Detections
Analytics

Revision 1.2

Jul 22, 2024
Functional Update
  • 1.1.3 Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Non-Privileged Users
Informational Update
  • 1.1.3 Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Non-Privileged Users
Miscellaneous
  • Platform check updated.
Added
  • 1.11 Ensure 'User consent for applications' Is Set To 'Allow for Verified Publishers'
  • 1.15 Ensure that 'Guest invite restrictions' is set to 'Only users assigned to specific admin roles can invite guest users'
  • 1.17 Ensure that 'Restrict user ability to access groups features in the Access Pane' is Set to 'Yes'
  • 1.18 Ensure that 'Users can create security groups in Azure portals, API or PowerShell' is set to 'No'
  • 1.19 Ensure that 'Owners can manage group membership requests in the Access Panel' is set to 'No'
  • 1.20 Ensure that 'Users can create Microsoft 365 groups in Azure portals, API or PowerShell' is set to 'No'
  • 1.23 Ensure a Custom Role is Assigned Permissions for Administering Resource Locks
  • 1.24 Ensure That 'Subscription leaving Microsoft Entra ID directory' and 'Subscription entering Microsoft Entra ID directory' Is Set To 'Permit No One'
  • 10.1 Ensure that Resource Locks are set for Mission-Critical Azure Resources
  • 2.1.1 Ensure That Microsoft Defender for Servers Is Set to 'On'
  • 2.1.10 [LEGACY] Ensure That Microsoft Defender for DNS Is Set To 'On'
  • 2.1.11 Ensure That Microsoft Defender for Resource Manager Is Set To 'On'
  • 2.1.15 Ensure that Auto provisioning of 'Vulnerability assessment for machines' is Set to 'On'
  • 2.1.16 Ensure that Auto provisioning of 'Microsoft Defender for Containers components' is Set to 'On'
  • 2.1.2 Ensure That Microsoft Defender for App Services Is Set To 'On'
  • 2.1.20 Ensure that Microsoft Defender for Cloud Apps integration with Microsoft Defender for Cloud is Selected
  • 2.1.21 Ensure that Microsoft Defender for Endpoint integration with Microsoft Defender for Cloud is selected
  • 2.1.22 Ensure that Microsoft Defender External Attack Surface Monitoring (EASM) is enabled
  • 2.1.3 Ensure That Microsoft Defender for (Managed Instance) Azure SQL Databases Is Set To 'On'
  • 2.1.4 Ensure That Microsoft Defender for SQL Servers on Machines Is Set To 'On'
  • 2.1.5 Ensure That Microsoft Defender for Open-Source Relational Databases Is Set To 'On'
  • 2.1.6 Ensure That Microsoft Defender for Azure Cosmos DB Is Set To 'On'
  • 2.1.7 Ensure That Microsoft Defender for Storage Is Set To 'On'
  • 2.1.8 Ensure That Microsoft Defender for Containers Is Set To 'On'
  • 2.1.9 Ensure That Microsoft Defender for Key Vault Is Set To 'On'
  • 2.2.1 Ensure That Microsoft Defender for IoT Hub Is Set To 'On'
  • 3.12 Ensure Storage for Critical Data are Encrypted with Customer Managed Keys (CMK)
  • 3.13 Ensure Storage logging is Enabled for Blob Service for 'Read', 'Write', and 'Delete' requests
  • 3.14 Ensure Storage Logging is Enabled for Table Service for 'Read', 'Write', and 'Delete' Requests
  • 3.2 Ensure that 'Enable Infrastructure Encryption' for Each Storage Account in Azure Storage is Set to 'enabled'
  • 3.5 Ensure Storage Logging is Enabled for Queue Service for 'Read', 'Write', and 'Delete' requests
  • 3.9 Ensure 'Allow Azure services on the trusted services list to access this storage account' is Enabled for Storage Account Access
  • 4.1.3 Ensure SQL server's Transparent Data Encryption (TDE) protector is encrypted with Customer-managed key
  • 4.4.3 Ensure server parameter 'audit_log_enabled' is set to 'ON' for MySQL Database Server
  • 4.4.4 Ensure server parameter 'audit_log_events' has 'CONNECTION' set for MySQL Database Server
  • 4.5.1 Ensure That 'Firewalls & Networks' Is Limited to Use Selected Networks Instead of All Networks
  • 4.5.2 Ensure That Private Endpoints Are Used Where Possible
  • 5.1.3 Ensure the storage account containing the container with activity logs is encrypted with Customer Managed Key (CMK)
  • 5.1.5 Ensure that Network Security Group Flow logs are captured and sent to Log Analytics
  • 5.1.6 Ensure that logging for Azure AppService 'HTTP logs' is enabled
  • 5.3.1 Ensure Application Insights are Configured
  • 5.5 Ensure that SKU Basic/Consumption is not used on artifacts that need to be monitored (Particularly for Production Workloads)
  • 6.5 Ensure that Network Security Group Flow Log retention period is 'greater than 90 days'
  • 6.6 Ensure that Network Watcher is 'Enabled'
  • 7.1 Ensure an Azure Bastion Host Exists
  • 7.3 Ensure that 'OS and Data' disks are encrypted with Customer Managed Key (CMK)
  • 7.4 Ensure that 'Unattached disks' are encrypted with 'Customer Managed Key' (CMK)
  • 7.6 Ensure that Endpoint Protection for all Virtual Machines is installed
  • 7.7 [Legacy] Ensure that VHDs are Encrypted
  • 7.8 Ensure only MFA enabled identities can access privileged Virtual Machine
  • 8.6 Enable Role Based Access Control for Azure Key Vault
  • 8.7 Ensure that Private Endpoints are Used for Azure Key Vault
  • 8.8 Ensure Automatic Key Rotation is Enabled Within Azure Key Vault for the Supported Services
  • 9.1 Ensure App Service Authentication is set up for apps in Azure App Service
  • 9.10 Ensure Azure Key Vaults are Used to Store Secrets