Netskope

Azure Predefined Rules



🔍
Name Description Service Rule
Ensure that 'OMS Agent' is enabled for the 'addon profile OMS Agent to be enabled in the addon profile Kubernetes
AKSCluster should have AddonProfiles . OMSAgent . Enabled eq true
Ensure that 'Tags' are present on 'Kubernetes Cluster' Check for tags on Kubernetes clusters Kubernetes
AKSCluster should have Tags len ( ) gt 0
Ensure that 'site authentication' is enabled on 'Function app' Check for authentication is enabled on Function app Function
FunctionApp should have every AuthSettings with [ Enabled eq true ]
Ensure that'Public SSL Cert' is present in 'Function App' Ensure that Function App has a Public SSL Cert Function
FunctionApp should have PublicCertificates len ( ) gt 0
Ensure that 'CORS allowed origin' are present on 'Function App' Ensure that FunctionApp has CORS allowed origin Function
FunctionApp should have every Configurations with [ CORS . AllowedOrigins len () gt 0 ]
Ensure that 'non-public access' to 'CosmosDB' Ensure that 'non-public access' to 'CosmosDB' Database
CosmosDB should not have IpRules with [ value isPublic() ]
Ensure that 'Virtual Network' Integrated with service 'Endpoints' Ensure that Virtual Network is Integrated with Service Endpoints VPC
VirtualNetwork should have every Subnets with [ EndpointServices len ( ) gt 0 ]
Ensure LoadBalancer doesnot have public ip LoadBalancer frontend ip config should not have public IPs Network
LoadBalancer should have public_ip len() eq 0
Name Description Service Rule
Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL Servers SQL Server Audit Retention should be configured to be greater than 90 days. SQL
SQLServer should have ( AuditPolicy . RetentionDays gte 90 or AuditPolicy . RetentionDays lte 0 )
Audit/log records: Ensure that 'Threat Detection' Retention is 'greater than 90 days' for SQL Servers SQL Server Threat Detection Retention should be configured to be greater than 90 days. SQL
SQLServer should have ( ThreatPolicy . RetentionDays gte 90 or ThreatPolicy . RetentionDays lte 0 )
Ensure that the expiry date is set on all Keys Ensure that all Keys in Azure Key Vault have an expiry time set. KeyVault
KeyVault should not have Keys with [ Expires eq False ]
Ensure that the expiry date is set on all Secrets Ensure that all Secrets in Azure Key Vault have an expiry time set. KeyVault
KeyVault should not have Secrets with [ Expires eq False ]
Ensure ASC Default policy setting 'Monitor Disk Encryption' is not 'Disabled' Enable Disk encryption recommendations for virtual machines. SecurityCenter
SecurityCenterPolicy should have VMDiskEncryption in ( "AuditIfNotExists", "Audit" )
Ensure that 'Storage Encryption' is set to 'On' Enable Storage Encryption recommendations. SecurityCenter
SecurityCenterPolicy should have StorageEncryption in ( "AuditIfNotExists", "Audit" )
Ensure ASC Default policy setting 'Monitor SQL Encryption' is not 'Disabled' Enable SQL Encryption recommendations. SecurityCenter
SecurityCenterPolicy should have SQLEncryption in ( "AuditIfNotExists", "Audit" )
Ensure that 'Secure transfer required' is set to 'Enabled' Enable data encryption is transit. Storage
StorageAccount should have EnableHttpsTrafficOnly
Ensure that 'Storage service encryption' is set to Enabled for Blob Service Enable data encryption at rest for blobs. Storage
StorageAccount should have BlobEncryptionEnabled
Ensure that 'Storage service encryption' is set to Enabled for File Service Enable data encryption at rest for file service. Storage
StorageAccount should have FileEncryptionEnabled
Data-at-rest is protected: Ensure that 'OS disk' are encrypted Ensure that OS disks (boot volumes) are encrypted, where possible Compute
VirtualMachine should have DiskEncryptionStatus . OSDisk
Ensure that 'Data disks' are encrypted Ensure that Data disks (non-boot volumes) are encrypted, where possible Compute
VirtualMachine should have DiskEncryptionStatus . DataDisk
Identities and credentials: Ensure that there are no guest users Do not add guest users if not needed. AAD
User should not have Type eq "Guest"
Identities and credentials: Ensure that no custom subscription owner roles are created Do not create custom roles with subscription ownership. It is recommended to use the principle of least privilege, assigning only needed privileges instead of allowing full administrative access. Auth
Role should not have ( Type eq "CustomRole" and Permissions with [ Actions has ( "*" ) ] )
Identities and credentials: Ensure that Azure Active Directory Admin is configured for SQL Servers Use Azure Active Directory Authentication for authentication with SQL Database. SQL
SQLServer should have ADAdmin . Status
Ensure that a Log Profile exists Enable log profile for exporting activity logs. Monitor
Azure should have ActivityLogProfile len () > 0
Ensure that Activity Log Retention is set 365 days or greater Ensure Activity Log Retention is set for 365 days or greater Monitor
ActivityLogProfile should have RetentionDays gte 365
Ensure that Activity Log Alert exists for Create Policy Assignment Create an Activity Log Alert for the Create Policy Assignment event. Monitor
Azure should have atleast one ActivityLogAlert with [ Conditions with [ Value like "microsoft.authorization/policyassignments/write" ] ]
Ensure that Activity Log Alert exists for Create or Update Network Security Group Create an Activity Log Alert for the Create or Update Network Security Group event. Monitor
Azure should have atleast one ActivityLogAlert with [ Conditions with [ Value like "microsoft.network/networksecuritygroups/write" ] ]
Ensure that Activity Log Alert exists for Delete Network Security Group Create an Activity Log Alert for the Delete Network Security Group event. Monitor
Azure should have atleast one ActivityLogAlert with [ Conditions with [ Value like "microsoft.network/networksecuritygroups/delete" ] ]
Ensure that Activity Log Alert exists for Create or Update Network Security Group Rule Create an Activity Log Alert for the Create or Update Network Security Group Rule event. Monitor
Azure should have atleast one ActivityLogAlert with [ Conditions with [ Value like "microsoft.network/networksecuritygroups/securityrules/write" ] ]
Ensure that Activity Log Alert exists for Delete Network Security Group Rule Create an Activity Log Alert for the Delete Network Security Group Rule event. Monitor
Azure should have atleast one ActivityLogAlert with [ Conditions with [ Value like "microsoft.network/networksecuritygroups/securityrules/delete" ] ]
Ensure that Activity Log Alert exists for Create or Update Security Solution Create an Activity Log Alert for the Create or Update Security Solution event. Monitor
Azure should have atleast one ActivityLogAlert with [ Conditions with [ Value like "microsoft.security/securitysolutions/write" ] ]
Ensure that Activity Log Alert exists for Delete Security Solution Create an Activity Log Alert for the Delete Security Solution event. Monitor
Azure should have atleast one ActivityLogAlert with [ Conditions with [ Value like "microsoft.security/securitysolutions/delete" ] ]
Ensure that Activity Log Alert exists for Create or Update SQL Server Firewall Rule Create an Activity Log Alert for the Create or Update SQL Server Firewall Rule event. Monitor
Azure should have atleast one ActivityLogAlert with [ Conditions with [ Value like "microsoft.sql/servers/firewallrules/write" ] ]
Ensure that Activity Log Alert exists for Delete SQL Server Firewall Rule Create an Activity Log Alert for the Delete SQL Server Firewall Rule event. Monitor
Azure should have atleast one ActivityLogAlert with [ Conditions with [ Value like "microsoft.sql/servers/firewallrules/delete" ] ]
Ensure that Activity Log Alert exists for Update Security Policy Create an Activity Log Alert for the Update Security Policy event. Monitor
Azure should have atleast one ActivityLogAlert with [ Conditions with [ Value like "microsoft.security/policies/write" ] ]
Ensure that logging for Azure KeyVault is 'Enabled' Enable AuditEvent logging for Key Vault instances to ensure interactions with key vaults are logged and available. KeyVault
KeyVault should have DiagnosticSettings with [ StorageAccountId len ( ) gt 0 and Logs with [ Category len ( ) gt 0 and LogEnabled and ( RetentionPolicy . Days gte 180 or RetentionPolicy . Days eq 0 ) ] ]
Ensure ASC Default policy setting 'Monitor Vulnerability Assessment' is not 'Disabled' Enable Vulnerability assessment recommendations for virtual machines. SecurityCenter
SecurityCenterPolicy should have VMVulnerabilityAssessment in ( "AuditIfNotExists", "Audit" )
Vulnerability management plan: Ensure that VM agent is installed Install VM agent on Virtual Machines Compute
VirtualMachine should have Extensions with [ ExtensionType eq "MicrosoftMonitoringAgent" and ProvisioningState eq "Succeeded" ]
Ensure ASC Default policy setting 'Monitor Network Security Groups' is not 'Disabled' Enable Network security groups recommendations for virtual machines. SecurityCenter
SecurityCenterPolicy should have VMNetworkSecurityGroups in ( "AuditIfNotExists", "Audit" )
Ensure ASC Default policy setting 'Monitor Web Application Firewall' is not 'Disabled' Enable Web application firewall recommendations for virtual machines. SecurityCenter
SecurityCenterPolicy should have VMWebApplicationFirewall in ( "AuditIfNotExists", "Audit" )
Ensure ASC Default policy setting 'Enable Next Generation Firewall(NGFW) Monitoring' is not 'Disabled' Enable Next generation firewall recommendations for virtual machines. SecurityCenter
SecurityCenterPolicy should have VMNextGenerationFirewall in ( "AuditIfNotExists", "Audit" )
Ensure ASC Default policy setting 'Monitor JIT Network Access' is not 'Disabled' Enable JIT Network Access for virtual machines. SecurityCenter
SecurityCenterPolicy should have VMJITNetworkAccess in ( "AuditIfNotExists", "Audit" )
Ensure ASC Default policy setting 'Monitor Adaptive Application Whitelisting' is not 'Disabled' Enable adaptive application controls. SecurityCenter
SecurityCenterPolicy should have AdaptiveApplicationControls in ( "AuditIfNotExists", "Audit" )
Ensure that RDP access is restricted from the internet Disable RDP access on Network Security Groups from Internet Network
NetworkSecurityGroup should not have SecurityRules with [ Access eq "Allow" and Direction eq "Inbound" and Protocol in ("*", "UDP", "TCP") and ( Destination . PortRange with [ FromPort lte 3389 and ToPort gte 3389 ] ) and ( ( Source . Type eq "Any" ) or ( Source . Type eq "Service Tag" and Source . ServiceTag eq "Internet" ) or ( Source . Type eq "IP Addresses" and Source . Addresses with [ Prefix in ( "0.0.0.0/0", "::/0", "/0", "/0" ) ] ) ) ]
Ensure that SSH access is restricted from the internet Disable SSH access on Network Security Groups from Internet Network
NetworkSecurityGroup should not have SecurityRules with [ Access eq "Allow" and Direction eq "Inbound" and Protocol in ("*", "TCP") and ( Destination . PortRange with [ FromPort lte 22 and ToPort gte 22 ] ) and ( ( Source . Type eq "Any" ) or ( Source . Type eq "Service Tag" and Source . ServiceTag eq "Internet" ) or ( Source . Type eq "IP Addresses" and Source . Addresses with [ Prefix in ( "0.0.0.0/0", "::/0", "/0", "/0" ) ] ) ) ]
Communications and control network protection: Ensure that SQL server access is restricted from the internet Ensure that no SQL Databases allow ingress from the internet. SQL
SQLServer should not have FirewallRule with [ StartIP eq 0.0.0.0 and EndIP eq 0.0.0.0 ]
Baseline network operations and data flows: Ensure that Network Watcher is 'Enabled' Enable Network Watcher for your Azure Subscriptions Network
Subscription should have NetworkWatcherEnabled
Data-at-rest is protected: Ensure that 'Public access level' is set to Private for blob containers Disable anonymous access to blob containers. Storage
StorageAccount should have every BlobContainers with [ Access eq "None" ] or not AllowBlobPublic
Personnel know response roles/operations: Ensure that 'Security contact emails' is set Provide a security contact email address. SecurityCenter
SecurityCenterPolicy should have SecurityContactEmails len() > 0
Personnel know response roles/operations: Ensure that security contact 'Phone number' is set Provide a security contact phone number. SecurityCenter
SecurityCenterPolicy should have SecurityContactPhoneNumber neq ""
Personnel know response roles/operations: Ensure that 'Send me emails about alerts' is set to 'On' Enable security alerts emailing to security contact. SecurityCenter
SecurityCenterPolicy should have SendEmailAboutAlerts
Personnel know response roles/operations: Ensure that 'Also send email to subscription owners' is set to 'On' Enable security alerts emailing to subscription owners. SecurityCenter
SecurityCenterPolicy should have SendEmailToSubscriptionOwners
Personnel know response roles/operations: Ensure that 'Send Alerts to' is set for SQL Servers Provide the email address to which alerts will be sent upon detection of anomalous activities on SQL Servers. SQL
SQLServer should have ThreatPolicy . EmailAddresses
Personnel know response roles/operations: Ensure that 'Email service and co-administrators' is 'Enabled' for SQL Servers Enable service and co-administrators to receive security alerts from SQL Server. SQL
SQLServer should have ThreatPolicy . EmailAccountAdmins eq "Enabled"
Ensure that 'Send Alerts to' is set for SQL Databases Provide the email address to which alerts will be sent upon detection of anomalous activities on SQL Databases. SQL
SQLDatabase should have ThreatPolicy . EmailAddresses
Ensure that 'Email service and co-administrators' is 'Enabled' for SQL Databases Enable service and co-administrators to receive security alerts from SQL Databases. SQL
SQLDatabase should have ThreatPolicy . EmailAccountAdmins eq "Enabled"
Ensure that the endpoint protection for all Virtual Machines is installed Install Endpoint Protection for all Virtual Machines. Compute
VirtualMachine should have Extensions with [ ExtensionType in ( "EndpointSecurity", "TrendMicroDSA*", "Antimalware" , "EndpointProtection" , "SCWPAgent", "PortalProtectExtension*" , "FileSecurity*" ) ]
Monitor network to detect potential cybersecurity events: Ensure that standard pricing tier is selected in Azure Security Center Standard pricing tier enables threat detection for networks and virtual machines, providing threat intelligence, anomaly detection, and behavior analytics in Azure Security Center. SecurityCenter
SecurityCenterPolicy should have SelectedPricingTier eq "Standard"
Ensure that 'Automatic provisioning of monitoring agent' is set to 'On' Enable Automatic provisioning of monitoring agent to collect security data. AAD
SecurityCenterPolicy should have AutomaticProvisioningOfMonitoringAgent eq "On"
Ensure ASC Default policy setting 'Monitor System Updates' is not 'Disabled' Enable system updates recommendations for virtual machines. SecurityCenter
SecurityCenterPolicy should have VMSystemUpdates in ( "AuditIfNotExists", "Audit" )
Ensure ASC Default policy setting 'Monitor OS Vulnerabilities' is not 'Disabled' Enable OS vulnerabilities recommendations for virtual machines. SecurityCenter
SecurityCenterPolicy should have VMSecurityConfigurations in ( "AuditIfNotExists", "Audit" )
Ensure ASC Default policy setting 'Monitor Endpoint Protection' is not 'Disabled' Enable Endpoint protection recommendations for virtual machines. SecurityCenter
SecurityCenterPolicy should have VMEndpointProtection in ( "AuditIfNotExists", "Audit" )
Ensure ASC Default policy setting 'Monitor SQL Auditing' is not 'Disabled' Enable SQL auditing & Threat detection recommendations. SecurityCenter
SecurityCenterPolicy should have SQLAuditingAndThreatDetection in ( "AuditIfNotExists", "Audit" )
Ensure that 'Auditing' is set to 'On' for SQL Servers Enable auditing on SQL Servers. SQL
SQLServer should have AuditPolicy . State eq "Enabled"
Monitor network to detect potential cybersecurity events: Ensure that 'Threat Detection' is set to 'On' for SQL Servers Enable threat detection on SQL Servers. SQL
SQLServer should have ThreatPolicy . State eq "Enabled"
Monitor network to detect potential cybersecurity events: Ensure that 'Threat Detection Types' is set to 'All' for SQL Servers Enable all types of threat detection on SQL Servers. SQL
SQLServer should have ThreatPolicy . State eq "Enabled" and not ( ThreatPolicy . DisabledAlerts like "Sql" or ThreatPolicy . DisabledAlerts like "Anomaly" )
Ensure that 'Auditing' is set to 'On' for SQL Databases Enable auditing on SQL Databases. SQL
SQLDatabase should have AuditPolicy . State eq "Enabled"
Ensure that 'Threat Detection' is set to 'On' for SQL Databases Enable threat detection on SQL Databases. SQL
SQLDatabase should have ThreatPolicy . State eq "Enabled"
Ensure that 'Threat Detection Types' is set to 'All' for SQL Databases Enable all types of threat detection on SQL Databases. SQL
SQLDatabase should have ThreatPolicy . State eq "Enabled" and not ( ThreatPolicy . DisabledAlerts like "Sql" or ThreatPolicy . DisabledAlerts like "Anomaly" )
Name Description Service Rule
Identities and credentials: Ensure that there are no guest users Do not add guest users if not needed. AAD
User should not have Type eq "Guest"
Identities and credentials: Ensure that no custom subscription owner roles are created Do not create custom roles with subscription ownership. It is recommended to use the principle of least privilege, assigning only needed privileges instead of allowing full administrative access. Auth
Role should not have ( Type eq "CustomRole" and Permissions with [ Actions has ( "*" ) ] )
Monitor network to detect potential cybersecurity events: Ensure that standard pricing tier is selected in Azure Security Center Standard pricing tier enables threat detection for networks and virtual machines, providing threat intelligence, anomaly detection, and behavior analytics in Azure Security Center. SecurityCenter
SecurityCenterPolicy should have SelectedPricingTier eq "Standard"
Ensure that 'Automatic provisioning of monitoring agent' is set to 'On' Enable Automatic provisioning of monitoring agent to collect security data. AAD
SecurityCenterPolicy should have AutomaticProvisioningOfMonitoringAgent eq "On"
Ensure ASC Default policy setting 'Monitor System Updates' is not 'Disabled' Enable system updates recommendations for virtual machines. SecurityCenter
SecurityCenterPolicy should have VMSystemUpdates in ( "AuditIfNotExists", "Audit" )
Ensure ASC Default policy setting 'Monitor OS Vulnerabilities' is not 'Disabled' Enable OS vulnerabilities recommendations for virtual machines. SecurityCenter
SecurityCenterPolicy should have VMSecurityConfigurations in ( "AuditIfNotExists", "Audit" )
Ensure ASC Default policy setting 'Monitor Endpoint Protection' is not 'Disabled' Enable Endpoint protection recommendations for virtual machines. SecurityCenter
SecurityCenterPolicy should have VMEndpointProtection in ( "AuditIfNotExists", "Audit" )
Ensure ASC Default policy setting 'Monitor Disk Encryption' is not 'Disabled' Enable Disk encryption recommendations for virtual machines. SecurityCenter
SecurityCenterPolicy should have VMDiskEncryption in ( "AuditIfNotExists", "Audit" )
Ensure ASC Default policy setting 'Monitor Network Security Groups' is not 'Disabled' Enable Network security groups recommendations for virtual machines. SecurityCenter
SecurityCenterPolicy should have VMNetworkSecurityGroups in ( "AuditIfNotExists", "Audit" )
Ensure ASC Default policy setting 'Monitor Web Application Firewall' is not 'Disabled' Enable Web application firewall recommendations for virtual machines. SecurityCenter
SecurityCenterPolicy should have VMWebApplicationFirewall in ( "AuditIfNotExists", "Audit" )
Ensure ASC Default policy setting 'Enable Next Generation Firewall(NGFW) Monitoring' is not 'Disabled' Enable Next generation firewall recommendations for virtual machines. SecurityCenter
SecurityCenterPolicy should have VMNextGenerationFirewall in ( "AuditIfNotExists", "Audit" )
Ensure ASC Default policy setting 'Monitor Vulnerability Assessment' is not 'Disabled' Enable Vulnerability assessment recommendations for virtual machines. SecurityCenter
SecurityCenterPolicy should have VMVulnerabilityAssessment in ( "AuditIfNotExists", "Audit" )
Ensure that 'Storage Encryption' is set to 'On' Enable Storage Encryption recommendations. SecurityCenter
SecurityCenterPolicy should have StorageEncryption in ( "AuditIfNotExists", "Audit" )
Ensure ASC Default policy setting 'Monitor JIT Network Access' is not 'Disabled' Enable JIT Network Access for virtual machines. SecurityCenter
SecurityCenterPolicy should have VMJITNetworkAccess in ( "AuditIfNotExists", "Audit" )
Ensure ASC Default policy setting 'Monitor Adaptive Application Whitelisting' is not 'Disabled' Enable adaptive application controls. SecurityCenter
SecurityCenterPolicy should have AdaptiveApplicationControls in ( "AuditIfNotExists", "Audit" )
Ensure ASC Default policy setting 'Monitor SQL Auditing' is not 'Disabled' Enable SQL auditing & Threat detection recommendations. SecurityCenter
SecurityCenterPolicy should have SQLAuditingAndThreatDetection in ( "AuditIfNotExists", "Audit" )
Ensure ASC Default policy setting 'Monitor SQL Encryption' is not 'Disabled' Enable SQL Encryption recommendations. SecurityCenter
SecurityCenterPolicy should have SQLEncryption in ( "AuditIfNotExists", "Audit" )
Personnel know response roles/operations: Ensure that 'Security contact emails' is set Provide a security contact email address. SecurityCenter
SecurityCenterPolicy should have SecurityContactEmails len() > 0
Personnel know response roles/operations: Ensure that security contact 'Phone number' is set Provide a security contact phone number. SecurityCenter
SecurityCenterPolicy should have SecurityContactPhoneNumber neq ""
Personnel know response roles/operations: Ensure that 'Send me emails about alerts' is set to 'On' Enable security alerts emailing to security contact. SecurityCenter
SecurityCenterPolicy should have SendEmailAboutAlerts
Personnel know response roles/operations: Ensure that 'Also send email to subscription owners' is set to 'On' Enable security alerts emailing to subscription owners. SecurityCenter
SecurityCenterPolicy should have SendEmailToSubscriptionOwners
Ensure that 'Secure transfer required' is set to 'Enabled' Enable data encryption is transit. Storage
StorageAccount should have EnableHttpsTrafficOnly
Ensure that 'Storage service encryption' is set to Enabled for Blob Service Enable data encryption at rest for blobs. Storage
StorageAccount should have BlobEncryptionEnabled
Ensure that 'Storage service encryption' is set to Enabled for File Service Enable data encryption at rest for file service. Storage
StorageAccount should have FileEncryptionEnabled
Data-at-rest is protected: Ensure that 'Public access level' is set to Private for blob containers Disable anonymous access to blob containers. Storage
StorageAccount should have every BlobContainers with [ Access eq "None" ] or not AllowBlobPublic
Ensure that 'Auditing' is set to 'On' for SQL Servers Enable auditing on SQL Servers. SQL
SQLServer should have AuditPolicy . State eq "Enabled"
Monitor network to detect potential cybersecurity events: Ensure that 'Threat Detection' is set to 'On' for SQL Servers Enable threat detection on SQL Servers. SQL
SQLServer should have ThreatPolicy . State eq "Enabled"
Monitor network to detect potential cybersecurity events: Ensure that 'Threat Detection Types' is set to 'All' for SQL Servers Enable all types of threat detection on SQL Servers. SQL
SQLServer should have ThreatPolicy . State eq "Enabled" and not ( ThreatPolicy . DisabledAlerts like "Sql" or ThreatPolicy . DisabledAlerts like "Anomaly" )
Personnel know response roles/operations: Ensure that 'Send Alerts to' is set for SQL Servers Provide the email address to which alerts will be sent upon detection of anomalous activities on SQL Servers. SQL
SQLServer should have ThreatPolicy . EmailAddresses
Personnel know response roles/operations: Ensure that 'Email service and co-administrators' is 'Enabled' for SQL Servers Enable service and co-administrators to receive security alerts from SQL Server. SQL
SQLServer should have ThreatPolicy . EmailAccountAdmins eq "Enabled"
Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL Servers SQL Server Audit Retention should be configured to be greater than 90 days. SQL
SQLServer should have ( AuditPolicy . RetentionDays gte 90 or AuditPolicy . RetentionDays lte 0 )
Audit/log records: Ensure that 'Threat Detection' Retention is 'greater than 90 days' for SQL Servers SQL Server Threat Detection Retention should be configured to be greater than 90 days. SQL
SQLServer should have ( ThreatPolicy . RetentionDays gte 90 or ThreatPolicy . RetentionDays lte 0 )
Identities and credentials: Ensure that Azure Active Directory Admin is configured for SQL Servers Use Azure Active Directory Authentication for authentication with SQL Database. SQL
SQLServer should have ADAdmin . Status
Ensure that 'Auditing' is set to 'On' for SQL Databases Enable auditing on SQL Databases. SQL
SQLDatabase should have AuditPolicy . State eq "Enabled"
Ensure that 'Threat Detection' is set to 'On' for SQL Databases Enable threat detection on SQL Databases. SQL
SQLDatabase should have ThreatPolicy . State eq "Enabled"
Ensure that 'Threat Detection Types' is set to 'All' for SQL Databases Enable all types of threat detection on SQL Databases. SQL
SQLDatabase should have ThreatPolicy . State eq "Enabled" and not ( ThreatPolicy . DisabledAlerts like "Sql" or ThreatPolicy . DisabledAlerts like "Anomaly" )
Ensure that 'Send Alerts to' is set for SQL Databases Provide the email address to which alerts will be sent upon detection of anomalous activities on SQL Databases. SQL
SQLDatabase should have ThreatPolicy . EmailAddresses
Ensure that 'Email service and co-administrators' is 'Enabled' for SQL Databases Enable service and co-administrators to receive security alerts from SQL Databases. SQL
SQLDatabase should have ThreatPolicy . EmailAccountAdmins eq "Enabled"
Ensure that 'Data encryption' is set to 'On' for SQL Databases Encrypt database. SQL
SQLDatabase should have DataEncryption . TransparentDataEncryptionStatus eq "Enabled"
Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL Databases SQL Database Audit Retention should be configured to be greater than 90 days. SQL
SQLDatabase should have ( AuditPolicy . RetentionDays gte 90 or AuditPolicy . RetentionDays lte 0 )
Ensure that 'Threat Detection' Retention is 'greater than 90 days' for SQL Databases SQL Database Threat Detection Retention should be configured to be greater than 90 days. SQL
SQLDatabase should have ( ThreatPolicy . RetentionDays gte 90 or ThreatPolicy . RetentionDays lte 0 )
Ensure that a Log Profile exists Enable log profile for exporting activity logs. Monitor
Azure should have ActivityLogProfile len () > 0
Ensure that Activity Log Retention is set 365 days or greater Ensure Activity Log Retention is set for 365 days or greater Monitor
ActivityLogProfile should have RetentionDays gte 365
Ensure that Activity Log Alert exists for Create Policy Assignment Create an Activity Log Alert for the Create Policy Assignment event. Monitor
Azure should have atleast one ActivityLogAlert with [ Conditions with [ Value like "microsoft.authorization/policyassignments/write" ] ]
Ensure that Activity Log Alert exists for Create or Update Network Security Group Create an Activity Log Alert for the Create or Update Network Security Group event. Monitor
Azure should have atleast one ActivityLogAlert with [ Conditions with [ Value like "microsoft.network/networksecuritygroups/write" ] ]
Ensure that Activity Log Alert exists for Delete Network Security Group Create an Activity Log Alert for the Delete Network Security Group event. Monitor
Azure should have atleast one ActivityLogAlert with [ Conditions with [ Value like "microsoft.network/networksecuritygroups/delete" ] ]
Ensure that Activity Log Alert exists for Create or Update Network Security Group Rule Create an Activity Log Alert for the Create or Update Network Security Group Rule event. Monitor
Azure should have atleast one ActivityLogAlert with [ Conditions with [ Value like "microsoft.network/networksecuritygroups/securityrules/write" ] ]
Ensure that Activity Log Alert exists for Delete Network Security Group Rule Create an Activity Log Alert for the Delete Network Security Group Rule event. Monitor
Azure should have atleast one ActivityLogAlert with [ Conditions with [ Value like "microsoft.network/networksecuritygroups/securityrules/delete" ] ]
Ensure that Activity Log Alert exists for Create or Update Security Solution Create an Activity Log Alert for the Create or Update Security Solution event. Monitor
Azure should have atleast one ActivityLogAlert with [ Conditions with [ Value like "microsoft.security/securitysolutions/write" ] ]
Ensure that Activity Log Alert exists for Delete Security Solution Create an Activity Log Alert for the Delete Security Solution event. Monitor
Azure should have atleast one ActivityLogAlert with [ Conditions with [ Value like "microsoft.security/securitysolutions/delete" ] ]
Ensure that Activity Log Alert exists for Create or Update SQL Server Firewall Rule Create an Activity Log Alert for the Create or Update SQL Server Firewall Rule event. Monitor
Azure should have atleast one ActivityLogAlert with [ Conditions with [ Value like "microsoft.sql/servers/firewallrules/write" ] ]
Ensure that Activity Log Alert exists for Delete SQL Server Firewall Rule Create an Activity Log Alert for the Delete SQL Server Firewall Rule event. Monitor
Azure should have atleast one ActivityLogAlert with [ Conditions with [ Value like "microsoft.sql/servers/firewallrules/delete" ] ]
Ensure that Activity Log Alert exists for Update Security Policy Create an Activity Log Alert for the Update Security Policy event. Monitor
Azure should have atleast one ActivityLogAlert with [ Conditions with [ Value like "microsoft.security/policies/write" ] ]
Ensure that logging for Azure KeyVault is 'Enabled' Enable AuditEvent logging for Key Vault instances to ensure interactions with key vaults are logged and available. KeyVault
KeyVault should have DiagnosticSettings with [ StorageAccountId len ( ) gt 0 and Logs with [ Category len ( ) gt 0 and LogEnabled and ( RetentionPolicy . Days gte 180 or RetentionPolicy . Days eq 0 ) ] ]
Ensure that RDP access is restricted from the internet Disable RDP access on Network Security Groups from Internet Network
NetworkSecurityGroup should not have SecurityRules with [ Access eq "Allow" and Direction eq "Inbound" and Protocol in ("*", "UDP", "TCP") and ( Destination . PortRange with [ FromPort lte 3389 and ToPort gte 3389 ] ) and ( ( Source . Type eq "Any" ) or ( Source . Type eq "Service Tag" and Source . ServiceTag eq "Internet" ) or ( Source . Type eq "IP Addresses" and Source . Addresses with [ Prefix in ( "0.0.0.0/0", "::/0", "/0", "/0" ) ] ) ) ]
Ensure that SSH access is restricted from the internet Disable SSH access on Network Security Groups from Internet Network
NetworkSecurityGroup should not have SecurityRules with [ Access eq "Allow" and Direction eq "Inbound" and Protocol in ("*", "TCP") and ( Destination . PortRange with [ FromPort lte 22 and ToPort gte 22 ] ) and ( ( Source . Type eq "Any" ) or ( Source . Type eq "Service Tag" and Source . ServiceTag eq "Internet" ) or ( Source . Type eq "IP Addresses" and Source . Addresses with [ Prefix in ( "0.0.0.0/0", "::/0", "/0", "/0" ) ] ) ) ]
Communications and control network protection: Ensure that SQL server access is restricted from the internet Ensure that no SQL Databases allow ingress from the internet. SQL
SQLServer should not have FirewallRule with [ StartIP eq 0.0.0.0 and EndIP eq 0.0.0.0 ]
Baseline network operations and data flows: Ensure that Network Watcher is 'Enabled' Enable Network Watcher for your Azure Subscriptions Network
Subscription should have NetworkWatcherEnabled
Vulnerability management plan: Ensure that VM agent is installed Install VM agent on Virtual Machines Compute
VirtualMachine should have Extensions with [ ExtensionType eq "MicrosoftMonitoringAgent" and ProvisioningState eq "Succeeded" ]
Data-at-rest is protected: Ensure that 'OS disk' are encrypted Ensure that OS disks (boot volumes) are encrypted, where possible Compute
VirtualMachine should have DiskEncryptionStatus . OSDisk
Ensure that 'Data disks' are encrypted Ensure that Data disks (non-boot volumes) are encrypted, where possible Compute
VirtualMachine should have DiskEncryptionStatus . DataDisk
Ensure that the endpoint protection for all Virtual Machines is installed Install Endpoint Protection for all Virtual Machines. Compute
VirtualMachine should have Extensions with [ ExtensionType in ( "EndpointSecurity", "TrendMicroDSA*", "Antimalware" , "EndpointProtection" , "SCWPAgent", "PortalProtectExtension*" , "FileSecurity*" ) ]
Ensure that the expiry date is set on all Keys Ensure that all Keys in Azure Key Vault have an expiry time set. KeyVault
KeyVault should not have Keys with [ Expires eq False ]
Ensure that the expiry date is set on all Secrets Ensure that all Secrets in Azure Key Vault have an expiry time set. KeyVault
KeyVault should not have Secrets with [ Expires eq False ]
Ensure that Network Security Group Flow Log retention period is greater than 90 days Network Security Group Flow Logs should be enabled and retention period is set to greater than or equal to 90 days. Network
NetworkSecurityGroup should have FlowLog . RetentionPolicy . Days gt 90 and FlowLog . RetentionPolicy . Enabled
Ensure that storage account access keys are periodically regenerated Regenerate storage account access keys every 90 days Storage
StorageAccount should have KeyRegenerated
Name Description Service Rule
Identities and credentials: Ensure that there are no guest users Do not add guest users if not needed. AAD
User should not have Type eq "Guest"
Identities and credentials: Ensure that no custom subscription owner roles are created Do not create custom roles with subscription ownership. It is recommended to use the principle of least privilege, assigning only needed privileges instead of allowing full administrative access. Auth
Role should not have ( Type eq "CustomRole" and Permissions with [ Actions has ( "*" ) ] )
Monitor network to detect potential cybersecurity events: Ensure that standard pricing tier is selected in Azure Security Center Standard pricing tier enables threat detection for networks and virtual machines, providing threat intelligence, anomaly detection, and behavior analytics in Azure Security Center. SecurityCenter
SecurityCenterPolicy should have SelectedPricingTier eq "Standard"
Ensure that 'Automatic provisioning of monitoring agent' is set to 'On' Enable Automatic provisioning of monitoring agent to collect security data. AAD
SecurityCenterPolicy should have AutomaticProvisioningOfMonitoringAgent eq "On"
Ensure ASC Default policy setting 'Monitor System Updates' is not 'Disabled' Enable system updates recommendations for virtual machines. SecurityCenter
SecurityCenterPolicy should have VMSystemUpdates in ( "AuditIfNotExists", "Audit" )
Ensure ASC Default policy setting 'Monitor OS Vulnerabilities' is not 'Disabled' Enable OS vulnerabilities recommendations for virtual machines. SecurityCenter
SecurityCenterPolicy should have VMSecurityConfigurations in ( "AuditIfNotExists", "Audit" )
Ensure ASC Default policy setting 'Monitor Endpoint Protection' is not 'Disabled' Enable Endpoint protection recommendations for virtual machines. SecurityCenter
SecurityCenterPolicy should have VMEndpointProtection in ( "AuditIfNotExists", "Audit" )
Ensure ASC Default policy setting 'Monitor Disk Encryption' is not 'Disabled' Enable Disk encryption recommendations for virtual machines. SecurityCenter
SecurityCenterPolicy should have VMDiskEncryption in ( "AuditIfNotExists", "Audit" )
Ensure ASC Default policy setting 'Monitor Network Security Groups' is not 'Disabled' Enable Network security groups recommendations for virtual machines. SecurityCenter
SecurityCenterPolicy should have VMNetworkSecurityGroups in ( "AuditIfNotExists", "Audit" )
Ensure ASC Default policy setting 'Monitor Web Application Firewall' is not 'Disabled' Enable Web application firewall recommendations for virtual machines. SecurityCenter
SecurityCenterPolicy should have VMWebApplicationFirewall in ( "AuditIfNotExists", "Audit" )
Ensure ASC Default policy setting 'Enable Next Generation Firewall(NGFW) Monitoring' is not 'Disabled' Enable Next generation firewall recommendations for virtual machines. SecurityCenter
SecurityCenterPolicy should have VMNextGenerationFirewall in ( "AuditIfNotExists", "Audit" )
Ensure ASC Default policy setting 'Monitor Vulnerability Assessment' is not 'Disabled' Enable Vulnerability assessment recommendations for virtual machines. SecurityCenter
SecurityCenterPolicy should have VMVulnerabilityAssessment in ( "AuditIfNotExists", "Audit" )
Ensure that 'Storage Encryption' is set to 'On' Enable Storage Encryption recommendations. SecurityCenter
SecurityCenterPolicy should have StorageEncryption in ( "AuditIfNotExists", "Audit" )
Ensure ASC Default policy setting 'Monitor JIT Network Access' is not 'Disabled' Enable JIT Network Access for virtual machines. SecurityCenter
SecurityCenterPolicy should have VMJITNetworkAccess in ( "AuditIfNotExists", "Audit" )
Ensure ASC Default policy setting 'Monitor Adaptive Application Whitelisting' is not 'Disabled' Enable adaptive application controls. SecurityCenter
SecurityCenterPolicy should have AdaptiveApplicationControls in ( "AuditIfNotExists", "Audit" )
Ensure ASC Default policy setting 'Monitor SQL Auditing' is not 'Disabled' Enable SQL auditing & Threat detection recommendations. SecurityCenter
SecurityCenterPolicy should have SQLAuditingAndThreatDetection in ( "AuditIfNotExists", "Audit" )
Ensure ASC Default policy setting 'Monitor SQL Encryption' is not 'Disabled' Enable SQL Encryption recommendations. SecurityCenter
SecurityCenterPolicy should have SQLEncryption in ( "AuditIfNotExists", "Audit" )
Personnel know response roles/operations: Ensure that 'Security contact emails' is set Provide a security contact email address. SecurityCenter
SecurityCenterPolicy should have SecurityContactEmails len() > 0
Personnel know response roles/operations: Ensure that security contact 'Phone number' is set Provide a security contact phone number. SecurityCenter
SecurityCenterPolicy should have SecurityContactPhoneNumber neq ""
Personnel know response roles/operations: Ensure that 'Send me emails about alerts' is set to 'On' Enable security alerts emailing to security contact. SecurityCenter
SecurityCenterPolicy should have SendEmailAboutAlerts
Personnel know response roles/operations: Ensure that 'Also send email to subscription owners' is set to 'On' Enable security alerts emailing to subscription owners. SecurityCenter
SecurityCenterPolicy should have SendEmailToSubscriptionOwners
Ensure that 'Secure transfer required' is set to 'Enabled' Enable data encryption is transit. Storage
StorageAccount should have EnableHttpsTrafficOnly
Ensure that storage account access keys are periodically regenerated Regenerate storage account access keys every 90 days Storage
StorageAccount should have KeyRegenerated
Data-at-rest is protected: Ensure that 'Public access level' is set to Private for blob containers Disable anonymous access to blob containers. Storage
StorageAccount should have every BlobContainers with [ Access eq "None" ] or not AllowBlobPublic
Ensure default network access rule for Storage Accounts is set to deny Restricting default network access helps to provide a new layer of security, since storage accounts accept connections from clients on any network. To limit access to selected networks, the default action must be changed Storage
StorageAccount should not have ACL.DefaultAction eq "Allow"
Ensure Trusted Microsoft Services is enabled for Storage Account access Some Microsoft services that interact with storage accounts operate from networks that can't be granted access through network rules. To help this type of service work as intended, allow the set of trusted Microsoft services to bypass the network rules. These services will then use strong authentication to access the storage account. If the Allow trusted Microsoft services exception is enabled, the following services: Azure Backup, Azure Site Recovery, Azure DevTest Labs, Azure Event Grid, Azure Event Hubs, Azure Networking, Azure Monitor and Azure SQL Data Warehouse (when registered in the subscription), are granted access to the storage account. Storage
StorageAccount should have ACL.Bypass has ( "AzureServices")
Ensure that 'Auditing' is set to 'On' for SQL Servers Enable auditing on SQL Servers. SQL
SQLServer should have AuditPolicy . State eq "Enabled"
Ensure that AuditActionGroups in auditing policy for a SQL server is set properly Configure the AuditActionGroups property to appropriate groups to capture all the critical activities on the SQL Server and all the SQL databases hosted on the SQL server SQL
SQLServer should have AuditPolicy . AuditActionGroup has ("SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP", "FAILED_DATABASE_AUTHENTICATION_GROUP", "BATCH_COMPLETED_GROUP")
Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL Servers SQL Server Audit Retention should be configured to be greater than 90 days. SQL
SQLServer should have ( AuditPolicy . RetentionDays gte 90 or AuditPolicy . RetentionDays lte 0 )
Ensure that the Advanced Data Security of SQL Server is set to ON Enable Advanced Data Security on critical SQL Server SQL
SQLServer should have ThreatPolicy.State eq "Enabled"
Monitor network to detect potential cybersecurity events: Ensure that 'Threat Detection Types' is set to 'All' for SQL Servers Enable all types of threat detection on SQL Servers. SQL
SQLServer should have ThreatPolicy . State eq "Enabled" and not ( ThreatPolicy . DisabledAlerts like "Sql" or ThreatPolicy . DisabledAlerts like "Anomaly" )
Personnel know response roles/operations: Ensure that 'Send Alerts to' is set for SQL Servers Provide the email address to which alerts will be sent upon detection of anomalous activities on SQL Servers. SQL
SQLServer should have ThreatPolicy . EmailAddresses
Personnel know response roles/operations: Ensure that 'Email service and co-administrators' is 'Enabled' for SQL Servers Enable service and co-administrators to receive security alerts from SQL Server. SQL
SQLServer should have ThreatPolicy . EmailAccountAdmins eq "Enabled"
Identities and credentials: Ensure that Azure Active Directory Admin is configured for SQL Servers Use Azure Active Directory Authentication for authentication with SQL Database. SQL
SQLServer should have ADAdmin . Status
Ensure that Data encryption is set to On on a SQL Database Enable Transparent Data Encryption on every SQL Database SQL
SQLDatabase should have DataEncryption.TransparentDataEncryptionStatus eq "Enabled"
Ensure SQL server's TDE protector is encrypted with BYOK TDE with BYOK support provides increased transparency and control over the TDE Protector increased security with an HSM-backed external service and promotion of separation of duties SQL
SQLServer should have TDEProtector.kind eq "azurekeyvault" and TDEProtector.serverKeyType eq "AzureKeyVault" and TDEProtector.uri
Ensure Enforce SSL connection is set to ENABLED for MySQL Database Server Enable SSL connection on MYSQL Servers. SQL
MYSQLServer should have sslEnforcement eq "Enabled"
Ensure server parameter log_checkpoints is set to ON for PostgreSQL Database Server Enable log_checkpoints on PostgreSQL Servers SQL
PostgreSQLServer should have log_checkpoints like "[Oo][Nn]"
Enforce SSL connection is set to ENABLED for PostgreSQL Database Server Enable SSL connection on PostgreSQL Servers. SQL
PostgreSQLServer should have sslEnforcement eq "Enabled"
Ensure server parameter log_connections is set to ON for PostgreSQL Database Server Enable log_connections on PostgreSQL Servers SQL
PostgreSQLServer should have log_connections like "[Oo][Nn]"
Ensure server parameter log_disconnections is set to ON for PostgreSQL Database Server Enable log_disconnections on PostgreSQL Servers. SQL
PostgreSQLServer should have log_disconnections like "[Oo][Nn]"
Ensure server parameter log_duration is set to ON for PostgreSQL Database Server Enable log_duration on PostgreSQL Servers SQL
PostgreSQLServer should have log_duration like "[Oo][Nn]"
Ensure server parameter connection_throttling is set to ON for PostgreSQL Database Server Enable connection_throttling on PostgreSQL Servers SQL
PostgreSQLServer should have connection_throttling like "[Oo][Nn]"
Ensure server parameter log_retention_days is greater than 3 days for PostgreSQL Database Server Enable log_retention_days on PostgreSQL Servers. SQL
PostgreSQLServer should have log_retention_days gte 4
Ensure that a Log Profile exists Enable log profile for exporting activity logs. Monitor
Azure should have ActivityLogProfile len () > 0
Ensure that Activity Log Retention is set 365 days or greater Ensure Activity Log Retention is set for 365 days or greater Monitor
ActivityLogProfile should have (RetentionEnabled and RetentionDays gte 365) or (RetentionEnabled eq False and RetentionDays eq 0)
Ensure audit profile captures all the activities The log profile should be configured to export all activities from the control/management Monitor
ActivityLogProfile should have Categories has ("Write") and Categories has ("Delete") and Categories has ("Action")
Ensure the log profile captures activity logs for all regions including global Configure the log profile to export activities from all Azure supported regions/locations including global. Monitor
ActivityLogProfile should have AllRegion eq true
Ensure the storage account containing the container with activity logs is encrypted with BYOK The storage account with the activity log export container is configured to use BYOK (Use Your Own Key). Monitor
ActivityLogProfile should have StorageAccount.EncryptionType eq "Microsoft.Keyvault" and StorageAccount.KeyVaultUri
Ensure that logging for Azure KeyVault is 'Enabled' Enable AuditEvent logging for Key Vault instances to ensure interactions with key vaults are logged and available. KeyVault
KeyVault should have DiagnosticSettings with [ StorageAccountId len ( ) gt 0 and Logs with [ Category len ( ) gt 0 and LogEnabled and ( RetentionPolicy . Days gte 180 or RetentionPolicy . Days eq 0 ) ] ]
Ensure that Activity Log Alert exists for Create Policy Assignment Create an activity log alert for the Create Policy Assignment event. Monitor
Azure should have atleast one ActivityLogAlert with [ SubscriptionScope and RegionName eq "global" and Enabled and ActionGroupId len () gt 0 and Conditions with [ Field eq "operationName" and Value like "Microsoft.Authorization/policyAssignments/write" ] ]
Ensure that Activity Log Alert exists for Create or Update Network Security Group Create an activity log alert for Create or Update Network Security Group event. Monitor
Azure should have atleast one ActivityLogAlert with [ SubscriptionScope and RegionName eq "global" and Enabled and ActionGroupId len () gt 0 and Conditions with [ Field eq "operationName" and Value like "Microsoft.Network/networkSecurityGroups/write" ] ]
Ensure that Activity Log Alert exists for Delete Network Security Group Create an activity log alert for Delete Network Security Group event. Monitor
Azure should have atleast one ActivityLogAlert with [ SubscriptionScope and RegionName eq "global" and Enabled and ActionGroupId len () gt 0 and Conditions with [ Field eq "operationName" and Value like "Microsoft.Network/networkSecurityGroups/delete" ] ]
Ensure that Activity Log Alert exists for Create or Update Network Security Group Rule Create an activity log alert for the Create or Update Network Security Group Rule event Monitor
Azure should have atleast one ActivityLogAlert with [ SubscriptionScope and RegionName eq "global" and Enabled and ActionGroupId len () gt 0 and Conditions with [ Field eq "operationName" and Value like "Microsoft.Network/networkSecurityGroups/securityRules/write" ] ]
Ensure that activity log alert exists for the Delete Network Security Group Rule Create an activity log alert for the Delete Network Security Group Rule event Monitor
Azure should have atleast one ActivityLogAlert with [ SubscriptionScope and RegionName eq "global" and Enabled and ActionGroupId len () gt 0 and Conditions with [ Field eq "operationName" and Value like "Microsoft.Network/networkSecurityGroups/securityRules/delete" ] ]
Ensure that Activity Log Alert exists for Create or Update Security Solution Create an activity log alert for the Create or Update Security Solution event. Monitor
Azure should have atleast one ActivityLogAlert with [ SubscriptionScope and RegionName eq "global" and Enabled and ActionGroupId len () gt 0 and Conditions with [ Field eq "operationName" and Value like "Microsoft.Security/securitySolutions/write" ] ]
Ensure that Activity Log Alert exists for Delete Security Solution Create an activity log alert for the Delete Security Solution event. Monitor
Azure should have atleast one ActivityLogAlert with [ SubscriptionScope and RegionName eq "global" and Enabled and ActionGroupId len () gt 0 and Conditions with [ Field eq "operationName" and Value like "Microsoft.Security/securitySolutions/delete" ] ]
Ensure that Activity Log Alert exists for Create or Update or Delete SQL Server Firewall Rule Create an activity log alert for the Create or Update or Delete SQL Server Firewall Rule event. Monitor
Azure should have atleast one ActivityLogAlert with [ SubscriptionScope and RegionName eq "global" and Enabled and ActionGroupId len () gt 0 and Conditions with [ Field eq "operationName" and Value like "Microsoft.Sql/servers/firewallRules/write" ] ]
Ensure that Activity Log Alert exists for Update Security Policy Create an activity log alert for the Update Security Policy event. Monitor
Azure should have atleast one ActivityLogAlert with [ SubscriptionScope and RegionName eq "global" and Enabled and ActionGroupId len () gt 0 and Conditions with [ Field eq "operationName" and Value like "Microsoft.Security/policies/write" ] ]
Ensure that RDP access is restricted from the internet Check Network Security Groups for any inbound access from the Internet to RDP port 3389 (UDP or TCP). Network
VirtualMachine should not have NetworkInterfaces with [ SecurityGroup . SecurityRules with [ Access eq "Allow" and Direction eq "Inbound" and Protocol in ("*", "TCP") and Destination . PortRange with [ FromPort lte 3389 and ToPort gte 3389 ] and ( ( Source . Type eq "Any" ) or ( Source . Type eq "Service Tag" and Source . ServiceTag eq "Internet" ) or ( Source . Type eq "IP Addresses" and Source . Addresses with [ Prefix in ( "0.0.0.0/0", "::/0", "/0", "/0" ) ] ) ) ] ]
Ensure that SSH access is restricted from the internet Disable SSH access on Network Security Groups from Internet Network
VirtualMachine should not have NetworkInterfaces with [ SecurityGroup . SecurityRules with [ Access eq "Allow" and Direction eq "Inbound" and Protocol in ("*", "TCP") and Destination . PortRange with [ FromPort lte 22 and ToPort gte 22 ] and ( ( Source . Type eq "Any" ) or ( Source . Type eq "Service Tag" and Source . ServiceTag eq "Internet" ) or ( Source . Type eq "IP Addresses" and Source . Addresses with [ Prefix in ( "0.0.0.0/0", "::/0", "/0", "/0" ) ] ) ) ] ]
Communications and control network protection: Ensure that SQL server access is restricted from the internet Ensure that no SQL Databases allow ingress from the internet. SQL
SQLServer should not have FirewallRule with [ StartIP eq 0.0.0.0 and EndIP eq 0.0.0.0 ]
Ensure that Network Security Group Flow Log retention period is greater than 90 days Network Security Group Flow Logs should be enabled and retention period is set to greater than or equal to 90 days. Network
NetworkSecurityGroup should have FlowLog . RetentionPolicy . Days gt 90 and FlowLog . RetentionPolicy . Enabled
Baseline network operations and data flows: Ensure that Network Watcher is 'Enabled' Enable Network Watcher for your Azure Subscriptions Network
Subscription should have NetworkWatcherEnabled
Data-at-rest is protected: Ensure that 'OS disk' are encrypted Ensure that OS disks (boot volumes) are encrypted, where possible Compute
VirtualMachine should have DiskEncryptionStatus . OSDisk
Ensure that 'Data disks' are encrypted Ensure that Data disks (non-boot volumes) are encrypted, where possible Compute
VirtualMachine should have DiskEncryptionStatus . DataDisk
Ensure that 'Unattached disks' are encrypted with CMK Ensure that unattached disks in a subscription are encrypted with a Customer Managed Key Compute
Disk where DiskAttachment eq "Unattached" should have Encrypted
Ensure that the expiry date is set on all Keys Ensure that all Keys in Azure Key Vault have an expiry time set. KeyVault
KeyVault should not have Keys with [ Expires eq False ]
Ensure that the expiry date is set on all Secrets Ensure that all Secrets in Azure Key Vault have an expiry time set. KeyVault
KeyVault should not have Secrets with [ Expires eq False ]
Enable role-based access control (RBAC) within Azure Kubernetes Services Ensure that RBAC is enabled on all Azure Kubernetes Services Instances Kubernetes
AKSCluster should have EnableRBAC
Ensure App Service Authentication is set on Azure App Service Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the API app, or authenticate those that have tokens before they reach the API app. If an anonymous request is received from a browser, App Service will redirect to a logon page. To handle the logon process, a choice from a set of identity providers can be made, or a custom authentication mechanism can be implemented. Function
FunctionApp should have AuthSettings with [ Enabled and UnauthenticatedClientAction neq "AllowAnonymous" ]
Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service Azure Web Apps allows sites to run under both HTTP and HTTPS by default. Web apps can be accessed by anyone using non-secure HTTP links by default. Non-secure HTTP requests can be restricted and all HTTP requests redirected to the secure HTTPS port. It is recommended to enforce HTTPS-only traffic. Function
FunctionApp should have HttpsOnly
Ensure web app is using the latest version of TLS encryption The TLS(Transport Layer Security) protocol secures transmission of data over the internet using standard encryption technology. Encryption should be set with the latest version of TLS. App service allows TLS 1.2 by default, which is the recommended TLS level by industry standards, such as PCI DSS. Function
FunctionApp should have Configurations with [ MinTLSVersion eq "1.2" ]
Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On' Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. Function
FunctionApp should have ClientCertEnabled
Ensure that Register with Azure Active Directory is enabled on App Service Managed service identity in App Service makes the app more secure by eliminating secrets from the app, such as credentials in the connection strings. When registering with Azure Active Directory in the app service, the app will connect to other Azure services securely without the need of username and passwords. Function
FunctionApp should have ADRegistered
Name Description Service Rule
Identities and credentials: Ensure guest users are reviewed on a monthly basis Do not add guest users if not needed AAD
User should not have Type eq "Guest"
Azure Defender protection: Ensure that Azure Defender is set to On for Container Registries Turning on Azure Defender enables threat detection for Container Registries, providing threat intelligence, anomaly detection, and behavior analytics in the Azure Security Center. SecurityCenter
AzureDefender should have AzureDefenderForContainerRegistries
Azure Defender protection: Ensure that Azure Defender is set to On for SQL servers on machines Turning on Azure Defender enables threat detection for SQL servers on machines, providing threat intelligence, anomaly detection, and behavior analytics in the Azure Security Center. SecurityCenter
AzureDefender should have AzureDefenderForSQLServersOnMachine
Azure Defender protection: Ensure that Azure Defender is set to On for App Service Turning on Azure Defender enables threat detection for App Service, providing threat intelligence, anomaly detection, and behavior analytics in the Azure Security Center. SecurityCenter
AzureDefender should have AzureDefenderForAppService
Azure Defender protection: Ensure that Azure Defender is set to On for Key Vault Turning on Azure Defender enables threat detection for Key Vault, providing threat intelligence, anomaly detection, and behavior analytics in the Azure Security Center. SecurityCenter
AzureDefender should have AzureDefenderForKeyVault
Azure Defender protection: Ensure that Azure Defender is set to On for Servers Turning on Azure Defender enables threat detection for Server, providing threat intelligence, anomaly detection, and behavior analytics in the Azure Security Center. SecurityCenter
AzureDefender should have AzureDefenderForServer
Azure Defender protection: Ensure that Azure Defender is set to On for Azure SQL database servers Turning on Azure Defender enables threat detection for Azure SQL database servers, providing threat intelligence, anomaly detection, and behavior analytics in the Azure Security Center. SecurityCenter
AzureDefender should have AzureDefenderForAzureSQLDataBaseServers
Azure Defender protection: Ensure that Azure Defender is set to On for Kubernetes Turning on Azure Defender enables threat detection for Kubernetes, providing threat intelligence, anomaly detection, and behavior analytics in the Azure Security Center. SecurityCenter
AzureDefender should have AzureDefenderForKubernetes
Azure Defender protection: Ensure that Azure Defender is set to On for Storage Turning on Azure Defender enables threat detection for Storage, providing threat intelligence, anomaly detection, and behavior analytics in the Azure Security Center. SecurityCenter
AzureDefender should have AzureDefenderForStorage
Security Center protection: Ensure that Windows Defender ATP (WDATP) integration with Security Center is selected This setting enables Windows Defender ATP (WDATP) integration with Security Center. SecurityCenter
SecurityCenterPolicy should have WDATPIntegratedWithSecurityCenter
Security Center protection: Ensure that Microsoft Cloud App Security (MCAS) integration with Security Center is selected This setting enables Microsoft Cloud App Security (MCAS) integration with Security Center SecurityCenter
SecurityCenterPolicy should have MCASIntegratedWithSecurityCenter
Security Center protection: Ensure that 'Automatic provisioning of monitoring agent' is set to 'On' Enable automatic provisioning of the monitoring agent to collect security data SecurityCenter
SecurityCenterPolicy should have AutomaticProvisioningOfMonitoringAgent eq "On"
Security Center protection: Ensure 'Additional email addresses' is configured with a security contact email Security Center emails the subscription owners whenever a high-severity alert is triggered for their subscription. You should provide a security contact email address as an additional email address SecurityCenter
SecurityCenterPolicy should have SecurityContactEmails len() gt 0
Security Center protection: Ensure that 'Notify about alerts with the following severity' is set to 'High' Enables emailing security alerts to the subscription owner or other designated security contact SecurityCenter
SecurityCenterPolicy should have AlertNotificationMinimalSeverity eq "High"
Security Center protection: Ensure that 'All users with the following roles' is set to 'Owner' Enable security alert emails to subscription owners SecurityCenter
SecurityCenterPolicy should have SendEmailToSubscriptionOwners
Ensure storage for critical data are encrypted with Customer Managed Key Enable sensitive data encryption at rest using Customer Managed Keys rather than Microsoft Managed keys Storage
StorageAccount should have EncryptionType eq "Microsoft.Keyvault"
SQL Server protection: Ensure that Advanced Threat Protection (ATP) on a SQL server is set to 'Enabled' Enable Azure Defender for SQL on critical SQL Servers SQL
SQLServer should have ThreatPolicy.State eq "Enabled"
SQL Server protection: Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account Enable Vulnerability Assessment (VA) service scans for critical SQL servers and corresponding SQL databases SQL
SQLServer should have VulnerabilityAssessment . StorageAccount neq ""
SQL Server protection: Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server Enable Vulnerability Assessment (VA) Periodic recurring scans for critical SQL servers and corresponding SQL databases SQL
SQLServer should have VulnerabilityAssessment.RecurringScansState
SQL Server protection: Ensure that VA setting Send scan reports to is configured for a SQL server Configure 'Send scan reports to' with email ids of concerned data owners/stakeholders for a critical SQL servers SQL
SQLServer should have VulnerabilityAssessment.NotificationEmails len() gt 0
SQL Server protection: Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server Enable Vulnerability Assessment (VA) setting 'Also send email notifications to admins and subscription owners' SQL
SQLServer should have VulnerabilityAssessment.EmailSubscriptionAdmins
SQL Server protection: Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled Disable access from Azure services to PostgreSQL Database Server SQL
PostgreSQLServer should not have firewall_rules with [properties.startIpAddress eq "0.0.0.0" and properties.endIpAddress eq "0.0.0.0"]
SQL Server protection: Ensure that Azure Active Directory Admin is configured Use Azure Active Directory Authentication for authentication with SQL Database SQL
SQLServer should have ADAdmin.Status
Ensure Diagnostic Setting captures appropriate categories The diagnostic setting should be configured to log the appropriate activities from the control/management plane Monitor
Subscription should have DiagnosticSettings with [ Logs with [ Category eq "Administrative" and Enabled ] ] and DiagnosticSettings with [ Logs with [ Category eq "Alert" and Enabled ] ] and DiagnosticSettings with [ Logs with [ Category eq "Policy" and Enabled ] ] and DiagnosticSettings with [ Logs with [ Category eq "Security" and Enabled ] ]
Ensure the storage container storing the activity logs is not publicly accessible The storage account container containing the activity log export should not be publicly accessible Monitor
ActivityLogProfile should have StorageContainerPublicAccess eq "None"
Ensure that Activity Log Alert exists for Delete Policy Assignment Create an activity log alert for the Delete Policy Assignment event Monitor
Azure should have atleast one ActivityLogAlert with [ Conditions with [ Value like "Microsoft.Authorization/policyAssignments/delete" ] ]
Ensure that UDP Services are restricted from the Internet Disable Internet exposed UDP ports on network security groups Network
VirtualMachine should not have NetworkInterfaces with [ SecurityGroup . SecurityRules with [ Access eq "Allow" and Direction eq "Inbound" and Protocol in ("*", "UDP") and Destination . PortRange with [ ( FromPort lte 22 and ToPort gte 22 ) or ( FromPort lte 53 and ToPort gte 53 ) or ( FromPort lte 67 and ToPort gte 67 ) or ( FromPort lte 80 and ToPort gte 80 ) or ( FromPort lte 123 and ToPort gte 123 ) or ( FromPort lte 161 and ToPort gte 161 ) or ( FromPort lte 389 and ToPort gte 389 ) or ( FromPort lte 443 and ToPort gte 443 ) or ( FromPort lte 520 and ToPort gte 520 ) or ( FromPort lte 547 and ToPort gte 547 ) or ( FromPort lte 1433 and ToPort gte 1433 ) or ( FromPort lte 1521 and ToPort gte 1521 ) or ( FromPort lte 1900 and ToPort gte 1900 ) or ( FromPort lte 3306 and ToPort gte 3306 ) or ( FromPort lte 3389 and ToPort gte 3389 ) or ( FromPort lte 5432 and ToPort gte 5432 ) or ( FromPort lte 27019 and ToPort gte 27017 ) ] and ( ( Source . Type eq "Any" ) or ( Source . Type eq "Service Tag" and Source . ServiceTag eq "Internet" ) or ( Source . Type eq "IP Addresses" and Source . Addresses with [ Prefix in ( "0.0.0.0/0", "::/0", "/0", "/0" ) ] ) ) ] ]
Ensure Virtual Machines are utilizing Managed Disks Migrate BLOB based VHD's to Managed Disks on Virtual Machines Compute
VirtualMachine should have UnmanagedDisks len() eq 0
Ensure that 'OS and Data' disks are encrypted with CMK Ensure that OS disks (boot volumes) and data disks (non-boot volumes) are encrypted with CMK Compute
VirtualMachine should have DiskEncryptionStatus . OSDisk and DiskEncryptionStatus . DataDisk
Ensure soft delete is enabled for Azure Storage Azure Storage be made recoverable by enabling soft delete configuration. This is to save and recover data when blobs or blob snapshots are deleted Storage
StorageAccount should have SoftDelete . Enabled
Identities and credentials: Ensure that no custom subscription owner roles are created Do not create custom roles with subscription ownership. It is recommended to use the principle of least privilege, assigning only needed privileges instead of allowing full administrative access. Auth
Role should not have ( Type eq "CustomRole" and Permissions with [ Actions has ( "*" ) ] )
Ensure that 'Secure transfer required' is set to 'Enabled' Enable data encryption is transit. Storage
StorageAccount should have EnableHttpsTrafficOnly
Ensure that storage account access keys are periodically regenerated Regenerate storage account access keys every 90 days Storage
StorageAccount should have KeyRegenerated
Data-at-rest is protected: Ensure that 'Public access level' is set to Private for blob containers Disable anonymous access to blob containers. Storage
StorageAccount should have every BlobContainers with [ Access eq "None" ] or not AllowBlobPublic
Ensure default network access rule for Storage Accounts is set to deny Restricting default network access helps to provide a new layer of security, since storage accounts accept connections from clients on any network. To limit access to selected networks, the default action must be changed Storage
StorageAccount should not have ACL.DefaultAction eq "Allow"
Ensure Trusted Microsoft Services is enabled for Storage Account access Some Microsoft services that interact with storage accounts operate from networks that can't be granted access through network rules. To help this type of service work as intended, allow the set of trusted Microsoft services to bypass the network rules. These services will then use strong authentication to access the storage account. If the Allow trusted Microsoft services exception is enabled, the following services: Azure Backup, Azure Site Recovery, Azure DevTest Labs, Azure Event Grid, Azure Event Hubs, Azure Networking, Azure Monitor and Azure SQL Data Warehouse (when registered in the subscription), are granted access to the storage account. Storage
StorageAccount should have ACL.Bypass has ( "AzureServices")
Ensure that 'Auditing' is set to 'On' for SQL Servers Enable auditing on SQL Servers. SQL
SQLServer should have AuditPolicy . State eq "Enabled"
Ensure that Data encryption is set to On on a SQL Database Enable Transparent Data Encryption on every SQL Database SQL
SQLDatabase should have DataEncryption.TransparentDataEncryptionStatus eq "Enabled"
Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL Servers SQL Server Audit Retention should be configured to be greater than 90 days. SQL
SQLServer should have ( AuditPolicy . RetentionDays gte 90 or AuditPolicy . RetentionDays lte 0 )
Enforce SSL connection is set to ENABLED for PostgreSQL Database Server Enable SSL connection on PostgreSQL Servers. SQL
PostgreSQLServer should have sslEnforcement eq "Enabled"
Ensure Enforce SSL connection is set to ENABLED for MySQL Database Server Enable SSL connection on MYSQL Servers. SQL
MYSQLServer should have sslEnforcement eq "Enabled"
Ensure server parameter log_checkpoints is set to ON for PostgreSQL Database Server Enable log_checkpoints on PostgreSQL Servers SQL
PostgreSQLServer should have log_checkpoints like "[Oo][Nn]"
Ensure server parameter log_connections is set to ON for PostgreSQL Database Server Enable log_connections on PostgreSQL Servers SQL
PostgreSQLServer should have log_connections like "[Oo][Nn]"
Ensure server parameter log_disconnections is set to ON for PostgreSQL Database Server Enable log_disconnections on PostgreSQL Servers. SQL
PostgreSQLServer should have log_disconnections like "[Oo][Nn]"
Ensure server parameter connection_throttling is set to ON for PostgreSQL Database Server Enable connection_throttling on PostgreSQL Servers SQL
PostgreSQLServer should have connection_throttling like "[Oo][Nn]"
Ensure server parameter log_retention_days is greater than 3 days for PostgreSQL Database Server Enable log_retention_days on PostgreSQL Servers. SQL
PostgreSQLServer should have log_retention_days gte 4
Ensure SQL server's TDE protector is encrypted with BYOK TDE with BYOK support provides increased transparency and control over the TDE Protector increased security with an HSM-backed external service and promotion of separation of duties SQL
SQLServer should have TDEProtector.kind eq "azurekeyvault" and TDEProtector.serverKeyType eq "AzureKeyVault" and TDEProtector.uri
Ensure the storage account containing the container with activity logs is encrypted with BYOK The storage account with the activity log export container is configured to use BYOK (Use Your Own Key). Monitor
ActivityLogProfile should have StorageAccount.EncryptionType eq "Microsoft.Keyvault" and StorageAccount.KeyVaultUri
Ensure that logging for Azure KeyVault is 'Enabled' Enable AuditEvent logging for Key Vault instances to ensure interactions with key vaults are logged and available. KeyVault
KeyVault should have DiagnosticSettings with [ StorageAccountId len ( ) gt 0 and Logs with [ Category len ( ) gt 0 and LogEnabled and ( RetentionPolicy . Days gte 180 or RetentionPolicy . Days eq 0 ) ] ]
Ensure that Activity Log Alert exists for Create Policy Assignment Create an activity log alert for the Create Policy Assignment event. Monitor
Azure should have atleast one ActivityLogAlert with [ SubscriptionScope and RegionName eq "global" and Enabled and ActionGroupId len () gt 0 and Conditions with [ Field eq "operationName" and Value like "Microsoft.Authorization/policyAssignments/write" ] ]
Ensure that Activity Log Alert exists for Create or Update Network Security Group Create an activity log alert for Create or Update Network Security Group event. Monitor
Azure should have atleast one ActivityLogAlert with [ SubscriptionScope and RegionName eq "global" and Enabled and ActionGroupId len () gt 0 and Conditions with [ Field eq "operationName" and Value like "Microsoft.Network/networkSecurityGroups/write" ] ]
Ensure that Activity Log Alert exists for Delete Network Security Group Create an activity log alert for Delete Network Security Group event. Monitor
Azure should have atleast one ActivityLogAlert with [ SubscriptionScope and RegionName eq "global" and Enabled and ActionGroupId len () gt 0 and Conditions with [ Field eq "operationName" and Value like "Microsoft.Network/networkSecurityGroups/delete" ] ]
Ensure that Activity Log Alert exists for Create or Update Network Security Group Rule Create an activity log alert for the Create or Update Network Security Group Rule event Monitor
Azure should have atleast one ActivityLogAlert with [ SubscriptionScope and RegionName eq "global" and Enabled and ActionGroupId len () gt 0 and Conditions with [ Field eq "operationName" and Value like "Microsoft.Network/networkSecurityGroups/securityRules/write" ] ]
Ensure that activity log alert exists for the Delete Network Security Group Rule Create an activity log alert for the Delete Network Security Group Rule event Monitor
Azure should have atleast one ActivityLogAlert with [ SubscriptionScope and RegionName eq "global" and Enabled and ActionGroupId len () gt 0 and Conditions with [ Field eq "operationName" and Value like "Microsoft.Network/networkSecurityGroups/securityRules/delete" ] ]
Ensure that Activity Log Alert exists for Create or Update Security Solution Create an activity log alert for the Create or Update Security Solution event. Monitor
Azure should have atleast one ActivityLogAlert with [ SubscriptionScope and RegionName eq "global" and Enabled and ActionGroupId len () gt 0 and Conditions with [ Field eq "operationName" and Value like "Microsoft.Security/securitySolutions/write" ] ]
Ensure that Activity Log Alert exists for Delete Security Solution Create an activity log alert for the Delete Security Solution event. Monitor
Azure should have atleast one ActivityLogAlert with [ SubscriptionScope and RegionName eq "global" and Enabled and ActionGroupId len () gt 0 and Conditions with [ Field eq "operationName" and Value like "Microsoft.Security/securitySolutions/delete" ] ]
Ensure that Activity Log Alert exists for Create or Update or Delete SQL Server Firewall Rule Create an activity log alert for the Create or Update or Delete SQL Server Firewall Rule event. Monitor
Azure should have atleast one ActivityLogAlert with [ SubscriptionScope and RegionName eq "global" and Enabled and ActionGroupId len () gt 0 and Conditions with [ Field eq "operationName" and Value like "Microsoft.Sql/servers/firewallRules/write" ] ]
Ensure that RDP access is restricted from the internet Check Network Security Groups for any inbound access from the Internet to RDP port 3389 (UDP or TCP). Network
VirtualMachine should not have NetworkInterfaces with [ SecurityGroup . SecurityRules with [ Access eq "Allow" and Direction eq "Inbound" and Protocol in ("*", "TCP") and Destination . PortRange with [ FromPort lte 3389 and ToPort gte 3389 ] and ( ( Source . Type eq "Any" ) or ( Source . Type eq "Service Tag" and Source . ServiceTag eq "Internet" ) or ( Source . Type eq "IP Addresses" and Source . Addresses with [ Prefix in ( "0.0.0.0/0", "::/0", "/0", "/0" ) ] ) ) ] ]
Ensure that SSH access is restricted from the internet Disable SSH access on Network Security Groups from Internet Network
VirtualMachine should not have NetworkInterfaces with [ SecurityGroup . SecurityRules with [ Access eq "Allow" and Direction eq "Inbound" and Protocol in ("*", "TCP") and Destination . PortRange with [ FromPort lte 22 and ToPort gte 22 ] and ( ( Source . Type eq "Any" ) or ( Source . Type eq "Service Tag" and Source . ServiceTag eq "Internet" ) or ( Source . Type eq "IP Addresses" and Source . Addresses with [ Prefix in ( "0.0.0.0/0", "::/0", "/0", "/0" ) ] ) ) ] ]
Communications and control network protection: Ensure that SQL server access is restricted from the internet Ensure that no SQL Databases allow ingress from the internet. SQL
SQLServer should not have FirewallRule with [ StartIP eq 0.0.0.0 and EndIP eq 0.0.0.0 ]
Ensure that Network Security Group Flow Log retention period is greater than 90 days Network Security Group Flow Logs should be enabled and retention period is set to greater than or equal to 90 days. Network
NetworkSecurityGroup should have FlowLog . RetentionPolicy . Days gt 90 and FlowLog . RetentionPolicy . Enabled
Baseline network operations and data flows: Ensure that Network Watcher is 'Enabled' Enable Network Watcher for your Azure Subscriptions Network
Subscription should have NetworkWatcherEnabled
Ensure that 'Unattached disks' are encrypted with CMK Ensure that unattached disks in a subscription are encrypted with a Customer Managed Key Compute
Disk where DiskAttachment eq "Unattached" should have Encrypted
Ensure that the expiry date is set on all Keys Ensure that all Keys in Azure Key Vault have an expiry time set. KeyVault
KeyVault should not have Keys with [ Expires eq False ]
Ensure that the expiry date is set on all Secrets Ensure that all Secrets in Azure Key Vault have an expiry time set. KeyVault
KeyVault should not have Secrets with [ Expires eq False ]
Ensure the key vault is recoverable It is recommended the key vault be made recoverable by enabling the Do Not Purge and Soft Delete functions. This is in order to prevent loss of encrypted data including storage accounts, SQL databases, and/or dependent services provided by key vault objects (Keys, Secrets, Certificates) etc., as may happen in the case of accidental deletion by a user or from disruptive activity by a malicious user. KeyVault
KeyVault should have EnableSoftDelete and EnablePurgeProtection
Enable role-based access control (RBAC) within Azure Kubernetes Services Ensure that RBAC is enabled on all Azure Kubernetes Services Instances Kubernetes
AKSCluster should have EnableRBAC
Ensure App Service Authentication is set on Azure App Service Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the API app, or authenticate those that have tokens before they reach the API app. If an anonymous request is received from a browser, App Service will redirect to a logon page. To handle the logon process, a choice from a set of identity providers can be made, or a custom authentication mechanism can be implemented. Function
FunctionApp should have AuthSettings with [ Enabled and UnauthenticatedClientAction neq "AllowAnonymous" ]
Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service Azure Web Apps allows sites to run under both HTTP and HTTPS by default. Web apps can be accessed by anyone using non-secure HTTP links by default. Non-secure HTTP requests can be restricted and all HTTP requests redirected to the secure HTTPS port. It is recommended to enforce HTTPS-only traffic. Function
FunctionApp should have HttpsOnly
Ensure web app is using the latest version of TLS encryption The TLS(Transport Layer Security) protocol secures transmission of data over the internet using standard encryption technology. Encryption should be set with the latest version of TLS. App service allows TLS 1.2 by default, which is the recommended TLS level by industry standards, such as PCI DSS. Function
FunctionApp should have Configurations with [ MinTLSVersion eq "1.2" ]
Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On' Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. Function
FunctionApp should have ClientCertEnabled
Ensure that Register with Azure Active Directory is enabled on App Service Managed service identity in App Service makes the app more secure by eliminating secrets from the app, such as credentials in the connection strings. When registering with Azure Active Directory in the app service, the app will connect to other Azure services securely without the need of username and passwords. Function
FunctionApp should have ADRegistered
Name Description Service Rule
Ensure that the expiry date is set on all Keys Ensure that all Keys in Azure Key Vault have an expiry time set. KeyVault
KeyVault should not have Keys with [ Expires eq False ]
Ensure that the expiry date is set on all Secrets Ensure that all Secrets in Azure Key Vault have an expiry time set. KeyVault
KeyVault should not have Secrets with [ Expires eq False ]
Ensure ASC Default policy setting 'Monitor Disk Encryption' is not 'Disabled' Enable Disk encryption recommendations for virtual machines. SecurityCenter
SecurityCenterPolicy should have VMDiskEncryption in ( "AuditIfNotExists", "Audit" )
Ensure that 'Storage Encryption' is set to 'On' Enable Storage Encryption recommendations. SecurityCenter
SecurityCenterPolicy should have StorageEncryption in ( "AuditIfNotExists", "Audit" )
Ensure ASC Default policy setting 'Monitor SQL Encryption' is not 'Disabled' Enable SQL Encryption recommendations. SecurityCenter
SecurityCenterPolicy should have SQLEncryption in ( "AuditIfNotExists", "Audit" )
Ensure that 'Secure transfer required' is set to 'Enabled' Enable data encryption is transit. Storage
StorageAccount should have EnableHttpsTrafficOnly
Ensure that 'Storage service encryption' is set to Enabled for Blob Service Enable data encryption at rest for blobs. Storage
StorageAccount should have BlobEncryptionEnabled
Ensure that 'Storage service encryption' is set to Enabled for File Service Enable data encryption at rest for file service. Storage
StorageAccount should have FileEncryptionEnabled
Data-at-rest is protected: Ensure that 'OS disk' are encrypted Ensure that OS disks (boot volumes) are encrypted, where possible Compute
VirtualMachine should have DiskEncryptionStatus . OSDisk
Ensure that 'Data disks' are encrypted Ensure that Data disks (non-boot volumes) are encrypted, where possible Compute
VirtualMachine should have DiskEncryptionStatus . DataDisk
Identities and credentials: Ensure that there are no guest users Do not add guest users if not needed. AAD
User should not have Type eq "Guest"
Identities and credentials: Ensure that no custom subscription owner roles are created Do not create custom roles with subscription ownership. It is recommended to use the principle of least privilege, assigning only needed privileges instead of allowing full administrative access. Auth
Role should not have ( Type eq "CustomRole" and Permissions with [ Actions has ( "*" ) ] )
Identities and credentials: Ensure that Azure Active Directory Admin is configured for SQL Servers Use Azure Active Directory Authentication for authentication with SQL Database. SQL
SQLServer should have ADAdmin . Status
Ensure that a Log Profile exists Enable log profile for exporting activity logs. Monitor
Azure should have ActivityLogProfile len () > 0
Ensure that Activity Log Retention is set 365 days or greater Ensure Activity Log Retention is set for 365 days or greater Monitor
ActivityLogProfile should have RetentionDays gte 365
Ensure that Activity Log Alert exists for Create Policy Assignment Create an Activity Log Alert for the Create Policy Assignment event. Monitor
Azure should have atleast one ActivityLogAlert with [ Conditions with [ Value like "microsoft.authorization/policyassignments/write" ] ]
Ensure that Activity Log Alert exists for Create or Update Network Security Group Create an Activity Log Alert for the Create or Update Network Security Group event. Monitor
Azure should have atleast one ActivityLogAlert with [ Conditions with [ Value like "microsoft.network/networksecuritygroups/write" ] ]
Ensure that Activity Log Alert exists for Delete Network Security Group Create an Activity Log Alert for the Delete Network Security Group event. Monitor
Azure should have atleast one ActivityLogAlert with [ Conditions with [ Value like "microsoft.network/networksecuritygroups/delete" ] ]
Ensure that Activity Log Alert exists for Create or Update Network Security Group Rule Create an Activity Log Alert for the Create or Update Network Security Group Rule event. Monitor
Azure should have atleast one ActivityLogAlert with [ Conditions with [ Value like "microsoft.network/networksecuritygroups/securityrules/write" ] ]
Ensure that Activity Log Alert exists for Delete Network Security Group Rule Create an Activity Log Alert for the Delete Network Security Group Rule event. Monitor
Azure should have atleast one ActivityLogAlert with [ Conditions with [ Value like "microsoft.network/networksecuritygroups/securityrules/delete" ] ]
Ensure that Activity Log Alert exists for Create or Update Security Solution Create an Activity Log Alert for the Create or Update Security Solution event. Monitor
Azure should have atleast one ActivityLogAlert with [ Conditions with [ Value like "microsoft.security/securitysolutions/write" ] ]
Ensure that Activity Log Alert exists for Delete Security Solution Create an Activity Log Alert for the Delete Security Solution event. Monitor
Azure should have atleast one ActivityLogAlert with [ Conditions with [ Value like "microsoft.security/securitysolutions/delete" ] ]
Ensure that Activity Log Alert exists for Create or Update SQL Server Firewall Rule Create an Activity Log Alert for the Create or Update SQL Server Firewall Rule event. Monitor
Azure should have atleast one ActivityLogAlert with [ Conditions with [ Value like "microsoft.sql/servers/firewallrules/write" ] ]
Ensure that Activity Log Alert exists for Delete SQL Server Firewall Rule Create an Activity Log Alert for the Delete SQL Server Firewall Rule event. Monitor
Azure should have atleast one ActivityLogAlert with [ Conditions with [ Value like "microsoft.sql/servers/firewallrules/delete" ] ]
Ensure that Activity Log Alert exists for Update Security Policy Create an Activity Log Alert for the Update Security Policy event. Monitor
Azure should have atleast one ActivityLogAlert with [ Conditions with [ Value like "microsoft.security/policies/write" ] ]
Ensure that logging for Azure KeyVault is 'Enabled' Enable AuditEvent logging for Key Vault instances to ensure interactions with key vaults are logged and available. KeyVault
KeyVault should have DiagnosticSettings with [ StorageAccountId len ( ) gt 0 and Logs with [ Category len ( ) gt 0 and LogEnabled and ( RetentionPolicy . Days gte 180 or RetentionPolicy . Days eq 0 ) ] ]
Ensure ASC Default policy setting 'Monitor Network Security Groups' is not 'Disabled' Enable Network security groups recommendations for virtual machines. SecurityCenter
SecurityCenterPolicy should have VMNetworkSecurityGroups in ( "AuditIfNotExists", "Audit" )
Ensure ASC Default policy setting 'Monitor Web Application Firewall' is not 'Disabled' Enable Web application firewall recommendations for virtual machines. SecurityCenter
SecurityCenterPolicy should have VMWebApplicationFirewall in ( "AuditIfNotExists", "Audit" )
Ensure ASC Default policy setting 'Enable Next Generation Firewall(NGFW) Monitoring' is not 'Disabled' Enable Next generation firewall recommendations for virtual machines. SecurityCenter
SecurityCenterPolicy should have VMNextGenerationFirewall in ( "AuditIfNotExists", "Audit" )
Ensure ASC Default policy setting 'Monitor JIT Network Access' is not 'Disabled' Enable JIT Network Access for virtual machines. SecurityCenter
SecurityCenterPolicy should have VMJITNetworkAccess in ( "AuditIfNotExists", "Audit" )
Name Description Service Rule
Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL Servers SQL Server Audit Retention should be configured to be greater than 90 days. SQL
SQLServer should have ( AuditPolicy . RetentionDays gte 90 or AuditPolicy . RetentionDays lte 0 )
Audit/log records: Ensure that 'Threat Detection' Retention is 'greater than 90 days' for SQL Servers SQL Server Threat Detection Retention should be configured to be greater than 90 days. SQL
SQLServer should have ( ThreatPolicy . RetentionDays gte 90 or ThreatPolicy . RetentionDays lte 0 )
Ensure that the expiry date is set on all Keys Ensure that all Keys in Azure Key Vault have an expiry time set. KeyVault
KeyVault should not have Keys with [ Expires eq False ]
Ensure that the expiry date is set on all Secrets Ensure that all Secrets in Azure Key Vault have an expiry time set. KeyVault
KeyVault should not have Secrets with [ Expires eq False ]
Ensure ASC Default policy setting 'Monitor Endpoint Protection' is not 'Disabled' Enable Endpoint protection recommendations for virtual machines. SecurityCenter
SecurityCenterPolicy should have VMEndpointProtection in ( "AuditIfNotExists", "Audit" )
Ensure ASC Default policy setting 'Monitor Disk Encryption' is not 'Disabled' Enable Disk encryption recommendations for virtual machines. SecurityCenter
SecurityCenterPolicy should have VMDiskEncryption in ( "AuditIfNotExists", "Audit" )
Ensure that 'Storage Encryption' is set to 'On' Enable Storage Encryption recommendations. SecurityCenter
SecurityCenterPolicy should have StorageEncryption in ( "AuditIfNotExists", "Audit" )
Ensure ASC Default policy setting 'Monitor SQL Encryption' is not 'Disabled' Enable SQL Encryption recommendations. SecurityCenter
SecurityCenterPolicy should have SQLEncryption in ( "AuditIfNotExists", "Audit" )
Ensure that 'Secure transfer required' is set to 'Enabled' Enable data encryption is transit. Storage
StorageAccount should have EnableHttpsTrafficOnly
Ensure that 'Storage service encryption' is set to Enabled for Blob Service Enable data encryption at rest for blobs. Storage
StorageAccount should have BlobEncryptionEnabled
Ensure that 'Storage service encryption' is set to Enabled for File Service Enable data encryption at rest for file service. Storage
StorageAccount should have FileEncryptionEnabled
Data-at-rest is protected: Ensure that 'OS disk' are encrypted Ensure that OS disks (boot volumes) are encrypted, where possible Compute
VirtualMachine should have DiskEncryptionStatus . OSDisk
Ensure that 'Data disks' are encrypted Ensure that Data disks (non-boot volumes) are encrypted, where possible Compute
VirtualMachine should have DiskEncryptionStatus . DataDisk
Identities and credentials: Ensure that there are no guest users Do not add guest users if not needed. AAD
User should not have Type eq "Guest"
Identities and credentials: Ensure that no custom subscription owner roles are created Do not create custom roles with subscription ownership. It is recommended to use the principle of least privilege, assigning only needed privileges instead of allowing full administrative access. Auth
Role should not have ( Type eq "CustomRole" and Permissions with [ Actions has ( "*" ) ] )
Identities and credentials: Ensure that Azure Active Directory Admin is configured for SQL Servers Use Azure Active Directory Authentication for authentication with SQL Database. SQL
SQLServer should have ADAdmin . Status
Ensure that a Log Profile exists Enable log profile for exporting activity logs. Monitor
Azure should have ActivityLogProfile len () > 0
Ensure that Activity Log Retention is set 365 days or greater Ensure Activity Log Retention is set for 365 days or greater Monitor
ActivityLogProfile should have RetentionDays gte 365
Ensure that Activity Log Alert exists for Create Policy Assignment Create an Activity Log Alert for the Create Policy Assignment event. Monitor
Azure should have atleast one ActivityLogAlert with [ Conditions with [ Value like "microsoft.authorization/policyassignments/write" ] ]
Ensure that Activity Log Alert exists for Create or Update Network Security Group Create an Activity Log Alert for the Create or Update Network Security Group event. Monitor
Azure should have atleast one ActivityLogAlert with [ Conditions with [ Value like "microsoft.network/networksecuritygroups/write" ] ]
Ensure that Activity Log Alert exists for Delete Network Security Group Create an Activity Log Alert for the Delete Network Security Group event. Monitor
Azure should have atleast one ActivityLogAlert with [ Conditions with [ Value like "microsoft.network/networksecuritygroups/delete" ] ]
Ensure that Activity Log Alert exists for Create or Update Network Security Group Rule Create an Activity Log Alert for the Create or Update Network Security Group Rule event. Monitor
Azure should have atleast one ActivityLogAlert with [ Conditions with [ Value like "microsoft.network/networksecuritygroups/securityrules/write" ] ]
Ensure that Activity Log Alert exists for Delete Network Security Group Rule Create an Activity Log Alert for the Delete Network Security Group Rule event. Monitor
Azure should have atleast one ActivityLogAlert with [ Conditions with [ Value like "microsoft.network/networksecuritygroups/securityrules/delete" ] ]
Ensure that Activity Log Alert exists for Create or Update Security Solution Create an Activity Log Alert for the Create or Update Security Solution event. Monitor
Azure should have atleast one ActivityLogAlert with [ Conditions with [ Value like "microsoft.security/securitysolutions/write" ] ]
Ensure that Activity Log Alert exists for Delete Security Solution Create an Activity Log Alert for the Delete Security Solution event. Monitor
Azure should have atleast one ActivityLogAlert with [ Conditions with [ Value like "microsoft.security/securitysolutions/delete" ] ]
Ensure that Activity Log Alert exists for Create or Update SQL Server Firewall Rule Create an Activity Log Alert for the Create or Update SQL Server Firewall Rule event. Monitor
Azure should have atleast one ActivityLogAlert with [ Conditions with [ Value like "microsoft.sql/servers/firewallrules/write" ] ]
Ensure that Activity Log Alert exists for Delete SQL Server Firewall Rule Create an Activity Log Alert for the Delete SQL Server Firewall Rule event. Monitor
Azure should have atleast one ActivityLogAlert with [ Conditions with [ Value like "microsoft.sql/servers/firewallrules/delete" ] ]
Ensure that Activity Log Alert exists for Update Security Policy Create an Activity Log Alert for the Update Security Policy event. Monitor
Azure should have atleast one ActivityLogAlert with [ Conditions with [ Value like "microsoft.security/policies/write" ] ]
Ensure that logging for Azure KeyVault is 'Enabled' Enable AuditEvent logging for Key Vault instances to ensure interactions with key vaults are logged and available. KeyVault
KeyVault should have DiagnosticSettings with [ StorageAccountId len ( ) gt 0 and Logs with [ Category len ( ) gt 0 and LogEnabled and ( RetentionPolicy . Days gte 180 or RetentionPolicy . Days eq 0 ) ] ]
Vulnerability management plan: Ensure that VM agent is installed Install VM agent on Virtual Machines Compute
VirtualMachine should have Extensions with [ ExtensionType eq "MicrosoftMonitoringAgent" and ProvisioningState eq "Succeeded" ]
Personnel know response roles/operations: Ensure that 'Security contact emails' is set Provide a security contact email address. SecurityCenter
SecurityCenterPolicy should have SecurityContactEmails len() > 0
Personnel know response roles/operations: Ensure that security contact 'Phone number' is set Provide a security contact phone number. SecurityCenter
SecurityCenterPolicy should have SecurityContactPhoneNumber neq ""
Personnel know response roles/operations: Ensure that 'Send me emails about alerts' is set to 'On' Enable security alerts emailing to security contact. SecurityCenter
SecurityCenterPolicy should have SendEmailAboutAlerts
Personnel know response roles/operations: Ensure that 'Also send email to subscription owners' is set to 'On' Enable security alerts emailing to subscription owners. SecurityCenter
SecurityCenterPolicy should have SendEmailToSubscriptionOwners
Personnel know response roles/operations: Ensure that 'Send Alerts to' is set for SQL Servers Provide the email address to which alerts will be sent upon detection of anomalous activities on SQL Servers. SQL
SQLServer should have ThreatPolicy . EmailAddresses
Personnel know response roles/operations: Ensure that 'Email service and co-administrators' is 'Enabled' for SQL Servers Enable service and co-administrators to receive security alerts from SQL Server. SQL
SQLServer should have ThreatPolicy . EmailAccountAdmins eq "Enabled"
Ensure that 'Send Alerts to' is set for SQL Databases Provide the email address to which alerts will be sent upon detection of anomalous activities on SQL Databases. SQL
SQLDatabase should have ThreatPolicy . EmailAddresses
Ensure that 'Email service and co-administrators' is 'Enabled' for SQL Databases Enable service and co-administrators to receive security alerts from SQL Databases. SQL
SQLDatabase should have ThreatPolicy . EmailAccountAdmins eq "Enabled"
Monitor network to detect potential cybersecurity events: Ensure that standard pricing tier is selected in Azure Security Center Standard pricing tier enables threat detection for networks and virtual machines, providing threat intelligence, anomaly detection, and behavior analytics in Azure Security Center. SecurityCenter
SecurityCenterPolicy should have SelectedPricingTier eq "Standard"
Ensure that 'Automatic provisioning of monitoring agent' is set to 'On' Enable Automatic provisioning of monitoring agent to collect security data. AAD
SecurityCenterPolicy should have AutomaticProvisioningOfMonitoringAgent eq "On"
Ensure ASC Default policy setting 'Monitor System Updates' is not 'Disabled' Enable system updates recommendations for virtual machines. SecurityCenter
SecurityCenterPolicy should have VMSystemUpdates in ( "AuditIfNotExists", "Audit" )
Ensure ASC Default policy setting 'Monitor OS Vulnerabilities' is not 'Disabled' Enable OS vulnerabilities recommendations for virtual machines. SecurityCenter
SecurityCenterPolicy should have VMSecurityConfigurations in ( "AuditIfNotExists", "Audit" )
Ensure ASC Default policy setting 'Monitor SQL Auditing' is not 'Disabled' Enable SQL auditing & Threat detection recommendations. SecurityCenter
SecurityCenterPolicy should have SQLAuditingAndThreatDetection in ( "AuditIfNotExists", "Audit" )
Ensure that 'Auditing' is set to 'On' for SQL Servers Enable auditing on SQL Servers. SQL
SQLServer should have AuditPolicy . State eq "Enabled"
Monitor network to detect potential cybersecurity events: Ensure that 'Threat Detection' is set to 'On' for SQL Servers Enable threat detection on SQL Servers. SQL
SQLServer should have ThreatPolicy . State eq "Enabled"
Monitor network to detect potential cybersecurity events: Ensure that 'Threat Detection Types' is set to 'All' for SQL Servers Enable all types of threat detection on SQL Servers. SQL
SQLServer should have ThreatPolicy . State eq "Enabled" and not ( ThreatPolicy . DisabledAlerts like "Sql" or ThreatPolicy . DisabledAlerts like "Anomaly" )
Ensure that 'Auditing' is set to 'On' for SQL Databases Enable auditing on SQL Databases. SQL
SQLDatabase should have AuditPolicy . State eq "Enabled"
Ensure that 'Threat Detection' is set to 'On' for SQL Databases Enable threat detection on SQL Databases. SQL
SQLDatabase should have ThreatPolicy . State eq "Enabled"
Ensure that 'Threat Detection Types' is set to 'All' for SQL Databases Enable all types of threat detection on SQL Databases. SQL
SQLDatabase should have ThreatPolicy . State eq "Enabled" and not ( ThreatPolicy . DisabledAlerts like "Sql" or ThreatPolicy . DisabledAlerts like "Anomaly" )
Ensure that the endpoint protection for all Virtual Machines is installed Install Endpoint Protection for all Virtual Machines. Compute
VirtualMachine should have Extensions with [ ExtensionType in ( "EndpointSecurity", "TrendMicroDSA*", "Antimalware" , "EndpointProtection" , "SCWPAgent", "PortalProtectExtension*" , "FileSecurity*" ) ]
Name Description Service Rule
Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL Servers SQL Server Audit Retention should be configured to be greater than 90 days. SQL
SQLServer should have ( AuditPolicy . RetentionDays gte 90 or AuditPolicy . RetentionDays lte 0 )
Audit/log records: Ensure that 'Threat Detection' Retention is 'greater than 90 days' for SQL Servers SQL Server Threat Detection Retention should be configured to be greater than 90 days. SQL
SQLServer should have ( ThreatPolicy . RetentionDays gte 90 or ThreatPolicy . RetentionDays lte 0 )
Ensure that the expiry date is set on all Keys Ensure that all Keys in Azure Key Vault have an expiry time set. KeyVault
KeyVault should not have Keys with [ Expires eq False ]
Ensure that the expiry date is set on all Secrets Ensure that all Secrets in Azure Key Vault have an expiry time set. KeyVault
KeyVault should not have Secrets with [ Expires eq False ]
Ensure ASC Default policy setting 'Monitor Endpoint Protection' is not 'Disabled' Enable Endpoint protection recommendations for virtual machines. SecurityCenter
SecurityCenterPolicy should have VMEndpointProtection in ( "AuditIfNotExists", "Audit" )
Ensure ASC Default policy setting 'Monitor Disk Encryption' is not 'Disabled' Enable Disk encryption recommendations for virtual machines. SecurityCenter
SecurityCenterPolicy should have VMDiskEncryption in ( "AuditIfNotExists", "Audit" )
Ensure that 'Storage Encryption' is set to 'On' Enable Storage Encryption recommendations. SecurityCenter
SecurityCenterPolicy should have StorageEncryption in ( "AuditIfNotExists", "Audit" )
Ensure ASC Default policy setting 'Monitor SQL Encryption' is not 'Disabled' Enable SQL Encryption recommendations. SecurityCenter
SecurityCenterPolicy should have SQLEncryption in ( "AuditIfNotExists", "Audit" )
Ensure that 'Secure transfer required' is set to 'Enabled' Enable data encryption is transit. Storage
StorageAccount should have EnableHttpsTrafficOnly
Ensure that 'Storage service encryption' is set to Enabled for Blob Service Enable data encryption at rest for blobs. Storage
StorageAccount should have BlobEncryptionEnabled
Ensure that 'Storage service encryption' is set to Enabled for File Service Enable data encryption at rest for file service. Storage
StorageAccount should have FileEncryptionEnabled
Data-at-rest is protected: Ensure that 'OS disk' are encrypted Ensure that OS disks (boot volumes) are encrypted, where possible Compute
VirtualMachine should have DiskEncryptionStatus . OSDisk
Ensure that 'Data disks' are encrypted Ensure that Data disks (non-boot volumes) are encrypted, where possible Compute
VirtualMachine should have DiskEncryptionStatus . DataDisk
Identities and credentials: Ensure that there are no guest users Do not add guest users if not needed. AAD
User should not have Type eq "Guest"
Identities and credentials: Ensure that no custom subscription owner roles are created Do not create custom roles with subscription ownership. It is recommended to use the principle of least privilege, assigning only needed privileges instead of allowing full administrative access. Auth
Role should not have ( Type eq "CustomRole" and Permissions with [ Actions has ( "*" ) ] )
Identities and credentials: Ensure that Azure Active Directory Admin is configured for SQL Servers Use Azure Active Directory Authentication for authentication with SQL Database. SQL
SQLServer should have ADAdmin . Status
Ensure that a Log Profile exists Enable log profile for exporting activity logs. Monitor
Azure should have ActivityLogProfile len () > 0
Ensure that Activity Log Retention is set 365 days or greater Ensure Activity Log Retention is set for 365 days or greater Monitor
ActivityLogProfile should have RetentionDays gte 365
Ensure that Activity Log Alert exists for Create Policy Assignment Create an Activity Log Alert for the Create Policy Assignment event. Monitor
Azure should have atleast one ActivityLogAlert with [ Conditions with [ Value like "microsoft.authorization/policyassignments/write" ] ]
Ensure that Activity Log Alert exists for Create or Update Network Security Group Create an Activity Log Alert for the Create or Update Network Security Group event. Monitor
Azure should have atleast one ActivityLogAlert with [ Conditions with [ Value like "microsoft.network/networksecuritygroups/write" ] ]
Ensure that Activity Log Alert exists for Delete Network Security Group Create an Activity Log Alert for the Delete Network Security Group event. Monitor
Azure should have atleast one ActivityLogAlert with [ Conditions with [ Value like "microsoft.network/networksecuritygroups/delete" ] ]
Ensure that Activity Log Alert exists for Create or Update Network Security Group Rule Create an Activity Log Alert for the Create or Update Network Security Group Rule event. Monitor
Azure should have atleast one ActivityLogAlert with [ Conditions with [ Value like "microsoft.network/networksecuritygroups/securityrules/write" ] ]
Ensure that Activity Log Alert exists for Delete Network Security Group Rule Create an Activity Log Alert for the Delete Network Security Group Rule event. Monitor
Azure should have atleast one ActivityLogAlert with [ Conditions with [ Value like "microsoft.network/networksecuritygroups/securityrules/delete" ] ]
Ensure that Activity Log Alert exists for Create or Update Security Solution Create an Activity Log Alert for the Create or Update Security Solution event. Monitor
Azure should have atleast one ActivityLogAlert with [ Conditions with [ Value like "microsoft.security/securitysolutions/write" ] ]
Ensure that Activity Log Alert exists for Delete Security Solution Create an Activity Log Alert for the Delete Security Solution event. Monitor
Azure should have atleast one ActivityLogAlert with [ Conditions with [ Value like "microsoft.security/securitysolutions/delete" ] ]
Ensure that Activity Log Alert exists for Create or Update SQL Server Firewall Rule Create an Activity Log Alert for the Create or Update SQL Server Firewall Rule event. Monitor
Azure should have atleast one ActivityLogAlert with [ Conditions with [ Value like "microsoft.sql/servers/firewallrules/write" ] ]
Ensure that Activity Log Alert exists for Delete SQL Server Firewall Rule Create an Activity Log Alert for the Delete SQL Server Firewall Rule event. Monitor
Azure should have atleast one ActivityLogAlert with [ Conditions with [ Value like "microsoft.sql/servers/firewallrules/delete" ] ]
Ensure that Activity Log Alert exists for Update Security Policy Create an Activity Log Alert for the Update Security Policy event. Monitor
Azure should have atleast one ActivityLogAlert with [ Conditions with [ Value like "microsoft.security/policies/write" ] ]
Ensure that logging for Azure KeyVault is 'Enabled' Enable AuditEvent logging for Key Vault instances to ensure interactions with key vaults are logged and available. KeyVault
KeyVault should have DiagnosticSettings with [ StorageAccountId len ( ) gt 0 and Logs with [ Category len ( ) gt 0 and LogEnabled and ( RetentionPolicy . Days gte 180 or RetentionPolicy . Days eq 0 ) ] ]
Ensure ASC Default policy setting 'Monitor Vulnerability Assessment' is not 'Disabled' Enable Vulnerability assessment recommendations for virtual machines. SecurityCenter
SecurityCenterPolicy should have VMVulnerabilityAssessment in ( "AuditIfNotExists", "Audit" )
Vulnerability management plan: Ensure that VM agent is installed Install VM agent on Virtual Machines Compute
VirtualMachine should have Extensions with [ ExtensionType eq "MicrosoftMonitoringAgent" and ProvisioningState eq "Succeeded" ]
Ensure ASC Default policy setting 'Monitor Network Security Groups' is not 'Disabled' Enable Network security groups recommendations for virtual machines. SecurityCenter
SecurityCenterPolicy should have VMNetworkSecurityGroups in ( "AuditIfNotExists", "Audit" )
Ensure ASC Default policy setting 'Monitor Web Application Firewall' is not 'Disabled' Enable Web application firewall recommendations for virtual machines. SecurityCenter
SecurityCenterPolicy should have VMWebApplicationFirewall in ( "AuditIfNotExists", "Audit" )
Ensure ASC Default policy setting 'Enable Next Generation Firewall(NGFW) Monitoring' is not 'Disabled' Enable Next generation firewall recommendations for virtual machines. SecurityCenter
SecurityCenterPolicy should have VMNextGenerationFirewall in ( "AuditIfNotExists", "Audit" )
Ensure ASC Default policy setting 'Monitor JIT Network Access' is not 'Disabled' Enable JIT Network Access for virtual machines. SecurityCenter
SecurityCenterPolicy should have VMJITNetworkAccess in ( "AuditIfNotExists", "Audit" )
Ensure ASC Default policy setting 'Monitor Adaptive Application Whitelisting' is not 'Disabled' Enable adaptive application controls. SecurityCenter
SecurityCenterPolicy should have AdaptiveApplicationControls in ( "AuditIfNotExists", "Audit" )
Ensure that RDP access is restricted from the internet Disable RDP access on Network Security Groups from Internet Network
NetworkSecurityGroup should not have SecurityRules with [ Access eq "Allow" and Direction eq "Inbound" and Protocol in ("*", "UDP", "TCP") and ( Destination . PortRange with [ FromPort lte 3389 and ToPort gte 3389 ] ) and ( ( Source . Type eq "Any" ) or ( Source . Type eq "Service Tag" and Source . ServiceTag eq "Internet" ) or ( Source . Type eq "IP Addresses" and Source . Addresses with [ Prefix in ( "0.0.0.0/0", "::/0", "/0", "/0" ) ] ) ) ]
Ensure that SSH access is restricted from the internet Disable SSH access on Network Security Groups from Internet Network
NetworkSecurityGroup should not have SecurityRules with [ Access eq "Allow" and Direction eq "Inbound" and Protocol in ("*", "TCP") and ( Destination . PortRange with [ FromPort lte 22 and ToPort gte 22 ] ) and ( ( Source . Type eq "Any" ) or ( Source . Type eq "Service Tag" and Source . ServiceTag eq "Internet" ) or ( Source . Type eq "IP Addresses" and Source . Addresses with [ Prefix in ( "0.0.0.0/0", "::/0", "/0", "/0" ) ] ) ) ]
Communications and control network protection: Ensure that SQL server access is restricted from the internet Ensure that no SQL Databases allow ingress from the internet. SQL
SQLServer should not have FirewallRule with [ StartIP eq 0.0.0.0 and EndIP eq 0.0.0.0 ]
Baseline network operations and data flows: Ensure that Network Watcher is 'Enabled' Enable Network Watcher for your Azure Subscriptions Network
Subscription should have NetworkWatcherEnabled
Data-at-rest is protected: Ensure that 'Public access level' is set to Private for blob containers Disable anonymous access to blob containers. Storage
StorageAccount should have every BlobContainers with [ Access eq "None" ] or not AllowBlobPublic
Personnel know response roles/operations: Ensure that 'Security contact emails' is set Provide a security contact email address. SecurityCenter
SecurityCenterPolicy should have SecurityContactEmails len() > 0
Personnel know response roles/operations: Ensure that security contact 'Phone number' is set Provide a security contact phone number. SecurityCenter
SecurityCenterPolicy should have SecurityContactPhoneNumber neq ""
Personnel know response roles/operations: Ensure that 'Send me emails about alerts' is set to 'On' Enable security alerts emailing to security contact. SecurityCenter
SecurityCenterPolicy should have SendEmailAboutAlerts
Personnel know response roles/operations: Ensure that 'Also send email to subscription owners' is set to 'On' Enable security alerts emailing to subscription owners. SecurityCenter
SecurityCenterPolicy should have SendEmailToSubscriptionOwners
Personnel know response roles/operations: Ensure that 'Send Alerts to' is set for SQL Servers Provide the email address to which alerts will be sent upon detection of anomalous activities on SQL Servers. SQL
SQLServer should have ThreatPolicy . EmailAddresses
Personnel know response roles/operations: Ensure that 'Email service and co-administrators' is 'Enabled' for SQL Servers Enable service and co-administrators to receive security alerts from SQL Server. SQL
SQLServer should have ThreatPolicy . EmailAccountAdmins eq "Enabled"
Ensure that 'Send Alerts to' is set for SQL Databases Provide the email address to which alerts will be sent upon detection of anomalous activities on SQL Databases. SQL
SQLDatabase should have ThreatPolicy . EmailAddresses
Ensure that 'Email service and co-administrators' is 'Enabled' for SQL Databases Enable service and co-administrators to receive security alerts from SQL Databases. SQL
SQLDatabase should have ThreatPolicy . EmailAccountAdmins eq "Enabled"
Ensure that the endpoint protection for all Virtual Machines is installed Install Endpoint Protection for all Virtual Machines. Compute
VirtualMachine should have Extensions with [ ExtensionType in ( "EndpointSecurity", "TrendMicroDSA*", "Antimalware" , "EndpointProtection" , "SCWPAgent", "PortalProtectExtension*" , "FileSecurity*" ) ]
Monitor network to detect potential cybersecurity events: Ensure that standard pricing tier is selected in Azure Security Center Standard pricing tier enables threat detection for networks and virtual machines, providing threat intelligence, anomaly detection, and behavior analytics in Azure Security Center. SecurityCenter
SecurityCenterPolicy should have SelectedPricingTier eq "Standard"
Ensure that 'Automatic provisioning of monitoring agent' is set to 'On' Enable Automatic provisioning of monitoring agent to collect security data. AAD
SecurityCenterPolicy should have AutomaticProvisioningOfMonitoringAgent eq "On"
Ensure ASC Default policy setting 'Monitor System Updates' is not 'Disabled' Enable system updates recommendations for virtual machines. SecurityCenter
SecurityCenterPolicy should have VMSystemUpdates in ( "AuditIfNotExists", "Audit" )
Ensure ASC Default policy setting 'Monitor OS Vulnerabilities' is not 'Disabled' Enable OS vulnerabilities recommendations for virtual machines. SecurityCenter
SecurityCenterPolicy should have VMSecurityConfigurations in ( "AuditIfNotExists", "Audit" )
Ensure ASC Default policy setting 'Monitor SQL Auditing' is not 'Disabled' Enable SQL auditing & Threat detection recommendations. SecurityCenter
SecurityCenterPolicy should have SQLAuditingAndThreatDetection in ( "AuditIfNotExists", "Audit" )
Ensure that 'Auditing' is set to 'On' for SQL Servers Enable auditing on SQL Servers. SQL
SQLServer should have AuditPolicy . State eq "Enabled"
Monitor network to detect potential cybersecurity events: Ensure that 'Threat Detection' is set to 'On' for SQL Servers Enable threat detection on SQL Servers. SQL
SQLServer should have ThreatPolicy . State eq "Enabled"
Monitor network to detect potential cybersecurity events: Ensure that 'Threat Detection Types' is set to 'All' for SQL Servers Enable all types of threat detection on SQL Servers. SQL
SQLServer should have ThreatPolicy . State eq "Enabled" and not ( ThreatPolicy . DisabledAlerts like "Sql" or ThreatPolicy . DisabledAlerts like "Anomaly" )
Ensure that 'Auditing' is set to 'On' for SQL Databases Enable auditing on SQL Databases. SQL
SQLDatabase should have AuditPolicy . State eq "Enabled"
Ensure that 'Threat Detection' is set to 'On' for SQL Databases Enable threat detection on SQL Databases. SQL
SQLDatabase should have ThreatPolicy . State eq "Enabled"
Ensure that 'Threat Detection Types' is set to 'All' for SQL Databases Enable all types of threat detection on SQL Databases. SQL
SQLDatabase should have ThreatPolicy . State eq "Enabled" and not ( ThreatPolicy . DisabledAlerts like "Sql" or ThreatPolicy . DisabledAlerts like "Anomaly" )
Name Description Service Rule
Identities and credentials: Ensure that no custom subscription owner roles are created Do not create custom roles with subscription ownership. It is recommended to use the principle of least privilege, assigning only needed privileges instead of allowing full administrative access. Auth
Role should not have ( Type eq "CustomRole" and Permissions with [ Actions has ( "*" ) ] )
Identities and credentials: Ensure that there are no guest users Do not add guest users if not needed. AAD
User should not have Type eq "Guest"
Identities and credentials: Ensure that Azure Active Directory Admin is configured for SQL Servers Use Azure Active Directory Authentication for authentication with SQL Database. SQL
SQLServer should have ADAdmin . Status
Ensure that the expiry date is set on all Keys Ensure that all Keys in Azure Key Vault have an expiry time set. KeyVault
KeyVault should not have Keys with [ Expires eq False ]
Ensure that the expiry date is set on all Secrets Ensure that all Secrets in Azure Key Vault have an expiry time set. KeyVault
KeyVault should not have Secrets with [ Expires eq False ]
Ensure that Activity Log Alert exists for Create or Update Network Security Group Create an Activity Log Alert for the Create or Update Network Security Group event. Monitor
Azure should have atleast one ActivityLogAlert with [ Conditions with [ Value like "microsoft.network/networksecuritygroups/write" ] ]
Ensure that Activity Log Alert exists for Delete Network Security Group Create an Activity Log Alert for the Delete Network Security Group event. Monitor
Azure should have atleast one ActivityLogAlert with [ Conditions with [ Value like "microsoft.network/networksecuritygroups/delete" ] ]
Ensure that Activity Log Alert exists for Create or Update Network Security Group Rule Create an Activity Log Alert for the Create or Update Network Security Group Rule event. Monitor
Azure should have atleast one ActivityLogAlert with [ Conditions with [ Value like "microsoft.network/networksecuritygroups/securityrules/write" ] ]
Ensure that Activity Log Alert exists for Delete Network Security Group Rule Create an Activity Log Alert for the Delete Network Security Group Rule event. Monitor
Azure should have atleast one ActivityLogAlert with [ Conditions with [ Value like "microsoft.network/networksecuritygroups/securityrules/delete" ] ]
Ensure that Activity Log Alert exists for Create or Update SQL Server Firewall Rule Create an Activity Log Alert for the Create or Update SQL Server Firewall Rule event. Monitor
Azure should have atleast one ActivityLogAlert with [ Conditions with [ Value like "microsoft.sql/servers/firewallrules/write" ] ]
Ensure that Activity Log Alert exists for Delete SQL Server Firewall Rule Create an Activity Log Alert for the Delete SQL Server Firewall Rule event. Monitor
Azure should have atleast one ActivityLogAlert with [ Conditions with [ Value like "microsoft.sql/servers/firewallrules/delete" ] ]
Ensure ASC Default policy setting 'Monitor Disk Encryption' is not 'Disabled' Enable Disk encryption recommendations for virtual machines. SecurityCenter
SecurityCenterPolicy should have VMDiskEncryption in ( "AuditIfNotExists", "Audit" )
Ensure that 'Storage Encryption' is set to 'On' Enable Storage Encryption recommendations. SecurityCenter
SecurityCenterPolicy should have StorageEncryption in ( "AuditIfNotExists", "Audit" )
Ensure ASC Default policy setting 'Monitor SQL Encryption' is not 'Disabled' Enable SQL Encryption recommendations. SecurityCenter
SecurityCenterPolicy should have SQLEncryption in ( "AuditIfNotExists", "Audit" )
Ensure that 'Storage service encryption' is set to Enabled for Blob Service Enable data encryption at rest for blobs. Storage
StorageAccount should have BlobEncryptionEnabled
Ensure that 'Storage service encryption' is set to Enabled for File Service Enable data encryption at rest for file service. Storage
StorageAccount should have FileEncryptionEnabled
Data-at-rest is protected: Ensure that 'Public access level' is set to Private for blob containers Disable anonymous access to blob containers. Storage
StorageAccount should have every BlobContainers with [ Access eq "None" ] or not AllowBlobPublic
Data-at-rest is protected: Ensure that 'OS disk' are encrypted Ensure that OS disks (boot volumes) are encrypted, where possible Compute
VirtualMachine should have DiskEncryptionStatus . OSDisk
Ensure that 'Data disks' are encrypted Ensure that Data disks (non-boot volumes) are encrypted, where possible Compute
VirtualMachine should have DiskEncryptionStatus . DataDisk
Ensure that 'Secure transfer required' is set to 'Enabled' Enable data encryption is transit. Storage
StorageAccount should have EnableHttpsTrafficOnly
Ensure ASC Default policy setting 'Monitor System Updates' is not 'Disabled' Enable system updates recommendations for virtual machines. SecurityCenter
SecurityCenterPolicy should have VMSystemUpdates in ( "AuditIfNotExists", "Audit" )
Ensure ASC Default policy setting 'Monitor OS Vulnerabilities' is not 'Disabled' Enable OS vulnerabilities recommendations for virtual machines. SecurityCenter
SecurityCenterPolicy should have VMSecurityConfigurations in ( "AuditIfNotExists", "Audit" )
Ensure ASC Default policy setting 'Monitor Vulnerability Assessment' is not 'Disabled' Enable Vulnerability assessment recommendations for virtual machines. SecurityCenter
SecurityCenterPolicy should have VMVulnerabilityAssessment in ( "AuditIfNotExists", "Audit" )
Vulnerability management plan: Ensure that VM agent is installed Install VM agent on Virtual Machines Compute
VirtualMachine should have Extensions with [ ExtensionType eq "MicrosoftMonitoringAgent" and ProvisioningState eq "Succeeded" ]
Ensure that 'Auditing' is set to 'On' for SQL Servers Enable auditing on SQL Servers. SQL
SQLServer should have AuditPolicy . State eq "Enabled"
Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL Servers SQL Server Audit Retention should be configured to be greater than 90 days. SQL
SQLServer should have ( AuditPolicy . RetentionDays gte 90 or AuditPolicy . RetentionDays lte 0 )
Audit/log records: Ensure that 'Threat Detection' Retention is 'greater than 90 days' for SQL Servers SQL Server Threat Detection Retention should be configured to be greater than 90 days. SQL
SQLServer should have ( ThreatPolicy . RetentionDays gte 90 or ThreatPolicy . RetentionDays lte 0 )
Ensure that a Log Profile exists Enable log profile for exporting activity logs. Monitor
Azure should have ActivityLogProfile len () > 0
Ensure that Activity Log Retention is set 365 days or greater Ensure Activity Log Retention is set for 365 days or greater Monitor
ActivityLogProfile should have RetentionDays gte 365
Ensure that Activity Log Alert exists for Create Policy Assignment Create an Activity Log Alert for the Create Policy Assignment event. Monitor
Azure should have atleast one ActivityLogAlert with [ Conditions with [ Value like "microsoft.authorization/policyassignments/write" ] ]
Ensure that Activity Log Alert exists for Create or Update Security Solution Create an Activity Log Alert for the Create or Update Security Solution event. Monitor
Azure should have atleast one ActivityLogAlert with [ Conditions with [ Value like "microsoft.security/securitysolutions/write" ] ]
Ensure that Activity Log Alert exists for Delete Security Solution Create an Activity Log Alert for the Delete Security Solution event. Monitor
Azure should have atleast one ActivityLogAlert with [ Conditions with [ Value like "microsoft.security/securitysolutions/delete" ] ]
Ensure that Activity Log Alert exists for Update Security Policy Create an Activity Log Alert for the Update Security Policy event. Monitor
Azure should have atleast one ActivityLogAlert with [ Conditions with [ Value like "microsoft.security/policies/write" ] ]
Ensure that logging for Azure KeyVault is 'Enabled' Enable AuditEvent logging for Key Vault instances to ensure interactions with key vaults are logged and available. KeyVault
KeyVault should have DiagnosticSettings with [ StorageAccountId len ( ) gt 0 and Logs with [ Category len ( ) gt 0 and LogEnabled and ( RetentionPolicy . Days gte 180 or RetentionPolicy . Days eq 0 ) ] ]
Ensure ASC Default policy setting 'Monitor Network Security Groups' is not 'Disabled' Enable Network security groups recommendations for virtual machines. SecurityCenter
SecurityCenterPolicy should have VMNetworkSecurityGroups in ( "AuditIfNotExists", "Audit" )
Ensure ASC Default policy setting 'Monitor Web Application Firewall' is not 'Disabled' Enable Web application firewall recommendations for virtual machines. SecurityCenter
SecurityCenterPolicy should have VMWebApplicationFirewall in ( "AuditIfNotExists", "Audit" )
Ensure ASC Default policy setting 'Enable Next Generation Firewall(NGFW) Monitoring' is not 'Disabled' Enable Next generation firewall recommendations for virtual machines. SecurityCenter
SecurityCenterPolicy should have VMNextGenerationFirewall in ( "AuditIfNotExists", "Audit" )
Ensure ASC Default policy setting 'Monitor JIT Network Access' is not 'Disabled' Enable JIT Network Access for virtual machines. SecurityCenter
SecurityCenterPolicy should have VMJITNetworkAccess in ( "AuditIfNotExists", "Audit" )
Ensure that RDP access is restricted from the internet Disable RDP access on Network Security Groups from Internet Network
NetworkSecurityGroup should not have SecurityRules with [ Access eq "Allow" and Direction eq "Inbound" and Protocol in ("*", "UDP", "TCP") and ( Destination . PortRange with [ FromPort lte 3389 and ToPort gte 3389 ] ) and ( ( Source . Type eq "Any" ) or ( Source . Type eq "Service Tag" and Source . ServiceTag eq "Internet" ) or ( Source . Type eq "IP Addresses" and Source . Addresses with [ Prefix in ( "0.0.0.0/0", "::/0", "/0", "/0" ) ] ) ) ]
Ensure that SSH access is restricted from the internet Disable SSH access on Network Security Groups from Internet Network
NetworkSecurityGroup should not have SecurityRules with [ Access eq "Allow" and Direction eq "Inbound" and Protocol in ("*", "TCP") and ( Destination . PortRange with [ FromPort lte 22 and ToPort gte 22 ] ) and ( ( Source . Type eq "Any" ) or ( Source . Type eq "Service Tag" and Source . ServiceTag eq "Internet" ) or ( Source . Type eq "IP Addresses" and Source . Addresses with [ Prefix in ( "0.0.0.0/0", "::/0", "/0", "/0" ) ] ) ) ]
Communications and control network protection: Ensure that SQL server access is restricted from the internet Ensure that no SQL Databases allow ingress from the internet. SQL
SQLServer should not have FirewallRule with [ StartIP eq 0.0.0.0 and EndIP eq 0.0.0.0 ]
Baseline network operations and data flows: Ensure that Network Watcher is 'Enabled' Enable Network Watcher for your Azure Subscriptions Network
Subscription should have NetworkWatcherEnabled
Monitor network to detect potential cybersecurity events: Ensure that standard pricing tier is selected in Azure Security Center Standard pricing tier enables threat detection for networks and virtual machines, providing threat intelligence, anomaly detection, and behavior analytics in Azure Security Center. SecurityCenter
SecurityCenterPolicy should have SelectedPricingTier eq "Standard"
Ensure that 'Automatic provisioning of monitoring agent' is set to 'On' Enable Automatic provisioning of monitoring agent to collect security data. AAD
SecurityCenterPolicy should have AutomaticProvisioningOfMonitoringAgent eq "On"
Ensure ASC Default policy setting 'Monitor SQL Auditing' is not 'Disabled' Enable SQL auditing & Threat detection recommendations. SecurityCenter
SecurityCenterPolicy should have SQLAuditingAndThreatDetection in ( "AuditIfNotExists", "Audit" )
Monitor network to detect potential cybersecurity events: Ensure that 'Threat Detection' is set to 'On' for SQL Servers Enable threat detection on SQL Servers. SQL
SQLServer should have ThreatPolicy . State eq "Enabled"
Monitor network to detect potential cybersecurity events: Ensure that 'Threat Detection Types' is set to 'All' for SQL Servers Enable all types of threat detection on SQL Servers. SQL
SQLServer should have ThreatPolicy . State eq "Enabled" and not ( ThreatPolicy . DisabledAlerts like "Sql" or ThreatPolicy . DisabledAlerts like "Anomaly" )
Ensure ASC Default policy setting 'Monitor Endpoint Protection' is not 'Disabled' Enable Endpoint protection recommendations for virtual machines. SecurityCenter
SecurityCenterPolicy should have VMEndpointProtection in ( "AuditIfNotExists", "Audit" )
Ensure ASC Default policy setting 'Monitor Adaptive Application Whitelisting' is not 'Disabled' Enable adaptive application controls. SecurityCenter
SecurityCenterPolicy should have AdaptiveApplicationControls in ( "AuditIfNotExists", "Audit" )
Ensure that the endpoint protection for all Virtual Machines is installed Install Endpoint Protection for all Virtual Machines. Compute
VirtualMachine should have Extensions with [ ExtensionType in ( "EndpointSecurity", "TrendMicroDSA*", "Antimalware" , "EndpointProtection" , "SCWPAgent", "PortalProtectExtension*" , "FileSecurity*" ) ]
Personnel know response roles/operations: Ensure that 'Security contact emails' is set Provide a security contact email address. SecurityCenter
SecurityCenterPolicy should have SecurityContactEmails len() > 0
Personnel know response roles/operations: Ensure that security contact 'Phone number' is set Provide a security contact phone number. SecurityCenter
SecurityCenterPolicy should have SecurityContactPhoneNumber neq ""
Personnel know response roles/operations: Ensure that 'Send me emails about alerts' is set to 'On' Enable security alerts emailing to security contact. SecurityCenter
SecurityCenterPolicy should have SendEmailAboutAlerts
Personnel know response roles/operations: Ensure that 'Also send email to subscription owners' is set to 'On' Enable security alerts emailing to subscription owners. SecurityCenter
SecurityCenterPolicy should have SendEmailToSubscriptionOwners
Personnel know response roles/operations: Ensure that 'Send Alerts to' is set for SQL Servers Provide the email address to which alerts will be sent upon detection of anomalous activities on SQL Servers. SQL
SQLServer should have ThreatPolicy . EmailAddresses
Personnel know response roles/operations: Ensure that 'Email service and co-administrators' is 'Enabled' for SQL Servers Enable service and co-administrators to receive security alerts from SQL Server. SQL
SQLServer should have ThreatPolicy . EmailAccountAdmins eq "Enabled"
Name Description Service Rule
Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL Servers SQL Server Audit Retention should be configured to be greater than 90 days. SQL
SQLServer should have ( AuditPolicy . RetentionDays gte 90 or AuditPolicy . RetentionDays lte 0 )
Audit/log records: Ensure that 'Threat Detection' Retention is 'greater than 90 days' for SQL Servers SQL Server Threat Detection Retention should be configured to be greater than 90 days. SQL
SQLServer should have ( ThreatPolicy . RetentionDays gte 90 or ThreatPolicy . RetentionDays lte 0 )
Ensure that the expiry date is set on all Keys Ensure that all Keys in Azure Key Vault have an expiry time set. KeyVault
KeyVault should not have Keys with [ Expires eq False ]
Ensure that the expiry date is set on all Secrets Ensure that all Secrets in Azure Key Vault have an expiry time set. KeyVault
KeyVault should not have Secrets with [ Expires eq False ]
Ensure ASC Default policy setting 'Monitor Endpoint Protection' is not 'Disabled' Enable Endpoint protection recommendations for virtual machines. SecurityCenter
SecurityCenterPolicy should have VMEndpointProtection in ( "AuditIfNotExists", "Audit" )
Ensure ASC Default policy setting 'Monitor Disk Encryption' is not 'Disabled' Enable Disk encryption recommendations for virtual machines. SecurityCenter
SecurityCenterPolicy should have VMDiskEncryption in ( "AuditIfNotExists", "Audit" )
Ensure that 'Storage Encryption' is set to 'On' Enable Storage Encryption recommendations. SecurityCenter
SecurityCenterPolicy should have StorageEncryption in ( "AuditIfNotExists", "Audit" )
Ensure ASC Default policy setting 'Monitor SQL Encryption' is not 'Disabled' Enable SQL Encryption recommendations. SecurityCenter
SecurityCenterPolicy should have SQLEncryption in ( "AuditIfNotExists", "Audit" )
Ensure that 'Secure transfer required' is set to 'Enabled' Enable data encryption is transit. Storage
StorageAccount should have EnableHttpsTrafficOnly
Ensure that 'Storage service encryption' is set to Enabled for Blob Service Enable data encryption at rest for blobs. Storage
StorageAccount should have BlobEncryptionEnabled
Ensure that 'Storage service encryption' is set to Enabled for File Service Enable data encryption at rest for file service. Storage
StorageAccount should have FileEncryptionEnabled
Data-at-rest is protected: Ensure that 'OS disk' are encrypted Ensure that OS disks (boot volumes) are encrypted, where possible Compute
VirtualMachine should have DiskEncryptionStatus . OSDisk
Ensure that 'Data disks' are encrypted Ensure that Data disks (non-boot volumes) are encrypted, where possible Compute
VirtualMachine should have DiskEncryptionStatus . DataDisk
Identities and credentials: Ensure that there are no guest users Do not add guest users if not needed. AAD
User should not have Type eq "Guest"
Identities and credentials: Ensure that no custom subscription owner roles are created Do not create custom roles with subscription ownership. It is recommended to use the principle of least privilege, assigning only needed privileges instead of allowing full administrative access. Auth
Role should not have ( Type eq "CustomRole" and Permissions with [ Actions has ( "*" ) ] )
Identities and credentials: Ensure that Azure Active Directory Admin is configured for SQL Servers Use Azure Active Directory Authentication for authentication with SQL Database. SQL
SQLServer should have ADAdmin . Status
Ensure that a Log Profile exists Enable log profile for exporting activity logs. Monitor
Azure should have ActivityLogProfile len () > 0
Ensure that Activity Log Retention is set 365 days or greater Ensure Activity Log Retention is set for 365 days or greater Monitor
ActivityLogProfile should have RetentionDays gte 365
Ensure that Activity Log Alert exists for Create Policy Assignment Create an Activity Log Alert for the Create Policy Assignment event. Monitor
Azure should have atleast one ActivityLogAlert with [ Conditions with [ Value like "microsoft.authorization/policyassignments/write" ] ]
Ensure that Activity Log Alert exists for Create or Update Network Security Group Create an Activity Log Alert for the Create or Update Network Security Group event. Monitor
Azure should have atleast one ActivityLogAlert with [ Conditions with [ Value like "microsoft.network/networksecuritygroups/write" ] ]
Ensure that Activity Log Alert exists for Delete Network Security Group Create an Activity Log Alert for the Delete Network Security Group event. Monitor
Azure should have atleast one ActivityLogAlert with [ Conditions with [ Value like "microsoft.network/networksecuritygroups/delete" ] ]
Ensure that Activity Log Alert exists for Create or Update Network Security Group Rule Create an Activity Log Alert for the Create or Update Network Security Group Rule event. Monitor
Azure should have atleast one ActivityLogAlert with [ Conditions with [ Value like "microsoft.network/networksecuritygroups/securityrules/write" ] ]
Ensure that Activity Log Alert exists for Delete Network Security Group Rule Create an Activity Log Alert for the Delete Network Security Group Rule event. Monitor
Azure should have atleast one ActivityLogAlert with [ Conditions with [ Value like "microsoft.network/networksecuritygroups/securityrules/delete" ] ]
Ensure that Activity Log Alert exists for Create or Update Security Solution Create an Activity Log Alert for the Create or Update Security Solution event. Monitor
Azure should have atleast one ActivityLogAlert with [ Conditions with [ Value like "microsoft.security/securitysolutions/write" ] ]
Ensure that Activity Log Alert exists for Delete Security Solution Create an Activity Log Alert for the Delete Security Solution event. Monitor
Azure should have atleast one ActivityLogAlert with [ Conditions with [ Value like "microsoft.security/securitysolutions/delete" ] ]
Ensure that Activity Log Alert exists for Create or Update SQL Server Firewall Rule Create an Activity Log Alert for the Create or Update SQL Server Firewall Rule event. Monitor
Azure should have atleast one ActivityLogAlert with [ Conditions with [ Value like "microsoft.sql/servers/firewallrules/write" ] ]
Ensure that Activity Log Alert exists for Delete SQL Server Firewall Rule Create an Activity Log Alert for the Delete SQL Server Firewall Rule event. Monitor
Azure should have atleast one ActivityLogAlert with [ Conditions with [ Value like "microsoft.sql/servers/firewallrules/delete" ] ]
Ensure that Activity Log Alert exists for Update Security Policy Create an Activity Log Alert for the Update Security Policy event. Monitor
Azure should have atleast one ActivityLogAlert with [ Conditions with [ Value like "microsoft.security/policies/write" ] ]
Ensure that logging for Azure KeyVault is 'Enabled' Enable AuditEvent logging for Key Vault instances to ensure interactions with key vaults are logged and available. KeyVault
KeyVault should have DiagnosticSettings with [ StorageAccountId len ( ) gt 0 and Logs with [ Category len ( ) gt 0 and LogEnabled and ( RetentionPolicy . Days gte 180 or RetentionPolicy . Days eq 0 ) ] ]
Ensure ASC Default policy setting 'Monitor Vulnerability Assessment' is not 'Disabled' Enable Vulnerability assessment recommendations for virtual machines. SecurityCenter
SecurityCenterPolicy should have VMVulnerabilityAssessment in ( "AuditIfNotExists", "Audit" )
Vulnerability management plan: Ensure that VM agent is installed Install VM agent on Virtual Machines Compute
VirtualMachine should have Extensions with [ ExtensionType eq "MicrosoftMonitoringAgent" and ProvisioningState eq "Succeeded" ]
Ensure ASC Default policy setting 'Monitor Network Security Groups' is not 'Disabled' Enable Network security groups recommendations for virtual machines. SecurityCenter
SecurityCenterPolicy should have VMNetworkSecurityGroups in ( "AuditIfNotExists", "Audit" )
Ensure ASC Default policy setting 'Monitor Web Application Firewall' is not 'Disabled' Enable Web application firewall recommendations for virtual machines. SecurityCenter
SecurityCenterPolicy should have VMWebApplicationFirewall in ( "AuditIfNotExists", "Audit" )
Ensure ASC Default policy setting 'Enable Next Generation Firewall(NGFW) Monitoring' is not 'Disabled' Enable Next generation firewall recommendations for virtual machines. SecurityCenter
SecurityCenterPolicy should have VMNextGenerationFirewall in ( "AuditIfNotExists", "Audit" )
Ensure ASC Default policy setting 'Monitor JIT Network Access' is not 'Disabled' Enable JIT Network Access for virtual machines. SecurityCenter
SecurityCenterPolicy should have VMJITNetworkAccess in ( "AuditIfNotExists", "Audit" )
Ensure ASC Default policy setting 'Monitor Adaptive Application Whitelisting' is not 'Disabled' Enable adaptive application controls. SecurityCenter
SecurityCenterPolicy should have AdaptiveApplicationControls in ( "AuditIfNotExists", "Audit" )
Ensure that RDP access is restricted from the internet Disable RDP access on Network Security Groups from Internet Network
NetworkSecurityGroup should not have SecurityRules with [ Access eq "Allow" and Direction eq "Inbound" and Protocol in ("*", "UDP", "TCP") and ( Destination . PortRange with [ FromPort lte 3389 and ToPort gte 3389 ] ) and ( ( Source . Type eq "Any" ) or ( Source . Type eq "Service Tag" and Source . ServiceTag eq "Internet" ) or ( Source . Type eq "IP Addresses" and Source . Addresses with [ Prefix in ( "0.0.0.0/0", "::/0", "/0", "/0" ) ] ) ) ]
Ensure that SSH access is restricted from the internet Disable SSH access on Network Security Groups from Internet Network
NetworkSecurityGroup should not have SecurityRules with [ Access eq "Allow" and Direction eq "Inbound" and Protocol in ("*", "TCP") and ( Destination . PortRange with [ FromPort lte 22 and ToPort gte 22 ] ) and ( ( Source . Type eq "Any" ) or ( Source . Type eq "Service Tag" and Source . ServiceTag eq "Internet" ) or ( Source . Type eq "IP Addresses" and Source . Addresses with [ Prefix in ( "0.0.0.0/0", "::/0", "/0", "/0" ) ] ) ) ]
Communications and control network protection: Ensure that SQL server access is restricted from the internet Ensure that no SQL Databases allow ingress from the internet. SQL
SQLServer should not have FirewallRule with [ StartIP eq 0.0.0.0 and EndIP eq 0.0.0.0 ]
Baseline network operations and data flows: Ensure that Network Watcher is 'Enabled' Enable Network Watcher for your Azure Subscriptions Network
Subscription should have NetworkWatcherEnabled
Data-at-rest is protected: Ensure that 'Public access level' is set to Private for blob containers Disable anonymous access to blob containers. Storage
StorageAccount should have every BlobContainers with [ Access eq "None" ] or not AllowBlobPublic
Personnel know response roles/operations: Ensure that 'Security contact emails' is set Provide a security contact email address. SecurityCenter
SecurityCenterPolicy should have SecurityContactEmails len() > 0
Personnel know response roles/operations: Ensure that security contact 'Phone number' is set Provide a security contact phone number. SecurityCenter
SecurityCenterPolicy should have SecurityContactPhoneNumber neq ""
Personnel know response roles/operations: Ensure that 'Send me emails about alerts' is set to 'On' Enable security alerts emailing to security contact. SecurityCenter
SecurityCenterPolicy should have SendEmailAboutAlerts
Personnel know response roles/operations: Ensure that 'Also send email to subscription owners' is set to 'On' Enable security alerts emailing to subscription owners. SecurityCenter
SecurityCenterPolicy should have SendEmailToSubscriptionOwners
Personnel know response roles/operations: Ensure that 'Send Alerts to' is set for SQL Servers Provide the email address to which alerts will be sent upon detection of anomalous activities on SQL Servers. SQL
SQLServer should have ThreatPolicy . EmailAddresses
Personnel know response roles/operations: Ensure that 'Email service and co-administrators' is 'Enabled' for SQL Servers Enable service and co-administrators to receive security alerts from SQL Server. SQL
SQLServer should have ThreatPolicy . EmailAccountAdmins eq "Enabled"
Ensure that 'Send Alerts to' is set for SQL Databases Provide the email address to which alerts will be sent upon detection of anomalous activities on SQL Databases. SQL
SQLDatabase should have ThreatPolicy . EmailAddresses
Ensure that 'Email service and co-administrators' is 'Enabled' for SQL Databases Enable service and co-administrators to receive security alerts from SQL Databases. SQL
SQLDatabase should have ThreatPolicy . EmailAccountAdmins eq "Enabled"
Monitor network to detect potential cybersecurity events: Ensure that standard pricing tier is selected in Azure Security Center Standard pricing tier enables threat detection for networks and virtual machines, providing threat intelligence, anomaly detection, and behavior analytics in Azure Security Center. SecurityCenter
SecurityCenterPolicy should have SelectedPricingTier eq "Standard"
Ensure that 'Automatic provisioning of monitoring agent' is set to 'On' Enable Automatic provisioning of monitoring agent to collect security data. AAD
SecurityCenterPolicy should have AutomaticProvisioningOfMonitoringAgent eq "On"
Ensure ASC Default policy setting 'Monitor System Updates' is not 'Disabled' Enable system updates recommendations for virtual machines. SecurityCenter
SecurityCenterPolicy should have VMSystemUpdates in ( "AuditIfNotExists", "Audit" )
Ensure ASC Default policy setting 'Monitor OS Vulnerabilities' is not 'Disabled' Enable OS vulnerabilities recommendations for virtual machines. SecurityCenter
SecurityCenterPolicy should have VMSecurityConfigurations in ( "AuditIfNotExists", "Audit" )
Ensure ASC Default policy setting 'Monitor SQL Auditing' is not 'Disabled' Enable SQL auditing & Threat detection recommendations. SecurityCenter
SecurityCenterPolicy should have SQLAuditingAndThreatDetection in ( "AuditIfNotExists", "Audit" )
Ensure that 'Auditing' is set to 'On' for SQL Servers Enable auditing on SQL Servers. SQL
SQLServer should have AuditPolicy . State eq "Enabled"
Monitor network to detect potential cybersecurity events: Ensure that 'Threat Detection' is set to 'On' for SQL Servers Enable threat detection on SQL Servers. SQL
SQLServer should have ThreatPolicy . State eq "Enabled"
Monitor network to detect potential cybersecurity events: Ensure that 'Threat Detection Types' is set to 'All' for SQL Servers Enable all types of threat detection on SQL Servers. SQL
SQLServer should have ThreatPolicy . State eq "Enabled" and not ( ThreatPolicy . DisabledAlerts like "Sql" or ThreatPolicy . DisabledAlerts like "Anomaly" )
Ensure that 'Auditing' is set to 'On' for SQL Databases Enable auditing on SQL Databases. SQL
SQLDatabase should have AuditPolicy . State eq "Enabled"
Ensure that 'Threat Detection' is set to 'On' for SQL Databases Enable threat detection on SQL Databases. SQL
SQLDatabase should have ThreatPolicy . State eq "Enabled"
Ensure that 'Threat Detection Types' is set to 'All' for SQL Databases Enable all types of threat detection on SQL Databases. SQL
SQLDatabase should have ThreatPolicy . State eq "Enabled" and not ( ThreatPolicy . DisabledAlerts like "Sql" or ThreatPolicy . DisabledAlerts like "Anomaly" )
Ensure that the endpoint protection for all Virtual Machines is installed Install Endpoint Protection for all Virtual Machines. Compute
VirtualMachine should have Extensions with [ ExtensionType in ( "EndpointSecurity", "TrendMicroDSA*", "Antimalware" , "EndpointProtection" , "SCWPAgent", "PortalProtectExtension*" , "FileSecurity*" ) ]
Name Description Service Rule
Ensure ASC Default policy setting 'Monitor Network Security Groups' is not 'Disabled' Enable Network security groups recommendations for virtual machines. SecurityCenter
SecurityCenterPolicy should have VMNetworkSecurityGroups in ( "AuditIfNotExists", "Audit" )
Ensure that inbound access from the Internet is restricted Make sure Network Security Groups do not allow any inbound access from the Internet. Network
NetworkSecurityGroup should not have SecurityRules with [ Access eq "Allow" and Direction eq "Inbound" and Protocol in ("*", "UDP", "TCP") and ( Destination . PortRange with [ ( FromPort eq 0 and ToPort eq 65535 ) ] ) and ( ( Source . Type eq "Any" ) or ( Source . Type eq "Service Tag" and Source . ServiceTag eq "Internet" ) or ( Source . Type eq "IP Addresses" and Source . Addresses with [ Prefix in ( "0.0.0.0/0", "::/0", "/0", "/0") ] ) ) ]
Do not allow default Network Security Groups Check for Network Security Groups with only default rules, which by default allows all outbound Internet traffic. Network
NetworkSecurityGroup should have SecurityRules len() gt 0 and no SecurityRules with [ Access eq "Allow" and Direction eq "Inbound" and ( ( Source . Type eq "Any" ) or ( Source . Type eq "Service Tag" and Source . ServiceTag eq "Internet" ) or ( Source . Type eq "IP Addresses" and Source . Addresses with [ Prefix in ( "0.0.0.0/0", "::/0", "/0", "/0") ] ) ) ] and SecurityRules with [ Access eq "Deny" and Direction eq "Outbound" and ( ( Destination . PortRange with [ ( FromPort eq 0 and ToPort eq 65535 ) ] ) and ( ( Destination . Type eq "Any" ) or ( Destination . Type eq "IP Addresses" and Destination . Addresses with [ Prefix in ( "0.0.0.0/0", "::/0", "/0", "/0" ) ] ) or ( Destination . Type eq "Service Tag" and Destination . ServiceTag eq "Internet" ) ) ) ]
Ensure that relational database access is restricted from the Internet Ensure that common SQL Database (SQLServer, mySQL, Oracle, Postgres) ports are not allowed inbound access from the internet. Network
NetworkSecurityGroup should not have SecurityRules with [ Access eq "Allow" and Direction eq "Inbound" and Protocol in ("*", "UDP", "TCP") and ( Destination . PortRange with [ ( FromPort lte 1433 and ToPort gte 1433 ) or ( FromPort lte 3306 and ToPort gte 3306 ) or ( FromPort lte 1521 and ToPort gte 1521 ) or ( FromPort lte 5432 and ToPort gte 5432 ) ] ) and ( ( Source . Type eq "Any" ) or ( Source . Type eq "Service Tag" and Source . ServiceTag eq "Internet" ) or ( Source . Type eq "IP Addresses" and Source . Addresses with [ Prefix in ( "0.0.0.0/0", "::/0", "/0", "/0") ] ) ) ]
Ensure that SSH access is restricted from the internet Check Network Security Groups for any inbound access from the Internet to SSH port 22 (TCP). Network
NetworkSecurityGroup should not have SecurityRules with [ Access eq "Allow" and Direction eq "Inbound" and Protocol in ("*", "TCP") and ( Destination . PortRange with [ FromPort lte 22 and ToPort gte 22 ] ) and ( ( Source . Type eq "Any" ) or ( Source . Type eq "Service Tag" and Source . ServiceTag eq "Internet" ) or ( Source . Type eq "IP Addresses" and Source . Addresses with [ Prefix in ( "0.0.0.0/0", "::/0", "/0", "/0") ] ) ) ]
Ensure that FTP access is restricted from the Internet Check Network Security Groups for FTP access from the Internet. Network
NetworkSecurityGroup should not have SecurityRules with [ Access eq "Allow" and Direction eq "Inbound" and Protocol in ("*", "TCP") and ( Destination . PortRange with [ ( FromPort lte 21 and ToPort gte 20 ) ] ) and ( ( Source . Type eq "Any" ) or ( Source . Type eq "Service Tag" and Source . ServiceTag eq "Internet" ) or ( Source . Type eq "IP Addresses" and Source . Addresses with [ Prefix in ( "0.0.0.0/0", "::/0", "/0", "/0") ] ) ) ]
Ensure that clear text protocols from the Internet are restricted Check Network Security Groups for inbound access of clear-text protocols (telnet, SMTP, POP, IMAP, and SNMP) from the Internet. Network
NetworkSecurityGroup should not have SecurityRules with [ Access eq "Allow" and Direction eq "Inbound" and ( ( Protocol in ( "*", "TCP" ) and ( Destination . PortRange with [ ( FromPort lte 23 and ToPort gte 23 ) or ( FromPort lte 25 and ToPort gte 25 ) or ( FromPort lte 110 and ToPort gte 110 ) or ( FromPort lte 143 and ToPort gte 143 ) or ( FromPort lte 162 and ToPort gte 161 ) ] ) ) or ( Protocol in ( "*" , "UDP" ) and ( Destination . PortRange with [ ( FromPort lte 162 and ToPort gte 161 ) ] ) ) ) and ( ( Source . Type eq "Any" ) or ( Source . Type eq "Service Tag" and Source . ServiceTag eq "Internet" ) or ( Source . Type eq "IP Addresses" and Source . Addresses with [ Prefix in ( "0.0.0.0/0", "::/0", "/0", "/0") ] ) ) ]
Ensure that commonly-attacked ports access are restricted from the Internet Prevent inbound access from the Internet to commonly attacked ports (TCP 0, 19, 135-139, 445, 1080, 5900) and (UDP 67, 520, 547, 1900). Network
NetworkSecurityGroup should not have SecurityRules with [ Access eq "Allow" and Direction eq "Inbound" and ( ( Protocol in ( "*", "TCP" ) and ( Destination . PortRange with [ ( FromPort lte 0 and ToPort gte 0 ) or ( FromPort lte 19 and ToPort gte 19 ) or ( FromPort lte 139 and ToPort gte 135 ) or ( FromPort lte 445 and ToPort gte 445 ) or ( FromPort lte 1080 and ToPort gte 1080 ) or ( FromPort lte 5800 and ToPort gte 5800 ) or ( FromPort lte 5900 and ToPort gte 5900) ] ) ) or ( Protocol in ( "*", "UDP" ) and ( Destination . PortRange with [ ( FromPort lte 19 and ToPort gte 19 ) or ( FromPort lte 123 and ToPort gte 123 ) or ( FromPort lte 67 and ToPort gte 67 ) or ( FromPort lte 139 and ToPort gte 135 ) or ( FromPort lte 445 and ToPort gte 445 ) or ( FromPort lte 520 and ToPort gte 520 ) or ( FromPort lte 547 and ToPort gte 547 ) or ( FromPort lte 1900 and ToPort gte 1900 ) ] ) ) ) and ( ( Source . Type eq "Any" ) or ( Source . Type eq "Service Tag" and Source . ServiceTag eq "Internet" ) or ( Source . Type eq "IP Addresses" and Source . Addresses with [ Prefix in ( "0.0.0.0/0", "::/0", "/0", "/0" ) ] ) ) ]
Ensure that RDP access is restricted from the internet Check Network Security Groups for any inbound access from the Internet to RDP port 3389 (UDP or TCP). Network
NetworkSecurityGroup should not have SecurityRules with [ Access eq "Allow" and Direction eq "Inbound" and Protocol in ("*", "UDP", "TCP") and ( Destination . PortRange with [ FromPort lte 3389 and ToPort gte 3389 ] ) and ( ( Source . Type eq "Any" ) or ( Source . Type eq "Service Tag" and Source . ServiceTag eq "Internet" ) or ( Source . Type eq "IP Addresses" and Source . Addresses with [ Prefix in ( "0.0.0.0/0", "::/0", "/0", "/0") ] ) ) ]
Prevent inbound traffic from the Internet that has spoofed or invalid src IP addresses Prevent any inbound traffic from the internet that has unroutable, reserved, or invalid source IP addresses. Network
NetworkSecurityGroup should not have SecurityRules with [ Access eq "Allow" and Direction eq "Inbound" and ( ( Source . Type eq "Any" ) or ( Source . Type eq "IP Addresses" and Source . Addresses with [ Prefix in ( 0.0.0.0/8, 100.64.0.0/10, 127.0.0.0/8, 169.254.0.0/16, 192.0.0.0/24, 192.0.2.0/24, 192.88.99.0/24, 198.18.0.0/15, 198.51.100.0/25, 203.0.113.0/24, 224.0.0.0/4, 240.0.0.0/4, 255.255.255.255/32, 0.0.0.0/0 ) ] ) ) ]
Ensure that all inbound traffic from the Internet is restricted Check Network Security Groups for rules allowing any inbound traffic from the Internet. Network
NetworkSecurityGroup should not have SecurityRules with [ Access eq "Allow" and Direction eq "Inbound" and ( ( Source . Type eq "Any" ) or ( Source . Type eq "Service Tag" and Source . ServiceTag eq "Internet" ) or ( Source . Type eq "IP Addresses" and ( Source . Addresses with [ Prefix isPublic() or Prefix in ( "/0", "/0") ] ) ) ) ]
Ensure ASC Default policy setting 'Monitor JIT Network Access' is not 'Disabled' Enable JIT Network Access for virtual machines. SecurityCenter
SecurityCenterPolicy should have VMJITNetworkAccess in ( "AuditIfNotExists", "Audit" )
Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL Servers SQL Server Audit Retention should be configured to be greater than 90 days. SQL
SQLServer should have ( AuditPolicy . RetentionDays gte 90 or AuditPolicy . RetentionDays lte 0 )
Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL Databases SQL Database Audit Retention should be configured to be greater than 90 days. SQL
SQLDatabase should have ( AuditPolicy . RetentionDays gte 90 or AuditPolicy . RetentionDays lte 0 )
Ensure ASC Default policy setting 'Monitor Disk Encryption' is not 'Disabled' Enable Disk encryption recommendations for virtual machines. SecurityCenter
SecurityCenterPolicy should have VMDiskEncryption in ( "AuditIfNotExists", "Audit" )
Ensure that 'Storage Encryption' is set to 'On' Enable Storage Encryption recommendations. SecurityCenter
SecurityCenterPolicy should have StorageEncryption in ( "AuditIfNotExists", "Audit" )
Ensure ASC Default policy setting 'Monitor SQL Encryption' is not 'Disabled' Enable SQL Encryption recommendations. SecurityCenter
SecurityCenterPolicy should have SQLEncryption in ( "AuditIfNotExists", "Audit" )
Ensure that 'Storage service encryption' is set to Enabled for Blob Service Enable data encryption at rest for blobs. Storage
StorageAccount should have BlobEncryptionEnabled
Ensure that 'Storage service encryption' is set to Enabled for File Service Enable data encryption at rest for file service. Storage
StorageAccount should have FileEncryptionEnabled
Ensure that 'Data encryption' is set to 'On' for SQL Databases Encrypt database. SQL
SQLDatabase should have DataEncryption . TransparentDataEncryptionStatus eq "Enabled"
Ensure that 'Data disks' are encrypted Ensure that Data disks (non-boot volumes) are encrypted, where possible Compute
VirtualMachine should have DiskEncryptionStatus . DataDisk
Ensure that the expiry date is set on all Keys Ensure that all Keys in Azure Key Vault have an expiry time set. KeyVault
KeyVault should not have Keys with [ Expires eq False ]
Ensure that the expiry date is set on all Secrets Ensure that all Secrets in Azure Key Vault have an expiry time set. KeyVault
KeyVault should not have Secrets with [ Expires eq False ]
Ensure that 'Secure transfer required' is set to 'Enabled' Enable data encryption is transit. Storage
StorageAccount should have EnableHttpsTrafficOnly
Ensure ASC Default policy setting 'Monitor Endpoint Protection' is not 'Disabled' Enable Endpoint protection recommendations for virtual machines. SecurityCenter
SecurityCenterPolicy should have VMEndpointProtection in ( "AuditIfNotExists", "Audit" )
Ensure that the endpoint protection for all Virtual Machines is installed Install Endpoint Protection for all Virtual Machines. Compute
VirtualMachine should have Extensions with [ ExtensionType in ( "EndpointSecurity", "TrendMicroDSA*", "Antimalware" , "EndpointProtection" , "SCWPAgent", "PortalProtectExtension*" , "FileSecurity*" ) ]
Ensure ASC Default policy setting 'Monitor System Updates' is not 'Disabled' Enable system updates recommendations for virtual machines. SecurityCenter
SecurityCenterPolicy should have VMSystemUpdates in ( "AuditIfNotExists", "Audit" )
Ensure ASC Default policy setting 'Monitor OS Vulnerabilities' is not 'Disabled' Enable OS vulnerabilities recommendations for virtual machines. SecurityCenter
SecurityCenterPolicy should have VMSecurityConfigurations in ( "AuditIfNotExists", "Audit" )
Ensure that 'Automatic provisioning of monitoring agent' is set to 'On' Enable Automatic provisioning of monitoring agent to collect security data. AAD
SecurityCenterPolicy should have AutomaticProvisioningOfMonitoringAgent eq "On"
Ensure ASC Default policy setting 'Monitor Vulnerability Assessment' is not 'Disabled' Enable Vulnerability assessment recommendations for virtual machines. SecurityCenter
SecurityCenterPolicy should have VMVulnerabilityAssessment in ( "AuditIfNotExists", "Audit" )
Ensure ASC Default policy setting 'Monitor Web Application Firewall' is not 'Disabled' Enable Web application firewall recommendations for virtual machines. SecurityCenter
SecurityCenterPolicy should have VMWebApplicationFirewall in ( "AuditIfNotExists", "Audit" )
Ensure ASC Default policy setting 'Monitor SQL Auditing' is not 'Disabled' Enable SQL auditing & Threat detection recommendations. SecurityCenter
SecurityCenterPolicy should have SQLAuditingAndThreatDetection in ( "AuditIfNotExists", "Audit" )
Ensure that 'Auditing' is set to 'On' for SQL Servers Enable auditing on SQL Servers. SQL
SQLServer should have AuditPolicy . State eq "Enabled"
Ensure that 'Auditing' is set to 'On' for SQL Databases Enable auditing on SQL Databases. SQL
SQLDatabase should have AuditPolicy . State eq "Enabled"
Ensure that Activity Log Alert exists for Create Policy Assignment Create an Activity Log Alert for the Create Policy Assignment event. Monitor
Azure should have atleast one ActivityLogAlert with [ Conditions with [ Value like "microsoft.authorization/policyassignments/write" ] ]
Ensure that Activity Log Alert exists for Create or Update Network Security Group Create an Activity Log Alert for the Create or Update Network Security Group event. Monitor
Azure should have atleast one ActivityLogAlert with [ Conditions with [ Value like "microsoft.network/networksecuritygroups/write" ] ]
Ensure that Activity Log Alert exists for Delete Network Security Group Create an Activity Log Alert for the Delete Network Security Group event. Monitor
Azure should have atleast one ActivityLogAlert with [ Conditions with [ Value like "microsoft.network/networksecuritygroups/delete" ] ]
Ensure that Activity Log Alert exists for Create or Update Network Security Group Rule Create an Activity Log Alert for the Create or Update Network Security Group Rule event. Monitor
Azure should have atleast one ActivityLogAlert with [ Conditions with [ Value like "microsoft.network/networksecuritygroups/securityrules/write" ] ]
Ensure that Activity Log Alert exists for Delete Network Security Group Rule Create an Activity Log Alert for the Delete Network Security Group Rule event. Monitor
Azure should have atleast one ActivityLogAlert with [ Conditions with [ Value like "microsoft.network/networksecuritygroups/securityrules/delete" ] ]
Ensure that Activity Log Alert exists for Create or Update Security Solution Create an Activity Log Alert for the Create or Update Security Solution event. Monitor
Azure should have atleast one ActivityLogAlert with [ Conditions with [ Value like "microsoft.security/securitysolutions/write" ] ]
Ensure that Activity Log Alert exists for Delete Security Solution Create an Activity Log Alert for the Delete Security Solution event. Monitor
Azure should have atleast one ActivityLogAlert with [ Conditions with [ Value like "microsoft.security/securitysolutions/delete" ] ]
Ensure that Activity Log Alert exists for Create or Update SQL Server Firewall Rule Create an Activity Log Alert for the Create or Update SQL Server Firewall Rule event. Monitor
Azure should have atleast one ActivityLogAlert with [ Conditions with [ Value like "microsoft.sql/servers/firewallrules/write" ] ]
Ensure that Activity Log Alert exists for Delete SQL Server Firewall Rule Create an Activity Log Alert for the Delete SQL Server Firewall Rule event. Monitor
Azure should have atleast one ActivityLogAlert with [ Conditions with [ Value like "microsoft.sql/servers/firewallrules/delete" ] ]
Ensure that Activity Log Alert exists for Update Security Policy Create an Activity Log Alert for the Update Security Policy event. Monitor
Azure should have atleast one ActivityLogAlert with [ Conditions with [ Value like "microsoft.security/policies/write" ] ]
Ensure that logging for Azure KeyVault is 'Enabled' Enable AuditEvent logging for Key Vault instances to ensure interactions with key vaults are logged and available. KeyVault
KeyVault should have DiagnosticSettings with [ StorageAccountId len ( ) gt 0 and Logs with [ Category len ( ) gt 0 and LogEnabled and ( RetentionPolicy . Days gte 180 or RetentionPolicy . Days eq 0 ) ] ]
Ensure that a Log Profile exists Enable log profile for exporting activity logs. Monitor
Azure should have ActivityLogProfile len () > 0
Ensure that Activity Log Retention is set 365 days or greater Ensure Activity Log Retention is set for 365 days or greater Monitor
ActivityLogProfile should have RetentionDays gte 365
Audit/log records: Ensure that 'Threat Detection' Retention is 'greater than 90 days' for SQL Servers SQL Server Threat Detection Retention should be configured to be greater than 90 days. SQL
SQLServer should have ( ThreatPolicy . RetentionDays gte 90 or ThreatPolicy . RetentionDays lte 0 )
Data-at-rest is protected: Ensure that 'OS disk' are encrypted Ensure that OS disks (boot volumes) are encrypted, where possible Compute
VirtualMachine should have DiskEncryptionStatus . OSDisk
Identities and credentials: Ensure that there are no guest users Do not add guest users if not needed. AAD
User should not have Type eq "Guest"
Identities and credentials: Ensure that no custom subscription owner roles are created Do not create custom roles with subscription ownership. It is recommended to use the principle of least privilege, assigning only needed privileges instead of allowing full administrative access. Auth
Role should not have ( Type eq "CustomRole" and Permissions with [ Actions has ( "*" ) ] )
Identities and credentials: Ensure that Azure Active Directory Admin is configured for SQL Servers Use Azure Active Directory Authentication for authentication with SQL Database. SQL
SQLServer should have ADAdmin . Status
Vulnerability management plan: Ensure that VM agent is installed Install VM agent on Virtual Machines Compute
VirtualMachine should have Extensions with [ ExtensionType eq "MicrosoftMonitoringAgent" and ProvisioningState eq "Succeeded" ]
Ensure ASC Default policy setting 'Enable Next Generation Firewall(NGFW) Monitoring' is not 'Disabled' Enable Next generation firewall recommendations for virtual machines. SecurityCenter
SecurityCenterPolicy should have VMNextGenerationFirewall in ( "AuditIfNotExists", "Audit" )
Ensure ASC Default policy setting 'Monitor Adaptive Application Whitelisting' is not 'Disabled' Enable adaptive application controls. SecurityCenter
SecurityCenterPolicy should have AdaptiveApplicationControls in ( "AuditIfNotExists", "Audit" )
Ensure that RDP access is restricted from the internet Disable RDP access on Network Security Groups from Internet Network
NetworkSecurityGroup should not have SecurityRules with [ Access eq "Allow" and Direction eq "Inbound" and Protocol in ("*", "UDP", "TCP") and ( Destination . PortRange with [ FromPort lte 3389 and ToPort gte 3389 ] ) and ( ( Source . Type eq "Any" ) or ( Source . Type eq "Service Tag" and Source . ServiceTag eq "Internet" ) or ( Source . Type eq "IP Addresses" and Source . Addresses with [ Prefix in ( "0.0.0.0/0", "::/0", "/0", "/0" ) ] ) ) ]
Ensure that SSH access is restricted from the internet Disable SSH access on Network Security Groups from Internet Network
NetworkSecurityGroup should not have SecurityRules with [ Access eq "Allow" and Direction eq "Inbound" and Protocol in ("*", "TCP") and ( Destination . PortRange with [ FromPort lte 22 and ToPort gte 22 ] ) and ( ( Source . Type eq "Any" ) or ( Source . Type eq "Service Tag" and Source . ServiceTag eq "Internet" ) or ( Source . Type eq "IP Addresses" and Source . Addresses with [ Prefix in ( "0.0.0.0/0", "::/0", "/0", "/0" ) ] ) ) ]
Communications and control network protection: Ensure that SQL server access is restricted from the internet Ensure that no SQL Databases allow ingress from the internet. SQL
SQLServer should not have FirewallRule with [ StartIP eq 0.0.0.0 and EndIP eq 0.0.0.0 ]
Baseline network operations and data flows: Ensure that Network Watcher is 'Enabled' Enable Network Watcher for your Azure Subscriptions Network
Subscription should have NetworkWatcherEnabled
Data-at-rest is protected: Ensure that 'Public access level' is set to Private for blob containers Disable anonymous access to blob containers. Storage
StorageAccount should have every BlobContainers with [ Access eq "None" ] or not AllowBlobPublic
Personnel know response roles/operations: Ensure that 'Security contact emails' is set Provide a security contact email address. SecurityCenter
SecurityCenterPolicy should have SecurityContactEmails len() > 0
Personnel know response roles/operations: Ensure that security contact 'Phone number' is set Provide a security contact phone number. SecurityCenter
SecurityCenterPolicy should have SecurityContactPhoneNumber neq ""
Personnel know response roles/operations: Ensure that 'Send me emails about alerts' is set to 'On' Enable security alerts emailing to security contact. SecurityCenter
SecurityCenterPolicy should have SendEmailAboutAlerts
Personnel know response roles/operations: Ensure that 'Also send email to subscription owners' is set to 'On' Enable security alerts emailing to subscription owners. SecurityCenter
SecurityCenterPolicy should have SendEmailToSubscriptionOwners
Personnel know response roles/operations: Ensure that 'Send Alerts to' is set for SQL Servers Provide the email address to which alerts will be sent upon detection of anomalous activities on SQL Servers. SQL
SQLServer should have ThreatPolicy . EmailAddresses
Personnel know response roles/operations: Ensure that 'Email service and co-administrators' is 'Enabled' for SQL Servers Enable service and co-administrators to receive security alerts from SQL Server. SQL
SQLServer should have ThreatPolicy . EmailAccountAdmins eq "Enabled"
Ensure that 'Send Alerts to' is set for SQL Databases Provide the email address to which alerts will be sent upon detection of anomalous activities on SQL Databases. SQL
SQLDatabase should have ThreatPolicy . EmailAddresses
Ensure that 'Email service and co-administrators' is 'Enabled' for SQL Databases Enable service and co-administrators to receive security alerts from SQL Databases. SQL
SQLDatabase should have ThreatPolicy . EmailAccountAdmins eq "Enabled"
Monitor network to detect potential cybersecurity events: Ensure that standard pricing tier is selected in Azure Security Center Standard pricing tier enables threat detection for networks and virtual machines, providing threat intelligence, anomaly detection, and behavior analytics in Azure Security Center. SecurityCenter
SecurityCenterPolicy should have SelectedPricingTier eq "Standard"
Monitor network to detect potential cybersecurity events: Ensure that 'Threat Detection' is set to 'On' for SQL Servers Enable threat detection on SQL Servers. SQL
SQLServer should have ThreatPolicy . State eq "Enabled"
Monitor network to detect potential cybersecurity events: Ensure that 'Threat Detection Types' is set to 'All' for SQL Servers Enable all types of threat detection on SQL Servers. SQL
SQLServer should have ThreatPolicy . State eq "Enabled" and not ( ThreatPolicy . DisabledAlerts like "Sql" or ThreatPolicy . DisabledAlerts like "Anomaly" )
Ensure that 'Threat Detection' is set to 'On' for SQL Databases Enable threat detection on SQL Databases. SQL
SQLDatabase should have ThreatPolicy . State eq "Enabled"
Ensure that 'Threat Detection Types' is set to 'All' for SQL Databases Enable all types of threat detection on SQL Databases. SQL
SQLDatabase should have ThreatPolicy . State eq "Enabled" and not ( ThreatPolicy . DisabledAlerts like "Sql" or ThreatPolicy . DisabledAlerts like "Anomaly" )
Name Description Service Rule
Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL Servers SQL Server Audit Retention should be configured to be greater than 90 days. SQL
SQLServer should have ( AuditPolicy . RetentionDays gte 90 or AuditPolicy . RetentionDays lte 0 )
Audit/log records: Ensure that 'Threat Detection' Retention is 'greater than 90 days' for SQL Servers SQL Server Threat Detection Retention should be configured to be greater than 90 days. SQL
SQLServer should have ( ThreatPolicy . RetentionDays gte 90 or ThreatPolicy . RetentionDays lte 0 )
Ensure ASC Default policy setting 'Monitor Endpoint Protection' is not 'Disabled' Enable Endpoint protection recommendations for virtual machines. SecurityCenter
SecurityCenterPolicy should have VMEndpointProtection in ( "AuditIfNotExists", "Audit" )
Ensure ASC Default policy setting 'Monitor Disk Encryption' is not 'Disabled' Enable Disk encryption recommendations for virtual machines. SecurityCenter
SecurityCenterPolicy should have VMDiskEncryption in ( "AuditIfNotExists", "Audit" )
Ensure that 'Storage Encryption' is set to 'On' Enable Storage Encryption recommendations. SecurityCenter
SecurityCenterPolicy should have StorageEncryption in ( "AuditIfNotExists", "Audit" )
Ensure ASC Default policy setting 'Monitor SQL Encryption' is not 'Disabled' Enable SQL Encryption recommendations. SecurityCenter
SecurityCenterPolicy should have SQLEncryption in ( "AuditIfNotExists", "Audit" )
Ensure that 'Secure transfer required' is set to 'Enabled' Enable data encryption is transit. Storage
StorageAccount should have EnableHttpsTrafficOnly
Ensure that 'Storage service encryption' is set to Enabled for Blob Service Enable data encryption at rest for blobs. Storage
StorageAccount should have BlobEncryptionEnabled
Ensure that 'Storage service encryption' is set to Enabled for File Service Enable data encryption at rest for file service. Storage
StorageAccount should have FileEncryptionEnabled
Data-at-rest is protected: Ensure that 'OS disk' are encrypted Ensure that OS disks (boot volumes) are encrypted, where possible Compute
VirtualMachine should have DiskEncryptionStatus . OSDisk
Ensure that 'Data disks' are encrypted Ensure that Data disks (non-boot volumes) are encrypted, where possible Compute
VirtualMachine should have DiskEncryptionStatus . DataDisk
Identities and credentials: Ensure that there are no guest users Do not add guest users if not needed. AAD
User should not have Type eq "Guest"
Identities and credentials: Ensure that no custom subscription owner roles are created Do not create custom roles with subscription ownership. It is recommended to use the principle of least privilege, assigning only needed privileges instead of allowing full administrative access. Auth
Role should not have ( Type eq "CustomRole" and Permissions with [ Actions has ( "*" ) ] )
Identities and credentials: Ensure that Azure Active Directory Admin is configured for SQL Servers Use Azure Active Directory Authentication for authentication with SQL Database. SQL
SQLServer should have ADAdmin . Status
Ensure that a Log Profile exists Enable log profile for exporting activity logs. Monitor
Azure should have ActivityLogProfile len () > 0
Ensure that Activity Log Retention is set 365 days or greater Ensure Activity Log Retention is set for 365 days or greater Monitor
ActivityLogProfile should have RetentionDays gte 365
Ensure that Activity Log Alert exists for Create Policy Assignment Create an Activity Log Alert for the Create Policy Assignment event. Monitor
Azure should have atleast one ActivityLogAlert with [ Conditions with [ Value like "microsoft.authorization/policyassignments/write" ] ]
Ensure that Activity Log Alert exists for Create or Update Network Security Group Create an Activity Log Alert for the Create or Update Network Security Group event. Monitor
Azure should have atleast one ActivityLogAlert with [ Conditions with [ Value like "microsoft.network/networksecuritygroups/write" ] ]
Ensure that Activity Log Alert exists for Delete Network Security Group Create an Activity Log Alert for the Delete Network Security Group event. Monitor
Azure should have atleast one ActivityLogAlert with [ Conditions with [ Value like "microsoft.network/networksecuritygroups/delete" ] ]
Ensure that Activity Log Alert exists for Create or Update Network Security Group Rule Create an Activity Log Alert for the Create or Update Network Security Group Rule event. Monitor
Azure should have atleast one ActivityLogAlert with [ Conditions with [ Value like "microsoft.network/networksecuritygroups/securityrules/write" ] ]
Ensure that Activity Log Alert exists for Delete Network Security Group Rule Create an Activity Log Alert for the Delete Network Security Group Rule event. Monitor
Azure should have atleast one ActivityLogAlert with [ Conditions with [ Value like "microsoft.network/networksecuritygroups/securityrules/delete" ] ]
Ensure that Activity Log Alert exists for Create or Update Security Solution Create an Activity Log Alert for the Create or Update Security Solution event. Monitor
Azure should have atleast one ActivityLogAlert with [ Conditions with [ Value like "microsoft.security/securitysolutions/write" ] ]
Ensure that Activity Log Alert exists for Delete Security Solution Create an Activity Log Alert for the Delete Security Solution event. Monitor
Azure should have atleast one ActivityLogAlert with [ Conditions with [ Value like "microsoft.security/securitysolutions/delete" ] ]
Ensure that Activity Log Alert exists for Create or Update SQL Server Firewall Rule Create an Activity Log Alert for the Create or Update SQL Server Firewall Rule event. Monitor
Azure should have atleast one ActivityLogAlert with [ Conditions with [ Value like "microsoft.sql/servers/firewallrules/write" ] ]
Ensure that Activity Log Alert exists for Delete SQL Server Firewall Rule Create an Activity Log Alert for the Delete SQL Server Firewall Rule event. Monitor
Azure should have atleast one ActivityLogAlert with [ Conditions with [ Value like "microsoft.sql/servers/firewallrules/delete" ] ]
Ensure that Activity Log Alert exists for Update Security Policy Create an Activity Log Alert for the Update Security Policy event. Monitor
Azure should have atleast one ActivityLogAlert with [ Conditions with [ Value like "microsoft.security/policies/write" ] ]
Ensure that logging for Azure KeyVault is 'Enabled' Enable AuditEvent logging for Key Vault instances to ensure interactions with key vaults are logged and available. KeyVault
KeyVault should have DiagnosticSettings with [ StorageAccountId len ( ) gt 0 and Logs with [ Category len ( ) gt 0 and LogEnabled and ( RetentionPolicy . Days gte 180 or RetentionPolicy . Days eq 0 ) ] ]
Ensure ASC Default policy setting 'Monitor Vulnerability Assessment' is not 'Disabled' Enable Vulnerability assessment recommendations for virtual machines. SecurityCenter
SecurityCenterPolicy should have VMVulnerabilityAssessment in ( "AuditIfNotExists", "Audit" )
Vulnerability management plan: Ensure that VM agent is installed Install VM agent on Virtual Machines Compute
VirtualMachine should have Extensions with [ ExtensionType eq "MicrosoftMonitoringAgent" and ProvisioningState eq "Succeeded" ]
Ensure ASC Default policy setting 'Monitor Network Security Groups' is not 'Disabled' Enable Network security groups recommendations for virtual machines. SecurityCenter
SecurityCenterPolicy should have VMNetworkSecurityGroups in ( "AuditIfNotExists", "Audit" )
Ensure ASC Default policy setting 'Monitor Web Application Firewall' is not 'Disabled' Enable Web application firewall recommendations for virtual machines. SecurityCenter
SecurityCenterPolicy should have VMWebApplicationFirewall in ( "AuditIfNotExists", "Audit" )
Ensure ASC Default policy setting 'Enable Next Generation Firewall(NGFW) Monitoring' is not 'Disabled' Enable Next generation firewall recommendations for virtual machines. SecurityCenter
SecurityCenterPolicy should have VMNextGenerationFirewall in ( "AuditIfNotExists", "Audit" )
Ensure ASC Default policy setting 'Monitor JIT Network Access' is not 'Disabled' Enable JIT Network Access for virtual machines. SecurityCenter
SecurityCenterPolicy should have VMJITNetworkAccess in ( "AuditIfNotExists", "Audit" )
Ensure ASC Default policy setting 'Monitor Adaptive Application Whitelisting' is not 'Disabled' Enable adaptive application controls. SecurityCenter
SecurityCenterPolicy should have AdaptiveApplicationControls in ( "AuditIfNotExists", "Audit" )
Ensure that RDP access is restricted from the internet Disable RDP access on Network Security Groups from Internet Network
NetworkSecurityGroup should not have SecurityRules with [ Access eq "Allow" and Direction eq "Inbound" and Protocol in ("*", "UDP", "TCP") and ( Destination . PortRange with [ FromPort lte 3389 and ToPort gte 3389 ] ) and ( ( Source . Type eq "Any" ) or ( Source . Type eq "Service Tag" and Source . ServiceTag eq "Internet" ) or ( Source . Type eq "IP Addresses" and Source . Addresses with [ Prefix in ( "0.0.0.0/0", "::/0", "/0", "/0" ) ] ) ) ]
Ensure that SSH access is restricted from the internet Disable SSH access on Network Security Groups from Internet Network
NetworkSecurityGroup should not have SecurityRules with [ Access eq "Allow" and Direction eq "Inbound" and Protocol in ("*", "TCP") and ( Destination . PortRange with [ FromPort lte 22 and ToPort gte 22 ] ) and ( ( Source . Type eq "Any" ) or ( Source . Type eq "Service Tag" and Source . ServiceTag eq "Internet" ) or ( Source . Type eq "IP Addresses" and Source . Addresses with [ Prefix in ( "0.0.0.0/0", "::/0", "/0", "/0" ) ] ) ) ]
Communications and control network protection: Ensure that SQL server access is restricted from the internet Ensure that no SQL Databases allow ingress from the internet. SQL
SQLServer should not have FirewallRule with [ StartIP eq 0.0.0.0 and EndIP eq 0.0.0.0 ]
Baseline network operations and data flows: Ensure that Network Watcher is 'Enabled' Enable Network Watcher for your Azure Subscriptions Network
Subscription should have NetworkWatcherEnabled
Data-at-rest is protected: Ensure that 'Public access level' is set to Private for blob containers Disable anonymous access to blob containers. Storage
StorageAccount should have every BlobContainers with [ Access eq "None" ] or not AllowBlobPublic
Personnel know response roles/operations: Ensure that 'Security contact emails' is set Provide a security contact email address. SecurityCenter
SecurityCenterPolicy should have SecurityContactEmails len() > 0
Personnel know response roles/operations: Ensure that security contact 'Phone number' is set Provide a security contact phone number. SecurityCenter
SecurityCenterPolicy should have SecurityContactPhoneNumber neq ""
Personnel know response roles/operations: Ensure that 'Send me emails about alerts' is set to 'On' Enable security alerts emailing to security contact. SecurityCenter
SecurityCenterPolicy should have SendEmailAboutAlerts
Personnel know response roles/operations: Ensure that 'Also send email to subscription owners' is set to 'On' Enable security alerts emailing to subscription owners. SecurityCenter
SecurityCenterPolicy should have SendEmailToSubscriptionOwners
Personnel know response roles/operations: Ensure that 'Send Alerts to' is set for SQL Servers Provide the email address to which alerts will be sent upon detection of anomalous activities on SQL Servers. SQL
SQLServer should have ThreatPolicy . EmailAddresses
Personnel know response roles/operations: Ensure that 'Email service and co-administrators' is 'Enabled' for SQL Servers Enable service and co-administrators to receive security alerts from SQL Server. SQL
SQLServer should have ThreatPolicy . EmailAccountAdmins eq "Enabled"
Ensure that 'Send Alerts to' is set for SQL Databases Provide the email address to which alerts will be sent upon detection of anomalous activities on SQL Databases. SQL
SQLDatabase should have ThreatPolicy . EmailAddresses
Ensure that 'Email service and co-administrators' is 'Enabled' for SQL Databases Enable service and co-administrators to receive security alerts from SQL Databases. SQL
SQLDatabase should have ThreatPolicy . EmailAccountAdmins eq "Enabled"
Monitor network to detect potential cybersecurity events: Ensure that standard pricing tier is selected in Azure Security Center Standard pricing tier enables threat detection for networks and virtual machines, providing threat intelligence, anomaly detection, and behavior analytics in Azure Security Center. SecurityCenter
SecurityCenterPolicy should have SelectedPricingTier eq "Standard"
Ensure that 'Automatic provisioning of monitoring agent' is set to 'On' Enable Automatic provisioning of monitoring agent to collect security data. AAD
SecurityCenterPolicy should have AutomaticProvisioningOfMonitoringAgent eq "On"
Ensure ASC Default policy setting 'Monitor System Updates' is not 'Disabled' Enable system updates recommendations for virtual machines. SecurityCenter
SecurityCenterPolicy should have VMSystemUpdates in ( "AuditIfNotExists", "Audit" )
Ensure ASC Default policy setting 'Monitor OS Vulnerabilities' is not 'Disabled' Enable OS vulnerabilities recommendations for virtual machines. SecurityCenter
SecurityCenterPolicy should have VMSecurityConfigurations in ( "AuditIfNotExists", "Audit" )
Ensure ASC Default policy setting 'Monitor SQL Auditing' is not 'Disabled' Enable SQL auditing & Threat detection recommendations. SecurityCenter
SecurityCenterPolicy should have SQLAuditingAndThreatDetection in ( "AuditIfNotExists", "Audit" )
Ensure that 'Auditing' is set to 'On' for SQL Servers Enable auditing on SQL Servers. SQL
SQLServer should have AuditPolicy . State eq "Enabled"
Monitor network to detect potential cybersecurity events: Ensure that 'Threat Detection' is set to 'On' for SQL Servers Enable threat detection on SQL Servers. SQL
SQLServer should have ThreatPolicy . State eq "Enabled"
Monitor network to detect potential cybersecurity events: Ensure that 'Threat Detection Types' is set to 'All' for SQL Servers Enable all types of threat detection on SQL Servers. SQL
SQLServer should have ThreatPolicy . State eq "Enabled" and not ( ThreatPolicy . DisabledAlerts like "Sql" or ThreatPolicy . DisabledAlerts like "Anomaly" )
Ensure that 'Auditing' is set to 'On' for SQL Databases Enable auditing on SQL Databases. SQL
SQLDatabase should have AuditPolicy . State eq "Enabled"
Ensure that 'Threat Detection' is set to 'On' for SQL Databases Enable threat detection on SQL Databases. SQL
SQLDatabase should have ThreatPolicy . State eq "Enabled"
Ensure that 'Threat Detection Types' is set to 'All' for SQL Databases Enable all types of threat detection on SQL Databases. SQL
SQLDatabase should have ThreatPolicy . State eq "Enabled" and not ( ThreatPolicy . DisabledAlerts like "Sql" or ThreatPolicy . DisabledAlerts like "Anomaly" )
Ensure that the endpoint protection for all Virtual Machines is installed Install Endpoint Protection for all Virtual Machines. Compute
VirtualMachine should have Extensions with [ ExtensionType in ( "EndpointSecurity", "TrendMicroDSA*", "Antimalware" , "EndpointProtection" , "SCWPAgent", "PortalProtectExtension*" , "FileSecurity*" ) ]