| 2.1.3 Ensure that Traffic is Encrypted Between Cluster Worker Nodes | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.1.8 Ensure Critical Data in Azure Databricks is Encrypted with Customer-managed Keys (CMK) | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.1.11 Ensure Private Endpoints are used to access Azure Databricks workspaces | CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.1.1 Ensure only MFA Enabled Identities can Access Privileged Virtual Machine | IDENTIFICATION AND AUTHENTICATION |
| 5.5 Ensure that a Custom Role is Assigned Permissions for Administering Resource Locks | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY, MEDIA PROTECTION |
| 5.6 Ensure that 'Subscription leaving Microsoft Entra tenant' and 'Subscription entering Microsoft Entra tenant' is set to 'Permit no one' | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION |
| 6.1.1.3 Ensure the Storage Account Containing the Container with Activity Logs is Encrypted with Customer-managed Key (CMK) | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 6.1.1.5 Ensure that Network Security Group Flow Logs are Captured and Sent to Log Analytics | SYSTEM AND INFORMATION INTEGRITY |
| 6.1.1.6 Ensure that Virtual Network Flow Logs are Captured and Sent to Log Analytics | SYSTEM AND INFORMATION INTEGRITY |
| 6.1.1.7 Ensure that a Microsoft Entra Diagnostic Setting Exists to Send Microsoft Graph Activity Logs to an Appropriate Destination | AUDIT AND ACCOUNTABILITY |
| 6.1.1.8 Ensure that a Microsoft Entra Diagnostic Setting Exists to Send Microsoft Entra Activity Logs to an Appropriate Destination | AUDIT AND ACCOUNTABILITY |
| 6.1.1.9 Ensure that Intune Logs are Captured and Sent to Log Analytics | AUDIT AND ACCOUNTABILITY |
| 6.1.3.1 Ensure Application Insights are Configured | AUDIT AND ACCOUNTABILITY |
| 6.1.5 Ensure Basic, Free, and Consumption SKUs are not used on Production artifacts requiring monitoring and SLA | SYSTEM AND SERVICES ACQUISITION |
| 6.2 Ensure that Resource Locks are set for Mission-Critical Azure Resources | ACCESS CONTROL, MEDIA PROTECTION |
| 7.5 Ensure that Network Security Group Flow Log Retention Days is Set to Greater than or equal to 90 | AUDIT AND ACCOUNTABILITY |
| 7.6 Ensure that Network Watcher is 'Enabled' for Azure Regions That are in Use | CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 7.8 Ensure that Virtual Network Flow Log Retention Days is Set to Greater than or Equal to 90 | AUDIT AND ACCOUNTABILITY |
| 7.9 Ensure 'Authentication type' is Set to 'Azure Active Directory' only for Azure VPN Gateway Point-to-Site Configuration | ACCESS CONTROL |
| 7.10 Ensure Azure Web Application Firewall (WAF) is Enabled on Azure Application Gateway | SYSTEM AND COMMUNICATIONS PROTECTION |
| 7.14 Ensure Request Body Inspection is Enabled in Azure Web Application Firewall policy on Azure Application Gateway | SYSTEM AND COMMUNICATIONS PROTECTION |
| 7.15 Ensure Bot Protection is Enabled in Azure Web Application Firewall Policy on Azure Application Gateway | SYSTEM AND COMMUNICATIONS PROTECTION |
| 7.16 Ensure Azure Network Security Perimeter is Used to Secure Azure Platform-as-a-service Resources | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 8.1.1.1 Ensure Microsoft Defender CSPM is Set to 'On' | RISK ASSESSMENT |
| 8.1.2.1 Ensure Microsoft Defender for APIs is Set to 'On' | SECURITY ASSESSMENT AND AUTHORIZATION, RISK ASSESSMENT |
| 8.1.3.1 Ensure that Defender for Servers is Set to 'On' | RISK ASSESSMENT, SYSTEM AND INFORMATION INTEGRITY |
| 8.1.3.2 Ensure that 'Vulnerability assessment for machines' Component Status is set to 'On' | RISK ASSESSMENT |
| 8.1.3.3 Ensure that 'Endpoint protection' Component Status is set to 'On' | RISK ASSESSMENT, SYSTEM AND INFORMATION INTEGRITY |
| 8.1.3.4 Ensure that 'Agentless scanning for machines' Component Status is Set to 'On' | RISK ASSESSMENT |
| 8.1.3.5 Ensure that 'File Integrity Monitoring' Component Status is Set to 'On' | RISK ASSESSMENT |
| 8.1.4.1 Ensure That Microsoft Defender for Containers Is Set To 'On' | RISK ASSESSMENT |
| 8.1.5.1 Ensure That Microsoft Defender for Storage Is Set To 'On' | RISK ASSESSMENT |
| 8.1.5.2 Ensure Advanced Threat Protection Alerts for Storage Accounts Are Monitored | AUDIT AND ACCOUNTABILITY |
| 8.1.6.1 Ensure That Microsoft Defender for App Services Is Set To 'On' | RISK ASSESSMENT, SYSTEM AND SERVICES ACQUISITION |
| 8.1.7.1 Ensure That Microsoft Defender for Azure Cosmos DB Is Set To 'On' | RISK ASSESSMENT, SYSTEM AND SERVICES ACQUISITION |
| 8.1.7.2 Ensure That Microsoft Defender for Open-Source Relational Databases Is Set To 'On' | RISK ASSESSMENT, SYSTEM AND SERVICES ACQUISITION |
| 8.1.7.3 Ensure That Microsoft Defender for (Managed Instance) Azure SQL Databases Is Set To 'On' | RISK ASSESSMENT, SYSTEM AND SERVICES ACQUISITION |
| 8.1.7.4 Ensure That Microsoft Defender for SQL Servers on Machines Is Set To 'On' | RISK ASSESSMENT, SYSTEM AND SERVICES ACQUISITION |
| 8.1.8.1 Ensure That Microsoft Defender for Key Vault Is Set To 'On' | RISK ASSESSMENT |
| 8.1.9.1 Ensure That Microsoft Defender for Resource Manager Is Set To 'On' | ACCESS CONTROL, RISK ASSESSMENT |
| 8.1.16 Ensure that Microsoft Defender External Attack Surface Monitoring (EASM) is Enabled | RISK ASSESSMENT |
| 8.2.1 Ensure That Microsoft Defender for IoT Hub Is Set To 'On' | RISK ASSESSMENT, SYSTEM AND INFORMATION INTEGRITY |
| 8.3.6 Ensure that Role Based Access Control for Azure Key Vault is Enabled | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY, MEDIA PROTECTION |
| 8.3.8 Ensure Private Endpoints are Used to Access Azure Key Vault | CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 8.3.9 Ensure Automatic Key Rotation is Enabled within Azure Key Vault | ACCESS CONTROL |
| 8.3.10 Ensure that Azure Key Vault Managed HSM is Used when Required | SYSTEM AND COMMUNICATIONS PROTECTION |
| 8.4.1 Ensure an Azure Bastion Host Exists | SECURITY ASSESSMENT AND AUTHORIZATION, CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION |
| 8.5 Ensure Azure DDoS Network Protection is Enabled on Virtual Networks | SYSTEM AND INFORMATION INTEGRITY |
| 9.2.3 Ensure 'Versioning' is Set to 'Enabled' on Azure Blob Storage Storage Accounts | CONTINGENCY PLANNING |
| 9.3.2.1 Ensure Private Endpoints are Used to Access Storage Accounts | CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION |