Security Center. |
SecurityCenter
|
AzureDefender should have AzureDefenderForAzureSQLDataBaseServers |
| Microsoft Defender for Cloud: Ensure that Microsoft Defender for Key Vault is set to 'On' |
Turning on Microsoft Defender for Key Vault enables threat detection for Key Vault, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud. |
SecurityCenter
|
AzureDefender should have AzureDefenderForKeyVault |
| Microsoft Defender for Cloud: Ensure that Microsoft Defender for SQL servers on machines is set to 'On' |
Turning on Microsoft Defender for SQL servers on machines enables threat detection for SQL servers on machines, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud. |
SecurityCenter
|
AzureDefender should have AzureDefenderForSQLServersOnMachine |
| Azure Defender protection: Ensure that Microsoft Defender for Storage is set to 'On' |
Turning on Azure Defender enables threat detection for Storage, providing threat intelligence, anomaly detection, and behavior analytics in the Azure Security Center. |
SecurityCenter
|
AzureDefender should have AzureDefenderForStorage |
| Data-at-rest is protected: Ensure that 'OS disk' are encrypted |
Ensure that OS disks (boot volumes) are encrypted, where possible |
Compute
|
VirtualMachine should have DiskEncryptionStatus . OSDisk |
| Ensure that the expiry date is set on all Keys |
Ensure that all Keys in Azure Key Vault have an expiry time set. |
KeyVault
|
KeyVault should not have Keys with [ Expires eq False ] |
| Ensure that the expiry date is set on all Secrets |
Ensure that all Secrets in Azure Key Vault have an expiry time set. |
KeyVault
|
KeyVault should not have Secrets with [ Expires eq False ] |
| Ensure that logging for Azure KeyVault is 'Enabled' |
Enable AuditEvent logging for Key Vault instances to ensure interactions with key vaults are logged and available. |
KeyVault
|
KeyVault should have DiagnosticSettings with [ StorageAccountId len ( ) gt 0 and Logs with [ Category len ( ) gt 0 and LogEnabled and ( RetentionPolicy . Days gte 180 or RetentionPolicy . Days eq 0 ) ] ] |
| Ensure that 'Storage Encryption' is set to 'On' |
Enable Storage Encryption recommendations. |
SecurityCenter
|
SecurityCenterPolicy should have StorageEncryption in ( "AuditIfNotExists", "Audit" ) |
| Ensure that 'Auditing' is set to 'On' for SQL Databases |
Enable auditing on SQL Databases. |
SQL
|
SQLDatabase should have AuditPolicy . State eq "Enabled" |
| Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL Databases |
SQL Database Audit Retention should be configured to be greater than 90 days. |
SQL
|
SQLDatabase should have ( AuditPolicy . RetentionDays gte 90 or AuditPolicy . RetentionDays lte 0 ) |
| Ensure that 'Auditing' is set to 'On' for SQL Servers |
Enable auditing on SQL Servers. |
SQL
|
SQLServer should have AuditPolicy . State eq "Enabled" |
| Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL Servers |
SQL Server Audit Retention should be configured to be greater than 90 days. |
SQL
|
SQLServer should have ( AuditPolicy . RetentionDays gte 90 or AuditPolicy . RetentionDays lte 0 ) |
| Ensure that 'Storage service encryption' is set to Enabled for Blob Service |
Enable data encryption at rest for blobs. |
Storage
|
StorageAccount should have BlobEncryptionEnabled |
| Ensure that 'Storage service encryption' is set to Enabled for File Service |
Enable data encryption at rest for file service. |
Storage
|
StorageAccount should have FileEncryptionEnabled |
| Ensure that storage account access keys are periodically regenerated |
Regenerate storage account access keys every 90 days |
Storage
|
StorageAccount should have KeyRegenerated |
| Ensure that 'Threat Detection' is set to 'On' for SQL Databases |
Enable threat detection on SQL Databases. |
SQL
|
SQLDatabase should have ThreatPolicy . State eq "Enabled" |
| Ensure that 'Threat Detection Types' is set to 'All' for SQL Databases |
Enable all types of threat detection on SQL Databases. |
SQL
|
SQLDatabase should have ThreatPolicy . State eq "Enabled" and not ( ThreatPolicy . DisabledAlerts like "Sql" or ThreatPolicy . DisabledAlerts like "Anomaly" ) |
| Ensure that 'Send Alerts to' is set for SQL Databases |
Provide the email address to which alerts will be sent upon detection of anomalous activities on SQL Databases. |
SQL
|
SQLDatabase should have ThreatPolicy . EmailAddresses len() gt 0 |
| Ensure that Activity Log Alert exists for Create or Update or Delete SQL Server Firewall Rule |
Create an activity log alert for the Create or Update or Delete SQL Server Firewall Rule event. |
Monitor
|
Azure should have atleast one ActivityLogAlert with [ SubscriptionScope and RegionName eq "global" and Enabled and ActionGroupId len () gt 0 and Conditions with [ Field eq "operationName" and Value like "Microsoft.Sql/servers/firewallRules/write" ] ] |
| Ensure that Activity Log Alert exists for Update Security Policy |
Create an activity log alert for the Update Security Policy event. |
Monitor
|
Azure should have atleast one ActivityLogAlert with [ SubscriptionScope and RegionName eq "global" and Enabled and ActionGroupId len () gt 0 and Conditions with [ Field eq "operationName" and Value like "Microsoft.Security/policies/write" ] ] |
| Ensure the key vault is recoverable |
It is recommended the key vault be made recoverable by enabling the Do Not Purge and Soft Delete functions. This is in order to prevent loss of encrypted data including storage accounts, SQL databases, and/or dependent services provided by key vault objects (Keys, Secrets, Certificates) etc., as may happen in the case of accidental deletion by a user or from disruptive activity by a malicious user. |
KeyVault
|
KeyVault should have EnableSoftDelete and EnablePurgeProtection |
| Description |
Service |
Rule |
| Ensure LoadBalancer doesnot have public ip |
LoadBalancer frontend ip config should not have public IPs |
Network
|
LoadBalancer should have public_ip len() eq 0 |
| Ensure that UDP Services are restricted from the Internet |
Disable Internet exposed UDP ports on network security groups |
Network
|
VirtualMachine should not have NetworkInterfaces with [ SecurityGroup . SecurityRules with [ Access eq "Allow" and Direction eq "Inbound" and Protocol in ("*", "UDP") and Destination . PortRange with [ ( FromPort lte 22 and ToPort gte 22 ) or ( FromPort lte 53 and ToPort gte 53 ) or ( FromPort lte 67 and ToPort gte 67 ) or ( FromPort lte 80 and ToPort gte 80 ) or ( FromPort lte 123 and ToPort gte 123 ) or ( FromPort lte 161 and ToPort gte 161 ) or ( FromPort lte 389 and ToPort gte 389 ) or ( FromPort lte 443 and ToPort gte 443 ) or ( FromPort lte 520 and ToPort gte 520 ) or ( FromPort lte 547 and ToPort gte 547 ) or ( FromPort lte 1433 and ToPort gte 1433 ) or ( FromPort lte 1521 and ToPort gte 1521 ) or ( FromPort lte 1900 and ToPort gte 1900 ) or ( FromPort lte 3306 and ToPort gte 3306 ) or ( FromPort lte 3389 and ToPort gte 3389 ) or ( FromPort lte 5432 and ToPort gte 5432 ) or ( FromPort lte 27019 and ToPort gte 27017 ) ] and ( ( Source . Type eq "Any" ) or ( Source . Type eq "Service Tag" and Source . ServiceTag eq "Internet" ) or ( Source . Type eq "IP Addresses" and Source . Addresses with [ Prefix in ( "0.0.0.0/0", "::/0", "/0", "/0" ) ] ) ) ] ] |
| Ensure server parameter log_checkpoints is set to ON for PostgreSQL Database Server |
Enable log_checkpoints on PostgreSQL Servers |
SQL
|
PostgreSQLServer should have log_checkpoints like "(?i)on" |
| Ensure that RDP access is restricted from the internet |
Check Network Security Groups for any inbound access from the Internet to RDP port 3389 (UDP or TCP). |
Network
|
VirtualMachine should not have NetworkInterfaces with [ SecurityGroup . SecurityRules with [ Access eq "Allow" and Direction eq "Inbound" and Protocol in ("*", "TCP") and Destination . PortRange with [ FromPort lte 3389 and ToPort gte 3389 ] and ( ( Source . Type eq "Any" ) or ( Source . Type eq "Service Tag" and Source . ServiceTag eq "Internet" ) or ( Source . Type eq "IP Addresses" and Source . Addresses with [ Prefix in ( "0.0.0.0/0", "::/0", "/0", "/0" ) ] ) ) ] ] |
| Ensure that SSH access is restricted from the internet |
Disable SSH access on Network Security Groups from Internet |
Network
|
VirtualMachine should not have NetworkInterfaces with [ SecurityGroup . SecurityRules with [ Access eq "Allow" and Direction eq "Inbound" and Protocol in ("*", "TCP") and Destination . PortRange with [ FromPort lte 22 and ToPort gte 22 ] and ( ( Source . Type eq "Any" ) or ( Source . Type eq "Service Tag" and Source . ServiceTag eq "Internet" ) or ( Source . Type eq "IP Addresses" and Source . Addresses with [ Prefix in ( "0.0.0.0/0", "::/0", "/0", "/0" ) ] ) ) ] ] |
| Do not allow default Network Security Groups |
Check for Network Security Groups with only default rules, which by default allows all outbound Internet traffic. |
Network
|
NetworkSecurityGroup should have SecurityRules len() gt 0 and no SecurityRules with [ Access eq "Allow" and Direction eq "Inbound" and ( ( Source . Type eq "Any" ) or ( Source . Type eq "Service Tag" and Source . ServiceTag eq "Internet" ) or ( Source . Type eq "IP Addresses" and Source . Addresses with [ Prefix in ( "0.0.0.0/0", "::/0", "/0", "/0") ] ) ) ] and SecurityRules with [ Access eq "Deny" and Direction eq "Outbound" and ( ( Destination . PortRange with [ ( FromPort eq 0 and ToPort eq 65535 ) ] ) and ( ( Destination . Type eq "Any" ) or ( Destination . Type eq "IP Addresses" and Destination . Addresses with [ Prefix in ( "0.0.0.0/0", "::/0", "/0", "/0" ) ] ) or ( Destination . Type eq "Service Tag" and Destination . ServiceTag eq "Internet" ) ) ) ] |
| Ensure that all inbound traffic from the Internet is restricted |
Check Network Security Groups for rules allowing any inbound traffic from the Internet. |
Network
|
NetworkSecurityGroup should not have SecurityRules with [ Access eq "Allow" and Direction eq "Inbound" and ( ( Source . Type eq "Any" ) or ( Source . Type eq "Service Tag" and Source . ServiceTag eq "Internet" ) or ( Source . Type eq "IP Addresses" and ( Source . Addresses with [ Prefix isPublic() or Prefix in ( "/0", "/0") ] ) ) ) ] |
| Communications and control network protection: Ensure that SQL server access is restricted from the internet |
Ensure that no SQL Databases allow ingress from the internet. |
SQL
|
SQLServer should not have FirewallRule with [ StartIP eq 0.0.0.0 and EndIP eq 0.0.0.0 ] |
| Ensure that relational database access is restricted from the Internet |
Ensure that common SQL Database (SQLServer, mySQL, Oracle, Postgres) ports are not allowed inbound access from the internet. |
Network
|
NetworkSecurityGroup should not have SecurityRules with [ Access eq "Allow" and Direction eq "Inbound" and Protocol in ("*", "UDP", "TCP") and ( Destination . PortRange with [ ( FromPort lte 1433 and ToPort gte 1433 ) or ( FromPort lte 3306 and ToPort gte 3306 ) or ( FromPort lte 1521 and ToPort gte 1521 ) or ( FromPort lte 5432 and ToPort gte 5432 ) ] ) and ( ( Source . Type eq "Any" ) or ( Source . Type eq "Service Tag" and Source . ServiceTag eq "Internet" ) or ( Source . Type eq "IP Addresses" and Source . Addresses with [ Prefix in ( "0.0.0.0/0", "::/0", "/0", "/0") ] ) ) ] |
| Ensure that inbound access from the Internet is restricted |
Make sure Network Security Groups do not allow any inbound access from the Internet. |
Network
|
NetworkSecurityGroup should not have SecurityRules with [ Access eq "Allow" and Direction eq "Inbound" and Protocol in ("*", "UDP", "TCP") and ( Destination . PortRange with [ ( FromPort eq 0 and ToPort eq 65535 ) ] ) and ( ( Source . Type eq "Any" ) or ( Source . Type eq "Service Tag" and Source . ServiceTag eq "Internet" ) or ( Source . Type eq "IP Addresses" and Source . Addresses with [ Prefix in ( "0.0.0.0/0", "::/0", "/0", "/0") ] ) ) ] |
| Ensure that Network Security Group Flow Log retention period is greater than 90 days |
Network Security Group Flow Logs should be enabled and retention period is set to greater than or equal to 90 days. |
Network
|
NetworkSecurityGroup should have FlowLog . RetentionPolicy . Days gt 90 and FlowLog . RetentionPolicy . Enabled |
| Ensure that clear text protocols from the Internet are restricted |
Check Network Security Groups for inbound access of clear-text protocols (telnet, SMTP, POP, IMAP, and SNMP) from the Internet. |
Network
|
NetworkSecurityGroup should not have SecurityRules with [ Access eq "Allow" and Direction eq "Inbound" and ( ( Protocol in ( "*", "TCP" ) and ( Destination . PortRange with [ ( FromPort lte 23 and ToPort gte 23 ) or ( FromPort lte 25 and ToPort gte 25 ) or ( FromPort lte 110 and ToPort gte 110 ) or ( FromPort lte 143 and ToPort gte 143 ) or ( FromPort lte 162 and ToPort gte 161 ) ] ) ) or ( Protocol in ( "*" , "UDP" ) and ( Destination . PortRange with [ ( FromPort lte 162 and ToPort gte 161 ) ] ) ) ) and ( ( Source . Type eq "Any" ) or ( Source . Type eq "Service Tag" and Source . ServiceTag eq "Internet" ) or ( Source . Type eq "IP Addresses" and Source . Addresses with [ Prefix in ( "0.0.0.0/0", "::/0", "/0", "/0") ] ) ) ] |
| Ensure that commonly-attacked ports access are restricted from the Internet |
Prevent inbound access from the Internet to commonly attacked ports (TCP 0, 19, 135-139, 445, 1080, 5900) and (UDP 67, 520, 547, 1900). |
Network
|
NetworkSecurityGroup should not have SecurityRules with [ Access eq "Allow" and Direction eq "Inbound" and ( ( Protocol in ( "*", "TCP" ) and ( Destination . PortRange with [ ( FromPort lte 0 and ToPort gte 0 ) or ( FromPort lte 19 and ToPort gte 19 ) or ( FromPort lte 139 and ToPort gte 135 ) or ( FromPort lte 445 and ToPort gte 445 ) or ( FromPort lte 1080 and ToPort gte 1080 ) or ( FromPort lte 5800 and ToPort gte 5800 ) or ( FromPort lte 5900 and ToPort gte 5900) ] ) ) or ( Protocol in ( "*", "UDP" ) and ( Destination . PortRange with [ ( FromPort lte 19 and ToPort gte 19 ) or ( FromPort lte 123 and ToPort gte 123 ) or ( FromPort lte 67 and ToPort gte 67 ) or ( FromPort lte 139 and ToPort gte 135 ) or ( FromPort lte 445 and ToPort gte 445 ) or ( FromPort lte 520 and ToPort gte 520 ) or ( FromPort lte 547 and ToPort gte 547 ) or ( FromPort lte 1900 and ToPort gte 1900 ) ] ) ) ) and ( ( Source . Type eq "Any" ) or ( Source . Type eq "Service Tag" and Source . ServiceTag eq "Internet" ) or ( Source . Type eq "IP Addresses" and Source . Addresses with [ Prefix in ( "0.0.0.0/0", "::/0", "/0", "/0" ) ] ) ) ] |
| Ensure that FTP access is restricted from the Internet |
Check Network Security Groups for FTP access from the Internet. |
Network
|
NetworkSecurityGroup should not have SecurityRules with [ Access eq "Allow" and Direction eq "Inbound" and Protocol in ("*", "TCP") and ( Destination . PortRange with [ ( FromPort lte 21 and ToPort gte 20 ) ] ) and ( ( Source . Type eq "Any" ) or ( Source . Type eq "Service Tag" and Source . ServiceTag eq "Internet" ) or ( Source . Type eq "IP Addresses" and Source . Addresses with [ Prefix in ( "0.0.0.0/0", "::/0", "/0", "/0") ] ) ) ] |
| Prevent inbound traffic from the Internet that has spoofed or invalid src IP addresses |
Prevent any inbound traffic from the internet that has unroutable, reserved, or invalid source IP addresses. |
Network
|
NetworkSecurityGroup should not have SecurityRules with [ Access eq "Allow" and Direction eq "Inbound" and ( ( Source . Type eq "Any" ) or ( Source . Type eq "IP Addresses" and Source . Addresses with [ Prefix in ( "0.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16", "192.0.0.0/24", "192.0.2.0/24", "192.88.99.0/24", "198.18.0.0/15", "198.51.100.0/25", "203.0.113.0/24", "224.0.0.0/4", "240.0.0.0/4", "255.255.255.255/32", "0.0.0.0/0" ) ] ) ) ] |
| Description |
Service |
Rule |
| Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL Servers |
SQL Server Audit Retention should be configured to be greater than 90 days. |
SQL
|
SQLServer should have ( AuditPolicy . RetentionDays gte 90 or AuditPolicy . RetentionDays lte 0 ) |
| Audit/log records: Ensure that 'Threat Detection' Retention is 'greater than 90 days' for SQL Servers |
SQL Server Threat Detection Retention should be configured to be greater than 90 days. |
SQL
|
SQLServer should have ( ThreatPolicy . RetentionDays gte 90 or ThreatPolicy . RetentionDays lte 0 ) |
| Ensure that the expiry date is set on all Keys |
Ensure that all Keys in Azure Key Vault have an expiry time set. |
KeyVault
|
KeyVault should not have Keys with [ Expires eq False ] |
| Ensure that the expiry date is set on all Secrets |
Ensure that all Secrets in Azure Key Vault have an expiry time set. |
KeyVault
|
KeyVault should not have Secrets with [ Expires eq False ] |
| Ensure ASC Default policy setting 'Monitor Disk Encryption' is not 'Disabled' |
Enable Disk encryption recommendations for virtual machines. |
SecurityCenter
|
SecurityCenterPolicy should have VMDiskEncryption in ( "AuditIfNotExists", "Audit" ) |
| Ensure that 'Storage Encryption' is set to 'On' |
Enable Storage Encryption recommendations. |
SecurityCenter
|
SecurityCenterPolicy should have StorageEncryption in ( "AuditIfNotExists", "Audit" ) |
| Ensure ASC Default policy setting 'Monitor SQL Encryption' is not 'Disabled' |
Enable SQL Encryption recommendations. |
SecurityCenter
|
SecurityCenterPolicy should have SQLEncryption in ( "AuditIfNotExists", "Audit" ) |
| Ensure that 'Secure transfer required' is set to 'Enabled' |
Enable data encryption is transit. |
Storage
|
StorageAccount should have EnableHttpsTrafficOnly |
| Ensure that 'Storage service encryption' is set to Enabled for Blob Service |
Enable data encryption at rest for blobs. |
Storage
|
StorageAccount should have BlobEncryptionEnabled |
| Ensure that 'Storage service encryption' is set to Enabled for File Service |
Enable data encryption at rest for file service. |
Storage
|
StorageAccount should have FileEncryptionEnabled |
| Data-at-rest is protected: Ensure that 'OS disk' are encrypted |
Ensure that OS disks (boot volumes) are encrypted, where possible |
Compute
|
VirtualMachine should have DiskEncryptionStatus . OSDisk |
| Ensure that 'Data disks' are encrypted |
Ensure that Data disks (non-boot volumes) are encrypted, where possible |
Compute
|
VirtualMachine should have DiskEncryptionStatus . DataDisk |
| Identities and credentials: Ensure that there are no guest users |
Do not add guest users if not needed. |
AAD
|
User should not have Type eq "Guest" |
| Identities and credentials: Ensure that no custom subscription owner roles are created |
Do not create custom roles with subscription ownership. It is recommended to use the principle of least privilege, assigning only needed privileges instead of allowing full administrative access. |
Auth
|
Role should not have ( Type eq "CustomRole" and Permissions with [ Actions has ( "*" ) ] ) |
| Identities and credentials: Ensure that Azure Active Directory Admin is configured for SQL Servers |
Use Azure Active Directory Authentication for authentication with SQL Database. |
SQL
|
SQLServer should have ADAdmin . Status |
| Ensure that a Log Profile exists |
Enable log profile for exporting activity logs. |
Monitor
|
Azure should have ActivityLogProfile len () > 0 |
| Ensure that Activity Log Retention is set 365 days or greater |
Ensure Activity Log Retention is set for 365 days or greater |
Monitor
|
ActivityLogProfile should have (RetentionEnabled and RetentionDays gte 365) or (RetentionEnabled eq False and RetentionDays eq 0) |
| Ensure that Activity Log Alert exists for Create Policy Assignment |
Create an activity log alert for the Create Policy Assignment event. |
Monitor
|
Azure should have atleast one ActivityLogAlert with [ SubscriptionScope and RegionName eq "global" and Enabled and ActionGroupId len () gt 0 and Conditions with [ Field eq "operationName" and Value like "Microsoft.Authorization/policyAssignments/write" ] ] |
| Ensure that Activity Log Alert exists for Create or Update Network Security Group |
Create an activity log alert for Create or Update Network Security Group event. |
Monitor
|
Azure should have atleast one ActivityLogAlert with [ SubscriptionScope and RegionName eq "global" and Enabled and ActionGroupId len () gt 0 and Conditions with [ Field eq "operationName" and Value like "Microsoft.Network/networkSecurityGroups/write" ] ] |
| Ensure that Activity Log Alert exists for Delete Network Security Group |
Create an activity log alert for Delete Network Security Group event. |
Monitor
|
Azure should have atleast one ActivityLogAlert with [ SubscriptionScope and RegionName eq "global" and Enabled and ActionGroupId len () gt 0 and Conditions with [ Field eq "operationName" and Value like "Microsoft.Network/networkSecurityGroups/delete" ] ] |
| Ensure that Activity Log Alert exists for Create or Update Network Security Group Rule |
Create an activity log alert for the Create or Update Network Security Group Rule event |
Monitor
|
Azure should have atleast one ActivityLogAlert with [ SubscriptionScope and RegionName eq "global" and Enabled and ActionGroupId len () gt 0 and Conditions with [ Field eq "operationName" and Value like "Microsoft.Network/networkSecurityGroups/securityRules/write" ] ] |
| Ensure that activity log alert exists for the Delete Network Security Group Rule |
Create an activity log alert for the Delete Network Security Group Rule event |
Monitor
|
Azure should have atleast one ActivityLogAlert with [ SubscriptionScope and RegionName eq "global" and Enabled and ActionGroupId len () gt 0 and Conditions with [ Field eq "operationName" and Value like "Microsoft.Network/networkSecurityGroups/securityRules/delete" ] ] |
| Ensure that Activity Log Alert exists for Create or Update Security Solution |
Create an activity log alert for the Create or Update Security Solution event. |
Monitor
|
Azure should have atleast one ActivityLogAlert with [ SubscriptionScope and RegionName eq "global" and Enabled and ActionGroupId len () gt 0 and Conditions with [ Field eq "operationName" and Value like "Microsoft.Security/securitySolutions/write" ] ] |
| Ensure that Activity Log Alert exists for Delete Security Solution |
Create an activity log alert for the Delete Security Solution event. |
Monitor
|
Azure should have atleast one ActivityLogAlert with [ SubscriptionScope and RegionName eq "global" and Enabled and ActionGroupId len () gt 0 and Conditions with [ Field eq "operationName" and Value like "Microsoft.Security/securitySolutions/delete" ] ] |
| Ensure that Activity Log Alert exists for Create or Update or Delete SQL Server Firewall Rule |
Create an activity log alert for the Create or Update or Delete SQL Server Firewall Rule event. |
Monitor
|
Azure should have atleast one ActivityLogAlert with [ SubscriptionScope and RegionName eq "global" and Enabled and ActionGroupId len () gt 0 and Conditions with [ Field eq "operationName" and Value like "Microsoft.Sql/servers/firewallRules/write" ] ] |
| Ensure that Activity Log Alert exists for Delete SQL Server Firewall Rule |
Create an Activity Log Alert for the Delete SQL Server Firewall Rule event. |
Monitor
|
Azure should have atleast one ActivityLogAlert with [ Conditions with [ Value like "microsoft.sql/servers/firewallrules/delete" ] ] |
| Ensure that Activity Log Alert exists for Update Security Policy |
Create an activity log alert for the Update Security Policy event. |
Monitor
|
Azure should have atleast one ActivityLogAlert with [ SubscriptionScope and RegionName eq "global" and Enabled and ActionGroupId len () gt 0 and Conditions with [ Field eq "operationName" and Value like "Microsoft.Security/policies/write" ] ] |
| Ensure that logging for Azure KeyVault is 'Enabled' |
Enable AuditEvent logging for Key Vault instances to ensure interactions with key vaults are logged and available. |
KeyVault
|
KeyVault should have DiagnosticSettings with [ StorageAccountId len ( ) gt 0 and Logs with [ Category len ( ) gt 0 and LogEnabled and ( RetentionPolicy . Days gte 180 or RetentionPolicy . Days eq 0 ) ] ] |
| Ensure ASC Default policy setting 'Monitor Vulnerability Assessment' is not 'Disabled' |
Enable Vulnerability assessment recommendations for virtual machines. |
SecurityCenter
|
SecurityCenterPolicy should have VMVulnerabilityAssessment in ( "AuditIfNotExists", "Audit" ) |
| Vulnerability management plan: Ensure that VM agent is installed |
Install VM agent on Virtual Machines |
Compute
|
VirtualMachine should have Extensions with [ ExtensionType eq "MicrosoftMonitoringAgent" and ProvisioningState eq "Succeeded" ] |
| Ensure ASC Default policy setting 'Monitor Network Security Groups' is not 'Disabled' |
Enable Network security groups recommendations for virtual machines. |
SecurityCenter
|
SecurityCenterPolicy should have VMNetworkSecurityGroups in ( "AuditIfNotExists", "Audit" ) |
| Ensure ASC Default policy setting 'Monitor Web Application Firewall' is not 'Disabled' |
Enable Web application firewall recommendations for virtual machines. |
SecurityCenter
|
SecurityCenterPolicy should have VMWebApplicationFirewall in ( "AuditIfNotExists", "Audit" ) |
| Ensure ASC Default policy setting 'Enable Next Generation Firewall(NGFW) Monitoring' is not 'Disabled' |
Enable Next generation firewall recommendations for virtual machines. |
SecurityCenter
|
SecurityCenterPolicy should have VMNextGenerationFirewall in ( "AuditIfNotExists", "Audit" ) |
| Ensure ASC Default policy setting 'Monitor JIT Network Access' is not 'Disabled' |
Enable JIT Network Access for virtual machines. |
SecurityCenter
|
SecurityCenterPolicy should have VMJITNetworkAccess in ( "AuditIfNotExists", "Audit" ) |
| Ensure ASC Default policy setting 'Monitor Adaptive Application Whitelisting' is not 'Disabled' |
Enable adaptive application controls. |
SecurityCenter
|
SecurityCenterPolicy should have AdaptiveApplicationControls in ( "AuditIfNotExists", "Audit" ) |
| Ensure that RDP access is restricted from the internet |
Check Network Security Groups for any inbound access from the Internet to RDP port 3389 (UDP or TCP). |
Network
|
VirtualMachine should not have NetworkInterfaces with [ SecurityGroup . SecurityRules with [ Access eq "Allow" and Direction eq "Inbound" and Protocol in ("*", "TCP") and Destination . PortRange with [ FromPort lte 3389 and ToPort gte 3389 ] and ( ( Source . Type eq "Any" ) or ( Source . Type eq "Service Tag" and Source . ServiceTag eq "Internet" ) or ( Source . Type eq "IP Addresses" and Source . Addresses with [ Prefix in ( "0.0.0.0/0", "::/0", "/0", "/0" ) ] ) ) ] ] |
| Ensure that SSH access is restricted from the internet |
Disable SSH access on Network Security Groups from Internet |
Network
|
VirtualMachine should not have NetworkInterfaces with [ SecurityGroup . SecurityRules with [ Access eq "Allow" and Direction eq "Inbound" and Protocol in ("*", "TCP") and Destination . PortRange with [ FromPort lte 22 and ToPort gte 22 ] and ( ( Source . Type eq "Any" ) or ( Source . Type eq "Service Tag" and Source . ServiceTag eq "Internet" ) or ( Source . Type eq "IP Addresses" and Source . Addresses with [ Prefix in ( "0.0.0.0/0", "::/0", "/0", "/0" ) ] ) ) ] ] |
| Communications and control network protection: Ensure that SQL server access is restricted from the internet |
Ensure that no SQL Databases allow ingress from the internet. |
SQL
|
SQLServer should not have FirewallRule with [ StartIP eq 0.0.0.0 and EndIP eq 0.0.0.0 ] |
| Baseline network operations and data flows: Ensure that Network Watcher is 'Enabled' |
Enable Network Watcher for your Azure Subscriptions |
Network
|
Subscription should have NetworkWatcherEnabled |
| Data-at-rest is protected: Ensure that 'Public access level' is set to Private for blob containers |
Disable anonymous access to blob containers. |
Storage
|
StorageAccount should have every BlobContainers with [ Access eq "None" ] or not AllowBlobPublic |
| Personnel know response roles/operations: Ensure that 'Security contact emails' is set |
Provide a security contact email address. |
SecurityCenter
|
SecurityCenterPolicy should have SecurityContactEmails len() > 0 |
| Personnel know response roles/operations: Ensure that security contact 'Phone number' is set |
Provide a security contact phone number. |
SecurityCenter
|
SecurityCenterPolicy should have SecurityContactPhoneNumber neq "" |
| Personnel know response roles/operations: Ensure that 'Send me emails about alerts' is set to 'On' |
Enable security alerts emailing to security contact. |
SecurityCenter
|
SecurityCenterPolicy should have SendEmailAboutAlerts |
| Personnel know response roles/operations: Ensure that 'Also send email to subscription owners' is set to 'On' |
Enable security alerts emailing to subscription owners. |
SecurityCenter
|
SecurityCenterPolicy should have SendEmailToSubscriptionOwners |
| Personnel know response roles/operations: Ensure that 'Send Alerts to' is set for SQL Servers |
Provide the email address to which alerts will be sent upon detection of anomalous activities on SQL Servers. |
SQL
|
SQLServer should have ThreatPolicy . EmailAddresses |
| Personnel know response roles/operations: Ensure that 'Email service and co-administrators' is 'Enabled' for SQL Servers |
Enable service and co-administrators to receive security alerts from SQL Server. |
SQL
|
SQLServer should have ThreatPolicy . EmailAccountAdmins eq "Enabled" |
| Ensure that 'Send Alerts to' is set for SQL Databases |
Provide the email address to which alerts will be sent upon detection of anomalous activities on SQL Databases. |
SQL
|
SQLDatabase should have ThreatPolicy . EmailAddresses len() gt 0 |
| Ensure that 'Email service and co-administrators' is 'Enabled' for SQL Databases |
Enable service and co-administrators to receive security alerts from SQL Databases. |
SQL
|
SQLDatabase should have ThreatPolicy . EmailAccountAdmins eq "Enabled" |
| Ensure that the endpoint protection for all Virtual Machines is installed |
Install Endpoint Protection for all Virtual Machines. |
Compute
|
VirtualMachine should have Extensions with [ ExtensionType in ( "EndpointSecurity", "TrendMicroDSA*", "Antimalware" , "EndpointProtection" , "SCWPAgent", "PortalProtectExtension*" , "FileSecurity*" ) ] |
| Monitor network to detect potential cybersecurity events: Ensure that standard pricing tier is selected in Azure Security Center |
Standard pricing tier enables threat detection for networks and virtual machines, providing threat intelligence, anomaly detection, and behavior analytics in Azure Security Center. |
SecurityCenter
|
SecurityCenterPolicy should have SelectedPricingTier eq "Standard" |
| Ensure That Auto provisioning of 'Log Analytics agent for Azure VMs' is Set to 'On' |
Enable Automatic provisioning of monitoring agent to collect security data. |
AAD
|
SecurityCenterPolicy should have AutomaticProvisioningOfMonitoringAgent eq "On" |
| Ensure ASC Default policy setting 'Monitor System Updates' is not 'Disabled' |
Enable system updates recommendations for virtual machines. |
SecurityCenter
|
SecurityCenterPolicy should have VMSystemUpdates in ( "AuditIfNotExists", "Audit" ) |
| Ensure ASC Default policy setting 'Monitor OS Vulnerabilities' is not 'Disabled' |
Enable OS vulnerabilities recommendations for virtual machines. |
SecurityCenter
|
SecurityCenterPolicy should have VMSecurityConfigurations in ( "AuditIfNotExists", "Audit" ) |
| Ensure ASC Default policy setting 'Monitor Endpoint Protection' is not 'Disabled' |
Enable Endpoint protection recommendations for virtual machines. |
SecurityCenter
|
SecurityCenterPolicy should have VMEndpointProtection in ( "AuditIfNotExists", "Audit" ) |
| Ensure ASC Default policy setting 'Monitor SQL Auditing' is not 'Disabled' |
Enable SQL auditing & Threat detection recommendations. |
SecurityCenter
|
SecurityCenterPolicy should have SQLAuditingAndThreatDetection in ( "AuditIfNotExists", "Audit" ) |
| Ensure that 'Auditing' is set to 'On' for SQL Servers |
Enable auditing on SQL Servers. |
SQL
|
SQLServer should have AuditPolicy . State eq "Enabled" |
| Monitor network to detect potential cybersecurity events: Ensure that 'Threat Detection' is set to 'On' for SQL Servers |
Enable threat detection on SQL Servers. |
SQL
|
SQLServer should have ThreatPolicy . State eq "Enabled" |
| Monitor network to detect potential cybersecurity events: Ensure that 'Threat Detection Types' is set to 'All' for SQL Servers |
Enable all types of threat detection on SQL Servers. |
SQL
|
SQLServer should have ThreatPolicy . State eq "Enabled" and not ( ThreatPolicy . DisabledAlerts like "Sql" or ThreatPolicy . DisabledAlerts like "Anomaly" ) |
| Ensure that 'Auditing' is set to 'On' for SQL Databases |
Enable auditing on SQL Databases. |
SQL
|
SQLDatabase should have AuditPolicy . State eq "Enabled" |
| Ensure that 'Threat Detection' is set to 'On' for SQL Databases |
Enable threat detection on SQL Databases. |
SQL
|
SQLDatabase should have ThreatPolicy . State eq "Enabled" |
| Ensure that 'Threat Detection Types' is set to 'All' for SQL Databases |
Enable all types of threat detection on SQL Databases. |
SQL
|
SQLDatabase should have ThreatPolicy . State eq "Enabled" and not ( ThreatPolicy . DisabledAlerts like "Sql" or ThreatPolicy . DisabledAlerts like "Anomaly" ) |
| Description |
Service |
Rule |
| Identities and credentials: Ensure that there are no guest users |
Do not add guest users if not needed. |
AAD
|
User should not have Type eq "Guest" |
| Identities and credentials: Ensure that no custom subscription owner roles are created |
Do not create custom roles with subscription ownership. It is recommended to use the principle of least privilege, assigning only needed privileges instead of allowing full administrative access. |
Auth
|
Role should not have ( Type eq "CustomRole" and Permissions with [ Actions has ( "*" ) ] ) |
| Monitor network to detect potential cybersecurity events: Ensure that standard pricing tier is selected in Azure Security Center |
Standard pricing tier enables threat detection for networks and virtual machines, providing threat intelligence, anomaly detection, and behavior analytics in Azure Security Center. |
SecurityCenter
|
SecurityCenterPolicy should have SelectedPricingTier eq "Standard" |
| Ensure That Auto provisioning of 'Log Analytics agent for Azure VMs' is Set to 'On' |
Enable Automatic provisioning of monitoring agent to collect security data. |
AAD
|
SecurityCenterPolicy should have AutomaticProvisioningOfMonitoringAgent eq "On" |
| Ensure ASC Default policy setting 'Monitor System Updates' is not 'Disabled' |
Enable system updates recommendations for virtual machines. |
SecurityCenter
|
SecurityCenterPolicy should have VMSystemUpdates in ( "AuditIfNotExists", "Audit" ) |
| Ensure ASC Default policy setting 'Monitor OS Vulnerabilities' is not 'Disabled' |
Enable OS vulnerabilities recommendations for virtual machines. |
SecurityCenter
|
SecurityCenterPolicy should have VMSecurityConfigurations in ( "AuditIfNotExists", "Audit" ) |
| Ensure ASC Default policy setting 'Monitor Endpoint Protection' is not 'Disabled' |
Enable Endpoint protection recommendations for virtual machines. |
SecurityCenter
|
SecurityCenterPolicy should have VMEndpointProtection in ( "AuditIfNotExists", "Audit" ) |
| Ensure ASC Default policy setting 'Monitor Disk Encryption' is not 'Disabled' |
Enable Disk encryption recommendations for virtual machines. |
SecurityCenter
|
SecurityCenterPolicy should have VMDiskEncryption in ( "AuditIfNotExists", "Audit" ) |
| Ensure ASC Default policy setting 'Monitor Network Security Groups' is not 'Disabled' |
Enable Network security groups recommendations for virtual machines. |
SecurityCenter
|
SecurityCenterPolicy should have VMNetworkSecurityGroups in ( "AuditIfNotExists", "Audit" ) |
| Ensure ASC Default policy setting 'Monitor Web Application Firewall' is not 'Disabled' |
Enable Web application firewall recommendations for virtual machines. |
SecurityCenter
|
SecurityCenterPolicy should have VMWebApplicationFirewall in ( "AuditIfNotExists", "Audit" ) |
| Ensure ASC Default policy setting 'Enable Next Generation Firewall(NGFW) Monitoring' is not 'Disabled' |
Enable Next generation firewall recommendations for virtual machines. |
SecurityCenter
|
SecurityCenterPolicy should have VMNextGenerationFirewall in ( "AuditIfNotExists", "Audit" ) |
| Ensure ASC Default policy setting 'Monitor Vulnerability Assessment' is not 'Disabled' |
Enable Vulnerability assessment recommendations for virtual machines. |
SecurityCenter
|
SecurityCenterPolicy should have VMVulnerabilityAssessment in ( "AuditIfNotExists", "Audit" ) |
| Ensure that 'Storage Encryption' is set to 'On' |
Enable Storage Encryption recommendations. |
SecurityCenter
|
SecurityCenterPolicy should have StorageEncryption in ( "AuditIfNotExists", "Audit" ) |
| Ensure ASC Default policy setting 'Monitor JIT Network Access' is not 'Disabled' |
Enable JIT Network Access for virtual machines. |
SecurityCenter
|
SecurityCenterPolicy should have VMJITNetworkAccess in ( "AuditIfNotExists", "Audit" ) |
| Ensure ASC Default policy setting 'Monitor Adaptive Application Whitelisting' is not 'Disabled' |
Enable adaptive application controls. |
SecurityCenter
|
SecurityCenterPolicy should have AdaptiveApplicationControls in ( "AuditIfNotExists", "Audit" ) |
| Ensure ASC Default policy setting 'Monitor SQL Auditing' is not 'Disabled' |
Enable SQL auditing & Threat detection recommendations. |
SecurityCenter
|
SecurityCenterPolicy should have SQLAuditingAndThreatDetection in ( "AuditIfNotExists", "Audit" ) |
| Ensure ASC Default policy setting 'Monitor SQL Encryption' is not 'Disabled' |
Enable SQL Encryption recommendations. |
SecurityCenter
|
SecurityCenterPolicy should have SQLEncryption in ( "AuditIfNotExists", "Audit" ) |
| Personnel know response roles/operations: Ensure that 'Security contact emails' is set |
Provide a security contact email address. |
SecurityCenter
|
SecurityCenterPolicy should have SecurityContactEmails len() > 0 |
| Personnel know response roles/operations: Ensure that security contact 'Phone number' is set |
Provide a security contact phone number. |
SecurityCenter
|
SecurityCenterPolicy should have SecurityContactPhoneNumber neq "" |
| Personnel know response roles/operations: Ensure that 'Send me emails about alerts' is set to 'On' |
Enable security alerts emailing to security contact. |
SecurityCenter
|
SecurityCenterPolicy should have SendEmailAboutAlerts |
| Personnel know response roles/operations: Ensure that 'Also send email to subscription owners' is set to 'On' |
Enable security alerts emailing to subscription owners. |
SecurityCenter
|
SecurityCenterPolicy should have SendEmailToSubscriptionOwners |
| Ensure that 'Secure transfer required' is set to 'Enabled' |
Enable data encryption is transit. |
Storage
|
StorageAccount should have EnableHttpsTrafficOnly |
| Ensure that 'Storage service encryption' is set to Enabled for Blob Service |
Enable data encryption at rest for blobs. |
Storage
|
StorageAccount should have BlobEncryptionEnabled |
| Ensure that 'Storage service encryption' is set to Enabled for File Service |
Enable data encryption at rest for file service. |
Storage
|
StorageAccount should have FileEncryptionEnabled |
| Data-at-rest is protected: Ensure that 'Public access level' is set to Private for blob containers |
Disable anonymous access to blob containers. |
Storage
|
StorageAccount should have every BlobContainers with [ Access eq "None" ] or not AllowBlobPublic |
| Ensure that 'Auditing' is set to 'On' for SQL Servers |
Enable auditing on SQL Servers. |
SQL
|
SQLServer should have AuditPolicy . State eq "Enabled" |
| Monitor network to detect potential cybersecurity events: Ensure that 'Threat Detection' is set to 'On' for SQL Servers |
Enable threat detection on SQL Servers. |
SQL
|
SQLServer should have ThreatPolicy . State eq "Enabled" |
| Monitor network to detect potential cybersecurity events: Ensure that 'Threat Detection Types' is set to 'All' for SQL Servers |
Enable all types of threat detection on SQL Servers. |
SQL
|
SQLServer should have ThreatPolicy . State eq "Enabled" and not ( ThreatPolicy . DisabledAlerts like "Sql" or ThreatPolicy . DisabledAlerts like "Anomaly" ) |
| Personnel know response roles/operations: Ensure that 'Send Alerts to' is set for SQL Servers |
Provide the email address to which alerts will be sent upon detection of anomalous activities on SQL Servers. |
SQL
|
SQLServer should have ThreatPolicy . EmailAddresses |
| Personnel know response roles/operations: Ensure that 'Email service and co-administrators' is 'Enabled' for SQL Servers |
Enable service and co-administrators to receive security alerts from SQL Server. |
SQL
|
SQLServer should have ThreatPolicy . EmailAccountAdmins eq "Enabled" |
| Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL Servers |
SQL Server Audit Retention should be configured to be greater than 90 days. |
SQL
|
SQLServer should have ( AuditPolicy . RetentionDays gte 90 or AuditPolicy . RetentionDays lte 0 ) |
| Audit/log records: Ensure that 'Threat Detection' Retention is 'greater than 90 days' for SQL Servers |
SQL Server Threat Detection Retention should be configured to be greater than 90 days. |
SQL
|
SQLServer should have ( ThreatPolicy . RetentionDays gte 90 or ThreatPolicy . RetentionDays lte 0 ) |
| Identities and credentials: Ensure that Azure Active Directory Admin is configured for SQL Servers |
Use Azure Active Directory Authentication for authentication with SQL Database. |
SQL
|
SQLServer should have ADAdmin . Status |
| Ensure that 'Auditing' is set to 'On' for SQL Databases |
Enable auditing on SQL Databases. |
SQL
|
SQLDatabase should have AuditPolicy . State eq "Enabled" |
| Ensure that 'Threat Detection' is set to 'On' for SQL Databases |
Enable threat detection on SQL Databases. |
SQL
|
SQLDatabase should have ThreatPolicy . State eq "Enabled" |
| Ensure that 'Threat Detection Types' is set to 'All' for SQL Databases |
Enable all types of threat detection on SQL Databases. |
SQL
|
SQLDatabase should have ThreatPolicy . State eq "Enabled" and not ( ThreatPolicy . DisabledAlerts like "Sql" or ThreatPolicy . DisabledAlerts like "Anomaly" ) |
| Ensure that 'Send Alerts to' is set for SQL Databases |
Provide the email address to which alerts will be sent upon detection of anomalous activities on SQL Databases. |
SQL
|
SQLDatabase should have ThreatPolicy . EmailAddresses len() gt 0 |
| Ensure that 'Email service and co-administrators' is 'Enabled' for SQL Databases |
Enable service and co-administrators to receive security alerts from SQL Databases. |
SQL
|
SQLDatabase should have ThreatPolicy . EmailAccountAdmins eq "Enabled" |
| Ensure that Data encryption is set to On on a SQL Database |
Enable Transparent Data Encryption on every SQL Database |
SQL
|
SQLDatabase should have DataEncryption.TransparentDataEncryptionStatus eq "Enabled" |
| Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL Databases |
SQL Database Audit Retention should be configured to be greater than 90 days. |
SQL
|
SQLDatabase should have ( AuditPolicy . RetentionDays gte 90 or AuditPolicy . RetentionDays lte 0 ) |
| Ensure that 'Threat Detection' Retention is 'greater than 90 days' for SQL Databases |
SQL Database Threat Detection Retention should be configured to be greater than 90 days. |
SQL
|
SQLDatabase should have ( ThreatPolicy . RetentionDays gte 90 or ThreatPolicy . RetentionDays lte 0 ) |
| Ensure that a Log Profile exists |
Enable log profile for exporting activity logs. |
Monitor
|
Azure should have ActivityLogProfile len () > 0 |
| Ensure that Activity Log Retention is set 365 days or greater |
Ensure Activity Log Retention is set for 365 days or greater |
Monitor
|
ActivityLogProfile should have (RetentionEnabled and RetentionDays gte 365) or (RetentionEnabled eq False and RetentionDays eq 0) |
| Ensure that Activity Log Alert exists for Create Policy Assignment |
Create an activity log alert for the Create Policy Assignment event. |
Monitor
|
Azure should have atleast one ActivityLogAlert with [ SubscriptionScope and RegionName eq "global" and Enabled and ActionGroupId len () gt 0 and Conditions with [ Field eq "operationName" and Value like "Microsoft.Authorization/policyAssignments/write" ] ] |
| Ensure that Activity Log Alert exists for Create or Update Network Security Group |
Create an activity log alert for Create or Update Network Security Group event. |
Monitor
|
Azure should have atleast one ActivityLogAlert with [ SubscriptionScope and RegionName eq "global" and Enabled and ActionGroupId len () gt 0 and Conditions with [ Field eq "operationName" and Value like "Microsoft.Network/networkSecurityGroups/write" ] ] |
| Ensure that Activity Log Alert exists for Delete Network Security Group |
Create an activity log alert for Delete Network Security Group event. |
Monitor
|
Azure should have atleast one ActivityLogAlert with [ SubscriptionScope and RegionName eq "global" and Enabled and ActionGroupId len () gt 0 and Conditions with [ Field eq "operationName" and Value like "Microsoft.Network/networkSecurityGroups/delete" ] ] |
| Ensure that Activity Log Alert exists for Create or Update Network Security Group Rule |
Create an activity log alert for the Create or Update Network Security Group Rule event |
Monitor
|
Azure should have atleast one ActivityLogAlert with [ SubscriptionScope and RegionName eq "global" and Enabled and ActionGroupId len () gt 0 and Conditions with [ Field eq "operationName" and Value like "Microsoft.Network/networkSecurityGroups/securityRules/write" ] ] |
| Ensure that activity log alert exists for the Delete Network Security Group Rule |
Create an activity log alert for the Delete Network Security Group Rule event |
Monitor
|
Azure should have atleast one ActivityLogAlert with [ SubscriptionScope and RegionName eq "global" and Enabled and ActionGroupId len () gt 0 and Conditions with [ Field eq "operationName" and Value like "Microsoft.Network/networkSecurityGroups/securityRules/delete" ] ] |
| Ensure that Activity Log Alert exists for Create or Update Security Solution |
Create an activity log alert for the Create or Update Security Solution event. |
Monitor
|
Azure should have atleast one ActivityLogAlert with [ SubscriptionScope and RegionName eq "global" and Enabled and ActionGroupId len () gt 0 and Conditions with [ Field eq "operationName" and Value like "Microsoft.Security/securitySolutions/write" ] ] |
| Ensure that Activity Log Alert exists for Delete Security Solution |
Create an activity log alert for the Delete Security Solution event. |
Monitor
|
Azure should have atleast one ActivityLogAlert with [ SubscriptionScope and RegionName eq "global" and Enabled and ActionGroupId len () gt 0 and Conditions with [ Field eq "operationName" and Value like "Microsoft.Security/securitySolutions/delete" ] ] |
| Ensure that Activity Log Alert exists for Create or Update or Delete SQL Server Firewall Rule |
Create an activity log alert for the Create or Update or Delete SQL Server Firewall Rule event. |
Monitor
|
Azure should have atleast one ActivityLogAlert with [ SubscriptionScope and RegionName eq "global" and Enabled and ActionGroupId len () gt 0 and Conditions with [ Field eq "operationName" and Value like "Microsoft.Sql/servers/firewallRules/write" ] ] |
| Ensure that Activity Log Alert exists for Delete SQL Server Firewall Rule |
Create an Activity Log Alert for the Delete SQL Server Firewall Rule event. |
Monitor
|
Azure should have atleast one ActivityLogAlert with [ Conditions with [ Value like "microsoft.sql/servers/firewallrules/delete" ] ] |
| Ensure that Activity Log Alert exists for Update Security Policy |
Create an activity log alert for the Update Security Policy event. |
Monitor
|
Azure should have atleast one ActivityLogAlert with [ SubscriptionScope and RegionName eq "global" and Enabled and ActionGroupId len () gt 0 and Conditions with [ Field eq "operationName" and Value like "Microsoft.Security/policies/write" ] ] |
| Ensure that logging for Azure KeyVault is 'Enabled' |
Enable AuditEvent logging for Key Vault instances to ensure interactions with key vaults are logged and available. |
KeyVault
|
KeyVault should have DiagnosticSettings with [ StorageAccountId len ( ) gt 0 and Logs with [ Category len ( ) gt 0 and LogEnabled and ( RetentionPolicy . Days gte 180 or RetentionPolicy . Days eq 0 ) ] ] |
| Ensure that RDP access is restricted from the internet |
Check Network Security Groups for any inbound access from the Internet to RDP port 3389 (UDP or TCP). |
Network
|
VirtualMachine should not have NetworkInterfaces with [ SecurityGroup . SecurityRules with [ Access eq "Allow" and Direction eq "Inbound" and Protocol in ("*", "TCP") and Destination . PortRange with [ FromPort lte 3389 and ToPort gte 3389 ] and ( ( Source . Type eq "Any" ) or ( Source . Type eq "Service Tag" and Source . ServiceTag eq "Internet" ) or ( Source . Type eq "IP Addresses" and Source . Addresses with [ Prefix in ( "0.0.0.0/0", "::/0", "/0", "/0" ) ] ) ) ] ] |
| Ensure that SSH access is restricted from the internet |
Disable SSH access on Network Security Groups from Internet |
Network
|
VirtualMachine should not have NetworkInterfaces with [ SecurityGroup . SecurityRules with [ Access eq "Allow" and Direction eq "Inbound" and Protocol in ("*", "TCP") and Destination . PortRange with [ FromPort lte 22 and ToPort gte 22 ] and ( ( Source . Type eq "Any" ) or ( Source . Type eq "Service Tag" and Source . ServiceTag eq "Internet" ) or ( Source . Type eq "IP Addresses" and Source . Addresses with [ Prefix in ( "0.0.0.0/0", "::/0", "/0", "/0" ) ] ) ) ] ] |
| Communications and control network protection: Ensure that SQL server access is restricted from the internet |
Ensure that no SQL Databases allow ingress from the internet. |
SQL
|
SQLServer should not have FirewallRule with [ StartIP eq 0.0.0.0 and EndIP eq 0.0.0.0 ] |
| Baseline network operations and data flows: Ensure that Network Watcher is 'Enabled' |
Enable Network Watcher for your Azure Subscriptions |
Network
|
Subscription should have NetworkWatcherEnabled |
| Vulnerability management plan: Ensure that VM agent is installed |
Install VM agent on Virtual Machines |
Compute
|
VirtualMachine should have Extensions with [ ExtensionType eq "MicrosoftMonitoringAgent" and ProvisioningState eq "Succeeded" ] |
| Data-at-rest is protected: Ensure that 'OS disk' are encrypted |
Ensure that OS disks (boot volumes) are encrypted, where possible |
Compute
|
VirtualMachine should have DiskEncryptionStatus . OSDisk |
| Ensure that 'Data disks' are encrypted |
Ensure that Data disks (non-boot volumes) are encrypted, where possible |
Compute
|
VirtualMachine should have DiskEncryptionStatus . DataDisk |
| Ensure that the endpoint protection for all Virtual Machines is installed |
Install Endpoint Protection for all Virtual Machines. |
Compute
|
VirtualMachine should have Extensions with [ ExtensionType in ( "EndpointSecurity", "TrendMicroDSA*", "Antimalware" , "EndpointProtection" , "SCWPAgent", "PortalProtectExtension*" , "FileSecurity*" ) ] |
| Ensure that the expiry date is set on all Keys |
Ensure that all Keys in Azure Key Vault have an expiry time set. |
KeyVault
|
KeyVault should not have Keys with [ Expires eq False ] |
| Ensure that the expiry date is set on all Secrets |
Ensure that all Secrets in Azure Key Vault have an expiry time set. |
KeyVault
|
KeyVault should not have Secrets with [ Expires eq False ] |
| Ensure that Network Security Group Flow Log retention period is greater than 90 days |
Network Security Group Flow Logs should be enabled and retention period is set to greater than or equal to 90 days. |
Network
|
NetworkSecurityGroup should have FlowLog . RetentionPolicy . Days gt 90 and FlowLog . RetentionPolicy . Enabled |
| Ensure that storage account access keys are periodically regenerated |
Regenerate storage account access keys every 90 days |
Storage
|
StorageAccount should have KeyRegenerated |
| Description |
Service |
Rule |
| Identities and credentials: Ensure that there are no guest users |
Do not add guest users if not needed. |
AAD
|
User should not have Type eq "Guest" |
| Identities and credentials: Ensure that no custom subscription owner roles are created |
Do not create custom roles with subscription ownership. It is recommended to use the principle of least privilege, assigning only needed privileges instead of allowing full administrative access. |
Auth
|
Role should not have ( Type eq "CustomRole" and Permissions with [ Actions has ( "*" ) ] ) |
| Monitor network to detect potential cybersecurity events: Ensure that standard pricing tier is selected in Azure Security Center |
Standard pricing tier enables threat detection for networks and virtual machines, providing threat intelligence, anomaly detection, and behavior analytics in Azure Security Center. |
SecurityCenter
|
SecurityCenterPolicy should have SelectedPricingTier eq "Standard" |
| Ensure That Auto provisioning of 'Log Analytics agent for Azure VMs' is Set to 'On' |
Enable Automatic provisioning of monitoring agent to collect security data. |
AAD
|
SecurityCenterPolicy should have AutomaticProvisioningOfMonitoringAgent eq "On" |
| Ensure ASC Default policy setting 'Monitor System Updates' is not 'Disabled' |
Enable system updates recommendations for virtual machines. |
SecurityCenter
|
SecurityCenterPolicy should have VMSystemUpdates in ( "AuditIfNotExists", "Audit" ) |
| Ensure ASC Default policy setting 'Monitor OS Vulnerabilities' is not 'Disabled' |
Enable OS vulnerabilities recommendations for virtual machines. |
SecurityCenter
|
SecurityCenterPolicy should have VMSecurityConfigurations in ( "AuditIfNotExists", "Audit" ) |
| Ensure ASC Default policy setting 'Monitor Endpoint Protection' is not 'Disabled' |
Enable Endpoint protection recommendations for virtual machines. |
SecurityCenter
|
SecurityCenterPolicy should have VMEndpointProtection in ( "AuditIfNotExists", "Audit" ) |
| Ensure ASC Default policy setting 'Monitor Disk Encryption' is not 'Disabled' |
Enable Disk encryption recommendations for virtual machines. |
SecurityCenter
|
SecurityCenterPolicy should have VMDiskEncryption in ( "AuditIfNotExists", "Audit" ) |
| Ensure ASC Default policy setting 'Monitor Network Security Groups' is not 'Disabled' |
Enable Network security groups recommendations for virtual machines. |
SecurityCenter
|
SecurityCenterPolicy should have VMNetworkSecurityGroups in ( "AuditIfNotExists", "Audit" ) |
| Ensure ASC Default policy setting 'Monitor Web Application Firewall' is not 'Disabled' |
Enable Web application firewall recommendations for virtual machines. |
SecurityCenter
|
SecurityCenterPolicy should have VMWebApplicationFirewall in ( "AuditIfNotExists", "Audit" ) |
| Ensure ASC Default policy setting 'Enable Next Generation Firewall(NGFW) Monitoring' is not 'Disabled' |
Enable Next generation firewall recommendations for virtual machines. |
SecurityCenter
|
SecurityCenterPolicy should have VMNextGenerationFirewall in ( "AuditIfNotExists", "Audit" ) |
| Ensure ASC Default policy setting 'Monitor Vulnerability Assessment' is not 'Disabled' |
Enable Vulnerability assessment recommendations for virtual machines. |
SecurityCenter
|
SecurityCenterPolicy should have VMVulnerabilityAssessment in ( "AuditIfNotExists", "Audit" ) |
| Ensure that 'Storage Encryption' is set to 'On' |
Enable Storage Encryption recommendations. |
SecurityCenter
|
SecurityCenterPolicy should have StorageEncryption in ( "AuditIfNotExists", "Audit" ) |
| Ensure ASC Default policy setting 'Monitor JIT Network Access' is not 'Disabled' |
Enable JIT Network Access for virtual machines. |
SecurityCenter
|
SecurityCenterPolicy should have VMJITNetworkAccess in ( "AuditIfNotExists", "Audit" ) |
| Ensure ASC Default policy setting 'Monitor Adaptive Application Whitelisting' is not 'Disabled' |
Enable adaptive application controls. |
SecurityCenter
|
SecurityCenterPolicy should have AdaptiveApplicationControls in ( "AuditIfNotExists", "Audit" ) |
| Ensure ASC Default policy setting 'Monitor SQL Auditing' is not 'Disabled' |
Enable SQL auditing & Threat detection recommendations. |
SecurityCenter
|
SecurityCenterPolicy should have SQLAuditingAndThreatDetection in ( "AuditIfNotExists", "Audit" ) |
| Ensure ASC Default policy setting 'Monitor SQL Encryption' is not 'Disabled' |
Enable SQL Encryption recommendations. |
SecurityCenter
|
SecurityCenterPolicy should have SQLEncryption in ( "AuditIfNotExists", "Audit" ) |
| Personnel know response roles/operations: Ensure that 'Security contact emails' is set |
Provide a security contact email address. |
SecurityCenter
|
SecurityCenterPolicy should have SecurityContactEmails len() > 0 |
| Personnel know response roles/operations: Ensure that security contact 'Phone number' is set |
Provide a security contact phone number. |
SecurityCenter
|
SecurityCenterPolicy should have SecurityContactPhoneNumber neq "" |
| Personnel know response roles/operations: Ensure that 'Send me emails about alerts' is set to 'On' |
Enable security alerts emailing to security contact. |
SecurityCenter
|
SecurityCenterPolicy should have SendEmailAboutAlerts |
| Personnel know response roles/operations: Ensure that 'Also send email to subscription owners' is set to 'On' |
Enable security alerts emailing to subscription owners. |
SecurityCenter
|
SecurityCenterPolicy should have SendEmailToSubscriptionOwners |
| Ensure that 'Secure transfer required' is set to 'Enabled' |
Enable data encryption is transit. |
Storage
|
StorageAccount should have EnableHttpsTrafficOnly |
| Ensure that storage account access keys are periodically regenerated |
Regenerate storage account access keys every 90 days |
Storage
|
StorageAccount should have KeyRegenerated |
| Data-at-rest is protected: Ensure that 'Public access level' is set to Private for blob containers |
Disable anonymous access to blob containers. |
Storage
|
StorageAccount should have every BlobContainers with [ Access eq "None" ] or not AllowBlobPublic |
| Ensure default network access rule for Storage Accounts is set to deny |
Restricting default network access helps to provide a new layer of security, since storage accounts accept connections from clients on any network. To limit access to selected networks, the default action must be changed |
Storage
|
StorageAccount should not have ACL.DefaultAction eq "Allow" |
| Ensure 'Trusted Microsoft Services' are Enabled for Storage Account Access |
Some Microsoft services that interact with storage accounts operate from networks that can't be granted access through network rules. To help this type of service work as intended, allow the set of trusted Microsoft services to bypass the network rules. These services will then use strong authentication to access the storage account. If the Allow trusted Microsoft services exception is enabled, the following services: Azure Backup, Azure Site Recovery, Azure DevTest Labs, Azure Event Grid, Azure Event Hubs, Azure Networking, Azure Monitor and Azure SQL Data Warehouse (when registered in the subscription), are granted access to the storage account. |
Storage
|
StorageAccount should have ACL.Bypass has ( "AzureServices") |
| Ensure that 'Auditing' is set to 'On' for SQL Servers |
Enable auditing on SQL Servers. |
SQL
|
SQLServer should have AuditPolicy . State eq "Enabled" |
| Ensure that AuditActionGroups in auditing policy for a SQL server is set properly |
Configure the AuditActionGroups property to appropriate groups to capture all the critical activities on the SQL Server and all the SQL databases hosted on the SQL server |
SQL
|
SQLServer should have AuditPolicy . AuditActionGroup has ("SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP", "FAILED_DATABASE_AUTHENTICATION_GROUP", "BATCH_COMPLETED_GROUP") |
| Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL Servers |
SQL Server Audit Retention should be configured to be greater than 90 days. |
SQL
|
SQLServer should have ( AuditPolicy . RetentionDays gte 90 or AuditPolicy . RetentionDays lte 0 ) |
| Monitor network to detect potential cybersecurity events: Ensure that 'Threat Detection' is set to 'On' for SQL Servers |
Enable threat detection on SQL Servers. |
SQL
|
SQLServer should have ThreatPolicy . State eq "Enabled" |
| Monitor network to detect potential cybersecurity events: Ensure that 'Threat Detection Types' is set to 'All' for SQL Servers |
Enable all types of threat detection on SQL Servers. |
SQL
|
SQLServer should have ThreatPolicy . State eq "Enabled" and not ( ThreatPolicy . DisabledAlerts like "Sql" or ThreatPolicy . DisabledAlerts like "Anomaly" ) |
| Personnel know response roles/operations: Ensure that 'Send Alerts to' is set for SQL Servers |
Provide the email address to which alerts will be sent upon detection of anomalous activities on SQL Servers. |
SQL
|
SQLServer should have ThreatPolicy . EmailAddresses |
| Personnel know response roles/operations: Ensure that 'Email service and co-administrators' is 'Enabled' for SQL Servers |
Enable service and co-administrators to receive security alerts from SQL Server. |
SQL
|
SQLServer should have ThreatPolicy . EmailAccountAdmins eq "Enabled" |
| Identities and credentials: Ensure that Azure Active Directory Admin is configured for SQL Servers |
Use Azure Active Directory Authentication for authentication with SQL Database. |
SQL
|
SQLServer should have ADAdmin . Status |
| Ensure that Data encryption is set to On on a SQL Database |
Enable Transparent Data Encryption on every SQL Database |
SQL
|
SQLDatabase should have DataEncryption.TransparentDataEncryptionStatus eq "Enabled" |
| Ensure SQL server's TDE protector is encrypted with Customer-managed key |
TDE with Customer-managed key support provides increased transparency and control over the TDE Protector increased security with an HSM-backed external service and promotion of separation of duties. |
SQL
|
SQLServer should have TDEProtector.kind eq "azurekeyvault" and TDEProtector.serverKeyType eq "AzureKeyVault" and TDEProtector.uri |
| Ensure 'Enforce SSL connection' is set to 'Enabled' for Standard MySQL Database Server |
Enable SSL connection on MYSQL Servers. |
SQL
|
MYSQLServer should have sslEnforcement eq "Enabled" |
| Ensure server parameter log_checkpoints is set to ON for PostgreSQL Database Server |
Enable log_checkpoints on PostgreSQL Servers |
SQL
|
PostgreSQLServer should have log_checkpoints like "(?i)on" |
| Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server |
Enable SSL connection on PostgreSQL Servers. |
SQL
|
PostgreSQLServer should have sslEnforcement eq "Enabled" |
| Ensure server parameter log_connections is set to ON for PostgreSQL Database Server |
Enable log_connections on PostgreSQL Servers |
SQL
|
PostgreSQLServer should have log_connections like "(?i)on" |
| Ensure server parameter log_disconnections is set to ON for PostgreSQL Database Server |
Enable log_disconnections on PostgreSQL Servers. |
SQL
|
PostgreSQLServer should have log_disconnections like "(?i)on" |
| Ensure server parameter log_duration is set to ON for PostgreSQL Database Server |
Enable log_duration on PostgreSQL Servers |
SQL
|
PostgreSQLServer should have log_duration like "(?i)on" |
| Ensure server parameter connection_throttling is set to ON for PostgreSQL Database Server |
Enable connection_throttling on PostgreSQL Servers |
SQL
|
PostgreSQLServer should have connection_throttling like "(?i)on" |
| Ensure server parameter log_retention_days is greater than 3 days for PostgreSQL Database Server |
Enable log_retention_days on PostgreSQL Servers. |
SQL
|
PostgreSQLServer should have log_retention_days gte 4 |
| Ensure that a Log Profile exists |
Enable log profile for exporting activity logs. |
Monitor
|
Azure should have ActivityLogProfile len () > 0 |
| Ensure that Activity Log Retention is set 365 days or greater |
Ensure Activity Log Retention is set for 365 days or greater |
Monitor
|
ActivityLogProfile should have (RetentionEnabled and RetentionDays gte 365) or (RetentionEnabled eq False and RetentionDays eq 0) |
| Ensure audit profile captures all the activities |
The log profile should be configured to export all activities from the control/management |
Monitor
|
ActivityLogProfile should have Categories has ("Write") and Categories has ("Delete") and Categories has ("Action") |
| Ensure the log profile captures activity logs for all regions including global |
Configure the log profile to export activities from all Azure supported regions/locations including global. |
Monitor
|
ActivityLogProfile should have AllRegion eq true |
| Ensure the storage account containing the container with activity logs is encrypted with BYOK |
The storage account with the activity log export container is configured to use BYOK (Use Your Own Key). |
Monitor
|
ActivityLogProfile should have StorageAccount.EncryptionType eq "Microsoft.Keyvault" and StorageAccount.KeyVaultUri |
| Ensure that logging for Azure KeyVault is 'Enabled' |
Enable AuditEvent logging for Key Vault instances to ensure interactions with key vaults are logged and available. |
KeyVault
|
KeyVault should have DiagnosticSettings with [ StorageAccountId len ( ) gt 0 and Logs with [ Category len ( ) gt 0 and LogEnabled and ( RetentionPolicy . Days gte 180 or RetentionPolicy . Days eq 0 ) ] ] |
| Ensure that Activity Log Alert exists for Create Policy Assignment |
Create an activity log alert for the Create Policy Assignment event. |
Monitor
|
Azure should have atleast one ActivityLogAlert with [ SubscriptionScope and RegionName eq "global" and Enabled and ActionGroupId len () gt 0 and Conditions with [ Field eq "operationName" and Value like "Microsoft.Authorization/policyAssignments/write" ] ] |
| Ensure that Activity Log Alert exists for Create or Update Network Security Group |
Create an activity log alert for Create or Update Network Security Group event. |
Monitor
|
Azure should have atleast one ActivityLogAlert with [ SubscriptionScope and RegionName eq "global" and Enabled and ActionGroupId len () gt 0 and Conditions with [ Field eq "operationName" and Value like "Microsoft.Network/networkSecurityGroups/write" ] ] |
| Ensure that Activity Log Alert exists for Delete Network Security Group |
Create an activity log alert for Delete Network Security Group event. |
Monitor
|
Azure should have atleast one ActivityLogAlert with [ SubscriptionScope and RegionName eq "global" and Enabled and ActionGroupId len () gt 0 and Conditions with [ Field eq "operationName" and Value like "Microsoft.Network/networkSecurityGroups/delete" ] ] |
| Ensure that Activity Log Alert exists for Create or Update Network Security Group Rule |
Create an activity log alert for the Create or Update Network Security Group Rule event |
Monitor
|
Azure should have atleast one ActivityLogAlert with [ SubscriptionScope and RegionName eq "global" and Enabled and ActionGroupId len () gt 0 and Conditions with [ Field eq "operationName" and Value like "Microsoft.Network/networkSecurityGroups/securityRules/write" ] ] |
| Ensure that activity log alert exists for the Delete Network Security Group Rule |
Create an activity log alert for the Delete Network Security Group Rule event |
Monitor
|
Azure should have atleast one ActivityLogAlert with [ SubscriptionScope and RegionName eq "global" and Enabled and ActionGroupId len () gt 0 and Conditions with [ Field eq "operationName" and Value like "Microsoft.Network/networkSecurityGroups/securityRules/delete" ] ] |
| Ensure that Activity Log Alert exists for Create or Update Security Solution |
Create an activity log alert for the Create or Update Security Solution event. |
Monitor
|
Azure should have atleast one ActivityLogAlert with [ SubscriptionScope and RegionName eq "global" and Enabled and ActionGroupId len () gt 0 and Conditions with [ Field eq "operationName" and Value like "Microsoft.Security/securitySolutions/write" ] ] |
| Ensure that Activity Log Alert exists for Delete Security Solution |
Create an activity log alert for the Delete Security Solution event. |
Monitor
|
Azure should have atleast one ActivityLogAlert with [ SubscriptionScope and RegionName eq "global" and Enabled and ActionGroupId len () gt 0 and Conditions with [ Field eq "operationName" and Value like "Microsoft.Security/securitySolutions/delete" ] ] |
| Ensure that Activity Log Alert exists for Create or Update or Delete SQL Server Firewall Rule |
Create an activity log alert for the Create or Update or Delete SQL Server Firewall Rule event. |
Monitor
|
Azure should have atleast one ActivityLogAlert with [ SubscriptionScope and RegionName eq "global" and Enabled and ActionGroupId len () gt 0 and Conditions with [ Field eq "operationName" and Value like "Microsoft.Sql/servers/firewallRules/write" ] ] |
| Ensure that Activity Log Alert exists for Update Security Policy |
Create an activity log alert for the Update Security Policy event. |
Monitor
|
Azure should have atleast one ActivityLogAlert with [ SubscriptionScope and RegionName eq "global" and Enabled and ActionGroupId len () gt 0 and Conditions with [ Field eq "operationName" and Value like "Microsoft.Security/policies/write" ] ] |
| Ensure that RDP access is restricted from the internet |
Check Network Security Groups for any inbound access from the Internet to RDP port 3389 (UDP or TCP). |
Network
|
VirtualMachine should not have NetworkInterfaces with [ SecurityGroup . SecurityRules with [ Access eq "Allow" and Direction eq "Inbound" and Protocol in ("*", "TCP") and Destination . PortRange with [ FromPort lte 3389 and ToPort gte 3389 ] and ( ( Source . Type eq "Any" ) or ( Source . Type eq "Service Tag" and Source . ServiceTag eq "Internet" ) or ( Source . Type eq "IP Addresses" and Source . Addresses with [ Prefix in ( "0.0.0.0/0", "::/0", "/0", "/0" ) ] ) ) ] ] |
| Ensure that SSH access is restricted from the internet |
Disable SSH access on Network Security Groups from Internet |
Network
|
VirtualMachine should not have NetworkInterfaces with [ SecurityGroup . SecurityRules with [ Access eq "Allow" and Direction eq "Inbound" and Protocol in ("*", "TCP") and Destination . PortRange with [ FromPort lte 22 and ToPort gte 22 ] and ( ( Source . Type eq "Any" ) or ( Source . Type eq "Service Tag" and Source . ServiceTag eq "Internet" ) or ( Source . Type eq "IP Addresses" and Source . Addresses with [ Prefix in ( "0.0.0.0/0", "::/0", "/0", "/0" ) ] ) ) ] ] |
| Communications and control network protection: Ensure that SQL server access is restricted from the internet |
Ensure that no SQL Databases allow ingress from the internet. |
SQL
|
SQLServer should not have FirewallRule with [ StartIP eq 0.0.0.0 and EndIP eq 0.0.0.0 ] |
| Ensure that Network Security Group Flow Log retention period is greater than 90 days |
Network Security Group Flow Logs should be enabled and retention period is set to greater than or equal to 90 days. |
Network
|
NetworkSecurityGroup should have FlowLog . RetentionPolicy . Days gt 90 and FlowLog . RetentionPolicy . Enabled |
| Baseline network operations and data flows: Ensure that Network Watcher is 'Enabled' |
Enable Network Watcher for your Azure Subscriptions |
Network
|
Subscription should have NetworkWatcherEnabled |
| Data-at-rest is protected: Ensure that 'OS disk' are encrypted |
Ensure that OS disks (boot volumes) are encrypted, where possible |
Compute
|
VirtualMachine should have DiskEncryptionStatus . OSDisk |
| Ensure that 'Data disks' are encrypted |
Ensure that Data disks (non-boot volumes) are encrypted, where possible |
Compute
|
VirtualMachine should have DiskEncryptionStatus . DataDisk |
| Ensure that 'Unattached disks' are encrypted with CMK |
Ensure that unattached disks in a subscription are encrypted with a Customer Managed Key |
Compute
|
Disk where DiskAttachment eq "Unattached" should have Encrypted |
| Ensure that the expiry date is set on all Keys |
Ensure that all Keys in Azure Key Vault have an expiry time set. |
KeyVault
|
KeyVault should not have Keys with [ Expires eq False ] |
| Ensure that the expiry date is set on all Secrets |
Ensure that all Secrets in Azure Key Vault have an expiry time set. |
KeyVault
|
KeyVault should not have Secrets with [ Expires eq False ] |
| Enable role-based access control (RBAC) within Azure Kubernetes Services |
Ensure that RBAC is enabled on all Azure Kubernetes Services Instances |
Kubernetes
|
AKSCluster should have EnableRBAC |
| Ensure App Service Authentication is set on Azure App Service |
Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the API app, or authenticate those that have tokens before they reach the API app. If an anonymous request is received from a browser, App Service will redirect to a logon page. To handle the logon process, a choice from a set of identity providers can be made, or a custom authentication mechanism can be implemented. |
Function
|
FunctionApp should have AuthSettings with [ Enabled and UnauthenticatedClientAction neq "AllowAnonymous" ] |
| Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service |
Azure Web Apps allows sites to run under both HTTP and HTTPS by default. Web apps can be accessed by anyone using non-secure HTTP links by default. Non-secure HTTP requests can be restricted and all HTTP requests redirected to the secure HTTPS port. It is recommended to enforce HTTPS-only traffic. |
Function
|
FunctionApp should have HttpsOnly |
| Ensure web app is using the latest version of TLS encryption |
The TLS(Transport Layer Security) protocol secures transmission of data over the internet using standard encryption technology. Encryption should be set with the latest version of TLS. App service allows TLS 1.2 by default, which is the recommended TLS level by industry standards, such as PCI DSS. |
Function
|
FunctionApp should have Configurations with [ MinTLSVersion eq "1.2" ] |
| Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On' |
Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. |
Function
|
FunctionApp should have ClientCertEnabled |
| Ensure that Register with Azure Active Directory is enabled on App Service |
Managed service identity in App Service makes the app more secure by eliminating secrets from the app, such as credentials in the connection strings. When registering with Azure Active Directory in the app service, the app will connect to other Azure services securely without the need of username and passwords. |
Function
|
FunctionApp should have ADRegistered |
| Description |
Service |
Rule |
| Identities and credentials: Ensure that there are no guest users |
Do not add guest users if not needed. |
AAD
|
User should not have Type eq "Guest" |
| Ensure that Microsoft Defender for Container Registries is set to 'On' |
Turning on Microsoft Defender for Container Registries enables threat detection for Container Registries, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud. |
SecurityCenter
|
AzureDefender should have AzureDefenderForContainerRegistries |
| Microsoft Defender for Cloud: Ensure that Microsoft Defender for SQL servers on machines is set to 'On' |
Turning on Microsoft Defender for SQL servers on machines enables threat detection for SQL servers on machines, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud. |
SecurityCenter
|
AzureDefender should have AzureDefenderForSQLServersOnMachine |
| Azure Defender protection: Ensure that Microsoft Defender for App Service is set to 'On' |
Turning on Azure Defender enables threat detection for App Service, providing threat intelligence, anomaly detection, and behavior analytics in the Azure Security Center. |
SecurityCenter
|
AzureDefender should have AzureDefenderForAppService |
| Microsoft Defender for Cloud: Ensure that Microsoft Defender for Key Vault is set to 'On' |
Turning on Microsoft Defender for Key Vault enables threat detection for Key Vault, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud. |
SecurityCenter
|
AzureDefender should have AzureDefenderForKeyVault |
| Azure Defender protection: Ensure that Microsoft Defender for Servers is set to 'On' |
Turning on Azure Defender enables threat detection for Server, providing threat intelligence, anomaly detection, and behavior analytics in the Azure Security Center. |
SecurityCenter
|
AzureDefender should have AzureDefenderForServer |
| Azure Defender protection: Ensure that Microsoft Defender for Azure SQL Databases is set to 'On' |
Turning on Azure Defender enables threat detection for Azure SQL database servers, providing threat intelligence, anomaly detection, and behavior analytics in the Azure Security Center. |
SecurityCenter
|
AzureDefender should have AzureDefenderForAzureSQLDataBaseServers |
| Microsoft Defender for Cloud: Ensure that Microsoft Defender for Kubernetes is set to 'On' |
Turning on Microsoft Defender for Kubernetes enables threat detection for Kubernetes, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud. |
SecurityCenter
|
AzureDefender should have AzureDefenderForKubernetes |
| Azure Defender protection: Ensure that Microsoft Defender for Storage is set to 'On' |
Turning on Azure Defender enables threat detection for Storage, providing threat intelligence, anomaly detection, and behavior analytics in the Azure Security Center. |
SecurityCenter
|
AzureDefender should have AzureDefenderForStorage |
| Security Center protection: Ensure that Microsoft Defender for Endpoint (WDATP) integration with Microsoft Defender for Cloud is selected |
This setting enables Microsoft Defender for Endpoint integration with Microsoft Defender for Cloud. |
SecurityCenter
|
SecurityCenterPolicy should have WDATPIntegratedWithSecurityCenter |
| Microsoft Defender for Cloud: Ensure that Microsoft Defender for Cloud Apps (MCAS) Integration with Microsoft Defender for Cloud is Selected |
This setting enables Microsoft Defender for Cloud Apps (MCAS) integration with Microsoft Defender for Cloud. |
SecurityCenter
|
SecurityCenterPolicy should have MCASIntegratedWithSecurityCenter |
| Ensure That Auto provisioning of 'Log Analytics agent for Azure VMs' is Set to 'On' |
Enable Automatic provisioning of monitoring agent to collect security data. |
AAD
|
SecurityCenterPolicy should have AutomaticProvisioningOfMonitoringAgent eq "On" |
| Personnel know response roles/operations: Ensure that 'Security contact emails' is set |
Provide a security contact email address. |
SecurityCenter
|
SecurityCenterPolicy should have SecurityContactEmails len() > 0 |
| Security Center protection: Ensure that 'Notify about alerts with the following severity' is set to 'High' |
Enables emailing security alerts to the subscription owner or other designated security contact |
SecurityCenter
|
SecurityCenterPolicy should have AlertNotificationMinimalSeverity eq "High" |
| Personnel know response roles/operations: Ensure that 'Also send email to subscription owners' is set to 'On' |
Enable security alerts emailing to subscription owners. |
SecurityCenter
|
SecurityCenterPolicy should have SendEmailToSubscriptionOwners |
| Ensure storage for critical data are encrypted with Customer Managed Key |
Enable sensitive data encryption at rest using Customer Managed Keys rather than Microsoft Managed keys |
Storage
|
StorageAccount should have EncryptionType eq "Microsoft.Keyvault" |
| Monitor network to detect potential cybersecurity events: Ensure that 'Threat Detection' is set to 'On' for SQL Servers |
Enable threat detection on SQL Servers. |
SQL
|
SQLServer should have ThreatPolicy . State eq "Enabled" |
| SQL Server protection: Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account |
Enable Vulnerability Assessment (VA) service scans for critical SQL servers and corresponding SQL databases |
SQL
|
SQLServer should have VulnerabilityAssessment . StorageAccount neq "" |
| SQL Server protection: Ensure that VA setting 'Periodic recurring scans' to 'on' for each SQL server |
Enable Vulnerability Assessment (VA) Periodic recurring scans for critical SQL servers and corresponding SQL databases |
SQL
|
SQLServer should have VulnerabilityAssessment.RecurringScansState |
| SQL Server protection: Ensure that VA setting 'Send scan reports to' is configured for a SQL server |
Configure 'Send scan reports to' with email ids of concerned data owners/stakeholders for a critical SQL servers |
SQL
|
SQLServer should have VulnerabilityAssessment.NotificationEmails len() gt 0 |
| SQL Server protection: Ensure that Vulnerability Assessment Setting 'Also send email notifications to admins and subscription owners' is Set for Each SQL server |
Enable Vulnerability Assessment (VA) setting 'Also send email notifications to admins and subscription owners' |
SQL
|
SQLServer should have VulnerabilityAssessment.EmailSubscriptionAdmins |
| SQL Server protection: Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled |
Disable access from Azure services to PostgreSQL Database Server |
SQL
|
PostgreSQLServer should not have firewall_rules with [properties.startIpAddress eq "0.0.0.0" and properties.endIpAddress eq "0.0.0.0"] |
| Identities and credentials: Ensure that Azure Active Directory Admin is configured for SQL Servers |
Use Azure Active Directory Authentication for authentication with SQL Database. |
SQL
|
SQLServer should have ADAdmin . Status |
| Ensure Diagnostic Setting captures appropriate categories |
The diagnostic setting should be configured to log the appropriate activities from the control/management plane |
Monitor
|
Subscription should have DiagnosticSettings with [ Logs with [ Category eq "Administrative" and Enabled ] ] and DiagnosticSettings with [ Logs with [ Category eq "Alert" and Enabled ] ] and DiagnosticSettings with [ Logs with [ Category eq "Policy" and Enabled ] ] and DiagnosticSettings with [ Logs with [ Category eq "Security" and Enabled ] ] |
| Ensure the storage container storing the activity logs is not publicly accessible |
The storage account container containing the activity log export should not be publicly accessible |
Monitor
|
ActivityLogProfile should have StorageContainerPublicAccess eq "None" |
| Ensure that Activity Log Alert exists for Delete Policy Assignment |
Create an activity log alert for the Delete Policy Assignment event |
Monitor
|
Azure should have atleast one ActivityLogAlert with [ Conditions with [ Value like "Microsoft.Authorization/policyAssignments/delete" ] ] |
| Ensure that UDP Services are restricted from the Internet |
Disable Internet exposed UDP ports on network security groups |
Network
|
VirtualMachine should not have NetworkInterfaces with [ SecurityGroup . SecurityRules with [ Access eq "Allow" and Direction eq "Inbound" and Protocol in ("*", "UDP") and Destination . PortRange with [ ( FromPort lte 22 and ToPort gte 22 ) or ( FromPort lte 53 and ToPort gte 53 ) or ( FromPort lte 67 and ToPort gte 67 ) or ( FromPort lte 80 and ToPort gte 80 ) or ( FromPort lte 123 and ToPort gte 123 ) or ( FromPort lte 161 and ToPort gte 161 ) or ( FromPort lte 389 and ToPort gte 389 ) or ( FromPort lte 443 and ToPort gte 443 ) or ( FromPort lte 520 and ToPort gte 520 ) or ( FromPort lte 547 and ToPort gte 547 ) or ( FromPort lte 1433 and ToPort gte 1433 ) or ( FromPort lte 1521 and ToPort gte 1521 ) or ( FromPort lte 1900 and ToPort gte 1900 ) or ( FromPort lte 3306 and ToPort gte 3306 ) or ( FromPort lte 3389 and ToPort gte 3389 ) or ( FromPort lte 5432 and ToPort gte 5432 ) or ( FromPort lte 27019 and ToPort gte 27017 ) ] and ( ( Source . Type eq "Any" ) or ( Source . Type eq "Service Tag" and Source . ServiceTag eq "Internet" ) or ( Source . Type eq "IP Addresses" and Source . Addresses with [ Prefix in ( "0.0.0.0/0", "::/0", "/0", "/0" ) ] ) ) ] ] |
| Ensure Virtual Machines are utilizing Managed Disks |
Migrate BLOB based VHD's to Managed Disks on Virtual Machines |
Compute
|
VirtualMachine should have UnmanagedDisks len() eq 0 |
| Ensure that 'OS and Data' disks are encrypted with CMK |
Ensure that OS disks (boot volumes) and data disks (non-boot volumes) are encrypted with CMK (Customer Managed Keys). Customer Managed keys can be either ADE or Server Side Encryption (SSE) |
Compute
|
VirtualMachine should have DiskEncryptionStatus . OSDisk and DiskEncryptionStatus . DataDisk |
| Ensure soft delete is enabled for Azure Storage |
Azure Storage be made recoverable by enabling soft delete configuration. This is to save and recover data when blobs or blob snapshots are deleted |
Storage
|
StorageAccount should have SoftDelete . Enabled |
| Identities and credentials: Ensure that no custom subscription owner roles are created |
Do not create custom roles with subscription ownership. It is recommended to use the principle of least privilege, assigning only needed privileges instead of allowing full administrative access. |
Auth
|
Role should not have ( Type eq "CustomRole" and Permissions with [ Actions has ( "*" ) ] ) |
| Ensure that 'Secure transfer required' is set to 'Enabled' |
Enable data encryption is transit. |
Storage
|
StorageAccount should have EnableHttpsTrafficOnly |
| Ensure that storage account access keys are periodically regenerated |
Regenerate storage account access keys every 90 days |
Storage
|
StorageAccount should have KeyRegenerated |
| Data-at-rest is protected: Ensure that 'Public access level' is set to Private for blob containers |
Disable anonymous access to blob containers. |
Storage
|
StorageAccount should have every BlobContainers with [ Access eq "None" ] or not AllowBlobPublic |
| Ensure default network access rule for Storage Accounts is set to deny |
Restricting default network access helps to provide a new layer of security, since storage accounts accept connections from clients on any network. To limit access to selected networks, the default action must be changed |
Storage
|
StorageAccount should not have ACL.DefaultAction eq "Allow" |
| Ensure 'Trusted Microsoft Services' are Enabled for Storage Account Access |
Some Microsoft services that interact with storage accounts operate from networks that can't be granted access through network rules. To help this type of service work as intended, allow the set of trusted Microsoft services to bypass the network rules. These services will then use strong authentication to access the storage account. If the Allow trusted Microsoft services exception is enabled, the following services: Azure Backup, Azure Site Recovery, Azure DevTest Labs, Azure Event Grid, Azure Event Hubs, Azure Networking, Azure Monitor and Azure SQL Data Warehouse (when registered in the subscription), are granted access to the storage account. |
Storage
|
StorageAccount should have ACL.Bypass has ( "AzureServices") |
| Ensure that 'Auditing' is set to 'On' for SQL Servers |
Enable auditing on SQL Servers. |
SQL
|
SQLServer should have AuditPolicy . State eq "Enabled" |
| Ensure that Data encryption is set to On on a SQL Database |
Enable Transparent Data Encryption on every SQL Database |
SQL
|
SQLDatabase should have DataEncryption.TransparentDataEncryptionStatus eq "Enabled" |
| Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL Servers |
SQL Server Audit Retention should be configured to be greater than 90 days. |
SQL
|
SQLServer should have ( AuditPolicy . RetentionDays gte 90 or AuditPolicy . RetentionDays lte 0 ) |
| Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server |
Enable SSL connection on PostgreSQL Servers. |
SQL
|
PostgreSQLServer should have sslEnforcement eq "Enabled" |
| Ensure 'Enforce SSL connection' is set to 'Enabled' for Standard MySQL Database Server |
Enable SSL connection on MYSQL Servers. |
SQL
|
MYSQLServer should have sslEnforcement eq "Enabled" |
| Ensure server parameter log_checkpoints is set to ON for PostgreSQL Database Server |
Enable log_checkpoints on PostgreSQL Servers |
SQL
|
PostgreSQLServer should have log_checkpoints like "(?i)on" |
| Ensure server parameter log_connections is set to ON for PostgreSQL Database Server |
Enable log_connections on PostgreSQL Servers |
SQL
|
PostgreSQLServer should have log_connections like "(?i)on" |
| Ensure server parameter log_disconnections is set to ON for PostgreSQL Database Server |
Enable log_disconnections on PostgreSQL Servers. |
SQL
|
PostgreSQLServer should have log_disconnections like "(?i)on" |
| Ensure server parameter connection_throttling is set to ON for PostgreSQL Database Server |
Enable connection_throttling on PostgreSQL Servers |
SQL
|
PostgreSQLServer should have connection_throttling like "(?i)on" |
| Ensure server parameter log_retention_days is greater than 3 days for PostgreSQL Database Server |
Enable log_retention_days on PostgreSQL Servers. |
SQL
|
PostgreSQLServer should have log_retention_days gte 4 |
| Ensure SQL server's TDE protector is encrypted with Customer-managed key |
TDE with Customer-managed key support provides increased transparency and control over the TDE Protector increased security with an HSM-backed external service and promotion of separation of duties. |
SQL
|
SQLServer should have TDEProtector.kind eq "azurekeyvault" and TDEProtector.serverKeyType eq "AzureKeyVault" and TDEProtector.uri |
| Ensure the storage account containing the container with activity logs is encrypted with BYOK |
The storage account with the activity log export container is configured to use BYOK (Use Your Own Key). |
Monitor
|
ActivityLogProfile should have StorageAccount.EncryptionType eq "Microsoft.Keyvault" and StorageAccount.KeyVaultUri |
| Ensure that logging for Azure KeyVault is 'Enabled' |
Enable AuditEvent logging for Key Vault instances to ensure interactions with key vaults are logged and available. |
KeyVault
|
KeyVault should have DiagnosticSettings with [ StorageAccountId len ( ) gt 0 and Logs with [ Category len ( ) gt 0 and LogEnabled and ( RetentionPolicy . Days gte 180 or RetentionPolicy . Days eq 0 ) ] ] |
| Ensure that Activity Log Alert exists for Create Policy Assignment |
Create an activity log alert for the Create Policy Assignment event. |
Monitor
|
Azure should have atleast one ActivityLogAlert with [ SubscriptionScope and RegionName eq "global" and Enabled and ActionGroupId len () gt 0 and Conditions with [ Field eq "operationName" and Value like "Microsoft.Authorization/policyAssignments/write" ] ] |
| Ensure that Activity Log Alert exists for Create or Update Network Security Group |
Create an activity log alert for Create or Update Network Security Group event. |
Monitor
|
Azure should have atleast one ActivityLogAlert with [ SubscriptionScope and RegionName eq "global" and Enabled and ActionGroupId len () gt 0 and Conditions with [ Field eq "operationName" and Value like "Microsoft.Network/networkSecurityGroups/write" ] ] |
| Ensure that Activity Log Alert exists for Delete Network Security Group |
Create an activity log alert for Delete Network Security Group event. |
Monitor
|
Azure should have atleast one ActivityLogAlert with [ SubscriptionScope and RegionName eq "global" and Enabled and ActionGroupId len () gt 0 and Conditions with [ Field eq "operationName" and Value like "Microsoft.Network/networkSecurityGroups/delete" ] ] |
| Ensure that Activity Log Alert exists for Create or Update Network Security Group Rule |
Create an activity log alert for the Create or Update Network Security Group Rule event |
Monitor
|
Azure should have atleast one ActivityLogAlert with [ SubscriptionScope and RegionName eq "global" and Enabled and ActionGroupId len () gt 0 and Conditions with [ Field eq "operationName" and Value like "Microsoft.Network/networkSecurityGroups/securityRules/write" ] ] |
| Ensure that activity log alert exists for the Delete Network Security Group Rule |
Create an activity log alert for the Delete Network Security Group Rule event |
Monitor
|
Azure should have atleast one ActivityLogAlert with [ SubscriptionScope and RegionName eq "global" and Enabled and ActionGroupId len () gt 0 and Conditions with [ Field eq "operationName" and Value like "Microsoft.Network/networkSecurityGroups/securityRules/delete" ] ] |
| Ensure that Activity Log Alert exists for Create or Update Security Solution |
Create an activity log alert for the Create or Update Security Solution event. |
Monitor
|
Azure should have atleast one ActivityLogAlert with [ SubscriptionScope and RegionName eq "global" and Enabled and ActionGroupId len () gt 0 and Conditions with [ Field eq "operationName" and Value like "Microsoft.Security/securitySolutions/write" ] ] |
| Ensure that Activity Log Alert exists for Delete Security Solution |
Create an activity log alert for the Delete Security Solution event. |
Monitor
|
Azure should have atleast one ActivityLogAlert with [ SubscriptionScope and RegionName eq "global" and Enabled and ActionGroupId len () gt 0 and Conditions with [ Field eq "operationName" and Value like "Microsoft.Security/securitySolutions/delete" ] ] |
| Ensure that Activity Log Alert exists for Create or Update or Delete SQL Server Firewall Rule |
Create an activity log alert for the Create or Update or Delete SQL Server Firewall Rule event. |
Monitor
|
Azure should have atleast one ActivityLogAlert with [ SubscriptionScope and RegionName eq "global" and Enabled and ActionGroupId len () gt 0 and Conditions with [ Field eq "operationName" and Value like "Microsoft.Sql/servers/firewallRules/write" ] ] |
| Ensure that RDP access is restricted from the internet |
Check Network Security Groups for any inbound access from the Internet to RDP port 3389 (UDP or TCP). |
Network
|
VirtualMachine should not have NetworkInterfaces with [ SecurityGroup . SecurityRules with [ Access eq "Allow" and Direction eq "Inbound" and Protocol in ("*", "TCP") and Destination . PortRange with [ FromPort lte 3389 and ToPort gte 3389 ] and ( ( Source . Type eq "Any" ) or ( Source . Type eq "Service Tag" and Source . ServiceTag eq "Internet" ) or ( Source . Type eq "IP Addresses" and Source . Addresses with [ Prefix in ( "0.0.0.0/0", "::/0", "/0", "/0" ) ] ) ) ] ] |
| Ensure that SSH access is restricted from the internet |
Disable SSH access on Network Security Groups from Internet |
Network
|
VirtualMachine should not have NetworkInterfaces with [ SecurityGroup . SecurityRules with [ Access eq "Allow" and Direction eq "Inbound" and Protocol in ("*", "TCP") and Destination . PortRange with [ FromPort lte 22 and ToPort gte 22 ] and ( ( Source . Type eq "Any" ) or ( Source . Type eq "Service Tag" and Source . ServiceTag eq "Internet" ) or ( Source . Type eq "IP Addresses" and Source . Addresses with [ Prefix in ( "0.0.0.0/0", "::/0", "/0", "/0" ) ] ) ) ] ] |
| Communications and control network protection: Ensure that SQL server access is restricted from the internet |
Ensure that no SQL Databases allow ingress from the internet. |
SQL
|
SQLServer should not have FirewallRule with [ StartIP eq 0.0.0.0 and EndIP eq 0.0.0.0 ] |
| Ensure that Network Security Group Flow Log retention period is greater than 90 days |
Network Security Group Flow Logs should be enabled and retention period is set to greater than or equal to 90 days. |
Network
|
NetworkSecurityGroup should have FlowLog . RetentionPolicy . Days gt 90 and FlowLog . RetentionPolicy . Enabled |
| Baseline network operations and data flows: Ensure that Network Watcher is 'Enabled' |
Enable Network Watcher for your Azure Subscriptions |
Network
|
Subscription should have NetworkWatcherEnabled |
| Ensure that 'Unattached disks' are encrypted with CMK |
Ensure that unattached disks in a subscription are encrypted with a Customer Managed Key |
Compute
|
Disk where DiskAttachment eq "Unattached" should have Encrypted |
| Ensure that the expiry date is set on all Keys |
Ensure that all Keys in Azure Key Vault have an expiry time set. |
KeyVault
|
KeyVault should not have Keys with [ Expires eq False ] |
| Ensure that the expiry date is set on all Secrets |
Ensure that all Secrets in Azure Key Vault have an expiry time set. |
KeyVault
|
KeyVault should not have Secrets with [ Expires eq False ] |
| Ensure the key vault is recoverable |
It is recommended the key vault be made recoverable by enabling the Do Not Purge and Soft Delete functions. This is in order to prevent loss of encrypted data including storage accounts, SQL databases, and/or dependent services provided by key vault objects (Keys, Secrets, Certificates) etc., as may happen in the case of accidental deletion by a user or from disruptive activity by a malicious user. |
KeyVault
|
KeyVault should have EnableSoftDelete and EnablePurgeProtection |
| Enable role-based access control (RBAC) within Azure Kubernetes Services |
Ensure that RBAC is enabled on all Azure Kubernetes Services Instances |
Kubernetes
|
AKSCluster should have EnableRBAC |
| Ensure App Service Authentication is set on Azure App Service |
Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the API app, or authenticate those that have tokens before they reach the API app. If an anonymous request is received from a browser, App Service will redirect to a logon page. To handle the logon process, a choice from a set of identity providers can be made, or a custom authentication mechanism can be implemented. |
Function
|
FunctionApp should have AuthSettings with [ Enabled and UnauthenticatedClientAction neq "AllowAnonymous" ] |
| Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service |
Azure Web Apps allows sites to run under both HTTP and HTTPS by default. Web apps can be accessed by anyone using non-secure HTTP links by default. Non-secure HTTP requests can be restricted and all HTTP requests redirected to the secure HTTPS port. It is recommended to enforce HTTPS-only traffic. |
Function
|
FunctionApp should have HttpsOnly |
| Ensure web app is using the latest version of TLS encryption |
The TLS(Transport Layer Security) protocol secures transmission of data over the internet using standard encryption technology. Encryption should be set with the latest version of TLS. App service allows TLS 1.2 by default, which is the recommended TLS level by industry standards, such as PCI DSS. |
Function
|
FunctionApp should have Configurations with [ MinTLSVersion eq "1.2" ] |
| Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On' |
Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. |
Function
|
FunctionApp should have ClientCertEnabled |
| Ensure that Register with Azure Active Directory is enabled on App Service |
Managed service identity in App Service makes the app more secure by eliminating secrets from the app, such as credentials in the connection strings. When registering with Azure Active Directory in the app service, the app will connect to other Azure services securely without the need of username and passwords. |
Function
|
FunctionApp should have ADRegistered |
| Description |
Service |
Rule |
| Identities and credentials: Ensure that no custom subscription owner roles are created |
Do not create custom roles with subscription ownership. It is recommended to use the principle of least privilege, assigning only needed privileges instead of allowing full administrative access. |
Auth
|
Role should not have ( Type eq "CustomRole" and Permissions with [ Actions has ( "*" ) ] ) |
| Azure Defender protection: Ensure that Microsoft Defender for Servers is set to 'On' |
Turning on Azure Defender enables threat detection for Server, providing threat intelligence, anomaly detection, and behavior analytics in the Azure Security Center. |
SecurityCenter
|
AzureDefender should have AzureDefenderForServer |
| Azure Defender protection: Ensure that Microsoft Defender for App Service is set to 'On' |
Turning on Azure Defender enables threat detection for App Service, providing threat intelligence, anomaly detection, and behavior analytics in the Azure Security Center. |
SecurityCenter
|
AzureDefender should have AzureDefenderForAppService |
| Azure Defender protection: Ensure that Microsoft Defender for Azure SQL Databases is set to 'On' |
Turning on Azure Defender enables threat detection for Azure SQL database servers, providing threat intelligence, anomaly detection, and behavior analytics in the Azure Security Center. |
SecurityCenter
|
AzureDefender should have AzureDefenderForAzureSQLDataBaseServers |
| Microsoft Defender for Cloud: Ensure that Microsoft Defender for SQL servers on machines is set to 'On' |
Turning on Microsoft Defender for SQL servers on machines enables threat detection for SQL servers on machines, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud. |
SecurityCenter
|
AzureDefender should have AzureDefenderForSQLServersOnMachine |
| Azure Defender protection: Ensure that Microsoft Defender for Storage is set to 'On' |
Turning on Azure Defender enables threat detection for Storage, providing threat intelligence, anomaly detection, and behavior analytics in the Azure Security Center. |
SecurityCenter
|
AzureDefender should have AzureDefenderForStorage |
| Microsoft Defender for Cloud: Ensure that Microsoft Defender for Kubernetes is set to 'On' |
Turning on Microsoft Defender for Kubernetes enables threat detection for Kubernetes, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud. |
SecurityCenter
|
AzureDefender should have AzureDefenderForKubernetes |
| Ensure that Microsoft Defender for Container Registries is set to 'On' |
Turning on Microsoft Defender for Container Registries enables threat detection for Container Registries, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud. |
SecurityCenter
|
AzureDefender should have AzureDefenderForContainerRegistries |
| Microsoft Defender for Cloud: Ensure that Microsoft Defender for Key Vault is set to 'On' |
Turning on Microsoft Defender for Key Vault enables threat detection for Key Vault, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud. |
SecurityCenter
|
AzureDefender should have AzureDefenderForKeyVault |
| Security Center protection: Ensure that Microsoft Defender for Endpoint (WDATP) integration with Microsoft Defender for Cloud is selected |
This setting enables Microsoft Defender for Endpoint integration with Microsoft Defender for Cloud. |
SecurityCenter
|
SecurityCenterPolicy should have WDATPIntegratedWithSecurityCenter |
| Microsoft Defender for Cloud: Ensure that Microsoft Defender for Cloud Apps (MCAS) Integration with Microsoft Defender for Cloud is Selected |
This setting enables Microsoft Defender for Cloud Apps (MCAS) integration with Microsoft Defender for Cloud. |
SecurityCenter
|
SecurityCenterPolicy should have MCASIntegratedWithSecurityCenter |
| Personnel know response roles/operations: Ensure that 'Security contact emails' is set |
Provide a security contact email address. |
SecurityCenter
|
SecurityCenterPolicy should have SecurityContactEmails len() > 0 |
| Security Center protection: Ensure that 'Notify about alerts with the following severity' is set to 'High' |
Enables emailing security alerts to the subscription owner or other designated security contact |
SecurityCenter
|
SecurityCenterPolicy should have AlertNotificationMinimalSeverity eq "High" |
| Personnel know response roles/operations: Ensure that 'Also send email to subscription owners' is set to 'On' |
Enable security alerts emailing to subscription owners. |
SecurityCenter
|
SecurityCenterPolicy should have SendEmailToSubscriptionOwners |
| Ensure that 'Secure transfer required' is set to 'Enabled' |
Enable data encryption is transit. |
Storage
|
StorageAccount should have EnableHttpsTrafficOnly |
| Ensure that storage account access keys are periodically regenerated |
Regenerate storage account access keys every 90 days |
Storage
|
StorageAccount should have KeyRegenerated |
| Data-at-rest is protected: Ensure that 'Public access level' is set to Private for blob containers |
Disable anonymous access to blob containers. |
Storage
|
StorageAccount should have every BlobContainers with [ Access eq "None" ] or not AllowBlobPublic |
| Ensure default network access rule for Storage Accounts is set to deny |
Restricting default network access helps to provide a new layer of security, since storage accounts accept connections from clients on any network. To limit access to selected networks, the default action must be changed |
Storage
|
StorageAccount should not have ACL.DefaultAction eq "Allow" |
| Ensure 'Trusted Microsoft Services' are Enabled for Storage Account Access |
Some Microsoft services that interact with storage accounts operate from networks that can't be granted access through network rules. To help this type of service work as intended, allow the set of trusted Microsoft services to bypass the network rules. These services will then use strong authentication to access the storage account. If the Allow trusted Microsoft services exception is enabled, the following services: Azure Backup, Azure Site Recovery, Azure DevTest Labs, Azure Event Grid, Azure Event Hubs, Azure Networking, Azure Monitor and Azure SQL Data Warehouse (when registered in the subscription), are granted access to the storage account. |
Storage
|
StorageAccount should have ACL.Bypass has ( "AzureServices") |
| Ensure soft delete is enabled for Azure Storage |
Azure Storage be made recoverable by enabling soft delete configuration. This is to save and recover data when blobs or blob snapshots are deleted |
Storage
|
StorageAccount should have SoftDelete . Enabled |
| Ensure storage for critical data are encrypted with Customer Managed Key |
Enable sensitive data encryption at rest using Customer Managed Keys rather than Microsoft Managed keys |
Storage
|
StorageAccount should have EncryptionType eq "Microsoft.Keyvault" |
| Ensure that 'Auditing' is set to 'On' for SQL Servers |
Enable auditing on SQL Servers. |
SQL
|
SQLServer should have AuditPolicy . State eq "Enabled" |
| Ensure that Data encryption is set to On on a SQL Database |
Enable Transparent Data Encryption on every SQL Database |
SQL
|
SQLDatabase should have DataEncryption.TransparentDataEncryptionStatus eq "Enabled" |
| Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL Servers |
SQL Server Audit Retention should be configured to be greater than 90 days. |
SQL
|
SQLServer should have ( AuditPolicy . RetentionDays gte 90 or AuditPolicy . RetentionDays lte 0 ) |
| Monitor network to detect potential cybersecurity events: Ensure that 'Threat Detection' is set to 'On' for SQL Servers |
Enable threat detection on SQL Servers. |
SQL
|
SQLServer should have ThreatPolicy . State eq "Enabled" |
| SQL Server protection: Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account |
Enable Vulnerability Assessment (VA) service scans for critical SQL servers and corresponding SQL databases |
SQL
|
SQLServer should have VulnerabilityAssessment . StorageAccount neq "" |
| SQL Server protection: Ensure that VA setting 'Periodic recurring scans' to 'on' for each SQL server |
Enable Vulnerability Assessment (VA) Periodic recurring scans for critical SQL servers and corresponding SQL databases |
SQL
|
SQLServer should have VulnerabilityAssessment.RecurringScansState |
| SQL Server protection: Ensure that VA setting 'Send scan reports to' is configured for a SQL server |
Configure 'Send scan reports to' with email ids of concerned data owners/stakeholders for a critical SQL servers |
SQL
|
SQLServer should have VulnerabilityAssessment.NotificationEmails len() gt 0 |
| SQL Server protection: Ensure that Vulnerability Assessment Setting 'Also send email notifications to admins and subscription owners' is Set for Each SQL server |
Enable Vulnerability Assessment (VA) setting 'Also send email notifications to admins and subscription owners' |
SQL
|
SQLServer should have VulnerabilityAssessment.EmailSubscriptionAdmins |
| Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server |
Enable SSL connection on PostgreSQL Servers. |
SQL
|
PostgreSQLServer should have sslEnforcement eq "Enabled" |
| Ensure 'Enforce SSL connection' is set to 'Enabled' for Standard MySQL Database Server |
Enable SSL connection on MYSQL Servers. |
SQL
|
MYSQLServer should have sslEnforcement eq "Enabled" |
| Ensure server parameter log_checkpoints is set to ON for PostgreSQL Database Server |
Enable log_checkpoints on PostgreSQL Servers |
SQL
|
PostgreSQLServer should have log_checkpoints like "(?i)on" |
| Ensure server parameter log_connections is set to ON for PostgreSQL Database Server |
Enable log_connections on PostgreSQL Servers |
SQL
|
PostgreSQLServer should have log_connections like "(?i)on" |
| Ensure server parameter log_disconnections is set to ON for PostgreSQL Database Server |
Enable log_disconnections on PostgreSQL Servers. |
SQL
|
PostgreSQLServer should have log_disconnections like "(?i)on" |
| Ensure server parameter connection_throttling is set to ON for PostgreSQL Database Server |
Enable connection_throttling on PostgreSQL Servers |
SQL
|
PostgreSQLServer should have connection_throttling like "(?i)on" |
| Ensure server parameter log_retention_days is greater than 3 days for PostgreSQL Database Server |
Enable log_retention_days on PostgreSQL Servers. |
SQL
|
PostgreSQLServer should have log_retention_days gte 4 |
| SQL Server protection: Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled |
Disable access from Azure services to PostgreSQL Database Server |
SQL
|
PostgreSQLServer should not have firewall_rules with [properties.startIpAddress eq "0.0.0.0" and properties.endIpAddress eq "0.0.0.0"] |
| Identities and credentials: Ensure that Azure Active Directory Admin is configured for SQL Servers |
Use Azure Active Directory Authentication for authentication with SQL Database. |
SQL
|
SQLServer should have ADAdmin . Status |
| Ensure SQL server's TDE protector is encrypted with Customer-managed key |
TDE with Customer-managed key support provides increased transparency and control over the TDE Protector increased security with an HSM-backed external service and promotion of separation of duties. |
SQL
|
SQLServer should have TDEProtector.kind eq "azurekeyvault" and TDEProtector.serverKeyType eq "AzureKeyVault" and TDEProtector.uri |
| Ensure Diagnostic Setting captures appropriate categories |
The diagnostic setting should be configured to log the appropriate activities from the control/management plane |
Monitor
|
Subscription should have DiagnosticSettings with [ Logs with [ Category eq "Administrative" and Enabled ] ] and DiagnosticSettings with [ Logs with [ Category eq "Alert" and Enabled ] ] and DiagnosticSettings with [ Logs with [ Category eq "Policy" and Enabled ] ] and DiagnosticSettings with [ Logs with [ Category eq "Security" and Enabled ] ] |
| Ensure the storage container storing the activity logs is not publicly accessible |
The storage account container containing the activity log export should not be publicly accessible |
Monitor
|
ActivityLogProfile should have StorageContainerPublicAccess eq "None" |
| Ensure the storage account containing the container with activity logs is encrypted with BYOK |
The storage account with the activity log export container is configured to use BYOK (Use Your Own Key). |
Monitor
|
ActivityLogProfile should have StorageAccount.EncryptionType eq "Microsoft.Keyvault" and StorageAccount.KeyVaultUri |
| Ensure that logging for Azure KeyVault is 'Enabled' |
Enable AuditEvent logging for Key Vault instances to ensure interactions with key vaults are logged and available. |
KeyVault
|
KeyVault should have DiagnosticSettings with [ StorageAccountId len ( ) gt 0 and Logs with [ Category len ( ) gt 0 and LogEnabled and ( RetentionPolicy . Days gte 180 or RetentionPolicy . Days eq 0 ) ] ] |
| Ensure that Activity Log Alert exists for Create Policy Assignment |
Create an activity log alert for the Create Policy Assignment event. |
Monitor
|
Azure should have atleast one ActivityLogAlert with [ SubscriptionScope and RegionName eq "global" and Enabled and ActionGroupId len () gt 0 and Conditions with [ Field eq "operationName" and Value like "Microsoft.Authorization/policyAssignments/write" ] ] |
| Ensure that Activity Log Alert exists for Delete Policy Assignment |
Create an activity log alert for the Delete Policy Assignment event |
Monitor
|
Azure should have atleast one ActivityLogAlert with [ Conditions with [ Value like "Microsoft.Authorization/policyAssignments/delete" ] ] |
| Ensure that Activity Log Alert exists for Create or Update Network Security Group |
Create an activity log alert for Create or Update Network Security Group event. |
Monitor
|
Azure should have atleast one ActivityLogAlert with [ SubscriptionScope and RegionName eq "global" and Enabled and ActionGroupId len () gt 0 and Conditions with [ Field eq "operationName" and Value like "Microsoft.Network/networkSecurityGroups/write" ] ] |
| Ensure that Activity Log Alert exists for Delete Network Security Group |
Create an activity log alert for Delete Network Security Group event. |
Monitor
|
Azure should have atleast one ActivityLogAlert with [ SubscriptionScope and RegionName eq "global" and Enabled and ActionGroupId len () gt 0 and Conditions with [ Field eq "operationName" and Value like "Microsoft.Network/networkSecurityGroups/delete" ] ] |
| Ensure that activity log alert exists for the Delete Network Security Group Rule |
Create an activity log alert for the Delete Network Security Group Rule event |
Monitor
|
Azure should have atleast one ActivityLogAlert with [ SubscriptionScope and RegionName eq "global" and Enabled and ActionGroupId len () gt 0 and Conditions with [ Field eq "operationName" and Value like "Microsoft.Network/networkSecurityGroups/securityRules/delete" ] ] |
| Ensure that Activity Log Alert exists for Create or Update Security Solution |
Create an activity log alert for the Create or Update Security Solution event. |
Monitor
|
Azure should have atleast one ActivityLogAlert with [ SubscriptionScope and RegionName eq "global" and Enabled and ActionGroupId len () gt 0 and Conditions with [ Field eq "operationName" and Value like "Microsoft.Security/securitySolutions/write" ] ] |
| Ensure that Activity Log Alert exists for Delete Security Solution |
Create an activity log alert for the Delete Security Solution event. |
Monitor
|
Azure should have atleast one ActivityLogAlert with [ SubscriptionScope and RegionName eq "global" and Enabled and ActionGroupId len () gt 0 and Conditions with [ Field eq "operationName" and Value like "Microsoft.Security/securitySolutions/delete" ] ] |
| Ensure that Activity Log Alert exists for Create or Update or Delete SQL Server Firewall Rule |
Create an activity log alert for the Create or Update or Delete SQL Server Firewall Rule event. |
Monitor
|
Azure should have atleast one ActivityLogAlert with [ SubscriptionScope and RegionName eq "global" and Enabled and ActionGroupId len () gt 0 and Conditions with [ Field eq "operationName" and Value like "Microsoft.Sql/servers/firewallRules/write" ] ] |
| Ensure that RDP access is restricted from the internet |
Check Network Security Groups for any inbound access from the Internet to RDP port 3389 (UDP or TCP). |
Network
|
VirtualMachine should not have NetworkInterfaces with [ SecurityGroup . SecurityRules with [ Access eq "Allow" and Direction eq "Inbound" and Protocol in ("*", "TCP") and Destination . PortRange with [ FromPort lte 3389 and ToPort gte 3389 ] and ( ( Source . Type eq "Any" ) or ( Source . Type eq "Service Tag" and Source . ServiceTag eq "Internet" ) or ( Source . Type eq "IP Addresses" and Source . Addresses with [ Prefix in ( "0.0.0.0/0", "::/0", "/0", "/0" ) ] ) ) ] ] |
| Ensure that SSH access is restricted from the internet |
Disable SSH access on Network Security Groups from Internet |
Network
|
VirtualMachine should not have NetworkInterfaces with [ SecurityGroup . SecurityRules with [ Access eq "Allow" and Direction eq "Inbound" and Protocol in ("*", "TCP") and Destination . PortRange with [ FromPort lte 22 and ToPort gte 22 ] and ( ( Source . Type eq "Any" ) or ( Source . Type eq "Service Tag" and Source . ServiceTag eq "Internet" ) or ( Source . Type eq "IP Addresses" and Source . Addresses with [ Prefix in ( "0.0.0.0/0", "::/0", "/0", "/0" ) ] ) ) ] ] |
| Communications and control network protection: Ensure that SQL server access is restricted from the internet |
Ensure that no SQL Databases allow ingress from the internet. |
SQL
|
SQLServer should not have FirewallRule with [ StartIP eq 0.0.0.0 and EndIP eq 0.0.0.0 ] |
| Ensure that Network Security Group Flow Log retention period is greater than 90 days |
Network Security Group Flow Logs should be enabled and retention period is set to greater than or equal to 90 days. |
Network
|
NetworkSecurityGroup should have FlowLog . RetentionPolicy . Days gt 90 and FlowLog . RetentionPolicy . Enabled |
| Baseline network operations and data flows: Ensure that Network Watcher is 'Enabled' |
Enable Network Watcher for your Azure Subscriptions |
Network
|
Subscription should have NetworkWatcherEnabled |
| Ensure that UDP Services are restricted from the Internet |
Disable Internet exposed UDP ports on network security groups |
Network
|
VirtualMachine should not have NetworkInterfaces with [ SecurityGroup . SecurityRules with [ Access eq "Allow" and Direction eq "Inbound" and Protocol in ("*", "UDP") and Destination . PortRange with [ ( FromPort lte 22 and ToPort gte 22 ) or ( FromPort lte 53 and ToPort gte 53 ) or ( FromPort lte 67 and ToPort gte 67 ) or ( FromPort lte 80 and ToPort gte 80 ) or ( FromPort lte 123 and ToPort gte 123 ) or ( FromPort lte 161 and ToPort gte 161 ) or ( FromPort lte 389 and ToPort gte 389 ) or ( FromPort lte 443 and ToPort gte 443 ) or ( FromPort lte 520 and ToPort gte 520 ) or ( FromPort lte 547 and ToPort gte 547 ) or ( FromPort lte 1433 and ToPort gte 1433 ) or ( FromPort lte 1521 and ToPort gte 1521 ) or ( FromPort lte 1900 and ToPort gte 1900 ) or ( FromPort lte 3306 and ToPort gte 3306 ) or ( FromPort lte 3389 and ToPort gte 3389 ) or ( FromPort lte 5432 and ToPort gte 5432 ) or ( FromPort lte 27019 and ToPort gte 27017 ) ] and ( ( Source . Type eq "Any" ) or ( Source . Type eq "Service Tag" and Source . ServiceTag eq "Internet" ) or ( Source . Type eq "IP Addresses" and Source . Addresses with [ Prefix in ( "0.0.0.0/0", "::/0", "/0", "/0" ) ] ) ) ] ] |
| Ensure Virtual Machines are utilizing Managed Disks |
Migrate BLOB based VHD's to Managed Disks on Virtual Machines |
Compute
|
VirtualMachine should have UnmanagedDisks len() eq 0 |
| Ensure that 'OS and Data' disks are encrypted with CMK |
Ensure that OS disks (boot volumes) and data disks (non-boot volumes) are encrypted with CMK (Customer Managed Keys). Customer Managed keys can be either ADE or Server Side Encryption (SSE) |
Compute
|
VirtualMachine should have DiskEncryptionStatus . OSDisk and DiskEncryptionStatus . DataDisk |
| Ensure that 'Unattached disks' are encrypted with CMK |
Ensure that unattached disks in a subscription are encrypted with a Customer Managed Key |
Compute
|
Disk where DiskAttachment eq "Unattached" should have Encrypted |
| Ensure that the expiry date is set on all Keys |
Ensure that all Keys in Azure Key Vault have an expiry time set. |
KeyVault
|
KeyVault should not have Keys with [ Expires eq False ] |
| Ensure that the expiry date is set on all Secrets |
Ensure that all Secrets in Azure Key Vault have an expiry time set. |
KeyVault
|
KeyVault should not have Secrets with [ Expires eq False ] |
| Ensure the key vault is recoverable |
It is recommended the key vault be made recoverable by enabling the Do Not Purge and Soft Delete functions. This is in order to prevent loss of encrypted data including storage accounts, SQL databases, and/or dependent services provided by key vault objects (Keys, Secrets, Certificates) etc., as may happen in the case of accidental deletion by a user or from disruptive activity by a malicious user. |
KeyVault
|
KeyVault should have EnableSoftDelete and EnablePurgeProtection |
| Enable role-based access control (RBAC) within Azure Kubernetes Services |
Ensure that RBAC is enabled on all Azure Kubernetes Services Instances |
Kubernetes
|
AKSCluster should have EnableRBAC |
| Ensure App Service Authentication is set on Azure App Service |
Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the API app, or authenticate those that have tokens before they reach the API app. If an anonymous request is received from a browser, App Service will redirect to a logon page. To handle the logon process, a choice from a set of identity providers can be made, or a custom authentication mechanism can be implemented. |
Function
|
FunctionApp should have AuthSettings with [ Enabled and UnauthenticatedClientAction neq "AllowAnonymous" ] |
| Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service |
Azure Web Apps allows sites to run under both HTTP and HTTPS by default. Web apps can be accessed by anyone using non-secure HTTP links by default. Non-secure HTTP requests can be restricted and all HTTP requests redirected to the secure HTTPS port. It is recommended to enforce HTTPS-only traffic. |
Function
|
FunctionApp should have HttpsOnly |
| Ensure web app is using the latest version of TLS encryption |
The TLS(Transport Layer Security) protocol secures transmission of data over the internet using standard encryption technology. Encryption should be set with the latest version of TLS. App service allows TLS 1.2 by default, which is the recommended TLS level by industry standards, such as PCI DSS. |
Function
|
FunctionApp should have Configurations with [ MinTLSVersion eq "1.2" ] |
| Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On' |
Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. |
Function
|
FunctionApp should have ClientCertEnabled |
| Ensure that Register with Azure Active Directory is enabled on App Service |
Managed service identity in App Service makes the app more secure by eliminating secrets from the app, such as credentials in the connection strings. When registering with Azure Active Directory in the app service, the app will connect to other Azure services securely without the need of username and passwords. |
Function
|
FunctionApp should have ADRegistered |
| Ensure that 'HTTP Version' is the Latest, if Used to Run the Web App |
Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. |
Function
|
FunctionApp should have Configurations with [ HTTP20Enabled ] |
| Ensure the 'Minimum TLS version' is set to 'Version 1.2' |
Azure Storage sets the minimum TLS version to be version 1.0 by default. TLS 1.0 is a legacy version and has known vulnerabilities. This minimum TLS version can be configured to be later protocols such as TLS 1.2. |
Function
|
StorageAccount should have MinimumTlsVersion eq "TLS1_2" |
| Ensure 'Infrastructure double encryption' for PostgreSQL Database Server is 'Enabled' |
Enable encryption at rest for PostgreSQL Databases. This ensures another layer of encryption is implemented at the hardware level before the storage or network level. Information will be encrypted before it is even accessed, preventing both interception of data in motion if the network layer encryption is broken and data at rest in system resources such as memory or processor cache. |
SQL
|
PostgreSQLServer should have infrastructureEncryption eq "Enabled" |
| Ensure That Auto provisioning of 'Log Analytics agent for Azure VMs' is Set to 'On' |
Enable Automatic provisioning of monitoring agent to collect security data. |
AAD
|
SecurityCenterPolicy should have AutomaticProvisioningOfMonitoringAgent eq "On" |
| Description |
Service |
Rule |
| Ensure that the expiry date is set on all Keys |
Ensure that all Keys in Azure Key Vault have an expiry time set. |
KeyVault
|
KeyVault should not have Keys with [ Expires eq False ] |
| Ensure that the expiry date is set on all Secrets |
Ensure that all Secrets in Azure Key Vault have an expiry time set. |
KeyVault
|
KeyVault should not have Secrets with [ Expires eq False ] |
| Ensure ASC Default policy setting 'Monitor Disk Encryption' is not 'Disabled' |
Enable Disk encryption recommendations for virtual machines. |
SecurityCenter
|
SecurityCenterPolicy should have VMDiskEncryption in ( "AuditIfNotExists", "Audit" ) |
| Ensure that 'Storage Encryption' is set to 'On' |
Enable Storage Encryption recommendations. |
SecurityCenter
|
SecurityCenterPolicy should have StorageEncryption in ( "AuditIfNotExists", "Audit" ) |
| Ensure ASC Default policy setting 'Monitor SQL Encryption' is not 'Disabled' |
Enable SQL Encryption recommendations. |
SecurityCenter
|
SecurityCenterPolicy should have SQLEncryption in ( "AuditIfNotExists", "Audit" ) |
| Ensure that 'Secure transfer required' is set to 'Enabled' |
Enable data encryption is transit. |
Storage
|
StorageAccount should have EnableHttpsTrafficOnly |
| Ensure that 'Storage service encryption' is set to Enabled for Blob Service |
Enable data encryption at rest for blobs. |
Storage
|
StorageAccount should have BlobEncryptionEnabled |
| Ensure that 'Storage service encryption' is set to Enabled for File Service |
Enable data encryption at rest for file service. |
Storage
|
StorageAccount should have FileEncryptionEnabled |
| Data-at-rest is protected: Ensure that 'OS disk' are encrypted |
Ensure that OS disks (boot volumes) are encrypted, where possible |
Compute
|
VirtualMachine should have DiskEncryptionStatus . OSDisk |
| Ensure that 'Data disks' are encrypted |
Ensure that Data disks (non-boot volumes) are encrypted, where possible |
Compute
|
VirtualMachine should have DiskEncryptionStatus . DataDisk |
| Identities and credentials: Ensure that there are no guest users |
Do not add guest users if not needed. |
AAD
|
User should not have Type eq "Guest" |
| Identities and credentials: Ensure that no custom subscription owner roles are created |
Do not create custom roles with subscription ownership. It is recommended to use the principle of least privilege, assigning only needed privileges instead of allowing full administrative access. |
Auth
|
Role should not have ( Type eq "CustomRole" and Permissions with [ Actions has ( "*" ) ] ) |
| Identities and credentials: Ensure that Azure Active Directory Admin is configured for SQL Servers |
Use Azure Active Directory Authentication for authentication with SQL Database. |
SQL
|
SQLServer should have ADAdmin . Status |
| Ensure that a Log Profile exists |
Enable log profile for exporting activity logs. |
Monitor
|
Azure should have ActivityLogProfile len () > 0 |
| Ensure that Activity Log Retention is set 365 days or greater |
Ensure Activity Log Retention is set for 365 days or greater |
Monitor
|
ActivityLogProfile should have (RetentionEnabled and RetentionDays gte 365) or (RetentionEnabled eq False and RetentionDays eq 0) |
| Ensure that Activity Log Alert exists for Create Policy Assignment |
Create an activity log alert for the Create Policy Assignment event. |
Monitor
|
Azure should have atleast one ActivityLogAlert with [ SubscriptionScope and RegionName eq "global" and Enabled and ActionGroupId len () gt 0 and Conditions with [ Field eq "operationName" and Value like "Microsoft.Authorization/policyAssignments/write" ] ] |
| Ensure that Activity Log Alert exists for Create or Update Network Security Group |
Create an activity log alert for Create or Update Network Security Group event. |
Monitor
|
Azure should have atleast one ActivityLogAlert with [ SubscriptionScope and RegionName eq "global" and Enabled and ActionGroupId len () gt 0 and Conditions with [ Field eq "operationName" and Value like "Microsoft.Network/networkSecurityGroups/write" ] ] |
| Ensure that Activity Log Alert exists for Delete Network Security Group |
Create an activity log alert for Delete Network Security Group event. |
Monitor
|
Azure should have atleast one ActivityLogAlert with [ SubscriptionScope and RegionName eq "global" and Enabled and ActionGroupId len () gt 0 and Conditions with [ Field eq "operationName" and Value like "Microsoft.Network/networkSecurityGroups/delete" ] ] |
| Ensure that Activity Log Alert exists for Create or Update Network Security Group Rule |
Create an activity log alert for the Create or Update Network Security Group Rule event |
Monitor
|
Azure should have atleast one ActivityLogAlert with [ SubscriptionScope and RegionName eq "global" and Enabled and ActionGroupId len () gt 0 and Conditions with [ Field eq "operationName" and Value like "Microsoft.Network/networkSecurityGroups/securityRules/write" ] ] |
| Ensure that activity log alert exists for the Delete Network Security Group Rule |
Create an activity log alert for the Delete Network Security Group Rule event |
Monitor
|
Azure should have atleast one ActivityLogAlert with [ SubscriptionScope and RegionName eq "global" and Enabled and ActionGroupId len () gt 0 and Conditions with [ Field eq "operationName" and Value like "Microsoft.Network/networkSecurityGroups/securityRules/delete" ] ] |
| Ensure that Activity Log Alert exists for Create or Update Security Solution |
Create an activity log alert for the Create or Update Security Solution event. |
Monitor
|
Azure should have atleast one ActivityLogAlert with [ SubscriptionScope and RegionName eq "global" and Enabled and ActionGroupId len () gt 0 and Conditions with [ Field eq "operationName" and Value like "Microsoft.Security/securitySolutions/write" ] ] |
| Ensure that Activity Log Alert exists for Delete Security Solution |
Create an activity log alert for the Delete Security Solution event. |
Monitor
|
Azure should have atleast one ActivityLogAlert with [ SubscriptionScope and RegionName eq "global" and Enabled and ActionGroupId len () gt 0 and Conditions with [ Field eq "operationName" and Value like "Microsoft.Security/securitySolutions/delete" ] ] |
| Ensure that Activity Log Alert exists for Create or Update or Delete SQL Server Firewall Rule |
Create an activity log alert for the Create or Update or Delete SQL Server Firewall Rule event. |
Monitor
|
Azure should have atleast one ActivityLogAlert with [ SubscriptionScope and RegionName eq "global" and Enabled and ActionGroupId len () gt 0 and Conditions with [ Field eq "operationName" and Value like "Microsoft.Sql/servers/firewallRules/write" ] ] |
| Ensure that Activity Log Alert exists for Delete SQL Server Firewall Rule |
Create an Activity Log Alert for the Delete SQL Server Firewall Rule event. |
Monitor
|
Azure should have atleast one ActivityLogAlert with [ Conditions with [ Value like "microsoft.sql/servers/firewallrules/delete" ] ] |
| Ensure that Activity Log Alert exists for Update Security Policy |
Create an activity log alert for the Update Security Policy event. |
Monitor
|
Azure should have atleast one ActivityLogAlert with [ SubscriptionScope and RegionName eq "global" and Enabled and ActionGroupId len () gt 0 and Conditions with [ Field eq "operationName" and Value like "Microsoft.Security/policies/write" ] ] |
| Ensure that logging for Azure KeyVault is 'Enabled' |
Enable AuditEvent logging for Key Vault instances to ensure interactions with key vaults are logged and available. |
KeyVault
|
KeyVault should have DiagnosticSettings with [ StorageAccountId len ( ) gt 0 and Logs with [ Category len ( ) gt 0 and LogEnabled and ( RetentionPolicy . Days gte 180 or RetentionPolicy . Days eq 0 ) ] ] |
| Ensure ASC Default policy setting 'Monitor Network Security Groups' is not 'Disabled' |
Enable Network security groups recommendations for virtual machines. |
SecurityCenter
|
SecurityCenterPolicy should have VMNetworkSecurityGroups in ( "AuditIfNotExists", "Audit" ) |
| Ensure ASC Default policy setting 'Monitor Web Application Firewall' is not 'Disabled' |
Enable Web application firewall recommendations for virtual machines. |
SecurityCenter
|
SecurityCenterPolicy should have VMWebApplicationFirewall in ( "AuditIfNotExists", "Audit" ) |
| Ensure ASC Default policy setting 'Enable Next Generation Firewall(NGFW) Monitoring' is not 'Disabled' |
Enable Next generation firewall recommendations for virtual machines. |
SecurityCenter
|
SecurityCenterPolicy should have VMNextGenerationFirewall in ( "AuditIfNotExists", "Audit" ) |
| Ensure ASC Default policy setting 'Monitor JIT Network Access' is not 'Disabled' |
Enable JIT Network Access for virtual machines. |
SecurityCenter
|
SecurityCenterPolicy should have VMJITNetworkAccess in ( "AuditIfNotExists", "Audit" ) |
| Description |
Service |
Rule |
| Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL Servers |
SQL Server Audit Retention should be configured to be greater than 90 days. |
SQL
|
SQLServer should have ( AuditPolicy . RetentionDays gte 90 or AuditPolicy . RetentionDays lte 0 ) |
| Audit/log records: Ensure that 'Threat Detection' Retention is 'greater than 90 days' for SQL Servers |
SQL Server Threat Detection Retention should be configured to be greater than 90 days. |
SQL
|
SQLServer should have ( ThreatPolicy . RetentionDays gte 90 or ThreatPolicy . RetentionDays lte 0 ) |
| Ensure that the expiry date is set on all Keys |
Ensure that all Keys in Azure Key Vault have an expiry time set. |
KeyVault
|
KeyVault should not have Keys with [ Expires eq False ] |
| Ensure that the expiry date is set on all Secrets |
Ensure that all Secrets in Azure Key Vault have an expiry time set. |
KeyVault
|
KeyVault should not have Secrets with [ Expires eq False ] |
| Ensure ASC Default policy setting 'Monitor Endpoint Protection' is not 'Disabled' |
Enable Endpoint protection recommendations for virtual machines. |
SecurityCenter
|
SecurityCenterPolicy should have VMEndpointProtection in ( "AuditIfNotExists", "Audit" ) |
| Ensure ASC Default policy setting 'Monitor Disk Encryption' is not 'Disabled' |
Enable Disk encryption recommendations for virtual machines. |
SecurityCenter
|
SecurityCenterPolicy should have VMDiskEncryption in ( "AuditIfNotExists", "Audit" ) |
| Ensure that 'Storage Encryption' is set to 'On' |
Enable Storage Encryption recommendations. |
SecurityCenter
|
SecurityCenterPolicy should have StorageEncryption in ( "AuditIfNotExists", "Audit" ) |
| Ensure ASC Default policy setting 'Monitor SQL Encryption' is not 'Disabled' |
Enable SQL Encryption recommendations. |
SecurityCenter
|
SecurityCenterPolicy should have SQLEncryption in ( "AuditIfNotExists", "Audit" ) |
| Ensure that 'Secure transfer required' is set to 'Enabled' |
Enable data encryption is transit. |
Storage
|
StorageAccount should have EnableHttpsTrafficOnly |
| Ensure that 'Storage service encryption' is set to Enabled for Blob Service |
Enable data encryption at rest for blobs. |
Storage
|
StorageAccount should have BlobEncryptionEnabled |
| Ensure that 'Storage service encryption' is set to Enabled for File Service |
Enable data encryption at rest for file service. |
Storage
|
StorageAccount should have FileEncryptionEnabled |
| Data-at-rest is protected: Ensure that 'OS disk' are encrypted |
Ensure that OS disks (boot volumes) are encrypted, where possible |
Compute
|
VirtualMachine should have DiskEncryptionStatus . OSDisk |
| Ensure that 'Data disks' are encrypted |
Ensure that Data disks (non-boot volumes) are encrypted, where possible |
Compute
|
VirtualMachine should have DiskEncryptionStatus . DataDisk |
| Identities and credentials: Ensure that there are no guest users |
Do not add guest users if not needed. |
AAD
|
User should not have Type eq "Guest" |
| Identities and credentials: Ensure that no custom subscription owner roles are created |
Do not create custom roles with subscription ownership. It is recommended to use the principle of least privilege, assigning only needed privileges instead of allowing full administrative access. |
Auth
|
Role should not have ( Type eq "CustomRole" and Permissions with [ Actions has ( "*" ) ] ) |
| Identities and credentials: Ensure that Azure Active Directory Admin is configured for SQL Servers |
Use Azure Active Directory Authentication for authentication with SQL Database. |
SQL
|
SQLServer should have ADAdmin . Status |
| Ensure that a Log Profile exists |
Enable log profile for exporting activity logs. |
Monitor
|
Azure should have ActivityLogProfile len () > 0 |
| Ensure that Activity Log Retention is set 365 days or greater |
Ensure Activity Log Retention is set for 365 days or greater |
Monitor
|
ActivityLogProfile should have (RetentionEnabled and RetentionDays gte 365) or (RetentionEnabled eq False and RetentionDays eq 0) |
| Ensure that Activity Log Alert exists for Create Policy Assignment |
Create an activity log alert for the Create Policy Assignment event. |
Monitor
|
Azure should have atleast one ActivityLogAlert with [ SubscriptionScope and RegionName eq "global" and Enabled and ActionGroupId len () gt 0 and Conditions with [ Field eq "operationName" and Value like "Microsoft.Authorization/policyAssignments/write" ] ] |
| Ensure that Activity Log Alert exists for Create or Update Network Security Group |
Create an activity log alert for Create or Update Network Security Group event. |
Monitor
|
Azure should have atleast one ActivityLogAlert with [ SubscriptionScope and RegionName eq "global" and Enabled and ActionGroupId len () gt 0 and Conditions with [ Field eq "operationName" and Value like "Microsoft.Network/networkSecurityGroups/write" ] ] |
| Ensure that Activity Log Alert exists for Delete Network Security Group |
Create an activity log alert for Delete Network Security Group event. |
Monitor
|
Azure should have atleast one ActivityLogAlert with [ SubscriptionScope and RegionName eq "global" and Enabled and ActionGroupId len () gt 0 and Conditions with [ Field eq "operationName" and Value like "Microsoft.Network/networkSecurityGroups/delete" ] ] |
| Ensure that Activity Log Alert exists for Create or Update Network Security Group Rule |
Create an activity log alert for the Create or Update Network Security Group Rule event |
Monitor
|
Azure should have atleast one ActivityLogAlert with [ SubscriptionScope and RegionName eq "global" and Enabled and ActionGroupId len () gt 0 and Conditions with [ Field eq "operationName" and Value like "Microsoft.Network/networkSecurityGroups/securityRules/write" ] ] |
| Ensure that activity log alert exists for the Delete Network Security Group Rule |
Create an activity log alert for the Delete Network Security Group Rule event |
Monitor
|
Azure should have atleast one ActivityLogAlert with [ SubscriptionScope and RegionName eq "global" and Enabled and ActionGroupId len () gt 0 and Conditions with [ Field eq "operationName" and Value like "Microsoft.Network/networkSecurityGroups/securityRules/delete" ] ] |
| Ensure that Activity Log Alert exists for Create or Update Security Solution |
Create an activity log alert for the Create or Update Security Solution event. |
Monitor
|
Azure should have atleast one ActivityLogAlert with [ SubscriptionScope and RegionName eq "global" and Enabled and ActionGroupId len () gt 0 and Conditions with [ Field eq "operationName" and Value like "Microsoft.Security/securitySolutions/write" ] ] |
| Ensure that Activity Log Alert exists for Delete Security Solution |
Create an activity log alert for the Delete Security Solution event. |
Monitor
|
Azure should have atleast one ActivityLogAlert with [ SubscriptionScope and RegionName eq "global" and Enabled and ActionGroupId len () gt 0 and Conditions with [ Field eq "operationName" and Value like "Microsoft.Security/securitySolutions/delete" ] ] |
| Ensure that Activity Log Alert exists for Create or Update or Delete SQL Server Firewall Rule |
Create an activity log alert for the Create or Update or Delete SQL Server Firewall Rule event. |
Monitor
|
Azure should have atleast one ActivityLogAlert with [ SubscriptionScope and RegionName eq "global" and Enabled and ActionGroupId len () gt 0 and Conditions with [ Field eq "operationName" and Value like "Microsoft.Sql/servers/firewallRules/write" ] ] |
| Ensure that Activity Log Alert exists for Delete SQL Server Firewall Rule |
Create an Activity Log Alert for the Delete SQL Server Firewall Rule event. |
Monitor
|
Azure should have atleast one ActivityLogAlert with [ Conditions with [ Value like "microsoft.sql/servers/firewallrules/delete" ] ] |
| Ensure that Activity Log Alert exists for Update Security Policy |
Create an activity log alert for the Update Security Policy event. |
Monitor
|
Azure should have atleast one ActivityLogAlert with [ SubscriptionScope and RegionName eq "global" and Enabled and ActionGroupId len () gt 0 and Conditions with [ Field eq "operationName" and Value like "Microsoft.Security/policies/write" ] ] |
| Ensure that logging for Azure KeyVault is 'Enabled' |
Enable AuditEvent logging for Key Vault instances to ensure interactions with key vaults are logged and available. |
KeyVault
|
KeyVault should have DiagnosticSettings with [ StorageAccountId len ( ) gt 0 and Logs with [ Category len ( ) gt 0 and LogEnabled and ( RetentionPolicy . Days gte 180 or RetentionPolicy . Days eq 0 ) ] ] |
| Vulnerability management plan: Ensure that VM agent is installed |
Install VM agent on Virtual Machines |
Compute
|
VirtualMachine should have Extensions with [ ExtensionType eq "MicrosoftMonitoringAgent" and ProvisioningState eq "Succeeded" ] |
| Personnel know response roles/operations: Ensure that 'Security contact emails' is set |
Provide a security contact email address. |
SecurityCenter
|
SecurityCenterPolicy should have SecurityContactEmails len() > 0 |
| Personnel know response roles/operations: Ensure that security contact 'Phone number' is set |
Provide a security contact phone number. |
SecurityCenter
|
SecurityCenterPolicy should have SecurityContactPhoneNumber neq "" |
| Personnel know response roles/operations: Ensure that 'Send me emails about alerts' is set to 'On' |
Enable security alerts emailing to security contact. |
SecurityCenter
|
SecurityCenterPolicy should have SendEmailAboutAlerts |
| Personnel know response roles/operations: Ensure that 'Also send email to subscription owners' is set to 'On' |
Enable security alerts emailing to subscription owners. |
SecurityCenter
|
SecurityCenterPolicy should have SendEmailToSubscriptionOwners |
| Personnel know response roles/operations: Ensure that 'Send Alerts to' is set for SQL Servers |
Provide the email address to which alerts will be sent upon detection of anomalous activities on SQL Servers. |
SQL
|
SQLServer should have ThreatPolicy . EmailAddresses |
| Personnel know response roles/operations: Ensure that 'Email service and co-administrators' is 'Enabled' for SQL Servers |
Enable service and co-administrators to receive security alerts from SQL Server. |
SQL
|
SQLServer should have ThreatPolicy . EmailAccountAdmins eq "Enabled" |
| Ensure that 'Send Alerts to' is set for SQL Databases |
Provide the email address to which alerts will be sent upon detection of anomalous activities on SQL Databases. |
SQL
|
SQLDatabase should have ThreatPolicy . EmailAddresses len() gt 0 |
| Ensure that 'Email service and co-administrators' is 'Enabled' for SQL Databases |
Enable service and co-administrators to receive security alerts from SQL Databases. |
SQL
|
SQLDatabase should have ThreatPolicy . EmailAccountAdmins eq "Enabled" |
| Monitor network to detect potential cybersecurity events: Ensure that standard pricing tier is selected in Azure Security Center |
Standard pricing tier enables threat detection for networks and virtual machines, providing threat intelligence, anomaly detection, and behavior analytics in Azure Security Center. |
SecurityCenter
|
SecurityCenterPolicy should have SelectedPricingTier eq "Standard" |
| Ensure That Auto provisioning of 'Log Analytics agent for Azure VMs' is Set to 'On' |
Enable Automatic provisioning of monitoring agent to collect security data. |
AAD
|
SecurityCenterPolicy should have AutomaticProvisioningOfMonitoringAgent eq "On" |
| Ensure ASC Default policy setting 'Monitor System Updates' is not 'Disabled' |
Enable system updates recommendations for virtual machines. |
SecurityCenter
|
SecurityCenterPolicy should have VMSystemUpdates in ( "AuditIfNotExists", "Audit" ) |
| Ensure ASC Default policy setting 'Monitor OS Vulnerabilities' is not 'Disabled' |
Enable OS vulnerabilities recommendations for virtual machines. |
SecurityCenter
|
SecurityCenterPolicy should have VMSecurityConfigurations in ( "AuditIfNotExists", "Audit" ) |
| Ensure ASC Default policy setting 'Monitor SQL Auditing' is not 'Disabled' |
Enable SQL auditing & Threat detection recommendations. |
SecurityCenter
|
SecurityCenterPolicy should have SQLAuditingAndThreatDetection in ( "AuditIfNotExists", "Audit" ) |
| Ensure that 'Auditing' is set to 'On' for SQL Servers |
Enable auditing on SQL Servers. |
SQL
|
SQLServer should have AuditPolicy . State eq "Enabled" |
| Monitor network to detect potential cybersecurity events: Ensure that 'Threat Detection' is set to 'On' for SQL Servers |
Enable threat detection on SQL Servers. |
SQL
|
SQLServer should have ThreatPolicy . State eq "Enabled" |
| Monitor network to detect potential cybersecurity events: Ensure that 'Threat Detection Types' is set to 'All' for SQL Servers |
Enable all types of threat detection on SQL Servers. |
SQL
|
SQLServer should have ThreatPolicy . State eq "Enabled" and not ( ThreatPolicy . DisabledAlerts like "Sql" or ThreatPolicy . DisabledAlerts like "Anomaly" ) |
| Ensure that 'Auditing' is set to 'On' for SQL Databases |
Enable auditing on SQL Databases. |
SQL
|
SQLDatabase should have AuditPolicy . State eq "Enabled" |
| Ensure that 'Threat Detection' is set to 'On' for SQL Databases |
Enable threat detection on SQL Databases. |
SQL
|
SQLDatabase should have ThreatPolicy . State eq "Enabled" |
| Ensure that 'Threat Detection Types' is set to 'All' for SQL Databases |
Enable all types of threat detection on SQL Databases. |
SQL
|
SQLDatabase should have ThreatPolicy . State eq "Enabled" and not ( ThreatPolicy . DisabledAlerts like "Sql" or ThreatPolicy . DisabledAlerts like "Anomaly" ) |
| Ensure that the endpoint protection for all Virtual Machines is installed |
Install Endpoint Protection for all Virtual Machines. |
Compute
|
VirtualMachine should have Extensions with [ ExtensionType in ( "EndpointSecurity", "TrendMicroDSA*", "Antimalware" , "EndpointProtection" , "SCWPAgent", "PortalProtectExtension*" , "FileSecurity*" ) ] |
| Description |
Service |
Rule |
| Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL Servers |
SQL Server Audit Retention should be configured to be greater than 90 days. |
SQL
|
SQLServer should have ( AuditPolicy . RetentionDays gte 90 or AuditPolicy . RetentionDays lte 0 ) |
| Audit/log records: Ensure that 'Threat Detection' Retention is 'greater than 90 days' for SQL Servers |
SQL Server Threat Detection Retention should be configured to be greater than 90 days. |
SQL
|
SQLServer should have ( ThreatPolicy . RetentionDays gte 90 or ThreatPolicy . RetentionDays lte 0 ) |
| Ensure that the expiry date is set on all Keys |
Ensure that all Keys in Azure Key Vault have an expiry time set. |
KeyVault
|
KeyVault should not have Keys with [ Expires eq False ] |
| Ensure that the expiry date is set on all Secrets |
Ensure that all Secrets in Azure Key Vault have an expiry time set. |
KeyVault
|
KeyVault should not have Secrets with [ Expires eq False ] |
| Ensure ASC Default policy setting 'Monitor Endpoint Protection' is not 'Disabled' |
Enable Endpoint protection recommendations for virtual machines. |
SecurityCenter
|
SecurityCenterPolicy should have VMEndpointProtection in ( "AuditIfNotExists", "Audit" ) |
| Ensure ASC Default policy setting 'Monitor Disk Encryption' is not 'Disabled' |
Enable Disk encryption recommendations for virtual machines. |
SecurityCenter
|
SecurityCenterPolicy should have VMDiskEncryption in ( "AuditIfNotExists", "Audit" ) |
| Ensure that 'Storage Encryption' is set to 'On' |
Enable Storage Encryption recommendations. |
SecurityCenter
|
SecurityCenterPolicy should have StorageEncryption in ( "AuditIfNotExists", "Audit" ) |
| Ensure ASC Default policy setting 'Monitor SQL Encryption' is not 'Disabled' |
Enable SQL Encryption recommendations. |
SecurityCenter
|
SecurityCenterPolicy should have SQLEncryption in ( "AuditIfNotExists", "Audit" ) |
| Ensure that 'Secure transfer required' is set to 'Enabled' |
Enable data encryption is transit. |
Storage
|
StorageAccount should have EnableHttpsTrafficOnly |
| Ensure that 'Storage service encryption' is set to Enabled for Blob Service |
Enable data encryption at rest for blobs. |
Storage
|
StorageAccount should have BlobEncryptionEnabled |
| Ensure that 'Storage service encryption' is set to Enabled for File Service |
Enable data encryption at rest for file service. |
Storage
|
StorageAccount should have FileEncryptionEnabled |
| Data-at-rest is protected: Ensure that 'OS disk' are encrypted |
Ensure that OS disks (boot volumes) are encrypted, where possible |
Compute
|
VirtualMachine should have DiskEncryptionStatus . OSDisk |
| Ensure that 'Data disks' are encrypted |
Ensure that Data disks (non-boot volumes) are encrypted, where possible |
Compute
|
VirtualMachine should have DiskEncryptionStatus . DataDisk |
| Identities and credentials: Ensure that there are no guest users |
Do not add guest users if not needed. |
AAD
|
User should not have Type eq "Guest" |
| Identities and credentials: Ensure that no custom subscription owner roles are created |
Do not create custom roles with subscription ownership. It is recommended to use the principle of least privilege, assigning only needed privileges instead of allowing full administrative access. |
Auth
|
Role should not have ( Type eq "CustomRole" and Permissions with [ Actions has ( "*" ) ] ) |
| Identities and credentials: Ensure that Azure Active Directory Admin is configured for SQL Servers |
Use Azure Active Directory Authentication for authentication with SQL Database. |
SQL
|
SQLServer should have ADAdmin . Status |
| Ensure that a Log Profile exists |
Enable log profile for exporting activity logs. |
Monitor
|
Azure should have ActivityLogProfile len () > 0 |
| Ensure that Activity Log Retention is set 365 days or greater |
Ensure Activity Log Retention is set for 365 days or greater |
Monitor
|
ActivityLogProfile should have (RetentionEnabled and RetentionDays gte 365) or (RetentionEnabled eq False and RetentionDays eq 0) |
| Ensure that Activity Log Alert exists for Create Policy Assignment |
Create an activity log alert for the Create Policy Assignment event. |
Monitor
|
Azure should have atleast one ActivityLogAlert with [ SubscriptionScope and RegionName eq "global" and Enabled and ActionGroupId len () gt 0 and Conditions with [ Field eq "operationName" and Value like "Microsoft.Authorization/policyAssignments/write" ] ] |
| Ensure that Activity Log Alert exists for Create or Update Network Security Group |
Create an activity log alert for Create or Update Network Security Group event. |
Monitor
|
Azure should have atleast one ActivityLogAlert with [ SubscriptionScope and RegionName eq "global" and Enabled and ActionGroupId len () gt 0 and Conditions with [ Field eq "operationName" and Value like "Microsoft.Network/networkSecurityGroups/write" ] ] |
| Ensure that Activity Log Alert exists for Delete Network Security Group |
Create an activity log alert for Delete Network Security Group event. |
Monitor
|
Azure should have atleast one ActivityLogAlert with [ SubscriptionScope and RegionName eq "global" and Enabled and ActionGroupId len () gt 0 and Conditions with [ Field eq "operationName" and Value like "Microsoft.Network/networkSecurityGroups/delete" ] ] |
| Ensure that Activity Log Alert exists for Create or Update Network Security Group Rule |
Create an activity log alert for the Create or Update Network Security Group Rule event |
Monitor
|
Azure should have atleast one ActivityLogAlert with [ SubscriptionScope and RegionName eq "global" and Enabled and ActionGroupId len () gt 0 and Conditions with [ Field eq "operationName" and Value like "Microsoft.Network/networkSecurityGroups/securityRules/write" ] ] |
| Ensure that activity log alert exists for the Delete Network Security Group Rule |
Create an activity log alert for the Delete Network Security Group Rule event |
Monitor
|
Azure should have atleast one ActivityLogAlert with [ SubscriptionScope and RegionName eq "global" and Enabled and ActionGroupId len () gt 0 and Conditions with [ Field eq "operationName" and Value like "Microsoft.Network/networkSecurityGroups/securityRules/delete" ] ] |
| Ensure that Activity Log Alert exists for Create or Update Security Solution |
Create an activity log alert for the Create or Update Security Solution event. |
Monitor
|
Azure should have atleast one ActivityLogAlert with [ SubscriptionScope and RegionName eq "global" and Enabled and ActionGroupId len () gt 0 and Conditions with [ Field eq "operationName" and Value like "Microsoft.Security/securitySolutions/write" ] ] |
| Ensure that Activity Log Alert exists for Delete Security Solution |
Create an activity log alert for the Delete Security Solution event. |
Monitor
|
Azure should have atleast one ActivityLogAlert with [ SubscriptionScope and RegionName eq "global" and Enabled and ActionGroupId len () gt 0 and Conditions with [ Field eq "operationName" and Value like "Microsoft.Security/securitySolutions/delete" ] ] |
| Ensure that Activity Log Alert exists for Create or Update or Delete SQL Server Firewall Rule |
Create an activity log alert for the Create or Update or Delete SQL Server Firewall Rule event. |
Monitor
|
Azure should have atleast one ActivityLogAlert with [ SubscriptionScope and RegionName eq "global" and Enabled and ActionGroupId len () gt 0 and Conditions with [ Field eq "operationName" and Value like "Microsoft.Sql/servers/firewallRules/write" ] ] |
| Ensure that Activity Log Alert exists for Delete SQL Server Firewall Rule |
Create an Activity Log Alert for the Delete SQL Server Firewall Rule event. |
Monitor
|
Azure should have atleast one ActivityLogAlert with [ Conditions with [ Value like "microsoft.sql/servers/firewallrules/delete" ] ] |
| Ensure that Activity Log Alert exists for Update Security Policy |
Create an activity log alert for the Update Security Policy event. |
Monitor
|
Azure should have atleast one ActivityLogAlert with [ SubscriptionScope and RegionName eq "global" and Enabled and ActionGroupId len () gt 0 and Conditions with [ Field eq "operationName" and Value like "Microsoft.Security/policies/write" ] ] |
| Ensure that logging for Azure KeyVault is 'Enabled' |
Enable AuditEvent logging for Key Vault instances to ensure interactions with key vaults are logged and available. |
KeyVault
|
KeyVault should have DiagnosticSettings with [ StorageAccountId len ( ) gt 0 and Logs with [ Category len ( ) gt 0 and LogEnabled and ( RetentionPolicy . Days gte 180 or RetentionPolicy . Days eq 0 ) ] ] |
| Ensure ASC Default policy setting 'Monitor Vulnerability Assessment' is not 'Disabled' |
Enable Vulnerability assessment recommendations for virtual machines. |
SecurityCenter
|
SecurityCenterPolicy should have VMVulnerabilityAssessment in ( "AuditIfNotExists", "Audit" ) |
| Vulnerability management plan: Ensure that VM agent is installed |
Install VM agent on Virtual Machines |
Compute
|
VirtualMachine should have Extensions with [ ExtensionType eq "MicrosoftMonitoringAgent" and ProvisioningState eq "Succeeded" ] |
| Ensure ASC Default policy setting 'Monitor Network Security Groups' is not 'Disabled' |
Enable Network security groups recommendations for virtual machines. |
SecurityCenter
|
SecurityCenterPolicy should have VMNetworkSecurityGroups in ( "AuditIfNotExists", "Audit" ) |
| Ensure ASC Default policy setting 'Monitor Web Application Firewall' is not 'Disabled' |
Enable Web application firewall recommendations for virtual machines. |
SecurityCenter
|
SecurityCenterPolicy should have VMWebApplicationFirewall in ( "AuditIfNotExists", "Audit" ) |
| Ensure ASC Default policy setting 'Enable Next Generation Firewall(NGFW) Monitoring' is not 'Disabled' |
Enable Next generation firewall recommendations for virtual machines. |
SecurityCenter
|
SecurityCenterPolicy should have VMNextGenerationFirewall in ( "AuditIfNotExists", "Audit" ) |
| Ensure ASC Default policy setting 'Monitor JIT Network Access' is not 'Disabled' |
Enable JIT Network Access for virtual machines. |
SecurityCenter
|
SecurityCenterPolicy should have VMJITNetworkAccess in ( "AuditIfNotExists", "Audit" ) |
| Ensure ASC Default policy setting 'Monitor Adaptive Application Whitelisting' is not 'Disabled' |
Enable adaptive application controls. |
SecurityCenter
|
SecurityCenterPolicy should have AdaptiveApplicationControls in ( "AuditIfNotExists", "Audit" ) |
| Ensure that RDP access is restricted from the internet |
Check Network Security Groups for any inbound access from the Internet to RDP port 3389 (UDP or TCP). |
Network
|
VirtualMachine should not have NetworkInterfaces with [ SecurityGroup . SecurityRules with [ Access eq "Allow" and Direction eq "Inbound" and Protocol in ("*", "TCP") and Destination . PortRange with [ FromPort lte 3389 and ToPort gte 3389 ] and ( ( Source . Type eq "Any" ) or ( Source . Type eq "Service Tag" and Source . ServiceTag eq "Internet" ) or ( Source . Type eq "IP Addresses" and Source . Addresses with [ Prefix in ( "0.0.0.0/0", "::/0", "/0", "/0" ) ] ) ) ] ] |
| Ensure that SSH access is restricted from the internet |
Disable SSH access on Network Security Groups from Internet |
Network
|
VirtualMachine should not have NetworkInterfaces with [ SecurityGroup . SecurityRules with [ Access eq "Allow" and Direction eq "Inbound" and Protocol in ("*", "TCP") and Destination . PortRange with [ FromPort lte 22 and ToPort gte 22 ] and ( ( Source . Type eq "Any" ) or ( Source . Type eq "Service Tag" and Source . ServiceTag eq "Internet" ) or ( Source . Type eq "IP Addresses" and Source . Addresses with [ Prefix in ( "0.0.0.0/0", "::/0", "/0", "/0" ) ] ) ) ] ] |
| Communications and control network protection: Ensure that SQL server access is restricted from the internet |
Ensure that no SQL Databases allow ingress from the internet. |
SQL
|
SQLServer should not have FirewallRule with [ StartIP eq 0.0.0.0 and EndIP eq 0.0.0.0 ] |
| Baseline network operations and data flows: Ensure that Network Watcher is 'Enabled' |
Enable Network Watcher for your Azure Subscriptions |
Network
|
Subscription should have NetworkWatcherEnabled |
| Data-at-rest is protected: Ensure that 'Public access level' is set to Private for blob containers |
Disable anonymous access to blob containers. |
Storage
|
StorageAccount should have every BlobContainers with [ Access eq "None" ] or not AllowBlobPublic |
| Personnel know response roles/operations: Ensure that 'Security contact emails' is set |
Provide a security contact email address. |
SecurityCenter
|
SecurityCenterPolicy should have SecurityContactEmails len() > 0 |
| Personnel know response roles/operations: Ensure that security contact 'Phone number' is set |
Provide a security contact phone number. |
SecurityCenter
|
SecurityCenterPolicy should have SecurityContactPhoneNumber neq "" |
| Personnel know response roles/operations: Ensure that 'Send me emails about alerts' is set to 'On' |
Enable security alerts emailing to security contact. |
SecurityCenter
|
SecurityCenterPolicy should have SendEmailAboutAlerts |
| Personnel know response roles/operations: Ensure that 'Also send email to subscription owners' is set to 'On' |
Enable security alerts emailing to subscription owners. |
SecurityCenter
|
SecurityCenterPolicy should have SendEmailToSubscriptionOwners |
| Personnel know response roles/operations: Ensure that 'Send Alerts to' is set for SQL Servers |
Provide the email address to which alerts will be sent upon detection of anomalous activities on SQL Servers. |
SQL
|
SQLServer should have ThreatPolicy . EmailAddresses |
| Personnel know response roles/operations: Ensure that 'Email service and co-administrators' is 'Enabled' for SQL Servers |
Enable service and co-administrators to receive security alerts from SQL Server. |
SQL
|
SQLServer should have ThreatPolicy . EmailAccountAdmins eq "Enabled" |
| Ensure that 'Send Alerts to' is set for SQL Databases |
Provide the email address to which alerts will be sent upon detection of anomalous activities on SQL Databases. |
SQL
|
SQLDatabase should have ThreatPolicy . EmailAddresses len() gt 0 |
| Ensure that 'Email service and co-administrators' is 'Enabled' for SQL Databases |
Enable service and co-administrators to receive security alerts from SQL Databases. |
SQL
|
SQLDatabase should have ThreatPolicy . EmailAccountAdmins eq "Enabled" |
| Ensure that the endpoint protection for all Virtual Machines is installed |
Install Endpoint Protection for all Virtual Machines. |
Compute
|
VirtualMachine should have Extensions with [ ExtensionType in ( "EndpointSecurity", "TrendMicroDSA*", "Antimalware" , "EndpointProtection" , "SCWPAgent", "PortalProtectExtension*" , "FileSecurity*" ) ] |
| Monitor network to detect potential cybersecurity events: Ensure that standard pricing tier is selected in Azure Security Center |
Standard pricing tier enables threat detection for networks and virtual machines, providing threat intelligence, anomaly detection, and behavior analytics in Azure Security Center. |
SecurityCenter
|
SecurityCenterPolicy should have SelectedPricingTier eq "Standard" |
| Ensure That Auto provisioning of 'Log Analytics agent for Azure VMs' is Set to 'On' |
Enable Automatic provisioning of monitoring agent to collect security data. |
AAD
|
SecurityCenterPolicy should have AutomaticProvisioningOfMonitoringAgent eq "On" |
| Ensure ASC Default policy setting 'Monitor System Updates' is not 'Disabled' |
Enable system updates recommendations for virtual machines. |
SecurityCenter
|
SecurityCenterPolicy should have VMSystemUpdates in ( "AuditIfNotExists", "Audit" ) |
| Ensure ASC Default policy setting 'Monitor OS Vulnerabilities' is not 'Disabled' |
Enable OS vulnerabilities recommendations for virtual machines. |
SecurityCenter
|
SecurityCenterPolicy should have VMSecurityConfigurations in ( "AuditIfNotExists", "Audit" ) |
| Ensure ASC Default policy setting 'Monitor SQL Auditing' is not 'Disabled' |
Enable SQL auditing & Threat detection recommendations. |
SecurityCenter
|
SecurityCenterPolicy should have SQLAuditingAndThreatDetection in ( "AuditIfNotExists", "Audit" ) |
| Ensure that 'Auditing' is set to 'On' for SQL Servers |
Enable auditing on SQL Servers. |
SQL
|
SQLServer should have AuditPolicy . State eq "Enabled" |
| Monitor network to detect potential cybersecurity events: Ensure that 'Threat Detection' is set to 'On' for SQL Servers |
Enable threat detection on SQL Servers. |
SQL
|
SQLServer should have ThreatPolicy . State eq "Enabled" |
| Monitor network to detect potential cybersecurity events: Ensure that 'Threat Detection Types' is set to 'All' for SQL Servers |
Enable all types of threat detection on SQL Servers. |
SQL
|
SQLServer should have ThreatPolicy . State eq "Enabled" and not ( ThreatPolicy . DisabledAlerts like "Sql" or ThreatPolicy . DisabledAlerts like "Anomaly" ) |
| Ensure that 'Auditing' is set to 'On' for SQL Databases |
Enable auditing on SQL Databases. |
SQL
|
SQLDatabase should have AuditPolicy . State eq "Enabled" |
| Ensure that 'Threat Detection' is set to 'On' for SQL Databases |
Enable threat detection on SQL Databases. |
SQL
|
SQLDatabase should have ThreatPolicy . State eq "Enabled" |
| Ensure that 'Threat Detection Types' is set to 'All' for SQL Databases |
Enable all types of threat detection on SQL Databases. |
SQL
|
SQLDatabase should have ThreatPolicy . State eq "Enabled" and not ( ThreatPolicy . DisabledAlerts like "Sql" or ThreatPolicy . DisabledAlerts like "Anomaly" ) |
| Description |
Service |
Rule |
| Identities and credentials: Ensure that no custom subscription owner roles are created |
Do not create custom roles with subscription ownership. It is recommended to use the principle of least privilege, assigning only needed privileges instead of allowing full administrative access. |
Auth
|
Role should not have ( Type eq "CustomRole" and Permissions with [ Actions has ( "*" ) ] ) |
| Identities and credentials: Ensure that there are no guest users |
Do not add guest users if not needed. |
AAD
|
User should not have Type eq "Guest" |
| Identities and credentials: Ensure that Azure Active Directory Admin is configured for SQL Servers |
Use Azure Active Directory Authentication for authentication with SQL Database. |
SQL
|
SQLServer should have ADAdmin . Status |
| Ensure that the expiry date is set on all Keys |
Ensure that all Keys in Azure Key Vault have an expiry time set. |
KeyVault
|
KeyVault should not have Keys with [ Expires eq False ] |
| Ensure that the expiry date is set on all Secrets |
Ensure that all Secrets in Azure Key Vault have an expiry time set. |
KeyVault
|
KeyVault should not have Secrets with [ Expires eq False ] |
| Ensure that Activity Log Alert exists for Create or Update Network Security Group |
Create an activity log alert for Create or Update Network Security Group event. |
Monitor
|
Azure should have atleast one ActivityLogAlert with [ SubscriptionScope and RegionName eq "global" and Enabled and ActionGroupId len () gt 0 and Conditions with [ Field eq "operationName" and Value like "Microsoft.Network/networkSecurityGroups/write" ] ] |
| Ensure that Activity Log Alert exists for Delete Network Security Group |
Create an activity log alert for Delete Network Security Group event. |
Monitor
|
Azure should have atleast one ActivityLogAlert with [ SubscriptionScope and RegionName eq "global" and Enabled and ActionGroupId len () gt 0 and Conditions with [ Field eq "operationName" and Value like "Microsoft.Network/networkSecurityGroups/delete" ] ] |
| Ensure that Activity Log Alert exists for Create or Update Network Security Group Rule |
Create an activity log alert for the Create or Update Network Security Group Rule event |
Monitor
|
Azure should have atleast one ActivityLogAlert with [ SubscriptionScope and RegionName eq "global" and Enabled and ActionGroupId len () gt 0 and Conditions with [ Field eq "operationName" and Value like "Microsoft.Network/networkSecurityGroups/securityRules/write" ] ] |
| Ensure that activity log alert exists for the Delete Network Security Group Rule |
Create an activity log alert for the Delete Network Security Group Rule event |
Monitor
|
Azure should have atleast one ActivityLogAlert with [ SubscriptionScope and RegionName eq "global" and Enabled and ActionGroupId len () gt 0 and Conditions with [ Field eq "operationName" and Value like "Microsoft.Network/networkSecurityGroups/securityRules/delete" ] ] |
| Ensure that Activity Log Alert exists for Create or Update or Delete SQL Server Firewall Rule |
Create an activity log alert for the Create or Update or Delete SQL Server Firewall Rule event. |
Monitor
|
Azure should have atleast one ActivityLogAlert with [ SubscriptionScope and RegionName eq "global" and Enabled and ActionGroupId len () gt 0 and Conditions with [ Field eq "operationName" and Value like "Microsoft.Sql/servers/firewallRules/write" ] ] |
| Ensure that Activity Log Alert exists for Delete SQL Server Firewall Rule |
Create an Activity Log Alert for the Delete SQL Server Firewall Rule event. |
Monitor
|
Azure should have atleast one ActivityLogAlert with [ Conditions with [ Value like "microsoft.sql/servers/firewallrules/delete" ] ] |
| Ensure ASC Default policy setting 'Monitor Disk Encryption' is not 'Disabled' |
Enable Disk encryption recommendations for virtual machines. |
SecurityCenter
|
SecurityCenterPolicy should have VMDiskEncryption in ( "AuditIfNotExists", "Audit" ) |
| Ensure that 'Storage Encryption' is set to 'On' |
Enable Storage Encryption recommendations. |
SecurityCenter
|
SecurityCenterPolicy should have StorageEncryption in ( "AuditIfNotExists", "Audit" ) |
| Ensure ASC Default policy setting 'Monitor SQL Encryption' is not 'Disabled' |
Enable SQL Encryption recommendations. |
SecurityCenter
|
SecurityCenterPolicy should have SQLEncryption in ( "AuditIfNotExists", "Audit" ) |
| Ensure that 'Storage service encryption' is set to Enabled for Blob Service |
Enable data encryption at rest for blobs. |
Storage
|
StorageAccount should have BlobEncryptionEnabled |
| Ensure that 'Storage service encryption' is set to Enabled for File Service |
Enable data encryption at rest for file service. |
Storage
|
StorageAccount should have FileEncryptionEnabled |
| Data-at-rest is protected: Ensure that 'Public access level' is set to Private for blob containers |
Disable anonymous access to blob containers. |
Storage
|
StorageAccount should have every BlobContainers with [ Access eq "None" ] or not AllowBlobPublic |
| Data-at-rest is protected: Ensure that 'OS disk' are encrypted |
Ensure that OS disks (boot volumes) are encrypted, where possible |
Compute
|
VirtualMachine should have DiskEncryptionStatus . OSDisk |
| Ensure that 'Data disks' are encrypted |
Ensure that Data disks (non-boot volumes) are encrypted, where possible |
Compute
|
VirtualMachine should have DiskEncryptionStatus . DataDisk |
| Ensure that 'Secure transfer required' is set to 'Enabled' |
Enable data encryption is transit. |
Storage
|
StorageAccount should have EnableHttpsTrafficOnly |
| Ensure ASC Default policy setting 'Monitor System Updates' is not 'Disabled' |
Enable system updates recommendations for virtual machines. |
SecurityCenter
|
SecurityCenterPolicy should have VMSystemUpdates in ( "AuditIfNotExists", "Audit" ) |
| Ensure ASC Default policy setting 'Monitor OS Vulnerabilities' is not 'Disabled' |
Enable OS vulnerabilities recommendations for virtual machines. |
SecurityCenter
|
SecurityCenterPolicy should have VMSecurityConfigurations in ( "AuditIfNotExists", "Audit" ) |
| Ensure ASC Default policy setting 'Monitor Vulnerability Assessment' is not 'Disabled' |
Enable Vulnerability assessment recommendations for virtual machines. |
SecurityCenter
|
SecurityCenterPolicy should have VMVulnerabilityAssessment in ( "AuditIfNotExists", "Audit" ) |
| Vulnerability management plan: Ensure that VM agent is installed |
Install VM agent on Virtual Machines |
Compute
|
VirtualMachine should have Extensions with [ ExtensionType eq "MicrosoftMonitoringAgent" and ProvisioningState eq "Succeeded" ] |
| Ensure that 'Auditing' is set to 'On' for SQL Servers |
Enable auditing on SQL Servers. |
SQL
|
SQLServer should have AuditPolicy . State eq "Enabled" |
| Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL Servers |
SQL Server Audit Retention should be configured to be greater than 90 days. |
SQL
|
SQLServer should have ( AuditPolicy . RetentionDays gte 90 or AuditPolicy . RetentionDays lte 0 ) |
| Audit/log records: Ensure that 'Threat Detection' Retention is 'greater than 90 days' for SQL Servers |
SQL Server Threat Detection Retention should be configured to be greater than 90 days. |
SQL
|
SQLServer should have ( ThreatPolicy . RetentionDays gte 90 or ThreatPolicy . RetentionDays lte 0 ) |
| Ensure that a Log Profile exists |
Enable log profile for exporting activity logs. |
Monitor
|
Azure should have ActivityLogProfile len () > 0 |
| Ensure that Activity Log Retention is set 365 days or greater |
Ensure Activity Log Retention is set for 365 days or greater |
Monitor
|
ActivityLogProfile should have (RetentionEnabled and RetentionDays gte 365) or (RetentionEnabled eq False and RetentionDays eq 0) |
| Ensure that Activity Log Alert exists for Create Policy Assignment |
Create an activity log alert for the Create Policy Assignment event. |
Monitor
|
Azure should have atleast one ActivityLogAlert with [ SubscriptionScope and RegionName eq "global" and Enabled and ActionGroupId len () gt 0 and Conditions with [ Field eq "operationName" and Value like "Microsoft.Authorization/policyAssignments/write" ] ] |
| Ensure that Activity Log Alert exists for Create or Update Security Solution |
Create an activity log alert for the Create or Update Security Solution event. |
Monitor
|
Azure should have atleast one ActivityLogAlert with [ SubscriptionScope and RegionName eq "global" and Enabled and ActionGroupId len () gt 0 and Conditions with [ Field eq "operationName" and Value like "Microsoft.Security/securitySolutions/write" ] ] |
| Ensure that Activity Log Alert exists for Delete Security Solution |
Create an activity log alert for the Delete Security Solution event. |
Monitor
|
Azure should have atleast one ActivityLogAlert with [ SubscriptionScope and RegionName eq "global" and Enabled and ActionGroupId len () gt 0 and Conditions with [ Field eq "operationName" and Value like "Microsoft.Security/securitySolutions/delete" ] ] |
| Ensure that Activity Log Alert exists for Update Security Policy |
Create an activity log alert for the Update Security Policy event. |
Monitor
|
Azure should have atleast one ActivityLogAlert with [ SubscriptionScope and RegionName eq "global" and Enabled and ActionGroupId len () gt 0 and Conditions with [ Field eq "operationName" and Value like "Microsoft.Security/policies/write" ] ] |
| Ensure that logging for Azure KeyVault is 'Enabled' |
Enable AuditEvent logging for Key Vault instances to ensure interactions with key vaults are logged and available. |
KeyVault
|
KeyVault should have DiagnosticSettings with [ StorageAccountId len ( ) gt 0 and Logs with [ Category len ( ) gt 0 and LogEnabled and ( RetentionPolicy . Days gte 180 or RetentionPolicy . Days eq 0 ) ] ] |
| Ensure ASC Default policy setting 'Monitor Network Security Groups' is not 'Disabled' |
Enable Network security groups recommendations for virtual machines. |
SecurityCenter
|
SecurityCenterPolicy should have VMNetworkSecurityGroups in ( "AuditIfNotExists", "Audit" ) |
| Ensure ASC Default policy setting 'Monitor Web Application Firewall' is not 'Disabled' |
Enable Web application firewall recommendations for virtual machines. |
SecurityCenter
|
SecurityCenterPolicy should have VMWebApplicationFirewall in ( "AuditIfNotExists", "Audit" ) |
| Ensure ASC Default policy setting 'Enable Next Generation Firewall(NGFW) Monitoring' is not 'Disabled' |
Enable Next generation firewall recommendations for virtual machines. |
SecurityCenter
|
SecurityCenterPolicy should have VMNextGenerationFirewall in ( "AuditIfNotExists", "Audit" ) |
| Ensure ASC Default policy setting 'Monitor JIT Network Access' is not 'Disabled' |
Enable JIT Network Access for virtual machines. |
SecurityCenter
|
SecurityCenterPolicy should have VMJITNetworkAccess in ( "AuditIfNotExists", "Audit" ) |
| Ensure that RDP access is restricted from the internet |
Check Network Security Groups for any inbound access from the Internet to RDP port 3389 (UDP or TCP). |
Network
|
VirtualMachine should not have NetworkInterfaces with [ SecurityGroup . SecurityRules with [ Access eq "Allow" and Direction eq "Inbound" and Protocol in ("*", "TCP") and Destination . PortRange with [ FromPort lte 3389 and ToPort gte 3389 ] and ( ( Source . Type eq "Any" ) or ( Source . Type eq "Service Tag" and Source . ServiceTag eq "Internet" ) or ( Source . Type eq "IP Addresses" and Source . Addresses with [ Prefix in ( "0.0.0.0/0", "::/0", "/0", "/0" ) ] ) ) ] ] |
| Ensure that SSH access is restricted from the internet |
Disable SSH access on Network Security Groups from Internet |
Network
|
VirtualMachine should not have NetworkInterfaces with [ SecurityGroup . SecurityRules with [ Access eq "Allow" and Direction eq "Inbound" and Protocol in ("*", "TCP") and Destination . PortRange with [ FromPort lte 22 and ToPort gte 22 ] and ( ( Source . Type eq "Any" ) or ( Source . Type eq "Service Tag" and Source . ServiceTag eq "Internet" ) or ( Source . Type eq "IP Addresses" and Source . Addresses with [ Prefix in ( "0.0.0.0/0", "::/0", "/0", "/0" ) ] ) ) ] ] |
| Communications and control network protection: Ensure that SQL server access is restricted from the internet |
Ensure that no SQL Databases allow ingress from the internet. |
SQL
|
SQLServer should not have FirewallRule with [ StartIP eq 0.0.0.0 and EndIP eq 0.0.0.0 ] |
| Baseline network operations and data flows: Ensure that Network Watcher is 'Enabled' |
Enable Network Watcher for your Azure Subscriptions |
Network
|
Subscription should have NetworkWatcherEnabled |
| Monitor network to detect potential cybersecurity events: Ensure that standard pricing tier is selected in Azure Security Center |
Standard pricing tier enables threat detection for networks and virtual machines, providing threat intelligence, anomaly detection, and behavior analytics in Azure Security Center. |
SecurityCenter
|
SecurityCenterPolicy should have SelectedPricingTier eq "Standard" |
| Ensure That Auto provisioning of 'Log Analytics agent for Azure VMs' is Set to 'On' |
Enable Automatic provisioning of monitoring agent to collect security data. |
AAD
|
SecurityCenterPolicy should have AutomaticProvisioningOfMonitoringAgent eq "On" |
| Ensure ASC Default policy setting 'Monitor SQL Auditing' is not 'Disabled' |
Enable SQL auditing & Threat detection recommendations. |
SecurityCenter
|
SecurityCenterPolicy should have SQLAuditingAndThreatDetection in ( "AuditIfNotExists", "Audit" ) |
| Monitor network to detect potential cybersecurity events: Ensure that 'Threat Detection' is set to 'On' for SQL Servers |
Enable threat detection on SQL Servers. |
SQL
|
SQLServer should have ThreatPolicy . State eq "Enabled" |
| Monitor network to detect potential cybersecurity events: Ensure that 'Threat Detection Types' is set to 'All' for SQL Servers |
Enable all types of threat detection on SQL Servers. |
SQL
|
SQLServer should have ThreatPolicy . State eq "Enabled" and not ( ThreatPolicy . DisabledAlerts like "Sql" or ThreatPolicy . DisabledAlerts like "Anomaly" ) |
| Ensure ASC Default policy setting 'Monitor Endpoint Protection' is not 'Disabled' |
Enable Endpoint protection recommendations for virtual machines. |
SecurityCenter
|
SecurityCenterPolicy should have VMEndpointProtection in ( "AuditIfNotExists", "Audit" ) |
| Ensure ASC Default policy setting 'Monitor Adaptive Application Whitelisting' is not 'Disabled' |
Enable adaptive application controls. |
SecurityCenter
|
SecurityCenterPolicy should have AdaptiveApplicationControls in ( "AuditIfNotExists", "Audit" ) |
| Ensure that the endpoint protection for all Virtual Machines is installed |
Install Endpoint Protection for all Virtual Machines. |
Compute
|
VirtualMachine should have Extensions with [ ExtensionType in ( "EndpointSecurity", "TrendMicroDSA*", "Antimalware" , "EndpointProtection" , "SCWPAgent", "PortalProtectExtension*" , "FileSecurity*" ) ] |
| Personnel know response roles/operations: Ensure that 'Security contact emails' is set |
Provide a security contact email address. |
SecurityCenter
|
SecurityCenterPolicy should have SecurityContactEmails len() > 0 |
| Personnel know response roles/operations: Ensure that security contact 'Phone number' is set |
Provide a security contact phone number. |
SecurityCenter
|
SecurityCenterPolicy should have SecurityContactPhoneNumber neq "" |
| Personnel know response roles/operations: Ensure that 'Send me emails about alerts' is set to 'On' |
Enable security alerts emailing to security contact. |
SecurityCenter
|
SecurityCenterPolicy should have SendEmailAboutAlerts |
| Personnel know response roles/operations: Ensure that 'Also send email to subscription owners' is set to 'On' |
Enable security alerts emailing to subscription owners. |
SecurityCenter
|
SecurityCenterPolicy should have SendEmailToSubscriptionOwners |
| Personnel know response roles/operations: Ensure that 'Send Alerts to' is set for SQL Servers |
Provide the email address to which alerts will be sent upon detection of anomalous activities on SQL Servers. |
SQL
|
SQLServer should have ThreatPolicy . EmailAddresses |
| Personnel know response roles/operations: Ensure that 'Email service and co-administrators' is 'Enabled' for SQL Servers |
Enable service and co-administrators to receive security alerts from SQL Server. |
SQL
|
SQLServer should have ThreatPolicy . EmailAccountAdmins eq "Enabled" |
| Description |
Service |
Rule |
| Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL Servers |
SQL Server Audit Retention should be configured to be greater than 90 days. |
SQL
|
SQLServer should have ( AuditPolicy . RetentionDays gte 90 or AuditPolicy . RetentionDays lte 0 ) |
| Audit/log records: Ensure that 'Threat Detection' Retention is 'greater than 90 days' for SQL Servers |
SQL Server Threat Detection Retention should be configured to be greater than 90 days. |
SQL
|
SQLServer should have ( ThreatPolicy . RetentionDays gte 90 or ThreatPolicy . RetentionDays lte 0 ) |
| Ensure that the expiry date is set on all Keys |
Ensure that all Keys in Azure Key Vault have an expiry time set. |
KeyVault
|
KeyVault should not have Keys with [ Expires eq False ] |
| Ensure that the expiry date is set on all Secrets |
Ensure that all Secrets in Azure Key Vault have an expiry time set. |
KeyVault
|
KeyVault should not have Secrets with [ Expires eq False ] |
| Ensure ASC Default policy setting 'Monitor Endpoint Protection' is not 'Disabled' |
Enable Endpoint protection recommendations for virtual machines. |
SecurityCenter
|
SecurityCenterPolicy should have VMEndpointProtection in ( "AuditIfNotExists", "Audit" ) |
| Ensure ASC Default policy setting 'Monitor Disk Encryption' is not 'Disabled' |
Enable Disk encryption recommendations for virtual machines. |
SecurityCenter
|
SecurityCenterPolicy should have VMDiskEncryption in ( "AuditIfNotExists", "Audit" ) |
| Ensure that 'Storage Encryption' is set to 'On' |
Enable Storage Encryption recommendations. |
SecurityCenter
|
SecurityCenterPolicy should have StorageEncryption in ( "AuditIfNotExists", "Audit" ) |
| Ensure ASC Default policy setting 'Monitor SQL Encryption' is not 'Disabled' |
Enable SQL Encryption recommendations. |
SecurityCenter
|
SecurityCenterPolicy should have SQLEncryption in ( "AuditIfNotExists", "Audit" ) |
| Ensure that 'Secure transfer required' is set to 'Enabled' |
Enable data encryption is transit. |
Storage
|
StorageAccount should have EnableHttpsTrafficOnly |
| Ensure that 'Storage service encryption' is set to Enabled for Blob Service |
Enable data encryption at rest for blobs. |
Storage
|
StorageAccount should have BlobEncryptionEnabled |
| Ensure that 'Storage service encryption' is set to Enabled for File Service |
Enable data encryption at rest for file service. |
Storage
|
StorageAccount should have FileEncryptionEnabled |
| Data-at-rest is protected: Ensure that 'OS disk' are encrypted |
Ensure that OS disks (boot volumes) are encrypted, where possible |
Compute
|
VirtualMachine should have DiskEncryptionStatus . OSDisk |
| Ensure that 'Data disks' are encrypted |
Ensure that Data disks (non-boot volumes) are encrypted, where possible |
Compute
|
VirtualMachine should have DiskEncryptionStatus . DataDisk |
| Identities and credentials: Ensure that there are no guest users |
Do not add guest users if not needed. |
AAD
|
User should not have Type eq "Guest" |
| Identities and credentials: Ensure that no custom subscription owner roles are created |
Do not create custom roles with subscription ownership. It is recommended to use the principle of least privilege, assigning only needed privileges instead of allowing full administrative access. |
Auth
|
Role should not have ( Type eq "CustomRole" and Permissions with [ Actions has ( "*" ) ] ) |
| Identities and credentials: Ensure that Azure Active Directory Admin is configured for SQL Servers |
Use Azure Active Directory Authentication for authentication with SQL Database. |
SQL
|
SQLServer should have ADAdmin . Status |
| Ensure that a Log Profile exists |
Enable log profile for exporting activity logs. |
Monitor
|
Azure should have ActivityLogProfile len () > 0 |
| Ensure that Activity Log Retention is set 365 days or greater |
Ensure Activity Log Retention is set for 365 days or greater |
Monitor
|
ActivityLogProfile should have (RetentionEnabled and RetentionDays gte 365) or (RetentionEnabled eq False and RetentionDays eq 0) |
| Ensure that Activity Log Alert exists for Create Policy Assignment |
Create an activity log alert for the Create Policy Assignment event. |
Monitor
|
Azure should have atleast one ActivityLogAlert with [ SubscriptionScope and RegionName eq "global" and Enabled and ActionGroupId len () gt 0 and Conditions with [ Field eq "operationName" and Value like "Microsoft.Authorization/policyAssignments/write" ] ] |
| Ensure that Activity Log Alert exists for Create or Update Network Security Group |
Create an activity log alert for Create or Update Network Security Group event. |
Monitor
|
Azure should have atleast one ActivityLogAlert with [ SubscriptionScope and RegionName eq "global" and Enabled and ActionGroupId len () gt 0 and Conditions with [ Field eq "operationName" and Value like "Microsoft.Network/networkSecurityGroups/write" ] ] |
| Ensure that Activity Log Alert exists for Delete Network Security Group |
Create an activity log alert for Delete Network Security Group event. |
Monitor
|
Azure should have atleast one ActivityLogAlert with [ SubscriptionScope and RegionName eq "global" and Enabled and ActionGroupId len () gt 0 and Conditions with [ Field eq "operationName" and Value like "Microsoft.Network/networkSecurityGroups/delete" ] ] |
| Ensure that Activity Log Alert exists for Create or Update Network Security Group Rule |
Create an activity log alert for the Create or Update Network Security Group Rule event |
Monitor
|
Azure should have atleast one ActivityLogAlert with [ SubscriptionScope and RegionName eq "global" and Enabled and ActionGroupId len () gt 0 and Conditions with [ Field eq "operationName" and Value like "Microsoft.Network/networkSecurityGroups/securityRules/write" ] ] |
| Ensure that activity log alert exists for the Delete Network Security Group Rule |
Create an activity log alert for the Delete Network Security Group Rule event |
Monitor
|
Azure should have atleast one ActivityLogAlert with [ SubscriptionScope and RegionName eq "global" and Enabled and ActionGroupId len () gt 0 and Conditions with [ Field eq "operationName" and Value like "Microsoft.Network/networkSecurityGroups/securityRules/delete" ] ] |
| Ensure that Activity Log Alert exists for Create or Update Security Solution |
Create an activity log alert for the Create or Update Security Solution event. |
Monitor
|
Azure should have atleast one ActivityLogAlert with [ SubscriptionScope and RegionName eq "global" and Enabled and ActionGroupId len () gt 0 and Conditions with [ Field eq "operationName" and Value like "Microsoft.Security/securitySolutions/write" ] ] |
| Ensure that Activity Log Alert exists for Delete Security Solution |
Create an activity log alert for the Delete Security Solution event. |
Monitor
|
Azure should have atleast one ActivityLogAlert with [ SubscriptionScope and RegionName eq "global" and Enabled and ActionGroupId len () gt 0 and Conditions with [ Field eq "operationName" and Value like "Microsoft.Security/securitySolutions/delete" ] ] |
| Ensure that Activity Log Alert exists for Create or Update or Delete SQL Server Firewall Rule |
Create an activity log alert for the Create or Update or Delete SQL Server Firewall Rule event. |
Monitor
|
Azure should have atleast one ActivityLogAlert with [ SubscriptionScope and RegionName eq "global" and Enabled and ActionGroupId len () gt 0 and Conditions with [ Field eq "operationName" and Value like "Microsoft.Sql/servers/firewallRules/write" ] ] |
| Ensure that Activity Log Alert exists for Delete SQL Server Firewall Rule |
Create an Activity Log Alert for the Delete SQL Server Firewall Rule event. |
Monitor
|
Azure should have atleast one ActivityLogAlert with [ Conditions with [ Value like "microsoft.sql/servers/firewallrules/delete" ] ] |
| Ensure that Activity Log Alert exists for Update Security Policy |
Create an activity log alert for the Update Security Policy event. |
Monitor
|
Azure should have atleast one ActivityLogAlert with [ SubscriptionScope and RegionName eq "global" and Enabled and ActionGroupId len () gt 0 and Conditions with [ Field eq "operationName" and Value like "Microsoft.Security/policies/write" ] ] |
| Ensure that logging for Azure KeyVault is 'Enabled' |
Enable AuditEvent logging for Key Vault instances to ensure interactions with key vaults are logged and available. |
KeyVault
|
KeyVault should have DiagnosticSettings with [ StorageAccountId len ( ) gt 0 and Logs with [ Category len ( ) gt 0 and LogEnabled and ( RetentionPolicy . Days gte 180 or RetentionPolicy . Days eq 0 ) ] ] |
| Ensure ASC Default policy setting 'Monitor Vulnerability Assessment' is not 'Disabled' |
Enable Vulnerability assessment recommendations for virtual machines. |
SecurityCenter
|
SecurityCenterPolicy should have VMVulnerabilityAssessment in ( "AuditIfNotExists", "Audit" ) |
| Vulnerability management plan: Ensure that VM agent is installed |
Install VM agent on Virtual Machines |
Compute
|
VirtualMachine should have Extensions with [ ExtensionType eq "MicrosoftMonitoringAgent" and ProvisioningState eq "Succeeded" ] |
| Ensure ASC Default policy setting 'Monitor Network Security Groups' is not 'Disabled' |
Enable Network security groups recommendations for virtual machines. |
SecurityCenter
|
SecurityCenterPolicy should have VMNetworkSecurityGroups in ( "AuditIfNotExists", "Audit" ) |
| Ensure ASC Default policy setting 'Monitor Web Application Firewall' is not 'Disabled' |
Enable Web application firewall recommendations for virtual machines. |
SecurityCenter
|
SecurityCenterPolicy should have VMWebApplicationFirewall in ( "AuditIfNotExists", "Audit" ) |
| Ensure ASC Default policy setting 'Enable Next Generation Firewall(NGFW) Monitoring' is not 'Disabled' |
Enable Next generation firewall recommendations for virtual machines. |
SecurityCenter
|
SecurityCenterPolicy should have VMNextGenerationFirewall in ( "AuditIfNotExists", "Audit" ) |
| Ensure ASC Default policy setting 'Monitor JIT Network Access' is not 'Disabled' |
Enable JIT Network Access for virtual machines. |
SecurityCenter
|
SecurityCenterPolicy should have VMJITNetworkAccess in ( "AuditIfNotExists", "Audit" ) |
| Ensure ASC Default policy setting 'Monitor Adaptive Application Whitelisting' is not 'Disabled' |
Enable adaptive application controls. |
SecurityCenter
|
SecurityCenterPolicy should have AdaptiveApplicationControls in ( "AuditIfNotExists", "Audit" ) |
| Ensure that RDP access is restricted from the internet |
Check Network Security Groups for any inbound access from the Internet to RDP port 3389 (UDP or TCP). |
Network
|
VirtualMachine should not have NetworkInterfaces with [ SecurityGroup . SecurityRules with [ Access eq "Allow" and Direction eq "Inbound" and Protocol in ("*", "TCP") and Destination . PortRange with [ FromPort lte 3389 and ToPort gte 3389 ] and ( ( Source . Type eq "Any" ) or ( Source . Type eq "Service Tag" and Source . ServiceTag eq "Internet" ) or ( Source . Type eq "IP Addresses" and Source . Addresses with [ Prefix in ( "0.0.0.0/0", "::/0", "/0", "/0" ) ] ) ) ] ] |
| Ensure that SSH access is restricted from the internet |
Disable SSH access on Network Security Groups from Internet |
Network
|
VirtualMachine should not have NetworkInterfaces with [ SecurityGroup . SecurityRules with [ Access eq "Allow" and Direction eq "Inbound" and Protocol in ("*", "TCP") and Destination . PortRange with [ FromPort lte 22 and ToPort gte 22 ] and ( ( Source . Type eq "Any" ) or ( Source . Type eq "Service Tag" and Source . ServiceTag eq "Internet" ) or ( Source . Type eq "IP Addresses" and Source . Addresses with [ Prefix in ( "0.0.0.0/0", "::/0", "/0", "/0" ) ] ) ) ] ] |
| Communications and control network protection: Ensure that SQL server access is restricted from the internet |
Ensure that no SQL Databases allow ingress from the internet. |
SQL
|
SQLServer should not have FirewallRule with [ StartIP eq 0.0.0.0 and EndIP eq 0.0.0.0 ] |
| Baseline network operations and data flows: Ensure that Network Watcher is 'Enabled' |
Enable Network Watcher for your Azure Subscriptions |
Network
|
Subscription should have NetworkWatcherEnabled |
| Data-at-rest is protected: Ensure that 'Public access level' is set to Private for blob containers |
Disable anonymous access to blob containers. |
Storage
|
StorageAccount should have every BlobContainers with [ Access eq "None" ] or not AllowBlobPublic |
| Personnel know response roles/operations: Ensure that 'Security contact emails' is set |
Provide a security contact email address. |
SecurityCenter
|
SecurityCenterPolicy should have SecurityContactEmails len() > 0 |
| Personnel know response roles/operations: Ensure that security contact 'Phone number' is set |
Provide a security contact phone number. |
SecurityCenter
|
SecurityCenterPolicy should have SecurityContactPhoneNumber neq "" |
| Personnel know response roles/operations: Ensure that 'Send me emails about alerts' is set to 'On' |
Enable security alerts emailing to security contact. |
SecurityCenter
|
SecurityCenterPolicy should have SendEmailAboutAlerts |
| Personnel know response roles/operations: Ensure that 'Also send email to subscription owners' is set to 'On' |
Enable security alerts emailing to subscription owners. |
SecurityCenter
|
SecurityCenterPolicy should have SendEmailToSubscriptionOwners |
| Personnel know response roles/operations: Ensure that 'Send Alerts to' is set for SQL Servers |
Provide the email address to which alerts will be sent upon detection of anomalous activities on SQL Servers. |
SQL
|
SQLServer should have ThreatPolicy . EmailAddresses |
| Personnel know response roles/operations: Ensure that 'Email service and co-administrators' is 'Enabled' for SQL Servers |
Enable service and co-administrators to receive security alerts from SQL Server. |
SQL
|
SQLServer should have ThreatPolicy . EmailAccountAdmins eq "Enabled" |
| Ensure that 'Send Alerts to' is set for SQL Databases |
Provide the email address to which alerts will be sent upon detection of anomalous activities on SQL Databases. |
SQL
|
SQLDatabase should have ThreatPolicy . EmailAddresses len() gt 0 |
| Ensure that 'Email service and co-administrators' is 'Enabled' for SQL Databases |
Enable service and co-administrators to receive security alerts from SQL Databases. |
SQL
|
SQLDatabase should have ThreatPolicy . EmailAccountAdmins eq "Enabled" |
| Monitor network to detect potential cybersecurity events: Ensure that standard pricing tier is selected in Azure Security Center |
Standard pricing tier enables threat detection for networks and virtual machines, providing threat intelligence, anomaly detection, and behavior analytics in Azure Security Center. |
SecurityCenter
|
SecurityCenterPolicy should have SelectedPricingTier eq "Standard" |
| Ensure That Auto provisioning of 'Log Analytics agent for Azure VMs' is Set to 'On' |
Enable Automatic provisioning of monitoring agent to collect security data. |
AAD
|
SecurityCenterPolicy should have AutomaticProvisioningOfMonitoringAgent eq "On" |
| Ensure ASC Default policy setting 'Monitor System Updates' is not 'Disabled' |
Enable system updates recommendations for virtual machines. |
SecurityCenter
|
SecurityCenterPolicy should have VMSystemUpdates in ( "AuditIfNotExists", "Audit" ) |
| Ensure ASC Default policy setting 'Monitor OS Vulnerabilities' is not 'Disabled' |
Enable OS vulnerabilities recommendations for virtual machines. |
SecurityCenter
|
SecurityCenterPolicy should have VMSecurityConfigurations in ( "AuditIfNotExists", "Audit" ) |
| Ensure ASC Default policy setting 'Monitor SQL Auditing' is not 'Disabled' |
Enable SQL auditing & Threat detection recommendations. |
SecurityCenter
|
SecurityCenterPolicy should have SQLAuditingAndThreatDetection in ( "AuditIfNotExists", "Audit" ) |
| Ensure that 'Auditing' is set to 'On' for SQL Servers |
Enable auditing on SQL Servers. |
SQL
|
SQLServer should have AuditPolicy . State eq "Enabled" |
| Monitor network to detect potential cybersecurity events: Ensure that 'Threat Detection' is set to 'On' for SQL Servers |
Enable threat detection on SQL Servers. |
SQL
|
SQLServer should have ThreatPolicy . State eq "Enabled" |
| Monitor network to detect potential cybersecurity events: Ensure that 'Threat Detection Types' is set to 'All' for SQL Servers |
Enable all types of threat detection on SQL Servers. |
SQL
|
SQLServer should have ThreatPolicy . State eq "Enabled" and not ( ThreatPolicy . DisabledAlerts like "Sql" or ThreatPolicy . DisabledAlerts like "Anomaly" ) |
| Ensure that 'Auditing' is set to 'On' for SQL Databases |
Enable auditing on SQL Databases. |
SQL
|
SQLDatabase should have AuditPolicy . State eq "Enabled" |
| Ensure that 'Threat Detection' is set to 'On' for SQL Databases |
Enable threat detection on SQL Databases. |
SQL
|
SQLDatabase should have ThreatPolicy . State eq "Enabled" |
| Ensure that 'Threat Detection Types' is set to 'All' for SQL Databases |
Enable all types of threat detection on SQL Databases. |
SQL
|
SQLDatabase should have ThreatPolicy . State eq "Enabled" and not ( ThreatPolicy . DisabledAlerts like "Sql" or ThreatPolicy . DisabledAlerts like "Anomaly" ) |
| Ensure that the endpoint protection for all Virtual Machines is installed |
Install Endpoint Protection for all Virtual Machines. |
Compute
|
VirtualMachine should have Extensions with [ ExtensionType in ( "EndpointSecurity", "TrendMicroDSA*", "Antimalware" , "EndpointProtection" , "SCWPAgent", "PortalProtectExtension*" , "FileSecurity*" ) ] |
| Description |
Service |
Rule |
| Ensure ASC Default policy setting 'Monitor Network Security Groups' is not 'Disabled' |
Enable Network security groups recommendations for virtual machines. |
SecurityCenter
|
SecurityCenterPolicy should have VMNetworkSecurityGroups in ( "AuditIfNotExists", "Audit" ) |
| Ensure that inbound access from the Internet is restricted |
Make sure Network Security Groups do not allow any inbound access from the Internet. |
Network
|
NetworkSecurityGroup should not have SecurityRules with [ Access eq "Allow" and Direction eq "Inbound" and Protocol in ("*", "UDP", "TCP") and ( Destination . PortRange with [ ( FromPort eq 0 and ToPort eq 65535 ) ] ) and ( ( Source . Type eq "Any" ) or ( Source . Type eq "Service Tag" and Source . ServiceTag eq "Internet" ) or ( Source . Type eq "IP Addresses" and Source . Addresses with [ Prefix in ( "0.0.0.0/0", "::/0", "/0", "/0") ] ) ) ] |
| Do not allow default Network Security Groups |
Check for Network Security Groups with only default rules, which by default allows all outbound Internet traffic. |
Network
|
NetworkSecurityGroup should have SecurityRules len() gt 0 and no SecurityRules with [ Access eq "Allow" and Direction eq "Inbound" and ( ( Source . Type eq "Any" ) or ( Source . Type eq "Service Tag" and Source . ServiceTag eq "Internet" ) or ( Source . Type eq "IP Addresses" and Source . Addresses with [ Prefix in ( "0.0.0.0/0", "::/0", "/0", "/0") ] ) ) ] and SecurityRules with [ Access eq "Deny" and Direction eq "Outbound" and ( ( Destination . PortRange with [ ( FromPort eq 0 and ToPort eq 65535 ) ] ) and ( ( Destination . Type eq "Any" ) or ( Destination . Type eq "IP Addresses" and Destination . Addresses with [ Prefix in ( "0.0.0.0/0", "::/0", "/0", "/0" ) ] ) or ( Destination . Type eq "Service Tag" and Destination . ServiceTag eq "Internet" ) ) ) ] |
| Ensure that relational database access is restricted from the Internet |
Ensure that common SQL Database (SQLServer, mySQL, Oracle, Postgres) ports are not allowed inbound access from the internet. |
Network
|
NetworkSecurityGroup should not have SecurityRules with [ Access eq "Allow" and Direction eq "Inbound" and Protocol in ("*", "UDP", "TCP") and ( Destination . PortRange with [ ( FromPort lte 1433 and ToPort gte 1433 ) or ( FromPort lte 3306 and ToPort gte 3306 ) or ( FromPort lte 1521 and ToPort gte 1521 ) or ( FromPort lte 5432 and ToPort gte 5432 ) ] ) and ( ( Source . Type eq "Any" ) or ( Source . Type eq "Service Tag" and Source . ServiceTag eq "Internet" ) or ( Source . Type eq "IP Addresses" and Source . Addresses with [ Prefix in ( "0.0.0.0/0", "::/0", "/0", "/0") ] ) ) ] |
| Ensure that SSH access is restricted from the internet |
Disable SSH access on Network Security Groups from Internet |
Network
|
VirtualMachine should not have NetworkInterfaces with [ SecurityGroup . SecurityRules with [ Access eq "Allow" and Direction eq "Inbound" and Protocol in ("*", "TCP") and Destination . PortRange with [ FromPort lte 22 and ToPort gte 22 ] and ( ( Source . Type eq "Any" ) or ( Source . Type eq "Service Tag" and Source . ServiceTag eq "Internet" ) or ( Source . Type eq "IP Addresses" and Source . Addresses with [ Prefix in ( "0.0.0.0/0", "::/0", "/0", "/0" ) ] ) ) ] ] |
| Ensure that FTP access is restricted from the Internet |
Check Network Security Groups for FTP access from the Internet. |
Network
|
NetworkSecurityGroup should not have SecurityRules with [ Access eq "Allow" and Direction eq "Inbound" and Protocol in ("*", "TCP") and ( Destination . PortRange with [ ( FromPort lte 21 and ToPort gte 20 ) ] ) and ( ( Source . Type eq "Any" ) or ( Source . Type eq "Service Tag" and Source . ServiceTag eq "Internet" ) or ( Source . Type eq "IP Addresses" and Source . Addresses with [ Prefix in ( "0.0.0.0/0", "::/0", "/0", "/0") ] ) ) ] |
| Ensure that clear text protocols from the Internet are restricted |
Check Network Security Groups for inbound access of clear-text protocols (telnet, SMTP, POP, IMAP, and SNMP) from the Internet. |
Network
|
NetworkSecurityGroup should not have SecurityRules with [ Access eq "Allow" and Direction eq "Inbound" and ( ( Protocol in ( "*", "TCP" ) and ( Destination . PortRange with [ ( FromPort lte 23 and ToPort gte 23 ) or ( FromPort lte 25 and ToPort gte 25 ) or ( FromPort lte 110 and ToPort gte 110 ) or ( FromPort lte 143 and ToPort gte 143 ) or ( FromPort lte 162 and ToPort gte 161 ) ] ) ) or ( Protocol in ( "*" , "UDP" ) and ( Destination . PortRange with [ ( FromPort lte 162 and ToPort gte 161 ) ] ) ) ) and ( ( Source . Type eq "Any" ) or ( Source . Type eq "Service Tag" and Source . ServiceTag eq "Internet" ) or ( Source . Type eq "IP Addresses" and Source . Addresses with [ Prefix in ( "0.0.0.0/0", "::/0", "/0", "/0") ] ) ) ] |
| Ensure that commonly-attacked ports access are restricted from the Internet |
Prevent inbound access from the Internet to commonly attacked ports (TCP 0, 19, 135-139, 445, 1080, 5900) and (UDP 67, 520, 547, 1900). |
Network
|
NetworkSecurityGroup should not have SecurityRules with [ Access eq "Allow" and Direction eq "Inbound" and ( ( Protocol in ( "*", "TCP" ) and ( Destination . PortRange with [ ( FromPort lte 0 and ToPort gte 0 ) or ( FromPort lte 19 and ToPort gte 19 ) or ( FromPort lte 139 and ToPort gte 135 ) or ( FromPort lte 445 and ToPort gte 445 ) or ( FromPort lte 1080 and ToPort gte 1080 ) or ( FromPort lte 5800 and ToPort gte 5800 ) or ( FromPort lte 5900 and ToPort gte 5900) ] ) ) or ( Protocol in ( "*", "UDP" ) and ( Destination . PortRange with [ ( FromPort lte 19 and ToPort gte 19 ) or ( FromPort lte 123 and ToPort gte 123 ) or ( FromPort lte 67 and ToPort gte 67 ) or ( FromPort lte 139 and ToPort gte 135 ) or ( FromPort lte 445 and ToPort gte 445 ) or ( FromPort lte 520 and ToPort gte 520 ) or ( FromPort lte 547 and ToPort gte 547 ) or ( FromPort lte 1900 and ToPort gte 1900 ) ] ) ) ) and ( ( Source . Type eq "Any" ) or ( Source . Type eq "Service Tag" and Source . ServiceTag eq "Internet" ) or ( Source . Type eq "IP Addresses" and Source . Addresses with [ Prefix in ( "0.0.0.0/0", "::/0", "/0", "/0" ) ] ) ) ] |
| Ensure that RDP access is restricted from the internet |
Check Network Security Groups for any inbound access from the Internet to RDP port 3389 (UDP or TCP). |
Network
|
VirtualMachine should not have NetworkInterfaces with [ SecurityGroup . SecurityRules with [ Access eq "Allow" and Direction eq "Inbound" and Protocol in ("*", "TCP") and Destination . PortRange with [ FromPort lte 3389 and ToPort gte 3389 ] and ( ( Source . Type eq "Any" ) or ( Source . Type eq "Service Tag" and Source . ServiceTag eq "Internet" ) or ( Source . Type eq "IP Addresses" and Source . Addresses with [ Prefix in ( "0.0.0.0/0", "::/0", "/0", "/0" ) ] ) ) ] ] |
| Prevent inbound traffic from the Internet that has spoofed or invalid src IP addresses |
Prevent any inbound traffic from the internet that has unroutable, reserved, or invalid source IP addresses. |
Network
|
NetworkSecurityGroup should not have SecurityRules with [ Access eq "Allow" and Direction eq "Inbound" and ( ( Source . Type eq "Any" ) or ( Source . Type eq "IP Addresses" and Source . Addresses with [ Prefix in ( "0.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16", "192.0.0.0/24", "192.0.2.0/24", "192.88.99.0/24", "198.18.0.0/15", "198.51.100.0/25", "203.0.113.0/24", "224.0.0.0/4", "240.0.0.0/4", "255.255.255.255/32", "0.0.0.0/0" ) ] ) ) ] |
| Ensure that all inbound traffic from the Internet is restricted |
Check Network Security Groups for rules allowing any inbound traffic from the Internet. |
Network
|
NetworkSecurityGroup should not have SecurityRules with [ Access eq "Allow" and Direction eq "Inbound" and ( ( Source . Type eq "Any" ) or ( Source . Type eq "Service Tag" and Source . ServiceTag eq "Internet" ) or ( Source . Type eq "IP Addresses" and ( Source . Addresses with [ Prefix isPublic() or Prefix in ( "/0", "/0") ] ) ) ) ] |
| Ensure ASC Default policy setting 'Monitor JIT Network Access' is not 'Disabled' |
Enable JIT Network Access for virtual machines. |
SecurityCenter
|
SecurityCenterPolicy should have VMJITNetworkAccess in ( "AuditIfNotExists", "Audit" ) |
| Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL Servers |
SQL Server Audit Retention should be configured to be greater than 90 days. |
SQL
|
SQLServer should have ( AuditPolicy . RetentionDays gte 90 or AuditPolicy . RetentionDays lte 0 ) |
| Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL Databases |
SQL Database Audit Retention should be configured to be greater than 90 days. |
SQL
|
SQLDatabase should have ( AuditPolicy . RetentionDays gte 90 or AuditPolicy . RetentionDays lte 0 ) |
| Ensure ASC Default policy setting 'Monitor Disk Encryption' is not 'Disabled' |
Enable Disk encryption recommendations for virtual machines. |
SecurityCenter
|
SecurityCenterPolicy should have VMDiskEncryption in ( "AuditIfNotExists", "Audit" ) |
| Ensure that 'Storage Encryption' is set to 'On' |
Enable Storage Encryption recommendations. |
SecurityCenter
|
SecurityCenterPolicy should have StorageEncryption in ( "AuditIfNotExists", "Audit" ) |
| Ensure ASC Default policy setting 'Monitor SQL Encryption' is not 'Disabled' |
Enable SQL Encryption recommendations. |
SecurityCenter
|
SecurityCenterPolicy should have SQLEncryption in ( "AuditIfNotExists", "Audit" ) |
| Ensure that 'Storage service encryption' is set to Enabled for Blob Service |
Enable data encryption at rest for blobs. |
Storage
|
StorageAccount should have BlobEncryptionEnabled |
| Ensure that 'Storage service encryption' is set to Enabled for File Service |
Enable data encryption at rest for file service. |
Storage
|
StorageAccount should have FileEncryptionEnabled |
| Ensure that Data encryption is set to On on a SQL Database |
Enable Transparent Data Encryption on every SQL Database |
SQL
|
SQLDatabase should have DataEncryption.TransparentDataEncryptionStatus eq "Enabled" |
| Ensure that 'Data disks' are encrypted |
Ensure that Data disks (non-boot volumes) are encrypted, where possible |
Compute
|
VirtualMachine should have DiskEncryptionStatus . DataDisk |
| Ensure that the expiry date is set on all Keys |
Ensure that all Keys in Azure Key Vault have an expiry time set. |
KeyVault
|
KeyVault should not have Keys with [ Expires eq False ] |
| Ensure that the expiry date is set on all Secrets |
Ensure that all Secrets in Azure Key Vault have an expiry time set. |
KeyVault
|
KeyVault should not have Secrets with [ Expires eq False ] |
| Ensure that 'Secure transfer required' is set to 'Enabled' |
Enable data encryption is transit. |
Storage
|
StorageAccount should have EnableHttpsTrafficOnly |
| Ensure ASC Default policy setting 'Monitor Endpoint Protection' is not 'Disabled' |
Enable Endpoint protection recommendations for virtual machines. |
SecurityCenter
|
SecurityCenterPolicy should have VMEndpointProtection in ( "AuditIfNotExists", "Audit" ) |
| Ensure that the endpoint protection for all Virtual Machines is installed |
Install Endpoint Protection for all Virtual Machines. |
Compute
|
VirtualMachine should have Extensions with [ ExtensionType in ( "EndpointSecurity", "TrendMicroDSA*", "Antimalware" , "EndpointProtection" , "SCWPAgent", "PortalProtectExtension*" , "FileSecurity*" ) ] |
| Ensure ASC Default policy setting 'Monitor System Updates' is not 'Disabled' |
Enable system updates recommendations for virtual machines. |
SecurityCenter
|
SecurityCenterPolicy should have VMSystemUpdates in ( "AuditIfNotExists", "Audit" ) |
| Ensure ASC Default policy setting 'Monitor OS Vulnerabilities' is not 'Disabled' |
Enable OS vulnerabilities recommendations for virtual machines. |
SecurityCenter
|
SecurityCenterPolicy should have VMSecurityConfigurations in ( "AuditIfNotExists", "Audit" ) |
| Ensure That Auto provisioning of 'Log Analytics agent for Azure VMs' is Set to 'On' |
Enable Automatic provisioning of monitoring agent to collect security data. |
AAD
|
SecurityCenterPolicy should have AutomaticProvisioningOfMonitoringAgent eq "On" |
| Ensure ASC Default policy setting 'Monitor Vulnerability Assessment' is not 'Disabled' |
Enable Vulnerability assessment recommendations for virtual machines. |
SecurityCenter
|
SecurityCenterPolicy should have VMVulnerabilityAssessment in ( "AuditIfNotExists", "Audit" ) |
| Ensure ASC Default policy setting 'Monitor Web Application Firewall' is not 'Disabled' |
Enable Web application firewall recommendations for virtual machines. |
SecurityCenter
|
SecurityCenterPolicy should have VMWebApplicationFirewall in ( "AuditIfNotExists", "Audit" ) |
| Ensure ASC Default policy setting 'Monitor SQL Auditing' is not 'Disabled' |
Enable SQL auditing & Threat detection recommendations. |
SecurityCenter
|
SecurityCenterPolicy should have SQLAuditingAndThreatDetection in ( "AuditIfNotExists", "Audit" ) |
| Ensure that 'Auditing' is set to 'On' for SQL Servers |
Enable auditing on SQL Servers. |
SQL
|
SQLServer should have AuditPolicy . State eq "Enabled" |
| Ensure that 'Auditing' is set to 'On' for SQL Databases |
Enable auditing on SQL Databases. |
SQL
|
SQLDatabase should have AuditPolicy . State eq "Enabled" |
| Ensure that Activity Log Alert exists for Create Policy Assignment |
Create an activity log alert for the Create Policy Assignment event. |
Monitor
|
Azure should have atleast one ActivityLogAlert with [ SubscriptionScope and RegionName eq "global" and Enabled and ActionGroupId len () gt 0 and Conditions with [ Field eq "operationName" and Value like "Microsoft.Authorization/policyAssignments/write" ] ] |
| Ensure that Activity Log Alert exists for Create or Update Network Security Group |
Create an activity log alert for Create or Update Network Security Group event. |
Monitor
|
Azure should have atleast one ActivityLogAlert with [ SubscriptionScope and RegionName eq "global" and Enabled and ActionGroupId len () gt 0 and Conditions with [ Field eq "operationName" and Value like "Microsoft.Network/networkSecurityGroups/write" ] ] |
| Ensure that Activity Log Alert exists for Delete Network Security Group |
Create an activity log alert for Delete Network Security Group event. |
Monitor
|
Azure should have atleast one ActivityLogAlert with [ SubscriptionScope and RegionName eq "global" and Enabled and ActionGroupId len () gt 0 and Conditions with [ Field eq "operationName" and Value like "Microsoft.Network/networkSecurityGroups/delete" ] ] |
| Ensure that Activity Log Alert exists for Create or Update Network Security Group Rule |
Create an activity log alert for the Create or Update Network Security Group Rule event |
Monitor
|
Azure should have atleast one ActivityLogAlert with [ SubscriptionScope and RegionName eq "global" and Enabled and ActionGroupId len () gt 0 and Conditions with [ Field eq "operationName" and Value like "Microsoft.Network/networkSecurityGroups/securityRules/write" ] ] |
| Ensure that activity log alert exists for the Delete Network Security Group Rule |
Create an activity log alert for the Delete Network Security Group Rule event |
Monitor
|
Azure should have atleast one ActivityLogAlert with [ SubscriptionScope and RegionName eq "global" and Enabled and ActionGroupId len () gt 0 and Conditions with [ Field eq "operationName" and Value like "Microsoft.Network/networkSecurityGroups/securityRules/delete" ] ] |
| Ensure that Activity Log Alert exists for Create or Update Security Solution |
Create an activity log alert for the Create or Update Security Solution event. |
Monitor
|
Azure should have atleast one ActivityLogAlert with [ SubscriptionScope and RegionName eq "global" and Enabled and ActionGroupId len () gt 0 and Conditions with [ Field eq "operationName" and Value like "Microsoft.Security/securitySolutions/write" ] ] |
| Ensure that Activity Log Alert exists for Delete Security Solution |
Create an activity log alert for the Delete Security Solution event. |
Monitor
|
Azure should have atleast one ActivityLogAlert with [ SubscriptionScope and RegionName eq "global" and Enabled and ActionGroupId len () gt 0 and Conditions with [ Field eq "operationName" and Value like "Microsoft.Security/securitySolutions/delete" ] ] |
| Ensure that Activity Log Alert exists for Create or Update or Delete SQL Server Firewall Rule |
Create an activity log alert for the Create or Update or Delete SQL Server Firewall Rule event. |
Monitor
|
Azure should have atleast one ActivityLogAlert with [ SubscriptionScope and RegionName eq "global" and Enabled and ActionGroupId len () gt 0 and Conditions with [ Field eq "operationName" and Value like "Microsoft.Sql/servers/firewallRules/write" ] ] |
| Ensure that Activity Log Alert exists for Delete SQL Server Firewall Rule |
Create an Activity Log Alert for the Delete SQL Server Firewall Rule event. |
Monitor
|
Azure should have atleast one ActivityLogAlert with [ Conditions with [ Value like "microsoft.sql/servers/firewallrules/delete" ] ] |
| Ensure that Activity Log Alert exists for Update Security Policy |
Create an activity log alert for the Update Security Policy event. |
Monitor
|
Azure should have atleast one ActivityLogAlert with [ SubscriptionScope and RegionName eq "global" and Enabled and ActionGroupId len () gt 0 and Conditions with [ Field eq "operationName" and Value like "Microsoft.Security/policies/write" ] ] |
| Ensure that logging for Azure KeyVault is 'Enabled' |
Enable AuditEvent logging for Key Vault instances to ensure interactions with key vaults are logged and available. |
KeyVault
|
KeyVault should have DiagnosticSettings with [ StorageAccountId len ( ) gt 0 and Logs with [ Category len ( ) gt 0 and LogEnabled and ( RetentionPolicy . Days gte 180 or RetentionPolicy . Days eq 0 ) ] ] |
| Ensure that a Log Profile exists |
Enable log profile for exporting activity logs. |
Monitor
|
Azure should have ActivityLogProfile len () > 0 |
| Ensure that Activity Log Retention is set 365 days or greater |
Ensure Activity Log Retention is set for 365 days or greater |
Monitor
|
ActivityLogProfile should have (RetentionEnabled and RetentionDays gte 365) or (RetentionEnabled eq False and RetentionDays eq 0) |
| Audit/log records: Ensure that 'Threat Detection' Retention is 'greater than 90 days' for SQL Servers |
SQL Server Threat Detection Retention should be configured to be greater than 90 days. |
SQL
|
SQLServer should have ( ThreatPolicy . RetentionDays gte 90 or ThreatPolicy . RetentionDays lte 0 ) |
| Data-at-rest is protected: Ensure that 'OS disk' are encrypted |
Ensure that OS disks (boot volumes) are encrypted, where possible |
Compute
|
VirtualMachine should have DiskEncryptionStatus . OSDisk |
| Identities and credentials: Ensure that there are no guest users |
Do not add guest users if not needed. |
AAD
|
User should not have Type eq "Guest" |
| Identities and credentials: Ensure that no custom subscription owner roles are created |
Do not create custom roles with subscription ownership. It is recommended to use the principle of least privilege, assigning only needed privileges instead of allowing full administrative access. |
Auth
|
Role should not have ( Type eq "CustomRole" and Permissions with [ Actions has ( "*" ) ] ) |
| Identities and credentials: Ensure that Azure Active Directory Admin is configured for SQL Servers |
Use Azure Active Directory Authentication for authentication with SQL Database. |
SQL
|
SQLServer should have ADAdmin . Status |
| Vulnerability management plan: Ensure that VM agent is installed |
Install VM agent on Virtual Machines |
Compute
|
VirtualMachine should have Extensions with [ ExtensionType eq "MicrosoftMonitoringAgent" and ProvisioningState eq "Succeeded" ] |
| Ensure ASC Default policy setting 'Enable Next Generation Firewall(NGFW) Monitoring' is not 'Disabled' |
Enable Next generation firewall recommendations for virtual machines. |
SecurityCenter
|
SecurityCenterPolicy should have VMNextGenerationFirewall in ( "AuditIfNotExists", "Audit" ) |
| Ensure ASC Default policy setting 'Monitor Adaptive Application Whitelisting' is not 'Disabled' |
Enable adaptive application controls. |
SecurityCenter
|
SecurityCenterPolicy should have AdaptiveApplicationControls in ( "AuditIfNotExists", "Audit" ) |
| Communications and control network protection: Ensure that SQL server access is restricted from the internet |
Ensure that no SQL Databases allow ingress from the internet. |
SQL
|
SQLServer should not have FirewallRule with [ StartIP eq 0.0.0.0 and EndIP eq 0.0.0.0 ] |
| Baseline network operations and data flows: Ensure that Network Watcher is 'Enabled' |
Enable Network Watcher for your Azure Subscriptions |
Network
|
Subscription should have NetworkWatcherEnabled |
| Data-at-rest is protected: Ensure that 'Public access level' is set to Private for blob containers |
Disable anonymous access to blob containers. |
Storage
|
StorageAccount should have every BlobContainers with [ Access eq "None" ] or not AllowBlobPublic |
| Personnel know response roles/operations: Ensure that 'Security contact emails' is set |
Provide a security contact email address. |
SecurityCenter
|
SecurityCenterPolicy should have SecurityContactEmails len() > 0 |
| Personnel know response roles/operations: Ensure that security contact 'Phone number' is set |
Provide a security contact phone number. |
SecurityCenter
|
SecurityCenterPolicy should have SecurityContactPhoneNumber neq "" |
| Personnel know response roles/operations: Ensure that 'Send me emails about alerts' is set to 'On' |
Enable security alerts emailing to security contact. |
SecurityCenter
|
SecurityCenterPolicy should have SendEmailAboutAlerts |
| Personnel know response roles/operations: Ensure that 'Also send email to subscription owners' is set to 'On' |
Enable security alerts emailing to subscription owners. |
SecurityCenter
|
SecurityCenterPolicy should have SendEmailToSubscriptionOwners |
| Personnel know response roles/operations: Ensure that 'Send Alerts to' is set for SQL Servers |
Provide the email address to which alerts will be sent upon detection of anomalous activities on SQL Servers. |
SQL
|
SQLServer should have ThreatPolicy . EmailAddresses |
| Personnel know response roles/operations: Ensure that 'Email service and co-administrators' is 'Enabled' for SQL Servers |
Enable service and co-administrators to receive security alerts from SQL Server. |
SQL
|
SQLServer should have ThreatPolicy . EmailAccountAdmins eq "Enabled" |
| Ensure that 'Send Alerts to' is set for SQL Databases |
Provide the email address to which alerts will be sent upon detection of anomalous activities on SQL Databases. |
SQL
|
SQLDatabase should have ThreatPolicy . EmailAddresses len() gt 0 |
| Ensure that 'Email service and co-administrators' is 'Enabled' for SQL Databases |
Enable service and co-administrators to receive security alerts from SQL Databases. |
SQL
|
SQLDatabase should have ThreatPolicy . EmailAccountAdmins eq "Enabled" |
| Monitor network to detect potential cybersecurity events: Ensure that standard pricing tier is selected in Azure Security Center |
Standard pricing tier enables threat detection for networks and virtual machines, providing threat intelligence, anomaly detection, and behavior analytics in Azure Security Center. |
SecurityCenter
|
SecurityCenterPolicy should have SelectedPricingTier eq "Standard" |
| Monitor network to detect potential cybersecurity events: Ensure that 'Threat Detection' is set to 'On' for SQL Servers |
Enable threat detection on SQL Servers. |
SQL
|
SQLServer should have ThreatPolicy . State eq "Enabled" |
| Monitor network to detect potential cybersecurity events: Ensure that 'Threat Detection Types' is set to 'All' for SQL Servers |
Enable all types of threat detection on SQL Servers. |
SQL
|
SQLServer should have ThreatPolicy . State eq "Enabled" and not ( ThreatPolicy . DisabledAlerts like "Sql" or ThreatPolicy . DisabledAlerts like "Anomaly" ) |
| Ensure that 'Threat Detection' is set to 'On' for SQL Databases |
Enable threat detection on SQL Databases. |
SQL
|
SQLDatabase should have ThreatPolicy . State eq "Enabled" |
| Ensure that 'Threat Detection Types' is set to 'All' for SQL Databases |
Enable all types of threat detection on SQL Databases. |
SQL
|
SQLDatabase should have ThreatPolicy . State eq "Enabled" and not ( ThreatPolicy . DisabledAlerts like "Sql" or ThreatPolicy . DisabledAlerts like "Anomaly" ) |
| Description |
Service |
Rule |
| Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL Servers |
SQL Server Audit Retention should be configured to be greater than 90 days. |
SQL
|
SQLServer should have ( AuditPolicy . RetentionDays gte 90 or AuditPolicy . RetentionDays lte 0 ) |
| Audit/log records: Ensure that 'Threat Detection' Retention is 'greater than 90 days' for SQL Servers |
SQL Server Threat Detection Retention should be configured to be greater than 90 days. |
SQL
|
SQLServer should have ( ThreatPolicy . RetentionDays gte 90 or ThreatPolicy . RetentionDays lte 0 ) |
| Ensure ASC Default policy setting 'Monitor Endpoint Protection' is not 'Disabled' |
Enable Endpoint protection recommendations for virtual machines. |
SecurityCenter
|
SecurityCenterPolicy should have VMEndpointProtection in ( "AuditIfNotExists", "Audit" ) |
| Ensure ASC Default policy setting 'Monitor Disk Encryption' is not 'Disabled' |
Enable Disk encryption recommendations for virtual machines. |
SecurityCenter
|
SecurityCenterPolicy should have VMDiskEncryption in ( "AuditIfNotExists", "Audit" ) |
| Ensure that 'Storage Encryption' is set to 'On' |
Enable Storage Encryption recommendations. |
SecurityCenter
|
SecurityCenterPolicy should have StorageEncryption in ( "AuditIfNotExists", "Audit" ) |
| Ensure ASC Default policy setting 'Monitor SQL Encryption' is not 'Disabled' |
Enable SQL Encryption recommendations. |
SecurityCenter
|
SecurityCenterPolicy should have SQLEncryption in ( "AuditIfNotExists", "Audit" ) |
| Ensure that 'Secure transfer required' is set to 'Enabled' |
Enable data encryption is transit. |
Storage
|
StorageAccount should have EnableHttpsTrafficOnly |
| Ensure that 'Storage service encryption' is set to Enabled for Blob Service |
Enable data encryption at rest for blobs. |
Storage
|
StorageAccount should have BlobEncryptionEnabled |
| Ensure that 'Storage service encryption' is set to Enabled for File Service |
Enable data encryption at rest for file service. |
Storage
|
StorageAccount should have FileEncryptionEnabled |
| Data-at-rest is protected: Ensure that 'OS disk' are encrypted |
Ensure that OS disks (boot volumes) are encrypted, where possible |
Compute
|
VirtualMachine should have DiskEncryptionStatus . OSDisk |
| Ensure that 'Data disks' are encrypted |
Ensure that Data disks (non-boot volumes) are encrypted, where possible |
Compute
|
VirtualMachine should have DiskEncryptionStatus . DataDisk |
| Identities and credentials: Ensure that there are no guest users |
Do not add guest users if not needed. |
AAD
|
User should not have Type eq "Guest" |
| Identities and credentials: Ensure that no custom subscription owner roles are created |
Do not create custom roles with subscription ownership. It is recommended to use the principle of least privilege, assigning only needed privileges instead of allowing full administrative access. |
Auth
|
Role should not have ( Type eq "CustomRole" and Permissions with [ Actions has ( "*" ) ] ) |
| Identities and credentials: Ensure that Azure Active Directory Admin is configured for SQL Servers |
Use Azure Active Directory Authentication for authentication with SQL Database. |
SQL
|
SQLServer should have ADAdmin . Status |
| Ensure that a Log Profile exists |
Enable log profile for exporting activity logs. |
Monitor
|
Azure should have ActivityLogProfile len () > 0 |
| Ensure that Activity Log Retention is set 365 days or greater |
Ensure Activity Log Retention is set for 365 days or greater |
Monitor
|
ActivityLogProfile should have (RetentionEnabled and RetentionDays gte 365) or (RetentionEnabled eq False and RetentionDays eq 0) |
| Ensure that Activity Log Alert exists for Create Policy Assignment |
Create an activity log alert for the Create Policy Assignment event. |
Monitor
|
Azure should have atleast one ActivityLogAlert with [ SubscriptionScope and RegionName eq "global" and Enabled and ActionGroupId len () gt 0 and Conditions with [ Field eq "operationName" and Value like "Microsoft.Authorization/policyAssignments/write" ] ] |
| Ensure that Activity Log Alert exists for Create or Update Network Security Group |
Create an activity log alert for Create or Update Network Security Group event. |
Monitor
|
Azure should have atleast one ActivityLogAlert with [ SubscriptionScope and RegionName eq "global" and Enabled and ActionGroupId len () gt 0 and Conditions with [ Field eq "operationName" and Value like "Microsoft.Network/networkSecurityGroups/write" ] ] |
| Ensure that Activity Log Alert exists for Delete Network Security Group |
Create an activity log alert for Delete Network Security Group event. |
Monitor
|
Azure should have atleast one ActivityLogAlert with [ SubscriptionScope and RegionName eq "global" and Enabled and ActionGroupId len () gt 0 and Conditions with [ Field eq "operationName" and Value like "Microsoft.Network/networkSecurityGroups/delete" ] ] |
| Ensure that Activity Log Alert exists for Create or Update Network Security Group Rule |
Create an activity log alert for the Create or Update Network Security Group Rule event |
Monitor
|
Azure should have atleast one ActivityLogAlert with [ SubscriptionScope and RegionName eq "global" and Enabled and ActionGroupId len () gt 0 and Conditions with [ Field eq "operationName" and Value like "Microsoft.Network/networkSecurityGroups/securityRules/write" ] ] |
| Ensure that activity log alert exists for the Delete Network Security Group Rule |
Create an activity log alert for the Delete Network Security Group Rule event |
Monitor
|
Azure should have atleast one ActivityLogAlert with [ SubscriptionScope and RegionName eq "global" and Enabled and ActionGroupId len () gt 0 and Conditions with [ Field eq "operationName" and Value like "Microsoft.Network/networkSecurityGroups/securityRules/delete" ] ] |
| Ensure that Activity Log Alert exists for Create or Update Security Solution |
Create an activity log alert for the Create or Update Security Solution event. |
Monitor
|
Azure should have atleast one ActivityLogAlert with [ SubscriptionScope and RegionName eq "global" and Enabled and ActionGroupId len () gt 0 and Conditions with [ Field eq "operationName" and Value like "Microsoft.Security/securitySolutions/write" ] ] |
| Ensure that Activity Log Alert exists for Delete Security Solution |
Create an activity log alert for the Delete Security Solution event. |
Monitor
|
Azure should have atleast one ActivityLogAlert with [ SubscriptionScope and RegionName eq "global" and Enabled and ActionGroupId len () gt 0 and Conditions with [ Field eq "operationName" and Value like "Microsoft.Security/securitySolutions/delete" ] ] |
| Ensure that Activity Log Alert exists for Create or Update or Delete SQL Server Firewall Rule |
Create an activity log alert for the Create or Update or Delete SQL Server Firewall Rule event. |
Monitor
|
Azure should have atleast one ActivityLogAlert with [ SubscriptionScope and RegionName eq "global" and Enabled and ActionGroupId len () gt 0 and Conditions with [ Field eq "operationName" and Value like "Microsoft.Sql/servers/firewallRules/write" ] ] |
| Ensure that Activity Log Alert exists for Delete SQL Server Firewall Rule |
Create an Activity Log Alert for the Delete SQL Server Firewall Rule event. |
Monitor
|
Azure should have atleast one ActivityLogAlert with [ Conditions with [ Value like "microsoft.sql/servers/firewallrules/delete" ] ] |
| Ensure that Activity Log Alert exists for Update Security Policy |
Create an activity log alert for the Update Security Policy event. |
Monitor
|
Azure should have atleast one ActivityLogAlert with [ SubscriptionScope and RegionName eq "global" and Enabled and ActionGroupId len () gt 0 and Conditions with [ Field eq "operationName" and Value like "Microsoft.Security/policies/write" ] ] |
| Ensure that logging for Azure KeyVault is 'Enabled' |
Enable AuditEvent logging for Key Vault instances to ensure interactions with key vaults are logged and available. |
KeyVault
|
KeyVault should have DiagnosticSettings with [ StorageAccountId len ( ) gt 0 and Logs with [ Category len ( ) gt 0 and LogEnabled and ( RetentionPolicy . Days gte 180 or RetentionPolicy . Days eq 0 ) ] ] |
| Ensure ASC Default policy setting 'Monitor Vulnerability Assessment' is not 'Disabled' |
Enable Vulnerability assessment recommendations for virtual machines. |
SecurityCenter
|
SecurityCenterPolicy should have VMVulnerabilityAssessment in ( "AuditIfNotExists", "Audit" ) |
| Vulnerability management plan: Ensure that VM agent is installed |
Install VM agent on Virtual Machines |
Compute
|
VirtualMachine should have Extensions with [ ExtensionType eq "MicrosoftMonitoringAgent" and ProvisioningState eq "Succeeded" ] |
| Ensure ASC Default policy setting 'Monitor Network Security Groups' is not 'Disabled' |
Enable Network security groups recommendations for virtual machines. |
SecurityCenter
|
SecurityCenterPolicy should have VMNetworkSecurityGroups in ( "AuditIfNotExists", "Audit" ) |
| Ensure ASC Default policy setting 'Monitor Web Application Firewall' is not 'Disabled' |
Enable Web application firewall recommendations for virtual machines. |
SecurityCenter
|
SecurityCenterPolicy should have VMWebApplicationFirewall in ( "AuditIfNotExists", "Audit" ) |
| Ensure ASC Default policy setting 'Enable Next Generation Firewall(NGFW) Monitoring' is not 'Disabled' |
Enable Next generation firewall recommendations for virtual machines. |
SecurityCenter
|
SecurityCenterPolicy should have VMNextGenerationFirewall in ( "AuditIfNotExists", "Audit" ) |
| Ensure ASC Default policy setting 'Monitor JIT Network Access' is not 'Disabled' |
Enable JIT Network Access for virtual machines. |
SecurityCenter
|
SecurityCenterPolicy should have VMJITNetworkAccess in ( "AuditIfNotExists", "Audit" ) |
| Ensure ASC Default policy setting 'Monitor Adaptive Application Whitelisting' is not 'Disabled' |
Enable adaptive application controls. |
SecurityCenter
|
SecurityCenterPolicy should have AdaptiveApplicationControls in ( "AuditIfNotExists", "Audit" ) |
| Ensure that RDP access is restricted from the internet |
Check Network Security Groups for any inbound access from the Internet to RDP port 3389 (UDP or TCP). |
Network
|
VirtualMachine should not have NetworkInterfaces with [ SecurityGroup . SecurityRules with [ Access eq "Allow" and Direction eq "Inbound" and Protocol in ("*", "TCP") and Destination . PortRange with [ FromPort lte 3389 and ToPort gte 3389 ] and ( ( Source . Type eq "Any" ) or ( Source . Type eq "Service Tag" and Source . ServiceTag eq "Internet" ) or ( Source . Type eq "IP Addresses" and Source . Addresses with [ Prefix in ( "0.0.0.0/0", "::/0", "/0", "/0" ) ] ) ) ] ] |
| Ensure that SSH access is restricted from the internet |
Disable SSH access on Network Security Groups from Internet |
Network
|
VirtualMachine should not have NetworkInterfaces with [ SecurityGroup . SecurityRules with [ Access eq "Allow" and Direction eq "Inbound" and Protocol in ("*", "TCP") and Destination . PortRange with [ FromPort lte 22 and ToPort gte 22 ] and ( ( Source . Type eq "Any" ) or ( Source . Type eq "Service Tag" and Source . ServiceTag eq "Internet" ) or ( Source . Type eq "IP Addresses" and Source . Addresses with [ Prefix in ( "0.0.0.0/0", "::/0", "/0", "/0" ) ] ) ) ] ] |
| Communications and control network protection: Ensure that SQL server access is restricted from the internet |
Ensure that no SQL Databases allow ingress from the internet. |
SQL
|
SQLServer should not have FirewallRule with [ StartIP eq 0.0.0.0 and EndIP eq 0.0.0.0 ] |
| Baseline network operations and data flows: Ensure that Network Watcher is 'Enabled' |
Enable Network Watcher for your Azure Subscriptions |
Network
|
Subscription should have NetworkWatcherEnabled |
| Data-at-rest is protected: Ensure that 'Public access level' is set to Private for blob containers |
Disable anonymous access to blob containers. |
Storage
|
StorageAccount should have every BlobContainers with [ Access eq "None" ] or not AllowBlobPublic |
| Personnel know response roles/operations: Ensure that 'Security contact emails' is set |
Provide a security contact email address. |
SecurityCenter
|
SecurityCenterPolicy should have SecurityContactEmails len() > 0 |
| Personnel know response roles/operations: Ensure that security contact 'Phone number' is set |
Provide a security contact phone number. |
SecurityCenter
|
SecurityCenterPolicy should have SecurityContactPhoneNumber neq "" |
| Personnel know response roles/operations: Ensure that 'Send me emails about alerts' is set to 'On' |
Enable security alerts emailing to security contact. |
SecurityCenter
|
SecurityCenterPolicy should have SendEmailAboutAlerts |
| Personnel know response roles/operations: Ensure that 'Also send email to subscription owners' is set to 'On' |
Enable security alerts emailing to subscription owners. |
SecurityCenter
|
SecurityCenterPolicy should have SendEmailToSubscriptionOwners |
| Personnel know response roles/operations: Ensure that 'Send Alerts to' is set for SQL Servers |
Provide the email address to which alerts will be sent upon detection of anomalous activities on SQL Servers. |
SQL
|
SQLServer should have ThreatPolicy . EmailAddresses |
| Personnel know response roles/operations: Ensure that 'Email service and co-administrators' is 'Enabled' for SQL Servers |
Enable service and co-administrators to receive security alerts from SQL Server. |
SQL
|
SQLServer should have ThreatPolicy . EmailAccountAdmins eq "Enabled" |
| Ensure that 'Send Alerts to' is set for SQL Databases |
Provide the email address to which alerts will be sent upon detection of anomalous activities on SQL Databases. |
SQL
|
SQLDatabase should have ThreatPolicy . EmailAddresses len() gt 0 |
| Ensure that 'Email service and co-administrators' is 'Enabled' for SQL Databases |
Enable service and co-administrators to receive security alerts from SQL Databases. |
SQL
|
SQLDatabase should have ThreatPolicy . EmailAccountAdmins eq "Enabled" |
| Monitor network to detect potential cybersecurity events: Ensure that standard pricing tier is selected in Azure Security Center |
Standard pricing tier enables threat detection for networks and virtual machines, providing threat intelligence, anomaly detection, and behavior analytics in Azure Security Center. |
SecurityCenter
|
SecurityCenterPolicy should have SelectedPricingTier eq "Standard" |
| Ensure That Auto provisioning of 'Log Analytics agent for Azure VMs' is Set to 'On' |
Enable Automatic provisioning of monitoring agent to collect security data. |
AAD
|
SecurityCenterPolicy should have AutomaticProvisioningOfMonitoringAgent eq "On" |
| Ensure ASC Default policy setting 'Monitor System Updates' is not 'Disabled' |
Enable system updates recommendations for virtual machines. |
SecurityCenter
|
SecurityCenterPolicy should have VMSystemUpdates in ( "AuditIfNotExists", "Audit" ) |
| Ensure ASC Default policy setting 'Monitor OS Vulnerabilities' is not 'Disabled' |
Enable OS vulnerabilities recommendations for virtual machines. |
SecurityCenter
|
SecurityCenterPolicy should have VMSecurityConfigurations in ( "AuditIfNotExists", "Audit" ) |
| Ensure ASC Default policy setting 'Monitor SQL Auditing' is not 'Disabled' |
Enable SQL auditing & Threat detection recommendations. |
SecurityCenter
|
SecurityCenterPolicy should have SQLAuditingAndThreatDetection in ( "AuditIfNotExists", "Audit" ) |
| Ensure that 'Auditing' is set to 'On' for SQL Servers |
Enable auditing on SQL Servers. |
SQL
|
SQLServer should have AuditPolicy . State eq "Enabled" |
| Monitor network to detect potential cybersecurity events: Ensure that 'Threat Detection' is set to 'On' for SQL Servers |
Enable threat detection on SQL Servers. |
SQL
|
SQLServer should have ThreatPolicy . State eq "Enabled" |
| Monitor network to detect potential cybersecurity events: Ensure that 'Threat Detection Types' is set to 'All' for SQL Servers |
Enable all types of threat detection on SQL Servers. |
SQL
|
SQLServer should have ThreatPolicy . State eq "Enabled" and not ( ThreatPolicy . DisabledAlerts like "Sql" or ThreatPolicy . DisabledAlerts like "Anomaly" ) |
| Ensure that 'Auditing' is set to 'On' for SQL Databases |
Enable auditing on SQL Databases. |
SQL
|
SQLDatabase should have AuditPolicy . State eq "Enabled" |
| Ensure that 'Threat Detection' is set to 'On' for SQL Databases |
Enable threat detection on SQL Databases. |
SQL
|
SQLDatabase should have ThreatPolicy . State eq "Enabled" |
| Ensure that 'Threat Detection Types' is set to 'All' for SQL Databases |
Enable all types of threat detection on SQL Databases. |
SQL
|
SQLDatabase should have ThreatPolicy . State eq "Enabled" and not ( ThreatPolicy . DisabledAlerts like "Sql" or ThreatPolicy . DisabledAlerts like "Anomaly" ) |
| Ensure that the endpoint protection for all Virtual Machines is installed |
Install Endpoint Protection for all Virtual Machines. |
Compute
|
VirtualMachine should have Extensions with [ ExtensionType in ( "EndpointSecurity", "TrendMicroDSA*", "Antimalware" , "EndpointProtection" , "SCWPAgent", "PortalProtectExtension*" , "FileSecurity*" ) ] |
