diff --git a/rules/findings/Azure/Activity Log/CIS1.4/azure-activity-log-missing-alerts.json b/rules/findings/Azure/Activity Alerts/CIS3.0/azure-activity-log-missing-alerts.json
similarity index 92%
rename from rules/findings/Azure/Activity Log/CIS1.4/azure-activity-log-missing-alerts.json
rename to rules/findings/Azure/Activity Alerts/CIS3.0/azure-activity-log-missing-alerts.json
index 94bddb7c..4aae8b4f 100644
--- a/rules/findings/Azure/Activity Log/CIS1.4/azure-activity-log-missing-alerts.json
+++ b/rules/findings/Azure/Activity Alerts/CIS3.0/azure-activity-log-missing-alerts.json
@@ -1,4 +1,4 @@
-{
+{
"args": [
],
@@ -27,7 +27,8 @@
{
"name": "CIS Microsoft Azure Foundations",
"version": "_ARG_3_",
- "reference": "_ARG_4_"
+ "reference": "_ARG_4_",
+ "profile": "Level 1"
}
],
"level": "medium",
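Review bot: `"profile": "Level 1"` is hard-coded while the neighbouring `version` and `reference` fields of the same compliance entry are template arguments (`_ARG_3_`, `_ARG_4_`), so every alert generated from this template inherits Level 1 regardless of which benchmark control it instantiates. If any of the activity-log alert controls this template is expanded for is a Level 2 item, the profile should be supplied the same way, e.g. `"profile": "_ARG_N_"` with N the next unused placeholder index, and documented in the `args` array (which is empty in the first hunk although placeholders are in use). The rest of the template, including how the placeholders are bound, is outside this hunk, so I cannot confirm whether a single profile is correct here.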
@@ -79,13 +80,15 @@
],
"actions": {
"objectData": {
- "expand": [
+ "properties": [
"*"
],
+ "expandObject": null,
"limit": null
},
"showGoToButton": false,
- "showModalButton": false
+ "showModalButton": false,
+ "directLink": null
}
},
"text": {
@@ -118,3 +121,4 @@
]
}
+
diff --git a/rules/findings/Azure/Activity Log/CIS1.4/azure-activity-log-disabled-alerts.json b/rules/findings/Azure/Activity Log/CIS1.4/azure-activity-log-disabled-alerts.json
deleted file mode 100644
index 15b6a731..00000000
--- a/rules/findings/Azure/Activity Log/CIS1.4/azure-activity-log-disabled-alerts.json
+++ /dev/null
@@ -1,127 +0,0 @@
-{
- "args": [
-
- ],
- "provider": "Azure",
- "serviceType": "Azure Alerts",
- "serviceName": "Subscription",
- "displayName": "_ARG_0_ disabled alert",
- "description": "_ARG_0_ alert was not enabled at subscription level.",
- "rationale": "_ARG_5_",
- "impact": null,
- "remediation": {
- "text": null,
- "code": {
- "powerShell": null,
- "iac": null,
- "terraform": null,
- "other": null
- }
- },
- "recommendation": null,
- "references": [
- "https://docs.microsoft.com/en-us/azure/azure-monitor/platform/activity-log-collect"
- ],
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "_ARG_3_",
- "reference": "_ARG_4_"
- }
- ],
- "level": "medium",
- "tags": [
-
- ],
- "rule": {
- "path": "az_monitor_alerts",
- "subPath": null,
- "selectCondition": {
-
- },
- "query": [
- {
- "filter": [
- {
- "conditions": [
- [
- "operationName",
- "eq",
- "_ARG_1_"
- ],
- [
- "operationName",
- "eq",
- "_ARG_1_"
- ],
- [
- "enabled",
- "ne",
- "_ARG_2_"
- ]
- ],
- "operator": "and"
- }
- ]
- }
- ],
- "shouldExist": null,
- "returnObject": null,
- "removeIfNotExists": "true"
- },
- "output": {
- "html": {
- "data": {
- "properties": {
-
- },
- "expandObject": null
- },
- "table": null,
- "decorate": [
-
- ],
- "emphasis": [
-
- ],
- "actions": {
- "objectData": {
- "expand": [
- "*"
- ],
- "limit": null
- },
- "showGoToButton": false,
- "showModalButton": false
- }
- },
- "text": {
- "data": {
- "properties": {
-
- },
- "expandObject": null
- },
- "status": {
- "keyName": [
-
- ],
- "message": "The _ARG_1_ was disabled",
- "defaultMessage": null
- },
- "properties": {
- "resourceName": "operationName",
- "resourceId": null,
- "resourceType": null
- },
- "onlyStatus": false
- }
- },
- "idSuffix": "azure_monitor_alert_disabled",
- "notes": [
-
- ],
- "categories": [
-
- ]
-}
diff --git a/rules/findings/Azure/App Service/CIS3.0/azure-app-service-basic-auth-enabled.json b/rules/findings/Azure/App Service/CIS3.0/azure-app-service-basic-auth-enabled.json
new file mode 100644
index 00000000..1991d4de
--- /dev/null
+++ b/rules/findings/Azure/App Service/CIS3.0/azure-app-service-basic-auth-enabled.json
@@ -0,0 +1,103 @@
+{
+ "args": [
+
+ ],
+ "provider": "Azure",
+ "serviceType": "App Services",
+ "serviceName": "Hosted Services",
+ "displayName": "Ensure that 'Basic Authentication' is 'Disabled'",
+ "description": "Basic Authentication provides the ability to create identities and authentication for an App Service without a centralized Identity Provider. For a more effective, capable, and secure solution for Identity, Authentication, Authorization, and Accountability, a centralized Identity Provider such as Entra ID is strongly advised.",
+ "rationale": "Basic Authentication introduces an identity silo which can produce privileged access to a resource. This can be exploited in numerous ways and represents a significant vulnerability and attack vector.",
+ "impact": "An Identity Provider that can be used by the App Service for authenticating users is required.",
+ "remediation": {
+ "text": null,
+ "code": {
+ "powerShell": null,
+ "iac": null,
+ "terraform": null,
+ "other": null
+ }
+ },
+ "recommendation": null,
+ "references": [
+ "https://learn.microsoft.com/en-us/azure/app-service/configure-basic-auth-disable?tabs=portal"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "3.0.0",
+ "reference": "9.6",
+ "profile": "Level 1"
+ }
+ ],
+ "level": "medium",
+ "tags": [
+
+ ],
+ "rule": {
+ "path": "",
+ "subPath": null,
+ "selectCondition": {
+
+ },
+ "query": [
+ ],
+ "shouldExist": null,
+ "returnObject": null,
+ "removeIfNotExists": null
+ },
+ "output": {
+ "html": {
+ "data": {
+ "expandObject": null
+ },
+ "table": "asList",
+ "decorate": [
+
+ ],
+ "emphasis": [
+ ],
+ "actions": {
+ "objectData": {
+ "properties": [
+
+ ],
+ "expandObject": null,
+ "limit": null
+ },
+ "showGoToButton": null,
+ "showModalButton": null,
+ "directLink": null
+ }
+ },
+ "text": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "status": {
+ "keyName": [
+
+ ],
+ "message": "",
+ "defaultMessage": null
+ },
+ "properties": {
+ "resourceName": null,
+ "resourceId": null,
+ "resourceType": null
+ },
+ "onlyStatus": false
+ }
+ },
+ "idSuffix": "app_service_basic_auth_enabled",
+ "notes": [
+
+ ],
+ "categories": [
+
+ ]
+}
+
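Review bot: The `rule` block ships with `"path": ""`, an empty `query` array and `"removeIfNotExists": null`, so this finding declares CIS 3.0.0 control 9.6 (Level 1) but carries no detection logic; a consumer that derives compliance coverage from these files will report the control as checked while nothing is evaluated. The same empty `rule` appears in `azure-app-service-lack-keyvault-secret.json`, `azure-app-service-remote-debugging-enabled.json` and `azure-app-services-auth-disabled.json` in this commit. Either populate `path`/`query` before merging, or mark each file as a stub so it is excluded from coverage, e.g. a `notes` entry such as `"Manual check - no query implemented yet"`. `status.message` is also an empty string, so even a populated query would produce a blank finding text.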
diff --git a/rules/findings/Azure/App Service/CIS3.0/azure-app-service-lack-keyvault-secret.json b/rules/findings/Azure/App Service/CIS3.0/azure-app-service-lack-keyvault-secret.json
new file mode 100644
index 00000000..98403527
--- /dev/null
+++ b/rules/findings/Azure/App Service/CIS3.0/azure-app-service-lack-keyvault-secret.json
@@ -0,0 +1,103 @@
+{
+ "args": [
+
+ ],
+ "provider": "Azure",
+ "serviceType": "App Services",
+ "serviceName": "Hosted Services",
+ "displayName": "Ensure Azure Key Vaults are Used to Store Secrets",
+ "description": "Azure Key Vault will store multiple types of sensitive information such as encryption keys, certificate thumbprints, and Managed Identity Credentials. Access to these 'Secrets' can be controlled through granular permissions.",
+ "rationale": "The credentials given to an application have permissions to create, delete, or modify data stored within the systems they access. If these credentials are stored within the application itself, anyone with access to the application or a copy of the code has access to them. Storing within Azure Key Vault as secrets increases security by controlling access. This also allows for updates of the credentials without redeploying the entire application.",
+ "impact": "Integrating references to secrets within the key vault are required to be specifically integrated within the application code. This will require additional configuration to be made during the writing of an application, or refactoring of an already written one. There are also additional costs that are charged per 10000 requests to the Key Vault.",
+ "remediation": {
+ "text": "",
+ "code": {
+ "powerShell": null,
+ "iac": null,
+ "terraform": null,
+ "other": null
+ }
+ },
+ "recommendation": null,
+ "references": [
+ "https://docs.microsoft.com/en-us/azure/app-service/app-service-key-vault-references",
+ "https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-identity-management#im-3-manage-application-identities-securely-and-automatically",
+ "https://docs.microsoft.com/en-us/cli/azure/keyvault?view=azure-cli-latest"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "3.0.0",
+ "reference": "9.11",
+ "profile": "Level 2"
+ }
+ ],
+ "level": "low",
+ "tags": [
+
+ ],
+ "rule": {
+ "path": "",
+ "subPath": null,
+ "selectCondition": {
+
+ },
+ "query": [
+ ],
+ "shouldExist": null,
+ "returnObject": null,
+ "removeIfNotExists": null
+ },
+ "output": {
+ "html": {
+ "data": {
+ "expandObject": null
+ },
+ "table": "Normal",
+ "decorate": [
+
+ ],
+ "emphasis": [
+
+ ],
+ "actions": {
+ "objectData": {
+ "expandObject": null,
+ "limit": null
+ },
+ "showGoToButton": "True",
+ "showModalButton": "True",
+ "directLink": null
+ }
+ },
+ "text": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "status": {
+ "keyName": [
+
+ ],
+ "message": "",
+ "defaultMessage": null
+ },
+ "properties": {
+ "resourceName": null,
+ "resourceId": null,
+ "resourceType": null
+ },
+ "onlyStatus": false
+ }
+ },
+ "idSuffix": "app_service_lack_keyvault_configuration",
+ "notes": [
+
+ ],
+ "categories": [
+
+ ]
+}
+
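Review bot: `showGoToButton` and `showModalButton` are the string `"True"` here, while `azure-app-service-basic-auth-enabled.json` in the same commit uses `null` and the renamed activity-log rule uses the boolean `false`; three representations of one flag in one rule set leave the behaviour to the renderer's truthiness test, and a strict consumer will treat `"True"` as a non-boolean. Prefer the JSON boolean `true`/`false` for the new files (remote-debugging has the same `"True"` strings), or at least one representation across the commit. `objectData` here also omits the `properties` array that the other new rules carry, so the output shape differs between files that are otherwise identical. Separately, `idSuffix` is `app_service_lack_keyvault_configuration` while the file is named `...lack-keyvault-secret.json`; worth aligning if the suffix is used to derive finding identifiers.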
diff --git a/rules/findings/Azure/App Service/CIS3.0/azure-app-service-remote-debugging-enabled.json b/rules/findings/Azure/App Service/CIS3.0/azure-app-service-remote-debugging-enabled.json
new file mode 100644
index 00000000..c8d215fb
--- /dev/null
+++ b/rules/findings/Azure/App Service/CIS3.0/azure-app-service-remote-debugging-enabled.json
@@ -0,0 +1,107 @@
+{
+ "args": [
+
+ ],
+ "provider": "Azure",
+ "serviceType": "App Services",
+ "serviceName": "Hosted Services",
+ "displayName": "Ensure that 'Remote debugging' is set to 'Off'",
+ "description": "Remote Debugging allows Azure App Service to be debugged in real-time directly on the Azure environment. When remote debugging is enabled, it opens a communication channel that could potentially be exploited by unauthorized users if not properly secured.",
+ "rationale": "
+ Disabling remote debugging on Azure App Service is primarily about enhancing security.
+ Remote debugging opens a communication channel that can be exploited by attackers. By disabling it, you reduce the number of potential entry points for unauthorized access.
+ If remote debugging is enabled without proper access controls, it can allow unauthorized users to connect to your application, potentially leading to data breaches or malicious code execution.
+ During a remote debugging session, sensitive information might be exposed. Disabling remote debugging helps ensure that such data remains secure. This minimizes the use of remote access tools to reduce risk.
+ ",
+ "impact": "You will not be able to connect to your application from a remote location to diagnose and fix issues in real-time. You will not be able to step through code, set breakpoints, or inspect variables and the call stack while the application is running on the server. Remote debugging is particularly useful for diagnosing issues that only occur in the production environment. Without it, you will need to rely on logs and other diagnostic tools.",
+ "remediation": {
+ "text": "",
+ "code": {
+ "powerShell": null,
+ "iac": null,
+ "terraform": null,
+ "other": null
+ }
+ },
+ "recommendation": null,
+ "references": [
+ "https://learn.microsoft.com/en-us/visualstudio/debugger/remote-debugging-azure-app-service?view=vs-2022",
+ "https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-posture-vulnerability-management#pv-2-audit-and-enforce-secure-configurations"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "3.0.0",
+ "reference": "9.12",
+ "profile": "Level 1"
+ }
+ ],
+ "level": "low",
+ "tags": [
+
+ ],
+ "rule": {
+ "path": "",
+ "subPath": null,
+ "selectCondition": {
+
+ },
+ "query": [
+ ],
+ "shouldExist": null,
+ "returnObject": null,
+ "removeIfNotExists": null
+ },
+ "output": {
+ "html": {
+ "data": {
+ "expandObject": null
+ },
+ "table": "Normal",
+ "decorate": [
+
+ ],
+ "emphasis": [
+
+ ],
+ "actions": {
+ "objectData": {
+ "expandObject": null,
+ "limit": null
+ },
+ "showGoToButton": "True",
+ "showModalButton": "True",
+ "directLink": null
+ }
+ },
+ "text": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "status": {
+ "keyName": [
+
+ ],
+ "message": "",
+ "defaultMessage": null
+ },
+ "properties": {
+ "resourceName": null,
+ "resourceId": null,
+ "resourceType": null
+ },
+ "onlyStatus": false
+ }
+ },
+ "idSuffix": "app_service_remote_debugging_enabled",
+ "notes": [
+
+ ],
+ "categories": [
+
+ ]
+}
+
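Review bot: The `rationale` value is written as a multi-line literal with raw line breaks inside the quoted string; RFC 8259 forbids unescaped control characters in strings, so a strict parser (`json.load`, `jq`, `JSON.parse`) rejects the whole file and none of its findings load, unless the loader is a lenient JSON5/JSONC parser, which the rest of the rule set does not suggest. The existing rules encode line breaks as `\r\n\t\t\t\t\t` inside a single-line string (see the remediation text in the renamed FTP and HTTP-version rules), so the new text should be folded onto one line with `\n` escapes, e.g. `"rationale": "Disabling remote debugging on Azure App Service is primarily about enhancing security.\nRemote debugging opens a communication channel ..."`. The same raw line breaks appear in `impact` of `azure-app-services-auth-disabled.json`, `remediation.text` of `azure-app-services-https-only-disabled.json` and `rationale` of `azure-app-services-latest-http-version-disabled.json` in this commit. A CI step that runs `python -m json.tool` over `rules/findings` would catch this class of error before merge.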
diff --git a/rules/findings/Azure/App Service/CIS3.0/azure-app-services-auth-disabled.json b/rules/findings/Azure/App Service/CIS3.0/azure-app-services-auth-disabled.json
new file mode 100644
index 00000000..bb4f0c0d
--- /dev/null
+++ b/rules/findings/Azure/App Service/CIS3.0/azure-app-services-auth-disabled.json
@@ -0,0 +1,109 @@
+{
+ "args": [
+
+ ],
+ "provider": "Azure",
+ "serviceType": "App Services",
+ "serviceName": "Hosted Services",
+ "displayName": "Ensure App Service Authentication is set up for apps in Azure App Service",
+ "description": "Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching a Web Application or authenticate those with tokens before they reach the app. If an anonymous request is received from a browser, App Service will redirect to a logon page. To handle the logon process, a choice from a set of identity providers can be made, or a custom authentication mechanism can be implemented.",
+ "rationale": "By Enabling App Service Authentication, every incoming HTTP request passes through it before being handled by the application code. It also handles authentication of users with the specified provider (Entra ID, Facebook, Google, Microsoft Account, and Twitter), validation, storing and refreshing of tokens, managing the authenticated sessions and injecting identity information into request headers. Disabling HTTP Basic Authentication functionality further ensures legacy authentication methods are disabled within the application.",
+ "impact": "
+ This is only required for App Services which require authentication. Enabling on site like a marketing or support website will prevent unauthenticated access which would be undesirable.
+ Adding Authentication requirement will increase cost of App Service and require additional security components to facilitate the authentication.
+ ",
+ "remediation": {
+ "text": null,
+ "code": {
+ "powerShell": null,
+ "iac": null,
+ "terraform": null,
+ "other": null
+ }
+ },
+ "recommendation": null,
+ "references": [
+ "https://docs.microsoft.com/en-us/azure/app-service/app-service-authentication-overview",
+ "https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#website-contributor",
+ "https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-privileged-access#pa-3-manage-lifecycle-of-identities-and-entitlements",
+ "https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-governance-strategy#gs-6-define-and-implement-identity-and-privileged-access-strategy"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "3.0.0",
+ "reference": "9.2",
+ "profile": "Level 2"
+ }
+ ],
+ "level": "medium",
+ "tags": [
+
+ ],
+ "rule": {
+ "path": "",
+ "subPath": null,
+ "selectCondition": {
+
+ },
+ "query": [
+ ],
+ "shouldExist": null,
+ "returnObject": null,
+ "removeIfNotExists": null
+ },
+ "output": {
+ "html": {
+ "data": {
+ "expandObject": null
+ },
+ "table": "asList",
+ "decorate": [
+
+ ],
+ "emphasis": [
+ ],
+ "actions": {
+ "objectData": {
+ "properties": [
+
+ ],
+ "expandObject": null,
+ "limit": null
+ },
+ "showGoToButton": null,
+ "showModalButton": null,
+ "directLink": null
+ }
+ },
+ "text": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "status": {
+ "keyName": [
+
+ ],
+ "message": "",
+ "defaultMessage": null
+ },
+ "properties": {
+ "resourceName": null,
+ "resourceId": null,
+ "resourceType": null
+ },
+ "onlyStatus": false
+ }
+ },
+ "idSuffix": "app_service_site_auth_disabled",
+ "notes": [
+
+ ],
+ "categories": [
+
+ ]
+}
+
diff --git a/rules/findings/Azure/App Services/CIS1.4/azure-app-services-ad-managed-identity-missing.json b/rules/findings/Azure/App Service/CIS3.0/azure-app-services-eid-managed-identity-missing.json
similarity index 75%
rename from rules/findings/Azure/App Services/CIS1.4/azure-app-services-ad-managed-identity-missing.json
rename to rules/findings/Azure/App Service/CIS3.0/azure-app-services-eid-managed-identity-missing.json
index 13481718..6ad87d6a 100644
--- a/rules/findings/Azure/App Services/CIS1.4/azure-app-services-ad-managed-identity-missing.json
+++ b/rules/findings/Azure/App Service/CIS3.0/azure-app-services-eid-managed-identity-missing.json
@@ -1,12 +1,12 @@
-{
+{
"args": [
],
"provider": "Azure",
"serviceType": "App Services",
"serviceName": "Hosted Services",
- "displayName": "Register application service with Microsoft Entra ID",
- "description": "Managed service identity in App Service makes the app more secure by eliminating secrets from the app, such as credentials in the connection strings. When registering with Microsoft Entra ID in the app service, the app will connect to other Azure services securely without the need of username and passwords. App Service provides a highly scalable, self-patching web hosting service in Azure. It also provides a managed identity for apps, which is a turn-key solution for securing access to Azure SQL Database and other Azure services.",
+ "displayName": "Ensure that Register with Entra ID is enabled on App Service",
+ "description": "Managed service identity in App Service provides more security by eliminating secrets from the app, such as credentials in the connection strings. When registering an App Service with Entra ID, the app will connect to other Azure services securely without the need for usernames and passwords.",
"rationale": "App Service provides a highly scalable, self-patching web hosting service in Azure. It also provides a managed identity for apps, which is a turn-key solution for securing access to Azure SQL Database and other Azure services.",
"impact": null,
"remediation": {
@@ -20,13 +20,15 @@
},
"recommendation": null,
"references": [
- "https://docs.microsoft.com/en-gb/azure/app-service/app-service-web-tutorial-connect-msi"
+ "https://docs.microsoft.com/en-gb/azure/app-service/app-service-web-tutorial-connect-msi",
+ "https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-identity-management#im-1-use-centralized-identity-and-authentication-system"
],
"compliance": [
{
"name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "9.5"
+ "version": "3.0.0",
+ "reference": "9.5",
+ "profile": "Level 1"
}
],
"level": "medium",
@@ -83,11 +85,15 @@
],
"actions": {
"objectData": {
- "expand": null,
+ "properties": [
+
+ ],
+ "expandObject": null,
"limit": null
},
"showGoToButton": null,
- "showModalButton": null
+ "showModalButton": null,
+ "directLink": null
}
},
"text": {
@@ -120,3 +126,4 @@
]
}
+
diff --git a/rules/findings/Azure/App Services/CIS1.4/azure-app-services-ftp-deployment-enabled.json b/rules/findings/Azure/App Service/CIS3.0/azure-app-services-ftp-deployment-enabled.json
similarity index 66%
rename from rules/findings/Azure/App Services/CIS1.4/azure-app-services-ftp-deployment-enabled.json
rename to rules/findings/Azure/App Service/CIS3.0/azure-app-services-ftp-deployment-enabled.json
index 53bd0e71..03c092db 100644
--- a/rules/findings/Azure/App Services/CIS1.4/azure-app-services-ftp-deployment-enabled.json
+++ b/rules/findings/Azure/App Service/CIS3.0/azure-app-services-ftp-deployment-enabled.json
@@ -1,13 +1,13 @@
-{
+{
"args": [
],
"provider": "Azure",
"serviceType": "App Services",
"serviceName": "Hosted Services",
- "displayName": "Ensure FTP deployments are Disabled",
- "description": "By default, Azure Functions, Web and API Services can be deployed over FTP. If FTP is required for an essential deployment workflow, FTPS should be required for FTP login for all App Service Apps and Functions.",
- "rationale": "Azure FTP deployment endpoints are public. An attacker listening to traffic on a wifi network used by a remote employee or a corporate network could see login traffic in clear-text which would then grant them full control of the code base of the app or service. This finding is more severe if User Credentials for deployment are set at the subscription level rather than using the default Application Credentials which are unique per App.",
+ "displayName": "Ensure 'FTP State' is set to 'FTPS Only' or 'Disabled'",
+ "description": "By default, App Services can be deployed over FTP. If FTP is required for an essential deployment workflow, FTPS should be required for FTP login for all App Services. If FTPS is not expressly required for the App, the recommended setting is `Disabled`.",
+ "rationale": "FTP is an unencrypted network protocol that will transmit data - including passwords - in clear-text. The use of this protocol can lead to both data and credential compromise, and can present opportunities for exfiltration, persistence, and lateral movement.",
"impact": "Any deployment workflows that rely on FTP or FTPs rather than the WebDeploy or HTTPs endpoints may be affected.",
"remediation": {
"text": "###### Using From Azure Portal\r\n\t\t\t\t\t1. Go to the Azure Portal\r\n\t\t\t\t\t2. Select `App Services`\r\n\t\t\t\t\t3. Click on an `app`\r\n\t\t\t\t\t4. Select `Settings` and then `Configuration`\r\n\t\t\t\t\t5. Under `General Settings`, for the `Platform Settings`, the FTP state should be set to `Disabled` or `FTPS Only`",
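Review bot: The new `displayName` and `description` now treat both `FTPS Only` and `Disabled` as compliant (with `Disabled` recommended), but the `rule.query` that decides what is flagged is outside this hunk, so the compliant set cannot be confirmed from the diff; if the query flags only the `AllAllowed` state the text matches, if it flags anything other than `Disabled` it now contradicts the text. The unchanged `impact` context still reads "FTP or FTPs", which should be "FTPS" when that line is next touched. The remediation text on the last hunk line keeps the older portal wording ("Settings and then Configuration"); verify it against the CIS 3.0.0 procedure now that the reference moved from 9.10 to 9.3.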
@@ -20,13 +20,18 @@
},
"recommendation": null,
"references": [
- "https://docs.microsoft.com/en-us/azure/app-service/deploy-ftp?tabs=portal"
+ "https://docs.microsoft.com/en-us/azure/app-service/deploy-ftp",
+ "https://docs.microsoft.com/en-us/azure/app-service/overview-security",
+ "https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-data-protection#dp-4-encrypt-sensitive-information-in-transit",
+ "https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-posture-vulnerability-management#pv-7-rapidly-and-automatically-remediate-software-vulnerabilities",
+ "https://learn.microsoft.com/en-us/rest/api/appservice/web-apps/create-or-update-configuration#ftpsstate"
],
"compliance": [
{
"name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "9.10"
+ "version": "3.0.0",
+ "reference": "9.3",
+ "profile": "Level 1"
}
],
"level": "medium",
@@ -79,17 +84,19 @@
],
"actions": {
"objectData": {
- "expand": [
+ "properties": [
"name",
"kind",
"location",
"properties.defaultHostName",
"appConfig.properties.ftpsState"
],
+ "expandObject": null,
"limit": null
},
"showGoToButton": "True",
- "showModalButton": "True"
+ "showModalButton": "True",
+ "directLink": null
}
},
"text": {
@@ -122,3 +129,4 @@
]
}
+
diff --git a/rules/findings/Azure/App Services/CIS1.4/azure-app-services-https-only-disabled.json b/rules/findings/Azure/App Service/CIS3.0/azure-app-services-https-only-disabled.json
similarity index 52%
rename from rules/findings/Azure/App Services/CIS1.4/azure-app-services-https-only-disabled.json
rename to rules/findings/Azure/App Service/CIS3.0/azure-app-services-https-only-disabled.json
index c31d92d0..4a6bac39 100644
--- a/rules/findings/Azure/App Services/CIS1.4/azure-app-services-https-only-disabled.json
+++ b/rules/findings/Azure/App Service/CIS3.0/azure-app-services-https-only-disabled.json
@@ -1,16 +1,23 @@
-{
+{
"args": [
],
"provider": "Azure",
"serviceType": "App Services",
"serviceName": "Hosted Services",
- "displayName": "Enable HTTPS-Only on Application Service",
- "description": "Azure Web Apps allows sites to run under both HTTP and HTTPS by default. Web apps can be accessed by anyone using non-secure HTTP links by default. Non-secure HTTP requests can be restricted and all HTTP requests redirected to the secure HTTPS port. It is recommended to enforce HTTPS-only traffic. Enabling HTTPS-only traffic will redirect all non-secure HTTP request to HTTPS ports. HTTPS uses the SSL/TLS protocol to provide a secure connection, which is both encrypted and authenticated. So it is important to support HTTPS for the security benefits.",
- "rationale": null,
- "impact": null,
+ "displayName": "Ensure 'HTTPS Only' is set to `On`",
+ "description": "Azure App Service allows apps to run under both HTTP and HTTPS by default. Apps can be accessed by anyone using non-secure HTTP links by default. Non-secure HTTP requests can be restricted and all HTTP requests redirected to the secure HTTPS port. It is recommended to enforce HTTPS-only traffic.",
+ "rationale": "Enabling HTTPS-only traffic will redirect all non-secure HTTP requests to HTTPS ports. HTTPS uses the TLS/SSL protocol to provide a secure connection which is both encrypted and authenticated. It is therefore important to support HTTPS for the security benefits.",
+ "impact": "When it is enabled, every incoming HTTP request is redirected to the HTTPS port. This means an extra level of security will be added to the HTTP requests made to the app.",
"remediation": {
- "text": null,
+ "text": "
+ ###### Remediate from Azure Portal
+ 1. Login to Azure Portal using https://portal.azure.com
+ 2. Go to App Services
+ 3. For each App Service
+ 4. Under Setting section, click on Configuration
+ 5. Under the General Settings tab, set HTTPS Only to On under Platform Settings
+ ",
"code": {
"powerShell": null,
"iac": null,
@@ -20,13 +27,17 @@
},
"recommendation": null,
"references": [
- "https://docs.microsoft.com/en-us/azure/app-service/app-service-web-tutorial-custom-ssl"
+ "https://learn.microsoft.com/en-us/azure/app-service/overview-security?source=recommendations#https-and-certificates",
+ "https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-data-protection#dp-3-encrypt-sensitive-data-in-transit",
+ "https://learn.microsoft.com/en-us/powershell/module/az.websites/set-azwebapp",
+ "https://techcommunity.microsoft.com/t5/azure-paas-blog/enable-https-setting-on-azure-app-service-using-azure-policy/ba-p/3286603"
],
"compliance": [
{
"name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "9.2"
+ "version": "3.0.0",
+ "reference": "9.1",
+ "profile": "Level 1"
}
],
"level": "medium",
@@ -81,11 +92,15 @@
],
"actions": {
"objectData": {
- "expand": null,
+ "properties": [
+
+ ],
+ "expandObject": null,
"limit": null
},
"showGoToButton": null,
- "showModalButton": null
+ "showModalButton": null,
+ "directLink": null
}
},
"text": {
@@ -118,3 +133,4 @@
]
}
+
diff --git a/rules/findings/Azure/App Services/CIS1.4/azure-app-services-latest-http-version-disabled.json b/rules/findings/Azure/App Service/CIS3.0/azure-app-services-latest-http-version-disabled.json
similarity index 73%
rename from rules/findings/Azure/App Services/CIS1.4/azure-app-services-latest-http-version-disabled.json
rename to rules/findings/Azure/App Service/CIS3.0/azure-app-services-latest-http-version-disabled.json
index 89525d11..f473ef68 100644
--- a/rules/findings/Azure/App Services/CIS1.4/azure-app-services-latest-http-version-disabled.json
+++ b/rules/findings/Azure/App Service/CIS3.0/azure-app-services-latest-http-version-disabled.json
@@ -1,14 +1,17 @@
-{
+{
"args": [
],
"provider": "Azure",
"serviceType": "App Services",
"serviceName": "Hosted Services",
- "displayName": "Ensure that HTTP Version is the latest, if used to run the web app",
- "description": "Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version.",
- "rationale": "Newer versions may contain security enhancements and additional functionality. Using the latest version is recommended in order to take advantage of enhancements and new capabilities. With each software installation, organizations need to determine if a given update meets their requirements and also verify the compatibility and support provided for any additional software against the update revision that is selected.\r\n\t\t\t\t\tHTTP 2.0 has additional performance improvements on the head-of-line blocking problem of old HTTP version, header compression, and prioritization of requests. HTTP 2.0 no longer supports HTTP 1.1\u0027s chunked transfer encoding mechanism, as it provides its own, more efficient, mechanisms for data streaming.",
- "impact": null,
+ "displayName": "Ensure that 'HTTP20enabled' is set to 'true'",
+ "description": "Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for apps to take advantage of security fixes, if any, and/or new functionalities of the newer version.",
+ "rationale": "
+ Newer versions may contain security enhancements and additional functionality. Using the latest version is recommended in order to take advantage of enhancements and new capabilities. With each software installation, organizations need to determine if a given update meets their requirements. They must also verify the compatibility and support provided for any additional software against the update revision that is selected.
+ HTTP 2.0 has additional performance improvements on the head-of-line blocking problem of old HTTP version, header compression, and prioritization of requests. HTTP 2.0 no longer supports HTTP 1.1's chunked transfer encoding mechanism, as it provides its own, more efficient, mechanisms for data streaming.
+ ",
+ "impact": "Most modern browsers support HTTP 2.0 protocol over TLS only, while non-encrypted traffic continues to use HTTP 1.1. To ensure that client browsers connect to your app with HTTP/2, either buy an App Service Certificate for your app's custom domain or bind a third-party certificate.",
"remediation": {
"text": "###### From Azure Console\r\n\t\t\t\t\t1. Login to \u003ca href=\u0027https://portal.azure.com\u0027 target=\u0027_blank\u0027\u003eAzure Portal\u003c/a\u003e\r\n\t\t\t\t\t2. Go to `App Services`\r\n\t\t\t\t\t3. Click on each App\r\n\t\t\t\t\t4. Under `Setting` section, click on `Configuration`\r\n\t\t\t\t\t5. Set `HTTP version` to `2.0` under `General settings`\r\n\t\t\t\t\t\r\n\t\t\t\t\tNOTE: Most modern browsers support HTTP 2.0 protocol over TLS only, while non-encrypted traffic continues to use HTTP 1.1. To ensure that client browsers connect to your app with HTTP/2, either buy an App Service Certificate for your app\u0027s custom domain or bind a third party certificate.",
"code": {
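Review bot: The new `impact` text is a near-verbatim copy of the NOTE paragraph at the end of the unchanged `remediation.text` on the next line, so the same guidance now lives in two fields that can drift independently; keep it in `impact` and drop the NOTE from `remediation.text`, or the other way round. The `displayName` quotes the benchmark's `'HTTP20enabled'` spelling while the output properties later in this file use `appConfig.properties.http20Enabled`; that is the benchmark's wording rather than a defect, but a one-line `notes` entry mapping the two would spare readers the lookup.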
@@ -27,8 +30,9 @@
"compliance": [
{
"name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "9.9"
+ "version": "3.0.0",
+ "reference": "9.10",
+ "profile": "Level 1"
}
],
"level": "low",
@@ -83,7 +87,7 @@
],
"actions": {
"objectData": {
- "expand": [
+ "properties": [
"name",
"kind",
"location",
@@ -92,10 +96,12 @@
"appConfig.properties.minTlsVersion",
"appConfig.properties.http20Enabled"
],
+ "expandObject": null,
"limit": null
},
"showGoToButton": "True",
- "showModalButton": "True"
+ "showModalButton": "True",
+ "directLink": null
}
},
"text": {
@@ -128,3 +134,4 @@
]
}
+
diff --git a/rules/findings/Azure/App Services/CIS1.4/azure-app-services-latest-java-version-missing.json b/rules/findings/Azure/App Service/CIS3.0/azure-app-services-latest-java-version-missing.json
similarity index 65%
rename from rules/findings/Azure/App Services/CIS1.4/azure-app-services-latest-java-version-missing.json
rename to rules/findings/Azure/App Service/CIS3.0/azure-app-services-latest-java-version-missing.json
index b7457ec6..96d641a3 100644
--- a/rules/findings/Azure/App Services/CIS1.4/azure-app-services-latest-java-version-missing.json
+++ b/rules/findings/Azure/App Service/CIS3.0/azure-app-services-latest-java-version-missing.json
@@ -1,14 +1,14 @@
-{
+{
"args": [
],
"provider": "Azure",
"serviceType": "App Services",
"serviceName": "Hosted Services",
- "displayName": "Ensure that \u0027Java version\u0027 is the latest, if used to run the web app",
- "description": "Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the newer version.",
- "rationale": null,
- "impact": null,
+ "displayName": "Ensure that 'Java version' is currently supported (if in use)",
+ "description": "Periodically, older versions of Java may be deprecated and no longer supported. Using a supported version of Java for app services is recommended to avoid potential unpatched vulnerabilities.",
+ "rationale": "Deprecated and unsupported versions of programming and scripting languages can present vulnerabilities which may not be addressed or may not be addressable.",
+ "impact": "If your app is written using version-dependent features or libraries, they may not be available on more recent versions. If you wish to update, research the impact thoroughly.",
"remediation": {
"text": null,
"code": {
@@ -20,13 +20,17 @@
},
"recommendation": null,
"references": [
- "https://docs.microsoft.com/en-us/azure/app-service/app-service-web-tutorial-custom-ssl"
+ "https://docs.microsoft.com/en-us/azure/app-service/web-sites-configure#general-settings",
+ "https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-posture-vulnerability-management#pv-7-rapidly-and-automatically-remediate-software-vulnerabilities",
+ "https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-posture-vulnerability-management#pv-3-establish-secure-configurations-for-compute-resources",
+ "https://www.oracle.com/java/technologies/java-se-support-roadmap.html"
],
"compliance": [
{
"name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "9.8"
+ "version": "3.0.0",
+ "reference": "9.9",
+ "profile": "Level 1"
}
],
"level": "medium",
@@ -97,7 +101,7 @@
],
"actions": {
"objectData": {
- "expand": [
+ "properties": [
"name",
"kind",
"location",
@@ -106,10 +110,12 @@
"appConfig.properties.minTlsVersion",
"appConfig.properties.javaVersion"
],
+ "expandObject": null,
"limit": null
},
"showGoToButton": "True",
- "showModalButton": "True"
+ "showModalButton": "True",
+ "directLink": null
}
},
"text": {
@@ -142,3 +148,4 @@
]
}
+
diff --git a/rules/findings/Azure/App Services/CIS1.4/azure-app-services-latest-php-version-missing.json b/rules/findings/Azure/App Service/CIS3.0/azure-app-services-latest-php-version-missing.json
similarity index 74%
rename from rules/findings/Azure/App Services/CIS1.4/azure-app-services-latest-php-version-missing.json
rename to rules/findings/Azure/App Service/CIS3.0/azure-app-services-latest-php-version-missing.json
index 636ec9ed..a5dc7a69 100644
--- a/rules/findings/Azure/App Services/CIS1.4/azure-app-services-latest-php-version-missing.json
+++ b/rules/findings/Azure/App Service/CIS3.0/azure-app-services-latest-php-version-missing.json
@@ -1,14 +1,14 @@
-{
+{
"args": [
],
"provider": "Azure",
"serviceType": "App Services",
"serviceName": "Hosted Services",
- "displayName": "Ensure that \u0027PHP version\u0027 is the latest, if used to run the web app",
+ "displayName": "Ensure that 'PHP version' is currently supported (if in use)",
"description": "Periodically newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version.",
- "rationale": "Newer versions may contain security enhancements and additional functionality. Using the latest software version is recommended in order to take advantage of enhancements and new capabilities. With each software installation, organizations need to determine if a given update meets their requirements and also verify the compatibility and support provided for any additional software against the update revision that is selected.",
- "impact": null,
+ "rationale": "Deprecated and unsupported versions of programming and scripting languages can present vulnerabilities which may not be addressed or may not be addressable.",
+ "impact": "If your app is written using version-dependent features or libraries, they may not be available on more recent versions. If you wish to update, research the impact thoroughly.",
"remediation": {
"text": null,
"code": {
@@ -20,13 +20,17 @@
},
"recommendation": null,
"references": [
- "https://docs.microsoft.com/en-us/azure/app-service/app-service-web-tutorial-custom-ssl"
+ "https://docs.microsoft.com/en-us/azure/app-service/web-sites-configure#general-settings",
+ "https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-posture-vulnerability-management#pv-7-rapidly-and-automatically-remediate-software-vulnerabilities",
+ "https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-posture-vulnerability-management#pv-3-establish-secure-configurations-for-compute-resources",
+ "https://www.php.net/supported-versions.php"
],
"compliance": [
{
"name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "9.6"
+ "version": "3.0.0",
+ "reference": "9.7",
+ "profile": "Level 1"
}
],
"level": "medium",
@@ -109,7 +113,7 @@
],
"actions": {
"objectData": {
- "expand": [
+ "properties": [
"name",
"kind",
"location",
@@ -119,10 +123,12 @@
"appConfig.properties.linuxFxVersion",
"appConfig.properties.phpVersion"
],
+ "expandObject": null,
"limit": null
},
"showGoToButton": "True",
- "showModalButton": "True"
+ "showModalButton": "True",
+ "directLink": null
}
},
"text": {
@@ -155,3 +161,4 @@
]
}
+
diff --git a/rules/findings/Azure/App Services/CIS1.4/azure-app-services-latest-python-version-missing.json b/rules/findings/Azure/App Service/CIS3.0/azure-app-services-latest-python-version-missing.json
similarity index 69%
rename from rules/findings/Azure/App Services/CIS1.4/azure-app-services-latest-python-version-missing.json
rename to rules/findings/Azure/App Service/CIS3.0/azure-app-services-latest-python-version-missing.json
index 4071d65a..f91727a4 100644
--- a/rules/findings/Azure/App Services/CIS1.4/azure-app-services-latest-python-version-missing.json
+++ b/rules/findings/Azure/App Service/CIS3.0/azure-app-services-latest-python-version-missing.json
@@ -1,14 +1,14 @@
-{
+{
"args": [
],
"provider": "Azure",
"serviceType": "App Services",
"serviceName": "Hosted Services",
- "displayName": "Ensure that \u0027Python version\u0027 is the latest, if used to run the web app",
- "description": "Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version.",
- "rationale": "Newer versions may contain security enhancements and additional functionality. Using the latest software version is recommended in order to take advantage of enhancements and new capabilities. With each software installation, organizations need to determine if a given update meets their requirements and also verify the compatibility and support provided for any additional software against the update revision that is selected. Using the latest full version will keep your stack secure to vulnerabilities and exploits.",
- "impact": "If your app is written using version dependent features or libraries, they may not be available on the latest version.",
+ "displayName": "Ensure that 'Python version' is currently supported (if in use)",
+ "description": "Periodically, older versions of Python may be deprecated and no longer supported. Using a supported version of Python for app services is recommended to avoid potential unpatched vulnerabilities.",
+ "rationale": "Deprecated and unsupported versions of programming and scripting languages can present vulnerabilities which may not be addressed or may not be addressable.",
+ "impact": "If your app is written using version-dependent features or libraries, they may not be available on more recent versions. If you wish to update, research the impact thoroughly.",
"remediation": {
"text": null,
"code": {
@@ -20,13 +20,17 @@
},
"recommendation": null,
"references": [
- "https://docs.microsoft.com/en-us/azure/app-service/app-service-web-tutorial-custom-ssl"
+ "https://docs.microsoft.com/en-us/azure/app-service/web-sites-configure#general-settings",
+ "https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-posture-vulnerability-management#pv-7-rapidly-and-automatically-remediate-software-vulnerabilities",
+ "https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-posture-vulnerability-management#pv-3-establish-secure-configurations-for-compute-resources",
+ "https://devguide.python.org/versions/"
],
"compliance": [
{
"name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "9.7"
+ "version": "3.0.0",
+ "reference": "9.8",
+ "profile": "Level 1"
}
],
"level": "medium",
@@ -109,7 +113,7 @@
],
"actions": {
"objectData": {
- "expand": [
+ "properties": [
"name",
"kind",
"location",
@@ -119,10 +123,12 @@
"appConfig.properties.linuxFxVersion",
"appConfig.properties.pythonVersion"
],
+ "expandObject": null,
"limit": null
},
"showGoToButton": "True",
- "showModalButton": "True"
+ "showModalButton": "True",
+ "directLink": null
}
},
"text": {
@@ -155,3 +161,4 @@
]
}
+
diff --git a/rules/findings/Azure/App Services/CIS1.4/azure-app-services-latest-tls-version-missing.json b/rules/findings/Azure/App Service/CIS3.0/azure-app-services-latest-tls-version-missing.json
similarity index 76%
rename from rules/findings/Azure/App Services/CIS1.4/azure-app-services-latest-tls-version-missing.json
rename to rules/findings/Azure/App Service/CIS3.0/azure-app-services-latest-tls-version-missing.json
index 34bcd811..054be676 100644
--- a/rules/findings/Azure/App Services/CIS1.4/azure-app-services-latest-tls-version-missing.json
+++ b/rules/findings/Azure/App Service/CIS3.0/azure-app-services-latest-tls-version-missing.json
@@ -1,11 +1,11 @@
-{
+{
"args": [
],
"provider": "Azure",
"serviceType": "App Services",
"serviceName": "Hosted Services",
- "displayName": "Update TLS version for Application service",
+ "displayName": "Ensure Web App is using the latest version of TLS encryption",
"description": "The TLS(Transport Layer Security) protocol secures transmission of data over the internet using standard encryption technology. Encryption should be set with the latest version of TLS. App service allows TLS 1.2 by default, which is the recommended TLS level by industry standards, such as PCI DSS. App service currently allows the web app to set TLS versions 1.0, 1.1 and 1.2. It is highly recommended to use the latest TLS 1.2 version for web app secure connections.",
"rationale": "App service currently allows the web app to set TLS versions 1.0, 1.1 and 1.2. It is highly recommended to use the latest TLS 1.2 version for web app secure connections.",
"impact": null,
@@ -20,13 +20,17 @@
},
"recommendation": null,
"references": [
- "https://docs.microsoft.com/en-us/azure/app-service/app-service-web-tutorial-custom-ssl"
+ "https://docs.microsoft.com/en-us/azure/app-service/app-service-web-tutorial-custom-ssl#enforce-tls-versions",
+ "https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-data-protection#dp-3-encrypt-sensitive-data-in-transit",
+ "https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-network-security#ns-8-detect-and-disable-insecure-services-and-protocols",
+ "https://docs.microsoft.com/en-us/powershell/module/az.websites/set-azwebapp?view=azps-8.1.0"
],
"compliance": [
{
"name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "9.9"
+ "version": "3.0.0",
+ "reference": "9.4",
+ "profile": "Level 1"
}
],
"level": "medium",
@@ -45,9 +49,9 @@
{
"conditions": [
[
- "appConfig.properties.minTlsVersion",
- "ne",
- "1.2"
+ "['1.2','1.3']",
+ "contains",
+ "appConfig.properties.minTlsVersion"
]
]
}
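Review bot: The rewritten condition `["['1.2','1.3']", "contains", "appConfig.properties.minTlsVersion"]` matches apps whose minimum TLS version is in the accepted set, which is the compliant case, whereas the removed `ne 1.2` matched the non-compliant one; unless the engine negates `contains` for this operand order, the finding now fires on the wrong apps and silently passes the 1.0/1.1 configurations it exists to catch. Every other condition on this page puts the property path first and the literal last, and here the allowed set is a Python-style string rather than a JSON array, so how the engine parses it is not evident from the rule alone. A shape consistent with the rest of the rule set would be `["appConfig.properties.minTlsVersion", <not-in operator the engine supports>, ["1.2", "1.3"]]`, or keeping `ne` and adding a second `ne 1.3` condition under `"operator": "and"`, as the Key Vault rule does for multiple conditions.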
@@ -81,11 +85,15 @@
],
"actions": {
"objectData": {
- "expand": null,
+ "properties": [
+
+ ],
+ "expandObject": null,
"limit": null
},
"showGoToButton": null,
- "showModalButton": null
+ "showModalButton": null,
+ "directLink": null
}
},
"text": {
@@ -118,3 +126,4 @@
]
}
+
diff --git a/rules/findings/Azure/App Services/CIS1.4/azure-app-services-auth-disabled.json b/rules/findings/Azure/App Services/CIS1.4/azure-app-services-auth-disabled.json
deleted file mode 100644
index 6dcaaaf3..00000000
--- a/rules/findings/Azure/App Services/CIS1.4/azure-app-services-auth-disabled.json
+++ /dev/null
@@ -1,121 +0,0 @@
-{
- "args": [
-
- ],
- "provider": "Azure",
- "serviceType": "App Services",
- "serviceName": "Hosted Services",
- "displayName": "Enable Application service authentication",
- "description": "Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the API app, or authenticate those that have tokens before they reach the API app. If an anonymous request is received from a browser, App Service will redirect to a logon page. To handle the logon process, a choice from a set of identity providers can be made, or a custom authentication mechanism can be implemented. By Enabling App Service Authentication, every incoming HTTP request passes through it before being handled by the application code. It also handles authentication of users with the specified provider (Microsoft Entra ID, Facebook, Google, Microsoft Account, and Twitter), validation, storing and refreshing of tokens, managing the authenticated sessions and injecting identity information into request headers.",
- "rationale": null,
- "impact": null,
- "remediation": {
- "text": null,
- "code": {
- "powerShell": null,
- "iac": null,
- "terraform": null,
- "other": null
- }
- },
- "recommendation": null,
- "references": [
- "https://docs.microsoft.com/en-us/azure/app-service/overview-authentication-authorization"
- ],
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "9.1"
- }
- ],
- "level": "medium",
- "tags": [
-
- ],
- "rule": {
- "path": "az_app_services",
- "subPath": null,
- "selectCondition": {
-
- },
- "query": [
- {
- "filter": [
- {
- "conditions": [
- [
- "authSettings",
- "eq",
- ""
- ]
- ]
- }
- ]
- }
- ],
- "shouldExist": null,
- "returnObject": null,
- "removeIfNotExists": null
- },
- "output": {
- "html": {
- "data": {
- "properties": {
- "name": "Application Name",
- "kind": "Kind",
- "location": "Location",
- "properties.defaultHostName": "HostName",
- "properties.httpsOnly": "Https Only",
- "appConfig.properties.ftpsState": "SSL FTP",
- "appConfig.properties.minTlsVersion": "TLS Version",
- "appConfig.properties.siteAuthSettings.Enabled": "Site Auth Enabled"
- },
- "expandObject": null
- },
- "table": "asList",
- "decorate": [
-
- ],
- "emphasis": [
- "Site Auth Enabled"
- ],
- "actions": {
- "objectData": {
- "expand": null,
- "limit": null
- },
- "showGoToButton": null,
- "showModalButton": null
- }
- },
- "text": {
- "data": {
- "properties": {
-
- },
- "expandObject": null
- },
- "status": {
- "keyName": [
-
- ],
- "message": "",
- "defaultMessage": null
- },
- "properties": {
- "resourceName": null,
- "resourceId": null,
- "resourceType": null
- },
- "onlyStatus": false
- }
- },
- "idSuffix": "app_service_site_auth_disabled",
- "notes": [
-
- ],
- "categories": [
-
- ]
-}
diff --git a/rules/findings/Azure/App Services/CIS1.4/azure-app-services-client-certificate-missing.json b/rules/findings/Azure/App Services/CIS1.4/azure-app-services-client-certificate-missing.json
deleted file mode 100644
index 45fdd6fd..00000000
--- a/rules/findings/Azure/App Services/CIS1.4/azure-app-services-client-certificate-missing.json
+++ /dev/null
@@ -1,121 +0,0 @@
-{
- "args": [
-
- ],
- "provider": "Azure",
- "serviceType": "App Services",
- "serviceName": "Hosted Services",
- "displayName": "Consider to configure mutual authentication on Application services",
- "description": "Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. The TLS mutual authentication technique in enterprise environments ensures the authenticity of clients to the server. If incoming client certificates are enabled, then only an authenticated client who has valid certificates can access the app.",
- "rationale": null,
- "impact": null,
- "remediation": {
- "text": null,
- "code": {
- "powerShell": null,
- "iac": null,
- "terraform": null,
- "other": null
- }
- },
- "recommendation": null,
- "references": [
- "https://docs.microsoft.com/en-us/azure/app-service/app-service-web-configure-tls-mutual-auth"
- ],
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "9.4"
- }
- ],
- "level": "medium",
- "tags": [
-
- ],
- "rule": {
- "path": "az_app_services",
- "subPath": null,
- "selectCondition": {
-
- },
- "query": [
- {
- "filter": [
- {
- "conditions": [
- [
- "properties.clientCertEnabled",
- "eq",
- "false"
- ]
- ]
- }
- ]
- }
- ],
- "shouldExist": null,
- "returnObject": null,
- "removeIfNotExists": null
- },
- "output": {
- "html": {
- "data": {
- "properties": {
- "name": "Application Name",
- "kind": "Kind",
- "location": "Location",
- "properties.defaultHostName": "HostName",
- "properties.httpsOnly": "Https Only",
- "appConfig.properties.ftpsState": "SSL FTP",
- "appConfig.properties.minTlsVersion": "TLS Version",
- "properties.clientCertEnabled": "Client certificate enabled"
- },
- "expandObject": null
- },
- "table": "asList",
- "decorate": [
-
- ],
- "emphasis": [
- "Client certificate enabled"
- ],
- "actions": {
- "objectData": {
- "expand": null,
- "limit": null
- },
- "showGoToButton": null,
- "showModalButton": null
- }
- },
- "text": {
- "data": {
- "properties": {
-
- },
- "expandObject": null
- },
- "status": {
- "keyName": [
-
- ],
- "message": "",
- "defaultMessage": null
- },
- "properties": {
- "resourceName": null,
- "resourceId": null,
- "resourceType": null
- },
- "onlyStatus": false
- }
- },
- "idSuffix": "app_service_missing_client_cert",
- "notes": [
-
- ],
- "categories": [
-
- ]
-}
diff --git a/rules/findings/Azure/Application Insights/CIS3.0/azure-application-insights-not-configured.json b/rules/findings/Azure/Application Insights/CIS3.0/azure-application-insights-not-configured.json
new file mode 100644
index 00000000..27f936de
--- /dev/null
+++ b/rules/findings/Azure/Application Insights/CIS3.0/azure-application-insights-not-configured.json
@@ -0,0 +1,117 @@
+{
+ "args": [
+
+ ],
+ "provider": "Azure",
+ "serviceType": "Application Insights",
+ "serviceName": "Subscription",
+ "displayName": "Ensure Application Insights are Configured",
+ "description": "Application Insights within Azure act as an Application Performance Monitoring solution providing valuable data into how well an application performs and additional information when performing incident response. The types of log data collected include application metrics, telemetry data, and application trace logging data providing organizations with detailed information about application activity and application transactions. Both data sets help organizations adopt a proactive and retroactive means to handle security and performance related metrics within their modern applications.",
+ "rationale": "Configuring Application Insights provides additional data not found elsewhere within Azure as part of a much larger logging and monitoring program within an organization's Information Security practice. The types and contents of these logs will act as both a potential cost saving measure (application performance) and a means to potentially confirm the source of a potential incident (trace logging). Metrics and Telemetry data provide organizations with a proactive approach to cost savings by monitoring an application's performance, while the trace logging data provides necessary details in a reactive incident response scenario by helping organizations identify the potential source of an incident within their application.",
+ "impact": "Because Application Insights relies on a Log Analytics Workspace, an organization will incur additional expenses when using this service.",
+ "remediation": {
+ "text": "
+ ###### Remediate from Azure Portal
+ 1. Navigate to Application Insights.
+ 2. Under the Basics tab within the PROJECT DETAILS section, select the Subscription.
+ 3. Select the Resource group.
+ 4. Within the INSTANCE DETAILS, enter a Name.
+ 5. Select a Region.
+ 6. Next to Resource Mode, select Workspace-based.
+ 7. Within the WORKSPACE DETAILS, select the Subscription for the log analytics workspace.
+ 8. Select the appropriate Log Analytics Workspace.
+ 9. Click Next:Tags >.
+ 10. Enter the appropriate Tags as Name, Value pairs.
+ 11. Click Next:Review+Create.
+ 12. Click Create.
+ ",
+ "code": {
+ "powerShell": null,
+ "iac": null,
+ "terraform": null,
+ "other": null
+ }
+ },
+ "recommendation": null,
+ "references": [
+ "https://learn.microsoft.com/en-us/azure/azure-monitor/app/app-insights-overview"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "3.0.0",
+ "reference": "6.3.1",
+ "profile": "Level 2"
+ }
+ ],
+ "level": "medium",
+ "tags": [
+
+ ],
+ "rule": {
+ "path": "",
+ "subPath": null,
+ "selectCondition": {
+
+ },
+ "query": [
+ ],
+ "shouldExist": null,
+ "returnObject": null,
+ "removeIfNotExists": null
+ },
+ "output": {
+ "html": {
+ "data": {
+ "expandObject": null
+ },
+ "table": "asList",
+ "decorate": [
+
+ ],
+ "emphasis": [
+ ],
+ "actions": {
+ "objectData": {
+ "properties": [
+
+ ],
+ "expandObject": null,
+ "limit": null
+ },
+ "showGoToButton": null,
+ "showModalButton": null,
+ "directLink": null
+ }
+ },
+ "text": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "status": {
+ "keyName": [
+
+ ],
+ "message": "",
+ "defaultMessage": null
+ },
+ "properties": {
+ "resourceName": null,
+ "resourceId": null,
+ "resourceType": null
+ },
+ "onlyStatus": false
+ }
+ },
+ "idSuffix": "azure_application_insights_not_configured",
+ "notes": [
+
+ ],
+ "categories": [
+
+ ]
+}
+
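Review bot: The `remediation.text` value spans many physical lines with raw line breaks inside the string literal, which RFC 8259 forbids (control characters must be escaped) and a strict `application/json` parser will reject; the existing rules on this page encode the same layout as `\r\n\t\t\t\t\t` inside a single line, and the same raw-newline strings appear in `rationale` and `impact` of the new azure-sku-basic-detected.json. Separately, `rule.path` is `""` and `query` is empty in both new files, so neither carries any detection logic; if these are meant as manual-only controls, a line in `notes` saying so would prevent them being read as automated checks that never produce a result. The `html.data` block also omits the `properties` map that every other rule on this page defines, so a renderer that expects it may need to tolerate its absence.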
diff --git a/rules/findings/Azure/Application Insights/CIS3.0/azure-sku-basic-detected.json b/rules/findings/Azure/Application Insights/CIS3.0/azure-sku-basic-detected.json
new file mode 100644
index 00000000..675add4f
--- /dev/null
+++ b/rules/findings/Azure/Application Insights/CIS3.0/azure-sku-basic-detected.json
@@ -0,0 +1,119 @@
+{
+ "args": [
+
+ ],
+ "provider": "Azure",
+ "serviceType": "Application Insights",
+ "serviceName": "Subscription",
+ "displayName": "Ensure that SKU Basic/Consumption is not used on artifacts that need to be monitored (Particularly for Production Workloads)",
+ "description": "The use of Basic or Free SKUs in Azure whilst cost effective have significant limitations in terms of what can be monitored and what support can be realized from Microsoft. Typically, these SKU's do not have a service SLA and Microsoft may refuse to provide support for them. Consequently Basic/Free SKUs should never be used for production workloads.",
+ "rationale": "
+ Typically, production workloads need to be monitored and should have an SLA with Microsoft, using Basic SKUs for any deployed product will mean that that these capabilities do not exist.
+
+ The following resource types should use standard SKUs as a minimum.
+ * Public IP Addresses
+ * Network Load Balancers
+ * REDIS Cache
+ * SQL PaaS Databases
+ * VPN Gateways
+ ",
+ "impact": "
+ The impact of enforcing Standard SKU's is twofold
+ 1. There will be a cost increase
+ 2. The monitoring and service level agreements will be available and will support the production service.
+
+ All resources should be either tagged or in separate Management Groups/Subscriptions
+ ",
+ "remediation": {
+ "text": "Each artifact has its own process for upgrading from basic to standard SKU's and this should be followed if required.",
+ "code": {
+ "powerShell": null,
+ "iac": null,
+ "terraform": null,
+ "other": null
+ }
+ },
+ "recommendation": null,
+ "references": [
+ "https://azure.microsoft.com/en-us/support/plans",
+ "https://azure.microsoft.com/en-us/support/plans/response/"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "3.0.0",
+ "reference": "6.5",
+ "profile": "Level 2"
+ }
+ ],
+ "level": "medium",
+ "tags": [
+
+ ],
+ "rule": {
+ "path": "",
+ "subPath": null,
+ "selectCondition": {
+
+ },
+ "query": [
+ ],
+ "shouldExist": null,
+ "returnObject": null,
+ "removeIfNotExists": null
+ },
+ "output": {
+ "html": {
+ "data": {
+ "expandObject": null
+ },
+ "table": "asList",
+ "decorate": [
+
+ ],
+ "emphasis": [
+ ],
+ "actions": {
+ "objectData": {
+ "properties": [
+
+ ],
+ "expandObject": null,
+ "limit": null
+ },
+ "showGoToButton": null,
+ "showModalButton": null,
+ "directLink": null
+ }
+ },
+ "text": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "status": {
+ "keyName": [
+
+ ],
+ "message": "",
+ "defaultMessage": null
+ },
+ "properties": {
+ "resourceName": null,
+ "resourceId": null,
+ "resourceType": null
+ },
+ "onlyStatus": false
+ }
+ },
+ "idSuffix": "azure_basic_sku_detected",
+ "notes": [
+
+ ],
+ "categories": [
+
+ ]
+}
+
diff --git a/rules/findings/Azure/Azure KeyVault/CIS1.4/azure-keyvault-keys-expiration-set.json b/rules/findings/Azure/Azure KeyVault/CIS1.4/azure-keyvault-keys-expiration-set.json
deleted file mode 100644
index 8a2394b9..00000000
--- a/rules/findings/Azure/Azure KeyVault/CIS1.4/azure-keyvault-keys-expiration-set.json
+++ /dev/null
@@ -1,123 +0,0 @@
-{
- "args": [
-
- ],
- "provider": "Azure",
- "serviceType": "Azure KeyVault",
- "serviceName": "Storage",
- "displayName": "Ensure that the expiration date is set on all keys",
- "description": "Ensure that all keys in Azure Key Vault have an expiration time set.",
- "rationale": "Azure Key Vault enables users to store and use cryptographic keys within the Microsoft Azure environment. The `exp` (expiration time) attribute identifies the expiration time on or after which the key MUST NOT be used for a cryptographic operation. By default, keys never expire. It is thus recommended that keys be rotated in the key vault and set an explicit expiration time for all keys. This ensures that the keys cannot be used beyond their assigned lifetimes.",
- "impact": "Keys cannot be used beyond their assigned expiration times respectively. Keys need to be rotated periodically wherever they are used.",
- "remediation": {
- "text": "###### From Azure Console\r\n\t\t\t\t\t1. Go to `Key vaults`\r\n\t\t\t\t\t2. For each Key vault, click on `Keys`.\r\n\t\t\t\t\t3. Under the `Settings` section, Make sure `Enabled?` is set to Yes\r\n\t\t\t\t\t4. Set an appropriate **expiration date** on all keys.",
- "code": {
- "powerShell": null,
- "iac": null,
- "terraform": null,
- "other": null
- }
- },
- "recommendation": null,
- "references": [
- "https://docs.microsoft.com/en-us/azure/key-vault/about-keys-secrets-and-certificates"
- ],
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "8.1"
- }
- ],
- "level": "medium",
- "tags": [
-
- ],
- "rule": {
- "path": "az_keyvault",
- "subPath": null,
- "selectCondition": {
-
- },
- "query": [
- {
- "filter": [
- {
- "conditions": [
- [
- "objects.keys",
- "ne"
- ],
- [
- "objects.keys.attributes.exp",
- "eq",
- ""
- ]
- ],
- "operator": "and"
- }
- ]
- }
- ],
- "shouldExist": null,
- "returnObject": null,
- "removeIfNotExists": null
- },
- "output": {
- "html": {
- "data": {
- "properties": {
- "name": "KeyVault",
- "objects.keys.attributes.enabled": "Enabled",
- "objects.keys.attributes.created": "Creation time",
- "objects.keys.attributes.updated": "Updated",
- "objects.keys.attributes.exp": "Expires"
- },
- "expandObject": null
- },
- "table": "asList",
- "decorate": [
-
- ],
- "emphasis": [
- "Expires"
- ],
- "actions": {
- "objectData": {
- "expand": null,
- "limit": null
- },
- "showGoToButton": null,
- "showModalButton": null
- }
- },
- "text": {
- "data": {
- "properties": {
-
- },
- "expandObject": null
- },
- "status": {
- "keyName": [
-
- ],
- "message": "",
- "defaultMessage": null
- },
- "properties": {
- "resourceName": null,
- "resourceId": null,
- "resourceType": null
- },
- "onlyStatus": false
- }
- },
- "idSuffix": "azure_key_vault_keys_notexpire",
- "notes": [
-
- ],
- "categories": [
-
- ]
-}
diff --git a/rules/findings/Azure/Azure LogProfile/CIS1.4/azure-log-profile-container-public-access.json b/rules/findings/Azure/Azure LogProfile/CIS1.4/azure-log-profile-container-public-access.json
deleted file mode 100644
index b8b57d10..00000000
--- a/rules/findings/Azure/Azure LogProfile/CIS1.4/azure-log-profile-container-public-access.json
+++ /dev/null
@@ -1,122 +0,0 @@
-{
- "args": [
-
- ],
- "provider": "Azure",
- "serviceType": "Azure Log Profile",
- "serviceName": "Subscription",
- "displayName": "Ensure the storage container storing the activity logs is not publicly accessible",
- "description": "The storage account container containing the activity log export should not be publicly accessible.",
- "rationale": "Allowing public access to activity log content may aid an adversary in identifying weaknesses in the affected account\u0027s use or configuration.",
- "impact": "Configuring container `Access policy` to `private` will remove access from the container for everyone except owners of the storage account. Access policy needs to be set explicitly in order to allow access to other desired users.",
- "remediation": {
- "text": "###### From Azure Console\r\n\t\t\t\t\t1. Go to `Activity log`\r\n\t\t\t\t\t2. Select `Export`\r\n\t\t\t\t\t3. Select `Subscription`\r\n\t\t\t\t\t4. In section `Storage Account`, note the name of the Storage account\r\n\t\t\t\t\t5. Close the `Export Audit Logs` blade. Close the `Monitor - Activity Log` blade.\r\n\t\t\t\t\t6. In right column, Click service `Storage Accounts` to access Storage account blade\r\n\t\t\t\t\t7. Click on the storage account name noted in step 4. This will open blade specific to that storage account\r\n\t\t\t\t\t8. In Section `Blob Service` click `Containers`. It will list all the containers in next blade\r\n\t\t\t\t\t9. Look for a record with container named as `insight-operational-logs`. Click ... from right most column to open Context menu\r\n\t\t\t\t\t10. Click `Access Policy` from Context Menu and ensure `Public Access Level` is set to `Private (no anonymous access)`",
- "code": {
- "powerShell": null,
- "iac": null,
- "terraform": null,
- "other": null
- }
- },
- "recommendation": null,
- "references": [
- "https://docs.microsoft.com/en-us/azure/azure-monitor/platform/activity-logs-overview"
- ],
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "5.1.3"
- }
- ],
- "level": "high",
- "tags": [
-
- ],
- "rule": {
- "path": "az_storage_accounts",
- "subPath": null,
- "selectCondition": {
-
- },
- "query": [
- {
- "filter": [
- {
- "conditions": [
- [
- "containers.blobname",
- "eq",
- "insights-operational-logs"
- ],
- [
- "containers.publicaccess",
- "eq",
- "container"
- ]
- ],
- "operator": "and"
- }
- ]
- }
- ],
- "shouldExist": null,
- "returnObject": null,
- "removeIfNotExists": null
- },
- "output": {
- "html": {
- "data": {
- "properties": {
- "storageaccount": "Storage account Name",
- "blobname": "Blob name",
- "publicaccess": "Public Access"
- },
- "expandObject": null
- },
- "table": "asList",
- "decorate": [
-
- ],
- "emphasis": [
- "Public Access"
- ],
- "actions": {
- "objectData": {
- "expand": null,
- "limit": null
- },
- "showGoToButton": null,
- "showModalButton": null
- }
- },
- "text": {
- "data": {
- "properties": {
-
- },
- "expandObject": null
- },
- "status": {
- "keyName": [
-
- ],
- "message": "",
- "defaultMessage": null
- },
- "properties": {
- "resourceName": null,
- "resourceId": null,
- "resourceType": null
- },
- "onlyStatus": false
- }
- },
- "idSuffix": "azure_log_profile_public_all",
- "notes": [
-
- ],
- "categories": [
-
- ]
-}
diff --git a/rules/findings/Azure/Azure LogProfile/CIS1.4/azure-log-profile-storage-account-byok-disabled.json b/rules/findings/Azure/Azure LogProfile/CIS1.4/azure-log-profile-storage-account-byok-disabled.json
deleted file mode 100644
index c486d73a..00000000
--- a/rules/findings/Azure/Azure LogProfile/CIS1.4/azure-log-profile-storage-account-byok-disabled.json
+++ /dev/null
@@ -1,117 +0,0 @@
-{
- "args": [
-
- ],
- "provider": "Azure",
- "serviceType": "Azure Log Profile",
- "serviceName": "Subscription",
- "displayName": "Ensure the storage account containing the container with activity logs is encrypted using own key",
- "description": "The storage account with the activity log export container is configured to use BYOK (Use Your Own Key).",
- "rationale": "Configuring the storage account with the activity log export container to use BYOK (Use Your Own Key) provides additional confidentiality controls on log data as a given user must have read permission on the corresponding storage account and must be granted decrypt permission by the CMK.",
- "impact": null,
- "remediation": {
- "text": "###### From Azure Console\r\n\t\t\t\t\t1. Go to `Activity log`\r\n\t\t\t\t\t2. Select `Export`\r\n\t\t\t\t\t3. Select `Subscription`\r\n\t\t\t\t\t4. In section `Storage Account`, note the name of the Storage account\r\n\t\t\t\t\t5. Close the `Export Audit Logs` blade. Close the `Monitor - Activity Log` blade.\r\n\t\t\t\t\t6. In right column, Click service `Storage Accounts` to access Storage account blade\r\n\t\t\t\t\t7. Click on the storage account name noted in step 4. This will open blade specific to that storage account\r\n\t\t\t\t\t8. In Section `settings` click `Encryption`. It will show `Storage service encryption` configuration pane.\r\n\t\t\t\t\t9. Ensure `Use your own key` is checked and `Key URI` is set.",
- "code": {
- "powerShell": null,
- "iac": null,
- "terraform": null,
- "other": null
- }
- },
- "recommendation": null,
- "references": [
- "https://docs.microsoft.com/en-us/azure/azure-monitor/platform/activity-logs-overview"
- ],
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "5.1.4"
- }
- ],
- "level": "medium",
- "tags": [
-
- ],
- "rule": {
- "path": "az_log_profile",
- "subPath": null,
- "selectCondition": {
-
- },
- "query": [
- {
- "filter": [
- {
- "conditions": [
- [
- "storageAccountUsingOwnKey",
- "eq",
- "false"
- ]
- ]
- }
- ]
- }
- ],
- "shouldExist": null,
- "returnObject": null,
- "removeIfNotExists": null
- },
- "output": {
- "html": {
- "data": {
- "properties": {
- "name": "Log Profile",
- "properties.retentionPolicy.enabled": "Retention Policy",
- "properties.retentionPolicy.days": "Retention Policy days",
- "storageAccountUsingOwnKey": "Encrypted Using Own Key"
- },
- "expandObject": null
- },
- "table": "asList",
- "decorate": [
-
- ],
- "emphasis": [
- "Encrypted Using Own Key"
- ],
- "actions": {
- "objectData": {
- "expand": null,
- "limit": null
- },
- "showGoToButton": null,
- "showModalButton": null
- }
- },
- "text": {
- "data": {
- "properties": {
-
- },
- "expandObject": null
- },
- "status": {
- "keyName": [
-
- ],
- "message": "",
- "defaultMessage": null
- },
- "properties": {
- "resourceName": null,
- "resourceId": null,
- "resourceType": null
- },
- "onlyStatus": false
- }
- },
- "idSuffix": "azure_log_profile_storage_byok_disabled",
- "notes": [
-
- ],
- "categories": [
-
- ]
-}
diff --git a/rules/findings/Azure/Bastion/CIS3.0/azure-bastion-hosts-not-present.json b/rules/findings/Azure/Bastion/CIS3.0/azure-bastion-hosts-not-present.json
new file mode 100644
index 00000000..92ab202c
--- /dev/null
+++ b/rules/findings/Azure/Bastion/CIS3.0/azure-bastion-hosts-not-present.json
@@ -0,0 +1,123 @@
+{
+ "args": [
+
+ ],
+ "provider": "Azure",
+ "serviceType": "Bastion",
+ "serviceName": "Network",
+ "displayName": "Ensure an Azure Bastion Host Exists",
+ "description": "The Azure Bastion service allows secure remote access to Azure Virtual Machines over the Internet without exposing remote access protocol ports and services directly to the Internet. The Azure Bastion service provides this access using TLS over 443/TCP, and subscribes to hardened configurations within an organization's Azure Active Directory service.",
+ "rationale": "The Azure Bastion service allows organizations a more secure means of accessing Azure Virtual Machines over the Internet without assigning public IP addresses to those Virtual Machines. The Azure Bastion service provides Remote Desktop Protocol (RDP) and Secure Shell (SSH) access to Virtual Machines using TLS within a web browser, thus preventing organizations from opening up 3389/TCP and 22/TCP to the Internet on Azure Virtual Machines. Additional benefits of the Bastion service includes Multi-Factor Authentication, Conditional Access Policies, and any other hardening measures configured within Azure Active Directory using a central point of access.",
+ "impact": "The Azure Bastion service incurs additional costs and requires a specific virtual network configuration. The Standard tier offers additional configuration options compared to the Basic tier and may incur additional costs for those added features.",
+ "remediation": {
+ "text": "
+ ###### Remediate from Azure Portal
+ 1. Click on Bastions
+ 2. Select the Subscription
+ 3. Select the Resource group
+ 4. Type a Name for the new Bastion host
+ 5. Select a Region
+ 6. Choose Standard next to Tier
+ 7. Use the slider to set the Instance count
+ 8. Select the Virtual network or Create new
+ 9. Select the Subnet named AzureBastionSubnet. Create a Subnet named AzureBastionSubnet using a /26 CIDR range if it doesn't already exist.
+ 10. Selct the appropriate Public IP address option.
+ 11. If Create new is selected for the Public IP address option, provide a Public IP address name.
+ 12. If Use existing is selected for Public IP address option, select an IP address from Choose public IP address
+ 13. Click Next: Tags >
+ 14. Configure the appropriate Tags
+ 15. Click Next: Advanced >
+ 16. Select the appropriate Advanced options
+ 17. Click Next: Review + create >
+ 18. Click Create
+ ",
+ "code": {
+ "powerShell": null,
+ "iac": null,
+ "terraform": null,
+ "other": null
+ }
+ },
+ "recommendation": null,
+ "references": [
+ "https://learn.microsoft.com/en-us/azure/bastion/bastion-overview#sku",
+ "https://learn.microsoft.com/en-us/powershell/module/az.network/get-azbastion?view=azps-9.2.0",
+ "https://learn.microsoft.com/en-us/cli/azure/network/bastion?view=azure-cli-latest"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "3.0.0",
+ "reference": "8.1",
+ "profile": "Level 2"
+ }
+ ],
+ "level": "medium",
+ "tags": [
+
+ ],
+ "rule": {
+ "path": "",
+ "subPath": null,
+ "selectCondition": {
+
+ },
+ "query": [
+ ],
+ "shouldExist": null,
+ "returnObject": null,
+ "removeIfNotExists": null
+ },
+ "output": {
+ "html": {
+ "data": {
+ "expandObject": null
+ },
+ "table": "Normal",
+ "decorate": [
+
+ ],
+ "emphasis": [
+
+ ],
+ "actions": {
+ "objectData": {
+ "expandObject": null,
+ "limit": null
+ },
+ "showGoToButton": "True",
+ "showModalButton": "True",
+ "directLink": null
+ }
+ },
+ "text": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "status": {
+ "keyName": [
+
+ ],
+ "message": "",
+ "defaultMessage": null
+ },
+ "properties": {
+ "resourceName": null,
+ "resourceId": null,
+ "resourceType": null
+ },
+ "onlyStatus": false
+ }
+ },
+ "idSuffix": "azure_lack_of_bastion_hosts",
+ "notes": [
+
+ ],
+ "categories": [
+
+ ]
+}
+
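Review bot: The `remediation.text` value spans raw line breaks from `"text": "` through the closing `",` (the lines listing steps 1–18), which RFC 8259 forbids inside a string; the sibling rules in this diff encode the same kind of text with `\r\n\t\t` escapes (compare the `- "text": "###### From Azure Console\r\n…"` lines of the deleted log-profile rule), so unless the loader is deliberately lenient this file will not parse. Separately, `"path": ""` with an empty `"query": []` means the rule carries no detection logic at all while claiming CIS 3.0 8.1 coverage in `compliance` — a consumer reading the report will assume the Bastion check runs when it cannot; if this is a placeholder, say so in `notes` (e.g. `"TODO: detection not implemented — rule never fires"`) or mark the rule disabled until a collector path exists. Also `"showGoToButton": "True"` / `"showModalButton": "True"` are strings where the other rules use the boolean `false` or `null`; a consumer that tests truthiness will treat `"False"` the same as `"True"`, so use `true`. Minor: `Selct` in step 10 should read `Select`.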
diff --git a/rules/findings/Azure/Databases/CosmosDB/CIS3.0/azure-cosmosdb-all-networks-enabled.json b/rules/findings/Azure/Databases/CosmosDB/CIS3.0/azure-cosmosdb-all-networks-enabled.json
new file mode 100644
index 00000000..134206ba
--- /dev/null
+++ b/rules/findings/Azure/Databases/CosmosDB/CIS3.0/azure-cosmosdb-all-networks-enabled.json
@@ -0,0 +1,121 @@
+{
+ "args": [
+
+ ],
+ "provider": "Azure",
+ "serviceType": "CosmosDB",
+ "serviceName": "Databases",
+ "displayName": "Ensure That 'Firewalls & Networks' Is Limited to Use Selected Networks Instead of All Networks",
+ "description": "Limiting your Cosmos DB to only communicate on whitelisted networks lowers its attack footprint.",
+ "rationale": "Selecting certain networks for your Cosmos DB to communicate restricts the number of networks including the internet that can interact with what is stored within the database.",
+ "impact": "
+ *WARNING* : Failure to whitelist the correct networks will result in a connection loss.
+ *WARNING* : Changes to Cosmos DB firewalls may take up to 15 minutes to apply. Ensure that sufficient time is planned for remediation or changes to avoid disruption.
+ ",
+ "remediation": {
+ "text": "
+ ###### Remediate from Azure Portal
+ 1. Open the portal menu.
+ 2. Select the Azure Cosmos DB blade.
+ 3. Select a Cosmos DB account to audit.
+ 4. Select Networking.
+ 5. Under Public network access, select Selected networks.
+ 6. Under Virtual networks, select + Add existing virtual network or + Add a new virtual network.
+ 7. For existing networks, select subscription, virtual network, subnet and click Add. For new networks, provide a name, update the default values if required, and click Create.
+ 8. Click Save.
+ ",
+ "code": {
+ "powerShell": null,
+ "iac": null,
+ "terraform": null,
+ "other": null
+ }
+ },
+ "recommendation": null,
+ "references": [
+ "https://docs.microsoft.com/en-us/azure/cosmos-db/how-to-configure-private-endpoints",
+ "https://docs.microsoft.com/en-us/azure/cosmos-db/how-to-configure-vnet-service-endpoint",
+ "https://docs.microsoft.com/en-us/cli/azure/cosmosdb?view=azure-cli-latest#az-cosmosdb-show",
+ "https://docs.microsoft.com/en-us/cli/azure/cosmosdb/database?view=azure-cli-latest#az-cosmosdb-database-list",
+ "https://docs.microsoft.com/en-us/powershell/module/az.cosmosdb/?view=azps-8.1.0",
+ "https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-network-security#ns-2-secure-cloud-native-services-with-network-controls"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "3.0.0",
+ "reference": "5.4.1",
+ "profile": "Level 2"
+ }
+ ],
+ "level": "medium",
+ "tags": [
+
+ ],
+ "rule": {
+ "path": "",
+ "subPath": null,
+ "selectCondition": {
+
+ },
+ "query": [
+ ],
+ "shouldExist": null,
+ "returnObject": null,
+ "removeIfNotExists": null
+ },
+ "output": {
+ "html": {
+ "data": {
+ "expandObject": null
+ },
+ "table": "asList",
+ "decorate": [
+
+ ],
+ "emphasis": [
+ ],
+ "actions": {
+ "objectData": {
+ "properties": [
+
+ ],
+ "expandObject": null,
+ "limit": null
+ },
+ "showGoToButton": null,
+ "showModalButton": null,
+ "directLink": null
+ }
+ },
+ "text": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "status": {
+ "keyName": [
+
+ ],
+ "message": "",
+ "defaultMessage": null
+ },
+ "properties": {
+ "resourceName": null,
+ "resourceId": null,
+ "resourceType": null
+ },
+ "onlyStatus": false
+ }
+ },
+ "idSuffix": "cosmosdb_all_networks_enabled",
+ "notes": [
+
+ ],
+ "categories": [
+
+ ]
+}
+
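Review bot: Both `"impact"` and `"remediation.text"` contain literal newlines inside the string value (the `*WARNING*` lines and the numbered portal steps), which a strict JSON parser rejects; encode them as `\r\n` like the renamed rules in this changeset do. The rule body is also empty — `"path": ""` and `"query": []` — so nothing will ever be flagged for CIS 3.0 5.4.1 even though the file advertises that reference; presumably the intended condition is the account's public-network-access setting being open to all networks, so either add that query against the Cosmos DB collector path or record in `notes` that detection is not yet implemented. Note the `"table": "asList"` here differs from the `"Normal"` used by the other new Cosmos DB rules; pick one for the group.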
diff --git a/rules/findings/Azure/Databases/CosmosDB/CIS3.0/azure-cosmosdb-entraid-authentication-and-rbac-disabled.json b/rules/findings/Azure/Databases/CosmosDB/CIS3.0/azure-cosmosdb-entraid-authentication-and-rbac-disabled.json
new file mode 100644
index 00000000..4336a39a
--- /dev/null
+++ b/rules/findings/Azure/Databases/CosmosDB/CIS3.0/azure-cosmosdb-entraid-authentication-and-rbac-disabled.json
@@ -0,0 +1,101 @@
+{
+ "args": [
+
+ ],
+ "provider": "Azure",
+ "serviceType": "CosmosDB",
+ "serviceName": "Databases",
+ "displayName": "Use Entra ID Client Authentication and Azure RBAC where possible",
+ "description": "Cosmos DB can use tokens or Entra ID for client authentication which in turn will use Azure RBAC for authorization. Using Entra ID is significantly more secure because Entra ID handles the credentials and allows for MFA and centralized management, and the Azure RBAC is better integrated with the rest of Azure.",
+ "rationale": "Entra ID client authentication is considerably more secure than token-based authentication because the tokens must be persistent at the client. Entra ID does not require this.",
+ "impact": "",
+ "remediation": {
+ "text": "",
+ "code": {
+ "powerShell": null,
+ "iac": null,
+ "terraform": null,
+ "other": null
+ }
+ },
+ "recommendation": null,
+ "references": [
+ "https://learn.microsoft.com/en-us/azure/cosmos-db/nosql/security/how-to-grant-control-plane-role-based-access?tabs=built-in-definition%2Ccsharp&pivots=azure-interface-cli"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "3.0.0",
+ "reference": "5.4.3",
+ "profile": "Level 1"
+ }
+ ],
+ "level": "medium",
+ "tags": [
+
+ ],
+ "rule": {
+ "path": "",
+ "subPath": null,
+ "selectCondition": {
+
+ },
+ "query": [
+ ],
+ "shouldExist": null,
+ "returnObject": null,
+ "removeIfNotExists": null
+ },
+ "output": {
+ "html": {
+ "data": {
+ "expandObject": null
+ },
+ "table": "Normal",
+ "decorate": [
+
+ ],
+ "emphasis": [
+
+ ],
+ "actions": {
+ "objectData": {
+ "expandObject": null,
+ "limit": null
+ },
+ "showGoToButton": "True",
+ "showModalButton": "True",
+ "directLink": null
+ }
+ },
+ "text": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "status": {
+ "keyName": [
+
+ ],
+ "message": "",
+ "defaultMessage": null
+ },
+ "properties": {
+ "resourceName": null,
+ "resourceId": null,
+ "resourceType": null
+ },
+ "onlyStatus": false
+ }
+ },
+ "idSuffix": "cosmosdb_entraid_authentication_and_rbac_disabled",
+ "notes": [
+
+ ],
+ "categories": [
+
+ ]
+}
+
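Review bot: This rule ships with `"impact": ""`, `"remediation": { "text": "" … }` and an empty `"query": []` on `"path": ""`, so it neither detects anything nor tells the reader how to fix it; a finding for CIS 3.0 5.4.3 that can never fire is worse than an absent one because it reads as covered. At minimum, fill `remediation.text` with the steps that disable key/token-based (local) authentication on the account and add the matching query — presumably keyed on the account's local-authentication property, which I cannot see in this diff and which should be verified against the collector's schema. The `"showGoToButton": "True"` / `"showModalButton": "True"` strings should be the boolean `true`, consistent with the `false` used by the renamed rules.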
diff --git a/rules/findings/Azure/Databases/CosmosDB/CIS3.0/azure-cosmosdb-private-endpoints-disabled.json b/rules/findings/Azure/Databases/CosmosDB/CIS3.0/azure-cosmosdb-private-endpoints-disabled.json
new file mode 100644
index 00000000..0a9d0afb
--- /dev/null
+++ b/rules/findings/Azure/Databases/CosmosDB/CIS3.0/azure-cosmosdb-private-endpoints-disabled.json
@@ -0,0 +1,125 @@
+{
+ "args": [
+
+ ],
+ "provider": "Azure",
+ "serviceType": "CosmosDB",
+ "serviceName": "Databases",
+ "displayName": "Ensure That Private Endpoints Are Used Where Possible",
+ "description": "Private endpoints limit network traffic to approved sources.",
+ "rationale": "For sensitive data, private endpoints allow granular control of which services can communicate with Cosmos DB and ensure that this network traffic is private. You set this up on a case by case basis for each service you wish to be connected.",
+ "impact": "Only whitelisted services will have access to communicate with the Cosmos DB.",
+ "remediation": {
+ "text": "
+ ###### Remediate from Azure Portal
+ 1. Open the portal menu.
+ 2. Select the Azure Cosmos DB blade.
+ 3. Select the Azure Cosmos DB account.
+ 4. Select Networking.
+ 5. Select Private access.
+ 6. Click + Private Endpoint.
+ 7. Provide a Name.
+ 8. Click Next.
+ 9. From the Resource type drop down, select Microsoft.AzureCosmosDB/databaseAccounts.
+ 10. From the Resource drop down, select the Cosmos DB account.
+ 11. Click Next.
+ 12. Provide appropriate Virtual Network details.
+ 13. Click Next.
+ 14. Provide appropriate DNS details.
+ 15. Click Next.
+ 16. Optionally provide Tags.
+ 17. Click Next : Review + create.
+ 18. Click Create.
+ ",
+ "code": {
+ "powerShell": null,
+ "iac": null,
+ "terraform": null,
+ "other": null
+ }
+ },
+ "recommendation": null,
+ "references": [
+ "https://docs.microsoft.com/en-us/azure/cosmos-db/how-to-configure-private-endpoints",
+ "https://docs.microsoft.com/en-us/azure/private-link/tutorial-private-endpoint-cosmosdb-portal",
+ "https://docs.microsoft.com/en-us/cli/azure/cosmosdb/private-endpoint-connection?view=azure-cli-latest",
+ "https://docs.microsoft.com/en-us/cli/azure/network/private-endpoint?view=azure-cli-latest#az-network-private-endpoint-create",
+ "https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-network-security#ns-2-secure-cloud-native-services-with-network-controls"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "3.0.0",
+ "reference": "5.4.2",
+ "profile": "Level 2"
+ }
+ ],
+ "level": "medium",
+ "tags": [
+
+ ],
+ "rule": {
+ "path": "",
+ "subPath": null,
+ "selectCondition": {
+
+ },
+ "query": [
+ ],
+ "shouldExist": null,
+ "returnObject": null,
+ "removeIfNotExists": null
+ },
+ "output": {
+ "html": {
+ "data": {
+ "expandObject": null
+ },
+ "table": "Normal",
+ "decorate": [
+
+ ],
+ "emphasis": [
+
+ ],
+ "actions": {
+ "objectData": {
+ "expandObject": null,
+ "limit": null
+ },
+ "showGoToButton": "True",
+ "showModalButton": "True",
+ "directLink": null
+ }
+ },
+ "text": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "status": {
+ "keyName": [
+
+ ],
+ "message": "",
+ "defaultMessage": null
+ },
+ "properties": {
+ "resourceName": null,
+ "resourceId": null,
+ "resourceType": null
+ },
+ "onlyStatus": false
+ }
+ },
+ "idSuffix": "cosmosdb_private_endpoints_disabled",
+ "notes": [
+
+ ],
+ "categories": [
+
+ ]
+}
+
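Review bot: The `"remediation.text"` string again contains raw newlines (steps 1–18), which strict JSON parsing rejects; use `\r\n` escapes as the existing rules do. As with the other new Cosmos DB rules, `"path": ""` and `"query": []` leave the check unimplemented while `compliance` claims CIS 3.0 5.4.2, so add the query (presumably: account has no private endpoint connection) or note the gap explicitly. `"showGoToButton": "True"` and `"showModalButton": "True"` should be booleans.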
diff --git a/rules/findings/Azure/Databases/MySQL/CIS1.5/azure-mysql-audit-log-events-parameter-disabled.json b/rules/findings/Azure/Databases/MySQL Databases/CIS3.0/azure-mysql-audit-log-connection-events-parameter-disabled.json
similarity index 51%
rename from rules/findings/Azure/Databases/MySQL/CIS1.5/azure-mysql-audit-log-events-parameter-disabled.json
rename to rules/findings/Azure/Databases/MySQL Databases/CIS3.0/azure-mysql-audit-log-connection-events-parameter-disabled.json
index 877e0c94..59914417 100644
--- a/rules/findings/Azure/Databases/MySQL/CIS1.5/azure-mysql-audit-log-events-parameter-disabled.json
+++ b/rules/findings/Azure/Databases/MySQL Databases/CIS3.0/azure-mysql-audit-log-connection-events-parameter-disabled.json
@@ -1,14 +1,14 @@
-{
+{
"args": [
],
"provider": "Azure",
"serviceType": "MySQL Configuration",
"serviceName": "Database Configuration",
- "displayName": "Ensure server parameter \u0027audit_log_events\u0027 has \u0027CONNECTION\u0027 set for MySQL Database Server",
- "description": "Enabling CONNECTION helps MySQL Database to log items such as successful and failed connection attempts to the server. Log data can be used to identify, troubleshoot, and repair configuration errors and suboptimal performance.",
- "rationale": null,
- "impact": null,
+ "displayName": "Ensure server parameter 'audit_log_events' has 'CONNECTION' set for MySQL flexible server",
+ "description": "Set `audit_log_events` to include `CONNECTION` on `MySQL flexible servers`.",
+ "rationale": "Enabling CONNECTION helps MySQL Database to log items such as successful and failed connection attempts to the server. Log data can be used to identify, troubleshoot, and repair configuration errors and suboptimal performance.",
+ "impact": "There are further costs incurred for storage of logs. For high traffic databases these logs will be significant. Determine your organization's needs before enabling.",
"remediation": {
"text": null,
"code": {
@@ -20,13 +20,17 @@
},
"recommendation": null,
"references": [
- "https://docs.microsoft.com/en-us/rest/api/postgresql/configurations/listbyserver"
+ "https://learn.microsoft.com/en-us/azure/mysql/flexible-server/concepts-audit-logs",
+ "https://learn.microsoft.com/en-us/azure/mysql/flexible-server/tutorial-configure-audit",
+ "https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-logging-threat-detection#lt-3-enable-logging-for-security-investigation",
+ "https://learn.microsoft.com/en-us/azure/mysql/flexible-server/tutorial-configure-audit#configure-auditing-by-using-the-azure-cli"
],
"compliance": [
{
"name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "4.3.3"
+ "version": "3.0.0",
+ "reference": "5.3.4",
+ "profile": "Level 2"
}
],
"level": "medium",
@@ -34,31 +38,12 @@
],
"rule": {
- "path": "az_mysql_servers",
+ "path": "",
"subPath": null,
"selectCondition": {
},
"query": [
- {
- "filter": [
- {
- "conditions": [
- [
- "parameterName",
- "eq",
- "audit_log_events"
- ],
- [
- "parameterValue",
- "notcontains",
- "CONNECTION"
- ]
- ],
- "operator": "and"
- }
- ]
- }
],
"shouldExist": null,
"returnObject": null,
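Review bot: This hunk deletes the only detection logic the rule had — the `audit_log_events` / `notcontains CONNECTION` filter on `az_mysql_servers` — and replaces `path` with `""`, so the renamed rule can no longer produce a finding even though its `compliance` block now claims CIS 3.0 5.3.4. If the intent is to re-target flexible servers (the new `displayName` says so), the query should be restored against the flexible-server parameter collection, keeping the `notcontains` check on the parameter's value, e.g. `["parameterName", "eq", "audit_log_events"], ["parameterValue", "notcontains", "CONNECTION"]`; the correct `path` for flexible servers is not visible in this diff and should be confirmed against the collector. Until then, this is a silent coverage regression, not a migration.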
@@ -67,13 +52,6 @@
"output": {
"html": {
"data": {
- "properties": {
- "serverName": "Name",
- "parameterName": "Parameter Name",
- "parameterDescription": "Description",
- "parameterValue": "value",
- "parameterDefaultValue": "Default value"
- },
"expandObject": null
},
"table": "asList",
@@ -81,15 +59,18 @@
],
"emphasis": [
- "Value"
],
"actions": {
"objectData": {
- "expand": null,
+ "properties": [
+
+ ],
+ "expandObject": null,
"limit": null
},
"showGoToButton": null,
- "showModalButton": null
+ "showModalButton": null,
+ "directLink": null
}
},
"text": {
@@ -122,3 +103,4 @@
]
}
+
diff --git a/rules/findings/Azure/Databases/SQL Server/CIS1.4/azure-sql-fw-allow-all.json b/rules/findings/Azure/Databases/MySQL Databases/CIS3.0/azure-mysql-audit-log-disabled.json
similarity index 51%
rename from rules/findings/Azure/Databases/SQL Server/CIS1.4/azure-sql-fw-allow-all.json
rename to rules/findings/Azure/Databases/MySQL Databases/CIS3.0/azure-mysql-audit-log-disabled.json
index 246eb35b..3df54f33 100644
--- a/rules/findings/Azure/Databases/SQL Server/CIS1.4/azure-sql-fw-allow-all.json
+++ b/rules/findings/Azure/Databases/MySQL Databases/CIS3.0/azure-mysql-audit-log-disabled.json
@@ -1,14 +1,14 @@
-{
+{
"args": [
],
"provider": "Azure",
- "serviceType": "Azure SQL Firewall",
- "serviceName": "Network",
- "displayName": "_ARG_0_ allow ingress from _ARG_1_ to _ARG_2_",
- "description": "_ARG_3_",
- "rationale": null,
- "impact": null,
+ "serviceType": "MySQL Server",
+ "serviceName": "Databases",
+ "displayName": "Ensure server parameter 'audit_log_enabled' is set to 'ON' for MySQL flexible server",
+ "description": "Enable `audit_log_enabled` on `MySQL flexible servers`.",
+ "rationale": "Enabling `audit_log_enabled` helps MySQL Database to log items such as connection attempts to the server, DDL/DML access, and more. Log data can be used to identify, troubleshoot, and repair configuration errors and suboptimal performance.",
+ "impact": "There are further costs incurred for storage of logs. For high traffic databases these logs will be significant. Determine your organization's needs before enabling.",
"remediation": {
"text": null,
"code": {
@@ -20,13 +20,16 @@
},
"recommendation": null,
"references": [
- "https://docs.microsoft.com/en-us/azure/sql-database/sql-database-firewall-configure"
+ "https://learn.microsoft.com/en-us/azure/mysql/flexible-server/tutorial-configure-audit",
+ "https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-logging-threat-detection#lt-3-enable-logging-for-security-investigation",
+ "https://learn.microsoft.com/en-us/azure/mysql/flexible-server/tutorial-configure-audit#configure-auditing-by-using-the-azure-cli"
],
"compliance": [
{
"name": "CIS Microsoft Azure Foundations",
- "version": "_ARG_4_",
- "reference": "_ARG_5_"
+ "version": "3.0.0",
+ "reference": "5.3.3",
+ "profile": "Level 2"
}
],
"level": "medium",
@@ -34,31 +37,12 @@
],
"rule": {
- "path": "az_sql_servers",
+ "path": "",
"subPath": null,
"selectCondition": {
},
"query": [
- {
- "filter": [
- {
- "conditions": [
- [
- "fwRules.StartIpAddress",
- "eq",
- "_ARG_1_"
- ],
- [
- "fwRules.EndIpAddress",
- "eq",
- "_ARG_2_"
- ]
- ],
- "operator": "and"
- }
- ]
- }
],
"shouldExist": null,
"returnObject": null,
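Review bot: Repurposing `azure-sql-fw-allow-all.json` into a MySQL audit rule removes the `az_sql_servers` firewall-rule query (`fwRules.StartIpAddress` / `fwRules.EndIpAddress` matched against `_ARG_1_` / `_ARG_2_`), and I do not see a replacement for that SQL Server check elsewhere in this diff — if one does not exist, detection of permissive SQL firewall rules is lost. The new rule also has no query of its own (`"path": ""`, `"query": []`), so the audit-log check it now claims (CIS 3.0 5.3.3) cannot fire either; the deleted `azure-mysql-audit-log-parameter-disabled.json` at least had a filter on `audit_log_enabled`, and a corrected version of it (`["parameterValue", "eq", "off"]`, not the old `ne off`, which inverted the condition) belongs here.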
@@ -81,13 +65,15 @@
],
"actions": {
"objectData": {
- "expand": [
+ "properties": [
"*"
],
+ "expandObject": null,
"limit": null
},
"showGoToButton": false,
- "showModalButton": false
+ "showModalButton": false,
+ "directLink": null
}
},
"text": {
@@ -112,7 +98,7 @@
"onlyStatus": false
}
},
- "idSuffix": "azure_sql_fw_rule_enabled",
+ "idSuffix": "mysql_audit_log_not_configured",
"notes": [
],
@@ -120,3 +106,4 @@
]
}
+
diff --git a/rules/findings/Azure/Databases/MySQL/CIS1.4/azure-mysql-latest-tls-version-disabled.json b/rules/findings/Azure/Databases/MySQL Databases/CIS3.0/azure-mysql-latest-tls-version-disabled.json
similarity index 69%
rename from rules/findings/Azure/Databases/MySQL/CIS1.4/azure-mysql-latest-tls-version-disabled.json
rename to rules/findings/Azure/Databases/MySQL Databases/CIS3.0/azure-mysql-latest-tls-version-disabled.json
index bfc3e0a0..3d09d0eb 100644
--- a/rules/findings/Azure/Databases/MySQL/CIS1.4/azure-mysql-latest-tls-version-disabled.json
+++ b/rules/findings/Azure/Databases/MySQL Databases/CIS3.0/azure-mysql-latest-tls-version-disabled.json
@@ -1,12 +1,12 @@
-{
+{
"args": [
],
"provider": "Azure",
"serviceType": "MySQL Server",
"serviceName": "Databases",
- "displayName": "Ensure TLS Version is set to TLSV1.2 for MySQL Database Server",
- "description": "Ensure TLS version on MySQL flexible servers is set to the default value.",
+ "displayName": "Ensure server parameter 'tls_version' is set to 'TLSv1.2' (or higher) for MySQL flexible server",
+ "description": "Ensure tls_version on MySQL flexible servers is set to use TLS version 1.2 or higher.",
"rationale": "TLS connectivity helps to provide a new layer of security, by connecting database server to client applications using Transport Layer Security (TLS). Enforcing TLS connections between database server and client applications helps protect against \"man in the middle.\" attacks by encrypting the data stream between the server and application.",
"impact": null,
"remediation": {
@@ -20,13 +20,16 @@
},
"recommendation": null,
"references": [
- "https://docs.microsoft.com/en-us/azure/mysql/howto-configure-ssl"
+ "https://learn.microsoft.com/en-us/azure/mysql/flexible-server/concepts-networking#tls-and-ssl",
+ "https://learn.microsoft.com/en-us/azure/mysql/flexible-server/how-to-connect-tls-ssl",
+ "https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-data-protection#dp-3-encrypt-sensitive-data-in-transit"
],
"compliance": [
{
"name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "4.4.2"
+ "version": "3.0.0",
+ "reference": "5.3.2",
+ "profile": "Level 1"
}
],
"level": "medium",
@@ -34,25 +37,12 @@
],
"rule": {
- "path": "az_mysql_servers",
+ "path": "",
"subPath": null,
"selectCondition": {
},
"query": [
- {
- "filter": [
- {
- "conditions": [
- [
- "properties.minimalTlsVersion",
- "ne",
- "TLSV1.2"
- ]
- ]
- }
- ]
- }
],
"shouldExist": null,
"returnObject": null,
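Review bot: The rule's only condition (`properties.minimalTlsVersion ne TLSV1.2`) is removed and `path` becomes `""`, so the check is now inert despite claiming CIS 3.0 5.3.2. When it is restored for flexible servers, do not bring the `ne` comparison back verbatim: the new `displayName` says "TLSv1.2 (or higher)", and an equality test would flag a server set to TLS 1.3 as non-compliant. The flexible-server setting is the `tls_version` server parameter named in the title rather than the `minimalTlsVersion` property of the old single-server resource, so the restored query should match on that parameter and accept any value at or above 1.2.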
@@ -75,13 +65,15 @@
],
"actions": {
"objectData": {
- "expand": [
+ "properties": [
"*"
],
+ "expandObject": null,
"limit": null
},
"showGoToButton": false,
- "showModalButton": false
+ "showModalButton": false,
+ "directLink": null
}
},
"text": {
@@ -106,7 +98,7 @@
"onlyStatus": false
}
},
- "idSuffix": "mysql_tls_last_version_disabled",
+ "idSuffix": "mysql_old_tls_version_configured",
"notes": [
],
@@ -114,3 +106,4 @@
]
}
+
diff --git a/rules/findings/Azure/Databases/MySQL/CIS1.4/azure-mysql-enforcessl-disabled.json b/rules/findings/Azure/Databases/MySQL Databases/CIS3.0/azure-mysql-secure-transport-disabled.json
similarity index 52%
rename from rules/findings/Azure/Databases/MySQL/CIS1.4/azure-mysql-enforcessl-disabled.json
rename to rules/findings/Azure/Databases/MySQL Databases/CIS3.0/azure-mysql-secure-transport-disabled.json
index 69ad29b7..962769aa 100644
--- a/rules/findings/Azure/Databases/MySQL/CIS1.4/azure-mysql-enforcessl-disabled.json
+++ b/rules/findings/Azure/Databases/MySQL Databases/CIS3.0/azure-mysql-secure-transport-disabled.json
@@ -1,13 +1,13 @@
-{
+{
"args": [
],
"provider": "Azure",
"serviceType": "MySQL Server",
"serviceName": "Databases",
- "displayName": "Enable SSL connection on MYSQL Servers",
- "description": "SSL connectivity helps to provide a new layer of security, by connecting database server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between database server and client applications helps protect against \"man in the middle\" attacks by encrypting the data stream between the server and application.",
- "rationale": null,
+ "displayName": "Ensure server parameter 'require_secure_transport' is set to 'ON' for MySQL flexible server",
+ "description": "Enable `require_secure_transport` on `MySQL flexible servers`.",
+ "rationale": '`SSL connectivity` helps to provide a new layer of security by connecting database server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between database server and client applications helps protect against "man in the middle" attacks by encrypting the data stream between the server and application.',
"impact": null,
"remediation": {
"text": null,
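Review bot: The new `"rationale"` value is delimited with single quotes (`'`SSL connectivity` helps …'`), which is not valid JSON — strings must use double quotes, with the embedded `"man in the middle"` escaped as `\"` exactly as the removed line did. A strict parser will reject the whole file, taking the CIS 3.0 5.3.1 check with it. Also the rationale still speaks of SSL while the control is `require_secure_transport`, which enforces TLS; a one-word fix (`TLS connectivity`) keeps the text accurate.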
@@ -20,13 +20,15 @@
},
"recommendation": null,
"references": [
- "https://docs.microsoft.com/en-us/azure/mysql/howto-configure-ssl"
+ "https://learn.microsoft.com/en-us/azure/mysql/flexible-server/concepts-networking#tls-and-ssl",
+ "https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-data-protection#dp-3-encrypt-sensitive-data-in-transit"
],
"compliance": [
{
"name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "4.4.1"
+ "version": "3.0.0",
+ "reference": "5.3.1",
+ "profile": "Level 1"
}
],
"level": "medium",
@@ -34,25 +36,12 @@
],
"rule": {
- "path": "az_mysql_servers",
+ "path": "",
"subPath": null,
"selectCondition": {
},
"query": [
- {
- "filter": [
- {
- "conditions": [
- [
- "properties.sslEnforcement",
- "eq",
- "Disabled"
- ]
- ]
- }
- ]
- }
],
"shouldExist": null,
"returnObject": null,
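Review bot: Dropping the `properties.sslEnforcement eq Disabled` filter and setting `"path": ""` leaves the rule with no way to evaluate `require_secure_transport`, so the renamed check cannot produce findings; the single-server property was the wrong key for flexible servers, but it should be replaced with a parameter query (`["parameterName", "eq", "require_secure_transport"], ["parameterValue", "eq", "OFF"]`) rather than removed. The exact collector path for flexible-server parameters is outside this diff and should be confirmed before the query is restored.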
@@ -61,14 +50,6 @@
"output": {
"html": {
"data": {
- "properties": {
- "name": "Name",
- "location": "Location",
- "resourceGroupName": "Resource group name",
- "fqdn": "FQDN",
- "properties.sslEnforcement": "SSL Enforcement",
- "properties.version": "MySQL version"
- },
"expandObject": null
},
"table": "asList",
@@ -76,15 +57,18 @@
],
"emphasis": [
- "SSL Enforcement"
],
"actions": {
"objectData": {
- "expand": null,
+ "properties": [
+
+ ],
+ "expandObject": null,
"limit": null
},
"showGoToButton": null,
- "showModalButton": null
+ "showModalButton": null,
+ "directLink": null
}
},
"text": {
@@ -109,7 +93,7 @@
"onlyStatus": false
}
},
- "idSuffix": "mysql_enforcessl_disabled",
+ "idSuffix": "mysql_flexible_server_secure_transport_disabled",
"notes": [
],
@@ -117,3 +101,4 @@
]
}
+
diff --git a/rules/findings/Azure/Databases/MySQL/CIS1.5/azure-mysql-audit-log-parameter-disabled.json b/rules/findings/Azure/Databases/MySQL/CIS1.5/azure-mysql-audit-log-parameter-disabled.json
deleted file mode 100644
index 428c6de3..00000000
--- a/rules/findings/Azure/Databases/MySQL/CIS1.5/azure-mysql-audit-log-parameter-disabled.json
+++ /dev/null
@@ -1,124 +0,0 @@
-{
- "args": [
-
- ],
- "provider": "Azure",
- "serviceType": "MySQL Configuration",
- "serviceName": "Database Configuration",
- "displayName": "Ensure server parameter \u0027audit_log_enabled\u0027 is set to \u0027ON\u0027 for MySQL Database Server",
- "description": "Enable audit_log_enabled on MySQL Servers.",
- "rationale": "Enabling audit_log_enabled helps MySQL Database to log items such as connection attempts to the server, DDL/DML access, and more. Log data can be used to identify, troubleshoot, and repair configuration errors and suboptimal performance.",
- "impact": "There are further costs incurred for storage of logs. For high traffic databases these logs will be significant. Determine your organization\u0027s needs before enabling.",
- "remediation": {
- "text": null,
- "code": {
- "powerShell": null,
- "iac": null,
- "terraform": null,
- "other": null
- }
- },
- "recommendation": null,
- "references": [
- "https://docs.microsoft.com/en-us/rest/api/postgresql/configurations/listbyserver"
- ],
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.5.0",
- "reference": "4.4.3"
- }
- ],
- "level": "medium",
- "tags": [
-
- ],
- "rule": {
- "path": "az_mysql_servers",
- "subPath": null,
- "selectCondition": {
-
- },
- "query": [
- {
- "filter": [
- {
- "conditions": [
- [
- "parameterName",
- "eq",
- "audit_log_enabled"
- ],
- [
- "parameterValue",
- "ne",
- "off"
- ]
- ],
- "operator": "and"
- }
- ]
- }
- ],
- "shouldExist": null,
- "returnObject": null,
- "removeIfNotExists": null
- },
- "output": {
- "html": {
- "data": {
- "properties": {
- "serverName": "Name",
- "parameterName": "Parameter Name",
- "parameterDescription": "Description",
- "parameterValue": "value",
- "parameterDefaultValue": "Default value"
- },
- "expandObject": null
- },
- "table": "asList",
- "decorate": [
-
- ],
- "emphasis": [
- "Value"
- ],
- "actions": {
- "objectData": {
- "expand": null,
- "limit": null
- },
- "showGoToButton": null,
- "showModalButton": null
- }
- },
- "text": {
- "data": {
- "properties": {
-
- },
- "expandObject": null
- },
- "status": {
- "keyName": [
-
- ],
- "message": "",
- "defaultMessage": null
- },
- "properties": {
- "resourceName": null,
- "resourceId": null,
- "resourceType": null
- },
- "onlyStatus": false
- }
- },
- "idSuffix": "mysql_audit_log_disabled",
- "notes": [
-
- ],
- "categories": [
-
- ]
-}
diff --git a/rules/findings/Azure/Databases/PostgreSQL/CIS1.4/azure-postgresql-allow-access-azure-services-enabled.json b/rules/findings/Azure/Databases/PostgreSQL Databases/CIS3.0/azure-postgresql-allow-access-azure-services-enabled.json
similarity index 91%
rename from rules/findings/Azure/Databases/PostgreSQL/CIS1.4/azure-postgresql-allow-access-azure-services-enabled.json
rename to rules/findings/Azure/Databases/PostgreSQL Databases/CIS3.0/azure-postgresql-allow-access-azure-services-enabled.json
index dc3337b0..62266056 100644
--- a/rules/findings/Azure/Databases/PostgreSQL/CIS1.4/azure-postgresql-allow-access-azure-services-enabled.json
+++ b/rules/findings/Azure/Databases/PostgreSQL Databases/CIS3.0/azure-postgresql-allow-access-azure-services-enabled.json
@@ -1,11 +1,11 @@
-{
+{
"args": [
],
"provider": "Azure",
"serviceType": "PostgreSQL Server",
"serviceName": "Databases",
- "displayName": "Ensure \u0027Allow access to Azure services\u0027 for PostgreSQL Database Server is disabled",
+ "displayName": "Ensure 'Allow public access from any Azure service within Azure to this server' for PostgreSQL flexible server is disabled",
"description": "Disable access from Azure services to PostgreSQL Database Server.",
"rationale": "If access from Azure services is enabled, the server\u0027s firewall will accept connections from all Azure resources, including resources not in your subscription. This is usually not a desired configuration. Instead, setup firewall rules to allow access from specific network ranges or VNET rules to allow access from specific virtual networks.",
"impact": null,
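Review bot: The new `displayName` in this hunk now targets "PostgreSQL flexible server", but the unchanged `serviceType` ("PostgreSQL Server"), `description` ("PostgreSQL Database Server") and `rationale` still describe the single-server firewall setting, and the `rule` block that decides what is actually queried lies outside this hunk. With a 91% similarity index the query is presumably unchanged, so the title may promise a flexible-server check that the rule does not perform; confirm that the data path covers flexible servers, or keep the title aligned with what is evaluated. At minimum the description should agree with the title, e.g. `"description": "Disable access from Azure services to PostgreSQL flexible servers.",`. The enclosing JSON object continues past the end of the hunk.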
@@ -29,8 +29,9 @@
"compliance": [
{
"name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "4.3.7"
+ "version": "3.0.0",
+ "reference": "5.2.5",
+ "profile": "Level 1"
}
],
"level": "medium",
@@ -90,13 +91,15 @@
],
"actions": {
"objectData": {
- "expand": [
+ "properties": [
"*"
],
+ "expandObject": null,
"limit": null
},
"showGoToButton": false,
- "showModalButton": false
+ "showModalButton": false,
+ "directLink": null
}
},
"text": {
@@ -129,3 +132,4 @@
]
}
+
diff --git a/rules/findings/Azure/Databases/PostgreSQL Databases/CIS3.0/azure-postgresql-connection-throttling-disabled.json b/rules/findings/Azure/Databases/PostgreSQL Databases/CIS3.0/azure-postgresql-connection-throttling-disabled.json
new file mode 100644
index 00000000..97cf1f79
--- /dev/null
+++ b/rules/findings/Azure/Databases/PostgreSQL Databases/CIS3.0/azure-postgresql-connection-throttling-disabled.json
@@ -0,0 +1,108 @@
+{
+ "args": [
+
+ ],
+ "provider": "Azure",
+ "serviceType": "PostgreSQL Configuration",
+ "serviceName": "Database Configuration",
+ "displayName": "Ensure server parameter 'connection_throttle.enable' is set to 'ON' for PostgreSQL flexible server",
+ "description": "Enable connection throttling on `PostgreSQL flexible servers`.",
+ "rationale": "Enabling connection throttling helps the PostgreSQL Database to Set the verbosity of logged messages. This in turn generates query and error logs with respect to concurrent connections that could lead to a successful Denial of Service (DoS) attack by exhausting connection resources. A system can also fail or be degraded by an overload of legitimate users. Query and error logs can be used to identify, troubleshoot, and repair configuration errors and sub-optimal performance.",
+ "impact": null,
+ "remediation": {
+ "text": null,
+ "code": {
+ "powerShell": null,
+ "iac": null,
+ "terraform": null,
+ "other": null
+ }
+ },
+ "recommendation": null,
+ "references": [
+ "https://learn.microsoft.com/en-us/rest/api/postgresql/flexibleserver/configurations/list-by-server",
+ "https://learn.microsoft.com/en-us/azure/postgresql/flexible-server/how-to-configure-server-parameters-using-portal",
+ "https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-logging-threat-detection#lt-3-enable-logging-for-security-investigation",
+ "https://learn.microsoft.com/en-us/azure/postgresql/flexible-server/concepts-logging#configure-logging",
+ "https://learn.microsoft.com/en-us/powershell/module/az.postgresql/get-azpostgresqlflexibleserverconfiguration?view=azps-12.2.0#example-1-get-specified-postgresql-configuration-by-name",
+ "https://learn.microsoft.com/en-us/powershell/module/az.postgresql/update-azpostgresqlflexibleserverconfiguration?view=azps-12.2.0#example-1-updatae-specified-postgresql-configuration-by-name"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "3.0.0",
+ "reference": "5.2.3",
+ "profile": "Level 1"
+ }
+ ],
+ "level": "medium",
+ "tags": [
+
+ ],
+ "rule": {
+ "path": "",
+ "subPath": null,
+ "selectCondition": {
+
+ },
+ "query": [
+ ],
+ "shouldExist": null,
+ "returnObject": null,
+ "removeIfNotExists": null
+ },
+ "output": {
+ "html": {
+ "data": {
+ "expandObject": null
+ },
+ "table": "asList",
+ "decorate": [
+
+ ],
+ "emphasis": [
+ ],
+ "actions": {
+ "objectData": {
+ "properties": [
+
+ ],
+ "expandObject": null,
+ "limit": null
+ },
+ "showGoToButton": null,
+ "showModalButton": null,
+ "directLink": null
+ }
+ },
+ "text": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "status": {
+ "keyName": [
+
+ ],
+ "message": "",
+ "defaultMessage": null
+ },
+ "properties": {
+ "resourceName": null,
+ "resourceId": null,
+ "resourceType": null
+ },
+ "onlyStatus": false
+ }
+ },
+ "idSuffix": "postgresql_connection_throttling_disabled",
+ "notes": [
+
+ ],
+ "categories": [
+
+ ]
+}
+
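Review bot: The `rule` block of this new file is inert as far as the schema shows here — `"path": ""` together with an empty `"query": []` selects nothing and applies no condition, so a check advertised as CIS 3.0 5.2.3, Level 1, medium cannot produce a finding, whereas the deleted CIS 1.4 version it replaces queried `az_postgresql_servers` for `connection_throttling`. If the engine treats an empty path as "not implemented" that is not visible in the rule file, and a consumer of the report will read the absence of findings as compliance; either port the query to the flexible-server parameter the `displayName` already names (`connection_throttle.enable`) or tag the rule as unimplemented so it is not silently counted as passing. The same empty `path`/`query` shape appears in the new log_checkpoints and require_secure_transport files, and the renamed log_connections, log_disconnections and logfiles.retention_days rules have had their previous `az_postgresql_servers` queries removed the same way. Separately, the finding id moved from `postgresql_conn_throttling_disabled` to `postgresql_connection_throttling_disabled`, which will break any suppression list or tracking keyed on the old `idSuffix`.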
diff --git a/rules/findings/Azure/Databases/PostgreSQL/CIS1.4/azure-postgresql-infrastructure-encryption-disabled.json b/rules/findings/Azure/Databases/PostgreSQL Databases/CIS3.0/azure-postgresql-infrastructure-double-encryption-disabled.json
similarity index 86%
rename from rules/findings/Azure/Databases/PostgreSQL/CIS1.4/azure-postgresql-infrastructure-encryption-disabled.json
rename to rules/findings/Azure/Databases/PostgreSQL Databases/CIS3.0/azure-postgresql-infrastructure-double-encryption-disabled.json
index 2edabe34..5d72460d 100644
--- a/rules/findings/Azure/Databases/PostgreSQL/CIS1.4/azure-postgresql-infrastructure-encryption-disabled.json
+++ b/rules/findings/Azure/Databases/PostgreSQL Databases/CIS3.0/azure-postgresql-infrastructure-double-encryption-disabled.json
@@ -1,4 +1,4 @@
-{
+{
"args": [
],
@@ -6,7 +6,10 @@
"serviceType": "PostgreSQL Configuration",
"serviceName": "Database Configuration",
"displayName": "Ensure Infrastructure double encryption for PostgreSQL Database Server is Enabled",
- "description": "Consider to enable encryption at rest for PostgreSQL Databases.",
+ "description": "
+ Azure Database for PostgreSQL servers should be created with 'infrastructure double encryption' enabled.
+ *NOTE* : This recommendation currently only applies to Single Server, not Flexible Server. See additional information below for details about the planned retirement of Azure PostgreSQL Single Server.
+ ",
"rationale": "If Double Encryption is enabled, another layer of encryption is implemented at the hardware level before the storage or network level. Information will be encrypted before it is even accessed, preventing both interception of data in motion if the network layer encryption is broken and data at rest in system resources such as memory or processor cache. Encryption will also be in place for any backups taken of the database, so the key will secure access the data in all forms. For the most secure implementation of key based encryption, it is recommended to use a Customer Managed asymmetric RSA 2048 Key in Azure Key Vault.",
"impact": "The read and write speeds to the database will be impacted if both default encryption and Infrastructure Encryption are checked, as a secondary form of encryption requires more resource overhead for the cryptography of information. This cost is justified for information security. Customer managed keys are recommended for the most secure implementation, leading to overhead of key management. The key will also need to be backed up in a secure location, as loss of the key will mean loss of the information in the database.",
"remediation": {
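Review bot: The new `description` value at the top of this hunk is split across physical lines, so the string contains raw newlines and leading whitespace; RFC 8259 forbids unescaped control characters inside strings and a strict parser will reject the whole file, taking this CIS 3.0 rule out of the rule set. Collapse it to one line with `\n` escapes: `"description": "Azure Database for PostgreSQL servers should be created with 'infrastructure double encryption' enabled.\n*NOTE*: This recommendation currently only applies to Single Server, not Flexible Server. See additional information below for details about the planned retirement of Azure PostgreSQL Single Server.",`. The `impact` value on the next line is a single escaped string and is the form to copy. The same multi-line string appears in the `description` of the renamed log_disconnections rule and in the `rationale` at the start of the new azure-sql-fw-allow-all.json.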
@@ -25,8 +28,9 @@
"compliance": [
{
"name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "4.3.8"
+ "version": "3.0.0",
+ "reference": "5.2.8",
+ "profile": "Level 1"
}
],
"level": "medium",
@@ -75,13 +79,15 @@
],
"actions": {
"objectData": {
- "expand": [
+ "properties": [
"*"
],
+ "expandObject": null,
"limit": null
},
"showGoToButton": false,
- "showModalButton": false
+ "showModalButton": false,
+ "directLink": null
}
},
"text": {
@@ -114,3 +120,4 @@
]
}
+
diff --git a/rules/findings/Azure/Databases/PostgreSQL Databases/CIS3.0/azure-postgresql-log-checkpoints-disabled.json b/rules/findings/Azure/Databases/PostgreSQL Databases/CIS3.0/azure-postgresql-log-checkpoints-disabled.json
new file mode 100644
index 00000000..419f7ce5
--- /dev/null
+++ b/rules/findings/Azure/Databases/PostgreSQL Databases/CIS3.0/azure-postgresql-log-checkpoints-disabled.json
@@ -0,0 +1,108 @@
+{
+ "args": [
+
+ ],
+ "provider": "Azure",
+ "serviceType": "PostgreSQL Configuration",
+ "serviceName": "Database Configuration",
+ "displayName": "Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL flexible server",
+ "description": "Enable `log_checkpoints` on `PostgreSQL flexible servers`.",
+ "rationale": "Enabling log_checkpoints helps the PostgreSQL Database to Log each checkpoint in turn generates query and error logs. However, access to transaction logs is not supported. Query and error logs can be used to identify, troubleshoot, and repair configuration errors and sub-optimal performance.",
+ "impact": null,
+ "remediation": {
+ "text": null,
+ "code": {
+ "powerShell": null,
+ "iac": null,
+ "terraform": null,
+ "other": null
+ }
+ },
+ "recommendation": null,
+ "references": [
+ "https://learn.microsoft.com/en-us/rest/api/postgresql/flexibleserver/configurations/list-by-server",
+ "https://learn.microsoft.com/en-us/azure/postgresql/flexible-server/how-to-configure-server-parameters-using-portal",
+ "https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-logging-threat-detection#lt-3-enable-logging-for-security-investigation",
+ "https://learn.microsoft.com/en-us/azure/postgresql/flexible-server/concepts-logging#configure-logging",
+ "https://learn.microsoft.com/en-us/powershell/module/az.postgresql/get-azpostgresqlflexibleserverconfiguration?view=azps-12.2.0#example-1-get-specified-postgresql-configuration-by-name",
+ "https://learn.microsoft.com/en-us/powershell/module/az.postgresql/update-azpostgresqlflexibleserverconfiguration?view=azps-12.2.0#example-1-updatae-specified-postgresql-configuration-by-name"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "3.0.0",
+ "reference": "5.2.2",
+ "profile": "Level 1"
+ }
+ ],
+ "level": "medium",
+ "tags": [
+
+ ],
+ "rule": {
+ "path": "",
+ "subPath": null,
+ "selectCondition": {
+
+ },
+ "query": [
+ ],
+ "shouldExist": null,
+ "returnObject": null,
+ "removeIfNotExists": null
+ },
+ "output": {
+ "html": {
+ "data": {
+ "expandObject": null
+ },
+ "table": "asList",
+ "decorate": [
+
+ ],
+ "emphasis": [
+ ],
+ "actions": {
+ "objectData": {
+ "properties": [
+
+ ],
+ "expandObject": null,
+ "limit": null
+ },
+ "showGoToButton": null,
+ "showModalButton": null,
+ "directLink": null
+ }
+ },
+ "text": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "status": {
+ "keyName": [
+
+ ],
+ "message": "",
+ "defaultMessage": null
+ },
+ "properties": {
+ "resourceName": null,
+ "resourceId": null,
+ "resourceType": null
+ },
+ "onlyStatus": false
+ }
+ },
+ "idSuffix": "postgresql_log_checkpoints_disabled",
+ "notes": [
+
+ ],
+ "categories": [
+
+ ]
+}
+
diff --git a/rules/findings/Azure/Databases/PostgreSQL/CIS1.4/azure-postgresql-log-connections-disabled.json b/rules/findings/Azure/Databases/PostgreSQL Databases/CIS3.0/azure-postgresql-log-connections-disabled.json
similarity index 56%
rename from rules/findings/Azure/Databases/PostgreSQL/CIS1.4/azure-postgresql-log-connections-disabled.json
rename to rules/findings/Azure/Databases/PostgreSQL Databases/CIS3.0/azure-postgresql-log-connections-disabled.json
index a5e5d031..ef0da7aa 100644
--- a/rules/findings/Azure/Databases/PostgreSQL/CIS1.4/azure-postgresql-log-connections-disabled.json
+++ b/rules/findings/Azure/Databases/PostgreSQL Databases/CIS3.0/azure-postgresql-log-connections-disabled.json
@@ -1,13 +1,13 @@
-{
+{
"args": [
],
"provider": "Azure",
"serviceType": "PostgreSQL Configuration",
"serviceName": "Database Configuration",
- "displayName": "Enable log_connections on PostgreSQL Servers",
- "description": "Enabling log_connections helps PostgreSQL Database to log attempted connection to the server, as well as successful completion of client authentication. Log data can be used to identify, troubleshoot, and repair configuration errors and suboptimal performance.",
- "rationale": null,
+ "displayName": "Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL single server",
+ "description": "Enable `log_connections` on `PostgreSQL single servers`.",
+ "rationale": "Enabling log_connections helps PostgreSQL Database to log attempted connection to the server, as well as successful completion of client authentication. Log data can be used to identify, troubleshoot, and repair configuration errors and suboptimal performance.",
"impact": null,
"remediation": {
"text": null,
@@ -25,40 +25,22 @@
"compliance": [
{
"name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "4.3.3"
+ "version": "3.0.0",
+ "reference": "5.2.6",
+ "profile": "Level 1"
}
],
"level": "medium",
"tags": [
-
+ "legacy"
],
"rule": {
- "path": "az_postgresql_servers",
+ "path": "",
"subPath": null,
"selectCondition": {
},
"query": [
- {
- "filter": [
- {
- "conditions": [
- [
- "parameterName",
- "eq",
- "log_connections"
- ],
- [
- "parameterName",
- "eq",
- "off"
- ]
- ],
- "operator": "and"
- }
- ]
- }
],
"shouldExist": null,
"returnObject": null,
@@ -67,13 +49,6 @@
"output": {
"html": {
"data": {
- "properties": {
- "serverName": "Server Name",
- "parameterName": "Parameter Name",
- "parameterDescription": "Description",
- "parameterValue": "value",
- "parameterDefaultValue": "Default value"
- },
"expandObject": null
},
"table": "asList",
@@ -81,16 +56,18 @@
],
"emphasis": [
- "value",
- "Parameter Name"
],
"actions": {
"objectData": {
- "expand": null,
+ "properties": [
+
+ ],
+ "expandObject": null,
"limit": null
},
"showGoToButton": null,
- "showModalButton": null
+ "showModalButton": null,
+ "directLink": null
}
},
"text": {
@@ -123,3 +100,4 @@
]
}
+
diff --git a/rules/findings/Azure/Databases/PostgreSQL/CIS1.4/azure-postgresql-log-disconnections-disabled.json b/rules/findings/Azure/Databases/PostgreSQL Databases/CIS3.0/azure-postgresql-log-disconnections-disabled.json
similarity index 66%
rename from rules/findings/Azure/Databases/PostgreSQL/CIS1.4/azure-postgresql-log-disconnections-disabled.json
rename to rules/findings/Azure/Databases/PostgreSQL Databases/CIS3.0/azure-postgresql-log-disconnections-disabled.json
index fb851979..407963ab 100644
--- a/rules/findings/Azure/Databases/PostgreSQL/CIS1.4/azure-postgresql-log-disconnections-disabled.json
+++ b/rules/findings/Azure/Databases/PostgreSQL Databases/CIS3.0/azure-postgresql-log-disconnections-disabled.json
@@ -1,14 +1,17 @@
-{
+{
"args": [
],
"provider": "Azure",
"serviceType": "PostgreSQL Configuration",
"serviceName": "Database Configuration",
- "displayName": "Ensure server parameter \u0027log_disconnections\u0027 is set to \u0027ON\u0027 for PostgreSQL Database Server",
- "description": "Enable `log_disconnections` on PostgreSQL Servers.",
+ "displayName": "Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL single server",
+ "description": "
+ Enable `log_disconnections` on `PostgreSQL Servers`.
+ *NOTE* : This recommendation currently only applies to Single Server, not Flexible Server. See additional information below for details about the planned retirement of Azure PostgreSQL Single Server.
+ ",
"rationale": "Enabling `log_disconnections` helps PostgreSQL Database to `Logs end of a session`, including duration, which in turn generates query and error logs. Query and error logs can be used to identify, troubleshoot, and repair configuration errors and sub-optimal performance.",
- "impact": null,
+ "impact": "Enabling this setting will enable a log of all disconnections. If this is enabled for a high traffic server, the log may grow exponentially.",
"remediation": {
"text": null,
"code": {
@@ -27,8 +30,9 @@
"compliance": [
{
"name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "4.3.4"
+ "version": "3.0.0",
+ "reference": "5.2.7",
+ "profile": "Level 1"
}
],
"level": "medium",
@@ -36,31 +40,12 @@
],
"rule": {
- "path": "az_postgresql_servers",
+ "path": "",
"subPath": null,
"selectCondition": {
},
"query": [
- {
- "filter": [
- {
- "conditions": [
- [
- "parameterName",
- "eq",
- "log_disconnections"
- ],
- [
- "parameterValue",
- "eq",
- "off"
- ]
- ],
- "operator": "and"
- }
- ]
- }
],
"shouldExist": null,
"returnObject": null,
@@ -69,13 +54,6 @@
"output": {
"html": {
"data": {
- "properties": {
- "serverName": "Server Name",
- "parameterName": "Parameter Name",
- "parameterDescription": "Description",
- "parameterValue": "value",
- "parameterDefaultValue": "Default value"
- },
"expandObject": null
},
"table": "asList",
@@ -83,16 +61,18 @@
],
"emphasis": [
- "value",
- "Parameter Name"
],
"actions": {
"objectData": {
- "expand": null,
+ "properties": [
+
+ ],
+ "expandObject": null,
"limit": null
},
"showGoToButton": null,
- "showModalButton": null
+ "showModalButton": null,
+ "directLink": null
}
},
"text": {
@@ -125,3 +105,4 @@
]
}
+
diff --git a/rules/findings/Azure/Databases/PostgreSQL/CIS1.4/azure-postgresql-log-retention-days.json b/rules/findings/Azure/Databases/PostgreSQL Databases/CIS3.0/azure-postgresql-log-low-retention-days.json
similarity index 57%
rename from rules/findings/Azure/Databases/PostgreSQL/CIS1.4/azure-postgresql-log-retention-days.json
rename to rules/findings/Azure/Databases/PostgreSQL Databases/CIS3.0/azure-postgresql-log-low-retention-days.json
index dec3c13d..9c16f55e 100644
--- a/rules/findings/Azure/Databases/PostgreSQL/CIS1.4/azure-postgresql-log-retention-days.json
+++ b/rules/findings/Azure/Databases/PostgreSQL Databases/CIS3.0/azure-postgresql-log-low-retention-days.json
@@ -1,14 +1,14 @@
-{
+{
"args": [
],
"provider": "Azure",
"serviceType": "PostgreSQL Configuration",
"serviceName": "Database Configuration",
- "displayName": "Ensure server parameter \u0027log_retention_days\u0027 is greater than 3 days for PostgreSQL Database Server",
- "description": "Enable `log_retention_days` on PostgreSQL Servers.",
- "rationale": "Enabling `log_retention_days` helps PostgreSQL Database to `Sets number of days a log file is retained` which in turn generates query and error logs. Query and error logs can be used to identify, troubleshoot, and repair configuration errors and sub-optimal performance.",
- "impact": null,
+ "displayName": "Ensure server parameter 'logfiles.retention_days' is greater than 3 days for PostgreSQL flexible server",
+ "description": "Ensure `logfiles.retention_days` on `PostgreSQL flexible servers` is set to an appropriate value.",
+ "rationale": "Configuring logfiles.retention_days determines the duration in days that Azure Database for PostgreSQL retains log files. Query and error logs can be used to identify, troubleshoot, and repair configuration errors and sub-optimal performance.",
+ "impact": "Configuring this setting will result in logs being retained for the specified number of days. If this is configured on a high traffic server, the log may grow quickly to occupy a large amount of disk space. In this case you may want to set this to a lower number.",
"remediation": {
"text": null,
"code": {
@@ -27,8 +27,9 @@
"compliance": [
{
"name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "4.3.6"
+ "version": "3.0.0",
+ "reference": "5.2.4",
+ "profile": "Level 1"
}
],
"level": "medium",
@@ -36,31 +37,12 @@
],
"rule": {
- "path": "az_postgresql_servers",
+ "path": "",
"subPath": null,
"selectCondition": {
},
"query": [
- {
- "filter": [
- {
- "conditions": [
- [
- "parameterName",
- "eq",
- "log_retention_days"
- ],
- [
- "parameterValue",
- "le",
- "3"
- ]
- ],
- "operator": "and"
- }
- ]
- }
],
"shouldExist": null,
"returnObject": null,
@@ -69,13 +51,6 @@
"output": {
"html": {
"data": {
- "properties": {
- "serverName": "Server Name",
- "parameterName": "Parameter Name",
- "parameterDescription": "Description",
- "parameterValue": "value",
- "parameterDefaultValue": "Default value"
- },
"expandObject": null
},
"table": "asList",
@@ -83,16 +58,18 @@
],
"emphasis": [
- "value",
- "Parameter Name"
],
"actions": {
"objectData": {
- "expand": null,
+ "properties": [
+
+ ],
+ "expandObject": null,
"limit": null
},
"showGoToButton": null,
- "showModalButton": null
+ "showModalButton": null,
+ "directLink": null
}
},
"text": {
@@ -125,3 +102,4 @@
]
}
+
diff --git a/rules/findings/Azure/Databases/PostgreSQL Databases/CIS3.0/azure-postgresql-secure-transport-disabled.json b/rules/findings/Azure/Databases/PostgreSQL Databases/CIS3.0/azure-postgresql-secure-transport-disabled.json
new file mode 100644
index 00000000..93698934
--- /dev/null
+++ b/rules/findings/Azure/Databases/PostgreSQL Databases/CIS3.0/azure-postgresql-secure-transport-disabled.json
@@ -0,0 +1,107 @@
+{
+ "args": [
+
+ ],
+ "provider": "Azure",
+ "serviceType": "PostgreSQL Server",
+ "serviceName": "Databases",
+ "displayName": "Ensure server parameter 'require_secure_transport' is set to 'ON' for PostgreSQL flexible server",
+ "description": "Enable `require_secure_transport` on `PostgreSQL flexible servers`.",
+ "rationale": '`SSL connectivity` helps to provide a new layer of security by connecting database server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between database server and client applications helps protect against "man in the middle" attacks by encrypting the data stream between the server and application.',
+ "impact": null,
+ "remediation": {
+ "text": null,
+ "code": {
+ "powerShell": null,
+ "iac": null,
+ "terraform": null,
+ "other": null
+ }
+ },
+ "recommendation": null,
+ "references": [
+ "https://learn.microsoft.com/en-us/azure/postgresql/flexible-server/concepts-networking-ssl-tls",
+ "https://learn.microsoft.com/en-us/azure/postgresql/flexible-server/how-to-connect-tls-ssl",
+ "https://learn.microsoft.com/en-us/powershell/module/az.postgresql/get-azpostgresqlflexibleserverconfiguration?view=azps-12.2.0#example-1-get-specified-postgresql-configuration-by-name",
+ "https://learn.microsoft.com/en-us/powershell/module/az.postgresql/update-azpostgresqlflexibleserverconfiguration?view=azps-12.2.0#example-1-updatae-specified-postgresql-configuration-by-name",
+ "https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-data-protection#dp-3-encrypt-sensitive-data-in-transit"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "3.0.0",
+ "reference": "5.2.1",
+ "profile": "Level 1"
+ }
+ ],
+ "level": "medium",
+ "tags": [
+
+ ],
+ "rule": {
+ "path": "",
+ "subPath": null,
+ "selectCondition": {
+
+ },
+ "query": [
+ ],
+ "shouldExist": null,
+ "returnObject": null,
+ "removeIfNotExists": null
+ },
+ "output": {
+ "html": {
+ "data": {
+ "expandObject": null
+ },
+ "table": "asList",
+ "decorate": [
+
+ ],
+ "emphasis": [
+ ],
+ "actions": {
+ "objectData": {
+ "properties": [
+
+ ],
+ "expandObject": null,
+ "limit": null
+ },
+ "showGoToButton": null,
+ "showModalButton": null,
+ "directLink": null
+ }
+ },
+ "text": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "status": {
+ "keyName": [
+
+ ],
+ "message": "",
+ "defaultMessage": null
+ },
+ "properties": {
+ "resourceName": null,
+ "resourceId": null,
+ "resourceType": null
+ },
+ "onlyStatus": false
+ }
+ },
+ "idSuffix": "postgresql_flexible_server_secure_transport_disabled",
+ "notes": [
+
+ ],
+ "categories": [
+
+ ]
+}
+
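Review bot: The `rationale` value in this new file is single-quoted (`'...'`), apparently to avoid escaping the embedded `"man in the middle"`; single-quoted strings are not JSON and a strict parser will reject the file, so the require_secure_transport check would never load. Use double quotes and escape the inner quotes as the deleted CIS 1.4 enforcessl rule already did: `"rationale": "`SSL connectivity` helps to provide a new layer of security by connecting database server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between database server and client applications helps protect against \"man in the middle\" attacks by encrypting the data stream between the server and application.",`. As a point of style, the `idSuffix` `postgresql_flexible_server_secure_transport_disabled` embeds the server flavour while the sibling flexible-server rules in this change (`postgresql_connection_throttling_disabled`, `postgresql_log_checkpoints_disabled`) do not; pick one convention for the CIS3.0 folder.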
diff --git a/rules/findings/Azure/Databases/PostgreSQL/CIS1.4/azure-postgresql-connection-throttling-disabled.json b/rules/findings/Azure/Databases/PostgreSQL/CIS1.4/azure-postgresql-connection-throttling-disabled.json
deleted file mode 100644
index 80c163ea..00000000
--- a/rules/findings/Azure/Databases/PostgreSQL/CIS1.4/azure-postgresql-connection-throttling-disabled.json
+++ /dev/null
@@ -1,125 +0,0 @@
-{
- "args": [
-
- ],
- "provider": "Azure",
- "serviceType": "PostgreSQL Configuration",
- "serviceName": "Database Configuration",
- "displayName": "Enable connection_throttling on PostgreSQL Servers",
- "description": "Enabling connection_throttling helps the PostgreSQL Database to Set the verbosity of logged messages which in turn generates query and error logs with respect to concurrent connections, that could lead to a successful Denial of Service (DoS) attack by exhausting connection resources. A system can also fail or be degraded by an overload of legitimate users. Query and error logs can be used to identify, troubleshoot, and repair configuration errors and sub-optimal performance.",
- "rationale": null,
- "impact": null,
- "remediation": {
- "text": null,
- "code": {
- "powerShell": null,
- "iac": null,
- "terraform": null,
- "other": null
- }
- },
- "recommendation": null,
- "references": [
- "https://docs.microsoft.com/en-us/rest/api/postgresql/configurations/listbyserver"
- ],
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "4.3.5"
- }
- ],
- "level": "medium",
- "tags": [
-
- ],
- "rule": {
- "path": "az_postgresql_servers",
- "subPath": null,
- "selectCondition": {
-
- },
- "query": [
- {
- "filter": [
- {
- "conditions": [
- [
- "parameterName",
- "eq",
- "connection_throttling"
- ],
- [
- "parameterValue",
- "eq",
- "off"
- ]
- ],
- "operator": "and"
- }
- ]
- }
- ],
- "shouldExist": null,
- "returnObject": null,
- "removeIfNotExists": null
- },
- "output": {
- "html": {
- "data": {
- "properties": {
- "serverName": "Server Name",
- "parameterName": "Parameter Name",
- "parameterDescription": "Description",
- "parameterValue": "value",
- "parameterDefaultValue": "Default value"
- },
- "expandObject": null
- },
- "table": "asList",
- "decorate": [
-
- ],
- "emphasis": [
- "value",
- "Parameter Name"
- ],
- "actions": {
- "objectData": {
- "expand": null,
- "limit": null
- },
- "showGoToButton": null,
- "showModalButton": null
- }
- },
- "text": {
- "data": {
- "properties": {
-
- },
- "expandObject": null
- },
- "status": {
- "keyName": [
-
- ],
- "message": "",
- "defaultMessage": null
- },
- "properties": {
- "resourceName": null,
- "resourceId": null,
- "resourceType": null
- },
- "onlyStatus": false
- }
- },
- "idSuffix": "postgresql_conn_throttling_disabled",
- "notes": [
-
- ],
- "categories": [
-
- ]
-}
diff --git a/rules/findings/Azure/Databases/PostgreSQL/CIS1.4/azure-postgresql-enforcessl-disabled.json b/rules/findings/Azure/Databases/PostgreSQL/CIS1.4/azure-postgresql-enforcessl-disabled.json
deleted file mode 100644
index e1974e1e..00000000
--- a/rules/findings/Azure/Databases/PostgreSQL/CIS1.4/azure-postgresql-enforcessl-disabled.json
+++ /dev/null
@@ -1,119 +0,0 @@
-{
- "args": [
-
- ],
- "provider": "Azure",
- "serviceType": "PostgreSQL Server",
- "serviceName": "Databases",
- "displayName": "Enable SSL connection on PostgreSQL Servers",
- "description": "SSL connectivity helps to provide a new layer of security, by connecting database server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between database server and client applications helps protect against \"man in the middle\" attacks by encrypting the data stream between the server and application.",
- "rationale": null,
- "impact": null,
- "remediation": {
- "text": null,
- "code": {
- "powerShell": null,
- "iac": null,
- "terraform": null,
- "other": null
- }
- },
- "recommendation": null,
- "references": [
- "https://docs.microsoft.com/en-us/azure/postgresql/howto-configure-server-parameters-using-portal#prerequisites"
- ],
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "4.3"
- }
- ],
- "level": "medium",
- "tags": [
-
- ],
- "rule": {
- "path": "az_postgresql_servers",
- "subPath": null,
- "selectCondition": {
-
- },
- "query": [
- {
- "filter": [
- {
- "conditions": [
- [
- "properties.sslEnforcement",
- "eq",
- "Disabled"
- ]
- ]
- }
- ]
- }
- ],
- "shouldExist": null,
- "returnObject": null,
- "removeIfNotExists": null
- },
- "output": {
- "html": {
- "data": {
- "properties": {
- "serverName": "Server Name",
- "serverLocation": "Location",
- "resourceGroupName": "Resource group name",
- "fullyQualifiedDomainName": "FQDN",
- "sslEnforcement": "SSL Enforcement",
- "version": "PostgreSQL version"
- },
- "expandObject": null
- },
- "table": "asList",
- "decorate": [
-
- ],
- "emphasis": [
- "SSL Enforcement"
- ],
- "actions": {
- "objectData": {
- "expand": null,
- "limit": null
- },
- "showGoToButton": null,
- "showModalButton": null
- }
- },
- "text": {
- "data": {
- "properties": {
-
- },
- "expandObject": null
- },
- "status": {
- "keyName": [
-
- ],
- "message": "",
- "defaultMessage": null
- },
- "properties": {
- "resourceName": null,
- "resourceId": null,
- "resourceType": null
- },
- "onlyStatus": false
- }
- },
- "idSuffix": "postgresql_enforcessl_disabled",
- "notes": [
-
- ],
- "categories": [
-
- ]
-}
diff --git a/rules/findings/Azure/Databases/PostgreSQL/CIS1.4/azure-postgresql-log-checkpoints-disabled.json b/rules/findings/Azure/Databases/PostgreSQL/CIS1.4/azure-postgresql-log-checkpoints-disabled.json
deleted file mode 100644
index 624ce4fb..00000000
--- a/rules/findings/Azure/Databases/PostgreSQL/CIS1.4/azure-postgresql-log-checkpoints-disabled.json
+++ /dev/null
@@ -1,125 +0,0 @@
-{
- "args": [
-
- ],
- "provider": "Azure",
- "serviceType": "PostgreSQL Configuration",
- "serviceName": "Database Configuration",
- "displayName": "Enable log_checkpoints on PostgreSQL Servers",
- "description": "Enabling log_checkpoints helps the PostgreSQL Database to Log each checkpoint in turn generates query and error logs. However, access to transaction logs is not supported. Query and error logs can be used to identify, troubleshoot, and repair configuration errors and sub-optimal performance.",
- "rationale": null,
- "impact": null,
- "remediation": {
- "text": null,
- "code": {
- "powerShell": null,
- "iac": null,
- "terraform": null,
- "other": null
- }
- },
- "recommendation": null,
- "references": [
- "https://docs.microsoft.com/en-us/rest/api/postgresql/configurations/listbyserver"
- ],
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "4.3.2"
- }
- ],
- "level": "medium",
- "tags": [
-
- ],
- "rule": {
- "path": "az_postgresql_servers",
- "subPath": null,
- "selectCondition": {
-
- },
- "query": [
- {
- "filter": [
- {
- "conditions": [
- [
- "parameterName",
- "eq",
- "log_checkpoints"
- ],
- [
- "parameterValue",
- "eq",
- "off"
- ]
- ],
- "operator": "and"
- }
- ]
- }
- ],
- "shouldExist": null,
- "returnObject": null,
- "removeIfNotExists": null
- },
- "output": {
- "html": {
- "data": {
- "properties": {
- "serverName": "Server Name",
- "parameterName": "Parameter Name",
- "parameterDescription": "Description",
- "parameterValue": "value",
- "parameterDefaultValue": "Default value"
- },
- "expandObject": null
- },
- "table": "asList",
- "decorate": [
-
- ],
- "emphasis": [
- "value",
- "Parameter Name"
- ],
- "actions": {
- "objectData": {
- "expand": null,
- "limit": null
- },
- "showGoToButton": null,
- "showModalButton": null
- }
- },
- "text": {
- "data": {
- "properties": {
-
- },
- "expandObject": null
- },
- "status": {
- "keyName": [
-
- ],
- "message": "",
- "defaultMessage": null
- },
- "properties": {
- "resourceName": null,
- "resourceId": null,
- "resourceType": null
- },
- "onlyStatus": false
- }
- },
- "idSuffix": "postgresql_log_checkpoints_disabled",
- "notes": [
-
- ],
- "categories": [
-
- ]
-}
diff --git a/rules/findings/Azure/Databases/SQL Server/CIS1.4/azure-sql-server-data-encryption-disabled.json b/rules/findings/Azure/Databases/SQL Databases/CIS3.0/azure-sql-database-data-encryption-disabled.json
similarity index 90%
rename from rules/findings/Azure/Databases/SQL Server/CIS1.4/azure-sql-server-data-encryption-disabled.json
rename to rules/findings/Azure/Databases/SQL Databases/CIS3.0/azure-sql-database-data-encryption-disabled.json
index 403ca0b3..6b7e5aec 100644
--- a/rules/findings/Azure/Databases/SQL Server/CIS1.4/azure-sql-server-data-encryption-disabled.json
+++ b/rules/findings/Azure/Databases/SQL Databases/CIS3.0/azure-sql-database-data-encryption-disabled.json
@@ -1,11 +1,11 @@
-{
+{
"args": [
],
"provider": "Azure",
"serviceType": "SQL Server",
"serviceName": "Databases",
- "displayName": "Ensure that \u0027Data encryption\u0027 is set to \u0027On\u0027 on a SQL Database",
+ "displayName": "Ensure that 'Data encryption' is set to 'On' on a SQL Database",
"description": "Enable Transparent Data Encryption on every SQL server.",
"rationale": "Azure SQL Database transparent data encryption helps protect against the threat of malicious activity by performing real-time encryption and decryption of the database, associated backups, and transaction log files at rest without requiring changes to the application.",
"impact": null,
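Review bot: The opening `{` line is shown as changed with no visible difference, which usually means a byte-order mark or line ending was added or removed; the same invisible first-line change appears in the auditing, retention and TDE rule files renamed in this commit. RFC 8259 §8.1 says a BOM must not be added to JSON text, so it is worth confirming the renamed files are saved as UTF-8 without BOM before a strict loader trips over them. The `\u0027` → `'` change in `displayName` is a harmless equivalent encoding and needs nothing.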
@@ -26,8 +26,9 @@
"compliance": [
{
"name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "4.1.2"
+ "version": "3.0.0",
+ "reference": "5.1.5",
+ "profile": "Level 1"
}
],
"level": "medium",
@@ -82,13 +83,15 @@
],
"actions": {
"objectData": {
- "expand": [
+ "properties": [
"*"
],
+ "expandObject": null,
"limit": null
},
"showGoToButton": false,
- "showModalButton": false
+ "showModalButton": false,
+ "directLink": null
}
},
"text": {
@@ -121,3 +124,4 @@
]
}
+
diff --git a/rules/findings/Azure/Databases/SQL Databases/CIS3.0/azure-sql-fw-allow-all.json b/rules/findings/Azure/Databases/SQL Databases/CIS3.0/azure-sql-fw-allow-all.json
new file mode 100644
index 00000000..b5fb0559
--- /dev/null
+++ b/rules/findings/Azure/Databases/SQL Databases/CIS3.0/azure-sql-fw-allow-all.json
@@ -0,0 +1,146 @@
+{
+ "args": [
+
+ ],
+ "provider": "Azure",
+ "serviceType": "Azure SQL Firewall",
+ "serviceName": "Network",
+ "displayName": "Ensure no Azure SQL Databases allow ingress from _ARG_0_",
+ "description": "_ARG_2_",
+ "rationale": "
+ Azure SQL Server includes a firewall to block access to unauthorized connections. More granular IP addresses can be defined by referencing the range of addresses available from specific datacenters.
+ By default, for a SQL server, a Firewall exists with StartIp of 0.0.0.0 and EndIP of 0.0.0.0 allowing access to all the Azure services.
+ Additionally, a custom rule can be set up with StartIp of 0.0.0.0 and EndIP of 255.255.255.255 allowing access from ANY IP over the Internet. In order to reduce the potential attack surface for a SQL server, firewall rules should be defined with more granular IP addresses by referencing the range of addresses available from specific datacenters.
+ If Allow Azure services and resources to access this server is 'Checked', this will allow resources outside of the subscription/tenant/organization boundary, within any region of Azure, to effectively bypass the defined SQL Server Network ACL on public endpoint. A malicious attacker can successfully launch a SQL server password bruteforce attack by creating a virtual machine in any Azure subscription/region, from outside of the subscription boundary where the SQL Server is residing.
+ ",
+ "impact": "Disabling Allow Azure services and resources to access this server will break all connections to SQL server and Hosted Databases unless custom IP specific rules are added in Firewall Policy.",
+ "remediation": {
+ "text": "
+ ###### Remediate from Azure Portal
+ 1. Go to SQL servers
+ 2. For each SQL server
+ 3. Under Security, click Networking
+ 4. Uncheck Allow Azure services and resources to access this server
+ 5. Set firewall rules to limit access to only authorized connections
+ 6. Click Save
+ ",
+ "code": {
+ "powerShell": null,
+ "iac": null,
+ "terraform": null,
+ "other": null
+ }
+ },
+ "recommendation": null,
+ "references": [
+ "https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/configure-a-windows-firewall-for-database-engine-access?view=sql-server-2017",
+ "https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/get-azurermsqlserverfirewallrule?view=azurermps-5.2.0",
+ "https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/set-azurermsqlserverfirewallrule?view=azurermps-5.2.0",
+ "https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/remove-azurermsqlserverfirewallrule?view=azurermps-5.2.0",
+ "https://docs.microsoft.com/en-us/azure/sql-database/sql-database-firewall-configure",
+ "https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-set-database-firewall-rule-azure-sql-database?view=azuresqldb-current",
+ "https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-network-security#ns-2-secure-cloud-native-services-with-network-controls",
+ "https://learn.microsoft.com/en-us/azure/azure-sql/database/network-access-controls-overview?view=azuresql#allow-azure-services"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "_ARG_4_",
+ "reference": "_ARG_5_",
+ "profile": "_ARG_6_"
+ }
+ ],
+ "level": "medium",
+ "tags": [
+
+ ],
+ "rule": {
+ "path": "az_sql_servers",
+ "subPath": null,
+ "selectCondition": {
+
+ },
+ "query": [
+ {
+ "filter": [
+ {
+ "conditions": [
+ [
+ "fwRules.StartIpAddress",
+ "eq",
+ "_ARG_0_"
+ ],
+ [
+ "fwRules.EndIpAddress",
+ "eq",
+ "_ARG_1_"
+ ]
+ ],
+ "operator": "and"
+ }
+ ]
+ }
+ ],
+ "shouldExist": null,
+ "returnObject": null,
+ "removeIfNotExists": null
+ },
+ "output": {
+ "html": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "table": null,
+ "decorate": [
+
+ ],
+ "emphasis": [
+
+ ],
+ "actions": {
+ "objectData": {
+ "properties": [
+ "*"
+ ],
+ "expandObject": null,
+ "limit": null
+ },
+ "showGoToButton": false,
+ "showModalButton": false,
+ "directLink": null
+ }
+ },
+ "text": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "status": {
+ "keyName": [
+
+ ],
+ "message": "",
+ "defaultMessage": null
+ },
+ "properties": {
+ "resourceName": null,
+ "resourceId": null,
+ "resourceType": null
+ },
+ "onlyStatus": false
+ }
+ },
+ "idSuffix": "azure_permissive_sql_fw_rule_enabled",
+ "notes": [
+
+ ],
+ "categories": [
+
+ ]
+}
+
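Review bot: The `rationale` string and the `remediation.text` string contain raw line breaks, which RFC 8259 forbids inside a JSON string, so a strict parser rejects this file; the existing rules encode paragraph breaks as `\r\n\t\t\t\t` within a single-line string (as the auditing rule's `rationale` does), and these new strings should use the same escaped form. The same raw-newline defect is in the Entra ID rule (`rationale`, `remediation.text`), the public network access rule (`remediation.text`) and the TDE rule (`description`), so whichever parser the rule loader uses should be checked against all four. Separately, the filter matches `fwRules.StartIpAddress` and `fwRules.EndIpAddress` only against the exact pair supplied in `_ARG_0_`/`_ARG_1_`, so a firewall rule covering a slightly different but equally broad range is not reported; if the query engine offers range or ordering operators, a width-based condition would close that gap, otherwise the limitation deserves an entry in `notes`. The HTML output also sets `table` to `null` with an empty `properties` map, so it is unclear what a rendered finding would show — presumably a default view, but worth confirming.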
diff --git a/rules/findings/Azure/Databases/SQL Server/CIS1.4/azure-sql-server-auditing-disabled.json b/rules/findings/Azure/Databases/SQL Databases/CIS3.0/azure-sql-server-auditing-disabled.json
similarity index 87%
rename from rules/findings/Azure/Databases/SQL Server/CIS1.4/azure-sql-server-auditing-disabled.json
rename to rules/findings/Azure/Databases/SQL Databases/CIS3.0/azure-sql-server-auditing-disabled.json
index d15a9712..b21fd107 100644
--- a/rules/findings/Azure/Databases/SQL Server/CIS1.4/azure-sql-server-auditing-disabled.json
+++ b/rules/findings/Azure/Databases/SQL Databases/CIS3.0/azure-sql-server-auditing-disabled.json
@@ -1,12 +1,12 @@
-{
+{
"args": [
],
"provider": "Azure",
"serviceType": "SQL Server",
"serviceName": "Databases",
- "displayName": "Enable auditing on SQL Servers",
- "description": "Auditing for Azure SQL Database tracks database events and writes them to an audit log. It could be used to maintain regulatory compliance, understand database activity, and gain insight into discrepancies and anomalies that could indicate business concerns or suspected security violations.",
+ "displayName": "Ensure that 'Auditing' is set to 'On'",
+ "description": "Enable auditing on SQL Servers.",
"rationale": "The Azure platform allows a SQL server to be created as a service. Enabling auditing at the server level ensures that all existing and newly created databases on the SQL server instance are audited. Auditing policy applied on the SQL database does not override auditing policy and settings applied on the particular SQL server where the database is hosted. \r\n\t\t\t\t Auditing tracks database events and writes them to an audit log in the Azure storage account. It also helps to maintain regulatory compliance, understand database activity, and gain insight into discrepancies and anomalies that could indicate business concerns or suspected security violations.",
"impact": null,
"remediation": {
@@ -29,8 +29,9 @@
"compliance": [
{
"name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "4.1.1"
+ "version": "3.0.0",
+ "reference": "5.1.1",
+ "profile": "Level 1"
}
],
"level": "medium",
@@ -83,11 +84,15 @@
],
"actions": {
"objectData": {
- "expand": null,
+ "properties": [
+
+ ],
+ "expandObject": null,
"limit": null
},
"showGoToButton": null,
- "showModalButton": null
+ "showModalButton": null,
+ "directLink": null
}
},
"text": {
@@ -120,3 +125,4 @@
]
}
+
diff --git a/rules/findings/Azure/Databases/SQL Server/CIS1.4/azure-sql-server-auditing-retention.json b/rules/findings/Azure/Databases/SQL Databases/CIS3.0/azure-sql-server-auditing-retention.json
similarity index 84%
rename from rules/findings/Azure/Databases/SQL Server/CIS1.4/azure-sql-server-auditing-retention.json
rename to rules/findings/Azure/Databases/SQL Databases/CIS3.0/azure-sql-server-auditing-retention.json
index 68e137a4..e558ae95 100644
--- a/rules/findings/Azure/Databases/SQL Server/CIS1.4/azure-sql-server-auditing-retention.json
+++ b/rules/findings/Azure/Databases/SQL Databases/CIS3.0/azure-sql-server-auditing-retention.json
@@ -1,12 +1,12 @@
-{
+{
"args": [
],
"provider": "Azure",
"serviceType": "SQL Server",
"serviceName": "Databases",
- "displayName": "SQL Server Audit Retention should be configured to be greater than 90 days",
- "description": "The SQL Server Audit feature lets administrators to create server audits, which can contain server audit specifications for server level events, and database audit specifications for database level events. Audited events can be written to the event logs or to audit files.",
+ "displayName": "Ensure that 'Auditing' Retention is 'greater than 90 days'",
+ "description": "SQL Server Audit Retention should be configured to be greater than 90 days.",
"rationale": "Audit Logs can be used to check for anomalies and give insight into suspected breaches or misuse of information and access.",
"impact": null,
"remediation": {
@@ -25,8 +25,9 @@
"compliance": [
{
"name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "4.1.3"
+ "version": "3.0.0",
+ "reference": "5.1.6",
+ "profile": "Level 1"
}
],
"level": "medium",
@@ -89,11 +90,15 @@
],
"actions": {
"objectData": {
- "expand": null,
+ "properties": [
+
+ ],
+ "expandObject": null,
"limit": null
},
"showGoToButton": null,
- "showModalButton": null
+ "showModalButton": null,
+ "directLink": null
}
},
"text": {
@@ -126,3 +131,4 @@
]
}
+
diff --git a/rules/findings/Azure/Databases/SQL Databases/CIS3.0/azure-sql-server-entra-id-auth-disabled.json b/rules/findings/Azure/Databases/SQL Databases/CIS3.0/azure-sql-server-entra-id-auth-disabled.json
new file mode 100644
index 00000000..6b816ace
--- /dev/null
+++ b/rules/findings/Azure/Databases/SQL Databases/CIS3.0/azure-sql-server-entra-id-auth-disabled.json
@@ -0,0 +1,143 @@
+{
+ "args": [
+
+ ],
+ "provider": "Azure",
+ "serviceType": "SQL Server",
+ "serviceName": "Databases",
+ "displayName": "Ensure that Microsoft Entra authentication is Configured for SQL Servers",
+ "description": "Use Microsoft Entra authentication for authentication with SQL Database to manage credentials in a single place.",
+ "rationale": "
+ Microsoft Entra authentication is a mechanism to connect to Microsoft Azure SQL Database and SQL Data Warehouse by using identities in the Microsoft Entra ID directory. With Entra ID authentication, identities of database users and other Microsoft services can be managed in one central location. Central ID management provides a single place to manage database users and simplifies permission management.
+ * It provides an alternative to SQL Server authentication.
+ * Helps stop the proliferation of user identities across database servers.
+ * Allows password rotation in a single place.
+ * Customers can manage database permissions using external (Entra ID) groups.
+ * It can eliminate storing passwords by enabling integrated Windows authentication and other forms of authentication supported by Microsoft Entra.
+ * Entra ID authentication uses contained database users to authenticate identities at the database level.
+ * Entra ID supports token-based authentication for applications connecting to SQL Database.
+ * Entra ID authentication supports ADFS (domain federation) or native user/password authentication for a local Active Directory without domain synchronization.
+ * Entra ID supports connections from SQL Server Management Studio that use Active Directory Universal Authentication, which includes Multi-Factor Authentication (MFA). MFA includes strong authentication with a range of easy verification options — phone call, text message, smart cards with pin, or mobile app notification.
+ ",
+ "impact": "This will create administrative overhead with user account and permission management. For further security on these administrative accounts, you may want to consider licensing which supports features like Multi Factor Authentication.",
+ "remediation": {
+ "text": "
+ ###### Remediate from Azure Portal
+ 1. Go to SQL servers
+ 2. For each SQL server, under Settings, click Microsoft Entra ID
+ 3. Click Set admin
+ 4. Select an admin
+ 5. Click Select
+ 6. Click Save
+ ",
+ "code": {
+ "powerShell": null,
+ "iac": null,
+ "terraform": null,
+ "other": null
+ }
+ },
+ "recommendation": null,
+ "references": [
+ "https://docs.microsoft.com/en-us/azure/sql-database/sql-database-aad-authentication-configure"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "3.0.0",
+ "reference": "5.1.4",
+ "profile": "Level 1"
+ }
+ ],
+ "level": "medium",
+ "tags": [
+
+ ],
+ "rule": {
+ "path": "az_sql_servers",
+ "subPath": null,
+ "selectCondition": {
+
+ },
+ "query": [
+ {
+ "filter": [
+ {
+ "conditions": [
+ [
+ "sqlAd.enabled",
+ "eq",
+ "False"
+ ]
+ ]
+ }
+ ]
+ }
+ ],
+ "shouldExist": null,
+ "returnObject": null,
+ "removeIfNotExists": null
+ },
+ "output": {
+ "html": {
+ "data": {
+ "properties": {
+ "name": "Server Name",
+ "location": "Location",
+ "resourceGroupName": "Resource group name",
+ "fqdn": "FQDN",
+ "sqlAd.enabled": "Active Directory Admin enabled"
+ },
+ "expandObject": null
+ },
+ "table": "asList",
+ "decorate": [
+
+ ],
+ "emphasis": [
+ "Active Directory Admin enabled"
+ ],
+ "actions": {
+ "objectData": {
+ "properties": [
+
+ ],
+ "expandObject": null,
+ "limit": null
+ },
+ "showGoToButton": null,
+ "showModalButton": null,
+ "directLink": null
+ }
+ },
+ "text": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "status": {
+ "keyName": [
+
+ ],
+ "message": "",
+ "defaultMessage": null
+ },
+ "properties": {
+ "resourceName": null,
+ "resourceId": null,
+ "resourceType": null
+ },
+ "onlyStatus": false
+ }
+ },
+ "idSuffix": "sql_server_entra_id_authentication_disabled",
+ "notes": [
+
+ ],
+ "categories": [
+
+ ]
+}
+
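Review bot: The filter only tests `sqlAd.enabled` against `"False"`, i.e. whether an Entra admin is assigned (the HTML column is labelled "Active Directory Admin enabled"), while `description` reads as if Entra authentication is in use for the server; a server with an Entra admin set still accepts SQL authentication logins unless Entra-only authentication is enforced, which this rule does not examine. A one-line entry in `notes` would keep the report honest, e.g. `"Verifies that a Microsoft Entra admin is assigned; does not verify that Entra-only authentication is enforced."`. The `"False"` string comparison is carried over from the removed CIS1.4 rule, so it presumably matches how the collector represents the flag — worth confirming rather than assuming.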
diff --git a/rules/findings/Azure/Databases/SQL Databases/CIS3.0/azure-sql-server-public-network-access-enabled.json b/rules/findings/Azure/Databases/SQL Databases/CIS3.0/azure-sql-server-public-network-access-enabled.json
new file mode 100644
index 00000000..c4e533e7
--- /dev/null
+++ b/rules/findings/Azure/Databases/SQL Databases/CIS3.0/azure-sql-server-public-network-access-enabled.json
@@ -0,0 +1,110 @@
+{
+ "args": [
+
+ ],
+ "provider": "Azure",
+ "serviceType": "SQL Server",
+ "serviceName": "Databases",
+ "displayName": "Ensure Public Network Access is Disabled",
+ "description": "Disabling public network access restricts the service from accessing public networks.",
+ "rationale": "A secure network architecture requires carefully constructed network segmentation. Public Network Access tends to be overly permissive and introduces unintended vectors for threat activity.",
+ "impact": "Some architectural consideration may be necessary to ensure that required network connectivity is still made available. No additional cost or performance impact is required to deploy this recommendation.",
+ "remediation": {
+ "text": "
+ ###### From Azure Portal
+ 1. Go to SQL servers.
+ 2. For each SQL server, under Security, click Networking.
+ 3. Set Public network access to Disable.
+ 4. Click Save.
+ ",
+ "code": {
+ "powerShell": null,
+ "iac": null,
+ "terraform": null,
+ "other": null
+ }
+ },
+ "recommendation": null,
+ "references": [
+ "https://learn.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-network-security#ns-2-secure-cloud-services-with-network-controls",
+ "https://learn.microsoft.com/en-us/azure/azure-sql/database/connectivity-settings?view=azuresql&tabs=azure-portal#deny-public-network-access"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "3.0.0",
+ "reference": "5.1.7",
+ "profile": "Level 1"
+ }
+ ],
+ "level": "medium",
+ "tags": [
+
+ ],
+ "rule": {
+ "path": "",
+ "subPath": null,
+ "selectCondition": {
+
+ },
+ "query": [
+ ],
+ "shouldExist": null,
+ "returnObject": null,
+ "removeIfNotExists": null
+ },
+ "output": {
+ "html": {
+ "data": {
+ "expandObject": null
+ },
+ "table": "asList",
+ "decorate": [
+
+ ],
+ "emphasis": [
+ ],
+ "actions": {
+ "objectData": {
+ "properties": [
+
+ ],
+ "expandObject": null,
+ "limit": null
+ },
+ "showGoToButton": null,
+ "showModalButton": null,
+ "directLink": null
+ }
+ },
+ "text": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "status": {
+ "keyName": [
+
+ ],
+ "message": "",
+ "defaultMessage": null
+ },
+ "properties": {
+ "resourceName": null,
+ "resourceId": null,
+ "resourceType": null
+ },
+ "onlyStatus": false
+ }
+ },
+ "idSuffix": "sql_server_public_network_access_enabled",
+ "notes": [
+
+ ],
+ "categories": [
+
+ ]
+}
+
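Review bot: `rule.path` is the empty string and `rule.query` is empty, so this rule evaluates nothing, yet it carries CIS 3.0 reference 5.1.7 — a report would list the control with no findings and read as compliant when public network access was never checked. Either wire it to the server collection the sibling rules use (`az_sql_servers`) with a condition on the server's public network access setting, or keep the file out of the loaded rule set until it is implemented; the `html.data` block also lacks the `properties` map every other rule has, so there would be no columns to render. The sketch below follows the shape of the Entra ID rule in this commit; the field name and the value the collector reports for "enabled" are not visible here and are left as a placeholder to confirm.
```json
  "rule": {
    "path": "az_sql_servers",
    "subPath": null,
    "selectCondition": {

    },
    "query": [
      {
        "filter": [
          {
            "conditions": [
              [
                "<PUBLIC_NETWORK_ACCESS_FIELD_AS_EXPOSED_BY_COLLECTOR>",
                "eq",
                "Enabled"
              ]
            ]
          }
        ]
      }
    ],
    "shouldExist": null,
    "returnObject": null,
    "removeIfNotExists": null
  },
```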
diff --git a/rules/findings/Azure/Databases/SQL Server/CIS1.4/azure-sql-server-tdp-own-key-enabled.json b/rules/findings/Azure/Databases/SQL Databases/CIS3.0/azure-sql-server-tde-protector-lack-cmk-encryption.json
similarity index 65%
rename from rules/findings/Azure/Databases/SQL Server/CIS1.4/azure-sql-server-tdp-own-key-enabled.json
rename to rules/findings/Azure/Databases/SQL Databases/CIS3.0/azure-sql-server-tde-protector-lack-cmk-encryption.json
index 7c2e76bb..d6ed41de 100644
--- a/rules/findings/Azure/Databases/SQL Server/CIS1.4/azure-sql-server-tdp-own-key-enabled.json
+++ b/rules/findings/Azure/Databases/SQL Databases/CIS3.0/azure-sql-server-tde-protector-lack-cmk-encryption.json
@@ -1,13 +1,17 @@
-{
+{
"args": [
],
"provider": "Azure",
"serviceType": "SQL Server",
"serviceName": "Databases",
- "displayName": "Ensure SQL server\u0027s TDE protector is encrypted with Customer-managed key",
- "description": "TDE with Customer-managed key support provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties.\r\n\t\t\t\t\tWith TDE, data is encrypted at rest with a symmetric key (called the database encryption key) stored in the database or data warehouse distribution. To protect this data encryption key (DEK) in the past, only a certificate that the Azure SQL Service managed could be used. Now, with Customer-managed key support for TDE, the DEK can be protected with an asymmetric key that is stored in the Key Vault. Key Vault is a highly available and scalable cloud-based key store which offers central key management, leverages FIPS 140-2 Level 2 validated hardware security modules (HSMs), and allows separation of management of keys and data, for additional security.\r\n\t\t\t\t\tBased on business needs or criticality of data/databases hosted a SQL server, it is recommended that the TDE protector is encrypted by a key that is managed by the data owner (Customer-managed key).",
- "rationale": "Customer-managed key support for Transparent Data Encryption (TDE) allows user control of TDE encryption keys and restricts who can access them and when. Azure Key Vault, Azure’s cloud-based external key management system is the first key management service where TDE has integrated support for Customer-managed keys. With Customer-managed key support, the database encryption key is protected by an asymmetric key stored in the Key Vault. The asymmetric key is set at the server level and inherited by all databases under that server.",
+ "displayName": "Ensure SQL server's Transparent Data Encryption (TDE) protector is encrypted with Customer-managed key",
+ "description": '
+ Transparent Data Encryption (TDE) with Customer-managed key support provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties.
+ With TDE, data is encrypted at rest with a symmetric key (called the database encryption key) stored in the database or data warehouse distribution. To protect this data encryption key (DEK) in the past, only a certificate that the Azure SQL Service managed could be used. Now, with Customer-managed key support for TDE, the DEK can be protected with an asymmetric key that is stored in the Azure Key Vault. The Azure Key Vault is a highly available and scalable cloud-based key store which offers central key management, leverages FIPS 140-2 Level 2 validated hardware security modules (HSMs), and allows separation of management of keys and data for additional security.
+ Based on business needs or criticality of data/databases hosted on a SQL server, it is recommended that the TDE protector is encrypted by a key that is managed by the data owner (Customer-managed key).
+ ',
+ "rationale": "Customer-managed key support for Transparent Data Encryption (TDE) allows user control of TDE encryption keys and restricts who can access them and when. Azure Key Vault, Azure’s cloud-based external key management system, is the first key management service where TDE has integrated support for Customer-managed keys. With Customer-managed key support, the database encryption key is protected by an asymmetric key stored in the Key Vault. The asymmetric key is set at the server level and inherited by all databases under that server.",
"impact": "Once TDE protector is encrypted with a Customer-managed key, it transfers entire responsibility of respective key management on to you and hence you should be more careful about doing any operations on the particular key in order to keep data from corresponding SQL server and Databases hosted accessible.\r\n\t\t\t\t \r\n\t\t\t\t When deploying Customer Managed Keys it is also prudent to ensure that you also deploy an automated toolset for managing these keys (this should include discovery and key rotation), and Keys should be stored in an HSM or hardware backed keystore E.G. Azure Keyvault).\r\n\t\t\t\t \r\n\t\t\t\t As far as toolsets go, check with your cryptographic key provider as they may well provide one as an add on to their service.",
"remediation": {
"text": null,
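Review bot: The new `description` value is delimited with single quotes (`"description": '` … `',`), which is not JSON — every other string in these files uses double quotes and a strict parser fails at that token — so both delimiters should become `"` (the embedded text contains no double quotes, so no further escaping is needed). The old value encoded its paragraph breaks as `\r\n\t\t\t\t\t` on one line and `impact` on the next line still does, so the rewritten description should use that form rather than raw line breaks so the strings in this object agree.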
@@ -25,8 +29,9 @@
"compliance": [
{
"name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "4.6"
+ "version": "3.0.0",
+ "reference": "5.1.3",
+ "profile": "Level 2"
}
],
"level": "medium",
@@ -99,11 +104,15 @@
],
"actions": {
"objectData": {
- "expand": null,
+ "properties": [
+
+ ],
+ "expandObject": null,
"limit": null
},
"showGoToButton": null,
- "showModalButton": null
+ "showModalButton": null,
+ "directLink": null
}
},
"text": {
@@ -128,7 +137,7 @@
"onlyStatus": false
}
},
- "idSuffix": "sql_server_tdp_own_key_disabled",
+ "idSuffix": "sql_server_tde_lack_cmk_encryption",
"notes": [
],
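Review bot: Renaming `idSuffix` from `sql_server_tdp_own_key_disabled` to `sql_server_tde_lack_cmk_encryption` changes the finding identifier that downstream consumers (exclusion lists, baselines, dashboards keyed on the id) presumably reference; unless the loader maps old ids, this is a breaking change worth calling out in the changelog. The same applies to the other renamed rules in this commit if their ids changed.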
@@ -136,3 +145,4 @@
]
}
+
diff --git a/rules/findings/Azure/Databases/SQL Server/CIS1.4/azure-sql-server-active-directory-admin-disabled.json b/rules/findings/Azure/Databases/SQL Server/CIS1.4/azure-sql-server-active-directory-admin-disabled.json
deleted file mode 100644
index 57e5d376..00000000
--- a/rules/findings/Azure/Databases/SQL Server/CIS1.4/azure-sql-server-active-directory-admin-disabled.json
+++ /dev/null
@@ -1,118 +0,0 @@
-{
- "args": [
-
- ],
- "provider": "Azure",
- "serviceType": "SQL Server",
- "serviceName": "Databases",
- "displayName": "Use Microsoft Entra ID Authentication for authentication with SQL Database",
- "description": "Microsoft Entra ID authentication is a mechanism to connect to Microsoft Azure SQL Database and SQL Data Warehouse using identities in Microsoft Entra ID (Azure Active Directory). With Microsoft Entra ID authentication, identities of database users and other Microsoft services can be managed in one central location. Central ID management provides a single place to manage database users and simplifies permission management",
- "rationale": null,
- "impact": null,
- "remediation": {
- "text": null,
- "code": {
- "powerShell": null,
- "iac": null,
- "terraform": null,
- "other": null
- }
- },
- "recommendation": null,
- "references": [
- "https://docs.microsoft.com/en-us/azure/sql-database/sql-database-aad-authentication-configure"
- ],
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "4.5"
- }
- ],
- "level": "medium",
- "tags": [
-
- ],
- "rule": {
- "path": "az_sql_servers",
- "subPath": null,
- "selectCondition": {
-
- },
- "query": [
- {
- "filter": [
- {
- "conditions": [
- [
- "sqlAd.enabled",
- "eq",
- "False"
- ]
- ]
- }
- ]
- }
- ],
- "shouldExist": null,
- "returnObject": null,
- "removeIfNotExists": null
- },
- "output": {
- "html": {
- "data": {
- "properties": {
- "name": "Server Name",
- "location": "Location",
- "resourceGroupName": "Resource group name",
- "fqdn": "FQDN",
- "sqlAd.enabled": "Active Directory Admin enabled"
- },
- "expandObject": null
- },
- "table": "asList",
- "decorate": [
-
- ],
- "emphasis": [
- "Active Directory Admin enabled"
- ],
- "actions": {
- "objectData": {
- "expand": null,
- "limit": null
- },
- "showGoToButton": null,
- "showModalButton": null
- }
- },
- "text": {
- "data": {
- "properties": {
-
- },
- "expandObject": null
- },
- "status": {
- "keyName": [
-
- ],
- "message": "",
- "defaultMessage": null
- },
- "properties": {
- "resourceName": null,
- "resourceId": null,
- "resourceType": null
- },
- "onlyStatus": false
- }
- },
- "idSuffix": "sql_server_ad_admin_disabled",
- "notes": [
-
- ],
- "categories": [
-
- ]
-}
diff --git a/rules/findings/Azure/Databases/SQL Server/CIS1.4/azure-sql-server-advanced-threat-protection-disabled.json b/rules/findings/Azure/Databases/SQL Server/CIS1.4/azure-sql-server-advanced-threat-protection-disabled.json
deleted file mode 100644
index 67db1ce2..00000000
--- a/rules/findings/Azure/Databases/SQL Server/CIS1.4/azure-sql-server-advanced-threat-protection-disabled.json
+++ /dev/null
@@ -1,120 +0,0 @@
-{
- "args": [
-
- ],
- "provider": "Azure",
- "serviceType": "SQL Server",
- "serviceName": "Databases",
- "displayName": "Ensure that Advanced Threat Protection (ATP) on a SQL server is set to \u0027Enabled\u0027",
- "description": "Advanced data security is a unified package for advanced SQL security capabilities. It includes functionality for discovering and classifying sensitive data, surfacing and mitigating potential database vulnerabilities, and detecting anomalous activities that could indicate a threat to your database.",
- "rationale": "Microsoft Defender for Cloud for SQL is a unified package for advanced SQL security capabilities. Microsoft Defender for Cloud is available for Azure SQL Database, Azure SQL Managed Instance, and Azure Synapse Analytics. It includes functionality for discovering and classifying sensitive data, surfacing and mitigating potential database vulnerabilities, and detecting anomalous activities that could indicate a threat to your database. It provides a single go-to location for enabling and managing these capabilities.",
- "impact": "Microsoft Defender for Cloud for SQL is a paid feature and will incur additional cost for each SQL server.",
- "remediation": {
- "text": "###### From Azure Console\r\n\t\t\t\t\t1. Go to `SQL servers`.\r\n\t\t\t\t\t2. For each server instance\r\n\t\t\t\t\t3. Click on `Microsoft Defender for Cloud` for SQL\r\n\t\t\t\t\t4. Set Microsoft Defender for Cloud for SQL to `On`",
- "code": {
- "powerShell": null,
- "iac": null,
- "terraform": null,
- "other": null
- }
- },
- "recommendation": null,
- "references": [
- "https://docs.microsoft.com/en-us/azure/azure-sql/database/azure-defender-for-sql",
- "https://docs.microsoft.com/cs-cz/powershell/module/azurerm.sql/get-azurermsqlserverthreatdetectionpolicy?view=azurermps-5.2.0",
- "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-3-monitor-for-unauthorized-transfer-of-sensitive-data"
- ],
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "4.2.1"
- }
- ],
- "level": "medium",
- "tags": [
-
- ],
- "rule": {
- "path": "az_sql_servers",
- "subPath": null,
- "selectCondition": {
-
- },
- "query": [
- {
- "filter": [
- {
- "conditions": [
- [
- "threatDetectionPolicy",
- "eq",
- "Disabled"
- ]
- ]
- }
- ]
- }
- ],
- "shouldExist": null,
- "returnObject": null,
- "removeIfNotExists": null
- },
- "output": {
- "html": {
- "data": {
- "properties": {
- "name": "Server Name",
- "location": "Location",
- "resourceGroupName": "Resource group name",
- "fqdn": "FQDN",
- "tdpSettings.enabled": "Threat Detection policy enabled"
- },
- "expandObject": null
- },
- "table": "asList",
- "decorate": [
-
- ],
- "emphasis": [
- "Threat Detection policy enabled"
- ],
- "actions": {
- "objectData": {
- "expand": null,
- "limit": null
- },
- "showGoToButton": null,
- "showModalButton": null
- }
- },
- "text": {
- "data": {
- "properties": {
-
- },
- "expandObject": null
- },
- "status": {
- "keyName": [
-
- ],
- "message": "",
- "defaultMessage": null
- },
- "properties": {
- "resourceName": null,
- "resourceId": null,
- "resourceType": null
- },
- "onlyStatus": false
- }
- },
- "idSuffix": "sql_server_tdp_disabled",
- "notes": [
-
- ],
- "categories": [
-
- ]
-}
diff --git a/rules/findings/Azure/Databases/SQL Server/CIS1.4/azure-sql-server-vulnerability-assessments-disabled.json b/rules/findings/Azure/Databases/SQL Server/CIS1.4/azure-sql-server-vulnerability-assessments-disabled.json
deleted file mode 100644
index e19c78d8..00000000
--- a/rules/findings/Azure/Databases/SQL Server/CIS1.4/azure-sql-server-vulnerability-assessments-disabled.json
+++ /dev/null
@@ -1,125 +0,0 @@
-{
- "args": [
-
- ],
- "provider": "Azure",
- "serviceType": "SQL Server",
- "serviceName": "Databases",
- "displayName": "Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account",
- "description": "Consider to enable Vulnerability Assessment (VA) service scans for critical SQL servers and corresponding SQL databases.",
- "rationale": "Enabling Microsoft Defender for Cloud for SQL server does not enables Vulnerability Assessment capability for individual SQL databases unless storage account is set to store the scanning data and reports. \r\n\t\t\t\t The Vulnerability Assessment service scans databases for known security vulnerabilities and highlight deviations from best practices, such as misconfigurations, excessivepermissions, and unprotected sensitive data. Results of the scan include actionable steps to resolve each issue and provide customized remediation scripts where applicable. Additionally an assessment report can be customized by setting an acceptable baseline for permission configurations, feature configurations, and database settings.",
- "impact": "Enabling the **Microsoft Defender for Cloud** for SQL features will incur additional costs for each SQL server.",
- "remediation": {
- "text": "###### From Azure Console\r\n\t\t\t\t\t1. Go to `SQL servers`.\r\n\t\t\t\t\t2. Select a server instance\r\n\t\t\t\t\t3. Click on `Microsoft Defender for Cloud`\r\n\t\t\t\t\t4. Select `Enable Microsoft Defender for Cloud for SQL`\r\n\t\t\t\t\t5. In Section `Vulnerability Assessment Settings`, Click `Storage Account`\r\n\t\t\t\t\t6. Choose Storage Account (Existing or Create New). Click `Ok`\r\n\t\t\t\t\t7. Click `Save`",
- "code": {
- "powerShell": null,
- "iac": null,
- "terraform": null,
- "other": null
- }
- },
- "recommendation": null,
- "references": [
- "https://docs.microsoft.com/en-us/azure/sql-database/sql-vulnerability-assessment",
- "https://docs.microsoft.com/en-us/rest/api/sql/servervulnerabilityassessments/listbyserver",
- "https://docs.microsoft.com/en-in/powershell/module/Az.Sql/Update-AzSqlServerVulnerabilityAssessmentSetting?view=azps-2.6.0",
- "https://docs.microsoft.com/en-in/powershell/module/Az.Sql/Get-AzSqlServerVulnerabilityAssessmentSetting?view=azps-2.6.0",
- "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-posture-vulnerability-management#pv-6-perform-software-vulnerability-assessment"
- ],
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "4.2.2"
- }
- ],
- "level": "medium",
- "tags": [
-
- ],
- "rule": {
- "path": "az_sql_servers",
- "subPath": null,
- "selectCondition": {
-
- },
- "query": [
- {
- "filter": [
- {
- "conditions": [
- [
- "vaConfig.properties.storageContainerPath",
- "ne",
- "null"
- ]
- ]
- }
- ]
- }
- ],
- "shouldExist": "true",
- "returnObject": {
- "Microsoft Defender for Cloud": "Vulnerability Assessment",
- "Status": "Not configured"
- },
- "removeIfNotExists": null
- },
- "output": {
- "html": {
- "data": {
- "properties": {
- "name": "Server Name",
- "location": "Location",
- "resourceGroupName": "Resource group name",
- "fqdn": "FQDN",
- "vaConfig.properties.recurringScans.isEnabled": "VA Enabled"
- },
- "expandObject": null
- },
- "table": "asList",
- "decorate": [
-
- ],
- "emphasis": [
- "VA Enabled"
- ],
- "actions": {
- "objectData": {
- "expand": null,
- "limit": null
- },
- "showGoToButton": null,
- "showModalButton": null
- }
- },
- "text": {
- "data": {
- "properties": {
-
- },
- "expandObject": null
- },
- "status": {
- "keyName": [
-
- ],
- "message": "",
- "defaultMessage": null
- },
- "properties": {
- "resourceName": null,
- "resourceId": null,
- "resourceType": null
- },
- "onlyStatus": false
- }
- },
- "idSuffix": "sql_server_va_disabled",
- "notes": [
-
- ],
- "categories": [
-
- ]
-}
diff --git a/rules/findings/Azure/Databases/SQL Server/CIS1.4/azure-sql-server-vulnerability-assessments-reportsto-admins-disabled.json b/rules/findings/Azure/Databases/SQL Server/CIS1.4/azure-sql-server-vulnerability-assessments-reportsto-admins-disabled.json
deleted file mode 100644
index ff106130..00000000
--- a/rules/findings/Azure/Databases/SQL Server/CIS1.4/azure-sql-server-vulnerability-assessments-reportsto-admins-disabled.json
+++ /dev/null
@@ -1,122 +0,0 @@
-{
- "args": [
-
- ],
- "provider": "Azure",
- "serviceType": "SQL Server",
- "serviceName": "Databases",
- "displayName": "Ensure that VA setting \u0027Also send email notifications to admins and subscription owners\u0027 is set for a SQL server",
- "description": "Enable Vulnerability Assessment (VA) setting \u0027Also send email notifications to admins and subscription owners\u0027.",
- "rationale": "VA scan reports and alerts will be sent to admins and subscription owners by enabling setting \u0027Also send email notifications to admins and subscription owners\u0027. This may help in reducing time required for identifying risks and taking corrective measures.",
- "impact": "Enabling the **Microsoft Defender for Cloud** for SQL features will incur additional costs for each SQL server.",
- "remediation": {
- "text": "###### From Azure Console\r\n\t\t\t\t\t1. Go to `SQL servers`.\r\n\t\t\t\t\t2. Select a server instance\r\n\t\t\t\t\t3. Click on `Microsoft Defender for Cloud`\r\n\t\t\t\t\t4. Ensure that `Microsoft Defender for Cloud for SQL` is set to `Enabled`\r\n\t\t\t\t\t5. In Section `Vulnerability Assessment Settings`, Ensure Storage Accounts is configured.\r\n\t\t\t\t\t6. Check/enable \"Also send email notifications to admins and subscription owners\"\r\n\t\t\t\t\t7. Click `Save`",
- "code": {
- "powerShell": null,
- "iac": null,
- "terraform": null,
- "other": null
- }
- },
- "recommendation": null,
- "references": [
- "https://docs.microsoft.com/en-us/azure/sql-database/sql-vulnerability-assessment",
- "https://docs.microsoft.com/en-us/rest/api/sql/servervulnerabilityassessments/listbyserver",
- "https://docs.microsoft.com/en-in/powershell/module/Az.Sql/Update-AzSqlServerVulnerabilityAssessmentSetting?view=azps-2.6.0",
- "https://docs.microsoft.com/en-in/powershell/module/Az.Sql/Get-AzSqlServerVulnerabilityAssessmentSetting?view=azps-2.6.0",
- "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-posture-vulnerability-management#pv-6-perform-software-vulnerability-assessment"
- ],
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "4.2.5"
- }
- ],
- "level": "medium",
- "tags": [
-
- ],
- "rule": {
- "path": "az_sql_servers",
- "subPath": null,
- "selectCondition": {
-
- },
- "query": [
- {
- "filter": [
- {
- "conditions": [
- [
- "vaConfig.properties.recurringScans.emailSubscriptionAdmins",
- "ne",
- "true"
- ]
- ]
- }
- ]
- }
- ],
- "shouldExist": null,
- "returnObject": null,
- "removeIfNotExists": null
- },
- "output": {
- "html": {
- "data": {
- "properties": {
- "name": "Server Name",
- "location": "Location",
- "resourceGroupName": "Resource group name",
- "fqdn": "FQDN",
- "vaConfig.properties.recurringScans.emailSubscriptionAdmins": "SendTo"
- },
- "expandObject": null
- },
- "table": "asList",
- "decorate": [
-
- ],
- "emphasis": [
- "SendTo"
- ],
- "actions": {
- "objectData": {
- "expand": null,
- "limit": null
- },
- "showGoToButton": null,
- "showModalButton": null
- }
- },
- "text": {
- "data": {
- "properties": {
-
- },
- "expandObject": null
- },
- "status": {
- "keyName": [
-
- ],
- "message": "",
- "defaultMessage": null
- },
- "properties": {
- "resourceName": null,
- "resourceId": null,
- "resourceType": null
- },
- "onlyStatus": false
- }
- },
- "idSuffix": "sql_server_va_send_reports_admins_disabled",
- "notes": [
-
- ],
- "categories": [
-
- ]
-}
diff --git a/rules/findings/Azure/Databases/SQL Server/CIS1.4/azure-sql-server-vulnerability-assessments-send-reports-disabled.json b/rules/findings/Azure/Databases/SQL Server/CIS1.4/azure-sql-server-vulnerability-assessments-send-reports-disabled.json
deleted file mode 100644
index e07a6384..00000000
--- a/rules/findings/Azure/Databases/SQL Server/CIS1.4/azure-sql-server-vulnerability-assessments-send-reports-disabled.json
+++ /dev/null
@@ -1,122 +0,0 @@
-{
- "args": [
-
- ],
- "provider": "Azure",
- "serviceType": "SQL Server",
- "serviceName": "Databases",
- "displayName": "Ensure that VA setting Send scan reports to is configured for a SQL server",
- "description": "Configure \u0027Send scan reports to\u0027 with email ids of concerned data owners/stakeholders for a critical SQL servers.",
- "rationale": "Vulnerability Assessment (VA) scan reports and alerts will be sent to email ids configured at \u0027Send scan reports to\u0027. This may help in reducing time required for identifying risks and taking corrective measures.",
- "impact": "Enabling the **Microsoft Defender for Cloud** for SQL features will incur additional costs for each SQL server.",
- "remediation": {
- "text": "###### From Azure Console\r\n\t\t\t\t\t1. Go to `SQL servers`.\r\n\t\t\t\t\t2. Select a server instance\r\n\t\t\t\t\t3. Click on `Microsoft Defender for Cloud`\r\n\t\t\t\t\t4. Ensure that `Microsoft Defender for Cloud for SQL` is set to `Enabled`\r\n\t\t\t\t\t5. In Section `Vulnerability Assessment Settings`, Ensure Storage Accounts is configured.\r\n\t\t\t\t\t6. In Section `Vulnerability Assessment Settings`, Ensure Send scan reports to is not empty",
- "code": {
- "powerShell": null,
- "iac": null,
- "terraform": null,
- "other": null
- }
- },
- "recommendation": null,
- "references": [
- "https://docs.microsoft.com/en-us/azure/sql-database/sql-vulnerability-assessment",
- "https://docs.microsoft.com/en-us/rest/api/sql/servervulnerabilityassessments/listbyserver",
- "https://docs.microsoft.com/en-in/powershell/module/Az.Sql/Update-AzSqlServerVulnerabilityAssessmentSetting?view=azps-2.6.0",
- "https://docs.microsoft.com/en-in/powershell/module/Az.Sql/Get-AzSqlServerVulnerabilityAssessmentSetting?view=azps-2.6.0",
- "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-posture-vulnerability-management#pv-6-perform-software-vulnerability-assessment"
- ],
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "4.2.4"
- }
- ],
- "level": "medium",
- "tags": [
-
- ],
- "rule": {
- "path": "az_sql_servers",
- "subPath": null,
- "selectCondition": {
-
- },
- "query": [
- {
- "filter": [
- {
- "conditions": [
- [
- "vaConfig.properties.recurringScans.emails.Count",
- "eq",
- "0"
- ]
- ]
- }
- ]
- }
- ],
- "shouldExist": null,
- "returnObject": null,
- "removeIfNotExists": null
- },
- "output": {
- "html": {
- "data": {
- "properties": {
- "name": "Server Name",
- "location": "Location",
- "resourceGroupName": "Resource group name",
- "fqdn": "FQDN",
- "vaConfig.properties.recurringScans.emails": "SendTo"
- },
- "expandObject": null
- },
- "table": "asList",
- "decorate": [
-
- ],
- "emphasis": [
- "SendTo"
- ],
- "actions": {
- "objectData": {
- "expand": null,
- "limit": null
- },
- "showGoToButton": null,
- "showModalButton": null
- }
- },
- "text": {
- "data": {
- "properties": {
-
- },
- "expandObject": null
- },
- "status": {
- "keyName": [
-
- ],
- "message": "",
- "defaultMessage": null
- },
- "properties": {
- "resourceName": null,
- "resourceId": null,
- "resourceType": null
- },
- "onlyStatus": false
- }
- },
- "idSuffix": "sql_server_va_send_reports_empty",
- "notes": [
-
- ],
- "categories": [
-
- ]
-}
diff --git a/rules/findings/Azure/Databases/SQL Server/CIS1.4/azure-sql-server-vulnerability-periodic-assessments-disabled.json b/rules/findings/Azure/Databases/SQL Server/CIS1.4/azure-sql-server-vulnerability-periodic-assessments-disabled.json
deleted file mode 100644
index 1bc6bddd..00000000
--- a/rules/findings/Azure/Databases/SQL Server/CIS1.4/azure-sql-server-vulnerability-periodic-assessments-disabled.json
+++ /dev/null
@@ -1,128 +0,0 @@
-{
- "args": [
-
- ],
- "provider": "Azure",
- "serviceType": "SQL Server",
- "serviceName": "Databases",
- "displayName": "Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server",
- "description": "Enable Vulnerability Assessment (VA) Periodic recurring scans for critical SQL servers and corresponding SQL databases.",
- "rationale": "VA setting \u0027Periodic recurring scans\u0027 schedules periodic (weekly) vulnerability scanning for the SQL server and corresponding Databases. Periodic and regular vulnerability scanning provides risk visibility based on updated known vulnerability signatures and best practices.",
- "impact": "Enabling the **Microsoft Defender for Cloud** for SQL features will incur additional costs for each SQL server.",
- "remediation": {
- "text": "###### From Azure Console\r\n\t\t\t\t\t1. Go to `SQL servers`.\r\n\t\t\t\t\t2. Select a server instance\r\n\t\t\t\t\t3. Click on `Microsoft Defender for Cloud`\r\n\t\t\t\t\t4. Ensure that `Microsoft Defender for Cloud for SQL` is set to `Enabled`\r\n\t\t\t\t\t5. In Section `Vulnerability Assessment Settings`, Ensure Storage Accounts is configured.\r\n\t\t\t\t\t6. In Section `Vulnerability Assessment Settings`, Ensure Periodic recurring scans is set to `On`",
- "code": {
- "powerShell": null,
- "iac": null,
- "terraform": null,
- "other": null
- }
- },
- "recommendation": null,
- "references": [
- "https://docs.microsoft.com/en-us/azure/sql-database/sql-vulnerability-assessment",
- "https://docs.microsoft.com/en-us/rest/api/sql/servervulnerabilityassessments/listbyserver",
- "https://docs.microsoft.com/en-in/powershell/module/Az.Sql/Update-AzSqlServerVulnerabilityAssessmentSetting?view=azps-2.6.0",
- "https://docs.microsoft.com/en-in/powershell/module/Az.Sql/Get-AzSqlServerVulnerabilityAssessmentSetting?view=azps-2.6.0",
- "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-posture-vulnerability-management#pv-6-perform-software-vulnerability-assessment"
- ],
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "4.2.3"
- }
- ],
- "level": "medium",
- "tags": [
-
- ],
- "rule": {
- "path": "az_sql_servers",
- "subPath": null,
- "selectCondition": {
-
- },
- "query": [
- {
- "filter": [
- {
- "conditions": [
- [
- "vaConfig.properties.recurringScans.isEnabled",
- "eq",
- "False"
- ]
- ]
- }
- ]
- }
- ],
- "shouldExist": null,
- "returnObject": null,
- "removeIfNotExists": null
- },
- "output": {
- "html": {
- "data": {
- "properties": {
- "name": "Server Name",
- "location": "Location",
- "resourceGroupName": "Resource group name",
- "fqdn": "FQDN",
- "vaConfig.properties.recurringScans.isEnabled": "Recurring Scans"
- },
- "expandObject": null
- },
- "table": "Normal",
- "decorate": [
-
- ],
- "emphasis": [
-
- ],
- "actions": {
- "objectData": {
- "expand": [
- "name",
- "location",
- "resourceGroupName",
- "fqdn",
- "vaConfig"
- ],
- "limit": null
- },
- "showGoToButton": "True",
- "showModalButton": "True"
- }
- },
- "text": {
- "data": {
- "properties": {
-
- },
- "expandObject": null
- },
- "status": {
- "keyName": [
-
- ],
- "message": "",
- "defaultMessage": null
- },
- "properties": {
- "resourceName": null,
- "resourceId": null,
- "resourceType": null
- },
- "onlyStatus": false
- }
- },
- "idSuffix": "sql_server_va_periodic_disabled",
- "notes": [
-
- ],
- "categories": [
-
- ]
-}
diff --git a/rules/findings/Azure/Defender/CIS1.4/cloud-app-security-missing-security-center-integration.json b/rules/findings/Azure/Defender/CIS1.4/cloud-app-security-missing-security-center-integration.json
deleted file mode 100644
index dc285def..00000000
--- a/rules/findings/Azure/Defender/CIS1.4/cloud-app-security-missing-security-center-integration.json
+++ /dev/null
@@ -1,124 +0,0 @@
-{
- "args": [
-
- ],
- "provider": "Azure",
- "serviceType": "Microsoft Defender for Cloud",
- "serviceName": "Subscription",
- "displayName": "Ensure that Microsoft Defender for Cloud Apps (MDA) integration with Microsoft Defender for Cloud is selected",
- "description": "This setting enables Microsoft Defender for Cloud Apps (MDA) integration with Microsoft Defender for Cloud.",
- "rationale": "Microsoft Defender for Cloud offers an additional layer of protection by using Azure Resource Manager events, which is considered to be the control plane for Azure. By analyzing the Azure Resource Manager records, Microsoft Defender for Cloud detects unusual or potentially harmful operations in the Azure subscription environment. Several of the preceding analytics are powered by Microsoft Cloud App Security. To benefit from these analytics, subscription must have a Cloud App Security license. \r\n\t\t\t\t MCAS works only with Standard Tier subscriptions.",
- "impact": "MCAS works with Standard pricing tier Subscription.Choosing the Standard pricing tier of Microsoft Defender for Cloud incurs an additional cost per resource.",
- "remediation": {
- "text": "###### From Azure Console\r\n\t\t\t\t\t1. Go to `Microsoft Defender for Cloud`\r\n\t\t\t\t\t2. Select `Pricing \u0026 settings` blade\r\n\t\t\t\t\t3. Click on the subscription name\r\n\t\t\t\t\t4. Select the `Threat Detection` blade\r\n\t\t\t\t\t5. Check/Enable option `Allow Microsoft Cloud App Security to access my data`\r\n\t\t\t\t\t6. Select `Save`",
- "code": {
- "powerShell": null,
- "iac": null,
- "terraform": null,
- "other": null
- }
- },
- "recommendation": null,
- "references": [
- "https://docs.microsoft.com/en-in/azure/security-center/security-center-alerts-service-layer#azure-management-layer-azure-resource-manager-preview",
- "https://docs.microsoft.com/en-us/rest/api/securitycenter/settings/list",
- "https://docs.microsoft.com/en-us/rest/api/securitycenter/settings/update",
- "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-identity-management#im-8-secure-user-access-to-legacy-applications"
- ],
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "2.10"
- }
- ],
- "level": "medium",
- "tags": [
-
- ],
- "rule": {
- "path": "az_security_center_config",
- "subPath": null,
- "selectCondition": {
-
- },
- "query": [
- {
- "filter": [
- {
- "conditions": [
- [
- "name",
- "eq",
- "MCAS"
- ],
- [
- "properties.pricingTier",
- "eq",
- "Free"
- ]
- ],
- "operator": "and"
- }
- ]
- }
- ],
- "shouldExist": null,
- "returnObject": null,
- "removeIfNotExists": null
- },
- "output": {
- "html": {
- "data": {
- "properties": {
- "name": "Resource Name",
- "properties.pricingTier": "Pricing Tier"
- },
- "expandObject": null
- },
- "table": "asList",
- "decorate": [
-
- ],
- "emphasis": [
- "Pricing Tier"
- ],
- "actions": {
- "objectData": {
- "expand": null,
- "limit": null
- },
- "showGoToButton": null,
- "showModalButton": null
- }
- },
- "text": {
- "data": {
- "properties": {
-
- },
- "expandObject": null
- },
- "status": {
- "keyName": [
-
- ],
- "message": "",
- "defaultMessage": null
- },
- "properties": {
- "resourceName": null,
- "resourceId": null,
- "resourceType": null
- },
- "onlyStatus": false
- }
- },
- "idSuffix": "cloud_app_security_missing_sec_center_integration",
- "notes": [
-
- ],
- "categories": [
-
- ]
-}
diff --git a/rules/findings/Azure/Defender/CIS1.4/windows-defender-missing-security-center-integration.json b/rules/findings/Azure/Defender/CIS1.4/windows-defender-missing-security-center-integration.json
deleted file mode 100644
index 3dee32f0..00000000
--- a/rules/findings/Azure/Defender/CIS1.4/windows-defender-missing-security-center-integration.json
+++ /dev/null
@@ -1,125 +0,0 @@
-{
- "args": [
-
- ],
- "provider": "Azure",
- "serviceType": "Microsoft Defender for Cloud",
- "serviceName": "Subscription",
- "displayName": "Ensure that Windows Defender ATP (WDATP) integration with Microsoft Defender for Cloud is selected",
- "description": "This setting enables Windows Defender ATP (WDATP) integration with Microsoft Defender for Cloud.",
- "rationale": "WDATP integration brings comprehensive Endpoint Detection and Response (EDR) capabilities within Microsoft Defender for Cloud. This integration helps to spot abnormalities, detect and respond to advanced attacks on Windows server endpoints monitored by Microsoft Defender for Cloud. Windows Defender ATP in Microsoft Defender for Cloud supports detection on Windows Server 2016, 2012 R2, and 2008 R2 SP1 operating systems in a Standard service subscription. \r\n\t\t\t\t WDATP works only with Standard Tier subscriptions.",
- "impact": "WDATP works with Standard pricing tier Subscription.Choosing the Standard pricing tier of Microsoft Defender for Cloud incurs an additional cost per resource.",
- "remediation": {
- "text": "###### From Azure Console\r\n\t\t\t\t\t1. Go to `Microsoft Defender for Cloud`\r\n\t\t\t\t\t2. Select `Security policy` blade\r\n\t\t\t\t\t3. Click on `Edit Settings` to alter the the security policy for a subscription\r\n\t\t\t\t\t4. Select the `Threat Detection` blade\r\n\t\t\t\t\t5. Check/Enable option `Allow Windows Defender ATP to access my data`\r\n\t\t\t\t\t6. Select `Save`",
- "code": {
- "powerShell": null,
- "iac": null,
- "terraform": null,
- "other": null
- }
- },
- "recommendation": null,
- "references": [
- "https://docs.microsoft.com/en-in/azure/security-center/security-center-wdatp",
- "https://docs.microsoft.com/en-us/rest/api/securitycenter/settings/list",
- "https://docs.microsoft.com/en-us/rest/api/securitycenter/settings/update",
- "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-endpoint-security#es-1-use-endpoint-detection-and-response-edr",
- "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-endpoint-security#es-2-use-centrally-managed-modern-anti-malware-software"
- ],
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "2.9"
- }
- ],
- "level": "medium",
- "tags": [
-
- ],
- "rule": {
- "path": "az_security_center_config",
- "subPath": null,
- "selectCondition": {
-
- },
- "query": [
- {
- "filter": [
- {
- "conditions": [
- [
- "name",
- "eq",
- "WDATP"
- ],
- [
- "properties.pricingTier",
- "eq",
- "Free"
- ]
- ],
- "operator": "and"
- }
- ]
- }
- ],
- "shouldExist": null,
- "returnObject": null,
- "removeIfNotExists": null
- },
- "output": {
- "html": {
- "data": {
- "properties": {
- "name": "Resource Name",
- "properties.pricingTier": "Pricing Tier"
- },
- "expandObject": null
- },
- "table": "asList",
- "decorate": [
-
- ],
- "emphasis": [
- "Pricing Tier"
- ],
- "actions": {
- "objectData": {
- "expand": null,
- "limit": null
- },
- "showGoToButton": null,
- "showModalButton": null
- }
- },
- "text": {
- "data": {
- "properties": {
-
- },
- "expandObject": null
- },
- "status": {
- "keyName": [
-
- ],
- "message": "",
- "defaultMessage": null
- },
- "properties": {
- "resourceName": null,
- "resourceId": null,
- "resourceType": null
- },
- "onlyStatus": false
- }
- },
- "idSuffix": "windows_defender_atp_missing_integration",
- "notes": [
-
- ],
- "categories": [
-
- ]
-}
diff --git a/rules/findings/Azure/Defender/CIS1.5/azure-defender-missing-sql-database-protection.json b/rules/findings/Azure/Defender/CIS1.5/azure-defender-missing-sql-database-protection.json
deleted file mode 100644
index 8fc43b05..00000000
--- a/rules/findings/Azure/Defender/CIS1.5/azure-defender-missing-sql-database-protection.json
+++ /dev/null
@@ -1,123 +0,0 @@
-{
- "args": [
-
- ],
- "provider": "Azure",
- "serviceType": "Microsoft Defender for Cloud",
- "serviceName": "Subscription",
- "displayName": "Ensure That Microsoft Defender for Databases Is Set To \u0027On\u0027",
- "description": "Turning on Microsoft Defender for Databases enables threat detection for the instances running your database software. This provides threat intelligence, anomaly detection, and behavior analytics in the Azure Microsoft Defender for Cloud. Instead of being enabled on services like Platform as a Service (PaaS), this implementation will run within your instances as Infrastructure as a Service (IaaS) on the Operating Systems hosting your databases.",
- "rationale": "Enabling Microsoft Defender for Azure SQL Databases allows your organization more granular control of the infrastructure running your database software. Instead of waiting on Microsoft release updates or other similar processes, you can manage them yourself. Threat detection is provided by the Microsoft Security Response Center (MSRC).",
- "impact": "Running Defender on Infrastructure as a service (IaaS) may incur increased costs associated with running the service and the instance it is on. Similarly, you will need qualified personnel to maintain the operating system and software updates. If it is not maintained, security patches will not be applied and it may be open to vulnerabilities.",
- "remediation": {
- "text": "###### From Azure Console\r\n\t\t\t\t\t1. Go to `Microsoft Defender for Cloud`\r\n\t\t\t\t\t2. Select `Environment settings`\r\n\t\t\t\t\t3. Click on the subscription name\r\n\t\t\t\t\t4. Select the `Defender plans` blade\r\n\t\t\t\t\t5. Review the chosen pricing tier. For the `Databases` resource type the radial button should be set to `On`\r\n\t\t\t\t\t6. Select `Save`",
- "code": {
- "powerShell": null,
- "iac": null,
- "terraform": null,
- "other": null
- }
- },
- "recommendation": null,
- "references": [
- "https://learn.microsoft.com/en-us/azure/azure-sql/database/azure-defender-for-sql?view=azuresql",
- "https://learn.microsoft.com/en-us/azure/defender-for-cloud/quickstart-enable-database-protections",
- "https://learn.microsoft.com/en-us/azure/defender-for-cloud/alerts-overview"
- ],
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.5.0",
- "reference": "2.1.3"
- }
- ],
- "level": "medium",
- "tags": [
-
- ],
- "rule": {
- "path": "az_pricing_tier",
- "subPath": null,
- "selectCondition": {
-
- },
- "query": [
- {
- "filter": [
- {
- "conditions": [
- [
- "name",
- "eq",
- "_ARG_0_"
- ],
- [
- "properties.pricingTier",
- "eq",
- "Free"
- ]
- ],
- "operator": "and"
- }
- ]
- }
- ],
- "shouldExist": null,
- "returnObject": null,
- "removeIfNotExists": null
- },
- "output": {
- "html": {
- "data": {
- "properties": {
- "name": "Resource Name",
- "properties.pricingTier": "Pricing Tier"
- },
- "expandObject": null
- },
- "table": "asList",
- "decorate": [
-
- ],
- "emphasis": [
- "Pricing Tier"
- ],
- "actions": {
- "objectData": {
- "expand": null,
- "limit": null
- },
- "showGoToButton": null,
- "showModalButton": null
- }
- },
- "text": {
- "data": {
- "properties": {
-
- },
- "expandObject": null
- },
- "status": {
- "keyName": [
-
- ],
- "message": "",
- "defaultMessage": null
- },
- "properties": {
- "resourceName": null,
- "resourceId": null,
- "resourceType": null
- },
- "onlyStatus": false
- }
- },
- "idSuffix": "azure_defender_missing_sql_database_protection",
- "notes": [
-
- ],
- "categories": [
-
- ]
-}
diff --git a/rules/findings/Azure/Defender/CIS3.0/azure-agentless-container-vulnerability-assessment-disabled.json b/rules/findings/Azure/Defender/CIS3.0/azure-agentless-container-vulnerability-assessment-disabled.json
new file mode 100644
index 00000000..0efb8337
--- /dev/null
+++ b/rules/findings/Azure/Defender/CIS3.0/azure-agentless-container-vulnerability-assessment-disabled.json
@@ -0,0 +1,123 @@
+{
+ "args": [
+
+ ],
+ "provider": "Azure",
+ "serviceType": "Microsoft Defender for Cloud",
+ "serviceName": "Subscription",
+ "displayName": "Ensure that 'Agentless container vulnerability assessment' component status is 'On'",
+ "description": "Enable automatic vulnerability management for images stored in ACR or running in AKS clusters.",
+ "rationale": "Agentless vulnerability scanning will examine container images - whether running or in storage - for vulnerable configurations.",
+ "impact": "
+ Agentless container vulnerability assessment requires licensing and is included in:
+ * Defender CSPM
+ * Defender for Containers plans.
+ ",
+ "remediation": {
+ "text": "###### Audit from Azure Portal
+ 1. From the Azure Portal Home page, select Microsoft Defender for Cloud
+ 2. Under Management select Environment Settings
+ 3. Select a subscription
+ 4. Under Settings > Defender Plans, click Settings & monitoring
+ 5. Locate the row for Agentless container vulnerability assessment
+ 6. Select On
+ 7. Click Continue in the top left
+
+ Repeat the above for any additional subscriptions.
+ ",
+ "code": {
+ "powerShell": null,
+ "iac": null,
+ "terraform": null,
+ "other": null
+ }
+ },
+ "recommendation": null,
+ "references": [
+ "https://docs.microsoft.com/en-us/azure/defender-for-cloud/defender-for-containers-introduction",
+ "https://docs.microsoft.com/en-us/azure/defender-for-cloud/enable-data-collection?tabs=autoprovision-containers",
+ "https://msdn.microsoft.com/en-us/library/mt704062.aspx",
+ "https://msdn.microsoft.com/en-us/library/mt704063.aspx",
+ "https://docs.microsoft.com/en-us/rest/api/securitycenter/autoprovisioningsettings/list",
+ "https://docs.microsoft.com/en-us/rest/api/securitycenter/autoprovisioningsettings/create",
+ "https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-incident-response#ir-2-preparation---setup-incident-notification"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "3.0.0",
+ "reference": "3.1.4.3",
+ "profile":"Level 2"
+ }
+ ],
+ "level": "medium",
+ "tags": [
+
+ ],
+ "rule": {
+ "path": "",
+ "subPath": null,
+ "selectCondition": {
+
+ },
+ "query": [
+ ],
+ "shouldExist": null,
+ "returnObject": null,
+ "removeIfNotExists": null
+ },
+ "output": {
+ "html": {
+ "data": {
+ "expandObject": null
+ },
+ "table": "asList",
+ "decorate": [
+
+ ],
+ "emphasis": [
+ ],
+ "actions": {
+ "objectData": {
+ "properties": [
+
+ ],
+ "expandObject": null,
+ "limit": null
+ },
+ "showGoToButton": null,
+ "showModalButton": null,
+ "directLink": null
+ }
+ },
+ "text": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "status": {
+ "keyName": [
+
+ ],
+ "message": "",
+ "defaultMessage": null
+ },
+ "properties": {
+ "resourceName": null,
+ "resourceId": null,
+ "resourceType": null
+ },
+ "onlyStatus": false
+ }
+ },
+ "idSuffix": "azure_defender_missing_agentless_container_vulnerability",
+ "notes": [
+
+ ],
+ "categories": [
+
+ ]
+}
+
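Review bot: The `impact` and `remediation.text` values in this new file contain raw line breaks inside JSON string literals, which RFC 8259 forbids, so a strict parser rejects the whole finding; the other findings in this diff encode them as escapes, e.g. `"impact": "Agentless container vulnerability assessment requires licensing and is included in:\r\n\t\t\t\t * Defender CSPM\r\n\t\t\t\t * Defender for Containers plans.",` and the remediation steps should be joined the same way on one line. The next new file, `azure-agentless-discovery-for-kubernetes-disabled.json`, has the same two unescaped strings. Separately, `rule.path` is `""` and `rule.query` is `[]`, so the finding carries no evaluation logic and can never raise; if it is a placeholder until the component-status data is collected, a `notes` entry saying so would keep it from reading as coverage of CIS 3.0.0 control 3.1.4.3. Minor: the `references` list looks copied from an auto-provisioning finding (the `mt704062`/`mt704063` msdn pages, the `autoprovisioningsettings` REST endpoints and an incident-notification MCSB link, none of which concern container vulnerability assessment), and `"profile":"Level 2"` lacks the space after the colon used by the other compliance entries.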
diff --git a/rules/findings/Azure/Defender/CIS3.0/azure-agentless-discovery-for-kubernetes-disabled.json b/rules/findings/Azure/Defender/CIS3.0/azure-agentless-discovery-for-kubernetes-disabled.json
new file mode 100644
index 00000000..3c35ca49
--- /dev/null
+++ b/rules/findings/Azure/Defender/CIS3.0/azure-agentless-discovery-for-kubernetes-disabled.json
@@ -0,0 +1,123 @@
+{
+ "args": [
+
+ ],
+ "provider": "Azure",
+ "serviceType": "Microsoft Defender for Cloud",
+ "serviceName": "Subscription",
+ "displayName": "Ensure that 'Agentless discovery for Kubernetes' component status 'On'",
+ "description": "Enable automatic discovery and configuration scanning of the Microsoft Kubernetes clusters.",
+ "rationale": "As with any compute resource, Container environments require hardening and run-time protection to ensure safe operations and detection of threats and vulnerabilities.",
+ "impact": "
+ Agentless discovery for Kubernetes requires licensing and is included in:
+ * Defender CSPM
+ * Defender for Containers plans.
+ ",
+ "remediation": {
+ "text": "###### Audit from Azure Portal
+ 1. From the Azure Portal Home page, select Microsoft Defender for Cloud
+ 2. Under Management select Environment Settings
+ 3. Select a subscription
+ 4. Under Settings > Defender Plans, click Settings & monitoring
+ 5. Locate the row for Agentless discovery for Kubernetes
+ 6. Select On
+ 7. Click Continue in the top left
+
+ Repeat the above for any additional subscriptions.
+ ",
+ "code": {
+ "powerShell": null,
+ "iac": null,
+ "terraform": null,
+ "other": null
+ }
+ },
+ "recommendation": null,
+ "references": [
+ "https://docs.microsoft.com/en-us/azure/defender-for-cloud/defender-for-containers-introduction",
+ "https://docs.microsoft.com/en-us/azure/defender-for-cloud/enable-data-collection?tabs=autoprovision-containers",
+ "https://msdn.microsoft.com/en-us/library/mt704062.aspx",
+ "https://msdn.microsoft.com/en-us/library/mt704063.aspx",
+ "https://docs.microsoft.com/en-us/rest/api/securitycenter/autoprovisioningsettings/list",
+ "https://docs.microsoft.com/en-us/rest/api/securitycenter/autoprovisioningsettings/create",
+ "https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-incident-response#ir-2-preparation---setup-incident-notification"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "3.0.0",
+ "reference": "3.1.4.2",
+ "profile":"Level 2"
+ }
+ ],
+ "level": "medium",
+ "tags": [
+
+ ],
+ "rule": {
+ "path": "",
+ "subPath": null,
+ "selectCondition": {
+
+ },
+ "query": [
+ ],
+ "shouldExist": null,
+ "returnObject": null,
+ "removeIfNotExists": null
+ },
+ "output": {
+ "html": {
+ "data": {
+ "expandObject": null
+ },
+ "table": "asList",
+ "decorate": [
+
+ ],
+ "emphasis": [
+ ],
+ "actions": {
+ "objectData": {
+ "properties": [
+
+ ],
+ "expandObject": null,
+ "limit": null
+ },
+ "showGoToButton": null,
+ "showModalButton": null,
+ "directLink": null
+ }
+ },
+ "text": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "status": {
+ "keyName": [
+
+ ],
+ "message": "",
+ "defaultMessage": null
+ },
+ "properties": {
+ "resourceName": null,
+ "resourceId": null,
+ "resourceType": null
+ },
+ "onlyStatus": false
+ }
+ },
+ "idSuffix": "azure_defender_missing_agentless_discovery_for_kubernetes",
+ "notes": [
+
+ ],
+ "categories": [
+
+ ]
+}
+
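Review bot: The `impact` string and the `remediation.text` string in this new file contain literal line breaks, which RFC 8259 forbids inside a string value (control characters must be escaped), so a strict JSON parser rejects the whole rule file. The existing rules in this repository escape them instead — the provisioning-policy rule in this same change writes `"text": "###### From Azure Console\r\n\t\t\t\t\t1. Go to ..."` on one line — so these should be collapsed to a single line with `\n` (or `\r\n`) between the bullet and step items. The same literal-newline strings appear in the `impact` of the agentless-scanning-for-machines hunk and in the `description` of the provisioning-policy, EASM, Defender-for-Containers and Defender-for-DNS hunks further down. Even if the consuming parser happens to be lenient, jq, schema validators and editor tooling will fail on these files, so it is worth fixing before merge.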
diff --git a/rules/findings/Azure/Virtual Machines/CIS1.4/azure-vm-antimalware-disabled.json b/rules/findings/Azure/Defender/CIS3.0/azure-agentless-scanning-for-machines-disabled.json
similarity index 64%
rename from rules/findings/Azure/Virtual Machines/CIS1.4/azure-vm-antimalware-disabled.json
rename to rules/findings/Azure/Defender/CIS3.0/azure-agentless-scanning-for-machines-disabled.json
index 4a59a2d1..64b98ef6 100644
--- a/rules/findings/Azure/Virtual Machines/CIS1.4/azure-vm-antimalware-disabled.json
+++ b/rules/findings/Azure/Defender/CIS3.0/azure-agentless-scanning-for-machines-disabled.json
@@ -1,14 +1,18 @@
-{
+{
"args": [
],
"provider": "Azure",
- "serviceType": "Azure Virtual Machines",
- "serviceName": "Compute",
- "displayName": "Install endpoint protection for all virtual machines",
- "description": "Installing endpoint protection systems (like Antimalware for Azure) provides for real-time protection capability that helps identify and remove viruses, spyware, and other malicious software, with configurable alerts when known malicious or unwanted software attempts to install itself or run on Azure systems",
- "rationale": null,
- "impact": null,
+ "serviceType": "Microsoft Defender for Cloud",
+ "serviceName": "Subscription",
+ "displayName": "Ensure that 'Agentless scanning for machines' component status is set to 'On'",
+ "description": "Using disk snapshots, the agentless scanner scans for installed software, vulnerabilities, and plain text secrets.",
+ "rationale": "The Microsoft Defender for Cloud agentless machine scanner provides threat detection, vulnerability detection, and discovery of sensitive information.",
+ "impact": "
+ Agentless scanning for machines requires licensing and is included in these plans:
+ * Defender CSPM
+ * Defender for Servers plan 2
+ ",
"remediation": {
"text": null,
"code": {
@@ -25,8 +29,10 @@
"compliance": [
{
"name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "7.6"
+ "version": "3.0.0",
+ "reference": "3.1.3.4",
+ "profile":"Level 2"
+
}
],
"level": "medium",
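Review bot: The new compliance entry has a stray blank line between `"profile":"Level 2"` and the closing brace, and `profile` is the only key in the file written without a space after the colon. Both are harmless to a parser but break the file's otherwise uniform formatting, so drop the blank line and write `"profile": "Level 2"`. The same `"profile":"Level …"` spacing appears in every other compliance block this change adds.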
@@ -34,25 +40,12 @@
],
"rule": {
- "path": "az_virtual_machines",
+ "path": "",
"subPath": null,
"selectCondition": {
},
"query": [
- {
- "filter": [
- {
- "conditions": [
- [
- "isAVAgentInstalled",
- "eq",
- "false"
- ]
- ]
- }
- ]
- }
],
"shouldExist": null,
"returnObject": null,
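Review bot: This hunk removes the rule's only detection logic — `path` goes from `az_virtual_machines` to an empty string and the `isAVAgentInstalled eq false` filter is deleted — without putting anything in its place, so the renamed finding declares CIS 3.1.3.4 coverage but has nothing to evaluate. If an empty `path` is how this engine marks a manual check, say so in `notes`; otherwise the rule needs a `path` pointing at the Defender plan/settings data and a `query` that selects the subscription where agentless scanning is off. The newly added agentless-discovery, MCSB-policies, EASM and Defender-for-Cloud-Apps rules in this change ship with the same empty `path` and `query`. Repurposing the old antimalware file this way also silently drops the VM endpoint-protection check; if consumers relied on `az_vm_antimalware_disabled`, a separate deletion or an explicit note would make that visible.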
@@ -79,11 +72,15 @@
],
"actions": {
"objectData": {
- "expand": null,
+ "properties": [
+
+ ],
+ "expandObject": null,
"limit": null
},
"showGoToButton": null,
- "showModalButton": null
+ "showModalButton": null,
+ "directLink": null
}
},
"text": {
@@ -108,7 +105,7 @@
"onlyStatus": false
}
},
- "idSuffix": "az_vm_antimalware_disabled",
+ "idSuffix": "az_agentless_scanning_for_machines_disabled",
"notes": [
],
@@ -116,3 +113,4 @@
]
}
+
diff --git a/rules/findings/Azure/Virtual Machines/CIS1.4/azure-automatic-vm-agent-provisioning-policy-disabled.json b/rules/findings/Azure/Defender/CIS3.0/azure-automatic-vm-agent-provisioning-policy-disabled.json
similarity index 68%
rename from rules/findings/Azure/Virtual Machines/CIS1.4/azure-automatic-vm-agent-provisioning-policy-disabled.json
rename to rules/findings/Azure/Defender/CIS3.0/azure-automatic-vm-agent-provisioning-policy-disabled.json
index 64ab2e68..461459ef 100644
--- a/rules/findings/Azure/Virtual Machines/CIS1.4/azure-automatic-vm-agent-provisioning-policy-disabled.json
+++ b/rules/findings/Azure/Defender/CIS3.0/azure-automatic-vm-agent-provisioning-policy-disabled.json
@@ -1,13 +1,15 @@
-{
+{
"args": [
],
"provider": "Azure",
- "serviceType": "Subscription Policies",
+ "serviceType": "Microsoft Defender for Cloud",
"serviceName": "Subscription",
- "displayName": "Ensure that \u0027Automatic provisioning of monitoring agent\u0027 is set to \u0027On\u0027",
- "description": "Consider to enable automatic provisioning of the monitoring agent to collect security data.",
- "rationale": "When `Automatic provisioning of monitoring agent` is turned on, Microsoft Defender for Cloud provisions the Microsoft Monitoring Agent on all existing supported Azure virtual machines and any new ones that are created. The Microsoft Monitoring Agent scans for various security-related configurations and events such as system updates, OS vulnerabilities, endpoint protection, and provides alerts.",
+ "displayName": "Ensure that Auto provisioning of 'Log Analytics agent for Azure VMs' is Set to 'On'",
+ "description": "Enable automatic provisioning of the monitoring agent to collect security data.
+ *DEPRECATION PLANNED:* The Log Analytics Agent is slated for deprecation in August 2024. The Microsoft Defender for Endpoint agent, in tandem with new agentless capabilities will be providing replacement functionality. More detail is available here: https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/microsoftdefender-for-cloud-strategy-and-plan-towards-log/ba-p/3883341.
+ ",
+ "rationale": "When `Log Analytics agent for Azure VMs` is turned on, Microsoft Defender for Cloud provisions the Microsoft Monitoring Agent on all existing supported Azure virtual machines and any new ones that are created. The Microsoft Monitoring Agent scans for various security-related configurations and events such as system updates, OS vulnerabilities, endpoint protection, and provides alerts.",
"impact": null,
"remediation": {
"text": "###### From Azure Console\r\n\t\t\t\t\t1. Go to `Microsoft Defender for Cloud`\r\n\t\t\t\t\t2. Select `Pricing \u0026 settings` blade\r\n\t\t\t\t\t3. Click on the subscription name\r\n\t\t\t\t\t4. Click on `Data Collection`\r\n\t\t\t\t\t5. Set `Automatic provisioning` to `On`\r\n\t\t\t\t\t6. Select `Save`",
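Review bot: The techcommunity URL in the new `description` reads `microsoftdefender-for-cloud-strategy-and-plan-towards-log`, which looks like a hyphen was lost when the text was pasted from the benchmark (`microsoft-defender-for-cloud-…`); verify that the link resolves before merging. The deprecation sentence also hard-codes a date (August 2024) into the `description`; consider moving that sentence to `notes` so the description stays accurate once the deadline has passed.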
@@ -31,8 +33,9 @@
"compliance": [
{
"name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "2.11"
+ "version": "3.0.0",
+ "reference": "3.1.1.1",
+ "profile":"Level 1"
}
],
"level": "medium",
@@ -81,13 +84,15 @@
],
"actions": {
"objectData": {
- "expand": [
+ "properties": [
"*"
],
+ "expandObject": null,
"limit": null
},
"showGoToButton": false,
- "showModalButton": false
+ "showModalButton": false,
+ "directLink": null
}
},
"text": {
@@ -120,3 +125,4 @@
]
}
+
diff --git a/rules/findings/Azure/Defender/CIS3.0/azure-cloud-security-benchmark-policies-disabled.json b/rules/findings/Azure/Defender/CIS3.0/azure-cloud-security-benchmark-policies-disabled.json
new file mode 100644
index 00000000..fa853816
--- /dev/null
+++ b/rules/findings/Azure/Defender/CIS3.0/azure-cloud-security-benchmark-policies-disabled.json
@@ -0,0 +1,109 @@
+{
+ "args": [
+
+ ],
+ "provider": "Azure",
+ "serviceType": "Microsoft Defender for Cloud",
+ "serviceName": "Subscription",
+ "displayName": "Ensure that Microsoft Cloud Security Benchmark policies are not set to 'Disabled'",
+ "description": "The Microsoft Cloud Security Benchmark (or `MCSB`) is an Azure Policy Initiative containing many security policies to evaluate resource configuration against best practice recommendations. If a policy in the MCSB is set with effect type Disabled, it is not evaluated and may prevent administrators from being informed of valuable security recommendations.",
+ "rationale":'A security policy defines the desired configuration of resources in your environment and helps ensure compliance with company or regulatory security requirements. The MCSB Policy Initiative a set of security recommendations based on best practices and is associated with every subscription by default. When a policy `Effect` is set to `Audit`, policies in the MCSB ensure that Defender for Cloud evaluates relevant resources for supported recommendations. To ensure that policies within the MCSB are not being missed when the Policy Initiative is evaluated, none of the policies should have an Effect of `Disabled`.',
+ "impact": "Policies within the MCSB default to an effect of `Audit` and will evaluate - but not enforce - policy recommendations. Ensuring these policies are set to `Audit` simply ensures that the evaluation occurs to allow administrators to understand where an improvement may be possible. Administrators will need to determine if the recommendations are relevant and desirable for their environment, then manually take action to resolve the status if desired.",
+ "remediation": {
+ "text":'Follow Microsoft Azure documentation to apply security patches from the security center. Alternatively, you can employ your own patch assessment and management tool to periodically assess, report, and install the required security patches for your OS.' ,
+ "code": {
+ "powerShell": null,
+ "iac": null,
+ "terraform": null,
+ "other": null
+ }
+ },
+ "recommendation": null,
+ "references": [
+ "https://docs.microsoft.com/en-us/azure/security-center/security-center-policies",
+ "https://docs.microsoft.com/en-us/azure/security-center/security-center-enable-transparent-data-encryption",
+ "https://msdn.microsoft.com/en-us/library/mt704062.aspx",
+ "https://msdn.microsoft.com/en-us/library/mt704063.aspx",
+ "https://docs.microsoft.com/en-us/rest/api/policy/policy-assignments/get",
+ "https://docs.microsoft.com/en-us/rest/api/policy/policy-assignments/create",
+ "https://docs.microsoft.com/en-in/azure/security-center/tutorial-security-policy"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "3.0.0",
+ "reference": "3.1.11",
+ "profile":"Level 1"
+ }
+ ],
+ "level": "medium",
+ "tags": [
+
+ ],
+ "rule": {
+ "path": "",
+ "subPath": null,
+ "selectCondition": {
+
+ },
+ "query": [
+ ],
+ "shouldExist": null,
+ "returnObject": null,
+ "removeIfNotExists": null
+ },
+ "output": {
+ "html": {
+ "data": {
+ "expandObject": null
+ },
+ "table": "asList",
+ "decorate": [
+
+ ],
+ "emphasis": [
+ ],
+ "actions": {
+ "objectData": {
+ "properties": [
+
+ ],
+ "expandObject": null,
+ "limit": null
+ },
+ "showGoToButton": null,
+ "showModalButton": null,
+ "directLink": null
+ }
+ },
+ "text": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "status": {
+ "keyName": [
+
+ ],
+ "message": "",
+ "defaultMessage": null
+ },
+ "properties": {
+ "resourceName": null,
+ "resourceId": null,
+ "resourceType": null
+ },
+ "onlyStatus": false
+ }
+ },
+ "idSuffix": "azure_defender_recommendation_apply_system_updates_disabled",
+ "notes": [
+
+ ],
+ "categories": [
+
+ ]
+}
+
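Review bot: `rationale` and `remediation.text` are single-quoted (`'A security policy…'`, `'Follow Microsoft Azure documentation…'`), which is not valid JSON — strings must use double quotes — so this file fails to parse in any RFC 8259 parser. The `remediation.text` content is also wrong for this finding: it tells the reader to apply OS security patches, which belongs to a system-updates rule rather than to the MCSB policy-effect check described above it, and `idSuffix` is `azure_defender_recommendation_apply_system_updates_disabled`, again copied from that other rule and liable to collide with it if both are loaded. Suggested fix: `"rationale": "A security policy defines …"` (also inserting the missing "is" in "The MCSB Policy Initiative is a set of"), a remediation that describes setting each MCSB policy's effect back to `Audit` as the benchmark's 3.1.11 text does, and an idSuffix such as `azure_defender_mcsb_policies_disabled` (placeholder — align with the repo's naming).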
diff --git a/rules/findings/Azure/Defender/CIS3.0/azure-defender-easm-disabled.json b/rules/findings/Azure/Defender/CIS3.0/azure-defender-easm-disabled.json
new file mode 100644
index 00000000..d482bc2c
--- /dev/null
+++ b/rules/findings/Azure/Defender/CIS3.0/azure-defender-easm-disabled.json
@@ -0,0 +1,115 @@
+{
+ "args": [
+
+ ],
+ "provider": "Azure",
+ "serviceType": "Subscription Security",
+ "serviceName": "Subscription",
+ "displayName": "Ensure that Microsoft Defender External Attack Surface Monitoring (EASM) is enabled",
+ "description": "
+ An organization's attack surface is the collection of assets with a public network identifier or URI that an external threat actor can see or access from outside your cloud. It is the set of points on the boundary of a system, a system element, system component, or an environment where an attacker can try to enter, cause an effect on, or extract data from, that system, system element, system component, or environment. The larger the attack surface, the harder it is to protect.
+ This tool can be configured to scan your organization's online infrastructure such as specified domains, hosts, CIDR blocks, and SSL certificates, and store them in an Inventory. Inventory items can be added, reviewed, approved, and removed, and may contain enrichments (`insights`) and additional information collected from the tool's different scan engines and open-source intelligence sources.
+ A Defender EASM workspace will generate an Inventory of publicly exposed assets by crawling and scanning the internet using Seeds you provide when setting up the tool. Seeds can be FQDNs, IP CIDR blocks, and WHOIS records.
+ Defender EASM will generate Insights within 24-48 hours after Seeds are provided, and these insights include vulnerability data (CVEs), ports and protocols, and weak or expired SSL certificates that could be used by an attacker for reconnaissance or exploitation.
+ Results are classified High/Medium/Low and some of them include proposed mitigations.
+ ",
+ "rationale": "This tool can monitor the externally exposed resources of an organization, provide valuable insights, and export these findings in a variety of formats (including CSV) for use in vulnerability management operations and red/purple team exercises.",
+ "impact": '
+ Microsoft Defender EASM workspaces are currently available as Azure Resources with a 30-day free trial period but can quickly accrue significant charges. The costs are calculated daily as (Number of "billable" inventory items) x (item cost per day; approximately: $0.017).
+ Estimated cost is not provided within the tool, and users are strongly advised to contact their Microsoft sales representative for pricing and set a calendar reminder for the end of the trial period.
+ For an EASM workspace having an Inventory of 5k-10k billable items (IP addresses, hostnames, SSL certificates, etc) a typical cost might be approximately $85-170 per day or $2500-5000 USD/month at the time of publication. If the workspace is deleted by the last day of a free trial period, no charges are billed.
+ ',
+ "remediation": {
+ "text": "To begin remediation, a Microsoft Defender EASM workspace must be created. The resources and inventory items added to this workspace will depend on your environment. ",
+ "code": {
+ "powerShell": null,
+ "iac": null,
+ "terraform": null,
+ "other": null
+ }
+ },
+ "recommendation": null,
+ "references": [
+ "https://learn.microsoft.com/en-us/azure/external-attack-surface-management/",
+ "https://learn.microsoft.com/en-us/azure/external-attack-surface-management/deploying-the-defender-easm-azure-resource",
+ "https://www.microsoft.com/en-us/security/blog/2022/08/02/microsoft-announces-new-solutions-for-threat-intelligence-and-attack-surface-management/"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "3.0.0",
+ "reference": "3.1.15",
+ "profile":"Level 2"
+ }
+ ],
+ "level": "info",
+ "tags": [
+
+ ],
+ "rule": {
+ "path": "",
+ "subPath": null,
+ "selectCondition": {
+
+ },
+ "query": [
+ ],
+ "shouldExist": null,
+ "returnObject": null,
+ "removeIfNotExists": null
+ },
+ "output": {
+ "html": {
+ "data": {
+ "expandObject": null
+ },
+ "table": "asList",
+ "decorate": [
+
+ ],
+ "emphasis": [
+ ],
+ "actions": {
+ "objectData": {
+ "properties": [
+
+ ],
+ "expandObject": null,
+ "limit": null
+ },
+ "showGoToButton": null,
+ "showModalButton": null,
+ "directLink": null
+ }
+ },
+ "text": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "status": {
+ "keyName": [
+
+ ],
+ "message": "",
+ "defaultMessage": null
+ },
+ "properties": {
+ "resourceName": null,
+ "resourceId": null,
+ "resourceType": null
+ },
+ "onlyStatus": false
+ }
+ },
+ "idSuffix": "azure_defender_easm_disabled",
+ "notes": [
+
+ ],
+ "categories": [
+
+ ]
+}
+
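Review bot: The `impact` value is a single-quoted, multi-line string that itself contains double quotes (`"billable"`), so it is invalid JSON on two counts; converting it to a double-quoted one-line string requires escaping the inner quotes as `\"billable\"` and the line breaks as `\n`. `description` has the same literal line-break problem. `serviceType` is `Subscription Security` while the other Defender rules added in this change use `Microsoft Defender for Cloud`; unless the difference is intended it will split these findings across two groups in the report.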
diff --git a/rules/findings/Azure/Defender/CIS3.0/azure-defender-for-mcas-enabled.json b/rules/findings/Azure/Defender/CIS3.0/azure-defender-for-mcas-enabled.json
new file mode 100644
index 00000000..15aa8068
--- /dev/null
+++ b/rules/findings/Azure/Defender/CIS3.0/azure-defender-for-mcas-enabled.json
@@ -0,0 +1,113 @@
+{
+ "args": [
+
+ ],
+ "provider": "Azure",
+ "serviceType": "Microsoft Defender for Cloud",
+ "serviceName": "Subscription",
+ "displayName": "Ensure that Microsoft Defender for Cloud Apps integration with Microsoft Defender for Cloud is Selected",
+ "description": "This integration setting enables Microsoft Defender for Cloud Apps (formerly 'Microsoft Cloud App Security' or 'MCAS' - see additional info) to communicate with Microsoft Defender for Cloud.",
+ "rationale": "Microsoft Defender for Cloud offers an additional layer of protection by using Azure Resource Manager events, which is considered to be the control plane for Azure. By analyzing the Azure Resource Manager records, Microsoft Defender for Cloud detects unusual or potentially harmful operations in the Azure subscription environment. Several of the preceding analytics are powered by Microsoft Defender for Cloud Apps. To benefit from these analytics, subscription must have a Cloud App Security license. Microsoft Defender for Cloud Apps works only with Standard Tier subscriptions.",
+ "impact": "Microsoft Defender for Cloud Apps works with Standard pricing tier Subscription. Choosing the Standard pricing tier of Microsoft Defender for Cloud incurs an additional cost per resource.",
+ "remediation": {
+ "text": "",
+ "code": {
+ "powerShell": null,
+ "iac": null,
+ "terraform": null,
+ "other": null
+ }
+ },
+ "recommendation": null,
+ "references": [
+ "https://docs.microsoft.com/en-us/azure/security-center/security-center-data-security",
+ "https://docs.microsoft.com/en-us/azure/security-center/security-center-enable-data-collection",
+ "https://msdn.microsoft.com/en-us/library/mt704062.aspx",
+ "https://msdn.microsoft.com/en-us/library/mt704063.aspx",
+ "https://docs.microsoft.com/en-us/rest/api/securitycenter/autoprovisioningsettings/list",
+ "https://docs.microsoft.com/en-us/rest/api/securitycenter/autoprovisioningsettings/create",
+ "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-incident-response#ir-2-preparation--setup-incident-notification"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "3.0.0",
+ "reference": "3.1.1.2",
+ "profile":"Level 2"
+ }
+ ],
+ "level": "low",
+ "tags": [
+
+ ],
+ "rule": {
+ "path": "",
+ "subPath": null,
+ "selectCondition": {
+
+ },
+ "query": [
+ ],
+ "shouldExist": null,
+ "returnObject": null,
+ "removeIfNotExists": null
+ },
+ "output": {
+ "html": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "table": null,
+ "decorate": [
+
+ ],
+ "emphasis": [
+
+ ],
+ "actions": {
+ "objectData": {
+ "properties": [
+ "*"
+ ],
+ "expandObject": null,
+ "limit": null
+ },
+ "showGoToButton": false,
+ "showModalButton": false,
+ "directLink": null
+ }
+ },
+ "text": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "status": {
+ "keyName": [
+
+ ],
+ "message": "",
+ "defaultMessage": null
+ },
+ "properties": {
+ "resourceName": null,
+ "resourceId": null,
+ "resourceType": null
+ },
+ "onlyStatus": false
+ }
+ },
+ "idSuffix": "azure_defender_for_mcas_disabled",
+ "notes": [
+
+ ],
+ "categories": [
+
+ ]
+}
+
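Review bot: The file is named `azure-defender-for-mcas-enabled.json` but its `idSuffix` is `azure_defender_for_mcas_disabled` and its siblings are all `*-disabled.json`; the finding reports the integration being off, so the filename should follow the `-disabled` convention, or at least the id and name should agree. `remediation.text` is `""` where every other rule in this change uses `null` for an absent remediation — pick one sentinel. The `output.html.data` shape (`properties: {}` plus `table: null`) also differs from the other new rules, which carry only `expandObject` and `table: "asList"`; if that is not deliberate, align it so the renderer treats these findings uniformly.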
diff --git a/rules/findings/Azure/Defender/CIS1.4/azure-defender-missing-appservice-protection.json b/rules/findings/Azure/Defender/CIS3.0/azure-defender-missing-appservice-protection.json
similarity index 91%
rename from rules/findings/Azure/Defender/CIS1.4/azure-defender-missing-appservice-protection.json
rename to rules/findings/Azure/Defender/CIS3.0/azure-defender-missing-appservice-protection.json
index 2586f0c5..0eb6c313 100644
--- a/rules/findings/Azure/Defender/CIS1.4/azure-defender-missing-appservice-protection.json
+++ b/rules/findings/Azure/Defender/CIS3.0/azure-defender-missing-appservice-protection.json
@@ -1,11 +1,11 @@
-{
+{
"args": [
],
"provider": "Azure",
"serviceType": "Microsoft Defender for Cloud",
"serviceName": "Subscription",
- "displayName": "Ensure that Microsoft Defender for Cloud is set to On for App Service",
+ "displayName": "Ensure That Microsoft Defender for App Services Is Set To 'On'",
"description": "Turning on Microsoft Defender for Cloud enables threat detection for App Service, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.",
"rationale": "Enabling Microsoft Defender for Cloud for App Service allows for greater defense-in-depth, with threat detection provided by the Microsoft Security Response Center (MSRC).",
"impact": "Turning on Microsoft Defender for Cloud in Microsoft Defender for Cloud incurs an additional cost per resource.",
@@ -29,8 +29,9 @@
"compliance": [
{
"name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "2.2"
+ "version": "3.0.0",
+ "reference": "3.1.6.1",
+ "profile":"Level 2"
}
],
"level": "medium",
@@ -86,11 +87,15 @@
],
"actions": {
"objectData": {
- "expand": null,
+ "properties": [
+
+ ],
+ "expandObject": null,
"limit": null
},
"showGoToButton": null,
- "showModalButton": null
+ "showModalButton": null,
+ "directLink": null
}
},
"text": {
@@ -123,3 +128,4 @@
]
}
+
diff --git a/rules/findings/Azure/Defender/CIS1.4/azure-defender-missing-container-registries-protection.json b/rules/findings/Azure/Defender/CIS3.0/azure-defender-missing-container-registries-protection.json
similarity index 79%
rename from rules/findings/Azure/Defender/CIS1.4/azure-defender-missing-container-registries-protection.json
rename to rules/findings/Azure/Defender/CIS3.0/azure-defender-missing-container-registries-protection.json
index a2e57cbd..fa7457d3 100644
--- a/rules/findings/Azure/Defender/CIS1.4/azure-defender-missing-container-registries-protection.json
+++ b/rules/findings/Azure/Defender/CIS3.0/azure-defender-missing-container-registries-protection.json
@@ -1,12 +1,19 @@
-{
+{
"args": [
],
"provider": "Azure",
"serviceType": "Microsoft Defender for Cloud",
"serviceName": "Subscription",
- "displayName": "Ensure that Microsoft Defender for Cloud is set to On for Container Registries",
- "description": "Turning on Microsoft Defender for Cloud enables threat detection for Container Registries, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.",
+ "displayName": "Ensure That Microsoft Defender for Containers Is Set To 'On'",
+ "description": "
+ Turning on Microsoft Defender for Cloud enables threat detection for Container Registries including Kubernetes, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.
+ The following services will be enabled for container instances:
+ * Defender agent in Azure
+ * Azure Policy for Kubernetes
+ * Agentless discovery for Kubernetes
+ * Agentless container vulnerability assessment
+ ",
"rationale": "Enabling Microsoft Defender for Cloud for Container Registries allows for greater defense-in-depth, with threat detection provided by the Microsoft Security Response Center (MSRC).",
"impact": "Turning on Microsoft Defender for Cloud in Microsoft Defender for Cloud incurs an additional cost per resource.",
"remediation": {
@@ -29,8 +36,9 @@
"compliance": [
{
"name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "2.7"
+ "version": "3.0.0",
+ "reference": "3.1.4.1",
+ "profile":"Level 2"
}
],
"level": "medium",
@@ -86,11 +94,15 @@
],
"actions": {
"objectData": {
- "expand": null,
+ "properties": [
+
+ ],
+ "expandObject": null,
"limit": null
},
"showGoToButton": null,
- "showModalButton": null
+ "showModalButton": null,
+ "directLink": null
}
},
"text": {
@@ -123,3 +135,4 @@
]
}
+
diff --git a/rules/findings/Azure/Defender/CIS1.5/azure-defender-missing-cosmodb-protection.json b/rules/findings/Azure/Defender/CIS3.0/azure-defender-missing-cosmodb-protection.json
similarity index 91%
rename from rules/findings/Azure/Defender/CIS1.5/azure-defender-missing-cosmodb-protection.json
rename to rules/findings/Azure/Defender/CIS3.0/azure-defender-missing-cosmodb-protection.json
index bf17caee..7f331d7f 100644
--- a/rules/findings/Azure/Defender/CIS1.5/azure-defender-missing-cosmodb-protection.json
+++ b/rules/findings/Azure/Defender/CIS3.0/azure-defender-missing-cosmodb-protection.json
@@ -1,11 +1,11 @@
-{
+{
"args": [
],
"provider": "Azure",
"serviceType": "Microsoft Defender for Cloud",
"serviceName": "Subscription",
- "displayName": "Ensure That Microsoft Defender for Cosmos DB Is Set To \u0027On\u0027",
+ "displayName": "Ensure That Microsoft Defender for Azure Cosmos DB Is Set To 'On'",
"description": "Microsoft Defender for Cosmos DB scans all incoming network requests for changes to your virtual machine.",
"rationale": "In scanning Cosmos DB requests within a subscription, requests are compared to a heuristic list of potential security threats. These threats could be a result of a security breach within your services, thus scanning for them could prevent a potential security threat from being introduced.",
"impact": "Enabling Microsoft Defender for Cosmos requires enabling Microsoft Defender for your subscription. Both will incur additional charges.",
@@ -27,8 +27,8 @@
"compliance": [
{
"name": "CIS Microsoft Azure Foundations",
- "version": "1.5.0",
- "reference": "2.1.10"
+ "version": "3.0.0",
+ "reference": "3.1.7.1"
}
],
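Review bot: This compliance entry is the only one in the change that does not gain a `profile` key; every other rule moved to CIS 3.0.0 here adds `"profile": "Level 1"` or `"profile": "Level 2"`. Add the profile the benchmark assigns to 3.1.7.1 (the sibling Defender-plan entries in this commit carry `Level 2`) so reports can filter on profile consistently.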
"level": "medium",
@@ -84,11 +84,15 @@
],
"actions": {
"objectData": {
- "expand": null,
+ "properties": [
+
+ ],
+ "expandObject": null,
"limit": null
},
"showGoToButton": null,
- "showModalButton": null
+ "showModalButton": null,
+ "directLink": null
}
},
"text": {
@@ -121,3 +125,4 @@
]
}
+
diff --git a/rules/findings/Azure/Defender/CIS1.5/azure-defender-missing-dns-protection.json b/rules/findings/Azure/Defender/CIS3.0/azure-defender-missing-dns-protection.json
similarity index 84%
rename from rules/findings/Azure/Defender/CIS1.5/azure-defender-missing-dns-protection.json
rename to rules/findings/Azure/Defender/CIS3.0/azure-defender-missing-dns-protection.json
index 2d50eaba..3a99c96c 100644
--- a/rules/findings/Azure/Defender/CIS1.5/azure-defender-missing-dns-protection.json
+++ b/rules/findings/Azure/Defender/CIS3.0/azure-defender-missing-dns-protection.json
@@ -1,12 +1,15 @@
-{
+{
"args": [
],
"provider": "Azure",
"serviceType": "Microsoft Defender for Cloud",
"serviceName": "Subscription",
- "displayName": "Ensure That Microsoft Defender for DNS Is Set To \u0027On\u0027",
- "description": "Microsoft Defender for DNS scans all network traffic exiting from within a subscription.",
+ "displayName": "Ensure That Microsoft Defender for DNS Is Set To 'On'",
+ "description": "
+ *NOTE*: As of August 1, 2023 customers with an existing subscription to Defender for DNS can continue to use the service, but new subscribers will receive alerts about suspicious DNS activity as part of Defender for Servers P2.
+ Microsoft Defender for DNS scans all network traffic exiting from within a subscription.
+ ",
"rationale": "DNS lookups within a subscription are scanned and compared to a dynamic list of websites that might be potential security threats. These threats could be a result of a security breach within your services, thus scanning for them could prevent a potential security threat from being introduced.",
"impact": "Enabling Microsoft Defender for DNS requires enabling Microsoft Defender for your subscription. Both will incur additional charges, with Defender for DNS being a small amount per million queries.",
"remediation": {
@@ -27,13 +30,14 @@
"compliance": [
{
"name": "CIS Microsoft Azure Foundations",
- "version": "1.5.0",
- "reference": "2.1.11"
+ "version": "3.0.0",
+ "reference": "3.1.16",
+ "profile":"Level 2"
}
],
"level": "medium",
"tags": [
-
+ "Legacy"
],
"rule": {
"path": "az_pricing_tier",
@@ -84,11 +88,15 @@
],
"actions": {
"objectData": {
- "expand": null,
+ "properties": [
+
+ ],
+ "expandObject": null,
"limit": null
},
"showGoToButton": null,
- "showModalButton": null
+ "showModalButton": null,
+ "directLink": null
}
},
"text": {
@@ -121,3 +129,4 @@
]
}
+
diff --git a/rules/findings/Azure/Defender/CIS1.5/azure-defender-missing-iot-protection.json b/rules/findings/Azure/Defender/CIS3.0/azure-defender-missing-iot-protection.json
similarity index 90%
rename from rules/findings/Azure/Defender/CIS1.5/azure-defender-missing-iot-protection.json
rename to rules/findings/Azure/Defender/CIS3.0/azure-defender-missing-iot-protection.json
index 43c0782a..11d8ddcd 100644
--- a/rules/findings/Azure/Defender/CIS1.5/azure-defender-missing-iot-protection.json
+++ b/rules/findings/Azure/Defender/CIS3.0/azure-defender-missing-iot-protection.json
@@ -1,11 +1,11 @@
-{
+{
"args": [
],
"provider": "Azure",
"serviceType": "Microsoft Defender for Cloud",
"serviceName": "Subscription",
- "displayName": "Ensure That Microsoft Defender for IoT Is Set To \u0027On\u0027",
+ "displayName": "Ensure That Microsoft Defender for IoT Hub Is Set To 'On'",
"description": "Microsoft Defender for IoT acts as a central security hub for IoT devices within your organization.",
"rationale": "IoT devices are very rarely patched and can be potential attack vectors for enterprise networks. Updating their network configuration to use a central security hub allows for detection of these breaches.",
"impact": "Enabling Microsoft Defender for IoT will incur additional charges dependent on the level of usage.",
@@ -27,11 +27,12 @@
"compliance": [
{
"name": "CIS Microsoft Azure Foundations",
- "version": "1.5.0",
- "reference": "2.1.12"
+ "version": "3.0.0",
+ "reference": "3.2.1",
+ "profile":"Level 2"
}
],
- "level": "medium",
+ "level": "info",
"tags": [
],
@@ -84,11 +85,15 @@
],
"actions": {
"objectData": {
- "expand": null,
+ "properties": [
+
+ ],
+ "expandObject": null,
"limit": null
},
"showGoToButton": null,
- "showModalButton": null
+ "showModalButton": null,
+ "directLink": null
}
},
"text": {
@@ -121,3 +126,4 @@
]
}
+
diff --git a/rules/findings/Azure/Defender/CIS1.4/azure-defender-missing-keyvault-protection.json b/rules/findings/Azure/Defender/CIS3.0/azure-defender-missing-keyvault-protection.json
similarity index 85%
rename from rules/findings/Azure/Defender/CIS1.4/azure-defender-missing-keyvault-protection.json
rename to rules/findings/Azure/Defender/CIS3.0/azure-defender-missing-keyvault-protection.json
index ecfabc91..e9983ba7 100644
--- a/rules/findings/Azure/Defender/CIS1.4/azure-defender-missing-keyvault-protection.json
+++ b/rules/findings/Azure/Defender/CIS3.0/azure-defender-missing-keyvault-protection.json
@@ -1,12 +1,12 @@
-{
+{
"args": [
],
"provider": "Azure",
"serviceType": "Microsoft Defender for Cloud",
"serviceName": "Subscription",
- "displayName": "Ensure that Microsoft Defender for Cloud is set to On for Key Vault",
- "description": "Turning on Microsoft Defender for Cloud enables threat detection for Key Vault, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.",
+ "displayName": "Ensure That Microsoft Defender for Key Vault Is Set To 'On'",
+ "description": "Turning on Microsoft Defender for Key Vault enables threat detection for Key Vault, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.",
"rationale": "Enabling Microsoft Defender for Cloud for Key Vault allows for greater defense-in-depth, with threat detection provided by the Microsoft Security Response Center (MSRC).",
"impact": "Turning on Microsoft Defender for Cloud in Microsoft Defender for Cloud incurs an additional cost per resource.",
"remediation": {
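Review bot: The rename of the control to "Microsoft Defender for Key Vault" stops at `displayName` and `description`; the unchanged `rationale` still reads "Enabling Microsoft Defender for Cloud for Key Vault" and `impact` still reads "Turning on Microsoft Defender for Cloud in Microsoft Defender for Cloud incurs an additional cost per resource", which now contradicts the two lines above it. Suggest `"rationale": "Enabling Microsoft Defender for Key Vault allows for greater defense-in-depth, with threat detection provided by the Microsoft Security Response Center (MSRC)."` and `"impact": "Turning on Microsoft Defender for Key Vault incurs an additional cost per resource."`. The same half-renamed `rationale`/`impact` pair is left in azure-defender-missing-server-protection.json and azure-defender-missing-storageaccount-protection.json, and the same `impact` sentence in the two SQL files.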
@@ -29,8 +29,9 @@
"compliance": [
{
"name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "2.8"
+ "version": "3.0.0",
+ "reference": "3.1.8.1",
+ "profile":"Level 2"
}
],
"level": "medium",
@@ -86,11 +87,15 @@
],
"actions": {
"objectData": {
- "expand": null,
+ "properties": [
+
+ ],
+ "expandObject": null,
"limit": null
},
"showGoToButton": null,
- "showModalButton": null
+ "showModalButton": null,
+ "directLink": null
}
},
"text": {
@@ -123,3 +128,4 @@
]
}
+
diff --git a/rules/findings/Azure/Defender/CIS1.4/azure-defender-missing-sql-server-protection.json b/rules/findings/Azure/Defender/CIS3.0/azure-defender-missing-managed-sql-database-protection.json
similarity index 70%
rename from rules/findings/Azure/Defender/CIS1.4/azure-defender-missing-sql-server-protection.json
rename to rules/findings/Azure/Defender/CIS3.0/azure-defender-missing-managed-sql-database-protection.json
index 8a9e3af4..1e532433 100644
--- a/rules/findings/Azure/Defender/CIS1.4/azure-defender-missing-sql-server-protection.json
+++ b/rules/findings/Azure/Defender/CIS3.0/azure-defender-missing-managed-sql-database-protection.json
@@ -1,16 +1,16 @@
-{
+{
"args": [
],
"provider": "Azure",
"serviceType": "Microsoft Defender for Cloud",
"serviceName": "Subscription",
- "displayName": "Ensure that Microsoft Defender for Cloud is set to On for Azure SQL database servers",
- "description": "Turning on Microsoft Defender for Cloud enables threat detection for Azure SQL database servers, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.",
- "rationale": "Enabling Microsoft Defender for Cloud for Azure SQL database servers allows for greater defense-in depth, with threat detection provided by the Microsoft Security Response Center (MSRC).",
+ "displayName": "Ensure That Microsoft Defender for (Managed Instance) Azure SQL Databases Is Set To 'On'",
+ "description": "Turning on Microsoft Defender for Azure SQL Databases enables threat detection for Managed Instance Azure SQL databases, providing threat intelligence, anomaly detection, and behavior analytics in Microsoft Defender for Cloud.",
+ "rationale": "Enabling Microsoft Defender for Azure SQL Databases allows for greater defense-in-depth, includes functionality for discovering and classifying sensitive data, surfacing and mitigating potential database vulnerabilities, and detecting anomalous activities that could indicate a threat to your database.",
"impact": "Turning on Microsoft Defender for Cloud in Microsoft Defender for Cloud incurs an additional cost per resource.",
"remediation": {
- "text": "###### From Azure Console\r\n\t\t\t\t\t1. Go to `Microsoft Defender for Cloud`\r\n\t\t\t\t\t2. Select `Environment settings`\r\n\t\t\t\t\t3. Click on the subscription name\r\n\t\t\t\t\t4. Select the `Defender plans` blade\r\n\t\t\t\t\t5. On the line in the table for `Azure SQL database servers` Select `On` under `Plan`.\r\n\t\t\t\t\t6. Select `Save`",
+ "text": "###### From Azure Console\r\n\t\t\t\t\t1. Go to `Microsoft Defender for Cloud`\r\n\t\t\t\t\t2. Select `Environment settings`\r\n\t\t\t\t\t3. Click on the subscription name\r\n\t\t\t\t\t4. Select the `Defender plans` blade\r\n\t\t\t\t\t5. Click `Select types >` in the row for `Databases`.\r\n\t\t\t\t\t6. Set the toggle switch next to `Azure SQL Databases` to `On`.\r\n\t\t\t\t\t7 Select `Continue`.\r\n\t\t\t\t\t7 Select `Save`.",
"code": {
"powerShell": null,
"iac": null,
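Review bot: The rewritten remediation `text` numbers its last two steps "7 Select `Continue`." and "7 Select `Save`." — both carry the same number and, unlike steps 1–6, lack the period after the digit, so the rendered list shows two step 7s; change them to "7. Select `Continue`." and "8. Select `Save`.". The new `displayName` says "(Managed Instance) Azure SQL Databases" while the remediation toggles "Azure SQL Databases" and the `description` says "Managed Instance Azure SQL databases"; if the `query` block (outside these hunks) still filters on the SQL-servers pricing tier, the title and the check now describe different Defender plans, so it is worth confirming which plan the rule actually evaluates.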
@@ -29,8 +29,9 @@
"compliance": [
{
"name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "2.3"
+ "version": "3.0.0",
+ "reference": "3.1.7.3",
+ "profile":"Level 2"
}
],
"level": "medium",
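Review bot: This file is renamed from sql-server-protection to managed-sql-database-protection, but no hunk touches `idSuffix`, so the finding presumably still emits `azure_defender_missing_sql_server_protection`, which no longer matches the file name or the new `displayName`. The sibling rename of azure-defender-missing-vm-protection.json does update its `idSuffix` in this same commit, so the renames are handled inconsistently; azure-defender-missing-rm-protection.json → resource-manager has the same gap. Whichever way it is resolved, a stable finding id matters more than the file name — if downstream suppressions or baselines key on it, keep the old id and record the new name in `notes` instead.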
@@ -86,11 +87,15 @@
],
"actions": {
"objectData": {
- "expand": null,
+ "properties": [
+
+ ],
+ "expandObject": null,
"limit": null
},
"showGoToButton": null,
- "showModalButton": null
+ "showModalButton": null,
+ "directLink": null
}
},
"text": {
@@ -123,3 +128,4 @@
]
}
+
diff --git a/rules/findings/Azure/Defender/CIS1.5/azure-defender-missing-osrd-protection.json b/rules/findings/Azure/Defender/CIS3.0/azure-defender-missing-osrd-protection.json
similarity index 92%
rename from rules/findings/Azure/Defender/CIS1.5/azure-defender-missing-osrd-protection.json
rename to rules/findings/Azure/Defender/CIS3.0/azure-defender-missing-osrd-protection.json
index 32d3a33d..9e1ba730 100644
--- a/rules/findings/Azure/Defender/CIS1.5/azure-defender-missing-osrd-protection.json
+++ b/rules/findings/Azure/Defender/CIS3.0/azure-defender-missing-osrd-protection.json
@@ -1,11 +1,11 @@
-{
+{
"args": [
],
"provider": "Azure",
"serviceType": "Microsoft Defender for Cloud",
"serviceName": "Subscription",
- "displayName": "Ensure That Microsoft Defender for Open-Source Relational Databases Is Set To \u0027On\u0027",
+ "displayName": "Ensure That Microsoft Defender for Open-Source Relational Databases Is Set To 'On'",
"description": "Turning on Microsoft Defender for Open-source relational databases enables threat detection for Open-source relational databases, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.",
"rationale": "Enabling Microsoft Defender for Open-source relational databases allows for greater defense-in-depth, with threat detection provided by the Microsoft Security Response Center (MSRC).",
"impact": "Turning on Microsoft Defender for Open-source relational databases incurs an additional cost per resource.",
@@ -27,8 +27,9 @@
"compliance": [
{
"name": "CIS Microsoft Azure Foundations",
- "version": "1.5.0",
- "reference": "2.1.6"
+ "version": "3.0.0",
+ "reference": "3.1.7.2",
+ "profile":"Level 2"
}
],
"level": "medium",
@@ -84,11 +85,15 @@
],
"actions": {
"objectData": {
- "expand": null,
+ "properties": [
+
+ ],
+ "expandObject": null,
"limit": null
},
"showGoToButton": null,
- "showModalButton": null
+ "showModalButton": null,
+ "directLink": null
}
},
"text": {
@@ -121,3 +126,4 @@
]
}
+
diff --git a/rules/findings/Azure/Defender/CIS1.5/azure-defender-missing-rm-protection.json b/rules/findings/Azure/Defender/CIS3.0/azure-defender-missing-resource-manager-protection.json
similarity index 92%
rename from rules/findings/Azure/Defender/CIS1.5/azure-defender-missing-rm-protection.json
rename to rules/findings/Azure/Defender/CIS3.0/azure-defender-missing-resource-manager-protection.json
index 028d2d40..2999e7cb 100644
--- a/rules/findings/Azure/Defender/CIS1.5/azure-defender-missing-rm-protection.json
+++ b/rules/findings/Azure/Defender/CIS3.0/azure-defender-missing-resource-manager-protection.json
@@ -1,11 +1,11 @@
-{
+{
"args": [
],
"provider": "Azure",
"serviceType": "Microsoft Defender for Cloud",
"serviceName": "Subscription",
- "displayName": "Ensure That Microsoft Defender for Resource Manager Is Set To \u0027On\u0027",
+ "displayName": "Ensure That Microsoft Defender for Resource Manager Is Set To 'On'",
"description": "Microsoft Defender for Resource Manager scans incoming administrative requests to change your infrastructure from both CLI and the Azure portal.",
"rationale": "Scanning resource requests lets you be alerted every time there is suspicious activity in order to prevent a security threat from being introduced.",
"impact": "Enabling Microsoft Defender for Resource Manager requires enabling Microsoft Defender for your subscription. Both will incur additional charges.",
@@ -27,8 +27,9 @@
"compliance": [
{
"name": "CIS Microsoft Azure Foundations",
- "version": "1.5.0",
- "reference": "2.1.13"
+ "version": "3.0.0",
+ "reference": "3.1.9.1",
+ "profile":"Level 2"
}
],
"level": "medium",
@@ -84,11 +85,15 @@
],
"actions": {
"objectData": {
- "expand": null,
+ "properties": [
+
+ ],
+ "expandObject": null,
"limit": null
},
"showGoToButton": null,
- "showModalButton": null
+ "showModalButton": null,
+ "directLink": null
}
},
"text": {
@@ -121,3 +126,4 @@
]
}
+
diff --git a/rules/findings/Azure/Defender/CIS1.4/azure-defender-missing-vm-protection.json b/rules/findings/Azure/Defender/CIS3.0/azure-defender-missing-server-protection.json
similarity index 90%
rename from rules/findings/Azure/Defender/CIS1.4/azure-defender-missing-vm-protection.json
rename to rules/findings/Azure/Defender/CIS3.0/azure-defender-missing-server-protection.json
index a8c40c92..229b8444 100644
--- a/rules/findings/Azure/Defender/CIS1.4/azure-defender-missing-vm-protection.json
+++ b/rules/findings/Azure/Defender/CIS3.0/azure-defender-missing-server-protection.json
@@ -1,11 +1,11 @@
-{
+{
"args": [
],
"provider": "Azure",
"serviceType": "Microsoft Defender for Cloud",
"serviceName": "Subscription",
- "displayName": "Ensure that Microsoft Defender for Cloud is set to On for Servers",
+ "displayName": "Ensure That Microsoft Defender for Servers Is Set to 'On'",
"description": "Turning on Microsoft Defender for Cloud enables threat detection for Server, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.",
"rationale": "Enabling Microsoft Defender for Cloud for Servers allows for greater defense-in-depth, with threat detection provided by the Microsoft Security Response Center (MSRC).",
"impact": "Turning on Microsoft Defender for Cloud in Microsoft Defender for Cloud incurs an additional cost per resource.",
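Review bot: `"displayName": "Ensure That Microsoft Defender for Servers Is Set to 'On'"` uses a lowercase "to" while every other Defender title in this diff reads "Is Set To 'On'"; these titles sit side by side in reports, so match the casing: `"displayName": "Ensure That Microsoft Defender for Servers Is Set To 'On'"`. The unchanged `description` also still says "threat detection for Server" (singular) where the title now says Servers.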
@@ -29,8 +29,9 @@
"compliance": [
{
"name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "2.1"
+ "version": "3.0.0",
+ "reference": "3.1.3.1",
+ "profile":"Level 2"
}
],
"level": "medium",
@@ -86,11 +87,15 @@
],
"actions": {
"objectData": {
- "expand": null,
+ "properties": [
+
+ ],
+ "expandObject": null,
"limit": null
},
"showGoToButton": null,
- "showModalButton": null
+ "showModalButton": null,
+ "directLink": null
}
},
"text": {
@@ -115,7 +120,7 @@
"onlyStatus": false
}
},
- "idSuffix": "azure_defender_missing_vm_protection",
+ "idSuffix": "azure_defender_missing_server_protection",
"notes": [
],
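Review bot: Changing `idSuffix` from `azure_defender_missing_vm_protection` to `azure_defender_missing_server_protection` changes the finding's identifier, so any suppression, baseline, ticket mapping or dashboard filter keyed on the old id silently stops matching. If ids are meant to be stable across benchmark versions, keep the old value; if the rename is intended, record the old id in the `notes` array just below (for example `"notes": ["Renamed from azure_defender_missing_vm_protection in the CIS 3.0 migration"]`) so consumers can map it.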
@@ -123,3 +128,4 @@
]
}
+
diff --git a/rules/findings/Azure/Defender/CIS1.4/azure-defender-missing-sql-server-on-machines-protection.json b/rules/findings/Azure/Defender/CIS3.0/azure-defender-missing-sql-server-on-machines-protection.json
similarity index 77%
rename from rules/findings/Azure/Defender/CIS1.4/azure-defender-missing-sql-server-on-machines-protection.json
rename to rules/findings/Azure/Defender/CIS3.0/azure-defender-missing-sql-server-on-machines-protection.json
index 6b11a36d..aa1b4ef0 100644
--- a/rules/findings/Azure/Defender/CIS1.4/azure-defender-missing-sql-server-on-machines-protection.json
+++ b/rules/findings/Azure/Defender/CIS3.0/azure-defender-missing-sql-server-on-machines-protection.json
@@ -1,13 +1,13 @@
-{
+{
"args": [
],
"provider": "Azure",
"serviceType": "Microsoft Defender for Cloud",
"serviceName": "Subscription",
- "displayName": "Ensure that Microsoft Defender for Cloud is set to On for SQL servers on machines",
- "description": "Turning on Microsoft Defender for Cloud enables threat detection for SQL servers on machines, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.",
- "rationale": "Enabling Microsoft Defender for Cloud for SQL servers on machines allows for greater defense-in-depth, with threat detection provided by the Microsoft Security Response Center (MSRC).",
+ "displayName": "Ensure That Microsoft Defender for SQL Servers on Machines Is Set To 'On'",
+ "description": "Turning on Microsoft Defender for SQL servers on machines enables threat detection for SQL servers on machines, providing threat intelligence, anomaly detection, and behavior analytics in Microsoft Defender for Cloud.",
+ "rationale": "Enabling Microsoft Defender for SQL servers on machines allows for greater defense in-depth, functionality for discovering and classifying sensitive data, surfacing and mitigating potential database vulnerabilities, and detecting anomalous activities that could indicate a threat to your database.",
"impact": "Turning on Microsoft Defender for Cloud in Microsoft Defender for Cloud incurs an additional cost per resource.",
"remediation": {
"text": "###### From Azure Console\r\n\t\t\t\t\t1. Go to `Microsoft Defender for Cloud`\r\n\t\t\t\t\t2. Select `Environment settings`\r\n\t\t\t\t\t3. Click on the subscription name\r\n\t\t\t\t\t4. Select the `Defender plans` blade\r\n\t\t\t\t\t5. On the line in the table for `SQL Servers on machines` Select `On` under `Plan`.\r\n\t\t\t\t\t6. Select `Save`",
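Review bot: The new `rationale` writes "defense in-depth" where the Key Vault, OSRD and Managed-SQL rationales in this diff write "defense-in-depth"; use the hyphenated form: `allows for greater defense-in-depth, functionality for discovering and classifying sensitive data, …`. The unchanged remediation `text` on the last line of this hunk still tells the user to find a "SQL Servers on machines" row and select "On" under "Plan", whereas the Managed-SQL file in this same commit was rewritten to the "Databases" → "Select types >" flow; if the portal layout changed for one plan it likely changed for this one too, so these steps are probably stale.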
@@ -29,8 +29,9 @@
"compliance": [
{
"name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "2.4"
+ "version": "3.0.0",
+ "reference": "3.1.7.4",
+ "profile":"Level 2"
}
],
"level": "medium",
@@ -86,11 +87,15 @@
],
"actions": {
"objectData": {
- "expand": null,
+ "properties": [
+
+ ],
+ "expandObject": null,
"limit": null
},
"showGoToButton": null,
- "showModalButton": null
+ "showModalButton": null,
+ "directLink": null
}
},
"text": {
@@ -123,3 +128,4 @@
]
}
+
diff --git a/rules/findings/Azure/Defender/CIS1.4/azure-defender-missing-storageaccount-protection.json b/rules/findings/Azure/Defender/CIS3.0/azure-defender-missing-storageaccount-protection.json
similarity index 91%
rename from rules/findings/Azure/Defender/CIS1.4/azure-defender-missing-storageaccount-protection.json
rename to rules/findings/Azure/Defender/CIS3.0/azure-defender-missing-storageaccount-protection.json
index 1ebed4c8..dd2cbbfe 100644
--- a/rules/findings/Azure/Defender/CIS1.4/azure-defender-missing-storageaccount-protection.json
+++ b/rules/findings/Azure/Defender/CIS3.0/azure-defender-missing-storageaccount-protection.json
@@ -1,11 +1,11 @@
-{
+{
"args": [
],
"provider": "Azure",
"serviceType": "Microsoft Defender for Cloud",
"serviceName": "Subscription",
- "displayName": "Ensure that Microsoft Defender for Cloud is set to On for Storage",
+ "displayName": "Ensure That Microsoft Defender for Storage Is Set To 'On'",
"description": "Turning on Microsoft Defender for Cloud enables threat detection for Storage, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.",
"rationale": "Enabling Microsoft Defender for Cloud for Storage allows for greater defense-in-depth, with threat detection provided by the Microsoft Security Response Center (MSRC).",
"impact": "Turning on Microsoft Defender for Cloud in Microsoft Defender for Cloud incurs an additional cost per resource.",
@@ -29,8 +29,9 @@
"compliance": [
{
"name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "2.5"
+ "version": "3.0.0",
+ "reference": "3.1.5.1",
+ "profile":"Level 2"
}
],
"level": "medium",
@@ -86,11 +87,15 @@
],
"actions": {
"objectData": {
- "expand": null,
+ "properties": [
+
+ ],
+ "expandObject": null,
"limit": null
},
"showGoToButton": null,
- "showModalButton": null
+ "showModalButton": null,
+ "directLink": null
}
},
"text": {
@@ -123,3 +128,4 @@
]
}
+
diff --git a/rules/findings/Azure/Defender/CIS3.0/azure-defender-recommendation-apply-system-updates-disabled.json b/rules/findings/Azure/Defender/CIS3.0/azure-defender-recommendation-apply-system-updates-disabled.json
new file mode 100644
index 00000000..9b27e9b6
--- /dev/null
+++ b/rules/findings/Azure/Defender/CIS3.0/azure-defender-recommendation-apply-system-updates-disabled.json
@@ -0,0 +1,112 @@
+{
+ "args": [
+
+ ],
+ "provider": "Azure",
+ "serviceType": "Microsoft Defender for Cloud",
+ "serviceName": "Subscription",
+ "displayName": "Ensure that Microsoft Defender Recommendation for 'Apply system updates' status is 'Completed'",
+ "description": "Ensure that the latest OS patches for all virtual machines are applied.",
+ "rationale": "
+ Windows and Linux virtual machines should be kept updated to:
+ * Address a specific bug or flaw
+ * Improve an OS or application’s general stability
+ * Fix a security vulnerability
+
+ Microsoft Defender for Cloud retrieves a list of available security and critical updates from Windows Update or Windows Server Update Services (WSUS), depending on which service is configured on a Windows VM. The security center also checks for the latest updates in Linux systems. If a VM is missing a system update, the security center will recommend system updates be applied.
+ ",
+ "impact": "Running Microsoft Defender for Cloud incurs additional charges for each resource monitored. Please see attached reference for exact charges per hour.",
+ "remediation": {
+ "text": "Follow Microsoft Azure documentation to apply security patches from the security center. Alternatively, you can employ your own patch assessment and management tool to periodically assess, report, and install the required security patches for your OS.",
+ "code": {
+ "powerShell": null,
+ "iac": null,
+ "terraform": null,
+ "other": null
+ }
+ },
+ "recommendation": null,
+ "references": [
+ "https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-posture-vulnerability-management#pv-6-rapidly-and-automatically-remediate-vulnerabilities",
+ "https://azure.microsoft.com/en-us/pricing/details/defender-for-cloud/",
+ "https://docs.microsoft.com/en-us/azure/defender-for-cloud/deploy-vulnerability-assessment-vm"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "3.0.0",
+ "reference": "3.1.10",
+ "profile":"Level 1"
+ }
+ ],
+ "level": "medium",
+ "tags": [
+
+ ],
+ "rule": {
+ "path": "",
+ "subPath": null,
+ "selectCondition": {
+
+ },
+ "query": [
+ ],
+ "shouldExist": null,
+ "returnObject": null,
+ "removeIfNotExists": null
+ },
+ "output": {
+ "html": {
+ "data": {
+ "expandObject": null
+ },
+ "table": "asList",
+ "decorate": [
+
+ ],
+ "emphasis": [
+ ],
+ "actions": {
+ "objectData": {
+ "properties": [
+
+ ],
+ "expandObject": null,
+ "limit": null
+ },
+ "showGoToButton": null,
+ "showModalButton": null,
+ "directLink": null
+ }
+ },
+ "text": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "status": {
+ "keyName": [
+
+ ],
+ "message": "",
+ "defaultMessage": null
+ },
+ "properties": {
+ "resourceName": null,
+ "resourceId": null,
+ "resourceType": null
+ },
+ "onlyStatus": false
+ }
+ },
+ "idSuffix": "azure_defender_recommendation_apply_system_updates_disabled",
+ "notes": [
+
+ ],
+ "categories": [
+
+ ]
+}
+
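Review bot: The `rationale` value spans eight physical lines with raw line breaks inside the string literal; RFC 8259 forbids unescaped control characters in strings, so a strict parser (System.Text.Json, Python's json, jq) rejects the whole file. The other rule files in this tree encode multi-line text as `\r\n\t\t\t\t\t` escapes on a single line — the same encoding should be used here, and for the multi-line `description`/`impact` in azure-endpoint-protection-disabled.json, the `impact`/`remediation.text` in azure-file-integrity-monitoring-disabled.json, and the `remediation.text` in azure-vulnerability-assessment-on-servers-disabled.json. Also `"path": ""` with an empty `query` means this rule evaluates nothing and can never raise the finding, so the CIS 3.1.10 mapping reads as covered when it is not; if it is a placeholder until a data source exists, say so in `notes` (for example `"notes": ["Not yet automated: no data source for Defender recommendation status"]`).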
diff --git a/rules/findings/Azure/Defender/CIS3.0/azure-endpoint-protection-disabled.json b/rules/findings/Azure/Defender/CIS3.0/azure-endpoint-protection-disabled.json
new file mode 100644
index 00000000..820abdf8
--- /dev/null
+++ b/rules/findings/Azure/Defender/CIS3.0/azure-endpoint-protection-disabled.json
@@ -0,0 +1,135 @@
+{
+ "args": [
+
+ ],
+ "provider": "Azure",
+ "serviceType": "Microsoft Defender for Cloud",
+ "serviceName": "Subscription",
+ "displayName": "Ensure that 'Endpoint protection' component status is set to 'On'",
+ "description": "
+ The Endpoint protection component enables Microsoft Defender for Endpoint (formerly 'Advanced Threat Protection' or 'ATP' or 'WDATP' - see additional info) to communicate with Microsoft Defender for Cloud.
+ *IMPORTANT:* When enabling integration between DfE & DfC it needs to be taken into account that this will have some side effects that may be undesirable.
+
+ 1. For server 2019 & above if defender is installed (default for these server SKUs) this will trigger a deployment of the new unified agent and link to any of the extended configuration in the Defender portal.
+ 2. If the new unified agent is required for server SKUs of Win 2016 or Linux and lower there is additional integration that needs to be switched on and agents need to be aligned.
+ ",
+ "rationale": "Microsoft Defender for Endpoint integration brings comprehensive Endpoint Detection and Response (EDR) capabilities within Microsoft Defender for Cloud. This integration helps to spot abnormalities, as well as detect and respond to advanced attacks on endpoints monitored by Microsoft Defender for Cloud. MDE works only with Standard Tier subscriptions.",
+ "impact": "
+ Endpoint protection requires licensing and is included in these plans:
+ * Defender for Servers plan 1
+ * Defender for Servers plan 2
+ ",
+ "remediation": {
+ "text": null,
+ "code": {
+ "powerShell": null,
+ "iac": null,
+ "terraform": null,
+ "other": null
+ }
+ },
+ "recommendation": null,
+ "references": [
+ "https://docs.microsoft.com/en-us/azure/security/fundamentals/antimalware"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "3.0.0",
+ "reference": "3.1.3.3",
+ "profile":"Level 2"
+
+ }
+ ],
+ "level": "medium",
+ "tags": [
+
+ ],
+ "rule": {
+ "path": "az_virtual_machines",
+ "subPath": null,
+ "selectCondition": {
+
+ },
+ "query": [
+ {
+ "filter": [
+ {
+ "conditions": [
+ [
+ "isAVAgentInstalled",
+ "eq",
+ "false"
+ ]
+ ]
+ }
+ ]
+ }
+ ],
+ "shouldExist": null,
+ "returnObject": null,
+ "removeIfNotExists": null
+ },
+ "output": {
+ "html": {
+ "data": {
+ "properties": {
+ "name": "Disk Name",
+ "localNic.localIpAddress": "Local IP Address",
+ "location": "Location",
+ "osDisk.isEncrypted": "OS disk encryption",
+ "isAVAgentInstalled": "Antimalware agent installed"
+ },
+ "expandObject": null
+ },
+ "table": "asList",
+ "decorate": [
+
+ ],
+ "emphasis": [
+ "Antimalware agent installed"
+ ],
+ "actions": {
+ "objectData": {
+ "properties": [
+
+ ],
+ "expandObject": null,
+ "limit": null
+ },
+ "showGoToButton": null,
+ "showModalButton": null,
+ "directLink": null
+ }
+ },
+ "text": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "status": {
+ "keyName": [
+
+ ],
+ "message": "",
+ "defaultMessage": null
+ },
+ "properties": {
+ "resourceName": null,
+ "resourceId": null,
+ "resourceType": null
+ },
+ "onlyStatus": false
+ }
+ },
+ "idSuffix": "az_vm_antimalware_disabled",
+ "notes": [
+
+ ],
+ "categories": [
+
+ ]
+}
+
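Review bot: The rule body checks each VM for `isAVAgentInstalled eq "false"` under `az_virtual_machines`, but `displayName`, `rationale` and the CIS reference describe the subscription-level Defender for Cloud "Endpoint protection" component (Defender for Endpoint integration); those are different controls, so a subscription with the component off but an antimalware extension on every VM produces no finding, and the reverse produces findings that the `null` remediation text cannot explain. Either point the rule at the Defender setting or retitle it as the per-VM antimalware check it actually is. The html `properties` map also labels `name` as "Disk Name" and surfaces `osDisk.isEncrypted`, which looks copied from a disk-encryption rule — for a VM list `"name": "VM Name"` fits. `idSuffix` `az_vm_antimalware_disabled` uses the `az_` prefix rather than the `azure_` prefix of the other Defender findings in this diff, and a generic name like that is worth checking for collision with any existing VM antimalware rule.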
diff --git a/rules/findings/Azure/Defender/CIS3.0/azure-file-integrity-monitoring-disabled.json b/rules/findings/Azure/Defender/CIS3.0/azure-file-integrity-monitoring-disabled.json
new file mode 100644
index 00000000..8eb8e950
--- /dev/null
+++ b/rules/findings/Azure/Defender/CIS3.0/azure-file-integrity-monitoring-disabled.json
@@ -0,0 +1,120 @@
+{
+ "args": [
+
+ ],
+ "provider": "Azure",
+ "serviceType": "Microsoft Defender for Cloud",
+ "serviceName": "Subscription",
+ "displayName": "Ensure that 'File Integrity Monitoring' component status is set to 'On'",
+ "description": "File Integrity Monitoring (FIM) is a feature that monitors critical system files in Windows or Linux for potential signs of attack or compromise.",
+ "rationale": "FIM provides a detection mechanism for compromised files. When FIM is enabled, critical system files are monitored for changes that might indicate a threat actor is attempting to modify system files for lateral compromise within a host operating system.",
+ "impact": "
+ File Integrity Monitoring requires licensing and is included in these plans:
+ * Defender for Servers plan 2
+ ",
+ "remediation": {
+ "text": "
+ ###### Audit from Azure Portal
+ 1. From the Azure Portal Home page, select Microsoft Defender for Cloud
+ 2. Under Management select Environment Settings
+ 3. Select a subscription
+ 4. Under Settings > Defender Plans, click Settings & monitoring
+ 5. Under the Component column, locate the row for File Integrity Monitoring
+ 6. Select On
+ 7. Click Continue in the top left
+
+ Repeat the above for any additional subscriptions.
+ ",
+ "code": {
+ "powerShell": null,
+ "iac": null,
+ "terraform": null,
+ "other": null
+ }
+ },
+ "recommendation": null,
+ "references": [
+ "https://learn.microsoft.com/en-us/azure/defender-for-cloud/file-integrity-monitoring-overview",
+ "https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-incident-response#ir-2-preparation---setup-incident-notification",
+ "https://learn.microsoft.com/en-us/azure/defender-for-cloud/file-integrity-monitoring-enable-defender-endpoint"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "3.0.0",
+ "reference": "3.1.3.5",
+ "profile":"Level 2"
+
+ }
+ ],
+ "level": "medium",
+ "tags": [
+
+ ],
+ "rule": {
+ "path": "",
+ "subPath": null,
+ "selectCondition": {
+
+ },
+ "query": [
+ ],
+ "shouldExist": null,
+ "returnObject": null,
+ "removeIfNotExists": null
+ },
+ "output": {
+ "html": {
+ "data": {
+ "expandObject": null
+ },
+ "table": "asList",
+ "decorate": [
+
+ ],
+ "emphasis": [
+ ],
+ "actions": {
+ "objectData": {
+ "properties": [
+
+ ],
+ "expandObject": null,
+ "limit": null
+ },
+ "showGoToButton": null,
+ "showModalButton": null,
+ "directLink": null
+ }
+ },
+ "text": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "status": {
+ "keyName": [
+
+ ],
+ "message": "",
+ "defaultMessage": null
+ },
+ "properties": {
+ "resourceName": null,
+ "resourceId": null,
+ "resourceType": null
+ },
+ "onlyStatus": false
+ }
+ },
+ "idSuffix": "az_file_integrity_monitoring_for_machines_disabled",
+ "notes": [
+
+ ],
+ "categories": [
+
+ ]
+}
+
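Review bot: `remediation.text` is headed "###### Audit from Azure Portal" but the steps that follow ("Select On", "Click Continue") are the remediation, not an audit procedure; the sibling files use "###### From Azure Portal" / "###### From Azure Console", so use `###### From Azure Portal`. As with the system-updates file, `"path": ""` and an empty `query` mean the rule evaluates nothing, so the CIS 3.1.3.5 mapping reads as covered when it is not — a `notes` entry flagging it as manual or pending would make that honest. The `idSuffix` `az_file_integrity_monitoring_for_machines_disabled` mixes the `az_` prefix with the `azure_` prefix used by the renamed Defender files, and there is a stray blank line inside the compliance object after the `profile` line.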
diff --git a/rules/findings/Azure/Defender/CIS1.4/azure-defender-missing-kubernetes-protection.json b/rules/findings/Azure/Defender/CIS3.0/azure-vulnerability-assessment-on-servers-disabled.json
similarity index 56%
rename from rules/findings/Azure/Defender/CIS1.4/azure-defender-missing-kubernetes-protection.json
rename to rules/findings/Azure/Defender/CIS3.0/azure-vulnerability-assessment-on-servers-disabled.json
index 9e52f52d..0f972353 100644
--- a/rules/findings/Azure/Defender/CIS1.4/azure-defender-missing-kubernetes-protection.json
+++ b/rules/findings/Azure/Defender/CIS3.0/azure-vulnerability-assessment-on-servers-disabled.json
@@ -1,16 +1,24 @@
-{
+{
"args": [
],
"provider": "Azure",
"serviceType": "Microsoft Defender for Cloud",
"serviceName": "Subscription",
- "displayName": "Ensure that Microsoft Defender for Cloud is set to On for Kubernetes",
- "description": "Turning on Microsoft Defender for Cloud enables threat detection for Kubernetes, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.",
- "rationale": "Enabling Microsoft Defender for Cloud for Kubernetes allows for greater defense-in-depth, with threat detection provided by the Microsoft Security Response Center (MSRC).",
- "impact": "Turning on Microsoft Defender for Cloud in Microsoft Defender for Cloud incurs an additional cost per resource.",
+ "displayName": "Ensure that 'Vulnerability assessment for machines' component status is set to 'On'",
+ "description": "Enable vulnerability assessment for machines on both Azure and hybrid (Arc enabled) machines.",
+ "rationale": "Vulnerability assessment for machines scans for various security-related configurations and events such as system updates, OS vulnerabilities, and endpoint protection, then produces alerts on threat and vulnerability findings.",
+ "impact": "Microsoft Defender for Servers plan 2 licensing is required, and configuration of Azure Arc introduces complexity beyond this recommendation.",
"remediation": {
- "text": "###### From Azure Console\r\n\t\t\t\t\t1. Go to `Microsoft Defender for Cloud`\r\n\t\t\t\t\t2. Select `Environment settings`\r\n\t\t\t\t\t3. Click on the subscription name\r\n\t\t\t\t\t4. Select the `Defender plans` blade\r\n\t\t\t\t\t5. On the line in the table for `Kubernetes` Select `On` under `Plan`.\r\n\t\t\t\t\t6. Select `Save`",
+ "text": "###### From Azure Portal
+ 1. From Azure Home select the Portal Menu
+ 2. Select Microsoft Defender for Cloud
+ 3. Under Management, select Environment Settings
+ 4. Select a subscription
+ 5. Click on Settings & Monitoring
+ 6. Set the Status of Vulnerability assessment for machines to On
+ 7. Click Continue
+ ",
"code": {
"powerShell": null,
"iac": null,
@@ -29,8 +37,9 @@
"compliance": [
{
"name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "2.6"
+ "version": "3.0.0",
+ "reference": "3.1.3.2",
+ "profile":"Level 2"
}
],
"level": "medium",
@@ -38,31 +47,12 @@
],
"rule": {
- "path": "az_pricing_tier",
+ "path": "",
"subPath": null,
"selectCondition": {
},
"query": [
- {
- "filter": [
- {
- "conditions": [
- [
- "name",
- "eq",
- "KubernetesService"
- ],
- [
- "properties.pricingTier",
- "eq",
- "Free"
- ]
- ],
- "operator": "and"
- }
- ]
- }
],
"shouldExist": null,
"returnObject": null,
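Review bot: This hunk deletes the only query the file had (the `KubernetesService` / `properties.pricingTier eq Free` filter) and sets `"path": ""`, so after the rename the Defender-for-Kubernetes check is gone and its replacement evaluates nothing; the 56% similarity is really a delete plus a stub. Defender for Containers/Kubernetes is, as far as I recall, still its own recommendation in the 3.0 benchmark, so that coverage should stay in its own file and this vulnerability-assessment rule should be added as a new file, like the other 3.0 additions in this commit. The later hunk's `idSuffix` `azure_vulnerability_assessment_for_server_disabled` also disagrees with the file name ("on-servers") and the title ("for machines") — pick one noun.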
@@ -86,11 +76,15 @@
],
"actions": {
"objectData": {
- "expand": null,
+ "properties": [
+
+ ],
+ "expandObject": null,
"limit": null
},
"showGoToButton": null,
- "showModalButton": null
+ "showModalButton": null,
+ "directLink": null
}
},
"text": {
@@ -115,7 +109,7 @@
"onlyStatus": false
}
},
- "idSuffix": "azure_defender_missing_kubernetes_protection",
+ "idSuffix": "azure_vulnerability_assessment_for_server_disabled",
"notes": [
],
@@ -123,3 +117,4 @@
]
}
+
diff --git a/rules/findings/Azure/Diagnostic Settings/CIS1.4/azure-diagnostic-settings-missing-categories.json b/rules/findings/Azure/Diagnostic Settings/CIS1.4/azure-diagnostic-settings-missing-categories.json
deleted file mode 100644
index 04b8e2e6..00000000
--- a/rules/findings/Azure/Diagnostic Settings/CIS1.4/azure-diagnostic-settings-missing-categories.json
+++ /dev/null
@@ -1,236 +0,0 @@
-{
- "args": [
-
- ],
- "provider": "Azure",
- "serviceType": "Diagnostic Settings",
- "serviceName": "Subscription",
- "displayName": "Ensure Diagnostic Setting captures appropriate categories",
- "description": "The diagnostic setting should be configured to log the appropriate activities from the control/management plane.",
- "rationale": "A diagnostic setting controls how the diagnostic log is exported. Capturing the diagnostic setting categories for appropriate control/management plane activities allows proper alerting.",
- "impact": "",
- "remediation": {
- "text": "###### From Azure Console\r\n\t\t\t\t\t1. Go to `Azure Monitor`\r\n\t\t\t\t\t2. Click `Activity log`\r\n\t\t\t\t\t3. Click on `Diagnostic settings`\r\n\t\t\t\t\t4. Click on `Edit Settings` for the diagnostic settings entry\r\n\t\t\t\t\t5. Ensure that the following categories are checked: Administrative, Alert, Policy, and Security",
- "code": {
- "powerShell": null,
- "iac": null,
- "terraform": null,
- "other": null
- }
- },
- "recommendation": null,
- "references": [
- "https://docs.microsoft.com/en-us/azure/monitoring-and-diagnostics/monitoring-overview-activity-logs#export-the-activity-log-with-a-log-profile",
- "https://docs.microsoft.com/en-us/cli/azure/monitor/log-profiles?view=azure-cli-latest#az_monitor_log_profiles_create",
- "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-5-centralize-security-log-management-and-analysis"
- ],
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "5.1.2"
- }
- ],
- "level": "medium",
- "tags": [
-
- ],
- "rule": {
- "path": "az_diagnostic_settings_config",
- "subPath": null,
- "selectCondition": {
-
- },
- "query": [
- {
- "Length": 2
- },
- {
- "Count": 3,
- "Length": 3,
- "LongLength": 3,
- "Rank": 1,
- "SyncRoot": [
- "category",
- "eq",
- "Administrative"
- ],
- "IsReadOnly": false,
- "IsFixedSize": true,
- "IsSynchronized": false
- },
- {
- "Count": 3,
- "Length": 3,
- "LongLength": 3,
- "Rank": 1,
- "SyncRoot": [
- "enabled",
- "eq",
- "false"
- ],
- "IsReadOnly": false,
- "IsFixedSize": true,
- "IsSynchronized": false
- },
- {
- "Count": 2,
- "Length": 2,
- "LongLength": 2,
- "Rank": 1,
- "SyncRoot": [
- "or",
- [
- "and",
- [
- "category",
- "eq",
- "Security"
- ],
- [
- "enabled",
- "eq",
- "false"
- ]
- ]
- ],
- "IsReadOnly": false,
- "IsFixedSize": true,
- "IsSynchronized": false
- },
- {
- "Count": 2,
- "Length": 2,
- "LongLength": 2,
- "Rank": 1,
- "SyncRoot": [
- "or",
- [
- "and",
- [
- "category",
- "eq",
- "Security"
- ],
- [
- "enabled",
- "eq",
- "false"
- ]
- ]
- ],
- "IsReadOnly": false,
- "IsFixedSize": true,
- "IsSynchronized": false
- },
- {
- "Count": 2,
- "Length": 2,
- "LongLength": 2,
- "Rank": 1,
- "SyncRoot": [
- "or",
- [
- "and",
- [
- "category",
- "eq",
- "Alert"
- ],
- [
- "enabled",
- "eq",
- "false"
- ]
- ]
- ],
- "IsReadOnly": false,
- "IsFixedSize": true,
- "IsSynchronized": false
- },
- {
- "Count": 2,
- "Length": 2,
- "LongLength": 2,
- "Rank": 1,
- "SyncRoot": [
- "or",
- [
- "and",
- [
- "category",
- "eq",
- "Policy"
- ],
- [
- "enabled",
- "eq",
- "false"
- ]
- ]
- ],
- "IsReadOnly": false,
- "IsFixedSize": true,
- "IsSynchronized": false
- }
- ],
- "shouldExist": null,
- "returnObject": null,
- "removeIfNotExists": null
- },
- "output": {
- "html": {
- "data": {
- "properties": {
-
- },
- "expandObject": null
- },
- "table": null,
- "decorate": [
-
- ],
- "emphasis": [
-
- ],
- "actions": {
- "objectData": {
- "expand": [
- "*"
- ],
- "limit": null
- },
- "showGoToButton": false,
- "showModalButton": false
- }
- },
- "text": {
- "data": {
- "properties": {
-
- },
- "expandObject": null
- },
- "status": {
- "keyName": [
-
- ],
- "message": "",
- "defaultMessage": null
- },
- "properties": {
- "resourceName": null,
- "resourceId": null,
- "resourceType": null
- },
- "onlyStatus": false
- }
- },
- "idSuffix": "azure_diagnostic_settings_missing_categories",
- "notes": [
-
- ],
- "categories": [
-
- ]
-}
diff --git a/rules/findings/Azure/Diagnostic Settings/CIS3.0/azure-activity-logs-storage-account-missing-cmk.json b/rules/findings/Azure/Diagnostic Settings/CIS3.0/azure-activity-logs-storage-account-missing-cmk.json
new file mode 100644
index 00000000..08413eff
--- /dev/null
+++ b/rules/findings/Azure/Diagnostic Settings/CIS3.0/azure-activity-logs-storage-account-missing-cmk.json
@@ -0,0 +1,114 @@
+{
+ "args": [
+
+ ],
+ "provider": "Azure",
+ "serviceType": "Diagnostic Settings",
+ "serviceName": "Subscription",
+ "displayName": "Ensure the storage account containing the container with activity logs is encrypted with Customer Managed Key (CMK)",
+ "description": "Storage accounts with the activity log exports can be configured to use Customer Managed Keys (CMK).",
+ "rationale": "Configuring the storage account with the activity log export container to use CMKs provides additional confidentiality controls on log data, as a given user must have read permission on the corresponding storage account and must be granted decrypt permission by the CMK.",
+ "impact": "*NOTE* : You must have your key vault setup to utilize this. All Audit Logs will be encrypted with a key you provide. You will need to set up customer managed keys separately, and you will select which key to use via the instructions here. You will be responsible for the lifecycle of the keys, and will need to manually replace them at your own determined intervals to keep the data secure.",
+ "remediation": {
+ "text": "
+ ###### Remediate from Azure Portal
+ 1. Go to Monitor.
+ 2. Select Activity log.
+ 3. Select Export Activity Logs.
+ 4. Select a Subscription.
+ 5. Note the name of the Storage Account for the diagnostic setting.
+ 6. Navigate to Storage accounts.
+ 7. Click on the storage account.
+ 8. Under Security + networking, click Encryption.
+ 9. Next to Encryption type, select Customer-managed keys.
+ 10. Complete the steps to configure a customer-managed key for encryption of the storage account.
+ ",
+ "code": {
+ "powerShell": null,
+ "iac": null,
+ "terraform": null,
+ "other": null
+ }
+ },
+ "recommendation": null,
+ "references": [
+ "https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-data-protection#dp-5-use-customer-managed-key-option-in-data-at-rest-encryption-when-required",
+ "https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/activity-log?tabs=cli#managing-legacy-log-profiles"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "3.0.0",
+ "reference": "6.1.3",
+ "profile": "Level 2"
+ }
+ ],
+ "level": "medium",
+ "tags": [
+
+ ],
+ "rule": {
+ "path": "",
+ "subPath": null,
+ "selectCondition": {
+
+ },
+ "query": [
+ ],
+ "shouldExist": null,
+ "returnObject": null,
+ "removeIfNotExists": null
+ },
+ "output": {
+ "html": {
+ "data": {
+ "expandObject": null
+ },
+ "table": "Normal",
+ "decorate": [
+
+ ],
+ "emphasis": [
+
+ ],
+ "actions": {
+ "objectData": {
+ "expandObject": null,
+ "limit": null
+ },
+ "showGoToButton": "True",
+ "showModalButton": "True",
+ "directLink": null
+ }
+ },
+ "text": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "status": {
+ "keyName": [
+
+ ],
+ "message": "",
+ "defaultMessage": null
+ },
+ "properties": {
+ "resourceName": null,
+ "resourceId": null,
+ "resourceType": null
+ },
+ "onlyStatus": false
+ }
+ },
+ "idSuffix": "storage_account_storing_activity_logs_lack_cmk",
+ "notes": [
+
+ ],
+ "categories": [
+
+ ]
+}
+
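Review bot: This new rule has `"path": ""` and `"query": []`, so it cannot detect a storage account that lacks CMK encryption; as written it is a placeholder that will never raise a finding for CIS 6.1.3, and that should be stated in `notes` (e.g. `"notes": ["TODO: no detection query implemented"]`) so a clean report is not mistaken for compliance. The `remediation.text` value also contains raw line breaks inside a JSON string; the rules this commit replaces encoded them as `\r\n`, and an RFC 8259 parser (jq, Python `json`, schema validators in CI) rejects unescaped control characters, so unless the loader is known to be lenient these should be escaped. `"showGoToButton": "True"` is a string where other rules in this diff use the boolean `false`, which makes the field's type inconsistent across the rule set. On the security point itself, the `impact` text already says the operator owns the key lifecycle; it is worth adding that losing or purging the key makes the exported activity logs unreadable, so the vault holding it needs soft-delete/purge protection and a rotation plan before this control is enforced.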
diff --git a/rules/findings/Azure/App Services/CIS1.5/azure-app-services-logging-disabled.json b/rules/findings/Azure/Diagnostic Settings/CIS3.0/azure-app-services-logging-disabled.json
similarity index 91%
rename from rules/findings/Azure/App Services/CIS1.5/azure-app-services-logging-disabled.json
rename to rules/findings/Azure/Diagnostic Settings/CIS3.0/azure-app-services-logging-disabled.json
index 7612b642..8753e6db 100644
--- a/rules/findings/Azure/App Services/CIS1.5/azure-app-services-logging-disabled.json
+++ b/rules/findings/Azure/Diagnostic Settings/CIS3.0/azure-app-services-logging-disabled.json
@@ -1,11 +1,11 @@
-{
+{
"args": [
],
"provider": "Azure",
- "serviceType": "App Services",
- "serviceName": "Hosted Services",
- "displayName": "Ensure that logging for Azure AppService \u0027AppServiceHTTPLogs\u0027 is enabled",
+ "serviceType": "Diagnostic Settings",
+ "serviceName": "Subscription",
+ "displayName": "Ensure that logging for Azure AppService 'HTTP logs' is enabled",
"description": "Enable AppServiceHTTPLogs diagnostic log category for Azure App Service instances to ensure all http requests are captured and centrally logged.",
"rationale": "Capturing web requests can be important supporting information for security analysts performing monitoring and incident response activities. Once logging, these logs can be ingested into SIEM or other central aggregation point for the organization",
"impact": "Log consumption and processing will incur additional cost.",
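Review bot: `serviceName` is changed from `"Hosted Services"` to `"Subscription"` while the rule still evaluates individual App Service instances (the output properties further down still list `name`, `kind`, `location` and `diagnosticSettings.*` of each app), so findings will presumably be grouped and labelled as subscription-level results even though remediation happens per web app. If the intent is only to regroup the rule under the CIS "Diagnostic Settings" section, `serviceType` alone achieves that and `serviceName` can keep describing the resource kind that is actually reported, e.g. `"serviceName": "App Services"`. I'd also double-check that the rule's `path` and `query` survive the rename, since the hunks shown here do not touch them; the rest of the rule body lies outside this hunk.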
@@ -26,8 +26,9 @@
"compliance": [
{
"name": "CIS Microsoft Azure Foundations",
- "version": "1.5.0",
- "reference": "5.1.7"
+ "version": "3.0.0",
+ "reference": "6.1.6",
+ "profile": "Level 2"
}
],
"level": "low",
@@ -97,7 +98,7 @@
],
"actions": {
"objectData": {
- "expand": [
+ "properties": [
"name",
"kind",
"location",
@@ -105,10 +106,12 @@
"diagnosticSettings.enabled",
"diagnosticSettings.properties.logs.category"
],
+ "expandObject": null,
"limit": null
},
"showGoToButton": "True",
- "showModalButton": "True"
+ "showModalButton": "True",
+ "directLink": null
}
},
"text": {
@@ -141,3 +144,4 @@
]
}
+
diff --git a/rules/findings/Azure/Diagnostic Settings/CIS3.0/azure-diagnostic-settings-for-subscription-missing-categories.json b/rules/findings/Azure/Diagnostic Settings/CIS3.0/azure-diagnostic-settings-for-subscription-missing-categories.json
new file mode 100644
index 00000000..4ea93104
--- /dev/null
+++ b/rules/findings/Azure/Diagnostic Settings/CIS3.0/azure-diagnostic-settings-for-subscription-missing-categories.json
@@ -0,0 +1,118 @@
+{
+ "args": [
+
+ ],
+ "provider": "Azure",
+ "serviceType": "Diagnostic Settings",
+ "serviceName": "Subscription",
+ "displayName": "Ensure Diagnostic Setting captures appropriate categories",
+ "description": "
+ *Prerequisite* : A Diagnostic Setting must exist. If a Diagnostic Setting does not exist, the navigation and options within this recommendation will not be available. Please review the recommendation at the beginning of this subsection titled: `Ensure that a Diagnostic Settings exists`.
+ The diagnostic setting should be configured to log the appropriate activities from the control/management plane.
+ ",
+ "rationale": "A diagnostic setting controls how the diagnostic log is exported. Capturing the diagnostic setting categories for appropriate control/management plane activities allows proper alerting.",
+ "impact": null,
+ "remediation": {
+ "text": "
+ ###### Remediate from Azure Portal
+ 1. Go to Monitor.
+ 2. Click Activity log.
+ 3. Click on Export Activity Logs.
+ 4. Select the Subscription from the drop down menu.
+ 5. Click Edit setting next to a diagnostic setting.
+ 6. Check the following categories: Administrative, Alert, Policy, and Security.
+ 7. Choose the destination details according to your organization's needs.
+ 8. Click Save.
+ ",
+ "code": {
+ "powerShell": null,
+ "iac": null,
+ "terraform": null,
+ "other": null
+ }
+ },
+ "recommendation": null,
+ "references": [
+ "https://docs.microsoft.com/en-us/azure/azure-monitor/platform/diagnostic-settings",
+ "https://docs.microsoft.com/en-us/azure/azure-monitor/samples/resource-manager-diagnostic-settings",
+ "https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-logging-threat-detection#lt-3-enable-logging-for-security-investigation",
+ "https://learn.microsoft.com/en-us/cli/azure/monitor/diagnostic-settings?view=azure-cli-latest",
+ "https://learn.microsoft.com/en-us/powershell/module/az.monitor/new-azsubscriptiondiagnosticsetting?view=azps-9.2.0"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "3.0.0",
+ "reference": "6.1.2",
+ "profile": "Level 1"
+ }
+ ],
+ "level": "medium",
+ "tags": [
+
+ ],
+ "rule": {
+ "path": "",
+ "subPath": null,
+ "selectCondition": {
+
+ },
+ "query": [
+ ],
+ "shouldExist": null,
+ "returnObject": null,
+ "removeIfNotExists": null
+ },
+ "output": {
+ "html": {
+ "data": {
+ "expandObject": null
+ },
+ "table": "Normal",
+ "decorate": [
+
+ ],
+ "emphasis": [
+
+ ],
+ "actions": {
+ "objectData": {
+ "expandObject": null,
+ "limit": null
+ },
+ "showGoToButton": "True",
+ "showModalButton": "True",
+ "directLink": null
+ }
+ },
+ "text": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "status": {
+ "keyName": [
+
+ ],
+ "message": "",
+ "defaultMessage": null
+ },
+ "properties": {
+ "resourceName": null,
+ "resourceId": null,
+ "resourceType": null
+ },
+ "onlyStatus": false
+ }
+ },
+ "idSuffix": "diagnostic_settings_for_subscription_missing_categories",
+ "notes": [
+
+ ],
+ "categories": [
+
+ ]
+}
+
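Review bot: This file replaces the deleted `azure-diagnostic-settings-missing-categories.json` but ships with `"path": ""` and `"query": []`, so the Administrative/Alert/Policy/Security category check no longer exists anywhere — the old rule at least attempted it (its query was visibly mangled by PowerShell array serialization, which is presumably why it was dropped rather than fixed). The check should be rewritten against the subscription diagnostic-settings data, or the rule should carry `"notes": ["TODO: no detection query implemented"]` so the missing finding is not read as a pass. The `idSuffix` is also renamed from `azure_diagnostic_settings_missing_categories` to `diagnostic_settings_for_subscription_missing_categories`, which will break any baseline, suppression or dashboard keyed on the old identifier; that deserves a mention in the release notes. Finally, the `description` string contains raw newlines and a CIS cross-reference ("the recommendation at the beginning of this subsection") that has no counterpart in this rule set; escaping the newlines as `\r\n` and pointing at the actual sibling rule (`diagnostic_settings_for_subscription_not_configured`) would make it self-contained.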
diff --git a/rules/findings/Azure/Diagnostic Settings/CIS1.4/azure-diagnostic-settings-disabled.json b/rules/findings/Azure/Diagnostic Settings/CIS3.0/azure-diagnostic-settings-for-subscription-not-configured.json
similarity index 54%
rename from rules/findings/Azure/Diagnostic Settings/CIS1.4/azure-diagnostic-settings-disabled.json
rename to rules/findings/Azure/Diagnostic Settings/CIS3.0/azure-diagnostic-settings-for-subscription-not-configured.json
index 3ae741c9..f1b91e1d 100644
--- a/rules/findings/Azure/Diagnostic Settings/CIS1.4/azure-diagnostic-settings-disabled.json
+++ b/rules/findings/Azure/Diagnostic Settings/CIS3.0/azure-diagnostic-settings-for-subscription-not-configured.json
@@ -1,16 +1,27 @@
-{
+{
"args": [
],
"provider": "Azure",
"serviceType": "Diagnostic Settings",
"serviceName": "Subscription",
- "displayName": "Ensure that a \u0027Diagnostics Setting\u0027 exists",
- "description": "Enable Diagnostic settings for exporting activity logs. Diagnostic setting are available for each individual resources within a subscription. Settings should be configured for all appropriate resources for your environment.",
+ "displayName": "Ensure that a 'Diagnostic Setting' exists for Subscription Activity Logs",
+ "description": "Enable Diagnostic settings for exporting activity logs. Diagnostic settings are available for each individual resource within a subscription. Settings should be configured for all appropriate resources for your environment.",
"rationale": "A diagnostic setting controls how a diagnostic log is exported. By default, logs are retained only for 90 days. Diagnostic settings should be defined so that logs can be exported and stored for a longer duration in order to analyze security activities within an Azure subscription.",
- "impact": "",
+ "impact": null,
"remediation": {
- "text": "###### From Azure Console\r\n\t\t\t\t\t1. Click on the resource that has a diagnostic status of `disabled`\r\n\t\t\t\t\t2. Select `Add Diagnostic Settings`\r\n\t\t\t\t\t3. Enter a Diagnostic setting `name`\r\n\t\t\t\t\t4. Select the appropriate log, metric, and destination. (This may be Log Analytics/Storage account or Event Hub)\r\n\t\t\t\t\t5. Click `save`\r\n\t\t\t\t\t\r\n\t\t\t\t\tRepeat these step for all resources as needed.",
+ "text": "
+ ###### Remediate from Azure Portal
+ To enable Diagnostic Settings on a Subscription:
+ 1. Go to Monitor
+ 2. Click on Activity log
+ 3. Click on Export Activity Logs
+ 4. Click + Add diagnostic setting
+ 5. Enter a Diagnostic setting name
+ 6. Select Categories for the diagnostic setting
+ 7. Select the appropriate Destination details (this may be Log Analytics, Storage Account, Event Hub, or Partner solution)
+ 8. Click Save
+ ",
"code": {
"powerShell": null,
"iac": null,
@@ -21,14 +32,15 @@
"recommendation": null,
"references": [
"https://docs.microsoft.com/en-us/azure/monitoring-and-diagnostics/monitoring-overview-activity-logs#export-the-activity-log-with-a-log-profile",
- "https://docs.microsoft.com/en-us/cli/azure/monitor/log-profiles?view=azure-cli-latest#az_monitor_log_profiles_create",
- "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-5-centralize-security-log-management-and-analysis"
+ "https://learn.microsoft.com/en-us/cli/azure/monitor/diagnostic-settings?view=azure-cli-latest",
+ "https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-logging-threat-detection#lt-3-enable-logging-for-security-investigation"
],
"compliance": [
{
"name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "5.1.1"
+ "version": "3.0.0",
+ "reference": "6.1.1",
+ "profile": "Level 1"
}
],
"level": "medium",
@@ -36,25 +48,12 @@
],
"rule": {
- "path": "az_diagnostic_settings",
+ "path": "",
"subPath": null,
"selectCondition": {
},
"query": [
- {
- "filter": [
- {
- "conditions": [
- [
- "diagnostic_settings",
- "eq",
- ""
- ]
- ]
- }
- ]
- }
],
"shouldExist": null,
"returnObject": null,
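Review bot: The `az_diagnostic_settings` path and the `diagnostic_settings eq ""` filter are removed and replaced by `"path": ""` with no query, so the "Diagnostic Setting exists" rule (CIS 6.1.1, Level 1) now has no detection logic at all. Because this is the prerequisite control that the category check depends on, an empty query here means the whole 6.1.x subsection silently reports nothing. If the data source was renamed as part of the CIS 3.0 migration, the new path should be set here; if the query is genuinely not ready, add `"notes": ["TODO: no detection query implemented"]` so the report makes the gap visible. The html `properties` table that displayed `diagnostic_settings` per resource is dropped in the following hunk, so reinstating the query will also need the columns restored.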
@@ -63,12 +62,6 @@
"output": {
"html": {
"data": {
- "properties": {
- "name": "Name",
- "type": "Type",
- "location": "Location",
- "diagnostic_settings": "Diagnostic Settings"
- },
"expandObject": null
},
"table": "Normal",
@@ -80,13 +73,12 @@
],
"actions": {
"objectData": {
- "expand": [
- "*"
- ],
+ "expandObject": null,
"limit": null
},
"showGoToButton": "True",
- "showModalButton": "True"
+ "showModalButton": "True",
+ "directLink": null
}
},
"text": {
@@ -111,7 +103,7 @@
"onlyStatus": false
}
},
- "idSuffix": "azure_diagnostic_settings_disabled",
+ "idSuffix": "diagnostic_settings_for_subscription_not_configured",
"notes": [
],
@@ -119,3 +111,4 @@
]
}
+
diff --git a/rules/findings/Azure/Azure KeyVault/CIS1.4/azure-keyvault-logging-enabled.json b/rules/findings/Azure/Diagnostic Settings/CIS3.0/azure-keyvault-logging-disabled.json
similarity index 53%
rename from rules/findings/Azure/Azure KeyVault/CIS1.4/azure-keyvault-logging-enabled.json
rename to rules/findings/Azure/Diagnostic Settings/CIS3.0/azure-keyvault-logging-disabled.json
index ade95f73..f8a5047f 100644
--- a/rules/findings/Azure/Azure KeyVault/CIS1.4/azure-keyvault-logging-enabled.json
+++ b/rules/findings/Azure/Diagnostic Settings/CIS3.0/azure-keyvault-logging-disabled.json
@@ -1,16 +1,26 @@
-{
+{
"args": [
],
"provider": "Azure",
- "serviceType": "Azure KeyVault",
- "serviceName": "Storage",
- "displayName": "Keyvault AuditEvent disabled",
- "description": "Enable AuditEvent logging for key vault instances to ensure interactions with key vaults are logged and available. Monitoring how and when key vaults are accessed, and by whom enables an audit trail of interactions with confidential information, keys and certificates managed by Azure Keyvault. Enabling logging for Key Vault saves information in an Azure storage account that the user provides. This creates a new container named insights-logs-auditevent automatically for the specified storage account, and this same storage account can be used for collecting logs for multiple key vaults",
- "rationale": null,
+ "serviceType": "Diagnostic Settings",
+ "serviceName": "Subscription",
+ "displayName": "Ensure that logging for Azure Key Vault is 'Enabled'",
+ "description": "Enable AuditEvent logging for key vault instances to ensure interactions with key vaults are logged and available. Monitoring how and when key vaults are accessed, and by whom enables an audit trail of interactions with confidential information, keys and certificates managed by Azure Keyvault. Enabling logging for Key Vault saves information in an Azure storage account that the user provides. This creates a new container named insights-logs-auditevent automatically for the specified storage account, and this same storage account can be used for collecting logs for multiple key vaults.",
+ "rationale": "Monitoring how and when key vaults are accessed, and by whom, enables an audit trail of interactions with confidential information, keys, and certificates managed by Azure Key Vault. Enabling logging for Key Vault saves information in a user provided destination of either an Azure storage account or Log Analytics workspace. The same destination can be used for collecting logs for multiple Key Vaults.",
"impact": null,
"remediation": {
- "text": null,
+ "text": "
+ ###### Remediate from Azure Portal
+ 1. Go to Key vaults.
+ 2. Select a Key vault.
+ 3. Under Monitoring, select Diagnostic settings.
+ 4. Click Edit setting to update an existing diagnostic setting, or Add diagnostic setting to create a new one.
+ 5. If creating a new diagnostic setting, provide a name.
+ 6. Configure an appropriate destination.
+ 7. Under Category groups, check audit and allLogs.
+ 8. Click Save.
+ ",
"code": {
"powerShell": null,
"iac": null,
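Review bot: `serviceName` becomes `"Subscription"` for a check that is inherently per-Key Vault (the remediation steps select an individual vault), so findings will be attributed at the wrong level; keeping a resource-level name such as `"Key Vault"` would match how the result is remediated. The new `description` still says logging "saves information in an Azure storage account that the user provides", while the new `rationale` correctly says storage account *or* Log Analytics workspace — the two sentences should agree, and the storage-only wording is stale relative to the remediation text that asks for "an appropriate destination". The remediation asks for both the `audit` and `allLogs` category groups; `allLogs` is broader than CIS's AuditEvent requirement and will increase ingestion cost, which is worth saying in `impact` (currently `null`).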
@@ -20,13 +30,16 @@
},
"recommendation": null,
"references": [
- "https://docs.microsoft.com/en-us/azure/key-vault/key-vault-logging"
+ "https://docs.microsoft.com/en-us/azure/key-vault/general/howto-logging",
+ "https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-data-protection#dp-8-ensure-security-of-key-and-certificate-repository",
+ "https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-logging-threat-detection#lt-3-enable-logging-for-security-investigation"
],
"compliance": [
{
"name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "5.1.5"
+ "version": "3.0.0",
+ "reference": "6.1.4",
+ "profile": "Level 1"
}
],
"level": "medium",
@@ -34,25 +47,12 @@
],
"rule": {
- "path": "az_keyvault",
+ "path": "",
"subPath": null,
"selectCondition": {
},
"query": [
- {
- "filter": [
- {
- "conditions": [
- [
- "diagnosticSettings.enabled",
- "eq",
- "false"
- ]
- ]
- }
- ]
- }
],
"shouldExist": null,
"returnObject": null,
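Review bot: Removing the `az_keyvault` path and the `diagnosticSettings.enabled eq false` filter without a replacement leaves this rule with no detection logic, so CIS 6.1.4 is now reported only as prose. When the query is reinstated it should be tightened rather than restored verbatim: the old condition only tested that *some* diagnostic setting was enabled, so a vault exporting metrics but not the `AuditEvent`/`audit` category would pass even though the control is specifically about audit logging; checking the enabled log category (the same `diagnosticSettings.properties.logs.category` field the App Service rule in this diff already inspects) closes that gap. Until then, `"notes": ["TODO: no detection query implemented"]` would make the gap visible in reports.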
@@ -61,12 +61,6 @@
"output": {
"html": {
"data": {
- "properties": {
- "name": "KeyVault Name",
- "location": "Location",
- "properties.vaultUri": "URI",
- "diagnosticSettings.enabled": "Logging Enabled"
- },
"expandObject": null
},
"table": "asList",
@@ -74,15 +68,18 @@
],
"emphasis": [
- "Logging Enabled"
],
"actions": {
"objectData": {
- "expand": null,
+ "properties": [
+
+ ],
+ "expandObject": null,
"limit": null
},
"showGoToButton": null,
- "showModalButton": null
+ "showModalButton": null,
+ "directLink": null
}
},
"text": {
@@ -115,3 +112,4 @@
]
}
+
diff --git a/rules/findings/Azure/Diagnostic Settings/CIS3.0/azure-monitor-resource-logging-disabled.json b/rules/findings/Azure/Diagnostic Settings/CIS3.0/azure-monitor-resource-logging-disabled.json
new file mode 100644
index 00000000..53deaf14
--- /dev/null
+++ b/rules/findings/Azure/Diagnostic Settings/CIS3.0/azure-monitor-resource-logging-disabled.json
@@ -0,0 +1,114 @@
+{
+ "args": [
+
+ ],
+ "provider": "Azure",
+ "serviceType": "Diagnostic Settings",
+ "serviceName": "Subscription",
+ "displayName": "Ensure that Azure Monitor Resource Logging is Enabled for All Services that Support it",
+ "description": "
+ Resource Logs capture activity to the data access plane while the Activity log is a subscription-level log for the control plane. Resource-level diagnostic logs provide insight into operations that were performed within that resource itself; for example, reading or updating a secret from a Key Vault. Currently, 95 Azure resources support Azure Monitoring (See the more information section for a complete list), including Network Security Groups, Load Balancers, Key Vault, AD, Logic Apps, and CosmosDB. The content of these logs varies by resource type.
+ A number of back-end services were not configured to log and store Resource Logs for certain activities or for a sufficient length. It is crucial that monitoring is correctly configured to log all relevant activities and retain those logs for a sufficient length of time. Given that the mean time to detection in an enterprise is 240 days, a minimum retention period of two years is recommended.
+ ",
+ "rationale": "A lack of monitoring reduces the visibility into the data plane, and therefore an organization's ability to detect reconnaissance, authorization attempts or other malicious activity. Unlike Activity Logs, Resource Logs are not enabled by default. Specifically, without monitoring it would be impossible to tell which entities had accessed a data store that was breached. In addition, alerts for failed attempts to access APIs for Web Services or Databases are only possible when logging is enabled.",
+ "impact": "Costs for monitoring varies with Log Volume. Not every resource needs to have logging enabled. It is important to determine the security classification of the data being processed by the given resource and adjust the logging based on which events need to be tracked. This is typically determined by governance and compliance requirements.",
+ "remediation": {
+ "text": "
+ ###### Remediate from Azure Portal
+ The specific steps for configuring resources within the Azure console vary depending on resource, but typically the steps are:
+ 1. Go to the resource
+ 2. Click on Diagnostic settings
+ 3. In the blade that appears, click `Add diagnostic setting`
+ 4. Configure the diagnostic settings
+ 5. Click on Save
+ ",
+ "code": {
+ "powerShell": null,
+ "iac": null,
+ "terraform": null,
+ "other": null
+ }
+ },
+ "recommendation": null,
+ "references": [
+ "https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-logging-threat-detection#lt-3-enable-logging-for-security-investigation"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "3.0.0",
+ "reference": "6.4",
+ "profile": "Level 1"
+ }
+ ],
+ "level": "medium",
+ "tags": [
+
+ ],
+ "rule": {
+ "path": "",
+ "subPath": null,
+ "selectCondition": {
+
+ },
+ "query": [
+ ],
+ "shouldExist": null,
+ "returnObject": null,
+ "removeIfNotExists": null
+ },
+ "output": {
+ "html": {
+ "data": {
+ "expandObject": null
+ },
+ "table": "asList",
+ "decorate": [
+
+ ],
+ "emphasis": [
+ ],
+ "actions": {
+ "objectData": {
+ "properties": [
+
+ ],
+ "expandObject": null,
+ "limit": null
+ },
+ "showGoToButton": null,
+ "showModalButton": null,
+ "directLink": null
+ }
+ },
+ "text": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "status": {
+ "keyName": [
+
+ ],
+ "message": "",
+ "defaultMessage": null
+ },
+ "properties": {
+ "resourceName": null,
+ "resourceId": null,
+ "resourceType": null
+ },
+ "onlyStatus": false
+ }
+ },
+ "idSuffix": "azure_resource_lack_diagnostic_settings",
+ "notes": [
+
+ ],
+ "categories": [
+
+ ]
+}
+
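Review bot: The rule has `"path": ""` and an empty `query`, so "Resource Logging is Enabled for All Services that Support it" is never actually evaluated; for a Level 1 control that spans every resource type this is a large blind spot and should be called out in `notes` until a query exists. The `description` is copied from the benchmark and refers to "the more information section" and a count of "95 Azure resources", neither of which exists in this rule and the latter of which will drift; I'd trim it to the first paragraph and link the Microsoft list of supported resource log categories in `references` instead. The description also recommends a two-year retention minimum, but nothing in the rule (nor in the remediation steps) checks or configures retention, so either drop that sentence or add a retention check to the future query. `remediation.text` again contains raw newlines inside a JSON string where the previous rules used `\r\n` escapes.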
diff --git a/rules/findings/Azure/Diagnostic Settings/CIS3.0/azure-network-security-group-flow-logs-enabled.json b/rules/findings/Azure/Diagnostic Settings/CIS3.0/azure-network-security-group-flow-logs-enabled.json
new file mode 100644
index 00000000..50a93d90
--- /dev/null
+++ b/rules/findings/Azure/Diagnostic Settings/CIS3.0/azure-network-security-group-flow-logs-enabled.json
@@ -0,0 +1,126 @@
+{
+ "args": [
+
+ ],
+ "provider": "Azure",
+ "serviceType": "Diagnostic Settings",
+ "serviceName": "Subscription",
+ "displayName": "Ensure that Network Security Group Flow logs are captured and sent to Log Analytics",
+ "description": "Ensure that network flow logs are captured and fed into a central log analytics workspace.",
+ "rationale": "Network Flow Logs provide valuable insight into the flow of traffic around your network and feed into both Azure Monitor and Azure Sentinel (if in use), permitting the generation of visual flow diagrams to aid with analyzing for lateral movement, etc.",
+ "impact": "The impact of configuring NSG Flow logs is primarily one of cost and configuration. If deployed, it will create storage accounts that hold minimal amounts of data on a 5-day lifecycle before feeding to Log Analytics Workspace. This will increase the amount of data stored and used by Azure Monitor.",
+ "remediation": {
+ "text": "
+ ###### Remediate from Azure Portal
+ 1. Navigate to Network Watcher.
+ 2. Under Logs, select Flow logs.
+ 3. Select + Create.
+ 4. Select the desired Subscription.
+ 5. For Flow log type, select Network security group.
+ 6. Select + Select target resource.
+ 7. Select Network security group.
+ 8. Select a network security group.
+ 9. Click Confirm selection.
+ 10. Select or create a new Storage Account.
+ 11. If using a v2 storage account, input the retention in days to retain the log.
+ 12. Click Next.
+ 13. Under Analytics, for Flow log version, select Version 2.
+ 14. Check the box next to Enable traffic analytics.
+ 15. Select a processing interval.
+ 16. Select a Log Analytics Workspace.
+ 17. Select Next.
+ 18. Optionally add Tags.
+ 19. Select Review + create.
+ 20. Select Create.
+ ",
+ "code": {
+ "powerShell": null,
+ "iac": null,
+ "terraform": null,
+ "other": null
+ }
+ },
+ "recommendation": null,
+ "references": [
+ "https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-nsg-flow-logging-portal",
+ "https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-logging-threat-detection#lt-4-enable-network-logging-for-security-investigation"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "3.0.0",
+ "reference": "6.1.5",
+ "profile": "Level 2"
+ }
+ ],
+ "level": "medium",
+ "tags": [
+
+ ],
+ "rule": {
+ "path": "",
+ "subPath": null,
+ "selectCondition": {
+
+ },
+ "query": [
+ ],
+ "shouldExist": null,
+ "returnObject": null,
+ "removeIfNotExists": null
+ },
+ "output": {
+ "html": {
+ "data": {
+ "expandObject": null
+ },
+ "table": "asList",
+ "decorate": [
+
+ ],
+ "emphasis": [
+ ],
+ "actions": {
+ "objectData": {
+ "properties": [
+
+ ],
+ "expandObject": null,
+ "limit": null
+ },
+ "showGoToButton": null,
+ "showModalButton": null,
+ "directLink": null
+ }
+ },
+ "text": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "status": {
+ "keyName": [
+
+ ],
+ "message": "",
+ "defaultMessage": null
+ },
+ "properties": {
+ "resourceName": null,
+ "resourceId": null,
+ "resourceType": null
+ },
+ "onlyStatus": false
+ }
+ },
+ "idSuffix": "nsg_flow_logs_disabled",
+ "notes": [
+
+ ],
+ "categories": [
+
+ ]
+}
+
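Review bot: The rule carries no `path` or `query`, so NSG flow-log coverage is not checked; given the `displayName` requires logs to reach Log Analytics, a future query needs to test both that a flow log is enabled for each NSG *and* that traffic analytics targets a workspace, not merely that a flow-log resource exists, and until then `notes` should state that no detection is implemented. The `idSuffix` `nsg_flow_logs_disabled` is narrower than the control (it says nothing about the Log Analytics destination), which will be confusing once the destination check is added. As far as I recall Microsoft has announced the retirement of NSG flow logs in favour of virtual network flow logs — please verify against current Azure documentation; if so, the remediation should at least mention VNet flow logs as the forward path so operators are not steered onto a deprecated feature. `remediation.text` uses raw newlines inside a JSON string, which strict parsers reject; the older rules escaped them as `\r\n`.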
diff --git a/rules/findings/Azure/KeyVault/CIS3.0/azure-expiration-date-for-all-keys-in-non-rbac-keyvault-disabled.json b/rules/findings/Azure/KeyVault/CIS3.0/azure-expiration-date-for-all-keys-in-non-rbac-keyvault-disabled.json
new file mode 100644
index 00000000..3878ee56
--- /dev/null
+++ b/rules/findings/Azure/KeyVault/CIS3.0/azure-expiration-date-for-all-keys-in-non-rbac-keyvault-disabled.json
@@ -0,0 +1,103 @@
+{
+ "args": [
+
+ ],
+ "provider": "Azure",
+ "serviceType": "Azure KeyVault",
+ "serviceName": "Storage",
+ "displayName": "Ensure that the Expiration Date is set for all Keys in Non-RBAC Key Vaults",
+ "description": "Ensure that all Keys in Non Role Based Access Control (RBAC) Azure Key Vaults have an expiration date set.",
+ "rationale": "Azure Key Vault enables users to store and use cryptographic keys within the Microsoft Azure environment. The exp (expiration date) attribute identifies the expiration date on or after which the key MUST NOT be used for encryption of new data, wrapping of new keys, and signing. By default, keys never expire. It is thus recommended that keys be rotated in the key vault and set an explicit expiration date for all keys to help enforce the key rotation. This ensures that the keys cannot be used beyond their assigned lifetimes.",
+ "impact": "Keys cannot be used beyond their assigned expiration dates respectively. Keys need to be rotated periodically wherever they are used.",
+ "remediation": {
+ "text": "###### From Azure Portal\r\n\t\t\t\t\t1. Go to `Key vaults`\r\n\t\t\t\t\t2. For each Key vault, click on `Keys`.\r\n\t\t\t\t\t3. Under the `Settings` section, Make sure `Enabled?` is set to Yes\r\n\t\t\t\t\t4. Set an appropriate **expiration date** on all keys.",
+ "code": {
+ "powerShell": null,
+ "iac": null,
+ "terraform": null,
+ "other": null
+ }
+ },
+ "recommendation": null,
+ "references": [
+ "https://docs.microsoft.com/en-us/azure/key-vault/about-keys-secrets-and-certificates"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "3.0.0",
+ "reference": "3.3.2",
+ "profile":"Level 1"
+ }
+ ],
+ "level": "medium",
+ "tags": [
+
+ ],
+ "rule": {
+ "path": "",
+ "subPath": null,
+ "selectCondition": {
+
+ },
+ "query": [
+ ],
+ "shouldExist": null,
+ "returnObject": null,
+ "removeIfNotExists": null
+ },
+ "output": {
+ "html": {
+ "data": {
+ "expandObject": null
+ },
+ "table": "asList",
+ "decorate": [
+
+ ],
+ "emphasis": [
+ ],
+ "actions": {
+ "objectData": {
+ "properties": [
+
+ ],
+ "expandObject": null,
+ "limit": null
+ },
+ "showGoToButton": null,
+ "showModalButton": null,
+ "directLink": null
+ }
+ },
+ "text": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "status": {
+ "keyName": [
+
+ ],
+ "message": "",
+ "defaultMessage": null
+ },
+ "properties": {
+ "resourceName": null,
+ "resourceId": null,
+ "resourceType": null
+ },
+ "onlyStatus": false
+ }
+ },
+ "idSuffix": "azure_non_rbac_key_vault_keys_notexpire",
+ "notes": [
+
+ ],
+ "categories": [
+
+ ]
+}
+
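Review bot: The `rule` object at L9182–L9193 has `"path": ""` and an empty `query`, so this finding has no data source and no condition; unless the engine treats an empty path as "manual check", it will never evaluate anything and silently reports nothing for CIS 3.3.2. The same placeholder rule appears in the RBAC keys file (L9291–L9302), RBAC secrets (L9518–L9529), automatic key rotation (L9645–L9656), private endpoint (L9764–L9775) and rbac-disabled (L9893–L9904). Either wire a real path and filter (the deleted query in the secrets rename below shows the project's shape) or document the placeholder in `notes`, e.g. `"notes": ["Manual check: no automated query implemented yet"]`, so consumers do not mistake an empty result for compliance. Minor style point: `"profile":"Level 1"` at L9175 (and in every new file) lacks the space after the colon that the renamed files use, e.g. `"profile": "Level 1"` at L10079.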
diff --git a/rules/findings/Azure/KeyVault/CIS3.0/azure-expiration-date-for-all-keys-in-rbac-keyvault-disabled.json b/rules/findings/Azure/KeyVault/CIS3.0/azure-expiration-date-for-all-keys-in-rbac-keyvault-disabled.json
new file mode 100644
index 00000000..b7d319c5
--- /dev/null
+++ b/rules/findings/Azure/KeyVault/CIS3.0/azure-expiration-date-for-all-keys-in-rbac-keyvault-disabled.json
@@ -0,0 +1,103 @@
+{
+ "args": [
+
+ ],
+ "provider": "Azure",
+ "serviceType": "Azure KeyVault",
+ "serviceName": "Storage",
+ "displayName": "Ensure that the Expiration Date is set for all Keys in RBAC Key Vaults",
+ "description": "Ensure that all Keys in Role Based Access Control (RBAC) Azure Key Vaults have an expiration date set.",
+ "rationale": "Azure Key Vault enables users to store and use cryptographic keys within the Microsoft Azure environment. The exp (expiration date) attribute identifies the expiration date on or after which the key MUST NOT be used for encryption of new data, wrapping of new keys, and signing. By default, keys never expire. It is thus recommended that keys be rotated in the key vault and set an explicit expiration date for all keys to help enforce the key rotation. This ensures that the keys cannot be used beyond their assigned lifetimes.",
+ "impact": "Keys cannot be used beyond their assigned expiration dates respectively. Keys need to be rotated periodically wherever they are used.",
+ "remediation": {
+ "text": "###### From Azure Portal\r\n\t\t\t\t\t1. Go to `Key vaults`\r\n\t\t\t\t\t2. For each Key vault, click on `Keys`.\r\n\t\t\t\t\t3. Under the `Settings` section, Make sure `Enabled?` is set to Yes\r\n\t\t\t\t\t4. Set an appropriate **expiration date** on all keys.",
+ "code": {
+ "powerShell": null,
+ "iac": null,
+ "terraform": null,
+ "other": null
+ }
+ },
+ "recommendation": null,
+ "references": [
+ "https://docs.microsoft.com/en-us/azure/key-vault/about-keys-secrets-and-certificates"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "3.0.0",
+ "reference": "3.3.1",
+ "profile":"Level 1"
+ }
+ ],
+ "level": "medium",
+ "tags": [
+
+ ],
+ "rule": {
+ "path": "",
+ "subPath": null,
+ "selectCondition": {
+
+ },
+ "query": [
+ ],
+ "shouldExist": null,
+ "returnObject": null,
+ "removeIfNotExists": null
+ },
+ "output": {
+ "html": {
+ "data": {
+ "expandObject": null
+ },
+ "table": "asList",
+ "decorate": [
+
+ ],
+ "emphasis": [
+ ],
+ "actions": {
+ "objectData": {
+ "properties": [
+
+ ],
+ "expandObject": null,
+ "limit": null
+ },
+ "showGoToButton": null,
+ "showModalButton": null,
+ "directLink": null
+ }
+ },
+ "text": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "status": {
+ "keyName": [
+
+ ],
+ "message": "",
+ "defaultMessage": null
+ },
+ "properties": {
+ "resourceName": null,
+ "resourceId": null,
+ "resourceType": null
+ },
+ "onlyStatus": false
+ }
+ },
+ "idSuffix": "azure_rbac_key_vault_keys_notexpire",
+ "notes": [
+
+ ],
+ "categories": [
+
+ ]
+}
+
diff --git a/rules/findings/Azure/Azure KeyVault/CIS1.4/azure-keyvault-secrets-expiration-set.json b/rules/findings/Azure/KeyVault/CIS3.0/azure-expiration-date-for-all-secrets-in-non-rbac-keyvault-disabled.json
similarity index 53%
rename from rules/findings/Azure/Azure KeyVault/CIS1.4/azure-keyvault-secrets-expiration-set.json
rename to rules/findings/Azure/KeyVault/CIS3.0/azure-expiration-date-for-all-secrets-in-non-rbac-keyvault-disabled.json
index 54fcf6f1..f108ec42 100644
--- a/rules/findings/Azure/Azure KeyVault/CIS1.4/azure-keyvault-secrets-expiration-set.json
+++ b/rules/findings/Azure/KeyVault/CIS3.0/azure-expiration-date-for-all-secrets-in-non-rbac-keyvault-disabled.json
@@ -1,16 +1,16 @@
-{
+{
"args": [
],
"provider": "Azure",
"serviceType": "Azure KeyVault",
"serviceName": "Storage",
- "displayName": "Ensure that the expiration date is set on all Secrets",
- "description": "Ensure that all Secrets in the Azure Key Vault have an expiration time set.",
- "rationale": "The Azure Key Vault enables users to store and keep secrets within the Microsoft Azure environment. Secrets in the Azure Key Vault are octet sequences with a maximum size of 25k bytes each. The exp (expiration time) attribute identifies the expiration time on or after which the secret MUST NOT be used. By default, secrets never expire. It is thus recommended to rotate secrets in the key vault and set an explicit expiration time for all secrets. This ensures that the secrets cannot be used beyond their assigned lifetimes.",
- "impact": "Secrets cannot be used beyond their assigned expiry times respectively. Secrets need to be rotated periodically wherever they are used.",
+ "displayName": "Ensure that the Expiration Date is set for all Secrets in Non-RBAC Key Vaults",
+ "description": "Ensure that all Secrets in Non Role Based Access Control (RBAC) Azure Key Vaults have an expiration date set.",
+ "rationale": "The Azure Key Vault enables users to store and keep secrets within the Microsoft Azure environment. Secrets in the Azure Key Vault are octet sequences with a maximum size of 25k bytes each. The exp (expiration date) attribute identifies the expiration date on or after which the secret MUST NOT be used. By default, secrets never expire. It is thus recommended to rotate secrets in the key vault and set an explicit expiration date for all secrets. This ensures that the secrets cannot be used beyond their assigned lifetimes.",
+ "impact": "Secrets cannot be used beyond their assigned expiry date respectively. Secrets need to be rotated periodically wherever they are used.",
"remediation": {
- "text": "###### From Azure Console\r\n\t\t\t\t\t1. Go to `Key vaults`\r\n\t\t\t\t\t2. For each Key vault, click on `Secrets`.\r\n\t\t\t\t\t3. Under the `Settings` section, Make sure `Enabled?` is set to Yes\r\n\t\t\t\t\t4. Set an appropriate **expiration date** on all keys.",
+ "text": "###### From Azure Portal\r\n\t\t\t\t\t1. Go to `Key vaults`\r\n\t\t\t\t\t2. For each Key vault, click on `Secrets`.\r\n\t\t\t\t\t3. Under the `Settings` section, Make sure `Enabled?` is set to Yes\r\n\t\t\t\t\t4. Set an appropriate **expiration date** on all keys.",
"code": {
"powerShell": null,
"iac": null,
@@ -25,8 +25,9 @@
"compliance": [
{
"name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "8.3"
+ "version": "3.0.0",
+ "reference": "3.3.4",
+ "profile":"Level 1"
}
],
"level": "medium",
@@ -34,30 +35,12 @@
],
"rule": {
- "path": "az_keyvault",
+ "path": "",
"subPath": null,
"selectCondition": {
},
"query": [
- {
- "filter": [
- {
- "conditions": [
- [
- "objects.secrets",
- "ne"
- ],
- [
- "objects.secrets.attributes.exp",
- "eq",
- ""
- ]
- ],
- "operator": "and"
- }
- ]
- }
],
"shouldExist": null,
"returnObject": null,
@@ -66,13 +49,6 @@
"output": {
"html": {
"data": {
- "properties": {
- "name": "KeyVault",
- "objects.secrets.attributes.enabled": "Enabled",
- "objects.secrets.attributes.created": "Creation time",
- "objects.secrets.attributes.updated": "Updated",
- "objects.secrets.attributes.exp": "Expires"
- },
"expandObject": null
},
"table": "asList",
@@ -80,15 +56,18 @@
],
"emphasis": [
- "Expires"
],
"actions": {
"objectData": {
- "expand": null,
+ "properties": [
+
+ ],
+ "expandObject": null,
"limit": null
},
"showGoToButton": null,
- "showModalButton": null
+ "showModalButton": null,
+ "directLink": null
}
},
"text": {
@@ -113,7 +92,7 @@
"onlyStatus": false
}
},
- "idSuffix": "azure_key_vault_secrets_notexpire",
+ "idSuffix": "azure_non_rbac_key_vault_secrets_notexpire",
"notes": [
],
@@ -121,3 +100,4 @@
]
}
+
diff --git a/rules/findings/Azure/KeyVault/CIS3.0/azure-expiration-date-for-all-secrets-in-rbac-keyvault-disabled.json b/rules/findings/Azure/KeyVault/CIS3.0/azure-expiration-date-for-all-secrets-in-rbac-keyvault-disabled.json
new file mode 100644
index 00000000..5ec81cab
--- /dev/null
+++ b/rules/findings/Azure/KeyVault/CIS3.0/azure-expiration-date-for-all-secrets-in-rbac-keyvault-disabled.json
@@ -0,0 +1,103 @@
+{
+ "args": [
+
+ ],
+ "provider": "Azure",
+ "serviceType": "Azure KeyVault",
+ "serviceName": "Storage",
+ "displayName": "Ensure that the Expiration Date is set for all Secrets in RBAC Key Vaults",
+ "description": "Ensure that all Secrets in Role Based Access Control (RBAC) Azure Key Vaults have an expiration date set.",
+ "rationale": "The Azure Key Vault enables users to store and keep secrets within the Microsoft Azure environment. Secrets in the Azure Key Vault are octet sequences with a maximum size of 25k bytes each. The exp (expiration date) attribute identifies the expiration date on or after which the secret MUST NOT be used. By default, secrets never expire. It is thus recommended to rotate secrets in the key vault and set an explicit expiration date for all secrets. This ensures that the secrets cannot be used beyond their assigned lifetimes.",
+ "impact": "Secrets cannot be used beyond their assigned expiry date respectively. Secrets need to be rotated periodically wherever they are used.",
+ "remediation": {
+ "text": "###### From Azure Portal\r\n\t\t\t\t\t1. Go to `Key vaults`\r\n\t\t\t\t\t2. For each Key vault, click on `Secrets`.\r\n\t\t\t\t\t3. Under the `Settings` section, Make sure `Enabled?` is set to Yes\r\n\t\t\t\t\t4. Set an appropriate **expiration date** on all keys.",
+ "code": {
+ "powerShell": null,
+ "iac": null,
+ "terraform": null,
+ "other": null
+ }
+ },
+ "recommendation": null,
+ "references": [
+ "https://docs.microsoft.com/en-us/azure/key-vault/about-keys-secrets-and-certificates"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "3.0.0",
+ "reference": "3.3.3",
+ "profile":"Level 1"
+ }
+ ],
+ "level": "medium",
+ "tags": [
+
+ ],
+ "rule": {
+ "path": "",
+ "subPath": null,
+ "selectCondition": {
+
+ },
+ "query": [
+ ],
+ "shouldExist": null,
+ "returnObject": null,
+ "removeIfNotExists": null
+ },
+ "output": {
+ "html": {
+ "data": {
+ "expandObject": null
+ },
+ "table": "asList",
+ "decorate": [
+
+ ],
+ "emphasis": [
+ ],
+ "actions": {
+ "objectData": {
+ "properties": [
+
+ ],
+ "expandObject": null,
+ "limit": null
+ },
+ "showGoToButton": null,
+ "showModalButton": null,
+ "directLink": null
+ }
+ },
+ "text": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "status": {
+ "keyName": [
+
+ ],
+ "message": "",
+ "defaultMessage": null
+ },
+ "properties": {
+ "resourceName": null,
+ "resourceId": null,
+ "resourceType": null
+ },
+ "onlyStatus": false
+ }
+ },
+ "idSuffix": "azure_rbac_key_vault_secrets_notexpire",
+ "notes": [
+
+ ],
+ "categories": [
+
+ ]
+}
+
diff --git a/rules/findings/Azure/KeyVault/CIS3.0/azure-keyvault-automatic-key-rotation-disabled.json b/rules/findings/Azure/KeyVault/CIS3.0/azure-keyvault-automatic-key-rotation-disabled.json
new file mode 100644
index 00000000..d306e83e
--- /dev/null
+++ b/rules/findings/Azure/KeyVault/CIS3.0/azure-keyvault-automatic-key-rotation-disabled.json
@@ -0,0 +1,121 @@
+{
+ "args": [
+
+ ],
+ "provider": "Azure",
+ "serviceType": "Azure KeyVault",
+ "serviceName": "Storage",
+ "displayName": "Ensure Automatic Key Rotation is Enabled Within Azure Key Vault for the Supported Services",
+ "description": "Automatic Key Rotation is available in Public Preview. The currently supported applications are Key Vault, Managed Disks, and Storage accounts accessing keys within Key Vault. The number of supported applications will incrementally increased.",
+ "rationale": "Once set up, Automatic Private Key Rotation removes the need for manual administration when keys expire at intervals determined by your organization's policy. The recommended key lifetime is 2 years. Your organization should determine its own key expiration policy.",
+ "impact": "There are an additional costs per operation in running the needed applications.",
+ "remediation": {
+ "text": "
+ ###### Remediate from Azure Portal
+ 1. From Azure Portal select the Portal Menu in the top left.
+ 2. Select Key Vaults.
+ 3. Select a Key Vault to audit.
+ 4. Under Objects select Keys.
+ 5. Select a key to audit.
+ 6. In the top row select Rotation policy.
+ 7. Select an Expiry time.
+ 8. Set Enable auto rotation to Enabled.
+ 9. Set an appropriate Rotation option and Rotation time.
+ 10. Optionally set the Notification time.
+ 11. Select Save.
+ 12. Repeat steps 3-11 for each Key Vault and Key.
+ ",
+ "code": {
+ "powerShell": null,
+ "iac": null,
+ "terraform": null,
+ "other": null
+ }
+ },
+ "recommendation": null,
+ "references": [
+ "https://docs.microsoft.com/en-us/azure/key-vault/keys/how-to-configure-key-rotation",
+ "https://docs.microsoft.com/en-us/azure/storage/common/customer-managed-keys-overview#update-the-key-version",
+ "https://docs.microsoft.com/en-us/azure/virtual-machines/windows/disks-enable-customer-managed-keys-powershell#set-up-an-azure-key-vault-and-diskencryptionset-optionally-with-automatic-key-rotation",
+ "https://azure.microsoft.com/en-us/updates/public-preview-automatic-key-rotation-of-customermanaged-keys-for-encrypting-azure-managed-disks/",
+ "https://docs.microsoft.com/en-us/cli/azure/keyvault/key/rotation-policy?view=azure-cli-latest#az-keyvault-key-rotation-policy-update"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "3.0.0",
+ "reference": "3.3.8",
+ "profile":"Level 2"
+ }
+ ],
+ "level": "medium",
+ "tags": [
+
+ ],
+ "rule": {
+ "path": "",
+ "subPath": null,
+ "selectCondition": {
+
+ },
+ "query": [
+ ],
+ "shouldExist": null,
+ "returnObject": null,
+ "removeIfNotExists": null
+ },
+ "output": {
+ "html": {
+ "data": {
+ "expandObject": null
+ },
+ "table": "asList",
+ "decorate": [
+
+ ],
+ "emphasis": [
+ ],
+ "actions": {
+ "objectData": {
+ "properties": [
+
+ ],
+ "expandObject": null,
+ "limit": null
+ },
+ "showGoToButton": null,
+ "showModalButton": null,
+ "directLink": null
+ }
+ },
+ "text": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "status": {
+ "keyName": [
+
+ ],
+ "message": "",
+ "defaultMessage": null
+ },
+ "properties": {
+ "resourceName": null,
+ "resourceId": null,
+ "resourceType": null
+ },
+ "onlyStatus": false
+ }
+ },
+ "idSuffix": "azure_key_vault_automatic_key_rotation_disabled",
+ "notes": [
+
+ ],
+ "categories": [
+
+ ]
+}
+
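Review bot: The `remediation.text` value at L9603–L9617 spans several physical lines with raw newlines inside the string literal, which RFC 8259 parsers reject, so this file will fail to load unless the rule loader is a lenient non-JSON parser. The same defect, compounded by single-quoted strings, appears in the private-endpoint file (`"description":'` at L9726–L9728 and `"text": ''` at L9732), the rbac-disabled file (L9845–L9848, L9852–L9866) and the recoverable rename (L9977–L9981); the NSG flow-logs text at the top of this view has it too, but that hunk begins outside the view. The existing files show the intended encoding — a single double-quoted line with `\r\n\t\t\t\t\t` separators as at L9158 — and the multi-line steps should be collapsed to that form, e.g. `"text": "###### Remediate from Azure Portal\r\n\t\t\t\t\t1. From Azure Portal select the Portal Menu in the top left.\r\n\t\t\t\t\t2. Select Key Vaults.\r\n..."`. Running the rule tree through `python -m json.tool` or `jq .` in CI would catch this class of error before merge.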
diff --git a/rules/findings/Azure/KeyVault/CIS3.0/azure-keyvault-private-endpoint-disabled.json b/rules/findings/Azure/KeyVault/CIS3.0/azure-keyvault-private-endpoint-disabled.json
new file mode 100644
index 00000000..f41c77d8
--- /dev/null
+++ b/rules/findings/Azure/KeyVault/CIS3.0/azure-keyvault-private-endpoint-disabled.json
@@ -0,0 +1,113 @@
+{
+ "args": [
+
+ ],
+ "provider": "Azure",
+ "serviceType": "Azure KeyVault",
+ "serviceName": "Storage",
+ "displayName": "Private endpoints will secure network traffic from Azure Key Vault to the resources requesting secrets and keys.",
+ "description":'
+ Private endpoints will secure network traffic from Azure Key Vault to the resources requesting secrets and keys.
+ ',
+ "rationale": "Private endpoints will keep network requests to Azure Key Vault limited to the endpoints attached to the resources that are whitelisted to communicate with each other. Assigning the Key Vault to a network without an endpoint will allow other resources on that network to view all traffic from the Key Vault to its destination. In spite of the complexity in configuration, this is recommended for high security secrets.",
+ "impact": "Incorrect or poorly-timed changing of network configuration could result in service interruption. There are also additional costs tiers for running a private endpoint per petabyte or more of networking traffic.",
+ "remediation": {
+ "text": '',
+ "code": {
+ "powerShell": null,
+ "iac": null,
+ "terraform": null,
+ "other": null
+ }
+ },
+ "recommendation": null,
+ "references": [
+ "https://docs.microsoft.com/en-us/azure/private-link/private-endpoint-overview",
+ "https://docs.microsoft.com/en-us/azure/storage/common/storage-private-endpoints",
+ "https://azure.microsoft.com/en-us/pricing/details/private-link/",
+ "https://docs.microsoft.com/en-us/azure/key-vault/general/private-link-service?tabs=portal",
+ "https://docs.microsoft.com/en-us/azure/virtual-network/quick-create-portal",
+ "https://docs.microsoft.com/en-us/azure/private-link/tutorial-private-endpoint-storage-portal",
+ "https://docs.microsoft.com/en-us/azure/bastion/bastion-overview",
+ "https://docs.microsoft.com/azure/dns/private-dns-getstarted-cli#create-an-additional-dns-record",
+ "https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-data-protection#dp-8-ensure-security-of-key-and-certificate-repository"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "3.0.0",
+ "reference": "3.3.7",
+ "profile":"Level 2"
+ }
+ ],
+ "level": "medium",
+ "tags": [
+
+ ],
+ "rule": {
+ "path": "",
+ "subPath": null,
+ "selectCondition": {
+
+ },
+ "query": [
+ ],
+ "shouldExist": null,
+ "returnObject": null,
+ "removeIfNotExists": null
+ },
+ "output": {
+ "html": {
+ "data": {
+ "expandObject": null
+ },
+ "table": "asList",
+ "decorate": [
+
+ ],
+ "emphasis": [
+ ],
+ "actions": {
+ "objectData": {
+ "properties": [
+
+ ],
+ "expandObject": null,
+ "limit": null
+ },
+ "showGoToButton": null,
+ "showModalButton": null,
+ "directLink": null
+ }
+ },
+ "text": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "status": {
+ "keyName": [
+
+ ],
+ "message": "",
+ "defaultMessage": null
+ },
+ "properties": {
+ "resourceName": null,
+ "resourceId": null,
+ "resourceType": null
+ },
+ "onlyStatus": false
+ }
+ },
+ "idSuffix": "azure_key_vault_private_endpoint_disabled",
+ "notes": [
+
+ ],
+ "categories": [
+
+ ]
+}
+
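Review bot: `displayName` at L9725 is the same explanatory sentence used as `description` at L9727, not a recommendation title like the other files' displayNames, so the finding list will show a prose sentence where a title is expected; the CIS 3.0.0 recommendation 3.3.7 is titled along the lines of "Ensure that Private Endpoints are Used for Azure Key Vault" (confirm against the benchmark text). `remediation.text` at L9732 is empty while the sibling new rules carry portal steps, so a reader of this finding gets no guidance on how to fix it; at minimum point to the `private-link-service` reference already listed at L9745, e.g. `"text": "See the Azure Key Vault private link documentation in the references for endpoint setup."`.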
diff --git a/rules/findings/Azure/KeyVault/CIS3.0/azure-keyvault-rbac-disabled.json b/rules/findings/Azure/KeyVault/CIS3.0/azure-keyvault-rbac-disabled.json
new file mode 100644
index 00000000..48686d5c
--- /dev/null
+++ b/rules/findings/Azure/KeyVault/CIS3.0/azure-keyvault-rbac-disabled.json
@@ -0,0 +1,123 @@
+{
+ "args": [
+
+ ],
+ "provider": "Azure",
+ "serviceType": "Azure KeyVault",
+ "serviceName": "Storage",
+ "displayName": "Enable Role Based Access Control for Azure Key Vault",
+ "description":'
+ The recommended way to access Key Vaults is to use the Azure Role-Based Access Control (RBAC) permissions model.
+ Azure RBAC is an authorization system built on Azure Resource Manager that provides fine-grained access management of Azure resources. It allows users to manage Key, Secret, and Certificate permissions. It provides one place to manage all permissions across all key vaults.
+ ',
+ "rationale": "The new RBAC permissions model for Key Vaults enables a much finer grained access control for key vault secrets, keys, certificates, etc., than the vault access policy. This in turn will permit the use of privileged identity management over these roles, thus securing the key vaults with JIT Access management.",
+ "impact": "Implementation needs to be properly designed from the ground up, as this is a fundamental change to the way key vaults are accessed/managed. Changing permissions to key vaults will result in loss of service as permissions are re-applied. For the least amount of downtime, map your current groups and users to their corresponding permission needs.",
+ "remediation": {
+ "text": '
+ ###### Remediate from Azure Portal
+ Key Vaults can be configured to use Azure role-based access control on creation.
+ For existing Key Vaults:
+ 1. From Azure Home open the Portal Menu in the top left corner
+ 2. Select Key Vaults
+ 3. Select a Key Vault to audit
+ 4. Select Access configuration
+ 5. Set the Permission model radio button to Azure role-based access control,
+ taking note of the warning message
+ 6. Click Save
+ 7. Select Access Control (IAM)
+ 8. Select the Role Assignments tab
+ 9. Reapply permissions as needed to groups or users
+ ',
+ "code": {
+ "powerShell": null,
+ "iac": null,
+ "terraform": null,
+ "other": null
+ }
+ },
+ "recommendation": null,
+ "references": [
+ "https://docs.microsoft.com/en-gb/azure/key-vault/general/rbac-migration#vault-access-policy-to-azure-rbac-migration-steps",
+ "https://docs.microsoft.com/en-gb/azure/role-based-access-control/role-assignments-portal?tabs=current",
+ "https://docs.microsoft.com/en-gb/azure/role-based-access-control/overview",
+ "https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-data-protection#dp-8-ensure-security-of-key-and-certificate-repository"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "3.0.0",
+ "reference": "3.3.3",
+ "profile":"Level 2"
+ }
+ ],
+ "level": "medium",
+ "tags": [
+
+ ],
+ "rule": {
+ "path": "",
+ "subPath": null,
+ "selectCondition": {
+
+ },
+ "query": [
+ ],
+ "shouldExist": null,
+ "returnObject": null,
+ "removeIfNotExists": null
+ },
+ "output": {
+ "html": {
+ "data": {
+ "expandObject": null
+ },
+ "table": "asList",
+ "decorate": [
+
+ ],
+ "emphasis": [
+ ],
+ "actions": {
+ "objectData": {
+ "properties": [
+
+ ],
+ "expandObject": null,
+ "limit": null
+ },
+ "showGoToButton": null,
+ "showModalButton": null,
+ "directLink": null
+ }
+ },
+ "text": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "status": {
+ "keyName": [
+
+ ],
+ "message": "",
+ "defaultMessage": null
+ },
+ "properties": {
+ "resourceName": null,
+ "resourceId": null,
+ "resourceType": null
+ },
+ "onlyStatus": false
+ }
+ },
+ "idSuffix": "azure_key_vault_rbac_disabled",
+ "notes": [
+
+ ],
+ "categories": [
+
+ ]
+}
+
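Review bot: The compliance `reference` at L9885 is `3.3.3`, which is already used by the RBAC secrets expiration file at L9510, so two distinct findings map to the same CIS item and reporting grouped by benchmark reference will merge them. In CIS Microsoft Azure Foundations 3.0.0 the key-vault RBAC recommendation is, to my recollection, numbered 3.3.6 (the 3.3.1–3.3.4 range covers key/secret expiration and 3.3.5 is recoverability, consistent with L9992); please verify and change L9885 to `"reference": "3.3.6",`.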
diff --git a/rules/findings/Azure/Azure KeyVault/CIS1.4/azure-keyvault-recoverable.json b/rules/findings/Azure/KeyVault/CIS3.0/azure-keyvault-recoverable.json
similarity index 77%
rename from rules/findings/Azure/Azure KeyVault/CIS1.4/azure-keyvault-recoverable.json
rename to rules/findings/Azure/KeyVault/CIS3.0/azure-keyvault-recoverable.json
index b923c3b5..b1e02a18 100644
--- a/rules/findings/Azure/Azure KeyVault/CIS1.4/azure-keyvault-recoverable.json
+++ b/rules/findings/Azure/KeyVault/CIS3.0/azure-keyvault-recoverable.json
@@ -1,4 +1,4 @@
-{
+{
"args": [
],
@@ -6,7 +6,11 @@
"serviceType": "Azure KeyVault",
"serviceName": "Storage",
"displayName": "Ensure the key vault is recoverable",
- "description": "The key vault contains object keys, secrets and certificates. Accidental unavailability of a key vault can cause immediate data loss or loss of security functions (authentication, validation, verification, non-repudiation, etc.) supported by the key vault objects.\r\n\t\t\t\t\tIt is recommended the key vault be made recoverable by enabling the \"Do Not Purge\" and \"Soft Delete\" functions. This is in order to prevent loss of encrypted data including storage accounts, SQL databases, and/or dependent services provided by key vault objects (Keys, Secrets, Certificates) etc., as may happen in the case of accidental deletion by a user or from disruptive activity by a malicious user.",
+ "description":'
+ The Key Vault contains object keys, secrets, and certificates. Accidental unavailability of a Key Vault can cause immediate data loss or loss of security functions (authentication, validation, verification, non-repudiation, etc.) supported by the Key Vault objects. It is recommended the Key Vault be made recoverable by enabling the "Do Not Purge" and "Soft Delete" functions. This is in order to prevent loss of encrypted data, including storage accounts, SQL databases, and/or dependent services provided by Key Vault objects (Keys, Secrets, Certificates) etc. This may happen in the case of accidental deletion by a user or from disruptive activity by a malicious user.
+ *NOTE*: In February 2025, Microsoft will enable soft-delete protection on all key vaults, and users will no longer be able to opt out of or turn off soft-delete.
+ *WARNING*: A current limitation is that role assignments disappearing when Key Vault is deleted. All role assignments will need to be recreated after recovery.
+ ',
"rationale": "There could be scenarios where users accidently run delete/purge commands on key vault or attacker/malicious user does it deliberately to cause disruption. Deleting or purging a key vault leads to immediate data loss as keys encrypting data and secrets/certificates allowing access/services will become non-accessible. There are 2 key vault properties that plays role in permanent unavailability of a key vault.\r\n\t\t\t\t\t1. enableSoftDelete:\r\n\t\t\t\t\tSetting this parameter to true for a key vault ensures that even if key vault is deleted, Key vault itself or its objects remain recoverable for next 90days. In this span of 90 days either key vault/objects can be recovered or purged (permanent deletion). If no action is taken, after 90 days key vault and its objects will be purged.\r\n\t\t\t\t\t2. enablePurgeProtection:\r\n\t\t\t\t\tenableSoftDelete only ensures that key vault is not deleted permanently and will be recoverable for 90 days from date of deletion. However, there are chances that the key vault and/or its objects are accidentally purged and hence will not be recoverable. Setting enablePurgeProtection to \"true\" ensures that the key vault and its objects cannot be purged.\r\n\t\t\t\t\tEnabling both the parameters on key vaults ensures that key vaults and their objects cannot be deleted/purged permanently.",
"impact": "Once purge-protection and soft-delete is enabled for a key vault, the action is irreversible.",
"remediation": {
@@ -25,8 +29,9 @@
"compliance": [
{
"name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "8.6"
+ "version": "3.0.0",
+ "reference": "3.3.5",
+ "profile":"Level 1"
}
],
"level": "medium",
@@ -86,11 +91,15 @@
],
"actions": {
"objectData": {
- "expand": null,
+ "properties": [
+
+ ],
+ "expandObject": null,
"limit": null
},
"showGoToButton": null,
- "showModalButton": null
+ "showModalButton": null,
+ "directLink": null
}
},
"text": {
@@ -123,3 +132,4 @@
]
}
+
diff --git a/rules/findings/Azure/Azure Network Security Group/CIS1.4/azure-nsg-port-open.json b/rules/findings/Azure/Network Security Group/CIS3.0/azure-nsg-port-open.json
similarity index 95%
rename from rules/findings/Azure/Azure Network Security Group/CIS1.4/azure-nsg-port-open.json
rename to rules/findings/Azure/Network Security Group/CIS3.0/azure-nsg-port-open.json
index fac5d0de..ed0569b7 100644
--- a/rules/findings/Azure/Azure Network Security Group/CIS1.4/azure-nsg-port-open.json
+++ b/rules/findings/Azure/Network Security Group/CIS3.0/azure-nsg-port-open.json
@@ -1,4 +1,4 @@
-{
+{
"args": [
],
@@ -93,13 +93,15 @@
],
"actions": {
"objectData": {
- "expand": [
+ "properties": [
"*"
],
+ "expandObject": null,
"limit": null
},
"showGoToButton": false,
- "showModalButton": false
+ "showModalButton": false,
+ "directLink": null
}
},
"text": {
@@ -132,3 +134,4 @@
]
}
+
diff --git a/rules/findings/Azure/Azure Network Security Group/CIS1.4/azure-nsg-tcp-ports-open.json b/rules/findings/Azure/Network Security Group/CIS3.0/azure-nsg-tcp-ports-open.json
similarity index 90%
rename from rules/findings/Azure/Azure Network Security Group/CIS1.4/azure-nsg-tcp-ports-open.json
rename to rules/findings/Azure/Network Security Group/CIS3.0/azure-nsg-tcp-ports-open.json
index ca0f7970..b60886de 100644
--- a/rules/findings/Azure/Azure Network Security Group/CIS1.4/azure-nsg-tcp-ports-open.json
+++ b/rules/findings/Azure/Network Security Group/CIS3.0/azure-nsg-tcp-ports-open.json
@@ -1,11 +1,11 @@
-{
+{
"args": [
],
"provider": "Azure",
"serviceType": "Network Security Groups",
"serviceName": "Network",
- "displayName": "Ensure that _ARG_0_ access is restricted from the internet",
+ "displayName": "Ensure that _ARG_0_ access from the Internet is evaluated and restricted",
"description": "_ARG_2_",
"rationale": "_ARG_3_",
"impact": null,
@@ -26,7 +26,8 @@
{
"name": "CIS Microsoft Azure Foundations",
"version": "_ARG_4_",
- "reference": "_ARG_5_"
+ "reference": "_ARG_5_",
+ "profile": "Level 1"
},
[
"_ARG_6_"
@@ -110,13 +111,15 @@
],
"actions": {
"objectData": {
- "expand": [
+ "properties": [
"*"
],
+ "expandObject": null,
"limit": null
},
"showGoToButton": false,
- "showModalButton": false
+ "showModalButton": false,
+ "directLink": null
}
},
"text": {
@@ -149,3 +152,4 @@
]
}
+
diff --git a/rules/findings/Azure/Azure Network Security Group/CIS1.4/azure-nsg-udp-ports-open.json b/rules/findings/Azure/Network Security Group/CIS3.0/azure-nsg-udp-ports-open.json
similarity index 90%
rename from rules/findings/Azure/Azure Network Security Group/CIS1.4/azure-nsg-udp-ports-open.json
rename to rules/findings/Azure/Network Security Group/CIS3.0/azure-nsg-udp-ports-open.json
index 13a34884..272e2fec 100644
--- a/rules/findings/Azure/Azure Network Security Group/CIS1.4/azure-nsg-udp-ports-open.json
+++ b/rules/findings/Azure/Network Security Group/CIS3.0/azure-nsg-udp-ports-open.json
@@ -1,11 +1,11 @@
-{
+{
"args": [
],
"provider": "Azure",
"serviceType": "Network Security Groups",
"serviceName": "Network",
- "displayName": "Ensure that _ARG_0_ access is restricted from the internet",
+ "displayName": "Ensure that _ARG_0_ access from the Internet is evaluated and restricted",
"description": "_ARG_2_",
"rationale": "_ARG_3_",
"impact": null,
@@ -26,7 +26,8 @@
{
"name": "CIS Microsoft Azure Foundations",
"version": "_ARG_4_",
- "reference": "_ARG_5_"
+ "reference": "_ARG_5_",
+ "profile": "Level 1"
},
[
"_ARG_6_"
@@ -110,13 +111,15 @@
],
"actions": {
"objectData": {
- "expand": [
+ "properties": [
"*"
],
+ "expandObject": null,
"limit": null
},
"showGoToButton": false,
- "showModalButton": false
+ "showModalButton": false,
+ "directLink": null
}
},
"text": {
@@ -149,3 +152,4 @@
]
}
+
diff --git a/rules/findings/Azure/Azure Network Watcher/CIS1.4/azure-network-watcher-disabled.json b/rules/findings/Azure/Network Watcher/CIS3.0/azure-network-watcher-disabled.json
similarity index 66%
rename from rules/findings/Azure/Azure Network Watcher/CIS1.4/azure-network-watcher-disabled.json
rename to rules/findings/Azure/Network Watcher/CIS3.0/azure-network-watcher-disabled.json
index 793c8e48..f936faef 100644
--- a/rules/findings/Azure/Azure Network Watcher/CIS1.4/azure-network-watcher-disabled.json
+++ b/rules/findings/Azure/Network Watcher/CIS3.0/azure-network-watcher-disabled.json
@@ -1,14 +1,14 @@
-{
+{
"args": [
],
"provider": "Azure",
"serviceType": "Network Watcher",
"serviceName": "Network",
- "displayName": "Enable Network Watcher for Azure subscriptions in all regions",
- "description": "Azure Network Watcher provides tools to monitor, diagnose, view metrics, and enable or disable logs for resources in an Azure virtual network. The security group view capability shows all security rules applied to the network interfaces, as well as the subnet the network interface is in, and the aggregate of both. An administrator can add, remove, or change rules.",
+ "displayName": "Ensure that Network Watcher is 'Enabled' for Azure Regions that are in use",
+ "description": "Enable Network Watcher for physical regions in Azure subscriptions.",
"rationale": "Network diagnostic and visualization tools available with Network Watcher help users understand, diagnose, and gain insights to the network in Azure.",
- "impact": null,
+ "impact": "There are additional costs per transaction to run and store network data. For high volume networks these charges will add up quickly.",
"remediation": {
"text": "Opting-out of Network Watcher automatic enablement is a permanent change. Once you opt-out you cannot opt-in without contacting support.",
"code": {
@@ -20,13 +20,19 @@
},
"recommendation": null,
"references": [
- "https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-monitoring-overview"
+ "https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-monitoring-overview",
+ "https://learn.microsoft.com/en-us/cli/azure/network/watcher?view=azure-cli-latest",
+ "https://learn.microsoft.com/en-us/cli/azure/network/watcher?view=azure-cli-latest#az-network-watcher-configure",
+ "https://learn.microsoft.com/en-us/azure/network-watcher/network-watcher-create",
+ "https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-logging-threat-detection#lt-4-enable-network-logging-for-security-investigation",
+ "https://azure.microsoft.com/en-ca/pricing/details/network-watcher/"
],
"compliance": [
{
"name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "6.5"
+ "version": "3.0.0",
+ "reference": "6.5",
+ "profile": "Level 2"
}
],
"level": "medium",
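Review bot: The `reference` on the new side stays `"6.5"` while `version` moves to `"3.0.0"`, but the sibling renames in this commit renumber section 6 controls into section 7 for 3.0.0 (6.4 → 7.5 for flow-log retention, 6.7 → 7.7 for unassigned public IPs), so this looks like a missed renumbering. In the 3.0.0 numbering the Network Watcher control is most likely 7.6, but verify against the benchmark before changing `"reference": "6.5"`. A stale reference misfiles the finding in any report that groups by benchmark section, and this is the field compliance reporting keys on.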
@@ -75,13 +81,15 @@
],
"actions": {
"objectData": {
- "expand": [
+ "properties": [
"*"
],
+ "expandObject": null,
"limit": null
},
"showGoToButton": false,
- "showModalButton": false
+ "showModalButton": false,
+ "directLink": null
}
},
"text": {
@@ -114,3 +122,4 @@
]
}
+
diff --git a/rules/findings/Azure/Azure Network Watcher/CIS1.4/azure-network-watcher-flow-log-retention.json b/rules/findings/Azure/Network Watcher/CIS3.0/azure-network-watcher-flow-log-retention.json
similarity index 78%
rename from rules/findings/Azure/Azure Network Watcher/CIS1.4/azure-network-watcher-flow-log-retention.json
rename to rules/findings/Azure/Network Watcher/CIS3.0/azure-network-watcher-flow-log-retention.json
index afd8882d..4e594011 100644
--- a/rules/findings/Azure/Azure Network Watcher/CIS1.4/azure-network-watcher-flow-log-retention.json
+++ b/rules/findings/Azure/Network Watcher/CIS3.0/azure-network-watcher-flow-log-retention.json
@@ -1,14 +1,14 @@
-{
+{
"args": [
],
"provider": "Azure",
"serviceType": "Network Watcher",
"serviceName": "Network",
- "displayName": "Network Security Group Flow Logs should be enabled and the retention period is set to greater than or equal to 90 days",
- "description": "Flow logs enable capturing information about IP traffic flowing in and out of network security groups. Logs can be used to check for anomalies and give insight into suspected breaches.",
+ "displayName": "Ensure that Network Security Group Flow Log retention period is 'greater than 90 days'",
+ "description": "Network Security Group Flow Logs should be enabled and the retention period set to greater than or equal to 90 days.",
"rationale": "Flow logs enable capturing information about IP traffic flowing in and out of network security groups. Logs can be used to check for anomalies and give insight into suspected breaches.",
- "impact": null,
+ "impact": "This will keep IP traffic logs for longer than 90 days. As a level 2, first determine your need to retain data, then apply your selection here. As this is data stored for longer, your monthly storage costs will increase depending on your data use.",
"remediation": {
"text": "###### From Azure Console\r\n\t\t\t\t\t1. Go to `Network Watcher`\r\n\t\t\t\t\t2. Select `NSG flow logs` blade in the Logs section\r\n\t\t\t\t\t3. Select each Network Security Group from the list\r\n\t\t\t\t\t4. Ensure `Status` is set to `On`\r\n\t\t\t\t\t5. Ensure `Retention (days)` setting `greater than 90 days`\r\n\t\t\t\t\t6. Select your storage account in the `Storage account` field\r\n\t\t\t\t\t7. Select `Save`",
"code": {
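Review bot: The new `displayName` says the retention period should be `'greater than 90 days'` while the new `description` on the next line says `greater than or equal to 90 days`, so the two disagree at exactly 90 days; the remediation step 5 also says `greater than 90 days`. Whichever boundary the rule's comparison (outside this hunk) actually enforces, the three strings should state the same one, e.g. align the description to `"Network Security Group Flow Logs should be enabled and the retention period set to greater than 90 days."` if the check is strict. Note that the remediation text is kept as one escaped double-quoted line (`\r\n\t\t\t\t\t`), which is the encoding the multi-line strings in the new storage-account rules in this commit should also use.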
@@ -25,8 +25,9 @@
"compliance": [
{
"name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "6.4"
+ "version": "3.0.0",
+ "reference": "7.5",
+ "profile": "Level 2"
}
],
"level": "medium",
@@ -81,13 +82,15 @@
],
"actions": {
"objectData": {
- "expand": [
+ "properties": [
"*"
],
+ "expandObject": null,
"limit": null
},
"showGoToButton": false,
- "showModalButton": false
+ "showModalButton": false,
+ "directLink": null
}
},
"text": {
@@ -120,3 +123,4 @@
]
}
+
diff --git a/rules/findings/Azure/Network/azure-unassigned-public-ip-address.json b/rules/findings/Azure/Network/CIS3.0/azure-unassigned-public-ip-address.json
similarity index 95%
rename from rules/findings/Azure/Network/azure-unassigned-public-ip-address.json
rename to rules/findings/Azure/Network/CIS3.0/azure-unassigned-public-ip-address.json
index 80fddd0e..38e01113 100644
--- a/rules/findings/Azure/Network/azure-unassigned-public-ip-address.json
+++ b/rules/findings/Azure/Network/CIS3.0/azure-unassigned-public-ip-address.json
@@ -1,4 +1,4 @@
-{
+{
"args": [
],
@@ -26,8 +26,9 @@
"compliance": [
{
"name": "CIS Microsoft Azure Foundations",
- "version": "2.0.0",
- "reference": "6.7"
+ "version": "3.0.0",
+ "reference": "7.7",
+ "profile": "Level 1"
}
],
"level": "medium",
@@ -80,7 +81,7 @@
],
"actions": {
"objectData": {
- "expand": [
+ "properties": [
"name",
"location",
"resourceGroupName",
@@ -88,10 +89,12 @@
"publicIPAllocationMethod",
"associatedTo"
],
+ "expandObject": null,
"limit": null
},
"showGoToButton": "True",
- "showModalButton": "True"
+ "showModalButton": "True",
+ "directLink": null
}
},
"text": {
@@ -124,3 +127,4 @@
]
}
+
diff --git a/rules/findings/Azure/Storage Account/CIS3.0/azure-storage-account-blob-anonymous-access-enabled.json b/rules/findings/Azure/Storage Account/CIS3.0/azure-storage-account-blob-anonymous-access-enabled.json
new file mode 100644
index 00000000..83c96dfb
--- /dev/null
+++ b/rules/findings/Azure/Storage Account/CIS3.0/azure-storage-account-blob-anonymous-access-enabled.json
@@ -0,0 +1,114 @@
+{
+ "args": [
+
+ ],
+ "provider": "Azure",
+ "serviceType": "Storage Accounts",
+ "serviceName": "Storage",
+ "displayName": "Ensure that 'Allow Blob Anonymous Access' is set to 'Disabled'",
+ "description": '
+ The Azure Storage setting ‘Allow Blob Anonymous Access’ (aka "allowBlobPublicAccess") controls whether anonymous access is allowed for blob data in a storage account. When this property is set to True, it enables public read access to blob data, which can be convenient for sharing data but may carry security risks. When set to False, it disallows public access to blob data, providing a more secure storage environment.
+ ',
+ "rationale": 'If "Allow Blob Anonymous Access" is enabled, blobs can be accessed by adding the blob name to the URL to see the contents. An attacker can enumerate a blob using methods, such as brute force, and access them. Exfiltration of data by brute force enumeration of items from a storage account may occur if this setting is set to `Enabled`. ',
+ "impact": "Additional consideration may be required for exceptional circumstances where elements of a storage account require public accessibility. In these circumstances, it is highly recommended that all data stored in the public facing storage account be reviewed for sensitive or potentially compromising data, and that sensitive or compromising data is never stored in these storage accounts.",
+ "remediation": {
+ "text": "
+ ###### Remediate from Azure Portal
+ 1. Go to Storage Accounts.
+ 2. For each storage account, under Settings, click Configuration.
+ 3. Set Allow Blob Anonymous Access to Disabled.
+ 4. Click Save.
+ ",
+ "code": {
+ "powerShell": null,
+ "iac": null,
+ "terraform": null,
+ "other": null
+ }
+ },
+ "recommendation": null,
+ "references": [
+ "https://learn.microsoft.com/en-us/azure/storage/blobs/anonymous-read-access-prevent?tabs=portal",
+ "https://learn.microsoft.com/en-us/azure/storage/blobs/anonymous-read-access-prevent?source=recommendations&tabs=portal",
+ "https://learn.microsoft.com/en-us/azure/storage/blobs/anonymous-read-access-prevent-classic?tabs=portal"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "3.0.0",
+ "reference": "4.17",
+ "profile": "Level 1"
+ }
+ ],
+ "level": "medium",
+ "tags": [
+
+ ],
+ "rule": {
+ "path": "",
+ "subPath": null,
+ "selectCondition": {
+
+ },
+ "query": [
+ ],
+ "shouldExist": null,
+ "returnObject": null,
+ "removeIfNotExists": null
+ },
+ "output": {
+ "html": {
+ "data": {
+ "expandObject": null
+ },
+ "table": "Normal",
+ "decorate": [
+
+ ],
+ "emphasis": [
+
+ ],
+ "actions": {
+ "objectData": {
+ "properties": [
+ "properties"
+ ],
+ "expandObject": null,
+ "limit": null
+ },
+ "showGoToButton": "True",
+ "showModalButton": "True",
+ "directLink": null
+ }
+ },
+ "text": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "status": {
+ "keyName": [
+
+ ],
+ "message": "",
+ "defaultMessage": null
+ },
+ "properties": {
+ "resourceName": null,
+ "resourceId": null,
+ "resourceType": null
+ },
+ "onlyStatus": false
+ }
+ },
+ "idSuffix": "storage_accounts_allow_blob_anonymous_access_enabled",
+ "notes": [
+
+ ],
+ "categories": [
+
+ ]
+}
+
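Review bot: This file is not valid JSON: `description` and `rationale` use single-quoted strings, and `description` and `remediation.text` contain raw line breaks inside string literals, both of which an RFC 8259 parser rejects, so the rule would fail to load rather than evaluate. The same raw-newline `remediation.text` pattern is in the other new storage-account rules in this commit (cross-tenant replication, default network access rule, blob and table logging, SAS token expiration). The existing rules in this commit encode multi-line text as a single double-quoted string with `\r\n\t\t\t\t\t` escapes; the description should likewise become one double-quoted line, e.g. `"description": "The Azure Storage setting 'Allow Blob Anonymous Access' (aka \"allowBlobPublicAccess\") controls whether anonymous access is allowed for blob data in a storage account. ..."`. Separately, `rule.path` is `""`, `rule.query` is `[]` and `shouldExist` is `null`, so as written this control carries no detection logic; if that is a placeholder pending the query, an entry in `notes` saying so would keep CIS 4.17 from shipping as a silent no-op.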
diff --git a/rules/findings/Azure/Storage Account/CIS3.0/azure-storage-account-cross-tenant-replication-not-enabled.json b/rules/findings/Azure/Storage Account/CIS3.0/azure-storage-account-cross-tenant-replication-not-enabled.json
new file mode 100644
index 00000000..53faf4b0
--- /dev/null
+++ b/rules/findings/Azure/Storage Account/CIS3.0/azure-storage-account-cross-tenant-replication-not-enabled.json
@@ -0,0 +1,111 @@
+{
+ "args": [
+
+ ],
+ "provider": "Azure",
+ "serviceType": "Storage Accounts",
+ "serviceName": "Storage",
+ "displayName": "Ensure 'Cross Tenant Replication' is not enabled",
+ "description": "Cross Tenant Replication in Azure allows data to be replicated across multiple Azure tenants. While this feature can be beneficial for data sharing and availability, it also poses a significant security risk if not properly managed. Unauthorized data access, data leakage, and compliance violations are potential risks. Disabling Cross Tenant Replication ensures that data is not inadvertently replicated across different tenant boundaries without explicit authorization.",
+ "rationale": "Disabling Cross Tenant Replication minimizes the risk of unauthorized data access and ensures that data governance policies are strictly adhered to. This control is especially critical for organizations with stringent data security and privacy requirements, as it prevents the accidental sharing of sensitive information.",
+ "impact": "Disabling Cross Tenant Replication may affect data availability and sharing across different Azure tenants. Ensure that this change aligns with your organizational data sharing and availability requirements.",
+ "remediation": {
+ "text": "
+ ###### Remediate from Azure Portal
+ 1. Go to Storage Accounts.
+ 2. For each storage account, under Data management, click Object replication.
+ 3. Click Advanced settings.
+ 4. Uncheck Allow cross-tenant replication.
+ 5. Click OK.
+ ",
+ "code": {
+ "powerShell": null,
+ "iac": null,
+ "terraform": null,
+ "other": null
+ }
+ },
+ "recommendation": null,
+ "references": [
+ "https://learn.microsoft.com/en-us/azure/storage/blobs/object-replication-prevent-cross-tenant-policies?tabs=portal"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "3.0.0",
+ "reference": "4.16",
+ "profile": "Level 1"
+ }
+ ],
+ "level": "medium",
+ "tags": [
+
+ ],
+ "rule": {
+ "path": "",
+ "subPath": null,
+ "selectCondition": {
+
+ },
+ "query": [
+ ],
+ "shouldExist": null,
+ "returnObject": null,
+ "removeIfNotExists": null
+ },
+ "output": {
+ "html": {
+ "data": {
+ "expandObject": null
+ },
+ "table": "Normal",
+ "decorate": [
+
+ ],
+ "emphasis": [
+
+ ],
+ "actions": {
+ "objectData": {
+ "properties": [
+ "properties"
+ ],
+ "expandObject": null,
+ "limit": null
+ },
+ "showGoToButton": "True",
+ "showModalButton": "True",
+ "directLink": null
+ }
+ },
+ "text": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "status": {
+ "keyName": [
+
+ ],
+ "message": "",
+ "defaultMessage": null
+ },
+ "properties": {
+ "resourceName": null,
+ "resourceId": null,
+ "resourceType": null
+ },
+ "onlyStatus": false
+ }
+ },
+ "idSuffix": "storage_accounts_cross_tenant_replication_enabled",
+ "notes": [
+
+ ],
+ "categories": [
+
+ ]
+}
+
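Review bot: The file is named `...-cross-tenant-replication-not-enabled.json`, but the finding it describes — and its `idSuffix` `storage_accounts_cross_tenant_replication_enabled` — is that replication *is* enabled; the other new rules name the file after the failing condition (`...-blob-anonymous-access-enabled.json`, `...-private-endpoints-disabled.json`), so `azure-storage-account-cross-tenant-replication-enabled.json` would match the convention. This matters for anyone correlating file names to `idSuffix` values in reports. The `remediation.text` here has the same raw-newline encoding problem as the blob-anonymous-access rule, and the `rule` block is likewise empty.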
diff --git a/rules/findings/Azure/Storage Account/CIS3.0/azure-storage-account-default-network-access-rule-allow.json b/rules/findings/Azure/Storage Account/CIS3.0/azure-storage-account-default-network-access-rule-allow.json
new file mode 100644
index 00000000..0510f178
--- /dev/null
+++ b/rules/findings/Azure/Storage Account/CIS3.0/azure-storage-account-default-network-access-rule-allow.json
@@ -0,0 +1,111 @@
+{
+ "args": [
+
+ ],
+ "provider": "Azure",
+ "serviceType": "Storage Accounts",
+ "serviceName": "Storage",
+ "displayName": "Ensure Default Network Access Rule for Storage Accounts is Set to Deny",
+ "description": "Restricting default network access helps to provide a new layer of security, since storage accounts accept connections from clients on any network. To limit access to selected networks, the default action must be changed.",
+ "rationale": "Storage accounts should be configured to deny access to traffic from all networks (including internet traffic). Access can be granted to traffic from specific Azure Virtual networks, allowing a secure network boundary for specific applications to be built. Access can also be granted to public internet IP address ranges to enable connections from specific internet or on-premises clients. When network rules are configured, only applications from allowed networks can access a storage account. When calling from an allowed network, applications continue to require proper authorization (a valid access key or SAS token) to access the storage account.",
+ "impact": "All allowed networks will need to be whitelisted on each specific network, creating administrative overhead. This may result in loss of network connectivity, so do not turn on for critical resources during business hours.",
+ "remediation": {
+ "text": "
+ ###### Remediate from Azure Portal
+ 1. Go to Storage Accounts.
+ 2. For each storage account, under Security + networking, click Networking.
+ 3. Click the Firewalls and virtual networks heading.
+ 4. Set Public network access to Enabled from selected virtual networks and IP addresses.
+ 5. Add rules to allow traffic from specific networks and IP addresses.
+ 6. Click Save.
+ ",
+ "code": {
+ "powerShell": null,
+ "iac": null,
+ "terraform": null,
+ "other": null
+ }
+ },
+ "recommendation": null,
+ "references": [
+ "https://docs.microsoft.com/en-us/azure/storage/common/storage-network-security",
+ "https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-governance-strategy#gs-2-define-and-implement-enterprise-segmentationseparation-of-duties-strategy",
+ "https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-network-security#ns-2-secure-cloud-native-services-with-network-controls"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "3.0.0",
+ "reference": "4.7",
+ "profile":"Level 1"
+ }
+ ],
+ "level": "medium",
+ "tags": [
+
+ ],
+ "rule": {
+ "path": "",
+ "subPath": null,
+ "selectCondition": {
+
+ },
+ "query": [
+ ],
+ "shouldExist": null,
+ "returnObject": null,
+ "removeIfNotExists": null
+ },
+ "output": {
+ "html": {
+ "data": {
+ "expandObject": null
+ },
+ "table": "Normal",
+ "decorate": [
+
+ ],
+ "emphasis": [
+
+ ],
+ "actions": {
+ "objectData": {
+ "expandObject": null,
+ "limit": null
+ },
+ "showGoToButton": "True",
+ "showModalButton": "True",
+ "directLink": null
+ }
+ },
+ "text": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "status": {
+ "keyName": [
+
+ ],
+ "message": "",
+ "defaultMessage": null
+ },
+ "properties": {
+ "resourceName": null,
+ "resourceId": null,
+ "resourceType": null
+ },
+ "onlyStatus": false
+ }
+ },
+ "idSuffix": "storage_accounts_default_network_access_rule_allow",
+ "notes": [
+
+ ],
+ "categories": [
+
+ ]
+}
+
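Review bot: `output.html.actions.objectData` here has no `properties` array, whereas the blob-anonymous-access and cross-tenant-replication rules added in this commit carry `"properties": ["properties"]` and every renamed rule in this commit migrates `expand` to `properties`; if the renderer reads that key unconditionally, this rule (and the blob-logging, table-logging and private-endpoint rules, which omit it too) would render differently from the rest. Confirm whether the key is optional, or add `"properties": ["properties"],` above `"expandObject": null,`. Minor style: `"profile":"Level 1"` lacks the space after the colon used everywhere else in these files.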
diff --git a/rules/findings/Azure/Storage Account/CIS3.0/azure-storage-account-logging-disabled-for-blob-service.json b/rules/findings/Azure/Storage Account/CIS3.0/azure-storage-account-logging-disabled-for-blob-service.json
new file mode 100644
index 00000000..82414471
--- /dev/null
+++ b/rules/findings/Azure/Storage Account/CIS3.0/azure-storage-account-logging-disabled-for-blob-service.json
@@ -0,0 +1,112 @@
+{
+ "args": [
+
+ ],
+ "provider": "Azure",
+ "serviceType": "Storage Accounts",
+ "serviceName": "Storage",
+ "displayName": "Ensure Storage logging is Enabled for Blob Service for 'Read', 'Write', and 'Delete' requests",
+ "description": "The Storage Blob service provides scalable, cost-efficient object storage in the cloud. Storage Logging happens server-side and allows details for both successful and failed requests to be recorded in the storage account. These logs allow users to see the details of read, write, and delete operations against the blobs. Storage Logging log entries contain the following information about individual requests: timing information such as start time, end-to-end latency, and server latency; authentication details; concurrency information; and the sizes of the request and response messages.",
+ "rationale": "Storage Analytics logs contain detailed information about successful and failed requests to a storage service. This information can be used to monitor each individual request to a storage service for increased security or diagnostics. Requests are logged on a besteffort basis. Storage Analytics logging is not enabled by default for your storage account.",
+ "impact": "Being a level 2, enabling this setting can have a high impact on the cost of data storage used for logging more data per each request. Do not enable this without determining your need for this level of logging or forget to check in on data usage and projected cost.",
+ "remediation": {
+ "text": "
+ ###### Remediate from Azure Portal
+ 1. Go to Storage Accounts.
+ 2. For each storage account, under Monitoring, click Diagnostics settings.
+ 3. Select the blob tab indented below the storage account.
+ 4. To create a new diagnostic setting, click + Add diagnostic setting. To update an existing diagnostic setting, click Edit setting on the diagnostic setting.
+ 5. Check the boxes next to StorageRead, StorageWrite, and StorageDelete.
+ 6. Select an appropriate destination.
+ 7. Click Save.
+ ",
+ "code": {
+ "powerShell": null,
+ "iac": null,
+ "terraform": null,
+ "other": null
+ }
+ },
+ "recommendation": null,
+ "references": [
+ "https://docs.microsoft.com/en-us/rest/api/storageservices/about-storage-analytics-logging",
+ "https://docs.microsoft.com/en-us/cli/azure/storage/logging?view=azure-cli-latest",
+ "https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-logging-threat-detection#lt-3-enable-logging-for-security-investigation"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "3.0.0",
+ "reference": "4.13",
+ "profile": "Level 2"
+ }
+ ],
+ "level": "medium",
+ "tags": [
+
+ ],
+ "rule": {
+ "path": "",
+ "subPath": null,
+ "selectCondition": {
+
+ },
+ "query": [
+ ],
+ "shouldExist": null,
+ "returnObject": null,
+ "removeIfNotExists": null
+ },
+ "output": {
+ "html": {
+ "data": {
+ "expandObject": null
+ },
+ "table": "Normal",
+ "decorate": [
+
+ ],
+ "emphasis": [
+
+ ],
+ "actions": {
+ "objectData": {
+ "expandObject": null,
+ "limit": null
+ },
+ "showGoToButton": "True",
+ "showModalButton": "True",
+ "directLink": null
+ }
+ },
+ "text": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "status": {
+ "keyName": [
+
+ ],
+ "message": "",
+ "defaultMessage": null
+ },
+ "properties": {
+ "resourceName": null,
+ "resourceId": null,
+ "resourceType": null
+ },
+ "onlyStatus": false
+ }
+ },
+ "idSuffix": "storage_accounts_logging_disabled_for_blob",
+ "notes": [
+
+ ],
+ "categories": [
+
+ ]
+}
+
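Review bot: `rationale` reads `Requests are logged on a besteffort basis`, a dropped hyphen (`best-effort`) that looks like a copy from the benchmark PDF; the table-service rule in this commit carries the same typo. `impact` says `Do not enable this without determining your need for this level of logging or forget to check in on data usage`, which reads as a double negative — `... and do not forget to check in on data usage and projected cost.` is what is meant. The rest of the file shares the raw-newline `remediation.text` and empty `rule` block already noted on the blob-anonymous-access rule.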
diff --git a/rules/findings/Azure/Storage Account/CIS3.0/azure-storage-account-logging-disabled-for-table-service.json b/rules/findings/Azure/Storage Account/CIS3.0/azure-storage-account-logging-disabled-for-table-service.json
new file mode 100644
index 00000000..a104747c
--- /dev/null
+++ b/rules/findings/Azure/Storage Account/CIS3.0/azure-storage-account-logging-disabled-for-table-service.json
@@ -0,0 +1,112 @@
+{
+ "args": [
+
+ ],
+ "provider": "Azure",
+ "serviceType": "Storage Accounts",
+ "serviceName": "Storage",
+ "displayName": "Ensure Storage Logging is Enabled for Table Service for 'Read', 'Write', and 'Delete' Requests",
+ "description": "Azure Table storage is a service that stores structured NoSQL data in the cloud, providing a key/attribute store with a schema-less design. Storage Logging happens server-side and allows details for both successful and failed requests to be recorded in the storage account. These logs allow users to see the details of read, write, and delete operations against the tables. Storage Logging log entries contain the following information about individual requests: timing information such as start time, end-to-end latency, and server latency; authentication details; concurrency information; and the sizes of the request and response messages.",
+ "rationale": "Storage Analytics logs contain detailed information about successful and failed requests to a storage service. This information can be used to monitor each individual request to a storage service for increased security or diagnostics. Requests are logged on a besteffort basis. Storage Analytics logging is not enabled by default for your storage account.",
+ "impact": "Being a level 2, enabling this setting can have a high impact on the cost of data storage used for logging more data per each request. Do not enable this without determining your need for this level of logging or forget to check in on data usage and projected cost.",
+ "remediation": {
+ "text": "
+ ###### Remediate from Azure Portal
+ 1. Go to Storage Accounts.
+ 2. For each storage account, under Monitoring, click Diagnostics settings.
+ 3. Select the table tab indented below the storage account.
+ 4. To create a new diagnostic setting, click + Add diagnostic setting. To update an existing diagnostic setting, click Edit setting on the diagnostic setting.
+ 5. Check the boxes next to StorageRead, StorageWrite, and StorageDelete.
+ 6. Select an appropriate destination.
+ 7. Click Save.
+ ",
+ "code": {
+ "powerShell": null,
+ "iac": null,
+ "terraform": null,
+ "other": null
+ }
+ },
+ "recommendation": null,
+ "references": [
+ "https://docs.microsoft.com/en-us/rest/api/storageservices/about-storage-analytics-logging",
+ "https://docs.microsoft.com/en-us/cli/azure/storage/logging?view=azure-cli-latest",
+ "https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-logging-threat-detection#lt-3-enable-logging-for-security-investigation"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "3.0.0",
+ "reference": "4.14",
+ "profile": "Level 2"
+ }
+ ],
+ "level": "medium",
+ "tags": [
+
+ ],
+ "rule": {
+ "path": "",
+ "subPath": null,
+ "selectCondition": {
+
+ },
+ "query": [
+ ],
+ "shouldExist": null,
+ "returnObject": null,
+ "removeIfNotExists": null
+ },
+ "output": {
+ "html": {
+ "data": {
+ "expandObject": null
+ },
+ "table": "Normal",
+ "decorate": [
+
+ ],
+ "emphasis": [
+
+ ],
+ "actions": {
+ "objectData": {
+ "expandObject": null,
+ "limit": null
+ },
+ "showGoToButton": "True",
+ "showModalButton": "True",
+ "directLink": null
+ }
+ },
+ "text": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "status": {
+ "keyName": [
+
+ ],
+ "message": "",
+ "defaultMessage": null
+ },
+ "properties": {
+ "resourceName": null,
+ "resourceId": null,
+ "resourceType": null
+ },
+ "onlyStatus": false
+ }
+ },
+ "idSuffix": "storage_accounts_logging_disabled_for_table_service",
+ "notes": [
+
+ ],
+ "categories": [
+
+ ]
+}
+
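Review bot: `idSuffix` is `storage_accounts_logging_disabled_for_table_service` while the blob counterpart added in this commit is `storage_accounts_logging_disabled_for_blob`; the two sibling controls (CIS 4.13 and 4.14) should follow one naming pattern, e.g. `storage_accounts_logging_disabled_for_table`, since `idSuffix` values are presumably used as stable finding identifiers downstream. Otherwise this file mirrors the blob-service rule, including the `besteffort` typo in `rationale` and the raw-newline `remediation.text`.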
diff --git a/rules/findings/Azure/Storage Account/CIS3.0/azure-storage-account-private-endpoints-disabled.json b/rules/findings/Azure/Storage Account/CIS3.0/azure-storage-account-private-endpoints-disabled.json
new file mode 100644
index 00000000..6e1bf55f
--- /dev/null
+++ b/rules/findings/Azure/Storage Account/CIS3.0/azure-storage-account-private-endpoints-disabled.json
@@ -0,0 +1,107 @@
+{
+ "args": [
+
+ ],
+ "provider": "Azure",
+ "serviceType": "Storage Accounts",
+ "serviceName": "Storage",
+ "displayName": "Ensure Private Endpoints are used to access Storage Accounts",
+ "description": "Use private endpoints for your Azure Storage accounts to allow clients and services to securely access data located over a network via an encrypted Private Link. To do this, the private endpoint uses an IP address from the VNet for each service. Network traffic between disparate services securely traverses encrypted over the VNet. This VNet can also link addressing space, extending your network and accessing resources on it. Similarly, it can be a tunnel through public networks to connect remote infrastructures together. This creates further security through segmenting network traffic and preventing outside sources from accessing it.",
+ "rationale": "Securing traffic between services through encryption protects the data from easy interception and reading.",
+ "impact": "A Private Endpoint costs approximately US$7.30 per month. If an Azure Virtual Network is not implemented correctly, this may result in the loss of critical network traffic.",
+ "remediation": {
+ "text": "",
+ "code": {
+ "powerShell": null,
+ "iac": null,
+ "terraform": null,
+ "other": null
+ }
+ },
+ "recommendation": null,
+ "references": [
+ "https://docs.microsoft.com/en-us/azure/storage/common/storage-private-endpoints",
+ "https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-overview",
+ "https://docs.microsoft.com/en-us/azure/private-link/create-private-endpoint-portal",
+ "https://docs.microsoft.com/en-us/azure/private-link/create-private-endpoint-cli?tabs=dynamic-ip",
+ "https://docs.microsoft.com/en-us/azure/private-link/create-private-endpoint-powershell?tabs=dynamic-ip",
+ "https://docs.microsoft.com/en-us/azure/private-link/tutorial-private-endpoint-storage-portal",
+ "https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-network-security#ns-2-secure-cloud-native-services-with-network-controls"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "3.0.0",
+ "reference": "4.9",
+ "profile": "Level 2"
+ }
+ ],
+ "level": "medium",
+ "tags": [
+
+ ],
+ "rule": {
+ "path": "",
+ "subPath": null,
+ "selectCondition": {
+
+ },
+ "query": [
+ ],
+ "shouldExist": null,
+ "returnObject": null,
+ "removeIfNotExists": null
+ },
+ "output": {
+ "html": {
+ "data": {
+ "expandObject": null
+ },
+ "table": "Normal",
+ "decorate": [
+
+ ],
+ "emphasis": [
+
+ ],
+ "actions": {
+ "objectData": {
+ "expandObject": null,
+ "limit": null
+ },
+ "showGoToButton": "True",
+ "showModalButton": "True",
+ "directLink": null
+ }
+ },
+ "text": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "status": {
+ "keyName": [
+
+ ],
+ "message": "",
+ "defaultMessage": null
+ },
+ "properties": {
+ "resourceName": null,
+ "resourceId": null,
+ "resourceType": null
+ },
+ "onlyStatus": false
+ }
+ },
+ "idSuffix": "storage_accounts_private_endpoints_disabled",
+ "notes": [
+
+ ],
+ "categories": [
+
+ ]
+}
+
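Review bot: `remediation.text` is `""` for a rule whose `references` list portal, CLI and PowerShell guides for creating a private endpoint, so the finding would render with no remediation guidance; either add the portal steps in the same `###### Remediate from Azure Portal` format as the other new rules, or use `null` like the `code` sub-fields so consumers can tell "not written" from an intentionally empty string. The `impact` hard-codes a monthly price (`US$7.30`) that will drift; pointing readers to the pricing page instead keeps the text accurate. `rule` is empty here as in the other new storage-account rules.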
diff --git a/rules/findings/Azure/Storage Account/CIS3.0/azure-storage-account-shared-access-signature-tokens-expiration.json b/rules/findings/Azure/Storage Account/CIS3.0/azure-storage-account-shared-access-signature-tokens-expiration.json
new file mode 100644
index 00000000..bcef86b7
--- /dev/null
+++ b/rules/findings/Azure/Storage Account/CIS3.0/azure-storage-account-shared-access-signature-tokens-expiration.json
@@ -0,0 +1,111 @@
+{
+ "args": [
+
+ ],
+ "provider": "Azure",
+ "serviceType": "Storage Accounts",
+ "serviceName": "Storage",
+ "displayName": "Ensure that Shared Access Signature Tokens Expire Within an Hour",
+ "description": "Expire shared access signature tokens within an hour.",
+ "rationale": "A shared access signature (SAS) is a URI that grants restricted access rights to Azure Storage resources. A shared access signature can be provided to clients who should not be trusted with the storage account key but for whom it may be necessary to delegate access to certain storage account resources. Providing a shared access signature URI to these clients allows them access to a resource for a specified period of time. This time should be set as low as possible and preferably no longer than an hour.",
+ "impact": "",
+ "remediation": {
+ "text": "
+ When generating shared access signature tokens, use start and end time such that it falls within an hour.
+
+ ###### Remediate from Azure Portal
+ 1. Go to Storage Accounts
+ 2. For each storage account where a shared access signature is required, under Security + networking, go to Shared access signature
+ 3. Select the appropriate Allowed resource types
+ 4. Set the Start and expiry date/time to be within one hour
+ 5. Click Generate SAS and connection string
+ ",
+ "code": {
+ "powerShell": null,
+ "iac": null,
+ "terraform": null,
+ "other": null
+ }
+ },
+ "recommendation": null,
+ "references": [
+ "https://docs.microsoft.com/en-us/rest/api/storageservices/delegating-access-with-a-shared-access-signature",
+ "https://docs.microsoft.com/en-us/azure/storage/common/storage-sas-overview"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "3.0.0",
+ "reference": "4.5",
+ "profile": "Level 1"
+ }
+ ],
+ "level": "medium",
+ "tags": [
+
+ ],
+ "rule": {
+ "path": "",
+ "subPath": null,
+ "selectCondition": {
+
+ },
+ "query": [
+ ],
+ "shouldExist": null,
+ "returnObject": null,
+ "removeIfNotExists": null
+ },
+ "output": {
+ "html": {
+ "data": {
+ "expandObject": null
+ },
+ "table": "Normal",
+ "decorate": [
+
+ ],
+ "emphasis": [
+
+ ],
+ "actions": {
+ "objectData": {
+ "expandObject": null,
+ "limit": null
+ },
+ "showGoToButton": "True",
+ "showModalButton": "True",
+ "directLink": null
+ }
+ },
+ "text": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "status": {
+ "keyName": [
+
+ ],
+ "message": "",
+ "defaultMessage": null
+ },
+ "properties": {
+ "resourceName": null,
+ "resourceId": null,
+ "resourceType": null
+ },
+ "onlyStatus": false
+ }
+ },
+ "idSuffix": "storage_accounts_shared_access_signature_expiration",
+ "notes": [
+
+ ],
+ "categories": [
+
+ ]
+}
+
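Review bot: The `remediation.text` value in this new file is a JSON string that runs across raw line breaks (from `"text": "` down to the closing `",`), which RFC 8259 does not allow — control characters inside a string must be escaped — so `jq`, `python -m json.tool` and any strict loader reject the file even if the project's own reader happens to be lenient; the same construct is in the new azure-storage-accounts-public-network-access-enabled.json, azure-storage-accounts-queue-storage-logging-disabled.json and azure-storage-accounts-soft-delete-for-containers-and-blob-disabled.json files, and in the rewritten `description` of azure-storage-accounts-trusted-ms-services-bypass.json. The renamed rules in this same commit keep multi-line remediation text as one escaped string (`"###### From Azure Console\r\n\t\t\t\t\t1. Go to ...`), so the new files should follow that form, e.g. `"text": "When generating shared access signature tokens, use start and end time such that it falls within an hour.\n\n###### Remediate from Azure Portal\n1. Go to Storage Accounts\n2. ..."` with the remaining steps joined by `\n` the same way. Two smaller consistency points in the same file: `"impact": ""` where the sibling rules use `null` for an absent impact, and a `rule` block with `"path": ""` and an empty `query`, which as written evaluates nothing — if this is intentionally a manual check, a one-line entry in `notes` saying so would stop the next reader from treating the rule as broken.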
diff --git a/rules/findings/Azure/Storage Accounts/CIS1.4/azure-storage-accounts-key-rotation-disabled.json b/rules/findings/Azure/Storage Account/CIS3.0/azure-storage-accounts-access-key-rotation-disabled.json
similarity index 95%
rename from rules/findings/Azure/Storage Accounts/CIS1.4/azure-storage-accounts-key-rotation-disabled.json
rename to rules/findings/Azure/Storage Account/CIS3.0/azure-storage-accounts-access-key-rotation-disabled.json
index e6a1e5e8..76963582 100644
--- a/rules/findings/Azure/Storage Accounts/CIS1.4/azure-storage-accounts-key-rotation-disabled.json
+++ b/rules/findings/Azure/Storage Account/CIS3.0/azure-storage-accounts-access-key-rotation-disabled.json
@@ -1,4 +1,4 @@
-{
+{
"args": [
],
@@ -29,8 +29,9 @@
"compliance": [
{
"name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "3.2"
+ "version": "3.0.0",
+ "reference": "4.4",
+ "profile": "Level 2"
}
],
"level": "medium",
@@ -89,16 +90,18 @@
],
"actions": {
"objectData": {
- "expand": [
+ "properties": [
"name",
"location",
"ResourceGroupName",
"keyRotation"
],
+ "expandObject": null,
"limit": null
},
"showGoToButton": "True",
- "showModalButton": "True"
+ "showModalButton": "True",
+ "directLink": null
}
},
"text": {
@@ -131,3 +134,4 @@
]
}
+
diff --git a/rules/findings/Azure/Storage Accounts/CIS1.5/azure-storage-accounts-infrastructure-encryption-disabled.json b/rules/findings/Azure/Storage Account/CIS3.0/azure-storage-accounts-infrastructure-encryption-disabled.json
similarity index 89%
rename from rules/findings/Azure/Storage Accounts/CIS1.5/azure-storage-accounts-infrastructure-encryption-disabled.json
rename to rules/findings/Azure/Storage Account/CIS3.0/azure-storage-accounts-infrastructure-encryption-disabled.json
index a4e54e5f..5347149b 100644
--- a/rules/findings/Azure/Storage Accounts/CIS1.5/azure-storage-accounts-infrastructure-encryption-disabled.json
+++ b/rules/findings/Azure/Storage Account/CIS3.0/azure-storage-accounts-infrastructure-encryption-disabled.json
@@ -1,12 +1,12 @@
-{
+{
"args": [
],
"provider": "Azure",
"serviceType": "Storage Accounts",
"serviceName": "Storage",
- "displayName": "Ensure that \u0027Enable Infrastructure Encryption\u0027 for Each Storage Account in Azure Storage is Set to \u0027enabled\u0027",
- "description": "Enabling double encryption at the hardware level on top of the default software encryption for Storage Accounts accessing Azure storage solutions.",
+ "displayName": "Ensure that 'Enable Infrastructure Encryption' for Each Storage Account in Azure Storage is Set to 'enabled'",
+ "description": "Enabling encryption at the hardware level on top of the default software encryption for Storage Accounts accessing Azure storage solutions.",
"rationale": "Azure Storage automatically encrypts all data in a storage account at the network level using 256-bit AES encryption, which is one of the strongest, FIPS 140-2-compliant block ciphers available. Customers who require higher levels of assurance that their data is secure can also enable 256-bit AES encryption at the Azure Storage infrastructure level for double encryption. Double encryption of Azure Storage data protects against a scenario where one of the encryption algorithms or keys may be compromised. Similarly, data is encrypted even before network transmission and in all backups. In this scenario, the additional layer of encryption continues to protect your data. For the most secure implementation of key based encryption, it is recommended to use a Customer Managed asymmetric RSA 2048 Key in Azure Key Vault.",
"impact": "The read and write speeds to the storage will be impacted if both default encryption and Infrastructure Encryption are checked, as a secondary form of encryption requires more resource overhead for the cryptography of information. This performance impact should be considered in an analysis for justifying use of the feature in your environment. Customer-managed keys are recommended for the most secure implementation, leading to overhead of key management. The key will also need to be backed up in a secure location, as loss of the key will mean loss of the information in the storage.",
"remediation": {
@@ -27,8 +27,9 @@
"compliance": [
{
"name": "CIS Microsoft Azure Foundations",
- "version": "1.5.0",
- "reference": "3.2"
+ "version": "3.0.0",
+ "reference": "4.2",
+ "profile":"Level 2"
}
],
"level": "medium",
@@ -80,16 +81,18 @@
],
"actions": {
"objectData": {
- "expand": [
+ "properties": [
"name",
"location",
"ResourceGroupName",
"requireInfrastructureEncryption"
],
+ "expandObject": null,
"limit": null
},
"showGoToButton": "True",
- "showModalButton": "True"
+ "showModalButton": "True",
+ "directLink": null
}
},
"text": {
@@ -122,3 +125,4 @@
]
}
+
diff --git a/rules/findings/Azure/Storage Accounts/CIS1.5/azure-storage-accounts-key-rotation-reminder-disabled.json b/rules/findings/Azure/Storage Account/CIS3.0/azure-storage-accounts-key-rotation-reminder-disabled.json
similarity index 93%
rename from rules/findings/Azure/Storage Accounts/CIS1.5/azure-storage-accounts-key-rotation-reminder-disabled.json
rename to rules/findings/Azure/Storage Account/CIS3.0/azure-storage-accounts-key-rotation-reminder-disabled.json
index f5dce736..368ff1e8 100644
--- a/rules/findings/Azure/Storage Accounts/CIS1.5/azure-storage-accounts-key-rotation-reminder-disabled.json
+++ b/rules/findings/Azure/Storage Account/CIS3.0/azure-storage-accounts-key-rotation-reminder-disabled.json
@@ -1,11 +1,11 @@
-{
+{
"args": [
],
"provider": "Azure",
"serviceType": "Storage Accounts",
"serviceName": "Storage",
- "displayName": "Ensure that \u0027Enable key rotation reminders\u0027 is enabled for each Storage Account",
+ "displayName": "Ensure that 'Enable key rotation reminders' is enabled for each Storage Account",
"description": "Access Keys authenticate application access requests to data contained in Storage Accounts. A periodic rotation of these keys is recommended to ensure that potentially compromised keys cannot result in a long-term exploitable credential. The \"Rotation Reminder\" is an automatic reminder feature for a manual procedure.",
"rationale": "Reminders such as those generated by this recommendation will help maintain a regular and healthy cadence for activities which improve the overall efficacy of a security program.Cryptographic key rotation periods will vary depending on your organization\u0027s security requirements and the type of data which is being stored in the Storage Account. For example, PCI DSS mandates that cryptographic keys be replaced or rotated `regularly`, and advises that keys for static data stores be rotated every `few months`. For the purposes of this recommendation, 90 days will prescribed for the reminder. Review and adjustment of the 90 day period is recommended, and may even be necessary. Your organization\u0027s security requirements should dictate the appropriate setting.",
"impact": "This recommendation only creates a periodic reminder to regenerate access keys. Regenerating access keys can affect services in Azure as well as the organization\u0027s applications that are dependent on the storage account. All clients that use the access key to access the storage account must be updated to use the new key.",
@@ -27,8 +27,9 @@
"compliance": [
{
"name": "CIS Microsoft Azure Foundations",
- "version": "1.5.0",
- "reference": "3.3"
+ "version": "3.0.0",
+ "reference": "4.3",
+ "profile": "Level 2"
}
],
"level": "medium",
@@ -80,16 +81,18 @@
],
"actions": {
"objectData": {
- "expand": [
+ "properties": [
"name",
"location",
"ResourceGroupName",
"properties.keyPolicy.keyExpirationPeriodInDays"
],
+ "expandObject": null,
"limit": null
},
"showGoToButton": "True",
- "showModalButton": "True"
+ "showModalButton": "True",
+ "directLink": null
}
},
"text": {
@@ -122,3 +125,4 @@
]
}
+
diff --git a/rules/findings/Azure/Storage Accounts/CIS1.4/azure-storage-accounts-lack-cmk.json b/rules/findings/Azure/Storage Account/CIS3.0/azure-storage-accounts-lack-cmk.json
similarity index 95%
rename from rules/findings/Azure/Storage Accounts/CIS1.4/azure-storage-accounts-lack-cmk.json
rename to rules/findings/Azure/Storage Account/CIS3.0/azure-storage-accounts-lack-cmk.json
index a84da92f..b8eba3ea 100644
--- a/rules/findings/Azure/Storage Accounts/CIS1.4/azure-storage-accounts-lack-cmk.json
+++ b/rules/findings/Azure/Storage Account/CIS3.0/azure-storage-accounts-lack-cmk.json
@@ -1,4 +1,4 @@
-{
+{
"args": [
],
@@ -28,8 +28,9 @@
"compliance": [
{
"name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "3.9"
+ "version": "3.0.0",
+ "reference": "4.11",
+ "profile": "Level 2"
}
],
"level": "medium",
@@ -81,16 +82,18 @@
],
"actions": {
"objectData": {
- "expand": [
+ "properties": [
"name",
"location",
"ResourceGroupName",
"usingOwnKey"
],
+ "expandObject": null,
"limit": null
},
"showGoToButton": "True",
- "showModalButton": "True"
+ "showModalButton": "True",
+ "directLink": null
}
},
"text": {
@@ -123,3 +126,4 @@
]
}
+
diff --git a/rules/findings/Azure/Storage Accounts/CIS1.4/azure-storage-accounts-minimum-tls-disabled.json b/rules/findings/Azure/Storage Account/CIS3.0/azure-storage-accounts-minimum-tls-not-configured.json
similarity index 83%
rename from rules/findings/Azure/Storage Accounts/CIS1.4/azure-storage-accounts-minimum-tls-disabled.json
rename to rules/findings/Azure/Storage Account/CIS3.0/azure-storage-accounts-minimum-tls-not-configured.json
index 786f1f94..e8c6a15b 100644
--- a/rules/findings/Azure/Storage Accounts/CIS1.4/azure-storage-accounts-minimum-tls-disabled.json
+++ b/rules/findings/Azure/Storage Account/CIS3.0/azure-storage-accounts-minimum-tls-not-configured.json
@@ -1,12 +1,12 @@
-{
+{
"args": [
],
"provider": "Azure",
"serviceType": "Storage Accounts",
"serviceName": "Storage",
- "displayName": "Ensure the Minimum TLS version is set to 1.2",
- "description": "Azure Storage sets the minimum TLS version to be version 1.0 by default. TLS 1.0 is a legacy version and has known vulnerabilities. This minimum TLS version can be configured to be later protocols such as TLS 1.2.",
+ "displayName": "Ensure the 'Minimum TLS version' for storage accounts is set to 'Version 1.2'",
+ "description": "In some cases, Azure Storage sets the minimum TLS version to be version 1.0 by default. TLS 1.0 is a legacy version and has known vulnerabilities. This minimum TLS version can be configured to be later protocols such as TLS 1.2.",
"rationale": "TLS 1.0 has known vulnerabilities and has been replaced by later versions of the TLS protocol. Continued use of this legacy protocol affects the security of data in transit.",
"impact": "When set to TLS 1.2 all requests must leverage this version of the protocol. Applications leveraging legacy versions of the protocol will fail.",
"remediation": {
@@ -30,8 +30,9 @@
"compliance": [
{
"name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "3.12"
+ "version": "3.0.0",
+ "reference": "4.15",
+ "profile": "Level 2"
}
],
"level": "medium",
@@ -83,13 +84,15 @@
],
"actions": {
"objectData": {
- "expand": [
+ "properties": [
"properties"
],
+ "expandObject": null,
"limit": null
},
"showGoToButton": "True",
- "showModalButton": "True"
+ "showModalButton": "True",
+ "directLink": null
}
},
"text": {
@@ -114,7 +117,7 @@
"onlyStatus": false
}
},
- "idSuffix": "storage_accounts_minimum_tls_version_disabled",
+ "idSuffix": "storage_accounts_minimum_tls_version_not_configured",
"notes": [
],
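Review bot: Changing `idSuffix` from `storage_accounts_minimum_tls_version_disabled` to `storage_accounts_minimum_tls_version_not_configured` changes the finding's identifier, so anything that keys on the old value (suppressions, baselines, diffed reports) will presumably stop matching; the same applies to the rename to `storage_accounts_secure_transfer_disabled` in azure-storage-accounts-secure-transfer-disabled.json. If finding ids are meant to stay stable across benchmark versions, keep the old suffix; otherwise record the old-to-new mapping in the rule's `notes` array or the changelog so consumers can migrate. The enclosing file continues outside this hunk.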
@@ -122,3 +125,4 @@
]
}
+
diff --git a/rules/findings/Azure/Storage Account/CIS3.0/azure-storage-accounts-public-network-access-enabled.json b/rules/findings/Azure/Storage Account/CIS3.0/azure-storage-accounts-public-network-access-enabled.json
new file mode 100644
index 00000000..4c4b7619
--- /dev/null
+++ b/rules/findings/Azure/Storage Account/CIS3.0/azure-storage-accounts-public-network-access-enabled.json
@@ -0,0 +1,112 @@
+{
+ "args": [
+
+ ],
+ "provider": "Azure",
+ "serviceType": "Storage Accounts",
+ "serviceName": "Storage",
+ "displayName": "Ensure that 'Public Network Access' is 'Disabled' for storage accounts",
+ "description": "Disallowing public network access for a storage account overrides the public access settings for individual containers in that storage account for Azure Resource Manager Deployment Model storage accounts. Azure Storage accounts that use the classic deployment model will be retired on August 31, 2024.",
+ "rationale": "The default network configuration for a storage account permits a user with appropriate permissions to configure public network access to containers and blobs in a storage account. Keep in mind that public access to a container is always turned off by default and must be explicitly configured to permit anonymous requests. It grants read-only access to these resources without sharing the account key, and without requiring a shared access signature. It is recommended not to provide public network access to storage accounts until, and unless, it is strongly desired. A shared access signature token or Azure AD RBAC should be used for providing controlled and timed access to blob containers.",
+ "impact": "Access will have to be managed using shared access signatures or via Azure AD RBAC.",
+ "remediation": {
+ "text": "
+ ###### Remediate from Azure Portal
+ First, follow Microsoft documentation and create shared access signature tokens for your blob containers. Then,
+ 1. Go to Storage Accounts.
+ 2. For each storage account, under the Security + networking section, click Networking.
+ 3. Set Public network access to Disabled.
+ 4. Click Save.
+ ",
+ "code": {
+ "powerShell": null,
+ "iac": null,
+ "terraform": null,
+ "other": null
+ }
+ },
+ "recommendation": null,
+ "references": [
+ "https://docs.microsoft.com/en-us/azure/storage/blobs/storage-manage-access-to-resources",
+ "https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-governance-strategy#gs-2-define-and-implement-enterprise-segmentationseparation-of-duties-strategy",
+ "https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-network-security#ns-2-secure-cloud-native-services-with-network-controls",
+ "https://docs.microsoft.com/en-us/azure/storage/blobs/assign-azure-role-data-access",
+ "https://learn.microsoft.com/en-us/azure/storage/common/storage-network-security?tabs=azure-portal"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "3.0.0",
+ "reference": "4.6",
+ "profile":"Level 1"
+ }
+ ],
+ "level": "medium",
+ "tags": [
+
+ ],
+ "rule": {
+ "path": "",
+ "subPath": null,
+ "selectCondition": {
+
+ },
+ "query": [
+ ],
+ "shouldExist": null,
+ "returnObject": null,
+ "removeIfNotExists": null
+ },
+ "output": {
+ "html": {
+ "data": {
+ "expandObject": null
+ },
+ "table": "Normal",
+ "decorate": [
+
+ ],
+ "emphasis": [
+
+ ],
+ "actions": {
+ "objectData": {
+ "expandObject": null,
+ "limit": null
+ },
+ "showGoToButton": "True",
+ "showModalButton": "True",
+ "directLink": null
+ }
+ },
+ "text": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "status": {
+ "keyName": [
+
+ ],
+ "message": "",
+ "defaultMessage": null
+ },
+ "properties": {
+ "resourceName": null,
+ "resourceId": null,
+ "resourceType": null
+ },
+ "onlyStatus": false
+ }
+ },
+ "idSuffix": "storage_accounts_public_network_access_enabled",
+ "notes": [
+
+ ],
+ "categories": [
+
+ ]
+}
+
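Review bot: `"profile":"Level 1"` in this file's compliance entry drops the space after the colon that every other key in the file and the sibling entries (`"profile": "Level 2"` in azure-storage-accounts-access-key-rotation-disabled.json) use; the same slip is in azure-storage-accounts-infrastructure-encryption-disabled.json and azure-storage-accounts-secure-transfer-disabled.json. Write it as `"profile": "Level 1"` so formatters and future diffs stay quiet. A pre-existing style point carried into the new files: `showGoToButton` and `showModalButton` hold the string `"True"` while `onlyStatus` in the same `output` block is the boolean `false`; if the loader tests these with a truthiness check, the string `"False"` would also read as enabled, so a real boolean would be safer — presumably the existing loader expects the string form, so confirm before changing it.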
diff --git a/rules/findings/Azure/Storage Account/CIS3.0/azure-storage-accounts-queue-storage-logging-disabled.json b/rules/findings/Azure/Storage Account/CIS3.0/azure-storage-accounts-queue-storage-logging-disabled.json
new file mode 100644
index 00000000..f89a5cb4
--- /dev/null
+++ b/rules/findings/Azure/Storage Account/CIS3.0/azure-storage-accounts-queue-storage-logging-disabled.json
@@ -0,0 +1,113 @@
+{
+ "args": [
+
+ ],
+ "provider": "Azure",
+ "serviceType": "Storage Accounts",
+ "serviceName": "Storage",
+ "displayName": "Ensure Storage Logging is Enabled for Queue Service for 'Read', 'Write', and 'Delete' requests",
+ "description": "The Storage Queue service stores messages that may be read by any client who has access to the storage account. A queue can contain an unlimited number of messages, each of which can be up to 64KB in size using version 2011-08-18 or newer. Storage Logging happens server-side and allows details for both successful and failed requests to be recorded in the storage account. These logs allow users to see the details of read, write, and delete operations against the queues. Storage Logging log entries contain the following information about individual requests: Timing information such as start time, end-to-end latency, and server latency, authentication details, concurrency information, and the sizes of the request and response messages.",
+ "rationale": "Storage Analytics logs contain detailed information about successful and failed requests to a storage service. This information can be used to monitor individual requests and to diagnose issues with a storage service. Requests are logged on a best-effort basis. Storage Analytics logging is not enabled by default for your storage account.",
+ "impact": "Enabling this setting can have a high impact on the cost of the log analytics service and data storage used by logging more data per each request. Do not enable this without determining your need for this level of logging, and do not forget to check in on data usage and projected cost. Some users have seen their logging costs increase from $10 per month to $10,000 per month.",
+ "remediation": {
+ "text": "
+ ###### Remediate from Azure Portal
+ 1. Go to Storage Accounts.
+ 2. For each storage account, under Monitoring, click Diagnostics settings.
+ 3. Select the queue tab indented below the storage account.
+ 4. To create a new diagnostic setting, click + Add diagnostic setting. To update an existing diagnostic setting, click Edit setting on the diagnostic setting.
+ 5. Check the boxes next to StorageRead, StorageWrite, and StorageDelete.
+ 6. Select an appropriate destination.
+ 7. Click Save.
+ ",
+ "code": {
+ "powerShell": null,
+ "iac": null,
+ "terraform": null,
+ "other": null
+ }
+ },
+ "recommendation": null,
+ "references": [
+ "https://docs.microsoft.com/en-us/rest/api/storageservices/about-storage-analytics-logging",
+ "https://docs.microsoft.com/en-us/cli/azure/storage/logging?view=azure-cli-latest",
+ "https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-logging-threat-detection#lt-4-enable-network-logging-for-security-investigation",
+ "https://docs.microsoft.com/en-us/azure/storage/queues/monitor-queue-storage?tabs=azure-portal"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "3.0.0",
+ "reference": "4.12",
+ "profile": "Level 2"
+ }
+ ],
+ "level": "medium",
+ "tags": [
+
+ ],
+ "rule": {
+ "path": "",
+ "subPath": null,
+ "selectCondition": {
+
+ },
+ "query": [
+ ],
+ "shouldExist": null,
+ "returnObject": null,
+ "removeIfNotExists": null
+ },
+ "output": {
+ "html": {
+ "data": {
+ "expandObject": null
+ },
+ "table": "Normal",
+ "decorate": [
+
+ ],
+ "emphasis": [
+
+ ],
+ "actions": {
+ "objectData": {
+ "expandObject": null,
+ "limit": null
+ },
+ "showGoToButton": "True",
+ "showModalButton": "True",
+ "directLink": null
+ }
+ },
+ "text": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "status": {
+ "keyName": [
+
+ ],
+ "message": "",
+ "defaultMessage": null
+ },
+ "properties": {
+ "resourceName": null,
+ "resourceId": null,
+ "resourceType": null
+ },
+ "onlyStatus": false
+ }
+ },
+ "idSuffix": "storage_accounts_logging_disabled_for_queue",
+ "notes": [
+
+ ],
+ "categories": [
+
+ ]
+}
+
diff --git a/rules/findings/Azure/Storage Accounts/CIS1.4/azure-storage-accounts-https-traffic-enabled.json b/rules/findings/Azure/Storage Account/CIS3.0/azure-storage-accounts-secure-transfer-disabled.json
similarity index 84%
rename from rules/findings/Azure/Storage Accounts/CIS1.4/azure-storage-accounts-https-traffic-enabled.json
rename to rules/findings/Azure/Storage Account/CIS3.0/azure-storage-accounts-secure-transfer-disabled.json
index ffde915c..5bab320e 100644
--- a/rules/findings/Azure/Storage Accounts/CIS1.4/azure-storage-accounts-https-traffic-enabled.json
+++ b/rules/findings/Azure/Storage Account/CIS3.0/azure-storage-accounts-secure-transfer-disabled.json
@@ -1,12 +1,12 @@
-{
+{
"args": [
],
"provider": "Azure",
"serviceType": "Storage Accounts",
"serviceName": "Storage",
- "displayName": "Enable the Secure transfer option",
- "description": "Consider to enable the Secure transfer option in all storage accounts. The Secure transfer option enhances the security of storage accounts by only allowing requests to the accounts from secure connections. By default, the Secure transfer option is disabled when the storage account is created with SDK. This option is enabled by default when the storage account is created in Azure Portal.",
+ "displayName": "Ensure that 'Secure transfer required' is set to 'Enabled'",
+ "description": "Enable data encryption in transit.",
"rationale": "The secure transfer option enhances the security of a storage account by only allowing requests to the storage account by a secure connection. For example, when calling REST APIs to access storage accounts, the connection must use HTTPS. Any requests using HTTP will be rejected when \u0027secure transfer required\u0027 is enabled. When using the Azure files service, connection without encryption will fail, including scenarios using SMB 2.1, SMB 3.0 without encryption, and some flavors of the Linux SMB client. Because Azure storage does not support HTTPS for custom domain names, this option is not applied when using a custom domain name.",
"impact": null,
"remediation": {
@@ -30,8 +30,9 @@
"compliance": [
{
"name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "3.1"
+ "version": "3.0.0",
+ "reference": "4.1",
+ "profile":"Level 1"
}
],
"level": "medium",
@@ -83,17 +84,19 @@
],
"actions": {
"objectData": {
- "expand": [
+ "properties": [
"name",
"location",
"ResourceGroupName",
"CreationTime",
"supportsHttpsTrafficOnly"
],
+ "expandObject": null,
"limit": null
},
"showGoToButton": "True",
- "showModalButton": "True"
+ "showModalButton": "True",
+ "directLink": null
}
},
"text": {
@@ -118,7 +121,7 @@
"onlyStatus": false
}
},
- "idSuffix": "storage_accounts_https_traffic_disabled",
+ "idSuffix": "storage_accounts_secure_transfer_disabled",
"notes": [
],
@@ -126,3 +129,4 @@
]
}
+
diff --git a/rules/findings/Azure/Storage Account/CIS3.0/azure-storage-accounts-soft-delete-for-containers-and-blob-disabled.json b/rules/findings/Azure/Storage Account/CIS3.0/azure-storage-accounts-soft-delete-for-containers-and-blob-disabled.json
new file mode 100644
index 00000000..ff2e42d0
--- /dev/null
+++ b/rules/findings/Azure/Storage Account/CIS3.0/azure-storage-accounts-soft-delete-for-containers-and-blob-disabled.json
@@ -0,0 +1,111 @@
+{
+ "args": [
+
+ ],
+ "provider": "Azure",
+ "serviceType": "Storage Accounts",
+ "serviceName": "Storage",
+ "displayName": "Ensure Soft Delete is Enabled for Azure Containers and Blob Storage",
+ "description": "The Azure Storage blobs contain data like ePHI or Financial, which can be secret or personal. Data that is erroneously modified or deleted by an application or other storage account user will cause data loss or unavailability. It is recommended that both Azure Containers with attached Blob Storage and standalone containers with Blob Storage be made recoverable by enabling the soft delete configuration. This is to save and recover data when blobs or blob snapshots are deleted.",
+ "rationale": 'Containers and Blob Storage data can be incorrectly deleted. An attacker/malicious user may do this deliberately in order to cause disruption. Deleting an Azure Storage blob causes immediate data loss. Enabling this configuration for Azure storage ensures that even if blobs/data were deleted from the storage account, Blobs/data objects are recoverable for a particular time which is set in the "Retention policies", ranging from 7 days to 365 days.',
+ "impact": "Additional storage costs may be incurred as snapshots are retained.",
+ "remediation": {
+ "text": "
+ ###### Remediate from Azure Portal
+ 1. Go to Storage Accounts.
+ 2. For each Storage Account, under Data management, go to Data protection.
+ 3. Check the box next to Enable soft delete for blobs.
+ 4. Check the box next to Enable soft delete for containers.
+ 5. Set the retention period for both to a sufficient length for your organization.
+ 6. Click Save.
+ ",
+ "code": {
+ "powerShell": null,
+ "iac": null,
+ "terraform": null,
+ "other": null
+ }
+ },
+ "recommendation": null,
+ "references": [
+ "https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-soft-delete",
+ "https://docs.microsoft.com/en-us/azure/storage/blobs/soft-delete-container-overview",
+ "https://docs.microsoft.com/en-us/azure/storage/blobs/soft-delete-container-enable?tabs=azure-portal"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "3.0.0",
+ "reference": "4.10",
+ "profile": "Level 1"
+ }
+ ],
+ "level": "medium",
+ "tags": [
+
+ ],
+ "rule": {
+ "path": "",
+ "subPath": null,
+ "selectCondition": {
+
+ },
+ "query": [
+ ],
+ "shouldExist": null,
+ "returnObject": null,
+ "removeIfNotExists": null
+ },
+ "output": {
+ "html": {
+ "data": {
+ "expandObject": null
+ },
+ "table": "Normal",
+ "decorate": [
+
+ ],
+ "emphasis": [
+
+ ],
+ "actions": {
+ "objectData": {
+ "expandObject": null,
+ "limit": null
+ },
+ "showGoToButton": "True",
+ "showModalButton": "True",
+ "directLink": null
+ }
+ },
+ "text": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "status": {
+ "keyName": [
+
+ ],
+ "message": "",
+ "defaultMessage": null
+ },
+ "properties": {
+ "resourceName": null,
+ "resourceId": null,
+ "resourceType": null
+ },
+ "onlyStatus": false
+ }
+ },
+ "idSuffix": "storage_accounts_soft_delete_containers_and_blob_disabled",
+ "notes": [
+
+ ],
+ "categories": [
+
+ ]
+}
+
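Review bot: The `rationale` value in this file is written with single quotes (`"rationale": '...'`), which is not valid JSON — RFC 8259 allows only double-quoted strings — so `jq`, `python -m json.tool` and any strict loader reject the whole file, and the `"Retention policies"` inside the text then needs escaping. Change it to `"rationale": "Containers and Blob Storage data can be incorrectly deleted. … set in the \"Retention policies\", ranging from 7 days to 365 days.",` with the wording otherwise unchanged. Even if the project's reader happens to accept single quotes today, this is the only rule in the commit using them and it will break under any stricter parser or schema check.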
diff --git a/rules/findings/Azure/Storage Accounts/CIS1.4/azure-storage-accounts-trusted-ms-services-bypass.json b/rules/findings/Azure/Storage Account/CIS3.0/azure-storage-accounts-trusted-ms-services-bypass.json
similarity index 60%
rename from rules/findings/Azure/Storage Accounts/CIS1.4/azure-storage-accounts-trusted-ms-services-bypass.json
rename to rules/findings/Azure/Storage Account/CIS3.0/azure-storage-accounts-trusted-ms-services-bypass.json
index a4f41866..28652097 100644
--- a/rules/findings/Azure/Storage Accounts/CIS1.4/azure-storage-accounts-trusted-ms-services-bypass.json
+++ b/rules/findings/Azure/Storage Account/CIS3.0/azure-storage-accounts-trusted-ms-services-bypass.json
@@ -1,14 +1,18 @@
-{
+{
"args": [
],
"provider": "Azure",
"serviceType": "Storage Accounts",
"serviceName": "Storage",
- "displayName": "Allow the set of trusted Microsoft services to bypass the network rules",
- "description": "Some Microsoft services that interact with storage accounts operate from networks that cannot be granted access through network rules. To help this type of service work as intended, allow the set of trusted Microsoft services to bypass the network rules. These services will then use strong authentication to access the storage account. If the Allow trusted Microsoft services exception is enabled, the following services: Azure Backup, Azure Site Recovery, Azure DevTest Labs, Azure Event Grid, Azure Event Hubs, Azure Networking, Azure Monitor and Azure SQL Data Warehouse (when registered in the subscription), are granted access to the storage account. Turning on firewall rules for storage account will block access to incoming requests for data, including from other Azure services. This includes using the Portal, writing logs, etc. We can re-enable functionality. The customer can get access to services like Monitor, Networking, Hubs, and Event Grid by enabling \"Trusted Microsoft Services\" through exceptions. Also, Backup and Restore of Virtual Machines using unmanaged disks in storage accounts with network rules applied is supported via creating an exception.",
+ "displayName": "Ensure 'Allow Azure services on the trusted services list to access this storage account' is Enabled for Storage Account Access",
+ "description": "
+ *NOTE*: This recommendation assumes that the Public network access parameter is set to Enabled from selected virtual networks and IP addresses. Please ensure the prerequisite recommendation has been implemented before proceeding:
+ * Ensure Default Network Access Rule for Storage Accounts is Set to Deny
+ Some Microsoft services that interact with storage accounts operate from networks that cannot be granted access through network rules. To help this type of service work as intended, allow the set of trusted Microsoft services to bypass the network rules. These services will then use strong authentication to access the storage account. If the Allow trusted Microsoft services exception is enabled, the following services: Azure Backup, Azure Site Recovery, Azure DevTest Labs, Azure Event Grid, Azure Event Hubs, Azure Networking, Azure Monitor and Azure SQL Data Warehouse (when registered in the subscription), are granted access to the storage account. Turning on firewall rules for storage account will block access to incoming requests for data, including from other Azure services. This includes using the Portal, writing logs, etc. We can re-enable functionality. The customer can get access to services like Monitor, Networking, Hubs, and Event Grid by enabling \"Trusted Microsoft Services\" through exceptions. Also, Backup and Restore of Virtual Machines using unmanaged disks in storage accounts with network rules applied is supported via creating an exception.
+ ",
"rationale": "Turning on firewall rules for storage account will block access to incoming requests for data, including from other Azure services. This includes using the Portal, writing logs, etc. We can re-enable functionality. The customer can get access to services like Monitor, Networking, Hubs, and Event Grid by enabling `Trusted Microsoft Services` through exceptions. Also, Backup and Restore of Virtual Machines using unmanaged disks in storage accounts with network rules applied is supported via creating an exception.",
- "impact": null,
+ "impact": "This creates authentication credentials for services that need access to storage resources so that services will no longer need to communicate via network request. There may be a temporary loss of communication as you set each Storage Account. It is recommended to not do this on mission-critical resources during business hours.",
"remediation": {
"text": "###### From Azure Console\r\n\t\t\t\t\t1. Go to `Storage Accounts`.\r\n\t\t\t\t\t2. For each storage account, Click on the settings menu called `Firewalls` and `virtual networks`.\r\n\t\t\t\t\t3. Ensure that you have elected to allow access from `Selected networks`.\r\n\t\t\t\t\t4. Enable check box for `Allow trusted Microsoft services to access this storage account`.\r\n\t\t\t\t\t5. Click Save to apply your changes",
"code": {
@@ -27,8 +31,9 @@
"compliance": [
{
"name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "3.7"
+ "version": "3.0.0",
+ "reference": "4.8",
+ "profile": "Level 2"
}
],
"level": "medium",
@@ -80,17 +85,19 @@
],
"actions": {
"objectData": {
- "expand": [
+ "properties": [
"name",
"location",
"ResourceGroupName",
"CreationTime",
"AllowAzureServices"
],
+ "expandObject": null,
"limit": null
},
"showGoToButton": "True",
- "showModalButton": "True"
+ "showModalButton": "True",
+ "directLink": null
}
},
"text": {
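Review bot: `"showGoToButton": "True"` and the touched `"showModalButton": "True",` in this hunk store a boolean as a string, while the same two keys elsewhere in this change are written as the JSON literal `false` (the deleted adaptive-application rule) and as `null` (the security-contact rules), so one flag now has three representations across rule files that share a schema. Since this hunk already rewrites the `objectData` shape, it is the natural place to normalise to `"showGoToButton": true,` and `"showModalButton": true,`; if the renderer instead compares the value as a string, a string-typed `"False"` would read as truthy under a plain boolean test in most languages, so confirm how the consumer evaluates it before changing. The enclosing `output.html` object starts before this hunk.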
@@ -123,3 +130,4 @@
]
}
+
diff --git a/rules/findings/Azure/Storage Accounts/CIS1.4/azure-storage-accounts-access-all-networks.json b/rules/findings/Azure/Storage Accounts/CIS1.4/azure-storage-accounts-access-all-networks.json
deleted file mode 100644
index 99f1cf2c..00000000
--- a/rules/findings/Azure/Storage Accounts/CIS1.4/azure-storage-accounts-access-all-networks.json
+++ /dev/null
@@ -1,125 +0,0 @@
-{
- "args": [
-
- ],
- "provider": "Azure",
- "serviceType": "Storage Accounts",
- "serviceName": "Storage",
- "displayName": "Storage account access from all networks",
- "description": "Azure Storage provides a layered security model. This model enables administrators to secure storage accounts to a specific subset of networks. An administrator can limit access to your storage account to requests originating from specified IP addresses, IP ranges or from a list of subnets in Azure Virtual Networks.",
- "rationale": "Storage accounts should be configured to deny access to traffic from all networks (including internet traffic). Access can be granted to traffic from specific Azure Virtual networks, allowing a secure network boundary for specific applications to be built. Access can also be granted to public internet IP address ranges, to enable connections from specific internet or on-premises clients. When network rules are configured, only applications from allowed networks can access a storage account. When calling from an allowed network, applications continue to require proper authorization (a valid access key or SAS token) to access the storage account.",
- "impact": null,
- "remediation": {
- "text": "###### From Azure Console\r\n\t\t\t\t\t1. Go to `Storage Accounts`.\r\n\t\t\t\t\t2. For each storage account, Click on the `settings` menu called `Firewalls` and `virtual networks`.\r\n\t\t\t\t\t3. Ensure that you have selected to allow access from `selected networks`.\r\n\t\t\t\t\t4. Add rules to `allow traffic` from specific network.\r\n\t\t\t\t\t5. Click Save to apply your changes",
- "code": {
- "powerShell": null,
- "iac": null,
- "terraform": null,
- "other": null
- }
- },
- "recommendation": null,
- "references": [
- "https://docs.microsoft.com/en-us/azure/storage/common/storage-network-security",
- "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-2-define-enterprise-segmentation-strategy",
- "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic"
- ],
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "3.6"
- }
- ],
- "level": "medium",
- "tags": [
-
- ],
- "rule": {
- "path": "az_storage_accounts",
- "subPath": null,
- "selectCondition": {
-
- },
- "query": [
- {
- "filter": [
- {
- "conditions": [
- [
- "AllowAccessFromAllNetworks",
- "eq",
- "True"
- ]
- ]
- }
- ]
- }
- ],
- "shouldExist": null,
- "returnObject": null,
- "removeIfNotExists": null
- },
- "output": {
- "html": {
- "data": {
- "properties": {
- "name": "Name",
- "CreationTime": "Creation Time",
- "location": "Location",
- "AllowAccessFromAllNetworks": "Allow Access from all networks"
- },
- "expandObject": null
- },
- "table": "Normal",
- "decorate": [
-
- ],
- "emphasis": [
-
- ],
- "actions": {
- "objectData": {
- "expand": [
- "name",
- "location",
- "ResourceGroupName",
- "CreationTime",
- "AllowAccessFromAllNetworks"
- ],
- "limit": null
- },
- "showGoToButton": "True",
- "showModalButton": "True"
- }
- },
- "text": {
- "data": {
- "properties": {
-
- },
- "expandObject": null
- },
- "status": {
- "keyName": [
-
- ],
- "message": "",
- "defaultMessage": null
- },
- "properties": {
- "resourceName": null,
- "resourceId": null,
- "resourceType": null
- },
- "onlyStatus": false
- }
- },
- "idSuffix": "storage_accounts_all_networks",
- "notes": [
-
- ],
- "categories": [
-
- ]
-}
diff --git a/rules/findings/Azure/Storage Accounts/CIS1.4/azure-storage-accounts-blob-data-protection-missing.json b/rules/findings/Azure/Storage Accounts/CIS1.4/azure-storage-accounts-blob-data-protection-missing.json
deleted file mode 100644
index 9a2d8f09..00000000
--- a/rules/findings/Azure/Storage Accounts/CIS1.4/azure-storage-accounts-blob-data-protection-missing.json
+++ /dev/null
@@ -1,122 +0,0 @@
-{
- "args": [
-
- ],
- "provider": "Azure",
- "serviceType": "Storage Accounts",
- "serviceName": "Storage",
- "displayName": "Ensure soft delete is enabled for Azure Storage",
- "description": "The Azure Storage blobs contain data like ePHI, Financial, secret or personal. Erroneously modified or deleted accidentally by an application or other storage account user cause data loss or data unavailability. \r\n\t\t\t\t\tIt is recommended the Azure Storage be made recoverable by enabling **soft delete** configuration. This is to save and recover data when blobs or blob snapshots are deleted.",
-"rationale": "There could be scenarios where users accidentally run delete commands on Azure Storage blobs or blob snapshot or attacker/malicious user does it deliberately to cause disruption. Deleting an Azure Storage blob leads to immediate data loss / non-accessible data. \r\n\t\t\t\t There is a property of Azure Storage blob service to make recoverable blobs.\r\n\t\t\t\t \r\n\t\t\t\t * Soft Delete\r\n\t\t\t\t Enabling this configuration for azure storage ensures that even if blobs/data were deleted from the storage account, Blobs/data objects remain recoverable for a particular time which set in the `Retention policies` [Retention policies can be 7 days to 365 days]",
- "impact": null,
- "remediation": {
- "text": "###### From Azure Console\r\n\t\t\t\t\t1. Go to `Storage Accounts`.\r\n\t\t\t\t\t2. For each Storage Account, navigate to `Data Protection`\r\n\t\t\t\t\t3. Select set soft delete enabled and enter a number of days you want to retain soft deleted data.",
- "code": {
- "powerShell": null,
- "iac": null,
- "terraform": null,
- "other": null
- }
- },
- "recommendation": null,
- "references": [
- "https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-soft-delete"
- ],
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "3.8"
- }
- ],
- "level": "medium",
- "tags": [
-
- ],
- "rule": {
- "path": "az_storage_accounts",
- "subPath": null,
- "selectCondition": {
-
- },
- "query": [
- {
- "filter": [
- {
- "conditions": [
- [
- "dataProtection.properties.deleteRetentionPolicy.enabled",
- "eq",
- "False"
- ]
- ]
- }
- ]
- }
- ],
- "shouldExist": null,
- "returnObject": null,
- "removeIfNotExists": null
- },
- "output": {
- "html": {
- "data": {
- "properties": {
- "name": "Name",
- "location": "Location",
- "ResourceGroupName": "ResourceGroupName",
- "dataProtection.properties.deleteRetentionPolicy.enabled": "SoftDelete Enabled"
- },
- "expandObject": null
- },
- "table": "Normal",
- "decorate": [
-
- ],
- "emphasis": [
-
- ],
- "actions": {
- "objectData": {
- "expand": [
- "name",
- "location",
- "ResourceGroupName",
- "dataProtection"
- ],
- "limit": null
- },
- "showGoToButton": "True",
- "showModalButton": "True"
- }
- },
- "text": {
- "data": {
- "properties": {
-
- },
- "expandObject": null
- },
- "status": {
- "keyName": [
-
- ],
- "message": "",
- "defaultMessage": null
- },
- "properties": {
- "resourceName": null,
- "resourceId": null,
- "resourceType": null
- },
- "onlyStatus": false
- }
- },
- "idSuffix": "storage_accounts_missing_blob_data_protection",
- "notes": [
-
- ],
- "categories": [
-
- ]
-}
diff --git a/rules/findings/Azure/Storage Accounts/CIS1.4/azure-storage-accounts-blob-logging-disabled.json b/rules/findings/Azure/Storage Accounts/CIS1.4/azure-storage-accounts-blob-logging-disabled.json
deleted file mode 100644
index 2967b03a..00000000
--- a/rules/findings/Azure/Storage Accounts/CIS1.4/azure-storage-accounts-blob-logging-disabled.json
+++ /dev/null
@@ -1,136 +0,0 @@
-{
- "args": [
-
- ],
- "provider": "Azure",
- "serviceType": "Storage Accounts",
- "serviceName": "Storage",
- "displayName": "Ensure Storage logging is enabled for Blob service for read, write, and delete requests",
- "description": "The Storage Blob service provides scalable, cost-efficient objective storage in the cloud. Storage Logging happens server-side and allows details for both successful and failed requests to be recorded in the storage account. These logs allow users to see the details of read, write, and delete operations against the blobs. Storage Logging log entries contain the following information about individual requests: Timing information such as start time, end-to-end latency, and server latency, authentication details , concurrency information and the sizes of the request and response messages.",
- "rationale": "Storage Analytics logs contain detailed information about successful and failed requests to a storage service. This information can be used to monitor individual requests and to diagnose issues with a storage service. Requests are logged on a best-effort basis.",
- "impact": "Enabling storage account blob service logging does have a cost implication.",
- "remediation": {
- "text": "###### From Azure Console\r\n\t\t\t\t\t1. Go to `Storage Accounts`.\r\n\t\t\t\t\t2. Select the specific `Storage Account`.\r\n\t\t\t\t\t3. Click the `Diagnostics settings (classic)` blade from `Monitoring (classic)` section.\r\n\t\t\t\t\t4. Set the Status to `On`, if set to `Off`.\r\n\t\t\t\t\t5. Select `Blob` properties.\r\n\t\t\t\t\t6. Select `Read, Write` and `Delete` options under the Logging section to enable Storage Logging for Blob service.",
- "code": {
- "powerShell": null,
- "iac": null,
- "terraform": null,
- "other": null
- }
- },
- "recommendation": null,
- "references": [
- "https://docs.microsoft.com/en-us/rest/api/storageservices/about-storage-analytics-logging",
- "https://docs.microsoft.com/en-us/cli/azure/storage/logging?view=azure-cli-latest",
- "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources"
- ],
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "3.10"
- }
- ],
- "level": "medium",
- "tags": [
-
- ],
- "rule": {
- "path": "az_storage_accounts",
- "subPath": null,
- "selectCondition": {
-
- },
- "query": [
- {
- "filter": [
- {
- "conditions": [
- [
- "diagnosticSettings.blob.logging.read",
- "eq",
- "False"
- ],
- [
- "diagnosticSettings.blob.logging.write",
- "eq",
- "False"
- ],
- [
- "diagnosticSettings.blob.logging.delete",
- "eq",
- "False"
- ]
- ],
- "operator": "or"
- }
- ]
- }
- ],
- "shouldExist": null,
- "returnObject": null,
- "removeIfNotExists": null
- },
- "output": {
- "html": {
- "data": {
- "properties": {
- "name": "Name",
- "ResourceGroupName": "ResourceGroupName",
- "diagnosticSettings.blob.logging.read": "Read Enabled",
- "diagnosticSettings.blob.logging.write": "Write Enabled",
- "diagnosticSettings.blob.logging.delete": "Delete Enabled"
- },
- "expandObject": null
- },
- "table": "Normal",
- "decorate": [
-
- ],
- "emphasis": [
-
- ],
- "actions": {
- "objectData": {
- "expand": [
- "name",
- "location",
- "ResourceGroupName",
- "diagnosticSettings"
- ],
- "limit": null
- },
- "showGoToButton": "True",
- "showModalButton": "True"
- }
- },
- "text": {
- "data": {
- "properties": {
-
- },
- "expandObject": null
- },
- "status": {
- "keyName": [
-
- ],
- "message": "",
- "defaultMessage": null
- },
- "properties": {
- "resourceName": null,
- "resourceId": null,
- "resourceType": null
- },
- "onlyStatus": false
- }
- },
- "idSuffix": "storage_accounts_missing_blob_logging",
- "notes": [
-
- ],
- "categories": [
-
- ]
-}
diff --git a/rules/findings/Azure/Storage Accounts/CIS1.4/azure-storage-accounts-public-access-level.json b/rules/findings/Azure/Storage Accounts/CIS1.4/azure-storage-accounts-public-access-level.json
deleted file mode 100644
index 8e3e25e7..00000000
--- a/rules/findings/Azure/Storage Accounts/CIS1.4/azure-storage-accounts-public-access-level.json
+++ /dev/null
@@ -1,127 +0,0 @@
-{
- "args": [
-
- ],
- "provider": "Azure",
- "serviceType": "Storage Accounts",
- "serviceName": "Storage",
- "displayName": "Disable anonymous read access to containers and blobs",
- "description": "Read access permission was enabled for blobs",
- "rationale": "Anonymous, public read access to a container and its blobs can be enabled in Azure Blob storage. It grants read-only access to these resources without sharing the account key, and without requiring a shared access signature. It is recommended not to provide anonymous access to blob containers until, and unless, it is strongly desired. A shared access signature token should be used for providing controlled and timed access to blob containers. If no anonymous access is needed on the storage account, it’s recommended to set allowBlobPublicAccess false.",
- "impact": "Access using shared access signatures will have to be managed.",
- "remediation": {
- "text": "###### From Azure Console\r\n\t\t\t\t\t1. Go to `Storage Accounts`.\r\n\t\t\t\t\t2. For each storage account, go to `Containers` under **blob service**\r\n\t\t\t\t\t3. For each container, click `Access policy`\r\n\t\t\t\t\t4. Set `Public access level` to `Private (no anonymous access)`\r\n\t\t\t\t\t5. For each storage account, go to `Allow Blob public access` in Configuration\r\n\t\t\t\t\t6. Set `Disabled` if no anonymous access is needed on the storage account",
- "code": {
- "powerShell": null,
- "iac": null,
- "terraform": null,
- "other": null
- }
- },
- "recommendation": null,
- "references": [
- "https://docs.microsoft.com/en-us/azure/storage/common/storage-security-guide",
- "https://docs.microsoft.com/en-us/azure/storage/blobs/storage-manage-access-to-resources",
- "https://docs.microsoft.com/en-us/azure/storage/blobs/anonymous-read-access-prevent",
- "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-2-define-enterprise-segmentation-strategy",
- "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic"
- ],
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "3.5"
- }
- ],
- "level": "medium",
- "tags": [
-
- ],
- "rule": {
- "path": "az_storage_accounts",
- "subPath": null,
- "selectCondition": {
-
- },
- "query": [
- {
- "filter": [
- {
- "conditions": [
- [
- "properties.allowBlobPublicAccess",
- "eq",
- "True"
- ]
- ]
- }
- ]
- }
- ],
- "shouldExist": null,
- "returnObject": null,
- "removeIfNotExists": null
- },
- "output": {
- "html": {
- "data": {
- "properties": {
- "name": "Name",
- "location": "Location",
- "ResourceGroupName": "ResourceGroupName",
- "properties.allowBlobPublicAccess": "Public Access"
- },
- "expandObject": null
- },
- "table": "Normal",
- "decorate": [
-
- ],
- "emphasis": [
-
- ],
- "actions": {
- "objectData": {
- "expand": [
- "name",
- "location",
- "ResourceGroupName",
- "CreationTime",
- "properties.allowBlobPublicAccess"
- ],
- "limit": null
- },
- "showGoToButton": "True",
- "showModalButton": "True"
- }
- },
- "text": {
- "data": {
- "properties": {
-
- },
- "expandObject": null
- },
- "status": {
- "keyName": [
-
- ],
- "message": "",
- "defaultMessage": null
- },
- "properties": {
- "resourceName": null,
- "resourceId": null,
- "resourceType": null
- },
- "onlyStatus": false
- }
- },
- "idSuffix": "storage_accounts_anonymous_access_enabled",
- "notes": [
-
- ],
- "categories": [
-
- ]
-}
diff --git a/rules/findings/Azure/Storage Accounts/CIS1.4/azure-storage-accounts-queue-logging-disabled.json b/rules/findings/Azure/Storage Accounts/CIS1.4/azure-storage-accounts-queue-logging-disabled.json
deleted file mode 100644
index d95394d0..00000000
--- a/rules/findings/Azure/Storage Accounts/CIS1.4/azure-storage-accounts-queue-logging-disabled.json
+++ /dev/null
@@ -1,136 +0,0 @@
-{
- "args": [
-
- ],
- "provider": "Azure",
- "serviceType": "Storage Accounts",
- "serviceName": "Storage",
- "displayName": "Ensure Storage logging is enabled for Queue service for read, write, and delete requests",
- "description": "The Storage Queue service stores messages that may be read by any client who has access to the storage account. A queue can contain an unlimited number of messages, each of which can be up to 64KB in size using version 2011-08-18 or newer. Storage Logging happens server-side and allows details for both successful and failed requests to be recorded in the storage account. These logs allow users to see the details of read, write, and delete operations against the queues. Storage Logging log entries contain the following information about individual requests: Timing information such as start time, end-to-end latency, and server latency, authentication details , concurrency information and the sizes of the request and response message.",
- "rationale": "Storage Analytics logs contain detailed information about successful and failed requests to a storage service. This information can be used to monitor individual requests and to diagnose issues with a storage service. Requests are logged on a best-effort basis. \r\n\t\t\t\t Storage Analytics logging is not enabled by default for storage account.",
- "impact": "",
- "remediation": {
- "text": "###### From Azure Console\r\n\t\t\t\t\t1. Go to `Storage Accounts`.\r\n\t\t\t\t\t2. Select the specific `Storage Account`.\r\n\t\t\t\t\t3. Click the `Diagnostics settings (classic)` blade from `Monitoring (classic)` section.\r\n\t\t\t\t\t4. Set the Status to `On`, if set to `Off`.\r\n\t\t\t\t\t5. Select `Queue` properties.\r\n\t\t\t\t\t6. Select `Read, Write` and `Delete` options under the Logging section to enable Storage Logging for Queue service.",
- "code": {
- "powerShell": null,
- "iac": null,
- "terraform": null,
- "other": null
- }
- },
- "recommendation": null,
- "references": [
- "https://docs.microsoft.com/en-us/rest/api/storageservices/about-storage-analytics-logging",
- "https://docs.microsoft.com/en-us/cli/azure/storage/logging?view=azure-cli-latest",
- "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources"
- ],
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "3.3"
- }
- ],
- "level": "medium",
- "tags": [
-
- ],
- "rule": {
- "path": "az_storage_accounts",
- "subPath": null,
- "selectCondition": {
-
- },
- "query": [
- {
- "filter": [
- {
- "conditions": [
- [
- "diagnosticSettings.queue.logging.read",
- "eq",
- "False"
- ],
- [
- "diagnosticSettings.queue.logging.write",
- "eq",
- "False"
- ],
- [
- "diagnosticSettings.queue.logging.delete",
- "eq",
- "False"
- ]
- ],
- "operator": "or"
- }
- ]
- }
- ],
- "shouldExist": null,
- "returnObject": null,
- "removeIfNotExists": null
- },
- "output": {
- "html": {
- "data": {
- "properties": {
- "name": "Name",
- "ResourceGroupName": "ResourceGroupName",
- "diagnosticSettings.queue.logging.read": "Read Enabled",
- "diagnosticSettings.queue.logging.write": "Write Enabled",
- "diagnosticSettings.queue.logging.delete": "Delete Enabled"
- },
- "expandObject": null
- },
- "table": "Normal",
- "decorate": [
-
- ],
- "emphasis": [
-
- ],
- "actions": {
- "objectData": {
- "expand": [
- "name",
- "location",
- "ResourceGroupName",
- "diagnosticSettings"
- ],
- "limit": null
- },
- "showGoToButton": "True",
- "showModalButton": "True"
- }
- },
- "text": {
- "data": {
- "properties": {
-
- },
- "expandObject": null
- },
- "status": {
- "keyName": [
-
- ],
- "message": "",
- "defaultMessage": null
- },
- "properties": {
- "resourceName": null,
- "resourceId": null,
- "resourceType": null
- },
- "onlyStatus": false
- }
- },
- "idSuffix": "storage_accounts_missing_queue_logging",
- "notes": [
-
- ],
- "categories": [
-
- ]
-}
diff --git a/rules/findings/Azure/Storage Accounts/CIS1.4/azure-storage-accounts-table-logging-disabled.json b/rules/findings/Azure/Storage Accounts/CIS1.4/azure-storage-accounts-table-logging-disabled.json
deleted file mode 100644
index dc87ec3d..00000000
--- a/rules/findings/Azure/Storage Accounts/CIS1.4/azure-storage-accounts-table-logging-disabled.json
+++ /dev/null
@@ -1,136 +0,0 @@
-{
- "args": [
-
- ],
- "provider": "Azure",
- "serviceType": "Storage Accounts",
- "serviceName": "Storage",
- "displayName": "Ensure Storage logging is enabled for Table service for read, write, and delete requests",
- "description": "The Storage Table storage is a service that stores structure NoSQL data in the cloud, providing a key/attribute store with a schema less design. Storage Logging happens server-side and allows details for both successful and failed requests to be recorded in the storage account. These logs allow users to see the details of read, write, and delete operations against the tables. Storage Logging log entries contain the following information about individual requests: Timing information such as start time, end-to-end latency, and server latency, authentication details , concurrency information and the sizes of the request and response messages.",
- "rationale": "Storage Analytics logs contain detailed information about successful and failed requests to a storage service. This information can be used to monitor individual requests and to diagnose issues with a storage service. Requests are logged on a best-effort basis.",
- "impact": "Enabling storage account blob service logging does have a cost implication.",
- "remediation": {
- "text": "###### From Azure Console\r\n\t\t\t\t\t1. Go to `Storage Accounts`.\r\n\t\t\t\t\t2. Select the specific `Storage Account`.\r\n\t\t\t\t\t3. Click the `Diagnostics settings (classic)` blade from `Monitoring (classic)` section.\r\n\t\t\t\t\t4. Set the Status to `On`, if set to `Off`.\r\n\t\t\t\t\t5. Select `Table` properties.\r\n\t\t\t\t\t6. Select `Read, Write` and `Delete` options under the Logging section to enable Storage Logging for Table service.",
- "code": {
- "powerShell": null,
- "iac": null,
- "terraform": null,
- "other": null
- }
- },
- "recommendation": null,
- "references": [
- "https://docs.microsoft.com/en-us/rest/api/storageservices/about-storage-analytics-logging",
- "https://docs.microsoft.com/en-us/cli/azure/storage/logging?view=azure-cli-latest",
- "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources"
- ],
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "3.11"
- }
- ],
- "level": "medium",
- "tags": [
-
- ],
- "rule": {
- "path": "az_storage_accounts",
- "subPath": null,
- "selectCondition": {
-
- },
- "query": [
- {
- "filter": [
- {
- "conditions": [
- [
- "diagnosticSettings.table.logging.read",
- "eq",
- "False"
- ],
- [
- "diagnosticSettings.table.logging.write",
- "eq",
- "False"
- ],
- [
- "diagnosticSettings.table.logging.delete",
- "eq",
- "False"
- ]
- ],
- "operator": "or"
- }
- ]
- }
- ],
- "shouldExist": null,
- "returnObject": null,
- "removeIfNotExists": null
- },
- "output": {
- "html": {
- "data": {
- "properties": {
- "name": "Name",
- "ResourceGroupName": "ResourceGroupName",
- "diagnosticSettings.blob.logging.read": "Read Enabled",
- "diagnosticSettings.blob.logging.write": "Write Enabled",
- "diagnosticSettings.blob.logging.delete": "Delete Enabled"
- },
- "expandObject": null
- },
- "table": "Normal",
- "decorate": [
-
- ],
- "emphasis": [
-
- ],
- "actions": {
- "objectData": {
- "expand": [
- "name",
- "location",
- "ResourceGroupName",
- "diagnosticSettings"
- ],
- "limit": null
- },
- "showGoToButton": "True",
- "showModalButton": "True"
- }
- },
- "text": {
- "data": {
- "properties": {
-
- },
- "expandObject": null
- },
- "status": {
- "keyName": [
-
- ],
- "message": "",
- "defaultMessage": null
- },
- "properties": {
- "resourceName": null,
- "resourceId": null,
- "resourceType": null
- },
- "onlyStatus": false
- }
- },
- "idSuffix": "storage_accounts_missing_table_logging",
- "notes": [
-
- ],
- "categories": [
-
- ]
-}
diff --git a/rules/findings/Azure/Subscription/CIS1.4/azure-asc-monitor-adaptive-application-disabled-alert.json b/rules/findings/Azure/Subscription/CIS1.4/azure-asc-monitor-adaptive-application-disabled-alert.json
deleted file mode 100644
index 1ef44407..00000000
--- a/rules/findings/Azure/Subscription/CIS1.4/azure-asc-monitor-adaptive-application-disabled-alert.json
+++ /dev/null
@@ -1,129 +0,0 @@
-{
- "args": [
-
- ],
- "provider": "Azure",
- "serviceType": "Subscription Policies",
- "serviceName": "Subscription",
- "displayName": "Enable _ARG_1_ in Microsoft Defender for Cloud Default policy",
- "description": "_ARG_1_ alert was not enabled at subscription level.",
- "rationale": "A security policy defines the desired configuration of your workloads and helps ensure compliance with company or regulatory security requirements. ASC Default policy is associated with every subscription by default. ASC default policy assignment is set of security recommendations based on best practices. Enabling recommendations in ASC default policy ensures that Microsoft Defender for Cloud provides ability to monitor all of the supported recommendations and allow automated action optionally for few of the supported recommendations.",
- "impact": null,
- "remediation": {
- "text": "###### From Azure Console\r\n\t\t\t\t\t1. Navigate to `Azure Policy`\r\n\t\t\t\t\t2. On Policy \"Overview\" blade, Click on Policy `ASC Default (Subscription:Subscription_ID)`\r\n\t\t\t\t\t3. On \"ASC Default\" blade, Click on `Edit Assignments`\r\n\t\t\t\t\t4. In section **parameters**, configure the impacted setting to any other available value than `Disabled` or `empty`\r\n\t\t\t\t\t5. Click Save",
- "code": {
- "powerShell": null,
- "iac": null,
- "terraform": null,
- "other": null
- }
- },
- "recommendation": null,
- "references": [
- "https://docs.microsoft.com/en-us/azure/security-center/security-center-policies",
- "https://docs.microsoft.com/en-us/azure/security-center/security-center-enable-transparent-data-encryption",
- "https://msdn.microsoft.com/en-us/library/mt704062.aspx",
- "https://msdn.microsoft.com/en-us/library/mt704063.aspx",
- "https://docs.microsoft.com/en-us/rest/api/resources/policyassignments/get",
- "https://docs.microsoft.com/en-us/rest/api/resources/policyassignments/create",
- "https://docs.microsoft.com/en-in/azure/security-center/tutorial-security-policy",
- "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-incident-response#ir-2-preparation--setup-incident-notification"
- ],
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "2.12"
- }
- ],
- "level": "medium",
- "tags": [
-
- ],
- "rule": {
- "path": "az_asc_builtin_policies",
- "subPath": null,
- "selectCondition": {
-
- },
- "query": [
- {
- "filter": [
- {
- "conditions": [
- [
- "PolicyName",
- "eq",
- "_ARG_0_"
- ],
- [
- "Status",
- "eq",
- "Disabled"
- ]
- ],
- "operator": "and"
- }
- ]
- }
- ],
- "shouldExist": null,
- "returnObject": null,
- "removeIfNotExists": null
- },
- "output": {
- "html": {
- "data": {
- "properties": {
-
- },
- "expandObject": null
- },
- "table": null,
- "decorate": [
-
- ],
- "emphasis": [
-
- ],
- "actions": {
- "objectData": {
- "expand": [
- "*"
- ],
- "limit": null
- },
- "showGoToButton": false,
- "showModalButton": false
- }
- },
- "text": {
- "data": {
- "properties": {
-
- },
- "expandObject": null
- },
- "status": {
- "keyName": [
-
- ],
- "message": "",
- "defaultMessage": null
- },
- "properties": {
- "resourceName": null,
- "resourceId": null,
- "resourceType": null
- },
- "onlyStatus": false
- }
- },
- "idSuffix": "adaptive_app_whitelist_disabled",
- "notes": [
-
- ],
- "categories": [
-
- ]
-}
diff --git a/rules/findings/Azure/Subscription/CIS1.4/azure-security-contact-mail-disabled.json b/rules/findings/Azure/Subscription/CIS3.0/azure-security-contact-additional-email-not-configured.json
similarity index 77%
rename from rules/findings/Azure/Subscription/CIS1.4/azure-security-contact-mail-disabled.json
rename to rules/findings/Azure/Subscription/CIS3.0/azure-security-contact-additional-email-not-configured.json
index ec8b7580..37f30159 100644
--- a/rules/findings/Azure/Subscription/CIS1.4/azure-security-contact-mail-disabled.json
+++ b/rules/findings/Azure/Subscription/CIS3.0/azure-security-contact-additional-email-not-configured.json
@@ -1,13 +1,13 @@
-{
+{
"args": [
],
"provider": "Azure",
"serviceType": "Subscription Security",
"serviceName": "Subscription",
- "displayName": "Provide a security contact email address",
- "description": "Microsoft Defender for Cloud best practices recommend that security contact details for the affected Azure subscription should be added. This information will be used by Microsoft to contact subscription\u0027s owner if the Microsoft Security Response Center (MSRC) discovers that the subscription data has potentially been accessed by an unlawful or unauthorized party.",
- "rationale": "Microsoft Defender for Cloud emails the Subscription Owner to notify them about security alerts. Adding your Security Contact\u0027s email address to the \u0027Additional email addresses\u0027 field ensures that your organization\u0027s Security Team is included in these alerts. This ensures that the proper people are aware of any potential compromise in order to mitigate the risk in a timely fashion.",
+ "displayName": "Ensure 'Additional email addresses' is Configured with a Security Contact Email",
+ "description": "Microsoft Defender for Cloud emails the subscription owners whenever a high-severity alert is triggered for their subscription. You should provide a security contact email address as an additional email address.",
+ "rationale": "Microsoft Defender for Cloud emails the Subscription Owner to notify them about security alerts. Adding your Security Contact's email address to the 'Additional email addresses' field ensures that your organization's Security Team is included in these alerts. This ensures that the proper people are aware of any potential compromise in order to mitigate the risk in a timely fashion.",
"impact": null,
"remediation": {
"text": "###### From Azure Console\r\n\t\t\t\t\t1. Navigate to `Microsoft Defender for Cloud`\r\n\t\t\t\t\t2. Click on Pricing \u0026 settings\r\n\t\t\t\t\t3. Click on the appropriate Management Group, Subscription, or Workspace\r\n\t\t\t\t\t4. Click on `Email notifications`\r\n\t\t\t\t\t5. Enter a valid security contact email address (or multiple addresses separated by\tcommas) in the `Additional email addresses` field\r\n\t\t\t\t\t6. Click Save",
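Review bot: The remediation on the last context line still routes through `Click on Pricing & settings`, a blade the Defender for Cloud portal has since renamed (the CIS 3.0.0 text this rule is being re-mapped to directs to Environment settings), so the re-titled rule ships a stale click path; I would change step 2 to `2. Click on Environment settings`, to be confirmed against the current portal. The same line keeps the `\u0026` escape for `&` while this hunk replaces every `\u0027` with a literal `'`; both are valid JSON, but one escaping convention should be used throughout the file. The `remediation` object continues past the end of this hunk.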
@@ -28,8 +28,9 @@
"compliance": [
{
"name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "2.13"
+ "version": "3.0.0",
+ "reference": "3.1.13",
+ "profile":"Level 1"
}
],
"level": "medium",
@@ -82,11 +83,15 @@
],
"actions": {
"objectData": {
- "expand": null,
+ "properties": [
+
+ ],
+ "expandObject": null,
"limit": null
},
"showGoToButton": null,
- "showModalButton": null
+ "showModalButton": null,
+ "directLink": null
}
},
"text": {
@@ -119,3 +124,4 @@
]
}
+
diff --git a/rules/findings/Azure/Subscription/CIS1.4/azure-security-contact-send-email-high-alerts-disabled.json b/rules/findings/Azure/Subscription/CIS3.0/azure-security-contact-send-email-high-alerts-disabled.json
similarity index 91%
rename from rules/findings/Azure/Subscription/CIS1.4/azure-security-contact-send-email-high-alerts-disabled.json
rename to rules/findings/Azure/Subscription/CIS3.0/azure-security-contact-send-email-high-alerts-disabled.json
index 64f4fc99..a531e606 100644
--- a/rules/findings/Azure/Subscription/CIS1.4/azure-security-contact-send-email-high-alerts-disabled.json
+++ b/rules/findings/Azure/Subscription/CIS3.0/azure-security-contact-send-email-high-alerts-disabled.json
@@ -1,11 +1,11 @@
-{
+{
"args": [
],
"provider": "Azure",
"serviceType": "Subscription Security",
"serviceName": "Subscription",
- "displayName": "Ensure That \u0027Notify about alerts with the following severity\u0027 is Set to \u0027High\u0027",
+ "displayName": "Ensure That 'Notify about alerts with the following severity' is Set to 'High'",
"description": "Enables emailing security alerts to the subscription owner or other designated security contact.",
"rationale": "Enabling security alert emails ensures that security alert emails are received from Microsoft. This ensures that the right people are aware of any potential security issues and are able to mitigate the risk.",
"impact": null,
@@ -28,8 +28,9 @@
"compliance": [
{
"name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "2.14"
+ "version": "3.0.0",
+ "reference": "3.1.14",
+ "profile":"Level 1"
}
],
"level": "medium",
@@ -88,11 +89,15 @@
],
"actions": {
"objectData": {
- "expand": null,
+ "properties": [
+
+ ],
+ "expandObject": null,
"limit": null
},
"showGoToButton": null,
- "showModalButton": null
+ "showModalButton": null,
+ "directLink": null
}
},
"text": {
@@ -125,3 +130,4 @@
]
}
+
diff --git a/rules/findings/Azure/Subscription/CIS1.4/azure-security-contact-send-email-to-owners-disabled.json b/rules/findings/Azure/Subscription/CIS3.0/azure-security-contact-send-email-to-owners-disabled.json
similarity index 86%
rename from rules/findings/Azure/Subscription/CIS1.4/azure-security-contact-send-email-to-owners-disabled.json
rename to rules/findings/Azure/Subscription/CIS3.0/azure-security-contact-send-email-to-owners-disabled.json
index b43ae28d..25a066cb 100644
--- a/rules/findings/Azure/Subscription/CIS1.4/azure-security-contact-send-email-to-owners-disabled.json
+++ b/rules/findings/Azure/Subscription/CIS3.0/azure-security-contact-send-email-to-owners-disabled.json
@@ -1,12 +1,12 @@
-{
+{
"args": [
],
"provider": "Azure",
"serviceType": "Subscription Security",
"serviceName": "Subscription",
- "displayName": "Enable security alert emails to subscription owners",
- "description": "Microsoft Defender for Cloud best practices recommend that security contact details for the affected Azure subscription should be added. This information will be used by Microsoft to contact subscription\u0027s owner if the Microsoft Security Response Center (MSRC) discovers that the subscription data has potentially been accessed by an unlawful or unauthorized party.",
+ "displayName": "Ensure That 'All users with the following roles' is set to 'Owner'",
+ "description": "Enable security alert emails to subscription owners.",
"rationale": "Enabling security alert emails to subscription owners ensures that they receive security alert emails from Microsoft. This ensures that they are aware of any potential security issues and can mitigate the risk in a timely fashion.",
"impact": null,
"remediation": {
@@ -28,8 +28,9 @@
"compliance": [
{
"name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "2.15"
+ "version": "3.0.0",
+ "reference": "3.1.12",
+ "profile":"Level 1"
}
],
"level": "medium",
@@ -106,11 +107,15 @@
],
"actions": {
"objectData": {
- "expand": null,
+ "properties": [
+
+ ],
+ "expandObject": null,
"limit": null
},
"showGoToButton": null,
- "showModalButton": null
+ "showModalButton": null,
+ "directLink": null
}
},
"text": {
@@ -143,3 +148,4 @@
]
}
+
diff --git a/rules/findings/Azure/Subscription/CIS1.4/azure-subscription-custom-role-excessive-permissions.json b/rules/findings/Azure/Subscription/CIS3.0/azure-subscription-custom-role-excessive-permissions.json
similarity index 77%
rename from rules/findings/Azure/Subscription/CIS1.4/azure-subscription-custom-role-excessive-permissions.json
rename to rules/findings/Azure/Subscription/CIS3.0/azure-subscription-custom-role-excessive-permissions.json
index eb87a727..214e41e5 100644
--- a/rules/findings/Azure/Subscription/CIS1.4/azure-subscription-custom-role-excessive-permissions.json
+++ b/rules/findings/Azure/Subscription/CIS3.0/azure-subscription-custom-role-excessive-permissions.json
@@ -1,14 +1,14 @@
-{
+{
"args": [
],
"provider": "Azure",
"serviceType": "Subscription Security",
"serviceName": "Subscription",
- "displayName": "Ensure that no custom owner roles are created",
- "description": "Subscription ownership should not include permission to create custom owner roles. The principle of least privilege should be followed and only necessary privileges should be assigned instead of allowing full administrative access.",
- "rationale": "Classic subscription admin roles offer basic access management and include Account Administrator, Service Administrator, and Co-Administrators. It is recommended the least necessary permissions be given initially. Permissions can be added as needed by the account holder. This ensures the account holder cannot perform actions which were not intended.",
- "impact": null,
+ "displayName": "Ensure That No Custom Subscription Administrator Roles Exist",
+ "description": "The principle of least privilege should be followed and only necessary privileges should be assigned instead of allowing full administrative access.",
+ "rationale": "Custom roles in Azure with administrative access can obfuscate the permissions granted and introduce complexity and blind spots to the management of privileged identities. For less mature security programs without regular identity audits, the creation of Custom roles should be avoided entirely. For more mature security programs with regular identity audits, Custom Roles should be audited for use and assignment, used minimally, and the principle of least privilege should be observed when granting permissions.",
+ "impact": "Subscriptions will need to be handled by Administrators with permissions. ",
"remediation": {
"text": "###### Using Azure Command Line Interface 2.0\r\n\t\t\t\t\t`az role definition list`\r\n\t\t\t\t\tCheck for entries with `assignableScope` of **/** or a `subscription`, and an action of `*`. \r\n\t\t\t\t\tVerify the usage and impact of removing the role identified:\r\n\t\t\t\t\t`az role definition delete --name \u0027rolename\u0027`",
"code": {
@@ -33,8 +33,9 @@
"compliance": [
{
"name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "1.20"
+ "version": "3.0.0",
+ "reference": "2.2.3",
+ "profile":"Level 1"
}
],
"level": "medium",
@@ -90,13 +91,15 @@
],
"actions": {
"objectData": {
- "expand": [
+ "properties": [
"*"
],
+ "expandObject": null,
"limit": null
},
"showGoToButton": "True",
- "showModalButton": "True"
+ "showModalButton": "True",
+ "directLink": null
}
},
"text": {
@@ -129,3 +132,4 @@
]
}
+
diff --git a/rules/findings/Azure/Subscription/CIS1.4/azure-subscription-missing-custom-lock-role.json b/rules/findings/Azure/Subscription/CIS3.0/azure-subscription-missing-custom-lock-role.json
similarity index 93%
rename from rules/findings/Azure/Subscription/CIS1.4/azure-subscription-missing-custom-lock-role.json
rename to rules/findings/Azure/Subscription/CIS3.0/azure-subscription-missing-custom-lock-role.json
index 271a1a5f..67ec85c3 100644
--- a/rules/findings/Azure/Subscription/CIS1.4/azure-subscription-missing-custom-lock-role.json
+++ b/rules/findings/Azure/Subscription/CIS3.0/azure-subscription-missing-custom-lock-role.json
@@ -1,11 +1,11 @@
-{
+{
"args": [
],
"provider": "Azure",
"serviceType": "Subscription Security",
"serviceName": "Subscription",
- "displayName": "Ensure Custom Role is assigned for Administering Resource Locks",
+ "displayName": "Ensure Custom Role is Assigned Permissions for Administering Resource Locks",
"description": "Resource locking is a powerful protection mechanism that can prevent inadvertent modification/deletion of resources within Azure subscriptions/Resource Groups and is a recommended NIST configuration.",
"rationale": "Given the resource lock functionality is outside of standard Role Based Access Control(RBAC), it would be prudent to create a resource lock administrator role to prevent inadvertent unlocking of resources.",
"impact": "By adding this role is you can have specific permissions granted for managing just resource locks rather than needing to provide the wide owner or contributor role reducing the risk of the user being able to do unintentional damage.",
@@ -31,14 +31,15 @@
],
"compliance": [
{
- "name": "CIS Microsoft 365 Foundations",
- "version": "1.4.0",
- "reference": "1.22"
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "3.0.0",
+ "reference": "2.24",
+ "profile":"Level 2"
}
],
"level": "medium",
"tags": [
- "Microsoft 365 CIS benchmark 1.22"
+ "CIS Microsoft Azure Foundations"
],
"rule": {
"path": "az_role_definitions",
@@ -91,13 +92,15 @@
],
"actions": {
"objectData": {
- "expand": [
+ "properties": [
"*"
],
+ "expandObject": null,
"limit": null
},
"showGoToButton": false,
- "showModalButton": false
+ "showModalButton": false,
+ "directLink": null
}
},
"text": {
@@ -130,3 +133,4 @@
]
}
+
diff --git a/rules/findings/Azure/Subscription/CIS1.4/azure-subscription-missing-lock.json b/rules/findings/Azure/Subscription/CIS3.0/azure-subscription-missing-resource-locks.json
similarity index 83%
rename from rules/findings/Azure/Subscription/CIS1.4/azure-subscription-missing-lock.json
rename to rules/findings/Azure/Subscription/CIS3.0/azure-subscription-missing-resource-locks.json
index 06112eda..13d36a7d 100644
--- a/rules/findings/Azure/Subscription/CIS1.4/azure-subscription-missing-lock.json
+++ b/rules/findings/Azure/Subscription/CIS3.0/azure-subscription-missing-resource-locks.json
@@ -1,4 +1,4 @@
-{
+{
"args": [
],
@@ -8,7 +8,7 @@
"displayName": "Ensure that Resource Locks are set for Mission Critical Azure Resources",
"description": "Resource Manager Locks provide a way for administrators to lock down Azure resources to prevent deletion of, or modifications to, a resource. These locks sit outside of the Role Based Access Controls (RBAC) hierarchy and, when applied, will place restrictions on the resource for all users. These locks are very useful when there is an important resource in a subscription that users should not be able to delete or change. Locks can help prevent accidental and malicious changes or deletion.",
"rationale": "As an administrator, it may be necessary to lock a subscription, resource group, or resource to prevent other users in the organization from accidentally deleting or modifying critical resources. The lock level can be set to to CanNotDelete or ReadOnly to achieve this purpose.\r\n\t\t\t\t\t\r\n\t\t\t\t\t* `CanNotDelete` means authorized users can still read and modify a resource, but they can\u0027t delete the resource.\r\n\t\t\t\t\t* `ReadOnly` means authorized users can read a resource, but they can\u0027t delete or update the resource. Applying this lock is similar to restricting all authorized users to the permissions granted by the Reader role.",
- "impact": "",
+ "impact": "There can be unintended outcomes of locking a resource. Applying a lock to a parent service will cause it to be inherited by all resources within. Conversely, applying a lock to a resource may not apply to connected storage, leaving it unlocked. Please see the documentation for further information.",
"remediation": {
"text": "###### From Azure Console\r\n\t\t\t\t\t1. Navigate to the specific Azure Resource or Resource Group\r\n\t\t\t\t\t2. For each of the mission critical resource, click on `Locks`\r\n\t\t\t\t\t3. Click `Add`\r\n\t\t\t\t\t4. Give the lock a name and a description, then select the type, `CanNotDelete` or `ReadOnly` as appropriate\t\t\t\t\t\r\n\t\t\t\t\tAssign the newly created role to the appropriate user.",
"code": {
@@ -24,14 +24,15 @@
],
"compliance": [
{
- "name": "CIS Microsoft 365 Foundations",
- "version": "1.4.0",
- "reference": "8.5"
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "3.0.0",
+ "reference": "10.1",
+ "profile": "Level 2"
}
],
"level": "medium",
"tags": [
- "Microsoft 365 CIS benchmark 1.4.0"
+ "CIS Microsoft Azure Foundations"
],
"rule": {
"path": "az_locks",
@@ -75,13 +76,15 @@
],
"actions": {
"objectData": {
- "expand": [
+ "properties": [
"*"
],
+ "expandObject": null,
"limit": null
},
"showGoToButton": false,
- "showModalButton": false
+ "showModalButton": false,
+ "directLink": null
}
},
"text": {
@@ -106,7 +109,7 @@
"onlyStatus": false
}
},
- "idSuffix": "azure_subscription_missing_custom_lock_role",
+ "idSuffix": "azure_subscription_missing_resource_locks",
"notes": [
],
@@ -114,3 +117,4 @@
]
}
+
diff --git a/rules/findings/Azure/Subscription/CIS1.5/azure-subscription-permit-no-one-disabled.json b/rules/findings/Azure/Subscription/CIS3.0/azure-subscription-permit-no-one-disabled.json
similarity index 89%
rename from rules/findings/Azure/Subscription/CIS1.5/azure-subscription-permit-no-one-disabled.json
rename to rules/findings/Azure/Subscription/CIS3.0/azure-subscription-permit-no-one-disabled.json
index ef7b9325..ef0aa426 100644
--- a/rules/findings/Azure/Subscription/CIS1.5/azure-subscription-permit-no-one-disabled.json
+++ b/rules/findings/Azure/Subscription/CIS3.0/azure-subscription-permit-no-one-disabled.json
@@ -1,11 +1,11 @@
-{
+{
"args": [
],
"provider": "Azure",
"serviceType": "Subscription Security",
"serviceName": "Subscription",
- "displayName": "Ensure That \u0027Subscription Entering AAD Directory\u0027 and \u0027Subscription Leaving AAD Directory\u0027 Is Set To \u0027Permit No One\u0027",
+ "displayName": "Ensure That 'Subscription leaving Microsoft Entra tenant' and 'Subscription entering Microsoft Entra tenant' Is Set To 'Permit no one'",
"description": "Users who are set as subscription owners are able to make administrative changes to the subscriptions and move them into and out of Azure Active Directories.",
"rationale": "Permissions to move subscriptions in and out of Microsoft Entra ID must only be given to appropriate administrative personnel. A subscription that is moved into an Microsoft Entra ID may be within a folder to which other users have elevated permissions. This prevents loss of data or unapproved changes of the objects within by potential bad actors.",
"impact": "Subscriptions will need to have these settings turned off to be moved.",
@@ -27,14 +27,15 @@
],
"compliance": [
{
- "name": "CIS Microsoft 365 Foundations",
- "version": "1.5.0",
- "reference": "1.25"
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "3.0.0",
+ "reference": "2.25",
+ "profile":"Level 2"
}
],
"level": "medium",
"tags": [
- "Microsoft 365 CIS benchmark 1.25"
+ "CIS Microsoft Azure Foundations"
],
"rule": {
"path": "az_subscription_policies",
@@ -94,13 +95,15 @@
],
"actions": {
"objectData": {
- "expand": [
+ "properties": [
"*"
],
+ "expandObject": null,
"limit": null
},
"showGoToButton": false,
- "showModalButton": false
+ "showModalButton": false,
+ "directLink": null
}
},
"text": {
@@ -133,3 +136,4 @@
]
}
+
diff --git a/rules/findings/Azure/Virtual Machines/CIS1.4/azure-vm-missing-critical-updates.json b/rules/findings/Azure/Virtual Machines/CIS1.4/azure-vm-missing-critical-updates.json
deleted file mode 100644
index 1b20a70f..00000000
--- a/rules/findings/Azure/Virtual Machines/CIS1.4/azure-vm-missing-critical-updates.json
+++ /dev/null
@@ -1,118 +0,0 @@
-{
- "args": [
-
- ],
- "provider": "Azure",
- "serviceType": "Azure Virtual Machines",
- "serviceName": "Compute",
- "displayName": "Ensure that the latest Critical OS patches for all virtual machines are applied",
- "description": "The Microsoft Defender for Cloud retrieves a list of available security and critical updates from Windows Update or Windows Server Update Services (WSUS), depending on which service is configured on a Windows VM. The Microsoft Defender for Cloud also checks for the latest updates in Linux systems. If a VM is missing a system update, the Microsoft Defender for Cloud will recommend system updates be applied.",
- "rationale": null,
- "impact": null,
- "remediation": {
- "text": null,
- "code": {
- "powerShell": null,
- "iac": null,
- "terraform": null,
- "other": null
- }
- },
- "recommendation": null,
- "references": [
- "https://docs.microsoft.com/en-us/azure/security-center/security-center-apply-system-updates",
- "https://docs.microsoft.com/en-us/azure/security/fundamentals/iaas"
- ],
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "7.5"
- }
- ],
- "level": "medium",
- "tags": [
-
- ],
- "rule": {
- "path": "az_vm_missing_patches",
- "subPath": null,
- "selectCondition": {
-
- },
- "query": [
- {
- "filter": [
- {
- "conditions": [
- [
- "MSRCSeverity",
- "eq",
- "Critical"
- ]
- ]
- }
- ]
- }
- ],
- "shouldExist": null,
- "returnObject": null,
- "removeIfNotExists": null
- },
- "output": {
- "html": {
- "data": {
- "properties": {
- "ServerName": "Server Name",
- "Title": "Title",
- "MSRCSeverity": "Severity",
- "KBID": "KBID"
- },
- "expandObject": null
- },
- "table": "Normal",
- "decorate": [
-
- ],
- "emphasis": [
-
- ],
- "actions": {
- "objectData": {
- "expand": null,
- "limit": null
- },
- "showGoToButton": null,
- "showModalButton": null
- }
- },
- "text": {
- "data": {
- "properties": {
-
- },
- "expandObject": null
- },
- "status": {
- "keyName": [
-
- ],
- "message": "",
- "defaultMessage": null
- },
- "properties": {
- "resourceName": null,
- "resourceId": null,
- "resourceType": null
- },
- "onlyStatus": false
- }
- },
- "idSuffix": "azure_vm_missing_critical_updates",
- "notes": [
-
- ],
- "categories": [
-
- ]
-}
diff --git a/rules/findings/Azure/Virtual Machines/CIS1.4/azure-vm-missing-moderate-updates.json b/rules/findings/Azure/Virtual Machines/CIS1.4/azure-vm-missing-moderate-updates.json
deleted file mode 100644
index 91d9d85c..00000000
--- a/rules/findings/Azure/Virtual Machines/CIS1.4/azure-vm-missing-moderate-updates.json
+++ /dev/null
@@ -1,117 +0,0 @@
-{
- "args": [
-
- ],
- "provider": "Azure",
- "serviceType": "Azure Virtual Machines",
- "serviceName": "Compute",
- "displayName": "Ensure that the latest moderate OS patches for all virtual machines are applied",
- "description": "The Microsoft Defender for Cloud retrieves a list of available security and critical updates from Windows Update or Windows Server Update Services (WSUS), depending on which service is configured on a Windows VM. The Microsoft Defender for Cloud also checks for the latest updates in Linux systems. If a VM is missing a system update, the Microsoft Defender for Cloud will recommend system updates be applied.",
- "rationale": null,
- "impact": null,
- "remediation": {
- "text": null,
- "code": {
- "powerShell": null,
- "iac": null,
- "terraform": null,
- "other": null
- }
- },
- "recommendation": null,
- "references": [
- "https://docs.microsoft.com/en-us/azure/security-center/security-center-apply-system-updates",
- "https://docs.microsoft.com/en-us/azure/security/fundamentals/iaas"
- ],
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "7.5"
- }
- ],
- "level": "medium",
- "tags": [
-
- ],
- "rule": {
- "path": "az_vm_missing_patches",
- "subPath": null,
- "selectCondition": {
-
- },
- "query": [
- {
- "filter": [
- {
- "conditions": [
- [
- "MSRCSeverity",
- "eq",
- "Moderate"
- ]
- ]
- }
- ]
- }
- ],
- "shouldExist": null,
- "returnObject": null,
- "removeIfNotExists": null
- },
- "output": {
- "html": {
- "data": {
- "properties": {
-
- },
- "expandObject": null
- },
- "table": null,
- "decorate": [
-
- ],
- "emphasis": [
-
- ],
- "actions": {
- "objectData": {
- "expand": [
- "*"
- ],
- "limit": null
- },
- "showGoToButton": false,
- "showModalButton": false
- }
- },
- "text": {
- "data": {
- "properties": {
-
- },
- "expandObject": null
- },
- "status": {
- "keyName": [
-
- ],
- "message": "",
- "defaultMessage": null
- },
- "properties": {
- "resourceName": null,
- "resourceId": null,
- "resourceType": null
- },
- "onlyStatus": false
- }
- },
- "idSuffix": "azure_vm_missing_moderate_updates",
- "notes": [
-
- ],
- "categories": [
-
- ]
-}
diff --git a/rules/findings/Azure/Virtual Machines/CIS3.0/azure-data-access-authentication-disabled.json b/rules/findings/Azure/Virtual Machines/CIS3.0/azure-data-access-authentication-disabled.json
new file mode 100644
index 00000000..aabc608f
--- /dev/null
+++ b/rules/findings/Azure/Virtual Machines/CIS3.0/azure-data-access-authentication-disabled.json
@@ -0,0 +1,101 @@
+{
+ "args": [
+
+ ],
+ "provider": "Azure",
+ "serviceType": "Azure Disks",
+ "serviceName": "Compute",
+ "displayName": "Ensure that 'Enable Data Access Authentication Mode' is 'Checked'",
+ "description": "Data Access Authentication Mode provides a method of uploading or exporting Virtual Machine Disks.",
+ "rationale": "Enabling data access authentication mode adds a layer of protection using an Entra ID role to further restrict users from creating and using Secure Access Signature (SAS) tokens for exporting a detached managed disk or virtual machine state. Users will need the Data operator for managed disk role within Entra ID in order to download a VHD or VM Guest state using a secure URL.",
+ "impact": "In order to apply this setting, the virtual machine to which the disk or disks are attached will need to be powered down and have their disk detached. Users without the Data operator for managed disk role within Entra ID will not be able to export VHD or VM Guest state using the secure download URL.",
+ "remediation": {
+ "text": "",
+ "code": {
+ "powerShell": null,
+ "iac": null,
+ "terraform": null,
+ "other": null
+ }
+ },
+ "recommendation": null,
+ "references": [
+ "https://learn.microsoft.com/en-us/azure/virtual-machines/windows/download-vhd?tabs=azure-portal#secure-downloads-and-uploads-with-microsoft-entra-id"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "3.0.0",
+ "reference": "8.6",
+ "profile": "Level 1"
+ }
+ ],
+ "level": "medium",
+ "tags": [
+
+ ],
+ "rule": {
+ "path": "",
+ "subPath": null,
+ "selectCondition": {
+
+ },
+ "query": [
+ ],
+ "shouldExist": null,
+ "returnObject": null,
+ "removeIfNotExists": null
+ },
+ "output": {
+ "html": {
+ "data": {
+ "expandObject": null
+ },
+ "table": "Normal",
+ "decorate": [
+
+ ],
+ "emphasis": [
+
+ ],
+ "actions": {
+ "objectData": {
+ "expandObject": null,
+ "limit": null
+ },
+ "showGoToButton": "True",
+ "showModalButton": "True",
+ "directLink": null
+ }
+ },
+ "text": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "status": {
+ "keyName": [
+
+ ],
+ "message": "",
+ "defaultMessage": null
+ },
+ "properties": {
+ "resourceName": null,
+ "resourceId": null,
+ "resourceType": null
+ },
+ "onlyStatus": false
+ }
+ },
+ "idSuffix": "disk_data_access_authentication_disabled",
+ "notes": [
+
+ ],
+ "categories": [
+
+ ]
+}
+
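Review bot: `rule.path` is `""` and `query` is empty, so this rule selects nothing, and depending on how the engine treats an empty selection the finding may never be raised — a benchmark item that never evaluates reads as coverage in the report when it is actually a gap. If this is intentionally a stub until a collector exposes the disk data-access setting, record that in `notes` (e.g. `"notes": ["Not implemented: no collector exposes the data access authentication mode yet"]`) or a tag so consumers can tell 'not implemented' from 'compliant'; the disk-network-access and privileged-VM MFA rules added below have the same empty rule block. Two smaller points: `idSuffix` `disk_data_access_authentication_disabled` drops the `azure_` prefix every other rule in this commit uses, and `showGoToButton`/`showModalButton` are the string `"True"` here while the renamed rules in this commit use the boolean `false` for the same keys.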
diff --git a/rules/findings/Azure/Virtual Machines/CIS3.0/azure-disk-network-access-allow-public-access.json b/rules/findings/Azure/Virtual Machines/CIS3.0/azure-disk-network-access-allow-public-access.json
new file mode 100644
index 00000000..c1ae087a
--- /dev/null
+++ b/rules/findings/Azure/Virtual Machines/CIS3.0/azure-disk-network-access-allow-public-access.json
@@ -0,0 +1,106 @@
+{
+ "args": [
+
+ ],
+ "provider": "Azure",
+ "serviceType": "Azure Disks",
+ "serviceName": "Compute",
+ "displayName": "Ensure that 'Disk Network Access' is NOT set to 'Enable public access from all networks'",
+ "description": "Virtual Machine Disks and snapshots can be configured to allow access from different network resources.",
+ "rationale": "The setting 'Enable public access from all networks' is, in many cases, an overly permissive setting on Virtual Machine Disks that presents atypical attack, data infiltration, and data exfiltration vectors. If a disk to network connection is required, the preferred setting is to `Disable public access and enable private access`.",
+ "impact": "
+ The setting `Disable public access and enable private access` will require configuring a private link (URL in references below).
+ The setting `Disable public and private access` is most secure and preferred where disk network access is not needed.
+ ",
+ "remediation": {
+ "text": "",
+ "code": {
+ "powerShell": null,
+ "iac": null,
+ "terraform": null,
+ "other": null
+ }
+ },
+ "recommendation": null,
+ "references": [
+ "https://learn.microsoft.com/en-us/azure/virtual-machines/disks-enable-private-links-for-import-export-portal",
+ "https://learn.microsoft.com/en-us/azure/virtual-machines/linux/disks-export-import-private-links-cli",
+ "https://learn.microsoft.com/en-us/azure/virtual-machines/disks-restrict-import-export-overview"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "3.0.0",
+ "reference": "8.5",
+ "profile": "Level 2"
+ }
+ ],
+ "level": "medium",
+ "tags": [
+
+ ],
+ "rule": {
+ "path": "",
+ "subPath": null,
+ "selectCondition": {
+
+ },
+ "query": [
+ ],
+ "shouldExist": null,
+ "returnObject": null,
+ "removeIfNotExists": null
+ },
+ "output": {
+ "html": {
+ "data": {
+ "expandObject": null
+ },
+ "table": "Normal",
+ "decorate": [
+
+ ],
+ "emphasis": [
+
+ ],
+ "actions": {
+ "objectData": {
+ "expandObject": null,
+ "limit": null
+ },
+ "showGoToButton": "True",
+ "showModalButton": "True",
+ "directLink": null
+ }
+ },
+ "text": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "status": {
+ "keyName": [
+
+ ],
+ "message": "",
+ "defaultMessage": null
+ },
+ "properties": {
+ "resourceName": null,
+ "resourceId": null,
+ "resourceType": null
+ },
+ "onlyStatus": false
+ }
+ },
+ "idSuffix": "disk_network_access_allow_all_networks",
+ "notes": [
+
+ ],
+ "categories": [
+
+ ]
+}
+
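Review bot: The `impact` value spans four physical lines with raw line breaks inside the string literal, which RFC 8259 forbids (control characters in strings must be escaped) and which a strict parser rejects; the existing rules express the same layout as `\r\n` escapes on a single line, as in the remediation text of the renamed files above. Collapse it to one line with `\r\n` between the two sentences, matching that convention. The same multi-line strings appear in the `rationale` and `impact` of the privileged-VM MFA rule and in the `description` of the os-disk-encryption rule later in this commit; whether the loader currently tolerates them depends on the parser it uses, which is not visible here.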
diff --git a/rules/findings/Azure/Virtual Machines/CIS3.0/azure-identities-with-access-to-privileged-vm-lacking-mfa.json b/rules/findings/Azure/Virtual Machines/CIS3.0/azure-identities-with-access-to-privileged-vm-lacking-mfa.json
new file mode 100644
index 00000000..66ea1b63
--- /dev/null
+++ b/rules/findings/Azure/Virtual Machines/CIS3.0/azure-identities-with-access-to-privileged-vm-lacking-mfa.json
@@ -0,0 +1,107 @@
+{
+ "args": [
+
+ ],
+ "provider": "Azure",
+ "serviceType": "Azure Virtual Machines",
+ "serviceName": "Compute",
+ "displayName": "Ensure only MFA enabled identities can access privileged Virtual Machine",
+ "description": "Verify identities without MFA that can log in to a privileged virtual machine using separate login credentials. An adversary can leverage the access to move laterally and perform actions with the virtual machine's managed identity. Make sure the virtual machine only has necessary permissions, and revoke the admin-level permissions according to the least privileges principal.",
+ "rationale": "
+ Integrating multi-factor authentication (MFA) as part of the organizational policy can greatly reduce the risk of an identity gaining control of valid credentials that may be used for additional tactics such as initial access, lateral movement, and collecting information. MFA can also be used to restrict access to cloud resources and APIs.
+ An Adversary may log into accessible cloud services within a compromised environment using Valid Accounts that are synchronized to move laterally and perform actions with the virtual machine's managed identity. The adversary may then perform management actions or access cloud-hosted resources as the logged-on managed identity.
+ ",
+ "impact": "
+ This recommendation requires the Entra ID P2 license to implement.
+
+ Ensure that identities that are provisioned to a virtual machine utilizes an RBAC/ABAC group and is allocated a role using Azure PIM, and the Role settings require MFA or use another third-party PAM solution for accessing Virtual Machines.
+ ",
+ "remediation": {
+ "text": null,
+ "code": {
+ "powerShell": null,
+ "iac": null,
+ "terraform": null,
+ "other": null
+ }
+ },
+ "recommendation": null,
+ "references": [
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "3.0.0",
+ "reference": "8.10",
+ "profile": "Level 2"
+ }
+ ],
+ "level": "medium",
+ "tags": [
+ "Legacy"
+ ],
+ "rule": {
+ "path": "",
+ "subPath": null,
+ "selectCondition": {
+
+ },
+ "query": [
+ ],
+ "shouldExist": null,
+ "returnObject": null,
+ "removeIfNotExists": null
+ },
+ "output": {
+ "html": {
+ "data": {
+ "expandObject": null
+ },
+ "table": "Normal",
+ "decorate": [
+
+ ],
+ "emphasis": [
+
+ ],
+ "actions": {
+ "objectData": {
+ "expandObject": null,
+ "limit": null
+ },
+ "showGoToButton": "True",
+ "showModalButton": "True",
+ "directLink": null
+ }
+ },
+ "text": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "status": {
+ "keyName": [
+
+ ],
+ "message": "",
+ "defaultMessage": null
+ },
+ "properties": {
+ "resourceName": null,
+ "resourceId": null,
+ "resourceType": null
+ },
+ "onlyStatus": false
+ }
+ },
+ "idSuffix": "azure_identities_accessing_vm_lacking_mfa",
+ "notes": [
+
+ ],
+ "categories": [
+
+ ]
+}
+
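Review bot: `references` is an empty array although the text cites Azure PIM, RBAC/ABAC groups and Entra ID P2 licensing, and the other two rules added in this commit each carry at least one documentation link; add a reference so the report has something to point the reader at. `remediation.text` is `null` here but `""` in the two sibling new files, so the 'no remediation' state is spelled two ways within one commit — pick one. The `"Legacy"` tag is applied to this rule and to the VHD-encryption rule, but only the latter's description calls itself a legacy recommendation, so confirm the tag is intended here.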
diff --git a/rules/findings/Azure/Virtual Machines/CIS1.4/azure-os-disk-encryption-disabled.json b/rules/findings/Azure/Virtual Machines/CIS3.0/azure-os-disk-encryption-disabled.json
similarity index 77%
rename from rules/findings/Azure/Virtual Machines/CIS1.4/azure-os-disk-encryption-disabled.json
rename to rules/findings/Azure/Virtual Machines/CIS3.0/azure-os-disk-encryption-disabled.json
index 6f8c4cf4..189cf50d 100644
--- a/rules/findings/Azure/Virtual Machines/CIS1.4/azure-os-disk-encryption-disabled.json
+++ b/rules/findings/Azure/Virtual Machines/CIS3.0/azure-os-disk-encryption-disabled.json
@@ -1,12 +1,15 @@
-{
+{
"args": [
],
"provider": "Azure",
"serviceType": "Azure Disks",
"serviceName": "Storage",
- "displayName": "Enable Disk encryption recommendations for OS disks",
- "description": "Ensure that OS disks (boot volumes) are encrypted, where possible. Encrypting the IaaS VM\u0027s OS disk (boot volume) ensures that its entire content is fully unrecoverable without a key and thus protects the volume from unwarranted reads. VHD (Virtual Hard Disks) are stored in BLOB storage and are the old style disks that were attached to Virtual Machines, and the BLOB VHD was then leased to the VM. By Default storage accounts are not encrypted, and Microsoft Defender for Cloud would then recommend that the OS disks should be encrypted. Storage accounts can be encrypted as a whole using PMK or CMK and this should be turned on for storage accounts containing VHD\u0027s.",
+ "displayName": "Ensure that VHDs are Encrypted",
+ "description": "
+ *NOTE* : This is a legacy recommendation. Managed Disks are encrypted by default and recommended for all new VM implementations.
+ VHD (Virtual Hard Disks) are stored in blob storage and are the old-style disks that were attached to Virtual Machines. The blob VHD was then leased to the VM. By default, storage accounts are not encrypted, and Microsoft Defender will then recommend that the OS disks should be encrypted. Storage accounts can be encrypted as a whole using PMK or CMK. This should be turned on for storage accounts containing VHDs.
+ ",
"rationale": "While it is recommended to use managed disks that are encrypted by default, `legacy` disk that may for a number of reasons need to be left as VHD\u0027s should also be encrypted to protect the data content. These `legacy` VHD\u0027s are not encrypted by default",
"impact": "Depending on how the encryption is implemented will change the size of the impact, if provider managed keys (PMK) are utilised the impact is relatively low, but processes need to be put in place to regularly rotate the keys. If Customer managed keys (CMK) are utilised a key management process needs to be implemented to store and manage key rotation and thus the impact is medium to high depending on user maturity with key management.",
"remediation": {
@@ -26,13 +29,14 @@
"compliance": [
{
"name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "7.7"
+ "version": "3.0.0",
+ "reference": "8.9",
+ "profile": "Level 2"
}
],
"level": "medium",
"tags": [
-
+ "Legacy"
],
"rule": {
"path": "az_managed_disks",
@@ -86,17 +90,19 @@
],
"actions": {
"objectData": {
- "expand": [
+ "properties": [
"name",
"location",
"skuname",
"properties.osType",
"os_disk_encryption"
],
+ "expandObject": null,
"limit": null
},
"showGoToButton": "True",
- "showModalButton": "True"
+ "showModalButton": "True",
+ "directLink": null
}
},
"text": {
@@ -129,3 +135,4 @@
]
}
+
diff --git a/rules/findings/Azure/Virtual Machines/CIS1.4/azure-os-managed-disk-disabled.json b/rules/findings/Azure/Virtual Machines/CIS3.0/azure-os-managed-disk-disabled.json
similarity index 61%
rename from rules/findings/Azure/Virtual Machines/CIS1.4/azure-os-managed-disk-disabled.json
rename to rules/findings/Azure/Virtual Machines/CIS3.0/azure-os-managed-disk-disabled.json
index 1de2d813..2ebbfcb7 100644
--- a/rules/findings/Azure/Virtual Machines/CIS1.4/azure-os-managed-disk-disabled.json
+++ b/rules/findings/Azure/Virtual Machines/CIS3.0/azure-os-managed-disk-disabled.json
@@ -1,4 +1,4 @@
-{
+{
"args": [
],
@@ -6,9 +6,17 @@
"serviceType": "Azure Virtual Machines",
"serviceName": "Compute",
"displayName": "Ensure Virtual Machines are utilizing Managed Disks",
- "description": "Migrate BLOB based VHD\u0027s to Managed Disks on Virtual Machines to exploit the default features of this configuration. The features include:\r\n\t\t\t\t\t1. Default Disk Encryption\r\n\t\t\t\t\t2. Resilience as Microsoft will managed the disk storage and move around if underlying hardware goes faulty\r\n\t\t\t\t\t3. Reduction of costs over storage accounts",
- "rationale": "Managed disks are by default encrypted on the underlying hardware so no additional encryption is required for basic protection, it is available if additional encryption is required. Managed disks are by design more resilient that storage accounts.\r\n\t\t\t\t\tFor ARM deployed Virtual Machines, Azure Adviser will at some point recommend moving VHD\u0027s to managed disks both from a security and cost management perspective.",
- "impact": "There is no operational impact of migrating to managed disks other than the benefits mentioned above.\r\n\t\t\t\t**NOTE** When converting to managed disks VMs will be powered off and back on.",
+ "description": "
+ Migrate blob-based VHDs to Managed Disks on Virtual Machines to exploit the default features of this configuration. The features include:
+ 1. Default Disk Encryption
+ 2. Resilience, as Microsoft will managed the disk storage and move around if underlying hardware goes faulty
+ 3. Reduction of costs over storage accounts
+ ",
+ "rationale": "
+ Managed disks are by default encrypted on the underlying hardware, so no additional encryption is required for basic protection. It is available if additional encryption is required. Managed disks are by design more resilient that storage accounts.
+ For ARM-deployed Virtual Machines, Azure Adviser will at some point recommend moving VHDs to managed disks both from a security and cost management perspective.
+ ",
+ "impact": "There are additional costs for managed disks based off of disk space allocated. When converting to managed disks, VMs will be powered off and back on.",
"remediation": {
"text": "###### From Azure Console\r\n\t\t\t\t\t1. Using the search feature, go to `Virtual Machines`\r\n\t\t\t\t\t2. Select the virtual machine you would like to convert\r\n\t\t\t\t\t3. Select `Disks` in the menu for the VM\r\n\t\t\t\t\t4. At the top select `Migrate to managed disks`\r\n\t\t\t\t\t5. You may follow the prompts to convert the disk and finish by selecting `Migrate` to start the process\r\n\t\t\t\t\t\r\n\t\t\t\t\t**NOTE** VMs will be stopped and restarted after migration is complete.",
"code": {
@@ -20,14 +28,17 @@
},
"recommendation": null,
"references": [
- "https://docs.microsoft.com/en-us/azure/security/azure-security-disk-encryption-overview",
- "https://docs.microsoft.com/en-us/azure/governance/policy/overview"
+ "https://docs.microsoft.com/en-us/azure/virtual-machines/windows/convert-unmanaged-to-managed-disks",
+ "https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-data-protection#dp-4-enable-data-at-rest-encryption-by-default",
+ "https://docs.microsoft.com/en-us/azure/virtual-machines/faq-for-disks",
+ "https://azure.microsoft.com/en-us/pricing/details/managed-disks/"
],
"compliance": [
{
"name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "7.1"
+ "version": "3.0.0",
+ "reference": "8.2",
+ "profile": "Level 1"
}
],
"level": "medium",
@@ -78,16 +89,18 @@
],
"actions": {
"objectData": {
- "expand": [
+ "properties": [
"name",
"location",
"tags",
"osDisk"
],
+ "expandObject": null,
"limit": null
},
"showGoToButton": "True",
- "showModalButton": "True"
+ "showModalButton": "True",
+ "directLink": null
}
},
"text": {
@@ -120,3 +133,4 @@
]
}
+
diff --git a/rules/findings/Azure/Virtual Machines/CIS1.4/azure-unattached-disk-sse-encryption-disabled.json b/rules/findings/Azure/Virtual Machines/CIS3.0/azure-unattached-disk-cmk-encryption-disabled.json
similarity index 88%
rename from rules/findings/Azure/Virtual Machines/CIS1.4/azure-unattached-disk-sse-encryption-disabled.json
rename to rules/findings/Azure/Virtual Machines/CIS3.0/azure-unattached-disk-cmk-encryption-disabled.json
index b58db09c..28812de0 100644
--- a/rules/findings/Azure/Virtual Machines/CIS1.4/azure-unattached-disk-sse-encryption-disabled.json
+++ b/rules/findings/Azure/Virtual Machines/CIS3.0/azure-unattached-disk-cmk-encryption-disabled.json
@@ -1,14 +1,17 @@
-{
+{
"args": [
],
"provider": "Azure",
"serviceType": "Azure Disks",
"serviceName": "Compute",
- "displayName": "Ensure that unassigned disks are encrypted with customer managed keys",
+ "displayName": "Ensure that 'Unattached disks' are encrypted with 'Customer Managed Key' (CMK)",
"description": "Ensure that unattached disks in a subscription are encrypted with a Customer Managed Key (CMK).",
"rationale": "Managed disks are encrypted by default with Platform-managed keys. Using Customer-managed keys may provide an additional level of security or meet an organization\u0027s regulatory requirements. Encrypting managed disks ensures that its entire content is fully unrecoverable without a key and thus protects the volume from unwarranted reads. Even if the disk is not attached to any of the VMs, there is always a risk where a compromised user account with administrative access to VM service can mount/attach these data disks which may lead to sensitive information disclosure and tampering.",
- "impact": "Encryption is available only on Standard tier VMs. This might cost you more.\r\n\t\t\t\tUtilizing and maintaining Customer-managed keys will require additional work to created, protect, and rotate keys.",
+ "impact": "
+ *NOTE* : You must have your key vault set up to utilize this. Encryption is available only on Standard tier VMs. This might cost you more.
+ Utilizing and maintaining Customer-managed keys will require additional work to create, protect, and rotate keys.
+ ",
"remediation": {
"text": "If data stored in the disk is no longer useful, refer to Azure documentation to delete unattached data disks at:\r\n\t\t\t\t\t* https://docs.microsoft.com/en-us/rest/api/compute/disks/delete\r\n\t\t\t\t\t* https://docs.microsoft.com/en-us/cli/azure/disk?view=azure-cli-latest#az-disk-delete\r\n\t\t\t\t\tIf data stored in the disk is important, To encrypt the disk refer azure documentation at:\r\n\t\t\t\t\t* https://docs.microsoft.com/en-us/azure/virtual-machines/disks-enable-customer-managed-keys-portal\r\n\t\t\t\t\t* https://docs.microsoft.com/en-us/rest/api/compute/disks/update#encryptionsettings",
"code": {
@@ -31,8 +34,9 @@
"compliance": [
{
"name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "7.3"
+ "version": "3.0.0",
+ "reference": "8.4",
+ "profile": "Level 2"
}
],
"level": "medium",
@@ -91,17 +95,19 @@
],
"actions": {
"objectData": {
- "expand": [
+ "properties": [
"name",
"location",
"skuname",
"properties.osType",
"sse_encryption"
],
+ "expandObject": null,
"limit": null
},
"showGoToButton": "True",
- "showModalButton": "True"
+ "showModalButton": "True",
+ "directLink": null
}
},
"text": {
@@ -134,3 +140,4 @@
]
}
+
diff --git a/rules/findings/Azure/Virtual Machines/CIS1.4/azure-vm-approved-extensions.json b/rules/findings/Azure/Virtual Machines/CIS3.0/azure-vm-approved-extensions.json
similarity index 91%
rename from rules/findings/Azure/Virtual Machines/CIS1.4/azure-vm-approved-extensions.json
rename to rules/findings/Azure/Virtual Machines/CIS3.0/azure-vm-approved-extensions.json
index 81b1fa3e..8181bed6 100644
--- a/rules/findings/Azure/Virtual Machines/CIS1.4/azure-vm-approved-extensions.json
+++ b/rules/findings/Azure/Virtual Machines/CIS3.0/azure-vm-approved-extensions.json
@@ -1,4 +1,4 @@
-{
+{
"args": [
],
@@ -6,7 +6,7 @@
"serviceType": "Azure Virtual Machines",
"serviceName": "Compute",
"displayName": "Ensure that only approved extensions are installed",
- "description": "Only install organization-approved extensions on VMs.",
+ "description": "For added security, only install organization-approved extensions on VMs.",
"rationale": "Azure virtual machine extensions are small applications that provide post-deployment configuration and automation tasks on Azure virtual machines. These extensions run with administrative privileges and could potentially access anything on a virtual machine. The Azure Portal and community provide several such extensions. Each organization should carefully evaluate these extensions and ensure that only those that are approved for use are actually implemented.",
"impact": "",
"remediation": {
@@ -26,8 +26,9 @@
"compliance": [
{
"name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "7.4"
+ "version": "3.0.0",
+ "reference": "8.7",
+ "profile": "Level 1"
}
],
"level": "medium",
@@ -78,17 +79,19 @@
],
"actions": {
"objectData": {
- "expand": [
+ "properties": [
"name",
"location",
"ResourceGroupName",
"isAVAgentInstalled",
"resources"
],
+ "expandObject": null,
"limit": null
},
"showGoToButton": "True",
- "showModalButton": "True"
+ "showModalButton": "True",
+ "directLink": null
}
},
"text": {
@@ -121,3 +124,4 @@
]
}
+
diff --git a/rules/findings/Azure/Virtual Machines/CIS3.0/azure-vm-endpoint-protection-disabled.json b/rules/findings/Azure/Virtual Machines/CIS3.0/azure-vm-endpoint-protection-disabled.json
new file mode 100644
index 00000000..b10ca77b
--- /dev/null
+++ b/rules/findings/Azure/Virtual Machines/CIS3.0/azure-vm-endpoint-protection-disabled.json
@@ -0,0 +1,127 @@
+{
+ "args": [
+
+ ],
+ "provider": "Azure",
+ "serviceType": "Azure Virtual Machines",
+ "serviceName": "Compute",
+ "displayName": "Ensure that Endpoint Protection for all Virtual Machines is installed",
+ "description": "Install endpoint protection for all virtual machines.",
+ "rationale": "Installing endpoint protection systems (like anti-malware for Azure) provides for real time protection capability that helps identify and remove viruses, spyware, and other malicious software. These also offer configurable alerts when known-malicious or unwanted software attempts to install itself or run on Azure systems.",
+ "impact": "Endpoint protection will incur an additional cost to you.",
+ "remediation": {
+ "text": "Follow Microsoft Azure documentation to install endpoint protection from the security center. Alternatively, you can employ your own endpoint protection tool for your OS.",
+ "code": {
+ "powerShell": null,
+ "iac": null,
+ "terraform": null,
+ "other": null
+ }
+ },
+ "recommendation": null,
+ "references": [
+ "https://docs.microsoft.com/en-us/azure/security-center/security-center-install-endpoint-protection",
+ "https://docs.microsoft.com/en-us/azure/security/azure-security-antimalware",
+ "https://docs.microsoft.com/en-us/cli/azure/vm/extension?view=azure-cli-latest#az_vm_extension_list",
+ "https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-endpoint-security#es-1-use-endpoint-detection-and-response-edr"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "3.0.0",
+ "reference": "8.8",
+ "profile": "Level 2"
+ }
+ ],
+ "level": "medium",
+ "tags": [
+
+ ],
+ "rule": {
+ "path": "az_virtual_machines",
+ "subPath": null,
+ "selectCondition": {
+
+ },
+ "query": [
+ {
+ "filter": [
+ {
+ "conditions": [
+ [
+ "isAVAgentInstalled",
+ "eq",
+ "false"
+ ]
+ ]
+ }
+ ]
+ }
+ ],
+ "shouldExist": null,
+ "returnObject": null,
+ "removeIfNotExists": null
+ },
+ "output": {
+ "html": {
+ "data": {
+ "properties": {
+ "name": "Disk Name",
+ "localNic.localIpAddress": "Local IP Address",
+ "location": "Location",
+ "osDisk.isEncrypted": "OS disk encryption",
+ "isAVAgentInstalled": "Antimalware agent installed"
+ },
+ "expandObject": null
+ },
+ "table": "asList",
+ "decorate": [
+
+ ],
+ "emphasis": [
+ "Antimalware agent installed"
+ ],
+ "actions": {
+ "objectData": {
+ "properties": [
+
+ ],
+ "expandObject": null,
+ "limit": null
+ },
+ "showGoToButton": null,
+ "showModalButton": null,
+ "directLink": null
+ }
+ },
+ "text": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "status": {
+ "keyName": [
+
+ ],
+ "message": "",
+ "defaultMessage": null
+ },
+ "properties": {
+ "resourceName": null,
+ "resourceId": null,
+ "resourceType": null
+ },
+ "onlyStatus": false
+ }
+ },
+ "idSuffix": "az_vm_endpoint_protection_not_installed",
+ "notes": [
+
+ ],
+ "categories": [
+
+ ]
+}
+
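Review bot: The HTML output captions the `name` column as `"name": "Disk Name"` although the rule's `path` is `az_virtual_machines`, so the report will label VM names as disk names; `"name": "VM Name"` would fit this rule. The `localNic.localIpAddress` and `osDisk.isEncrypted` columns look carried over from a disk-encryption rule and are unrelated to endpoint protection; if the collector does not populate them for this object they will render as empty columns. `idSuffix` uses the `az_vm_` prefix while the other rule added in this commit uses `azure_vm_`; one convention should be chosen. `showGoToButton` and `showModalButton` are `null` here but `"True"` in the neighbouring VM rules, which is presumably unintended if null disables the buttons.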
diff --git a/rules/findings/Azure/Virtual Machines/CIS1.4/azure-vm-os-data-sse-encryption-disabled.json b/rules/findings/Azure/Virtual Machines/CIS3.0/azure-vm-os-data-cmk-encryption-disabled.json
similarity index 72%
rename from rules/findings/Azure/Virtual Machines/CIS1.4/azure-vm-os-data-sse-encryption-disabled.json
rename to rules/findings/Azure/Virtual Machines/CIS3.0/azure-vm-os-data-cmk-encryption-disabled.json
index 5a34af6f..bbe038f9 100644
--- a/rules/findings/Azure/Virtual Machines/CIS1.4/azure-vm-os-data-sse-encryption-disabled.json
+++ b/rules/findings/Azure/Virtual Machines/CIS3.0/azure-vm-os-data-cmk-encryption-disabled.json
@@ -1,13 +1,13 @@
-{
+{
"args": [
],
"provider": "Azure",
"serviceType": "Azure Virtual Machines",
"serviceName": "Compute",
- "displayName": "Ensure that OS and Data disks are encrypted with customer managed keys",
- "description": "Ensure that OS disks (boot volumes) and data disks (non-boot volumes) are encrypted with CMK.",
- "rationale": "Encrypting the IaaS VM\u0027s OS disk (boot volume), Data disks (non-boot volume) ensures that the entire content is fully unrecoverable without a key and thus protects the volume from unwarranted reads. CMK is superior encryption although requires additional planning.",
+ "displayName": "Ensure that 'OS and Data' disks are encrypted with Customer Managed Key (CMK)",
+ "description": "Ensure that OS disks (boot volumes) and data disks (non-boot volumes) are encrypted with CMK (Customer Managed Keys). Customer Managed keys can be either ADE or Server Side Encryption (SSE).",
+ "rationale": "Encrypting the IaaS VM's OS disk (boot volume) and Data disks (non-boot volume) ensures that the entire content is fully unrecoverable without a key, thus protecting the volume from unwanted reads. PMK (Platform Managed Keys) are enabled by default in Azure-managed disks and allow encryption at rest. CMK is recommended because it gives the customer the option to control which specific keys are used for the encryption and decryption of the disk. The customer can then change keys and increase security by disabling them instead of relying on the PMK key that remains unchanging. There is also the option to increase security further by using automatically rotating keys so that access to disk is ensured to be limited. Organizations should evaluate what their security requirements are, however, for the data stored on the disk. For high-risk data using CMK is a must, as it provides extra steps of security. If the data is low risk, PMK is enabled by default and provides sufficient data security.",
"impact": "Using CMK/BYOK will entail additional management of keys.\r\n\t\t\t\t**NOTE**: You must have your key vault setup to utilize this.",
"remediation": {
"text": "###### From Azure Console\r\n\t\t\t\t\t**Note**: Disks must be detached from VMs to have encryption changed.\r\n\t\t\t\t\t1. Go to `Virtual machines`\r\n\t\t\t\t\t2. For each virtual machine, go to `Settings`\r\n\t\t\t\t\t3. Click on `Disks`\r\n\t\t\t\t\t4. Click the `X` to detach the disk from the VM\r\n\t\t\t\t\t5. Now search for `Disks` and locate the unattached disk\r\n\t\t\t\t\t6. Click the disk then select `Encryption`\r\n\t\t\t\t\t7. Change your encryption type, then select your encryption set\r\n\t\t\t\t\t8. Click `Save`\r\n\t\t\t\t\t9. Go back to the VM and re-attach the disk",
@@ -32,8 +32,9 @@
"compliance": [
{
"name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "7.2"
+ "version": "3.0.0",
+ "reference": "8.3",
+ "profile": "Level 2"
}
],
"level": "medium",
@@ -95,15 +96,17 @@
],
"actions": {
"objectData": {
- "expand": [
+ "properties": [
"name",
"location",
"os_sse_encryption"
],
+ "expandObject": null,
"limit": null
},
"showGoToButton": "True",
- "showModalButton": "True"
+ "showModalButton": "True",
+ "directLink": null
}
},
"text": {
@@ -136,3 +139,4 @@
]
}
+
diff --git a/rules/findings/Azure/Virtual Machines/CIS3.0/azure-vm-trusted-launch-disabled.json b/rules/findings/Azure/Virtual Machines/CIS3.0/azure-vm-trusted-launch-disabled.json
new file mode 100644
index 00000000..d0e18782
--- /dev/null
+++ b/rules/findings/Azure/Virtual Machines/CIS3.0/azure-vm-trusted-launch-disabled.json
@@ -0,0 +1,106 @@
+{
+ "args": [
+
+ ],
+ "provider": "Azure",
+ "serviceType": "Azure Virtual Machines",
+ "serviceName": "Compute",
+ "displayName": "Ensure Trusted Launch is enabled on Virtual Machines",
+ "description": "When Secure Boot and vTPM are enabled together, they provide a strong foundation for protecting your VM from boot attacks. For example, if an attacker attempts to replace the bootloader with a malicious version, Secure Boot will prevent the VM from booting. If the attacker is able to bypass Secure Boot and install a malicious bootloader, vTPM can be used to detect the intrusion and alert you.",
+ "rationale": "Secure Boot and vTPM work together to protect your VM from a variety of boot attacks, including bootkits, rootkits, and firmware rootkits. Not enabling Trusted Launch in Azure VM can lead to increased vulnerability to rootkits and boot-level malware, reduced ability to detect and prevent unauthorized changes to the boot process, and a potential compromise of system integrity and data security.",
+ "impact": "
+ Secure Boot and vTPM are not currently supported for Azure Generation 1 VMs.
+ *IMPORTANT* : Before enabling Secure Boot and vTPM on a Generation 2 VM which does not already have both enabled, it is highly recommended to create a restore point of the VM prior to remediation.
+ ",
+ "remediation": {
+ "text": null,
+ "code": {
+ "powerShell": null,
+ "iac": null,
+ "terraform": null,
+ "other": null
+ }
+ },
+ "recommendation": null,
+ "references": [
+ "https://learn.microsoft.com/en-us/azure/virtual-machines/trusted-launch-existing-vm?tabs=portal",
+ "https://learn.microsoft.com/en-us/azure/virtual-machines/trusted-launch-existing-vm?tabs=portal#enable-trusted-launch-on-existing-vm",
+ "https://learn.microsoft.com/en-us/azure/virtual-machines/trusted-launch#secure-boot"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "3.0.0",
+ "reference": "8.11",
+ "profile": "Level 1"
+ }
+ ],
+ "level": "medium",
+ "tags": [
+ "Legacy"
+ ],
+ "rule": {
+ "path": "",
+ "subPath": null,
+ "selectCondition": {
+
+ },
+ "query": [
+ ],
+ "shouldExist": null,
+ "returnObject": null,
+ "removeIfNotExists": null
+ },
+ "output": {
+ "html": {
+ "data": {
+ "expandObject": null
+ },
+ "table": "Normal",
+ "decorate": [
+
+ ],
+ "emphasis": [
+
+ ],
+ "actions": {
+ "objectData": {
+ "expandObject": null,
+ "limit": null
+ },
+ "showGoToButton": "True",
+ "showModalButton": "True",
+ "directLink": null
+ }
+ },
+ "text": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "status": {
+ "keyName": [
+
+ ],
+ "message": "",
+ "defaultMessage": null
+ },
+ "properties": {
+ "resourceName": null,
+ "resourceId": null,
+ "resourceType": null
+ },
+ "onlyStatus": false
+ }
+ },
+ "idSuffix": "azure_vm_trusted_launch_disabled",
+ "notes": [
+
+ ],
+ "categories": [
+
+ ]
+}
+
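Review bot: `rule.path` is the empty string and `rule.query` is an empty array, so this finding has no data source and no condition and can never fire (or, depending on the engine, may fail on the empty path) — CIS 8.11 is declared in `compliance` but not actually evaluated. The endpoint-protection rule added in the same commit shows the expected shape: a `path` such as `az_virtual_machines` and a `query` filter over the VM's security profile, which the Compute API exposes as `securityProfile.securityType` with `uefiSettings.secureBootEnabled` and `uefiSettings.vTpmEnabled`, under whatever normalized field the collector maps them to. The `"Legacy"` tag is wrong for Trusted Launch, which is the current recommendation rather than a deprecated one, and appears carried over from the VHD rule. `remediation.text` is `null` although the references already point at the enable-on-existing-VM procedure; a one-line summary of those steps would be useful. `output.html.data` also lacks the `properties` map every other rule declares, so the report would have no columns.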
diff --git a/rules/findings/EntraId/Users/CIS1.5/azure-activedirectory-users-can-consent-apps-data-access-trusted-publishers-disabled.json b/rules/findings/EntraID/Applications/CIS3.0/eid-users-can-consent-apps-data-access-trusted-publishers-disabled.json
similarity index 85%
rename from rules/findings/EntraId/Users/CIS1.5/azure-activedirectory-users-can-consent-apps-data-access-trusted-publishers-disabled.json
rename to rules/findings/EntraID/Applications/CIS3.0/eid-users-can-consent-apps-data-access-trusted-publishers-disabled.json
index 7b813266..258bc552 100644
--- a/rules/findings/EntraId/Users/CIS1.5/azure-activedirectory-users-can-consent-apps-data-access-trusted-publishers-disabled.json
+++ b/rules/findings/EntraID/Applications/CIS3.0/eid-users-can-consent-apps-data-access-trusted-publishers-disabled.json
@@ -1,13 +1,13 @@
-{
+{
"args": [
],
"provider": "EntraID",
"serviceType": "General",
"serviceName": "Microsoft Entra ID",
- "displayName": "Ensure That \u0027Users Can Consent to Apps Accessing Company Data on Their Behalf Is Set To \u0027Allow for Verified Publishers\u0027",
+ "displayName": "Ensure 'User consent for applications' Is Set To 'Allow for Verified Publishers'",
"description": "Allow users to provide consent for selected permissions when a request is coming from a verified publisher.",
- "rationale": "Unless Microsoft Entra ID is running as an identity provider for third-party applications, do not allow users to use their identity outside of the cloud environment. User profiles contain private information such as phone numbers and email addresses which could then be sold off to other third parties without requiring any further consent from the user.",
+ "rationale": "If Microsoft Entra ID is running as an identity provider for third-party applications, permissions and consent should be limited to administrators or pre-approved. Malicious applications may attempt to exfiltrate data or abuse privileged user accounts.",
"impact": "Enforcing this setting may create additional requests that administrators need to fulfill quite often.",
"remediation": {
"text": "###### From Azure Console\r\n\t\t\t\t\t\t1. Go to `Microsoft Entra ID`\r\n\t\t\t\t\t\t2. Go to `Users`\r\n\t\t\t\t\t\t3. Go to `User settings`\r\n\t\t\t\t\t\t4. Click on `Manage how end users launch and view their applications`\r\n\t\t\t\t\t\t5. Click on `Consent and Permissions`\r\n\t\t\t\t\t\t6. Set ` Allow user consent for apps from verified publishers, for selected permissions`\r\n\t\t\t\t\t\t7. Click on `Save`",
@@ -34,8 +34,9 @@
"compliance": [
{
"name": "CIS Microsoft Azure Foundations",
- "version": "1.5.0",
- "reference": "1.11"
+ "version": "3.0.0",
+ "reference": "2.13",
+ "profile": "Level 1"
}
],
"level": "medium",
@@ -90,13 +91,15 @@
],
"actions": {
"objectData": {
- "expand": [
+ "properties": [
"*"
],
+ "expandObject": null,
"limit": null
},
"showGoToButton": false,
- "showModalButton": false
+ "showModalButton": false,
+ "directLink": null
}
},
"text": {
@@ -121,7 +124,7 @@
"onlyStatus": false
}
},
- "idSuffix": "aad_require_trusted_publisher_apps",
+ "idSuffix": "eid_allow_consent_apps_from_trusted_publishers",
"notes": [
],
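Review bot: `idSuffix` changes from `aad_require_trusted_publisher_apps` to `eid_allow_consent_apps_from_trusted_publishers`, which changes the finding's identifier; anything keyed on the old id (baselines, suppressions, exported reports, dashboards) will presumably stop matching and the control will resurface as a new finding. If the rename is intended, a `notes` entry recording the previous id, or a changelog line, would let consumers migrate. The new name also reads as the compliant state rather than the flagged one, unlike `azure_vm_trusted_launch_disabled` and `az_vm_endpoint_protection_not_installed` in this commit, so `eid_allow_consent_apps_from_trusted_publishers_disabled` would match both the filename and that convention.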
@@ -129,3 +132,4 @@
]
}
+
diff --git a/rules/findings/EntraId/Users/CIS1.4/azure-activedirectory-users-can-consent-apps-data-access.json b/rules/findings/EntraID/Applications/CIS3.0/eid-users-can-consent-apps-data-access.json
similarity index 80%
rename from rules/findings/EntraId/Users/CIS1.4/azure-activedirectory-users-can-consent-apps-data-access.json
rename to rules/findings/EntraID/Applications/CIS3.0/eid-users-can-consent-apps-data-access.json
index 8a4d0971..0c12d4e3 100644
--- a/rules/findings/EntraId/Users/CIS1.4/azure-activedirectory-users-can-consent-apps-data-access.json
+++ b/rules/findings/EntraID/Applications/CIS3.0/eid-users-can-consent-apps-data-access.json
@@ -1,14 +1,14 @@
-{
+{
"args": [
],
"provider": "EntraID",
"serviceType": "General",
"serviceName": "Microsoft Entra ID",
- "displayName": "Ensure that \u0027Users can consent to apps accessing company data on their behalf\u0027 is set to \u0027No\u0027",
- "description": "Consider to prevent regular users from consenting to applications on their own behalf. Once this feature is disabled, an administrator will be required to consent to any new application a user needs to use.",
- "rationale": "Unless Microsoft Entra ID is running as an identity provider for third-party applications, do not allow users to use their identity outside of the cloud environment. User profiles contain private information such as phone numbers and email addresses which could then be sold off to other third parties without requiring any further consent from the user.",
- "impact": "It might be an additional request that administrators need to fulfill quite often.",
+ "displayName": "Ensure 'User consent for applications' is set to 'Do not allow user consent'",
+ "description": "Require administrators to provide consent for applications before use.",
+ "rationale": "If Microsoft Entra ID is running as an identity provider for third-party applications, permissions and consent should be limited to administrators or pre-approved. Malicious applications may attempt to exfiltrate data or abuse privileged user accounts.",
+ "impact": "Enforcing this setting may create additional requests that administrators need to review.",
"remediation": {
"text": "###### From Azure Console\r\n\t\t\t\t\t\t1. Go to `Microsoft Entra ID`\r\n\t\t\t\t\t\t2. Go to `Users`\r\n\t\t\t\t\t\t3. Go to `User settings`\r\n\t\t\t\t\t\t4. Click on `Manage how end users launch and view their applications`\r\n\t\t\t\t\t\t4. Set ` Users can consent to apps accessing company data on their behalf` to `No`",
"code": {
@@ -34,8 +34,9 @@
"compliance": [
{
"name": "CIS Microsoft Azure Foundations",
- "version": "1.1.0",
- "reference": "1.9"
+ "version": "3.0.0",
+ "reference": "2.12",
+ "profile": "Level 1"
}
],
"level": "medium",
@@ -86,11 +87,15 @@
],
"actions": {
"objectData": {
- "expand": null,
+ "properties": [
+
+ ],
+ "expandObject": null,
"limit": null
},
"showGoToButton": null,
- "showModalButton": null
+ "showModalButton": null,
+ "directLink": null
}
},
"text": {
@@ -123,3 +128,4 @@
]
}
+
diff --git a/rules/findings/EntraId/Users/CIS1.4/azure-activedirectory-users-can-register-apps-enabled.json b/rules/findings/EntraID/Applications/CIS3.0/eid-users-can-register-apps-enabled.json
similarity index 81%
rename from rules/findings/EntraId/Users/CIS1.4/azure-activedirectory-users-can-register-apps-enabled.json
rename to rules/findings/EntraID/Applications/CIS3.0/eid-users-can-register-apps-enabled.json
index 726e1852..7a2d6f41 100644
--- a/rules/findings/EntraId/Users/CIS1.4/azure-activedirectory-users-can-register-apps-enabled.json
+++ b/rules/findings/EntraID/Applications/CIS3.0/eid-users-can-register-apps-enabled.json
@@ -1,14 +1,14 @@
-{
+{
"args": [
],
"provider": "EntraID",
"serviceType": "General",
"serviceName": "Microsoft Entra ID",
- "displayName": "Ensure that \u0027Users can register applications\u0027 is set to \u0027No\u0027",
- "description": "Consider to require that only administrators can register third-party applications.",
- "rationale": "It is recommended to only allow an administrator to register custom-developed applications. This ensures that the application undergoes a formal security review and approval process prior to exposing Microsoft Entra ID data to the application.",
- "impact": "Enforcing this setting will create additional requests for approval that will need to be addressed by an administrator.",
+ "displayName": "Ensure That 'Users Can Register Applications' Is Set to 'No'",
+ "description": "Require administrators or appropriately delegated users to register third-party applications.",
+ "rationale": "It is recommended to only allow an administrator to register custom-developed applications. This ensures that the application undergoes a formal security review and approval process prior to exposing Microsoft Entra ID data. Certain users like developers or other high-request users may also be delegated permissions to prevent them from waiting on an administrative user. Your organization should review your policies and decide your needs.",
+ "impact": "Enforcing this setting will create additional requests for approval that will need to be addressed by an administrator. If permissions are delegated, a user may approve a malevolent third party application, potentially giving it access to your data.",
"remediation": {
"text": "###### From Azure Console\r\n\t\t\t\t\t1. Go to `Microsoft Entra ID`\r\n\t\t\t\t\t2. Go to `Users`\r\n\t\t\t\t\t3. Go to `User settings`\r\n\t\t\t\t\t4. Ensure that `Users can register applications` is set to `No`",
"code": {
@@ -31,8 +31,9 @@
"compliance": [
{
"name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "1.11"
+ "version": "3.0.0",
+ "reference": "2.14",
+ "profile":"Level 1"
}
],
"level": "medium",
@@ -84,11 +85,15 @@
],
"actions": {
"objectData": {
- "expand": null,
+ "properties": [
+
+ ],
+ "expandObject": null,
"limit": null
},
"showGoToButton": null,
- "showModalButton": null
+ "showModalButton": null,
+ "directLink": null
}
},
"text": {
@@ -121,3 +126,4 @@
]
}
+
diff --git a/rules/findings/EntraID/Applications/CIS3.1/eid-admin-consent-workflow-not-enabled.json b/rules/findings/EntraID/Applications/CIS3.1/eid-admin-consent-workflow-not-enabled.json
new file mode 100644
index 00000000..bc24cbd0
--- /dev/null
+++ b/rules/findings/EntraID/Applications/CIS3.1/eid-admin-consent-workflow-not-enabled.json
@@ -0,0 +1,112 @@
+{
+ "args": [
+
+ ],
+ "provider": "EntraID",
+ "serviceType": "Applications",
+ "serviceName": "Microsoft Entra ID",
+ "displayName": "Ensure the admin consent workflow is enabled",
+ "description": "The admin consent workflow gives admins a secure way to grant access to applications that require admin approval. When a user tries to access an application but is unable to provide consent, they can send a request for admin approval. The request is sent via email to admins who have been designated as reviewers. A reviewer takes action on the request, and the user is notified of the action.",
+ "rationale": "The admin consent workflow (Preview) gives admins a secure way to grant access to applications that require admin approval. When a user tries to access an application but is unable to provide consent, they can send a request for admin approval. The request is sent via email to admins who have been designated as reviewers. A reviewer acts on the request, and the user is notified of the action.",
+ "impact": "To approve requests, a reviewer must be a global administrator, cloud application administrator, or application administrator. The reviewer must already have one of these admin roles assigned; simply designating them as a reviewer doesn't elevate their privileges.",
+ "remediation": {
+ "text": "
+ ###### To enable the admin consent workflow, use the Microsoft 365 Admin Center:
+ 1. Navigate to Microsoft Entra admin center https://entra.microsoft.com/.
+ 2. Click to expand Identity > Applications select Enterprise applications.
+ 3. Under Security select Consent and permissions.
+ 4. Under Manage select Admin consent settings.
+ 5. Set Users can request admin consent to apps they are unable to consent to to Yes under Admin consent requests.
+ 6. Under the Reviewers choose the Roles and Groups that will review user generated app consent requests.
+ 7. Set Selected users will receive email notifications for requests to Yes
+ 8. Select Save at the top of the window.
+ ",
+ "code": {
+ "powerShell": null,
+ "iac": null,
+ "terraform": null,
+ "other": null
+ }
+ },
+ "recommendation": null,
+ "references": [
+ "https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/configure-admin-consent-workflow"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations Benchmark",
+ "version": "3.1.0",
+ "reference": "5.1.5.3",
+ "profile": "E3 Level 1"
+ }
+ ],
+ "level": "medium",
+ "tags": [
+ ],
+ "rule": {
+ "path": "",
+ "subPath": null,
+ "selectCondition": {
+
+ },
+ "query": [
+ ],
+ "shouldExist": null,
+ "returnObject": null,
+ "removeIfNotExists": null
+ },
+ "output": {
+ "html": {
+ "data": {
+ "expandObject": null
+ },
+ "table": "Normal",
+ "decorate": [
+
+ ],
+ "emphasis": [
+
+ ],
+ "actions": {
+ "objectData": {
+ "properties": [
+ ],
+ "expandObject": null,
+ "limit": null
+ },
+ "showGoToButton": "True",
+ "showModalButton": "True",
+ "directLink": null
+ }
+ },
+ "text": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "status": {
+ "keyName": [
+
+ ],
+ "message": "Ensure the admin consent workflow is enabled",
+ "defaultMessage": null
+ },
+ "properties": {
+ "resourceName": null,
+ "resourceId": null,
+ "resourceType": null
+ },
+ "onlyStatus": false
+ }
+ },
+ "idSuffix": "eid_admin_consent_workflow_not_enabled",
+ "notes": [
+
+ ],
+ "categories": [
+
+ ]
+}
+
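Review bot: The remediation `text` value is a JSON string containing raw line breaks, which RFC 8259 parsers reject, so this rule file will fail to load; the sibling "Users can register applications" rule shows the project's convention of a single line with `\r\n` escapes. The `rule` block also has an empty `path`/`query` and, unlike the manual Conditional Access rules in this change, no `"isManual": "true"`, so the control would apparently neither be evaluated nor surfaced as a manual check — a silently dead finding gives false assurance that consent requests are actually being reviewed. The heading says "use the Microsoft 365 Admin Center" while steps 1–4 navigate the Entra admin center, and `rationale` merely repeats `description` with a stale "(Preview)" tag; a rationale that states why the workflow matters (a sanctioned review path instead of loosening user consent) would serve readers better.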
diff --git a/rules/findings/EntraID/Conditinal Access/CIS3.0/eid-ensure-mfa-admin-portals-missing-cap.json b/rules/findings/EntraID/Conditinal Access/CIS3.0/eid-ensure-mfa-admin-portals-missing-cap.json
new file mode 100644
index 00000000..d446ffdc
--- /dev/null
+++ b/rules/findings/EntraID/Conditinal Access/CIS3.0/eid-ensure-mfa-admin-portals-missing-cap.json
@@ -0,0 +1,112 @@
+{
+ "args": [
+
+ ],
+ "provider": "EntraID",
+ "serviceType": "Conditional Access",
+ "serviceName": "Microsoft Entra ID",
+ "displayName": "Ensure Multi-factor Authentication is Required to access Microsoft Admin Portals",
+ "description": "This recommendation ensures that users accessing Microsoft Admin Portals (i.e. Microsoft 365 Admin, Microsoft 365 Defender, Exchange Admin Center, Azure Portal, etc.) are required to use multi-factor authentication (MFA) credentials when logging into an Admin Portal.",
+ "rationale": '
+ Administrative Portals for Microsoft Azure should be secured with a higher level of scrutiny to authenticating mechanisms. Enabling multi-factor authentication is recommended to reduce the potential for abuse of Administrative actions, and to prevent intruders or compromised admin credentials from changing administrative settings.
+ *IMPORTANT:* While this recommendation allows exceptions to specific Users or Groups, they should be very carefully tracked and reviewed for necessity on a regular interval through an Access Review process. It is important that this rule be built to include "All Users" to ensure that all users not specifically excepted will be required to use MFA to access Admin Portals.
+ ',
+ "impact": "Conditional Access policies require Microsoft Entra ID P1 or P2 licenses. Similarly, they may require additional overhead to maintain if users lose access to their MFA. Any users or groups which are granted an exception to this policy should be carefully tracked, be granted only minimal necessary privileges, and conditional access exceptions should be reviewed or investigated.",
+ "remediation": {
+ "text": "",
+ "code": {
+ "powerShell": null,
+ "iac": null,
+ "terraform": null,
+ "other": null
+ }
+ },
+ "recommendation": null,
+ "references": [
+ "https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-admin-mfa",
+ "https://learn.microsoft.com/en-us/azure/active-directory/roles/security-emergency-access",
+ "https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/troubleshoot-conditional-access-what-if",
+ "https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/plan-conditional-access",
+ "https://learn.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-identity-management#im-7-restrict-resource-access-based-on--conditions"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "3.0.0",
+ "reference": "2.2.9"
+ }
+ ],
+ "level": "medium",
+ "tags": [
+
+ ],
+ "rule": {
+ "isManual":"true",
+ "shouldExist": "true",
+ "returnObject": null,
+ "removeIfNotExists": null
+ },
+ "output": {
+ "html": {
+ "data": {
+ "properties": {
+ "displayName": "Name",
+ "state": "Status",
+ "conditions.applications.includeApplications": "Applications",
+ "conditions.users.includeRoles": "Users",
+ "grantControls.operator": "Operator",
+ "grantControls.builtInControls": "BuiltIn Controls"
+ },
+ "expandObject": null
+ },
+ "table": "Normal",
+ "decorate": [
+
+ ],
+ "emphasis": [
+
+ ],
+ "actions": {
+ "objectData": {
+ "properties": [
+ "*"
+ ],
+ "expandObject": null,
+ "limit": null
+ },
+ "showGoToButton": "True",
+ "showModalButton": "True",
+ "directLink": null
+ }
+ },
+ "text": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "status": {
+ "keyName": [
+ "displayName"
+ ],
+ "message": "The {displayName} policy is not configured to require MFA for Azure Management",
+ "defaultMessage": null
+ },
+ "properties": {
+ "resourceName": "displayName",
+ "resourceId": "id",
+ "resourceType": "@odata.context"
+ },
+ "onlyStatus": true
+ }
+ },
+ "idSuffix": "aad_cap_admin_portals_missing",
+ "notes": [
+
+ ],
+ "categories": [
+
+ ]
+}
+
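Review bot: The status message `The {displayName} policy is not configured to require MFA for Azure Management` is copied from the 2.2.7 Azure-Management rule, so a report would attribute an Admin Portals gap to the wrong control; change it to `"message": "The {displayName} policy is not configured to require MFA for Microsoft Admin Portals"`. The `rationale` value is single-quoted and spans several raw lines, which strict JSON parsers reject, and `remediation.text` is empty, so the finding carries no guidance for what is arguably the highest-value MFA policy in this set. The `idSuffix` keeps the old `aad_` prefix while the file and its siblings use `eid_`, the compliance entry lacks the `profile` field the other 3.0.0 entries carry, and the new directory `Conditinal Access` is misspelled; if existing suppressions key on the suffix, renaming it to `eid_cap_admin_portals_missing` would need a migration note.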
diff --git a/rules/findings/EntraId/Conditional Access/CIS1.5/aad-ensure-mfa-for-azure-management-missing-cap.json b/rules/findings/EntraID/Conditinal Access/CIS3.0/eid-ensure-mfa-for-azure-management-missing-cap.json
similarity index 96%
rename from rules/findings/EntraId/Conditional Access/CIS1.5/aad-ensure-mfa-for-azure-management-missing-cap.json
rename to rules/findings/EntraID/Conditinal Access/CIS3.0/eid-ensure-mfa-for-azure-management-missing-cap.json
index a08bb962..50394d74 100644
--- a/rules/findings/EntraId/Conditional Access/CIS1.5/aad-ensure-mfa-for-azure-management-missing-cap.json
+++ b/rules/findings/EntraID/Conditinal Access/CIS3.0/eid-ensure-mfa-for-azure-management-missing-cap.json
@@ -1,4 +1,4 @@
-{
+{
"args": [
],
@@ -29,8 +29,8 @@
"compliance": [
{
"name": "CIS Microsoft Azure Foundations",
- "version": "1.5.0",
- "reference": "1.2.6"
+ "version": "3.0.0",
+ "reference": "2.2.7"
}
],
"level": "medium",
@@ -120,13 +120,15 @@
],
"actions": {
"objectData": {
- "expand": [
+ "properties": [
"*"
],
+ "expandObject": null,
"limit": null
},
"showGoToButton": "True",
- "showModalButton": "True"
+ "showModalButton": "True",
+ "directLink": null
}
},
"text": {
@@ -159,3 +161,4 @@
]
}
+
diff --git a/rules/findings/EntraId/Conditional Access/CIS1.5/aad-ensure-mfa-for-high-privileged-users-missing-cap.json b/rules/findings/EntraID/Conditinal Access/CIS3.0/eid-ensure-mfa-for-high-privileged-users-missing-cap.json
similarity index 95%
rename from rules/findings/EntraId/Conditional Access/CIS1.5/aad-ensure-mfa-for-high-privileged-users-missing-cap.json
rename to rules/findings/EntraID/Conditinal Access/CIS3.0/eid-ensure-mfa-for-high-privileged-users-missing-cap.json
index 3f152bfe..c2afc38c 100644
--- a/rules/findings/EntraId/Conditional Access/CIS1.5/aad-ensure-mfa-for-high-privileged-users-missing-cap.json
+++ b/rules/findings/EntraID/Conditinal Access/CIS3.0/eid-ensure-mfa-for-high-privileged-users-missing-cap.json
@@ -1,4 +1,4 @@
-{
+{
"args": [
],
@@ -29,8 +29,9 @@
"compliance": [
{
"name": "CIS Microsoft Azure Foundations",
- "version": "1.5.0",
- "reference": "1.2.3"
+ "version": "3.0.0",
+ "reference": "2.2.4",
+ "profile":"Level 2"
}
],
"level": "medium",
@@ -118,13 +119,15 @@
],
"actions": {
"objectData": {
- "expand": [
+ "properties": [
"*"
],
+ "expandObject": null,
"limit": null
},
"showGoToButton": "True",
- "showModalButton": "True"
+ "showModalButton": "True",
+ "directLink": null
}
},
"text": {
@@ -157,3 +160,4 @@
]
}
+
diff --git a/rules/findings/EntraId/Conditional Access/CIS1.5/aad-ensure-mfa-for-risky-signs-missing-cap.json b/rules/findings/EntraID/Conditinal Access/CIS3.0/eid-ensure-mfa-for-risky-signs-missing-cap.json
similarity index 95%
rename from rules/findings/EntraId/Conditional Access/CIS1.5/aad-ensure-mfa-for-risky-signs-missing-cap.json
rename to rules/findings/EntraID/Conditinal Access/CIS3.0/eid-ensure-mfa-for-risky-signs-missing-cap.json
index 0ca9ef71..4587428d 100644
--- a/rules/findings/EntraId/Conditional Access/CIS1.5/aad-ensure-mfa-for-risky-signs-missing-cap.json
+++ b/rules/findings/EntraID/Conditinal Access/CIS3.0/eid-ensure-mfa-for-risky-signs-missing-cap.json
@@ -1,4 +1,4 @@
-{
+{
"args": [
],
@@ -29,8 +29,8 @@
"compliance": [
{
"name": "CIS Microsoft Azure Foundations",
- "version": "1.5.0",
- "reference": "1.2.5"
+ "version": "3.0.0",
+ "reference": "2.2.6"
}
],
"level": "medium",
@@ -131,7 +131,7 @@
"state": "Status",
"conditions.applications.includeApplications": "Applications",
"conditions.users.includeUsers": "Users",
- "conditions.signInRiskLevels": "signIn Risk Levels",
+ "conditions.signInRiskLevels": "signIn Risk Levels",
"grantControls.operator": "Operator",
"grantControls.builtInControls": "BuiltIn Controls"
},
@@ -146,13 +146,15 @@
],
"actions": {
"objectData": {
- "expand": [
+ "properties": [
"*"
],
+ "expandObject": null,
"limit": null
},
"showGoToButton": "True",
- "showModalButton": "True"
+ "showModalButton": "True",
+ "directLink": null
}
},
"text": {
@@ -185,3 +187,4 @@
]
}
+
diff --git a/rules/findings/EntraId/Conditional Access/CIS1.5/aad-ensure-mfa-for-users-missing-cap.json b/rules/findings/EntraID/Conditinal Access/CIS3.0/eid-ensure-mfa-for-users-missing-cap.json
similarity index 94%
rename from rules/findings/EntraId/Conditional Access/CIS1.5/aad-ensure-mfa-for-users-missing-cap.json
rename to rules/findings/EntraID/Conditinal Access/CIS3.0/eid-ensure-mfa-for-users-missing-cap.json
index 4f0b2ef4..7232a593 100644
--- a/rules/findings/EntraId/Conditional Access/CIS1.5/aad-ensure-mfa-for-users-missing-cap.json
+++ b/rules/findings/EntraID/Conditinal Access/CIS3.0/eid-ensure-mfa-for-users-missing-cap.json
@@ -1,4 +1,4 @@
-{
+{
"args": [
],
@@ -29,8 +29,8 @@
"compliance": [
{
"name": "CIS Microsoft Azure Foundations",
- "version": "1.5.0",
- "reference": "1.2.4"
+ "version": "3.0.0",
+ "reference": "2.2.5"
}
],
"level": "medium",
@@ -101,7 +101,7 @@
"state": "Status",
"conditions.applications.includeApplications": "Applications",
"conditions.users.includeUsers": "Users",
- "conditions.userRiskLevels": "User Risk Levels",
+ "conditions.userRiskLevels": "User Risk Levels",
"grantControls.operator": "Operator",
"grantControls.builtInControls": "BuiltIn Controls"
},
@@ -116,13 +116,15 @@
],
"actions": {
"objectData": {
- "expand": [
+ "properties": [
"*"
],
+ "expandObject": null,
"limit": null
},
"showGoToButton": "True",
- "showModalButton": "True"
+ "showModalButton": "True",
+ "directLink": null
}
},
"text": {
@@ -155,3 +157,4 @@
]
}
+
diff --git a/rules/findings/EntraID/Conditinal Access/CIS3.0/eid-exclusionary-device-code-flow-disabled.json b/rules/findings/EntraID/Conditinal Access/CIS3.0/eid-exclusionary-device-code-flow-disabled.json
new file mode 100644
index 00000000..2e1108f6
--- /dev/null
+++ b/rules/findings/EntraID/Conditinal Access/CIS3.0/eid-exclusionary-device-code-flow-disabled.json
@@ -0,0 +1,109 @@
+{
+ "args": [
+
+ ],
+ "provider": "EntraID",
+ "serviceType": "Conditional Access",
+ "serviceName": "Microsoft Entra ID",
+ "displayName": "Ensure that an exclusionary Device code flow policy is considered",
+ "description": "
+ Conditional Access Policies can be used to prevent the Device code authentication flow. Device code flow should be permitted only for users that regularly perform duties that explicitly require the use of Device Code to authenticate, such as utilizing Azure with PowerShell.
+ ",
+ "rationale": '
+ Attackers use Device code flow in phishing attacks and, if successful, results in the attacker gaining access tokens and refresh tokens which are scoped to "user_impersonation", which can perform any action the user has permission to perform.
+ ',
+ "impact": "
+ Microsoft Entra ID P1 or P2 is required.
+ This policy should be tested using the `Report-only mode` before implementation. Without a full and careful understanding of the accounts and personnel who require Device code authentication flow, implementing this policy can block authentication for users and devices who rely on Device code flow. For users and devices that rely on device code flow authentication, more secure alternatives should be implemented wherever possible.
+ ",
+ "remediation": {
+ "text": '
+ ',
+ "code": {
+ "powerShell": null,
+ "iac": null,
+ "terraform": null,
+ "other": null
+ }
+ },
+ "recommendation": null,
+ "references": [
+ "https://learn.microsoft.com/en-us/entra/identity/conditional-access/conceptauthentication-flows#device-code-flow",
+ "https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-identitymanagement#im-7-restrict-resource-access-based-on--conditions",
+ "https://docs.microsoft.com/en-us/azure/active-directory/conditionalaccess/concept-conditional-access-report-only",
+ "https://learn.microsoft.com/en-us/entra/identity/conditional-access/how-to-policyauthentication-flows"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "3.0.0",
+ "reference": "2.2.3",
+ "profile": "Level 2"
+ }
+ ],
+ "level": "medium",
+ "tags": [
+
+ ],
+ "rule": {
+ "path": "",
+ "subPath": null,
+ "selectCondition": {
+
+ },
+ "query": [
+ ],
+ "shouldExist": null,
+ "returnObject": null,
+ "removeIfNotExists": null
+ },
+ "output": {
+ "html": {
+ "data": {
+ },
+ "table": "Normal",
+ "decorate": [
+
+ ],
+ "emphasis": [
+
+ ],
+ "actions": {
+ "objectData": {
+ "properties": [
+ "*"
+ ],
+ "expandObject": "",
+ "limit": null
+ },
+ "showGoToButton": "False",
+ "showModalButton": "False",
+ "directLink": null
+ }
+ },
+ "text": {
+ "data": {
+ "properties": {
+ },
+ "expandObject": ""
+ },
+ "status": {
+ "keyName": [
+ ],
+ "message": "",
+ "defaultMessage": "Ensure that an exclusionary Device code flow policy is considered"
+ },
+ "properties": {
+ },
+ "onlyStatus": true
+ }
+ },
+ "idSuffix": "eid_exclusionary_device_code_flow_cap_disabled",
+ "notes": [
+
+ ],
+ "categories": [
+
+ ]
+}
+
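Review bot: `remediation.text` is an empty single-quoted string and all four reference URLs have lost hyphens (`conceptauthentication-flows`, `mcsb-identitymanagement`, `conditionalaccess/`, `how-to-policyauthentication-flows`), so a reader of a device-code-phishing finding gets no remediation and dead links; the corrected forms are `concept-authentication-flows`, `mcsb-identity-management` (as the geographic rule already spells it), `conditional-access/`, and `how-to-policy-authentication-flows`. `description`, `rationale` and `impact` use raw newlines and single quotes, which RFC 8259 parsers reject, so the file cannot be loaded as-is. The `rule` block has no query and no `"isManual": "true"` flag, unlike the geographic-policy rule, so it is unclear how this control would ever be evaluated or reported. Since the description already says the flow should only be permitted for users that explicitly need it, the impact text could add that the exclusion group for this policy should be reviewed on the same cadence as the MFA exceptions.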
diff --git a/rules/findings/EntraID/Conditinal Access/CIS3.0/entra-exclusionary-geograhic-cap-exists.json b/rules/findings/EntraID/Conditinal Access/CIS3.0/entra-exclusionary-geograhic-cap-exists.json
new file mode 100644
index 00000000..86f2b90f
--- /dev/null
+++ b/rules/findings/EntraID/Conditinal Access/CIS3.0/entra-exclusionary-geograhic-cap-exists.json
@@ -0,0 +1,155 @@
+{
+ "args": [
+
+ ],
+ "provider": "EntraID",
+ "serviceType": "Conditional Access",
+ "serviceName": "Microsoft Entra ID",
+ "displayName": "Ensure that an exclusionary Geographic Access Policy is considered",
+ "description": "
+ *CAUTION:* If these policies are created without first auditing and testing the result, misconfiguration can potentially lock out administrators or create undesired access issues.
+ Conditional Access Policies can be used to block access from geographic locations that are deemed out-of-scope for your organization or application. The scope and variables for this policy should be carefully examined and defined.
+ ",
+ "rationale": "
+ Conditional Access, when used as a deny list for the tenant or subscription, is able to prevent ingress or egress of traffic to countries that are outside of the scope of interest (e.g.: customers, suppliers) or jurisdiction of an organization. This is an effective way to prevent unnecessary and long-lasting exposure to international threats such as APTs.
+ ",
+ "impact": "
+ Microsoft Entra ID P1 or P2 is required. Limiting access geographically will deny access to users that are traveling or working remotely in a different part of the world. A point-to site or site to site tunnel such as a VPN is recommended to address exceptions to geographic access policies.
+ ",
+ "remediation": {
+ "text": '
+ First, set up the conditions objects values before updating an existing conditional access policy or before creating a new one. You may need to use additional PowerShell cmdlets to retrieve specific IDs such as the `Get-MgIdentityConditionalAccessNamedLocation` which outputs the `Location IDs` for use with conditional access policies.
+
+ ```PowerShell
+ $conditions = New-Object -TypeName
+ Microsoft.Open.MSGraph.Model.ConditionalAccessConditionSet
+
+ $conditions.Applications = New-Object -TypeName
+ Microsoft.Open.MSGraph.Model.ConditionalAccessApplicationCondition
+ $conditions.Applications.IncludeApplications = <"All" | "Office365" | "app
+ ID" | @("app ID 1", "app ID 2", etc...>
+ $conditions.Applications.ExcludeApplications = <"Office365" | "app ID" |
+ @("app ID 1", "app ID 2", etc...)>
+
+ $conditions.Users = New-Object -TypeName
+ Microsoft.Open.MSGraph.Model.ConditionalAccessUserCondition
+ $conditions.Users.IncludeUsers = <"All" | "None" | "GuestsOrExternalUsers" |
+ "Specific User ID" | @("User ID 1", "User ID 2", etc.)>
+ $conditions.Users.ExcludeUsers = <"GuestsOrExternalUsers" | "Specific User
+ ID" | @("User ID 1", "User ID 2", etc.)>
+ $conditions.Users.IncludeGroups = <"group ID" | "All" | @("Group ID 1",
+ "Group ID 2", etc...)>
+ $conditions.Users.ExcludeGroups = <"group ID" | @("Group ID 1", "Group ID 2",
+ etc...)>
+ $conditions.Users.IncludeRoles = <"Role ID" | "All" | @("Role ID 1", "Role ID
+ 2", etc...)>
+ $conditions.Users.ExcludeRoles = <"Role ID" | @("Role ID 1", "Role ID 2",
+ etc...)>
+
+ $conditions.Locations = New-Object -TypeName
+ Microsoft.Open.MSGraph.Model.ConditionalAccessLocationCondition
+ $conditions.Locations.IncludeLocations = <"Location ID" | @("Location ID 1",
+ "Location ID 2", etc...) >
+ $conditions.Locations.ExcludeLocations = <"AllTrusted" | "Location ID" |
+ @("Location ID 1", "Location ID 2", etc...)>
+
+
+ $controls = New-Object -TypeName
+ Microsoft.Open.MSGraph.Model.ConditionalAccessGrantControls
+ $controls._Operator = "OR"
+ $controls.BuiltInControls = "block"
+ ```
+
+ Next, update the existing conditional access policy with the condition set options configured with the previous commands.
+
+ ```PowerShell
+ Update-MgIdentityConditionalAccessPolicy -PolicyId -Conditions $conditions -GrantControls $controls
+ ```
+
+ To create a new conditional access policy that complies with this best practice, run the following commands after creating the condition set above
+
+ ```PowerShell
+ New-MgIdentityConditionalAccessPolicy -Name "Policy Name" -State -Conditions $conditions -GrantControls $controls
+ ```
+ ',
+ "code": {
+ "powerShell": null,
+ "iac": null,
+ "terraform": null,
+ "other": null
+ }
+ },
+ "recommendation": null,
+ "references": [
+ "https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-location",
+ "https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-report-only",
+ "https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-identity-management#im-7-restrict-resource-access-based-on--conditions"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "3.0.0",
+ "reference": "2.2.2",
+ "profile": "Level 2"
+ }
+ ],
+ "level": "medium",
+ "tags": [
+
+ ],
+ "rule": {
+ "isManual": "true",
+ "shouldExist": null,
+ "returnObject": null,
+ "removeIfNotExists": "false"
+ },
+ "output": {
+ "html": {
+ "data": {
+ },
+ "table": "Normal",
+ "decorate": [
+
+ ],
+ "emphasis": [
+
+ ],
+ "actions": {
+ "objectData": {
+ "properties": [
+ "*"
+ ],
+ "expandObject": "",
+ "limit": null
+ },
+ "showGoToButton": "False",
+ "showModalButton": "False",
+ "directLink": null
+ }
+ },
+ "text": {
+ "data": {
+ "properties": {
+ },
+ "expandObject": ""
+ },
+ "status": {
+ "keyName": [
+ ],
+ "message": "",
+ "defaultMessage": "Ensure that an exclusionary Geographic Access Policy is considered"
+ },
+ "properties": {
+ },
+ "onlyStatus": true
+ }
+ },
+ "idSuffix": "eid_exclusionary_geographic_cap_disabled",
+ "notes": [
+
+ ],
+ "categories": [
+
+ ]
+}
+
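Review bot: The PowerShell remediation looks unrunnable as written: it builds `Microsoft.Open.MSGraph.Model.*` objects (the AzureAD module's types) but passes them to the Graph SDK `Update-/New-MgIdentityConditionalAccessPolicy` cmdlets, the `New-Object -TypeName` lines are split from their type names by a line break, and the final calls pass `-PolicyId` and `-State` with no value and `-Name` where the cmdlet expects a display name, so a reader copy-pasting it will not get a working policy; a hashtable body for the Graph cmdlets, or a portal procedure like the one in the trusted-locations rule, would be safer. The single-quoted `text` value with raw newlines is also rejected by strict JSON parsers. The rationale's "prevent ingress or egress of traffic" overstates what a Conditional Access block does — it denies sign-in from the named locations, not network traffic — so prefer `block sign-ins from countries outside the organization's scope of interest or jurisdiction`. Given the description's own lockout caution, the impact text should state that break-glass accounts must be excluded from this policy and that it should run in report-only mode before enforcement.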
diff --git a/rules/findings/EntraID/Conditinal Access/CIS3.0/entra-idle-session-exists.json b/rules/findings/EntraID/Conditinal Access/CIS3.0/entra-idle-session-exists.json
new file mode 100644
index 00000000..c84a987e
--- /dev/null
+++ b/rules/findings/EntraID/Conditinal Access/CIS3.0/entra-idle-session-exists.json
@@ -0,0 +1,128 @@
+{
+ "args": [
+
+ ],
+ "provider": "EntraID",
+ "serviceType": "Conditional Access",
+ "serviceName": "Microsoft Entra ID",
+ "displayName": "Ensure 'Idle session timeout' is set to '3 hours (or less)' for unmanaged devices",
+ "description": "
+ Idle session timeout allows the configuration of a setting which will timeout inactive users after a pre-determined amount of time. When a user reaches the set idle timeout session, they'll get a notification that they're about to be signed out. They have to select to stay signed in or they'll be automatically signed out of all Microsoft 365 web apps. Combined with a Conditional Access rule this will only impact unmanaged devices. A managed device is considered a device managed by Intune MDM.
+ The following Microsoft 365 web apps are supported.
+ * Outlook Web App
+ * OneDrive for Business
+ * SharePoint Online (SPO)
+ * Office.com and other start pages
+ * Office (Word, Excel, PowerPoint) on the web
+ * Microsoft 365 Admin Center
+ *NOTE* : Idle session timeout doesn't affect Microsoft 365 desktop and mobile apps. The recommended setting is 3 hours (or less) for unmanaged devices.
+ ",
+ "rationale": "Ending idle sessions through an automatic process can help protect sensitive company data and will add another layer of security for end users who work on unmanaged devices that can potentially be accessed by the public. Unauthorized individuals onsite or remotely can take advantage of systems left unattended over time. Automatic timing out of sessions makes this more difficult.",
+ "impact": "If step 2 in the Audit/Remediation procedure is left out then there is no issue with this from a security standpoint. However, it will require users on trusted devices to sign in more frequently which could result in credential prompt fatigue.",
+ "remediation": {
+ "text": '
+ ###### To configure Idle session timeout:
+ 1. Navigate to the Microsoft 365 admin center https://admin.microsoft.com/.
+ 2. Click to expand Settings Select Org settings.
+ 3. Click Security & Privacy tab.
+ 4. Select Idle session timeout.
+ 5. Check the box Turn on to set the period of inactivity for users to be signed off of Microsoft 365 web apps
+ 6. Set a maximum value of 3 hours.
+ 7. Click save.
+
+ ###### Step 2 - Ensure the Conditional Access policy is in place:
+ 1. Navigate to Microsoft Entra admin center https://entra.microsoft.com/
+ 2. Expand Protect > Conditional Access
+ 3. Click New policy and give the policy a name.
+ 4. Select Users > All users.
+ 5. Select Cloud apps or actions > Select apps and select Office 365
+ 6. Select Conditions > Client apps > Yes check only Browser unchecking all other boxes.
+ 7. Select Sessions and check Use app enforced restrictions.
+ 8. Set Enable policy to On and click Create.
+ *NOTE* : To ensure that idle timeouts affect only unmanaged devices, both steps must be completed.
+ ',
+ "code": {
+ "powerShell": null,
+ "iac": null,
+ "terraform": null,
+ "other": null
+ }
+ },
+ "recommendation": null,
+ "references": [
+ "https://learn.microsoft.com/en-us/microsoft-365/admin/manage/idle-session-timeout-web-apps?view=o365-worldwide"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "3.1.0",
+ "reference": "1.3.2",
+ "profile": "E3 Level 1"
+ }
+ ],
+ "level": "medium",
+ "tags": [
+
+ ],
+ "rule": {
+ "path": "",
+ "subPath": null,
+ "selectCondition": {
+
+ },
+ "query": [
+ ],
+ "shouldExist": null,
+ "returnObject": null,
+ "removeIfNotExists": "false"
+ },
+ "output": {
+ "html": {
+ "data": {
+ },
+ "table": "Normal",
+ "decorate": [
+
+ ],
+ "emphasis": [
+
+ ],
+ "actions": {
+ "objectData": {
+ "properties": [
+ "*"
+ ],
+ "expandObject": "",
+ "limit": null
+ },
+ "showGoToButton": "False",
+ "showModalButton": "False",
+ "directLink": null
+ }
+ },
+ "text": {
+ "data": {
+ "properties": {
+ },
+ "expandObject": ""
+ },
+ "status": {
+ "keyName": [
+ ],
+ "message": "",
+ "defaultMessage": "Ensure that an exclusionary Geographic Access Policy is considered"
+ },
+ "properties": {
+ },
+ "onlyStatus": true
+ }
+ },
+ "idSuffix": "eid_exclusionary_geographic_cap_disabled",
+ "notes": [
+
+ ],
+ "categories": [
+
+ ]
+}
+
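Review bot: `idSuffix` is `eid_exclusionary_geographic_cap_disabled`, identical to the geographic-policy rule's, and `defaultMessage` is that rule's title, so this copy-paste leftover would report an idle-session finding under the wrong name and, depending on how the suffix is keyed, collide with or mask the geographic finding; use `"idSuffix": "eid_idle_session_timeout_not_configured"` and `"defaultMessage": "Ensure 'Idle session timeout' is set to '3 hours (or less)' for unmanaged devices"`. The compliance entry labels version `3.1.0`, reference `1.3.2` and profile `E3 Level 1` as "CIS Microsoft Azure Foundations", but the E3 profile and that numbering belong to the Microsoft 365 benchmark (as the admin-consent rule in this change labels it), and the file sits in the `CIS3.0` folder; one of those should change. The single-quoted `text` and the multi-line `description`/`impact` strings are not valid JSON.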
diff --git a/rules/findings/EntraID/Conditinal Access/CIS3.0/entra-trusted-location-enabled..json b/rules/findings/EntraID/Conditinal Access/CIS3.0/entra-trusted-location-enabled..json
new file mode 100644
index 00000000..095274fe
--- /dev/null
+++ b/rules/findings/EntraID/Conditinal Access/CIS3.0/entra-trusted-location-enabled..json
@@ -0,0 +1,119 @@
+{
+ "args": [
+
+ ],
+ "provider": "EntraID",
+ "serviceType": "Conditional Access",
+ "serviceName": "Microsoft Entra ID",
+ "displayName": "Ensure Trusted Locations Are Defined",
+ "description": "Microsoft Entra ID Conditional Access allows an organization to configure `Named locations` and configure whether those locations are trusted or untrusted. These settings provide organizations the means to specify Geographical locations for use in conditional access policies, or define actual IP addresses and IP ranges and whether or not those IP addresses and/or ranges are trusted by the organization.",
+ "rationale": "Defining trusted source IP addresses or ranges helps organizations create and enforce Conditional Access policies around those trusted or untrusted IP addresses and ranges. Users authenticating from trusted IP addresses and/or ranges may have less access restrictions or access requirements when compared to users that try to authenticate to Microsoft Entra ID from untrusted locations or untrusted source IP addresses/ranges. ",
+ "impact": "
+ When configuring `Named locations`, the organization can create locations using geographical location data or by defining source IP addresses or ranges. Configuring `Named locations` using a Country location does not provide the organization the ability to mark those locations as trusted, and any Conditional Access policy relying on those `Countries location` setting will not be able to use the All trusted locations setting within the Conditional Access policy. They instead will have to rely on the `Select locations` setting. This may add additional resource requirements when configuring and will require thorough organizational testing.
+ In general, Conditional Access policies may completely prevent users from authenticating to Microsoft Entra ID, and thorough testing is recommended. To avoid complete lockout, a 'Break Glass' account with full Global Administrator rights is recommended in the event all other administrators are locked out of authenticating to Microsoft Entra ID. This 'Break Glass' account should be excluded from Conditional Access Policies and should be configured with the longest pass phrase feasible in addition to a FIDO2 security key or certificate kept in a very secure physical location. This account should only be used in the event of an emergency and complete administrator lockout.
+ *NOTE:* Starting July 2024, Microsoft will begin requiring MFA for All Users - including Break Glass Accounts. By the end of October 2024, this requirement will be enforced. Physical FIDO2 security keys, or a certificate kept on secure removable storage can fulfill this MFA requirement. If opting for a physical device, that device should be kept in a very secure, documented physical location.
+ ",
+ "remediation": {
+ "text": "
+ ###### Remediate from Azure Portal
+
+ 1. In the Azure Portal, navigate to `Microsoft Entra ID`
+ 2. Under `Manage`, click `Security`
+ 3. Under `Protect`, click `Conditional Access`
+ 4. Under `Manage`, click `Named locations`
+ 5. Within the `Named locations` blade, click on `IP ranges location`
+ 6. Enter a name for this location setting in the `Name` text box
+ 7. Click on the `+` sign
+ 8. Add an IP Address Range in CIDR notation inside the text box that appears
+ 9. Click on the `Add` button
+ 10. Repeat steps 7 through 9 for each IP Range that needs to be added
+ 11. If the information entered are trusted ranges, select the `Mark as trusted location` check box
+ 12. Once finished, click on `Create`
+ ",
+ "code": {
+ "powerShell": null,
+ "iac": null,
+ "terraform": null,
+ "other": null
+ }
+ },
+ "recommendation": null,
+ "references": [
+ "https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-assignment-network",
+ "https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-identity-management#im-7-restrict-resource-access-based-on--conditions",
+ "https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/security-emergency-access"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "3.0.0",
+ "reference": "2.2.1",
+ "profile": "Level 2"
+ }
+ ],
+ "level": "medium",
+ "tags": [
+
+ ],
+ "rule": {
+ "path": "",
+ "subPath": null,
+ "selectCondition": {
+
+ },
+ "query": [
+ ],
+ "shouldExist": "true",
+ "returnObject": null,
+ "removeIfNotExists": null
+ },
+ "output": {
+ "html": {
+ "data": {
+ },
+ "table": "Normal",
+ "decorate": [
+
+ ],
+ "emphasis": [
+
+ ],
+ "actions": {
+ "objectData": {
+ "properties": [
+ "*"
+ ],
+ "expandObject": "",
+ "limit": null
+ },
+ "showGoToButton": "False",
+ "showModalButton": "False",
+ "directLink": null
+ }
+ },
+ "text": {
+ "data": {
+ "properties": {
+ },
+ "expandObject": ""
+ },
+ "status": {
+ "keyName": [
+ ],
+ "message": "",
+ "defaultMessage": "Ensure Trusted Locations Are Defined"
+ },
+ "properties": {
+ },
+ "onlyStatus": true
+ }
+ },
+ "idSuffix": "eid_trusted_location_defined",
+ "notes": [
+
+ ],
+ "categories": [
+
+ ]
+}
+
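Review bot: The `rule` block has an empty `path` and `query` and no `"isManual": "true"` flag, yet sets `shouldExist` to `"true"`, so it is unclear whether this control is evaluated at all or reported as a manual check like its sibling rules; a rule that never fires is worse than none, because the tenant then appears compliant. The multi-line `impact` and `remediation.text` values contain raw newlines that RFC 8259 parsers reject, and the filename carries a double dot (`enabled..json`). Since the rationale notes that sign-ins from trusted ranges may face fewer access requirements, the impact text should caution that only egress ranges the organization controls be marked trusted — never shared NAT, ISP or commercial VPN ranges — and that the list be re-validated on network changes, e.g. `Only mark ranges the organization exclusively controls as trusted; a trusted range that attackers can also egress from weakens every policy that relies on it.`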
diff --git a/rules/findings/EntraID/Conditinal Access/CIS3.1/eid-cap-admin-center-limited-high-privileged-users.json b/rules/findings/EntraID/Conditinal Access/CIS3.1/eid-cap-admin-center-limited-high-privileged-users.json
new file mode 100644
index 00000000..d0603c78
--- /dev/null
+++ b/rules/findings/EntraID/Conditinal Access/CIS3.1/eid-cap-admin-center-limited-high-privileged-users.json
@@ -0,0 +1,116 @@
+{
+ "args": [
+
+ ],
+ "provider": "EntraID",
+ "serviceType": "Conditional Access",
+ "serviceName": "Microsoft Entra ID",
+ "displayName": "Enable Azure AD Identity Protection sign-in risk policies",
+ "description": "
+ When a Conditional Access policy targets the Microsoft Admin Portals cloud app, the policy is enforced for tokens issued to application IDs of the following Microsoft administrative portals:
+ * Azure portal
+ * Exchange admin center
+ * Microsoft 365 admin center
+ * Microsoft 365 Defender portal
+ * Microsoft Entra admin center
+ * Microsoft Intune admin center
+ * Microsoft Purview compliance portal
+ * Power Platform admin center
+ * SharePoint admin center
+ * Microsoft Teams admin center
+ Microsoft Admin Portals should be restricted to specific pre-determined administrative roles.
+ ",
+ "rationale": "By default, users can sign into the various portals but are restricted by what they can view. Blocking sign-in to Microsoft Admin Portals enhances security of sensitive data by restricting access to privileged users. This mitigates potential exposure due to administrative errors or software vulnerabilities introduced by a CSP, as well as acting as a defense in depth measure against security breaches.",
+ "impact": "PIM functionality will be impacted unless non-privileged users are first assigned to a permanent group or role that is excluded from this policy. When attempting to checkout a role in the Entra ID PIM area they will receive the message `You don't have access to this Your sign-in was successful but you don't have permission to access this resource`.",
+ "remediation": {
+ "text": "###### From Azure Console\r\n\t\t\t\t\t1. From Azure Home open the Portal Menu in top left, and select Microsoft Entra ID\r\n\t\t\t\t\t2. Scroll down in the menu on the left, and select `Security`\r\n\t\t\t\t\t3. Select on the left side `Conditional Access`\r\n\t\t\t\t\t4. Click the `+ New policy`",
+ "code": {
+ "powerShell": null,
+ "iac": null,
+ "terraform": null,
+ "other": null
+ }
+ },
+ "recommendation": null,
+ "references": [
+ "https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-cloud-apps#microsoft-admin-portals"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations Benchmark",
+ "version": "3.1.0",
+ "reference": "5.2.2.8",
+ "profile": "E3 Level 1"
+ }
+ ],
+ "level": "medium",
+ "tags": [
+
+ ],
+ "rule": {
+ "path": "",
+ "subPath": null,
+ "selectCondition": {
+
+ },
+ "query": [
+ ],
+ "shouldExist": "true",
+ "returnObject": null,
+ "removeIfNotExists": null
+ },
+ "output": {
+ "html": {
+ "data": {
+ "expandObject": null
+ },
+ "table": null,
+ "decorate": [
+
+ ],
+ "emphasis": [
+
+ ],
+ "actions": {
+ "objectData": {
+ "properties": [
+ "*"
+ ],
+ "expandObject": null,
+ "limit": null
+ },
+ "showGoToButton": false,
+ "showModalButton": false,
+ "directLink": null
+ }
+ },
+ "text": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "status": {
+ "keyName": [
+ ],
+ "message": "Ensure admin center access is limited to administrative roles",
+ "defaultMessage": null
+ },
+ "properties": {
+ "resourceName": "displayName",
+ "resourceId": "id",
+ "resourceType": "@odata.context"
+ },
+ "onlyStatus": true
+ }
+ },
+ "idSuffix": "aad_cap_admin_center_apps_not_enabled",
+ "notes": [
+
+ ],
+ "categories": [
+
+ ]
+}
+
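Review bot: The `displayName` of this new rule, `Enable Azure AD Identity Protection sign-in risk policies`, appears to be copied from the sign-in-risk rule and contradicts the rule's own status message; it should read `"displayName": "Ensure admin center access is limited to administrative roles",`. The `description` value spans several physical lines with unescaped line breaks inside the string, which RFC 8259 parsers reject (control characters must be escaped, as `remediation.text` in the same file already does with `\r\n`); the same pattern is in the description/rationale/impact strings of eid-cap-block-legacy-authentication-not-enabled.json, eid-cap-lack-sign-in-frequency-browser-persistent-session.json, eid-cap-sign-in-risk-policy-require-mfa.json, eid-cap-user-risk-policy-require-password-change.json, eid-linkedin-sync-enabled.json (its `remediation.text`) and eid-register-or-joined-devices-require-mfa-settings.json, so whether these rules load at all depends on how lenient the project's JSON loader is. With `"path": ""` and an empty `query` there is nothing for the engine to evaluate although `shouldExist` is `"true"`; if this is meant as a manual control, the `isManual` key this commit introduces in eid-non-admin-users-allowedto-create-tenants.json would state that explicitly (the same applies to the sign-in-risk, user-risk and sign-in-frequency rules). The `idSuffix` `aad_cap_admin_center_apps_not_enabled` keeps the `aad_` prefix that the renamed rules in this commit move to `eid_`, and its wording (`apps_not_enabled`) does not describe the control. The new directory name `Conditinal Access` is misspelled, so these files will presumably need another rename to `Conditional Access`.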
diff --git a/rules/findings/EntraId/Conditional Access/CIS1.5/aad-cap-block-basic-authentication-not-enabled.json b/rules/findings/EntraID/Conditinal Access/CIS3.1/eid-cap-block-legacy-authentication-not-enabled.json
similarity index 51%
rename from rules/findings/EntraId/Conditional Access/CIS1.5/aad-cap-block-basic-authentication-not-enabled.json
rename to rules/findings/EntraID/Conditinal Access/CIS3.1/eid-cap-block-legacy-authentication-not-enabled.json
index 6d762363..fdc5622d 100644
--- a/rules/findings/EntraId/Conditional Access/CIS1.5/aad-cap-block-basic-authentication-not-enabled.json
+++ b/rules/findings/EntraID/Conditinal Access/CIS3.1/eid-cap-block-legacy-authentication-not-enabled.json
@@ -1,14 +1,45 @@
-{
+{
"args": [
],
"provider": "EntraID",
"serviceType": "Conditional Access",
"serviceName": "Microsoft Entra ID",
- "displayName": "Ensure that a Conditional Access Policy exists to block legacy authentication",
- "description": "Use Conditional Access to block legacy authentication protocols in Office 365.",
- "rationale": "Legacy authentication protocols do not support multi-factor authentication. These protocols are often used by attackers because of this deficiency. Blocking legacy authentication makes it harder for attackers to gain access.",
- "impact": "Enablig this setting will prevent users from connecting with older versions of Office, ActiveSync or using protocols like IMAP, POP or SMTP and may require upgrades to older versions of Office, and use of mobile mail clients that support modern authentication.\r\n\t\tThere is also an increased cost, as Conditional Access policies require Microsoft Entra ID Premium. Similarly, MFA may require additional overhead to maintain. There is also a potential scenario in which the multi-factor authentication method can be lost, and administrative users are no longer able to log in. For this scenario, there should be an emergency access account. Please see References for creating this.",
+ "displayName": "Enable Conditional Access policies to block legacy authentication",
+ "description": "
+ Entra ID supports the most widely used authentication and authorization protocols including legacy authentication. This authentication pattern includes basic authentication, a widely used industry-standard method for collecting username and password information. The following messaging protocols support legacy authentication:
+ * Authenticated SMTP - Used to send authenticated email messages.
+ * Autodiscover - Used by Outlook and EAS clients to find and connect to
+ mailboxes in Exchange Online.
+ * Exchange ActiveSync (EAS) - Used to connect to mailboxes in Exchange Online.
+ * Exchange Online PowerShell - Used to connect to Exchange Online with remote
+ PowerShell. If you block Basic authentication for Exchange Online PowerShell,
+ you need to use the Exchange Online PowerShell Module to connect. For
+ instructions, see Connect to Exchange Online PowerShell using multifactor
+ authentication.
+ * Exchange Web Services (EWS) - A programming interface that's used by
+ Outlook, Outlook for Mac, and third-party apps.
+ * IMAP4 - Used by IMAP email clients.
+ * MAPI over HTTP (MAPI/HTTP) - Primary mailbox access protocol used by
+ Outlook 2010 SP2 and later.
+ * Offline Address Book (OAB) - A copy of address list collections that are
+ downloaded and used by Outlook.
+ * Outlook Anywhere (RPC over HTTP) - Legacy mailbox access protocol
+ supported by all current Outlook versions.
+ * POP3 - Used by POP email clients.
+ * Reporting Web Services - Used to retrieve report data in Exchange Online.
+ * Universal Outlook - Used by the Mail and Calendar app for Windows 10.
+ * Other clients - Other protocols identified as utilizing legacy authentication.
+ ",
+ "rationale": "
+ Legacy authentication protocols do not support multi-factor authentication. These protocols are often used by attackers because of this deficiency. Blocking legacy authentication makes it harder for attackers to gain access.
+ **NOTE** : As of October 2022 Microsoft began disabling basic authentication in all tenants, except for those who requested special exceptions it should no longer be available in most tenants beyond Dec 31, 2022. Despite this CIS recommends the CA policy to remain in place to act as a defense in depth measure.
+ ",
+ "impact": "
+ Enabling this setting will prevent users from connecting with older versions of Office, ActiveSync or using protocols like IMAP, POP or SMTP and may require upgrades to older versions of Office, and use of mobile mail clients that support modern authentication.
+ This will also cause multifunction devices such as printers from using scan to e-mail function if they are using a legacy authentication method. Microsoft has mail flow best practices in the link below which can be used to configure a MFP to work with modern authentication:
+ https://learn.microsoft.com/en-us/exchange/mail-flow-best-practices/how-to-set-up-a-multifunction-device-or-application-to-send-email-using-microsoft-365-or-office-365
+ ",
"remediation": {
"text": "###### From Azure Console\r\n\t\t\t\t\t1. From Azure Home open the Portal Menu in top left, and select Microsoft Entra ID\r\n\t\t\t\t\t2. Scroll down in the menu on the left, and select `Security`\r\n\t\t\t\t\t3. Select on the left side `Conditional Access`\r\n\t\t\t\t\t4. Click the `+ New policy`",
"code": {
@@ -28,9 +59,10 @@
],
"compliance": [
{
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.5.0",
- "reference": "1.1.6"
+ "name": "CIS Microsoft 365 Foundations Benchmark",
+ "version": "3.1.0",
+ "reference": "5.2.2.3",
+ "profile": "E3 Level 1"
}
],
"level": "medium",
@@ -105,7 +137,7 @@
"displayName": "Name",
"state": "Status",
"conditions.clientAppTypes": "Client App Types",
- "grantControls.operator": "Operator",
+ "grantControls.operator": "Operator",
"grantControls.builtInControls": "BuiltIn Controls"
},
"expandObject": null
@@ -119,13 +151,15 @@
],
"actions": {
"objectData": {
- "expand": [
+ "properties": [
"*"
],
+ "expandObject": null,
"limit": null
},
"showGoToButton": "True",
- "showModalButton": "True"
+ "showModalButton": "True",
+ "directLink": null
}
},
"text": {
@@ -150,7 +184,7 @@
"onlyStatus": true
}
},
- "idSuffix": "aad_cap_block_basic_auth",
+ "idSuffix": "eid_cap_block_basic_auth",
"notes": [
],
@@ -158,3 +192,4 @@
]
}
+
diff --git a/rules/findings/EntraId/Conditional Access/monkey/aad-cap-block-sign-in-risk-not-enabled.json b/rules/findings/EntraID/Conditinal Access/CIS3.1/eid-cap-lack-sign-in-frequency-browser-persistent-session.json
similarity index 50%
rename from rules/findings/EntraId/Conditional Access/monkey/aad-cap-block-sign-in-risk-not-enabled.json
rename to rules/findings/EntraID/Conditinal Access/CIS3.1/eid-cap-lack-sign-in-frequency-browser-persistent-session.json
index b3938ddf..9ed8868d 100644
--- a/rules/findings/EntraId/Conditional Access/monkey/aad-cap-block-sign-in-risk-not-enabled.json
+++ b/rules/findings/EntraID/Conditinal Access/CIS3.1/eid-cap-lack-sign-in-frequency-browser-persistent-session.json
@@ -1,14 +1,26 @@
-{
+{
"args": [
],
"provider": "EntraID",
"serviceType": "Conditional Access",
"serviceName": "Microsoft Entra ID",
- "displayName": "Ensure that a Conditional Access Policy exists to block sign-ins categorized as high risk",
- "description": "Use Conditional Access to block sign-ins categorized as high risk.",
- "rationale": "Blocking high-risk users may prevent compromised accounts from accessing the tenant.",
- "impact": "",
+ "displayName": "Ensure Sign-in frequency is enabled and browser sessions are not persistent for Administrative users",
+ "description": "
+ In complex deployments, organizations might have a need to restrict authentication sessions. Conditional Access policies allow for the targeting of specific user accounts. Some scenarios might include:
+
+ * Resource access from an unmanaged or shared device
+ * Access to sensitive information from an external network
+ * High-privileged users
+ * Business-critical applications
+
+ Ensure Sign-in frequency does not exceed 4 hours for E3 tenants, or 24 hours for E5 tenants using Privileged Identity Management. Ensure Persistent browser session is set to Never persist
+ ",
+ "rationale": "
+ Forcing a time out for MFA will help ensure that sessions are not kept alive for an indefinite period of time, ensuring that browser sessions are not persistent will help in prevention of drive-by attacks in web browsers, this also prevents creation and saving of session cookies leaving nothing for an attacker to take.",
+ "impact": "
+ Users with Administrative roles will be prompted at the frequency set for MFA.
+ ",
"remediation": {
"text": "###### From Azure Console\r\n\t\t\t\t\t1. From Azure Home open the Portal Menu in top left, and select Microsoft Entra ID\r\n\t\t\t\t\t2. Scroll down in the menu on the left, and select `Security`\r\n\t\t\t\t\t3. Select on the left side `Conditional Access`\r\n\t\t\t\t\t4. Click the `+ New policy`",
"code": {
@@ -24,70 +36,28 @@
"https://learn.microsoft.com/en-us/azure/active-directory/roles/security-emergency-access",
"https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/troubleshoot-conditional-access-what-if",
"https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/plan-conditional-access",
- "https://learn.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-identity-management#im-7-restrict-resource-access-based-on--conditions"
+ "https://learn.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-identity-management#im-7-restrict-resource-access-based-on--conditions",
+ "https://learn.microsoft.com/en-us/entra/identity/conditional-access/howto-conditional-access-session-lifetime"
],
"compliance": [
- "Monkey365"
+ {
+ "name": "CIS Microsoft 365 Foundations Benchmark",
+ "version": "3.1.0",
+ "reference": "5.2.2.4",
+ "profile": "E3 Level 1"
+ }
],
"level": "medium",
"tags": [
],
"rule": {
- "path": "aad_conditional_access_policy",
+ "path": "",
"subPath": null,
"selectCondition": {
},
"query": [
- {
- "operator": "and",
- "filter": [
- {
- "conditions": [
- [
- "state",
- "eq",
- "true"
- ],
- [
- "conditions.users.includeUsers",
- "eq",
- "All"
- ],
- [
- "conditions.applications.includeApplications",
- "eq",
- "All"
- ]
- ],
- "operator": "and"
- },
- {
- "conditions": [
- [
- "conditions.signInRiskLevels",
- "match",
- "high"
- ]
- ]
- }
- ]
- },
- {
- "connectOperator": "and",
- "filter": [
- {
- "conditions": [
- [
- "grantControls.builtInControls",
- "eq",
- "block"
- ]
- ]
- }
- ]
- }
],
"shouldExist": "true",
"returnObject": null,
@@ -96,18 +66,9 @@
"output": {
"html": {
"data": {
- "properties": {
- "displayName": "Name",
- "state": "Status",
- "conditions.applications.includeApplications": "Applications",
- "conditions.users.includeUsers": "Users",
- "conditions.signInRiskLevels": "SignIn Risk Levels",
- "grantControls.operator": "Operator",
- "grantControls.builtInControls": "BuiltIn Controls"
- },
"expandObject": null
},
- "table": null,
+ "table": "Normal",
"decorate": [
],
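Review bot: The only visible automated check for a Conditional Access policy that blocks high-risk sign-ins (`conditions.signInRiskLevels` match `high` combined with `grantControls.builtInControls` eq `block`) is gone after this hunk and the preceding one, which also empty `path` and drop the `html.data.properties` map, while the new eid-cap-sign-in-risk-policy-require-mfa.json likewise ships with an empty `path` and `query`; unless a check elsewhere covers it, the commit drops that detection rather than moving it. The renamed rule still declares `"shouldExist": "true"` and `"table": "Normal"` but has no query, so it cannot produce the sign-in-frequency / persistent-browser finding its `displayName` promises; a query over the policy's `sessionControls.signInFrequency` and `sessionControls.persistentBrowser` would be needed, or the rule should be marked manual.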
@@ -116,13 +77,15 @@
],
"actions": {
"objectData": {
- "expand": [
+ "properties": [
"*"
],
+ "expandObject": null,
"limit": null
},
- "showGoToButton": false,
- "showModalButton": false
+ "showGoToButton": "True",
+ "showModalButton": "True",
+ "directLink": null
}
},
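Review bot: `showGoToButton` and `showModalButton` change here from the boolean `false` to the string `"True"`, so the same keys are now a boolean in the new rule files of this commit and a string here (and in eid-cap-block-legacy-authentication-not-enabled.json); a consumer that tests the value for truthiness will also treat a `"False"` string as true. Keep one type across the rule set, e.g. `"showGoToButton": true,` / `"showModalButton": true,`.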
"text": {
@@ -134,20 +97,19 @@
},
"status": {
"keyName": [
- "displayName"
],
- "message": "The {displayName} policy is not configured to sign-Ins categorized as high risk",
+ "message": "Ensure Sign-in frequency is enabled and browser sessions are not persistent for Administrative users",
"defaultMessage": null
},
"properties": {
"resourceName": "displayName",
- "resourceId": "id",
+ "resourceId": "Id",
"resourceType": "@odata.context"
},
"onlyStatus": true
}
},
- "idSuffix": "aad_cap_block_signIn_risk",
+ "idSuffix": "eid_cap_sign_in_frequency_missing_policy",
"notes": [
],
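Review bot: `resourceId` changes from `"id"` to `"Id"` here, while the sibling rules in this commit keep `"id"` and Microsoft Graph conditionalAccessPolicy objects expose the property as lowercase `id`; if the renderer resolves property names case-sensitively the resource identifier will come back empty. Unless the capitalised form is deliberate, revert to `"resourceId": "id",`.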
@@ -155,3 +117,4 @@
]
}
+
diff --git a/rules/findings/EntraID/Conditinal Access/CIS3.1/eid-cap-sign-in-risk-policy-require-mfa.json b/rules/findings/EntraID/Conditinal Access/CIS3.1/eid-cap-sign-in-risk-policy-require-mfa.json
new file mode 100644
index 00000000..9fe22ec6
--- /dev/null
+++ b/rules/findings/EntraID/Conditinal Access/CIS3.1/eid-cap-sign-in-risk-policy-require-mfa.json
@@ -0,0 +1,111 @@
+{
+ "args": [
+
+ ],
+ "provider": "EntraID",
+ "serviceType": "Conditional Access",
+ "serviceName": "Microsoft Entra ID",
+ "displayName": "Enable Azure AD Identity Protection sign-in risk policies",
+ "description": "
+ Microsoft Entra ID Protection sign-in risk detects risks in real-time and offline. A risky sign-in is an indicator for a sign-in attempt that might not have been performed by the legitimate owner of a user account.
+ **Note** : While Identity Protection also provides two risk policies with limited conditions, Microsoft highly recommends setting up risk-based policies in Conditional Access as opposed to the `legacy method` for the following benefits:
+ * Enhanced diagnostic data
+ * Report-only mode integration
+ * Graph API support
+ * Use more Conditional Access attributes like sign-in frequency in the policy
+ ",
+ "rationale": "Turning on the sign-in risk policy ensures that suspicious sign-ins are challenged for multi-factor authentication.",
+ "impact": "When the policy triggers, the user will need MFA to access the account. In the case of a user who hasn't registered MFA on their account, they would be blocked from accessing their account. It is therefore recommended that the MFA registration policy be configured for all users who are a part of the Sign-in Risk policy.",
+ "remediation": {
+ "text": "###### From Azure Console\r\n\t\t\t\t\t1. From Azure Home open the Portal Menu in top left, and select Microsoft Entra ID\r\n\t\t\t\t\t2. Scroll down in the menu on the left, and select `Security`\r\n\t\t\t\t\t3. Select on the left side `Conditional Access`\r\n\t\t\t\t\t4. Click the `+ New policy`",
+ "code": {
+ "powerShell": null,
+ "iac": null,
+ "terraform": null,
+ "other": null
+ }
+ },
+ "recommendation": null,
+ "references": [
+ "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-risk-feedback",
+ "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations Benchmark",
+ "version": "3.1.0",
+ "reference": "5.2.2.7",
+ "profile": "E3 Level 2"
+ }
+ ],
+ "level": "medium",
+ "tags": [
+
+ ],
+ "rule": {
+ "path": "",
+ "subPath": null,
+ "selectCondition": {
+
+ },
+ "query": [
+ ],
+ "shouldExist": "true",
+ "returnObject": null,
+ "removeIfNotExists": null
+ },
+ "output": {
+ "html": {
+ "data": {
+ "expandObject": null
+ },
+ "table": null,
+ "decorate": [
+
+ ],
+ "emphasis": [
+
+ ],
+ "actions": {
+ "objectData": {
+ "properties": [
+ "*"
+ ],
+ "expandObject": null,
+ "limit": null
+ },
+ "showGoToButton": false,
+ "showModalButton": false,
+ "directLink": null
+ }
+ },
+ "text": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "status": {
+ "keyName": [
+ ],
+ "message": "Enable Entra ID Identity Protection sign-in risk policies",
+ "defaultMessage": null
+ },
+ "properties": {
+ "resourceName": "displayName",
+ "resourceId": "id",
+ "resourceType": "@odata.context"
+ },
+ "onlyStatus": true
+ }
+ },
+ "idSuffix": "aad_cap_sign_in_risk_policy",
+ "notes": [
+
+ ],
+ "categories": [
+
+ ]
+}
+
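Review bot: The `displayName` says `Azure AD Identity Protection` while the `message` in the same file says `Entra ID Identity Protection`; these are the finding's title and text, so they should use one product name, and `"displayName": "Enable Entra ID Identity Protection sign-in risk policies",` matches the user-risk sibling. The `idSuffix` `aad_cap_sign_in_risk_policy` keeps the `aad_` prefix, as does eid-cap-user-risk-policy-require-password-change.json, while the renamed rules in this commit move to `eid_`.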
diff --git a/rules/findings/EntraID/Conditinal Access/CIS3.1/eid-cap-user-risk-policy-require-password-change.json b/rules/findings/EntraID/Conditinal Access/CIS3.1/eid-cap-user-risk-policy-require-password-change.json
new file mode 100644
index 00000000..47d3b71e
--- /dev/null
+++ b/rules/findings/EntraID/Conditinal Access/CIS3.1/eid-cap-user-risk-policy-require-password-change.json
@@ -0,0 +1,111 @@
+{
+ "args": [
+
+ ],
+ "provider": "EntraID",
+ "serviceType": "Conditional Access",
+ "serviceName": "Microsoft Entra ID",
+ "displayName": "Enable Entra ID Identity Protection user risk policies",
+ "description": "
+ Microsoft Entra ID Protection user risk policies detect the probability that a user account has been compromised.
+ **Note** : While Identity Protection also provides two risk policies with limited conditions, Microsoft highly recommends setting up risk-based policies in Conditional Access as opposed to the `legacy method` for the following benefits:
+ * Enhanced diagnostic data
+ * Report-only mode integration
+ * Graph API support
+ * Use more Conditional Access attributes like sign-in frequency in the policy
+ ",
+ "rationale": "With the user risk policy turned on, Entra ID protection detects the probability that a user account has been compromised. Administrators can configure a user risk conditional access policy to automatically respond to a specific user risk level.",
+ "impact": "Upon policy activation, account access will be either blocked or the user will be required to use multi-factor authentication (MFA) and change their password. Users without registered MFA will be denied access, necessitating an admin to recover the account. To avoid inconvenience, it is advised to configure the MFA registration policy for all users under the User Risk policy. Additionally, users identified in the Risky Users section will be affected by this policy. To gain a better understanding of the impact on the organization's environment, the list of Risky Users should be reviewed before enforcing the policy.",
+ "remediation": {
+ "text": "###### From Azure Console\r\n\t\t\t\t\t1. From Azure Home open the Portal Menu in top left, and select Microsoft Entra ID\r\n\t\t\t\t\t2. Scroll down in the menu on the left, and select `Security`\r\n\t\t\t\t\t3. Select on the left side `Conditional Access`\r\n\t\t\t\t\t4. Click the `+ New policy`",
+ "code": {
+ "powerShell": null,
+ "iac": null,
+ "terraform": null,
+ "other": null
+ }
+ },
+ "recommendation": null,
+ "references": [
+ "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-risk-feedback",
+ "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations Benchmark",
+ "version": "3.1.0",
+ "reference": "5.2.2.6",
+ "profile": "E3 Level 2"
+ }
+ ],
+ "level": "medium",
+ "tags": [
+
+ ],
+ "rule": {
+ "path": "",
+ "subPath": null,
+ "selectCondition": {
+
+ },
+ "query": [
+ ],
+ "shouldExist": "true",
+ "returnObject": null,
+ "removeIfNotExists": null
+ },
+ "output": {
+ "html": {
+ "data": {
+ "expandObject": null
+ },
+ "table": null,
+ "decorate": [
+
+ ],
+ "emphasis": [
+
+ ],
+ "actions": {
+ "objectData": {
+ "properties": [
+ "*"
+ ],
+ "expandObject": null,
+ "limit": null
+ },
+ "showGoToButton": false,
+ "showModalButton": false,
+ "directLink": null
+ }
+ },
+ "text": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "status": {
+ "keyName": [
+ ],
+ "message": "Enable Entra ID Identity Protection user risk policies",
+ "defaultMessage": null
+ },
+ "properties": {
+ "resourceName": "displayName",
+ "resourceId": "id",
+ "resourceType": "@odata.context"
+ },
+ "onlyStatus": true
+ }
+ },
+ "idSuffix": "aad_cap_user_risk_policy",
+ "notes": [
+
+ ],
+ "categories": [
+
+ ]
+}
+
diff --git a/rules/findings/EntraId/Conditional Access/monkey/aad-ensure-phishing-resistant-mfa-for-high-privileged-users-missing-cap.json b/rules/findings/EntraID/Conditinal Access/CIS3.1/eid-ensure-phishing-resistant-mfa-for-high-privileged-users-missing-cap.json
similarity index 94%
rename from rules/findings/EntraId/Conditional Access/monkey/aad-ensure-phishing-resistant-mfa-for-high-privileged-users-missing-cap.json
rename to rules/findings/EntraID/Conditinal Access/CIS3.1/eid-ensure-phishing-resistant-mfa-for-high-privileged-users-missing-cap.json
index 27c6e4a7..309baba6 100644
--- a/rules/findings/EntraId/Conditional Access/monkey/aad-ensure-phishing-resistant-mfa-for-high-privileged-users-missing-cap.json
+++ b/rules/findings/EntraID/Conditinal Access/CIS3.1/eid-ensure-phishing-resistant-mfa-for-high-privileged-users-missing-cap.json
@@ -1,4 +1,4 @@
-{
+{
"args": [
],
@@ -28,8 +28,10 @@
],
"compliance": [
{
- "name": "Monkey365",
- "version": "0.91.3"
+ "name": "CIS Microsoft 365 Foundations Benchmark",
+ "version": "3.1.0",
+ "reference": "5.2.2.5",
+ "profile": "E3 Level 2"
}
],
"level": "medium",
@@ -117,13 +119,15 @@
],
"actions": {
"objectData": {
- "expand": [
+ "properties": [
"*"
],
+ "expandObject": null,
"limit": null
},
"showGoToButton": false,
- "showModalButton": false
+ "showModalButton": false,
+ "directLink": null
}
},
"text": {
@@ -156,3 +160,4 @@
]
}
+
diff --git a/rules/findings/EntraId/General/CIS1.4/aad-linkedin-sync-enabled.json b/rules/findings/EntraID/General/CIS3.0/eid-linkedin-sync-enabled.json
similarity index 56%
rename from rules/findings/EntraId/General/CIS1.4/aad-linkedin-sync-enabled.json
rename to rules/findings/EntraID/General/CIS3.0/eid-linkedin-sync-enabled.json
index 852d084b..60b20586 100644
--- a/rules/findings/EntraId/General/CIS1.4/aad-linkedin-sync-enabled.json
+++ b/rules/findings/EntraID/General/CIS3.0/eid-linkedin-sync-enabled.json
@@ -1,16 +1,22 @@
-{
+{
"args": [
],
"provider": "EntraID",
"serviceType": "General",
"serviceName": "Microsoft Entra ID",
- "displayName": "Ensure that LinkedIn contact synchronization is disabled",
- "description": "Consider to disable integration with LinkedIn as a measure to help prevent phishing scams.",
- "rationale": null,
- "impact": null,
+ "displayName": "Ensure 'LinkedIn account connections' is disabled",
+ "description": "LinkedIn account connections allow users to connect their Microsoft work or school account with LinkedIn. After a user connects their accounts, information and highlights from LinkedIn are available in some Microsoft apps and services.",
+ "rationale": "Disabling LinkedIn integration prevents potential phishing attacks and risk scenarios where an external party could accidentally disclose sensitive information.",
+ "impact": "Users will not be able to sync contacts or use LinkedIn integration.",
"remediation": {
- "text": null,
+ "text": "
+ ###### To disable LinkedIn account connections:
+ 1. Navigate to Microsoft Entra admin center https://entra.microsoft.com/.
+ 2. Click to expand Identity > Users select User settings.
+ 3. Under LinkedIn account connections select No.
+ 4. Click Save.
+ ",
"code": {
"powerShell": null,
"iac": null,
@@ -20,17 +26,18 @@
},
"recommendation": null,
"references": [
- "https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/methods-for-assigning-users-and-groups",
- "https://ezcloudinfo.com/2019/01/22/configure-access-panel-in-azure-active-directory/"
+ "https://learn.microsoft.com/en-us/azure/active-directory/enterprise-users/linkedin-integration",
+ "https://learn.microsoft.com/en-us/azure/active-directory/enterprise-users/linkedin-user-consent"
],
"compliance": [
{
- "name": "CIS Microsoft 365 Foundations",
- "version": "1.4.0",
- "reference": "1.1.14"
+ "name": "CIS Microsoft 365 Foundations Benchmark",
+ "version": "3.1.0",
+ "reference": "5.1.2.6",
+ "profile": "E3 Level 2"
}
],
- "level": "medium",
+ "level": "info",
"tags": [
],
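Review bot: `level` drops from `medium` to `info` while the new `rationale` cites phishing and accidental disclosure of sensitive information and the control is mapped to CIS E3 Level 2; the other E3 Level 2 controls in this commit (sign-in risk, user risk) stay at `medium`. If the downgrade is intentional it deserves a `notes` entry explaining why, otherwise keep `"level": "medium",`.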
@@ -78,11 +85,15 @@
],
"actions": {
"objectData": {
- "expand": null,
+ "properties": [
+
+ ],
+ "expandObject": null,
"limit": null
},
"showGoToButton": null,
- "showModalButton": null
+ "showModalButton": null,
+ "directLink": null
}
},
"text": {
@@ -107,7 +118,7 @@
"onlyStatus": false
}
},
- "idSuffix": "aad_linkedin_sync_enabled",
+ "idSuffix": "eid_linkedin_sync_enabled",
"notes": [
],
@@ -115,3 +126,4 @@
]
}
+
diff --git a/rules/findings/EntraId/General/CIS2.0/non-admin-users-allowedto-create-tenants.json b/rules/findings/EntraID/General/CIS3.0/eid-non-admin-users-allowedto-create-tenants.json
similarity index 54%
rename from rules/findings/EntraId/General/CIS2.0/non-admin-users-allowedto-create-tenants.json
rename to rules/findings/EntraID/General/CIS3.0/eid-non-admin-users-allowedto-create-tenants.json
index 1db82a28..878a96ba 100644
--- a/rules/findings/EntraId/General/CIS2.0/non-admin-users-allowedto-create-tenants.json
+++ b/rules/findings/EntraID/General/CIS3.0/eid-non-admin-users-allowedto-create-tenants.json
@@ -1,14 +1,14 @@
-{
+{
"args": [
],
"provider": "EntraID",
"serviceType": "General",
"serviceName": "Microsoft Entra ID",
- "displayName": "Ensure \u0027Restrict non-admin users from creating tenants\u0027 is set to \u0027Yes\u0027",
- "description": "Non-privileged users can create tenants in the Azure AD and Entra administration portal under Manage tenant. The creation of a tenant is recorded in the Audit log as category DirectoryManagement and activity Create Company. Anyone who creates a tenant becomes the Global Administrator of that tenant. The newly created tenant doesn\u0027t inherit any settings or configurations.",
- "rationale": "Restricting tenant creation prevents unauthorized or uncontrolled deployment of resources and ensures that the organization retains control over its infrastructure. User generation of shadow IT could lead to multiple, disjointed environments that can make it difficult for IT to manage and secure the organization\u0027s data, especially if other users in the organization began using these tenants for business purposes under the misunderstanding that they were secured by the organization\u0027s security team.",
- "impact": null,
+ "displayName": "Ensure that 'Restrict non-admin users from creating tenants' is set to 'Yes'",
+ "description": "Require administrators or appropriately delegated users to create new tenants.",
+ "rationale": "It is recommended to only allow an administrator to create new tenants. This prevent users from creating new Microsoft Entra ID or Azure AD B2C tenants and ensures that only authorized users are able to do so.",
+ "impact": "Enforcing this setting will ensure that only authorized users are able to create new tenants.",
"remediation": {
"text": null,
"code": {
@@ -20,14 +20,15 @@
},
"recommendation": null,
"references": [
- "https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/methods-for-assigning-users-and-groups",
- "https://ezcloudinfo.com/2019/01/22/configure-access-panel-in-azure-active-directory/"
+ "https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/users-default-permissions",
+ "https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#tenant-creator",
+ "https://blog.admindroid.com/disable-users-creating-new-azure-ad-tenants-in-microsoft-365/"
],
"compliance": [
{
- "name": "CIS Microsoft 365 Foundations",
- "version": "2.0.0",
- "reference": "1.1.22"
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "3.0.0",
+ "reference": "2.3"
}
],
"level": "medium",
@@ -55,6 +56,7 @@
]
}
],
+ "isManual":"false",
"shouldExist": null,
"returnObject": null,
"removeIfNotExists": null
@@ -76,13 +78,15 @@
],
"actions": {
"objectData": {
- "expand": [
+ "properties": [
"*"
],
+ "expandObject": null,
"limit": null
},
"showGoToButton": false,
- "showModalButton": false
+ "showModalButton": false,
+ "directLink": null
}
},
"text": {
@@ -107,7 +111,7 @@
"onlyStatus": false
}
},
- "idSuffix": "aad_non_admin_allowed_tenant_creation",
+ "idSuffix": "eid_non_admin_allowed_tenant_creation",
"notes": [
],
@@ -115,3 +119,4 @@
]
}
+
diff --git a/rules/findings/EntraId/Devices/CIS1.4/azure-activedirectory-devices-require-mfa-settings.json b/rules/findings/EntraID/General/CIS3.0/eid-register-or-joined-devices-require-mfa-settings.json
similarity index 76%
rename from rules/findings/EntraId/Devices/CIS1.4/azure-activedirectory-devices-require-mfa-settings.json
rename to rules/findings/EntraID/General/CIS3.0/eid-register-or-joined-devices-require-mfa-settings.json
index a4851caa..d5577f4d 100644
--- a/rules/findings/EntraId/Devices/CIS1.4/azure-activedirectory-devices-require-mfa-settings.json
+++ b/rules/findings/EntraID/General/CIS3.0/eid-register-or-joined-devices-require-mfa-settings.json
@@ -1,14 +1,17 @@
-{
+{
"args": [
],
"provider": "EntraID",
"serviceType": "General",
"serviceName": "Microsoft Entra ID",
- "displayName": "Joining devices to the active directory should require Multi-factor authentication",
- "description": "Multi-factor authentication is recommended when adding devices to Microsoft Entra ID. When set to \"Yes\", users who are adding devices from the internet must first use the second method of authentication before their device is successfully added to the directory. This ensures that rogue devices are not added to the directory for a compromised user account",
+ "displayName": "Ensure that 'Require Multifactor Authentication to register or join devices with Microsoft Entra' is set to 'Yes'",
+ "description": "
+ *NOTE:* This recommendation is only relevant if your subscription is using Per-User MFA. If your organization is licensed to use Conditional Access, the preferred method of requiring MFA to join devices to Entra ID is to use a Conditional Access policy (see additional information below for link).
+ Joining or registering devices to Microsoft Entra ID should require multi-factor authentication.
+ ",
"rationale": "Multi-factor authentication is recommended when adding devices to Microsoft Entra ID. When set to `Yes`, users who are adding devices from the internet must first use the second method of authentication before their device is successfully added to the directory. This ensures that rogue devices are not added to the directory for a compromised user account.",
- "impact": null,
+ "impact": "A slight impact of additional overhead, as Administrators will now have to approve every access to the domain.",
"remediation": {
"text": "###### From Azure Console\r\n\t\t\t\t\t1. Go to `Microsoft Entra ID`\r\n\t\t\t\t\t2. Go to `Devices`\r\n\t\t\t\t\t3. Go to `Device settings`\r\n\t\t\t\t\t4. Ensure that `Require Multi-Factor Auth to join devices` is set to `Yes`",
"code": {
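Review bot: The new `"description"` value spans several physical lines with raw line breaks inside the string, which RFC 8259 does not allow — a strict parser rejects the whole file, and the rest of this file encodes line breaks as `\r\n` escapes (see the unchanged `"remediation"."text"`). Collapse it to one line with `\r\n` (or `\n`) in place of the raw breaks; the same problem appears in the description and remediation text of eid-restrict-users-entra-portal.json and in the description and rationale of eid-public-group-detected.json later in this commit. The description also points the reader to "additional information below" for a Conditional Access link, but no such link is visible in this hunk, so check that it exists further down the file. Separately, the new displayName names the setting "Require Multifactor Authentication to register or join devices with Microsoft Entra" while the unchanged remediation steps still say `Require Multi-Factor Auth to join devices`; aligning the two avoids sending an operator to look for a label that no longer exists.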
@@ -28,8 +31,9 @@
"compliance": [
{
"name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "1.19"
+ "version": "3.0.0",
+ "reference": "2.22",
+ "profile":"Level 1"
}
],
"level": "medium",
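Review bot: `"profile":"Level 1"` is written without the space after the colon, whereas the same key added elsewhere in this commit reads `"profile": "Level 1"` (restrict-admin-center, group-features, m365-groups rules). The no-space form recurs in the owners-can-manage-group-membership, users-can-create-security-groups, guest-invite-restriction and guest-object-restriction rules. Normalising these through a formatter (`jq .` or `python -m json.tool`) before merging keeps diffs of these rule files uniform.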
@@ -80,11 +84,15 @@
],
"actions": {
"objectData": {
- "expand": null,
+ "properties": [
+
+ ],
+ "expandObject": null,
"limit": null
},
"showGoToButton": null,
- "showModalButton": null
+ "showModalButton": null,
+ "directLink": null
}
},
"text": {
@@ -109,7 +117,7 @@
"onlyStatus": false
}
},
- "idSuffix": "aad_mfa_devices_disabled",
+ "idSuffix": "eid_mfa_devices_disabled",
"notes": [
],
@@ -117,3 +125,4 @@
]
}
+
diff --git a/rules/findings/EntraId/General/CIS1.4/azure-activedirectory-restrict-users-ad-portal.json b/rules/findings/EntraID/General/CIS3.0/eid-restrict-users-entra-portal.json
similarity index 67%
rename from rules/findings/EntraId/General/CIS1.4/azure-activedirectory-restrict-users-ad-portal.json
rename to rules/findings/EntraID/General/CIS3.0/eid-restrict-users-entra-portal.json
index b8b5a57d..384a0793 100644
--- a/rules/findings/EntraId/General/CIS1.4/azure-activedirectory-restrict-users-ad-portal.json
+++ b/rules/findings/EntraID/General/CIS3.0/eid-restrict-users-entra-portal.json
@@ -1,16 +1,26 @@
-{
+{
"args": [
],
"provider": "EntraID",
"serviceType": "General",
"serviceName": "Microsoft Entra ID",
- "displayName": "Restrict access to the Microsoft Entra ID administration portal to administrators only",
- "description": "Consider to prevent that regular users users can access to Microsoft Entra ID portal. By default, any user under Microsoft Entra ID can access to the Microsoft Entra ID portal event if they are not assigned to an administrator role.",
- "rationale": "The Microsoft Entra ID administrative portal has sensitive data. All non-administrators should be prohibited from accessing any Microsoft Entra ID data in the administration portal to avoid exposure.",
- "impact": null,
+ "displayName": "Ensure That 'Restrict access to Microsoft Entra admin center' is Set to 'Yes'",
+ "description": "
+ Restrict access to the Microsoft Entra ID administration center to administrators only.
+ *NOTE:* This only affects access to the Entra ID administrator's web portal. This setting does not prohibit privileged users from using other methods such as Rest API or Powershell to obtain sensitive information from Microsoft Entra ID.
+ ",
+ "rationale": "The Microsoft Entra ID administrative center has sensitive data and permission settings. All non-administrators should be prohibited from accessing any Microsoft Entra ID data in the administration center to avoid exposure.",
+ "impact": "All administrative tasks will need to be done by Administrators, causing additional overhead in management of users and resources.",
"remediation": {
- "text": "###### From Azure Console\r\n\t\t\t\t\t1. Go to `Microsoft Entra ID`\r\n\t\t\t\t\t2. Go to `Users`\r\n\t\t\t\t\t3. Go to `User settings`\r\n\t\t\t\t\t4. Ensure that `Restrict access to Microsoft Entra ID administration portal` is set to `Yes`",
+ "text": "###### From Azure Console
+ 1. From Azure Home select the Portal Menu
+ 2. Select Microsoft Entra ID
+ 3. Under Manage, select Users
+ 4. Under Manage, select User settings
+ 5. Under Administration centre, set Restrict access to Microsoft Entra admin center to Yes
+ 6. Click Save
+ ",
"code": {
"powerShell": null,
"iac": null,
@@ -31,8 +41,9 @@
"compliance": [
{
"name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "1.14"
+ "version": "3.0.0",
+ "reference": "2.17",
+ "profile": "Level 1"
}
],
"level": "medium",
@@ -84,11 +95,15 @@
],
"actions": {
"objectData": {
- "expand": null,
+ "properties": [
+
+ ],
+ "expandObject": null,
"limit": null
},
"showGoToButton": null,
- "showModalButton": null
+ "showModalButton": null,
+ "directLink": null
}
},
"text": {
@@ -113,7 +128,7 @@
"onlyStatus": false
}
},
- "idSuffix": "aad_restrict_users_ad_portal",
+ "idSuffix": "eid_restrict_users_ad_portal",
"notes": [
],
@@ -121,3 +136,4 @@
]
}
+
diff --git a/rules/findings/EntraId/General/CIS1.4/aad-password-hash-sync-disabled.json b/rules/findings/EntraID/General/CIS3.1/eid-password-hash-sync-disabled.json
similarity index 92%
rename from rules/findings/EntraId/General/CIS1.4/aad-password-hash-sync-disabled.json
rename to rules/findings/EntraID/General/CIS3.1/eid-password-hash-sync-disabled.json
index 5a61b12e..b2027ec1 100644
--- a/rules/findings/EntraId/General/CIS1.4/aad-password-hash-sync-disabled.json
+++ b/rules/findings/EntraID/General/CIS3.1/eid-password-hash-sync-disabled.json
@@ -1,4 +1,4 @@
-{
+{
"args": [
],
@@ -24,9 +24,10 @@
],
"compliance": [
{
- "name": "CIS Microsoft 365 Foundations",
- "version": "1.4.0",
- "reference": "1.1.7"
+ "name": "CIS Microsoft 365 Foundations Benchmark",
+ "version": "3.1.0",
+ "reference": "5.1.8.1",
+ "profile": "E3 Level 1"
}
],
"level": "medium",
@@ -86,13 +87,15 @@
],
"actions": {
"objectData": {
- "expand": [
+ "properties": [
"*"
],
+ "expandObject": null,
"limit": null
},
"showGoToButton": false,
- "showModalButton": false
+ "showModalButton": false,
+ "directLink": null
}
},
"text": {
@@ -117,7 +120,7 @@
"onlyStatus": false
}
},
- "idSuffix": "aad_hash_sync_disabled",
+ "idSuffix": "eid_hash_sync_disabled",
"notes": [
],
@@ -125,3 +128,4 @@
]
}
+
diff --git a/rules/findings/EntraId/Groups/CIS1.4/azure-activedirectory-owners-can-manage-group-membership-enabled.json b/rules/findings/EntraID/Groups/CIS3.0/eid-owners-can-manage-group-membership-enabled.json
similarity index 90%
rename from rules/findings/EntraId/Groups/CIS1.4/azure-activedirectory-owners-can-manage-group-membership-enabled.json
rename to rules/findings/EntraID/Groups/CIS3.0/eid-owners-can-manage-group-membership-enabled.json
index c6bde2b9..122c8c2a 100644
--- a/rules/findings/EntraId/Groups/CIS1.4/azure-activedirectory-owners-can-manage-group-membership-enabled.json
+++ b/rules/findings/EntraID/Groups/CIS3.0/eid-owners-can-manage-group-membership-enabled.json
@@ -1,11 +1,11 @@
-{
+{
"args": [
],
"provider": "EntraID",
"serviceType": "Groups",
"serviceName": "Microsoft Entra ID",
- "displayName": "Ensure that \u0027Owners can manage group membership requests in the Access Panel\u0027 is set to \u0027No\u0027",
+ "displayName": "Ensure that 'Owners can manage group membership requests in My Groups' is set to 'No'",
"description": "Consider to prevent that regular users can manage security groups.",
"rationale": "Restricting security group management to administrators only prohibits users from making changes to security groups. This ensures that security groups are appropriately managed and their management is not delegated to non-administrators.",
"impact": null,
@@ -30,8 +30,9 @@
"compliance": [
{
"name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "1.17"
+ "version": "3.0.0",
+ "reference": "2.20",
+ "profile":"Level 2"
}
],
"level": "medium",
@@ -80,13 +81,15 @@
],
"actions": {
"objectData": {
- "expand": [
+ "properties": [
"*"
],
+ "expandObject": null,
"limit": null
},
"showGoToButton": false,
- "showModalButton": false
+ "showModalButton": false,
+ "directLink": null
}
},
"text": {
@@ -111,7 +114,7 @@
"onlyStatus": false
}
},
- "idSuffix": "aad_security_group_management_not_restricted",
+ "idSuffix": "eid_security_group_management_not_restricted",
"notes": [
],
@@ -119,3 +122,4 @@
]
}
+
diff --git a/rules/findings/EntraId/Groups/CIS1.5/azure-ad-group-features-disabled.json b/rules/findings/EntraID/Groups/CIS3.0/eid-user-ability-to access-group-features-disabled.json
similarity index 70%
rename from rules/findings/EntraId/Groups/CIS1.5/azure-ad-group-features-disabled.json
rename to rules/findings/EntraID/Groups/CIS3.0/eid-user-ability-to access-group-features-disabled.json
index 3fd7c196..9189fcdc 100644
--- a/rules/findings/EntraId/Groups/CIS1.5/azure-ad-group-features-disabled.json
+++ b/rules/findings/EntraID/Groups/CIS3.0/eid-user-ability-to access-group-features-disabled.json
@@ -1,13 +1,13 @@
-{
+{
"args": [
],
"provider": "EntraID",
"serviceType": "Groups",
"serviceName": "Microsoft Entra ID",
- "displayName": "Ensure that \u0027Restrict user ability to access groups features in the Access Pane\u0027 is Set to \u0027Yes\u0027",
- "description": "Restricts group creation to administrators with permissions only.",
- "rationale": "Self-service group management enables users to create and manage security groups or Office 365 groups in Microsoft Entra ID (Azure Active Directory). Unless a business requires this day-to-day delegation for some users, self-service group management should be disabled.",
+ "displayName": "Ensure that 'Restrict user ability to access groups features in the Access Pane' is Set to 'Yes'",
+ "description": "Restrict access to group web interface in the Access Panel portal.",
+ "rationale": "Self-service group management enables users to create and manage security groups or Office 365 groups in Microsoft Entra ID. Unless a business requires this day-to-day delegation for some users, self-service group management should be disabled. Any user can access the Access Panel, where they can reset their passwords, view their information, etc. By default, users are also allowed to access the Group feature, which shows groups, members, related resources (SharePoint URL, Group email address, Yammer URL, and Teams URL). By setting this feature to 'Yes', users will no longer have access to the web interface, but still have access to the data using the API. This is useful to prevent non-technical users from enumerating groups-related information, but technical users will still be able to access this information using APIs.",
"impact": "Setting to `Yes` could create administrative overhead by customers seeking certain group memberships that will have to be manually managed by administrators with appropriate permissions.",
"remediation": {
"text": "###### From Azure Console\r\n\t\t\t\t\t1. Go to `Microsoft Entra ID`\r\n\t\t\t\t\t2. Go to `Groups`\r\n\t\t\t\t\t3. Go to `General`\r\n\t\t\t\t\t4. Ensure that `Restrict user ability to access groups features in the Access Pane` is set to `Yes`",
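Review bot: The rename target in this file's header, `eid-user-ability-to access-group-features-disabled.json`, contains a space between "to" and "access", which looks like a typo for a hyphen and will trip shell globs and scripts that enumerate the rules directory unquoted. Rename it to `eid-user-ability-to-access-group-features-disabled.json` to match the hyphenated naming of every other rule file in this commit. The content changes in the hunk itself (dropping the `\u0027` escapes and expanding the rationale) look fine.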
@@ -27,8 +27,9 @@
"compliance": [
{
"name": "CIS Microsoft Azure Foundations",
- "version": "1.5.0",
- "reference": "1.18"
+ "version": "3.0.0",
+ "reference": "2.18",
+ "profile": "Level 2"
}
],
"level": "medium",
@@ -77,13 +78,15 @@
],
"actions": {
"objectData": {
- "expand": [
+ "properties": [
"*"
],
+ "expandObject": null,
"limit": null
},
"showGoToButton": false,
- "showModalButton": false
+ "showModalButton": false,
+ "directLink": null
}
},
"text": {
@@ -108,7 +111,7 @@
"onlyStatus": false
}
},
- "idSuffix": "aad_group_features_enabled",
+ "idSuffix": "eid_group_features_enabled",
"notes": [
],
@@ -116,3 +119,4 @@
]
}
+
diff --git a/rules/findings/EntraId/Groups/CIS1.4/azure-activedirectory-users-can-create-o365-groups.json b/rules/findings/EntraID/Groups/CIS3.0/eid-users-can-create-m365-groups.json
similarity index 85%
rename from rules/findings/EntraId/Groups/CIS1.4/azure-activedirectory-users-can-create-o365-groups.json
rename to rules/findings/EntraID/Groups/CIS3.0/eid-users-can-create-m365-groups.json
index 4cd1eaf7..be10e499 100644
--- a/rules/findings/EntraId/Groups/CIS1.4/azure-activedirectory-users-can-create-o365-groups.json
+++ b/rules/findings/EntraID/Groups/CIS3.0/eid-users-can-create-m365-groups.json
@@ -1,12 +1,12 @@
-{
+{
"args": [
],
"provider": "EntraID",
"serviceType": "Groups",
"serviceName": "Microsoft Entra ID",
- "displayName": "Restrict Office 365 group creation to administrators only",
- "description": "Consider to limit that regular users the ability to create Office365 groups. When this settings is enabled, all users in the Azure directory are allowed to create new Office365 groupd and add members to these groups.",
+ "displayName": "Ensure that 'Users can create Microsoft 365 groups in Azure portals, API or PowerShell' is set to 'No'",
+ "description": "Consider to limit that regular users the ability to create Microsoft 365 groups. When this settings is enabled, all users in the Microsoft Entra ID are allowed to create new Microsoft 365 groupd and add members to these groups.",
"rationale": "Restricting Microsoft 365 group creation to administrators only ensures that creation of Microsoft 365 groups is controlled by the administrator. Appropriate groups should be created and managed by the administrator and group creation rights should not be delegated to any other use.",
"impact": "Enabling this setting could create a number of request that would need to be managed by an administrator.",
"remediation": {
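Review bot: The rewritten `"description"` keeps the grammar and spelling errors of the old line ("Consider to limit that regular users the ability", "this settings", "groupd") even though the line was touched to rename Office 365 to Microsoft 365; since this text is shown to operators in reports it is worth fixing now. Suggested value: `"description": "Consider limiting the ability of regular users to create Microsoft 365 groups. When this setting is enabled, all users in Microsoft Entra ID are allowed to create new Microsoft 365 groups and add members to these groups.",`. The unchanged rationale line ends with "any other use", presumably "user", which could be corrected in the same pass.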
@@ -33,8 +33,9 @@
"compliance": [
{
"name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "1.18"
+ "version": "3.0.0",
+ "reference": "2.21",
+ "profile": "Level 2"
}
],
"level": "medium",
@@ -80,7 +81,7 @@
"displayName": "Display Name",
"usersCanRegisterApps": "Users can register apps",
"restrictNonAdminUsers": "Restrict non-admin users",
- "office365GroupsEnabled": "Office 365 group enabled"
+ "office365GroupsEnabled": "Microsoft 365 group enabled"
},
"expandObject": null
},
@@ -89,15 +90,19 @@
],
"emphasis": [
- "Office 365 group enabled"
+ "Microsoft 365 group enabled"
],
"actions": {
"objectData": {
- "expand": null,
+ "properties": [
+
+ ],
+ "expandObject": null,
"limit": null
},
"showGoToButton": null,
- "showModalButton": null
+ "showModalButton": null,
+ "directLink": null
}
},
"text": {
@@ -122,7 +127,7 @@
"onlyStatus": false
}
},
- "idSuffix": "aad_restrict_o365_group_creation_admins",
+ "idSuffix": "eid_restrict_m365_group_creation_admins",
"notes": [
],
@@ -130,3 +135,4 @@
]
}
+
diff --git a/rules/findings/EntraId/Groups/CIS1.5/azure-ad-users-can-create-security-groups.json b/rules/findings/EntraID/Groups/CIS3.0/eid-users-can-create-security-groups.json
similarity index 87%
rename from rules/findings/EntraId/Groups/CIS1.5/azure-ad-users-can-create-security-groups.json
rename to rules/findings/EntraID/Groups/CIS3.0/eid-users-can-create-security-groups.json
index 25b8abb4..c0f24445 100644
--- a/rules/findings/EntraId/Groups/CIS1.5/azure-ad-users-can-create-security-groups.json
+++ b/rules/findings/EntraID/Groups/CIS3.0/eid-users-can-create-security-groups.json
@@ -1,12 +1,12 @@
-{
+{
"args": [
],
"provider": "EntraID",
"serviceType": "Groups",
"serviceName": "Microsoft Entra ID",
- "displayName": "Ensure that \u0027Users can create security groups in Azure portals, API or PowerShell\u0027 is set to \u0027No\u0027",
- "description": "Consider to prevent that regular users can create security groups. When this settings is enabled, all users in the Azure directory are allowed to create new security groups and add members to these groups.",
+ "displayName": "Ensure that 'Users can create security groups in Azure portals, API or PowerShell' is set to 'No'",
+ "description": "Restrict security group creation to administrators only.",
"rationale": "When creating security groups is enabled, all users in the directory are allowed to create new security groups and add members to those groups. Unless a business requires this day-to-day delegation, security group creation should be restricted to administrators only.",
"impact": "Enabling this setting could create a number of request that would need to be managed by an administrator.",
"remediation": {
@@ -32,8 +32,9 @@
"compliance": [
{
"name": "CIS Microsoft Azure Foundations",
- "version": "1.5.0",
- "reference": "1.19"
+ "version": "3.0.0",
+ "reference": "2.19",
+ "profile":"Level 2"
}
],
"level": "medium",
@@ -84,11 +85,15 @@
],
"actions": {
"objectData": {
- "expand": null,
+ "properties": [
+
+ ],
+ "expandObject": null,
"limit": null
},
"showGoToButton": null,
- "showModalButton": null
+ "showModalButton": null,
+ "directLink": null
}
},
"text": {
@@ -113,7 +118,7 @@
"onlyStatus": false
}
},
- "idSuffix": "aad_restrict_security_group_creation_admins",
+ "idSuffix": "eid_restrict_security_group_creation_admins",
"notes": [
],
@@ -121,3 +126,4 @@
]
}
+
diff --git a/rules/findings/EntraID/Groups/CIS3.1/eid-dynamic-group-for-guest-users-not-present.json b/rules/findings/EntraID/Groups/CIS3.1/eid-dynamic-group-for-guest-users-not-present.json
new file mode 100644
index 00000000..45a13bea
--- /dev/null
+++ b/rules/findings/EntraID/Groups/CIS3.1/eid-dynamic-group-for-guest-users-not-present.json
@@ -0,0 +1,104 @@
+{
+ "args": [
+
+ ],
+ "provider": "EntraID",
+ "serviceType": "Groups",
+ "serviceName": "Microsoft Entra ID",
+ "displayName": "Ensure a dynamic group for guest users is created",
+ "description": "A dynamic group is a dynamic configuration of security group membership for Microsoft Entra ID. Administrators can set rules to populate groups that are created in Entra ID based on user attributes (such as userType, department, or country/region). Members can be automatically added to or removed from a security group based on their attributes. The recommended state is to create a dynamic group that includes guest accounts.",
+ "rationale": "Dynamic groups allow for an automated method to assign group membership. Guest user accounts will be automatically added to this group and through this existing conditional access rules, access controls and other security measures will ensure that new guest accounts are restricted in the same manner as existing guest accounts.",
+ "impact": null,
+ "remediation": {
+ "text": "",
+ "code": {
+ "powerShell": null,
+ "iac": null,
+ "terraform": null,
+ "other": null
+ }
+ },
+ "recommendation": null,
+ "references": [
+ "https://learn.microsoft.com/en-us/azure/active-directory/enterprise-users/groups-create-rule",
+ "https://learn.microsoft.com/en-us/azure/active-directory/enterprise-users/groups-dynamic-membership",
+ "https://learn.microsoft.com/en-us/azure/active-directory/external-identities/use-dynamic-groups"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations Benchmark",
+ "version": "3.1.0",
+ "reference": "5.1.3.1",
+ "profile": "E3 Level 1"
+ }
+ ],
+ "level": "low",
+ "tags": [
+ ],
+ "rule": {
+ "path": "",
+ "subPath": null,
+ "selectCondition": {
+
+ },
+ "query": [
+ ],
+ "shouldExist": "true",
+ "returnObject": null,
+ "removeIfNotExists": null
+ },
+ "output": {
+ "html": {
+ "data": {
+ "expandObject": null
+ },
+ "table": "Normal",
+ "decorate": [
+
+ ],
+ "emphasis": [
+
+ ],
+ "actions": {
+ "objectData": {
+ "properties": [
+ ],
+ "expandObject": null,
+ "limit": null
+ },
+ "showGoToButton": "True",
+ "showModalButton": "True",
+ "directLink": null
+ }
+ },
+ "text": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "status": {
+ "keyName": [
+
+ ],
+ "message": "Ensure a dynamic group for guest users is created",
+ "defaultMessage": null
+ },
+ "properties": {
+ "resourceName": null,
+ "resourceId": null,
+ "resourceType": null
+ },
+ "onlyStatus": false
+ }
+ },
+ "idSuffix": "eid_dynamic_group_for_guests_not_enabled",
+ "notes": [
+
+ ],
+ "categories": [
+
+ ]
+}
+
diff --git a/rules/findings/EntraID/Groups/CIS3.1/eid-public-group-detected.json b/rules/findings/EntraID/Groups/CIS3.1/eid-public-group-detected.json
new file mode 100644
index 00000000..0bab1adc
--- /dev/null
+++ b/rules/findings/EntraID/Groups/CIS3.1/eid-public-group-detected.json
@@ -0,0 +1,114 @@
+{
+ "args": [
+
+ ],
+ "provider": "EntraID",
+ "serviceType": "Groups",
+ "serviceName": "Microsoft Entra ID",
+ "displayName": "Ensure that only organizationally managed/approved public groups exist",
+ "description": "
+ Microsoft 365 Groups is the foundational membership service that drives all teamwork across Microsoft 365. With Microsoft 365 Groups, you can give a group of people access to a collection of shared resources. While there are several different group types this recommendation concerns *Microsoft 365 Groups*.
+ In the Administration panel, when a group is created, the default privacy value is `Public`.
+ ",
+ "rationale": "
+ Ensure that only organizationally managed and approved public groups exist. When a group has a `public` privacy, users may access data related to this group (e.g. SharePoint), through three methods:
+ * By using the Azure portal, and adding themselves into the public group
+ * By requesting access to the group from the Group application of the Access Panel
+ * By accessing the SharePoint URL
+ Administrators are notified when a user uses the Azure Portal. Requesting access to the group forces users to send a message to the group owner, but they still have immediate access to the group. The SharePoint URL is usually guessable and can be found from the Group application of the Access Panel. If group privacy is not controlled, any user may access sensitive information, according to the group they try to access. Note: Public in this case means public to the identities within the organization.
+ ",
+ "impact": "If the recommendation is applied, group owners could receive more access requests than usual, especially regarding groups originally meant to be public.",
+ "remediation": {
+ "text": "",
+ "code": {
+ "powerShell": null,
+ "iac": null,
+ "terraform": null,
+ "other": null
+ }
+ },
+ "recommendation": null,
+ "references": [
+ "https://learn.microsoft.com/en-us/azure/active-directory/enterprise-users/groups-self-service-management",
+ "https://learn.microsoft.com/en-us/microsoft-365/admin/create-groups/compare-groups?view=o365-worldwide"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "3.1.0",
+ "reference": "1.2.1",
+ "profile": "E3 Level 2"
+ }
+ ],
+ "level": "medium",
+ "tags": [
+
+ ],
+ "rule": {
+ "path": "",
+ "subPath": null,
+ "selectCondition": {
+
+ },
+ "query": [
+ ],
+ "shouldExist": null,
+ "returnObject": null,
+ "removeIfNotExists": "true"
+ },
+ "output": {
+ "html": {
+ "data": {
+ "expandObject": null
+ },
+ "table": "Normal",
+ "decorate": [
+
+ ],
+ "emphasis": [
+
+ ],
+ "actions": {
+ "objectData": {
+ "properties": [
+ "*"
+ ],
+ "expandObject": null,
+ "limit": null
+ },
+ "showGoToButton": "False",
+ "showModalButton": "False",
+ "directLink": null
+ }
+ },
+ "text": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "status": {
+ "keyName": [
+
+ ],
+ "message": "Ensure Guest Users are reviewed at least biweekly",
+ "defaultMessage": "Ensure Guest Users are reviewed at least biweekly"
+ },
+ "properties": {
+ "resourceName": null,
+ "resourceId": null,
+ "resourceType": null
+ },
+ "onlyStatus": true
+ }
+ },
+ "idSuffix": "eid_lack_emergency_account",
+ "notes": [
+
+ ],
+ "categories": [
+
+ ]
+}
+
diff --git a/rules/findings/EntraID/Guest/CIS3.0/eid-ensure-guest-users-are-reviewed.json b/rules/findings/EntraID/Guest/CIS3.0/eid-ensure-guest-users-are-reviewed.json
new file mode 100644
index 00000000..74977695
--- /dev/null
+++ b/rules/findings/EntraID/Guest/CIS3.0/eid-ensure-guest-users-are-reviewed.json
@@ -0,0 +1,124 @@
+{
+ "args": [
+
+ ],
+ "provider": "EntraID",
+ "serviceType": "General",
+ "serviceName": "Microsoft Entra ID",
+ "displayName": "Ensure Guest Users Are Reviewed on a Regular Basis",
+ "description": "Microsoft Entra ID has native and extended identity functionality allowing you to invite people from outside your organization to be guest users in your cloud account and sign in with their own work, school, or social identities",
+ "rationale": "Guest users are typically added outside your employee on-boarding/off-boarding process and could potentially be overlooked indefinitely. To prevent this, guest users should be reviewed on a regular basis. During this audit, guest users should also be determined to not have administrative privileges.",
+ "impact": "Before removing guest users, determine their use and scope. Like removing any user, there may be unforeseen consequences to systems if an account is removed without careful consideration.",
+ "remediation": {
+ "text": null,
+ "code": {
+ "powerShell": null,
+ "iac": null,
+ "terraform": null,
+ "other": null
+ }
+ },
+ "recommendation": null,
+ "references": [
+ "https://learn.microsoft.com/en-us/entra/external-id/user-properties",
+ "https://learn.microsoft.com/en-us/entra/fundamentals/how-to-create-delete-users#delete-a-user",
+ "https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-privileged-access#pa-4-review-and-reconcile-user-access-regularly",
+ "https://www.microsoft.com/en-us/security/business/identity-access-management/azure-ad-pricing",
+ "https://learn.microsoft.com/en-us/entra/identity/monitoring-health/howto-manage-inactive-user-accounts",
+ "https://learn.microsoft.com/en-us/entra/fundamentals/users-restore"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "3.0.0",
+ "reference": "2.4"
+ }
+ ],
+ "level": "medium",
+ "tags": [
+
+ ],
+ "rule": {
+ "path": "aad_domain_users",
+ "subPath": null,
+ "selectCondition": {
+
+ },
+ "query": [
+ {
+ "filter": [
+ {
+ "conditions": [
+ [
+ "userType",
+ "ne",
+ "Member"
+ ]
+ ]
+ }
+ ]
+ }
+ ],
+ "shouldExist": null,
+ "returnObject": null,
+ "removeIfNotExists": null
+ },
+ "output": {
+ "html": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "table": null,
+ "decorate": [
+
+ ],
+ "emphasis": [
+
+ ],
+ "actions": {
+ "objectData": {
+ "properties": [
+ "*"
+ ],
+ "expandObject": null,
+ "limit": null
+ },
+ "showGoToButton": false,
+ "showModalButton": false,
+ "directLink": null
+ }
+ },
+ "text": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "status": {
+ "keyName": [
+
+ ],
+ "message": "",
+ "defaultMessage": "Ensure Guest Users Are Reviewed on a Regular Basis"
+ },
+ "properties": {
+ "resourceName": null,
+ "resourceId": null,
+ "resourceType": null
+ },
+ "onlyStatus": false
+ }
+ },
+ "idSuffix": "eid_guest_users_present",
+ "notes": [
+
+ ],
+ "categories": [
+
+ ]
+}
+
diff --git a/rules/findings/EntraId/Users/CIS1.5/azure-ad-guest-invite-restriction-disabled.json b/rules/findings/EntraID/Guest/CIS3.0/eid-guest-invite-restriction-disabled.json
similarity index 91%
rename from rules/findings/EntraId/Users/CIS1.5/azure-ad-guest-invite-restriction-disabled.json
rename to rules/findings/EntraID/Guest/CIS3.0/eid-guest-invite-restriction-disabled.json
index 9ad62e5e..09477bf8 100644
--- a/rules/findings/EntraId/Users/CIS1.5/azure-ad-guest-invite-restriction-disabled.json
+++ b/rules/findings/EntraID/Guest/CIS3.0/eid-guest-invite-restriction-disabled.json
@@ -1,11 +1,11 @@
-{
+{
"args": [
],
"provider": "EntraID",
"serviceType": "Users",
"serviceName": "Microsoft Entra ID",
- "displayName": "Ensure that \u0027Guest invite restrictions\u0027 is set to \u0027Only users assigned to specific admin roles can invite guest users\u0027",
+ "displayName": "Ensure that 'Guest invite restrictions' is set to 'Only users assigned to specific admin roles can invite guest users'",
"description": "Restrict invitations to users with specific administrative roles only.",
"rationale": "Restricting invitations to users with specific administrator roles ensures that only authorized accounts have access to cloud resources. This helps to maintain \"Need to Know\" permissions and prevents inadvertent access to data.\r\n\t\t\t\t\r\n\t\t\t\tBy default the setting `Guest invite restrictions` is set to `Anyone in the organization can invite guest users including guests and non-admins`. This would allow anyone within the organization to invite guests and non-admins to the tenant, posing a security risk.",
"impact": "With the option of `Only users assigned to specific admin roles can invite guest users` selected, users with specific admin roles will be in charge of sending invitations to the Azure Workspace, requiring additional overhead by them to manage user accounts. This will mean coordinating with other departments as they are onboarding new users, and manually removing access from users who no longer need it.",
@@ -28,8 +28,9 @@
"compliance": [
{
"name": "CIS Microsoft Azure Foundations",
- "version": "1.5.0",
- "reference": "1.16"
+ "version": "3.0.0",
+ "reference": "2.16",
+ "profile":"Level 2"
}
],
"level": "medium",
@@ -80,13 +81,15 @@
],
"actions": {
"objectData": {
- "expand": [
+ "properties": [
"*"
],
+ "expandObject": null,
"limit": null
},
"showGoToButton": "False",
- "showModalButton": "True"
+ "showModalButton": "True",
+ "directLink": null
}
},
"text": {
@@ -111,7 +114,7 @@
"onlyStatus": false
}
},
- "idSuffix": "aad_guest_invite_all_enabled",
+ "idSuffix": "eid_guest_invite_all_enabled",
"notes": [
],
@@ -119,3 +122,4 @@
]
}
+
diff --git a/rules/findings/EntraId/Users/CIS1.5/azure-ad-guest-object-restriction-disabled.json b/rules/findings/EntraID/Guest/CIS3.0/eid-guest-object-restriction-disabled.json
similarity index 90%
rename from rules/findings/EntraId/Users/CIS1.5/azure-ad-guest-object-restriction-disabled.json
rename to rules/findings/EntraID/Guest/CIS3.0/eid-guest-object-restriction-disabled.json
index a10c0383..746ce153 100644
--- a/rules/findings/EntraId/Users/CIS1.5/azure-ad-guest-object-restriction-disabled.json
+++ b/rules/findings/EntraID/Guest/CIS3.0/eid-guest-object-restriction-disabled.json
@@ -1,11 +1,11 @@
-{
+{
"args": [
],
"provider": "EntraID",
"serviceType": "Users",
"serviceName": "Microsoft Entra ID",
- "displayName": "Ensure That \u0027Guest users access restrictions\u0027 is set to \u0027Guest user access is restricted to properties and memberships of their own directory objects\u0027",
+ "displayName": "Ensure That 'Guest users access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory objects'",
"description": "Limit guest user permissions.",
"rationale": "Limiting guest access ensures that guest accounts do not have permission for certain directory tasks, such as enumerating users, groups or other directory resources, and cannot be assigned to administrative roles in your directory. Guest access has three levels of restriction.\r\n\t\t\t\t\r\n\t\t1. Guest users have the same access as members (most inclusive)\r\n\t\t2. Guest users have limited access to properties and memberships of directory objects (default value)\r\n\t\t3. Guest user access is restricted to properties and memberships of their own directory objects (most restrictive)\r\n\t\t\r\n\t\tThe recommended option is the 3rd, most restrictive: `Guest user access is restricted to their own directory object`.",
"impact": "This may create additional requests for permissions to access resources that administrators will need to approve.",
@@ -29,8 +29,9 @@
"compliance": [
{
"name": "CIS Microsoft Azure Foundations",
- "version": "1.5.0",
- "reference": "1.15"
+ "version": "3.0.0",
+ "reference": "2.15",
+ "profile":"Level 1"
}
],
"level": "medium",
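Review bot: `"profile":"Level 1"` in the new compliance entry is missing the space after the colon that every other key in this file and the sibling `"profile": "…"` entries in this change use; the same form recurs in eid-iam-excessive-global-admins.json. These files are hand-edited, so a consistent `"profile": "Level 1"` layout keeps future diffs limited to real changes.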
@@ -81,13 +82,15 @@
],
"actions": {
"objectData": {
- "expand": [
+ "properties": [
"*"
],
+ "expandObject": null,
"limit": null
},
"showGoToButton": "False",
- "showModalButton": "True"
+ "showModalButton": "True",
+ "directLink": null
}
},
"text": {
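Review bot: `"showModalButton": "True"` on the new side (and the `"showGoToButton": "False"` context line) carry booleans as strings, while the new files added in this same change write real `false` for the same keys (e.g. eid-access-reviews-for-guest-users-are-configured.json), so one key now has two types across the rule set. The same string form is used for `"removeIfNotExists": "true"` in eid-ensure-guest-users-are-reviewed.json and eid-emergency-accounts.json and for `"shouldExist": "true"` in eid-users-mfa-capable-not-enabled.json. A non-empty string such as `"False"` is truthy under a plain boolean cast in most languages, so unless the loader string-compares these values the rendering flags may be silently inverted; `"showModalButton": true,` is the unambiguous form.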
@@ -112,7 +115,7 @@
"onlyStatus": false
}
},
- "idSuffix": "aad_guest_access_object_restriction_disabled",
+ "idSuffix": "eid_guest_access_object_restriction_disabled",
"notes": [
],
@@ -120,3 +123,4 @@
]
}
+
diff --git a/rules/findings/EntraID/Guest/CIS3.1/eid-access-reviews-for-guest-users-are-configured.json b/rules/findings/EntraID/Guest/CIS3.1/eid-access-reviews-for-guest-users-are-configured.json
new file mode 100644
index 00000000..f9db0dbc
--- /dev/null
+++ b/rules/findings/EntraID/Guest/CIS3.1/eid-access-reviews-for-guest-users-are-configured.json
@@ -0,0 +1,108 @@
+{
+ "args": [
+
+ ],
+ "provider": "EntraID",
+ "serviceType": "Users",
+ "serviceName": "Microsoft Entra ID",
+ "displayName": "Ensure 'Access reviews' for Guest Users are configured",
+ "description": "Access reviews enable administrators to establish an efficient automated process for reviewing group memberships, access to enterprise applications, and role assignments. These reviews can be scheduled to recur regularly, with flexible options for delegating the task of reviewing membership to different members of the organization. Ensure Access reviews for Guest Users are configured to be performed no less frequently than monthly.",
+ "rationale": "Access to groups and applications for guests can change over time. If a guest user's access to a particular folder goes unnoticed, they may unintentionally gain access to sensitive data if a member adds new files or data to the folder or application. Access reviews can help reduce the risks associated with outdated assignments by requiring a member of the organization to conduct the reviews. Furthermore, these reviews can enable a fail-closed mechanism to remove access to the subject if the reviewer does not respond to the review.",
+ "impact": "Access reviews that are ignored may cause guest users to lose access to resources temporarily.",
+ "remediation": {
+ "text": "",
+ "code": {
+ "powerShell": null,
+ "iac": null,
+ "terraform": null,
+ "other": null
+ }
+ },
+ "recommendation": null,
+ "references": [
+ "https://learn.microsoft.com/en-us/azure/active-directory/governance/create-access-review",
+ "https://learn.microsoft.com/en-us/azure/active-directory/governance/access-reviews-overview"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations Benchmark",
+ "version": "3.1.0",
+ "reference": "5.3.2",
+ "profile": "E5 Level 2"
+ }
+ ],
+ "level": "low",
+ "tags": [
+ ],
+ "rule": {
+ "path": "",
+ "subPath": null,
+ "selectCondition": {
+
+ },
+ "query": [
+ ],
+ "shouldExist": null,
+ "returnObject": null,
+ "removeIfNotExists": null
+ },
+ "output": {
+ "html": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "table": null,
+ "decorate": [
+
+ ],
+ "emphasis": [
+
+ ],
+ "actions": {
+ "objectData": {
+ "properties": [
+ "*"
+ ],
+ "expandObject": null,
+ "limit": null
+ },
+ "isManual":false,
+ "showGoToButton": false,
+ "showModalButton": false,
+ "directLink": null
+ }
+ },
+ "text": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "status": {
+ "keyName": [
+
+ ],
+ "message": "Ensure 'Access reviews' for Guest Users are configured",
+ "defaultMessage": null
+ },
+ "properties": {
+ "resourceName": null,
+ "resourceId": null,
+ "resourceType": null
+ },
+ "onlyStatus": false
+ }
+ },
+ "idSuffix": "eid_guest_access_review_not_present",
+ "notes": [
+
+ ],
+ "categories": [
+
+ ]
+}
+
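Review bot: `"isManual":false` sits next to an empty `rule.path` and `rule.query`, so nothing in this file says how the finding is evaluated; if this check is meant to be confirmed by a person rather than computed from collected data, `"isManual": true` is presumably the intended value — please confirm. The key appears only here and in eid-high-privileged-roles-access-reviews-not-configured.json, none of the other files in this change carry it. Separately, `"remediation": { "text": "" }` differs from the `"text": null` the renamed files use for the same field (e.g. eid-iam-excessive-global-admins.json); the same `""` appears in eid-ensure-guest-users-are-reviewed.json, eid-emergency-accounts.json, eid-high-privileged-roles-access-reviews-not-configured.json and eid-pim-is-used-to-manage-roles.json. Pick one sentinel for "no remediation text" so consumers do not need both an empty-string and a null check.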
diff --git a/rules/findings/EntraID/Guest/CIS3.1/eid-ensure-guest-users-are-reviewed.json b/rules/findings/EntraID/Guest/CIS3.1/eid-ensure-guest-users-are-reviewed.json
new file mode 100644
index 00000000..897c5130
--- /dev/null
+++ b/rules/findings/EntraID/Guest/CIS3.1/eid-ensure-guest-users-are-reviewed.json
@@ -0,0 +1,107 @@
+{
+ "args": [
+
+ ],
+ "provider": "EntraID",
+ "serviceType": "Users",
+ "serviceName": "Microsoft Entra ID",
+ "displayName": "Ensure Guest Users are reviewed at least biweekly",
+ "description": "
+ Guest users can be set up for those users not in the organization to still be granted access to resources. It is important to maintain visibility for what guest users are established in the tenant.
+ Ensure Guest Users are reviewed no less frequently than biweekly.
+ *Note* : With the E5 license an access review can be configured to review guest accounts automatically on a reoccurring basis. This is the preferred method if the licensing is available.
+ ",
+ "rationale": "Periodic review of guest users ensures proper access to resources.",
+ "impact": null,
+ "remediation": {
+ "text": "",
+ "code": {
+ "powerShell": null,
+ "iac": null,
+ "terraform": null,
+ "other": null
+ }
+ },
+ "recommendation": null,
+ "references": [
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "3.1.0",
+ "reference": "1.1.4",
+ "profile": "E3 Level 1"
+ }
+ ],
+ "level": "medium",
+ "tags": [
+
+ ],
+ "rule": {
+ "path": "",
+ "subPath": null,
+ "selectCondition": {
+
+ },
+ "query": [
+ ],
+ "shouldExist": null,
+ "returnObject": null,
+ "removeIfNotExists": "true"
+ },
+ "output": {
+ "html": {
+ "data": {
+ "expandObject": null
+ },
+ "table": "Normal",
+ "decorate": [
+
+ ],
+ "emphasis": [
+
+ ],
+ "actions": {
+ "objectData": {
+ "properties": [
+ "*"
+ ],
+ "expandObject": null,
+ "limit": null
+ },
+ "showGoToButton": "False",
+ "showModalButton": "False",
+ "directLink": null
+ }
+ },
+ "text": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "status": {
+ "keyName": [
+
+ ],
+ "message": "Ensure Guest Users are reviewed at least biweekly",
+ "defaultMessage": "Ensure Guest Users are reviewed at least biweekly"
+ },
+ "properties": {
+ "resourceName": null,
+ "resourceId": null,
+ "resourceType": null
+ },
+ "onlyStatus": true
+ }
+ },
+ "idSuffix": "eid_lack_emergency_account",
+ "notes": [
+
+ ],
+ "categories": [
+
+ ]
+}
+
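Review bot: `"idSuffix": "eid_lack_emergency_account"` is the same suffix eid-emergency-accounts.json uses in this change, so two unrelated findings will collide on whatever identifier is derived from it; something like `"idSuffix": "eid_guest_users_not_reviewed"` keeps it unique. The `description` value is a string literal broken across lines with unescaped newlines, which RFC 8259 does not allow inside a string; the renamed files this change touches escape them as `\r\n` (see the rationale in eid-guest-object-restriction-disabled.json), so a strict loader would reject this file — the same pattern is in entra-iam-privileged-users-disabled-mfa.json (description and remediation text), entra-iam-users-disabled-mfa.json, eid-emergency-accounts.json and eid-high-privileged-roles-access-reviews-not-configured.json. The compliance entry names `CIS Microsoft Azure Foundations`, but its `"profile": "E3 Level 1"` and the `CIS3.1` folder match the Microsoft 365 benchmark naming the other new files use (`CIS Microsoft 365 Foundations Benchmark`); eid-emergency-accounts.json has the same name/profile mismatch, so please verify which benchmark reference 1.1.4 belongs to.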
diff --git a/rules/findings/EntraId/IAM/CIS1.4/aad-iam-excessive-global-admins.json b/rules/findings/EntraID/IAM/CIS3.0/eid-iam-excessive-global-admins.json
similarity index 59%
rename from rules/findings/EntraId/IAM/CIS1.4/aad-iam-excessive-global-admins.json
rename to rules/findings/EntraID/IAM/CIS3.0/eid-iam-excessive-global-admins.json
index 93a360d7..5f36e486 100644
--- a/rules/findings/EntraId/IAM/CIS1.4/aad-iam-excessive-global-admins.json
+++ b/rules/findings/EntraID/IAM/CIS3.0/eid-iam-excessive-global-admins.json
@@ -1,14 +1,14 @@
-{
+{
"args": [
],
"provider": "EntraID",
"serviceType": "Microsoft Entra ID Identity",
"serviceName": "IAM",
- "displayName": "Excessive number of Global Administrators",
- "description": "The total number of Global Administrators was higher than recommended. A tenancy should have more than two but fewer than five Global Administrators. Having an excessive number of Global Administrators has an increased risk that one of those accounts will be successfully breached by an external attacker.",
- "rationale": "If there is only one global tenant administrator, he or she can perform malicious activity without the possibility of being discovered by another admin. If there are numerous global tenant administrators, the more likely it is that one of their accounts will be successfully breached by an external attacker.",
- "impact": "The potential impact associated with ensuring compliance with this requirement is dependent upon the current number of global administrators configured in the tenant. If there is only one global administrator in a tenant, an additional global administrator will need to be identified and configured. If there are more than four global administrators, a review of role requirements for current global administrators will be required to identify which of the users require global administrator access.",
+ "displayName": "Ensure fewer than _ARG_0_ users have global administrator assignment",
+ "description": "This recommendation aims to maintain a balance between security and operational efficiency by ensuring that a minimum of 2 and a maximum of 4 users are assigned the Global Administrator role in Microsoft Entra ID. Having at least two Global Administrators ensures redundancy, while limiting the number to four reduces the risk of excessive privileged access.",
+ "rationale": "The Global Administrator role has extensive privileges across all services in Microsoft Entra ID. The Global Administrator role should never be used in regular daily activities; administrators should have a regular user account for daily activities, and a separate account for administrative responsibilities. Limiting the number of Global Administrators helps mitigate the risk of unauthorized access, reduces the potential impact of human error, and aligns with the principle of least privilege to reduce the attack surface of an Azure tenant. Conversely, having at least two Global Administrators ensures that administrative functions can be performed without interruption in case of unavailability of a single admin.",
+ "impact": "Implementing this recommendation may require changes in administrative workflows or the redistribution of roles and responsibilities. Adequate training and awareness should be provided to all Global Administrators.",
"remediation": {
"text": null,
"code": {
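Review bot: `"displayName": "Ensure fewer than _ARG_0_ users have global administrator assignment"` introduces a placeholder while the `args` array two lines above is still empty, so unless arguments are injected from outside this file (other rules in the repository also use `_ARG_n_` with an empty `args`, so that may be the design) the title will render with the literal `_ARG_0_`. The new description also states the bound explicitly ("a minimum of 2 and a maximum of 4") while the title only encodes the upper limit, so if the threshold is configurable the description's fixed numbers will drift from it. Either derive both from the argument or drop the placeholder, e.g. `"displayName": "Ensure fewer than 5 users have global administrator assignment"`, so title and description agree.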
@@ -27,8 +27,9 @@
"compliance": [
{
"name": "CIS Microsoft Microsoft 365 Foundations",
- "version": "1.4.0",
- "reference": "1.1.3"
+ "version": "3.0.0",
+ "reference": "2.2.6",
+ "profile":"Level 1"
}
],
"level": "medium",
@@ -86,13 +87,15 @@
],
"actions": {
"objectData": {
- "expand": [
+ "properties": [
"*"
],
+ "expandObject": "effectiveMembers",
"limit": null
},
"showGoToButton": "False",
- "showModalButton": "True"
+ "showModalButton": "True",
+ "directLink": null
}
},
"text": {
@@ -117,7 +120,7 @@
"onlyStatus": false
}
},
- "idSuffix": "aad_excessive_global_admins",
+ "idSuffix": "eid_excessive_global_admins",
"notes": [
],
@@ -125,3 +128,4 @@
]
}
+
diff --git a/rules/findings/EntraId/IAM/CIS1.4/aad-iam-privileged-users-disabled-mfa.json b/rules/findings/EntraID/IAM/CIS3.0/entra-iam-privileged-users-disabled-mfa.json
similarity index 66%
rename from rules/findings/EntraId/IAM/CIS1.4/aad-iam-privileged-users-disabled-mfa.json
rename to rules/findings/EntraID/IAM/CIS3.0/entra-iam-privileged-users-disabled-mfa.json
index 591a11e0..9385ef51 100644
--- a/rules/findings/EntraId/IAM/CIS1.4/aad-iam-privileged-users-disabled-mfa.json
+++ b/rules/findings/EntraID/IAM/CIS3.0/entra-iam-privileged-users-disabled-mfa.json
@@ -1,16 +1,36 @@
-{
+{
"args": [
],
"provider": "EntraID",
"serviceType": "Microsoft Entra ID Identity",
"serviceName": "IAM",
- "displayName": "Ensure that multi-factor authentication is enabled for all privileged users",
- "description": "Enable multi-factor authentication for all user credentials who have write access to Azure resources. These include roles like:\r\n\t\t\t\t\t\r\n\t\t\t\t\t* Service Co-Administrators\r\n\t\t\t\t\t* Subscription Owners\r\n\t\t\t\t\t* Contributors",
+ "displayName": "Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Privileged Users",
+ "description": "
+ ###### IMPORTANT - Please read the section overview
+ If your organization pays for Microsoft Entra ID licensing (included in Microsoft 365 E3, E5, or F5, and EM&S E3 or E5 licenses) and CAN use Conditional Access, ignore the recommendations in this section and proceed to the Conditional Access section.
+ Enable multi-factor authentication for all roles, groups, and users that have write access or permissions to Azure resources. These include custom created objects or built-in roles such as;
+ * Service Co-Administrators
+ * Subscription Owners
+ * Contributors
+ ",
"rationale": "Multi-factor authentication requires an individual to present a minimum of two separate forms of authentication before access is granted. Multi-factor authentication provides additional assurance that the individual attempting to gain access is who they claim to be. With multi-factor authentication, an attacker would need to compromise at least two different authentication mechanisms, increasing the difficulty of compromise and thus reducing the risk.",
- "impact": "Users would require two forms of authentication before any action is granted. Also, this requires an overhead for managing dual forms of authentication.",
+ "impact": "Users would require two forms of authentication before any access is granted. Additional administrative time will be required for managing dual forms of authentication when enabling multi-factor authentication.",
"remediation": {
- "text": "Follow Microsoft Azure documentation and setup multi-factor authentication in your environment.\r\n\t\t\t\t\t\u003ca class=\u0027external-link\u0027 href=\u0027https://docs.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-azure-mfa\u0027 target=\u0027_blank\u0027\u003eSecure user sign-in events with Microsoft Entra ID Multi-Factor Authentication\u003c/a\u003e",
+ "text": "
+ ###### Remediate from Azure Portal
+
+ 1. From Azure Home select the Portal Menu
+ 2. Select `Microsoft Entra ID` blade
+ 3. Under `Manage`, click `Roles and administrators`
+ 4. Take note of all users with the role `Service Co-Administrators`, `Owners` or `Contributors`
+ 5. Return to the `Overview`
+ 6. Under `Manage`, click `Users`
+ 7. Click on the `Per-User MFA` button in the top row menu
+ 8. Check the box next to each noted user
+ 9. Click `Enable MFA`
+ 10. Click `Enable`
+ ",
"code": {
"powerShell": null,
"iac": null,
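Review bot: The new `description` opens with `###### IMPORTANT - Please read the section overview` and tells the reader to "ignore the recommendations in this section and proceed to the Conditional Access section"; that sentence is lifted from the benchmark document, where "this section" is a chapter, but in a standalone finding there is no section to proceed to, so the reader cannot act on it. Rephrase it in the finding's own terms, e.g. `If your tenant is licensed for Conditional Access, prefer a Conditional Access policy requiring MFA over per-user MFA; this finding is relevant only where that licensing is not available.` The same copied paragraph is in entra-iam-users-disabled-mfa.json. The removed remediation text carried a link to the MFA tutorial that the new step list drops; `references` is outside this hunk, so check the link survives there.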
@@ -27,8 +47,9 @@
"compliance": [
{
"name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "1.1.1"
+ "version": "3.0.0",
+ "reference": "2.1.2",
+ "profile": "Level 2"
}
],
"level": "medium",
@@ -101,13 +122,15 @@
],
"actions": {
"objectData": {
- "expand": [
+ "properties": [
"*"
],
+ "expandObject": "effectiveMembers",
"limit": null
},
"showGoToButton": "False",
- "showModalButton": "False"
+ "showModalButton": "False",
+ "directLink": null
}
},
"text": {
@@ -123,8 +146,8 @@
"keyName": [
"UPN"
],
- "message": "MFA is not enabled for {UPN}",
- "defaultMessage": "Ensure that multi-factor authentication is enabled for all privileged users"
+ "message": "MFA is not enabled for {UPN}",
+ "defaultMessage": "Ensure that multi-factor authentication is enabled for all privileged users"
},
"properties": {
"resourceName": "UPN",
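Review bot: `"defaultMessage": "Ensure that multi-factor authentication is enabled for all privileged users"` is the old title; the first hunk of this file renames `displayName` to "Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Privileged Users", so the report's fallback status text and the finding title now disagree. Update it in step: `"defaultMessage": "Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Privileged Users"`. entra-iam-users-disabled-mfa.json renames its title the same way and its `defaultMessage` is outside the hunks shown, so check that file too.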
@@ -142,3 +165,4 @@
]
}
+
diff --git a/rules/findings/EntraId/IAM/CIS1.4/aad-iam-users-disabled-mfa.json b/rules/findings/EntraID/IAM/CIS3.0/entra-iam-users-disabled-mfa.json
similarity index 74%
rename from rules/findings/EntraId/IAM/CIS1.4/aad-iam-users-disabled-mfa.json
rename to rules/findings/EntraID/IAM/CIS3.0/entra-iam-users-disabled-mfa.json
index 550f064e..1dc6a3ac 100644
--- a/rules/findings/EntraId/IAM/CIS1.4/aad-iam-users-disabled-mfa.json
+++ b/rules/findings/EntraID/IAM/CIS3.0/entra-iam-users-disabled-mfa.json
@@ -1,16 +1,27 @@
-{
+{
"args": [
],
"provider": "EntraID",
"serviceType": "Microsoft Entra ID Identity",
"serviceName": "IAM",
- "displayName": "Ensure that multi-factor authentication is enabled for all non privileged users",
- "description": "Enable multi-factor authentication for all non-privileged users.",
+ "displayName": "Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Non-Privileged Users",
+ "description": "
+ ###### IMPORTANT - Please read the section overview:
+ If your organization pays for Microsoft Entra ID licensing (included in Microsoft 365 E3, E5, or F5, and EM&S E3 or E5 licenses) and CAN use Conditional Access, ignore the recommendations in this section and proceed to the Conditional Access section.
Enable multi-factor authentication for all non-privileged users.",
"rationale": "Multi-factor authentication requires an individual to present a minimum of two separate forms of authentication before access is granted. Multi-factor authentication provides additional assurance that the individual attempting to gain access is who they claim to be. With multi-factor authentication, an attacker would need to compromise at least two different authentication mechanisms, increasing the difficulty of compromise and thus reducing the risk.",
- "impact": "Users would require two forms of authentication before any action is granted. Also, this requires an overhead for managing dual forms of authentication.",
+ "impact": "Users would require two forms of authentication before any access is granted. Also, this requires an overhead for managing dual forms of authentication.",
"remediation": {
- "text": "Follow Microsoft Azure documentation and setup multi-factor authentication in your environment.\r\n\t\t\t\t\t\u003ca class=\u0027external-link\u0027 href=\u0027https://docs.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-azure-mfa\u0027 target=\u0027_blank\u0027\u003eSecure user sign-in events with Microsoft Entra ID Multi-Factor Authentication\u003c/a\u003e",
+ "text": "
+ ###### Remediate from Azure Portal
+ 1. From Azure Home select the Portal Menu
+ 2. Select `Microsoft Entra ID` blade
+ 3. Under `Manage`, click `Users`
+ 4. Click on the `Per-User MFA` button in the top row menu
+ 5. Check the box next to each user
+ 6. Click `Enable MFA`
+ 7. Click `Enable`
+ ",
"code": {
"powerShell": null,
"iac": null,
@@ -28,8 +39,9 @@
"compliance": [
{
"name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "1.1.2"
+ "version": "3.0.0",
+ "reference": "2.1.3",
+ "profile": "Level 2"
}
],
"level": "medium",
@@ -87,13 +99,15 @@
],
"actions": {
"objectData": {
- "expand": [
+ "properties": [
"*"
],
+ "expandObject": null,
"limit": null
},
"showGoToButton": "False",
- "showModalButton": "False"
+ "showModalButton": "False",
+ "directLink": null
}
},
"text": {
@@ -126,3 +140,4 @@
]
}
+
diff --git a/rules/findings/EntraID/IAM/CIS3.1/eid-emergency-accounts.json b/rules/findings/EntraID/IAM/CIS3.1/eid-emergency-accounts.json
new file mode 100644
index 00000000..bea7b841
--- /dev/null
+++ b/rules/findings/EntraID/IAM/CIS3.1/eid-emergency-accounts.json
@@ -0,0 +1,112 @@
+{
+ "args": [
+
+ ],
+ "provider": "EntraID",
+ "serviceType": "Microsoft Entra ID Identity",
+ "serviceName": "IAM",
+ "displayName": "Ensure two emergency access accounts have been defined",
+ "description": "
+ Emergency access or `break glass` accounts are limited for emergency scenarios where normal administrative accounts are unavailable. They are not assigned to a specific user and will have a combination of physical and technical controls to prevent them from being accessed outside a true emergency. These emergencies could be due to several things, including:
+ * Technical failures of a cellular provider or Microsoft related service such as MFA.
+ * The last remaining Global Administrator account is inaccessible.
+
+ Ensure two Emergency Access accounts have been defined.
+ *Note*: Microsoft provides several recommendations for these accounts and how to configure them. For more information on this, please refer to the references section. The CIS Benchmark outlines the more critical things to consider.
+ ",
+ "rationale": "In various situations, an organization may require the use of a break glass account to gain emergency access. In the event of losing access to administrative functions, an organization may experience a significant loss in its ability to provide support, lose insight into its security posture, and potentially suffer financial losses.",
+ "impact": "If care is not taken in properly implementing an emergency access account this could weaken security posture. Microsoft recommends to exclude at least one of these accounts from all conditional access rules therefore passwords must have sufficient entropy and length to protect against random guesses. FIDO2 security keys may be used instead of a password for secure passwordless solution.",
+ "remediation": {
+ "text": "",
+ "code": {
+ "powerShell": null,
+ "iac": null,
+ "terraform": null,
+ "other": null
+ }
+ },
+ "recommendation": null,
+ "references": [
+ "https://learn.microsoft.com/en-us/azure/active-directory/roles/security-planning#stage-1-critical-items-to-do-right-now",
+ "https://learn.microsoft.com/en-us/azure/active-directory/roles/security-emergency-access"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "3.1.0",
+ "reference": "1.1.2",
+ "profile": "E3 Level 1"
+ }
+ ],
+ "level": "medium",
+ "tags": [
+
+ ],
+ "rule": {
+ "path": "",
+ "subPath": null,
+ "selectCondition": {
+
+ },
+ "query": [
+ ],
+ "shouldExist": null,
+ "returnObject": null,
+ "removeIfNotExists": "true"
+ },
+ "output": {
+ "html": {
+ "data": {
+ "expandObject": null
+ },
+ "table": "Normal",
+ "decorate": [
+
+ ],
+ "emphasis": [
+
+ ],
+ "actions": {
+ "objectData": {
+ "properties": [
+ "*"
+ ],
+ "expandObject": null,
+ "limit": null
+ },
+ "showGoToButton": "False",
+ "showModalButton": "False",
+ "directLink": null
+ }
+ },
+ "text": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "status": {
+ "keyName": [
+
+ ],
+ "message": "Emergency account was not found",
+ "defaultMessage": null
+ },
+ "properties": {
+ "resourceName": null,
+ "resourceId": null,
+ "resourceType": null
+ },
+ "onlyStatus": true
+ }
+ },
+ "idSuffix": "eid_lack_emergency_account",
+ "notes": [
+
+ ],
+ "categories": [
+
+ ]
+}
+
diff --git a/rules/findings/EntraID/IAM/CIS3.1/eid-high-privileged-roles-access-reviews-not-configured.json b/rules/findings/EntraID/IAM/CIS3.1/eid-high-privileged-roles-access-reviews-not-configured.json
new file mode 100644
index 00000000..31e09dda
--- /dev/null
+++ b/rules/findings/EntraID/IAM/CIS3.1/eid-high-privileged-roles-access-reviews-not-configured.json
@@ -0,0 +1,118 @@
+{
+ "args": [
+
+ ],
+ "provider": "EntraID",
+ "serviceType": "Users",
+ "serviceName": "Microsoft Entra ID",
+ "displayName": "Ensure 'Access reviews' for high privileged Entra ID roles are configured",
+ "description": "
+ Access reviews enable administrators to establish an efficient automated process for reviewing group memberships, access to enterprise applications, and role assignments. These reviews can be scheduled to recur regularly, with flexible options for delegating the task of reviewing membership to different members of the organization. Ensure Access reviews for high privileged Entra ID roles are done no less frequently than weekly. These reviews should include at a minimum the roles listed below:
+
+ * Global Administrator
+ * Exchange Administrator
+ * SharePoint Administrator
+ * Teams Administrator
+ * Security Administrator
+
+ **NOTE** : An access review is created for each role selected after completing the process.
+ ",
+ "rationale": "Regular review of critical high privileged roles in Entra ID will help identify role drift, or potential malicious activity. This will enable the practice and application of `separation of duties` where even non-privileged users like security auditors can be assigned to review assigned roles in an organization. Furthermore, if configured these reviews can enable a fail-closed mechanism to remove access to the subject if the reviewer does not respond to the review.",
+ "impact": null,
+ "remediation": {
+ "text": "",
+ "code": {
+ "powerShell": null,
+ "iac": null,
+ "terraform": null,
+ "other": null
+ }
+ },
+ "recommendation": null,
+ "references": [
+ "https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-create-azure-ad-roles-and-resource-roles-review",
+ "https://learn.microsoft.com/en-us/azure/active-directory/governance/access-reviews-overview"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations Benchmark",
+ "version": "3.1.0",
+ "reference": "5.3.3",
+ "profile": "E5 Level 1"
+ }
+ ],
+ "level": "low",
+ "tags": [
+ ],
+ "rule": {
+ "path": "",
+ "subPath": null,
+ "selectCondition": {
+
+ },
+ "query": [
+ ],
+ "shouldExist": null,
+ "returnObject": null,
+ "removeIfNotExists": null
+ },
+ "output": {
+ "html": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "table": null,
+ "decorate": [
+
+ ],
+ "emphasis": [
+
+ ],
+ "actions": {
+ "objectData": {
+ "properties": [
+ "*"
+ ],
+ "expandObject": null,
+ "limit": null
+ },
+ "isManual":false,
+ "showGoToButton": false,
+ "showModalButton": false,
+ "directLink": null
+ }
+ },
+ "text": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "status": {
+ "keyName": [
+
+ ],
+ "message": "Ensure 'Access reviews' for High Privileged Users are configured",
+ "defaultMessage": null
+ },
+ "properties": {
+ "resourceName": null,
+ "resourceId": null,
+ "resourceType": null
+ },
+ "onlyStatus": false
+ }
+ },
+ "idSuffix": "eid_high_privileged_roles_access_review_not_present",
+ "notes": [
+
+ ],
+ "categories": [
+
+ ]
+}
+
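Review bot: `"message": "Ensure 'Access reviews' for High Privileged Users are configured"` does not match the `displayName` ("… for high privileged Entra ID roles are configured"); the finding is about reviews of role assignments, not of users, so the status line should say the same thing: `"message": "Ensure 'Access reviews' for high privileged Entra ID roles are configured"`. Both new access-review files set `"level": "low"` for a missing review of Global Administrator and other highly privileged roles, while the biweekly guest review added alongside them is `"medium"`; that ordering looks inverted relative to the blast radius of the roles involved, so it is worth a second look.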
diff --git a/rules/findings/EntraId/IAM/monkey/entra-id-missing-cloud-only-administrative-account.json b/rules/findings/EntraID/IAM/CIS3.1/entra-id-missing-cloud-only-administrative-account.json
similarity index 96%
rename from rules/findings/EntraId/IAM/monkey/entra-id-missing-cloud-only-administrative-account.json
rename to rules/findings/EntraID/IAM/CIS3.1/entra-id-missing-cloud-only-administrative-account.json
index be39edb5..71b003b4 100644
--- a/rules/findings/EntraId/IAM/monkey/entra-id-missing-cloud-only-administrative-account.json
+++ b/rules/findings/EntraID/IAM/CIS3.1/entra-id-missing-cloud-only-administrative-account.json
@@ -1,4 +1,4 @@
-{
+{
"args": [
],
@@ -30,7 +30,8 @@
{
"name": "CIS Microsoft Microsoft 365 Foundations",
"version": "3.1.0",
- "reference": "1.1.1"
+ "reference": "1.1.1",
+ "profile": "E3 Level 1"
}
],
"level": "medium",
@@ -92,13 +93,15 @@
],
"actions": {
"objectData": {
- "expand": [
+ "properties": [
"*"
],
+ "expandObject": null,
"limit": null
},
"showGoToButton": false,
- "showModalButton": false
+ "showModalButton": false,
+ "directLink": null
}
},
"text": {
@@ -131,3 +134,4 @@
]
}
+
diff --git a/rules/findings/EntraId/General/Monkey/microsoft-authenticator-lack-mfa-fatigue-protection.json b/rules/findings/EntraID/MFA/CIS3.1/eid-microsoft-authenticator-lack-mfa-fatigue-protection.json
similarity index 95%
rename from rules/findings/EntraId/General/Monkey/microsoft-authenticator-lack-mfa-fatigue-protection.json
rename to rules/findings/EntraID/MFA/CIS3.1/eid-microsoft-authenticator-lack-mfa-fatigue-protection.json
index 4266e71e..329c0b5b 100644
--- a/rules/findings/EntraId/General/Monkey/microsoft-authenticator-lack-mfa-fatigue-protection.json
+++ b/rules/findings/EntraID/MFA/CIS3.1/eid-microsoft-authenticator-lack-mfa-fatigue-protection.json
@@ -1,4 +1,4 @@
-{
+{
"args": [
],
@@ -25,7 +25,12 @@
"https://learn.microsoft.com/en-us/entra/identity/authentication/how-to-mfa-number-match"
],
"compliance": [
- "Monkey365"
+ {
+ "name": "CIS Microsoft 365 Foundations Benchmark",
+ "version": "3.1.0",
+ "reference": "5.2.3.1",
+ "profile": "E3 Level 1"
+ }
],
"level": "medium",
"tags": [
@@ -121,13 +126,15 @@
],
"actions": {
"objectData": {
- "expand": [
+ "properties": [
"*"
],
+ "expandObject": null,
"limit": null
},
"showGoToButton": false,
- "showModalButton": false
+ "showModalButton": false,
+ "directLink": null
}
},
"text": {
@@ -158,3 +165,4 @@
]
}
+
diff --git a/rules/findings/EntraID/MFA/CIS3.1/eid-users-mfa-capable-not-enabled.json b/rules/findings/EntraID/MFA/CIS3.1/eid-users-mfa-capable-not-enabled.json
new file mode 100644
index 00000000..67db52af
--- /dev/null
+++ b/rules/findings/EntraID/MFA/CIS3.1/eid-users-mfa-capable-not-enabled.json
@@ -0,0 +1,106 @@
+{
+ "args": [
+
+ ],
+ "provider": "EntraID",
+ "serviceType": "Conditional Access",
+ "serviceName": "Microsoft Entra ID",
+ "displayName": "Ensure password protection is enabled for on-prem Active Directory",
+ "description": "Microsoft defines Multifactor authentication capable as being registered and enabled for a strong authentication method. The method must also be allowed by the authentication methods policy. Ensure all member users are `MFA capable`.",
+ "rationale": "Multifactor authentication requires an individual to present a minimum of two separate forms of authentication before access is granted. Users who are not MFA Capable have never registered a strong authentication method for multifactor authentication that is within policy and may not be using MFA. This could be a result of having never signed in, exclusion from a Conditional Access (CA) policy requiring MFA, or a CA policy does not exist. Reviewing this list of users will help identify possible lapses in policy or procedure.",
+ "impact": "When using the UI audit method guest users will appear in the report and unless the organization is applying MFA rules to guests then they will need to be manually filtered. Accounts that provide on-premises directory synchronization also appear in these reports.",
+ "remediation": {
+ "text": "Remediation steps will depend on the status of the personnel in question or configuration of Conditional Access policies.",
+ "code": {
+ "powerShell": null,
+ "iac": null,
+ "terraform": null,
+ "other": null
+ }
+ },
+ "recommendation": null,
+ "references": [
+ "https://learn.microsoft.com/en-us/powershell/module/microsoft.graph.reports/update-mgreportauthenticationmethoduserregistrationdetail?view=graph-powershell-1.0#-ismfacapable",
+ "https://learn.microsoft.com/en-us/entra/identity/monitoring-health/how-to-view-applied-conditional-access-policies",
+ "https://learn.microsoft.com/en-us/entra/identity/conditional-access/what-if-tool",
+ "https://learn.microsoft.com/en-us/entra/identity/authentication/howto-authentication-methods-activity"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations Benchmark",
+ "version": "3.1.0",
+ "reference": "5.2.3.4",
+ "profile": "E3 Level 1"
+ }
+ ],
+ "level": "medium",
+ "tags": [
+
+ ],
+ "rule": {
+ "path": "",
+ "subPath": null,
+ "selectCondition": {
+
+ },
+ "query": [
+ ],
+ "shouldExist": "true",
+ "returnObject": null,
+ "removeIfNotExists": null
+ },
+ "output": {
+ "html": {
+ "data": {
+ "expandObject": null
+ },
+ "table": null,
+ "decorate": [
+
+ ],
+ "emphasis": [
+
+ ],
+ "actions": {
+ "objectData": {
+ "properties": [
+ "*"
+ ],
+ "expandObject": null,
+ "limit": null
+ },
+ "showGoToButton": false,
+ "showModalButton": false,
+ "directLink": null
+ }
+ },
+ "text": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "status": {
+ "keyName": [
+ ],
+ "message": "Ensure all member users are 'MFA capable'",
+ "defaultMessage": null
+ },
+ "properties": {
+ "resourceName": "displayName",
+ "resourceId": "id",
+ "resourceType": "@odata.context"
+ },
+ "onlyStatus": true
+ }
+ },
+ "idSuffix": "aad_users_mfa_capable_not_enabled",
+ "notes": [
+
+ ],
+ "categories": [
+
+ ]
+}
+
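Review bot: `"displayName": "Ensure password protection is enabled for on-prem Active Directory"` does not describe this finding — description, rationale, references and `message` are all about member users that are not MFA capable — so the title looks pasted from another rule; `"displayName": "Ensure all member users are 'MFA capable'"` matches the `message` already in the file. `"idSuffix": "aad_users_mfa_capable_not_enabled"` keeps the `aad_` prefix that this same change replaces with `eid_` in every renamed file (e.g. `eid_excessive_global_admins`), so the new rule would be the one odd identifier out; `"idSuffix": "eid_users_mfa_capable_not_enabled"`. `"serviceType": "Conditional Access"` also reads oddly for a check of the authentication-methods registration report, but I cannot tell from here how `serviceType` is consumed, so treat that as a question rather than a defect.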
diff --git a/rules/findings/EntraID/PIM/CIS3.1/eid-pim-is-used-to-manage-roles.json b/rules/findings/EntraID/PIM/CIS3.1/eid-pim-is-used-to-manage-roles.json
new file mode 100644
index 00000000..0a5f4c55
--- /dev/null
+++ b/rules/findings/EntraID/PIM/CIS3.1/eid-pim-is-used-to-manage-roles.json
@@ -0,0 +1,107 @@
+{
+ "args": [
+
+ ],
+ "provider": "EntraID",
+ "serviceType": "Identity Protection",
+ "serviceName": "Microsoft Entra ID",
+ "displayName": "Ensure 'Privileged Identity Management' is used to manage roles",
+ "description": "Microsoft Entra Privileged Identity Management can be used to audit roles, allow just in time activation of roles and allow for periodic role attestation. Organizations should remove permanent members from privileged Office 365 roles and instead make them eligible, through a JIT activation workflow.",
+ "rationale": "Organizations want to minimize the number of people who have access to secure information or resources, because that reduces the chance of a malicious actor getting that access, or an authorized user inadvertently impacting a sensitive resource. However, users still need to carry out privileged operations in Entra ID. Organizations can give users just-in-time (JIT) privileged access to roles. There is a need for oversight for what those users are doing with their administrator privileges. PIM helps to mitigate the risk of excessive, unnecessary, or misused access rights.",
+ "impact": "Implementation of Just in Time privileged access is likely to necessitate changes to administrator routine. Administrators will only be granted access to administrative roles when required. When administrators request role activation, they will need to document the reason for requiring role access, anticipated time required to have the access, and to reauthenticate to enable role access.",
+ "remediation": {
+ "text": "",
+ "code": {
+ "powerShell": null,
+ "iac": null,
+ "terraform": null,
+ "other": null
+ }
+ },
+ "recommendation": null,
+ "references": [
+ "https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-configure"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations Benchmark",
+ "version": "3.1.0",
+ "reference": "5.3.1",
+ "profile": "E5 Level 2"
+ }
+ ],
+ "level": "medium",
+ "tags": [
+ ],
+ "rule": {
+ "path": "",
+ "subPath": null,
+ "selectCondition": {
+
+ },
+ "query": [
+ ],
+ "shouldExist": null,
+ "returnObject": null,
+ "removeIfNotExists": null
+ },
+ "output": {
+ "html": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "table": null,
+ "decorate": [
+
+ ],
+ "emphasis": [
+
+ ],
+ "actions": {
+ "objectData": {
+ "properties": [
+ "*"
+ ],
+ "expandObject": null,
+ "limit": null
+ },
+ "isManual":false,
+ "showGoToButton": false,
+ "showModalButton": false,
+ "directLink": null
+ }
+ },
+ "text": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "status": {
+ "keyName": [
+
+ ],
+ "message": "Ensure 'Privileged Identity Management' is used to manage roles",
+ "defaultMessage": null
+ },
+ "properties": {
+ "resourceName": null,
+ "resourceId": null,
+ "resourceType": null
+ },
+ "onlyStatus": false
+ }
+ },
+ "idSuffix": "eid_pim_not_in_use",
+ "notes": [
+
+ ],
+ "categories": [
+
+ ]
+}
+
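Review bot: `rule` has `"path": ""`, an empty `query` and `"shouldExist": null`, so there is nothing for the engine to evaluate, yet `output.html.actions` carries `"isManual":false` — the flag appears to contradict the rule's shape. The other non-evaluable checks added in this commit (for example the on-prem password-protection rule) use `"shouldExist": "true"` with `"onlyStatus": true` and have no `isManual` key at all, while the lockout-threshold rule places `isManual` under `rule` as the string `"false"`. If `isManual` is meant to mark checks that cannot be evaluated programmatically, this rule should presumably set `"isManual": true`, and the key should live in one place with a boolean value across all rules. Its placement inside `actions`, next to the button flags rather than under `rule`, looks accidental; worth confirming against whatever consumes it.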
diff --git a/rules/findings/EntraID/Policy/CIS3.0/eid-account-lockout-seconds-policy.json b/rules/findings/EntraID/Policy/CIS3.0/eid-account-lockout-seconds-policy.json
new file mode 100644
index 00000000..dfcd755b
--- /dev/null
+++ b/rules/findings/EntraID/Policy/CIS3.0/eid-account-lockout-seconds-policy.json
@@ -0,0 +1,132 @@
+{
+ "args": [
+
+ ],
+ "provider": "EntraID",
+ "serviceType": "General",
+ "serviceName": "Microsoft Entra ID",
+ "displayName": "Ensure that account 'Lockout duration in seconds' is greater than or equal to '60'",
+ "description": "The account lockout duration value determines how long an account retains the status of lockout, and therefore how long before a user can continue to attempt to login after passing the lockout threshold.",
+ "rationale": "Account lockout is a method of protecting against brute-force and password spray attacks. Once the lockout threshold has been exceeded, the account enters a lockedout state which prevents all login attempts for a variable duration. The lockout in combination with a reasonable duration reduces the total number of failed login attempts that a malicious actor can execute in a given period of time.",
+ "impact": "
+ If account lockout duration is set too low (less than 60 seconds), malicious actors can perform more password spray and brute-force attempts over a given period of time.
+ If the account lockout duration is set too high (more than 300 seconds) users may experience inconvenient delays during lockout.
+ ",
+ "remediation": {
+ "text": "
+ ###### Remediate from Azure Portal
+ 1. From Azure Home select the Portal Menu.
+ 2. Select Microsoft Entra ID.
+ 3. Under Manage, select Security.
+ 4. Under Manage, select Authentication methods.
+ 5. Under Manage, select Password protection.
+ 6. Set the Lockout duration in seconds to 60 or higher.
+ 7. Click Save.
+ ",
+ "code": {
+ "powerShell": null,
+ "iac": null,
+ "terraform": null,
+ "other": null
+ }
+ },
+ "recommendation": null,
+ "references": [
+ "https://learn.microsoft.com/en-us/entra/identity/authentication/howto-password-smart-lockout#manage-microsoft-entra-smart-lockout-values"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "3.0.0",
+ "reference": "2.7",
+ "profile": "Level 1"
+ }
+ ],
+ "level": "low",
+ "tags": [
+
+ ],
+ "rule": {
+ "path": "aad_password_protection_policy",
+ "subPath": null,
+ "selectCondition": {
+
+ },
+ "query": [
+ {
+ "filter": [
+ {
+ "conditions": [
+ [
+ "lockoutDurationInSeconds",
+ "ge",
+ "60"
+ ]
+ ]
+ }
+ ]
+ }
+ ],
+ "shouldExist": null,
+ "returnObject": null,
+ "removeIfNotExists": null
+ },
+ "output": {
+ "html": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "table": null,
+ "decorate": [
+
+ ],
+ "emphasis": [
+
+ ],
+ "actions": {
+ "objectData": {
+ "properties": [
+ "*"
+ ],
+ "expandObject": null,
+ "limit": null
+ },
+ "showGoToButton": false,
+ "showModalButton": false,
+ "directLink": null
+ }
+ },
+ "text": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "status": {
+ "keyName": [
+
+ ],
+ "message": "",
+ "defaultMessage": "Ensure that account 'Lockout duration in seconds' is greater than or equal to '60'"
+ },
+ "properties": {
+ "resourceName": null,
+ "resourceId": null,
+ "resourceType": null
+ },
+ "onlyStatus": false
+ }
+ },
+ "idSuffix": "eid_incorrect_account_lockout_seconds",
+ "notes": [
+
+ ],
+ "categories": [
+
+ ]
+}
+
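Review bot: The `impact` and `remediation.text` values contain literal line breaks inside the string, which RFC 8259 forbids (control characters in strings must be escaped), so a strict JSON parser will reject this file; the same pattern appears in the lockout-threshold, password-expiring, on-prem password-protection, collaboration-domains, application-usage-report and risky-sign-ins files in this commit. Encode the breaks as `\n` — or the `\r\n\t\t\t\t\t` sequence the repository's existing remediation strings use — and keep each value on a single line. Separately, the filter `["lockoutDurationInSeconds", "ge", "60"]` selects the compliant state: in the custom-banned-password rule in this same commit the conditions describe the non-compliant object (`eq 0` / `eq false`), so unless the engine inverts the match when `shouldExist` is null, this finding would fire on tenants that meet the benchmark and stay silent on those that do not; the threshold rule's `le 10` has the same orientation. Worth confirming the intended direction (`lt` here, `gt` there) before these ship, since a silently inverted lockout check gives false assurance against password spraying.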
diff --git a/rules/findings/EntraID/Policy/CIS3.0/eid-account-lockout-threshold-policy.json b/rules/findings/EntraID/Policy/CIS3.0/eid-account-lockout-threshold-policy.json
new file mode 100644
index 00000000..9628fa44
--- /dev/null
+++ b/rules/findings/EntraID/Policy/CIS3.0/eid-account-lockout-threshold-policy.json
@@ -0,0 +1,133 @@
+{
+ "args": [
+
+ ],
+ "provider": "EntraID",
+ "serviceType": "General",
+ "serviceName": "Microsoft Entra ID",
+ "displayName": "Ensure that account 'Lockout Threshold' is less than or equal to '10'",
+ "description": "The account lockout threshold determines how many failed login attempts are permitted prior to placing the account in a locked-out state and initiating a variable lockout duration.",
+ "rationale": "Account lockout is a method of protecting against brute-force and password spray attacks. Once the lockout threshold has been exceeded, the account enters a lockedout state which prevents all login attempts for a variable duration. The lockout in combination with a reasonable duration reduces the total number of failed login attempts that a malicious actor can execute in a given period of time.",
+ "impact": "
+ If account lockout threshold is set too low (less than 3), users may experience frequent lockout events and the resulting security alerts may contribute to alert fatigue.
+ If account lockout threshold is set too high (more than 10), malicious actors can programmatically execute more password attempts in a given period of time.
+ ",
+ "remediation": {
+ "text": "
+ ###### Remediate from Azure Portal
+ 1. From Azure Home select the Portal Menu.
+ 2. Select Microsoft Entra ID.
+ 3. Under Manage, select Security.
+ 4. Under Manage, select Authentication methods.
+ 5. Under Manage, select Password protection.
+ 6. Set the Lockout threshold to 10 or fewer.
+ 7. Click Save.
+ ",
+ "code": {
+ "powerShell": null,
+ "iac": null,
+ "terraform": null,
+ "other": null
+ }
+ },
+ "recommendation": null,
+ "references": [
+ "https://learn.microsoft.com/en-us/entra/identity/authentication/howto-password-smart-lockout#manage-microsoft-entra-smart-lockout-values"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "3.0.0",
+ "reference": "2.6",
+ "profile": "Level 1"
+ }
+ ],
+ "level": "low",
+ "tags": [
+
+ ],
+ "rule": {
+ "path": "aad_password_protection_policy",
+ "subPath": null,
+ "selectCondition": {
+
+ },
+ "query": [
+ {
+ "filter": [
+ {
+ "conditions": [
+ [
+ "lockoutThreshold",
+ "le",
+ "10"
+ ]
+ ]
+ }
+ ]
+ }
+ ],
+ "isManual":"false",
+ "shouldExist": null,
+ "returnObject": null,
+ "removeIfNotExists": null
+ },
+ "output": {
+ "html": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "table": null,
+ "decorate": [
+
+ ],
+ "emphasis": [
+
+ ],
+ "actions": {
+ "objectData": {
+ "properties": [
+ "*"
+ ],
+ "expandObject": null,
+ "limit": null
+ },
+ "showGoToButton": false,
+ "showModalButton": false,
+ "directLink": null
+ }
+ },
+ "text": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "status": {
+ "keyName": [
+
+ ],
+ "message": "",
+ "defaultMessage": "Ensure that account 'Lockout Threshold' is less than or equal to '10'"
+ },
+ "properties": {
+ "resourceName": null,
+ "resourceId": null,
+ "resourceType": null
+ },
+ "onlyStatus": false
+ }
+ },
+ "idSuffix": "eid_incorrect_account_lockout_threshold",
+ "notes": [
+
+ ],
+ "categories": [
+
+ ]
+}
+
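Review bot: `"isManual":"false"` under `rule` is a string, whereas the PIM rule in this commit writes it as the boolean `false` under `output.html.actions`; any consumer doing a truthiness check will treat the string `"false"` as true, and the two rules disagree on where the key lives. Use the boolean and one agreed location, e.g. `"isManual": false,`, with the spacing after the colon that the rest of the file uses. Everything else in this rule mirrors the lockout-duration rule, so the line-break and comparison-direction remarks made there apply here as well.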
diff --git a/rules/findings/EntraId/Policy/CIS1.4/aad-bad-password-list-disabled.json b/rules/findings/EntraID/Policy/CIS3.0/eid-custom-banned-password-list-disabled.json
similarity index 87%
rename from rules/findings/EntraId/Policy/CIS1.4/aad-bad-password-list-disabled.json
rename to rules/findings/EntraID/Policy/CIS3.0/eid-custom-banned-password-list-disabled.json
index d911bd09..e2be09f4 100644
--- a/rules/findings/EntraId/Policy/CIS1.4/aad-bad-password-list-disabled.json
+++ b/rules/findings/EntraID/Policy/CIS3.0/eid-custom-banned-password-list-disabled.json
@@ -1,11 +1,11 @@
-{
+{
"args": [
],
"provider": "EntraID",
"serviceType": "Identity Protection",
"serviceName": "Microsoft Entra ID",
- "displayName": "Ensure that a Custom Bad Password List is set to \u0027Enforce\u0027 for your Organization",
+ "displayName": "Ensure that a Custom Bad Password List is set to 'Enforce' for your Organization",
"description": "Microsoft Azure creates a default bad password policy that is already applied to Azure administrative and normal user accounts. This is not applied to user accounts that are synced from an on-premise Active Directory unless Microsoft Entra ID Connect is used and you enable EnforceCloudPasswordPolicyForPasswordSyncedUsers. Please see the list in default values on the specifics of this policy.",
"rationale": "Enabling this gives your organization further customization on what secure passwords are allowed. Setting a bad password list enables your organization to fine-tune its password policy further, depending on your needs. Removing easy-to-guess passwords increases the security of access to your Azure resources.",
"impact": "Increasing needed password complexity might increase overhead on administration of user account.",
@@ -26,9 +26,10 @@
],
"compliance": [
{
- "name": "CIS Microsoft 365 Foundations",
- "version": "1.5.0",
- "reference": "1.7"
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "3.0.0",
+ "reference": "2.8",
+ "profile":"Level 1"
}
],
"level": "medium",
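Review bot: `"profile":"Level 1"` omits the space after the colon that every other key/value pair in this block and the sibling compliance entries in this commit use (`"profile": "Level 1"`); a formatting nit, but these files are hand-edited and the inconsistency will surface in every future diff. Write it as `"profile": "Level 1"`.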
@@ -48,10 +49,16 @@
"conditions": [
[
"customBannedPasswords.Count",
- "lt",
- "10"
+ "eq",
+ "0"
+ ],
+ [
+ "enforceCustomBannedPasswords",
+ "eq",
+ "false"
]
- ]
+ ],
+ "operator": "or"
}
]
}
@@ -77,13 +84,15 @@
],
"actions": {
"objectData": {
- "expand": [
+ "properties": [
"*"
],
+ "expandObject": null,
"limit": null
},
"showGoToButton": false,
- "showModalButton": false
+ "showModalButton": false,
+ "directLink": null
}
},
"text": {
@@ -116,3 +125,4 @@
]
}
+
diff --git a/rules/findings/EntraId/Policy/CIS1.4/aad-password-expiring-enabled.json b/rules/findings/EntraID/Policy/CIS3.0/eid-password-expiring-enabled.json
similarity index 53%
rename from rules/findings/EntraId/Policy/CIS1.4/aad-password-expiring-enabled.json
rename to rules/findings/EntraID/Policy/CIS3.0/eid-password-expiring-enabled.json
index 83eb2f9a..b5be9e1e 100644
--- a/rules/findings/EntraId/Policy/CIS1.4/aad-password-expiring-enabled.json
+++ b/rules/findings/EntraID/Policy/CIS3.0/eid-password-expiring-enabled.json
@@ -1,14 +1,19 @@
-{
+{
"args": [
],
"provider": "EntraID",
"serviceType": "Identity Protection",
"serviceName": "Microsoft Entra ID",
- "displayName": "Ensure that Microsoft 365 Passwords Are Not Set to Expire",
- "description": "Review the password expiration policy, to ensure that user passwords in Office 365 are not set to expire.",
- "rationale": "NIST has updated their password policy recommendations to not arbitrarily require users to change their passwords after a specific amount of time, unless there is evidence that the password is compromised or the user forgot it. They suggest this even for single factor (Password Only) use cases, with a reasoning that forcing arbitrary password changes on users actually make the passwords less secure. Other recommendations within this Benchmark suggest the use of MFA authentication for at least critical accounts (at minimum), which makes password expiration even less useful as well as password protection for Microsoft Entra ID.",
- "impact": "The primary impact associated with this change is ensuring that users understand the process for making or requesting a password change when required.",
+ "displayName": "Ensure the 'Password expiration policy' is set to 'Set passwords to never expire (recommended)'",
+ "description": "Microsoft cloud-only accounts have a pre-defined password policy that cannot be changed. The only items that can change are the number of days until a password expires and whether or whether passwords expire at all.",
+ "rationale": "Organizations such as NIST and Microsoft have updated their password policy recommendations to not arbitrarily require users to change their passwords after a specific amount of time, unless there is evidence that the password is compromised, or the user forgot it. They suggest this even for single factor (Password Only) use cases, with a reasoning that forcing arbitrary password changes on users actually make the passwords less secure. Other recommendations within this Benchmark suggest the use of MFA authentication for at least critical accounts (at minimum), which makes password expiration even less useful as well as password protection for Entra ID.",
+ "impact": "
+ When setting passwords not to expire it is important to have other controls in place to supplement this setting. See below for related recommendations and user guidance.
+ * Ban common passwords.
+ * Educate users to not reuse organization passwords anywhere else.
+ * Enforce Multi-Factor Authentication registration for all users.
+ ",
"remediation": {
"text": "###### To set Office 365 Passwords to Expire, use the Microsoft 365 Admin Center\r\n\t\t\t\t\t1. Expand `Settings` then select the `Org Settings` subcategory.\r\n\t\t\t\t\t2. Click on `Security \u0026 privacy`.\r\n\t\t\t\t\t3. Select `Password expiration policy`.\r\n\t\t\t\t\t4. If the `Set user passwords to expire after a number of days box` is checked, uncheck it.\r\n\t\t\t\t\t5. Click `Save`.",
"code": {
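Review bot: The heading in `remediation.text` still reads `To set Office 365 Passwords to Expire` while the new `displayName` asks for passwords to never expire and the steps themselves uncheck the expiry box, so the heading contradicts the recommendation it accompanies. Rename it, e.g. `###### To set Microsoft 365 passwords to never expire, use the Microsoft 365 Admin Center`, and align the product name with the `Microsoft 365` wording used in the new compliance entry. The remediation line is unchanged context here, so the fix has to be made deliberately rather than falling out of the retitling.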
@@ -20,13 +25,16 @@
},
"recommendation": null,
"references": [
- "https://docs.microsoft.com/en-us/microsoft-365/admin/misc/password-policy-recommendations?view=o365-worldwide"
+ "https://pages.nist.gov/800-63-3/sp800-63b.html",
+ "https://www.cisecurity.org/white-papers/cis-password-policy-guide/",
+ "https://learn.microsoft.com/en-US/microsoft-365/admin/misc/password-policy-recommendations?view=o365-worldwide"
],
"compliance": [
{
"name": "CIS Microsoft 365 Foundations",
- "version": "1.4.0",
- "reference": "1.5"
+ "version": "3.1.0",
+ "reference": "1.3.1",
+ "profile": "E3 Level 1"
}
],
"level": "medium",
@@ -75,13 +83,15 @@
],
"actions": {
"objectData": {
- "expand": [
+ "properties": [
"*"
],
+ "expandObject": null,
"limit": null
},
"showGoToButton": false,
- "showModalButton": false
+ "showModalButton": false,
+ "directLink": null
}
},
"text": {
@@ -106,7 +116,7 @@
"onlyStatus": false
}
},
- "idSuffix": "aad_password_expiring_enabled",
+ "idSuffix": "eid_password_expiring_enabled",
"notes": [
],
@@ -114,3 +124,4 @@
]
}
+
diff --git a/rules/findings/EntraId/Policy/CIS1.4/aad-stay_signed_policy-disabled.json b/rules/findings/EntraID/Policy/CIS3.0/eid-stay_signed_policy-disabled.json
similarity index 89%
rename from rules/findings/EntraId/Policy/CIS1.4/aad-stay_signed_policy-disabled.json
rename to rules/findings/EntraID/Policy/CIS3.0/eid-stay_signed_policy-disabled.json
index 798c82a4..426462c9 100644
--- a/rules/findings/EntraId/Policy/CIS1.4/aad-stay_signed_policy-disabled.json
+++ b/rules/findings/EntraID/Policy/CIS3.0/eid-stay_signed_policy-disabled.json
@@ -1,11 +1,11 @@
-{
+{
"args": [
],
"provider": "EntraID",
"serviceType": "Identity Protection",
"serviceName": "Microsoft Entra ID",
- "displayName": "Ensure the option to stay signed in is disabled",
+ "displayName": "Ensure the option to remain signed in is hidden",
"description": "The option for the user to `Stay signed in` or the `Keep me signed in` option will prompt a user after a successful login, when the user selects this option a persistent refresh token is created. Typically this lasts for 90 days and does not prompt for sign-in or Multi-Factor.",
"rationale": "Allowing users to select this option presents risk, especially in the even that the user signs into their account on a publicly accessible computer/web browser. In this case anyone with access to the profile said users utilized would have access to their account when directing the web browser to office.com.",
"impact": "Once you have changed this setting users will no longer be prompted upon sign-in with the message `Stay signed in?`. This may mean users will be forced to sign in more frequently. Important: some features of SharePoint Online and Office 2010 have a dependency on users remaining signed in. If you hide this option, users may get additional and unexpected sign in prompts.",
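Review bot: The `rationale` value still reads `in the even that the user signs into their account`, a typo for `in the event that`, and the following clause `anyone with access to the profile said users utilized` is hard to parse; suggest `anyone with access to the browser profile that user signed in from`. The commit retitles the finding to say the option is hidden but leaves this context line untouched, so this is the place to correct it.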
@@ -24,12 +24,13 @@
],
"compliance": [
{
- "name": "CIS Microsoft 365 Foundations",
- "version": "1.4.0",
- "reference": "1.1.16"
+ "name": "CIS Microsoft 365 Foundations Benchmark",
+ "version": "3.1.0",
+ "reference": "5.1.2.5",
+ "profile": "E3 Level 2"
}
],
- "level": "medium",
+ "level": "low",
"tags": [
],
@@ -84,13 +85,15 @@
],
"actions": {
"objectData": {
- "expand": [
+ "properties": [
"*"
],
+ "expandObject": null,
"limit": null
},
"showGoToButton": false,
- "showModalButton": false
+ "showModalButton": false,
+ "directLink": null
}
},
"text": {
@@ -115,7 +118,7 @@
"onlyStatus": false
}
},
- "idSuffix": "aad_keep_me_sign_disabled",
+ "idSuffix": "eid_keep_me_sign_disabled",
"notes": [
],
@@ -123,3 +126,4 @@
]
}
+
diff --git a/rules/findings/EntraID/Policy/CIS3.1/eid-password-protection-on-prem-not-enabled.json b/rules/findings/EntraID/Policy/CIS3.1/eid-password-protection-on-prem-not-enabled.json
new file mode 100644
index 00000000..f9e2d700
--- /dev/null
+++ b/rules/findings/EntraID/Policy/CIS3.1/eid-password-protection-on-prem-not-enabled.json
@@ -0,0 +1,114 @@
+{
+ "args": [
+
+ ],
+ "provider": "EntraID",
+ "serviceType": "Conditional Access",
+ "serviceName": "Microsoft Entra ID",
+ "displayName": "Ensure password protection is enabled for on-prem Active Directory",
+ "description": "
+ Microsoft Entra Password Protection provides a global and custom banned password list. A password change request fails if there's a match in these banned password list. To protect on-premises Active Directory Domain Services (AD DS) environment, install and configure Entra Password Protection.
+ **Note** : This recommendation applies to Hybrid deployments only and will have no impact unless working with on-premises Active Directory.
+ ",
+ "rationale": "This feature protects an organization by prohibiting the use of weak or leaked passwords. In addition, organizations can create custom banned password lists to prevent their users from using easily guessed passwords that are specific to their industry. Deploying this feature to Active Directory will strengthen the passwords that are used in the environment.",
+ "impact": "The potential impact associated with implementation of this setting is dependent upon the existing password policies in place in the environment. For environments that have strong password policies in place, the impact will be minimal. For organizations that do not have strong password policies in place, implementation of Microsoft Entra Password Protection may require users to change passwords and adhere to more stringent requirements than they have been accustomed to.",
+ "remediation": {
+ "text": "
+ ###### To remediate using the UI:
+ * Download and install the Azure AD Password Proxies and DC Agents from the following location: https://www.microsoft.com/download/details.aspx?id=57071
+ After installed follow the steps below.
+ 1. Navigate to Microsoft Entra admin center https://entra.microsoft.com/.
+ 2. Click to expand Protection select Authentication methods.
+ 3. Select Password protection and set Enable password protection on Windows
+ Server Active Directory to Yes and Mode to Enforced.
+ ",
+ "code": {
+ "powerShell": null,
+ "iac": null,
+ "terraform": null,
+ "other": null
+ }
+ },
+ "recommendation": null,
+ "references": [
+ "https://learn.microsoft.com/en-us/entra/identity/authentication/howto-password-ban-bad-on-premises-operations"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations Benchmark",
+ "version": "3.1.0",
+ "reference": "5.2.3.3",
+ "profile": "E3 Level 1"
+ }
+ ],
+ "level": "medium",
+ "tags": [
+
+ ],
+ "rule": {
+ "path": "",
+ "subPath": null,
+ "selectCondition": {
+
+ },
+ "query": [
+ ],
+ "shouldExist": "true",
+ "returnObject": null,
+ "removeIfNotExists": null
+ },
+ "output": {
+ "html": {
+ "data": {
+ "expandObject": null
+ },
+ "table": null,
+ "decorate": [
+
+ ],
+ "emphasis": [
+
+ ],
+ "actions": {
+ "objectData": {
+ "properties": [
+ "*"
+ ],
+ "expandObject": null,
+ "limit": null
+ },
+ "showGoToButton": false,
+ "showModalButton": false,
+ "directLink": null
+ }
+ },
+ "text": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "status": {
+ "keyName": [
+ ],
+ "message": "Ensure password protection is enabled for on-prem Active Directory",
+ "defaultMessage": null
+ },
+ "properties": {
+ "resourceName": "displayName",
+ "resourceId": "id",
+ "resourceType": "@odata.context"
+ },
+ "onlyStatus": true
+ }
+ },
+ "idSuffix": "aad_on_prem_password_protection_not_enabled",
+ "notes": [
+
+ ],
+ "categories": [
+
+ ]
+}
+
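Review bot: `idSuffix` is `aad_on_prem_password_protection_not_enabled`, while this same commit renames the other Entra ID suffixes from `aad_` to `eid_` (`eid_password_expiring_enabled`, `eid_keep_me_sign_disabled`, `eid_restrict_collaboration_specific_domains_disabled`); a new file should use the new prefix, e.g. `"idSuffix": "eid_on_prem_password_protection_not_enabled",`, otherwise the finding ids stay mixed. `"serviceType": "Conditional Access"` does not match the subject either — the lockout rules in this commit file the password-protection policy under `General` and the banned-password rule under `Identity Protection` — so pick one of those to keep the finding grouped with its peers. `output.html.data` here also omits the `properties` object that the other new rules include; probably harmless if the consumer tolerates a missing key, but worth confirming.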
diff --git a/rules/findings/EntraId/Policy/CIS1.4/aad-restrict-collaboration-specific-domains-disabled.json b/rules/findings/EntraID/Policy/CIS3.1/eid-restrict-collaboration-specific-domains-disabled.json
similarity index 75%
rename from rules/findings/EntraId/Policy/CIS1.4/aad-restrict-collaboration-specific-domains-disabled.json
rename to rules/findings/EntraID/Policy/CIS3.1/eid-restrict-collaboration-specific-domains-disabled.json
index 106686a1..c273cb9e 100644
--- a/rules/findings/EntraId/Policy/CIS1.4/aad-restrict-collaboration-specific-domains-disabled.json
+++ b/rules/findings/EntraID/Policy/CIS3.1/eid-restrict-collaboration-specific-domains-disabled.json
@@ -1,4 +1,4 @@
-{
+{
"args": [
],
@@ -6,8 +6,12 @@
"serviceType": "Identity Protection",
"serviceName": "Microsoft Entra ID",
"displayName": "Ensure that collaboration invitations are sent to allowed domains only",
- "description": "Users should be able to send collaboration invitations to allowed domains only.",
- "rationale": "By specifying allowed domains for collaborations, external users companies are explicitly identified. Also, this prevents internal users from inviting unknown external users such as personal accounts and give them access to resources.",
+ "description": "
+ B2B collaboration is a feature within Microsoft Entra External ID that allows for guest invitations to an organization.
+ Ensure users can only send invitations to specified domains.
+ *NOTE* : This list works independently from OneDrive for Business and SharePoint Online allow/block lists. To restrict individual file sharing in SharePoint Online, set up an allow or blocklist for OneDrive for Business and SharePoint Online. For instance, in SharePoint or OneDrive users can still share with external users from prohibited domains by using Anyone links if they haven't been disabled.
+ ",
+ "rationale": "By specifying allowed domains for collaborations, external user's companies are explicitly identified. Also, this prevents internal users from inviting unknown external users such as personal accounts and granting them access to resources.",
"impact": "This could make harder collaboration if the setting is not quickly updated when a new domain is identified as `allowed`.",
"remediation": {
"text": "###### From Azure Portal\r\n\t\t\t\t\t1. Go to `Microsoft Entra ID`\r\n\t\t\t\t\t2. Go to `Users`\r\n\t\t\t\t\t3. Go to `User settings`\r\n\t\t\t\t\t4. Under `External users`, click on `Manage external collaboration settings` \r\n\t\t\t\t\t5. Under `Collaboration restrictions`, select `Allow invitations only to the specified domains (most restrictive)`, check the Target domains setting, and specify the domains allowed to collaborate.",
@@ -30,12 +34,13 @@
],
"compliance": [
{
- "name": "CIS Microsoft 365 Foundations",
- "version": "1.4.0",
- "reference": "1.1.13"
+ "name": "CIS Microsoft 365 Foundations Benchmark",
+ "version": "3.1.0",
+ "reference": "5.1.6.1",
+ "profile": "E3 Level 2"
}
],
- "level": "medium",
+ "level": "low",
"tags": [
],
@@ -87,13 +92,15 @@
],
"actions": {
"objectData": {
- "expand": [
+ "properties": [
"*"
],
+ "expandObject": null,
"limit": null
},
"showGoToButton": false,
- "showModalButton": false
+ "showModalButton": false,
+ "directLink": null
}
},
"text": {
@@ -118,7 +125,7 @@
"onlyStatus": false
}
},
- "idSuffix": "aad_restrict_collaboration_specific_domains_disabled",
+ "idSuffix": "eid_restrict_collaboration_specific_domains_disabled",
"notes": [
],
@@ -126,3 +133,4 @@
]
}
+
diff --git a/rules/findings/EntraID/Reports/CIS3.1/eid-application-usage-report-is-reviewed.json b/rules/findings/EntraID/Reports/CIS3.1/eid-application-usage-report-is-reviewed.json
new file mode 100644
index 00000000..85d7568f
--- /dev/null
+++ b/rules/findings/EntraID/Reports/CIS3.1/eid-application-usage-report-is-reviewed.json
@@ -0,0 +1,110 @@
+{
+ "args": [
+
+ ],
+ "provider": "EntraID",
+ "serviceType": "Groups",
+ "serviceName": "Microsoft Entra ID",
+ "displayName": "Ensure the Application Usage report is reviewed at least weekly",
+ "description": "The Application Usage report includes a usage summary for all Software as a Service (SaaS) applications that are integrated with the organization's directory.",
+ "rationale": "Review the list of app registrations on a regular basis to look for risky apps that users have enabled that could cause data spillage or accidental elevation of privilege. Attackers can often get access to data illicitly through third-party SaaS applications.",
+ "impact": null,
+ "remediation": {
+ "text": "
+ ###### To review the Application Usage report:
+ 1. Navigate to Microsoft Entra admin center https://entra.microsoft.com/.
+ 2. Click to expand Identity > Applications select Enterprise applications.
+ 3. Under Activity select Usage & insights.
+ 4. Review the information.
+ ",
+ "code": {
+ "powerShell": null,
+ "iac": null,
+ "terraform": null,
+ "other": null
+ }
+ },
+ "recommendation": null,
+ "references": [
+ "https://learn.microsoft.com/en-us/azure/active-directory/enterprise-users/groups-create-rule",
+ "https://learn.microsoft.com/en-us/azure/active-directory/enterprise-users/groups-dynamic-membership",
+ "https://learn.microsoft.com/en-us/azure/active-directory/external-identities/use-dynamic-groups"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations Benchmark",
+ "version": "3.1.0",
+ "reference": "5.1.5.1",
+ "profile": "E3 Level 1"
+ }
+ ],
+ "level": "info",
+ "tags": [
+ ],
+ "rule": {
+ "path": "",
+ "subPath": null,
+ "selectCondition": {
+
+ },
+ "query": [
+ ],
+ "shouldExist": "true",
+ "returnObject": null,
+ "removeIfNotExists": null
+ },
+ "output": {
+ "html": {
+ "data": {
+ "expandObject": null
+ },
+ "table": "Normal",
+ "decorate": [
+
+ ],
+ "emphasis": [
+
+ ],
+ "actions": {
+ "objectData": {
+ "properties": [
+ ],
+ "expandObject": null,
+ "limit": null
+ },
+ "showGoToButton": "True",
+ "showModalButton": "True",
+ "directLink": null
+ }
+ },
+ "text": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "status": {
+ "keyName": [
+
+ ],
+ "message": "Ensure the Application Usage report is reviewed at least weekly",
+ "defaultMessage": null
+ },
+ "properties": {
+ "resourceName": null,
+ "resourceId": null,
+ "resourceType": null
+ },
+ "onlyStatus": false
+ }
+ },
+ "idSuffix": "eid_application_usage_report_is_reviewed",
+ "notes": [
+
+ ],
+ "categories": [
+
+ ]
+}
+
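Review bot: `"showGoToButton": "True"` and `"showModalButton": "True"` are strings, while every other rule in this commit sets these flags as the JSON boolean `false`; a consumer testing truthiness would also treat `"False"` as on, and one comparing strictly against `true` will not recognise the string. Write them as `"showGoToButton": true,` and `"showModalButton": true,`. The `references` list (dynamic-group creation and membership articles) and `"serviceType": "Groups"` look copied from a groups rule and do not relate to the Application Usage report described in `remediation.text`; replace the references with ones about the Enterprise applications usage report and give the rule a service type consistent with its Entra ID peers rather than `Groups`.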
diff --git a/rules/findings/EntraID/Reports/CIS3.1/eid-risky-sign-ins-report-is-reviewed.json b/rules/findings/EntraID/Reports/CIS3.1/eid-risky-sign-ins-report-is-reviewed.json
new file mode 100644
index 00000000..57b92a9b
--- /dev/null
+++ b/rules/findings/EntraID/Reports/CIS3.1/eid-risky-sign-ins-report-is-reviewed.json
@@ -0,0 +1,119 @@
+{
+ "args": [
+
+ ],
+ "provider": "EntraID",
+ "serviceType": "Identity Protection",
+ "serviceName": "Microsoft Entra ID",
+ "displayName": "Ensure the Entra ID 'Risky sign-ins' report is reviewed at least weekly",
+ "description": "
+ This report contains records of accounts that have had activity that could indicate they are compromised, such as accounts that have:
+ * Successfully signed in after multiple failures, which is an indication that the accounts have cracked passwords.
+ * Signed in to tenant from a client IP address that has been recognized by Microsoft as an anonymous proxy IP address (such as a TOR network).
+ * Successful sign-ins from users where two sign-ins appeared to originate from different regions and the time between sign-ins makes it impossible for the user to have travelled between those regions.
+ ",
+ "rationale": "Reviewing this report on a regular basis allows for identification and remediation of compromised accounts.",
+ "impact": null,
+ "remediation": {
+ "text": "
+ ###### To review the 'Risky sign-ins' report:
+ 1. Navigate to the Microsoft Entra admin center https://entra.microsoft.com.
+ 2. Click expand Protection select Risky activities.
+ 3. Under Report click on Risky sign-ins.
+ 4. Review by Risk level (aggregate).
+ ",
+ "code": {
+ "powerShell": null,
+ "iac": null,
+ "terraform": null,
+ "other": null
+ }
+ },
+ "recommendation": null,
+ "references": [
+ "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection",
+ "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-remediate-unblock"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations Benchmark",
+ "version": "3.1.0",
+ "reference": "5.2.6.1",
+ "profile": "E5 Level 1"
+ }
+ ],
+ "level": "info",
+ "tags": [
+ ],
+ "rule": {
+ "path": "",
+ "subPath": null,
+ "selectCondition": {
+
+ },
+ "query": [
+ ],
+ "shouldExist": null,
+ "returnObject": null,
+ "removeIfNotExists": null
+ },
+ "output": {
+ "html": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "table": null,
+ "decorate": [
+
+ ],
+ "emphasis": [
+
+ ],
+ "actions": {
+ "objectData": {
+ "properties": [
+ "*"
+ ],
+ "expandObject": null,
+ "limit": null
+ },
+ "isManual":false,
+ "showGoToButton": false,
+ "showModalButton": false,
+ "directLink": null
+ }
+ },
+ "text": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "status": {
+ "keyName": [
+
+ ],
+ "message": "Ensure the Entra ID'Risky sign-ins' report is reviewed at least weekly",
+ "defaultMessage": null
+ },
+ "properties": {
+ "resourceName": null,
+ "resourceId": null,
+ "resourceType": null
+ },
+ "onlyStatus": false
+ }
+ },
+ "idSuffix": "eid_sign_in_report_is_reviewed",
+ "notes": [
+
+ ],
+ "categories": [
+
+ ]
+}
+
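Review bot: The `description` and `remediation.text` values span several physical lines with unescaped line breaks, which RFC 8259 does not allow inside a string; the renamed rules in this same diff encode equivalent content with escapes (`"text": "###### From Azure Console\r\n\t\t\t\t\t\t1. Go to ..."`), so unless the loader is known to accept raw control characters these should be single-line strings using `\n`. The same pattern recurs in the eid-sspr-password-reset-activity, eid-sspr-enabled-set-to-all, entra-security-defaults-disabled and entra-users-remember-mfa hunks. `"isManual":false` is placed under `output.html.actions` here, whereas the sspr-notify-admin rename adds `"isManual": false` under `rule`; a consumer that reads `rule.isManual` will not see this value, and the same placement appears in the eid-sspr-password-reset-activity, eid-sspr-number-of-days-mfa-reconfirm-days and eid-sspr-enabled-set-to-all hunks. The status message is also missing a space after the product name: `"message": "Ensure the Entra ID 'Risky sign-ins' report is reviewed at least weekly"`.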
diff --git a/rules/findings/EntraID/Reports/CIS3.1/eid-sspr-password-reset-activity-report-is-reviewed.json b/rules/findings/EntraID/Reports/CIS3.1/eid-sspr-password-reset-activity-report-is-reviewed.json
new file mode 100644
index 00000000..e0d16034
--- /dev/null
+++ b/rules/findings/EntraID/Reports/CIS3.1/eid-sspr-password-reset-activity-report-is-reviewed.json
@@ -0,0 +1,113 @@
+{
+ "args": [
+
+ ],
+ "provider": "EntraID",
+ "serviceType": "Identity Protection",
+ "serviceName": "Microsoft Entra ID",
+ "displayName": "Ensure the self-service password reset activity report is reviewed at least weekly",
+ "description": "The Microsoft 365 platform allows users to reset their password in the event they forget it. The self-service password reset activity report logs each time a user successfully resets their password this way. The self-service password reset activity report should be reviewed at least weekly.",
+ "rationale": "An attacker will commonly compromise an account, then change the password to something they control and can manage.",
+ "impact": null,
+ "remediation": {
+ "text": "
+ ###### To review the self-service password reset activity report:
+ 1. Navigate to Microsoft Entra admin center https://entra.microsoft.com/.
+ 2. Click to expand Protection > Password reset select Audit logs.
+ 3. Review the list of users who have reset their passwords by setting the Date to Last 7 days and Service to Self-service Password Management
+ ",
+ "code": {
+ "powerShell": null,
+ "iac": null,
+ "terraform": null,
+ "other": null
+ }
+ },
+ "recommendation": null,
+ "references": [
+ "https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-sspr-reporting",
+ "https://learn.microsoft.com/en-us/azure/active-directory/authentication/troubleshoot-sspr"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations Benchmark",
+ "version": "3.1.0",
+ "reference": "5.2.4.2",
+ "profile": "E3 Level 1"
+ }
+ ],
+ "level": "info",
+ "tags": [
+ ],
+ "rule": {
+ "path": "",
+ "subPath": null,
+ "selectCondition": {
+
+ },
+ "query": [
+ ],
+ "shouldExist": null,
+ "returnObject": null,
+ "removeIfNotExists": null
+ },
+ "output": {
+ "html": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "table": null,
+ "decorate": [
+
+ ],
+ "emphasis": [
+
+ ],
+ "actions": {
+ "objectData": {
+ "properties": [
+ "*"
+ ],
+ "expandObject": null,
+ "limit": null
+ },
+ "isManual":false,
+ "showGoToButton": false,
+ "showModalButton": false,
+ "directLink": null
+ }
+ },
+ "text": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "status": {
+ "keyName": [
+
+ ],
+ "message": "Ensure the self-service password reset activity report is reviewed at least weekly",
+ "defaultMessage": null
+ },
+ "properties": {
+ "resourceName": null,
+ "resourceId": null,
+ "resourceType": null
+ },
+ "onlyStatus": false
+ }
+ },
+ "idSuffix": "eid_sspr_password_reset_activity_report_is_reviewed",
+ "notes": [
+
+ ],
+ "categories": [
+
+ ]
+}
+
diff --git a/rules/findings/EntraId/SSPR/CIS1.4/azure-activedirectory-sspr-notify-admin-disabled.json b/rules/findings/EntraID/SSPR/CIS3.0/eid-sspr-notify-admin-other-admins-on-password-reset-disabled.json
similarity index 77%
rename from rules/findings/EntraId/SSPR/CIS1.4/azure-activedirectory-sspr-notify-admin-disabled.json
rename to rules/findings/EntraID/SSPR/CIS3.0/eid-sspr-notify-admin-other-admins-on-password-reset-disabled.json
index 7d4e1fd0..91130a85 100644
--- a/rules/findings/EntraId/SSPR/CIS1.4/azure-activedirectory-sspr-notify-admin-disabled.json
+++ b/rules/findings/EntraID/SSPR/CIS3.0/eid-sspr-notify-admin-other-admins-on-password-reset-disabled.json
@@ -1,14 +1,14 @@
-{
+{
"args": [
],
"provider": "EntraID",
"serviceType": "Identity Protection",
"serviceName": "Microsoft Entra ID",
- "displayName": "Ensure that \"Notify all admins when other admins reset their password?\" is set to \"Yes\"",
- "description": "Ensure that all administrators are notified if any other administrator resets their password.",
+ "displayName": "Ensure That 'Notify all admins when other admins reset their password?' is set to 'Yes'",
+ "description": "Ensure that all global administrators are notified if any other administrator resets their password.",
"rationale": "Administrator accounts are sensitive. Any password reset activity notification, when sent to all administrators, ensures that all administrators can passively confirm if such a reset is a common pattern within their group. For example, if all administrators change their password every 30 days, any password reset activity before that may require administrator(s) to evaluate any unusual activity and confirm its origin.",
- "impact": null,
+ "impact": "All Global Administrators will receive a notification from Azure every time a password is reset. This is useful for auditing procedures to confirm that there are no out of the ordinary password resets for Administrators. There is additional overhead, however, in the time required for Global Administrators to audit the notifications. This setting is only useful if all Global Administrators pay attention to the notifications and audit each one.",
"remediation": {
"text": "###### From Azure Console\r\n\t\t\t\t\t\t1. Go to `Microsoft Entra ID`\r\n\t\t\t\t\t\t2. Go to `Users`\r\n\t\t\t\t\t\t3. Go to `Password reset`\r\n\t\t\t\t\t\t4. Go to `Notification`\r\n\t\t\t\t\t\t4. Click on `Notify all admins when other admins reset their password?` to `Yes`",
"code": {
@@ -29,8 +29,9 @@
"compliance": [
{
"name": "CIS Microsoft Azure Foundations",
- "version": "1.3.1",
- "reference": "1.1.8"
+ "version": "3.0.0",
+ "reference": "2.11",
+ "profile":"Level 1"
}
],
"level": "medium",
@@ -59,6 +60,7 @@
]
}
],
+ "isManual": false,
"shouldExist": null,
"returnObject": null,
"removeIfNotExists": null
@@ -80,13 +82,15 @@
],
"actions": {
"objectData": {
- "expand": [
+ "properties": [
"*"
],
+ "expandObject": null,
"limit": null
},
"showGoToButton": false,
- "showModalButton": false
+ "showModalButton": false,
+ "directLink": null
}
},
"text": {
@@ -111,7 +115,7 @@
"onlyStatus": false
}
},
- "idSuffix": "aad_sspr_notify_admins_disabled",
+ "idSuffix": "eid_sspr_notify_admins_on_password_reset_disabled",
"notes": [
],
@@ -119,3 +123,4 @@
]
}
+
diff --git a/rules/findings/EntraId/SSPR/CIS1.4/azure-activedirectory-sspr-notify-users-disabled.json b/rules/findings/EntraID/SSPR/CIS3.0/eid-sspr-notify-users-on-password-reset-disabled.json
similarity index 84%
rename from rules/findings/EntraId/SSPR/CIS1.4/azure-activedirectory-sspr-notify-users-disabled.json
rename to rules/findings/EntraID/SSPR/CIS3.0/eid-sspr-notify-users-on-password-reset-disabled.json
index d6db11e2..05c75a2f 100644
--- a/rules/findings/EntraId/SSPR/CIS1.4/azure-activedirectory-sspr-notify-users-disabled.json
+++ b/rules/findings/EntraID/SSPR/CIS3.0/eid-sspr-notify-users-on-password-reset-disabled.json
@@ -1,14 +1,14 @@
-{
+{
"args": [
],
"provider": "EntraID",
"serviceType": "Identity Protection",
"serviceName": "Microsoft Entra ID",
- "displayName": "Ensure that \"Notify users on password resets?\" is set to \"Yes\"",
+ "displayName": "Ensure that 'Notify users on password resets?' is set to 'Yes'",
"description": "Ensure that users are notified on their primary and secondary emails on password resets.",
"rationale": "User notification on password reset is a passive way of confirming password reset activity. It helps the user to recognize unauthorized password reset activities.",
- "impact": null,
+ "impact": "Users will receive emails alerting them to password changes to both their primary and alternate emails.",
"remediation": {
"text": "###### From Azure Console\r\n\t\t\t\t\t\t1. Go to `Microsoft Entra ID`\r\n\t\t\t\t\t\t2. Go to `Users`\r\n\t\t\t\t\t\t3. Go to `Password reset`\r\n\t\t\t\t\t\t4. Go to `Notification`\r\n\t\t\t\t\t\t4. Click on `Notify users on password resets?` to `Yes`",
"code": {
@@ -27,13 +27,14 @@
"compliance": [
{
"name": "CIS Microsoft Azure Foundations",
- "version": "1.3.1",
- "reference": "1.1.7"
+ "version": "3.0.0",
+ "reference": "2.10",
+ "profile":"Level 1"
}
],
"level": "medium",
"tags": [
- "Microsoft 365 CIS benchmark 1.1.4",
+ "Microsoft 365 CIS benchmark",
"CIS Microsoft Azure Foundations"
],
"rule": {
@@ -78,13 +79,15 @@
],
"actions": {
"objectData": {
- "expand": [
+ "properties": [
"*"
],
+ "expandObject": null,
"limit": null
},
"showGoToButton": false,
- "showModalButton": false
+ "showModalButton": false,
+ "directLink": null
}
},
"text": {
@@ -109,7 +112,7 @@
"onlyStatus": false
}
},
- "idSuffix": "aad_sspr_notify_users_disabled",
+ "idSuffix": "eid_sspr_notify_users_on_password_reset_disabled",
"notes": [
],
@@ -117,3 +120,4 @@
]
}
+
diff --git a/rules/findings/EntraId/SSPR/CIS1.4/azure-activedirectory-sspr-mfa-reconfirm-days.json b/rules/findings/EntraID/SSPR/CIS3.0/eid-sspr-number-of-days-mfa-reconfirm-days.json
similarity index 75%
rename from rules/findings/EntraId/SSPR/CIS1.4/azure-activedirectory-sspr-mfa-reconfirm-days.json
rename to rules/findings/EntraID/SSPR/CIS3.0/eid-sspr-number-of-days-mfa-reconfirm-days.json
index e7f14b8d..e684afa4 100644
--- a/rules/findings/EntraId/SSPR/CIS1.4/azure-activedirectory-sspr-mfa-reconfirm-days.json
+++ b/rules/findings/EntraID/SSPR/CIS3.0/eid-sspr-number-of-days-mfa-reconfirm-days.json
@@ -1,13 +1,13 @@
-{
+{
"args": [
],
"provider": "EntraID",
"serviceType": "Identity Protection",
"serviceName": "Microsoft Entra ID",
- "displayName": "Ensure That \"Number of days before users are asked to re-confirm their authentication information\" is not set to \"0\"",
+ "displayName": "Ensure that 'Number of days before users are asked to reconfirm their authentication information' is not set to '0'",
"description": "Ensure that the number of days before users are asked to re-confirm their authentication information is not set to 0.",
- "rationale": "This setting is necessary if you have setup \u0027Require users to register when signing in option\u0027. If authentication re-confirmation is disabled, registered users will never be prompted to re-confirm their existing authentication information. If the authentication information for a user, such as a phone number or email changes, then the password reset information for that user reverts to the previously registered authentication information.",
+ "rationale": "This setting is necessary if you have setup 'Require users to register when signing in option'. If authentication re-confirmation is disabled, registered users will never be prompted to re-confirm their existing authentication information. If the authentication information for a user changes, such as a phone number or email, then the password reset information for that user reverts to the previously registered authentication information.",
"impact": "",
"remediation": {
"text": "###### From Azure Console\r\n\t\t\t\t\t\t1. Go to `Microsoft Entra ID`\r\n\t\t\t\t\t\t2. Go to `Users`\r\n\t\t\t\t\t\t3. Go to `Password reset`\r\n\t\t\t\t\t\t4. Go to `Registration`\r\n\t\t\t\t\t\t4. Ensure that `Number of days before users are asked to re-confirm their authentication information` is not set to `0`",
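Review bot: The new `rationale` reads "if you have setup 'Require users to register when signing in option'", where the verb should be "set up" (`"This setting is necessary if you have set up the 'Require users to register when signing in' option."`). The new `displayName` uses "reconfirm" while the `description` and the unchanged `remediation.text` in the same file keep "re-confirm"; whichever spelling the benchmark title uses, the file should use one form throughout, since the display name is what analysts search on.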
@@ -27,13 +27,14 @@
"compliance": [
{
"name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "1.6"
+ "version": "3.0.0",
+ "reference": "2.9",
+ "profile":"Level 1"
}
],
"level": "medium",
"tags": [
- "Microsoft 365 CIS benchmark 1.6",
+ "Microsoft 365 CIS benchmark",
"CIS Microsoft Azure Foundations"
],
"rule": {
@@ -78,13 +79,16 @@
],
"actions": {
"objectData": {
- "expand": [
+ "properties": [
"*"
],
+ "expandObject": null,
"limit": null
},
+ "isManual":false,
"showGoToButton": false,
- "showModalButton": false
+ "showModalButton": false,
+ "directLink": null
}
},
"text": {
@@ -109,7 +113,7 @@
"onlyStatus": false
}
},
- "idSuffix": "aad_sspr_mfa_auth_reconfirm_disabled",
+ "idSuffix": "eid_sspr_mfa_auth_reconfirm_disabled",
"notes": [
],
@@ -117,3 +121,4 @@
]
}
+
diff --git a/rules/findings/EntraId/SSPR/CIS1.4/azure-activedirectory-sspr-reset-methods.json b/rules/findings/EntraID/SSPR/CIS3.0/eid-sspr-reset-number-of-methods.json
similarity index 80%
rename from rules/findings/EntraId/SSPR/CIS1.4/azure-activedirectory-sspr-reset-methods.json
rename to rules/findings/EntraID/SSPR/CIS3.0/eid-sspr-reset-number-of-methods.json
index 52b44e16..bc002b84 100644
--- a/rules/findings/EntraId/SSPR/CIS1.4/azure-activedirectory-sspr-reset-methods.json
+++ b/rules/findings/EntraID/SSPR/CIS3.0/eid-sspr-reset-number-of-methods.json
@@ -1,13 +1,13 @@
-{
+{
"args": [
],
"provider": "EntraID",
"serviceType": "Identity Protection",
"serviceName": "Microsoft Entra ID",
- "displayName": "Ensure That \u0027Number of methods required to reset\u0027 is set to \u00272\u0027",
+ "displayName": "Ensure That 'Number of methods required to reset' is set to '2'",
"description": "Ensures that two alternate forms of identification are provided before allowing a password reset.",
- "rationale": "With a Self-service Password Reset (SSPR) that uses Azure Multi-factor Authentication (MFA) ensures the user\u0027s identity is confirmed using two separate methods of identification. With multiple methods set, an attacker would have to compromise both methods before they could maliciously reset a user\u0027s password.",
+ "rationale": "A Self-service Password Reset (SSPR) through Azure Multi-factor Authentication (MFA) ensures the user's identity is confirmed using two separate methods of identification. With multiple methods set, an attacker would have to compromise both methods before they could maliciously reset a user's password.",
"impact": "There may be administrative overhead as users who lose access to their secondary authentication methods will need an administrator with permissions to remove it. There will also need to be an organization wide security policy and training to teach administrators to verify the identity of the requesting user, so that social engineering can not render this setting useless.",
"remediation": {
"text": "###### From Azure Console\r\n\t\t\t\t\t\t1. Go to `Microsoft Entra ID`\r\n\t\t\t\t\t\t2. Go to `Users`\r\n\t\t\t\t\t\t3. Go to `Password reset`\r\n\t\t\t\t\t\t4. Go to `Authentication methods`\r\n\t\t\t\t\t\t4. Ensure that `Number of methods required to reset` is set to `2`",
@@ -27,13 +27,14 @@
"compliance": [
{
"name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "1.5"
+ "version": "3.0.0",
+ "reference": "2.5",
+ "profile":"Level 2"
}
],
"level": "medium",
"tags": [
- "Microsoft 365 CIS benchmark 1.5",
+ "Microsoft 365 CIS benchmark",
"CIS Microsoft Azure Foundations"
],
"rule": {
@@ -57,6 +58,7 @@
]
}
],
+ "isManual":"false",
"shouldExist": null,
"returnObject": null,
"removeIfNotExists": null
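Review bot: `"isManual":"false"` is a string, while the equivalent line added to the eid-sspr-notify-admin rule in this diff is the boolean `"isManual": false`; in PowerShell and JavaScript a non-empty string is truthy, so a consumer that tests this field directly could treat the rule as manual and skip its automated evaluation. It should be `"isManual": false`. The entra-users-remember-mfa hunk has the same problem in the other direction (`"isManual": "true"`, `"removeIfNotExists": "false"`, `"showGoToButton": "False"`, `"showModalButton": "False"`), and the risk there is the mirror image: a string-based flag may not match a boolean comparison at all.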
@@ -78,13 +80,15 @@
],
"actions": {
"objectData": {
- "expand": [
+ "properties": [
"*"
],
+ "expandObject": null,
"limit": null
},
"showGoToButton": false,
- "showModalButton": false
+ "showModalButton": false,
+ "directLink": null
}
},
"text": {
@@ -109,7 +113,7 @@
"onlyStatus": false
}
},
- "idSuffix": "aad_sspr_auth_methods_not_enforced",
+ "idSuffix": "eid_sspr_auth_methods_not_enforced",
"notes": [
],
@@ -117,3 +121,4 @@
]
}
+
diff --git a/rules/findings/EntraID/SSPR/CIS3.1/eid-sspr-enabled-set-to-all.json b/rules/findings/EntraID/SSPR/CIS3.1/eid-sspr-enabled-set-to-all.json
new file mode 100644
index 00000000..91c9d375
--- /dev/null
+++ b/rules/findings/EntraID/SSPR/CIS3.1/eid-sspr-enabled-set-to-all.json
@@ -0,0 +1,120 @@
+{
+ "args": [
+
+ ],
+ "provider": "EntraID",
+ "serviceType": "Identity Protection",
+ "serviceName": "Microsoft Entra ID",
+ "displayName": "Ensure 'Self service password reset enabled' is set to 'All'",
+ "description": "
+ Enabling self-service password reset allows users to reset their own passwords in Entra ID. When users sign in to Microsoft 365, they will be prompted to enter additional contact information that will help them reset their password in the future. If combined registration is enabled additional information, outside of multi-factor, will not be needed.
+ **NOTE** : Effective Oct. 1st, 2022, Microsoft will begin to enable combined registration for all users in Entra ID tenants created before August 15th, 2020. Tenants created after this date are enabled with combined registration by default.
+ ",
+ "rationale": "Users will no longer need to engage the helpdesk for password resets, and the password reset mechanism will automatically block common, easily guessable passwords.",
+ "impact": "
+ Users will be required to provide additional contact information to enroll in self-service password reset. Additionally, minor user education may be required for users that are used to calling a help desk for assistance with password resets.
+ **NOTE** : This is unavailable if using Entra Connect / Sync in a hybrid environment.
+ ",
+ "remediation": {
+ "text": "
+ ###### To enable self-service password reset:
+ 1. Navigate to Microsoft Entra admin center https://entra.microsoft.com/.
+ 2. Click to expand Protection > Password reset select Properties.
+ 3. Set Self service password reset enabled to All
+ ",
+ "code": {
+ "powerShell": null,
+ "iac": null,
+ "terraform": null,
+ "other": null
+ }
+ },
+ "recommendation": null,
+ "references": [
+ "https://docs.microsoft.com/en-us/azure/active-directory/active-directory-passwords-how-it-works#notifications",
+ "https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-sspr-deployment",
+ "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-6-define-identity-and-privileged-access-strategy"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations Benchmark",
+ "version": "3.1.0",
+ "reference": "5.2.4.1",
+ "profile": "E3 Level 1"
+ }
+ ],
+ "level": "medium",
+ "tags": [
+ ],
+ "rule": {
+ "path": "",
+ "subPath": null,
+ "selectCondition": {
+
+ },
+ "query": [
+ ],
+ "shouldExist": null,
+ "returnObject": null,
+ "removeIfNotExists": null
+ },
+ "output": {
+ "html": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "table": null,
+ "decorate": [
+
+ ],
+ "emphasis": [
+
+ ],
+ "actions": {
+ "objectData": {
+ "properties": [
+ "*"
+ ],
+ "expandObject": null,
+ "limit": null
+ },
+ "isManual":false,
+ "showGoToButton": false,
+ "showModalButton": false,
+ "directLink": null
+ }
+ },
+ "text": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "status": {
+ "keyName": [
+
+ ],
+ "message": "Ensure 'Self service password reset enabled' is set to 'All'",
+ "defaultMessage": null
+ },
+ "properties": {
+ "resourceName": null,
+ "resourceId": null,
+ "resourceType": null
+ },
+ "onlyStatus": false
+ }
+ },
+ "idSuffix": "eid_sspr_disabled_not_enabled_all",
+ "notes": [
+
+ ],
+ "categories": [
+
+ ]
+}
+
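Review bot: With `"path": ""`, an empty `query`, `"shouldExist": null` and `"isManual":false`, this rule has nothing to evaluate, yet it carries `"level": "medium"` and a non-null status `message`; if the engine skips rules whose path resolves to no data, this SSPR control will silently never produce a finding, which is worse for a benchmark run than a manual-review entry. Either mark it manual (`"isManual": true` under `rule`, as the entra-users-remember-mfa hunk does) or give it a `path`/`query` over the SSPR policy data the other SSPR rules in this diff already inspect. I cannot confirm the engine's behaviour on empty paths from the diff alone, so this should be checked against the loader.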
diff --git a/rules/findings/EntraID/SecurityDefaults/CIS3.0/entra-security-defaults-disabled.json b/rules/findings/EntraID/SecurityDefaults/CIS3.0/entra-security-defaults-disabled.json
new file mode 100644
index 00000000..8c785419
--- /dev/null
+++ b/rules/findings/EntraID/SecurityDefaults/CIS3.0/entra-security-defaults-disabled.json
@@ -0,0 +1,124 @@
+{
+ "args": [
+
+ ],
+ "provider": "EntraID",
+ "serviceType": "General",
+ "serviceName": "Microsoft Entra ID",
+ "displayName": "Ensure Security Defaults is enabled on Microsoft Entra ID",
+ "description": "
+ #### IMPORTANT - Please read the section overview
+ If your organization pays for Microsoft Entra ID licensing (included in Microsoft 365 E3, E5, or F5, and EM&S E3 or E5 licenses) and CAN use Conditional Access, ignore the recommendations in this section and proceed to the Conditional Access section.
Security defaults in Microsoft Entra ID make it easier to be secure and help protect your organization. Security defaults contain preconfigured security settings for common attacks.
Security defaults is available to everyone. The goal is to ensure that all organizations have a basic level of security enabled at no extra cost. You may turn on security defaults in the Azure portal.",
+ "rationale": "Security defaults provide secure default settings that we manage on behalf of organizations to keep customers safe until they are ready to manage their own identity security settings.
For example, doing the following:
* Requiring all users and admins to register for MFA.
* Challenging users with MFA - when necessary, based on factors such as location, device, role, and task.
* Disabling authentication from legacy authentication clients, which can’t do MFA.",
+ "impact": "This recommendation should be implemented initially and then may be overridden by other service/product specific CIS Benchmarks. Administrators should also be aware that certain configurations in Microsoft Entra ID may impact other Microsoft services such as Microsoft 365.",
+ "remediation": {
+ "text": "###### From Azure Portal
To enable security defaults in your directory:
1. From Azure Home select the Portal Menu.
2. Browse to `Microsoft Entra ID` > Properties
3. Select `Manage security defaults`
4. Under `Security defaults`, select `Enabled (recommended)`.
5. Select `Save`",
+ "code": {
+ "powerShell": null,
+ "iac": null,
+ "terraform": null,
+ "other": null
+ }
+ },
+ "recommendation": null,
+ "references": [
+ "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/users-default-permissions",
+ "http://www.rebeladmin.com/2019/04/step-step-guide-restrict-azure-ad-administration-portal/",
+ "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-defaults",
+ "https://techcommunity.microsoft.com/t5/azure-active-directory-identity/introducing-security-defaults/ba-p/1061414"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations",
+ "version": "3.0.0",
+ "reference": "2.1.1",
+ "Profile": "Level 1"
+ }
+ ],
+ "level": "medium",
+ "tags": [
+ ],
+ "rule": {
+ "path": "aad_security_default_status",
+ "subPath": null,
+ "selectCondition": {
+
+ },
+ "query": [
+ {
+ "filter": [
+ {
+ "conditions": [
+ [
+ "securityDefaultsEnabled",
+ "eq",
+ "False"
+ ]
+ ]
+ }
+ ]
+ }
+ ],
+ "shouldExist": null,
+ "returnObject": null,
+ "removeIfNotExists": null
+ },
+ "output": {
+ "html": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "table": null,
+ "decorate": [
+
+ ],
+ "emphasis": [
+
+ ],
+ "actions": {
+ "objectData": {
+ "properties": [
+ "*"
+ ],
+ "expandObject": null,
+ "limit": null
+ },
+ "showGoToButton": false,
+ "showModalButton": false,
+ "directLink": null
+ }
+ },
+ "text": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "status": {
+ "keyName": [
+
+ ],
+ "message": "Security Defaults is disabled",
+ "defaultMessage": null
+ },
+ "properties": {
+ "resourceName": null,
+ "resourceId": null,
+ "resourceType": null
+ },
+ "onlyStatus": false
+ }
+ },
+ "idSuffix": "aad_sbd_disabled",
+ "notes": [
+
+ ],
+ "categories": [
+
+ ]
+}
+
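Review bot: The compliance entry uses the key `"Profile"` with a capital P, while every other rule in this diff uses `"profile"`; key names are case-sensitive, so a report grouping by `profile` will drop this control. The entry's `"name": "CIS Microsoft 365 Foundations"` also sits next to `"version": "3.0.0"` and `"reference": "2.1.1"`, which is the same version and reference the sibling rename in this diff labels `"CIS Microsoft Azure Foundations Benchmark"`, and this file shares that sibling's `"path": "aad_security_default_status"` and its old `"idSuffix": "aad_sbd_disabled"`; it appears to be a duplicate of entra-security-defaults-enabled.json rather than a distinct control, so the two should be reconciled or one removed. The rebeladmin reference is a plain `http://` URL; the other references here are HTTPS.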
diff --git a/rules/findings/EntraId/General/CIS1.4/aad-security-defaults-disabled.json b/rules/findings/EntraID/SecurityDefaults/CIS3.0/entra-security-defaults-enabled.json
similarity index 92%
rename from rules/findings/EntraId/General/CIS1.4/aad-security-defaults-disabled.json
rename to rules/findings/EntraID/SecurityDefaults/CIS3.0/entra-security-defaults-enabled.json
index d412b7a3..c215ead0 100644
--- a/rules/findings/EntraId/General/CIS1.4/aad-security-defaults-disabled.json
+++ b/rules/findings/EntraID/SecurityDefaults/CIS3.0/entra-security-defaults-enabled.json
@@ -1,4 +1,4 @@
-{
+{
"args": [
],
@@ -27,14 +27,14 @@
],
"compliance": [
{
- "name": "CIS Microsoft 365 Foundations",
- "version": "1.4.0",
- "reference": "1.21"
+ "name": "CIS Microsoft Azure Foundations Benchmark",
+ "version": "3.0.0",
+ "reference": "2.1.1",
+ "profile": "Level 1"
}
],
"level": "medium",
"tags": [
- "Microsoft 365 CIS benchmark 1.21"
],
"rule": {
"path": "aad_security_default_status",
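Review bot: The compliance `name` is changed to `"CIS Microsoft Azure Foundations Benchmark"`, but every other Azure-benchmark entry in this diff (the four SSPR renames and the entra-users-remember-mfa rule) uses `"CIS Microsoft Azure Foundations"`; reports and filters that key on the benchmark name will split this control off from the rest of the 3.0.0 set. Use one string for the benchmark across the rule set, `"name": "CIS Microsoft Azure Foundations"` being the form already in use.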
@@ -78,13 +78,15 @@
],
"actions": {
"objectData": {
- "expand": [
+ "properties": [
"*"
],
+ "expandObject": null,
"limit": null
},
"showGoToButton": false,
- "showModalButton": false
+ "showModalButton": false,
+ "directLink": null
}
},
"text": {
@@ -109,7 +111,7 @@
"onlyStatus": false
}
},
- "idSuffix": "aad_sbd_disabled",
+ "idSuffix": "eid_sbd_disabled",
"notes": [
],
@@ -117,3 +119,4 @@
]
}
+
diff --git a/rules/findings/EntraID/SecurityDefaults/CIS3.0/entra-users-remember-mfa-on-devices-disabled.json b/rules/findings/EntraID/SecurityDefaults/CIS3.0/entra-users-remember-mfa-on-devices-disabled.json
new file mode 100644
index 00000000..c4ae21d4
--- /dev/null
+++ b/rules/findings/EntraID/SecurityDefaults/CIS3.0/entra-users-remember-mfa-on-devices-disabled.json
@@ -0,0 +1,108 @@
+{
+ "args": [
+
+ ],
+ "provider": "EntraID",
+ "serviceType": "General",
+ "serviceName": "Microsoft Entra ID",
+ "displayName": "Ensure that 'Allow users to remember multi-factor authentication on devices they trust' is Disabled",
+ "description": "
+ ###### IMPORTANT - Please read the section overview
+ If your organization pays for Microsoft Entra ID licensing (included in Microsoft 365 E3, E5, or F5, and EM&S E3 or E5 licenses) and CAN use Conditional Access, ignore the recommendations in this section and proceed to the Conditional Access section.
+ Do not allow users to remember multi-factor authentication on devices.
+ ",
+ "rationale": "Remembering Multi-Factor Authentication (MFA) for devices and browsers allows users to have the option to bypass MFA for a set number of days after performing a successful sign-in using MFA. This can enhance usability by minimizing the number of times a user may need to perform two-step verification on the same device. However, if an account or device is compromised, remembering MFA for trusted devices may affect security. Hence, it is recommended that users not be allowed to bypass MFA.",
+ "impact": "For every login attempt, the user will be required to perform multi-factor authentication.",
+ "remediation": {
+ "text": "
+ ###### Remediate from Azure Portal
+
+ 1. From Azure Home select the Portal Menu
+ 2. Select `Microsoft Entra ID` blade
+ 3. Under `Manage`, click `Users`
+ 4. Click on the `Per-User MFA` button in the top row menu
+ 5. Click on `Service settings`
+ 6. Uncheck the box next to `Allow users to remember multi-factor authentication on devices they trust`
+ 7. Click `Save`
+ ",
+ "code": {
+ "powerShell": null,
+ "iac": null,
+ "terraform": null,
+ "other": null
+ }
+ },
+ "recommendation": null,
+ "references": [
+ "https://learn.microsoft.com/en-us/entra/identity/authentication/howto-mfa-mfasettings#remember-multi-factor-authentication-for-devices-that-users-trust",
+ "https://learn.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-identity-management#im-4-use-strong-authentication-controls-for-all-azure-active-directory-based-access",
+ "https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-identity-management#im-6-use-strong-authentication-controls"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "3.0.0",
+ "reference": "2.1.4",
+ "profile": "Level 1"
+ }
+ ],
+ "level": "medium",
+ "tags": [
+
+ ],
+ "rule": {
+ "isManual": "true",
+ "shouldExist": null,
+ "returnObject": null,
+ "removeIfNotExists": "false"
+ },
+ "output": {
+ "html": {
+ "data": {
+ },
+ "table": "Normal",
+ "decorate": [
+
+ ],
+ "emphasis": [
+
+ ],
+ "actions": {
+ "objectData": {
+ "properties": [
+ "*"
+ ],
+ "expandObject": "",
+ "limit": null
+ },
+ "showGoToButton": "False",
+ "showModalButton": "False",
+ "directLink": null
+ }
+ },
+ "text": {
+ "data": {
+ "properties": {
+ },
+ "expandObject": ""
+ },
+ "status": {
+ "keyName": [
+ ],
+ "message": "",
+ "defaultMessage": "Ensure that 'Allow users to remember multi-factor authentication on devices they trust' is Disabled"
+ },
+ "properties": {
+ },
+ "onlyStatus": true
+ }
+ },
+ "idSuffix": "eid_users_remember_mfa_trusted_devices_disabled",
+ "notes": [
+
+ ],
+ "categories": [
+
+ ]
+}
+
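Review bot: The `rule` object here omits `path`, `subPath`, `selectCondition` and `query`, which every other rule in this diff carries even when empty, and `output.html.data` is an empty object rather than the `{ "properties": {}, "expandObject": null }` shape used elsewhere; if the loader indexes those keys without a presence check this file will fail to load, and either way a uniform shape makes schema validation of the rule set possible. `"expandObject": ""` likewise diverges from the `null` used in the sibling files for the same key. The string-typed booleans in this hunk are noted on the eid-sspr-reset-number-of-methods hunk.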
diff --git a/rules/findings/EntraID/Users/CIS3.1/eid-per-user-mfa-disabled.json b/rules/findings/EntraID/Users/CIS3.1/eid-per-user-mfa-disabled.json
new file mode 100644
index 00000000..56ad3798
--- /dev/null
+++ b/rules/findings/EntraID/Users/CIS3.1/eid-per-user-mfa-disabled.json
@@ -0,0 +1,115 @@
+{
+ "args": [
+
+ ],
+ "provider": "EntraID",
+ "serviceType": "Users",
+ "serviceName": "Microsoft Entra ID",
+ "displayName": "Ensure 'Per-user MFA' is disabled",
+ "description": "Legacy per-user Multi-Factor Authentication (MFA) can be configured to require individual users to provide multiple authentication factors, such as passwords and additional verification codes, to access their accounts. It was introduced in earlier versions of Office 365, prior to the more comprehensive implementation of Conditional Access (CA).",
+ "rationale": "Both security defaults and conditional access with security defaults turned off are not compatible with per-user multi-factor authentication (MFA), which can lead to undesirable user authentication states. The CIS Microsoft 365 Benchmark explicitly employs Conditional Access for MFA as an enhancement over security defaults and as a replacement for the outdated per-user MFA. To ensure a consistent authentication state disable per-user MFA on all accounts.",
+ "impact": "
+ Accounts using per-user MFA will need to be migrated to use CA.
+ Prior to disabling per-user MFA the organization must be prepared to implement conditional access MFA to avoid security gaps and allow for a smooth transition. This will help ensure relevant accounts are covered by MFA during the change phase from disabling per-user MFA to enabling CA MFA. Section 5.2.2 in this document covers creating of a CA rule for both administrators and all users in the tenant. Microsoft has documentation on migrating from per-user MFA Convert users from per-user MFA to Conditional Access based MFA https://learn.microsoft.com/en-us/entra/identity/authentication/howto-mfa-getstarted#convert-users-from-per-user-mfa-to-conditional-access-based-mfa .
+ ",
+ "remediation": {
+ "text": "
+ ###### Disable per-user MFA using the UI:
+ 1. Navigate to Microsoft Entra admin center https://entra.microsoft.com/.
+ 2. Click to expand Identity > Users select All users.
+ 3. Click on Per-user MFA on the top row.
+ 4. Click the empty box next to Display Name to select all accounts.
+ 5. On the far right under quick steps click Disable.
+ ",
+ "code": {
+ "powerShell": null,
+ "iac": null,
+ "terraform": null,
+ "other": null
+ }
+ },
+ "recommendation": null,
+ "references": [
+ "https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates#convert-users-from-per-user-mfa-to-conditional-access",
+ "https://learn.microsoft.com/en-us/microsoft-365/admin/security-and-compliance/set-up-multi-factor-authentication?view=o365-worldwide#use-conditional-access-policies",
+ "https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates#convert-per-user-mfa-enabled-and-enforced-users-to-disabled"
+
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations Benchmark",
+ "version": "3.1.0",
+ "reference": "5.1.2.1",
+ "profile": "E3 Level 1"
+ }
+ ],
+ "level": "low",
+ "tags": [
+ ],
+ "rule": {
+ "path": "",
+ "subPath": null,
+ "selectCondition": {
+
+ },
+ "query": [
+ ],
+ "shouldExist": "true",
+ "returnObject": null,
+ "removeIfNotExists": null
+ },
+ "output": {
+ "html": {
+ "data": {
+ "expandObject": null
+ },
+ "table": "Normal",
+ "decorate": [
+
+ ],
+ "emphasis": [
+
+ ],
+ "actions": {
+ "objectData": {
+ "properties": [
+ ],
+ "expandObject": null,
+ "limit": null
+ },
+ "showGoToButton": "True",
+ "showModalButton": "True",
+ "directLink": null
+ }
+ },
+ "text": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "status": {
+ "keyName": [
+
+ ],
+ "message": "Ensure 'Per-user MFA' is disabled",
+ "defaultMessage": null
+ },
+ "properties": {
+ "resourceName": null,
+ "resourceId": null,
+ "resourceType": null
+ },
+ "onlyStatus": false
+ }
+ },
+ "idSuffix": "eid_per_user_mfa_enabled",
+ "notes": [
+
+ ],
+ "categories": [
+
+ ]
+}
+
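Review bot: The `rule` object of the new file has `"path": ""` and an empty `query` yet asserts `"shouldExist": "true"` with no `isManual` marker, so unless the loader treats an empty path as a manual check this rule is evaluated against no data and will either never fire or fire unconditionally. The sibling rule added just above it (`eid_users_remember_mfa_trusted_devices_disabled`) covers the same UI-only situation with `"isManual": "true"`, `"shouldExist": null`, `"removeIfNotExists": "false"` and no path/query at all; this rule should either mirror that shape or name the real data source and conditions. Separately, the `impact` and `remediation.text` strings contain literal line breaks, which RFC 8259 does not permit inside a string, whereas the rule files this commit deletes encode the same content with `\r\n` escapes, so a strict parser would reject the new file while accepting the old ones. The `status.message` also repeats the recommendation title instead of describing the failing state as the other rules do (e.g. `Security Defaults is enabled`); a message such as `Per-user MFA is enabled for one or more accounts` would read correctly in a finding.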
diff --git a/rules/findings/EntraId/Conditional Access/monkey/aad-cap-block-high-risk-users-not-enabled.json b/rules/findings/EntraId/Conditional Access/monkey/aad-cap-block-high-risk-users-not-enabled.json
deleted file mode 100644
index 3b2be8ae..00000000
--- a/rules/findings/EntraId/Conditional Access/monkey/aad-cap-block-high-risk-users-not-enabled.json
+++ /dev/null
@@ -1,159 +0,0 @@
-{
- "args": [
-
- ],
- "provider": "EntraID",
- "serviceType": "Conditional Access",
- "serviceName": "Microsoft Entra ID",
- "displayName": "Ensure that a Conditional Access Policy exists to block users categorized as high risk",
- "description": "Use Conditional Access to block users categorized as high risk.",
- "rationale": "Blocking high-risk users may prevent compromised accounts from accessing the tenant.",
- "impact": "",
- "remediation": {
- "text": "###### From Azure Console\r\n\t\t\t\t\t1. From Azure Home open the Portal Menu in top left, and select Microsoft Entra ID\r\n\t\t\t\t\t2. Scroll down in the menu on the left, and select `Security`\r\n\t\t\t\t\t3. Select on the left side `Conditional Access`\r\n\t\t\t\t\t4. Click the `+ New policy`",
- "code": {
- "powerShell": null,
- "iac": null,
- "terraform": null,
- "other": null
- }
- },
- "recommendation": null,
- "references": [
- "https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-admin-mfa",
- "https://learn.microsoft.com/en-us/azure/active-directory/roles/security-emergency-access",
- "https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/troubleshoot-conditional-access-what-if",
- "https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/plan-conditional-access",
- "https://learn.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-identity-management#im-7-restrict-resource-access-based-on--conditions"
- ],
- "compliance": [
- "Monkey365"
- ],
- "level": "medium",
- "tags": [
-
- ],
- "rule": {
- "path": "aad_conditional_access_policy",
- "subPath": null,
- "selectCondition": {
-
- },
- "query": [
- {
- "operator": "and",
- "filter": [
- {
- "conditions": [
- [
- "state",
- "ne",
- "true"
- ],
- [
- "conditions.users.includeUsers",
- "eq",
- "All"
- ],
- [
- "conditions.applications.includeApplications",
- "eq",
- "All"
- ]
- ],
- "operator": "and"
- },
- {
- "conditions": [
- [
- "conditions.userRiskLevels",
- "match",
- "high"
- ]
- ]
- }
- ]
- },
- {
- "connectOperator": "and",
- "filter": [
- {
- "conditions": [
- [
- "grantControls.builtInControls",
- "eq",
- "block"
- ]
- ]
- }
- ]
- }
- ],
- "shouldExist": "true",
- "returnObject": null,
- "removeIfNotExists": null
- },
- "output": {
- "html": {
- "data": {
- "properties": {
- "displayName": "Name",
- "state": "Status",
- "conditions.applications.includeApplications": "Applications",
- "conditions.users.includeUsers": "Users",
- "conditions.userRiskLevels": "User Risk Levels",
- "grantControls.operator": "Operator",
- "grantControls.builtInControls": "BuiltIn Controls"
- },
- "expandObject": null
- },
- "table": null,
- "decorate": [
-
- ],
- "emphasis": [
-
- ],
- "actions": {
- "objectData": {
- "expand": [
- "*"
- ],
- "limit": null
- },
- "showGoToButton": false,
- "showModalButton": false
- }
- },
- "text": {
- "data": {
- "properties": {
- "displayName": "displayName",
- "id": "id",
- "@odata.context": "type"
- },
- "expandObject": null
- },
- "status": {
- "keyName": [
- "displayName"
- ],
- "message": "The {displayName} policy is not configured to block users categorized as high risk",
- "defaultMessage": "Ensure that a Conditional Access Policy exists to block users categorized as high risk"
- },
- "properties": {
- "resourceName": "displayName",
- "resourceId": "id",
- "resourceType": "type"
- },
- "onlyStatus": true
- }
- },
- "idSuffix": "aad_cap_block_high_risk_users",
- "notes": [
-
- ],
- "categories": [
-
- ]
-}
diff --git a/rules/findings/EntraId/Conditional Access/monkey/aad-ensure-phishing-resistant-mfa-for-all-users-missing-cap.json b/rules/findings/EntraId/Conditional Access/monkey/aad-ensure-phishing-resistant-mfa-for-all-users-missing-cap.json
deleted file mode 100644
index be307103..00000000
--- a/rules/findings/EntraId/Conditional Access/monkey/aad-ensure-phishing-resistant-mfa-for-all-users-missing-cap.json
+++ /dev/null
@@ -1,155 +0,0 @@
-{
- "args": [
-
- ],
- "provider": "EntraID",
- "serviceType": "Conditional Access",
- "serviceName": "Microsoft Entra ID",
- "displayName": "Ensure that a phishing-resistant Multi-factor Authentication Policy Exists for All Users",
- "description": "For designated users, they will be prompted to use their phishing-resistant multi-factor authentication (MFA) process on logins.",
- "rationale": "Enabling multi-factor authentication is a recommended setting to limit the potential of accounts being compromised and limiting access to authenticated personnel.",
- "impact": "There is an increased cost, as Conditional Access policies require Microsoft Entra ID Premium. Similarly, this may require additional overhead to maintain if users lose access to their MFA.",
- "remediation": {
- "text": "###### From Azure Console\r\n\t\t\t\t\t1. From Azure Home open the Portal Menu in top left, and select Microsoft Entra ID\r\n\t\t\t\t\t2. Scroll down in the menu on the left, and select `Security`\r\n\t\t\t\t\t3. Select on the left side `Conditional Access`\r\n\t\t\t\t\t4. Click the `+ New policy`",
- "code": {
- "powerShell": null,
- "iac": null,
- "terraform": null,
- "other": null
- }
- },
- "recommendation": null,
- "references": [
- "https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-admin-mfa",
- "https://learn.microsoft.com/en-us/azure/active-directory/roles/security-emergency-access",
- "https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/troubleshoot-conditional-access-what-if",
- "https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/plan-conditional-access",
- "https://learn.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-identity-management#im-7-restrict-resource-access-based-on--conditions"
- ],
- "compliance": [
- {
- "name": "Monkey365",
- "version": "0.91.3"
- }
- ],
- "level": "medium",
- "tags": [
-
- ],
- "rule": {
- "path": "aad_conditional_access_policy",
- "subPath": null,
- "selectCondition": {
-
- },
- "query": [
- {
- "filter": [
- {
- "conditions": [
- [
- "state",
- "eq",
- "true"
- ],
- [
- "conditions.users.includeUsers",
- "eq",
- "All"
- ],
- [
- "conditions.applications.includeApplications",
- "eq",
- "All"
- ]
- ],
- "operator": "and"
- }
- ]
- },
- {
- "connectOperator": "and",
- "filter": [
- {
- "conditions": [
- [
- "grantControls.operator",
- "eq",
- "OR"
- ],
- [
- "grantControls.authenticationStrength.id",
- "imatch",
- "00000000-0000-0000-0000-000000000004"
- ]
- ],
- "operator": "and"
- }
- ]
- }
- ],
- "shouldExist": "true",
- "returnObject": null,
- "removeIfNotExists": null
- },
- "output": {
- "html": {
- "data": {
- "properties": {
- "displayName": "Name",
- "state": "Status",
- "conditions.applications.includeApplications": "Applications",
- "conditions.users.includeUsers": "Users",
- "grantControls.operator": "Operator",
- "grantControls.authenticationStrength.displayName": "Authentication Strength"
- },
- "expandObject": null
- },
- "table": null,
- "decorate": [
-
- ],
- "emphasis": [
-
- ],
- "actions": {
- "objectData": {
- "expand": [
- "*"
- ],
- "limit": null
- },
- "showGoToButton": false,
- "showModalButton": false
- }
- },
- "text": {
- "data": {
- "properties": {
-
- },
- "expandObject": null
- },
- "status": {
- "keyName": [
- "displayName"
- ],
- "message": "The {displayName} policy is not configured to require phishing-resistant MFA for all users",
- "defaultMessage": null
- },
- "properties": {
- "resourceName": "displayName",
- "resourceId": "id",
- "resourceType": "@odata.context"
- },
- "onlyStatus": true
- }
- },
- "idSuffix": "aad_cap_force_phishing_resistant_mfa_all_users",
- "notes": [
-
- ],
- "categories": [
-
- ]
-}
diff --git a/rules/findings/EntraId/Conditional Access/monkey/aad-require-device-compliant-all-apps-missing-cap.json b/rules/findings/EntraId/Conditional Access/monkey/aad-require-device-compliant-all-apps-missing-cap.json
deleted file mode 100644
index 1047e245..00000000
--- a/rules/findings/EntraId/Conditional Access/monkey/aad-require-device-compliant-all-apps-missing-cap.json
+++ /dev/null
@@ -1,158 +0,0 @@
-{
- "args": [
-
- ],
- "provider": "EntraID",
- "serviceType": "Conditional Access",
- "serviceName": "Microsoft Entra ID",
- "displayName": "Ensure that a Conditional Access Policy exists to require device marked as compliant",
- "description": "Use Conditional Access to require a user\u0027s device to be either Microsoft Entra hybrid joined or compliant during authentication.",
- "rationale": "The security risk of an adversary authenticating to the tenant from their own device is reduced by requiring a managed device to authenticate. Managed devices are under the provisioning and control of the agency.",
- "impact": "",
- "remediation": {
- "text": "###### From Azure Console\r\n\t\t\t\t\t1. From Azure Home open the Portal Menu in top left, and select Microsoft Entra ID\r\n\t\t\t\t\t2. Scroll down in the menu on the left, and select `Security`\r\n\t\t\t\t\t3. Select on the left side `Conditional Access`\r\n\t\t\t\t\t4. Click the `+ New policy`",
- "code": {
- "powerShell": null,
- "iac": null,
- "terraform": null,
- "other": null
- }
- },
- "recommendation": null,
- "references": [
- "https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-admin-mfa",
- "https://learn.microsoft.com/en-us/azure/active-directory/roles/security-emergency-access",
- "https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/troubleshoot-conditional-access-what-if",
- "https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/plan-conditional-access",
- "https://learn.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-identity-management#im-7-restrict-resource-access-based-on--conditions"
- ],
- "compliance": [
- "Monkey365"
- ],
- "level": "medium",
- "tags": [
-
- ],
- "rule": {
- "path": "aad_conditional_access_policy",
- "subPath": null,
- "selectCondition": {
-
- },
- "query": [
- {
- "operator": "and",
- "filter": [
- {
- "conditions": [
- [
- "state",
- "eq",
- "true"
- ],
- [
- "conditions.users.includeUsers",
- "eq",
- "All"
- ],
- [
- "conditions.applications.includeApplications",
- "eq",
- "All"
- ]
- ],
- "operator": "and"
- }
- ]
- },
- {
- "connectOperator": "and",
- "filter": [
- {
- "conditions": [
- [
- "grantControls.operator",
- "eq",
- "OR"
- ],
- [
- "grantControls.builtInControls",
- "match",
- "compliantDevice"
- ],
- [
- "grantControls.builtInControls",
- "match",
- "domainJoinedDevice"
- ]
- ],
- "operator": "and"
- }
- ]
- }
- ],
- "shouldExist": "true",
- "returnObject": null,
- "removeIfNotExists": null
- },
- "output": {
- "html": {
- "data": {
- "properties": {
- "displayName": "Name",
- "state": "Status",
- "conditions.applications.includeApplications": "Applications",
- "conditions.users.includeUsers": "Users",
- "grantControls.operator": "Operator",
- "grantControls.builtInControls": "BuiltIn Controls"
- },
- "expandObject": null
- },
- "table": null,
- "decorate": [
-
- ],
- "emphasis": [
-
- ],
- "actions": {
- "objectData": {
- "expand": [
- "*"
- ],
- "limit": null
- },
- "showGoToButton": false,
- "showModalButton": false
- }
- },
- "text": {
- "data": {
- "properties": {
-
- },
- "expandObject": null
- },
- "status": {
- "keyName": [
- "displayName"
- ],
- "message": "The {displayName} policy is not configured to require a compliant device",
- "defaultMessage": null
- },
- "properties": {
- "resourceName": "displayName",
- "resourceId": "id",
- "resourceType": "@odata.context"
- },
- "onlyStatus": true
- }
- },
- "idSuffix": "aad_cap_block_signIn_risk",
- "notes": [
-
- ],
- "categories": [
-
- ]
-}
diff --git a/rules/findings/EntraId/Conditional Access/monkey/aad-require-device-compliant-to-register-security-info-missing-cap.json b/rules/findings/EntraId/Conditional Access/monkey/aad-require-device-compliant-to-register-security-info-missing-cap.json
deleted file mode 100644
index 38405a39..00000000
--- a/rules/findings/EntraId/Conditional Access/monkey/aad-require-device-compliant-to-register-security-info-missing-cap.json
+++ /dev/null
@@ -1,158 +0,0 @@
-{
- "args": [
-
- ],
- "provider": "EntraID",
- "serviceType": "Conditional Access",
- "serviceName": "Microsoft Entra ID",
- "displayName": "Ensure that a Conditional Access Policy exists to require device marked as compliant when registering for security information.",
- "description": "Use Conditional Access to require a user\u0027s device to be either Microsoft Entra hybrid joined or compliant during MFA registration.",
- "rationale": "Reduce risk of an adversary using stolen user credentials and then registering their own MFA device to access the tenant by requiring a managed device provisioned and controlled by the agency to perform registration actions. This prevents the adversary from using their own unmanaged device to perform the registration.",
- "impact": "",
- "remediation": {
- "text": "###### From Azure Console\r\n\t\t\t\t\t1. From Azure Home open the Portal Menu in top left, and select Microsoft Entra ID\r\n\t\t\t\t\t2. Scroll down in the menu on the left, and select `Security`\r\n\t\t\t\t\t3. Select on the left side `Conditional Access`\r\n\t\t\t\t\t4. Click the `+ New policy`",
- "code": {
- "powerShell": null,
- "iac": null,
- "terraform": null,
- "other": null
- }
- },
- "recommendation": null,
- "references": [
- "https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-admin-mfa",
- "https://learn.microsoft.com/en-us/azure/active-directory/roles/security-emergency-access",
- "https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/troubleshoot-conditional-access-what-if",
- "https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/plan-conditional-access",
- "https://learn.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-identity-management#im-7-restrict-resource-access-based-on--conditions"
- ],
- "compliance": [
- "Monkey365"
- ],
- "level": "medium",
- "tags": [
-
- ],
- "rule": {
- "path": "aad_conditional_access_policy",
- "subPath": null,
- "selectCondition": {
-
- },
- "query": [
- {
- "operator": "and",
- "filter": [
- {
- "conditions": [
- [
- "state",
- "eq",
- "true"
- ],
- [
- "conditions.users.includeUsers",
- "eq",
- "All"
- ],
- [
- "conditions.applications.includeApplications",
- "eq",
- "All"
- ]
- ],
- "operator": "and"
- }
- ]
- },
- {
- "connectOperator": "and",
- "filter": [
- {
- "conditions": [
- [
- "grantControls.operator",
- "eq",
- "OR"
- ],
- [
- "grantControls.builtInControls",
- "match",
- "compliantDevice"
- ],
- [
- "grantControls.builtInControls",
- "match",
- "domainJoinedDevice"
- ]
- ],
- "operator": "and"
- }
- ]
- }
- ],
- "shouldExist": "true",
- "returnObject": null,
- "removeIfNotExists": null
- },
- "output": {
- "html": {
- "data": {
- "properties": {
- "displayName": "Name",
- "state": "Status",
- "conditions.applications.includeApplications": "Applications",
- "conditions.users.includeUsers": "Users",
- "grantControls.operator": "Operator",
- "grantControls.builtInControls": "BuiltIn Controls"
- },
- "expandObject": null
- },
- "table": null,
- "decorate": [
-
- ],
- "emphasis": [
-
- ],
- "actions": {
- "objectData": {
- "expand": [
- "*"
- ],
- "limit": null
- },
- "showGoToButton": false,
- "showModalButton": false
- }
- },
- "text": {
- "data": {
- "properties": {
-
- },
- "expandObject": null
- },
- "status": {
- "keyName": [
- "displayName"
- ],
- "message": "The {displayName} policy is not configured to require a compliant or hybrid Entra ID joined device",
- "defaultMessage": null
- },
- "properties": {
- "resourceName": "displayName",
- "resourceId": "id",
- "resourceType": "@odata.context"
- },
- "onlyStatus": true
- }
- },
- "idSuffix": "aad_cap_block_signIn_risk",
- "notes": [
-
- ],
- "categories": [
-
- ]
-}
diff --git a/rules/findings/EntraId/General/CIS1.4/aad-password-protection-disabled.json b/rules/findings/EntraId/General/CIS1.4/aad-password-protection-disabled.json
deleted file mode 100644
index a1a424ec..00000000
--- a/rules/findings/EntraId/General/CIS1.4/aad-password-protection-disabled.json
+++ /dev/null
@@ -1,122 +0,0 @@
-{
- "args": [
-
- ],
- "provider": "EntraID",
- "serviceType": "General",
- "serviceName": "Microsoft Entra ID",
- "displayName": "Ensure that password protection is enabled for Active Directory",
- "description": "Enable Microsoft Entra ID Password Protection to Active Directory to protect against the use of common passwords.",
- "rationale": "Microsoft Entra ID protects an organization by prohibiting the use of weak or leaked passwords. In addition, organizations can create custom banned password lists to prevent their users from using easily guessed passwords that are specific to their industry. Deploying this feature to Active Directory will strengthen the passwords that are used in the environment.",
- "impact": "The potential impact associated with implementation of this setting is dependent upon the existing password policies in place in the environment. For environments that have strong password policies in place, the impact will be minimal. For organizations that do not have strong password policies in place, implementation of Microsoft Entra ID Password Protection may require users to change passwords, and adhere to more stringent requirements than they have been accustomed to.",
- "remediation": {
- "text": null,
- "code": {
- "powerShell": null,
- "iac": null,
- "terraform": null,
- "other": null
- }
- },
- "recommendation": null,
- "references": [
- "https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-password-ban-bad-on-premises"
- ],
- "compliance": [
- {
- "name": "CIS Microsoft 365 Foundations",
- "version": "1.4.0",
- "reference": "1.1.5"
- }
- ],
- "level": "medium",
- "tags": [
-
- ],
- "rule": {
- "path": "aad_password_policy",
- "subPath": null,
- "selectCondition": {
-
- },
- "query": [
- {
- "filter": [
- {
- "conditions": [
- [
- "enforceCustomBannedPasswords",
- "eq",
- "false"
- ],
- [
- "enableBannedPasswordCheckOnPremises",
- "eq",
- "false"
- ]
- ],
- "operator": "or"
- }
- ]
- }
- ],
- "shouldExist": null,
- "returnObject": null,
- "removeIfNotExists": null
- },
- "output": {
- "html": {
- "data": {
- "properties": {
-
- },
- "expandObject": null
- },
- "table": null,
- "decorate": [
-
- ],
- "emphasis": [
-
- ],
- "actions": {
- "objectData": {
- "expand": [
- "*"
- ],
- "limit": null
- },
- "showGoToButton": false,
- "showModalButton": false
- }
- },
- "text": {
- "data": {
- "properties": {
-
- },
- "expandObject": null
- },
- "status": {
- "keyName": [
-
- ],
- "message": "Password protection is disabled",
- "defaultMessage": null
- },
- "properties": {
- "resourceName": null,
- "resourceId": null,
- "resourceType": null
- },
- "onlyStatus": false
- }
- },
- "idSuffix": "aad_password_protection_disabled",
- "notes": [
-
- ],
- "categories": [
-
- ]
-}
diff --git a/rules/findings/EntraId/General/CIS1.4/aad-security-defaults-enabled.json b/rules/findings/EntraId/General/CIS1.4/aad-security-defaults-enabled.json
deleted file mode 100644
index c508306a..00000000
--- a/rules/findings/EntraId/General/CIS1.4/aad-security-defaults-enabled.json
+++ /dev/null
@@ -1,121 +0,0 @@
-{
- "args": [
-
- ],
- "provider": "EntraID",
- "serviceType": "General",
- "serviceName": "Microsoft Entra ID",
- "displayName": "Ensure Security Defaults is disabled on Microsoft Entra ID",
- "description": "Security defaults in Microsoft Entra ID (Azure Active Directory) make it easier to be secure and help protect your organization. Security defaults contain preconfigured security settings for common attacks.\r\n\t\t\t\t\tMicrosoft is making security defaults available to everyone. The goal is to ensure that all organizations have a basic level of security-enabled at no extra cost. The use of security defaults however will prohibit custom settings which are being set with more advanced settings.",
- "rationale": "Security defaults provide secure default settings that we manage on behalf of organizations to keep customers safe until they are ready to manage their own identity security settings.\r\n\t\t\t\t\t\r\n\t\t\t\t\tFor example doing the following:\r\n\t\t\t\t\t\r\n\t\t\t\t\t* Requiring all users and admins to register for MFA.\r\n\t\t\t\t\t* Challenging users with MFA - mostly when they show up on a new device or app, but more often for critical roles and tasks.\r\n\t\t\t\t\t* Disabling authentication from legacy authentication clients, which can’t do MFA.",
- "impact": "The potential impact associated with disabling of Security Defaults is dependent upon the security controls implemented in the environment. It is likely that most organizations disabling Security Defaults plan to implement equivalent controls to replace Security Defaults.\r\n\t\t\t\tIt may be necessary to check settings in other Microsoft products, such as Azure, to ensure settings and functionality are as expected when disabling security defaults for MS365.",
- "remediation": {
- "text": "###### From Azure Console\r\n\t\t\t\t\t1. Sign in to the Azure portal as a security administrator, Conditional Access administrator, or global administrator.\r\n\t\t\t\t\t2. Browse to Microsoft Entra ID \u003e Properties.\r\n\t\t\t\t\t3. Select Manage security defaults.\r\n\t\t\t\t\t4. Set the Enable security defaults toggle to No.\r\n\t\t\t\t\t5. Select Save.",
- "code": {
- "powerShell": null,
- "iac": null,
- "terraform": null,
- "other": null
- }
- },
- "recommendation": null,
- "references": [
- "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/users-default-permissions",
- "http://www.rebeladmin.com/2019/04/step-step-guide-restrict-azure-ad-administration-portal/",
- "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-defaults",
- "https://techcommunity.microsoft.com/t5/azure-active-directory-identity/introducing-security-defaults/ba-p/1061414"
- ],
- "compliance": [
- {
- "name": "CIS Microsoft 365 Foundations",
- "version": "1.4.0",
- "reference": "1.21"
- }
- ],
- "level": "medium",
- "tags": [
- "Microsoft 365 CIS benchmark 1.21"
- ],
- "rule": {
- "path": "aad_security_default_status",
- "subPath": null,
- "selectCondition": {
-
- },
- "query": [
- {
- "filter": [
- {
- "conditions": [
- [
- "securityDefaultsEnabled",
- "eq",
- "True"
- ]
- ]
- }
- ]
- }
- ],
- "shouldExist": null,
- "returnObject": null,
- "removeIfNotExists": null
- },
- "output": {
- "html": {
- "data": {
- "properties": {
- "anyCAPolicyEnabled": "Any Conditional Access Policy Enabled",
- "securityDefaultsEnabled": "Security Defaults Enabled",
- "anyClassicPolicyEnabled": "Any Classic Policy Enabled"
- },
- "expandObject": null
- },
- "table": "Normal",
- "decorate": [
-
- ],
- "emphasis": [
-
- ],
- "actions": {
- "objectData": {
- "expand": [
- "*"
- ],
- "limit": null
- },
- "showGoToButton": "True",
- "showModalButton": "True"
- }
- },
- "text": {
- "data": {
- "properties": {
-
- },
- "expandObject": null
- },
- "status": {
- "keyName": [
-
- ],
- "message": "Security Defaults is enabled",
- "defaultMessage": null
- },
- "properties": {
- "resourceName": null,
- "resourceId": null,
- "resourceType": null
- },
- "onlyStatus": false
- }
- },
- "idSuffix": "aad_sbd_enabled",
- "notes": [
-
- ],
- "categories": [
-
- ]
-}
diff --git a/rules/findings/EntraId/General/CIS1.4/azure-activedirectory-apps-required-admin-consent.json b/rules/findings/EntraId/General/CIS1.4/azure-activedirectory-apps-required-admin-consent.json
deleted file mode 100644
index 3ba52a8c..00000000
--- a/rules/findings/EntraId/General/CIS1.4/azure-activedirectory-apps-required-admin-consent.json
+++ /dev/null
@@ -1,124 +0,0 @@
-{
- "args": [
-
- ],
- "provider": "EntraID",
- "serviceType": "General",
- "serviceName": "Microsoft Entra ID",
- "displayName": "Require administrators to register third-party applications",
- "description": "Consider to disable in the Azure directory from registering applications and from signing in to applications without an administrator approval. Once this feature is disabled, an administrator will be required to consent to any new application a user needs to use.",
- "rationale": "It is recommended to let administrator register custom-developed applications. This ensures that the application undergoes a security review before exposing active directory data to it.",
- "impact": "This might create additional requests that administrators need to fulfill quite often.",
- "remediation": {
- "text": "###### From Azure Console\r\n\t\t\t\t\t1. Go to `Microsoft Entra ID`\r\n\t\t\t\t\t2. Go to `Users`\r\n\t\t\t\t\t3. Go to `User settings`\r\n\t\t\t\t\t4. Set `Users can register applications` to `No`",
- "code": {
- "powerShell": null,
- "iac": null,
- "terraform": null,
- "other": null
- }
- },
- "recommendation": null,
- "references": [
- "https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/methods-for-assigning-users-and-groups",
- "https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-how-applications-are-added",
- "https://ezcloudinfo.com/2019/01/22/configure-access-panel-in-azure-active-directory/",
- "https://blogs.msdn.microsoft.com/exchangedev/2014/06/05/managing-user-consent-for-applications-using-office-365-apis/",
- "https://nicksnettravels.builttoroam.com/post/2017/01/24/Admin-Consent-for-Permissions-in-Azure-Active-Directory.aspx",
- "https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-how-applications-are-added#who-has-permission-to-add-applications-to-my-azure-ad-instance",
- "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-1-define-asset-management-and-data-protection-strategy",
- "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-1-protect-and-limit-highly-privileged-users",
- "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-2-restrict-administrative-access-to-business-critical-systems"
- ],
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.1.0",
- "reference": "1.11"
- }
- ],
- "level": "medium",
- "tags": [
-
- ],
- "rule": {
- "path": "aad_directory_properties",
- "subPath": null,
- "selectCondition": {
-
- },
- "query": [
- {
- "filter": [
- {
- "conditions": [
- [
- "usersCanRegisterApps",
- "eq",
- "True"
- ]
- ]
- }
- ]
- }
- ],
- "shouldExist": null,
- "returnObject": null,
- "removeIfNotExists": null
- },
- "output": {
- "html": {
- "data": {
- "properties": {
- "objectId": "Object Id",
- "displayName": "Display Name",
- "usersCanRegisterApps": "Users can register apps"
- },
- "expandObject": null
- },
- "table": "asList",
- "decorate": [
-
- ],
- "emphasis": [
- "Users can register apps"
- ],
- "actions": {
- "objectData": {
- "expand": null,
- "limit": null
- },
- "showGoToButton": null,
- "showModalButton": null
- }
- },
- "text": {
- "data": {
- "properties": {
-
- },
- "expandObject": null
- },
- "status": {
- "keyName": [
-
- ],
- "message": "Uses can register third-party applications",
- "defaultMessage": null
- },
- "properties": {
- "resourceName": null,
- "resourceId": null,
- "resourceType": null
- },
- "onlyStatus": false
- }
- },
- "idSuffix": "aad_3rd_apps_all_users_enabled",
- "notes": [
-
- ],
- "categories": [
-
- ]
-}
diff --git a/rules/findings/EntraId/General/Monkey/high-risk-users-notifications-not-set-to-admins.json b/rules/findings/EntraId/General/Monkey/high-risk-users-notifications-not-set-to-admins.json
deleted file mode 100644
index dda15ac0..00000000
--- a/rules/findings/EntraId/General/Monkey/high-risk-users-notifications-not-set-to-admins.json
+++ /dev/null
@@ -1,130 +0,0 @@
-{
- "args": [
-
- ],
- "provider": "EntraID",
- "serviceType": "General",
- "serviceName": "Microsoft Entra ID",
- "displayName": "Ensure notifications for high-risk users is Enabled for Administrators",
- "description": "Notification enables administrators to monitor the event and remediate the risk. This helps the organization proactively respond to cyber intrusions as they occur.",
- "rationale": "This setting alerts administrators that high-risk users are detected. This may indicate an account or machine compromise that would need to be investigated.",
- "impact": "",
- "remediation": {
- "text": "",
- "code": {
- "powerShell": null,
- "iac": null,
- "terraform": null,
- "other": null
- }
- },
- "recommendation": null,
- "references": [
- "https://learn.microsoft.com/en-us/entra/id-protection/howto-identity-protection-configure-notifications#configure-users-at-risk-detected-alerts"
- ],
- "compliance": [
- {
- "name": "Monkey365",
- "version": "0.91.3"
- }
- ],
- "level": "medium",
- "tags": [
-
- ],
- "rule": {
- "path": "aad_identityprotection_notifications",
- "subPath": null,
- "selectCondition": {
-
- },
- "query": [
- {
- "filter": [
- {
- "conditions": [
- [
- "minRiskLevel",
- "ne",
- "high"
- ]
- ]
- }
- ]
- },
- {
- "connectOperator": "or",
- "filter": [
- {
- "conditions": [
- [
- "isRiskyUsersAlertsRecipient",
- "eq",
- "false"
- ]
- ],
- "whereObject": "notificationRecipients"
- }
- ]
- }
- ],
- "shouldExist": null,
- "returnObject": null,
- "removeIfNotExists": null
- },
- "output": {
- "html": {
- "data": {
- "properties": {
-
- },
- "expandObject": null
- },
- "table": null,
- "decorate": [
-
- ],
- "emphasis": [
-
- ],
- "actions": {
- "objectData": {
- "expand": [
- "*"
- ],
- "limit": null
- },
- "showGoToButton": false,
- "showModalButton": false
- }
- },
- "text": {
- "data": {
- "properties": {
-
- },
- "expandObject": null
- },
- "status": {
- "keyName": [
- "email"
- ],
- "message": "{email} is not configured to receive detected alerts for high-risk users",
- "defaultMessage": null
- },
- "properties": {
- "resourceName": null,
- "resourceId": null,
- "resourceType": null
- },
- "onlyStatus": false
- }
- },
- "idSuffix": "aad_high_risk_users_notification_disabled",
- "notes": [
-
- ],
- "categories": [
-
- ]
-}
diff --git a/rules/findings/EntraId/General/Monkey/legacy-authentication-methods-enabled.json b/rules/findings/EntraId/General/Monkey/legacy-authentication-methods-enabled.json
deleted file mode 100644
index ed3e20db..00000000
--- a/rules/findings/EntraId/General/Monkey/legacy-authentication-methods-enabled.json
+++ /dev/null
@@ -1,157 +0,0 @@
-{
- "args": [
-
- ],
- "provider": "EntraID",
- "serviceType": "General",
- "serviceName": "Microsoft Entra ID",
- "displayName": "Ensure legacy authentication methods are disabled",
- "description": "Microsoft Entra ID was not configured to block legacy authentication protocols for MFA. SMS or voice calls are considered insecure methods and could potentially be used to compromise accounts.",
- "rationale": "SMS, voice call, and email OTP are the weakest authenticators. Authentication policies should be configured to force users to use stronger MFA methods.",
- "impact": "",
- "remediation": {
- "text": "1. In Microsoft Entra ID, click Security \u003e Authentication methods. \r\n\t\t\t\t2. Click on the SMS, Voice Call, and Email OTP authentication methods and disable each of them.\r\n\t\t\t\t3. Their statuses should be Enabled \u003e No on the Authentication methods \u003e Policies page.",
- "code": {
- "powerShell": null,
- "iac": null,
- "terraform": null,
- "other": null
- }
- },
- "recommendation": null,
- "references": [
- "https://skotheimsvik.no/entra-ids-mfa-evolution-your-sms-backdoor-is-now-obsolete",
- "https://techcommunity.microsoft.com/t5/microsoft-entra-blog/it-s-time-to-hang-up-on-phone-transports-for-authentication/ba-p/1751752"
- ],
- "compliance": [
- "Monkey365"
- ],
- "level": "medium",
- "tags": [
-
- ],
- "rule": {
- "path": "aad_auth_method_policies",
- "subPath": "authenticationMethodConfigurations",
- "selectCondition": {
-
- },
- "query": [
- {
- "filter": [
- {
- "conditions": [
- [
- "id",
- "eq",
- "Sms"
- ],
- [
- "state",
- "eq",
- "disabled"
- ]
- ],
- "operator": "and"
- }
- ]
- },
- {
- "connectOperator": "and",
- "filter": [
- {
- "conditions": [
- [
- "id",
- "eq",
- "Voice"
- ],
- [
- "state",
- "eq",
- "disabled"
- ]
- ],
- "operator": "and"
- }
- ]
- },
- {
- "connectOperator": "and",
- "filter": [
- {
- "conditions": [
- [
- "id",
- "eq",
- "Email"
- ],
- [
- "state",
- "eq",
- "disabled"
- ]
- ],
- "operator": "and"
- }
- ]
- }
- ],
- "shouldExist": "true",
- "returnObject": null,
- "removeIfNotExists": null
- },
- "output": {
- "html": {
- "data": {
- "properties": {
-
- },
- "expandObject": null
- },
- "table": null,
- "decorate": [
-
- ],
- "emphasis": [
-
- ],
- "actions": {
- "objectData": {
- "expand": [
- "*"
- ],
- "limit": null
- },
- "showGoToButton": false,
- "showModalButton": false
- }
- },
- "text": {
- "data": {
- "properties": {
-
- },
- "expandObject": null
- },
- "status": {
- "keyName": "",
- "message": "Legacy authentication options such as SMS or voice calls were enabled",
- "defaultMessage": null
- },
- "properties": {
- "resourceName": "Id",
- "resourceId": "Id",
- "resourceType": "@odata.type"
- },
- "onlyStatus": false
- }
- },
- "idSuffix": "aad_legacy_auth_methods_enabled",
- "notes": [
-
- ],
- "categories": [
-
- ]
-}
diff --git a/rules/findings/EntraId/General/Monkey/microsoft-authenticator-lack-mfa-fatigue-protection-and-otp-enabled.json b/rules/findings/EntraId/General/Monkey/microsoft-authenticator-lack-mfa-fatigue-protection-and-otp-enabled.json
deleted file mode 100644
index 64ff94fb..00000000
--- a/rules/findings/EntraId/General/Monkey/microsoft-authenticator-lack-mfa-fatigue-protection-and-otp-enabled.json
+++ /dev/null
@@ -1,174 +0,0 @@
-{
- "args": [
-
- ],
- "provider": "EntraID",
- "serviceType": "General",
- "serviceName": "Microsoft Entra ID",
- "displayName": "Ensure Microsoft Authenticator is configured to protect against MFA fatigue",
- "description": "Microsoft has released additional settings to enhance the configuration of the Microsoft Authenticator application. These settings provide additional information and context to users who receive MFA passwordless and push requests, such as geographic location the request came from, the requesting application and requiring a number match.\r\n\t\t\t\t Ensure the following are `Enabled`.\r\n\r\n\t\t\t\t * `Require number matching for push notifications`\r\n\t\t\t\t * `Show application name in push and passwordless notifications`\r\n\t\t\t\t * `Show geographic location in push and passwordless notifications`",
- "rationale": "As the use of strong authentication has become more widespread, attackers have started to exploit the tendency of users to experience `MFA fatigue`. This occurs when users are repeatedly asked to provide additional forms of identification, leading them to eventually approve requests without fully verifying the source. To counteract this, number matching can be employed to ensure the security of the authentication process. With this method, users are prompted to confirm a number displayed on their original device and enter it into the device being used for MFA. Additionally, other information such as geolocation and application details are displayed to enhance the end user\u0027s awareness. Among these 3 options, number matching provides the strongest net security gain.",
- "impact": "Additional interaction will be required by end users using number matching as opposed to simply pressing \"Approve\" for login attempts.",
- "remediation": {
- "text": "1. Navigate to the Microsoft Entra admin center https://entra.microsoft.com. \r\n\t\t\t\t2. Click to expand `Protection \u003e Authentication methods` select `Policies`. \r\n\t\t\t\t3. Select `Microsoft Authenticator`\r\n\t\t\t\t4. Under `Enable and Target` ensure the setting is set to `Enable`.\r\n\t\t\t\t5. Select `Configure`\r\n\t\t\t\t6. Set the following Microsoft Authenticator settings: \r\n\t\t\t\t\t* `Require number matching for push notifications Status` is set to `Enabled`, Target `All users`\r\n\t\t\t\t\t* `Show application name in push and passwordless notifications` is set to `Enabled`, Target `All users`\r\n\t\t\t\t\t* `Show geographic location in push and passwordless notifications` is set to `Enabled`, Target `All users`\r\n\t\t\t\t*Note*: Valid groups such as break glass accounts can be excluded per organization policy.",
- "code": {
- "powerShell": null,
- "iac": null,
- "terraform": null,
- "other": null
- }
- },
- "recommendation": null,
- "references": [
- "https://learn.microsoft.com/en-us/entra/identity/authentication/concept-authentication-default-enablement",
- "https://techcommunity.microsoft.com/t5/microsoft-entra-blog/defend-your-users-from-mfa-fatigue-attacks/ba-p/2365677",
- "https://learn.microsoft.com/en-us/entra/identity/authentication/how-to-mfa-number-match"
- ],
- "compliance": [
- "Monkey365"
- ],
- "level": "medium",
- "tags": [
-
- ],
- "rule": {
- "path": "aad_auth_method_policies",
- "subPath": "authenticationMethodConfigurations",
- "selectCondition": [
- "id",
- "eq",
- "MicrosoftAuthenticator"
- ],
- "query": [
- {
- "filter": [
- {
- "conditions": [
- [
- "isSoftwareOathEnabled",
- "eq",
- "False"
- ]
- ]
- }
- ]
- },
- {
- "connectOperator": "and",
- "filter": [
- {
- "conditions": [
- [
- "featureSettings.displayAppInformationRequiredState.state",
- "eq",
- "enabled"
- ],
- [
- "featureSettings.displayAppInformationRequiredState.includeTarget.id",
- "eq",
- "all_users"
- ]
- ],
- "operator": "and"
- }
- ]
- },
- {
- "connectOperator": "and",
- "filter": [
- {
- "conditions": [
- [
- "featureSettings.numberMatchingRequiredState.state",
- "eq",
- "enabled"
- ],
- [
- "featureSettings.numberMatchingRequiredState.includeTarget.id",
- "eq",
- "all_users"
- ]
- ],
- "operator": "and"
- }
- ]
- },
- {
- "connectOperator": "and",
- "filter": [
- {
- "conditions": [
- [
- "featureSettings.displayLocationInformationRequiredState.state",
- "eq",
- "enabled"
- ],
- [
- "featureSettings.displayLocationInformationRequiredState.includeTarget.id",
- "eq",
- "all_users"
- ]
- ],
- "operator": "and"
- }
- ]
- }
- ],
- "shouldExist": "true",
- "returnObject": null,
- "removeIfNotExists": null
- },
- "output": {
- "html": {
- "data": {
- "properties": {
-
- },
- "expandObject": null
- },
- "table": null,
- "decorate": [
-
- ],
- "emphasis": [
-
- ],
- "actions": {
- "objectData": {
- "expand": [
- "*"
- ],
- "limit": null
- },
- "showGoToButton": false,
- "showModalButton": false
- }
- },
- "text": {
- "data": {
- "properties": {
-
- },
- "expandObject": null
- },
- "status": {
- "keyName": "",
- "message": "Microsoft Authenticator was not configured to protect against MFA fatigue",
- "defaultMessage": null
- },
- "properties": {
- "resourceName": "Id",
- "resourceId": "Id",
- "resourceType": "@odata.type"
- },
- "onlyStatus": false
- }
- },
- "idSuffix": "aad_mfa_fatigue_not_configured",
- "notes": [
-
- ],
- "categories": [
-
- ]
-}
diff --git a/rules/findings/EntraId/Groups/CIS1.4/azure-activedirectory-users-can-access-group-features.json b/rules/findings/EntraId/Groups/CIS1.4/azure-activedirectory-users-can-access-group-features.json
deleted file mode 100644
index 61aad1f5..00000000
--- a/rules/findings/EntraId/Groups/CIS1.4/azure-activedirectory-users-can-access-group-features.json
+++ /dev/null
@@ -1,124 +0,0 @@
-{
- "args": [
-
- ],
- "provider": "EntraID",
- "serviceType": "Groups",
- "serviceName": "Microsoft Entra ID",
- "displayName": "Ensure that \u0027Restrict user ability to access groups features in the Access Pane\u0027 is set to \u0027No\u0027",
- "description": "Consider to limit that regular users the ability to access group features.",
- "rationale": "Self-service group management enables users to create and manage security groups or Office 365 groups in Microsoft Entra ID (Azure Active Directory). Unless a business requires this day-to-day delegation for some users, self-service group management should be disabled.",
- "impact": "Enabling this setting could create a number of request that would need to me managed by administrators",
- "remediation": {
- "text": "###### From Azure Console\r\n\t\t\t\t\t1. Go to `Microsoft Entra ID`\r\n\t\t\t\t\t2. Go to `Groups`\r\n\t\t\t\t\t3. Go to `General`\r\n\t\t\t\t\t4. Ensure that `Restrict user ability to access groups features in the Access Pane` is set to `No`",
- "code": {
- "powerShell": null,
- "iac": null,
- "terraform": null,
- "other": null
- }
- },
- "recommendation": null,
- "references": [
- "https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/methods-for-assigning-users-and-groups",
- "https://docs.microsoft.com/en-us/office365/admin/create-groups/manage-creation-of-groups",
- "https://docs.microsoft.com/en-us/azure/active-directory/active-directory-accessmanagement-self-service-group-management",
- "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-1-protect-and-limit-highly-privileged-users",
- "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-5-automate-entitlement-management",
- "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-2-restrict-administrative-access-to-business-critical-systems",
- "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-2-define-enterprise-segmentation-strategy",
- "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-6-define-identity-and-privileged-access-strategy"
- ],
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "1.15"
- }
- ],
- "level": "medium",
- "tags": [
-
- ],
- "rule": {
- "path": "aad_group_settings",
- "subPath": null,
- "selectCondition": {
-
- },
- "query": [
- {
- "filter": [
- {
- "conditions": [
- [
- "groupsInAccessPanelEnabled",
- "eq",
- "true"
- ]
- ]
- }
- ]
- }
- ],
- "shouldExist": null,
- "returnObject": null,
- "removeIfNotExists": null
- },
- "output": {
- "html": {
- "data": {
- "properties": {
- "usersCanAddExternalUsers": "Users Can Add External Users",
- "limitedAccessCanAddExternalUsers": "Limited Users Can Add External Users",
- "securityGroupsEnabled": "Security Groups Enabled",
- "groupsInAccessPanelEnabled": "Users Can Access To Groups Features"
- },
- "expandObject": null
- },
- "table": "asList",
- "decorate": [
-
- ],
- "emphasis": [
- "Users Can Access To Groups Features"
- ],
- "actions": {
- "objectData": {
- "expand": null,
- "limit": null
- },
- "showGoToButton": null,
- "showModalButton": null
- }
- },
- "text": {
- "data": {
- "properties": {
-
- },
- "expandObject": null
- },
- "status": {
- "keyName": [
-
- ],
- "message": "Users can access groups features",
- "defaultMessage": null
- },
- "properties": {
- "resourceName": null,
- "resourceId": null,
- "resourceType": null
- },
- "onlyStatus": false
- }
- },
- "idSuffix": "aad_group_feature_access_enabled",
- "notes": [
-
- ],
- "categories": [
-
- ]
-}
diff --git a/rules/findings/EntraId/Groups/CIS1.4/azure-activedirectory-users-can-create-security-groups.json b/rules/findings/EntraId/Groups/CIS1.4/azure-activedirectory-users-can-create-security-groups.json
deleted file mode 100644
index e439ff28..00000000
--- a/rules/findings/EntraId/Groups/CIS1.4/azure-activedirectory-users-can-create-security-groups.json
+++ /dev/null
@@ -1,123 +0,0 @@
-{
- "args": [
-
- ],
- "provider": "EntraID",
- "serviceType": "Groups",
- "serviceName": "Microsoft Entra ID",
- "displayName": "Restrict security group creation to administrators only",
- "description": "Consider to prevent that regular users can create security groups. When this settings is enabled, all users in the Azure directory are allowed to create new security groups and add members to these groups.",
- "rationale": "When creating security groups is enabled, all users in the directory are allowed to create new security groups and add members to those groups. Unless a business requires this day-to-day delegation, security group creation should be restricted to administrators only.",
- "impact": "Enabling this setting could create a number of request that would need to be managed by an administrator.",
- "remediation": {
- "text": "###### From Azure Console\r\n\t\t\t\t\t1. Go to `Microsoft Entra ID`\r\n\t\t\t\t\t2. Go to `Groups`\r\n\t\t\t\t\t3. Go to `General`\r\n\t\t\t\t\t4. Ensure that `Users can create security groups in Azure Portal` is set to `No`",
- "code": {
- "powerShell": null,
- "iac": null,
- "terraform": null,
- "other": null
- }
- },
- "recommendation": null,
- "references": [
- "https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/methods-for-assigning-users-and-groups",
- "https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/groups-self-service-management",
- "https://docs.microsoft.com/en-us/azure/active-directory/active-directory-accessmanagement-self-service-group-management#making-a-group-available-for-end-user-self-service",
- "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-6-define-identity-and-privileged-access-strategy",
- "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-2-define-enterprise-segmentation-strategy",
- "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-1-protect-and-limit-highly-privileged-users",
- "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-5-automate-entitlement-management",
- "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-2-restrict-administrative-access-to-business-critical-systems"
- ],
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "1.16"
- }
- ],
- "level": "medium",
- "tags": [
-
- ],
- "rule": {
- "path": "aad_authorization_policy",
- "subPath": null,
- "selectCondition": {
-
- },
- "query": [
- {
- "filter": [
- {
- "conditions": [
- [
- "TenantAuthPolicy.defaultUserRolePermissions.allowedToCreateSecurityGroups",
- "eq",
- "True"
- ]
- ]
- }
- ]
- }
- ],
- "shouldExist": null,
- "returnObject": null,
- "removeIfNotExists": null
- },
- "output": {
- "html": {
- "data": {
- "properties": {
- "displayName": "Display Name",
- "description": "Description",
- "TenantAuthPolicy.defaultUserRolePermissions.allowedToCreateSecurityGroups": "Allowed to create Security Groups"
- },
- "expandObject": null
- },
- "table": "asList",
- "decorate": [
-
- ],
- "emphasis": [
- "Allowed to create Security Groups"
- ],
- "actions": {
- "objectData": {
- "expand": null,
- "limit": null
- },
- "showGoToButton": null,
- "showModalButton": null
- }
- },
- "text": {
- "data": {
- "properties": {
-
- },
- "expandObject": null
- },
- "status": {
- "keyName": [
-
- ],
- "message": "Restrict security group creation to administrators only",
- "defaultMessage": null
- },
- "properties": {
- "resourceName": null,
- "resourceId": null,
- "resourceType": null
- },
- "onlyStatus": false
- }
- },
- "idSuffix": "aad_restrict_security_group_creation_admins",
- "notes": [
-
- ],
- "categories": [
-
- ]
-}
diff --git a/rules/findings/EntraId/Guest/CIS1.4/aad-guest-can-invite.json b/rules/findings/EntraId/Guest/CIS1.4/aad-guest-can-invite.json
deleted file mode 100644
index d3ed192e..00000000
--- a/rules/findings/EntraId/Guest/CIS1.4/aad-guest-can-invite.json
+++ /dev/null
@@ -1,122 +0,0 @@
-{
- "args": [
-
- ],
- "provider": "EntraID",
- "serviceType": "Users",
- "serviceName": "Microsoft Entra ID",
- "displayName": "Restrict guest invitations",
- "description": "Consider to isolate the Microsoft Entra ID B2B collaboration feature and investigate who can invite guests. By default, all users and guests in an Azure directory can invite guests even if they\u0027re not assigned to an administrator role.",
- "rationale": "Restricting invitations to users with specific administrator roles ensures that only authorised accounts have access to cloud resources. This helps to maintain `Need to Know` permissions and prevents inadvertent access to data.\r\n\t\t\t\t\tBy default the setting `Guest invite restrictions` is set to `Anyone in the organization can invite guest users including guests and non-admins`. This would allow anyone within the organisation to invite guests and non-admins to the tenant, posing a security risk.",
- "impact": "With the option of Only users assigned to specific admin roles can invite guest users selected, users with specific admin roles will be in charge of sending invitations to the Azure Workspace, requiring additional overhead by them to manage user accounts. This will mean coordinating with other departments as they are onboarding new users, and manually removing access from users who no longer need it.",
- "remediation": {
- "text": "###### From Azure Console\r\n\t\t\t\t\t1. Go to `Microsoft Entra ID`\r\n\t\t\t\t\t2. Go to `External Identities`\r\n\t\t\t\t\t3. Go to `External collaboration` settings\r\n\t\t\t\t\t4. Under `Guest invite settings`, for `Guest invite restrictions`, ensure that that `Only users assigned to specific admin roles can invite guest users` is selected",
- "code": {
- "powerShell": null,
- "iac": null,
- "terraform": null,
- "other": null
- }
- },
- "recommendation": null,
- "references": [
- "https://docs.microsoft.com/en-us/azure/active-directory/governance/manage-guest-access-with-access-reviews",
- "https://docs.microsoft.com/en-us/azure/active-directory/active-directory-b2b-delegate-invitations",
- "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-1-protect-and-limit-highly-privileged-users",
- "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-5-automate-entitlement-management",
- "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-2-restrict-administrative-access-to-business-critical\u0002systems",
- "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-2-define-enterprise-segmentation-strategy",
- "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-6-define-identity-and-privileged-access-strateg"
- ],
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "1.13"
- }
- ],
- "level": "medium",
- "tags": [
-
- ],
- "rule": {
- "path": "aad_auth_policy",
- "subPath": null,
- "selectCondition": {
-
- },
- "query": [
- {
- "filter": [
- {
- "conditions": [
- [
- "TenantAuthPolicy.allowInvitesFrom",
- "ne",
- "adminsAndGuestInviters"
- ]
- ]
- }
- ]
- }
- ],
- "shouldExist": null,
- "returnObject": null,
- "removeIfNotExists": null
- },
- "output": {
- "html": {
- "data": {
- "properties": {
- "TenantAuthPolicy.displayName": "Display Name",
- "TenantAuthPolicy.description": "Description",
- "TenantAuthPolicy.allowInvitesFrom": "Guest Invite Settings"
- },
- "expandObject": null
- },
- "table": "asList",
- "decorate": [
-
- ],
- "emphasis": [
- "Guest Invite Settings"
- ],
- "actions": {
- "objectData": {
- "expand": null,
- "limit": null
- },
- "showGoToButton": null,
- "showModalButton": null
- }
- },
- "text": {
- "data": {
- "properties": {
-
- },
- "expandObject": null
- },
- "status": {
- "keyName": [
-
- ],
- "message": "Restrict guest invitations",
- "defaultMessage": null
- },
- "properties": {
- "resourceName": null,
- "resourceId": null,
- "resourceType": null
- },
- "onlyStatus": false
- }
- },
- "idSuffix": "aad_guests_can_invite",
- "notes": [
-
- ],
- "categories": [
-
- ]
-}
diff --git a/rules/findings/EntraId/Guest/CIS1.4/aad-guest-users-present.json b/rules/findings/EntraId/Guest/CIS1.4/aad-guest-users-present.json
deleted file mode 100644
index d76de45e..00000000
--- a/rules/findings/EntraId/Guest/CIS1.4/aad-guest-users-present.json
+++ /dev/null
@@ -1,118 +0,0 @@
-{
- "args": [
-
- ],
- "provider": "EntraID",
- "serviceType": "Users",
- "serviceName": "Microsoft Entra ID",
- "displayName": "Do not add guest users if not needed",
- "description": "Microsoft Entra ID is extended to include Microsoft Entra ID B2B collaboration, allowing you to invite people from outside your organization to be guest users in your cloud account and sign in with their own work, school, or social identities. Guest users allow you to share your company\u0027s applications and services with users from any other organization, while maintaining control over your own corporate data.\r\n\t\t\t\t\t\r\n\t\t\t\t\tWork with external partners, large or small, even if they don\u0027t have Microsoft Entra ID or an IT department. A simple invitation and redemption process lets partners use their own credentials to access your company\u0027s resources a a guest user.",
- "rationale": "Guest users in the Microsoft Entra ID are generally required for collaboration purposes in Office 365, and may also be required for Azure functions in enterprises with multiple Azure tenants, Guest users should be reviewed on a regular basis, at least annually, Guest users should not be granted administrative roles where possible.\r\n\t\t\t\t\t\r\n\t\t\t\t\tGuest users are typically added outside your employee on-boarding/off-boarding process and could potentially be overlooked indefinitely leading to a potential vulnerability.\r\n\t\t\t\t\t\r\n\t\t\t\t\tGuest users should be review on a monthly basis to ensure that inactive and unneeded accounts are removed.",
- "impact": "Consider to remove guest users if not needed. By default, all users and guests in an Azure directory can enumerate users, groups, or other directory resources even if they\u0027re not assigned to an administrator role.",
- "remediation": {
- "text": "###### From Azure Console\r\n\t\t\t\t\t\t1. Go to `Microsoft Entra ID`\r\n\t\t\t\t\t\t2. Go to `Users and groups`\r\n\t\t\t\t\t\t3. Go to `All Users`\r\n\t\t\t\t\t\t4. Click on `Show` drop down and select `Guest users only`\r\n\t\t\t\t\t\t5. Delete all \"Guest\" users that are no longer required or are inactive.\r\n\t\t\t\t\t\t\r\n\t\t\t\t\t\tIt is good practice to use a dynamic group to manage guest users. To create the dynamic group:\r\n\t\t\t\t\t\t\r\n\t\t\t\t\t\t1. Navigate to the `Active Directory` blade in the Azure Portal\r\n\t\t\t\t\t\t2. Select the `Groups` item\r\n\t\t\t\t\t\t3. Create new\r\n\t\t\t\t\t\t4. Type of `dynamic`\r\n\t\t\t\t\t\t5. Use the following dynamic selection rule. \"(user.userType -eq \"Guest\")\"\r\n\t\t\t\t\t\t6. Once the group has been created, select access reviews option and create a new access review with a period of monthly and send to relevant administrators for review.",
- "code": {
- "powerShell": null,
- "iac": null,
- "terraform": null,
- "other": null
- }
- },
- "recommendation": null,
- "references": [
- "https://docs.microsoft.com/en-us/azure/active-directory/b2b/user-properties",
- "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/add-users-azure-active-directory#delete-a-user",
- "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-3-review-and-reconcile-user-access-regularly"
- ],
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.3.1",
- "reference": "1.3"
- }
- ],
- "level": "medium",
- "tags": [
-
- ],
- "rule": {
- "path": "aad_domain_users",
- "subPath": null,
- "selectCondition": {
-
- },
- "query": [
- {
- "filter": [
- {
- "conditions": [
- [
- "usertype",
- "eq",
- "Guest"
- ]
- ]
- }
- ]
- }
- ],
- "shouldExist": null,
- "returnObject": null,
- "removeIfNotExists": null
- },
- "output": {
- "html": {
- "data": {
- "properties": {
- "mailNickname": "Mail Nick Name",
- "accountEnabled": "Account Enabled",
- "userType": "User Type"
- },
- "expandObject": null
- },
- "table": "Normal",
- "decorate": [
-
- ],
- "emphasis": [
-
- ],
- "actions": {
- "objectData": {
- "expand": null,
- "limit": null
- },
- "showGoToButton": null,
- "showModalButton": null
- }
- },
- "text": {
- "data": {
- "properties": {
-
- },
- "expandObject": null
- },
- "status": {
- "keyName": [
-
- ],
- "message": "Do not add guest users if not needed",
- "defaultMessage": null
- },
- "properties": {
- "resourceName": "userPrincipalName",
- "resourceId": "objectId",
- "resourceType": null
- },
- "onlyStatus": true
- }
- },
- "idSuffix": "aad_guest_users_present",
- "notes": [
-
- ],
- "categories": [
-
- ]
-}
diff --git a/rules/findings/EntraId/IAM/CIS1.4/aad-iam-only-one-global-admin.json b/rules/findings/EntraId/IAM/CIS1.4/aad-iam-only-one-global-admin.json
deleted file mode 100644
index feeb33a3..00000000
--- a/rules/findings/EntraId/IAM/CIS1.4/aad-iam-only-one-global-admin.json
+++ /dev/null
@@ -1,127 +0,0 @@
-{
- "args": [
-
- ],
- "provider": "EntraID",
- "serviceType": "Microsoft Entra ID Identity",
- "serviceName": "IAM",
- "displayName": "Low number of Global Administrators",
- "description": "The total number of Global Administrators was lower than recommended. A tenancy should have more than two but fewer than five Global Administrators. Best practices recommend having at least 2 global admins in the organisation in case of account lockout or account breach.",
- "rationale": "If there is only one global tenant administrator, he or she can perform malicious activity without the possibility of being discovered by another admin. If there are numerous global tenant administrators, the more likely it is that one of their accounts will be successfully breached by an external attacker.",
- "impact": "The potential impact associated with ensuring compliance with this requirement is dependent upon the current number of global administrators configured in the tenant. If there is only one global administrator in a tenant, an additional global administrator will need to be identified and configured. If there are more than four global administrators, a review of role requirements for current global administrators will be required to identify which of the users require global administrator access.",
- "remediation": {
- "text": null,
- "code": {
- "powerShell": null,
- "iac": null,
- "terraform": null,
- "other": null
- }
- },
- "recommendation": null,
- "references": [
- "https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-admin-roles-secure",
- "https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access",
- "https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-assign-admin-roles"
- ],
- "compliance": [
- {
- "name": "CIS Microsoft Microsoft 365 Foundations",
- "version": "1.4.0",
- "reference": "1.1.3"
- }
- ],
- "level": "medium",
- "tags": [
-
- ],
- "rule": {
- "path": "aad_role_assignment",
- "subPath": null,
- "selectCondition": {
-
- },
- "query": [
- {
- "filter": [
- {
- "conditions": [
- [
- "templateId",
- "eq",
- "62e90394-69f5-4237-9190-012177145e10"
- ],
- [
- "totalActiveusers",
- "lt",
- "2"
- ]
- ],
- "operator": "and"
- }
- ]
- }
- ],
- "shouldExist": null,
- "returnObject": null,
- "removeIfNotExists": "true"
- },
- "output": {
- "html": {
- "data": {
- "properties": {
- "effectiveMembers.userPrincipalName": "User Principal Name",
- "effectiveMembers.objectType": "Object Type",
- "effectiveMembers.userType": "User Type",
- "effectiveMembers.mfaenabled": "MFA enabled"
- },
- "expandObject": "effectiveMembers"
- },
- "table": "Normal",
- "decorate": [
-
- ],
- "emphasis": [
-
- ],
- "actions": {
- "objectData": {
- "expand": [
- "*"
- ],
- "limit": null
- },
- "showGoToButton": "False",
- "showModalButton": "True"
- }
- },
- "text": {
- "data": {
- "properties": {
-
- },
- "expandObject": null
- },
- "status": {
- "keyName": [
-
- ],
- "message": "a low number of Global Administrators was detected",
- "defaultMessage": null
- },
- "properties": {
- "resourceName": null,
- "resourceId": null,
- "resourceType": null
- },
- "onlyStatus": false
- }
- },
- "idSuffix": "aad_only_one_global_admin",
- "notes": [
-
- ],
- "categories": [
-
- ]
-}
diff --git a/rules/findings/EntraId/IAM/CIS1.4/aad-iam-privileged-users-active-assignment.json b/rules/findings/EntraId/IAM/CIS1.4/aad-iam-privileged-users-active-assignment.json
deleted file mode 100644
index 5ebfc319..00000000
--- a/rules/findings/EntraId/IAM/CIS1.4/aad-iam-privileged-users-active-assignment.json
+++ /dev/null
@@ -1,115 +0,0 @@
-{
- "args": [
-
- ],
- "provider": "EntraID",
- "serviceType": "Microsoft Entra ID Identity",
- "serviceName": "IAM",
- "displayName": "Use Just In Time privileged access to High Privileged roles",
- "description": "Microsoft Entra ID Privileged Identity Management can be used to audit roles, allow just in time activation of roles and allow for periodic role attestation. Organizations should remove permanent members from privileged Office 365 roles and instead make them eligible, through a JIT activation workflow.",
- "rationale": "Organizations want to minimize the number of people who have access to secure information or resources, because that reduces the chance of a malicious actor getting that access, or an authorized user inadvertently impacting a sensitive resource. However, users still need to carry out privileged operations in Microsoft Entra ID and Office 365. Organizations can give users just-in-time (JIT) privileged access to roles. There is a need for oversight for what those users are doing with their administrator privileges. PIM helps to mitigate the risk of excessive, unnecessary, or misused access rights.",
- "impact": "Implementation of Just in Time privileged access is likely to necessitate changes to administrator routine. Administrators will only be granted access to administrative roles when required. When administrators request role activation, they will need to document the reason for requiring role access, anticipated time required to have the access, and to reauthenticate to enable role access.",
- "remediation": {
- "text": "To configure sensitive Microsoft Entra ID roles for Privileged Identity Management Role activation, use the following steps:\r\n\t\t\r\n\t\t###### From Azure Entra portal\r\n\t\t\t1. Sign in to the Azure Entra portal as a global administrator.\r\n\t\t\t2. In the Azure Entra portal, click `Identity and Governance` and search for and click on `Privileged Identity Management`.\r\n\t\t\t3. Under `Manage` click on `Microsoft Entra ID Roles`.\r\n\t\t\t4. Under `Manage` click on `Roles`.\r\n\t\t\t5. Inspect the following sensitive roles. For each of the members that have an `ASSIGNMENT TYPE` of `Permanent`, click on the `...` and choose `Make eligible`:\r\n\r\n\t\t\t* Application Administrator\r\n\t\t\t* Authentication Administrator\r\n\t\t\t* Billing Administrator\r\n\t\t\t* Cloud Application Administrator\r\n\t\t\t* Cloud Device Administrator\r\n\t\t\t* Compliance Administrator\r\n\t\t\t* Customer LockBox Access Approver\r\n\t\t\t* Device Administrators\r\n\t\t\t* Exchange Administrators\r\n\t\t\t* Global Administrators\r\n\t\t\t* HelpDesk Administrator\r\n\t\t\t* Information Protection Administrator\r\n\t\t\t* Intune Service Administrator\r\n\t\t\t* Kaizala Administrator\r\n\t\t\t* License Administrator\r\n\t\t\t* Password Administrator\r\n\t\t\t* PowerBI Service Administrator\r\n\t\t\t* Privileged Authentication Administrator\r\n\t\t\t* Privileged Role Administrator\r\n\t\t\t* Security Administrator\r\n\t\t\t* SharePoint Service Administrator\r\n\t\t\t* Skype for Business Administrator\r\n\t\t\t* Teams Service Administrator\r\n\t\t\t* User Administrator",
- "code": {
- "powerShell": null,
- "iac": null,
- "terraform": null,
- "other": null
- }
- },
- "recommendation": null,
- "references": [
- "https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure",
- "https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-activate-role"
- ],
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "1.1.10"
- }
- ],
- "level": "medium",
- "tags": [
-
- ],
- "rule": {
- "path": "aad_pim_active_assignment",
- "subPath": null,
- "selectCondition": {
-
- },
- "query": [
- {
- "filter": [
- {
- "include": "_ARG_0_"
- }
- ]
- }
- ],
- "shouldExist": null,
- "returnObject": null,
- "removeIfNotExists": null
- },
- "output": {
- "html": {
- "data": {
- "properties": {
- "subject.principalName": "Principal Name",
- "subject.displayName": "Display Name",
- "subject.type": "Object Type",
- "roleDefinition.displayName": "Role Name",
- "assignmentState": "State"
- },
- "expandObject": null
- },
- "table": "Normal",
- "decorate": [
-
- ],
- "emphasis": [
-
- ],
- "actions": {
- "objectData": {
- "expand": [
- "*"
- ],
- "limit": null
- },
- "showGoToButton": "False",
- "showModalButton": "True"
- }
- },
- "text": {
- "data": {
- "properties": {
-
- },
- "expandObject": null
- },
- "status": {
- "keyName": [
-
- ],
- "message": "Just In Time is not enabled",
- "defaultMessage": null
- },
- "properties": {
- "resourceName": null,
- "resourceId": null,
- "resourceType": null
- },
- "onlyStatus": false
- }
- },
- "idSuffix": "aad_pim_high_level_active_assignment",
- "notes": [
-
- ],
- "categories": [
-
- ]
-}
diff --git a/rules/findings/EntraId/IAM/monkey/entra-id-members-active-assignment-outside-pim.json b/rules/findings/EntraId/IAM/monkey/entra-id-members-active-assignment-outside-pim.json
deleted file mode 100644
index f4913bd7..00000000
--- a/rules/findings/EntraId/IAM/monkey/entra-id-members-active-assignment-outside-pim.json
+++ /dev/null
@@ -1,134 +0,0 @@
-{
- "args": [
-
- ],
- "provider": "EntraID",
- "serviceType": "Microsoft Entra ID Identity",
- "serviceName": "IAM",
- "displayName": "Ensure permanent and eligible role assignments are not assigned outside PIM",
- "description": "Instead of giving users permanent assignments to privileged roles, provisioning access just in time lessens exposure if those accounts become compromised. In Azure AD PIM or an alternative PAM system, just in time access can be provisioned by assigning users to roles as eligible instead of perpetually active.",
- "rationale": "Provisioning users to privileged roles within a PAM system enables enforcement of numerous privileged access policies and monitoring. If privileged users are assigned directly to roles in the M365 admin center or via PowerShell outside of the context of a PAM system, a significant set of critical security capabilities are bypassed.",
- "impact": "",
- "remediation": {
- "text": null,
- "code": {
- "powerShell": null,
- "iac": null,
- "terraform": null,
- "other": null
- }
- },
- "recommendation": null,
- "references": [
- "https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-admin-roles-secure",
- "https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access",
- "https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-assign-admin-roles",
- "https://learn.microsoft.com/en-us/dotnet/api/microsoft.azure.powershell.cmdlets.resources.msgraph.models.apiv10.microsoftgraphuser.onpremisessyncenabled?view=az-ps-latest",
- "https://practical365.com/listing-azure-ad-office-365-user-accounts-directory-sync-status/"
- ],
- "compliance": [
- {
- "name": "CIS Microsoft Microsoft 365 Foundations",
- "version": "3.1.0",
- "reference": "1.1.1"
- }
- ],
- "level": "medium",
- "tags": [
-
- ],
- "rule": {
- "path": "aad_pim_roleAssignment",
- "subPath": null,
- "selectCondition": {
-
- },
- "query": [
- {
- "filter": [
- {
- "include": "aad-m365-privileged-roles.json"
- }
- ]
- },
- {
- "connectOperator": "and",
- "filter": [
- {
- "conditions": [
- [
- "startDateTime",
- "eq"
- ]
- ],
- "whereObject": "activeAssignment.users"
- }
- ]
- }
- ],
- "shouldExist": null,
- "returnObject": null,
- "removeIfNotExists": null
- },
- "output": {
- "html": {
- "data": {
- "properties": {
- "activeAssignment.users.userPrincipalName": "User Principal Name",
- "activeAssignment.users.startDateTime": "Start Date",
- "activeAssignment.users.userType": "User Type",
- "displayName": "Role Name"
- },
- "expandObject": "activeAssignment.users"
- },
- "table": null,
- "decorate": [
-
- ],
- "emphasis": [
-
- ],
- "actions": {
- "objectData": {
- "expand": [
- "*"
- ],
- "limit": null
- },
- "showGoToButton": false,
- "showModalButton": false
- }
- },
- "text": {
- "data": {
- "properties": {
- "activeAssignment.users.userPrincipalName": "userPrincipalName",
- "activeAssignment.users.userType": "userType",
- "activeAssignment.users.id": "Id",
- "displayName": "Role Name"
- },
- "expandObject": "activeAssignment.users"
- },
- "status": {
- "keyName": [
- "userPrincipalName"
- ],
- "message": "The {userPrincipalName} user account is configured as a permanent role",
- "defaultMessage": null
- },
- "properties": {
- "resourceName": "userPrincipalName",
- "resourceId": "id",
- "resourceType": "userType"
- },
- "onlyStatus": false
- }
- },
- "idSuffix": "aad_pim_permanent_high_level_users",
- "notes": [
-
- ],
- "categories": [
-
- ]
-}
diff --git a/rules/findings/EntraId/IAM/monkey/entra-id-members-eligible-assignment-outside-pim.json b/rules/findings/EntraId/IAM/monkey/entra-id-members-eligible-assignment-outside-pim.json
deleted file mode 100644
index 9e1050d3..00000000
--- a/rules/findings/EntraId/IAM/monkey/entra-id-members-eligible-assignment-outside-pim.json
+++ /dev/null
@@ -1,134 +0,0 @@
-{
- "args": [
-
- ],
- "provider": "EntraID",
- "serviceType": "Microsoft Entra ID Identity",
- "serviceName": "IAM",
- "displayName": "Ensure permanent and eligible role assignments are not assigned outside PIM",
- "description": "Instead of giving users permanent assignments to privileged roles, provisioning access just in time lessens exposure if those accounts become compromised. In Azure AD PIM or an alternative PAM system, just in time access can be provisioned by assigning users to roles as eligible instead of perpetually active.",
- "rationale": "Provisioning users to privileged roles within a PAM system enables enforcement of numerous privileged access policies and monitoring. If privileged users are assigned directly to roles in the M365 admin center or via PowerShell outside of the context of a PAM system, a significant set of critical security capabilities are bypassed.",
- "impact": "",
- "remediation": {
- "text": null,
- "code": {
- "powerShell": null,
- "iac": null,
- "terraform": null,
- "other": null
- }
- },
- "recommendation": null,
- "references": [
- "https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-admin-roles-secure",
- "https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access",
- "https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-assign-admin-roles",
- "https://learn.microsoft.com/en-us/dotnet/api/microsoft.azure.powershell.cmdlets.resources.msgraph.models.apiv10.microsoftgraphuser.onpremisessyncenabled?view=az-ps-latest",
- "https://practical365.com/listing-azure-ad-office-365-user-accounts-directory-sync-status/"
- ],
- "compliance": [
- {
- "name": "CIS Microsoft Microsoft 365 Foundations",
- "version": "3.1.0",
- "reference": "1.1.1"
- }
- ],
- "level": "medium",
- "tags": [
-
- ],
- "rule": {
- "path": "aad_pim_roleAssignment",
- "subPath": null,
- "selectCondition": {
-
- },
- "query": [
- {
- "filter": [
- {
- "include": "aad-m365-privileged-roles.json"
- }
- ]
- },
- {
- "connectOperator": "and",
- "filter": [
- {
- "conditions": [
- [
- "startDateTime",
- "eq"
- ]
- ],
- "whereObject": "eligibleAssignment.users"
- }
- ]
- }
- ],
- "shouldExist": null,
- "returnObject": null,
- "removeIfNotExists": null
- },
- "output": {
- "html": {
- "data": {
- "properties": {
- "eligibleAssignment.users.userPrincipalName": "User Principal Name",
- "eligibleAssignment.users.startDateTime": "Start Date",
- "eligibleAssignment.users.userType": "User Type",
- "displayName": "Role Name"
- },
- "expandObject": "eligibleAssignment.users"
- },
- "table": null,
- "decorate": [
-
- ],
- "emphasis": [
-
- ],
- "actions": {
- "objectData": {
- "expand": [
- "*"
- ],
- "limit": null
- },
- "showGoToButton": false,
- "showModalButton": false
- }
- },
- "text": {
- "data": {
- "properties": {
- "eligibleAssignment.users.userPrincipalName": "userPrincipalName",
- "eligibleAssignment.users.userType": "userType",
- "eligibleAssignment.users.id": "Id",
- "displayName": "Role Name"
- },
- "expandObject": "eligibleAssignment.users"
- },
- "status": {
- "keyName": [
- "userPrincipalName"
- ],
- "message": "The {userPrincipalName} user account is configured outside PIM",
- "defaultMessage": null
- },
- "properties": {
- "resourceName": "userPrincipalName",
- "resourceId": "id",
- "resourceType": "userType"
- },
- "onlyStatus": false
- }
- },
- "idSuffix": "aad_pim_permanent_high_level_users",
- "notes": [
-
- ],
- "categories": [
-
- ]
-}
diff --git a/rules/findings/EntraId/IAM/monkey/entra-id-pim-permanent-assignments.json b/rules/findings/EntraId/IAM/monkey/entra-id-pim-permanent-assignments.json
deleted file mode 100644
index cba7f1d4..00000000
--- a/rules/findings/EntraId/IAM/monkey/entra-id-pim-permanent-assignments.json
+++ /dev/null
@@ -1,135 +0,0 @@
-{
- "args": [
-
- ],
- "provider": "EntraID",
- "serviceType": "Microsoft Entra ID Identity",
- "serviceName": "IAM",
- "displayName": "Ensure active role assignments are not permanent",
- "description": "Instead of giving users permanent assignments to privileged roles, provisioning access just in time lessens exposure if those accounts become compromised. In Azure AD PIM or an alternative PAM system, just in time access can be provisioned by assigning users to roles as eligible instead of perpetually active.",
- "rationale": "Ensuring administrative accounts are cloud-only, will reduce the attack surface of high privileged identities in your environment. In order to participate in Microsoft 365 security services such as Identity protection, PIM and Conditional Access an administrative account will need a license attached to it. In a hybrid environment, having separate accounts will help ensure that in the event of a breach in the cloud, that the breach does not affect the on-prem environment and vice versa.",
- "impact": "",
- "remediation": {
- "text": null,
- "code": {
- "powerShell": null,
- "iac": null,
- "terraform": null,
- "other": null
- }
- },
- "recommendation": null,
- "references": [
- "https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-admin-roles-secure",
- "https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access",
- "https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-assign-admin-roles",
- "https://learn.microsoft.com/en-us/dotnet/api/microsoft.azure.powershell.cmdlets.resources.msgraph.models.apiv10.microsoftgraphuser.onpremisessyncenabled?view=az-ps-latest",
- "https://practical365.com/listing-azure-ad-office-365-user-accounts-directory-sync-status/"
- ],
- "compliance": [
- {
- "name": "CIS Microsoft Microsoft 365 Foundations",
- "version": "3.1.0",
- "reference": "1.1.1"
- }
- ],
- "level": "medium",
- "tags": [
-
- ],
- "rule": {
- "path": "aad_pim_roleAssignment",
- "subPath": null,
- "selectCondition": {
-
- },
- "query": [
- {
- "filter": [
- {
- "include": "aad-m365-privileged-roles.json"
- }
- ]
- },
- {
- "connectOperator": "and",
- "filter": [
- {
- "conditions": [
- [
- "endDateTime",
- "eq"
- ]
- ],
- "whereObject": "activeAssignment.users",
- "operator": "or"
- }
- ]
- }
- ],
- "shouldExist": null,
- "returnObject": null,
- "removeIfNotExists": null
- },
- "output": {
- "html": {
- "data": {
- "properties": {
- "activeAssignment.users.userPrincipalName": "User Principal Name",
- "activeAssignment.users.startDateTime": "Start Date",
- "activeAssignment.users.userType": "User Type",
- "displayName": "Role Name"
- },
- "expandObject": "activeAssignment.users"
- },
- "table": null,
- "decorate": [
-
- ],
- "emphasis": [
-
- ],
- "actions": {
- "objectData": {
- "expand": [
- "*"
- ],
- "limit": null
- },
- "showGoToButton": false,
- "showModalButton": false
- }
- },
- "text": {
- "data": {
- "properties": {
- "activeAssignment.users.userPrincipalName": "userPrincipalName",
- "activeAssignment.users.userType": "userType",
- "activeAssignment.users.id": "Id",
- "displayName": "Role Name"
- },
- "expandObject": "activeAssignment.users"
- },
- "status": {
- "keyName": [
- "userPrincipalName"
- ],
- "message": "The {userPrincipalName} user account is configured as a permanent role",
- "defaultMessage": null
- },
- "properties": {
- "resourceName": "displayName",
- "resourceId": "id",
- "resourceType": "user"
- },
- "onlyStatus": false
- }
- },
- "idSuffix": "aad_pim_permanent_high_level_users",
- "notes": [
-
- ],
- "categories": [
-
- ]
-}
diff --git a/rules/findings/EntraId/Policy/CIS1.4/aad-sign-in-policy-all_users_disabled.json b/rules/findings/EntraId/Policy/CIS1.4/aad-sign-in-policy-all_users_disabled.json
deleted file mode 100644
index 61d47ae8..00000000
--- a/rules/findings/EntraId/Policy/CIS1.4/aad-sign-in-policy-all_users_disabled.json
+++ /dev/null
@@ -1,179 +0,0 @@
-{
- "args": [
-
- ],
- "provider": "EntraID",
- "serviceType": "Identity Protection",
- "serviceName": "Microsoft Entra ID",
- "displayName": "Ensure Microsoft Entra ID Identity Protection sign-in risk policy is configured for all users",
- "description": "Microsoft Entra ID Identity Protection sign-in risk detects risks in real-time and offline. A risky sign-in is an indicator for a sign-in attempt that might not have been performed by the legitimate owner of a user account.",
- "rationale": "Turning on the sign-in risk policy ensures that suspicious sign-ins are challenged for multi-factor authentication.",
- "impact": "When the policy triggers, the user will need MFA to access the account. In the case of a user who hasn\u0027t registered MFA on their account, they would be blocked from accessing their account. It is therefore recommended that the MFA registration policy be configured for all users who are a part of the Sign-in Risk policy.",
- "remediation": {
- "text": "###### From Microsoft Entra ID Portal\r\n\t\t\t\t\t1. Log in to \u003ca href=\u0027https://aad.portal.azure.com\u0027 target=\u0027_blank\u0027\u003ehttps://aad.portal.azure.com\u003c/a\u003e as a Global Administrator.\r\n\t\t\t\t\t2. Select `Security`.\r\n\t\t\t\t\t3. Select `Identity Protection`.\r\n\t\t\t\t\t4. Select `Sign-in risk policy`.\r\n\t\t\t\t\t5. Set the following conditions within the policy.\r\n\t\t\t\t\t\t* Under Users or workload identities choose `All users`\r\n\t\t\t\t\t\t* Under `Sign-in risk` set the appropriate level.\r\n\t\t\t\t\t\t* Under `Access` select `Allow access` then in the right pane select `Require multi-factor authentication`.\r\n\t\t\t\t\t6. Click `Done`\r\n\t\t\t\t\t7. In `Enforce Policy` set `On`.",
- "code": {
- "powerShell": null,
- "iac": null,
- "terraform": null,
- "other": null
- }
- },
- "recommendation": null,
- "references": [
- "https://docs.microsoft.com/en-us/azure/active-directory/authentication/tutorial-risk-based-sspr-mfa"
- ],
- "compliance": [
- {
- "name": "CIS Microsoft 365 Foundations",
- "version": "1.4.0",
- "reference": "1.1.8"
- }
- ],
- "level": "medium",
- "tags": [
- "Microsoft 365 CIS benchmark 1.1.8"
- ],
- "rule": {
- "path": "aad_domain_policies",
- "subPath": null,
- "selectCondition": {
-
- },
- "query": [
- {
- "operator": "and",
- "filter": [
- {
- "conditions": [
- [
- "displayName",
- "eq",
- "Sign-In Risk Policy"
- ]
- ]
- },
- {
- "conditions": [
- [
- "policyDetail.AuthenticationPolicies.AccessPolicy.Mode",
- "eq",
- "enabled"
- ],
- [
- "policyDetail.AuthenticationPolicies.AuthenticationMethodPolicy.Mode",
- "eq",
- "enabled"
- ]
- ],
- "operator": "or"
- },
- {
- "conditions": [
- [
- "policyDetail.AuthenticationPolicies.AccessPolicy.IncludeConditions.Groups",
- "ne"
- ],
- [
- "policyDetail.AuthenticationPolicies.AuthenticationMethodPolicy.IncludeConditions.Groups",
- "ne"
- ]
- ],
- "operator": "or"
- }
- ]
- },
- {
- "connectOperator": "and",
- "operator": "or",
- "filter": [
- {
- "conditions": [
- [
- "policyDetail.AuthenticationPolicies.AccessPolicy.IncludeConditions.Groups",
- "ne"
- ],
- [
- "policyDetail.AuthenticationPolicies.AccessPolicy.IncludeConditions.Groups",
- "contains",
- "all_users"
- ]
- ],
- "operator": "and"
- },
- {
- "conditions": [
- [
- "policyDetail.AuthenticationPolicies.AuthenticationMethodPolicy.IncludeConditions.Groups",
- "ne"
- ],
- [
- "policyDetail.AuthenticationPolicies.AuthenticationMethodPolicy.IncludeConditions.Groups",
- "contains",
- "all_users"
- ]
- ],
- "operator": "and"
- }
- ]
- }
- ],
- "shouldExist": null,
- "returnObject": null,
- "removeIfNotExists": "true"
- },
- "output": {
- "html": {
- "data": {
- "properties": {
-
- },
- "expandObject": null
- },
- "table": null,
- "decorate": [
-
- ],
- "emphasis": [
-
- ],
- "actions": {
- "objectData": {
- "expand": [
- "*"
- ],
- "limit": null
- },
- "showGoToButton": false,
- "showModalButton": false
- }
- },
- "text": {
- "data": {
- "properties": {
-
- },
- "expandObject": null
- },
- "status": {
- "keyName": [
-
- ],
- "message": "Entra Id sign-in risk policy is not configured for all users",
- "defaultMessage": null
- },
- "properties": {
- "resourceName": "displayName",
- "resourceId": "objectId",
- "resourceType": null
- },
- "onlyStatus": false
- }
- },
- "idSuffix": "aad_signIn_Policy_all_users_disabled",
- "notes": [
-
- ],
- "categories": [
-
- ]
-}
diff --git a/rules/findings/EntraId/Policy/CIS1.4/aad-sign-in-policy-disabled.json b/rules/findings/EntraId/Policy/CIS1.4/aad-sign-in-policy-disabled.json
deleted file mode 100644
index e5904d4b..00000000
--- a/rules/findings/EntraId/Policy/CIS1.4/aad-sign-in-policy-disabled.json
+++ /dev/null
@@ -1,119 +0,0 @@
-{
- "args": [
-
- ],
- "provider": "EntraID",
- "serviceType": "Identity Protection",
- "serviceName": "Microsoft Entra ID",
- "displayName": "Ensure Microsoft Entra ID Identity Protection sign-in risk policy is enabled",
- "description": "Microsoft Entra ID Identity Protection sign-in risk detects risks in real-time and offline. A risky sign-in is an indicator for a sign-in attempt that might not have been performed by the legitimate owner of a user account.",
- "rationale": "Turning on the sign-in risk policy ensures that suspicious sign-ins are challenged for multi-factor authentication.",
- "impact": "When the policy triggers, the user will need MFA to access the account. In the case of a user who hasn\u0027t registered MFA on their account, they would be blocked from accessing their account. It is therefore recommended that the MFA registration policy be configured for all users who are a part of the Sign-in Risk policy.",
- "remediation": {
- "text": "###### From Microsoft Entra ID Portal\r\n\t\t\t\t\t1. Log in to \u003ca href=\u0027https://aad.portal.azure.com\u0027 target=\u0027_blank\u0027\u003ehttps://aad.portal.azure.com\u003c/a\u003e as a Global Administrator.\r\n\t\t\t\t\t2. Select `Security`.\r\n\t\t\t\t\t3. Select `Identity Protection`.\r\n\t\t\t\t\t4. Select `Sign-in risk policy`.\r\n\t\t\t\t\t5. Set the following conditions within the policy.\r\n\t\t\t\t\t\t* Under Users or workload identities choose `All users`\r\n\t\t\t\t\t\t* Under `Sign-in risk` set the appropriate level.\r\n\t\t\t\t\t\t* Under `Access` select `Allow access` then in the right pane select `Require multi-factor authentication`.\r\n\t\t\t\t\t6. Click `Done`\r\n\t\t\t\t\t7. In `Enforce Policy` set `On`.",
- "code": {
- "powerShell": null,
- "iac": null,
- "terraform": null,
- "other": null
- }
- },
- "recommendation": null,
- "references": [
- "https://docs.microsoft.com/en-us/azure/active-directory/authentication/tutorial-risk-based-sspr-mfa"
- ],
- "compliance": [
- {
- "name": "CIS Microsoft 365 Foundations",
- "version": "1.4.0",
- "reference": "1.1.8"
- }
- ],
- "level": "medium",
- "tags": [
- "Microsoft 365 CIS benchmark 1.1.8"
- ],
- "rule": {
- "path": "aad_domain_policies",
- "subPath": null,
- "selectCondition": {
-
- },
- "query": [
- {
- "filter": [
- {
- "conditions": [
- [
- "displayName",
- "eq",
- "Sign-In Risk Policy"
- ]
- ]
- }
- ]
- }
- ],
- "shouldExist": "true",
- "returnObject": {
- "PolicyName": "Sign-In risk policy",
- "Status": "DoesNotExists"
- },
- "removeIfNotExists": null
- },
- "output": {
- "html": {
- "data": {
- "properties": {
-
- },
- "expandObject": null
- },
- "table": null,
- "decorate": [
-
- ],
- "emphasis": [
-
- ],
- "actions": {
- "objectData": {
- "expand": [
- "*"
- ],
- "limit": null
- },
- "showGoToButton": false,
- "showModalButton": false
- }
- },
- "text": {
- "data": {
- "properties": {
-
- },
- "expandObject": null
- },
- "status": {
- "keyName": [
-
- ],
- "message": "Entra Id sign-in risk policy is not enabled",
- "defaultMessage": null
- },
- "properties": {
- "resourceName": "displayName",
- "resourceId": "objectId",
- "resourceType": null
- },
- "onlyStatus": false
- }
- },
- "idSuffix": "aad_signIn_Policy_disabled",
- "notes": [
-
- ],
- "categories": [
-
- ]
-}
diff --git a/rules/findings/EntraId/Policy/CIS1.4/aad-user-risk-policy-all_users_disabled.json b/rules/findings/EntraId/Policy/CIS1.4/aad-user-risk-policy-all_users_disabled.json
deleted file mode 100644
index bd5ad3b5..00000000
--- a/rules/findings/EntraId/Policy/CIS1.4/aad-user-risk-policy-all_users_disabled.json
+++ /dev/null
@@ -1,147 +0,0 @@
-{
- "args": [
-
- ],
- "provider": "EntraID",
- "serviceType": "Identity Protection",
- "serviceName": "Azure AD",
- "displayName": "Ensure Azure AD Identity Protection user risk policy is configured for all users",
- "description": "Azure Active Directory Identity Protection user risk policies detect the probability that a user account has been compromised.",
- "rationale": "With the user risk policy turned on, Azure AD detects the probability that a user account has been compromised. As an administrator, you can configure a user risk conditional access policy to automatically respond to a specific user risk level. For example, you can block access to your resources or require a password change to get a user account back into a clean state.",
- "impact": "When the policy triggers, access to the account will either be blocked or the user would be required to use multi-factor authentication and change their password. Users who haven\u0027t registered MFA on their account will be blocked from accessing it. If account access is blocked, an admin would need to recover the account. It is therefore recommended that the MFA registration policy be configured for all users who are a part of the User Risk policy.",
- "remediation": {
- "text": "###### From Microsoft Entra ID Portal\r\n\t\t\t\t\t1. Log in to \u003ca href=\u0027https://aad.portal.azure.com\u0027 target=\u0027_blank\u0027\u003ehttps://aad.portal.azure.com\u003c/a\u003e as a Global Administrator.\r\n\t\t\t\t\t2. Select `Security`.\r\n\t\t\t\t\t3. Select `Identity Protection`.\r\n\t\t\t\t\t4. Select `User risk policy`.\r\n\t\t\t\t\t5. Set the following conditions within the policy.\r\n\t\t\t\t\t\t* Under Users or workload identities choose `All users`\r\n\t\t\t\t\t\t* Under `User risk` set the appropriate level.\r\n\t\t\t\t\t\t* Under `Access` select `Allow access` then in the right pane select `Require password change`.\r\n\t\t\t\t\t6. Click `Done`\r\n\t\t\t\t\t7. In `Enforce Policy` set `On`.",
- "code": {
- "powerShell": null,
- "iac": null,
- "terraform": null,
- "other": null
- }
- },
- "recommendation": null,
- "references": [
- "https://docs.microsoft.com/en-us/azure/active-directory/authentication/tutorial-risk-based-sspr-mfa"
- ],
- "compliance": [
- {
- "name": "CIS Microsoft 365 Foundations",
- "version": "1.4.0",
- "reference": "1.1.8"
- }
- ],
- "level": "medium",
- "tags": [
- "Microsoft 365 CIS benchmark 1.1.8"
- ],
- "rule": {
- "path": "aad_domain_policies",
- "subPath": null,
- "selectCondition": {
-
- },
- "query": [
- {
- "operator": "and",
- "filter": [
- {
- "conditions": [
- [
- "displayName",
- "eq",
- "User Risk and MFA Registration Policy"
- ],
- [
- "policyDetail.SecurityPolicy.AccountCompromiseRiskPolicies.Mode",
- "eq",
- "enabled"
- ]
- ],
- "operator": "and"
- },
- {
- "conditions": [
- [
- "policyDetail.SecurityPolicy.AccountCompromiseRiskPolicies.requiredActions",
- "eq",
- "mfa_pwd_change"
- ],
- [
- "policyDetail.SecurityPolicy.AccountCompromiseRiskPolicies.requiredActions",
- "eq",
- "block"
- ]
- ],
- "operator": "or"
- },
- {
- "conditions": [
- [
- "policyDetail.SecurityPolicy.AccountCompromiseRiskPolicies.IncludeConditions.Groups",
- "notcontains",
- "all_users"
- ]
- ]
- }
- ]
- }
- ],
- "shouldExist": null,
- "returnObject": null,
- "removeIfNotExists": "true"
- },
- "output": {
- "html": {
- "data": {
- "properties": {
-
- },
- "expandObject": null
- },
- "table": null,
- "decorate": [
-
- ],
- "emphasis": [
-
- ],
- "actions": {
- "objectData": {
- "expand": [
- "*"
- ],
- "limit": null
- },
- "showGoToButton": false,
- "showModalButton": false
- }
- },
- "text": {
- "data": {
- "properties": {
-
- },
- "expandObject": null
- },
- "status": {
- "keyName": [
-
- ],
- "message": "Entra Id user risk policy is not configured for all users",
- "defaultMessage": null
- },
- "properties": {
- "resourceName": "displayName",
- "resourceId": "objectId",
- "resourceType": null
- },
- "onlyStatus": false
- }
- },
- "idSuffix": "aad_user_risk_policy_all_users_disabled",
- "notes": [
-
- ],
- "categories": [
-
- ]
-}
diff --git a/rules/findings/EntraId/Policy/CIS1.4/aad-user-risk-policy-disabled.json b/rules/findings/EntraId/Policy/CIS1.4/aad-user-risk-policy-disabled.json
deleted file mode 100644
index 34429de0..00000000
--- a/rules/findings/EntraId/Policy/CIS1.4/aad-user-risk-policy-disabled.json
+++ /dev/null
@@ -1,119 +0,0 @@
-{
- "args": [
-
- ],
- "provider": "EntraID",
- "serviceType": "Identity Protection",
- "serviceName": "Microsoft Entra ID",
- "displayName": "Ensure Microsoft Entra ID Identity Protection user risk policy is enabled",
- "description": "Microsoft Entra ID Identity Protection user risk policies detect the probability that a user account has been compromised.",
- "rationale": "With the user risk policy turned on, Microsoft Entra ID detects the probability that a user account has been compromised. As an administrator, you can configure a user risk conditional access policy to automatically respond to a specific user risk level. For example, you can block access to your resources or require a password change to get a user account back into a clean state.",
- "impact": "When the policy triggers, access to the account will either be blocked or the user would be required to use multi-factor authentication and change their password. Users who haven\u0027t registered MFA on their account will be blocked from accessing it. If account access is blocked, an admin would need to recover the account. It is therefore recommended that the MFA registration policy be configured for all users who are a part of the User Risk policy.",
- "remediation": {
- "text": "###### From Microsoft Entra ID Portal\r\n\t\t\t\t\t1. Log in to \u003ca href=\u0027https://aad.portal.azure.com\u0027 target=\u0027_blank\u0027\u003ehttps://aad.portal.azure.com\u003c/a\u003e as a Global Administrator.\r\n\t\t\t\t\t2. Select `Security`.\r\n\t\t\t\t\t3. Select `Identity Protection`.\r\n\t\t\t\t\t4. Select `User risk policy`.\r\n\t\t\t\t\t5. Set the following conditions within the policy.\r\n\t\t\t\t\t\t* Under Users or workload identities choose `All users`\r\n\t\t\t\t\t\t* Under `User risk` set the appropriate level.\r\n\t\t\t\t\t\t* Under `Access` select `Allow access` then in the right pane select `Require password change`.\r\n\t\t\t\t\t6. Click `Done`\r\n\t\t\t\t\t7. In `Enforce Policy` set `On`.",
- "code": {
- "powerShell": null,
- "iac": null,
- "terraform": null,
- "other": null
- }
- },
- "recommendation": null,
- "references": [
- "https://docs.microsoft.com/en-us/azure/active-directory/authentication/tutorial-risk-based-sspr-mfa"
- ],
- "compliance": [
- {
- "name": "CIS Microsoft 365 Foundations",
- "version": "1.4.0",
- "reference": "1.1.8"
- }
- ],
- "level": "medium",
- "tags": [
- "Microsoft 365 CIS benchmark 1.1.8"
- ],
- "rule": {
- "path": "aad_domain_policies",
- "subPath": null,
- "selectCondition": {
-
- },
- "query": [
- {
- "filter": [
- {
- "conditions": [
- [
- "displayName",
- "eq",
- "User Risk and MFA Registration Policy"
- ]
- ]
- }
- ]
- }
- ],
- "shouldExist": "true",
- "returnObject": {
- "PolicyName": "User Risk and MFA Registration Policy",
- "Status": "DoesNotExists"
- },
- "removeIfNotExists": null
- },
- "output": {
- "html": {
- "data": {
- "properties": {
-
- },
- "expandObject": null
- },
- "table": null,
- "decorate": [
-
- ],
- "emphasis": [
-
- ],
- "actions": {
- "objectData": {
- "expand": [
- "*"
- ],
- "limit": null
- },
- "showGoToButton": false,
- "showModalButton": false
- }
- },
- "text": {
- "data": {
- "properties": {
-
- },
- "expandObject": null
- },
- "status": {
- "keyName": [
-
- ],
- "message": "Entra Id user risk policy is not enabled",
- "defaultMessage": null
- },
- "properties": {
- "resourceName": null,
- "resourceId": null,
- "resourceType": null
- },
- "onlyStatus": false
- }
- },
- "idSuffix": "aad_user_risk_policy_disabled",
- "notes": [
-
- ],
- "categories": [
-
- ]
-}
diff --git a/rules/findings/EntraId/SSPR/CIS1.4/aad-sspr-disabled.json b/rules/findings/EntraId/SSPR/CIS1.4/aad-sspr-disabled.json
deleted file mode 100644
index a6076cdd..00000000
--- a/rules/findings/EntraId/SSPR/CIS1.4/aad-sspr-disabled.json
+++ /dev/null
@@ -1,122 +0,0 @@
-{
- "args": [
-
- ],
- "provider": "EntraID",
- "serviceType": "Identity Protection",
- "serviceName": "Microsoft Entra ID",
- "displayName": "Enable Self-Service Password reset to allow users to reset their own passwords in Azure AD",
- "description": "Enabling self-service password reset allows users to reset their own passwords in Microsoft Entra ID. When your users sign in to Microsoft 365, they will be prompted to enter additional contact information that will help them reset their password in the future. If combined registration is enabled additional information, outside of multi-factor, will not be needed. As of August 2020 combined registration is enabled by default.",
- "rationale": "Users will no longer need to engage the helpdesk for password resets, and the password reset mechanism will automatically block common, easily guessable passwords.",
- "impact": "The impact associated with this setting is that users will be required to provide additional contact information to enroll in self-service password reset. Additionally, minor user education may be required for users that are used to calling a help desk for assistance with password resets. As of August of 2020 combined registration is automatic for new tenants therefor users will not need to register for password reset separately from multi-factor authentication.",
- "remediation": {
- "text": null,
- "code": {
- "powerShell": null,
- "iac": null,
- "terraform": null,
- "other": null
- }
- },
- "recommendation": null,
- "references": [
- "https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-howitworks"
- ],
- "compliance": [
- {
- "name": "CIS Microsoft 365 Foundations",
- "version": "1.4.0",
- "reference": "1.1.4"
- }
- ],
- "level": "medium",
- "tags": [
- "Microsoft 365 CIS benchmark 1.1.4"
- ],
- "rule": {
- "path": "aad_password_reset_policy",
- "subPath": null,
- "selectCondition": {
-
- },
- "query": [
- {
- "filter": [
- {
- "conditions": [
- [
- "enablementType",
- "eq",
- "0"
- ]
- ]
- }
- ]
- }
- ],
- "shouldExist": null,
- "returnObject": null,
- "removeIfNotExists": null
- },
- "output": {
- "html": {
- "data": {
- "properties": {
- "enablementType": "Enablement Type",
- "emailOptionEnabled": "Email",
- "mobilePhoneOptionEnabled": "Mobile Phone",
- "officePhoneOptionEnabled": "Office Phone",
- "securityQuestionsOptionEnabled": "Security questions",
- "mobileAppNotificationEnabled": "Mobile app notification",
- "mobileAppCodeEnabled": "Mobile app code"
- },
- "expandObject": null
- },
- "table": "Normal",
- "decorate": [
-
- ],
- "emphasis": [
-
- ],
- "actions": {
- "objectData": {
- "expand": [
- "*"
- ],
- "limit": null
- },
- "showGoToButton": "True",
- "showModalButton": "True"
- }
- },
- "text": {
- "data": {
- "properties": {
-
- },
- "expandObject": null
- },
- "status": {
- "keyName": [
-
- ],
- "message": "SSPR is not enabled",
- "defaultMessage": null
- },
- "properties": {
- "resourceName": null,
- "resourceId": null,
- "resourceType": null
- },
- "onlyStatus": false
- }
- },
- "idSuffix": "aad_sspr_disabled",
- "notes": [
-
- ],
- "categories": [
-
- ]
-}
diff --git a/rules/findings/EntraId/Users/CIS1.4/azure-activedirectory-users-can-add-gallery-apps.json b/rules/findings/EntraId/Users/CIS1.4/azure-activedirectory-users-can-add-gallery-apps.json
deleted file mode 100644
index c08ebd92..00000000
--- a/rules/findings/EntraId/Users/CIS1.4/azure-activedirectory-users-can-add-gallery-apps.json
+++ /dev/null
@@ -1,121 +0,0 @@
-{
- "args": [
-
- ],
- "provider": "EntraID",
- "serviceType": "General",
- "serviceName": "Microsoft Entra ID",
- "displayName": "Ensure that \u0027Users can add gallery apps to their Access Panel\u0027 is set to \u0027No\u0027",
- "description": "Consider to prevent users from registering Gallery applications.",
- "rationale": "Unless Microsoft Entra ID is running as an identity provider for third-party applications, do not allow users to use their identity outside of your cloud environment. User profiles contain private information such as phone numbers and email addresses which could then be sold off to other third parties without requiring any further consent from the user.",
- "impact": "It might be an additional request that administrators need to fulfill quite often.",
- "remediation": {
- "text": "###### From Azure Console\r\n\t\t\t\t\t\t1. Go to `Microsoft Entra ID`\r\n\t\t\t\t\t\t2. Go to `Users`\r\n\t\t\t\t\t\t3. Go to `User settings`\r\n\t\t\t\t\t\t4. Click on `Manage how end users launch and view their applications`\r\n\t\t\t\t\t\t4. Set `Users can add gallery apps to their Access Panel` to `No`",
- "code": {
- "powerShell": null,
- "iac": null,
- "terraform": null,
- "other": null
- }
- },
- "recommendation": null,
- "references": [
- "https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/methods-for-assigning-users-and-groups",
- "https://ezcloudinfo.com/2019/01/22/configure-access-panel-in-azure-active-directory/",
- "https://blogs.msdn.microsoft.com/exchangedev/2014/06/05/managing-user-consent-for-applications-using-office-365-apis/",
- "https://nicksnettravels.builttoroam.com/post/2017/01/24/Admin-Consent-for-Permissions-in-Azure-Active-Directory.aspx",
- "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-1-define-asset-management-and-data-protection-strategy",
- "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-1-protect-and-limit-highly-privileged-users",
- "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-2-restrict-administrative-access-to-business-critical-systems"
- ],
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.1.0",
- "reference": "1.10"
- }
- ],
- "level": "medium",
- "tags": [
-
- ],
- "rule": {
- "path": "aad_managed_app_user_settings",
- "subPath": null,
- "selectCondition": {
-
- },
- "query": [
- {
- "filter": [
- {
- "conditions": [
- [
- "usersCanAddGalleryApps",
- "eq",
- "True"
- ]
- ]
- }
- ]
- }
- ],
- "shouldExist": null,
- "returnObject": null,
- "removeIfNotExists": null
- },
- "output": {
- "html": {
- "data": {
- "properties": {
- "usersCanAllowAppsToAccessData": "Users can allow apps to access data",
- "usersCanAddGalleryApps": "Users can add gallery apps"
- },
- "expandObject": null
- },
- "table": "asList",
- "decorate": [
-
- ],
- "emphasis": [
- "Users can add gallery apps"
- ],
- "actions": {
- "objectData": {
- "expand": null,
- "limit": null
- },
- "showGoToButton": null,
- "showModalButton": null
- }
- },
- "text": {
- "data": {
- "properties": {
-
- },
- "expandObject": null
- },
- "status": {
- "keyName": [
-
- ],
- "message": "Users can add gallery apps to their Access Panel",
- "defaultMessage": null
- },
- "properties": {
- "resourceName": null,
- "resourceId": null,
- "resourceType": null
- },
- "onlyStatus": false
- }
- },
- "idSuffix": "aad_require_admins_gallery_apps",
- "notes": [
-
- ],
- "categories": [
-
- ]
-}
diff --git a/rules/findings/Microsoft365/ExchangeOnline/Advanced Threat Protection/CIS1.4/exchange-atp-default-safe-links-policy-disabled.json b/rules/findings/Microsoft365/Exchange Online/Advanced Threat Protection/CIS3.1/exchange-atp-default-safe-links-policy-disabled.json
similarity index 97%
rename from rules/findings/Microsoft365/ExchangeOnline/Advanced Threat Protection/CIS1.4/exchange-atp-default-safe-links-policy-disabled.json
rename to rules/findings/Microsoft365/Exchange Online/Advanced Threat Protection/CIS3.1/exchange-atp-default-safe-links-policy-disabled.json
index a368c0d6..5335f9bb 100644
--- a/rules/findings/Microsoft365/ExchangeOnline/Advanced Threat Protection/CIS1.4/exchange-atp-default-safe-links-policy-disabled.json
+++ b/rules/findings/Microsoft365/Exchange Online/Advanced Threat Protection/CIS3.1/exchange-atp-default-safe-links-policy-disabled.json
@@ -1,4 +1,4 @@
-{
+{
"args": [
],
@@ -111,13 +111,15 @@
],
"actions": {
"objectData": {
- "expand": [
+ "properties": [
"*"
],
+ "expandObject": null,
"limit": null
},
"showGoToButton": "True",
- "showModalButton": "True"
+ "showModalButton": "True",
+ "directLink": null
}
},
"text": {
@@ -150,3 +152,4 @@
]
}
+
diff --git a/rules/findings/Microsoft365/Exchange Online/Advanced Threat Protection/CIS3.1/exchange-atp-safe-attachments-for-sharepoint-onedrive-and-teams-disabled.json b/rules/findings/Microsoft365/Exchange Online/Advanced Threat Protection/CIS3.1/exchange-atp-safe-attachments-for-sharepoint-onedrive-and-teams-disabled.json
new file mode 100644
index 00000000..1636513a
--- /dev/null
+++ b/rules/findings/Microsoft365/Exchange Online/Advanced Threat Protection/CIS3.1/exchange-atp-safe-attachments-for-sharepoint-onedrive-and-teams-disabled.json
@@ -0,0 +1,103 @@
+{
+ "args": [
+
+ ],
+ "provider": "Microsoft365",
+ "serviceType": "Exchange Online",
+ "serviceName": "Microsoft 365",
+ "displayName": "Ensure Safe Attachments for SharePoint, OneDrive, and Microsoft Teams is Enabled",
+ "description": "Safe Attachments for SharePoint, OneDrive, and Microsoft Teams scans these services for malicious files.",
+ "rationale": "Safe Attachments for SharePoint, OneDrive, and Microsoft Teams protect organizations from inadvertently sharing malicious files. When a malicious file is detected that file is blocked so that no one can open, copy, move, or share it until further actions are taken by the organization's security team.",
+ "impact": "Impact associated with Safe Attachments is minimal, and equivalent to impact associated with anti-virus scanners in an environment.",
+ "remediation": {
+ "text": "",
+ "code": {
+ "powerShell": null,
+ "iac": null,
+ "terraform": null,
+ "other": null
+ }
+ },
+ "recommendation": null,
+ "references": [
+ "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/safe-attachments?view=o365-worldwide"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations Benchmark",
+ "version": "3.1.0",
+ "reference": "2.1.5",
+ "profile": "E5 Level 2"
+ }
+ ],
+ "level": "medium",
+ "tags": [
+ ],
+ "rule": {
+ "path": "",
+ "subPath": null,
+ "selectCondition": {
+
+ },
+ "query": [
+ ],
+ "shouldExist": null,
+ "returnObject": null,
+ "removeIfNotExists": null
+ },
+ "output": {
+ "html": {
+ "data": {
+ "expandObject": null
+ },
+ "table": "Normal",
+ "decorate": [
+
+ ],
+ "emphasis": [
+
+ ],
+ "actions": {
+ "objectData": {
+ "properties": [
+ "*"
+ ],
+ "expandObject": null,
+ "limit": null
+ },
+ "showGoToButton": "True",
+ "showModalButton": "True",
+ "directLink": null
+ }
+ },
+ "text": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "status": {
+ "keyName": [
+
+ ],
+ "message": "Ensure Safe Attachments for SharePoint, OneDrive, and Microsoft Teams is Enabled",
+ "defaultMessage": null
+ },
+ "properties": {
+ "resourceName": null,
+ "resourceId": null,
+ "resourceType": null
+ },
+ "onlyStatus": false
+ }
+ },
+ "idSuffix": "m365_exo_safe_attachment_policy_office_apps_disabled",
+ "notes": [
+
+ ],
+ "categories": [
+
+ ]
+}
+
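Review bot: The rule block in this new file is a stub: `"path": ""` and an empty `query` array give the evaluator nothing to select or filter, so the finding mapped to CIS 3.1.0 reference 2.1.5 can never fire while the rule set still appears to cover it; the new exchange-dkim-disabled-for-domain.json hunk later in this diff has the same empty `path`/`query` and `"text": ""` remediation. Either point `path` at the collector key for this policy or record in `notes` that the check is not yet implemented, so the gap shows up in reports instead of as silent coverage. `output.html.data` also omits the `"properties": {}` object that every sibling rule carries, and `"showGoToButton": "True"` / `"showModalButton": "True"` are strings where other rules in this diff use the boolean `false`. The `status.message` repeats the `displayName` instead of naming the failed condition; `"message": "Safe Attachments for SharePoint, OneDrive, and Microsoft Teams is not enabled"` would match the style of the surrounding findings.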
diff --git a/rules/findings/Microsoft365/ExchangeOnline/Advanced Threat Protection/CIS1.4/exchange-atp-safe-attachments-policy-disabled.json b/rules/findings/Microsoft365/Exchange Online/Advanced Threat Protection/CIS3.1/exchange-atp-safe-attachments-policy-disabled.json
similarity index 68%
rename from rules/findings/Microsoft365/ExchangeOnline/Advanced Threat Protection/CIS1.4/exchange-atp-safe-attachments-policy-disabled.json
rename to rules/findings/Microsoft365/Exchange Online/Advanced Threat Protection/CIS3.1/exchange-atp-safe-attachments-policy-disabled.json
index fae6edd4..721871f3 100644
--- a/rules/findings/Microsoft365/ExchangeOnline/Advanced Threat Protection/CIS1.4/exchange-atp-safe-attachments-policy-disabled.json
+++ b/rules/findings/Microsoft365/Exchange Online/Advanced Threat Protection/CIS3.1/exchange-atp-safe-attachments-policy-disabled.json
@@ -1,13 +1,13 @@
-{
+{
"args": [
],
"provider": "Microsoft365",
"serviceType": "Exchange Online",
"serviceName": "Microsoft 365",
- "displayName": "Ensure the Advanced Threat Protection Safe Attachments policy is enabled",
- "description": "Enabling the Advanced Threat Protection Safe Attachments policy extends malware protections to include routing all messages and attachments without a known malware signature to a special hypervisor environment. In that environment, a behavior analysis is performed using a variety of machine learning and analysis techniques to detect malicious intent.",
- "rationale": "This policy increases the likelihood of identifying and stopping previously unknown malware.",
+ "displayName": "Ensure Safe Attachments policy is enabled",
+ "description": "The Safe Attachments policy helps protect users from malware in email attachments by scanning attachments for viruses, malware, and other malicious content. When an email attachment is received by a user, Safe Attachments will scan the attachment in a secure environment and provide a verdict on whether the attachment is safe or not.",
+ "rationale": "Enabling Safe Attachments policy helps protect against malware threats in email attachments by analyzing suspicious attachments in a secure, cloud-based environment before they are delivered to the user's inbox. This provides an additional layer of security and can prevent new or unseen types of malware from infiltrating the organization's network.",
"impact": "Delivery of email with attachments may be delayed while scanning is occurring.",
"remediation": {
"text": "###### To enable the ATP Safe Attachments policy, use the Microsoft 365 Admin Center\r\n\t\t\t\t\t1. Click `Security` to open the `Security portal`.\r\n\t\t\t\t\t2. Navigate to `Threat management`, then `Policy`, and select `Safe Attachments`.\r\n\t\t\t\t\t3. Click `+`.\r\n\t\t\t\t\t4. Enter Policy Name and Description followed by the Users, Groups, or Domains it will \r\n\t\t\t\t\tapply to.\r\n\t\t\t\t\t5. Select `Block`, `Monitor`, `Replace` or `Dynamic Delivery` based on your organizational policies.\r\n\t\t\t\t\t6. Select `Next`.\r\n\t\t\t\t\t7. Select `Submit` followed by `Done`.",
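Review bot: The untouched `remediation.text` on the last line of this hunk still opens with `###### To enable the ATP Safe Attachments policy`, while `displayName`, `description` and `rationale` in the same hunk drop the Advanced Threat Protection branding, so the rendered finding mixes old and new product names. A one-word fix keeps it consistent: `###### To enable the Safe Attachments policy, use the Microsoft 365 Admin Center`. The same stale wording survives in exchange-atp-safe-links-office-disabled.json, whose `description` still reads "Advanced Threat Protection (ATP) Safe Links policy" (and contains "URL\u0027s that existing inside", which should be "URLs that exist inside") while its `displayName` and `rationale` were updated. The portal navigation in these remediation steps (`Threat management` > `Policy`) may also predate the current portal layout; worth confirming against the 3.1.0 benchmark text the compliance entry now cites.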
@@ -24,14 +24,14 @@
],
"compliance": [
{
- "name": "CIS Microsoft 365 Foundations",
- "version": "1.4.0",
- "reference": "2.4"
+ "name": "CIS Microsoft 365 Foundations Benchmark",
+ "version": "3.1.0",
+ "reference": "2.1.4",
+ "profile": "E5 Level 2"
}
],
"level": "medium",
"tags": [
- "Microsoft 365 CIS benchmark 4.8"
],
"rule": {
"path": "o365_exo_safe_attachment_policy",
@@ -77,13 +77,15 @@
],
"actions": {
"objectData": {
- "expand": [
+ "properties": [
"*"
],
+ "expandObject": null,
"limit": null
},
"showGoToButton": "True",
- "showModalButton": "True"
+ "showModalButton": "True",
+ "directLink": null
}
},
"text": {
@@ -97,7 +99,7 @@
"keyName": [
],
- "message": "Check if ATP Safe Attachments policy is enabled",
+ "message": "Check if Safe Attachments policy is enabled",
"defaultMessage": null
},
"properties": {
@@ -108,7 +110,7 @@
"onlyStatus": false
}
},
- "idSuffix": "o365_exo_safe_attachment_policy_disabled",
+ "idSuffix": "m365_exo_safe_attachment_policy_disabled",
"notes": [
],
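Review bot: Renaming `idSuffix` from `o365_exo_safe_attachment_policy_disabled` to `m365_exo_safe_attachment_policy_disabled` changes the finding's identifier; if that value is what downstream consumers key on (suppressions, accepted-risk baselines, SIEM or ticket correlation), every existing reference to the old id silently stops matching, so previously triaged findings resurface as new or suppressed ones are lost. The same rename appears in the idSuffix hunks of exchange-atp-safe-links-office-disabled.json (`o365_exo_safe_links_office_disabled`) and exchange-spam-policies-notify-admin-disabled.json (`o365_exo_outbound_spam_notification_disabled`). If the rule schema has no alias field, recording the old→new id mapping in the commit description or changelog gives operators a way to migrate their baselines.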
@@ -116,3 +118,4 @@
]
}
+
diff --git a/rules/findings/Microsoft365/ExchangeOnline/Advanced Threat Protection/CIS1.4/exchange-atp-safe-links-office-disabled.json b/rules/findings/Microsoft365/Exchange Online/Advanced Threat Protection/CIS3.1/exchange-atp-safe-links-office-disabled.json
similarity index 87%
rename from rules/findings/Microsoft365/ExchangeOnline/Advanced Threat Protection/CIS1.4/exchange-atp-safe-links-office-disabled.json
rename to rules/findings/Microsoft365/Exchange Online/Advanced Threat Protection/CIS3.1/exchange-atp-safe-links-office-disabled.json
index 21502a97..194089b5 100644
--- a/rules/findings/Microsoft365/ExchangeOnline/Advanced Threat Protection/CIS1.4/exchange-atp-safe-links-office-disabled.json
+++ b/rules/findings/Microsoft365/Exchange Online/Advanced Threat Protection/CIS3.1/exchange-atp-safe-links-office-disabled.json
@@ -1,13 +1,13 @@
-{
+{
"args": [
],
"provider": "Microsoft365",
"serviceType": "Exchange Online",
"serviceName": "Microsoft 365",
- "displayName": "Ensure O365 ATP SafeLinks for Office Applications is Enabled",
+ "displayName": "Ensure Safe Links for Office Applications is Enabled",
"description": "Enabling the Advanced Threat Protection (ATP) Safe Links policy for Office applications allows URL\u0027s that existing inside of Office documents opened by Office, Office Online and Office mobile to be processed against ATP time-of-click verification.",
- "rationale": "ATP Safe Links for Office applications extends phishing protection to documents that contain hyperlinks, even after they have been delivered to a user.",
+ "rationale": "Safe Links for Office applications extends phishing protection to documents that contain hyperlinks, even after they have been delivered to a user.",
"impact": "User impact associated with this change is minor - users may experience a very short delay when clicking on URLs in Office documents before being directed to the requested site.",
"remediation": {
"text": "###### To enable the ATP Safe Links policy for Office, use the Microsoft 365 Admin Center\r\n\t\t\t\t\t1. Select `Admin Center` and Click to expand `Security`.\r\n\t\t\t\t\t2. Navigate to `Threat management` and select `Policy`.\r\n\t\t\t\t\t3. Select `Safe Links` followed by `Global Settings`.\r\n\t\t\t\t\t4. Select `Use Safe Links in Office 365 apps and Do not let users click through to the original URL in Office 365 apps`.\r\n\t\t\t\t\t5. Click `Save`.\t\t\r\n\t\t\t\t\t\r\n\t\t\t\t\t###### To enable the ATP Safe Links policy for Office 365, use the Exchange Online PowerShell Module\r\n\t\t\t\t\t1. Connect to Exchange Online using `Connect-ExchangeOnline`\r\n\t\t\t\t\t2. Run the following PowerShell command:\t\t\t\t\t\r\n\t\t\t\t\t```powershell\r\n\t\t\t\t\tSet-AtpPolicyForO365 -AllowClickThrough $False -EnableSafeLinksForClients $true\r\n\t\t\t\t\t```",
@@ -24,14 +24,14 @@
],
"compliance": [
{
- "name": "CIS Microsoft 365 Foundations",
- "version": "1.4.0",
- "reference": "2.3"
+ "name": "CIS Microsoft 365 Foundations Benchmark",
+ "version": "3.1.0",
+ "reference": "2.1.1",
+ "profile": "E5 Level 2"
}
],
"level": "medium",
"tags": [
- "Microsoft 365 CIS benchmark 2.3"
],
"rule": {
"path": "o365_exo_atp_policy",
@@ -95,13 +95,15 @@
],
"actions": {
"objectData": {
- "expand": [
+ "properties": [
"*"
],
+ "expandObject": null,
"limit": null
},
"showGoToButton": "True",
- "showModalButton": "True"
+ "showModalButton": "True",
+ "directLink": null
}
},
"text": {
@@ -126,7 +128,7 @@
"onlyStatus": false
}
},
- "idSuffix": "o365_exo_safe_links_office_disabled",
+ "idSuffix": "m365_exo_safe_links_office_disabled",
"notes": [
],
@@ -134,3 +136,4 @@
]
}
+
diff --git a/rules/findings/Microsoft365/ExchangeOnline/Advanced Threat Protection/CIS2.0/exchange-atp-safe-links-office365-apps-disabled.json b/rules/findings/Microsoft365/Exchange Online/Advanced Threat Protection/CIS3.1/exchange-atp-safe-links-office365-apps-disabled.json
similarity index 96%
rename from rules/findings/Microsoft365/ExchangeOnline/Advanced Threat Protection/CIS2.0/exchange-atp-safe-links-office365-apps-disabled.json
rename to rules/findings/Microsoft365/Exchange Online/Advanced Threat Protection/CIS3.1/exchange-atp-safe-links-office365-apps-disabled.json
index e8d67a83..2b75dad5 100644
--- a/rules/findings/Microsoft365/ExchangeOnline/Advanced Threat Protection/CIS2.0/exchange-atp-safe-links-office365-apps-disabled.json
+++ b/rules/findings/Microsoft365/Exchange Online/Advanced Threat Protection/CIS3.1/exchange-atp-safe-links-office365-apps-disabled.json
@@ -1,4 +1,4 @@
-{
+{
"args": [
],
@@ -71,13 +71,15 @@
],
"actions": {
"objectData": {
- "expand": [
+ "properties": [
"*"
],
+ "expandObject": null,
"limit": null
},
"showGoToButton": false,
- "showModalButton": false
+ "showModalButton": false,
+ "directLink": null
}
},
"text": {
@@ -110,3 +112,4 @@
]
}
+
diff --git a/rules/findings/Microsoft365/ExchangeOnline/Anti Spam Protection/CIS1.4/exchange-outbound-spam-disabled.json b/rules/findings/Microsoft365/Exchange Online/Anti Spam Protection/CIS3.1/exchange-spam-policies-notify-admin-disabled.json
similarity index 83%
rename from rules/findings/Microsoft365/ExchangeOnline/Anti Spam Protection/CIS1.4/exchange-outbound-spam-disabled.json
rename to rules/findings/Microsoft365/Exchange Online/Anti Spam Protection/CIS3.1/exchange-spam-policies-notify-admin-disabled.json
index d506507d..1046f3c9 100644
--- a/rules/findings/Microsoft365/ExchangeOnline/Anti Spam Protection/CIS1.4/exchange-outbound-spam-disabled.json
+++ b/rules/findings/Microsoft365/Exchange Online/Anti Spam Protection/CIS3.1/exchange-spam-policies-notify-admin-disabled.json
@@ -1,12 +1,12 @@
-{
+{
"args": [
],
"provider": "Microsoft365",
"serviceType": "Exchange Online",
"serviceName": "Microsoft 365",
- "displayName": "Ensure Exchange Online Spam Policies are set correctly",
- "description": "Organisations should set Exchange Online Spam Policies to copy emails and notify someone when a sender in your tenant has been blocked for sending spam emails.",
+ "displayName": "Ensure Exchange Online Spam Policies are set to notify administrators",
+ "description": "In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, email messages are automatically protected against spam (junk email) by EOP. Configure Exchange Online Spam Policies to copy emails and notify someone when a sender in the organization has been blocked for sending spam emails.",
"rationale": "A blocked account is a good indication that the account in question has been breached and an attacker is using it to send spam emails to other people.",
"impact": "Notification of users that have been blocked should not cause an impact to the user.",
"remediation": {
@@ -24,14 +24,14 @@
],
"compliance": [
{
- "name": "CIS Microsoft 365 Foundations",
- "version": "1.4.0",
- "reference": "4.2"
+ "name": "CIS Microsoft 365 Foundations Benchmark",
+ "version": "3.1.0",
+ "reference": "2.1.6",
+ "profile": "E3 Level 1"
}
],
"level": "medium",
"tags": [
- "Microsoft 365 CIS benchmark 4.2"
],
"rule": {
"path": "o365_exo_hosted_spam_policy",
@@ -93,13 +93,15 @@
],
"actions": {
"objectData": {
- "expand": [
+ "properties": [
"*"
],
+ "expandObject": null,
"limit": null
},
"showGoToButton": "True",
- "showModalButton": "True"
+ "showModalButton": "True",
+ "directLink": null
}
},
"text": {
@@ -124,7 +126,7 @@
"onlyStatus": false
}
},
- "idSuffix": "o365_exo_outbound_spam_notification_disabled",
+ "idSuffix": "m365_exo_outbound_spam_notification_disabled",
"notes": [
],
@@ -132,3 +134,4 @@
]
}
+
diff --git a/rules/findings/Microsoft365/Exchange Online/DNS/CIS3.1/exchange-dkim-disabled-for-domain.json b/rules/findings/Microsoft365/Exchange Online/DNS/CIS3.1/exchange-dkim-disabled-for-domain.json
new file mode 100644
index 00000000..d7d0acff
--- /dev/null
+++ b/rules/findings/Microsoft365/Exchange Online/DNS/CIS3.1/exchange-dkim-disabled-for-domain.json
@@ -0,0 +1,107 @@
+{
+ "args": [
+
+ ],
+ "provider": "Microsoft365",
+ "serviceType": "Exchange Online",
+ "serviceName": "Microsoft 365",
+ "displayName": "Ensure that DKIM is enabled for all Exchange Online Domains",
+ "description": "DKIM is one of the trio of Authentication methods (SPF, DKIM and DMARC) that help prevent attackers from sending messages that look like they come from your domain. DKIM lets an organization add a digital signature to outbound email messages in the message header. When DKIM is configured, the organization authorizes it's domain to associate, or sign, its name to an email message using cryptographic authentication. Email systems that get email from this domain can use a digital signature to help verify whether incoming email is legitimate. Use of DKIM in addition to SPF and DMARC to help prevent malicious actors using spoofing techniques from sending messages that look like they are coming from your domain.",
+ "rationale": "By enabling DKIM with Office 365, messages that are sent from Exchange Online will be cryptographically signed. This will allow the receiving email system to validate that the messages were generated by a server that the organization authorized and not being spoofed. ",
+ "impact": "There should be no impact of setting up DKIM however, organizations should ensure appropriate setup to ensure continuous mail-flow.",
+ "remediation": {
+ "text": "",
+ "code": {
+ "powerShell": null,
+ "iac": null,
+ "terraform": null,
+ "other": null
+ }
+ },
+ "recommendation": null,
+ "references": [
+ "https://learn.microsoft.com/en-us/defender-office-365/email-authentication-dkim-configure?view=o365-worldwide"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations Benchmark",
+ "version": "3.1.0",
+ "reference": "2.1.9",
+ "profile": "E3 Level 1"
+ }
+ ],
+ "level": "medium",
+ "tags": [
+
+ ],
+ "rule": {
+ "path": "",
+ "subPath": null,
+ "selectCondition": {
+
+ },
+ "query": [
+ ],
+ "shouldExist": null,
+ "returnObject": null,
+ "removeIfNotExists": null
+ },
+ "output": {
+ "html": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "table": null,
+ "decorate": [
+
+ ],
+ "emphasis": [
+
+ ],
+ "actions": {
+ "objectData": {
+ "properties": [
+ "*"
+ ],
+ "expandObject": null,
+ "limit": null
+ },
+ "showGoToButton": false,
+ "showModalButton": false,
+ "directLink": null
+ }
+ },
+ "text": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "status": {
+ "keyName": [
+
+ ],
+ "message": "Ensure that DKIM is enabled for all Exchange Online Domains",
+ "defaultMessage": null
+ },
+ "properties": {
+ "resourceName": null,
+ "resourceId": null,
+ "resourceType": null
+ },
+ "onlyStatus": false
+ }
+ },
+ "idSuffix": "m365_lack_dkim_in_domain",
+ "notes": [
+
+ ],
+ "categories": [
+
+ ]
+}
+
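Review bot: This finding is titled per-domain ("for all Exchange Online Domains") but `output.text.properties` sets `resourceName`, `resourceId` and `resourceType` all to null, so a failing result will not identify which domain lacks DKIM signing and the operator has to re-derive that elsewhere; once `path` is populated, mapping `"resourceName": "<domain name property>"` (placeholder — use the collector's actual field) would make the finding actionable. Two text fixes in the `description`: "authorizes it's domain" should be "authorizes its domain", and "Use of DKIM in addition to SPF and DMARC to help prevent…" is a sentence fragment (e.g. "Use DKIM in addition to SPF and DMARC to help prevent…"); the `rationale` string also ends with a trailing space. The `status.message` repeats the `displayName` rather than stating the failed condition, e.g. `"message": "DKIM is not enabled for this Exchange Online domain"`.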
diff --git a/rules/findings/Microsoft365/Exchange Online/DNS/CIS3.1/exchange-missing-dmarc-records.json b/rules/findings/Microsoft365/Exchange Online/DNS/CIS3.1/exchange-missing-dmarc-records.json
new file mode 100644
index 00000000..e5f9b3c1
--- /dev/null
+++ b/rules/findings/Microsoft365/Exchange Online/DNS/CIS3.1/exchange-missing-dmarc-records.json
@@ -0,0 +1,108 @@
+{
+ "args": [
+
+ ],
+ "provider": "Microsoft365",
+ "serviceType": "Exchange Online",
+ "serviceName": "Microsoft 365",
+ "displayName": "Ensure DMARC Records for all Exchange Online domains are published",
+ "description": "DMARC, or Domain-based Message Authentication, Reporting, and Conformance, assists recipient mail systems in determining the appropriate action to take when messages from a domain fail to meet SPF or DKIM authentication criteria.",
+ "rationale": "DMARC strengthens the trustworthiness of messages sent from an organization's domain to destination email systems. By integrating DMARC with SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail), organizations can significantly enhance their defenses against email spoofing and phishing attempts.",
+ "impact": "There should be no impact of setting up DMARC however, organizations should ensure appropriate setup to ensure continuous mail-flow.",
+ "remediation": {
+ "text": "",
+ "code": {
+ "powerShell": null,
+ "iac": null,
+ "terraform": null,
+ "other": null
+ }
+ },
+ "recommendation": null,
+ "references": [
+ "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/email-authentication-dmarc-configure?view=o365-worldwide",
+ "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/step-by-step-guides/how-to-enable-dmarc-reporting-for-microsoft-online-email-routing-address-moera-and-parked-domains?view=o365-worldwide"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations Benchmark",
+ "version": "3.1.0",
+ "reference": "2.1.10",
+ "profile": "E3 Level 1"
+ }
+ ],
+ "level": "medium",
+ "tags": [
+
+ ],
+ "rule": {
+ "path": "",
+ "subPath": null,
+ "selectCondition": {
+
+ },
+ "query": [
+ ],
+ "shouldExist": null,
+ "returnObject": null,
+ "removeIfNotExists": null
+ },
+ "output": {
+ "html": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "table": null,
+ "decorate": [
+
+ ],
+ "emphasis": [
+
+ ],
+ "actions": {
+ "objectData": {
+ "properties": [
+ "*"
+ ],
+ "expandObject": null,
+ "limit": null
+ },
+ "showGoToButton": false,
+ "showModalButton": false,
+ "directLink": null
+ }
+ },
+ "text": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "status": {
+ "keyName": [
+
+ ],
+ "message": "Ensure that DMARC is enabled for all Exchange Online Domains",
+ "defaultMessage": null
+ },
+ "properties": {
+ "resourceName": null,
+ "resourceId": null,
+ "resourceType": null
+ },
+ "onlyStatus": false
+ }
+ },
+ "idSuffix": "m365_lack_dmarc_in_domain",
+ "notes": [
+
+ ],
+ "categories": [
+
+ ]
+}
+
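Review bot: The `rule` object in this new finding is a non-functional stub: `"path": ""`, an empty `selectCondition`, an empty `query`, and `shouldExist`/`returnObject` both `null`, so if `path` is meant to name the collected dataset as it does in the renamed rules on this page (`"path": "o365_exo_sharing_policy"`), this check can never evaluate anything and will silently never raise a finding. Either point `path` at the dataset that holds the accepted domains and their DMARC TXT lookup, or mark the rule as manual so a reader of the report does not mistake "no finding" for "DMARC published". The same stub pattern appears in exchange-spf-records-are-published-for-all-exchange-domains.json, exchange-defender-for-cloud-apps-not-enabled.json, exchange-audit-enabled-globally.json and exchange-priority-account-protection-not-enabled.json. Separately, `status.message` says `"Ensure that DMARC is enabled for all Exchange Online Domains"` while `displayName` says the records are "published"; DMARC is a DNS record, not a toggle, so `"message": "Ensure DMARC records for all Exchange Online domains are published"` would match the title and the control.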
diff --git a/rules/findings/Microsoft365/Exchange Online/DNS/CIS3.1/exchange-spf-records-are-published-for-all-exchange-domains.json b/rules/findings/Microsoft365/Exchange Online/DNS/CIS3.1/exchange-spf-records-are-published-for-all-exchange-domains.json
new file mode 100644
index 00000000..77c59603
--- /dev/null
+++ b/rules/findings/Microsoft365/Exchange Online/DNS/CIS3.1/exchange-spf-records-are-published-for-all-exchange-domains.json
@@ -0,0 +1,107 @@
+{
+ "args": [
+
+ ],
+ "provider": "Microsoft365",
+ "serviceType": "Exchange Online",
+ "serviceName": "Microsoft 365",
+ "displayName": "Ensure that SPF records are published for all Exchange Domains",
+ "description": "For each domain that is configured in Exchange, a corresponding Sender Policy Framework (SPF) record should be created.",
+ "rationale": "SPF records allow Exchange Online Protection and other mail systems to know where messages from domains are allowed to originate. This information can be used by that system to determine how to treat the message based on if it is being spoofed or is valid.",
+ "impact": "There should be minimal impact of setting up SPF records however, organizations should ensure proper SPF record setup as email could be flagged as spam if SPF is not setup appropriately.",
+ "remediation": {
+ "text": "",
+ "code": {
+ "powerShell": null,
+ "iac": null,
+ "terraform": null,
+ "other": null
+ }
+ },
+ "recommendation": null,
+ "references": [
+ "https://learn.microsoft.com/en-us/defender-office-365/email-authentication-spf-configure?view=o365-worldwide"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations Benchmark",
+ "version": "3.1.0",
+ "reference": "2.1.8",
+ "profile": "E3 Level 1"
+ }
+ ],
+ "level": "medium",
+ "tags": [
+
+ ],
+ "rule": {
+ "path": "",
+ "subPath": null,
+ "selectCondition": {
+
+ },
+ "query": [
+ ],
+ "shouldExist": null,
+ "returnObject": null,
+ "removeIfNotExists": null
+ },
+ "output": {
+ "html": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "table": null,
+ "decorate": [
+
+ ],
+ "emphasis": [
+
+ ],
+ "actions": {
+ "objectData": {
+ "properties": [
+ "*"
+ ],
+ "expandObject": null,
+ "limit": null
+ },
+ "showGoToButton": false,
+ "showModalButton": false,
+ "directLink": null
+ }
+ },
+ "text": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "status": {
+ "keyName": [
+
+ ],
+ "message": "Ensure that SPF records are published for all Exchange Domains",
+ "defaultMessage": null
+ },
+ "properties": {
+ "resourceName": null,
+ "resourceId": null,
+ "resourceType": null
+ },
+ "onlyStatus": false
+ }
+ },
+ "idSuffix": "m365_lack_spf_domain",
+ "notes": [
+
+ ],
+ "categories": [
+
+ ]
+}
+
diff --git a/rules/findings/Microsoft365/Exchange Online/Defender/CIS3.1/exchange-defender-for-cloud-apps-not-enabled.json b/rules/findings/Microsoft365/Exchange Online/Defender/CIS3.1/exchange-defender-for-cloud-apps-not-enabled.json
new file mode 100644
index 00000000..eb48cd90
--- /dev/null
+++ b/rules/findings/Microsoft365/Exchange Online/Defender/CIS3.1/exchange-defender-for-cloud-apps-not-enabled.json
@@ -0,0 +1,128 @@
+{
+ "args": [
+
+ ],
+ "provider": "Microsoft365",
+ "serviceType": "Exchange Online",
+ "serviceName": "Microsoft 365",
+ "displayName": "Ensure Microsoft Defender for Cloud Apps is enabled and configured",
+ "description": "
+ Microsoft Defender for Cloud Apps is a Cloud Access Security Broker (CASB). It provides visibility into suspicious activity in Microsoft 365, enabling investigation into potential security issues and facilitating the implementation of remediation measures if necessary. Some risk detection methods provided by Entra Identity Protection also require Microsoft Defender for Cloud Apps:
+
+ * Suspicious manipulation of inbox rules
+ * Suspicious inbox forwarding
+ * New country detection
+ * Impossible travel detection
+ * Activity from anonymous IP addresses
+ * Mass access to sensitive files
+ ",
+ "rationale": "Security teams can receive notifications of triggered alerts for atypical or suspicious activities, see how the organization's data in Microsoft 365 is accessed and used, suspend user accounts exhibiting suspicious activity, and require users to log back in to Microsoft 365 apps after an alert has been triggered.",
+ "impact": null,
+ "remediation": {
+ "text": "
+ ###### Configure Information Protection and Cloud Discovery:
+ 1. Navigate to Microsoft 365 Defender https://security.microsoft.com/
+ 2. Select Settings > Cloud apps.
+ 3. Scroll to Information Protection and select Files.
+ 4. Check Enable file monitoring.
+ 5. Scroll up to Cloud Discovery and select Microsoft Defender for Endpoint.
+ 6. Check Enforce app access, configure a Notification URL and Save.
+ ",
+ "code": {
+ "powerShell": null,
+ "iac": null,
+ "terraform": null,
+ "other": null
+ }
+ },
+ "recommendation": null,
+ "references": [
+ "https://learn.microsoft.com/en-us/defender-cloud-apps/connect-office-365",
+ "https://learn.microsoft.com/en-us/defender-cloud-apps/connect-azure",
+ "https://learn.microsoft.com/en-us/defender-cloud-apps/best-practices",
+ "https://learn.microsoft.com/en-us/defender-cloud-apps/get-started",
+ "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations Benchmark",
+ "version": "3.1.0",
+ "reference": "2.4.3",
+ "profile": "E5 Level 2"
+ }
+ ],
+ "level": "info",
+ "tags": [
+
+ ],
+ "rule": {
+ "path": "",
+ "subPath": null,
+ "selectCondition": {
+
+ },
+ "query": [
+ ],
+ "shouldExist": null,
+ "returnObject": null,
+ "removeIfNotExists": null
+ },
+ "output": {
+ "html": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "table": null,
+ "decorate": [
+
+ ],
+ "emphasis": [
+
+ ],
+ "actions": {
+ "objectData": {
+ "properties": [
+ "*"
+ ],
+ "expandObject": null,
+ "limit": null
+ },
+ "showGoToButton": false,
+ "showModalButton": false,
+ "directLink": null
+ }
+ },
+ "text": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "status": {
+ "keyName": [
+
+ ],
+ "message": "Ensure Microsoft Defender for Cloud Apps is enabled and configured",
+ "defaultMessage": null
+ },
+ "properties": {
+ "resourceName": null,
+ "resourceId": null,
+ "resourceType": null
+ },
+ "onlyStatus": false
+ }
+ },
+ "idSuffix": "m365_exo_defender_cloud_apps_not_enabled",
+ "notes": [
+
+ ],
+ "categories": [
+
+ ]
+}
+
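Review bot: The `description` and `remediation.text` values contain raw line breaks inside the string literal (the string opened at `"description": "` spans several physical lines, as does `"text": "`), which RFC 8259 forbids — control characters in strings must be escaped as `\n`, and a strict parser (`jq`, Python `json`, most JS/.NET deserialisers) will reject the whole file. If the loader used by this project is known to tolerate multi-line strings, the rule files become tied to that one parser and will break any external tooling that lints or indexes the rule set; otherwise collapse each value to a single line using `\n` escapes. The same multi-line strings appear in exchange-audit-enabled-globally.json (`description`, `rationale`, `remediation.text`), exchange-priority-account-protection-not-enabled.json and exchange-priority-accounts-lacks-strict-protection.json.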
diff --git a/rules/findings/Microsoft365/ExchangeOnline/General/CIS1.4/exchange-anti-phishing-policy-disabled.json b/rules/findings/Microsoft365/Exchange Online/General/CIS3.1/exchange-anti-phishing-policy-disabled.json
similarity index 92%
rename from rules/findings/Microsoft365/ExchangeOnline/General/CIS1.4/exchange-anti-phishing-policy-disabled.json
rename to rules/findings/Microsoft365/Exchange Online/General/CIS3.1/exchange-anti-phishing-policy-disabled.json
index 12447696..8e40e48a 100644
--- a/rules/findings/Microsoft365/ExchangeOnline/General/CIS1.4/exchange-anti-phishing-policy-disabled.json
+++ b/rules/findings/Microsoft365/Exchange Online/General/CIS3.1/exchange-anti-phishing-policy-disabled.json
@@ -1,4 +1,4 @@
-{
+{
"args": [
],
@@ -25,9 +25,10 @@
],
"compliance": [
{
- "name": "CIS Microsoft 365 Foundations",
- "version": "1.3.0",
- "reference": "4.10"
+ "name": "CIS Microsoft 365 Foundations Benchmark",
+ "version": "3.1.0",
+ "reference": "2.1.7",
+ "profile": "E5 Level 1"
}
],
"level": "medium",
@@ -82,13 +83,15 @@
],
"actions": {
"objectData": {
- "expand": [
+ "properties": [
"*"
],
+ "expandObject": null,
"limit": null
},
"showGoToButton": false,
- "showModalButton": false
+ "showModalButton": false,
+ "directLink": null
}
},
"text": {
@@ -113,7 +116,7 @@
"onlyStatus": false
}
},
- "idSuffix": "o365_exo_anti_phishing_policy_disabled",
+ "idSuffix": "m365_exo_anti_phishing_policy_disabled",
"notes": [
],
@@ -121,3 +124,4 @@
]
}
+
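Review bot: Renaming `idSuffix` from `o365_exo_anti_phishing_policy_disabled` to `m365_exo_anti_phishing_policy_disabled` changes the finding's stable identifier, so anything keyed on the old value — exclusion/suppression lists, report diffs between scans, SIEM correlation on the finding id — will no longer match, and the commit does not mention a migration. If `idSuffix` feeds the finding id as its name suggests, consider keeping the old suffix, or documenting the id change in the release notes and providing an alias map. The same rename occurs in exchange-calendar-sharing-external-user-enabled.json, exchange-customer-lockout-feature-enabled.json, exchange-mailtips-disabled.json, exchange-modern-authentication-disabled.json and exchange-owa-external-storage-allowed.json.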
diff --git a/rules/findings/Microsoft365/Exchange Online/General/CIS3.1/exchange-audit-enabled-globally.json b/rules/findings/Microsoft365/Exchange Online/General/CIS3.1/exchange-audit-enabled-globally.json
new file mode 100644
index 00000000..3f8cc8e9
--- /dev/null
+++ b/rules/findings/Microsoft365/Exchange Online/General/CIS3.1/exchange-audit-enabled-globally.json
@@ -0,0 +1,129 @@
+{
+ "args": [
+
+ ],
+ "provider": "Microsoft365",
+ "serviceType": "Exchange Online",
+ "serviceName": "Microsoft 365",
+ "displayName": "Ensure 'AuditDisabled' organizationally is set to 'False'",
+ "description": "
+ The value False indicates that mailbox auditing on by default is turned on for the organization. Mailbox auditing on by default in the organization overrides the mailbox auditing settings on individual mailboxes. For example, if mailbox auditing is turned off for a mailbox (the AuditEnabled property on the mailbox is False), the default mailbox actions are still audited for the mailbox, because mailbox auditing on by default is turned on for the organization. Turning off mailbox auditing on by default ($true) has the following results:
+
+ * Mailbox auditing is turned off for your organization.
+ * From the time you turn off mailbox auditing on by default, no mailbox actions are audited, even if mailbox auditing is enabled on a mailbox (the AuditEnabled property on the mailbox is True).
+ * Mailbox auditing isn't turned on for new mailboxes and setting the AuditEnabled property on a new or existing mailbox to True is ignored.
+ * Any mailbox audit bypass association settings (configured by using the Set MailboxAuditBypassAssociation cmdlet) are ignored.
+ * Existing mailbox audit records are retained until the audit log age limit for the record expires.
+
+ The recommended state for this setting is False at the organization level. This will enable auditing and enforce the default.
+ ",
+ "rationale": "
+ Enforcing the default ensures auditing was not turned off intentionally or accidentally. Auditing mailbox actions will allow forensics and IR teams to trace various malicious activities that can generate TTPs caused by inbox access and tampering.
+ **NOTE** : Without advanced auditing (E5 function) the logs are limited to 90 days.
+ ",
+ "impact": "None - this is the default behavior as of 2019.",
+ "remediation": {
+ "text": "
+ ###### Enable mailbox auditing at the organizational level:
+ 1. Connect to Exchange Online using Connect-ExchangeOnline.
+ 2. Run the following PowerShell command:
+
+ ```PowerShell
+ Set-OrganizationConfig -AuditDisabled $false
+ ```
+ ",
+ "code": {
+ "powerShell": null,
+ "iac": null,
+ "terraform": null,
+ "other": null
+ }
+ },
+ "recommendation": null,
+ "references": [
+ "https://learn.microsoft.com/en-us/microsoft-365/compliance/audit-mailboxes?view=o365-worldwide",
+ "https://learn.microsoft.com/en-us/powershell/module/exchange/set-organizationconfig?view=exchange-ps#-auditdisabled"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations Benchmark",
+ "version": "3.1.0",
+ "reference": "6.1.1",
+ "profile": "E3 Level 1"
+ }
+ ],
+ "level": "medium",
+ "tags": [
+
+ ],
+ "rule": {
+ "path": "",
+ "subPath": null,
+ "selectCondition": {
+
+ },
+ "query": [
+ ],
+ "shouldExist": null,
+ "returnObject": null,
+ "removeIfNotExists": null
+ },
+ "output": {
+ "html": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "table": null,
+ "decorate": [
+
+ ],
+ "emphasis": [
+
+ ],
+ "actions": {
+ "objectData": {
+ "properties": [
+ "*"
+ ],
+ "expandObject": null,
+ "limit": null
+ },
+ "showGoToButton": false,
+ "showModalButton": false,
+ "directLink": null
+ }
+ },
+ "text": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "status": {
+ "keyName": [
+
+ ],
+ "message": "Ensure 'AuditDisabled' organizationally is set to 'False'",
+ "defaultMessage": null
+ },
+ "properties": {
+ "resourceName": null,
+ "resourceId": null,
+ "resourceType": null
+ },
+ "onlyStatus": false
+ }
+ },
+ "idSuffix": "m365_exo_audit_enabled_globally",
+ "notes": [
+
+ ],
+ "categories": [
+
+ ]
+}
+
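Review bot: The remediation command `Set-OrganizationConfig -AuditDisabled $false` is embedded in a markdown fence inside `remediation.text` while the structured slot for it, `remediation.code.powerShell`, is left `null`, so any consumer that renders or executes `code.powerShell` gets nothing. Populate `"powerShell": "Set-OrganizationConfig -AuditDisabled $false"` and keep the prose in `text`. The description also refers to the `Set MailboxAuditBypassAssociation cmdlet` without the hyphen; the cmdlet is `Set-MailboxAuditBypassAssociation`, and a reader copying the name as written will not find it.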
diff --git a/rules/findings/Microsoft365/ExchangeOnline/General/CIS1.4/exchange-calendar-sharing-external-user-enabled.json b/rules/findings/Microsoft365/Exchange Online/General/CIS3.1/exchange-calendar-sharing-external-user-enabled.json
similarity index 85%
rename from rules/findings/Microsoft365/ExchangeOnline/General/CIS1.4/exchange-calendar-sharing-external-user-enabled.json
rename to rules/findings/Microsoft365/Exchange Online/General/CIS3.1/exchange-calendar-sharing-external-user-enabled.json
index 95bcfd71..c82bf55e 100644
--- a/rules/findings/Microsoft365/ExchangeOnline/General/CIS1.4/exchange-calendar-sharing-external-user-enabled.json
+++ b/rules/findings/Microsoft365/Exchange Online/General/CIS3.1/exchange-calendar-sharing-external-user-enabled.json
@@ -1,12 +1,12 @@
-{
+{
"args": [
],
"provider": "Microsoft365",
"serviceType": "Exchange Online",
"serviceName": "Microsoft 365",
- "displayName": "Ensure calendar details sharing with external users is disabled",
- "description": "Consider to not allow your users to share the full details of their calendars with external users.",
+ "displayName": "Ensure 'External sharing' of calendars is not available",
+ "description": "External calendar sharing allows an administrator to enable the ability for users to share calendars with anyone outside of the organization. Outside users will be sent a URL that can be used to view the calendar.",
"rationale": "Attackers often spend time learning about your organization before launching an attack. Publicly available calendars can help attackers understand organizational relationships and determine when specific users may be more vulnerable to an attack, such as when they are traveling.",
"impact": "This functionality is not widely used. As a result, it is unlikely that implementation of this setting will cause an impact to most users. Users that do utilize this functionality are likely to experience a minor inconvenience when scheduling meetings or synchronizing calendars with people outside the tenant.",
"remediation": {
@@ -25,13 +25,13 @@
"compliance": [
{
"name": "CIS Microsoft 365 Foundations",
- "version": "1.3.0",
- "reference": "2.2"
+ "version": "3.1.0",
+ "reference": "1.3.3",
+ "profile": "E3 Level 2"
}
],
"level": "medium",
"tags": [
- "Microsoft 365 CIS benchmark 2.2"
],
"rule": {
"path": "o365_exo_sharing_policy",
@@ -78,13 +78,15 @@
],
"actions": {
"objectData": {
- "expand": [
+ "properties": [
"*"
],
+ "expandObject": null,
"limit": null
},
"showGoToButton": "True",
- "showModalButton": "True"
+ "showModalButton": "True",
+ "directLink": null
}
},
"text": {
@@ -109,7 +111,7 @@
"onlyStatus": false
}
},
- "idSuffix": "o365_exo_calendar_sharing_external_enabled",
+ "idSuffix": "m365_exo_calendar_sharing_external_enabled",
"notes": [
],
@@ -117,3 +119,4 @@
]
}
+
diff --git a/rules/findings/Microsoft365/ExchangeOnline/General/CIS1.4/exchange-customer-lockout-feature-enabled.json b/rules/findings/Microsoft365/Exchange Online/General/CIS3.1/exchange-customer-lockout-feature-enabled.json
similarity index 92%
rename from rules/findings/Microsoft365/ExchangeOnline/General/CIS1.4/exchange-customer-lockout-feature-enabled.json
rename to rules/findings/Microsoft365/Exchange Online/General/CIS3.1/exchange-customer-lockout-feature-enabled.json
index 9a231cbf..7b7a3182 100644
--- a/rules/findings/Microsoft365/ExchangeOnline/General/CIS1.4/exchange-customer-lockout-feature-enabled.json
+++ b/rules/findings/Microsoft365/Exchange Online/General/CIS3.1/exchange-customer-lockout-feature-enabled.json
@@ -1,4 +1,4 @@
-{
+{
"args": [
],
@@ -24,9 +24,10 @@
],
"compliance": [
{
- "name": "CIS Microsoft 365 Foundations",
- "version": "1.3.0",
- "reference": "3.1"
+ "name": "CIS Microsoft 365 Foundations Benchmark",
+ "version": "3.1.0",
+ "reference": "1.3.6",
+ "profile": "E5 Level 2"
}
],
"level": "medium",
@@ -77,13 +78,15 @@
],
"actions": {
"objectData": {
- "expand": [
+ "properties": [
"*"
],
+ "expandObject": null,
"limit": null
},
"showGoToButton": "True",
- "showModalButton": "True"
+ "showModalButton": "True",
+ "directLink": null
}
},
"text": {
@@ -108,7 +111,7 @@
"onlyStatus": false
}
},
- "idSuffix": "o365_exo_customer_lockout_disabled",
+ "idSuffix": "m365_exo_customer_lockout_disabled",
"notes": [
],
@@ -116,3 +119,4 @@
]
}
+
diff --git a/rules/findings/Microsoft365/ExchangeOnline/General/CIS1.4/exchange-mailtips-disabled.json b/rules/findings/Microsoft365/Exchange Online/General/CIS3.1/exchange-mailtips-disabled.json
similarity index 80%
rename from rules/findings/Microsoft365/ExchangeOnline/General/CIS1.4/exchange-mailtips-disabled.json
rename to rules/findings/Microsoft365/Exchange Online/General/CIS3.1/exchange-mailtips-disabled.json
index 1f32a4b8..23ccfcb2 100644
--- a/rules/findings/Microsoft365/ExchangeOnline/General/CIS1.4/exchange-mailtips-disabled.json
+++ b/rules/findings/Microsoft365/Exchange Online/General/CIS3.1/exchange-mailtips-disabled.json
@@ -1,4 +1,4 @@
-{
+{
"args": [
],
@@ -6,7 +6,7 @@
"serviceType": "Exchange Online",
"serviceName": "Microsoft 365",
"displayName": "Ensure MailTips are enabled for end users",
- "description": "Consider to enable MailTips, which is designed to assist end users with identifying strange patterns to emails they send.",
+ "description": "MailTips are informative messages displayed to users while they're composing a message. While a new message is open and being composed, Exchange analyzes the message (including recipients). If a potential problem is detected, the user is notified with a MailTip prior to sending the message. Using the information in the MailTip, the user can adjust the message to avoid undesirable situations or non-delivery reports (also known as NDRs or bounce messages).",
"rationale": "Setting up MailTips gives a visual aid to users when they send emails to large groups of recipients or send emails to recipients not within the tenant.",
"impact": "",
"remediation": {
@@ -24,9 +24,10 @@
],
"compliance": [
{
- "name": "CIS Microsoft 365 Foundations",
- "version": "1.3.0",
- "reference": "4.15"
+ "name": "CIS Microsoft 365 Foundations Benchmark",
+ "version": "3.1.0",
+ "reference": "6.5.2",
+ "profile": "E3 Level 1"
}
],
"level": "medium",
@@ -95,13 +96,15 @@
],
"actions": {
"objectData": {
- "expand": [
+ "properties": [
"*"
],
+ "expandObject": null,
"limit": null
},
"showGoToButton": "True",
- "showModalButton": "True"
+ "showModalButton": "True",
+ "directLink": null
}
},
"text": {
@@ -126,7 +129,7 @@
"onlyStatus": false
}
},
- "idSuffix": "o365_exo_mailtips_disabled",
+ "idSuffix": "m365_exo_mailtips_disabled",
"notes": [
],
@@ -134,3 +137,4 @@
]
}
+
diff --git a/rules/findings/Microsoft365/ExchangeOnline/General/CIS1.4/exchange-modern-authentication-disabled.json b/rules/findings/Microsoft365/Exchange Online/General/CIS3.1/exchange-modern-authentication-disabled.json
similarity index 92%
rename from rules/findings/Microsoft365/ExchangeOnline/General/CIS1.4/exchange-modern-authentication-disabled.json
rename to rules/findings/Microsoft365/Exchange Online/General/CIS3.1/exchange-modern-authentication-disabled.json
index 5b929a9b..99d0f039 100644
--- a/rules/findings/Microsoft365/ExchangeOnline/General/CIS1.4/exchange-modern-authentication-disabled.json
+++ b/rules/findings/Microsoft365/Exchange Online/General/CIS3.1/exchange-modern-authentication-disabled.json
@@ -1,4 +1,4 @@
-{
+{
"args": [
],
@@ -24,9 +24,10 @@
],
"compliance": [
{
- "name": "CIS Microsoft 365 Foundations",
- "version": "1.3.0",
- "reference": "1.2"
+ "name": "CIS Microsoft 365 Foundations Benchmark",
+ "version": "3.1.0",
+ "reference": "6.5.1",
+ "profile": "E3 Level 1"
}
],
"level": "medium",
@@ -77,13 +78,15 @@
],
"actions": {
"objectData": {
- "expand": [
+ "properties": [
"*"
],
+ "expandObject": null,
"limit": null
},
"showGoToButton": "True",
- "showModalButton": "True"
+ "showModalButton": "True",
+ "directLink": null
}
},
"text": {
@@ -108,7 +111,7 @@
"onlyStatus": false
}
},
- "idSuffix": "o365_exo_modern_auth_disabled",
+ "idSuffix": "m365_exo_modern_auth_disabled",
"notes": [
],
@@ -116,3 +119,4 @@
]
}
+
diff --git a/rules/findings/Microsoft365/ExchangeOnline/General/CIS1.4/exchange-owa-external-storage-allowed.json b/rules/findings/Microsoft365/Exchange Online/General/CIS3.1/exchange-owa-external-storage-allowed.json
similarity index 84%
rename from rules/findings/Microsoft365/ExchangeOnline/General/CIS1.4/exchange-owa-external-storage-allowed.json
rename to rules/findings/Microsoft365/Exchange Online/General/CIS3.1/exchange-owa-external-storage-allowed.json
index b8ec46ee..112c38f0 100644
--- a/rules/findings/Microsoft365/ExchangeOnline/General/CIS1.4/exchange-owa-external-storage-allowed.json
+++ b/rules/findings/Microsoft365/Exchange Online/General/CIS3.1/exchange-owa-external-storage-allowed.json
@@ -1,12 +1,12 @@
-{
+{
"args": [
],
"provider": "Microsoft365",
"serviceType": "Exchange Online",
"serviceName": "Microsoft 365",
- "displayName": "Ensure external storage providers available in Outlook on the Web are restricted",
- "description": "Consider to restrict storage providers that are integrated with Outlook on the Web.",
+ "displayName": "Ensure additional storage providers are restricted in Outlook on the web",
+ "description": "This setting allows users to open certain external files while working in Outlook on the web. If allowed, keep in mind that Microsoft doesn't control the use terms or privacy policies of those third-party services.",
"rationale": "By default additional storage providers are allowed in Outlook on the Web (such as Box, Dropbox, Facebook, Google Drive, OneDrive Personal, etc.). This could lead to information leakage and additional risk of infection from organizational non-trusted storage providers. Restricting this will inherently reduce risk as it will narrow opportunities for infection and data leakage.",
"impact": "Impact associated with this change is highly dependent upon current practices in the tenant. If users do not use other storage providers, then minimal impact is likely. However, if users do regularly utilize providers outside of the tenant this will affect their ability to continue to do so.",
"remediation": {
@@ -24,14 +24,14 @@
],
"compliance": [
{
- "name": "CIS Microsoft 365 Foundations",
- "version": "1.3.0",
- "reference": "6.4"
+ "name": "CIS Microsoft 365 Foundations Benchmark",
+ "version": "3.1.0",
+ "reference": "6.5.3",
+ "profile": "E3 Level 2"
}
],
"level": "medium",
"tags": [
- "Microsoft 365 CIS benchmark 6.4"
],
"rule": {
"path": "o365_exo_owa_mbox_policy",
@@ -78,13 +78,15 @@
],
"actions": {
"objectData": {
- "expand": [
+ "properties": [
"*"
],
+ "expandObject": null,
"limit": null
},
"showGoToButton": "True",
- "showModalButton": "True"
+ "showModalButton": "True",
+ "directLink": null
}
},
"text": {
@@ -109,7 +111,7 @@
"onlyStatus": false
}
},
- "idSuffix": "o365_exo_owa_additional_storage_allowed",
+ "idSuffix": "m365_exo_owa_additional_storage_allowed",
"notes": [
],
@@ -117,3 +119,4 @@
]
}
+
diff --git a/rules/findings/Microsoft365/Exchange Online/General/CIS3.1/exchange-priority-account-protection-not-enabled.json b/rules/findings/Microsoft365/Exchange Online/General/CIS3.1/exchange-priority-account-protection-not-enabled.json
new file mode 100644
index 00000000..5523b39c
--- /dev/null
+++ b/rules/findings/Microsoft365/Exchange Online/General/CIS3.1/exchange-priority-account-protection-not-enabled.json
@@ -0,0 +1,115 @@
+{
+ "args": [
+
+ ],
+ "provider": "Microsoft365",
+ "serviceType": "Exchange Online",
+ "serviceName": "Microsoft 365",
+ "displayName": "Ensure Priority account protection is enabled and configured",
+ "description": "
+ Identify priority accounts to utilize Microsoft 365's advanced custom security features. This is an essential tool to bolster protection for users who are frequently targeted due to their critical positions, such as executives, leaders, managers, or others who have access to sensitive, confidential, financial, or high-priority information.
+ Once these accounts are identified, several services and features can be enabled, including threat policies, enhanced sign-in protection through conditional access policies, and alert policies, enabling faster response times for incident response teams.
+ ",
+ "rationale": "
+ Enabling priority account protection for users in Microsoft 365 is necessary to enhance security for accounts with access to sensitive data and high privileges, such as CEOs, CISOs, CFOs, and IT admins. These priority accounts are often targeted by spear phishing or whaling attacks and require stronger protection to prevent account compromise.
+ To address this, Microsoft 365 and Microsoft Defender for Office 365 offer several key features that provide extra security, including the identification of incidents and alerts involving priority accounts and the use of built-in custom protections designed specifically for them.
+ ",
+ "impact": null,
+ "remediation": {
+ "text": "
+ ",
+ "code": {
+ "powerShell": null,
+ "iac": null,
+ "terraform": null,
+ "other": null
+ }
+ },
+ "recommendation": null,
+ "references": [
+ "https://learn.microsoft.com/en-us/microsoft-365/admin/setup/priority-accounts",
+ "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/security-recommendations-for-priority-accounts"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations Benchmark",
+ "version": "3.1.0",
+ "reference": "2.4.1",
+ "profile": "E5 Level 1"
+ }
+ ],
+ "level": "medium",
+ "tags": [
+
+ ],
+ "rule": {
+ "path": "",
+ "subPath": null,
+ "selectCondition": {
+
+ },
+ "query": [
+ ],
+ "shouldExist": null,
+ "returnObject": null,
+ "removeIfNotExists": null
+ },
+ "output": {
+ "html": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "table": null,
+ "decorate": [
+
+ ],
+ "emphasis": [
+
+ ],
+ "actions": {
+ "objectData": {
+ "properties": [
+ "*"
+ ],
+ "expandObject": null,
+ "limit": null
+ },
+ "showGoToButton": false,
+ "showModalButton": false,
+ "directLink": null
+ }
+ },
+ "text": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "status": {
+ "keyName": [
+
+ ],
+ "message": "Ensure Priority account protection is enabled and configured",
+ "defaultMessage": null
+ },
+ "properties": {
+ "resourceName": null,
+ "resourceId": null,
+ "resourceType": null
+ },
+ "onlyStatus": false
+ }
+ },
+ "idSuffix": "m365_exo_priority_account_not_enabled",
+ "notes": [
+
+ ],
+ "categories": [
+
+ ]
+}
+
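Review bot: `remediation.text` here is a string containing only a line break and indentation (`"text": "` followed by `",` on the next line), so it is neither the `""` used by exchange-missing-dmarc-records.json nor `null`, and a renderer that checks for an empty or null remediation will print a blank section instead of omitting it. Pick one convention for "no remediation" across the rule set — `""` or `null` — and apply it here; the same mixed use shows in `"impact": null` in this file versus `"impact": ""` in exchange-mailtips-disabled.json. Given the references already list the priority-accounts setup and security-recommendation pages, a one-line `text` pointing to tagging the accounts under Settings > Priority accounts would make the finding actionable rather than leaving it empty.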
diff --git a/rules/findings/Microsoft365/Exchange Online/General/CIS3.1/exchange-priority-accounts-lacks-strict-protection.json b/rules/findings/Microsoft365/Exchange Online/General/CIS3.1/exchange-priority-accounts-lacks-strict-protection.json
new file mode 100644
index 00000000..009f20a7
--- /dev/null
+++ b/rules/findings/Microsoft365/Exchange Online/General/CIS3.1/exchange-priority-accounts-lacks-strict-protection.json
@@ -0,0 +1,121 @@
+{
+ "args": [
+
+ ],
+ "provider": "Microsoft365",
+ "serviceType": "Exchange Online",
+ "serviceName": "Microsoft 365",
+ "displayName": "Ensure Priority accounts have 'Strict protection' presets applied",
+ "description": "
+ Preset security policies have been established by Microsoft, utilizing observations and experiences within datacenters to strike a balance between the exclusion of malicious content from users and limiting unwarranted disruptions. These policies can apply to all, or select users and encompass recommendations for addressing spam, malware, and phishing threats. The policy parameters are pre-determined and non-adjustable. Strict protection has the most aggressive protection of the 3 presets.
+
+ * EOP: Anti-spam, Anti-malware and Anti-phishing
+ * Defender: Spoof protection, Impersonation protection and Advanced phishing
+ * Defender: Safe Links and Safe Attachments
+
+ *NOTE: The preset security polices cannot target Priority account TAGS currently, groups should be used instead.*
+ ",
+ "rationale": "
+ Enabling priority account protection for users in Microsoft 365 is necessary to enhance security for accounts with access to sensitive data and high privileges, such as CEOs, CISOs, CFOs, and IT admins. These priority accounts are often targeted by spear phishing or whaling attacks and require stronger protection to prevent account compromise.
+ The implementation of stringent, pre-defined policies may result in instances of false positive, however, the benefit of requiring the end-user to preview junk email before accessing their inbox outweighs the potential risk of mistakenly perceiving a malicious email as safe due to its placement in the inbox.
+ ",
+ "impact": "Strict policies are more likely to cause false positives in anti-spam, phishing, impersonation, spoofing and intelligence responses.",
+ "remediation": {
+ "text": "
+ ",
+ "code": {
+ "powerShell": null,
+ "iac": null,
+ "terraform": null,
+ "other": null
+ }
+ },
+ "recommendation": null,
+ "references": [
+ "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/preset-security-policies?view=o365-worldwide",
+ "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/security-recommendations-for-priority-accounts",
+ "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/recommended-settings-for-eop-and-office365?view=o365-worldwide#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations Benchmark",
+ "version": "3.1.0",
+ "reference": "2.4.2",
+ "profile": "E5 Level 1"
+ }
+ ],
+ "level": "medium",
+ "tags": [
+
+ ],
+ "rule": {
+ "path": "",
+ "subPath": null,
+ "selectCondition": {
+
+ },
+ "query": [
+ ],
+ "shouldExist": null,
+ "returnObject": null,
+ "removeIfNotExists": null
+ },
+ "output": {
+ "html": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "table": null,
+ "decorate": [
+
+ ],
+ "emphasis": [
+
+ ],
+ "actions": {
+ "objectData": {
+ "properties": [
+ "*"
+ ],
+ "expandObject": null,
+ "limit": null
+ },
+ "showGoToButton": false,
+ "showModalButton": false,
+ "directLink": null
+ }
+ },
+ "text": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "status": {
+ "keyName": [
+
+ ],
+ "message": "Ensure Priority accounts have 'Strict protection' presets applied",
+ "defaultMessage": null
+ },
+ "properties": {
+ "resourceName": null,
+ "resourceId": null,
+ "resourceType": null
+ },
+ "onlyStatus": false
+ }
+ },
+ "idSuffix": "m365_exo_priority_account_strict_protection_not_enabled",
+ "notes": [
+
+ ],
+ "categories": [
+
+ ]
+}
+
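Review bot: The description, rationale and remediation.text values in this file are written with literal line breaks inside the string, which RFC 8259 does not permit; the existing rule renamed later in this commit (third-party-storage) encodes the same thing as `\r\n` escapes, so these new files only load if the rule loader is more lenient than a strict JSON parser. The same layout appears in the external-sender, mail-forwarding, shared-mailbox and comprehensive-attachment-filtering files added by this commit. Separately, `"path": ""` together with an empty `query` leaves the rule with nothing to evaluate, so the finding presumably never fires; if this is a placeholder pending a collector, a line in `notes` saying so would keep it from being mistaken for a working check.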
diff --git a/rules/findings/Microsoft365/Exchange Online/IAM/CIS3.1/exchange-users-installing-outlook-add-ins-allowed.json b/rules/findings/Microsoft365/Exchange Online/IAM/CIS3.1/exchange-users-installing-outlook-add-ins-allowed.json
new file mode 100644
index 00000000..e68a88ab
--- /dev/null
+++ b/rules/findings/Microsoft365/Exchange Online/IAM/CIS3.1/exchange-users-installing-outlook-add-ins-allowed.json
@@ -0,0 +1,112 @@
+{
+ "args": [
+
+ ],
+ "provider": "Microsoft365",
+ "serviceType": "Exchange Online",
+ "serviceName": "Microsoft 365",
+ "displayName": "Ensure users installing Outlook add-ins is not allowed",
+ "description": "Specify the administrators and users who can install and manage add-ins for Outlook in Exchange Online By default, users can install add-ins in their Microsoft Outlook Desktop client, allowing data access within the client application.",
+ "rationale": "Attackers exploit vulnerable or custom add-ins to access user data. Disabling user-installed add-ins in Microsoft Outlook reduces this threat surface.",
+ "impact": "Implementing this change will impact both end users and administrators. End users will be unable to integrate third-party applications they desire, and administrators may receive requests to grant permission for necessary third-party apps.",
+ "remediation": {
+ "text": "
+ ###### To remediate using the UI:
+ 1. Navigate to Exchange admin center https://admin.exchange.microsoft.com.
+ 2. Click to expand Roles select User roles.
+ 3. Select Default Role Assignment Policy.
+ 4. In the properties pane on the right click on Manage permissions.
+ 5. Under Other roles uncheck My Custom Apps, My Marketplace Apps and My ReadWriteMailboxApps.
+ 6. Click Save changes.
+ ",
+ "code": {
+ "powerShell": null,
+ "iac": null,
+ "terraform": null,
+ "other": null
+ }
+ },
+ "recommendation": null,
+ "references": [
+ "https://learn.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/add-ins-for-outlook/specify-who-can-install-and-manage-add-ins?source=recommendations",
+ "https://learn.microsoft.com/en-us/exchange/permissions-exo/role-assignment-policies"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations Benchmark",
+ "version": "3.1.0",
+ "reference": "6.3.1",
+ "profile": "E3 Level 2"
+ }
+ ],
+ "level": "medium",
+ "tags": [
+ ],
+ "rule": {
+ "path": "",
+ "subPath": null,
+ "selectCondition": {
+
+ },
+ "query": [
+ ],
+ "shouldExist": null,
+ "returnObject": null,
+ "removeIfNotExists": null
+ },
+ "output": {
+ "html": {
+ "data": {
+ "expandObject": null
+ },
+ "table": "Normal",
+ "decorate": [
+
+ ],
+ "emphasis": [
+
+ ],
+ "actions": {
+ "objectData": {
+ "properties": [
+ "*"
+ ],
+ "expandObject": null,
+ "limit": null
+ },
+ "showGoToButton": "True",
+ "showModalButton": "True",
+ "directLink": null
+ }
+ },
+ "text": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "status": {
+ "keyName": [
+
+ ],
+ "message": "Ensure users installing Outlook add-ins is not allowed",
+ "defaultMessage": null
+ },
+ "properties": {
+ "resourceName": null,
+ "resourceId": null,
+ "resourceType": null
+ },
+ "onlyStatus": false
+ }
+ },
+ "idSuffix": "m365_exo_users_allowed_to_install_outlook_addIns",
+ "notes": [
+
+ ],
+ "categories": [
+
+ ]
+}
+
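Review bot: `showGoToButton` and `showModalButton` under `output.html.actions` are the strings `"True"` here, while the strict-protection and mail-forwarding rules added in this commit use the boolean `false`, so the same key now has two types across the rule set; a consumer that tests truthiness will also treat the `"False"` strings in the shared-mailbox rule as enabled. Unless the loader is known to normalise these strings, `"showGoToButton": true,` and `"showModalButton": true,` match the other new files; the external-sender rule carries the same two string values. The description also runs two sentences together: "…add-ins for Outlook in Exchange Online By default…" needs a period before "By default".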
diff --git a/rules/findings/Microsoft365/Exchange Online/MailBoxes/CIS3.1/exo-sign-in-shared-mailbox-enabled.json b/rules/findings/Microsoft365/Exchange Online/MailBoxes/CIS3.1/exo-sign-in-shared-mailbox-enabled.json
new file mode 100644
index 00000000..42a05545
--- /dev/null
+++ b/rules/findings/Microsoft365/Exchange Online/MailBoxes/CIS3.1/exo-sign-in-shared-mailbox-enabled.json
@@ -0,0 +1,110 @@
+{
+ "args": [
+
+ ],
+ "provider": "EntraID",
+ "serviceType": "Users",
+ "serviceName": "Microsoft Entra ID",
+ "displayName": "Ensure sign-in to shared mailboxes is blocked",
+ "description": "
+ Shared mailboxes are used when multiple people need access to the same mailbox, such as a company information or support email address, reception desk, or other function that might be shared by multiple people.
+ Users with permissions to the group mailbox can send as or send on behalf of the mailbox email address if the administrator has given that user permissions to do that. This is particularly useful for help and support mailboxes because users can send emails from `Contoso Support` or `Building A Reception Desk`.
+ Shared mailboxes are created with a corresponding user account using a system generated password that is unknown at the time of creation. The recommended state is Sign in blocked for Shared mailboxes.
+ ",
+ "rationale": "The intent of the shared mailbox is the only allow delegated access from other mailboxes. An admin could reset the password, or an attacker could potentially gain access to the shared mailbox allowing the direct sign-in to the shared mailbox and subsequently the sending of email from a sender that does not have a unique identity. To prevent this, block sign-in for the account that is associated with the shared mailbox.",
+ "impact": null,
+ "remediation": {
+ "text": "",
+ "code": {
+ "powerShell": null,
+ "iac": null,
+ "terraform": null,
+ "other": null
+ }
+ },
+ "recommendation": null,
+ "references": [
+ "https://learn.microsoft.com/en-us/microsoft-365/admin/email/about-shared-mailboxes?view=o365-worldwide",
+ "https://learn.microsoft.com/en-us/microsoft-365/admin/email/create-a-shared-mailbox?view=o365-worldwide#block-sign-in-for-the-shared-mailbox-account",
+ "https://learn.microsoft.com/en-us/microsoft-365/enterprise/block-user-accounts-with-microsoft-365-powershell?view=o365-worldwide#block-individual-user-accounts"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "3.1.0",
+ "reference": "1.2.2",
+ "profile": "E3 Level 1"
+ }
+ ],
+ "level": "medium",
+ "tags": [
+
+ ],
+ "rule": {
+ "path": "",
+ "subPath": null,
+ "selectCondition": {
+
+ },
+ "query": [
+ ],
+ "shouldExist": null,
+ "returnObject": null,
+ "removeIfNotExists": "true"
+ },
+ "output": {
+ "html": {
+ "data": {
+ "expandObject": null
+ },
+ "table": "Normal",
+ "decorate": [
+
+ ],
+ "emphasis": [
+
+ ],
+ "actions": {
+ "objectData": {
+ "properties": [
+ "*"
+ ],
+ "expandObject": null,
+ "limit": null
+ },
+ "showGoToButton": "False",
+ "showModalButton": "False",
+ "directLink": null
+ }
+ },
+ "text": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "status": {
+ "keyName": [
+
+ ],
+ "message": "Ensure Guest Users are reviewed at least biweekly",
+ "defaultMessage": "Ensure Guest Users are reviewed at least biweekly"
+ },
+ "properties": {
+ "resourceName": null,
+ "resourceId": null,
+ "resourceType": null
+ },
+ "onlyStatus": true
+ }
+ },
+ "idSuffix": "eid_lack_emergency_account",
+ "notes": [
+
+ ],
+ "categories": [
+
+ ]
+}
+
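Review bot: `output.text.status.message` and `defaultMessage` read "Ensure Guest Users are reviewed at least biweekly", which is a different check from the displayName "Ensure sign-in to shared mailboxes is blocked", and `idSuffix` is `eid_lack_emergency_account`, which looks copied from another Entra ID rule and would give two rules the same finding id; both need replacing, e.g. `"message": "Ensure sign-in to shared mailboxes is blocked"` for the two status strings and an idSuffix following the `m365_exo_` pattern of the sibling files (for instance `m365_exo_shared_mailbox_sign_in_allowed`, a suggested name). The compliance entry is named "CIS Microsoft Azure Foundations" with version 3.1.0 / reference 1.2.2, whereas every other entry in this commit uses `"name": "CIS Microsoft 365 Foundations Benchmark"`, so the Azure name appears to be another leftover. `"removeIfNotExists": "true"` is a string where the other new rules use null, and `provider` is "EntraID" for a file placed under the Exchange Online path — worth confirming which of the two the loader keys on.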
diff --git a/rules/findings/Microsoft365/Admin/CIS2.0/third-party-storage-allowed-microsoft365.json b/rules/findings/Microsoft365/Exchange Online/MailBoxes/CIS3.1/third-party-storage-allowed-microsoft365.json
similarity index 88%
rename from rules/findings/Microsoft365/Admin/CIS2.0/third-party-storage-allowed-microsoft365.json
rename to rules/findings/Microsoft365/Exchange Online/MailBoxes/CIS3.1/third-party-storage-allowed-microsoft365.json
index c36e5112..05e5ea7a 100644
--- a/rules/findings/Microsoft365/Admin/CIS2.0/third-party-storage-allowed-microsoft365.json
+++ b/rules/findings/Microsoft365/Exchange Online/MailBoxes/CIS3.1/third-party-storage-allowed-microsoft365.json
@@ -1,11 +1,11 @@
-{
+{
"args": [
],
"provider": "Microsoft365",
"serviceType": "Microsoft 365 Admin",
"serviceName": "Microsoft 365",
- "displayName": "Ensure \u0027third-party storage services\u0027 are restricted in \u0027Microsoft 365 on the web\u0027",
+ "displayName": "Ensure 'third-party storage services' are restricted in 'Microsoft 365 on the web'",
"description": "Third-party storage can be enabled for users in Microsoft 365, allowing them to store and share documents using services such as Dropbox, alongside OneDrive and team sites.\r\n\t\t\t\t Ensure `Microsoft 365 on the web` third-party storage services are restricted.",
"rationale": "By using external storage services an organization may increases the risk of data breaches and unauthorized access to confidential information. Additionally, third-party services may not adhere to the same security standards as the organization, making it difficult to maintain data privacy and security.",
"impact": "Impact associated with this change is highly dependent upon current practices in the tenant. If users do not use other storage providers, then minimal impact is likely. However, if users do regularly utilize providers outside of the tenant this will affect their ability to continue to do so.",
@@ -24,14 +24,14 @@
],
"compliance": [
{
- "name": "CIS Microsoft 365 Foundations",
- "version": "2.0.0",
- "reference": "6.4"
+ "name": "CIS Microsoft 365 Foundations Benchmark",
+ "version": "3.1.0",
+ "reference": "1.3.7",
+ "profile": "E3 Level 2"
}
],
"level": "low",
"tags": [
- "Microsoft 365 CIS benchmark 2.0 reference 6.4"
],
"rule": {
"path": "o365_exo_owa_mbox_policy",
@@ -75,13 +75,15 @@
],
"actions": {
"objectData": {
- "expand": [
+ "properties": [
"*"
],
+ "expandObject": null,
"limit": null
},
"showGoToButton": false,
- "showModalButton": false
+ "showModalButton": false,
+ "directLink": null
}
},
"text": {
@@ -106,7 +108,7 @@
"onlyStatus": false
}
},
- "idSuffix": "o365_admin_thirdparty_storage_allowed",
+ "idSuffix": "m365_admin_thirdparty_storage_allowed",
"notes": [
],
@@ -114,3 +116,4 @@
]
}
+
diff --git a/rules/findings/Microsoft365/Exchange Online/MailFlow/CIS3.1/exchange-external-email-sender-configured.json b/rules/findings/Microsoft365/Exchange Online/MailFlow/CIS3.1/exchange-external-email-sender-configured.json
new file mode 100644
index 00000000..c4516065
--- /dev/null
+++ b/rules/findings/Microsoft365/Exchange Online/MailFlow/CIS3.1/exchange-external-email-sender-configured.json
@@ -0,0 +1,114 @@
+{
+ "args": [
+
+ ],
+ "provider": "Microsoft365",
+ "serviceType": "Exchange Online",
+ "serviceName": "Microsoft 365",
+ "displayName": "Ensure email from external senders is identified",
+ "description": "
+ External callouts provide a native experience to identify emails from senders outside the organization. This is achieved by presenting a new tag on emails called `External` (the string is localized based on the client language setting) and exposing related user interface at the top of the message reading view to see and verify the real sender's email address.
+ Once this feature is enabled via PowerShell, it might take 24-48 hours for users to start seeing the External sender tag in email messages received from external sources (outside of your organization), providing their Outlook version supports it. The recommended state is ExternalInOutlook set to Enabled True
+ ",
+ "rationale": "Tagging emails from external senders helps to inform end users about the origin of the email. This can allow them to proceed with more caution and make informed decisions when it comes to identifying spam or phishing emails. Note: Existing emails in a user's inbox from external senders are not tagged retroactively.",
+ "impact": "Mail flow rules using external tagging will need to be disabled before enabling this to avoid duplicate `External` tags.",
+ "remediation": {
+ "text": "
+ ###### To enable external tagging using PowerShell:
+ 1. Connect to Exchange online using Connect-ExchangeOnline.
+ 2. Run the following PowerShell command:
+ ```PowerShell
+ Set-ExternalInOutlook -Enabled $true
+ ```
+ ",
+ "code": {
+ "powerShell": null,
+ "iac": null,
+ "terraform": null,
+ "other": null
+ }
+ },
+ "recommendation": null,
+ "references": [
+ "https://techcommunity.microsoft.com/t5/exchange-team-blog/native-external-sender-callouts-on-email-in-outlook/ba-p/2250098",
+ "https://learn.microsoft.com/en-us/powershell/module/exchange/set-externalinoutlook?view=exchange-ps"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations Benchmark",
+ "version": "3.1.0",
+ "reference": "6.2.3",
+ "profile": "E3 Level 1"
+ }
+ ],
+ "level": "medium",
+ "tags": [
+ ],
+ "rule": {
+ "path": "",
+ "subPath": null,
+ "selectCondition": {
+
+ },
+ "query": [
+ ],
+ "shouldExist": null,
+ "returnObject": null,
+ "removeIfNotExists": null
+ },
+ "output": {
+ "html": {
+ "data": {
+ "expandObject": null
+ },
+ "table": "Normal",
+ "decorate": [
+
+ ],
+ "emphasis": [
+
+ ],
+ "actions": {
+ "objectData": {
+ "properties": [
+ "*"
+ ],
+ "expandObject": null,
+ "limit": null
+ },
+ "showGoToButton": "True",
+ "showModalButton": "True",
+ "directLink": null
+ }
+ },
+ "text": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "status": {
+ "keyName": [
+
+ ],
+ "message": "Ensure email from external senders is identified",
+ "defaultMessage": null
+ },
+ "properties": {
+ "resourceName": null,
+ "resourceId": null,
+ "resourceType": null
+ },
+ "onlyStatus": false
+ }
+ },
+ "idSuffix": "m365_exo_external_sender_identifier_not_configured",
+ "notes": [
+
+ ],
+ "categories": [
+
+ ]
+}
+
diff --git a/rules/findings/Microsoft365/Exchange Online/MailFlow/CIS3.1/exchange-mail-forwarding-blocked-and-disabled.json b/rules/findings/Microsoft365/Exchange Online/MailFlow/CIS3.1/exchange-mail-forwarding-blocked-and-disabled.json
new file mode 100644
index 00000000..2285df36
--- /dev/null
+++ b/rules/findings/Microsoft365/Exchange Online/MailFlow/CIS3.1/exchange-mail-forwarding-blocked-and-disabled.json
@@ -0,0 +1,119 @@
+{
+ "args": [
+
+ ],
+ "provider": "Microsoft365",
+ "serviceType": "Exchange Online",
+ "serviceName": "Microsoft 365",
+ "displayName": "Ensure all forms of mail forwarding are blocked and/or disabled",
+ "description": "
+ Exchange Online offers several methods of managing the flow of email messages. These are Remote domain, Transport Rules, and Anti-spam outbound policies. These methods work together to provide comprehensive coverage for potential automatic forwarding channels:
+ * Outlook forwarding using inbox rules.
+ * Outlook forwarding configured using OOF rule.
+ * OWA forwarding setting (ForwardingSmtpAddress).
+ * Forwarding set by the admin using EAC (ForwardingAddress).
+ * Forwarding using Power Automate / Flow.
+
+ Ensure a Transport rule and Anti-spam outbound policy are used to block mail forwarding.
+ **NOTE** : Any exclusions should be implemented based on organizational policy.
+ ",
+ "rationale": "Attackers often create these rules to exfiltrate data from your tenancy, this could be accomplished via access to an end-user account or otherwise. An insider could also use one of these methods as a secondary channel to exfiltrate sensitive data.",
+ "impact": "Care should be taken before implementation to ensure there is no business need for case-by-case auto-forwarding. Disabling auto-forwarding to remote domains will affect all users and in an organization. Any exclusions should be implemented based on organizational policy.",
+ "remediation": {
+ "text": null,
+ "code": {
+ "powerShell": null,
+ "iac": null,
+ "terraform": null,
+ "other": null
+ }
+ },
+ "recommendation": null,
+ "references": [
+ "https://learn.microsoft.com/en-us/exchange/policy-and-compliance/mail-flow-rules/mail-flow-rule-procedures?view=exchserver-2019",
+ "https://techcommunity.microsoft.com/blog/exchange/all-you-need-to-know-about-automatic-email-forwarding-in-exchange-online/2074888",
+ "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/outbound-spam-policies-external-email-forwarding?view=o365-worldwide"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations Benchmark",
+ "version": "3.1.0",
+ "reference": "6.2.1",
+ "profile": "E3 Level 1"
+ }
+ ],
+ "level": "medium",
+ "tags": [
+
+ ],
+ "rule": {
+ "path": "",
+ "subPath": null,
+ "selectCondition": {
+
+ },
+ "query": [
+ ],
+ "shouldExist": null,
+ "returnObject": null,
+ "removeIfNotExists": null
+ },
+ "output": {
+ "html": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "table": null,
+ "decorate": [
+
+ ],
+ "emphasis": [
+
+ ],
+ "actions": {
+ "objectData": {
+ "properties": [
+ "*"
+ ],
+ "expandObject": null,
+ "limit": null
+ },
+ "showGoToButton": false,
+ "showModalButton": false,
+ "directLink": null
+ }
+ },
+ "text": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "status": {
+ "keyName": [
+
+ ],
+ "message": "Ensure all forms of mail forwarding are blocked and/or disabled",
+ "defaultMessage": null
+ },
+ "properties": {
+ "resourceName": null,
+ "resourceId": null,
+ "resourceType": null
+ },
+ "onlyStatus": false
+ }
+ },
+ "idSuffix": "m365_exo_mail_forwarding_enabled",
+ "notes": [
+
+ ],
+ "categories": [
+
+ ]
+}
+
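Review bot: The impact text reads "will affect all users and in an organization", which has a stray "and"; "will affect all users in an organization" reads as intended. As in the other new rules in this commit, `rule.path` is an empty string and `query` an empty array, so the finding currently has nothing to evaluate and should be marked as a placeholder in `notes` if that is deliberate.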
diff --git a/rules/findings/Microsoft365/ExchangeOnline/Mail Transport Rules/CIS1.4/exchange-transport-rules-domain-whitelisted.json b/rules/findings/Microsoft365/Exchange Online/MailFlow/CIS3.1/exchange-transport-rules-domain-whitelisted.json
similarity index 89%
rename from rules/findings/Microsoft365/ExchangeOnline/Mail Transport Rules/CIS1.4/exchange-transport-rules-domain-whitelisted.json
rename to rules/findings/Microsoft365/Exchange Online/MailFlow/CIS3.1/exchange-transport-rules-domain-whitelisted.json
index 6a51d571..eb6e157d 100644
--- a/rules/findings/Microsoft365/ExchangeOnline/Mail Transport Rules/CIS1.4/exchange-transport-rules-domain-whitelisted.json
+++ b/rules/findings/Microsoft365/Exchange Online/MailFlow/CIS3.1/exchange-transport-rules-domain-whitelisted.json
@@ -1,4 +1,4 @@
-{
+{
"args": [
],
@@ -6,7 +6,7 @@
"serviceType": "Exchange Online",
"serviceName": "Microsoft 365",
"displayName": "Ensure mail transport rules do not whitelist specific domains",
- "description": "Consider to set Exchange Online mail transport rules so they do not whitelist any specific domains.",
+ "description": "Mail flow rules (transport rules) in Exchange Online are used to identify and take action on messages that flow through the organization.",
"rationale": "Whitelisting domains in transport rules bypasses regular malware and phishing scanning, which can enable an attacker to launch attacks against your users from a safe haven domain.",
"impact": "Care should be taken before implementation to ensure there is no business need for case-by-case whitelisting. Removing all whitelisted domains could affect incoming mail flow to an organization although modern systems sending legitimate mail should have no issue with this.",
"remediation": {
@@ -25,14 +25,14 @@
],
"compliance": [
{
- "name": "CIS Microsoft 365 Foundations",
- "version": "1.3.0",
- "reference": "4.5"
+ "name": "CIS Microsoft 365 Foundations Benchmark",
+ "version": "3.1.0",
+ "reference": "6.2.2",
+ "profile": "E3 Level 1"
}
],
"level": "medium",
"tags": [
- "Microsoft 365 CIS benchmark 4.5"
],
"rule": {
"path": "o365_exo_transport_rules",
@@ -102,13 +102,15 @@
],
"actions": {
"objectData": {
- "expand": [
+ "properties": [
"*"
],
+ "expandObject": null,
"limit": null
},
"showGoToButton": "True",
- "showModalButton": "True"
+ "showModalButton": "True",
+ "directLink": null
}
},
"text": {
@@ -133,7 +135,7 @@
"onlyStatus": false
}
},
- "idSuffix": "o365_exo_transport_rules_domain_whitelisted",
+ "idSuffix": "m365_exo_transport_rules_domain_whitelisted",
"notes": [
],
@@ -141,3 +143,4 @@
]
}
+
diff --git a/rules/findings/Microsoft365/ExchangeOnline/Malware Protection/CIS1.4/exchange-common-attachment-type-filter-enabled.json b/rules/findings/Microsoft365/Exchange Online/Malware Protection/CIS3.1/exchange-common-attachment-type-filter-enabled.json
similarity index 92%
rename from rules/findings/Microsoft365/ExchangeOnline/Malware Protection/CIS1.4/exchange-common-attachment-type-filter-enabled.json
rename to rules/findings/Microsoft365/Exchange Online/Malware Protection/CIS3.1/exchange-common-attachment-type-filter-enabled.json
index 6adf290d..fd2ba9e5 100644
--- a/rules/findings/Microsoft365/ExchangeOnline/Malware Protection/CIS1.4/exchange-common-attachment-type-filter-enabled.json
+++ b/rules/findings/Microsoft365/Exchange Online/Malware Protection/CIS3.1/exchange-common-attachment-type-filter-enabled.json
@@ -1,4 +1,4 @@
-{
+{
"args": [
],
@@ -26,9 +26,10 @@
],
"compliance": [
{
- "name": "CIS Microsoft 365 Foundations",
- "version": "1.4.0",
- "reference": "4.1"
+ "name": "CIS Microsoft 365 Foundations Benchmark",
+ "version": "3.1.0",
+ "reference": "2.1.2",
+ "profile": "E3 Level 1"
}
],
"level": "medium",
@@ -96,13 +97,15 @@
],
"actions": {
"objectData": {
- "expand": [
+ "properties": [
"*"
],
+ "expandObject": null,
"limit": null
},
"showGoToButton": "True",
- "showModalButton": "True"
+ "showModalButton": "True",
+ "directLink": null
}
},
"text": {
@@ -127,7 +130,7 @@
"onlyStatus": false
}
},
- "idSuffix": "o365_exo_attachment_type_filter_disabled",
+ "idSuffix": "m365_exo_attachment_type_filter_disabled",
"notes": [
],
@@ -135,3 +138,4 @@
]
}
+
diff --git a/rules/findings/Microsoft365/Exchange Online/Malware Protection/CIS3.1/exchange-lack-of-comprehensive-attachment-filtering.json b/rules/findings/Microsoft365/Exchange Online/Malware Protection/CIS3.1/exchange-lack-of-comprehensive-attachment-filtering.json
new file mode 100644
index 00000000..016d8256
--- /dev/null
+++ b/rules/findings/Microsoft365/Exchange Online/Malware Protection/CIS3.1/exchange-lack-of-comprehensive-attachment-filtering.json
@@ -0,0 +1,112 @@
+{
+ "args": [
+
+ ],
+ "provider": "Microsoft365",
+ "serviceType": "Exchange Online",
+ "serviceName": "Microsoft 365",
+ "displayName": "Ensure comprehensive attachment filtering is applied",
+ "description": "The Common Attachment Types Filter lets a user block known and custom malicious file types from being attached to emails. The policy provided by Microsoft covers 53 extensions, and an additional custom list of extensions can be defined. The list of 187 extensions provided in this recommendation is comprehensive but not exhaustive.",
+ "rationale": "
+ Blocking known malicious file types can help prevent malware-infested files from infecting a host or performing other malicious attacks such as phishing and data extraction.
+ Defining a comprehensive list of attachments can help protect against additional unknown and known threats. Many legacy file formats, binary files and compressed files have been used as delivery mechanisms for malicious software. Organizations can protect themselves from Business E-mail Compromise (BEC) by allow-listing only the file types relevant to their line of business and blocking all others.
+ ",
+ "impact": "For file types that are business necessary users will need to use other organizationally approved methods to transfer blocked extension types between business partners.",
+ "remediation": {
+ "text": null,
+ "code": {
+ "powerShell": null,
+ "iac": null,
+ "terraform": null,
+ "other": null
+ }
+ },
+ "recommendation": null,
+ "references": [
+ "https://learn.microsoft.com/en-us/powershell/module/exchange/get-malwarefilterpolicy?view=exchange-ps",
+ "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-malware-policies-configure?view=o365-worldwide",
+ "https://learn.microsoft.com/en-us/deployoffice/compat/office-file-format-reference"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations Benchmark",
+ "version": "3.1.0",
+ "reference": "2.1.14",
+ "profile": "E3 Level 2"
+ }
+ ],
+ "level": "low",
+ "tags": [
+
+ ],
+ "rule": {
+ "path": "",
+ "subPath": null,
+ "selectCondition": {
+
+ },
+ "query": [
+ ],
+ "shouldExist": null,
+ "returnObject": null,
+ "removeIfNotExists": null
+ },
+ "output": {
+ "html": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "table": null,
+ "decorate": [
+
+ ],
+ "emphasis": [
+
+ ],
+ "actions": {
+ "objectData": {
+ "properties": [
+ "*"
+ ],
+ "expandObject": null,
+ "limit": null
+ },
+ "showGoToButton": false,
+ "showModalButton": false,
+ "directLink": null
+ }
+ },
+ "text": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "status": {
+ "keyName": [
+
+ ],
+ "message": "Ensure comprehensive attachment filtering is applied",
+ "defaultMessage": null
+ },
+ "properties": {
+ "resourceName": null,
+ "resourceId": null,
+ "resourceType": null
+ },
+ "onlyStatus": false
+ }
+ },
+ "idSuffix": "m365_exo_lack_attachment_filtering",
+ "notes": [
+
+ ],
+ "categories": [
+
+ ]
+}
+
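Review bot: The description points the reader to "the list of 187 extensions provided in this recommendation", but nothing in the file carries that list — `remediation.text` is null and `rule.query` is empty — so a reader of the finding has no list to act on. Either place the extension list in `remediation.text` (or `code.powerShell`, for which the remediation block already has a slot) or reword the description to say the list is in the referenced CIS benchmark item 2.1.14.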
diff --git a/rules/findings/Microsoft365/ExchangeOnline/Malware Protection/CIS1.4/exchange-anti-malware-admin-notification-disabled.json b/rules/findings/Microsoft365/Exchange Online/Malware Protection/CIS3.1/exchange-notifications-for-internal-users-sending-malware-disabled.json
similarity index 91%
rename from rules/findings/Microsoft365/ExchangeOnline/Malware Protection/CIS1.4/exchange-anti-malware-admin-notification-disabled.json
rename to rules/findings/Microsoft365/Exchange Online/Malware Protection/CIS3.1/exchange-notifications-for-internal-users-sending-malware-disabled.json
index a7b15704..a1813f64 100644
--- a/rules/findings/Microsoft365/ExchangeOnline/Malware Protection/CIS1.4/exchange-anti-malware-admin-notification-disabled.json
+++ b/rules/findings/Microsoft365/Exchange Online/Malware Protection/CIS3.1/exchange-notifications-for-internal-users-sending-malware-disabled.json
@@ -1,11 +1,11 @@
-{
+{
"args": [
],
"provider": "Microsoft365",
"serviceType": "Exchange Online",
"serviceName": "Microsoft 365",
- "displayName": "Ensure notifications for internal users sending malware is Enabled For Administrators",
+ "displayName": "Ensure notifications for internal users sending malware is Enabled",
"description": "Consider to setup the Exchange Online Protection malware filter to notify administrators if internal senders are blocked for sending malware.",
"rationale": "This setting alerts administrators that an internal user sent a message that contained malware. This may indicate an account or machine compromise, that would need to be investigated.",
"impact": "Notification of account with potential issues should not cause an impact to the user.",
@@ -24,9 +24,10 @@
],
"compliance": [
{
- "name": "CIS Microsoft 365 Foundations",
- "version": "1.4.0",
- "reference": "4.11"
+ "name": "CIS Microsoft 365 Foundations Benchmark",
+ "version": "3.1.0",
+ "reference": "2.1.3",
+ "profile": "E3 Level 1"
}
],
"level": "medium",
@@ -94,13 +95,15 @@
],
"actions": {
"objectData": {
- "expand": [
+ "properties": [
"*"
],
+ "expandObject": null,
"limit": null
},
"showGoToButton": "True",
- "showModalButton": "True"
+ "showModalButton": "True",
+ "directLink": null
}
},
"text": {
@@ -114,7 +117,7 @@
"keyName": [
],
- "message": "Ensure notifications for internal users sending malware is Enabled For Administrators",
+ "message": "Ensure notifications for internal users sending malware is Enabled",
"defaultMessage": null
},
"properties": {
@@ -125,7 +128,7 @@
"onlyStatus": false
}
},
- "idSuffix": "o365_exo_anti_malware_admin_notification_disabled",
+ "idSuffix": "m365_exo_anti_malware_admin_notification_disabled",
"notes": [
],
@@ -133,3 +136,4 @@
]
}
+
diff --git a/rules/findings/Microsoft365/Exchange Online/Malware Protection/CIS3.1/exchange-zap-for-teams-disabled.json b/rules/findings/Microsoft365/Exchange Online/Malware Protection/CIS3.1/exchange-zap-for-teams-disabled.json
new file mode 100644
index 00000000..92f421f0
--- /dev/null
+++ b/rules/findings/Microsoft365/Exchange Online/Malware Protection/CIS3.1/exchange-zap-for-teams-disabled.json
@@ -0,0 +1,113 @@
+{
+ "args": [
+
+ ],
+ "provider": "Microsoft365",
+ "serviceType": "Exchange Online",
+ "serviceName": "Microsoft 365",
+ "displayName": "Ensure Zero-hour auto purge for Microsoft Teams is on",
+ "description": "Zero-hour auto purge (ZAP) is a protection feature that retroactively detects and neutralizes malware and high confidence phishing. When ZAP for Teams protection blocks a message, the message is blocked for everyone in the chat. The initial block happens right after delivery, but ZAP occurs up to 48 hours after delivery.",
+ "rationale": "ZAP is intended to protect users that have received zero-day malware messages or content that is weaponized after being delivered to users. It does this by continually monitoring spam and malware signatures taking automated retroactive action on messages that have already been delivered.",
+ "impact": "As with any anti-malware or anti-phishing product false positives may occur.",
+ "remediation": {
+ "text": "
+ ###### To remediate using the UI:
+ 1. Navigate to Microsoft Defender https://security.microsoft.com/
+ 2. Click Settings > Email & collaboration > Microsoft Teams protection.
+ 3. Set Zero-hour auto purge (ZAP) to On (Default)
+ ",
+ "code": {
+ "powerShell": null,
+ "iac": null,
+ "terraform": null,
+ "other": null
+ }
+ },
+ "recommendation": null,
+ "references": [
+ "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/zero-hour-auto-purge?view=o365-worldwide#zero-hour-auto-purge-zap-in-microsoft-teams",
+ "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/mdo-support-teams-about?view=o365-worldwide#configure-zap-for-teams-protection-in-defender-for-office-365-plan-2"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations Benchmark",
+ "version": "3.1.0",
+ "reference": "2.4.4",
+ "profile": "E5 Level 1"
+ }
+ ],
+ "level": "medium",
+ "tags": [
+
+ ],
+ "rule": {
+ "path": "",
+ "subPath": null,
+ "selectCondition": {
+
+ },
+ "query": [
+ ],
+ "shouldExist": null,
+ "returnObject": null,
+ "removeIfNotExists": null
+ },
+ "output": {
+ "html": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "table": null,
+ "decorate": [
+
+ ],
+ "emphasis": [
+
+ ],
+ "actions": {
+ "objectData": {
+ "properties": [
+ "*"
+ ],
+ "expandObject": null,
+ "limit": null
+ },
+ "showGoToButton": false,
+ "showModalButton": false,
+ "directLink": null
+ }
+ },
+ "text": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "status": {
+ "keyName": [
+
+ ],
+ "message": "Ensure Zero-hour auto purge for Microsoft Teams is on",
+ "defaultMessage": null
+ },
+ "properties": {
+ "resourceName": null,
+ "resourceId": null,
+ "resourceType": null
+ },
+ "onlyStatus": false
+ }
+ },
+ "idSuffix": "m365_exo_zap_for_teams_not_enabled",
+ "notes": [
+
+ ],
+ "categories": [
+
+ ]
+}
+
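Review bot: The `rule` block has `"path": ""` and an empty `query`, so this medium-severity finding never evaluates the ZAP state it describes — it will either never fire or fire unconditionally, depending on how the engine treats an empty path. Unless an empty path is the project's marker for a manual check (the `info`-level review rules in this diff use the same shape, which suggests not), the rule needs a data source and a filter in the form the deleted `exchange-automatic-forward-enabled.json` hunk at the end of this diff uses, e.g. a condition like `["ZapEnabled", "eq", "False"]` over the collected Teams protection policy (the CIS 3.1 audit step reads `Get-TeamsProtectionPolicy`, if I recall correctly — verify which dataset name the collector exposes). `remediation.code.powerShell` is also null although the setting is scriptable; `Set-TeamsProtectionPolicy -ZapEnabled $true` would be the one-liner, to be confirmed against the referenced article.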
diff --git a/rules/findings/Microsoft365/Exchange Online/Reports/CIS3.1/exchange-account-provisioning-activity-report-is-reviewed.json b/rules/findings/Microsoft365/Exchange Online/Reports/CIS3.1/exchange-account-provisioning-activity-report-is-reviewed.json
new file mode 100644
index 00000000..3d8cc6df
--- /dev/null
+++ b/rules/findings/Microsoft365/Exchange Online/Reports/CIS3.1/exchange-account-provisioning-activity-report-is-reviewed.json
@@ -0,0 +1,114 @@
+{
+ "args": [
+
+ ],
+ "provider": "Microsoft365",
+ "serviceType": "Exchange Online",
+ "serviceName": "Microsoft 365",
+ "displayName": "Ensure the Account Provisioning Activity report is reviewed at least weekly",
+ "description": "The Account Provisioning Activity report details any account provisioning that was attempted by an external application.",
+ "rationale": "If the organization doesn't usually use a third-party provider to manage accounts, any entry on the list is likely illicit. Otherwise, it is recommended to monitor transaction volumes and look for new or unusual third party applications that may be managing users. If anything unusual is observed, the provider should be contacted to determine the legitimacy of the action.",
+ "impact": null,
+ "remediation": {
+ "text": "
+ ###### To review the Account Provisioning Activity report:
+ 1. Navigate to Microsoft 365 Defender https://security.microsoft.com.
+ 2. Click on Audit.
+ 3. Set Activities to Added user for User administration activities.
+ 4. Set Start Date and End Date.
+ 5. Click Search.
+ 6. Review.
+ ",
+ "code": {
+ "powerShell": null,
+ "iac": null,
+ "terraform": null,
+ "other": null
+ }
+ },
+ "recommendation": null,
+ "references": [
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations Benchmark",
+ "version": "3.1.0",
+ "reference": "2.3.1",
+ "profile": "E3 Level 1"
+ }
+ ],
+ "level": "info",
+ "tags": [
+
+ ],
+ "rule": {
+ "path": "",
+ "subPath": null,
+ "selectCondition": {
+
+ },
+ "query": [
+ ],
+ "shouldExist": null,
+ "returnObject": null,
+ "removeIfNotExists": null
+ },
+ "output": {
+ "html": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "table": null,
+ "decorate": [
+
+ ],
+ "emphasis": [
+
+ ],
+ "actions": {
+ "objectData": {
+ "properties": [
+ "*"
+ ],
+ "expandObject": null,
+ "limit": null
+ },
+ "showGoToButton": false,
+ "showModalButton": false,
+ "directLink": null
+ }
+ },
+ "text": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "status": {
+ "keyName": [
+
+ ],
+ "message": "Ensure the Account Provisioning Activity report is reviewed at least weekly",
+ "defaultMessage": null
+ },
+ "properties": {
+ "resourceName": null,
+ "resourceId": null,
+ "resourceType": null
+ },
+ "onlyStatus": false
+ }
+ },
+ "idSuffix": "m365_exo_account_provisioning_activity_report_is_reviewed",
+ "notes": [
+
+ ],
+ "categories": [
+
+ ]
+}
+
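Review bot: The `remediation.text` value (and the multi-line `description`/`rationale` strings in the sibling files) contains literal line breaks inside a JSON string, which RFC 8259 forbids; the deleted CIS1.4 rule at the bottom of this diff escaped them as `\r\n`. Whether this loads depends entirely on the parser — a Newtonsoft-backed `ConvertFrom-Json` is lenient, while `jq`, Python's `json` or any schema validator in CI will reject the file — so either escape the breaks or record somewhere that the rule loader tolerates raw newlines. `references` is also an empty array here while the other review rules cite their learn.microsoft.com source; the Purview audit-search article would be the natural citation for step 2.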
diff --git a/rules/findings/Microsoft365/Exchange Online/Reports/CIS3.1/exchange-mail-forwarding-rules-are-reviewed.json b/rules/findings/Microsoft365/Exchange Online/Reports/CIS3.1/exchange-mail-forwarding-rules-are-reviewed.json
new file mode 100644
index 00000000..3302e5bd
--- /dev/null
+++ b/rules/findings/Microsoft365/Exchange Online/Reports/CIS3.1/exchange-mail-forwarding-rules-are-reviewed.json
@@ -0,0 +1,110 @@
+{
+ "args": [
+
+ ],
+ "provider": "Microsoft365",
+ "serviceType": "Exchange Online",
+ "serviceName": "Microsoft 365",
+ "displayName": "Ensure mail forwarding rules are reviewed at least weekly",
+ "description": "The Exchange Online environment can be configured in a way that allows for automatic forwarding of e-mail. This can be done using Transport Rules in the Admin Center, Auto Forwarding per mailbox, and client-based rules in Outlook. Administrators and users both are given several methods to automatically and quickly send e-mails outside of your organization.",
+ "rationale": "Reviewing mail forwarding rules will provide the Messaging Administrator with insight into possible attempts to exfiltrate data from the organization. Weekly review helps create a recognition of baseline, legitimate activity of users. This will aid in helping identify the more malicious activity of bad actors when/if they choose to use this sidechannel.",
+ "impact": "There is no impact to reviewing these reports.",
+ "remediation": {
+ "text": "
+ ###### To review mail forwarding rules:
+ 1. Navigate to Exchange admin center https://admin.exchange.microsoft.com.
+ 2. Expand Reports then select Mail flow.
+ 3. Click on Auto forwarded messages report.
+ 4. Review.
+
+ **Note** : Mail flow reports cannot be viewed from the Classic Exchange Admin Center
+ ",
+ "code": {
+ "powerShell": null,
+ "iac": null,
+ "terraform": null,
+ "other": null
+ }
+ },
+ "recommendation": null,
+ "references": [
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations Benchmark",
+ "version": "3.1.0",
+ "reference": "6.4.1",
+ "profile": "E3 Level 1"
+ }
+ ],
+ "level": "medium",
+ "tags": [
+ ],
+ "rule": {
+ "path": "",
+ "subPath": null,
+ "selectCondition": {
+
+ },
+ "query": [
+ ],
+ "shouldExist": null,
+ "returnObject": null,
+ "removeIfNotExists": null
+ },
+ "output": {
+ "html": {
+ "data": {
+ "expandObject": null
+ },
+ "table": "Normal",
+ "decorate": [
+
+ ],
+ "emphasis": [
+
+ ],
+ "actions": {
+ "objectData": {
+ "properties": [
+ "*"
+ ],
+ "expandObject": null,
+ "limit": null
+ },
+ "showGoToButton": "True",
+ "showModalButton": "True",
+ "directLink": null
+ }
+ },
+ "text": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "status": {
+ "keyName": [
+
+ ],
+ "message": "Ensure mail forwarding rules are reviewed at least weekly",
+ "defaultMessage": null
+ },
+ "properties": {
+ "resourceName": null,
+ "resourceId": null,
+ "resourceType": null
+ },
+ "onlyStatus": false
+ }
+ },
+ "idSuffix": "m365_exo_mail_forwarding_rules_report_is_reviewed",
+ "notes": [
+
+ ],
+ "categories": [
+
+ ]
+}
+
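Review bot: `level` is `medium` for a manual weekly-review control with an empty `rule` block, while the equivalent review-only rules in this diff (account provisioning, malware trends, restricted entities, spoofed domains) are `info`; with no query the finding cannot reflect tenant state, so either align it (`"level": "info",`) or give it a real query. The output section also diverges from every sibling: `showGoToButton`/`showModalButton` are the strings `"True"` rather than the booleans used by the other new files, `html.data` omits the `properties` key they all carry, and `"table": "Normal"` is set although no data source exists — a consumer expecting one shape across rules will trip on this one. If the differences are intentional, a short `notes` entry saying why would save the next reader the guess.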
diff --git a/rules/findings/Microsoft365/Exchange Online/Reports/CIS3.1/exchange-malware-trends-report-is-reviewed.json b/rules/findings/Microsoft365/Exchange Online/Reports/CIS3.1/exchange-malware-trends-report-is-reviewed.json
new file mode 100644
index 00000000..276a0aab
--- /dev/null
+++ b/rules/findings/Microsoft365/Exchange Online/Reports/CIS3.1/exchange-malware-trends-report-is-reviewed.json
@@ -0,0 +1,114 @@
+{
+ "args": [
+
+ ],
+ "provider": "Microsoft365",
+ "serviceType": "Exchange Online",
+ "serviceName": "Microsoft 365",
+ "displayName": "Ensure malware trends are reviewed at least weekly",
+ "description": "Threat explorer shows specific instances of Microsoft blocking a malware attachment from reaching users, phishing being blocked, impersonation attempts, etc. The report should be reviewed at least weekly.",
+ "rationale": "While this report isn't strictly actionable, reviewing it will give a sense of the overall volume of various security threats targeting users, which may prompt adoption of more aggressive threat mitigations.",
+ "impact": null,
+ "remediation": {
+ "text": "
+ ###### To remediate using the UI:
+ 1. Navigate to Microsoft 365 Defender https://security.microsoft.com.
+ 2. Click to expand Email & collaboration select Review.
+ 3. Select Malware trends.
+ 4. On the Threat Explorer page, select each tab to review statistics.
+ ",
+ "code": {
+ "powerShell": null,
+ "iac": null,
+ "terraform": null,
+ "other": null
+ }
+ },
+ "recommendation": null,
+ "references": [
+ "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/reports-email-security?view=o365-worldwide",
+ "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/threat-explorer-real-time-detections-about?view=o365-worldwide"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations Benchmark",
+ "version": "3.1.0",
+ "reference": "2.1.13",
+ "profile": "E3 Level 1"
+ }
+ ],
+ "level": "info",
+ "tags": [
+
+ ],
+ "rule": {
+ "path": "",
+ "subPath": null,
+ "selectCondition": {
+
+ },
+ "query": [
+ ],
+ "shouldExist": null,
+ "returnObject": null,
+ "removeIfNotExists": null
+ },
+ "output": {
+ "html": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "table": null,
+ "decorate": [
+
+ ],
+ "emphasis": [
+
+ ],
+ "actions": {
+ "objectData": {
+ "properties": [
+ "*"
+ ],
+ "expandObject": null,
+ "limit": null
+ },
+ "showGoToButton": false,
+ "showModalButton": false,
+ "directLink": null
+ }
+ },
+ "text": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "status": {
+ "keyName": [
+
+ ],
+ "message": "Ensure malware trends are reviewed at least weekly",
+ "defaultMessage": null
+ },
+ "properties": {
+ "resourceName": null,
+ "resourceId": null,
+ "resourceType": null
+ },
+ "onlyStatus": false
+ }
+ },
+ "idSuffix": "m365_exo_malware_trends_report_is_reviewed",
+ "notes": [
+
+ ],
+ "categories": [
+
+ ]
+}
+
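Review bot: The heading `###### To remediate using the UI:` mislabels a review procedure — the steps only open Threat Explorer and read statistics, and the rationale itself says the report "isn't strictly actionable"; the sibling rules use `###### To review …:` for the same kind of content. Suggest `###### To review malware trends:` so nobody reading a report looks here for a fix.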
diff --git a/rules/findings/Microsoft365/Exchange Online/Reports/CIS3.1/exchange-non-global-administrator-role-assignments-are-reviewed.json b/rules/findings/Microsoft365/Exchange Online/Reports/CIS3.1/exchange-non-global-administrator-role-assignments-are-reviewed.json
new file mode 100644
index 00000000..09576faa
--- /dev/null
+++ b/rules/findings/Microsoft365/Exchange Online/Reports/CIS3.1/exchange-non-global-administrator-role-assignments-are-reviewed.json
@@ -0,0 +1,114 @@
+{
+ "args": [
+
+ ],
+ "provider": "Microsoft365",
+ "serviceType": "Exchange Online",
+ "serviceName": "Microsoft 365",
+ "displayName": "Ensure the Account Provisioning Activity report is reviewed at least weekly",
+ "description": "Non-global administrator role group assignments should be reviewed at least every week.",
+ "rationale": "While these roles are less powerful than a global admin, they do grant special privileges that can be used illicitly. If unusual activity is detected, contact the user to confirm it is a legitimate need.",
+ "impact": null,
+ "remediation": {
+ "text": "
+ ###### To review non-global administrator role group assignments:
+ 1. Navigate to Microsoft 365 Defender https://security.microsoft.com.
+ 2. Click on Audit.
+ 3. Set Added member to Role and Removed a user from a directory role for Activities.
+ 4. Set Start Date and End Date.
+ 5. Click Search.
+ 6. Review.
+ ",
+ "code": {
+ "powerShell": null,
+ "iac": null,
+ "terraform": null,
+ "other": null
+ }
+ },
+ "recommendation": null,
+ "references": [
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations Benchmark",
+ "version": "3.1.0",
+ "reference": "2.3.2",
+ "profile": "E3 Level 1"
+ }
+ ],
+ "level": "info",
+ "tags": [
+
+ ],
+ "rule": {
+ "path": "",
+ "subPath": null,
+ "selectCondition": {
+
+ },
+ "query": [
+ ],
+ "shouldExist": null,
+ "returnObject": null,
+ "removeIfNotExists": null
+ },
+ "output": {
+ "html": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "table": null,
+ "decorate": [
+
+ ],
+ "emphasis": [
+
+ ],
+ "actions": {
+ "objectData": {
+ "properties": [
+ "*"
+ ],
+ "expandObject": null,
+ "limit": null
+ },
+ "showGoToButton": false,
+ "showModalButton": false,
+ "directLink": null
+ }
+ },
+ "text": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "status": {
+ "keyName": [
+
+ ],
+ "message": "Ensure non-global administrator role group assignments are reviewed at least weekly",
+ "defaultMessage": null
+ },
+ "properties": {
+ "resourceName": null,
+ "resourceId": null,
+ "resourceType": null
+ },
+ "onlyStatus": false
+ }
+ },
+ "idSuffix": "m365_exo_nonglobal_admin_role_assignment_report_is_reviewed",
+ "notes": [
+
+ ],
+ "categories": [
+
+ ]
+}
+
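Review bot: `displayName` is copied from the account-provisioning rule ("Ensure the Account Provisioning Activity report is reviewed at least weekly") and contradicts this file's own `description`, `status.message` and `idSuffix`, so the report header will name the wrong control for every instance of this finding. It should read `"displayName": "Ensure non-global administrator role group assignments are reviewed at least weekly",`. `references` is empty as well; the other role/audit rules in this diff point at their learn.microsoft.com source.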
diff --git a/rules/findings/Microsoft365/Exchange Online/Reports/CIS3.1/exchange-restricted-entities-report-is-reviewed.json b/rules/findings/Microsoft365/Exchange Online/Reports/CIS3.1/exchange-restricted-entities-report-is-reviewed.json
new file mode 100644
index 00000000..34729a46
--- /dev/null
+++ b/rules/findings/Microsoft365/Exchange Online/Reports/CIS3.1/exchange-restricted-entities-report-is-reviewed.json
@@ -0,0 +1,113 @@
+{
+ "args": [
+
+ ],
+ "provider": "Microsoft365",
+ "serviceType": "Exchange Online",
+ "serviceName": "Microsoft 365",
+ "displayName": "Ensure the 'Restricted entities' report is reviewed weekly",
+ "description": "Microsoft 365 Defender reviews of Restricted Entities will provide a list of user accounts restricted from sending e-mail. If a user exceeds one of the outbound sending limits as specified in the service limits or in outbound spam policies, the user is restricted from sending email, but they can still receive email.",
+ "rationale": "Users who are found on the restricted users list have a high probability of having been compromised. Review of this list will allow an organization to remediate these user accounts, and then unblock them.",
+ "impact": "Turning on Anti-Phishing should not cause an impact, messages will be displayed when applicable.",
+ "remediation": {
+ "text": "
+ 1. Connect to Exchange Online using Connect-ExchangeOnline
+ 2. Run the following PowerShell command:
+ `Get-BlockedSenderAddress`
+ ",
+ "code": {
+ "powerShell": null,
+ "iac": null,
+ "terraform": null,
+ "other": null
+ }
+ },
+ "recommendation": null,
+ "references": [
+ "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/responding-to-a-compromised-email-account?view=o365-worldwide",
+ "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/removing-user-from-restricted-users-portal-after-spam?view=o365-worldwide",
+ "https://learn.microsoft.com/en-us/powershell/module/exchange/get-blockedsenderaddress?view=exchange-ps"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations Benchmark",
+ "version": "3.1.0",
+ "reference": "2.1.12",
+ "profile": "E3 Level 1"
+ }
+ ],
+ "level": "info",
+ "tags": [
+
+ ],
+ "rule": {
+ "path": "",
+ "subPath": null,
+ "selectCondition": {
+
+ },
+ "query": [
+ ],
+ "shouldExist": null,
+ "returnObject": null,
+ "removeIfNotExists": null
+ },
+ "output": {
+ "html": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "table": null,
+ "decorate": [
+
+ ],
+ "emphasis": [
+
+ ],
+ "actions": {
+ "objectData": {
+ "properties": [
+ "*"
+ ],
+ "expandObject": null,
+ "limit": null
+ },
+ "showGoToButton": false,
+ "showModalButton": false,
+ "directLink": null
+ }
+ },
+ "text": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "status": {
+ "keyName": [
+
+ ],
+ "message": "Ensure the 'Restricted entities' report is reviewed weekly",
+ "defaultMessage": null
+ },
+ "properties": {
+ "resourceName": null,
+ "resourceId": null,
+ "resourceType": null
+ },
+ "onlyStatus": false
+ }
+ },
+ "idSuffix": "m365_exo_restricted_entities_report_is_reviewed",
+ "notes": [
+
+ ],
+ "categories": [
+
+ ]
+}
+
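Review bot: `impact` ("Turning on Anti-Phishing should not cause an impact, messages will be displayed when applicable.") is lifted from an anti-phishing rule and says nothing about reviewing the restricted-entities list; `"impact": "There is no impact to reviewing this report.",` matches the wording the mail-forwarding sibling uses. The `remediation.text` also holds only the audit command (`Get-BlockedSenderAddress`) while `remediation.code.powerShell` is null — either move the command under `code.powerShell` or head the text as the review procedure, so nobody treats listing blocked senders as the fix. The actual recovery (investigate the account, then release it from the Restricted entities page) is what the two referenced articles describe and is worth one sentence here.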
diff --git a/rules/findings/Microsoft365/Exchange Online/Reports/CIS3.1/exchange-spoofed-domains-report-is-reviewed.json b/rules/findings/Microsoft365/Exchange Online/Reports/CIS3.1/exchange-spoofed-domains-report-is-reviewed.json
new file mode 100644
index 00000000..a3fa2b67
--- /dev/null
+++ b/rules/findings/Microsoft365/Exchange Online/Reports/CIS3.1/exchange-spoofed-domains-report-is-reviewed.json
@@ -0,0 +1,112 @@
+{
+ "args": [
+
+ ],
+ "provider": "Microsoft365",
+ "serviceType": "Exchange Online",
+ "serviceName": "Microsoft 365",
+ "displayName": "Ensure the spoofed domains report is reviewed weekly",
+ "description": "Use spoof intelligence in the Security Center on the Anti-spam settings page to review all senders who are spoofing either domains that are part of the organization or spoofing external domains. Spoof intelligence is available as part of Office 365 Enterprise E5 or separately as part of Defender for Office 365 and as of October 2018 Exchange Online Protection (EOP).",
+ "rationale": "Bad actors spoof domains to trick users into conducting actions they normally would not or should not via phishing emails. Running this report will inform the message administrators of current activities, and the phishing techniques used by bad actors. This information can be used to inform end users and plan against future campaigns.",
+ "impact": null,
+ "remediation": {
+ "text": "
+ 1. Connect to Exchange Online using Connect-ExchangeOnline.
+ 2. Run the following PowerShell command:
+ `Get-SpoofIntelligenceInsight`
+ ",
+ "code": {
+ "powerShell": null,
+ "iac": null,
+ "terraform": null,
+ "other": null
+ }
+ },
+ "recommendation": null,
+ "references": [
+ "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spoofing-spoof-intelligence?view=o365-worldwide",
+ "https://learn.microsoft.com/en-us/powershell/module/exchange/get-spoofintelligenceinsight?view=exchange-ps"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations Benchmark",
+ "version": "3.1.0",
+ "reference": "2.1.11",
+ "profile": "E5 Level 1"
+ }
+ ],
+ "level": "info",
+ "tags": [
+
+ ],
+ "rule": {
+ "path": "",
+ "subPath": null,
+ "selectCondition": {
+
+ },
+ "query": [
+ ],
+ "shouldExist": null,
+ "returnObject": null,
+ "removeIfNotExists": null
+ },
+ "output": {
+ "html": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "table": null,
+ "decorate": [
+
+ ],
+ "emphasis": [
+
+ ],
+ "actions": {
+ "objectData": {
+ "properties": [
+ "*"
+ ],
+ "expandObject": null,
+ "limit": null
+ },
+ "showGoToButton": false,
+ "showModalButton": false,
+ "directLink": null
+ }
+ },
+ "text": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "status": {
+ "keyName": [
+
+ ],
+ "message": "Ensure the spoofed domains report is reviewed weekly",
+ "defaultMessage": null
+ },
+ "properties": {
+ "resourceName": null,
+ "resourceId": null,
+ "resourceType": null
+ },
+ "onlyStatus": false
+ }
+ },
+ "idSuffix": "m365_spoofed_domains_report_is_reviewed",
+ "notes": [
+
+ ],
+ "categories": [
+
+ ]
+}
+
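Review bot: `idSuffix` is `m365_spoofed_domains_report_is_reviewed`, dropping the `exo_` segment every other Exchange Online rule in this diff carries (`m365_exo_…`); since the suffix becomes the finding's stable identifier, fix it before it ships rather than rename later: `"idSuffix": "m365_exo_spoofed_domains_report_is_reviewed",`. As in the restricted-entities rule, `remediation.text` lists the audit cmdlet (`Get-SpoofIntelligenceInsight`) under a remediation key with `code.powerShell` null; a `###### To review …` heading, or moving the command to `code.powerShell`, would keep the two fields honest.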
diff --git a/rules/findings/Microsoft365/Exchange Online/Users/CIS3.1/exchange-audit-bypass-enabled.json b/rules/findings/Microsoft365/Exchange Online/Users/CIS3.1/exchange-audit-bypass-enabled.json
new file mode 100644
index 00000000..cfe30710
--- /dev/null
+++ b/rules/findings/Microsoft365/Exchange Online/Users/CIS3.1/exchange-audit-bypass-enabled.json
@@ -0,0 +1,110 @@
+{
+ "args": [
+
+ ],
+ "provider": "Microsoft365",
+ "serviceType": "Exchange Online",
+ "serviceName": "Microsoft 365",
+ "displayName": "Ensure 'AuditBypassEnabled' is not enabled on mailboxes",
+ "description": "When configuring a user or computer account to bypass mailbox audit logging, the system will not record any access, or actions performed by the said user or computer account on any mailbox. Administratively this was introduced to reduce the volume of entries in the mailbox audit logs on trusted user or computer accounts. Ensure AuditBypassEnabled is not enabled on accounts without a written exception.",
+ "rationale": "
+ If a mailbox audit bypass association is added for an account, the account can access any mailbox in the organization to which it has been assigned access permissions, without generating any mailbox audit logging entries for such access or recording any actions taken, such as message deletions.
+ Enabling this parameter, whether intentionally or unintentionally, could allow insiders or malicious actors to conceal their activity on specific mailboxes. Ensuring proper logging of user actions and mailbox operations in the audit log will enable comprehensive incident response and forensics.
+ ",
+ "impact": "None - this is the default behavior.",
+ "remediation": {
+ "text": null,
+ "code": {
+ "powerShell": null,
+ "iac": null,
+ "terraform": null,
+ "other": null
+ }
+ },
+ "recommendation": null,
+ "references": [
+ "https://learn.microsoft.com/en-us/powershell/module/exchange/get-mailboxauditbypassassociation?view=exchange-ps"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations Benchmark",
+ "version": "3.1.0",
+ "reference": "6.1.4",
+ "profile": "E3 Level 1"
+ }
+ ],
+ "level": "medium",
+ "tags": [
+
+ ],
+ "rule": {
+ "path": "",
+ "subPath": null,
+ "selectCondition": {
+
+ },
+ "query": [
+ ],
+ "shouldExist": null,
+ "returnObject": null,
+ "removeIfNotExists": null
+ },
+ "output": {
+ "html": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "table": null,
+ "decorate": [
+
+ ],
+ "emphasis": [
+
+ ],
+ "actions": {
+ "objectData": {
+ "properties": [
+ "*"
+ ],
+ "expandObject": null,
+ "limit": null
+ },
+ "showGoToButton": false,
+ "showModalButton": false,
+ "directLink": null
+ }
+ },
+ "text": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "status": {
+ "keyName": [
+
+ ],
+ "message": "Ensure 'AuditBypassEnabled' is not enabled on mailboxes",
+ "defaultMessage": null
+ },
+ "properties": {
+ "resourceName": null,
+ "resourceId": null,
+ "resourceType": null
+ },
+ "onlyStatus": false
+ }
+ },
+ "idSuffix": "m365_exo_audit_bypass_enabled",
+ "notes": [
+
+ ],
+ "categories": [
+
+ ]
+}
+
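Review bot: This is a configuration check at `level: medium`, yet `rule.path` is `""` and `query` is empty, so nothing evaluates `AuditBypassEnabled` and the finding is inert (or behaves however the engine treats an empty path). It needs a data source plus a filter in the shape the deleted `exchange-automatic-forward-enabled.json` hunk at the bottom of this diff shows — a condition such as `["AuditBypassEnabled", "eq", "True"]` over the collected `Get-MailboxAuditBypassAssociation` output (I can't see which dataset name the collector exposes; verify). `remediation.text` is null although the fix is a one-liner, `Set-MailboxAuditBypassAssociation -Identity <identity> -AuditBypassEnabled $false`, to be confirmed against the referenced cmdlet page. The description allows bypass "with a written exception", so a `notes` entry on how approved accounts are expected to be excluded would stop the finding becoming permanent noise for tenants that have one.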
diff --git a/rules/findings/Microsoft365/Exchange Online/Users/CIS3.1/exchange-mailbox-auditing-e3-enabled.json b/rules/findings/Microsoft365/Exchange Online/Users/CIS3.1/exchange-mailbox-auditing-e3-enabled.json
new file mode 100644
index 00000000..b5495faf
--- /dev/null
+++ b/rules/findings/Microsoft365/Exchange Online/Users/CIS3.1/exchange-mailbox-auditing-e3-enabled.json
@@ -0,0 +1,119 @@
+{
+ "args": [
+
+ ],
+ "provider": "Microsoft365",
+ "serviceType": "Exchange Online",
+ "serviceName": "Microsoft 365",
+ "displayName": "Ensure mailbox auditing for E3 users is Enabled",
+ "description": "
+ Mailbox audit logging is turned on by default in all organizations. This effort started in January 2019, and means that certain actions performed by mailbox owners, delegates, and admins are automatically logged. The corresponding mailbox audit records are available for admins to search in the mailbox audit log.
+ Mailboxes and shared mailboxes have actions assigned to them individually in order to audit the data the organization determines valuable at the mailbox level.
+ The recommended state is AuditEnabled to True on all user mailboxes along with additional audit actions beyond the Microsoft defaults.
+ **Note** : Due to some differences in defaults for audit actions this recommendation is specific to users assigned an E3 license only.
+ ",
+ "rationale": "
+ Whether it is for regulatory compliance or for tracking unauthorized configuration changes in Microsoft 365, enabling mailbox auditing, and ensuring the proper mailbox actions are accounted for allows for Microsoft 365 teams to run security operations, forensics or general investigations on mailbox activities.
+ The following mailbox types ignore the organizational default and must have AuditEnabled set to True at the mailbox level in order to capture relevant audit data.
+ * Resource Mailboxes
+ * Public Folder Mailboxes
+ * DiscoverySearch Mailbox
+ **Note** : Without advanced auditing (E5 function) the logs are limited to 90 days.
+ ",
+ "impact": "None - this is the default behavior.",
+ "remediation": {
+ "text": null,
+ "code": {
+ "powerShell": null,
+ "iac": null,
+ "terraform": null,
+ "other": null
+ }
+ },
+ "recommendation": null,
+ "references": [
+ "https://learn.microsoft.com/en-us/purview/audit-mailboxes?view=o365-worldwide"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations Benchmark",
+ "version": "3.1.0",
+ "reference": "6.1.2",
+ "profile": "E3 Level 1"
+ }
+ ],
+ "level": "medium",
+ "tags": [
+
+ ],
+ "rule": {
+ "path": "",
+ "subPath": null,
+ "selectCondition": {
+
+ },
+ "query": [
+ ],
+ "shouldExist": null,
+ "returnObject": null,
+ "removeIfNotExists": null
+ },
+ "output": {
+ "html": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "table": null,
+ "decorate": [
+
+ ],
+ "emphasis": [
+
+ ],
+ "actions": {
+ "objectData": {
+ "properties": [
+ "*"
+ ],
+ "expandObject": null,
+ "limit": null
+ },
+ "showGoToButton": false,
+ "showModalButton": false,
+ "directLink": null
+ }
+ },
+ "text": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "status": {
+ "keyName": [
+
+ ],
+ "message": "Ensure mailbox auditing for E3 users is Enabled",
+ "defaultMessage": null
+ },
+ "properties": {
+ "resourceName": null,
+ "resourceId": null,
+ "resourceType": null
+ },
+ "onlyStatus": false
+ }
+ },
+ "idSuffix": "m365_exo_audit_E3_users_disabled",
+ "notes": [
+
+ ],
+ "categories": [
+
+ ]
+}
+
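Review bot: `impact` says `None - this is the default behavior.`, but the description asks for `AuditEnabled` plus "additional audit actions beyond the Microsoft defaults" and the rationale lists mailbox types that ignore the organizational default — the recommended state is therefore not the default, and something like `"impact": "Enabling auditing and the extended action sets per mailbox increases audit log volume; no functional impact to users."` would be accurate (hedge the volume claim if the project has no data for it). As with the other configuration checks in this diff, `rule.path` is `""` and `query` is empty, so this medium finding never evaluates anything, and `remediation` is null although the per-mailbox fix starts with `Set-Mailbox -Identity <id> -AuditEnabled $true` (the action sets differ by license; take them from the referenced Purview article). `idSuffix` `m365_exo_audit_E3_users_disabled` is the only suffix in the set with uppercase letters; `m365_exo_audit_e3_users_disabled` keeps the convention.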
diff --git a/rules/findings/Microsoft365/Exchange Online/Users/CIS3.1/exchange-mailbox-auditing-e5-enabled.json b/rules/findings/Microsoft365/Exchange Online/Users/CIS3.1/exchange-mailbox-auditing-e5-enabled.json
new file mode 100644
index 00000000..c3dbd62c
--- /dev/null
+++ b/rules/findings/Microsoft365/Exchange Online/Users/CIS3.1/exchange-mailbox-auditing-e5-enabled.json
@@ -0,0 +1,119 @@
+{
+ "args": [
+
+ ],
+ "provider": "Microsoft365",
+ "serviceType": "Exchange Online",
+ "serviceName": "Microsoft 365",
+ "displayName": "Ensure mailbox auditing for E5 users is Enabled",
+ "description": "
+ Mailbox audit logging is turned on by default in all organizations. This effort started in January 2019, and means that certain actions performed by mailbox owners, delegates, and admins are automatically logged. The corresponding mailbox audit records are available for admins to search in the mailbox audit log.
+ Mailboxes and shared mailboxes have actions assigned to them individually in order to audit the data the organization determines valuable at the mailbox level.
+ The recommended state is AuditEnabled to True on all user mailboxes along with additional audit actions beyond the Microsoft defaults.
+ **Note** : Due to some differences in defaults for audit actions this recommendation is specific to users assigned an E5 license only.
+ ",
+ "rationale": "
+ Whether it is for regulatory compliance or for tracking unauthorized configuration changes in Microsoft 365, enabling mailbox auditing, and ensuring the proper mailbox actions are accounted for allows for Microsoft 365 teams to run security operations, forensics or general investigations on mailbox activities.
+ The following mailbox types ignore the organizational default and must have AuditEnabled set to True at the mailbox level in order to capture relevant audit data.
+ * Resource Mailboxes
+ * Public Folder Mailboxes
+ * DiscoverySearch Mailbox
+ **Note** : Without advanced auditing (E5 function) the logs are limited to 90 days.
+ ",
+ "impact": "None - this is the default behavior.",
+ "remediation": {
+ "text": null,
+ "code": {
+ "powerShell": null,
+ "iac": null,
+ "terraform": null,
+ "other": null
+ }
+ },
+ "recommendation": null,
+ "references": [
+ "https://learn.microsoft.com/en-us/purview/audit-mailboxes?view=o365-worldwide"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations Benchmark",
+ "version": "3.1.0",
+ "reference": "6.1.3",
+ "profile": "E5 Level 1"
+ }
+ ],
+ "level": "medium",
+ "tags": [
+
+ ],
+ "rule": {
+ "path": "",
+ "subPath": null,
+ "selectCondition": {
+
+ },
+ "query": [
+ ],
+ "shouldExist": null,
+ "returnObject": null,
+ "removeIfNotExists": null
+ },
+ "output": {
+ "html": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "table": null,
+ "decorate": [
+
+ ],
+ "emphasis": [
+
+ ],
+ "actions": {
+ "objectData": {
+ "properties": [
+ "*"
+ ],
+ "expandObject": null,
+ "limit": null
+ },
+ "showGoToButton": false,
+ "showModalButton": false,
+ "directLink": null
+ }
+ },
+ "text": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "status": {
+ "keyName": [
+
+ ],
+ "message": "Ensure mailbox auditing for E5 users is Enabled",
+ "defaultMessage": null
+ },
+ "properties": {
+ "resourceName": null,
+ "resourceId": null,
+ "resourceType": null
+ },
+ "onlyStatus": false
+ }
+ },
+ "idSuffix": "m365_exo_audit_E5_users_disabled",
+ "notes": [
+
+ ],
+ "categories": [
+
+ ]
+}
+
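Review bot: `impact`, the empty `rule` block and the null `remediation` carry the same problems as the E3 twin of this file: the impact line claims the recommended state is the default while the description asks for audit actions beyond the defaults, nothing is evaluated for a medium finding, and the `Set-Mailbox -AuditEnabled $true` fix is missing. The rationale note `Without advanced auditing (E5 function) the logs are limited to 90 days` is out of place in a rule scoped to E5 users, who have that function; either drop it here or say what E5 retention provides (and verify the figure, since Microsoft has revised default retention). The two files differ only in the license word, reference `6.1.2`/`6.1.3` and profile; the format already has an `args` array, so one rule parameterised on the license would stop the texts drifting apart. `idSuffix` has the same uppercase `E5` inconsistency as the E3 rule.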
diff --git a/rules/findings/Microsoft365/ExchangeOnline/General/CIS1.4/exchange-automatic-forward-enabled.json b/rules/findings/Microsoft365/ExchangeOnline/General/CIS1.4/exchange-automatic-forward-enabled.json
deleted file mode 100644
index 535dbaff..00000000
--- a/rules/findings/Microsoft365/ExchangeOnline/General/CIS1.4/exchange-automatic-forward-enabled.json
+++ /dev/null
@@ -1,118 +0,0 @@
-{
- "args": [
-
- ],
- "provider": "Microsoft365",
- "serviceType": "Exchange Online",
- "serviceName": "Microsoft 365",
- "displayName": "Ensure automatic forwarding options are disabled",
- "description": "Consider to disable automatic forwarding to prevent users from auto-forwarding mail through Outlook and Outlook on the Web.",
- "rationale": "In the event that an attacker gains control of an end-user account they could create rules to ex-filtrate data from your environment.",
- "impact": "Care should be taken before implementation to ensure there is no business need for case-by-case auto-forwarding. Disabling auto-forwarding to remote domains will affect all users and in an organization.",
- "remediation": {
- "text": "###### To perform remediation you may use the Exchange Online PowerShell Module:\r\n\t\t\t\t\t1. Connect to Exchange Online using `Connect-ExchangeOnline`\r\n\t\t\t\t\t2. Run the following PowerShell command:\t\t\t\t\t\r\n\t\t\t\t\t```powershell\r\n\t\t\t\t\tSet-RemoteDomain Default -AutoForwardEnabled $false\r\n\t\t\t\t\t```\r\n\t\t\t\t\t3. To verify this worked you may re-run the audit command as follows:\t\t\t\t\t\r\n\t\t\t\t\t```powershell\r\n\t\t\t\t\tGet-RemoteDomain Default | fl AllowedOOFType, AutoForwardEnabled\r\n\t\t\t\t\t```",
- "code": {
- "powerShell": null,
- "iac": null,
- "terraform": null,
- "other": null
- }
- },
- "recommendation": null,
- "references": [
- "https://docs.microsoft.com/en-gb/azure/app-service/app-service-web-tutorial-connect-msi"
- ],
- "compliance": [
- {
- "name": "CIS Microsoft 365 Foundations",
- "version": "1.4.0",
- "reference": "4.3"
- }
- ],
- "level": "medium",
- "tags": [
- "Microsoft 365 CIS benchmark 4.4"
- ],
- "rule": {
- "path": "o365_exo_remote_domain",
- "subPath": null,
- "selectCondition": {
-
- },
- "query": [
- {
- "filter": [
- {
- "conditions": [
- [
- "AutoForwardEnabled",
- "eq",
- "True"
- ]
- ]
- }
- ]
- }
- ],
- "shouldExist": null,
- "returnObject": null,
- "removeIfNotExists": null
- },
- "output": {
- "html": {
- "data": {
- "properties": {
- "Name": "Policy Name",
- "OrganizationalUnitRoot": "Organization",
- "AutoForwardEnabled": "Automatic Forward"
- },
- "expandObject": null
- },
- "table": "Normal",
- "decorate": [
-
- ],
- "emphasis": [
-
- ],
- "actions": {
- "objectData": {
- "expand": [
- "*"
- ],
- "limit": null
- },
- "showGoToButton": "True",
- "showModalButton": "True"
- }
- },
- "text": {
- "data": {
- "properties": {
-
- },
- "expandObject": null
- },
- "status": {
- "keyName": [
-
- ],
- "message": "Ensure automatic forwarding options are disabled",
- "defaultMessage": null
- },
- "properties": {
- "resourceName": null,
- "resourceId": null,
- "resourceType": null
- },
- "onlyStatus": false
- }
- },
- "idSuffix": "o365_exo_automatic_forward_enabled",
- "notes": [
-
- ],
- "categories": [
-
- ]
-}
diff --git a/rules/findings/Microsoft365/ExchangeOnline/Mail Transport Rules/CIS1.4/exchange-mail-transport-rules-forward-enabled.json b/rules/findings/Microsoft365/ExchangeOnline/Mail Transport Rules/CIS1.4/exchange-mail-transport-rules-forward-enabled.json
deleted file mode 100644
index a45ee4e2..00000000
--- a/rules/findings/Microsoft365/ExchangeOnline/Mail Transport Rules/CIS1.4/exchange-mail-transport-rules-forward-enabled.json
+++ /dev/null
@@ -1,118 +0,0 @@
-{
- "args": [
-
- ],
- "provider": "Microsoft365",
- "serviceType": "Exchange Online",
- "serviceName": "Microsoft 365",
- "displayName": "Ensure mail transport rules do not forward email to external domains",
- "description": "Consider to set Exchange Online mail transport rules to not forward email to domains outside of your organization.",
- "rationale": "Attackers often create these rules to exfiltrate data from your tenancy.",
- "impact": "Care should be taken before implementation to ensure there is no business need for case-by-case auto-forwarding. Disabling auto-forwarding to remote domains will affect all users and in an organization.",
- "remediation": {
- "text": "###### To alter the mail transport rules so they do not forward email to external domains, use the Microsoft 365 Admin Center\r\n\t\t\t\t\t1. Select `Exchange`.\r\n\t\t\t\t\t2. Select `Mail Flow` and `Rules`.\r\n\t\t\t\t\t3. For each rule that forwards email to external domains, select the rule and click the *Delete* icon.\r\n\t\t\t\t\t\r\n\t\t\t\t\t###### To perform remediation you may also use the Exchange Online PowerShell Module\r\n\t\t\t\t\t1. Connect to Exchange Online using `Connect-ExchangeOnline`\r\n\t\t\t\t\t2. Run the following PowerShell command:\t\t\t\t\t\r\n\t\t\t\t\t```powershell\r\n\t\t\t\t\tRemove-TransportRule {RuleName}\r\n\t\t\t\t\t```\r\n\t\t\t\t\t3. To verify this worked you may re-run the audit command as follows:\t\t\t\t\t\r\n\t\t\t\t\t```powershell\r\n\t\t\t\t\tGet-TransportRule | Where-Object {$null -ne $_.RedirectMessageTo} | ft Name,RedirectMessageTo\r\n\t\t\t\t\t```",
- "code": {
- "powerShell": null,
- "iac": null,
- "terraform": null,
- "other": null
- }
- },
- "recommendation": null,
- "references": [
- "https://docs.microsoft.com/en-us/exchange/policy-and-compliance/mail-flow-rules/mail-flow-rule-procedures?view=exchserver-2019"
- ],
- "compliance": [
- {
- "name": "CIS Microsoft 365 Foundations",
- "version": "1.4.0",
- "reference": "4.3"
- }
- ],
- "level": "medium",
- "tags": [
- "Microsoft 365 CIS benchmark 4.3"
- ],
- "rule": {
- "path": "o365_exo_transport_rules",
- "subPath": null,
- "selectCondition": {
-
- },
- "query": [
- {
- "filter": [
- {
- "conditions": [
- [
- "AdditionalStorageProvidersAvailable",
- "eq",
- "true"
- ]
- ]
- }
- ]
- }
- ],
- "shouldExist": null,
- "returnObject": null,
- "removeIfNotExists": null
- },
- "output": {
- "html": {
- "data": {
- "properties": {
- "Name": "Name",
- "CreatedBy": "Created By",
- "RedirectMessageTo": "Redirect Message To"
- },
- "expandObject": null
- },
- "table": "Normal",
- "decorate": [
-
- ],
- "emphasis": [
-
- ],
- "actions": {
- "objectData": {
- "expand": [
- "*"
- ],
- "limit": null
- },
- "showGoToButton": "True",
- "showModalButton": "True"
- }
- },
- "text": {
- "data": {
- "properties": {
-
- },
- "expandObject": null
- },
- "status": {
- "keyName": [
-
- ],
- "message": "Ensure mail transport rules do not forward email to external domains",
- "defaultMessage": null
- },
- "properties": {
- "resourceName": null,
- "resourceId": null,
- "resourceType": null
- },
- "onlyStatus": false
- }
- },
- "idSuffix": "o365_exo_transport_rules_forward_enabled",
- "notes": [
-
- ],
- "categories": [
-
- ]
-}
diff --git a/rules/findings/Microsoft365/Microsoft Admin/CIS3.1/m365-user-owned-apps-and-services-allowed.json b/rules/findings/Microsoft365/Microsoft Admin/CIS3.1/m365-user-owned-apps-and-services-allowed.json
new file mode 100644
index 00000000..09f293f1
--- /dev/null
+++ b/rules/findings/Microsoft365/Microsoft Admin/CIS3.1/m365-user-owned-apps-and-services-allowed.json
@@ -0,0 +1,120 @@
+{
+ "args": [
+
+ ],
+ "provider": "Microsoft365",
+ "serviceType": "Microsoft 365 Admin",
+ "serviceName": "Microsoft 365",
+ "displayName": "Ensure 'User owned apps and services' is restricted",
+ "description": "
+ By default, users can install add-ins in their Microsoft Word, Excel, and PowerPoint applications, allowing data access within the application.
+ Do not allow users to install add-ins in Word, Excel, or PowerPoint.
+ ",
+ "rationale": "
+ Attackers commonly use vulnerable and custom-built add-ins to access data in user applications.
+ While allowing users to install add-ins by themselves does allow them to easily acquire useful add-ins that integrate with Microsoft applications, it can represent a risk if not used and monitored carefully.
+ Disable future user's ability to install add-ins in Microsoft Word, Excel, or PowerPoint helps reduce your threat-surface and mitigate this risk.
+ ",
+ "impact": "Implementation of this change will impact both end users and administrators. End users will not be able to install add-ins that they may want to install.",
+ "remediation": {
+ "text": "
+ To prohibit users installing Office Store add-ins and starting 365 trials:
+ 1. Navigate to Microsoft 365 admin center https://admin.microsoft.com.
+ 2. Click to expand Settings Select `Org settings'.
+ 3. Under Services select User owned apps and services.
+ 4. Uncheck Let users access the Office Store and Let users start trials on behalf of your organization.
+ 5. Click Save.
+ ",
+ "code": {
+ "powerShell": null,
+ "iac": null,
+ "terraform": null,
+ "other": null
+ }
+ },
+ "recommendation": null,
+ "references": [
+ "https://learn.microsoft.com/en-us/microsoft-365/admin/setup/set-up-file-storage-and-sharing?view=o365-worldwide#enable-or-disable-third-party-storage-services"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations Benchmark",
+ "version": "3.1.0",
+ "reference": "1.3.4",
+ "profile": "E3 Level 1"
+ }
+ ],
+ "level": "low",
+ "tags": [
+ ],
+ "rule": {
+ "path": "",
+ "subPath": null,
+ "selectCondition": {
+
+ },
+ "query": [
+ ],
+ "shouldExist": null,
+ "returnObject": null,
+ "removeIfNotExists": null
+ },
+ "output": {
+ "html": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "table": null,
+ "decorate": [
+
+ ],
+ "emphasis": [
+
+ ],
+ "actions": {
+ "objectData": {
+ "properties": [
+ "*"
+ ],
+ "expandObject": null,
+ "limit": null
+ },
+ "showGoToButton": false,
+ "showModalButton": false,
+ "directLink": null
+ }
+ },
+ "text": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "status": {
+ "keyName": [
+
+ ],
+ "message": "Ensure 'User owned apps and services' is restricted",
+ "defaultMessage": null
+ },
+ "properties": {
+ "resourceName": null,
+ "resourceId": null,
+ "resourceType": null
+ },
+ "onlyStatus": false
+ }
+ },
+ "idSuffix": "m365_user_owned_apps_and_services_allowed",
+ "notes": [
+
+ ],
+ "categories": [
+
+ ]
+}
+
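Review bot: The reference at L27908 links to the third-party storage services section of the file-storage-and-sharing article, which documents a different admin-center toggle than the 'User owned apps and services' / Office Store setting this rule describes, so the only citation on the finding does not support it; replace it with the Learn article for that setting (URL to be supplied by the author). The string values for description, rationale and remediation.text (L27880-27883, L27884-27888, L27891-27898) contain raw line breaks, which RFC 8259 parsers reject; the deleted rules in this commit kept each value on one line with `\r\n` escapes, so unless the loader is known to tolerate unescaped control characters the new files should escape the breaks the same way — this applies to every new rule file in this commit. The rule block has `"path": ""` and an empty `query` (L27921-27932), so nothing is evaluated and the finding can never be raised by a scan; if this is intentionally a manual check, say so in `notes`, which is empty at L27984-27986 — the same holds for the new Microsoft Fabric rules. Also the remediation step at L27894 mixes a backtick and a straight quote around Org settings; it should read `2. Click to expand Settings and select \`Org settings\`.`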
diff --git a/rules/findings/Microsoft365/Microsoft Fabric/CIS3.1/fabric-allow-users-apply-sensitivity-labels-not-enabled.json b/rules/findings/Microsoft365/Microsoft Fabric/CIS3.1/fabric-allow-users-apply-sensitivity-labels-not-enabled.json
new file mode 100644
index 00000000..ab5fb6f9
--- /dev/null
+++ b/rules/findings/Microsoft365/Microsoft Fabric/CIS3.1/fabric-allow-users-apply-sensitivity-labels-not-enabled.json
@@ -0,0 +1,119 @@
+{
+ "args": [
+
+ ],
+ "provider": "Microsoft365",
+ "serviceType": "Microsoft Fabric",
+ "serviceName": "Microsoft 365",
+ "displayName": "Ensure 'Allow users to apply sensitivity labels for content' is 'Enabled'",
+ "description": "
+ Information protection tenant settings help to protect sensitive information in the Power BI tenant. Allowing and applying sensitivity labels to content ensures that information is only seen and accessed by the appropriate users.
+ The recommended state is Enabled or Enabled for a subset of the organization.
+ **Note** : Sensitivity labels and protection are only applied to files exported to Excel, PowerPoint, or PDF files, that are controlled by `Export to Excel` and `Export reports as PowerPoint presentation or PDF documents` settings. All other export and sharing options do not support the application of sensitivity labels and protection.
+ **Note 2** : There are some prerequisite steps that need to be completed in order to fully utilize labelling. See here.
+ ",
+ "rationale": "Establishing data classifications and affixing labels to data at creation enables organizations to discern the data's criticality, sensitivity, and value. This initial identification enables the implementation of appropriate protective measures, utilizing technologies like Data Loss Prevention (DLP) to avert inadvertent exposure and enforcing access controls to safeguard against unauthorized access. This practice can also promote user awareness and responsibility in regard to the nature of the data they interact with. Which in turn can foster awareness in other areas of data management across the organization.",
+ "impact": "Additional license requirements like Power BI Pro are required, as outlined in the Licensed and requirements page linked in the description and references sections.",
+ "remediation": {
+ "text": "
+ ###### Enable sensitivity labels:
+ 1. Navigate to Microsoft Fabric https://app.powerbi.com/admin-portal
+ 2. Select Tenant settings.
+ 3. Scroll to Information protection.
+ 4. Set Allow users to apply sensitivity labels for content to one of these states:
+ * State 1: Enabled
+ * State 2: Enabled with Specific security groups selected and defined.
+ ",
+ "code": {
+ "powerShell": null,
+ "iac": null,
+ "terraform": null,
+ "other": null
+ }
+ },
+ "recommendation": null,
+ "references": [
+ "https://learn.microsoft.com/en-us/power-bi/enterprise/service-security-enable-data-sensitivity-labels",
+ "https://learn.microsoft.com/en-us/power-bi/enterprise/service-security-dlp-policies-for-power-bi-overview",
+ "https://learn.microsoft.com/en-us/power-bi/enterprise/service-security-enable-data-sensitivity-labels#licensing-and-requirements"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations Benchmark",
+ "version": "3.1.0",
+ "reference": "9.1.6",
+ "profile": "E3 Level 1"
+ }
+ ],
+ "level": "medium",
+ "tags": [
+
+ ],
+ "rule": {
+ "path": "",
+ "subPath": null,
+ "selectCondition": {
+
+ },
+ "query": [
+ ],
+ "shouldExist": null,
+ "returnObject": null,
+ "removeIfNotExists": null
+ },
+ "output": {
+ "html": {
+ "data": {
+ "expandObject": null
+ },
+ "table": "Normal",
+ "decorate": [
+
+ ],
+ "emphasis": [
+
+ ],
+ "actions": {
+ "objectData": {
+ "properties": [
+ "*"
+ ],
+ "expandObject": null,
+ "limit": null
+ },
+ "showGoToButton": "True",
+ "showModalButton": "True",
+ "directLink": null
+ }
+ },
+ "text": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "status": {
+ "keyName": [
+
+ ],
+ "message": "Ensure 'Allow users to apply sensitivity labels for content' is 'Enabled'",
+ "defaultMessage": null
+ },
+ "properties": {
+ "resourceName": null,
+ "resourceId": null,
+ "resourceType": null
+ },
+ "onlyStatus": false
+ }
+ },
+ "idSuffix": "fabric_allow_users_apply_sensitivity_labels_not_enabled",
+ "notes": [
+
+ ],
+ "categories": [
+
+ ]
+}
+
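Review bot: `showGoToButton` and `showModalButton` are the strings `"True"` at L28081-28082, while the user-owned-apps rule added in the same commit (L27956-27957) and the renamed Azure rule use JSON booleans; a key that is sometimes a string and sometimes a boolean forces every consumer to special-case it, so write `"showGoToButton": true, "showModalButton": true`. The same string-typed booleans appear in the other new Microsoft Fabric rules (block-resourcekey, external-data-sharing, external-user-invitations, guest-access-to-content, guest-user-access). `output.html.data` at L28063-28065 also omits the `properties` object that the other templates carry (L27936-27938), so a consumer that reads `data.properties` unconditionally would fail on this file and on those same Fabric files. Separately, **Note 2** at L28010 ends with 'See here.' but carries no link, leaving the prerequisite pointer dangling; either drop the phrase or point it at the licensing reference already listed at L28035.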
diff --git a/rules/findings/Microsoft365/Microsoft Fabric/CIS3.1/fabric-block-resourcekey-authentication-not-enabled.json b/rules/findings/Microsoft365/Microsoft Fabric/CIS3.1/fabric-block-resourcekey-authentication-not-enabled.json
new file mode 100644
index 00000000..2edafb95
--- /dev/null
+++ b/rules/findings/Microsoft365/Microsoft Fabric/CIS3.1/fabric-block-resourcekey-authentication-not-enabled.json
@@ -0,0 +1,111 @@
+{
+ "args": [
+
+ ],
+ "provider": "Microsoft365",
+ "serviceType": "Microsoft Fabric",
+ "serviceName": "Microsoft 365",
+ "displayName": "Ensure 'Block ResourceKey Authentication' is 'Enabled'",
+ "description": "This setting blocks the use of resource key based authentication. The Block ResourceKey Authentication setting applies to streaming and PUSH datasets. If blocked users will not be allowed send data to streaming and PUSH datasets using the API with a resource key. The recommended state is Enabled.",
+ "rationale": "Resource keys are a form of authentication that allows users to access Power BI resources (such as reports, dashboards, and datasets) without requiring individual user accounts. While convenient, this method bypasses the organization's centralized identity and access management controls. Enabling ensures that access to Power BI resources is tied to the organization's authentication mechanisms, providing a more secure and controlled environment.",
+ "impact": "Developers will need to request a special exception in order to use this feature.",
+ "remediation": {
+ "text": "
+ ###### Ensure ResourceKey Authentication is Enabled:
+ 1. Navigate to Microsoft Fabric https://app.powerbi.com/admin-portal
+ 2. Select Tenant settings.
+ 3. Scroll to Developer settings.
+ 4. Set Block ResourceKey Authentication to Enabled
+ ",
+ "code": {
+ "powerShell": null,
+ "iac": null,
+ "terraform": null,
+ "other": null
+ }
+ },
+ "recommendation": null,
+ "references": [
+ "https://learn.microsoft.com/en-us/power-bi/admin/service-admin-portal-developer",
+ "https://learn.microsoft.com/en-us/power-bi/connect-data/service-real-time-streaming"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations Benchmark",
+ "version": "3.1.0",
+ "reference": "9.1.9",
+ "profile": "E3 Level 1"
+ }
+ ],
+ "level": "medium",
+ "tags": [
+
+ ],
+ "rule": {
+ "path": "",
+ "subPath": null,
+ "selectCondition": {
+
+ },
+ "query": [
+ ],
+ "shouldExist": null,
+ "returnObject": null,
+ "removeIfNotExists": null
+ },
+ "output": {
+ "html": {
+ "data": {
+ "expandObject": null
+ },
+ "table": "Normal",
+ "decorate": [
+
+ ],
+ "emphasis": [
+
+ ],
+ "actions": {
+ "objectData": {
+ "properties": [
+ "*"
+ ],
+ "expandObject": null,
+ "limit": null
+ },
+ "showGoToButton": "True",
+ "showModalButton": "True",
+ "directLink": null
+ }
+ },
+ "text": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "status": {
+ "keyName": [
+
+ ],
+ "message": "Ensure 'Block ResourceKey Authentication' is 'Enabled'",
+ "defaultMessage": null
+ },
+ "properties": {
+ "resourceName": null,
+ "resourceId": null,
+ "resourceType": null
+ },
+ "onlyStatus": false
+ }
+ },
+ "idSuffix": "fabric_block_resourcekey_authentication_not_enabled",
+ "notes": [
+
+ ],
+ "categories": [
+
+ ]
+}
+
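Review bot: The remediation heading at L28136 reads `###### Ensure ResourceKey Authentication is Enabled:`, which states the opposite of the control — the setting to turn on is *Block* ResourceKey Authentication, as the displayName at L28130, the description and step 4 at L28140 all say. An operator skimming the heading could leave resource-key authentication permitted while believing the finding is remediated. Change it to `###### Ensure Block ResourceKey Authentication is Enabled:`.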
diff --git a/rules/findings/Microsoft365/Microsoft Fabric/CIS3.1/fabric-enabling-external-data-sharing-not-restricted.json b/rules/findings/Microsoft365/Microsoft Fabric/CIS3.1/fabric-enabling-external-data-sharing-not-restricted.json
new file mode 100644
index 00000000..dad4dff7
--- /dev/null
+++ b/rules/findings/Microsoft365/Microsoft Fabric/CIS3.1/fabric-enabling-external-data-sharing-not-restricted.json
@@ -0,0 +1,113 @@
+{
+ "args": [
+
+ ],
+ "provider": "Microsoft365",
+ "serviceType": "Microsoft Fabric",
+ "serviceName": "Microsoft 365",
+ "displayName": "Ensure enabling of external data sharing is restricted",
+ "description": "Power BI admins can specify which users or user groups can share datasets externally with guests from a different tenant through the in-place mechanism. Disabling this setting prevents any user from sharing datasets externally by restricting the ability of users to turn on external sharing for datasets they own or manage. The recommended state is Enabled for a subset of the organization or Disabled.",
+ "rationale": "Establishing and enforcing a dedicated security group prevents unauthorized access to Microsoft Fabric for guests collaborating in Azure that are new or from other applications. This upholds the principle of least privilege and uses role-based access control (RBAC). These security groups can also be used for tasks like conditional access, enhancing risk management and user accountability across the organization.",
+ "impact": "Security groups will need to be more closely tended to and monitored.",
+ "remediation": {
+ "text": "
+ ###### Restrict external data sharing:
+ 1. Navigate to Microsoft Fabric https://app.powerbi.com/admin-portal
+ 2. Select Tenant settings.
+ 3. Scroll to Export and Sharing settings.
+ 4. Set Allow specific users to turn on external data sharing to one of these states:
+ * State 1: Disabled
+ * State 2: Enabled with Specific security groups selected and defined.
+ **Important** : If the organization doesn't actively use this feature it is recommended to keep it `Disabled`.
+ ",
+ "code": {
+ "powerShell": null,
+ "iac": null,
+ "terraform": null,
+ "other": null
+ }
+ },
+ "recommendation": null,
+ "references": [
+ "https://learn.microsoft.com/en-us/fabric/admin/service-admin-portal-export-sharing"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations Benchmark",
+ "version": "3.1.0",
+ "reference": "9.1.8",
+ "profile": "E3 Level 1"
+ }
+ ],
+ "level": "medium",
+ "tags": [
+
+ ],
+ "rule": {
+ "path": "",
+ "subPath": null,
+ "selectCondition": {
+
+ },
+ "query": [
+ ],
+ "shouldExist": null,
+ "returnObject": null,
+ "removeIfNotExists": null
+ },
+ "output": {
+ "html": {
+ "data": {
+ "expandObject": null
+ },
+ "table": "Normal",
+ "decorate": [
+
+ ],
+ "emphasis": [
+
+ ],
+ "actions": {
+ "objectData": {
+ "properties": [
+ "*"
+ ],
+ "expandObject": null,
+ "limit": null
+ },
+ "showGoToButton": "True",
+ "showModalButton": "True",
+ "directLink": null
+ }
+ },
+ "text": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "status": {
+ "keyName": [
+
+ ],
+ "message": "Ensure enabling of external data sharing is restricted",
+ "defaultMessage": null
+ },
+ "properties": {
+ "resourceName": null,
+ "resourceId": null,
+ "resourceType": null
+ },
+ "onlyStatus": false
+ }
+ },
+ "idSuffix": "fabric_enabling_external_data_sharing_not_restricted",
+ "notes": [
+
+ ],
+ "categories": [
+
+ ]
+}
+
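Review bot: The `**Important**` line at L28260 follows the last list item with no blank line, so Markdown renders it as a lazy continuation of the 'State 2' item rather than as its own paragraph; the same remediation text in fabric-external-user-invitations-not-restricted.json (L28382-28383) inserts the blank line, and fabric-guest-access-to-content-not-restricted.json (L28503) has the same omission as this file. Add an empty line before `**Important**` so the warning stands apart from the list. Also this file wraps Disabled in backticks at L28260 while the sibling files leave it plain; pick one convention.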
diff --git a/rules/findings/Microsoft365/Microsoft Fabric/CIS3.1/fabric-external-user-invitations-not-restricted.json b/rules/findings/Microsoft365/Microsoft Fabric/CIS3.1/fabric-external-user-invitations-not-restricted.json
new file mode 100644
index 00000000..4e6d67ef
--- /dev/null
+++ b/rules/findings/Microsoft365/Microsoft Fabric/CIS3.1/fabric-external-user-invitations-not-restricted.json
@@ -0,0 +1,118 @@
+{
+ "args": [
+
+ ],
+ "provider": "Microsoft365",
+ "serviceType": "Microsoft Fabric",
+ "serviceName": "Microsoft 365",
+ "displayName": "Ensure external user invitations are restricted",
+ "description": "
+ This setting helps organizations choose whether new external users can be invited to the organization through Power BI sharing, permissions, and subscription experiences. This setting only controls the ability to invite through Power BI. The recommended state is Enabled for a subset of the organization or Disabled.
+ **Note** : To invite external users to the organization, the user must also have the Microsoft Entra Guest Inviter role.
+ ",
+ "rationale": "Establishing and enforcing a dedicated security group prevents unauthorized access to Microsoft Fabric for guests collaborating in Azure that are new or assigned guest status from other applications. This upholds the principle of least privilege and uses role-based access control (RBAC). These security groups can also be used for tasks like conditional access, enhancing risk management and user accountability across the organization.",
+ "impact": "Guest user invitations will be limited to only specific employees.",
+ "remediation": {
+ "text": "
+ ###### Restrict external user invitations:
+ 1. Navigate to Microsoft Fabric https://app.powerbi.com/admin-portal
+ 2. Select Tenant settings.
+ 3. Scroll to Export and Sharing settings.
+ 4. Set Users can invite guest users to collaborate through item sharing and permissions to one of these states:
+ * State 1: Disabled
+ * State 2: Enabled with Specific security groups selected and defined.
+
+ **Important** : If the organization doesn't actively use this feature it is recommended to keep it Disabled.
+ ",
+ "code": {
+ "powerShell": null,
+ "iac": null,
+ "terraform": null,
+ "other": null
+ }
+ },
+ "recommendation": null,
+ "references": [
+ "https://learn.microsoft.com/en-us/power-bi/admin/service-admin-portal-export-sharing",
+ "https://learn.microsoft.com/en-us/power-bi/enterprise/service-admin-azure-ad-b2b#invite-guest-users"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations Benchmark",
+ "version": "3.1.0",
+ "reference": "9.1.2",
+ "profile": "E3 Level 1"
+ }
+ ],
+ "level": "medium",
+ "tags": [
+
+ ],
+ "rule": {
+ "path": "",
+ "subPath": null,
+ "selectCondition": {
+
+ },
+ "query": [
+ ],
+ "shouldExist": null,
+ "returnObject": null,
+ "removeIfNotExists": null
+ },
+ "output": {
+ "html": {
+ "data": {
+ "expandObject": null
+ },
+ "table": "Normal",
+ "decorate": [
+
+ ],
+ "emphasis": [
+
+ ],
+ "actions": {
+ "objectData": {
+ "properties": [
+ "*"
+ ],
+ "expandObject": null,
+ "limit": null
+ },
+ "showGoToButton": "True",
+ "showModalButton": "True",
+ "directLink": null
+ }
+ },
+ "text": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "status": {
+ "keyName": [
+
+ ],
+ "message": "Ensure external user invitations are restricted",
+ "defaultMessage": null
+ },
+ "properties": {
+ "resourceName": null,
+ "resourceId": null,
+ "resourceType": null
+ },
+ "onlyStatus": false
+ }
+ },
+ "idSuffix": "fabric_external_user_invitations_not_restricted",
+ "notes": [
+
+ ],
+ "categories": [
+
+ ]
+}
+
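Review bot: The rationale at L28371 says guests 'collaborating in Azure' while the otherwise identical sentence in fabric-guest-access-to-content-not-restricted.json (L28492) says 'collaborating in Entra'; the description at L28369 already uses the Microsoft Entra name, so align the rationale to `collaborating in Entra`. The same 'in Azure' wording appears in fabric-enabling-external-data-sharing-not-restricted.json and fabric-guest-user-access-not-restricted.json.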
diff --git a/rules/findings/Microsoft365/Microsoft Fabric/CIS3.1/fabric-guest-access-to-content-not-restricted.json b/rules/findings/Microsoft365/Microsoft Fabric/CIS3.1/fabric-guest-access-to-content-not-restricted.json
new file mode 100644
index 00000000..36d5f683
--- /dev/null
+++ b/rules/findings/Microsoft365/Microsoft Fabric/CIS3.1/fabric-guest-access-to-content-not-restricted.json
@@ -0,0 +1,113 @@
+{
+ "args": [
+
+ ],
+ "provider": "Microsoft365",
+ "serviceType": "Microsoft Fabric",
+ "serviceName": "Microsoft 365",
+ "displayName": "Ensure guest access to content is restricted",
+ "description": "This setting allows Microsoft Entra B2B guest users to have full access to the browsing experience using the left-hand navigation pane in the organization. Guest users who have been assigned workspace roles or specific item permissions will continue to have those roles and/or permissions, even if this setting is disabled. The recommended state is Enabled for a subset of the organization or Disabled.",
+ "rationale": "Establishing and enforcing a dedicated security group prevents unauthorized access to Microsoft Fabric for guests collaborating in Entra that are new or assigned guest status from other applications. This upholds the principle of least privilege and uses role-based access control (RBAC). These security groups can also be used for tasks like conditional access, enhancing risk management and user accountability across the organization.",
+ "impact": "Security groups will need to be more closely tended to and monitored.",
+ "remediation": {
+ "text": "
+ ###### Restrict guest user content access:
+ 1. Navigate to Microsoft Fabric https://app.powerbi.com/admin-portal
+ 2. Select Tenant settings.
+ 3. Scroll to Export and Sharing settings.
+ 4. Set Guest users can browse and access Fabric content to one of these states:
+ * State 1: Disabled
+ * State 2: Enabled with Specific security groups selected and defined.
+ **Important** : If the organization doesn't actively use this feature it is recommended to keep it Disabled.
+ ",
+ "code": {
+ "powerShell": null,
+ "iac": null,
+ "terraform": null,
+ "other": null
+ }
+ },
+ "recommendation": null,
+ "references": [
+ "https://learn.microsoft.com/en-us/fabric/admin/service-admin-portal-export-sharing"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations Benchmark",
+ "version": "3.1.0",
+ "reference": "9.1.3",
+ "profile": "E3 Level 1"
+ }
+ ],
+ "level": "medium",
+ "tags": [
+
+ ],
+ "rule": {
+ "path": "",
+ "subPath": null,
+ "selectCondition": {
+
+ },
+ "query": [
+ ],
+ "shouldExist": null,
+ "returnObject": null,
+ "removeIfNotExists": null
+ },
+ "output": {
+ "html": {
+ "data": {
+ "expandObject": null
+ },
+ "table": "Normal",
+ "decorate": [
+
+ ],
+ "emphasis": [
+
+ ],
+ "actions": {
+ "objectData": {
+ "properties": [
+ "*"
+ ],
+ "expandObject": null,
+ "limit": null
+ },
+ "showGoToButton": "True",
+ "showModalButton": "True",
+ "directLink": null
+ }
+ },
+ "text": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "status": {
+ "keyName": [
+
+ ],
+ "message": "Ensure guest access to content is restricted",
+ "defaultMessage": null
+ },
+ "properties": {
+ "resourceName": null,
+ "resourceId": null,
+ "resourceType": null
+ },
+ "onlyStatus": false
+ }
+ },
+ "idSuffix": "fabric_guest_access_to_content_not_restricted",
+ "notes": [
+
+ ],
+ "categories": [
+
+ ]
+}
+
diff --git a/rules/findings/Microsoft365/Microsoft Fabric/CIS3.1/fabric-guest-user-access-not-restricted.json b/rules/findings/Microsoft365/Microsoft Fabric/CIS3.1/fabric-guest-user-access-not-restricted.json
new file mode 100644
index 00000000..a325c18e
--- /dev/null
+++ b/rules/findings/Microsoft365/Microsoft Fabric/CIS3.1/fabric-guest-user-access-not-restricted.json
@@ -0,0 +1,114 @@
+{
+ "args": [
+
+ ],
+ "provider": "Microsoft365",
+ "serviceType": "Microsoft Fabric",
+ "serviceName": "Microsoft 365",
+ "displayName": "Ensure guest user access is restricted",
+ "description": "This setting allows business-to-business (B2B) guests access to Microsoft Fabric, and contents that they have permissions to. With the setting turned off, B2B guest users receive an error when trying to access Power BI. The recommended state is Enabled for a subset of the organization or Disabled.",
+ "rationale": "Establishing and enforcing a dedicated security group prevents unauthorized access to Microsoft Fabric for guests collaborating in Azure that are new or assigned guest status from other applications. This upholds the principle of least privilege and uses role-based access control (RBAC). These security groups can also be used for tasks like conditional access, enhancing risk management and user accountability across the organization.",
+ "impact": "Security groups will need to be more closely tended to and monitored.",
+ "remediation": {
+ "text": "
+ ###### Restrict guest user access:
+ 1. Navigate to Microsoft Fabric https://app.powerbi.com/admin-portal
+ 2. Select Tenant settings.
+ 3. Scroll to Export and Sharing settings.
+ 4. Set Guest users can access Microsoft Fabric to one of these states:
+ * State 1: Disabled
+ * State 2: Enabled with Specific security groups selected and defined.
+
+ **Important** : If the organization doesn't actively use this feature it is recommended to keep it Disabled.
+ ",
+ "code": {
+ "powerShell": null,
+ "iac": null,
+ "terraform": null,
+ "other": null
+ }
+ },
+ "recommendation": null,
+ "references": [
+ "https://learn.microsoft.com/en-us/fabric/admin/service-admin-portal-export-sharing"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations Benchmark",
+ "version": "3.1.0",
+ "reference": "9.1.1",
+ "profile": "E3 Level 1"
+ }
+ ],
+ "level": "medium",
+ "tags": [
+
+ ],
+ "rule": {
+ "path": "",
+ "subPath": null,
+ "selectCondition": {
+
+ },
+ "query": [
+ ],
+ "shouldExist": null,
+ "returnObject": null,
+ "removeIfNotExists": null
+ },
+ "output": {
+ "html": {
+ "data": {
+ "expandObject": null
+ },
+ "table": "Normal",
+ "decorate": [
+
+ ],
+ "emphasis": [
+
+ ],
+ "actions": {
+ "objectData": {
+ "properties": [
+ "*"
+ ],
+ "expandObject": null,
+ "limit": null
+ },
+ "showGoToButton": "True",
+ "showModalButton": "True",
+ "directLink": null
+ }
+ },
+ "text": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "status": {
+ "keyName": [
+
+ ],
+ "message": "Ensure guest user access is restricted",
+ "defaultMessage": null
+ },
+ "properties": {
+ "resourceName": null,
+ "resourceId": null,
+ "resourceType": null
+ },
+ "onlyStatus": false
+ }
+ },
+ "idSuffix": "fabric_guest_user_access_not_restricted",
+ "notes": [
+
+ ],
+ "categories": [
+
+ ]
+}
+
diff --git a/rules/findings/Microsoft365/Microsoft Fabric/CIS3.1/fabric-interact-with-r-and-python-not-disabled.json b/rules/findings/Microsoft365/Microsoft Fabric/CIS3.1/fabric-interact-with-r-and-python-not-disabled.json
new file mode 100644
index 00000000..94f357e6
--- /dev/null
+++ b/rules/findings/Microsoft365/Microsoft Fabric/CIS3.1/fabric-interact-with-r-and-python-not-disabled.json
@@ -0,0 +1,112 @@
+{
+ "args": [
+
+ ],
+ "provider": "Microsoft365",
+ "serviceType": "Microsoft Fabric",
+ "serviceName": "Microsoft 365",
+ "displayName": "Ensure 'Interact with and share R and Python' visuals is 'Disabled'",
+ "description": "Power BI allows the integration of R and Python scripts directly into visuals. This feature allows data visualizations by incorporating custom calculations, statistical analyses, machine learning models, and more using R or Python scripts. Custom visuals can be created by embedding them directly into Power BI reports. Users can then interact with these visuals and see the results of the custom code within the Power BI interface.",
+ "rationale": "Disabling this feature can reduce the attack surface by preventing potential malicious code execution leading to data breaches, or unauthorized access. The potential for sensitive or confidential data being leaked to unintended users is also increased with the use of scripts.",
+ "impact": "Use of R and Python scripting will require exceptions for developers, along with more stringent code review.",
+ "remediation": {
+ "text": "
+ ###### Configure the recommended state:
+ 1. Navigate to Microsoft Fabric https://app.powerbi.com/admin-portal
+ 2. Select Tenant settings.
+ 3. Scroll to R and Python visuals settings.
+ 4. Set Interact with and share R and Python visuals to Disabled
+ ",
+ "code": {
+ "powerShell": null,
+ "iac": null,
+ "terraform": null,
+ "other": null
+ }
+ },
+ "recommendation": null,
+ "references": [
+ "https://learn.microsoft.com/en-us/power-bi/admin/service-admin-portal-r-python-visuals",
+ "https://learn.microsoft.com/en-us/power-bi/visuals/service-r-visuals",
+ "https://www.r-project.org/"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations Benchmark",
+ "version": "3.1.0",
+ "reference": "9.1.5",
+ "profile": "E3 Level 2"
+ }
+ ],
+ "level": "medium",
+ "tags": [
+
+ ],
+ "rule": {
+ "path": "",
+ "subPath": null,
+ "selectCondition": {
+
+ },
+ "query": [
+ ],
+ "shouldExist": null,
+ "returnObject": null,
+ "removeIfNotExists": null
+ },
+ "output": {
+ "html": {
+ "data": {
+ "expandObject": null
+ },
+ "table": "Normal",
+ "decorate": [
+
+ ],
+ "emphasis": [
+
+ ],
+ "actions": {
+ "objectData": {
+ "properties": [
+ "*"
+ ],
+ "expandObject": null,
+ "limit": null
+ },
+ "showGoToButton": "True",
+ "showModalButton": "True",
+ "directLink": null
+ }
+ },
+ "text": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "status": {
+ "keyName": [
+
+ ],
+ "message": "Ensure 'Interact with and share R and Python' visuals is 'Disabled'",
+ "defaultMessage": null
+ },
+ "properties": {
+ "resourceName": null,
+ "resourceId": null,
+ "resourceType": null
+ },
+ "onlyStatus": false
+ }
+ },
+ "idSuffix": "fabric_interact_R_and_python_not_disabled",
+ "notes": [
+
+ ],
+ "categories": [
+
+ ]
+}
+
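Review bot: The `remediation.text` value spans several physical lines with literal line breaks inside the JSON string, which RFC 8259 does not permit (control characters must be escaped), so a strict parser will reject this file; the repository's older rules escaped them, and the old audit-log remediation in this same diff used `\r\n` sequences for exactly this. Unless the rule loader is known to be lenient, the text should be a single line with `\n` escapes, e.g. `"text": "###### Configure the recommended state:\n1. Navigate to Microsoft Fabric https://app.powerbi.com/admin-portal\n2. Select Tenant settings.\n…"`. The same unescaped multi-line strings appear in fabric-guest-user-access, fabric-publish-to-web, fabric-shareable-links (description and remediation), purview-dlp-policies-Teams (description and rationale), purview-dlp-policies, purview-audit-log-search, the SharePoint information-protection rule, the role-group report rule and the Teams anonymous-users rule. Separately, `"showGoToButton": "True"` and `"showModalButton": "True"` are strings here while other rules in this change use the boolean `false` for the same keys; if the renderer tests truthiness rather than comparing the literal text, `"False"` would also be truthy, so the booleans `true`/`false` are the safer spelling.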
diff --git a/rules/findings/Microsoft365/Microsoft Fabric/CIS3.1/fabric-publish-to-web-not-restricted.json b/rules/findings/Microsoft365/Microsoft Fabric/CIS3.1/fabric-publish-to-web-not-restricted.json
new file mode 100644
index 00000000..2a44d49b
--- /dev/null
+++ b/rules/findings/Microsoft365/Microsoft Fabric/CIS3.1/fabric-publish-to-web-not-restricted.json
@@ -0,0 +1,115 @@
+{
+ "args": [
+
+ ],
+ "provider": "Microsoft365",
+ "serviceType": "Microsoft Fabric",
+ "serviceName": "Microsoft 365",
+ "displayName": "Ensure 'Publish to web' is restricted",
+ "description": "Power BI enables users to share reports and materials directly on the internet from both the application's desktop version and its web user interface. This functionality generates a publicly reachable web link that doesn't necessitate authentication or the need to be an AAD user in order to access and view it. The recommended state is Enabled for a subset of the organization or Disabled.",
+ "rationale": "When using Publish to Web anyone on the Internet can view a published report or visual. Viewing requires no authentication. It includes viewing detail-level data that your reports aggregate. By disabling the feature, restricting access to certain users and allowing existing embed codes organizations can mitigate the exposure of confidential or proprietary information.",
+ "impact": "Depending on the organization's utilization administrators may experience more overhead managing embed codes, and requests.",
+ "remediation": {
+ "text": "
+ ###### Restrict Publish to web:
+ 1. Navigate to Microsoft Fabric https://app.powerbi.com/admin-portal
+ 2. Select Tenant settings.
+ 3. Scroll to Export and Sharing settings.
+ 4. Set Publish to web to one of these states:
+ * State 1: Disabled
+ * State 2: Enabled with Choose how embed codes work set to Only allow existing codes AND Specific security groups selected and defined
+
+ **Important** : If the organization doesn't actively use this feature it is recommended to keep it Disabled.
+ ",
+ "code": {
+ "powerShell": null,
+ "iac": null,
+ "terraform": null,
+ "other": null
+ }
+ },
+ "recommendation": null,
+ "references": [
+ "https://learn.microsoft.com/en-us/power-bi/collaborate-share/service-publish-to-web",
+ "https://learn.microsoft.com/en-us/power-bi/admin/service-admin-portal-export-sharing#publish-to-web"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations Benchmark",
+ "version": "3.1.0",
+ "reference": "9.1.4",
+ "profile": "E3 Level 1"
+ }
+ ],
+ "level": "medium",
+ "tags": [
+
+ ],
+ "rule": {
+ "path": "",
+ "subPath": null,
+ "selectCondition": {
+
+ },
+ "query": [
+ ],
+ "shouldExist": null,
+ "returnObject": null,
+ "removeIfNotExists": null
+ },
+ "output": {
+ "html": {
+ "data": {
+ "expandObject": null
+ },
+ "table": "Normal",
+ "decorate": [
+
+ ],
+ "emphasis": [
+
+ ],
+ "actions": {
+ "objectData": {
+ "properties": [
+ "*"
+ ],
+ "expandObject": null,
+ "limit": null
+ },
+ "showGoToButton": "True",
+ "showModalButton": "True",
+ "directLink": null
+ }
+ },
+ "text": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "status": {
+ "keyName": [
+
+ ],
+ "message": "Ensure 'Publish to web' is restricted",
+ "defaultMessage": null
+ },
+ "properties": {
+ "resourceName": null,
+ "resourceId": null,
+ "resourceType": null
+ },
+ "onlyStatus": false
+ }
+ },
+ "idSuffix": "fabric_publish_to_web_not_restricted",
+ "notes": [
+
+ ],
+ "categories": [
+
+ ]
+}
+
diff --git a/rules/findings/Microsoft365/Microsoft Fabric/CIS3.1/fabric-shareable-links-not-restricted.json b/rules/findings/Microsoft365/Microsoft Fabric/CIS3.1/fabric-shareable-links-not-restricted.json
new file mode 100644
index 00000000..49f07681
--- /dev/null
+++ b/rules/findings/Microsoft365/Microsoft Fabric/CIS3.1/fabric-shareable-links-not-restricted.json
@@ -0,0 +1,120 @@
+{
+ "args": [
+
+ ],
+ "provider": "Microsoft365",
+ "serviceType": "Microsoft Fabric",
+ "serviceName": "Microsoft 365",
+ "displayName": "Ensure shareable links are restricted",
+ "description": "
+ Creating a shareable link allows a user to create a link to a report or dashboard, then add that link to an email or another messaging application. There are 3 options that can be selected when creating a shareable link:
+ * People in your organization
+ * People with existing access
+ * Specific people
+ This setting solely deals with restrictions to People in the organization. External users by default are not included in any of these categories, and therefore cannot use any of these links regardless of the state of this setting. The recommended state is `Enabled for a subset of the organization` or `Disabled`.
+ ",
+ "rationale": "While external users are unable to utilize shareable links, disabling or restricting this feature ensures that a user cannot generate a link accessible by individuals within the same organization who lack the necessary clearance to the shared data. For example, a member of Human Resources intends to share sensitive information with a particular employee or another colleague within their department. The owner would be prompted to specify either People with existing access or Specific people when generating the link requiring the person clicking the link to pass a first layer access control list. This measure along with proper file and folder permissions can help prevent unintended access and potential information leakage.",
+ "impact": "If the setting is Enabled then only specific people in the organization would be allowed to create general links viewable by the entire organization.",
+ "remediation": {
+ "text": "
+ ###### Restrict shareable links:
+ 1. Navigate to Microsoft Fabric https://app.powerbi.com/admin-portal
+ 2. Select Tenant settings.
+ 3. Scroll to Export and Sharing settings.
+ 4. Set Allow shareable links to grant access to everyone in your organization to one of these states:
+ * State 1: Disabled
+ * State 2: Enabled with Specific security groups selected and defined.
+ **Important** : If the organization doesn't actively use this feature it is recommended to keep it `Disabled`.
+ ",
+ "code": {
+ "powerShell": null,
+ "iac": null,
+ "terraform": null,
+ "other": null
+ }
+ },
+ "recommendation": null,
+ "references": [
+ "https://learn.microsoft.com/en-us/power-bi/collaborate-share/service-share-dashboards?wt.mc_id=powerbi_inproduct_sharedialog#link-settings",
+ "https://learn.microsoft.com/en-us/power-bi/admin/service-admin-portal-export-sharing"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations Benchmark",
+ "version": "3.1.0",
+ "reference": "9.1.7",
+ "profile": "E3 Level 1"
+ }
+ ],
+ "level": "medium",
+ "tags": [
+
+ ],
+ "rule": {
+ "path": "",
+ "subPath": null,
+ "selectCondition": {
+
+ },
+ "query": [
+ ],
+ "shouldExist": null,
+ "returnObject": null,
+ "removeIfNotExists": null
+ },
+ "output": {
+ "html": {
+ "data": {
+ "expandObject": null
+ },
+ "table": "Normal",
+ "decorate": [
+
+ ],
+ "emphasis": [
+
+ ],
+ "actions": {
+ "objectData": {
+ "properties": [
+ "*"
+ ],
+ "expandObject": null,
+ "limit": null
+ },
+ "showGoToButton": "True",
+ "showModalButton": "True",
+ "directLink": null
+ }
+ },
+ "text": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "status": {
+ "keyName": [
+
+ ],
+ "message": "Ensure shareable links are restricted",
+ "defaultMessage": null
+ },
+ "properties": {
+ "resourceName": null,
+ "resourceId": null,
+ "resourceType": null
+ },
+ "onlyStatus": false
+ }
+ },
+ "idSuffix": "fabric_shareable_links_not_restricted",
+ "notes": [
+
+ ],
+ "categories": [
+
+ ]
+}
+
diff --git a/rules/findings/Microsoft365/MicrosoftForms/CIS1.4/forms-internal-phishing-protection-disabled.json b/rules/findings/Microsoft365/Microsoft Forms/CIS3.1/forms-internal-phishing-protection-disabled.json
similarity index 91%
rename from rules/findings/Microsoft365/MicrosoftForms/CIS1.4/forms-internal-phishing-protection-disabled.json
rename to rules/findings/Microsoft365/Microsoft Forms/CIS3.1/forms-internal-phishing-protection-disabled.json
index def29836..6314ae7d 100644
--- a/rules/findings/Microsoft365/MicrosoftForms/CIS1.4/forms-internal-phishing-protection-disabled.json
+++ b/rules/findings/Microsoft365/Microsoft Forms/CIS3.1/forms-internal-phishing-protection-disabled.json
@@ -1,4 +1,4 @@
-{
+{
"args": [
],
@@ -25,9 +25,10 @@
],
"compliance": [
{
- "name": "CIS Microsoft 365 Foundations",
- "version": "1.4.0",
- "reference": "2.10"
+ "name": "CIS Microsoft 365 Foundations Benchmark",
+ "version": "3.1.0",
+ "reference": "1.3.5",
+ "profile": "E3 Level 1"
}
],
"level": "medium",
@@ -80,13 +81,15 @@
],
"actions": {
"objectData": {
- "expand": [
+ "properties": [
"*"
],
+ "expandObject": null,
"limit": null
},
"showGoToButton": "True",
- "showModalButton": "True"
+ "showModalButton": "True",
+ "directLink": null
}
},
"text": {
@@ -111,7 +114,7 @@
"onlyStatus": false
}
},
- "idSuffix": "o365_forms_phishing_protection_disabled",
+ "idSuffix": "m365_forms_phishing_protection_disabled",
"notes": [
],
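Review bot: Renaming `idSuffix` from `o365_forms_phishing_protection_disabled` to `m365_forms_phishing_protection_disabled` changes the finding's identifier, so any consumer keyed on the old value (suppression lists, accepted-risk baselines, dashboards, ticket correlation) will silently stop matching and the finding will reappear as new. The same rename is made in purview-dlp-policies-Teams, purview-dlp-policies, purview-audit-log-search and sway-external-sharing. If finding IDs are treated as a stable contract, an old-to-new mapping in the release notes, or a deprecated alias if the engine supports one, would avoid the surprise.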
@@ -119,3 +122,4 @@
]
}
+
diff --git a/rules/findings/Microsoft365/SecurityAndCompliance/CIS1.4/exchange-dlp-policies-Teams-disabled.json b/rules/findings/Microsoft365/Microsoft Purview/DLP/CIS3.1/purview-dlp-policies-Teams-disabled.json
similarity index 50%
rename from rules/findings/Microsoft365/SecurityAndCompliance/CIS1.4/exchange-dlp-policies-Teams-disabled.json
rename to rules/findings/Microsoft365/Microsoft Purview/DLP/CIS3.1/purview-dlp-policies-Teams-disabled.json
index d2808544..165eba22 100644
--- a/rules/findings/Microsoft365/SecurityAndCompliance/CIS1.4/exchange-dlp-policies-Teams-disabled.json
+++ b/rules/findings/Microsoft365/Microsoft Purview/DLP/CIS3.1/purview-dlp-policies-Teams-disabled.json
@@ -1,14 +1,20 @@
-{
+{
"args": [
],
"provider": "Microsoft365",
- "serviceType": "Security and Compliance",
+ "serviceType": "Purview",
"serviceName": "Microsoft 365",
"displayName": "Ensure DLP policies are enabled for Microsoft Teams",
- "description": "Enabling Data Loss Prevention (DLP) policies for Microsoft Teams, blocks sensitive content when shared in teams or channels. Content to be scanned for specific types of data like social security numbers, credit card numbers, or passwords.",
- "rationale": "Enabling DLP policies alerts users and administrators that specific types of data should not be exposed, helping to protect the data from accidental exposure.",
- "impact": "Enabling a Teams DLP policy will allow sensitive data in Teams channels or chat messages to be detected or blocked.",
+ "description": "
+ The default Teams Data Loss Prevention (DLP) policy rule in Microsoft 365 is a preconfigured rule that is automatically applied to all Teams conversations and channels. The default rule helps prevent accidental sharing of sensitive information by detecting and blocking certain types of content that are deemed sensitive or inappropriate by the organization.
+ By default, the rule includes a check for the sensitive info type Credit Card Number which is pre-defined by Microsoft.
+ ",
+ "rationale": "
+ Enabling the default Teams DLP policy rule in Microsoft 365 helps protect an organization's sensitive information by preventing accidental sharing or leakage Credit Card information in Teams conversations and channels.
+ DLP rules are not one size fits all, but at a minimum something should be defined. The organization should identify sensitive information important to them and seek to intercept it using DLP.
+ ",
+ "impact": "End-users may be prevented from sharing certain types of content, which may require them to adjust their behavior or seek permission from administrators to share specific content. Administrators may receive requests from end-users for permission to share certain types of content or to modify the policy to better fit the needs of their teams.",
"remediation": {
"text": null,
"code": {
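Review bot: The new `rationale` reads "preventing accidental sharing or leakage Credit Card information", which is missing a preposition; `…preventing accidental sharing or leakage of Credit Card information in Teams conversations and channels.`. The description now talks specifically about the default Teams DLP policy rule, so it is worth checking that the query later in this file (enabled policies with a zero `TeamsLocation.Count`) actually corresponds to that default rule rather than to any Teams-scoped policy; from the diff alone the two do not obviously line up.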
@@ -20,18 +26,20 @@
},
"recommendation": null,
"references": [
- "https://docs.microsoft.com/en-us/microsoft-365/compliance/dlp-microsoft-teams?view=o365-worldwide"
+ "https://learn.microsoft.com/en-us/powershell/exchange/connect-to-scc-powershell?view=exchange-ps",
+ "https://learn.microsoft.com/en-us/purview/dlp-teams-default-policy?view=o365-worldwide%2F1000",
+ "https://learn.microsoft.com/en-us/powershell/module/exchange/connect-ippssession?view=exchange-ps"
],
"compliance": [
{
- "name": "CIS Microsoft 365 Foundations",
- "version": "1.4.0",
- "reference": "3.5"
+ "name": "CIS Microsoft 365 Foundations Benchmark",
+ "version": "3.1.0",
+ "reference": "3.2.2",
+ "profile": "E5 Level 1"
}
],
"level": "medium",
"tags": [
- "Microsoft 365 CIS benchmark 3.5"
],
"rule": {
"path": "o365_secomp_dlp_compliance_info",
@@ -50,9 +58,9 @@
"True"
],
[
- "Policy.TeamsLocation.Name",
+ "Policy.TeamsLocation.Count",
"eq",
- "All"
+ "0"
]
],
"operator": "and"
@@ -60,7 +68,7 @@
]
}
],
- "shouldExist": "true",
+ "shouldExist": null,
"returnObject": {
"Feature": "Enabled DLP Policies For Teams",
"Status": "DoesNotExists"
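Review bot: With `shouldExist` changed from `"true"` to `null`, the `returnObject` kept as context (`"Feature": "Enabled DLP Policies For Teams", "Status": "DoesNotExists"`) looks stale: if a null `shouldExist` means the rule reports the objects matched by the query (enabled policies whose `Policy.TeamsLocation.Count` equals `"0"`) instead of the absence of a match, the synthetic DoesNotExists object is either never emitted or describes the wrong state. Either keep `"shouldExist": "true"` with a query that selects the desired policies, or set `"returnObject": null` as the other new rules in this change do. The same combination appears in purview-dlp-policies-disabled. The exact semantics of `shouldExist` are not visible in this diff, so please confirm against the rule engine.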
@@ -87,13 +95,15 @@
],
"actions": {
"objectData": {
- "expand": [
+ "properties": [
"Policy"
],
+ "expandObject": null,
"limit": null
},
"showGoToButton": "True",
- "showModalButton": "True"
+ "showModalButton": "True",
+ "directLink": null
}
},
"text": {
@@ -118,7 +128,7 @@
"onlyStatus": false
}
},
- "idSuffix": "o365_exo_dlp_Teams_disabled",
+ "idSuffix": "m365_exo_dlp_Teams_disabled",
"notes": [
],
@@ -126,3 +136,4 @@
]
}
+
diff --git a/rules/findings/Microsoft365/SecurityAndCompliance/CIS1.4/exchange-dlp-policies-disabled.json b/rules/findings/Microsoft365/Microsoft Purview/DLP/CIS3.1/purview-dlp-policies-disabled.json
similarity index 59%
rename from rules/findings/Microsoft365/SecurityAndCompliance/CIS1.4/exchange-dlp-policies-disabled.json
rename to rules/findings/Microsoft365/Microsoft Purview/DLP/CIS3.1/purview-dlp-policies-disabled.json
index 4602aadd..bbee6710 100644
--- a/rules/findings/Microsoft365/SecurityAndCompliance/CIS1.4/exchange-dlp-policies-disabled.json
+++ b/rules/findings/Microsoft365/Microsoft Purview/DLP/CIS3.1/purview-dlp-policies-disabled.json
@@ -1,16 +1,21 @@
-{
+{
"args": [
],
"provider": "Microsoft365",
- "serviceType": "Security and Compliance",
+ "serviceType": "Purview",
"serviceName": "Microsoft 365",
"displayName": "Ensure DLP policies are enabled",
- "description": "Enabling Data Loss Prevention (DLP) policies allows Exchange Online and SharePoint Online content to be scanned for specific types of data like social security numbers, credit card numbers, or passwords.",
- "rationale": null,
- "impact": null,
+ "description": "Data Loss Prevention (DLP) policies allow Exchange Online and SharePoint Online content to be scanned for specific types of data like social security numbers, credit card numbers, or passwords.",
+ "rationale": "Enabling DLP policies alerts users and administrators that specific types of data should not be exposed, helping to protect the data from accidental exposure.",
+ "impact": "Enabling a Teams DLP policy will allow sensitive data in Exchange Online and SharePoint Online to be detected or blocked. Always ensure to follow appropriate procedures during testing and implementation of DLP policies based on organizational standards.",
"remediation": {
- "text": null,
+ "text": "
+ ###### To enable DLP policies:
+ 1. Navigate to Microsoft Purview https://compliance.microsoft.com.
+ 2. Under Solutions select Data loss prevention then Policies.
+ 3. Click Create policy.
+ ",
"code": {
"powerShell": null,
"iac": null,
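Review bot: The new `impact` text says "Enabling a Teams DLP policy will allow sensitive data in Exchange Online and SharePoint Online to be detected or blocked", but this rule is the general one (`displayName` is "Ensure DLP policies are enabled"; the Teams case is purview-dlp-policies-Teams-disabled), so "Teams" reads as a copy-paste leftover. Suggest `"impact": "Enabling a DLP policy will allow sensitive data in Exchange Online and SharePoint Online to be detected or blocked. Always ensure to follow appropriate procedures during testing and implementation of DLP policies based on organizational standards."`.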
@@ -24,14 +29,14 @@
],
"compliance": [
{
- "name": "CIS Microsoft 365 Foundations",
- "version": "1.4.0",
- "reference": "3.4"
+ "name": "CIS Microsoft 365 Foundations Benchmark",
+ "version": "3.1.0",
+ "reference": "3.2.1",
+ "profile": "E3 Level 1"
}
],
"level": "medium",
"tags": [
- "Microsoft 365 CIS benchmark 3.4"
],
"rule": {
"path": "o365_secomp_dlp_compliance_info",
@@ -47,14 +52,14 @@
[
"isEnabled",
"eq",
- "True"
+ "false"
]
]
}
]
}
],
- "shouldExist": "true",
+ "shouldExist": null,
"returnObject": {
"Feature": "Enabled DLP Policies",
"Status": "DoesNotExists"
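Review bot: The `isEnabled` comparison is changed to the lowercase string `"false"` while the sibling Teams rule compares the same property to `"True"` (visible as context in that file's query hunk); if the engine's `eq` is a case-sensitive string comparison one of the two spellings will never match, and if it coerces to boolean the inconsistency is harmless but confusing. Pick one spelling for the whole rule set, e.g. `"False"` here. Together with `shouldExist` becoming `null`, the rule now appears to report disabled policies as findings rather than the absence of an enabled one, which would mean a tenant with no DLP policies at all produces no finding; worth confirming that is the intended reading of CIS 3.2.1.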
@@ -78,13 +83,15 @@
],
"actions": {
"objectData": {
- "expand": [
+ "properties": [
"*"
],
+ "expandObject": null,
"limit": null
},
"showGoToButton": false,
- "showModalButton": false
+ "showModalButton": false,
+ "directLink": null
}
},
"text": {
@@ -109,7 +116,7 @@
"onlyStatus": false
}
},
- "idSuffix": "o365_exo_dlp_disabled",
+ "idSuffix": "m365_exo_dlp_disabled",
"notes": [
],
@@ -117,3 +124,4 @@
]
}
+
diff --git a/rules/findings/Microsoft365/SecurityAndCompliance/CIS1.4/exchange-audit-log-search-disabled.json b/rules/findings/Microsoft365/Microsoft Purview/General/CIS3.1/purview-audit-log-search-disabled.json
similarity index 50%
rename from rules/findings/Microsoft365/SecurityAndCompliance/CIS1.4/exchange-audit-log-search-disabled.json
rename to rules/findings/Microsoft365/Microsoft Purview/General/CIS3.1/purview-audit-log-search-disabled.json
index 2d31a12b..a195ed8e 100644
--- a/rules/findings/Microsoft365/SecurityAndCompliance/CIS1.4/exchange-audit-log-search-disabled.json
+++ b/rules/findings/Microsoft365/Microsoft Purview/General/CIS3.1/purview-audit-log-search-disabled.json
@@ -1,16 +1,22 @@
-{
+{
"args": [
],
"provider": "Microsoft365",
- "serviceType": "Security and Compliance",
+ "serviceType": "Purview",
"serviceName": "Microsoft 365",
"displayName": "Ensure Microsoft 365 audit log search is Enabled",
- "description": "When audit log search in the Microsoft 365 Security \u0026 Compliance Center is enabled, user and admin activity from your organization is recorded in the audit log and retained for 90 days. However, your organization might be using a third-party security information and event management (SIEM) application to access your auditing data. In that case, a global admin can turn off audit log search in Microsoft 365.",
- "rationale": "Enabling Microsoft 365 audit log search helps Office 365 back office teams to investigate activities for regular security operational or forensic purposes",
+ "description": "When audit log search is enabled in the Microsoft Purview compliance portal, user and admin activity within the organization is recorded in the audit log and retained for 90 days. However, some organizations may prefer to use a third-party security information and event management (SIEM) application to access their auditing data. In this scenario, a global admin can choose to turn off audit log search in Microsoft 365.",
+ "rationale": "Enabling audit log search in the Microsoft Purview compliance portal can help organizations improve their security posture, meet regulatory compliance requirements, respond to security incidents, and gain valuable operational insights.",
"impact": null,
"remediation": {
- "text": "###### To enable Microsoft 365 audit log search, use the Microsoft 365 Admin Center\r\n\t\t\t\t\t1. Log in as an Global Administrator\r\n\t\t\t\t\t2. Navigate to \u003ca href=\"https://protection.office.com\" target=\"_blank\"\u003eOffice 365 security \u0026 compliance center\u003c/a\u003e.\r\n\t\t\t\t\t3. In the `Security \u0026 Compliance Center`, expand `Search` then select `Audit log search`.\r\n\t\t\t\t\t4. Click `Start recording user and admin activities` next to the information warning at the top.\r\n\t\t\t\t\t5. Click `Yes` on the dialog box to confirm.\r\n\t\t\t\t\t\r\n\t\t\t\t\t###### To enable Microsoft 365 audit log search, use the Exchange Online PowerShell Module\r\n\t\t\t\t\t1. Run Microsoft Exchange Online PowerShell Module.\r\n\t\t\t\t\t2. Connect using `Connect-EXOPSSession`.\r\n\t\t\t\t\t3. Run the following PowerShell command:\r\n\t\t\t\t\t\r\n\t\t\t\t\t```\r\n\t\t\t\t\tSet-AdminAuditLogConfig -AdminAutidLogEnabled $true -UnifiedAuditLogIngestionEnabled $true\r\n\t\t\t\t\t```",
+ "text": "
+ ###### To enable Microsoft 365 audit log search:
+ 1. Navigate to Microsoft Purview https://compliance.microsoft.com.
+ 2. Select Audit to open the audit search.
+ 3. Click Start recording user and admin activity next to the information warning at the top.
+ 4. Click Yes on the dialog box to confirm.
+ ",
"code": {
"powerShell": null,
"iac": null,
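Review bot: The PowerShell remediation path is dropped from `remediation.text` while `code.powerShell` stays `null`, yet the updated references still cite the Set-AdminAuditLogConfig cmdlet page; the structured `code.powerShell` slot is the natural home for it, e.g. `"powerShell": "Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true"`. Without it an operator reading the finding gets only the portal steps, while the reference list points at a command the finding no longer shows. The enclosing object continues beyond this hunk, so the later `code` fields are not visible here.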
@@ -20,18 +26,19 @@
},
"recommendation": null,
"references": [
- "https://docs.microsoft.com/en-us/office365/securitycompliance/turn-audit-log-search-on-or-off"
+ "https://learn.microsoft.com/en-us/microsoft-365/compliance/audit-log-enable-disable?view=o365-worldwide",
+ "https://learn.microsoft.com/en-us/powershell/module/exchange/set-adminauditlogconfig?view=exchange-ps"
],
"compliance": [
{
- "name": "CIS Microsoft 365 Foundations",
- "version": "1.4.0",
- "reference": "5.1"
+ "name": "CIS Microsoft 365 Foundations Benchmark",
+ "version": "3.1.0",
+ "reference": "3.1.1",
+ "profile": "E3 Level 1"
}
],
"level": "medium",
"tags": [
- "Microsoft 365 CIS benchmark 5.1"
],
"rule": {
"path": "o365_secomp_log_config",
@@ -83,13 +90,15 @@
],
"actions": {
"objectData": {
- "expand": [
+ "properties": [
"Policy"
],
+ "expandObject": null,
"limit": null
},
"showGoToButton": "True",
- "showModalButton": "True"
+ "showModalButton": "True",
+ "directLink": null
}
},
"text": {
@@ -114,7 +123,7 @@
"onlyStatus": false
}
},
- "idSuffix": "o365_exo_auditing_disabled",
+ "idSuffix": "m365_exo_auditing_disabled",
"notes": [
],
@@ -122,3 +131,4 @@
]
}
+
diff --git a/rules/findings/Microsoft365/Microsoft Purview/Information Protection/CIS3.1/purview-sharepoint-online-lack-of-information-protection-policies.json b/rules/findings/Microsoft365/Microsoft Purview/Information Protection/CIS3.1/purview-sharepoint-online-lack-of-information-protection-policies.json
new file mode 100644
index 00000000..714cc0c9
--- /dev/null
+++ b/rules/findings/Microsoft365/Microsoft Purview/Information Protection/CIS3.1/purview-sharepoint-online-lack-of-information-protection-policies.json
@@ -0,0 +1,112 @@
+{
+ "args": [
+
+ ],
+ "provider": "Microsoft365",
+ "serviceType": "Purview",
+ "serviceName": "Microsoft 365",
+ "displayName": "Ensure SharePoint Online Information Protection policies are set up and used",
+ "description": "SharePoint Online Data Classification Policies enables organizations to classify and label content in SharePoint Online based on its sensitivity and business impact. This setting helps organizations to manage and protect sensitive data by automatically applying labels to content, which can then be used to apply policy-based protection and governance controls.",
+ "rationale": "By categorizing and applying policy-based protection, SharePoint Online Data Classification Policies can help reduce the risk of data loss or exposure and enable more effective incident response if a breach does occur.",
+ "impact": "The creation of data classification policies is unlikely to have a significant impact on an organization. However, maintaining long-term adherence to policies may require ongoing training and compliance efforts across the organization. Therefore, organizations should include training and compliance planning as part of the data classification policy creation process.",
+ "remediation": {
+ "text": "
+ ###### To set up SharePoint Online Information Protection:
+ 1. Navigate to Microsoft Purview compliance portal https://compliance.microsoft.com.
+ 2. Under Solutions select Information protection.
+ 3. Click on the Label policies tab.
+ 4. Click Create a label to create a label.
+ 5. Select the label and click on the Publish label.
+ 6. Fill out the forms to create the policy.
+ ",
+ "code": {
+ "powerShell": null,
+ "iac": null,
+ "terraform": null,
+ "other": null
+ }
+ },
+ "recommendation": null,
+ "references": [
+ "https://learn.microsoft.com/en-us/microsoft-365/compliance/data-classification-overview?view=o365-worldwide#top-sensitivity-labels-applied-to-content",
+ "https://learn.microsoft.com/en-us/purview/sensitivity-labels-sharepoint-onedrive-files"
+
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations Benchmark",
+ "version": "3.1.0",
+ "reference": "3.3.1",
+ "profile": "E3 Level 1"
+ }
+ ],
+ "level": "medium",
+ "tags": [
+ ],
+ "rule": {
+ "path": "",
+ "subPath": null,
+ "selectCondition": {
+
+ },
+ "query": [
+ ],
+ "shouldExist": "true",
+ "returnObject": null,
+ "removeIfNotExists": null
+ },
+ "output": {
+ "html": {
+ "data": {
+ "expandObject": null
+ },
+ "table": "Normal",
+ "decorate": [
+
+ ],
+ "emphasis": [
+
+ ],
+ "actions": {
+ "objectData": {
+ "properties": [
+ ],
+ "expandObject": null,
+ "limit": null
+ },
+ "showGoToButton": "True",
+ "showModalButton": "True",
+ "directLink": null
+ }
+ },
+ "text": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "status": {
+ "keyName": [
+
+ ],
+ "message": "Ensure SharePoint Online Information Protection policies are set up and used",
+ "defaultMessage": null
+ },
+ "properties": {
+ "resourceName": null,
+ "resourceId": null,
+ "resourceType": null
+ },
+ "onlyStatus": false
+ }
+ },
+ "idSuffix": "m365_purview_lack_spo_information_protection_policies",
+ "notes": [
+
+ ],
+ "categories": [
+
+ ]
+}
+
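Review bot: `rule.shouldExist` is `"true"` here although `path` is `""` and `query` is empty, whereas every other new manual-check rule in this change (the Fabric rules, the role-group report) uses `"shouldExist": null` for the same empty-rule shape; if the engine treats `"true"` with nothing to match as "expected object missing", this rule fires unconditionally, which may be intended for a manual control but should be deliberate and consistent. `actions.objectData.properties` is also an empty array here while the sibling rules use `["*"]`, and there is a stray blank line inside the `references` array. Suggest `"shouldExist": null` and `"properties": ["*"]` unless the difference is deliberate, in which case a `notes` entry explaining it would help.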
diff --git a/rules/findings/Microsoft365/Microsoft Purview/Reports/CIS3.1/purview-user-role-group-changes-report-is-reviewed.json b/rules/findings/Microsoft365/Microsoft Purview/Reports/CIS3.1/purview-user-role-group-changes-report-is-reviewed.json
new file mode 100644
index 00000000..de410c23
--- /dev/null
+++ b/rules/findings/Microsoft365/Microsoft Purview/Reports/CIS3.1/purview-user-role-group-changes-report-is-reviewed.json
@@ -0,0 +1,115 @@
+{
+ "args": [
+
+ ],
+ "provider": "Microsoft365",
+ "serviceType": "Purview",
+ "serviceName": "Microsoft 365",
+ "displayName": "Ensure user role group changes are reviewed at least weekly",
+ "description": "Role-Based Access Control allows for permissions to be assigned to users based on their roles within an organization. It is a more manageable form of access control that is less prone to errors. These user roles can be audited inside of Microsoft Purview to provide a security auditor insight into user privilege change.",
+ "rationale": "Weekly reviews provide an opportunity to identify rights changes in an organization and are a large part of maintaining Least Privilege and preventing Privilege creep. Insider Threats, either intentional or unintentional, can occur when a user has higher than needed privileges. Maintaining accountability of role membership will keep insiders and malicious actors limited in the scope of potential damaging activities.",
+ "impact": "By performing regular reviews, the Administrators assigning rights to users will need to inevitably provide justification for those changes to security auditors. Documentation that includes detailed policies, procedures, and change requests will need to be considered to keep a secure organization functioning within its planned operational level.",
+ "remediation": {
+ "text": "
+ ###### To review user role group changes:
+ 1. Navigate to Microsoft Purview https://compliance.microsoft.com/.
+ 2. Under Solutions click on Audit then select New Search.
+ 3. In Activities find Added member to Role under the Role administration activities section and select it.
+ 4. Set a valid Start Date and End Date within the last week.
+ 5. Click Search.
+ 6. Review once the search is completed.
+ ",
+ "code": {
+ "powerShell": null,
+ "iac": null,
+ "terraform": null,
+ "other": null
+ }
+ },
+ "recommendation": null,
+ "references": [
+ "https://learn.microsoft.com/en-us/powershell/module/exchange/search-unifiedauditlog?view=exchange-ps"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations Benchmark",
+ "version": "3.1.0",
+ "reference": "3.1.2",
+ "profile": "E3 Level 1"
+ }
+ ],
+ "level": "info",
+ "tags": [
+
+ ],
+ "rule": {
+ "path": "",
+ "subPath": null,
+ "selectCondition": {
+
+ },
+ "query": [
+ ],
+ "shouldExist": null,
+ "returnObject": null,
+ "removeIfNotExists": null
+ },
+ "output": {
+ "html": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "table": null,
+ "decorate": [
+
+ ],
+ "emphasis": [
+
+ ],
+ "actions": {
+ "objectData": {
+ "properties": [
+ "*"
+ ],
+ "expandObject": null,
+ "limit": null
+ },
+ "showGoToButton": false,
+ "showModalButton": false,
+ "directLink": null
+ }
+ },
+ "text": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "status": {
+ "keyName": [
+
+ ],
+ "message": "Ensure user role group changes are reviewed at least weekly",
+ "defaultMessage": null
+ },
+ "properties": {
+ "resourceName": null,
+ "resourceId": null,
+ "resourceType": null
+ },
+ "onlyStatus": false
+ }
+ },
+ "idSuffix": "m365_purview_user_role_group_change_report_is_reviewed",
+ "notes": [
+
+ ],
+ "categories": [
+
+ ]
+}
+
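Review bot: The `output.html.data` shape differs from every other rule in this change: it carries `"properties": {}` next to `expandObject`, and `"table"` is `null` rather than `"Normal"`, while `level` is `"info"` where the siblings use `"medium"`. If the HTML renderer expects the `{ "expandObject": null }` / `"Normal"` shape this rule may render differently or not at all, and if `info` is intentional because the control is a procedural weekly review rather than a configuration state, a short `notes` entry saying so would spare the next maintainer the guess. The single reference is the Search-UnifiedAuditLog cmdlet page while the remediation text is portal-only; a portal audit-search link alongside it, or the cmdlet in `code.powerShell`, would make the two agree.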
diff --git a/rules/findings/Microsoft365/MicrosoftSway/CIS1.4/sway-external-sharing-enabled.json b/rules/findings/Microsoft365/Microsoft Sway/CIS3.1/sway-external-sharing-enabled.json
similarity index 89%
rename from rules/findings/Microsoft365/MicrosoftSway/CIS1.4/sway-external-sharing-enabled.json
rename to rules/findings/Microsoft365/Microsoft Sway/CIS3.1/sway-external-sharing-enabled.json
index a8b7c06c..ebfef3be 100644
--- a/rules/findings/Microsoft365/MicrosoftSway/CIS1.4/sway-external-sharing-enabled.json
+++ b/rules/findings/Microsoft365/Microsoft Sway/CIS3.1/sway-external-sharing-enabled.json
@@ -1,4 +1,4 @@
-{
+{
"args": [
],
@@ -24,10 +24,11 @@
],
"compliance": [
{
- "name": "CIS Microsoft 365 Foundations",
- "version": "1.4.0",
- "reference": "2.11"
- }
+ "name": "CIS Microsoft 365 Foundations Benchmark",
+ "version": "3.1.0",
+ "reference": "1.3.8",
+ "profile": "E3 Level 2"
+ }
],
"level": "medium",
"tags": [
@@ -75,13 +76,15 @@
],
"actions": {
"objectData": {
- "expand": [
+ "properties": [
"*"
],
+ "expandObject": null,
"limit": null
},
"showGoToButton": false,
- "showModalButton": false
+ "showModalButton": false,
+ "directLink": null
}
},
"text": {
@@ -106,7 +109,7 @@
"onlyStatus": false
}
},
- "idSuffix": "o365_sway_external_sharing_enabled",
+ "idSuffix": "m365_sway_external_sharing_enabled",
"notes": [
],
@@ -114,3 +117,4 @@
]
}
+
diff --git a/rules/findings/Microsoft365/Microsoft Teams/CIS3.1/teams-anonymous-users-and-dial-in-callers-not-restricted-start-meeting.json b/rules/findings/Microsoft365/Microsoft Teams/CIS3.1/teams-anonymous-users-and-dial-in-callers-not-restricted-start-meeting.json
new file mode 100644
index 00000000..e7c4acb2
--- /dev/null
+++ b/rules/findings/Microsoft365/Microsoft Teams/CIS3.1/teams-anonymous-users-and-dial-in-callers-not-restricted-start-meeting.json
@@ -0,0 +1,118 @@
+{
+ "args": [
+
+ ],
+ "provider": "Microsoft365",
+ "serviceType": "Microsoft Teams",
+ "serviceName": "Microsoft 365",
+ "displayName": "Ensure anonymous users and dial-in callers can't start a meeting",
+ "description": "
+ This policy setting controls if an anonymous participant can start a Microsoft Teams meeting without someone in attendance. Anonymous users and dial-in callers must wait in the lobby until the meeting is started by someone in the organization or an external user from a trusted organization.
+ Anonymous participants are classified as:
+ * Participants who are not logged in to Teams with a work or school account.
+ * Participants from non-trusted organizations (as configured in external access).
+ * Participants from organizations where there is not mutual trust.
+ **Note** : This setting only applies when Who can bypass the lobby is set to Everyone. If the anonymous users can join a meeting organization-level setting or meeting policy is Off, this setting only applies to dial-in callers.
+ ",
+ "rationale": "Not allowing anonymous participants to automatically join a meeting reduces the risk of meeting spamming.",
+ "impact": "Anonymous participants will not be able to start a Microsoft Teams meeting.",
+ "remediation": {
+ "text": "
+ ###### To remediate using the UI:
+ 1. Navigate to Microsoft Teams admin center https://admin.teams.microsoft.com.
+ 2. Click to expand Meetings select Meeting policies.
+ 3. Click Global (Org-wide default).
+ 4. Under meeting join & lobby set Anonymous users and dial-in callers can start a meeting to Off.
+ ",
+ "code": {
+ "powerShell": null,
+ "iac": null,
+ "terraform": null,
+ "other": null
+ }
+ },
+ "recommendation": null,
+ "references": [
+ "https://learn.microsoft.com/en-us/microsoftteams/anonymous-users-in-meetings",
+ "https://learn.microsoft.com/en-US/microsoftteams/who-can-bypass-meeting-lobby?WT.mc_id=TeamsAdminCenterCSH#overview-of-lobby-settings-and-policies"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations Benchmark",
+ "version": "3.1.0",
+ "reference": "8.5.2",
+ "profile": "E3 Level 1"
+ }
+ ],
+ "level": "medium",
+ "tags": [
+
+ ],
+ "rule": {
+ "path": "",
+ "subPath": null,
+ "selectCondition": {
+
+ },
+ "query": [
+ ],
+ "shouldExist": null,
+ "returnObject": null,
+ "removeIfNotExists": null
+ },
+ "output": {
+ "html": {
+ "data": {
+ "expandObject": null
+ },
+ "table": "Normal",
+ "decorate": [
+
+ ],
+ "emphasis": [
+
+ ],
+ "actions": {
+ "objectData": {
+ "properties": [
+ "*"
+ ],
+ "expandObject": null,
+ "limit": null
+ },
+ "showGoToButton": "True",
+ "showModalButton": "True",
+ "directLink": null
+ }
+ },
+ "text": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "status": {
+ "keyName": [
+
+ ],
+ "message": "Ensure anonymous users and dial-in callers can't start a meeting",
+ "defaultMessage": null
+ },
+ "properties": {
+ "resourceName": null,
+ "resourceId": null,
+ "resourceType": null
+ },
+ "onlyStatus": false
+ }
+ },
+ "idSuffix": "teams_anonymous_users_and_dialin_callers_not_restricted_start_meeting",
+ "notes": [
+
+ ],
+ "categories": [
+
+ ]
+}
+
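Review bot: `"showGoToButton": "True"` and `"showModalButton": "True"` in the `output.html.actions` block are strings, while every other rule file in this diff writes these flags as JSON booleans (`false` in the purview report rule above and in the renamed Sway rule), so the type of these keys now varies across rule files; a typed deserializer would reject the string form, and a truthiness check would also accept `"False"`. Change them to `"showGoToButton": true,` and `"showModalButton": true,`. The same string booleans appear in each of the other new Teams rules in this commit (teams-anonymous-users-cant-join-meeting, teams-app-permission-policies-not-configured, teams-disable-users-sent-emails-to-channel-email-address, teams-external-access-not-restricted, teams-external-file-sharing-enabled-only-for-approved-cloud-storage-services, teams-external-meeting-chat-is-off, teams-external-participants-cannot-give-or-request-control, teams-meeting-chat-not-allow-anonymous-users). The `description` and `remediation.text` values also contain raw line breaks inside string literals, which RFC 8259 does not permit; if the rule loader is a strict JSON parser these files will not load, so escape the breaks as `\n` or use the single-line string form the sibling rules use. I cannot see the loader from here, so whether it tolerates unescaped newlines depends on which parser it uses.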
diff --git a/rules/findings/Microsoft365/Microsoft Teams/CIS3.1/teams-anonymous-users-cant-join-meeting.json b/rules/findings/Microsoft365/Microsoft Teams/CIS3.1/teams-anonymous-users-cant-join-meeting.json
new file mode 100644
index 00000000..3a6cb234
--- /dev/null
+++ b/rules/findings/Microsoft365/Microsoft Teams/CIS3.1/teams-anonymous-users-cant-join-meeting.json
@@ -0,0 +1,113 @@
+{
+ "args": [
+
+ ],
+ "provider": "Microsoft365",
+ "serviceType": "Microsoft Teams",
+ "serviceName": "Microsoft 365",
+ "displayName": "Ensure anonymous users can't join a meeting",
+ "description": "This policy setting can prevent anyone other than invited attendees (people directly invited by the organizer, or to whom an invitation was forwarded) from bypassing the lobby and entering the meeting.",
+ "rationale": "
+ For meetings that could contain sensitive information, it is best to allow the meeting organizer to vet anyone not directly sent an invite before admitting them to the meeting. This will also prevent the anonymous user from using the meeting link to have meetings at unscheduled times.
+ **Note** : Those companies that don't normally operate at a Level 2 environment, but do deal with sensitive information, may want to consider this policy setting.
+ ",
+ "impact": "Individuals who were not sent or forwarded a meeting invite will not be able to join the meeting automatically.",
+ "remediation": {
+ "text": "
+ ###### To remediate using the UI:
+ 1. Navigate to Microsoft Teams admin center https://admin.teams.microsoft.com.
+ 2. Click to expand Meetings select Meeting policies.
+ 3. Click Global (Org-wide default)
+ 4. Under meeting join & lobby set Anonymous users can join a meeting to Off.
+ ",
+ "code": {
+ "powerShell": null,
+ "iac": null,
+ "terraform": null,
+ "other": null
+ }
+ },
+ "recommendation": null,
+ "references": [
+ "https://learn.microsoft.com/en-us/MicrosoftTeams/configure-meetings-sensitive-protection"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations Benchmark",
+ "version": "3.1.0",
+ "reference": "8.5.1",
+ "profile": "E3 Level 2"
+ }
+ ],
+ "level": "medium",
+ "tags": [
+
+ ],
+ "rule": {
+ "path": "",
+ "subPath": null,
+ "selectCondition": {
+
+ },
+ "query": [
+ ],
+ "shouldExist": null,
+ "returnObject": null,
+ "removeIfNotExists": null
+ },
+ "output": {
+ "html": {
+ "data": {
+ "expandObject": null
+ },
+ "table": "Normal",
+ "decorate": [
+
+ ],
+ "emphasis": [
+
+ ],
+ "actions": {
+ "objectData": {
+ "properties": [
+ "*"
+ ],
+ "expandObject": null,
+ "limit": null
+ },
+ "showGoToButton": "True",
+ "showModalButton": "True",
+ "directLink": null
+ }
+ },
+ "text": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "status": {
+ "keyName": [
+
+ ],
+ "message": "Ensure anonymous users can't join a meeting",
+ "defaultMessage": null
+ },
+ "properties": {
+ "resourceName": null,
+ "resourceId": null,
+ "resourceType": null
+ },
+ "onlyStatus": false
+ }
+ },
+ "idSuffix": "teams_anonymous_users_not_restricted_join_meeting",
+ "notes": [
+
+ ],
+ "categories": [
+
+ ]
+}
+
diff --git a/rules/findings/Microsoft365/Microsoft Teams/CIS3.1/teams-app-permission-policies-not-configured.json b/rules/findings/Microsoft365/Microsoft Teams/CIS3.1/teams-app-permission-policies-not-configured.json
new file mode 100644
index 00000000..3518d465
--- /dev/null
+++ b/rules/findings/Microsoft365/Microsoft Teams/CIS3.1/teams-app-permission-policies-not-configured.json
@@ -0,0 +1,114 @@
+{
+ "args": [
+
+ ],
+ "provider": "Microsoft365",
+ "serviceType": "Microsoft Teams",
+ "serviceName": "Microsoft 365",
+ "displayName": "Ensure app permission policies are configured",
+ "description": "This policy setting controls which class of apps are available for users to install.",
+ "rationale": "Allowing users to install third-party or unverified apps poses a potential risk of introducing malicious software to the environment.",
+ "impact": "Users will only be able to install approved classes of apps.",
+ "remediation": {
+ "text": "
+ ###### To remediate using the UI:
+ 1. Navigate to Microsoft Teams admin center https://admin.teams.microsoft.com.
+ 2. Click to expand Teams apps select Manage apps.
+ 3. In the upper right click Actions > Org-wide app settings.
+ 4. For Microsoft apps set Let users install and use available apps by default to On or less permissive.
+ 5. For Third-party apps set Let users install and use available apps by default to Off.
+ 6. For Custom apps set Let users install and use available apps by default to Off.
+ 7. For Custom apps set Upload custom apps for personal use to Off.
+ ",
+ "code": {
+ "powerShell": null,
+ "iac": null,
+ "terraform": null,
+ "other": null
+ }
+ },
+ "recommendation": null,
+ "references": [
+ "https://learn.microsoft.com/en-us/microsoftteams/app-centric-management",
+ "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/step-by-step-guides/reducing-attack-surface-in-microsoft-teams?view=o365-worldwide#disabling-third-party--custom-apps"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations Benchmark",
+ "version": "3.1.0",
+ "reference": "8.4.1",
+ "profile": "E3 Level 1"
+ }
+ ],
+ "level": "medium",
+ "tags": [
+
+ ],
+ "rule": {
+ "path": "",
+ "subPath": null,
+ "selectCondition": {
+
+ },
+ "query": [
+ ],
+ "shouldExist": null,
+ "returnObject": null,
+ "removeIfNotExists": null
+ },
+ "output": {
+ "html": {
+ "data": {
+ "expandObject": null
+ },
+ "table": "Normal",
+ "decorate": [
+
+ ],
+ "emphasis": [
+
+ ],
+ "actions": {
+ "objectData": {
+ "properties": [
+ "*"
+ ],
+ "expandObject": null,
+ "limit": null
+ },
+ "showGoToButton": "True",
+ "showModalButton": "True",
+ "directLink": null
+ }
+ },
+ "text": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "status": {
+ "keyName": [
+
+ ],
+ "message": "Ensure app permission policies are configured",
+ "defaultMessage": null
+ },
+ "properties": {
+ "resourceName": null,
+ "resourceId": null,
+ "resourceType": null
+ },
+ "onlyStatus": false
+ }
+ },
+ "idSuffix": "teams_app_permissions_not_configured",
+ "notes": [
+
+ ],
+ "categories": [
+
+ ]
+}
+
diff --git a/rules/findings/Microsoft365/Microsoft Teams/CIS3.1/teams-disable-users-sent-emails-to-channel-email-address.json b/rules/findings/Microsoft365/Microsoft Teams/CIS3.1/teams-disable-users-sent-emails-to-channel-email-address.json
new file mode 100644
index 00000000..2e5bdb00
--- /dev/null
+++ b/rules/findings/Microsoft365/Microsoft Teams/CIS3.1/teams-disable-users-sent-emails-to-channel-email-address.json
@@ -0,0 +1,110 @@
+{
+ "args": [
+
+ ],
+ "provider": "Microsoft365",
+ "serviceType": "Microsoft Teams",
+ "serviceName": "Microsoft 365",
+ "displayName": "Ensure users can't send emails to a channel email address",
+ "description": "Teams channel email addresses are an optional feature that allows users to email the Teams channel directly.",
+ "rationale": "Channel email addresses are not under the tenant’s domain and organizations do not have control over the security settings for this email address. An attacker could email channels directly if they discover the channel email address.",
+ "impact": "Users will not be able to email the channel directly.",
+ "remediation": {
+ "text": "
+ ###### To remediate using the UI:
+ 1. Navigate to Microsoft Teams admin center https://admin.teams.microsoft.com.
+ 2. Click to expand Teams select Teams settings.
+ 3. Under email integration set Users can send emails to a channel email address to Off.
+ ",
+ "code": {
+ "powerShell": null,
+ "iac": null,
+ "terraform": null,
+ "other": null
+ }
+ },
+ "recommendation": null,
+ "references": [
+ "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/step-by-step-guides/reducing-attack-surface-in-microsoft-teams?view=o365-worldwide#restricting-channel-email-messages-to-approved-domains",
+ "https://learn.microsoft.com/en-us/powershell/module/skype/set-csteamsclientconfiguration?view=skype-ps"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations Benchmark",
+ "version": "3.1.0",
+ "reference": "8.1.2",
+ "profile": "E3 Level 1"
+ }
+ ],
+ "level": "medium",
+ "tags": [
+
+ ],
+ "rule": {
+ "path": "",
+ "subPath": null,
+ "selectCondition": {
+
+ },
+ "query": [
+ ],
+ "shouldExist": null,
+ "returnObject": null,
+ "removeIfNotExists": null
+ },
+ "output": {
+ "html": {
+ "data": {
+ "expandObject": null
+ },
+ "table": "Normal",
+ "decorate": [
+
+ ],
+ "emphasis": [
+
+ ],
+ "actions": {
+ "objectData": {
+ "properties": [
+ "*"
+ ],
+ "expandObject": null,
+ "limit": null
+ },
+ "showGoToButton": "True",
+ "showModalButton": "True",
+ "directLink": null
+ }
+ },
+ "text": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "status": {
+ "keyName": [
+
+ ],
+ "message": "Ensure users can't send emails to a channel email address",
+ "defaultMessage": null
+ },
+ "properties": {
+ "resourceName": null,
+ "resourceId": null,
+ "resourceType": null
+ },
+ "onlyStatus": false
+ }
+ },
+ "idSuffix": "teams_users_sending_emails_to_channel_email_address",
+ "notes": [
+
+ ],
+ "categories": [
+
+ ]
+}
+
diff --git a/rules/findings/Microsoft365/Microsoft Teams/CIS3.1/teams-external-access-not-restricted.json b/rules/findings/Microsoft365/Microsoft Teams/CIS3.1/teams-external-access-not-restricted.json
new file mode 100644
index 00000000..2010d861
--- /dev/null
+++ b/rules/findings/Microsoft365/Microsoft Teams/CIS3.1/teams-external-access-not-restricted.json
@@ -0,0 +1,129 @@
+{
+ "args": [
+
+ ],
+ "provider": "Microsoft365",
+ "serviceType": "Microsoft Teams",
+ "serviceName": "Microsoft 365",
+ "displayName": "Ensure 'external access' is restricted in the Teams admin center",
+ "description": "
+ This policy setting controls chat with external unmanaged Skype and Teams users. Users in the organization will not be searchable by unmanaged Skype or Teams users and will have to initiate all communications with unmanaged users.
+ **Note** : As of December 2021, the default for Teams external communication is set to `People in my organization can communicate with Teams users whose accounts aren't managed by an organization`.
+ **Note #2** : Skype for business is deprecated as of July 31, 2021, although these settings may still be valid for a period of time. See the link in the reference section for more information.
+ ",
+ "rationale": "
+ Allowing users to communicate with Skype or Teams users outside of an organization presents a potential security threat as external users can interact with organization users over Skype for Business or Teams. While legitimate, productivity-improving scenarios exist, they are outweighed by the risk of data loss, phishing, and social engineering attacks against organization users via Teams. Some real-world attacks and exploits delivered via Teams over external access channels include:
+ * DarkGate malware
+ * Social engineering / Phishing attacks by `Midnight Blizzard`
+ * GIFShell
+ * Username enumeration
+ ",
+ "impact": "
+ The impact of disabling external access to Teams and Skype for an organization is highly dependent on current usage practices. If users infrequently communicate with external parties using these channels, the impact is likely to be minimal. However, if users regularly use Teams and Skype for client communication, the impact could be significant. Therefore, before disabling external access, users should be notified, and alternate communication mechanisms should be identified to ensure continuity of communication.
+ **Note** : Chat with external unmanaged Teams users isn't available in GCC, GCC High, or DOD deployments, or in private cloud environments.
+ ",
+ "remediation": {
+ "text": "
+ ###### To remediate using the UI:
+ 1. Navigate to Microsoft Teams admin center https://admin.teams.microsoft.com/.
+ 2. Click to expand Users select External access.
+ 3. Under Teams and Skype for Business users in external organizations Select Block all external domains o If the organization's policy allows select any allowed external domains.
+ 4. Under Teams accounts not managed by an organization move the slider to Off.
+ 5. Under Skype users move the slider is to Off.
+ 6. Click Save.
+ ",
+ "code": {
+ "powerShell": null,
+ "iac": null,
+ "terraform": null,
+ "other": null
+ }
+ },
+ "recommendation": null,
+ "references": [
+ "https://learn.microsoft.com/en-us/skypeforbusiness/set-up-skype-for-business-online/set-up-skype-for-business-online",
+ "https://learn.microsoft.com/en-US/microsoftteams/manage-external-access?WT.mc_id=TeamsAdminCenterCSH",
+ "https://cybersecurity.att.com/blogs/security-essentials/darkgate-malware-delivered-via-microsoft-teams-detection-and-response",
+ "https://www.microsoft.com/en-us/security/blog/2023/08/02/midnight-blizzard-conducts-targeted-social-engineering-over-microsoft-teams/",
+ "https://www.bitdefender.com/blog/hotforsecurity/gifshell-attack-lets-hackers-create-reverse-shell-through-microsoft-teams-gifs/"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations Benchmark",
+ "version": "3.1.0",
+ "reference": "8.2.1",
+ "profile": "E3 Level 1"
+ }
+ ],
+ "level": "medium",
+ "tags": [
+
+ ],
+ "rule": {
+ "path": "",
+ "subPath": null,
+ "selectCondition": {
+
+ },
+ "query": [
+ ],
+ "shouldExist": null,
+ "returnObject": null,
+ "removeIfNotExists": null
+ },
+ "output": {
+ "html": {
+ "data": {
+ "expandObject": null
+ },
+ "table": "Normal",
+ "decorate": [
+
+ ],
+ "emphasis": [
+
+ ],
+ "actions": {
+ "objectData": {
+ "properties": [
+ "*"
+ ],
+ "expandObject": null,
+ "limit": null
+ },
+ "showGoToButton": "True",
+ "showModalButton": "True",
+ "directLink": null
+ }
+ },
+ "text": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "status": {
+ "keyName": [
+
+ ],
+ "message": "Ensure 'external access' is restricted in the Teams admin center",
+ "defaultMessage": null
+ },
+ "properties": {
+ "resourceName": null,
+ "resourceId": null,
+ "resourceType": null
+ },
+ "onlyStatus": false
+ }
+ },
+ "idSuffix": "teams_external_access_not_restricted",
+ "notes": [
+
+ ],
+ "categories": [
+
+ ]
+}
+
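Review bot: Step 3 of `remediation.text` reads "Select Block all external domains o If the organization's policy allows select any allowed external domains", where the lone "o" appears to be a dropped "or", and step 5 reads "move the slider is to Off" with a stray "is"; since this text is shown to operators as the fix, it should read cleanly. Suggested wording: `3. Under Teams and Skype for Business users in external organizations select Block all external domains, or, if the organization's policy allows, select only the approved external domains.` and `5. Under Skype users move the slider to Off.`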
diff --git a/rules/findings/Microsoft365/Microsoft Teams/CIS3.1/teams-external-file-sharing-enabled-only-for-approved-cloud-storage-services.json b/rules/findings/Microsoft365/Microsoft Teams/CIS3.1/teams-external-file-sharing-enabled-only-for-approved-cloud-storage-services.json
new file mode 100644
index 00000000..0aeb9cac
--- /dev/null
+++ b/rules/findings/Microsoft365/Microsoft Teams/CIS3.1/teams-external-file-sharing-enabled-only-for-approved-cloud-storage-services.json
@@ -0,0 +1,112 @@
+{
+ "args": [
+
+ ],
+ "provider": "Microsoft365",
+ "serviceType": "Microsoft Teams",
+ "serviceName": "Microsoft 365",
+ "displayName": "Ensure external file sharing in Teams is enabled for only approved cloud storage services",
+ "description": "
+ Microsoft Teams enables collaboration via file sharing. This file sharing is conducted within Teams, using SharePoint Online, by default; however, third-party cloud services are allowed as well.
+ **Note**: Skype for business is deprecated as of July 31, 2021 although these settings may still be valid for a period of time. See the link in the references section for more information.
+ ",
+ "rationale": "Ensuring that only authorized cloud storage providers are accessible from Teams will help to dissuade the use of non-approved storage providers.",
+ "impact": "The impact associated with this change is highly dependent upon current practices in the tenant. If users do not use other storage providers, then minimal impact is likely. However, if users do regularly utilize providers outside of the tenant this will affect their ability to continue to do so.",
+ "remediation": {
+ "text": "
+ ###### To set external file sharing in Teams:
+ 1. Navigate to Microsoft Teams admin center https://admin.teams.microsoft.com.
+ 2. Click to expand Teams select Teams settings.
+ 3. Set any unauthorized providers to Off.
+ ",
+ "code": {
+ "powerShell": null,
+ "iac": null,
+ "terraform": null,
+ "other": null
+ }
+ },
+ "recommendation": null,
+ "references": [
+ "https://learn.microsoft.com/en-us/microsoft-365/enterprise/manage-skype-for-business-online-with-microsoft-365-powershell?view=o365-worldwide"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations Benchmark",
+ "version": "3.1.0",
+ "reference": "8.1.1",
+ "profile": "E3 Level 2"
+ }
+ ],
+ "level": "medium",
+ "tags": [
+
+ ],
+ "rule": {
+ "path": "",
+ "subPath": null,
+ "selectCondition": {
+
+ },
+ "query": [
+ ],
+ "shouldExist": null,
+ "returnObject": null,
+ "removeIfNotExists": null
+ },
+ "output": {
+ "html": {
+ "data": {
+ "expandObject": null
+ },
+ "table": "Normal",
+ "decorate": [
+
+ ],
+ "emphasis": [
+
+ ],
+ "actions": {
+ "objectData": {
+ "properties": [
+ "*"
+ ],
+ "expandObject": null,
+ "limit": null
+ },
+ "showGoToButton": "True",
+ "showModalButton": "True",
+ "directLink": null
+ }
+ },
+ "text": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "status": {
+ "keyName": [
+
+ ],
+ "message": "Ensure external file sharing in Teams is enabled for only approved cloud storage services",
+ "defaultMessage": null
+ },
+ "properties": {
+ "resourceName": null,
+ "resourceId": null,
+ "resourceType": null
+ },
+ "onlyStatus": false
+ }
+ },
+ "idSuffix": "teams_external_file_sharing_enabled_only_for_approved_cloud_storage",
+ "notes": [
+
+ ],
+ "categories": [
+
+ ]
+}
+
diff --git a/rules/findings/Microsoft365/Microsoft Teams/CIS3.1/teams-external-meeting-chat-is-off.json b/rules/findings/Microsoft365/Microsoft Teams/CIS3.1/teams-external-meeting-chat-is-off.json
new file mode 100644
index 00000000..91142770
--- /dev/null
+++ b/rules/findings/Microsoft365/Microsoft Teams/CIS3.1/teams-external-meeting-chat-is-off.json
@@ -0,0 +1,110 @@
+{
+ "args": [
+
+ ],
+ "provider": "Microsoft365",
+ "serviceType": "Microsoft Teams",
+ "serviceName": "Microsoft 365",
+ "displayName": "Ensure external meeting chat is off",
+ "description": "This meeting policy setting controls whether users can read or write messages in external meeting chats with untrusted organizations. If an external organization is on the list of trusted organizations this setting will be ignored.",
+ "rationale": "Restricting access to chat in meetings hosted by external organizations limits the opportunity for an exploit like GIFShell or DarkGate malware from being delivered to users.",
+ "impact": "When joining external meetings users will be unable to read or write chat messages in Teams meetings with organizations that they don't have a trust relationship with. This will completely remove the chat functionality in meetings. From an I.T. perspective both the upkeep of adding new organizations to the trusted list and the decision-making process behind whether to trust or not trust an external partner will increase time expenditures.",
+ "remediation": {
+ "text": "
+ ###### To remediate using the UI:
+ 1. Navigate to Microsoft Teams admin center https://admin.teams.microsoft.com.
+ 2. Click to expand Meetings select Meeting policies.
+ 3. Click Global (Org-wide default).
+ 4. Under meeting engagement set External meeting chat to Off.
+ ",
+ "code": {
+ "powerShell": null,
+ "iac": null,
+ "terraform": null,
+ "other": null
+ }
+ },
+ "recommendation": null,
+ "references": [
+ "https://learn.microsoft.com/en-us/microsoftteams/settings-policies-reference?WT.mc_id=TeamsAdminCenterCSH#meeting-engagement"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations Benchmark",
+ "version": "3.1.0",
+ "reference": "8.5.8",
+ "profile": "E3 Level 2"
+ }
+ ],
+ "level": "medium",
+ "tags": [
+
+ ],
+ "rule": {
+ "path": "",
+ "subPath": null,
+ "selectCondition": {
+
+ },
+ "query": [
+ ],
+ "shouldExist": null,
+ "returnObject": null,
+ "removeIfNotExists": null
+ },
+ "output": {
+ "html": {
+ "data": {
+ "expandObject": null
+ },
+ "table": "Normal",
+ "decorate": [
+
+ ],
+ "emphasis": [
+
+ ],
+ "actions": {
+ "objectData": {
+ "properties": [
+ "*"
+ ],
+ "expandObject": null,
+ "limit": null
+ },
+ "showGoToButton": "True",
+ "showModalButton": "True",
+ "directLink": null
+ }
+ },
+ "text": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "status": {
+ "keyName": [
+
+ ],
+ "message": "Ensure external meeting chat is off",
+ "defaultMessage": null
+ },
+ "properties": {
+ "resourceName": null,
+ "resourceId": null,
+ "resourceType": null
+ },
+ "onlyStatus": false
+ }
+ },
+ "idSuffix": "teams_external_meeting_chat_not_configured",
+ "notes": [
+
+ ],
+ "categories": [
+
+ ]
+}
+
diff --git a/rules/findings/Microsoft365/Microsoft Teams/CIS3.1/teams-external-participants-cannot-give-or-request-control.json b/rules/findings/Microsoft365/Microsoft Teams/CIS3.1/teams-external-participants-cannot-give-or-request-control.json
new file mode 100644
index 00000000..978361a9
--- /dev/null
+++ b/rules/findings/Microsoft365/Microsoft Teams/CIS3.1/teams-external-participants-cannot-give-or-request-control.json
@@ -0,0 +1,111 @@
+{
+ "args": [
+
+ ],
+ "provider": "Microsoft365",
+ "serviceType": "Microsoft Teams",
+ "serviceName": "Microsoft 365",
+ "displayName": "Ensure external participants can't give or request control",
+ "description": "This policy setting allows control of who can present in meetings and who can request control of the presentation while a meeting is underway.",
+ "rationale": "Ensuring that only authorized individuals and not external participants are able to present and request control reduces the risk that a malicious user can inadvertently show content that is not appropriate. External participants are categorized as follows: external users, guests, and anonymous users.",
+ "impact": "External participants will not be able to present or request control during the meeting.",
+ "remediation": {
+ "text": "
+ ###### To remediate using the UI:
+ 1. Navigate to Microsoft Teams admin center https://admin.teams.microsoft.com.
+ 2. Click to expand Meetings select Meeting policies.
+ 3. Click Global (Org-wide default).
+ 4. Under content sharing set External participants can give or request control to Off.
+ ",
+ "code": {
+ "powerShell": null,
+ "iac": null,
+ "terraform": null,
+ "other": null
+ }
+ },
+ "recommendation": null,
+ "references": [
+ "https://learn.microsoft.com/en-us/microsoftteams/meeting-who-present-request-control",
+ "https://learn.microsoft.com/en-us/powershell/module/skype/set-csteamsmeetingpolicy?view=skype-ps"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations Benchmark",
+ "version": "3.1.0",
+ "reference": "8.5.7",
+ "profile": "E3 Level 1"
+ }
+ ],
+ "level": "medium",
+ "tags": [
+
+ ],
+ "rule": {
+ "path": "",
+ "subPath": null,
+ "selectCondition": {
+
+ },
+ "query": [
+ ],
+ "shouldExist": null,
+ "returnObject": null,
+ "removeIfNotExists": null
+ },
+ "output": {
+ "html": {
+ "data": {
+ "expandObject": null
+ },
+ "table": "Normal",
+ "decorate": [
+
+ ],
+ "emphasis": [
+
+ ],
+ "actions": {
+ "objectData": {
+ "properties": [
+ "*"
+ ],
+ "expandObject": null,
+ "limit": null
+ },
+ "showGoToButton": "True",
+ "showModalButton": "True",
+ "directLink": null
+ }
+ },
+ "text": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "status": {
+ "keyName": [
+
+ ],
+ "message": "Ensure external participants can't give or request control",
+ "defaultMessage": null
+ },
+ "properties": {
+ "resourceName": null,
+ "resourceId": null,
+ "resourceType": null
+ },
+ "onlyStatus": false
+ }
+ },
+ "idSuffix": "teams_external_participants_cannot_request_control",
+ "notes": [
+
+ ],
+ "categories": [
+
+ ]
+}
+
diff --git a/rules/findings/Microsoft365/Microsoft Teams/CIS3.1/teams-meeting-chat-not-allow-anonymous-users.json b/rules/findings/Microsoft365/Microsoft Teams/CIS3.1/teams-meeting-chat-not-allow-anonymous-users.json
new file mode 100644
index 00000000..c545ba42
--- /dev/null
+++ b/rules/findings/Microsoft365/Microsoft Teams/CIS3.1/teams-meeting-chat-not-allow-anonymous-users.json
@@ -0,0 +1,110 @@
+{
+ "args": [
+
+ ],
+ "provider": "Microsoft365",
+ "serviceType": "Microsoft Teams",
+ "serviceName": "Microsoft 365",
+ "displayName": "Ensure meeting chat does not allow anonymous users",
+ "description": "This policy setting controls who has access to read and write chat messages during a meeting.",
+ "rationale": "Ensuring that only authorized individuals can read and write chat messages during a meeting reduces the risk that a malicious user can inadvertently show content that is not appropriate or view sensitive information.",
+ "impact": "Only authorized individuals will be able to read and write chat messages during a meeting.",
+ "remediation": {
+ "text": "
+ ###### To remediate using the UI:
+ 1. Navigate to Microsoft Teams admin center https://admin.teams.microsoft.com.
+ 2. Click to expand Meetings select Meeting policies.
+ 3. Click Global (Org-wide default).
+ 4. Under meeting engagement set Meeting chat to On for everyone but anonymous users.
+ ",
+ "code": {
+ "powerShell": null,
+ "iac": null,
+ "terraform": null,
+ "other": null
+ }
+ },
+ "recommendation": null,
+ "references": [
+ "https://learn.microsoft.com/en-us/powershell/module/teams/set-csteamsmeetingpolicy?view=teams-ps&viewFallbackFrom=skype-ps#-meetingchatenabledtype"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations Benchmark",
+ "version": "3.1.0",
+ "reference": "8.5.5",
+ "profile": "E3 Level 2"
+ }
+ ],
+ "level": "medium",
+ "tags": [
+
+ ],
+ "rule": {
+ "path": "",
+ "subPath": null,
+ "selectCondition": {
+
+ },
+ "query": [
+ ],
+ "shouldExist": null,
+ "returnObject": null,
+ "removeIfNotExists": null
+ },
+ "output": {
+ "html": {
+ "data": {
+ "expandObject": null
+ },
+ "table": "Normal",
+ "decorate": [
+
+ ],
+ "emphasis": [
+
+ ],
+ "actions": {
+ "objectData": {
+ "properties": [
+ "*"
+ ],
+ "expandObject": null,
+ "limit": null
+ },
+ "showGoToButton": "True",
+ "showModalButton": "True",
+ "directLink": null
+ }
+ },
+ "text": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "status": {
+ "keyName": [
+
+ ],
+ "message": "Ensure meeting chat does not allow anonymous users",
+ "defaultMessage": null
+ },
+ "properties": {
+ "resourceName": null,
+ "resourceId": null,
+ "resourceType": null
+ },
+ "onlyStatus": false
+ }
+ },
+ "idSuffix": "teams_meeting_chat_allow_anonymous_users",
+ "notes": [
+
+ ],
+ "categories": [
+
+ ]
+}
+
diff --git a/rules/findings/Microsoft365/Microsoft Teams/CIS3.1/teams-only-org-people-can-bypass-lobby.json b/rules/findings/Microsoft365/Microsoft Teams/CIS3.1/teams-only-org-people-can-bypass-lobby.json
new file mode 100644
index 00000000..5b171cfe
--- /dev/null
+++ b/rules/findings/Microsoft365/Microsoft Teams/CIS3.1/teams-only-org-people-can-bypass-lobby.json
@@ -0,0 +1,111 @@
+{
+ "args": [
+
+ ],
+ "provider": "Microsoft365",
+ "serviceType": "Microsoft Teams",
+ "serviceName": "Microsoft 365",
+ "displayName": "Ensure only people in my org can bypass the lobby",
+ "description": "This policy setting controls who can join a meeting directly and who must wait in the lobby until they're admitted by an organizer, co-organizer, or presenter of the meeting.",
+ "rationale": "For meetings that could contain sensitive information, it is best to allow the meeting organizer to vet anyone not directly sent an invite before admitting them to the meeting. This will also prevent the anonymous user from using the meeting link to have meetings at unscheduled times.",
+ "impact": "Individuals who are not part of the organization will have to wait in the lobby until they're admitted by an organizer, co-organizer, or presenter of the meeting. Any individual who dials into the meeting regardless of status will also have to wait in the lobby. This includes internal users who are considered unauthenticated when dialing in.",
+ "remediation": {
+ "text": "
+ ###### To remediate using the UI:
+ 1. Navigate to Microsoft Teams admin center https://admin.teams.microsoft.com.
+ 2. Click to expand Meetings select Meeting policies.
+ 3. Click Global (Org-wide default).
+ 4. Under meeting join & lobby set Who can bypass the lobby to People in my org.
+ ",
+ "code": {
+ "powerShell": null,
+ "iac": null,
+ "terraform": null,
+ "other": null
+ }
+ },
+ "recommendation": null,
+ "references": [
+ "https://learn.microsoft.com/en-US/microsoftteams/who-can-bypass-meeting-lobby?WT.mc_id=TeamsAdminCenterCSH",
+ "https://learn.microsoft.com/en-us/powershell/module/skype/set-csteamsmeetingpolicy?view=skype-ps"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations Benchmark",
+ "version": "3.1.0",
+ "reference": "8.5.3",
+ "profile": "E3 Level 1"
+ }
+ ],
+ "level": "medium",
+ "tags": [
+
+ ],
+ "rule": {
+ "path": "",
+ "subPath": null,
+ "selectCondition": {
+
+ },
+ "query": [
+ ],
+ "shouldExist": null,
+ "returnObject": null,
+ "removeIfNotExists": null
+ },
+ "output": {
+ "html": {
+ "data": {
+ "expandObject": null
+ },
+ "table": "Normal",
+ "decorate": [
+
+ ],
+ "emphasis": [
+
+ ],
+ "actions": {
+ "objectData": {
+ "properties": [
+ "*"
+ ],
+ "expandObject": null,
+ "limit": null
+ },
+ "showGoToButton": "True",
+ "showModalButton": "True",
+ "directLink": null
+ }
+ },
+ "text": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "status": {
+ "keyName": [
+
+ ],
+ "message": "Ensure only people in my org can bypass the lobby",
+ "defaultMessage": null
+ },
+ "properties": {
+ "resourceName": null,
+ "resourceId": null,
+ "resourceType": null
+ },
+ "onlyStatus": false
+ }
+ },
+ "idSuffix": "teams_bypass_lobby_not_configured",
+ "notes": [
+
+ ],
+ "categories": [
+
+ ]
+}
+
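Review bot: The rule block near the end of this file (`"path": ""` with an empty `"query"`) carries no data source and no condition, so the CIS 8.5.3 control cannot actually be evaluated — depending on how the engine treats an empty path the finding will either never fire or fire unconditionally, while the report still presents the control as covered. Until a query exists (presumably against the lobby-admittance property documented on the referenced `Set-CsTeamsMeetingPolicy` page), make the gap visible with a `"notes"` entry such as `"Audit query not yet implemented; verify manually"`. Separately, `"remediation.text"` contains raw line breaks inside a JSON string, which RFC 8259 parsers reject; that is only safe if the rule loader is known to be lenient, otherwise use `\n` escapes as the older rules removed in this diff do. `"showGoToButton": "True"` is a string here whereas the SharePoint rule renamed later in this diff uses the boolean `false`; one type across the rule set is safer for whatever consumes it.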
diff --git a/rules/findings/Microsoft365/Microsoft Teams/CIS3.1/teams-only-organizers-and-co-organizers-can-present.json b/rules/findings/Microsoft365/Microsoft Teams/CIS3.1/teams-only-organizers-and-co-organizers-can-present.json
new file mode 100644
index 00000000..9f3b2b13
--- /dev/null
+++ b/rules/findings/Microsoft365/Microsoft Teams/CIS3.1/teams-only-organizers-and-co-organizers-can-present.json
@@ -0,0 +1,116 @@
+{
+ "args": [
+
+ ],
+ "provider": "Microsoft365",
+ "serviceType": "Microsoft Teams",
+ "serviceName": "Microsoft 365",
+ "displayName": "Ensure only organizers and co-organizers can present",
+ "description": "
+ This policy setting controls who can present in a Teams meeting.
+ **Note** : Organizers and co-organizers can change this setting when the meeting is set up.
+ ",
+ "rationale": "Ensuring that only authorized individuals are able to present reduces the risk that a malicious user can inadvertently show content that is not appropriate.",
+ "impact": "Only organizers and co-organizers will be able to present without being granted permission.",
+ "remediation": {
+ "text": "
+ ###### To remediate using the UI:
+ 1. Navigate to Microsoft Teams admin center https://admin.teams.microsoft.com.
+ 2. Click to expand Meetings select Meeting policies.
+ 3. Click Global (Org-wide default).
+ 4. Under content sharing set Who can present to Only organizers and co-organizers.
+ ",
+ "code": {
+ "powerShell": null,
+ "iac": null,
+ "terraform": null,
+ "other": null
+ }
+ },
+ "recommendation": null,
+ "references": [
+ "https://learn.microsoft.com/en-US/microsoftteams/meeting-who-present-request-control",
+ "https://learn.microsoft.com/en-us/microsoftteams/meeting-who-present-request-control#manage-who-can-present",
+ "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/step-by-step-guides/reducing-attack-surface-in-microsoft-teams?view=o365-worldwide#configure-meeting-settings-restrict-presenters",
+ "https://learn.microsoft.com/en-us/powershell/module/skype/set-csteamsmeetingpolicy?view=skype-ps"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations Benchmark",
+ "version": "3.1.0",
+ "reference": "8.5.6",
+ "profile": "E3 Level 2"
+ }
+ ],
+ "level": "medium",
+ "tags": [
+
+ ],
+ "rule": {
+ "path": "",
+ "subPath": null,
+ "selectCondition": {
+
+ },
+ "query": [
+ ],
+ "shouldExist": null,
+ "returnObject": null,
+ "removeIfNotExists": null
+ },
+ "output": {
+ "html": {
+ "data": {
+ "expandObject": null
+ },
+ "table": "Normal",
+ "decorate": [
+
+ ],
+ "emphasis": [
+
+ ],
+ "actions": {
+ "objectData": {
+ "properties": [
+ "*"
+ ],
+ "expandObject": null,
+ "limit": null
+ },
+ "showGoToButton": "True",
+ "showModalButton": "True",
+ "directLink": null
+ }
+ },
+ "text": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "status": {
+ "keyName": [
+
+ ],
+ "message": "Ensure only organizers and co-organizers can present",
+ "defaultMessage": null
+ },
+ "properties": {
+ "resourceName": null,
+ "resourceId": null,
+ "resourceType": null
+ },
+ "onlyStatus": false
+ }
+ },
+ "idSuffix": "teams_organizers_and_co_organizers_can_present_not_configured",
+ "notes": [
+
+ ],
+ "categories": [
+
+ ]
+}
+
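Review bot: Like the other new Teams rules, `"path": ""` with an empty `"query"` leaves CIS 8.5.6 with no audit logic, so this finding is a placeholder that the output will present as a real control. The description's own note that organizers and co-organizers can change the presenter setting per meeting also means a passing org-wide policy is not proof of enforcement; that is worth recording in `"notes"`, e.g. `"Assesses the org-wide default only; per-meeting overrides are not evaluated"`. The rationale wording `a malicious user can inadvertently show content` mixes intent with accident — `an unauthorized participant can share inappropriate or malicious content` says what is meant.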
diff --git a/rules/findings/Microsoft365/Microsoft Teams/CIS3.1/teams-users-can-report-security-concerns-not-configured.json b/rules/findings/Microsoft365/Microsoft Teams/CIS3.1/teams-users-can-report-security-concerns-not-configured.json
new file mode 100644
index 00000000..1045cfb9
--- /dev/null
+++ b/rules/findings/Microsoft365/Microsoft Teams/CIS3.1/teams-users-can-report-security-concerns-not-configured.json
@@ -0,0 +1,120 @@
+{
+ "args": [
+
+ ],
+ "provider": "Microsoft365",
+ "serviceType": "Microsoft Teams",
+ "serviceName": "Microsoft 365",
+ "displayName": "Ensure users can report security concerns in Teams",
+ "description": "
+ User reporting settings allow a user to report a message as malicious for further analysis. This recommendation is composed of 3 different settings and all be configured to pass:
+ * In the Teams admin center: On by default and controls whether users are able to report messages from Teams. When this setting is turned off, users can't report messages within Teams, so the corresponding setting in the Microsoft 365 Defender portal is irrelevant.
+ * In the Microsoft 365 Defender portal: On by default for new tenants. Existing tenants need to enable it. If user reporting of messages is turned on in the Teams admin center, it also needs to be turned on the Defender portal for user reported messages to show up correctly on the User reported tab on the Submissions page.
+ * Defender - Report message destinations: This applies to more than just Microsoft Teams and allows for an organization to keep their reports contained. Due to how the parameters are configured on the backend it is included in this assessment as a requirement.
+ ",
+ "rationale": "Users will be able to more quickly and systematically alert administrators of suspicious malicious messages within Teams. The content of these messages may be sensitive in nature and therefore should be kept within the organization and not shared with Microsoft without first consulting company policy.",
+ "impact": "Enabling message reporting has an impact beyond just addressing security concerns. When users of the platform report a message, the content could include messages that are threatening or harassing in nature, possibly stemming from colleagues. Due to this the security staff responsible for reviewing and acting on these reports should be equipped with the skills to discern and appropriately direct such messages to the relevant departments, such as Human Resources (HR).",
+ "remediation": {
+ "text": "
+ ###### To remediate using the UI:
+ 1. Navigate to Microsoft Teams admin center https://admin.teams.microsoft.com.
+ 2. Click to expand Messaging select Messaging policies.
+ 3. Click Global (Org-wide default).
+ 4. Set Report a security concern to On.
+ 5. Next, navigate to Microsoft 365 Defender https://security.microsoft.com/
+ 6. Click on Settings > Email & collaboration > User reported settings.
+ 7. Scroll to Microsoft Teams.
+ 8. Check Monitor reported messages in Microsoft Teams and Save.
+ 9. Set Send reported messages to: to My reporting mailbox only with reports configured to be sent to authorized staff.
+ ",
+ "code": {
+ "powerShell": null,
+ "iac": null,
+ "terraform": null,
+ "other": null
+ }
+ },
+ "recommendation": null,
+ "references": [
+ "https://learn.microsoft.com/en-us/defender-office-365/submissions-teams?view=o365-worldwide"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations Benchmark",
+ "version": "3.1.0",
+ "reference": "8.6.1",
+ "profile": "E3 Level 1"
+ }
+ ],
+ "level": "medium",
+ "tags": [
+
+ ],
+ "rule": {
+ "path": "",
+ "subPath": null,
+ "selectCondition": {
+
+ },
+ "query": [
+ ],
+ "shouldExist": null,
+ "returnObject": null,
+ "removeIfNotExists": null
+ },
+ "output": {
+ "html": {
+ "data": {
+ "expandObject": null
+ },
+ "table": "Normal",
+ "decorate": [
+
+ ],
+ "emphasis": [
+
+ ],
+ "actions": {
+ "objectData": {
+ "properties": [
+ "*"
+ ],
+ "expandObject": null,
+ "limit": null
+ },
+ "showGoToButton": "True",
+ "showModalButton": "True",
+ "directLink": null
+ }
+ },
+ "text": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "status": {
+ "keyName": [
+
+ ],
+ "message": "Ensure users can report security concerns in Teams",
+ "defaultMessage": null
+ },
+ "properties": {
+ "resourceName": null,
+ "resourceId": null,
+ "resourceType": null
+ },
+ "onlyStatus": false
+ }
+ },
+ "idSuffix": "teams_users_report_security_concerns_not_configured",
+ "notes": [
+
+ ],
+ "categories": [
+
+ ]
+}
+
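Review bot: The description lists three settings that must all hold (the Teams messaging policy, the Defender user-reported-messages toggle and the report destination), yet the rule block has no `"path"` or `"query"`, so none of them is evaluated. The two Defender-portal settings come from a different service than the Teams messaging policy, so a real implementation will need a second data source or a combined collector; flag that in `"notes"` now rather than leaving an empty rule. Step 9 of the remediation (`My reporting mailbox only`) is the privacy control the rationale depends on, so any future query has to check the destination, not only the two on/off switches. Minor: `all be configured to pass` should read `all must be configured for the check to pass`.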
diff --git a/rules/findings/Microsoft365/Microsoft Teams/CIS3.1/teams-users-dialing-in-cant-bypass-lobby.json b/rules/findings/Microsoft365/Microsoft Teams/CIS3.1/teams-users-dialing-in-cant-bypass-lobby.json
new file mode 100644
index 00000000..02b3e66d
--- /dev/null
+++ b/rules/findings/Microsoft365/Microsoft Teams/CIS3.1/teams-users-dialing-in-cant-bypass-lobby.json
@@ -0,0 +1,111 @@
+{
+ "args": [
+
+ ],
+ "provider": "Microsoft365",
+ "serviceType": "Microsoft Teams",
+ "serviceName": "Microsoft 365",
+ "displayName": "Ensure users dialing in can't bypass the lobby",
+ "description": "This policy setting controls if users who dial in by phone can join the meeting directly or must wait in the lobby. Admittance to the meeting from the lobby is authorized by the meeting organizer, co-organizer, or presenter of the meeting.",
+ "rationale": "For meetings that could contain sensitive information, it is best to allow the meeting organizer to vet anyone not directly from the organization.",
+ "impact": "Individuals who are dialing in to the meeting must wait in the lobby until a meeting organizer, co-organizer, or presenter admits them.",
+ "remediation": {
+ "text": "
+ ###### To remediate using the UI:
+ 1. Navigate to Microsoft Teams admin center https://admin.teams.microsoft.com.
+ 2. Click to expand Meetings select Meeting policies.
+ 3. Click Global (Org-wide default).
+ 4. Under meeting join & lobby set People dialing in can bypass the lobby to Off.
+ ",
+ "code": {
+ "powerShell": null,
+ "iac": null,
+ "terraform": null,
+ "other": null
+ }
+ },
+ "recommendation": null,
+ "references": [
+ "https://learn.microsoft.com/en-US/microsoftteams/who-can-bypass-meeting-lobby?WT.mc_id=TeamsAdminCenterCSH#choose-who-can-bypass-the-lobby-in-meetings-hosted-by-your-organization",
+ "https://learn.microsoft.com/en-us/powershell/module/skype/set-csteamsmeetingpolicy?view=skype-ps"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations Benchmark",
+ "version": "3.1.0",
+ "reference": "8.5.4",
+ "profile": "E3 Level 1"
+ }
+ ],
+ "level": "medium",
+ "tags": [
+
+ ],
+ "rule": {
+ "path": "",
+ "subPath": null,
+ "selectCondition": {
+
+ },
+ "query": [
+ ],
+ "shouldExist": null,
+ "returnObject": null,
+ "removeIfNotExists": null
+ },
+ "output": {
+ "html": {
+ "data": {
+ "expandObject": null
+ },
+ "table": "Normal",
+ "decorate": [
+
+ ],
+ "emphasis": [
+
+ ],
+ "actions": {
+ "objectData": {
+ "properties": [
+ "*"
+ ],
+ "expandObject": null,
+ "limit": null
+ },
+ "showGoToButton": "True",
+ "showModalButton": "True",
+ "directLink": null
+ }
+ },
+ "text": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "status": {
+ "keyName": [
+
+ ],
+ "message": "Ensure users dialing in can't bypass the lobby",
+ "defaultMessage": null
+ },
+ "properties": {
+ "resourceName": null,
+ "resourceId": null,
+ "resourceType": null
+ },
+ "onlyStatus": false
+ }
+ },
+ "idSuffix": "teams_users_dialing_bypass_lobby_not_configured",
+ "notes": [
+
+ ],
+ "categories": [
+
+ ]
+}
+
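Review bot: Same gap as the other Teams meeting rules — `"path": ""` and an empty `"query"` leave CIS 8.5.4 without an audit condition, so this finding cannot distinguish a tenant where dial-in lobby bypass is on from one where it is off; add a `"notes"` entry stating the check is not yet implemented. The rationale frames the risk as vetting `anyone not directly from the organization`, but the lobby rule earlier in this diff states that dial-in callers are unauthenticated even when they are internal users, which is the actual reason this control matters; align the rationale, e.g. `vet anyone who joins by phone, since dial-in callers are unauthenticated regardless of organization membership`.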
diff --git a/rules/findings/Microsoft365/MicrosoftTeams/CIS1.4/teams-external-domain-allowed.json b/rules/findings/Microsoft365/MicrosoftTeams/CIS1.4/teams-external-domain-allowed.json
deleted file mode 100644
index 8c9c9443..00000000
--- a/rules/findings/Microsoft365/MicrosoftTeams/CIS1.4/teams-external-domain-allowed.json
+++ /dev/null
@@ -1,134 +0,0 @@
-{
- "args": [
-
- ],
- "provider": "Microsoft365",
- "serviceType": "Microsoft Teams",
- "serviceName": "Microsoft 365",
- "displayName": "Ensure external domains are not allowed in Skype or Teams",
- "description": "Disable the ability of your users to communicate via Skype or Teams with users outside your organization.",
- "rationale": "You should not allow your users to communicate with Skype or Teams users outside your organization. While there are legitimate, productivity-improving scenarios for this, it also represents a potential security threat because those external users will be able to interact with your users over Skype for Business or Teams. Attackers may be able to pretend to be someone your user knows and then send malicious links or attachments, resulting in an account breach or leaked information.",
- "impact": "Impact associated with this change is highly dependent upon current practices in the tenant. If users do not regularly communicate with external parties using Skype or Teams channels, then minimal impact is likely. However, if users do regularly utilize Teams and Skype for client communication, potentially significant impacts could occur, and users should be contacts, and if necessary, alternate mechanisms to continue this communication should be identified prior to disabling external access to Teams and Skype.",
- "remediation": {
- "text": "###### To disable Skype forBusiness and Teams access with external users, use the Microsoft 365 Admin Center\r\n\t\t\t\t\t\t1. Under `Admin Centers` choose `Teams`.\r\n\t\t\t\t\t\t2. Expand `Org Wide Settings` then select `External Access`.\r\n\t\t\t\t\t\t3. Set `Users can communicate with Skype for Business and Teams users` to `Off`.\r\n\t\t\t\t\t\t4. Set `Skype for Business users can communicate with Skype users` to `Off`.",
- "code": {
- "powerShell": null,
- "iac": null,
- "terraform": null,
- "other": null
- }
- },
- "recommendation": null,
- "references": [
- "https://docs.microsoft.com/en-us/microsoftteams/teams-skype-interop",
- "https://docs.microsoft.com/en-us/skypeforbusiness/set-up-skype-for-business-online/allow-users-to-contact-external-skype-for-business-users"
- ],
- "compliance": [
- {
- "name": "CIS Microsoft 365 Foundations",
- "version": "1.4.0",
- "reference": "3.3"
- }
- ],
- "level": "medium",
- "tags": [
- "Microsoft 365 CIS benchmark 3.3"
- ],
- "rule": {
- "path": "o365_teams_skype_federation_settings",
- "subPath": null,
- "selectCondition": {
-
- },
- "query": [
- {
- "filter": [
- {
- "conditions": [
- [
- "AllowFederatedUsers",
- "eq",
- "True"
- ],
- [
- "AllowPublicUsers",
- "ne",
- "True"
- ]
- ],
- "operator": "or"
- }
- ]
- }
- ],
- "shouldExist": null,
- "returnObject": null,
- "removeIfNotExists": null
- },
- "output": {
- "html": {
- "data": {
- "properties": {
- "Identity": "Identity",
- "AllowPublicUsers": "Allow Public Users",
- "AllowFederatedUsers": "Allow Federated Users"
- },
- "expandObject": null
- },
- "table": "Normal",
- "decorate": [
- {
- "ItemName": "Allow Public Users",
- "ItemValue": "enabled",
- "className": "badge bg-danger larger-badge"
- },
- {
- "ItemName": "Allow Federated Users",
- "ItemValue": "enabled",
- "className": "badge bg-danger larger-badge"
- }
- ],
- "emphasis": [
-
- ],
- "actions": {
- "objectData": {
- "expand": [
- "*"
- ],
- "limit": null
- },
- "showGoToButton": "True",
- "showModalButton": "True"
- }
- },
- "text": {
- "data": {
- "properties": {
-
- },
- "expandObject": null
- },
- "status": {
- "keyName": [
-
- ],
- "message": "Ensure external domains are not allowed in Skype or Teams",
- "defaultMessage": null
- },
- "properties": {
- "resourceName": null,
- "resourceId": null,
- "resourceType": null
- },
- "onlyStatus": false
- }
- },
- "idSuffix": "o365_skype_external_allowed",
- "notes": [
-
- ],
- "categories": [
-
- ]
-}
diff --git a/rules/findings/Microsoft365/MicrosoftTeams/CIS1.4/teams-external-file-sharing-approved-storage.json b/rules/findings/Microsoft365/MicrosoftTeams/CIS1.4/teams-external-file-sharing-approved-storage.json
deleted file mode 100644
index 006c57bd..00000000
--- a/rules/findings/Microsoft365/MicrosoftTeams/CIS1.4/teams-external-file-sharing-approved-storage.json
+++ /dev/null
@@ -1,139 +0,0 @@
-{
- "args": [
-
- ],
- "provider": "Microsoft365",
- "serviceType": "Microsoft Teams",
- "serviceName": "Microsoft 365",
- "displayName": "Ensure external file sharing in Teams is enabled for only approved cloud storage services",
- "description": "Microsoft Teams enables collaboration via file sharing. This file sharing is conducted within Teams, using SharePoint Online, by default; however, third-party cloud services are allowed as well.",
- "rationale": "Ensuring that only authorized cloud storage providers are accessible from Teams will help to dissuade the use of non-approved storage providers.",
- "impact": "Impact associated with this change is highly dependent upon current practices in the tenant. If users do not use other storage providers, then minimal impact is likely. However, if users do regularly utilize providers outside of the tenant this will affect their ability to continue to do so.",
- "remediation": {
- "text": "###### To Set external file sharing in Teams, use the Microsoft 365 Admin Center:\r\n\t\t\t\t\t\t1. Under `Admin Centers` choose `Teams`.\r\n\t\t\t\t\t\t2. Expand `Org Wide Settings` select `Teams settings`.\r\n\t\t\t\t\t\t3. Set each cloud storage service under Files to `On` if it is authorized.\r\n\t\t\t\t\t\t\r\n\t\t\t\t\t\t**To verify external file sharing in Teams you may also utilize Powershell. Ensure that the Skype for business online, Windows Powershell module and Microsoft Teams module are both installed.**\r\n\t\t\t\t\t\t\r\n\t\t\t\t\t\t1. Install the Powershell module for teams. Skype module will need downloaded from Microsoft\r\n\t\t\t\t\t\t\r\n\t\t\t\t\t\t```Powershell\r\n\t\t\t\t\t\tInstall-Module MicrosoftTeams -Scope CurrentUser\r\n\t\t\t\t\t\tImport-Module SkypeOnlineConnector\r\n\t\t\t\t\t\t```\r\n\t\t\t\t\t\t2. Connect to your tenant as a Global Administrator, methods will differ based on whether 2FA is enabled. See the following article for more information:\r\n\t\t\t\t\t\thttps://docs.microsoft.com/en-us/office365/enterprise/powershell/manage-skype-for-business-online-with-office-365-powershell\r\n\t\t\t\t\t\t3. Run the following command to verify which cloud storage providers are enabled for Teams\r\n\t\t\t\t\t\t```Powershell\r\n\t\t\t\t\t\tGet-CsTeamsClientConfiguration | select allow*\r\n\t\t\t\t\t\t```\r\n\t\t\t\t\t\t4. Run the following Powershell command to disable external providers that are not authorized. (the example disables ShareFile, GoogleDrive, Box, and DropBox)\r\n\t\t\t\t\t\t```Powershell\r\n\t\t\t\t\t\tSet-CsTeamsClientConfiguration -AllowGoogleDrive $false `\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t -AllowShareFile $false `\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t -AllowBox $false `\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t -AllowDropBox $false `\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t -AllowEgnyte $false\r\n\t\t\t\t\t\t```\r\n\t\t\t\t\t\t5. 
You may verify this worked by running the following Powershell command again.\r\n\t\t\t\t\t\t```Powershell\r\n\t\t\t\t\t\tGet-CsTeamsClientConfiguration | select allow*\r\n\t\t\t\t\t\t```",
- "code": {
- "powerShell": null,
- "iac": null,
- "terraform": null,
- "other": null
- }
- },
- "recommendation": null,
- "references": [
- "https://docs.microsoft.com/en-us/powershell/module/skype/set-csteamsclientconfiguration?view=skype-ps"
- ],
- "compliance": [
- {
- "name": "CIS Microsoft 365 Foundations",
- "version": "1.4.0",
- "reference": "3.7"
- }
- ],
- "level": "medium",
- "tags": [
- "Microsoft 365 CIS benchmark 3.7"
- ],
- "rule": {
- "path": "o365_teams_client_settings",
- "subPath": null,
- "selectCondition": {
-
- },
- "query": [
- {
- "filter": [
- {
- "conditions": [
- [
- "AllowDropBox",
- "eq",
- "True"
- ],
- [
- "AllowBox",
- "eq",
- "True"
- ],
- [
- "AllowGoogleDrive",
- "eq",
- "True"
- ],
- [
- "AllowShareFile",
- "eq",
- "True"
- ],
- [
- "AllowEgnyte",
- "eq",
- "True"
- ]
- ],
- "operator": "or"
- }
- ]
- }
- ],
- "shouldExist": null,
- "returnObject": null,
- "removeIfNotExists": null
- },
- "output": {
- "html": {
- "data": {
- "properties": {
- "Identity": "Identity",
- "AllowPublicUsers": "Allow Public Users",
- "AllowFederatedUsers": "Allow Federated Users"
- },
- "expandObject": null
- },
- "table": "Normal",
- "decorate": [
-
- ],
- "emphasis": [
-
- ],
- "actions": {
- "objectData": {
- "expand": [
- "*"
- ],
- "limit": null
- },
- "showGoToButton": "True",
- "showModalButton": "True"
- }
- },
- "text": {
- "data": {
- "properties": {
-
- },
- "expandObject": null
- },
- "status": {
- "keyName": [
-
- ],
- "message": "Ensure external file sharing in Teams is enabled for only approved cloud storage services",
- "defaultMessage": null
- },
- "properties": {
- "resourceName": null,
- "resourceId": null,
- "resourceType": null
- },
- "onlyStatus": false
- }
- },
- "idSuffix": "o365_teams_external_sharing_allowed",
- "notes": [
-
- ],
- "categories": [
-
- ]
-}
diff --git a/rules/findings/Microsoft365/OneDrive/CIS1.4/onedrive-sync-from-unmanaged-domains-enabled.json b/rules/findings/Microsoft365/OneDrive/CIS1.4/onedrive-sync-from-unmanaged-domains-enabled.json
deleted file mode 100644
index 7e735596..00000000
--- a/rules/findings/Microsoft365/OneDrive/CIS1.4/onedrive-sync-from-unmanaged-domains-enabled.json
+++ /dev/null
@@ -1,125 +0,0 @@
-{
- "args": [
-
- ],
- "provider": "Microsoft365",
- "serviceType": "Microsoft OneDrive",
- "serviceName": "Microsoft 365",
- "displayName": "Block OneDrive for Business sync from unmanaged devices",
- "description": "Consider to prevent company data from OneDrive for Business from being synchronized to non-corporate managed devices.",
- "rationale": "Unmanaged devices pose a risk, since their security cannot be verified. Allowing users to sync data to these devices, takes that data out of the control of the organization. This increases the risk of the data either being intentionally or accidentally leaked",
- "impact": "Enabling this feature will prevent users from using the OneDrive for Business Sync client on devices that are not joined to the domains that were defined.",
- "remediation": {
- "text": "###### To block the sync client on unmanaged devices, use the Microsoft 365 Admin Center\r\n\t\t\t\t\t1. Navigate to \u003ca href=\"https://admin.microsoft.com\" target=\"_blank\"\u003eMicrosoft 365 administration portal\u003c/a\u003e, Click on `All Admin Centers` and then `OneDrive`.\r\n\t\t\t\t\t2. Click `Sync`.\r\n\t\t\t\t\t3. Ensure that `Allow syncing only on PCs joined to specific domains` is checked.\r\n\t\t\t\t\t4. Use the `Get-ADDomain` PowerShell command to obtain the GUID from each domain in your environment and add them to the box below.\r\n\t\t\t\t\t5. Click `Save`",
- "code": {
- "powerShell": null,
- "iac": null,
- "terraform": null,
- "other": null
- }
- },
- "recommendation": null,
- "references": [
- "https://docs.microsoft.com/en-us/powershell/module/sharepoint-online/set-spotenantsyncclientrestriction?view=sharepoint-ps"
- ],
- "compliance": [
- {
- "name": "CIS Microsoft 365 Foundations",
- "version": "1.3.0",
- "reference": "6.2"
- }
- ],
- "level": "medium",
- "tags": [
- "Microsoft 365 CIS benchmark 6.2"
- ],
- "rule": {
- "path": "o365_spo_tenant_sync_restrictions",
- "subPath": null,
- "selectCondition": {
-
- },
- "query": [
- {
- "filter": [
- {
- "conditions": [
- [
- "IsUnmanagedSyncClientForTenantRestricted",
- "eq",
- "false"
- ],
- [
- "AllowedDomainListForSyncClient.Count",
- "eq",
- "0"
- ]
- ],
- "operator": "or"
- }
- ]
- }
- ],
- "shouldExist": null,
- "returnObject": null,
- "removeIfNotExists": null
- },
- "output": {
- "html": {
- "data": {
- "properties": {
- "ConditionalAccessPolicy": "Conditional Access Policy",
- "DisablePersonalListCreation": "Disable Personal List Creation",
- "DisallowInfectedFileDownload": "Prevent Infected File Download",
- "IsUnmanagedSyncClientForTenantRestricted": "Restrict Access From Unmanaged Devices"
- },
- "expandObject": null
- },
- "table": "Normal",
- "decorate": [
-
- ],
- "emphasis": [
-
- ],
- "actions": {
- "objectData": {
- "expand": [
- "*"
- ],
- "limit": null
- },
- "showGoToButton": "True",
- "showModalButton": "True"
- }
- },
- "text": {
- "data": {
- "properties": {
-
- },
- "expandObject": null
- },
- "status": {
- "keyName": [
-
- ],
- "message": "Block OneDrive for Business sync from unmanaged devices",
- "defaultMessage": null
- },
- "properties": {
- "resourceName": null,
- "resourceId": null,
- "resourceType": null
- },
- "onlyStatus": false
- }
- },
- "idSuffix": "ofb_sync_from_unmanaged_devices_enabled",
- "notes": [
-
- ],
- "categories": [
-
- ]
-}
diff --git a/rules/findings/Microsoft365/SharepointOnline/CIS2.0/sharepoint-b2b-integration-disabled.json b/rules/findings/Microsoft365/SharePoint Online/CIS3.1/sharepoint-b2b-integration-disabled.json
similarity index 91%
rename from rules/findings/Microsoft365/SharepointOnline/CIS2.0/sharepoint-b2b-integration-disabled.json
rename to rules/findings/Microsoft365/SharePoint Online/CIS3.1/sharepoint-b2b-integration-disabled.json
index 3c130e68..276f86df 100644
--- a/rules/findings/Microsoft365/SharepointOnline/CIS2.0/sharepoint-b2b-integration-disabled.json
+++ b/rules/findings/Microsoft365/SharePoint Online/CIS3.1/sharepoint-b2b-integration-disabled.json
@@ -1,4 +1,4 @@
-{
+{
"args": [
],
@@ -26,14 +26,14 @@
],
"compliance": [
{
- "name": "CIS Microsoft 365 Foundations",
- "version": "2.0",
- "reference": "2.12"
+ "name": "CIS Microsoft 365 Foundations Benchmark",
+ "version": "3.1.0",
+ "reference": "7.2.2",
+ "profile": "E3 Level 1"
}
],
- "level": "medium",
+ "level": "low",
"tags": [
- "Microsoft 365 CIS benchmark 2.0 reference 2.12"
],
"rule": {
"path": "o365_spo_tenant_details",
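Review bot: The severity drops from `medium` to `low` in this hunk with no stated reason, at the same time as the control is re-mapped to CIS 3.1.0 7.2.2 at profile `E3 Level 1`; a Level 1 control being downgraded deserves a justification, and the rule's rationale is outside this hunk so the reader cannot judge it here. If the downgrade is deliberate, record why in `"notes"`, e.g. `"Severity lowered: preventive hygiene rather than direct exposure"`; otherwise keep `"level": "medium"`. The old tag is removed and `"tags"` is left empty, so any report filtering or grouping by tag silently loses this rule.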
@@ -77,13 +77,15 @@
],
"actions": {
"objectData": {
- "expand": [
+ "properties": [
"*"
],
+ "expandObject": null,
"limit": null
},
"showGoToButton": false,
- "showModalButton": false
+ "showModalButton": false,
+ "directLink": null
}
},
"text": {
@@ -108,7 +110,7 @@
"onlyStatus": false
}
},
- "idSuffix": "sps_azure_b2b_integration_disabled",
+ "idSuffix": "spo_azure_b2b_integration_disabled",
"notes": [
],
@@ -116,3 +118,4 @@
]
}
+
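Review bot: Renaming `"idSuffix"` from `sps_azure_b2b_integration_disabled` to `spo_azure_b2b_integration_disabled` changes the finding's stable identifier, so any exception lists, suppressions, dashboards or ticket links keyed on the old ID will stop matching and the finding will reappear as new. If the rename is needed for naming consistency, call it out as a breaking change in the commit message or changelog and, if the engine supports it, keep an alias for the old ID; otherwise retain the old value.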
diff --git a/rules/findings/Microsoft365/SharePoint Online/CIS3.1/sharepoint-custom-script-execution-enabled-on-site-collections.json b/rules/findings/Microsoft365/SharePoint Online/CIS3.1/sharepoint-custom-script-execution-enabled-on-site-collections.json
new file mode 100644
index 00000000..7f13bd2b
--- /dev/null
+++ b/rules/findings/Microsoft365/SharePoint Online/CIS3.1/sharepoint-custom-script-execution-enabled-on-site-collections.json
@@ -0,0 +1,125 @@
+{
+ "args": [
+
+ ],
+ "provider": "Microsoft365",
+ "serviceType": "SharePoint Online",
+ "serviceName": "Microsoft 365",
+ "displayName": "Ensure custom script execution is restricted on site collections",
+ "description": "
+ This setting controls custom script execution on a particular site (previously called `site collection`). . Custom scripts can allow users to change the look, feel and behavior of sites and pages. Every script that runs in a SharePoint page (whether it's an HTML page in a document library or a JavaScript in a Script Editor Web Part) always runs in the context of the user visiting the page and the SharePoint application. This means:
+ * Scripts have access to everything the user has access to.
+ * Scripts can access content across several Microsoft 365 services and even beyond with Microsoft Graph integration.
+ The recommended state is `Prevent users from running custom script on personal sites` and `Prevent users from running custom script on self-service created sites`.
+ ",
+ "rationale": "
+ Custom scripts could contain malicious instructions unknown to the user or administrator. When users are allowed to run custom script, the organization can no longer enforce governance, scope the capabilities of inserted code, block specific parts of code, or block all custom code that has been deployed. If scripting is allowed the following things can't be audited:
+ * What code has been inserted
+ * Where the code has been inserted
+ * Who inserted the code
+ **Note** : Microsoft recommends using the SharePoint Framework instead of custom scripts.
+ ",
+ "impact": "None - this is the default behavior.",
+ "remediation": {
+ "text": "
+ ###### To remediate using the UI:
+ 1. Navigate to SharePoint admin center https://admin.microsoft.com/sharepoint
+ 2. Select Settings.
+ 3. At the bottom of the page click the classic settings page hyperlink.
+ 4. Scroll to locate the Custom Script section. On the right set the following:
+ * Select Prevent users from running custom script on personal sites.
+ * Select Prevent users from running custom script on self-service created sites.
+ ",
+ "code": {
+ "powerShell": null,
+ "iac": null,
+ "terraform": null,
+ "other": null
+ }
+ },
+ "recommendation": null,
+ "references": [
+ "https://learn.microsoft.com/en-us/sharepoint/allow-or-prevent-custom-script",
+ "https://learn.microsoft.com/en-us/sharepoint/security-considerations-of-allowing-custom-script",
+ "https://learn.microsoft.com/en-us/powershell/module/sharepoint-online/set-sposite?view=sharepoint-ps"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations Benchmark",
+ "version": "3.1.0",
+ "reference": "7.3.4",
+ "profile": "E3 Level 1"
+ }
+ ],
+ "level": "medium",
+ "tags": [
+
+ ],
+ "rule": {
+ "path": "",
+ "subPath": null,
+ "selectCondition": {
+
+ },
+ "query": [
+ ],
+ "shouldExist": null,
+ "returnObject": null,
+ "removeIfNotExists": null
+ },
+ "output": {
+ "html": {
+ "data": {
+ "expandObject": null
+ },
+ "table": "Normal",
+ "decorate": [
+
+ ],
+ "emphasis": [
+
+ ],
+ "actions": {
+ "objectData": {
+ "properties": [
+ "*"
+ ],
+ "expandObject": null,
+ "limit": null
+ },
+ "showGoToButton": "True",
+ "showModalButton": "True",
+ "directLink": null
+ }
+ },
+ "text": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "status": {
+ "keyName": [
+
+ ],
+ "message": "Ensure custom script execution is restricted on site collections",
+ "defaultMessage": null
+ },
+ "properties": {
+ "resourceName": null,
+ "resourceId": null,
+ "resourceType": null
+ },
+ "onlyStatus": false
+ }
+ },
+ "idSuffix": "spo_custon_script_execution_enabled_on_site_collections",
+ "notes": [
+
+ ],
+ "categories": [
+
+ ]
+}
+
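Review bot: The `"idSuffix"` value `spo_custon_script_execution_enabled_on_site_collections` misspells "custom"; since this is the finding's persistent identifier, fix it now as `spo_custom_script_execution_enabled_on_site_collections`, because correcting it after release is a breaking rename. The rule block is empty (`"path": ""`, no query), so CIS 7.3.4 is not actually audited, and the description and remediation are near-verbatim copies of the personal-sites rule that follows in this diff — they name only the two tenant-wide "personal sites" / "self-service created sites" toggles, which is presumably not the per-site check the displayName promises (the only per-site reference listed is the `Set-SPOSite` link), so the description should state what this rule will examine. The description also has a stray second period after the parenthetical `(previously called site collection)`.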
diff --git a/rules/findings/Microsoft365/SharePoint Online/CIS3.1/sharepoint-custom-script-execution-personal-sites-disabled.json b/rules/findings/Microsoft365/SharePoint Online/CIS3.1/sharepoint-custom-script-execution-personal-sites-disabled.json
new file mode 100644
index 00000000..447ac6eb
--- /dev/null
+++ b/rules/findings/Microsoft365/SharePoint Online/CIS3.1/sharepoint-custom-script-execution-personal-sites-disabled.json
@@ -0,0 +1,125 @@
+{
+ "args": [
+
+ ],
+ "provider": "Microsoft365",
+ "serviceType": "SharePoint Online",
+ "serviceName": "Microsoft 365",
+ "displayName": "Ensure custom script execution is restricted on personal sites",
+ "description": "
+ This setting controls custom script execution on OneDrive or user-created sites. Custom scripts can allow users to change the look, feel and behavior of sites and pages. Every script that runs in a SharePoint page (whether it's an HTML page in a document library or a JavaScript in a Script Editor Web Part) always runs in the context of the user visiting the page and the SharePoint application. This means:
+ * Scripts have access to everything the user has access to.
+ * Scripts can access content across several Microsoft 365 services and even beyond with Microsoft Graph integration.
+ The recommended state is `Prevent users from running custom script on personal sites` and `Prevent users from running custom script on self-service created sites`.
+ ",
+ "rationale": "
+ Custom scripts could contain malicious instructions unknown to the user or administrator. When users are allowed to run custom script, the organization can no longer enforce governance, scope the capabilities of inserted code, block specific parts of code, or block all custom code that has been deployed. If scripting is allowed the following things can't be audited:
+ * What code has been inserted
+ * Where the code has been inserted
+ * Who inserted the code
+ **Note** : Microsoft recommends using the SharePoint Framework instead of custom scripts.
+ ",
+ "impact": "None - this is the default behavior.",
+ "remediation": {
+ "text": "
+ ###### To remediate using the UI:
+ 1. Navigate to SharePoint admin center https://admin.microsoft.com/sharepoint
+ 2. Select Settings.
+ 3. At the bottom of the page click the classic settings page hyperlink.
+ 4. Scroll to locate the Custom Script section. On the right set the following:
+ * Select Prevent users from running custom script on personal sites.
+ * Select Prevent users from running custom script on self-service created sites.
+ ",
+ "code": {
+ "powerShell": null,
+ "iac": null,
+ "terraform": null,
+ "other": null
+ }
+ },
+ "recommendation": null,
+ "references": [
+ "https://learn.microsoft.com/en-us/sharepoint/allow-or-prevent-custom-script",
+ "https://learn.microsoft.com/en-us/sharepoint/security-considerations-of-allowing-custom-script",
+ "https://learn.microsoft.com/en-us/powershell/module/sharepoint-online/set-sposite?view=sharepoint-ps"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations Benchmark",
+ "version": "3.1.0",
+ "reference": "7.3.3",
+ "profile": "E3 Level 1"
+ }
+ ],
+ "level": "medium",
+ "tags": [
+
+ ],
+ "rule": {
+ "path": "",
+ "subPath": null,
+ "selectCondition": {
+
+ },
+ "query": [
+ ],
+ "shouldExist": null,
+ "returnObject": null,
+ "removeIfNotExists": null
+ },
+ "output": {
+ "html": {
+ "data": {
+ "expandObject": null
+ },
+ "table": "Normal",
+ "decorate": [
+
+ ],
+ "emphasis": [
+
+ ],
+ "actions": {
+ "objectData": {
+ "properties": [
+ "*"
+ ],
+ "expandObject": null,
+ "limit": null
+ },
+ "showGoToButton": "True",
+ "showModalButton": "True",
+ "directLink": null
+ }
+ },
+ "text": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "status": {
+ "keyName": [
+
+ ],
+ "message": "Ensure custom script execution is restricted on personal sites",
+ "defaultMessage": null
+ },
+ "properties": {
+ "resourceName": null,
+ "resourceId": null,
+ "resourceType": null
+ },
+ "onlyStatus": false
+ }
+ },
+ "idSuffix": "spo_custon_script_execution_enabled_on_personal_sites",
+ "notes": [
+
+ ],
+ "categories": [
+
+ ]
+}
+
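Review bot: The `description`, `rationale` and `remediation.text` values in this file contain literal line breaks inside JSON strings, which RFC 8259 does not allow; the renamed files in this same commit escape the same kind of content as `\r\n\t...` (see the remediation text of sharepoint-external-sharing-managed-allow-deny-domain-list.json), so either the loader relies on a lenient parser or these files will not load. The same pattern appears in the new sharepoint-external-content-sharing-not-restricted, sharepoint-external-sharing-not-restricted-by-security-group, sharepoint-guest-access-to-site-or-onedrive-not-expire, sharepoint-link-sharing-not-restricted and sharepoint-modern-authentication-required files. All six of those new rules also ship with `"path": ""` and an empty `query`, so unless the engine treats an empty path as a deliberately manual check, nothing is ever evaluated and a report would silently omit the control rather than flag it. Separately, the `idSuffix` is misspelled and, since it is the finding's stable identifier, worth correcting before anything references it: `"idSuffix": "spo_custom_script_execution_enabled_on_personal_sites"`.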
diff --git a/rules/findings/Microsoft365/SharePoint Online/CIS3.1/sharepoint-external-content-sharing-not-restricted.json b/rules/findings/Microsoft365/SharePoint Online/CIS3.1/sharepoint-external-content-sharing-not-restricted.json
new file mode 100644
index 00000000..be3d5863
--- /dev/null
+++ b/rules/findings/Microsoft365/SharePoint Online/CIS3.1/sharepoint-external-content-sharing-not-restricted.json
@@ -0,0 +1,110 @@
+{
+ "args": [
+
+ ],
+ "provider": "Microsoft365",
+ "serviceType": "SharePoint Online",
+ "serviceName": "Microsoft 365",
+ "displayName": "Ensure external content sharing is restricted",
+ "description": "
+ The external sharing settings govern sharing for the organization overall. Each site has its own sharing setting that can be set independently, though it must be at the same or more restrictive setting as the organization.
+ The new and existing guests option requires people who have received invitations to sign in with their work or school account (if their organization uses Microsoft 365) or a Microsoft account, or to provide a code to verify their identity. Users can share with guests already in your organization's directory, and they can send invitations to people who will be added to the directory if they sign in.
+ The recommended state is New and existing guests or less permissive.
+ ",
+ "rationale": "Forcing guest authentication on the organization's tenant enables the implementation of controls and oversight over external file sharing. When a guest is registered with the organization, they now have an identity which can be accounted for. This identity can also have other restrictions applied to it through group membership and conditional access rules.",
+ "impact": "When using B2B integration, Entra ID external collaboration settings, such as guest invite settings and collaboration restrictions apply.",
+ "remediation": {
+ "text": "",
+ "code": {
+ "powerShell": null,
+ "iac": null,
+ "terraform": null,
+ "other": null
+ }
+ },
+ "recommendation": null,
+ "references": [
+ "https://learn.microsoft.com/en-US/sharepoint/turn-external-sharing-on-or-off?WT.mc_id=365AdminCSH_spo"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations Benchmark",
+ "version": "3.1.0",
+ "reference": "7.2.3",
+ "profile": "E3 Level 1"
+ }
+ ],
+ "level": "medium",
+ "tags": [
+ ],
+ "rule": {
+ "path": "",
+ "subPath": null,
+ "selectCondition": {
+
+ },
+ "query": [
+ ],
+ "shouldExist": null,
+ "returnObject": null,
+ "removeIfNotExists": null
+ },
+ "output": {
+ "html": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "table": null,
+ "decorate": [
+
+ ],
+ "emphasis": [
+
+ ],
+ "actions": {
+ "objectData": {
+ "properties": [
+ "*"
+ ],
+ "expandObject": null,
+ "limit": null
+ },
+ "showGoToButton": false,
+ "showModalButton": false,
+ "directLink": null
+ }
+ },
+ "text": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "status": {
+ "keyName": [
+
+ ],
+ "message": "Ensure external content sharing is restricted",
+ "defaultMessage": null
+ },
+ "properties": {
+ "resourceName": null,
+ "resourceId": null,
+ "resourceType": null
+ },
+ "onlyStatus": false
+ }
+ },
+ "idSuffix": "spo_external_content_sharing_not_restricted",
+ "notes": [
+
+ ],
+ "categories": [
+
+ ]
+}
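Review bot: `remediation.text` is an empty string even though the description states the recommended state (New and existing guests or less permissive), so the report gives the reader nothing actionable; the sibling files in this commit carry a short "To remediate using the UI" step list, and the same gap exists in sharepoint-onedrive-external-content-sharing-not-restricted.json. This file also writes `"showGoToButton": false` / `"showModalButton": false` as booleans and nests `properties` under `html.data`, whereas the other new SharePoint rules use the strings `"True"` and only `expandObject` there — one key should keep one type and one shape across the rule set so the renderer does not have to special-case either form. The same boolean-versus-string split appears in sharepoint-modern-authentication-required.json.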
+
diff --git a/rules/findings/Microsoft365/SharepointOnline/CIS1.4/sharepoint-document-sharing-enable-all.json b/rules/findings/Microsoft365/SharePoint Online/CIS3.1/sharepoint-external-sharing-managed-allow-deny-domain-list.json
similarity index 84%
rename from rules/findings/Microsoft365/SharepointOnline/CIS1.4/sharepoint-document-sharing-enable-all.json
rename to rules/findings/Microsoft365/SharePoint Online/CIS3.1/sharepoint-external-sharing-managed-allow-deny-domain-list.json
index 1f05d3bf..4d2506e7 100644
--- a/rules/findings/Microsoft365/SharepointOnline/CIS1.4/sharepoint-document-sharing-enable-all.json
+++ b/rules/findings/Microsoft365/SharePoint Online/CIS3.1/sharepoint-external-sharing-managed-allow-deny-domain-list.json
@@ -1,13 +1,13 @@
-{
+{
"args": [
],
"provider": "Microsoft365",
"serviceType": "SharePoint Online",
"serviceName": "Microsoft 365",
- "displayName": "Ensure document sharing is being controlled by domains with allowlist or denylist",
- "description": "Consider to control sharing of documents to external domains by either blocking domains or only allowing sharing with specific named domains.",
- "rationale": "Attackers will often attempt to expose sensitive information to external entities through sharing, and restricting the domains that your users can share documents with will reduce that surface area.",
+ "displayName": "Ensure SharePoint external sharing is managed through domain allow/deny lists",
+ "description": "Control sharing of documents to external domains by either blocking domains or only allowing sharing with specific named domains.",
+ "rationale": "Attackers will often attempt to expose sensitive information to external entities through sharing, and restricting the domains that users can share documents with will reduce that surface area.",
"impact": "Enabling this feature will prevent users from sharing documents with domains outside of the organization unless allowed.",
"remediation": {
"text": "###### To configure document sharing restrictions, use the Microsoft 365 Admin Center\r\n\t\t\t\t\t1. Log in as an SharePoint Administrator\r\n\t\t\t\t\t2. Navigate to \u003ca href=\"https://admin.microsoft.com\" target=\"_blank\"\u003eMicrosoft 365 administration portal\u003c/a\u003e, Click on Admin Centers and then SharePoint.\r\n\t\t\t\t\t3. Expand `Policies` then click `Sharing`.\r\n\t\t\t\t\t4. Expand `More external sharing settings` and check `Limit external sharing by domain`..\r\n\t\t\t\t\t5. Select `Add domains` to add a list of approved domains.\r\n\t\t\t\t\t6. Click `Save` at the bottom of the page.\r\n\t\t\t\t\t\r\n\t\t\t\t\t###### To configure document sharing restrictions, you can also use SharePoint Online PowerShell\r\n\t\t\t\t\t1. Connect to SharePoint Online using Connect-SPOService\r\n\t\t\t\t\t2. Run the following PowerShell command:\t\t\t\t\t\r\n\t\t\t\t\t```\r\n\t\t\t\t\tSet-SPOTenant -SharingDomainRestrictionMode AllowList -SharingAllowedDomainList \"domain1.com domain2.com\"\r\n\t\t\t\t\t```",
@@ -25,14 +25,14 @@
],
"compliance": [
{
- "name": "CIS Microsoft 365 Foundations",
- "version": "1.4.0",
- "reference": "6.1"
+ "name": "CIS Microsoft 365 Foundations Benchmark",
+ "version": "3.1.0",
+ "reference": "7.2.6",
+ "profile": "E3 Level 2"
}
],
"level": "medium",
"tags": [
- "Microsoft 365 CIS benchmark 6.1"
],
"rule": {
"path": "o365_spo_tenant_details",
@@ -79,13 +79,15 @@
],
"actions": {
"objectData": {
- "expand": [
+ "properties": [
"*"
],
+ "expandObject": null,
"limit": null
},
"showGoToButton": "True",
- "showModalButton": "True"
+ "showModalButton": "True",
+ "directLink": null
}
},
"text": {
@@ -110,7 +112,7 @@
"onlyStatus": false
}
},
- "idSuffix": "sps_document_sharing_all_enabled",
+ "idSuffix": "spo_document_sharing_all_enabled",
"notes": [
],
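Review bot: The `idSuffix` keeps the old finding name, `spo_document_sharing_all_enabled`, while the `displayName` now describes the domain allow/deny-list control, so the rename only swapped the `sps_` prefix and the identifier no longer says what the finding means. Since this value is what downstream reports and suppressions key on, pick a name that matches the new title, e.g. `"idSuffix": "spo_external_sharing_domain_list_not_configured"` (constructed example), and treat it as a deliberate identifier change.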
@@ -118,3 +120,4 @@
]
}
+
diff --git a/rules/findings/Microsoft365/SharePoint Online/CIS3.1/sharepoint-external-sharing-not-restricted-by-security-group.json b/rules/findings/Microsoft365/SharePoint Online/CIS3.1/sharepoint-external-sharing-not-restricted-by-security-group.json
new file mode 100644
index 00000000..5f244386
--- /dev/null
+++ b/rules/findings/Microsoft365/SharePoint Online/CIS3.1/sharepoint-external-sharing-not-restricted-by-security-group.json
@@ -0,0 +1,113 @@
+{
+ "args": [
+
+ ],
+ "provider": "Microsoft365",
+ "serviceType": "SharePoint Online",
+ "serviceName": "Microsoft 365",
+ "displayName": "Ensure external sharing is restricted by security group",
+ "description": "
+ External sharing of content can be restricted to specific security groups. This setting is global, applies to sharing in both SharePoint and OneDrive and cannot be set at the site level in SharePoint.
+ The recommended state is Enabled or Checked.
+ ",
+ "rationale": "Organizations wishing to create tighter security controls for external sharing can set this to enforce role-based access control by using security groups already defined in Microsoft Entra.",
+ "impact": "OneDrive will also be governed by this and there is no granular control at the SharePoint site level.",
+ "remediation": {
+ "text": "
+ ###### To remediate using the UI:
+ 1. Navigate to SharePoint admin center https://admin.microsoft.com/sharepoint
+ 2. Click to expand Policies > Sharing.
+ 3. Scroll to and expand More external sharing settings.
+ 4. Set the following:
+ * Check Allow only users in specific security groups to share externally
+ * Define Manage security groups in accordance with company procedure.
+ ",
+ "code": {
+ "powerShell": null,
+ "iac": null,
+ "terraform": null,
+ "other": null
+ }
+ },
+ "recommendation": null,
+ "references": [
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations Benchmark",
+ "version": "3.1.0",
+ "reference": "7.2.8",
+ "profile": "E3 Level 2"
+ }
+ ],
+ "level": "medium",
+ "tags": [
+ ],
+ "rule": {
+ "path": "",
+ "subPath": null,
+ "selectCondition": {
+
+ },
+ "query": [
+ ],
+ "shouldExist": null,
+ "returnObject": null,
+ "removeIfNotExists": null
+ },
+ "output": {
+ "html": {
+ "data": {
+ "expandObject": null
+ },
+ "table": "Normal",
+ "decorate": [
+
+ ],
+ "emphasis": [
+
+ ],
+ "actions": {
+ "objectData": {
+ "properties": [
+ "*"
+ ],
+ "expandObject": null,
+ "limit": null
+ },
+ "showGoToButton": "True",
+ "showModalButton": "True",
+ "directLink": null
+ }
+ },
+ "text": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "status": {
+ "keyName": [
+
+ ],
+ "message": "Ensure external sharing is restricted by security group",
+ "defaultMessage": null
+ },
+ "properties": {
+ "resourceName": null,
+ "resourceId": null,
+ "resourceType": null
+ },
+ "onlyStatus": false
+ }
+ },
+ "idSuffix": "spo_link_sharing_not_restricted_security_group",
+ "notes": [
+
+ ],
+ "categories": [
+
+ ]
+}
+
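Review bot: The `idSuffix` `spo_link_sharing_not_restricted_security_group` labels this as a link-sharing finding, but the control restricts external sharing to security groups, and the value reads as a variant of `spo_link_sharing_not_restricted`, which sharepoint-link-sharing-not-restricted.json in this same commit uses for CIS 7.2.7. An identifier such as `"idSuffix": "spo_external_sharing_not_restricted_by_security_group"` (constructed example) would match both the file name and the `displayName`. The `references` array is also empty here although the other SharePoint rules point at the relevant learn.microsoft.com page.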
diff --git a/rules/findings/Microsoft365/SharePoint Online/CIS3.1/sharepoint-guest-access-to-site-or-onedrive-not-expire.json b/rules/findings/Microsoft365/SharePoint Online/CIS3.1/sharepoint-guest-access-to-site-or-onedrive-not-expire.json
new file mode 100644
index 00000000..8714680e
--- /dev/null
+++ b/rules/findings/Microsoft365/SharePoint Online/CIS3.1/sharepoint-guest-access-to-site-or-onedrive-not-expire.json
@@ -0,0 +1,117 @@
+{
+ "args": [
+
+ ],
+ "provider": "Microsoft365",
+ "serviceType": "SharePoint Online",
+ "serviceName": "Microsoft 365",
+ "displayName": "Ensure guest access to a site or OneDrive will expire automatically",
+ "description": "
+ This policy setting configures the expiration time for each guest that is invited to the SharePoint site or with whom users share individual files and folders with.
+ The recommended state is 30 or less.
+ ",
+ "rationale": "
+ This setting ensures that guests who no longer need access to the site or link no longer have access after a set period of time. Allowing guest access for an indefinite amount of time could lead to loss of data confidentiality and oversight.
+ **Note** : Guest membership applies at the Microsoft 365 group level. Guests who have permission to view a SharePoint site or use a sharing link may also have access to a Microsoft Teams team or security group.
+ ",
+ "impact": "
+ Site collection administrators will have to renew access to guests who still need access after 30 days. They will receive an e-mail notification once per week about guest access that is about to expire.
+ **Note** : The guest expiration policy only applies to guests who use sharing links or guests who have direct permissions to a SharePoint site after the guest policy is enabled. The guest policy does not apply to guest users that have pre-existing permissions or access through a sharing link before the guest expiration policy is applied.
+ ",
+ "remediation": {
+ "text": "
+ ###### To remediate using the UI:
+ 1. Navigate to SharePoint admin center https://admin.microsoft.com/sharepoint
+ 2. Click to expand Policies > Sharing.
+ 3. Scroll to and expand More external sharing settings.
+ 4. Set Guest access to a site or OneDrive will expire automatically after this many days to 30
+ ",
+ "code": {
+ "powerShell": null,
+ "iac": null,
+ "terraform": null,
+ "other": null
+ }
+ },
+ "recommendation": null,
+ "references": [
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations Benchmark",
+ "version": "3.1.0",
+ "reference": "7.2.9",
+ "profile": "E3 Level 1"
+ }
+ ],
+ "level": "medium",
+ "tags": [
+ ],
+ "rule": {
+ "path": "",
+ "subPath": null,
+ "selectCondition": {
+
+ },
+ "query": [
+ ],
+ "shouldExist": null,
+ "returnObject": null,
+ "removeIfNotExists": null
+ },
+ "output": {
+ "html": {
+ "data": {
+ "expandObject": null
+ },
+ "table": "Normal",
+ "decorate": [
+
+ ],
+ "emphasis": [
+
+ ],
+ "actions": {
+ "objectData": {
+ "properties": [
+ "*"
+ ],
+ "expandObject": null,
+ "limit": null
+ },
+ "showGoToButton": "True",
+ "showModalButton": "True",
+ "directLink": null
+ }
+ },
+ "text": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "status": {
+ "keyName": [
+
+ ],
+ "message": "Ensure guest access to a site or OneDrive will expire automatically",
+ "defaultMessage": null
+ },
+ "properties": {
+ "resourceName": null,
+ "resourceId": null,
+ "resourceType": null
+ },
+ "onlyStatus": false
+ }
+ },
+ "idSuffix": "spo_guest_access_not_expiring",
+ "notes": [
+
+ ],
+ "categories": [
+
+ ]
+}
+
diff --git a/rules/findings/Microsoft365/SharepointOnline/CIS1.4/sharepoint-external-user-sharing-disabled.json b/rules/findings/Microsoft365/SharePoint Online/CIS3.1/sharepoint-guest-user-sharing-disabled.json
similarity index 76%
rename from rules/findings/Microsoft365/SharepointOnline/CIS1.4/sharepoint-external-user-sharing-disabled.json
rename to rules/findings/Microsoft365/SharePoint Online/CIS3.1/sharepoint-guest-user-sharing-disabled.json
index bd4e139f..c50d8a8f 100644
--- a/rules/findings/Microsoft365/SharepointOnline/CIS1.4/sharepoint-external-user-sharing-disabled.json
+++ b/rules/findings/Microsoft365/SharePoint Online/CIS3.1/sharepoint-guest-user-sharing-disabled.json
@@ -1,14 +1,14 @@
-{
+{
"args": [
],
"provider": "Microsoft365",
"serviceType": "SharePoint Online",
"serviceName": "Microsoft 365",
- "displayName": "Ensure that external users cannot share files, folders, and sites they do not own",
- "description": "SharePoint gives users the ability to share files, folder, and site collections. Internal users can share with external collaborators, who with the right permissions, could share those to another external party.",
+ "displayName": "Ensure that SharePoint guest users cannot share items they don't own",
+ "description": "SharePoint gives users the ability to share files, folders, and site collections. Internal users can share with external collaborators, and with the right permissions could share to other external parties.",
"rationale": "Sharing and collaboration are key; however, file, folder, or site collection owners should have the authority over what external users get shared with to prevent unauthorized disclosures of information.",
- "impact": "Impact associated with this change is highly dependent upon current practices. If users do not regularly share with external parties, then minimal impact is likely. However, if users do regularly share with guests/externally, minimum impacts could occur as those external users will be unable to \u0027re-share\u0027 content.",
+ "impact": "The impact associated with this change is highly dependent upon current practices. If users do not regularly share with external parties, then minimal impact is likely. However, if users do regularly share with guests/externally, minimum impacts could occur as those external users will be unable to 're-share' content.",
"remediation": {
"text": "###### To set SharePoint sharing settings, use the Microsoft 365 Admin Center\r\n\t\t\t\t\t1. Under `Admin centers` select `SharePoint`.\r\n\t\t\t\t\t2. Expand `Policies` then select `Sharing`.\r\n\t\t\t\t\t3. Expand `More external sharing settings`, uncheck `Allow guests to share items they don\u0027t own`.\r\n\t\t\t\t\t4. Click `Save`\r\n\t\t\t\t\t\r\n\t\t\t\t\t###### To Set Prevent external users from sharing files, folders, and sites that they don’t own, use the SharePoint Online PowerShell Module:\r\n\t\t\t\t\t1. Connect to SharePoint Online service using `Connect-SPOService`.\r\n\t\t\t\t\t2. Run the following SharePoint Online PowerShell command:\r\n\t\t\t\t\t```Powershell\r\n\t\t\t\t\tSet-SPOTenant -PreventExternalUsersFromResharing $True\r\n\t\t\t\t\t```",
"code": {
@@ -25,9 +25,10 @@
],
"compliance": [
{
- "name": "CIS Microsoft 365 Foundations",
- "version": "1.4.0",
- "reference": "3.6"
+ "name": "CIS Microsoft 365 Foundations Benchmark",
+ "version": "3.1.0",
+ "reference": "7.2.5",
+ "profile": "E3 Level 2"
}
],
"level": "medium",
@@ -79,13 +80,15 @@
],
"actions": {
"objectData": {
- "expand": [
+ "properties": [
"*"
],
+ "expandObject": null,
"limit": null
},
"showGoToButton": "True",
- "showModalButton": "True"
+ "showModalButton": "True",
+ "directLink": null
}
},
"text": {
@@ -99,7 +102,7 @@
"keyName": [
],
- "message": "Ensure that external users cannot share files, folders, and sites they do not own",
+ "message": "Ensure that SharePoint guest users cannot share items they don't own",
"defaultMessage": null
},
"properties": {
@@ -110,7 +113,7 @@
"onlyStatus": false
}
},
- "idSuffix": "o365_spo_external_users_sharing_disabled",
+ "idSuffix": "spo_guest_users_sharing_disabled",
"notes": [
],
@@ -118,3 +121,4 @@
]
}
+
diff --git a/rules/findings/Microsoft365/SharePoint Online/CIS3.1/sharepoint-link-sharing-not-restricted.json b/rules/findings/Microsoft365/SharePoint Online/CIS3.1/sharepoint-link-sharing-not-restricted.json
new file mode 100644
index 00000000..444a63f4
--- /dev/null
+++ b/rules/findings/Microsoft365/SharePoint Online/CIS3.1/sharepoint-link-sharing-not-restricted.json
@@ -0,0 +1,111 @@
+{
+ "args": [
+
+ ],
+ "provider": "Microsoft365",
+ "serviceType": "SharePoint Online",
+ "serviceName": "Microsoft 365",
+ "displayName": "Ensure link sharing is restricted in SharePoint and OneDrive",
+ "description": "
+ This setting sets the default link type that a user will see when sharing content in OneDrive or SharePoint. It does not restrict or exclude any other options.
+ The recommended state is `Specific people (only the people the user specifies)`
+ ",
+ "rationale": "By defaulting to specific people, the user will first need to consider whether or not the content being shared should be accessible by the entire organization versus select individuals. This aids in reinforcing the concept of least privilege.",
+ "impact": null,
+ "remediation": {
+ "text": "
+ ###### To remediate using the UI:
+ 1. Navigate to SharePoint admin center https://admin.microsoft.com/sharepoint
+ 2. Click to expand Policies > Sharing.
+ 3. Scroll to File and folder links.
+ 4. Set Choose the type of link that's selected by default when users share files and folders in SharePoint and OneDrive to Specific people (only the people the user specifies)
+ ",
+ "code": {
+ "powerShell": null,
+ "iac": null,
+ "terraform": null,
+ "other": null
+ }
+ },
+ "recommendation": null,
+ "references": [
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations Benchmark",
+ "version": "3.1.0",
+ "reference": "7.2.7",
+ "profile": "E3 Level 1"
+ }
+ ],
+ "level": "medium",
+ "tags": [
+ ],
+ "rule": {
+ "path": "",
+ "subPath": null,
+ "selectCondition": {
+
+ },
+ "query": [
+ ],
+ "shouldExist": null,
+ "returnObject": null,
+ "removeIfNotExists": null
+ },
+ "output": {
+ "html": {
+ "data": {
+ "expandObject": null
+ },
+ "table": "Normal",
+ "decorate": [
+
+ ],
+ "emphasis": [
+
+ ],
+ "actions": {
+ "objectData": {
+ "properties": [
+ "*"
+ ],
+ "expandObject": null,
+ "limit": null
+ },
+ "showGoToButton": "True",
+ "showModalButton": "True",
+ "directLink": null
+ }
+ },
+ "text": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "status": {
+ "keyName": [
+
+ ],
+ "message": "Ensure link sharing is restricted in SharePoint and OneDrive",
+ "defaultMessage": null
+ },
+ "properties": {
+ "resourceName": null,
+ "resourceId": null,
+ "resourceType": null
+ },
+ "onlyStatus": false
+ }
+ },
+ "idSuffix": "spo_link_sharing_not_restricted",
+ "notes": [
+
+ ],
+ "categories": [
+
+ ]
+}
+
diff --git a/rules/findings/Microsoft365/SharepointOnline/CIS1.4/sharepoint-online-infected-files-download-disabled.json b/rules/findings/Microsoft365/SharePoint Online/CIS3.1/sharepoint-microsoft365-infected-files-disallowed-to-download-not-enabled.json
similarity index 86%
rename from rules/findings/Microsoft365/SharepointOnline/CIS1.4/sharepoint-online-infected-files-download-disabled.json
rename to rules/findings/Microsoft365/SharePoint Online/CIS3.1/sharepoint-microsoft365-infected-files-disallowed-to-download-not-enabled.json
index c81bdcdc..68f25cdf 100644
--- a/rules/findings/Microsoft365/SharepointOnline/CIS1.4/sharepoint-online-infected-files-download-disabled.json
+++ b/rules/findings/Microsoft365/SharePoint Online/CIS3.1/sharepoint-microsoft365-infected-files-disallowed-to-download-not-enabled.json
@@ -1,4 +1,4 @@
-{
+{
"args": [
],
@@ -6,7 +6,7 @@
"serviceType": "SharePoint Online",
"serviceName": "Microsoft 365",
"displayName": "Ensure Office 365 SharePoint infected files are disallowed for download",
- "description": "Office 365 ATP for SharePoint, OneDrive, and Microsoft Teams protects your organization from inadvertently sharing malicious files. When an infected file is detected, that file is blocked so that no one can open, copy, move, or share it until further actions are taken by the organization\u0027s security team.",
+ "description": "By default, SharePoint online allows files that Defender for Office 365 has detected as infected to be downloaded.",
"rationale": "Defender for Office 365 for SharePoint, OneDrive, and Microsoft Teams protects your organization from inadvertently sharing malicious files. When an infected file is detected, that file is blocked so that no one can open, copy, move, or share it until further actions are taken by the organization\u0027s security team.",
"impact": "The only potential impact associated with implementation of this setting is potential inconvenience associated with the small percentage of false positive detections that may occur.",
"remediation": {
@@ -25,9 +25,10 @@
],
"compliance": [
{
- "name": "CIS Microsoft 365 Foundations",
- "version": "1.4.0",
- "reference": "2.5"
+ "name": "CIS Microsoft 365 Foundations Benchmark",
+ "version": "3.1.0",
+ "reference": "7.3.1",
+ "profile": "E5 Level 2"
}
],
"level": "medium",
@@ -79,13 +80,15 @@
],
"actions": {
"objectData": {
- "expand": [
+ "properties": [
"*"
],
+ "expandObject": null,
"limit": null
},
"showGoToButton": "True",
- "showModalButton": "True"
+ "showModalButton": "True",
+ "directLink": null
}
},
"text": {
@@ -110,7 +113,7 @@
"onlyStatus": false
}
},
- "idSuffix": "o365_spo_infected_files_allowed_download",
+ "idSuffix": "spo_m365_infected_files_allowed_download",
"notes": [
],
@@ -118,3 +121,4 @@
]
}
+
diff --git a/rules/findings/Microsoft365/SharePoint Online/CIS3.1/sharepoint-modern-authentication-required.json b/rules/findings/Microsoft365/SharePoint Online/CIS3.1/sharepoint-modern-authentication-required.json
new file mode 100644
index 00000000..c60aaf24
--- /dev/null
+++ b/rules/findings/Microsoft365/SharePoint Online/CIS3.1/sharepoint-modern-authentication-required.json
@@ -0,0 +1,110 @@
+{
+ "args": [
+
+ ],
+ "provider": "Microsoft365",
+ "serviceType": "SharePoint Online",
+ "serviceName": "Microsoft 365",
+ "displayName": "Ensure modern authentication for SharePoint applications is required",
+ "description": "Modern authentication in Microsoft 365 enables authentication features like multifactor authentication (MFA) using smart cards, certificate-based authentication (CBA), and third-party SAML identity providers.",
+ "rationale": "Strong authentication controls, such as the use of multifactor authentication, may be circumvented if basic authentication is used by SharePoint applications. Requiring modern authentication for SharePoint applications ensures strong authentication mechanisms are used when establishing sessions between these applications, SharePoint, and connecting users.",
+ "impact": "Strong authentication controls, such as the use of multifactor authentication, may be circumvented if basic authentication is used by SharePoint applications. Requiring modern authentication for SharePoint applications ensures strong authentication mechanisms are used when establishing sessions between these applications, SharePoint, and connecting users.",
+ "remediation": {
+ "text": "
+ ###### To audit using the UI:
+ 1. Navigate to SharePoint admin center https://admin.microsoft.com/sharepoint.
+ 2. Click to expand Policies select Access control.
+ 3. Select Apps that don't use modern authentication and ensure that it is set to Block access.
+ ",
+ "code": {
+ "powerShell": null,
+ "iac": null,
+ "terraform": null,
+ "other": null
+ }
+ },
+ "recommendation": null,
+ "references": [
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations Benchmark",
+ "version": "3.1.0",
+ "reference": "7.2.1",
+ "profile": "E3 Level 1"
+ }
+ ],
+ "level": "medium",
+ "tags": [
+ ],
+ "rule": {
+ "path": "",
+ "subPath": null,
+ "selectCondition": {
+
+ },
+ "query": [
+ ],
+ "shouldExist": null,
+ "returnObject": null,
+ "removeIfNotExists": null
+ },
+ "output": {
+ "html": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "table": null,
+ "decorate": [
+
+ ],
+ "emphasis": [
+
+ ],
+ "actions": {
+ "objectData": {
+ "properties": [
+ "*"
+ ],
+ "expandObject": null,
+ "limit": null
+ },
+ "showGoToButton": false,
+ "showModalButton": false,
+ "directLink": null
+ }
+ },
+ "text": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "status": {
+ "keyName": [
+
+ ],
+ "message": "Ensure modern authentication for SharePoint applications is required",
+ "defaultMessage": null
+ },
+ "properties": {
+ "resourceName": null,
+ "resourceId": null,
+ "resourceType": null
+ },
+ "onlyStatus": false
+ }
+ },
+ "idSuffix": "spo_modern_authentication_for_apps_not_required",
+ "notes": [
+
+ ],
+ "categories": [
+
+ ]
+}
+
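Review bot: `impact` is a verbatim copy of `rationale`, so the report would print the same paragraph twice and never state the operational effect of the change; either replace it with actual impact text or set it to `null` as sharepoint-link-sharing-not-restricted.json does. The remediation heading and its last step are audit wording rather than remediation — `###### To audit using the UI:` and `ensure that it is set to Block access` — so a reader following the remediation section is told to check the value, not to change it; `###### To remediate using the UI:` and `3. Set Apps that don't use modern authentication to Block access.` would match the other new files.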
diff --git a/rules/findings/Microsoft365/SharePoint Online/CIS3.1/sharepoint-onedrive-external-content-sharing-not-restricted.json b/rules/findings/Microsoft365/SharePoint Online/CIS3.1/sharepoint-onedrive-external-content-sharing-not-restricted.json
new file mode 100644
index 00000000..741cc2a1
--- /dev/null
+++ b/rules/findings/Microsoft365/SharePoint Online/CIS3.1/sharepoint-onedrive-external-content-sharing-not-restricted.json
@@ -0,0 +1,110 @@
+{
+ "args": [
+
+ ],
+ "provider": "Microsoft365",
+ "serviceType": "SharePoint Online",
+ "serviceName": "Microsoft 365",
+ "displayName": "Ensure OneDrive content sharing is restricted",
+ "description": "
+ This setting governs the global permissiveness of OneDrive content sharing in the organization.
+ OneDrive content sharing can be restricted independent of SharePoint but can never be more permissive than the level established with SharePoint.
+ The recommended state is Only people in your organization.
+ ",
+ "rationale": "OneDrive, designed for end-user cloud storage, inherently provides less oversight and control compared to SharePoint, which often involves additional content overseers or site administrators. This autonomy can lead to potential risks such as inadvertent sharing of privileged information by end users. Restricting external OneDrive sharing will require users to transfer content to SharePoint folders first which have those tighter controls.",
+ "impact": "Users will be required to take additional steps to share OneDrive content or use other official channels.",
+ "remediation": {
+ "text": "",
+ "code": {
+ "powerShell": null,
+ "iac": null,
+ "terraform": null,
+ "other": null
+ }
+ },
+ "recommendation": null,
+ "references": [
+ "https://learn.microsoft.com/en-us/sharepoint/dev/embedded/concepts/app-concepts/sharing-and-perm#container-partition"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations Benchmark",
+ "version": "3.1.0",
+ "reference": "7.2.4",
+ "profile": "E3 Level 2"
+ }
+ ],
+ "level": "medium",
+ "tags": [
+ ],
+ "rule": {
+ "path": "",
+ "subPath": null,
+ "selectCondition": {
+
+ },
+ "query": [
+ ],
+ "shouldExist": null,
+ "returnObject": null,
+ "removeIfNotExists": null
+ },
+ "output": {
+ "html": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "table": null,
+ "decorate": [
+
+ ],
+ "emphasis": [
+
+ ],
+ "actions": {
+ "objectData": {
+ "properties": [
+ "*"
+ ],
+ "expandObject": null,
+ "limit": null
+ },
+ "showGoToButton": false,
+ "showModalButton": false,
+ "directLink": null
+ }
+ },
+ "text": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "status": {
+ "keyName": [
+
+ ],
+ "message": "Ensure OneDrive content sharing is restricted",
+ "defaultMessage": null
+ },
+ "properties": {
+ "resourceName": null,
+ "resourceId": null,
+ "resourceType": null
+ },
+ "onlyStatus": false
+ }
+ },
+ "idSuffix": "spo_onedrive_content_sharing_not_restricted",
+ "notes": [
+
+ ],
+ "categories": [
+
+ ]
+}
+
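Review bot: The `rule` object in this file has an empty `path` and an empty `query`, so the finding has nothing to evaluate and, as far as the file alone shows, can never be produced; the same inert stub appears in the next two new files (sharepoint-onedrive-sync-restricted-for-unmanaged-devices.json and sharepoint-reauthentication-with-verification-code-disabled.json). If these are meant to be manual checks until the data source exists, record that in `notes`, e.g. `"notes": ["Manual check: rule path and query not yet implemented"]`, rather than leaving the rule silently disabled by construction. `remediation.text` is also the empty string here while the sibling rules carry the CIS UI steps. Separately, the `description` value is broken across physical lines with literal newlines, which RFC 8259 does not allow inside a string; the deleted CIS1.4 files escaped these as `\r\n`, so unless the loader is known to be lenient, these files should be escaped the same way.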
diff --git a/rules/findings/Microsoft365/SharePoint Online/CIS3.1/sharepoint-onedrive-sync-restricted-for-unmanaged-devices.json b/rules/findings/Microsoft365/SharePoint Online/CIS3.1/sharepoint-onedrive-sync-restricted-for-unmanaged-devices.json
new file mode 100644
index 00000000..4da01513
--- /dev/null
+++ b/rules/findings/Microsoft365/SharePoint Online/CIS3.1/sharepoint-onedrive-sync-restricted-for-unmanaged-devices.json
@@ -0,0 +1,119 @@
+{
+ "args": [
+
+ ],
+ "provider": "Microsoft365",
+ "serviceType": "SharePoint Online",
+ "serviceName": "Microsoft 365",
+ "displayName": "Ensure OneDrive sync is restricted for unmanaged devices",
+ "description": "
+ Microsoft OneDrive allows users to sign in their cloud tenant account and begin syncing select folders or the entire contents of OneDrive to a local computer. By default, this includes any computer with OneDrive already installed, whether it is Azure Domain Joined or Active Directory Domain joined.
+ The recommended state for this setting is `Allow syncing only on computers joined to specific domains Enabled: Specify the AD domain GUID(s)`.
+ ",
+ "rationale": "
+ Unmanaged devices pose a risk, since their security cannot be verified through existing security policies, brokers or endpoint protection. Allowing users to sync data to these devices takes that data out of the control of the organization. This increases the risk of the data either being intentionally or accidentally leaked.
+ **Note** : This setting is only applicable to Active Directory domains when operating in a hybrid configuration. It does not apply to Entra ID domains. If there are devices which are only Entra ID joined, consider using a Conditional Access Policy instead.
+ ",
+ "impact": "Enabling this feature will prevent users from using the OneDrive for Business Sync client on devices that are not joined to the domains that were defined.",
+ "remediation": {
+ "text": "
+ ###### To remediate using the UI:
+ 1. Navigate to SharePoint admin center https://admin.microsoft.com/sharepoint
+ 2. Click Settings then select OneDrive - Sync.
+ 3. Check the Allow syncing only on computers joined to specific domains.
+ 4. Use the Get-ADDomain PowerShell command on the on-premises server to obtain
+ the GUID for each on-premises domain.
+ 5. Click Save.
+ ",
+ "code": {
+ "powerShell": null,
+ "iac": null,
+ "terraform": null,
+ "other": null
+ }
+ },
+ "recommendation": null,
+ "references": [
+ "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/turn-on-atp-for-spo-odb-and-teams",
+ "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/virus-detection-in-spo?view=o365-worldwide"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations Benchmark",
+ "version": "3.1.0",
+ "reference": "7.3.2",
+ "profile": "E3 Level 2"
+ }
+ ],
+ "level": "medium",
+ "tags": [
+
+ ],
+ "rule": {
+ "path": "",
+ "subPath": null,
+ "selectCondition": {
+
+ },
+ "query": [
+ ],
+ "shouldExist": null,
+ "returnObject": null,
+ "removeIfNotExists": null
+ },
+ "output": {
+ "html": {
+ "data": {
+ "expandObject": null
+ },
+ "table": "Normal",
+ "decorate": [
+
+ ],
+ "emphasis": [
+
+ ],
+ "actions": {
+ "objectData": {
+ "properties": [
+ "*"
+ ],
+ "expandObject": null,
+ "limit": null
+ },
+ "showGoToButton": "True",
+ "showModalButton": "True",
+ "directLink": null
+ }
+ },
+ "text": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "status": {
+ "keyName": [
+
+ ],
+ "message": "Ensure OneDrive sync is restricted for unmanaged devices",
+ "defaultMessage": null
+ },
+ "properties": {
+ "resourceName": null,
+ "resourceId": null,
+ "resourceType": null
+ },
+ "onlyStatus": false
+ }
+ },
+ "idSuffix": "spo_onedrive_sync_restricted_for_unmanaged_devices",
+ "notes": [
+
+ ],
+ "categories": [
+
+ ]
+}
+
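Review bot: `showGoToButton` and `showModalButton` under `output.html.actions` are the strings `"True"` here, while the sibling rule added in this commit uses the boolean `false`, so the key changes type between files and a consumer that tests the JSON boolean, or string truthiness, may read it differently than intended; use `true`. The same string values appear in sharepoint-reauthentication-with-verification-code-disabled.json. Both files also omit the `properties` map from `output.html.data` while setting `"table": "Normal"`, so the table has no column definitions to render, which the other new rules do include (even if empty). Finally, the two `references` URLs point to Defender for Office 365 / virus-detection pages and do not describe the OneDrive sync domain restriction this rule covers; replace them with the OneDrive sync documentation the remediation text refers to.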
diff --git a/rules/findings/Microsoft365/SharePoint Online/CIS3.1/sharepoint-reauthentication-with-verification-code-disabled.json b/rules/findings/Microsoft365/SharePoint Online/CIS3.1/sharepoint-reauthentication-with-verification-code-disabled.json
new file mode 100644
index 00000000..1dcb9f82
--- /dev/null
+++ b/rules/findings/Microsoft365/SharePoint Online/CIS3.1/sharepoint-reauthentication-with-verification-code-disabled.json
@@ -0,0 +1,114 @@
+{
+ "args": [
+
+ ],
+ "provider": "Microsoft365",
+ "serviceType": "SharePoint Online",
+ "serviceName": "Microsoft 365",
+ "displayName": "Ensure reauthentication with verification code is restricted",
+ "description": "
+ This setting configures if guests who use a verification code to access the site or links are required to reauthenticate after a set number of days.
+ The recommended state is 15 or less.
+ ",
+ "rationale": "By increasing the frequency of times guests need to reauthenticate this ensures guest user access to data is not prolonged beyond an acceptable amount of time.",
+ "impact": "Guests who use Microsoft 365 in their organization can sign in using their work or school account to access the site or document. After the one-time passcode for verification has been entered for the first time, guests will authenticate with their work or school account and have a guest account created in the host's organization.",
+ "remediation": {
+ "text": "
+ ###### To remediate using the UI:
+ 1. Navigate to SharePoint admin center https://admin.microsoft.com/sharepoint
+ 2. Click to expand Policies > Sharing.
+ 3. Scroll to and expand More external sharing settings.
+ 4. Set People who use a verification code must reauthenticate after this many days to 15 or less.
+ ",
+ "code": {
+ "powerShell": null,
+ "iac": null,
+ "terraform": null,
+ "other": null
+ }
+ },
+ "recommendation": null,
+ "references": [
+ "https://learn.microsoft.com/en-US/sharepoint/what-s-new-in-sharing-in-targeted-release?WT.mc_id=365AdminCSH_spo",
+ "https://learn.microsoft.com/en-US/sharepoint/turn-external-sharing-on-or-off?WT.mc_id=365AdminCSH_spo#change-the-organization-level-external-sharing-setting",
+ "https://learn.microsoft.com/en-us/azure/active-directory/external-identities/one-time-passcode"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations Benchmark",
+ "version": "3.1.0",
+ "reference": "7.2.10",
+ "profile": "E3 Level 1"
+ }
+ ],
+ "level": "medium",
+ "tags": [
+ ],
+ "rule": {
+ "path": "",
+ "subPath": null,
+ "selectCondition": {
+
+ },
+ "query": [
+ ],
+ "shouldExist": null,
+ "returnObject": null,
+ "removeIfNotExists": null
+ },
+ "output": {
+ "html": {
+ "data": {
+ "expandObject": null
+ },
+ "table": "Normal",
+ "decorate": [
+
+ ],
+ "emphasis": [
+
+ ],
+ "actions": {
+ "objectData": {
+ "properties": [
+ "*"
+ ],
+ "expandObject": null,
+ "limit": null
+ },
+ "showGoToButton": "True",
+ "showModalButton": "True",
+ "directLink": null
+ }
+ },
+ "text": {
+ "data": {
+ "properties": {
+
+ },
+ "expandObject": null
+ },
+ "status": {
+ "keyName": [
+
+ ],
+ "message": "Ensure reauthentication with verification code is restricted",
+ "defaultMessage": null
+ },
+ "properties": {
+ "resourceName": null,
+ "resourceId": null,
+ "resourceType": null
+ },
+ "onlyStatus": false
+ }
+ },
+ "idSuffix": "spo_reauthentication_with_verification_code_not_enabled",
+ "notes": [
+
+ ],
+ "categories": [
+
+ ]
+}
+
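Review bot: `idSuffix` is `spo_reauthentication_with_verification_code_not_enabled`, while the file is named `…-verification-code-disabled.json` and `displayName`/`status.message` say "is restricted", so one finding carries three different names and is hard to correlate with the CIS control. Pick one wording and use it throughout, e.g. `"idSuffix": "spo_reauthentication_with_verification_code_not_restricted"`. The `rationale` sentence also reads awkwardly; consider `By increasing how often guests must reauthenticate, guest access to data is not prolonged beyond an acceptable amount of time.`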
diff --git a/rules/findings/Microsoft365/SharepointOnline/CIS1.4/sharepoint-data-classification-policy-disabled.json b/rules/findings/Microsoft365/SharepointOnline/CIS1.4/sharepoint-data-classification-policy-disabled.json
deleted file mode 100644
index c1dd1eea..00000000
--- a/rules/findings/Microsoft365/SharepointOnline/CIS1.4/sharepoint-data-classification-policy-disabled.json
+++ /dev/null
@@ -1,126 +0,0 @@
-{
- "args": [
-
- ],
- "provider": "Microsoft365",
- "serviceType": "SharePoint Online",
- "serviceName": "Microsoft 365",
- "displayName": "Ensure SharePoint Online Information Protection policies are set up and used",
- "description": "Consider to set up and use SharePoint Online data classification policies on data stored in your SharePoint Online sites.",
- "rationale": "The policies will help categorize your most important data so you can effectively protect it from illicit access, and will help make it easier to investigate discovered breaches.",
- "impact": "Creation of data classification policies will not cause a significant impact to an organization. However, ensuring long term adherence with policies can potentially be a significant training and ongoing compliance effort across an organization. Organizations should ensure that training and compliance planning is part of the classification policy creation process.",
- "remediation": {
- "text": "###### To set up data classification policies, use the Microsoft 365 Admin Center:\r\n\t\t\t\t\t1. Under `Admin centers` select `Compliance` to open the `Microsoft 365 compliance center`.\r\n\t\t\t\t\t2. Under `Solutions` click `Information protection`\r\n\t\t\t\t\t3. Select `Labels` tab\r\n\t\t\t\t\t4. Click `Create a label` to create a label.\r\n\t\t\t\t\t5. Select the label and click on the `Publish` label\r\n\t\t\t\t\t6. Fill out the forms to create the policy",
- "code": {
- "powerShell": null,
- "iac": null,
- "terraform": null,
- "other": null
- }
- },
- "recommendation": null,
- "references": [
- "https://docs.microsoft.com/en-us/microsoft-365/compliance/create-apply-retention-labels?view=o365-worldwide",
- "https://docs.microsoft.com/en-us/microsoft-365/compliance/retention?view=o365-worldwide"
- ],
- "compliance": [
- {
- "name": "CIS Microsoft 365 Foundations",
- "version": "1.4.0",
- "reference": "3.2"
- }
- ],
- "level": "medium",
- "tags": [
- "Microsoft 365 CIS benchmark 3.2"
- ],
- "rule": {
- "path": "o365_exo_label_policy",
- "subPath": null,
- "selectCondition": {
-
- },
- "query": [
- {
- "filter": [
- {
- "conditions": [
- [
- "Name",
- "ne",
- "Global sensitivity label policy"
- ],
- [
- "Enabled",
- "eq",
- "false"
- ]
- ],
- "operator": "or"
- }
- ]
- }
- ],
- "shouldExist": "true",
- "returnObject": {
- "operationName": "Sensitivity Label Policy",
- "Status": "DoesNotExists"
- },
- "removeIfNotExists": null
- },
- "output": {
- "html": {
- "data": {
- "properties": {
-
- },
- "expandObject": null
- },
- "table": null,
- "decorate": [
-
- ],
- "emphasis": [
-
- ],
- "actions": {
- "objectData": {
- "expand": [
- "*"
- ],
- "limit": null
- },
- "showGoToButton": false,
- "showModalButton": false
- }
- },
- "text": {
- "data": {
- "properties": {
-
- },
- "expandObject": null
- },
- "status": {
- "keyName": [
-
- ],
- "message": "Ensure SharePoint Online Information Protection policies are set up and used",
- "defaultMessage": null
- },
- "properties": {
- "resourceName": null,
- "resourceId": null,
- "resourceType": null
- },
- "onlyStatus": false
- }
- },
- "idSuffix": "sps_data_classification_policy_disabled",
- "notes": [
-
- ],
- "categories": [
-
- ]
-}
diff --git a/rules/findings/Microsoft365/SharepointOnline/CIS1.4/sharepoint-online-modern-authentication-disabled.json b/rules/findings/Microsoft365/SharepointOnline/CIS1.4/sharepoint-online-modern-authentication-disabled.json
deleted file mode 100644
index 35cb5e9a..00000000
--- a/rules/findings/Microsoft365/SharepointOnline/CIS1.4/sharepoint-online-modern-authentication-disabled.json
+++ /dev/null
@@ -1,120 +0,0 @@
-{
- "args": [
-
- ],
- "provider": "Microsoft365",
- "serviceType": "SharePoint Online",
- "serviceName": "Microsoft 365",
- "displayName": "Ensure modern authentication for SharePoint applications is required",
- "description": "Modern authentication in Microsoft 365 enables authentication features like multifactor authentication (MFA) using smart cards, certificate-based authentication (CBA), and third party SAML identity provider.",
- "rationale": "Strong authentication controls, such as the use of multifactor authentication, may be circumvented if basic authentication is used by SharePoint applications. Requiring modern authentication for SharePoint applications ensures strong authentication mechanisms are used when establishing sessions between these applications, SharePoint, and connecting users.",
- "impact": "Implementation of modern authentication for SharePoint will require users to authenticate to SharePoint using modern authentication. This may cause a minor impact to typical user behavior.",
- "remediation": {
- "text": "###### To set SharePoint settings, use the Microsoft 365 Admin Center\r\n\t\t\t\t\t1. Under `Admin centers` select `SharePoint`.\r\n\t\t\t\t\t2. Expand `Policies` then select `Access Control`.\r\n\t\t\t\t\t3. Select `Apps that don\u0027t use modern authentication`.\r\n\t\t\t\t\t4. Select the radio button for `Block`.\r\n\t\t\t\t\t5. Click `Save`\r\n\t\t\t\t\t###### To set Apps that don\u0027t use modern authentication is set to Block, use the SharePoint Online PowerShell Module:\r\n\t\t\t\t\t1. Connect to SharePoint Online using `Connect-SPOService` -Url https://tenant-admin.sharepoint.com replacing `tenant` with your value.\r\n\t\t\t\t\t2. Run the following SharePoint Online PowerShell command:\r\n\t\t\t\t\t```Powershell\r\n\t\t\t\t\tSet-SPOTenant -LegacyAuthProtocolsEnabled $false\r\n\t\t\t\t\t```",
- "code": {
- "powerShell": null,
- "iac": null,
- "terraform": null,
- "other": null
- }
- },
- "recommendation": null,
- "references": [
- "https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/block-legacy-authentication",
- "https://stealthbits.com/blog/how-to-harden-you-sharepoint-online-environment-by-disabling-legacy-authentication/"
- ],
- "compliance": [
- {
- "name": "CIS Microsoft 365 Foundations",
- "version": "1.3.0",
- "reference": "1.4"
- }
- ],
- "level": "medium",
- "tags": [
- "Microsoft 365 CIS benchmark 1.4"
- ],
- "rule": {
- "path": "o365_spo_tenant_admin_details",
- "subPath": null,
- "selectCondition": {
-
- },
- "query": [
- {
- "filter": [
- {
- "conditions": [
- [
- "LegacyAuthProtocolsEnabled",
- "eq",
- "true"
- ]
- ]
- }
- ]
- }
- ],
- "shouldExist": null,
- "returnObject": null,
- "removeIfNotExists": null
- },
- "output": {
- "html": {
- "data": {
- "properties": {
- "RootSiteUrl": "Root Site",
- "SharingCapability": "Sharing Capability",
- "ConditionalAccessPolicy": "Conditional Access Policy",
- "LegacyAuthProtocolsEnabled": "Legacy Auth Enabled"
- },
- "expandObject": null
- },
- "table": "Normal",
- "decorate": [
-
- ],
- "emphasis": [
-
- ],
- "actions": {
- "objectData": {
- "expand": [
- "*"
- ],
- "limit": null
- },
- "showGoToButton": "True",
- "showModalButton": "True"
- }
- },
- "text": {
- "data": {
- "properties": {
-
- },
- "expandObject": null
- },
- "status": {
- "keyName": [
-
- ],
- "message": "Ensure modern authentication for SharePoint applications is required",
- "defaultMessage": null
- },
- "properties": {
- "resourceName": null,
- "resourceId": null,
- "resourceType": null
- },
- "onlyStatus": false
- }
- },
- "idSuffix": "o365_spo_modern_auth_disabled",
- "notes": [
-
- ],
- "categories": [
-
- ]
-}
diff --git a/rules/findings/Microsoft365/SharepointOnline/CIS1.4/sharepoint-sharing-links-missing-expiration.json b/rules/findings/Microsoft365/SharepointOnline/CIS1.4/sharepoint-sharing-links-missing-expiration.json
deleted file mode 100644
index eafaa72a..00000000
--- a/rules/findings/Microsoft365/SharepointOnline/CIS1.4/sharepoint-sharing-links-missing-expiration.json
+++ /dev/null
@@ -1,120 +0,0 @@
-{
- "args": [
-
- ],
- "provider": "Microsoft365",
- "serviceType": "SharePoint Online",
- "serviceName": "Microsoft 365",
- "displayName": "Ensure expiration time for external sharing links is set",
- "description": "Consider to restrict the length of time that anonymous access links are valid.",
- "rationale": "An attacker can compromise a user account for a short period of time, send anonymous sharing links to an external account, then take their time accessing the data. They can also compromise external accounts and steal the anonymous sharing links sent to those external entities well after the data has been shared. Restricting how long the links are valid can reduce the window of opportunity for attackers.",
- "impact": "Enabling this feature will ensure that link expire within the defined number of days. This will have an affect on links that were previously not set with an expiration.",
- "remediation": {
- "text": "###### To set expiration for anonymous access links, use the Microsoft 365 Admin Center\r\n\t\t\t\t\t1. Log in as an SharePoint Administrator\r\n\t\t\t\t\t2. Navigate to \u003ca href=\"https://admin.microsoft.com\" target=\"_blank\"\u003eMicrosoft 365 administration portal\u003c/a\u003e, Click on Admin Centers and then SharePoint.\r\n\t\t\t\t\t3. Expand `Policies` then click `Sharing`.\r\n\t\t\t\t\t4. Check `These links must expire within this many days`.\r\n\t\t\t\t\t5. Set to the desired number of days, such as `30`.\r\n\t\t\t\t\t6. Click `OK`.\r\n\t\t\t\t\t\r\n\t\t\t\t\t###### To set expiration for anonymous access links, you can also use SharePoint Online PowerShell\r\n\t\t\t\t\t1. Connect to SharePoint Online using Connect-SPOService -Url https://tenant-admin.sharepoint.com and replacing `tenant` with your value.\r\n\t\t\t\t\t2. Run the following PowerShell command:\t\t\t\t\t\r\n\t\t\t\t\t```powershell\r\n\t\t\t\t\tset-SPOTenant -RequireAnonymousLinksExpireInDays 30\r\n\t\t\t\t\t```",
- "code": {
- "powerShell": null,
- "iac": null,
- "terraform": null,
- "other": null
- }
- },
- "recommendation": null,
- "references": [
- "https://docs.microsoft.com/en-us/sharepoint/turn-external-sharing-on-or-off",
- "https://docs.microsoft.com/en-us/microsoft-365/solutions/microsoft-365-limit-sharing?view=o365-worldwide"
- ],
- "compliance": [
- {
- "name": "CIS Microsoft 365 Foundations",
- "version": "1.3.0",
- "reference": "6.3"
- }
- ],
- "level": "medium",
- "tags": [
- "Microsoft 365 CIS benchmark 6.3"
- ],
- "rule": {
- "path": "o365_spo_tenant_details",
- "subPath": null,
- "selectCondition": {
-
- },
- "query": [
- {
- "filter": [
- {
- "conditions": [
- [
- "RequireAnonymousLinksExpireInDays",
- "eq",
- "-1"
- ]
- ]
- }
- ]
- }
- ],
- "shouldExist": null,
- "returnObject": null,
- "removeIfNotExists": null
- },
- "output": {
- "html": {
- "data": {
- "properties": {
- "AllowEditing": "Allow Editing",
- "AnyoneLinkTrackUsers": "Link Track Users",
- "ConditionalAccessPolicy": "Conditional Access Policy",
- "RequireAnonymousLinksExpireInDays": "Require Anonymous Links Expire In Days"
- },
- "expandObject": null
- },
- "table": "Normal",
- "decorate": [
-
- ],
- "emphasis": [
-
- ],
- "actions": {
- "objectData": {
- "expand": [
- "*"
- ],
- "limit": null
- },
- "showGoToButton": "True",
- "showModalButton": "True"
- }
- },
- "text": {
- "data": {
- "properties": {
-
- },
- "expandObject": null
- },
- "status": {
- "keyName": [
-
- ],
- "message": "Ensure expiration time for external sharing links is set",
- "defaultMessage": null
- },
- "properties": {
- "resourceName": null,
- "resourceId": null,
- "resourceType": null
- },
- "onlyStatus": false
- }
- },
- "idSuffix": "sps_sharing_links_missing_expiration",
- "notes": [
-
- ],
- "categories": [
-
- ]
-}
diff --git a/rules/rulesets/cis_azure_1.4.json b/rules/rulesets/cis_azure_1.4.json
deleted file mode 100644
index 4a47b0bd..00000000
--- a/rules/rulesets/cis_azure_1.4.json
+++ /dev/null
@@ -1,1749 +0,0 @@
-{
- "about": "This ruleset contains a collection of rules for Azure based on CIS benchmark. The rules are used as a mechanism to evaluate the configuration of Azure resources and to determine whether controls within a standard are being adhered to. Rules are also divided into categories and subcategories according to the rule's type. This will ensures that Azure cloud will meet the industry standards.",
- "framework": {
- "name" : "CIS Microsoft Azure Foundations",
- "version" : "1.4.0"
- },
- "rules": {
- "aad-iam-privileged-users-disabled-mfa.json": [
- {
- "args": [
- "aad-privileged-roles.json"
- ],
- "enabled": true,
- "level": "high",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "1.1"
- }
- ]
- }
- ],
- "aad-iam-users-disabled-mfa.json": [
- {
- "enabled": true,
- "level": "high",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "1.2"
- }
- ]
- }
- ],
- "aad-guest-users-present.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "1.3"
- }
- ]
- }
- ],
- "azure-activedirectory-sspr-reset-methods.json": [
- {
- "enabled": true,
- "level": "low",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "1.5"
- }
- ]
- }
- ],
- "azure-activedirectory-sspr-mfa-reconfirm-days.json": [
- {
- "enabled": true,
- "level": "low",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "1.6"
- }
- ]
- }
- ],
- "azure-activedirectory-sspr-notify-users-disabled.json": [
- {
- "enabled": true,
- "level": "low",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "1.7"
- }
- ]
- }
- ],
- "azure-activedirectory-sspr-notify-admin-disabled.json": [
- {
- "enabled": true,
- "level": "low",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "1.8"
- }
- ]
- }
- ],
- "azure-activedirectory-users-can-consent-apps-data-access.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "1.9"
- }
- ]
- }
- ],
- "azure-activedirectory-users-can-add-gallery-apps.json": [
- {
- "enabled": true,
- "level": "info",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "1.10"
- }
- ]
- }
- ],
- "azure-activedirectory-users-can-register-apps-enabled.json": [
- {
- "enabled": true,
- "level": "info",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "1.11"
- }
- ]
- }
- ],
- "aad-guest-can-invite.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "1.13"
- }
- ]
- }
- ],
- "azure-activedirectory-restrict-users-ad-portal.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "1.14"
- }
- ]
- }
- ],
- "azure-activedirectory-users-can-access-group-features.json": [
- {
- "enabled": true,
- "level": "info",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "1.15"
- }
- ]
- }
- ],
- "azure-activedirectory-users-can-create-security-groups.json": [
- {
- "enabled": true,
- "level": "low",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "1.16"
- }
- ]
- }
- ],
- "azure-activedirectory-owners-can-manage-group-membership-enabled.json": [
- {
- "enabled": true,
- "level": "low",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "1.17"
- }
- ]
- }
- ],
- "azure-activedirectory-users-can-create-o365-groups.json": [
- {
- "enabled": true,
- "level": "low",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "1.18"
- }
- ]
- }
- ],
- "azure-activedirectory-devices-require-mfa-settings.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "1.19"
- }
- ]
- }
- ],
- "azure-subscription-custom-role-excessive-permissions.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "1.20"
- }
- ]
- }
- ],
- "aad-security-defaults-disabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "1.21"
- }
- ]
- }
- ],
- "azure-subscription-missing-custom-lock-role.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "1.22"
- }
- ]
- }
- ],
- "azure-defender-missing-vm-protection.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "2.1"
- }
- ]
- }
- ],
- "azure-defender-missing-appservice-protection.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "2.2"
- }
- ]
- }
- ],
- "azure-defender-missing-sql-server-protection.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "2.3"
- }
- ]
- }
- ],
- "azure-defender-missing-sql-server-on-machines-protection.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "2.4"
- }
- ]
- }
- ],
- "azure-defender-missing-storageaccount-protection.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "2.5"
- }
- ]
- }
- ],
- "azure-defender-missing-kubernetes-protection.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "2.6"
- }
- ]
- }
- ],
- "azure-defender-missing-container-registries-protection.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "2.7"
- }
- ]
- }
- ],
- "azure-defender-missing-keyvault-protection.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "2.8"
- }
- ]
- }
- ],
- "windows-defender-missing-security-center-integration.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "2.9"
- }
- ]
- }
- ],
- "cloud-app-security-missing-security-center-integration.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "2.10"
- }
- ]
- }
- ],
- "azure-automatic-vm-agent-provisioning-policy-disabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "2.11"
- }
- ]
- }
- ],
- "azure-asc-monitor-adaptive-application-disabled-alert.json": [
- {
- "args": [
- "adaptiveApplicationControlsMonitoringEffect",
- "Adaptive Application Safelisting Monitoring"
- ],
- "enabled": true,
- "level": "medium"
- },
- {
- "args": [
- "webApplicationFirewallMonitoringEffect",
- "Web Application Firewall recommendations"
- ],
- "enabled": true,
- "level": "medium"
- },
- {
- "args": [
- "diskEncryptionMonitoringEffect",
- "Disk encryption recommendations for virtual machines"
- ],
- "enabled": true,
- "level": "medium"
- },
- {
- "args": [
- "jitNetworkAccessMonitoringEffect",
- "JIT Network Access for virtual machines"
- ],
- "enabled": true,
- "level": "medium"
- },
- {
- "args": [
- "endpointProtectionMonitoringEffect",
- "Endpoint protection recommendations for virtual machines"
- ],
- "enabled": true,
- "level": "medium"
- },
- {
- "args": [
- "nextGenerationFirewallMonitoringEffect",
- "Next generation firewall recommendations for virtual machines"
- ],
- "enabled": true,
- "level": "medium"
- },
- {
- "args": [
- "networkSecurityGroupsMonitoringEffect",
- "Network security group recommendations for virtual machines"
- ],
- "enabled": true,
- "level": "medium"
- },
- {
- "args": [
- "systemConfigurationsMonitoringEffect",
- "OS vulnerability recommendations for virtual machines"
- ],
- "enabled": true,
- "level": "medium"
- },
- {
- "args": [
- "sqlAuditingMonitoringEffect",
- "SQL auditing recommendations"
- ],
- "enabled": true,
- "level": "medium"
- },
- {
- "args": [
- "sqlEncryptionMonitoringEffect",
- "SQL encryption recommendations"
- ],
- "enabled": true,
- "level": "medium"
- },
- {
- "args": [
- "storageEncryptionMonitoringEffect",
- "Storage encryption recommendations"
- ],
- "enabled": true,
- "level": "medium"
- },
- {
- "args": [
- "systemUpdatesMonitoringEffect",
- "System Updates for Virtual Machines"
- ],
- "enabled": true,
- "level": "medium"
- },
- {
- "args": [
- "vulnerabilityAssesmentMonitoringEffect",
- "Vulnerability assessments for Virtual Machines"
- ],
- "enabled": true,
- "level": "medium"
- }
- ],
- "azure-security-contact-mail-disabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "2.13"
- }
- ]
- }
- ],
- "azure-security-contact-send-email-high-alerts-disabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "2.14"
- }
- ]
- }
- ],
- "azure-security-contact-send-email-to-owners-disabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "2.15"
- }
- ]
- }
- ],
- "azure-storage-accounts-https-traffic-enabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "3.1"
- }
- ]
- }
- ],
- "azure-storage-accounts-key-rotation-disabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "3.2"
- }
- ]
- }
- ],
- "azure-storage-accounts-queue-logging-disabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "3.3"
- }
- ]
- }
- ],
- "azure-storage-accounts-public-access-level.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "3.5"
- }
- ]
- }
- ],
- "azure-storage-accounts-access-all-networks.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "3.6"
- }
- ]
- }
- ],
- "azure-storage-accounts-trusted-ms-services-bypass.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "3.7"
- }
- ]
- }
- ],
- "azure-storage-accounts-blob-data-protection-missing.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "3.8"
- }
- ]
- }
- ],
- "azure-storage-accounts-lack-cmk.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "3.9"
- }
- ]
- }
- ],
- "azure-storage-accounts-blob-logging-disabled.json": [
- {
- "enabled": true,
- "level": "low",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "3.10"
- }
- ]
- }
- ],
- "azure-storage-accounts-table-logging-disabled.json": [
- {
- "enabled": true,
- "level": "low",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "3.11"
- }
- ]
- }
- ],
- "azure-storage-accounts-minimum-tls-disabled.json": [
- {
- "enabled": true,
- "level": "low",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "3.12"
- }
- ]
- }
- ],
- "azure-sql-server-auditing-disabled.json": [
- {
- "enabled": true,
- "level": "low",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "4.1.1"
- }
- ]
- }
- ],
- "azure-sql-server-data-encryption-disabled.json": [
- {
- "enabled": true,
- "level": "low",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "4.1.2"
- }
- ]
- }
- ],
- "azure-sql-server-auditing-retention.json": [
- {
- "enabled": true,
- "level": "low",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "4.1.3"
- }
- ]
- }
- ],
- "azure-sql-server-advanced-threat-protection-disabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "4.2.1"
- }
- ]
- }
- ],
- "azure-sql-server-vulnerability-assessments-disabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "4.2.2"
- }
- ]
- }
- ],
- "azure-sql-server-vulnerability-periodic-assessments-disabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "4.2.3"
- }
- ]
- }
- ],
- "azure-sql-server-vulnerability-assessments-send-reports-disabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "4.2.4"
- }
- ]
- }
- ],
- "azure-sql-server-vulnerability-assessments-reportsto-admins-disabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "4.2.5"
- }
- ]
- }
- ],
- "azure-postgresql-enforcessl-disabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "4.3.1"
- }
- ]
- }
- ],
- "azure-postgresql-log-checkpoints-disabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "4.3.2"
- }
- ]
- }
- ],
- "azure-postgresql-log-connections-disabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "4.3.3"
- }
- ]
- }
- ],
- "azure-postgresql-log-disconnections-disabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "4.3.4"
- }
- ]
- }
- ],
- "azure-postgresql-connection-throttling-disabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "4.3.5"
- }
- ]
- }
- ],
- "azure-postgresql-log-retention-days.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "4.3.6"
- }
- ]
- }
- ],
- "azure-postgresql-allow-access-azure-services-enabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "4.3.7"
- }
- ]
- }
- ],
- "azure-postgresql-infrastructure-encryption-disabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "4.3.8"
- }
- ]
- }
- ],
- "azure-mysql-enforcessl-disabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "4.4.1"
- }
- ]
- }
- ],
- "azure-mysql-latest-tls-version-disabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "4.4.2"
- }
- ]
- }
- ],
- "azure-sql-server-active-directory-admin-disabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "4.5"
- }
- ]
- }
- ],
- "azure-sql-server-tdp-own-key-enabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "4.6"
- }
- ]
- }
- ],
- "azure-diagnostic-settings-disabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "5.1.1"
- }
- ]
- }
- ],
- "azure-diagnostic-settings-missing-categories.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "5.1.2"
- }
- ]
- }
- ],
- "azure-log-profile-container-public-access.json": [
- {
- "enabled": true,
- "level": "high",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "5.1.3"
- }
- ]
- }
- ],
- "azure-log-profile-storage-account-byok-disabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "5.1.4"
- }
- ]
- }
- ],
- "azure-keyvault-logging-enabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "5.1.5"
- }
- ]
- }
- ],
- "azure-activity-log-disabled-alerts.json": [
- {
- "args": [
- "Create Policy Assignment",
- "Microsoft.Authorization/policyAssignments/write",
- "True",
- "1.4.0",
- "5.2.1",
- "Monitoring for create policy assignment events gives insight into changes done in \"azure policy - assignments\" and may reduce the time it takes to detect unsolicited changes."
- ],
- "enabled": true,
- "level": "medium"
- },
- {
- "args": [
- "Delete Policy Assignment",
- "Microsoft.Authorization/policyAssignments/delete",
- "True",
- "1.4.0",
- "5.2.2",
- "Monitoring for delete policy assignment events gives insight into changes done in \"azure policy - assignments\" and may reduce the time it takes to detect unsolicited changes."
- ],
- "enabled": true,
- "level": "medium"
- },
- {
- "args": [
- "Create or Update Network Security Group",
- "Microsoft.Network/networkSecurityGroups/write",
- "True",
- "1.4.0",
- "5.2.3",
- "Monitoring for \"Create\" or \"Update Network Security Group\" events gives insight into network access changes and may reduce the time it takes to detect suspicious activity."
- ],
- "enabled": true,
- "level": "medium"
- },
- {
- "args": [
- "Delete Network Security Group",
- "Microsoft.Network/networkSecurityGroups/delete",
- "True",
- "1.4.0",
- "5.2.4",
- "Monitoring for \"Delete Network Security Group\" events gives insight into network access changes and may reduce the time it takes to detect suspicious activity."
- ],
- "enabled": true,
- "level": "medium"
- },
- {
- "args": [
- "Create or Update Network Security Group Rule",
- "Microsoft.Network/networkSecurityGroups/securityRules/write",
- "True",
- "1.4.0",
- "5.2.5",
- "Monitoring for Create or Update \"Network Security Group\" Rule events gives insight into network access changes and may reduce the time it takes to detect suspicious activity."
- ],
- "enabled": true,
- "level": "medium"
- },
- {
- "args": [
- "Delete Network Security Group Rule",
- "Microsoft.Network/networkSecurityGroups/securityRules/delete",
- "True",
- "1.4.0",
- "5.2.6",
- "Monitoring for Delete Network Security Group Rule events gives insight into network access changes and may reduce the time it takes to detect suspicious activity."
- ],
- "enabled": true,
- "level": "medium"
- },
- {
- "args": [
- "Create or Update Security Solution",
- "Microsoft.Security/securitySolutions/write",
- "True",
- "1.4.0",
- "5.2.7",
- "Monitoring for Create or Update Security Solution events gives insight into changes to the active security solutions and may reduce the time it takes to detect suspicious activity."
- ],
- "enabled": true,
- "level": "medium"
- },
- {
- "args": [
- "Delete Security Solution",
- "Microsoft.Security/securitySolutions/delete",
- "True",
- "1.4.0",
- "5.2.8",
- "Monitoring for Delete Security Solution events gives insight into changes to the active security solutions and may reduce the time it takes to detect suspicious activity."
- ],
- "enabled": true,
- "level": "medium"
- },
- {
- "args": [
- "Create or Update or Delete SQL Server Firewall Rule",
- "Microsoft.Sql/servers/firewallRules/write",
- "True",
- "1.4.0",
- "5.2.9",
- "Monitoring for Create or Update or Delete SQL Server Firewall Rule events gives insight into network access changes and may reduce the time it takes to detect suspicious activity."
- ],
- "enabled": true,
- "level": "medium"
- }
- ],
- "azure-activity-log-missing-alerts.json": [
- {
- "args": [
- "Create Policy Assignment",
- "Microsoft.Authorization/policyAssignments/write",
- "",
- "1.4.0",
- "5.2.1",
- "Monitoring for create policy assignment events gives insight into changes done in 'azure policy - assignments' and may reduce the time it takes to detect unsolicited changes.",
- "monkey365 rule"
- ],
- "enabled": true,
- "level": "medium"
- },
- {
- "args": [
- "Create or Update Network Security Group",
- "Microsoft.Network/networkSecurityGroups/write",
- "",
- "1.4.0",
- "5.2.2",
- "Monitoring for 'Create' or 'Update Network Security Group' events gives insight into network access changes and may reduce the time it takes to detect suspicious activity.",
- "monkey365 rule"
- ],
- "enabled": true,
- "level": "medium"
- },
- {
- "args": [
- "Create or Update Network Security Group Rule",
- "Microsoft.Network/networkSecurityGroups/securityRules/write",
- "",
- "1.4.0",
- "5.2.4",
- "Monitoring for Create or Update Network Security Group Rule events gives insight into network access changes and may reduce the time it takes to detect suspicious activity.",
- "monkey365 rule"
- ],
- "enabled": true,
- "level": "medium"
- },
- {
- "args": [
- "Delete Network Security Group Rule",
- "Microsoft.Network/networkSecurityGroups/securityRules/delete",
- "",
- "1.4.0",
- "5.2.5",
- "Monitoring for Delete Network Security Group Rule events gives insight into network access changes and may reduce the time it takes to detect suspicious activity.",
- "monkey365 rule"
- ],
- "enabled": true,
- "level": "medium"
- },
- {
- "args": [
- "Delete Network Security Group",
- "Microsoft.Network/networkSecurityGroups/delete",
- "",
- "1.4.0",
- "5.2.3",
- "Monitoring for 'Delete Network Security Group' events gives insight into network access changes and may reduce the time it takes to detect suspicious activity.",
- "monkey365 rule"
- ],
- "enabled": true,
- "level": "medium"
- },
- {
- "args": [
- "Create or Update Security Solution",
- "Microsoft.Security/securitySolutions/write",
- "",
- "1.4.0",
- "5.2.6",
- "Monitoring for Create or Update Security Solution events gives insight into changes to the active security solutions and may reduce the time it takes to detect suspicious activity.",
- "monkey365 rule"
- ],
- "enabled": true,
- "level": "medium"
- },
- {
- "args": [
- "Delete Security Solution",
- "Microsoft.Security/securitySolutions/delete",
- "",
- "1.4.0",
- "5.2.7",
- "Monitoring for Delete Security Solution events gives insight into changes to the active security solutions and may reduce the time it takes to detect suspicious activity.",
- "monkey365 rule"
- ],
- "enabled": true,
- "level": "medium"
- },
- {
- "args": [
- "Create or Update or Delete SQL Server Firewall Rule",
- "Microsoft.Sql/servers/firewallRules/write",
- "",
- "1.4.0",
- "5.2.8",
- "Monitoring for Create or Update or Delete SQL Server Firewall Rule events gives insight into network access changes and may reduce the time it takes to detect suspicious activity.",
- "monkey365 rule"
- ],
- "enabled": true,
- "level": "medium"
- },
- {
- "args": [
- "Update Security Policy",
- "Microsoft.Security/policies/write",
- "",
- "1.4.0",
- "5.2.9",
- "Monitoring for Update Security Policy events gives insight into changes to security policy and may reduce the time it takes to detect suspicious activity.",
- "monkey365 rule"
- ],
- "enabled": true,
- "level": "medium"
- }
- ],
- "azure-nsg-port-open.json": [
- {
- "args": [
- "ALL",
- "*",
- "all ports open to all"
- ],
- "enabled": true,
- "level": "high"
- },
- {
- "args": [
- "ALL",
- "0-65535",
- "all ports open to all"
- ],
- "enabled": true,
- "level": "high"
- }
- ],
- "azure-nsg-tcp-ports-open.json": [
- {
- "args": [
- "RDP",
- "3389",
- "Disable RDP access on network security groups from the Internet.",
- "The potential security problem with using RDP over the Internet is that attackers can use various brute force techniques to gain access to Azure Virtual Machines. Once the attackers gain access, they can use a virtual machine as a launch point for compromising other machines on an Azure Virtual Network or even attack networked devices outside of Azure",
- "1.4.0",
- "6.1",
- ""
- ],
- "enabled": true,
- "level": "medium"
- },
- {
- "args": [
- "FTP",
- "21",
- "Disable FTP access on network security groups from the Internet.",
- "The potential security problem with using FTP over the Internet is that attackers can use various brute force techniques to gain access to Azure Virtual Machines. Once the attackers gain access, they can use a virtual machine as a launch point for compromising other machines on the Azure Virtual Network or even attack networked devices outside of Azure",
- "",
- "",
- "monkey365 rule"
- ],
- "enabled": true,
- "level": "medium"
- },
- {
- "args": [
- "SSH",
- "22",
- "Disable SSH access on network security groups from the Internet.",
- "The potential security problem with using SSH over the Internet is that attackers can use various brute force techniques to gain access to Azure Virtual Machines. Once the attackers gain access, they can use a virtual machine as a launch point for compromising other machines on the Azure Virtual Network or even attack networked devices outside of Azure",
- "1.4.0",
- "6.2",
- ""
- ],
- "enabled": true,
- "level": "medium"
- },
- {
- "args": [
- "TELNET",
- "23",
- "Disable Telnet access on network security groups from the Internet.",
- "The potential security problem with using TELNET over the Internet is that attackers can use various brute force techniques to gain access to Azure Virtual Machines. Once the attackers gain access, they can use a virtual machine as a launch point for compromising other machines on the Azure Virtual Network or even attack networked devices outside of Azure",
- "",
- "",
- "monkey365 rule"
- ],
- "enabled": true,
- "level": "medium"
- },
- {
- "args": [
- "SQL",
- "1433",
- "Disable SQL access on network security groups from the Internet.",
- "The potential security problem with using SQL over the Internet is that attackers can use various brute force techniques to gain access to Azure Virtual Machines. Once the attackers gain access, they can use a virtual machine as a launch point for compromising other machines on the Azure Virtual Network or even attack networked devices outside of Azure",
- "",
- "",
- "monkey365 rule"
- ],
- "enabled": true,
- "level": "medium"
- }
- ],
- "azure-sql-fw-allow-all.json": [
- {
- "args": [
- "SQL",
- "0.0.0.0",
- "255.255.255.255",
- "A custom rule was set up with StartIp of 0.0.0.0 and EndIP of 255.255.255.255 allowing access from ANY IP over the Internet",
- "1.4.0",
- "6.3"
- ],
- "enabled": true,
- "level": "medium"
- },
- {
- "args": [
- "SQL",
- "0.0.0.0",
- "0.0.0.0",
- "By default, for a SQL server, a Firewall exists with StartIp of 0.0.0.0 and EndIP of 0.0.0.0 allowing access to all the Azure services",
- "1.4.0",
- "6.3"
- ],
- "enabled": true,
- "level": "medium"
- }
- ],
- "azure-network-watcher-flow-log-retention.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "6.4"
- }
- ]
- }
- ],
- "azure-network-watcher-disabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "6.5"
- }
- ]
- }
- ],
- "azure-nsg-udp-ports-open.json": [
- {
- "args": [
- "DNS",
- "53",
- "Disable DNS access on network security groups from the Internet.",
- "The potential security problem with broadly exposing UDP services over the Internet is that attackers can use DDoS amplification techniques to reflect spoofed UDP traffic from Azure Virtual Machines. The most common types of these attacks use exposed DNS, NTP, SSDP, SNMP, CLDAP and other UDP-based services as amplification source for disrupting services of other machines on the Azure Virtual Network or even attack networked devices outside of Azure.",
- "1.4.0",
- "6.6",
- ""
- ],
- "enabled": true,
- "level": "medium"
- },
- {
- "args": [
- "NTP",
- "123",
- "Disable NTP access on network security groups from the Internet.",
- "The potential security problem with broadly exposing UDP services over the Internet is that attackers can use DDoS amplification techniques to reflect spoofed UDP traffic from Azure Virtual Machines. The most common types of these attacks use exposed DNS, NTP, SSDP, SNMP, CLDAP and other UDP-based services as amplification source for disrupting services of other machines on the Azure Virtual Network or even attack networked devices outside of Azure.",
- "1.4.0",
- "6.6",
- ""
- ],
- "enabled": true,
- "level": "medium"
- },
- {
- "args": [
- "SNMP",
- "161",
- "Disable SNMP access on network security groups from the Internet.",
- "The potential security problem with broadly exposing UDP services over the Internet is that attackers can use DDoS amplification techniques to reflect spoofed UDP traffic from Azure Virtual Machines. The most common types of these attacks use exposed DNS, NTP, SSDP, SNMP, CLDAP and other UDP-based services as amplification source for disrupting services of other machines on the Azure Virtual Network or even attack networked devices outside of Azure.",
- "1.4.0",
- "6.6",
- ""
- ],
- "enabled": true,
- "level": "medium"
- },
- {
- "args": [
- "LDAP",
- "389",
- "Disable LDAP access on network security groups from the Internet.",
- "The potential security problem with broadly exposing UDP services over the Internet is that attackers can use DDoS amplification techniques to reflect spoofed UDP traffic from Azure Virtual Machines. The most common types of these attacks use exposed DNS, NTP, SSDP, SNMP, CLDAP and other UDP-based services as amplification source for disrupting services of other machines on the Azure Virtual Network or even attack networked devices outside of Azure.",
- "1.4.0",
- "6.6",
- ""
- ],
- "enabled": true,
- "level": "medium"
- },
- {
- "args": [
- "UPnP/SSDP",
- "1900",
- "Disable UPnP/SSDP access on network security groups from the Internet.",
- "The potential security problem with broadly exposing UDP services over the Internet is that attackers can use DDoS amplification techniques to reflect spoofed UDP traffic from Azure Virtual Machines. The most common types of these attacks use exposed DNS, NTP, SSDP, SNMP, CLDAP and other UDP-based services as amplification source for disrupting services of other machines on the Azure Virtual Network or even attack networked devices outside of Azure.",
- "1.4.0",
- "6.6",
- ""
- ],
- "enabled": true,
- "level": "medium"
- }
- ],
- "azure-os-managed-disk-disabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "7.1"
- }
- ]
- }
- ],
- "azure-vm-os-data-sse-encryption-disabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "7.2"
- }
- ]
- }
- ],
- "azure-unattached-disk-sse-encryption-disabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "7.3"
- }
- ]
- }
- ],
- "azure-vm-approved-extensions.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "7.4"
- }
- ]
- }
- ],
- "azure-vm-missing-critical-updates.json": [
- {
- "enabled": true,
- "level": "high",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "7.5"
- }
- ]
- }
- ],
- "azure-vm-missing-moderate-updates.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "7.5"
- }
- ]
- }
- ],
- "azure-vm-antimalware-disabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "7.6"
- }
- ]
- }
- ],
- "azure-os-disk-encryption-disabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "7.7"
- }
- ]
- }
- ],
- "azure-keyvault-keys-expiration-set.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "8.1"
- }
- ]
- }
- ],
- "azure-keyvault-secrets-expiration-set.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "8.3"
- }
- ]
- }
- ],
- "azure-subscription-missing-lock.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "8.5"
- }
- ]
- }
- ],
- "azure-keyvault-recoverable.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "8.6"
- }
- ]
- }
- ],
- "azure-app-services-auth-disabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "9.1"
- }
- ]
- }
- ],
- "azure-app-services-https-only-disabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "9.2"
- }
- ]
- }
- ],
- "azure-app-services-latest-tls-version-missing.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "9.3"
- }
- ]
- }
- ],
- "azure-app-services-client-certificate-missing.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "9.4"
- }
- ]
- }
- ],
- "azure-app-services-ad-managed-identity-missing.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "9.5"
- }
- ]
- }
- ],
- "azure-app-services-latest-php-version-missing.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "9.6"
- }
- ]
- }
- ],
- "azure-app-services-latest-python-version-missing.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "9.7"
- }
- ]
- }
- ],
- "azure-app-services-latest-java-version-missing.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "9.8"
- }
- ]
- }
- ],
- "azure-app-services-latest-http-version-disabled.json": [
- {
- "enabled": true,
- "level": "low",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "9.9"
- }
- ]
- }
- ],
- "azure-app-services-ftp-deployment-enabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "9.10"
- }
- ]
- }
- ]
- }
-}
\ No newline at end of file
diff --git a/rules/rulesets/cis_azure_1.5.json b/rules/rulesets/cis_azure_1.5.json
deleted file mode 100644
index 515285c2..00000000
--- a/rules/rulesets/cis_azure_1.5.json
+++ /dev/null
@@ -1,1716 +0,0 @@
-{
- "about": "This ruleset contains a collection of rules for Azure based on CIS benchmark. The rules are used as a mechanism to evaluate the configuration of Azure resources and to determine whether controls within a standard are being adhered to. Rules are also divided into categories and subcategories according to the rule's type. This will ensures that Azure cloud will meet the industry standards.",
- "framework": {
- "name" : "CIS Microsoft Azure Foundations",
- "version" : "1.5.0"
- },
- "rules": {
- "aad-security-defaults-disabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.5.0",
- "reference": "1.1.1"
- }
- ]
- }
- ],
- "aad-iam-privileged-users-disabled-mfa.json": [
- {
- "args": [
- "aad-privileged-roles.json"
- ],
- "enabled": true,
- "level": "high",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.5.0",
- "reference": "1.1.2"
- }
- ]
- }
- ],
- "aad-iam-users-disabled-mfa.json": [
- {
- "enabled": true,
- "level": "high",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.5.0",
- "reference": "1.1.3"
- }
- ]
- }
- ],
- "aad-ensure-mfa-for-high-privileged-users-missing-cap.json": [
- {
- "enabled": true,
- "level": "medium"
- }
- ],
- "aad-ensure-mfa-for-users-missing-cap.json": [
- {
- "enabled": true,
- "level": "medium"
- }
- ],
- "aad-ensure-mfa-for-risky-signs-missing-cap.json": [
- {
- "enabled": true,
- "level": "medium"
- }
- ],
- "aad-ensure-mfa-for-azure-management-missing-cap.json": [
- {
- "enabled": true,
- "level": "medium"
- }
- ],
- "aad-guest-users-present.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "1.3"
- }
- ]
- }
- ],
- "azure-activedirectory-sspr-reset-methods.json": [
- {
- "enabled": true,
- "level": "low",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.5.0",
- "reference": "1.6"
- }
- ]
- }
- ],
- "aad-bad-password-list-disabled.json": [
- {
- "enabled": true,
- "level": "low"
- }
- ],
- "azure-activedirectory-sspr-mfa-reconfirm-days.json": [
- {
- "enabled": true,
- "level": "low",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.5.0",
- "reference": "1.8"
- }
- ]
- }
- ],
- "azure-activedirectory-sspr-notify-users-disabled.json": [
- {
- "enabled": true,
- "level": "low",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.5.0",
- "reference": "1.9"
- }
- ]
- }
- ],
- "azure-activedirectory-sspr-notify-admin-disabled.json": [
- {
- "enabled": true,
- "level": "low",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.5.0",
- "reference": "1.10"
- }
- ]
- }
- ],
- "azure-activedirectory-users-can-consent-apps-data-access-trusted-publishers-disabled.json": [
- {
- "enabled": true,
- "level": "medium"
- }
- ],
- "azure-activedirectory-users-can-consent-apps-data-access.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.5.0",
- "reference": "1.12"
- }
- ]
- }
- ],
- "azure-activedirectory-users-can-add-gallery-apps.json": [
- {
- "enabled": true,
- "level": "info",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.5.0",
- "reference": "1.13"
- }
- ]
- }
- ],
- "azure-activedirectory-users-can-register-apps-enabled.json": [
- {
- "enabled": true,
- "level": "info",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.5.0",
- "reference": "1.14"
- }
- ]
- }
- ],
- "azure-ad-guest-object-restriction-disabled.json": [
- {
- "enabled": true,
- "level": "low"
- }
- ],
- "azure-ad-guest-invite-restriction-disabled.json": [
- {
- "enabled": true,
- "level": "low"
- }
- ],
- "azure-activedirectory-restrict-users-ad-portal.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.5.0",
- "reference": "1.17"
- }
- ]
- }
- ],
- "azure-ad-group-features-disabled.json": [
- {
- "enabled": true,
- "level": "low"
- }
- ],
- "azure-ad-users-can-create-security-groups.json": [
- {
- "enabled": true,
- "level": "low"
- }
- ],
- "azure-activedirectory-owners-can-manage-group-membership-enabled.json": [
- {
- "enabled": true,
- "level": "low",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.5.0",
- "reference": "1.20"
- }
- ]
- }
- ],
- "azure-activedirectory-users-can-create-o365-groups.json": [
- {
- "enabled": true,
- "level": "low",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.5.0",
- "reference": "1.21"
- }
- ]
- }
- ],
- "azure-activedirectory-devices-require-mfa-settings.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.5.0",
- "reference": "1.22"
- }
- ]
- }
- ],
- "azure-subscription-custom-role-excessive-permissions.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.5.0",
- "reference": "1.23"
- }
- ]
- }
- ],
- "azure-subscription-missing-custom-lock-role.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.5.0",
- "reference": "1.24"
- }
- ]
- }
- ],
- "azure-subscription-permit-no-one-disabled.json": [
- {
- "enabled": true,
- "level": "low"
- }
- ],
- "azure-defender-missing-vm-protection.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.5.0",
- "reference": "2.1.1"
- }
- ]
- }
- ],
- "azure-defender-missing-appservice-protection.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.5.0",
- "reference": "2.1.2"
- }
- ]
- }
- ],
- "azure-defender-missing-sql-database-protection.json": [
- {
- "args": [
- "SqlServers"
- ],
- "enabled": true,
- "level": "medium"
- },
- {
- "args": [
- "SqlServerVirtualMachines"
- ],
- "enabled": true,
- "level": "medium"
- },
- {
- "args": [
- "OpenSourceRelationalDatabases"
- ],
- "enabled": true,
- "level": "medium"
- },
- {
- "args": [
- "CosmosDbs"
- ],
- "enabled": true,
- "level": "medium"
- }
- ],
- "azure-defender-missing-sql-server-protection.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.5.0",
- "reference": "2.1.4"
- }
- ]
- }
- ],
- "azure-defender-missing-sql-server-on-machines-protection.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.5.0",
- "reference": "2.1.5"
- }
- ]
- }
- ],
- "azure-defender-missing-osrd-protection.json": [
- {
- "enabled": true,
- "level": "low"
- }
- ],
- "azure-defender-missing-storageaccount-protection.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.5.0",
- "reference": "2.1.7"
- }
- ]
- }
- ],
- "azure-defender-missing-container-registries-protection.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.5.0",
- "reference": "2.1.8"
- }
- ]
- }
- ],
- "azure-defender-missing-cosmodb-protection.json": [
- {
- "enabled": true,
- "level": "medium"
- }
- ],
- "azure-defender-missing-keyvault-protection.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.5.0",
- "reference": "2.1.10"
- }
- ]
- }
- ],
- "azure-defender-missing-dns-protection.json": [
- {
- "enabled": true,
- "level": "medium"
- }
- ],
- "azure-defender-missing-iot-protection.json": [
- {
- "enabled": true,
- "level": "medium"
- }
- ],
- "azure-defender-missing-rm-protection.json": [
- {
- "enabled": true,
- "level": "medium"
- }
- ],
- "azure-automatic-vm-agent-provisioning-policy-disabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.5.0",
- "reference": "2.2.1"
- }
- ]
- }
- ],
- "azure-security-contact-send-email-to-owners-disabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.5.0",
- "reference": "2.3.1"
- }
- ]
- }
- ],
- "azure-security-contact-mail-disabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.5.0",
- "reference": "2.3.2"
- }
- ]
- }
- ],
- "azure-security-contact-send-email-high-alerts-disabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.5.0",
- "reference": "2.3.3"
- }
- ]
- }
- ],
- "cloud-app-security-missing-security-center-integration.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.5.0",
- "reference": "2.4.1"
- }
- ]
- }
- ],
- "windows-defender-missing-security-center-integration.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.5.0",
- "reference": "2.4.2"
- }
- ]
- }
- ],
- "azure-storage-accounts-https-traffic-enabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.5.0",
- "reference": "3.1"
- }
- ]
- }
- ],
- "azure-storage-accounts-infrastructure-encryption-disabled.json": [
- {
- "enabled": true,
- "level": "low"
- }
- ],
- "azure-storage-accounts-key-rotation-reminder-disabled.json": [
- {
- "enabled": true,
- "level": "medium"
- }
- ],
- "azure-storage-accounts-key-rotation-disabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.5.0",
- "reference": "3.4"
- }
- ]
- }
- ],
- "azure-storage-accounts-queue-logging-disabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.5.0",
- "reference": "3.5"
- }
- ]
- }
- ],
- "azure-storage-accounts-public-access-level.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.5.0",
- "reference": "3.7"
- }
- ]
- }
- ],
- "azure-storage-accounts-access-all-networks.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.5.0",
- "reference": "3.8"
- }
- ]
- }
- ],
- "azure-storage-accounts-trusted-ms-services-bypass.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.5.0",
- "reference": "3.9"
- }
- ]
- }
- ],
- "azure-storage-accounts-blob-data-protection-missing.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.5.0",
- "reference": "3.11"
- }
- ]
- }
- ],
- "azure-storage-accounts-lack-cmk.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.5.0",
- "reference": "3.12"
- }
- ]
- }
- ],
- "azure-storage-accounts-blob-logging-disabled.json": [
- {
- "enabled": true,
- "level": "low",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.5.0",
- "reference": "3.13"
- }
- ]
- }
- ],
- "azure-storage-accounts-table-logging-disabled.json": [
- {
- "enabled": true,
- "level": "low",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.5.0",
- "reference": "3.14"
- }
- ]
- }
- ],
- "azure-storage-accounts-minimum-tls-disabled.json": [
- {
- "enabled": true,
- "level": "low",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.5.0",
- "reference": "3.15"
- }
- ]
- }
- ],
- "azure-sql-server-auditing-disabled.json": [
- {
- "enabled": true,
- "level": "low",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.5.0",
- "reference": "4.1.1"
- }
- ]
- }
- ],
- "azure-sql-fw-allow-all.json": [
- {
- "args": [
- "SQL",
- "0.0.0.0",
- "255.255.255.255",
- "A custom rule was set up with StartIp of 0.0.0.0 and EndIP of 255.255.255.255 allowing access from ANY IP over the Internet",
- "1.5.0",
- "4.2"
- ],
- "enabled": true,
- "level": "medium"
- },
- {
- "args": [
- "SQL",
- "0.0.0.0",
- "0.0.0.0",
- "By default, for a SQL server, a Firewall exists with StartIp of 0.0.0.0 and EndIP of 0.0.0.0 allowing access to all the Azure services",
- "1.5.0",
- "4.2"
- ],
- "enabled": true,
- "level": "medium"
- }
- ],
- "azure-sql-server-auditing-retention.json": [
- {
- "enabled": true,
- "level": "low",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.5.0",
- "reference": "4.1.2"
- }
- ]
- }
- ],
- "azure-sql-server-tdp-own-key-enabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.5.0",
- "reference": "4.1.3"
- }
- ]
- }
- ],
- "azure-sql-server-active-directory-admin-disabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.5.0",
- "reference": "4.1.4"
- }
- ]
- }
- ],
- "azure-sql-server-data-encryption-disabled.json": [
- {
- "enabled": true,
- "level": "low",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.5.0",
- "reference": "4.1.5"
- }
- ]
- }
- ],
- "azure-sql-server-auditing-retention.json": [
- {
- "enabled": true,
- "level": "low",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.5.0",
- "reference": "4.1.6"
- }
- ]
- }
- ],
- "azure-sql-server-vulnerability-assessments-disabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.5.0",
- "reference": "4.2.2"
- }
- ]
- }
- ],
- "azure-sql-server-vulnerability-periodic-assessments-disabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.5.0",
- "reference": "4.2.3"
- }
- ]
- }
- ],
- "azure-sql-server-vulnerability-assessments-send-reports-disabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.5.0",
- "reference": "4.2.4"
- }
- ]
- }
- ],
- "azure-sql-server-vulnerability-assessments-reportsto-admins-disabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.5.0",
- "reference": "4.2.5"
- }
- ]
- }
- ],
- "azure-postgresql-enforcessl-disabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.5.0",
- "reference": "4.3.1"
- }
- ]
- }
- ],
- "azure-postgresql-log-checkpoints-disabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.5.0",
- "reference": "4.3.2"
- }
- ]
- }
- ],
- "azure-postgresql-log-connections-disabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.5.0",
- "reference": "4.3.3"
- }
- ]
- }
- ],
- "azure-postgresql-log-disconnections-disabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.5.0",
- "reference": "4.3.4"
- }
- ]
- }
- ],
- "azure-postgresql-connection-throttling-disabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.5.0",
- "reference": "4.3.5"
- }
- ]
- }
- ],
- "azure-postgresql-log-retention-days.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.5.0",
- "reference": "4.3.6"
- }
- ]
- }
- ],
- "azure-postgresql-allow-access-azure-services-enabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.5.0",
- "reference": "4.3.7"
- }
- ]
- }
- ],
- "azure-postgresql-infrastructure-encryption-disabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.5.0",
- "reference": "4.3.8"
- }
- ]
- }
- ],
- "azure-mysql-enforcessl-disabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.5.0",
- "reference": "4.4.1"
- }
- ]
- }
- ],
- "azure-mysql-latest-tls-version-disabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.5.0",
- "reference": "4.4.2"
- }
- ]
- }
- ],
- "azure-mysql-audit-log-parameter-disabled.json": [
- {
- "enabled": true,
- "level": "medium"
- }
- ],
- "azure-mysql-audit-log-events-parameter-disabled.json": [
- {
- "enabled": true,
- "level": "medium"
- }
- ],
- "azure-diagnostic-settings-disabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.5.0",
- "reference": "5.1.1"
- }
- ]
- }
- ],
- "azure-diagnostic-settings-missing-categories.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.5.0",
- "reference": "5.1.2"
- }
- ]
- }
- ],
- "azure-log-profile-container-public-access.json": [
- {
- "enabled": true,
- "level": "high",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.5.0",
- "reference": "5.1.3"
- }
- ]
- }
- ],
- "azure-log-profile-storage-account-byok-disabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.5.0",
- "reference": "5.1.4"
- }
- ]
- }
- ],
- "azure-keyvault-logging-enabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.5.0",
- "reference": "5.1.5"
- }
- ]
- }
- ],
- "azure-app-services-logging-disabled.json": [
- {
- "enabled": true,
- "level": "low"
- }
- ],
- "azure-activity-log-disabled-alerts.json": [
- {
- "args": [
- "Create Policy Assignment",
- "Microsoft.Authorization/policyAssignments/write",
- "True",
- "1.5.0",
- "5.2.1",
- "Monitoring for create policy assignment events gives insight into changes done in 'azure policy - assignments' and may reduce the time it takes to detect unsolicited changes."
- ],
- "enabled": true,
- "level": "medium"
- },
- {
- "args": [
- "Delete Policy Assignment",
- "Microsoft.Authorization/policyAssignments/delete",
- "True",
- "1.5.0",
- "5.2.2",
- "Monitoring for delete policy assignment events gives insight into changes done in 'azure policy - assignments' and may reduce the time it takes to detect unsolicited changes."
- ],
- "enabled": true,
- "level": "medium"
- },
- {
- "args": [
- "Create or Update Network Security Group",
- "Microsoft.Network/networkSecurityGroups/write",
- "True",
- "1.5.0",
- "5.2.3",
- "Monitoring for 'Create' or 'Update Network Security Group' events gives insight into network access changes and may reduce the time it takes to detect suspicious activity."
- ],
- "enabled": true,
- "level": "medium"
- },
- {
- "args": [
- "Delete Network Security Group",
- "Microsoft.Network/networkSecurityGroups/delete",
- "True",
- "1.5.0",
- "5.2.4",
- "Monitoring for 'Delete Network Security Group' events gives insight into network access changes and may reduce the time it takes to detect suspicious activity."
- ],
- "enabled": true,
- "level": "medium"
- },
- {
- "args": [
- "Create or Update Network Security Group Rule",
- "Microsoft.Network/networkSecurityGroups/securityRules/write",
- "True",
- "1.5.0",
- "5.2.5",
- "Monitoring for Create or Update 'Network Security Group' Rule events gives insight into network access changes and may reduce the time it takes to detect suspicious activity."
- ],
- "enabled": true,
- "level": "medium"
- },
- {
- "args": [
- "Delete Network Security Group Rule",
- "Microsoft.Network/networkSecurityGroups/securityRules/delete",
- "True",
- "1.5.0",
- "5.2.6",
- "Monitoring for Delete Network Security Group Rule events gives insight into network access changes and may reduce the time it takes to detect suspicious activity."
- ],
- "enabled": true,
- "level": "medium"
- },
- {
- "args": [
- "Create or Update Security Solution",
- "Microsoft.Security/securitySolutions/write",
- "True",
- "1.5.0",
- "5.2.7",
- "Monitoring for Create or Update Security Solution events gives insight into changes to the active security solutions and may reduce the time it takes to detect suspicious activity."
- ],
- "enabled": true,
- "level": "medium"
- },
- {
- "args": [
- "Delete Security Solution",
- "Microsoft.Security/securitySolutions/delete",
- "True",
- "1.5.0",
- "5.2.8",
- "Monitoring for Delete Security Solution events gives insight into changes to the active security solutions and may reduce the time it takes to detect suspicious activity."
- ],
- "enabled": true,
- "level": "medium"
- },
- {
- "args": [
- "Create or Update or Delete SQL Server Firewall Rule",
- "Microsoft.Sql/servers/firewallRules/write",
- "True",
- "1.5.0",
- "5.2.9",
- "Monitoring for Create or Update or Delete SQL Server Firewall Rule events gives insight into network access changes and may reduce the time it takes to detect suspicious activity."
- ],
- "enabled": true,
- "level": "medium"
- }
- ],
- "azure-activity-log-missing-alerts.json": [
- {
- "args": [
- "Create Policy Assignment",
- "Microsoft.Authorization/policyAssignments/write",
- "",
- "1.5.0",
- "5.2.1",
- "Monitoring for create policy assignment events gives insight into changes done in 'azure policy - assignments' and may reduce the time it takes to detect unsolicited changes.",
- "monkey365 rule"
- ],
- "enabled": true,
- "level": "medium"
- },
- {
- "args": [
- "Create or Update Network Security Group",
- "Microsoft.Network/networkSecurityGroups/write",
- "",
- "1.5.0",
- "5.2.2",
- "Monitoring for 'Create' or 'Update Network Security Group' events gives insight into network access changes and may reduce the time it takes to detect suspicious activity.",
- "monkey365 rule"
- ],
- "enabled": true,
- "level": "medium"
- },
- {
- "args": [
- "Create or Update Network Security Group Rule",
- "Microsoft.Network/networkSecurityGroups/securityRules/write",
- "",
- "1.5.0",
- "5.2.4",
- "Monitoring for Create or Update Network Security Group Rule events gives insight into network access changes and may reduce the time it takes to detect suspicious activity.",
- "monkey365 rule"
- ],
- "enabled": true,
- "level": "medium"
- },
- {
- "args": [
- "Delete Network Security Group Rule",
- "Microsoft.Network/networkSecurityGroups/securityRules/delete",
- "",
- "1.5.0",
- "5.2.5",
- "Monitoring for Delete Network Security Group Rule events gives insight into network access changes and may reduce the time it takes to detect suspicious activity.",
- "monkey365 rule"
- ],
- "enabled": true,
- "level": "medium"
- },
- {
- "args": [
- "Delete Network Security Group",
- "Microsoft.Network/networkSecurityGroups/delete",
- "",
- "1.5.0",
- "5.2.3",
- "Monitoring for 'Delete Network Security Group' events gives insight into network access changes and may reduce the time it takes to detect suspicious activity.",
- "monkey365 rule"
- ],
- "enabled": true,
- "level": "medium"
- },
- {
- "args": [
- "Create or Update Security Solution",
- "Microsoft.Security/securitySolutions/write",
- "",
- "1.5.0",
- "5.2.6",
- "Monitoring for Create or Update Security Solution events gives insight into changes to the active security solutions and may reduce the time it takes to detect suspicious activity.",
- "monkey365 rule"
- ],
- "enabled": true,
- "level": "medium"
- },
- {
- "args": [
- "Delete Security Solution",
- "Microsoft.Security/securitySolutions/delete",
- "",
- "1.5.0",
- "5.2.7",
- "Monitoring for Delete Security Solution events gives insight into changes to the active security solutions and may reduce the time it takes to detect suspicious activity.",
- "monkey365 rule"
- ],
- "enabled": true,
- "level": "medium"
- },
- {
- "args": [
- "Create or Update or Delete SQL Server Firewall Rule",
- "Microsoft.Sql/servers/firewallRules/write",
- "",
- "1.5.0",
- "5.2.8",
- "Monitoring for Create or Update or Delete SQL Server Firewall Rule events gives insight into network access changes and may reduce the time it takes to detect suspicious activity.",
- "monkey365 rule"
- ],
- "enabled": true,
- "level": "medium"
- },
- {
- "args": [
- "Update Security Policy",
- "Microsoft.Security/policies/write",
- "",
- "1.5.0",
- "5.2.9",
- "Monitoring for Update Security Policy events gives insight into changes to security policy and may reduce the time it takes to detect suspicious activity.",
- "monkey365 rule"
- ],
- "enabled": true,
- "level": "medium"
- }
- ],
- "azure-nsg-tcp-ports-open.json": [
- {
- "args": [
- "RDP",
- "3389",
- "Disable RDP access on network security groups from the Internet.",
- "The potential security problem with using RDP over the Internet is that attackers can use various brute force techniques to gain access to Azure Virtual Machines. Once the attackers gain access, they can use a virtual machine as a launch point for compromising other machines on an Azure Virtual Network or even attack networked devices outside of Azure",
- "1.5.0",
- "6.1",
- ""
- ],
- "enabled": true,
- "level": "medium"
- },
- {
- "args": [
- "FTP",
- "21",
- "Disable FTP access on network security groups from the Internet.",
- "The potential security problem with using FTP over the Internet is that attackers can use various brute force techniques to gain access to Azure Virtual Machines. Once the attackers gain access, they can use a virtual machine as a launch point for compromising other machines on the Azure Virtual Network or even attack networked devices outside of Azure",
- "",
- "",
- "monkey365 rule"
- ],
- "enabled": true,
- "level": "medium"
- },
- {
- "args": [
- "SSH",
- "22",
- "Disable SSH access on network security groups from the Internet.",
- "The potential security problem with using SSH over the Internet is that attackers can use various brute force techniques to gain access to Azure Virtual Machines. Once the attackers gain access, they can use a virtual machine as a launch point for compromising other machines on the Azure Virtual Network or even attack networked devices outside of Azure",
- "1.5.0",
- "6.2",
- ""
- ],
- "enabled": true,
- "level": "medium"
- },
- {
- "args": [
- "TELNET",
- "23",
- "Disable Telnet access on network security groups from the Internet.",
- "The potential security problem with using TELNET over the Internet is that attackers can use various brute force techniques to gain access to Azure Virtual Machines. Once the attackers gain access, they can use a virtual machine as a launch point for compromising other machines on the Azure Virtual Network or even attack networked devices outside of Azure",
- "",
- "",
- "monkey365 rule"
- ],
- "enabled": true,
- "level": "medium"
- },
- {
- "args": [
- "SQL",
- "1433",
- "Disable SQL access on network security groups from the Internet.",
- "The potential security problem with using SQL over the Internet is that attackers can use various brute force techniques to gain access to Azure Virtual Machines. Once the attackers gain access, they can use a virtual machine as a launch point for compromising other machines on the Azure Virtual Network or even attack networked devices outside of Azure",
- "",
- "",
- "monkey365 rule"
- ],
- "enabled": true,
- "level": "medium"
- }
- ],
- "azure-nsg-udp-ports-open.json": [
- {
- "args": [
- "DNS",
- "53",
- "Disable DNS access on network security groups from the Internet.",
- "The potential security problem with broadly exposing UDP services over the Internet is that attackers can use DDoS amplification techniques to reflect spoofed UDP traffic from Azure Virtual Machines. The most common types of these attacks use exposed DNS, NTP, SSDP, SNMP, CLDAP and other UDP-based services as amplification source for disrupting services of other machines on the Azure Virtual Network or even attack networked devices outside of Azure.",
- "1.5.0",
- "6.3",
- ""
- ],
- "enabled": true,
- "level": "medium"
- },
- {
- "args": [
- "NTP",
- "123",
- "Disable NTP access on network security groups from the Internet.",
- "The potential security problem with broadly exposing UDP services over the Internet is that attackers can use DDoS amplification techniques to reflect spoofed UDP traffic from Azure Virtual Machines. The most common types of these attacks use exposed DNS, NTP, SSDP, SNMP, CLDAP and other UDP-based services as amplification source for disrupting services of other machines on the Azure Virtual Network or even attack networked devices outside of Azure.",
- "1.5.0",
- "6.3",
- ""
- ],
- "enabled": true,
- "level": "medium"
- },
- {
- "args": [
- "SNMP",
- "161",
- "Disable SNMP access on network security groups from the Internet.",
- "The potential security problem with broadly exposing UDP services over the Internet is that attackers can use DDoS amplification techniques to reflect spoofed UDP traffic from Azure Virtual Machines. The most common types of these attacks use exposed DNS, NTP, SSDP, SNMP, CLDAP and other UDP-based services as amplification source for disrupting services of other machines on the Azure Virtual Network or even attack networked devices outside of Azure.",
- "1.5.0",
- "6.3",
- ""
- ],
- "enabled": true,
- "level": "medium"
- },
- {
- "args": [
- "LDAP",
- "389",
- "Disable LDAP access on network security groups from the Internet.",
- "The potential security problem with broadly exposing UDP services over the Internet is that attackers can use DDoS amplification techniques to reflect spoofed UDP traffic from Azure Virtual Machines. The most common types of these attacks use exposed DNS, NTP, SSDP, SNMP, CLDAP and other UDP-based services as amplification source for disrupting services of other machines on the Azure Virtual Network or even attack networked devices outside of Azure.",
- "1.5.0",
- "6.3",
- ""
- ],
- "enabled": true,
- "level": "medium"
- },
- {
- "args": [
- "UPnP/SSDP",
- "1900",
- "Disable UPnP/SSDP access on network security groups from the Internet.",
- "The potential security problem with broadly exposing UDP services over the Internet is that attackers can use DDoS amplification techniques to reflect spoofed UDP traffic from Azure Virtual Machines. The most common types of these attacks use exposed DNS, NTP, SSDP, SNMP, CLDAP and other UDP-based services as amplification source for disrupting services of other machines on the Azure Virtual Network or even attack networked devices outside of Azure.",
- "1.5.0",
- "6.3",
- ""
- ],
- "enabled": true,
- "level": "medium"
- }
- ],
- "azure-nsg-port-open.json": [
- {
- "args": [
- "ALL",
- "*",
- "`all ports` open to all. Network security groups should be periodically evaluated for port misconfigurations. Where certain ports and protocols may be exposed to the Internet, they should be evaluated for necessity and restricted wherever they are not explicitly required and narrowly configured.",
- "The potential security problem with using HTTP(S) over the Internet is that attackers can use various brute force techniques to gain access to Azure resources. Once the attackers gain access, they can use the resource as a launch point for compromising other resources within the Azure tenant.",
- "1.5.0",
- "6.4",
- ""
- ],
- "enabled": true,
- "level": "high"
- },
- {
- "args": [
- "ALL",
- "0-65535",
- "`all ports` open to all. Network security groups should be periodically evaluated for port misconfigurations. Where certain ports and protocols may be exposed to the Internet, they should be evaluated for necessity and restricted wherever they are not explicitly required and narrowly configured.",
- "The potential security problem with using HTTP(S) over the Internet is that attackers can use various brute force techniques to gain access to Azure resources. Once the attackers gain access, they can use the resource as a launch point for compromising other resources within the Azure tenant.",
- "1.5.0",
- "6.4",
- ""
- ],
- "enabled": true,
- "level": "high"
- }
- ],
- "azure-network-watcher-flow-log-retention.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.5.0",
- "reference": "6.5"
- }
- ]
- }
- ],
- "azure-network-watcher-disabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.5.0",
- "reference": "6.6"
- }
- ]
- }
- ],
- "azure-os-managed-disk-disabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.5.0",
- "reference": "7.1"
- }
- ]
- }
- ],
- "azure-vm-os-data-sse-encryption-disabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.5.0",
- "reference": "7.2"
- }
- ]
- }
- ],
- "azure-unattached-disk-sse-encryption-disabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.5.0",
- "reference": "7.3"
- }
- ]
- }
- ],
- "azure-vm-approved-extensions.json": [
- {
- "enabled": true,
- "level": "low",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.5.0",
- "reference": "7.4"
- }
- ]
- }
- ],
- "azure-vm-antimalware-disabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.5.0",
- "reference": "7.5"
- }
- ]
- }
- ],
- "azure-os-disk-encryption-disabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.5.0",
- "reference": "7.6"
- }
- ]
- }
- ],
- "azure-keyvault-keys-expiration-set.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.5.0",
- "reference": "8.1"
- }
- ]
- }
- ],
- "azure-keyvault-secrets-expiration-set.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.5.0",
- "reference": "8.3"
- }
- ]
- }
- ],
- "azure-keyvault-recoverable.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.5.0",
- "reference": "8.5"
- }
- ]
- }
- ],
- "azure-app-services-auth-disabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.5.0",
- "reference": "9.1"
- }
- ]
- }
- ],
- "azure-app-services-https-only-disabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.5.0",
- "reference": "9.2"
- }
- ]
- }
- ],
- "azure-app-services-latest-tls-version-missing.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.5.0",
- "reference": "9.3"
- }
- ]
- }
- ],
- "azure-app-services-client-certificate-missing.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.5.0",
- "reference": "9.4"
- }
- ]
- }
- ],
- "azure-app-services-ad-managed-identity-missing.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.5.0",
- "reference": "9.5"
- }
- ]
- }
- ],
- "azure-app-services-latest-php-version-missing.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.5.0",
- "reference": "9.6"
- }
- ]
- }
- ],
- "azure-app-services-latest-python-version-missing.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.5.0",
- "reference": "9.7"
- }
- ]
- }
- ],
- "azure-app-services-latest-java-version-missing.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.5.0",
- "reference": "9.8"
- }
- ]
- }
- ],
- "azure-app-services-latest-http-version-disabled.json": [
- {
- "enabled": true,
- "level": "low",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.5.0",
- "reference": "9.9"
- }
- ]
- }
- ],
- "azure-app-services-ftp-deployment-enabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.4.0",
- "reference": "9.10"
- }
- ]
- }
- ]
- }
-}
\ No newline at end of file
diff --git a/rules/rulesets/cis_azure_2.0.json b/rules/rulesets/cis_azure_2.0.json
deleted file mode 100644
index ee0674b6..00000000
--- a/rules/rulesets/cis_azure_2.0.json
+++ /dev/null
@@ -1,1903 +0,0 @@
-{
- "about": "This ruleset contains a collection of rules for Azure based on CIS benchmark. The rules are used as a mechanism to evaluate the configuration of Azure resources and to determine whether controls within a standard are being adhered to. Rules are also divided into categories and subcategories according to the rule's type. This will ensures that Azure cloud will meet the industry standards.",
- "framework": {
- "name" : "CIS Microsoft Azure Foundations",
- "version" : "2.0.0"
- },
- "rules": {
- "aad-security-defaults-disabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "2.0.0",
- "reference": "1.1.1"
- }
- ]
- }
- ],
- "aad-iam-privileged-users-disabled-mfa.json": [
- {
- "args": [
- "aad-privileged-roles.json"
- ],
- "enabled": true,
- "level": "high",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "2.0.0",
- "reference": "1.1.2"
- }
- ]
- }
- ],
- "aad-iam-users-disabled-mfa.json": [
- {
- "enabled": true,
- "level": "high",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "2.0.0",
- "reference": "1.1.3"
- }
- ]
- }
- ],
- "aad-ensure-mfa-for-high-privileged-users-missing-cap.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "2.0.0",
- "reference": "1.2.3"
- }
- ]
- }
- ],
- "aad-ensure-mfa-for-users-missing-cap.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "2.0.0",
- "reference": "1.2.4"
- }
- ]
- }
- ],
- "aad-ensure-mfa-for-risky-signs-missing-cap.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "2.0.0",
- "reference": "1.2.5"
- }
- ]
- }
- ],
- "aad-ensure-mfa-for-azure-management-missing-cap.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "2.0.0",
- "reference": "1.2.6"
- }
- ]
- }
- ],
- "aad-guest-users-present.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "2.0.0",
- "reference": "1.5"
- }
- ]
- }
- ],
- "azure-activedirectory-sspr-reset-methods.json": [
- {
- "enabled": true,
- "level": "low",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "2.0.0",
- "reference": "1.6"
- }
- ]
- }
- ],
- "aad-bad-password-list-disabled.json": [
- {
- "enabled": true,
- "level": "low",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "2.0.0",
- "reference": "1.7"
- }
- ]
- }
- ],
- "azure-activedirectory-sspr-mfa-reconfirm-days.json": [
- {
- "enabled": true,
- "level": "low",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "2.0.0",
- "reference": "1.8"
- }
- ]
- }
- ],
- "azure-activedirectory-sspr-notify-users-disabled.json": [
- {
- "enabled": true,
- "level": "low",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "2.0.0",
- "reference": "1.9"
- }
- ]
- }
- ],
- "azure-activedirectory-sspr-notify-admin-disabled.json": [
- {
- "enabled": true,
- "level": "low",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "2.0.0",
- "reference": "1.10"
- }
- ]
- }
- ],
- "azure-activedirectory-users-can-consent-apps-data-access.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "2.0.0",
- "reference": "1.11"
- }
- ]
- }
- ],
- "azure-activedirectory-users-can-consent-apps-data-access-trusted-publishers-disabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "2.0.0",
- "reference": "1.12"
- }
- ]
- }
- ],
- "azure-activedirectory-users-can-add-gallery-apps.json": [
- {
- "enabled": true,
- "level": "info",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "2.0.0",
- "reference": "1.13"
- }
- ]
- }
- ],
- "azure-activedirectory-users-can-register-apps-enabled.json": [
- {
- "enabled": true,
- "level": "info",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "2.0.0",
- "reference": "1.14"
- }
- ]
- }
- ],
- "azure-ad-guest-object-restriction-disabled.json": [
- {
- "enabled": true,
- "level": "low",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "2.0.0",
- "reference": "1.15"
- }
- ]
- }
- ],
- "azure-ad-guest-invite-restriction-disabled.json": [
- {
- "enabled": true,
- "level": "low",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "2.0.0",
- "reference": "1.16"
- }
- ]
- }
- ],
- "azure-activedirectory-restrict-users-ad-portal.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "2.0.0",
- "reference": "1.17"
- }
- ]
- }
- ],
- "azure-ad-group-features-disabled.json": [
- {
- "enabled": true,
- "level": "low",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "2.0.0",
- "reference": "1.18"
- }
- ]
- }
- ],
- "azure-ad-users-can-create-security-groups.json": [
- {
- "enabled": true,
- "level": "low",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "2.0.0",
- "reference": "1.19"
- }
- ]
- }
- ],
- "azure-activedirectory-owners-can-manage-group-membership-enabled.json": [
- {
- "enabled": true,
- "level": "low",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "2.0.0",
- "reference": "1.20"
- }
- ]
- }
- ],
- "azure-activedirectory-users-can-create-o365-groups.json": [
- {
- "enabled": true,
- "level": "low",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "2.0.0",
- "reference": "1.21"
- }
- ]
- }
- ],
- "azure-activedirectory-devices-require-mfa-settings.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "2.0.0",
- "reference": "1.22"
- }
- ]
- }
- ],
- "azure-subscription-custom-role-excessive-permissions.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "2.0.0",
- "reference": "1.23"
- }
- ]
- }
- ],
- "azure-subscription-missing-custom-lock-role.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "2.0.0",
- "reference": "1.24"
- }
- ]
- }
- ],
- "azure-subscription-permit-no-one-disabled.json": [
- {
- "enabled": true,
- "level": "low",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "2.0.0",
- "reference": "1.25"
- }
- ]
- }
- ],
- "azure-defender-missing-vm-protection.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "2.0.0",
- "reference": "2.1.1"
- }
- ]
- }
- ],
- "azure-defender-missing-appservice-protection.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "2.0.0",
- "reference": "2.1.2"
- }
- ]
- }
- ],
- "azure-defender-missing-sql-database-protection.json": [
- {
- "args": [
- "SqlServers"
- ],
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "2.0.0",
- "reference": "2.1.3"
- }
- ]
- },
- {
- "args": [
- "SqlServerVirtualMachines"
- ],
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "2.0.0",
- "reference": "2.1.5"
- }
- ]
- },
- {
- "args": [
- "OpenSourceRelationalDatabases"
- ],
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "2.0.0",
- "reference": "2.1.6"
- }
- ]
- },
- {
- "args": [
- "CosmosDbs"
- ],
- "enabled": true,
- "level": "medium"
- }
- ],
- "azure-defender-missing-sql-server-protection.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "2.0.0",
- "reference": "2.1.4"
- }
- ]
- }
- ],
- "azure-defender-missing-sql-server-on-machines-protection.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.5.0",
- "reference": "2.1.5"
- }
- ]
- }
- ],
- "azure-defender-missing-osrd-protection.json": [
- {
- "enabled": true,
- "level": "low",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "2.0.0",
- "reference": "2.1.6"
- }
- ]
- }
- ],
- "azure-defender-missing-storageaccount-protection.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "2.0.0",
- "reference": "2.1.7"
- }
- ]
- }
- ],
- "azure-defender-missing-container-registries-protection.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "2.0.0",
- "reference": "2.1.8"
- }
- ]
- }
- ],
- "azure-defender-missing-cosmodb-protection.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "2.0.0",
- "reference": "2.1.9"
- }
- ]
- }
- ],
- "azure-defender-missing-keyvault-protection.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "2.0.0",
- "reference": "2.1.10"
- }
- ]
- }
- ],
- "azure-defender-missing-dns-protection.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "2.0.0",
- "reference": "2.1.11"
- }
- ]
- }
- ],
- "azure-defender-missing-rm-protection.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "2.0.0",
- "reference": "2.1.12"
- }
- ]
- }
- ],
- "azure-automatic-vm-agent-provisioning-policy-disabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "2.0.0",
- "reference": "2.1.15"
- }
- ]
- }
- ],
- "azure-security-contact-send-email-to-owners-disabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "2.0.0",
- "reference": "2.1.18"
- }
- ]
- }
- ],
- "azure-security-contact-mail-disabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "2.0.0",
- "reference": "2.1.19"
- }
- ]
- }
- ],
- "azure-security-contact-send-email-high-alerts-disabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "2.0.0",
- "reference": "2.1.20"
- }
- ]
- }
- ],
- "cloud-app-security-missing-security-center-integration.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "2.0.0",
- "reference": "2.1.21"
- }
- ]
- }
- ],
- "windows-defender-missing-security-center-integration.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "2.0.0",
- "reference": "2.1.22"
- }
- ]
- }
- ],
- "azure-defender-missing-iot-protection.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "2.0.0",
- "reference": "2.2.1"
- }
- ]
- }
- ],
- "azure-storage-accounts-https-traffic-enabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "2.2.0",
- "reference": "3.1"
- }
- ]
- }
- ],
- "azure-storage-accounts-infrastructure-encryption-disabled.json": [
- {
- "enabled": true,
- "level": "low",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "2.2.0",
- "reference": "3.2"
- }
- ]
- }
- ],
- "azure-storage-accounts-key-rotation-reminder-disabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "2.2.0",
- "reference": "3.3"
- }
- ]
- }
- ],
- "azure-storage-accounts-key-rotation-disabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "2.2.0",
- "reference": "3.4"
- }
- ]
- }
- ],
- "azure-storage-accounts-queue-logging-disabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "2.2.0",
- "reference": "3.5"
- }
- ]
- }
- ],
- "azure-storage-accounts-public-access-level.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "2.2.0",
- "reference": "3.7"
- }
- ]
- }
- ],
- "azure-storage-accounts-access-all-networks.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "2.2.0",
- "reference": "3.8"
- }
- ]
- }
- ],
- "azure-storage-accounts-trusted-ms-services-bypass.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "2.2.0",
- "reference": "3.9"
- }
- ]
- }
- ],
- "azure-storage-accounts-blob-data-protection-missing.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "2.2.0",
- "reference": "3.11"
- }
- ]
- }
- ],
- "azure-storage-accounts-lack-cmk.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "2.2.0",
- "reference": "3.12"
- }
- ]
- }
- ],
- "azure-storage-accounts-blob-logging-disabled.json": [
- {
- "enabled": true,
- "level": "low",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "2.2.0",
- "reference": "3.13"
- }
- ]
- }
- ],
- "azure-storage-accounts-table-logging-disabled.json": [
- {
- "enabled": true,
- "level": "low",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "2.2.0",
- "reference": "3.14"
- }
- ]
- }
- ],
- "azure-storage-accounts-minimum-tls-disabled.json": [
- {
- "enabled": true,
- "level": "low",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "2.2.0",
- "reference": "3.15"
- }
- ]
- }
- ],
- "azure-sql-server-auditing-disabled.json": [
- {
- "enabled": true,
- "level": "low",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "2.2.0",
- "reference": "4.1.1"
- }
- ]
- }
- ],
- "azure-sql-fw-allow-all.json": [
- {
- "args": [
- "SQL",
- "0.0.0.0",
- "255.255.255.255",
- "A custom rule was set up with StartIp of 0.0.0.0 and EndIP of 255.255.255.255 allowing access from ANY IP over the Internet",
- "2.0.0",
- "4.2"
- ],
- "enabled": true,
- "level": "medium"
- },
- {
- "args": [
- "SQL",
- "0.0.0.0",
- "0.0.0.0",
- "By default, for a SQL server, a Firewall exists with StartIp of 0.0.0.0 and EndIP of 0.0.0.0 allowing access to all the Azure services",
- "2.2.0",
- "4.2"
- ],
- "enabled": true,
- "level": "medium"
- }
- ],
- "azure-sql-server-tdp-own-key-enabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "2.2.0",
- "reference": "4.1.3"
- }
- ]
- }
- ],
- "azure-sql-server-active-directory-admin-disabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "2.2.0",
- "reference": "4.1.4"
- }
- ]
- }
- ],
- "azure-sql-server-data-encryption-disabled.json": [
- {
- "enabled": true,
- "level": "low",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "2.2.0",
- "reference": "4.1.5"
- }
- ]
- }
- ],
- "azure-sql-server-auditing-retention.json": [
- {
- "enabled": true,
- "level": "low",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "2.0.0",
- "reference": "4.1.6"
- }
- ]
- }
- ],
- "azure-sql-server-vulnerability-assessments-disabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "2.0.0",
- "reference": "4.2.2"
- }
- ]
- }
- ],
- "azure-sql-server-vulnerability-periodic-assessments-disabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "2.0.0",
- "reference": "4.2.3"
- }
- ]
- }
- ],
- "azure-sql-server-vulnerability-assessments-send-reports-disabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "2.0.0",
- "reference": "4.2.4"
- }
- ]
- }
- ],
- "azure-sql-server-vulnerability-assessments-reportsto-admins-disabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "2.0.0",
- "reference": "4.2.5"
- }
- ]
- }
- ],
- "azure-postgresql-enforcessl-disabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "2.0.0",
- "reference": "4.3.1"
- }
- ]
- }
- ],
- "azure-postgresql-log-checkpoints-disabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "2.0.0",
- "reference": "4.3.2"
- }
- ]
- }
- ],
- "azure-postgresql-log-connections-disabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "2.0.0",
- "reference": "4.3.3"
- }
- ]
- }
- ],
- "azure-postgresql-log-disconnections-disabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "2.0.0",
- "reference": "4.3.4"
- }
- ]
- }
- ],
- "azure-postgresql-connection-throttling-disabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "2.0.0",
- "reference": "4.3.5"
- }
- ]
- }
- ],
- "azure-postgresql-log-retention-days.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "2.0.0",
- "reference": "4.3.6"
- }
- ]
- }
- ],
- "azure-postgresql-allow-access-azure-services-enabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "2.0.0",
- "reference": "4.3.7"
- }
- ]
- }
- ],
- "azure-postgresql-infrastructure-encryption-disabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "2.0.0",
- "reference": "4.3.8"
- }
- ]
- }
- ],
- "azure-mysql-enforcessl-disabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "2.0.0",
- "reference": "4.4.1"
- }
- ]
- }
- ],
- "azure-mysql-latest-tls-version-disabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "2.0.0",
- "reference": "4.4.2"
- }
- ]
- }
- ],
- "azure-mysql-audit-log-parameter-disabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "2.0.0",
- "reference": "4.4.3"
- }
- ]
- }
- ],
- "azure-mysql-audit-log-events-parameter-disabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "2.0.0",
- "reference": "4.4.4"
- }
- ]
- }
- ],
- "azure-diagnostic-settings-disabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "2.0.0",
- "reference": "5.1.1"
- }
- ]
- }
- ],
- "azure-diagnostic-settings-missing-categories.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "2.0.0",
- "reference": "5.1.2"
- }
- ]
- }
- ],
- "azure-log-profile-container-public-access.json": [
- {
- "enabled": true,
- "level": "high",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "2.0.0",
- "reference": "5.1.3"
- }
- ]
- }
- ],
- "azure-log-profile-storage-account-byok-disabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "2.0.0",
- "reference": "5.1.4"
- }
- ]
- }
- ],
- "azure-keyvault-logging-enabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "2.0.0",
- "reference": "5.1.5"
- }
- ]
- }
- ],
- "azure-app-services-logging-disabled.json": [
- {
- "enabled": true,
- "level": "low",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "2.0.0",
- "reference": "5.1.7"
- }
- ]
- }
- ],
- "azure-activity-log-disabled-alerts.json": [
- {
- "args": [
- "Create Policy Assignment",
- "Microsoft.Authorization/policyAssignments/write",
- "True",
- "2.0.0",
- "5.2.1",
- "Monitoring for create policy assignment events gives insight into changes done in 'azure policy - assignments' and may reduce the time it takes to detect unsolicited changes."
- ],
- "enabled": true,
- "level": "medium"
- },
- {
- "args": [
- "Delete Policy Assignment",
- "Microsoft.Authorization/policyAssignments/delete",
- "True",
- "2.0.0",
- "5.2.2",
- "Monitoring for delete policy assignment events gives insight into changes done in 'azure policy - assignments' and may reduce the time it takes to detect unsolicited changes."
- ],
- "enabled": true,
- "level": "medium"
- },
- {
- "args": [
- "Create or Update Network Security Group",
- "Microsoft.Network/networkSecurityGroups/write",
- "True",
- "2.0.0",
- "5.2.3",
- "Monitoring for 'Create' or 'Update Network Security Group' events gives insight into network access changes and may reduce the time it takes to detect suspicious activity."
- ],
- "enabled": true,
- "level": "medium"
- },
- {
- "args": [
- "Delete Network Security Group",
- "Microsoft.Network/networkSecurityGroups/delete",
- "True",
- "2.0.0",
- "5.2.4",
- "Monitoring for 'Delete Network Security Group' events gives insight into network access changes and may reduce the time it takes to detect suspicious activity."
- ],
- "enabled": true,
- "level": "medium"
- },
- {
- "args": [
- "Create or Update Network Security Group Rule",
- "Microsoft.Network/networkSecurityGroups/securityRules/write",
- "True",
- "2.0.0",
- "5.2.5",
- "Monitoring for Create or Update 'Network Security Group' Rule events gives insight into network access changes and may reduce the time it takes to detect suspicious activity."
- ],
- "enabled": true,
- "level": "medium"
- },
- {
- "args": [
- "Delete Network Security Group Rule",
- "Microsoft.Network/networkSecurityGroups/securityRules/delete",
- "True",
- "2.0.0",
- "5.2.6",
- "Monitoring for Delete Network Security Group Rule events gives insight into network access changes and may reduce the time it takes to detect suspicious activity."
- ],
- "enabled": true,
- "level": "medium"
- },
- {
- "args": [
- "Create or Update Security Solution",
- "Microsoft.Security/securitySolutions/write",
- "True",
- "2.0.0",
- "5.2.7",
- "Monitoring for Create or Update Security Solution events gives insight into changes to the active security solutions and may reduce the time it takes to detect suspicious activity."
- ],
- "enabled": true,
- "level": "medium"
- },
- {
- "args": [
- "Delete Security Solution",
- "Microsoft.Security/securitySolutions/delete",
- "True",
- "2.0.0",
- "5.2.8",
- "Monitoring for Delete Security Solution events gives insight into changes to the active security solutions and may reduce the time it takes to detect suspicious activity."
- ],
- "enabled": true,
- "level": "medium"
- },
- {
- "args": [
- "Create or Update or Delete SQL Server Firewall Rule",
- "Microsoft.Sql/servers/firewallRules/write",
- "True",
- "2.0.0",
- "5.2.9",
- "Monitoring for Create or Update or Delete SQL Server Firewall Rule events gives insight into network access changes and may reduce the time it takes to detect suspicious activity."
- ],
- "enabled": true,
- "level": "medium"
- }
- ],
- "azure-activity-log-missing-alerts.json": [
- {
- "args": [
- "Create Policy Assignment",
- "Microsoft.Authorization/policyAssignments/write",
- "",
- "2.0.0",
- "5.2.1",
- "Monitoring for create policy assignment events gives insight into changes done in 'azure policy - assignments' and may reduce the time it takes to detect unsolicited changes.",
- "monkey365 rule"
- ],
- "enabled": true,
- "level": "medium"
- },
- {
- "args": [
- "Create or Update Network Security Group",
- "Microsoft.Network/networkSecurityGroups/write",
- "",
- "2.0.0",
- "5.2.3",
- "Monitoring for 'Create' or 'Update Network Security Group' events gives insight into network access changes and may reduce the time it takes to detect suspicious activity.",
- "monkey365 rule"
- ],
- "enabled": true,
- "level": "medium"
- },
- {
- "args": [
- "Create or Update Network Security Group Rule",
- "Microsoft.Network/networkSecurityGroups/securityRules/write",
- "",
- "2.0.0",
- "5.2.3",
- "Monitoring for Create or Update Network Security Group Rule events gives insight into network access changes and may reduce the time it takes to detect suspicious activity.",
- "monkey365 rule"
- ],
- "enabled": true,
- "level": "medium"
- },
- {
- "args": [
- "Delete Network Security Group Rule",
- "Microsoft.Network/networkSecurityGroups/securityRules/delete",
- "",
- "2.0.0",
- "5.2.4",
- "Monitoring for Delete Network Security Group Rule events gives insight into network access changes and may reduce the time it takes to detect suspicious activity.",
- "monkey365 rule"
- ],
- "enabled": true,
- "level": "medium"
- },
- {
- "args": [
- "Delete Network Security Group",
- "Microsoft.Network/networkSecurityGroups/delete",
- "",
- "1.5.0",
- "5.2.3",
- "Monitoring for 'Delete Network Security Group' events gives insight into network access changes and may reduce the time it takes to detect suspicious activity.",
- "monkey365 rule"
- ],
- "enabled": true,
- "level": "medium"
- },
- {
- "args": [
- "Create or Update Security Solution",
- "Microsoft.Security/securitySolutions/write",
- "",
- "2.0.0",
- "5.2.5",
- "Monitoring for Create or Update Security Solution events gives insight into changes to the active security solutions and may reduce the time it takes to detect suspicious activity.",
- "monkey365 rule"
- ],
- "enabled": true,
- "level": "medium"
- },
- {
- "args": [
- "Delete Security Solution",
- "Microsoft.Security/securitySolutions/delete",
- "",
- "2.0.0",
- "5.2.6",
- "Monitoring for Delete Security Solution events gives insight into changes to the active security solutions and may reduce the time it takes to detect suspicious activity.",
- "monkey365 rule"
- ],
- "enabled": true,
- "level": "medium"
- },
- {
- "args": [
- "Create or Update or Delete SQL Server Firewall Rule",
- "Microsoft.Sql/servers/firewallRules/write",
- "",
- "2.0.0",
- "5.2.7",
- "Monitoring for Create or Update or Delete SQL Server Firewall Rule events gives insight into network access changes and may reduce the time it takes to detect suspicious activity.",
- "monkey365 rule"
- ],
- "enabled": true,
- "level": "medium"
- },
- {
- "args": [
- "Update Security Policy",
- "Microsoft.Security/policies/write",
- "",
- "2.0.0",
- "5.2.9",
- "Monitoring for Update Security Policy events gives insight into changes to security policy and may reduce the time it takes to detect suspicious activity.",
- "monkey365 rule"
- ],
- "enabled": true,
- "level": "medium"
- },
- {
- "args": [
- "Create or Update Public IP Addresses rule",
- "Microsoft.Network/publicIPAddresses/write",
- "",
- "2.0.0",
- "5.2.9",
- "Monitoring for Create or Update Public IP Address events gives insight into network access changes and may reduce the time it takes to detect suspicious activity.",
- "monkey365 rule"
- ],
- "enabled": true,
- "level": "medium"
- },
- {
- "args": [
- "Delete Public IP Addresses rule",
- "Microsoft.Network/publicIPAddresses/delete",
- "",
- "2.0.0",
- "5.2.10",
- "Monitoring for Create or Update Public IP Address events gives insight into network access changes and may reduce the time it takes to detect suspicious activity.",
- "monkey365 rule"
- ],
- "enabled": true,
- "level": "medium"
- }
- ],
- "azure-nsg-tcp-ports-open.json": [
- {
- "args": [
- "RDP",
- "3389",
- "Disable RDP access on network security groups from the Internet.",
- "The potential security problem with using RDP over the Internet is that attackers can use various brute force techniques to gain access to Azure Virtual Machines. Once the attackers gain access, they can use a virtual machine as a launch point for compromising other machines on an Azure Virtual Network or even attack networked devices outside of Azure",
- "2.0.0",
- "6.1",
- ""
- ],
- "enabled": true,
- "level": "medium"
- },
- {
- "args": [
- "FTP",
- "21",
- "Disable FTP access on network security groups from the Internet.",
- "The potential security problem with using FTP over the Internet is that attackers can use various brute force techniques to gain access to Azure Virtual Machines. Once the attackers gain access, they can use a virtual machine as a launch point for compromising other machines on the Azure Virtual Network or even attack networked devices outside of Azure",
- "",
- "",
- "monkey365 rule"
- ],
- "enabled": true,
- "level": "medium"
- },
- {
- "args": [
- "SSH",
- "22",
- "Disable SSH access on network security groups from the Internet.",
- "The potential security problem with using SSH over the Internet is that attackers can use various brute force techniques to gain access to Azure Virtual Machines. Once the attackers gain access, they can use a virtual machine as a launch point for compromising other machines on the Azure Virtual Network or even attack networked devices outside of Azure",
- "2.0.0",
- "6.2",
- ""
- ],
- "enabled": true,
- "level": "medium"
- },
- {
- "args": [
- "TELNET",
- "23",
- "Disable Telnet access on network security groups from the Internet.",
- "The potential security problem with using TELNET over the Internet is that attackers can use various brute force techniques to gain access to Azure Virtual Machines. Once the attackers gain access, they can use a virtual machine as a launch point for compromising other machines on the Azure Virtual Network or even attack networked devices outside of Azure",
- "",
- "",
- "monkey365 rule"
- ],
- "enabled": true,
- "level": "medium"
- },
- {
- "args": [
- "SQL",
- "1433",
- "Disable SQL access on network security groups from the Internet.",
- "The potential security problem with using SQL over the Internet is that attackers can use various brute force techniques to gain access to Azure Virtual Machines. Once the attackers gain access, they can use a virtual machine as a launch point for compromising other machines on the Azure Virtual Network or even attack networked devices outside of Azure",
- "",
- "",
- "monkey365 rule"
- ],
- "enabled": true,
- "level": "medium"
- }
- ],
- "azure-nsg-udp-ports-open.json": [
- {
- "args": [
- "DNS",
- "53",
- "Disable DNS access on network security groups from the Internet.",
- "The potential security problem with broadly exposing UDP services over the Internet is that attackers can use DDoS amplification techniques to reflect spoofed UDP traffic from Azure Virtual Machines. The most common types of these attacks use exposed DNS, NTP, SSDP, SNMP, CLDAP and other UDP-based services as amplification source for disrupting services of other machines on the Azure Virtual Network or even attack networked devices outside of Azure.",
- "2.0.0",
- "6.3",
- ""
- ],
- "enabled": true,
- "level": "medium"
- },
- {
- "args": [
- "NTP",
- "123",
- "Disable NTP access on network security groups from the Internet.",
- "The potential security problem with broadly exposing UDP services over the Internet is that attackers can use DDoS amplification techniques to reflect spoofed UDP traffic from Azure Virtual Machines. The most common types of these attacks use exposed DNS, NTP, SSDP, SNMP, CLDAP and other UDP-based services as amplification source for disrupting services of other machines on the Azure Virtual Network or even attack networked devices outside of Azure.",
- "2.0.0",
- "6.3",
- ""
- ],
- "enabled": true,
- "level": "medium"
- },
- {
- "args": [
- "SNMP",
- "161",
- "Disable SNMP access on network security groups from the Internet.",
- "The potential security problem with broadly exposing UDP services over the Internet is that attackers can use DDoS amplification techniques to reflect spoofed UDP traffic from Azure Virtual Machines. The most common types of these attacks use exposed DNS, NTP, SSDP, SNMP, CLDAP and other UDP-based services as amplification source for disrupting services of other machines on the Azure Virtual Network or even attack networked devices outside of Azure.",
- "2.0.0",
- "6.3",
- ""
- ],
- "enabled": true,
- "level": "medium"
- },
- {
- "args": [
- "LDAP",
- "389",
- "Disable LDAP access on network security groups from the Internet.",
- "The potential security problem with broadly exposing UDP services over the Internet is that attackers can use DDoS amplification techniques to reflect spoofed UDP traffic from Azure Virtual Machines. The most common types of these attacks use exposed DNS, NTP, SSDP, SNMP, CLDAP and other UDP-based services as amplification source for disrupting services of other machines on the Azure Virtual Network or even attack networked devices outside of Azure.",
- "2.0.0",
- "6.3",
- ""
- ],
- "enabled": true,
- "level": "medium"
- },
- {
- "args": [
- "UPnP/SSDP",
- "1900",
- "Disable UPnP/SSDP access on network security groups from the Internet.",
- "The potential security problem with broadly exposing UDP services over the Internet is that attackers can use DDoS amplification techniques to reflect spoofed UDP traffic from Azure Virtual Machines. The most common types of these attacks use exposed DNS, NTP, SSDP, SNMP, CLDAP and other UDP-based services as amplification source for disrupting services of other machines on the Azure Virtual Network or even attack networked devices outside of Azure.",
- "2.0.0",
- "6.3",
- ""
- ],
- "enabled": true,
- "level": "medium"
- }
- ],
- "azure-nsg-port-open.json": [
- {
- "args": [
- "ALL",
- "*",
- "`all ports` open to all. Network security groups should be periodically evaluated for port misconfigurations. Where certain ports and protocols may be exposed to the Internet, they should be evaluated for necessity and restricted wherever they are not explicitly required and narrowly configured.",
- "The potential security problem with using HTTP(S) over the Internet is that attackers can use various brute force techniques to gain access to Azure resources. Once the attackers gain access, they can use the resource as a launch point for compromising other resources within the Azure tenant.",
- "2.0.0",
- "6.4",
- ""
- ],
- "enabled": true,
- "level": "high"
- },
- {
- "args": [
- "ALL",
- "0-65535",
- "`all ports` open to all. Network security groups should be periodically evaluated for port misconfigurations. Where certain ports and protocols may be exposed to the Internet, they should be evaluated for necessity and restricted wherever they are not explicitly required and narrowly configured.",
- "The potential security problem with using HTTP(S) over the Internet is that attackers can use various brute force techniques to gain access to Azure resources. Once the attackers gain access, they can use the resource as a launch point for compromising other resources within the Azure tenant.",
- "2.0.0",
- "6.4",
- ""
- ],
- "enabled": true,
- "level": "high"
- }
- ],
- "azure-network-watcher-flow-log-retention.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "2.0.0",
- "reference": "6.5"
- }
- ]
- }
- ],
- "azure-network-watcher-disabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "2.0.0",
- "reference": "6.6"
- }
- ]
- }
- ],
- "azure-unassigned-public-ip-address.json": [
- {
- "enabled": true,
- "level": "medium"
- }
- ],
- "azure-os-managed-disk-disabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "2.0.0",
- "reference": "7.2"
- }
- ]
- }
- ],
- "azure-vm-os-data-sse-encryption-disabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "2.0.0",
- "reference": "7.3"
- }
- ]
- }
- ],
- "azure-unattached-disk-sse-encryption-disabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "2.0.0",
- "reference": "7.4"
- }
- ]
- }
- ],
- "azure-vm-approved-extensions.json": [
- {
- "enabled": true,
- "level": "low",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "2.0.0",
- "reference": "7.5"
- }
- ]
- }
- ],
- "azure-vm-antimalware-disabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "2.0.0",
- "reference": "7.6"
- }
- ]
- }
- ],
- "azure-os-disk-encryption-disabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "2.0.0",
- "reference": "7.7"
- }
- ]
- }
- ],
- "azure-keyvault-keys-expiration-set.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "2.0.0",
- "reference": "8.1"
- }
- ]
- }
- ],
- "azure-keyvault-secrets-expiration-set.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "1.5.0",
- "reference": "8.3"
- }
- ]
- }
- ],
- "azure-keyvault-recoverable.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "2.0.0",
- "reference": "8.5"
- }
- ]
- }
- ],
- "azure-app-services-auth-disabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "2.0.0",
- "reference": "9.1"
- }
- ]
- }
- ],
- "azure-app-services-https-only-disabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "2.0.0",
- "reference": "9.2"
- }
- ]
- }
- ],
- "azure-app-services-latest-tls-version-missing.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "2.0.0",
- "reference": "9.3"
- }
- ]
- }
- ],
- "azure-app-services-client-certificate-missing.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "2.0.0",
- "reference": "9.4"
- }
- ]
- }
- ],
- "azure-app-services-ad-managed-identity-missing.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "2.0.0",
- "reference": "9.5"
- }
- ]
- }
- ],
- "azure-app-services-latest-php-version-missing.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "2.0.0",
- "reference": "9.6"
- }
- ]
- }
- ],
- "azure-app-services-latest-python-version-missing.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "2.0.0",
- "reference": "9.7"
- }
- ]
- }
- ],
- "azure-app-services-latest-java-version-missing.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "2.0.0",
- "reference": "9.8"
- }
- ]
- }
- ],
- "azure-app-services-latest-http-version-disabled.json": [
- {
- "enabled": true,
- "level": "low",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "2.0.0",
- "reference": "9.9"
- }
- ]
- }
- ],
- "azure-app-services-ftp-deployment-enabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft Azure Foundations",
- "version": "2.0.0",
- "reference": "9.10"
- }
- ]
- }
- ]
- }
-}
\ No newline at end of file
diff --git a/rules/rulesets/cis_azure_3.0.json b/rules/rulesets/cis_azure_3.0.json
index 8f9043e0..fbbf202b 100644
--- a/rules/rulesets/cis_azure_3.0.json
+++ b/rules/rulesets/cis_azure_3.0.json
@@ -5,7 +5,7 @@
"version" : "3.0.0"
},
"rules": {
- "aad-security-defaults-disabled.json": [
+ "entra-security-defaults-enabled.json": [
{
"enabled": true,
"level": "medium",
@@ -18,7 +18,7 @@
]
}
],
- "aad-iam-privileged-users-disabled-mfa.json": [
+ "entra-iam-privileged-users-disabled-mfa.json": [
{
"args": [
"aad-privileged-roles.json"
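Review bot: The argument `"aad-privileged-roles.json"` keeps the old `aad-` prefix while the rule key directly above it is renamed to `entra-iam-privileged-users-disabled-mfa.json`; if the supporting roles file was renamed in the same `aad-` → `entra-` migration, this reference will fail to resolve when the ruleset is loaded. Verify the path the rule actually reads against the repository; if that data file was not renamed, the line is fine as is. The rule entry continues past the end of the hunk.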
@@ -34,7 +34,7 @@
]
}
],
- "aad-iam-users-disabled-mfa.json": [
+ "entra-iam-users-disabled-mfa.json": [
{
"enabled": true,
"level": "high",
@@ -47,20 +47,33 @@
]
}
],
- "aad-ensure-mfa-for-high-privileged-users-missing-cap.json": [
+ "entra-users-remember-mfa-on-devices-disabled.json": [
{
"enabled": true,
- "level": "medium",
+ "level": "low",
"compliance": [
{
"name": "CIS Microsoft Azure Foundations",
"version": "3.0.0",
- "reference": "2.2.4"
+ "reference": "2.1.4"
+ }
+ ]
+ }
+ ],
+ "entra-trusted-location-enabled..json": [
+ {
+ "enabled": true,
+ "level": "low",
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "3.0.0",
+ "reference": "2.2.1"
}
]
}
],
- "aad-ensure-mfa-for-users-missing-cap.json": [
+ "entra-exclusionary-geograhic-cap-exists.json": [
{
"enabled": true,
"level": "medium",
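Review bot: The added key `"entra-trusted-location-enabled..json"` carries a doubled dot before the extension, which will not match a rule file with a normal `.json` suffix unless the file itself has the same typo; the intended key is presumably `"entra-trusted-location-enabled.json"`. The added key `"entra-exclusionary-geograhic-cap-exists.json"` likewise looks like a misspelling of "geographic"; confirm it matches the on-disk file name, since a mismatch silently drops the control from the CIS 3.0 ruleset. The identity rules also mix two prefixes, `entra-` in this hunk and `eid-` from the next hunk onward through the rest of section 2; settling on one would keep the ruleset greppable. The enclosing `rules` object extends beyond the hunk on both sides.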
@@ -68,12 +81,12 @@
{
"name": "CIS Microsoft Azure Foundations",
"version": "3.0.0",
- "reference": "2.2.5"
+ "reference": "2.2.2"
}
]
}
],
- "aad-ensure-mfa-for-risky-signs-missing-cap.json": [
+ "eid-exclusionary-device-code-flow-disabled.json": [
{
"enabled": true,
"level": "medium",
@@ -81,12 +94,12 @@
{
"name": "CIS Microsoft Azure Foundations",
"version": "3.0.0",
- "reference": "2.2.6"
+ "reference": "2.2.3"
}
]
}
],
- "aad-ensure-mfa-for-azure-management-missing-cap.json": [
+ "eid-ensure-mfa-for-high-privileged-users-missing-cap.json": [
{
"enabled": true,
"level": "medium",
@@ -94,12 +107,12 @@
{
"name": "CIS Microsoft Azure Foundations",
"version": "3.0.0",
- "reference": "2.2.7"
+ "reference": "2.2.4"
}
]
}
],
- "non-admin-users-allowedto-create-tenants.json": [
+ "eid-ensure-mfa-for-users-missing-cap.json": [
{
"enabled": true,
"level": "medium",
@@ -107,12 +120,12 @@
{
"name": "CIS Microsoft Azure Foundations",
"version": "3.0.0",
- "reference": "2.3"
+ "reference": "2.2.5"
}
]
}
],
- "azure-activedirectory-sspr-reset-methods.json": [
+ "eid-ensure-mfa-for-risky-signs-missing-cap.json": [
{
"enabled": true,
"level": "low",
@@ -120,12 +133,12 @@
{
"name": "CIS Microsoft Azure Foundations",
"version": "3.0.0",
- "reference": "2.5"
+ "reference": "2.2.6"
}
]
}
],
- "aad-bad-password-list-disabled.json": [
+ "eid-ensure-mfa-for-azure-management-missing-cap.json": [
{
"enabled": true,
"level": "low",
@@ -133,12 +146,12 @@
{
"name": "CIS Microsoft Azure Foundations",
"version": "3.0.0",
- "reference": "2.8"
+ "reference": "2.2.7"
}
]
}
],
- "azure-activedirectory-sspr-mfa-reconfirm-days.json": [
+ "eid-ensure-mfa-admin-portals-missing-cap.json": [
{
"enabled": true,
"level": "low",
@@ -146,12 +159,12 @@
{
"name": "CIS Microsoft Azure Foundations",
"version": "3.0.0",
- "reference": "2.9"
+ "reference": "2.2.8"
}
]
}
],
- "azure-activedirectory-sspr-notify-users-disabled.json": [
+ "eid-non-admin-users-allowedto-create-tenants.json": [
{
"enabled": true,
"level": "low",
@@ -159,12 +172,12 @@
{
"name": "CIS Microsoft Azure Foundations",
"version": "3.0.0",
- "reference": "2.10"
+ "reference": "2.3"
}
]
}
],
- "azure-activedirectory-sspr-notify-admin-disabled.json": [
+ "eid-ensure-guest-users-are-reviewed.json": [
{
"enabled": true,
"level": "low",
@@ -172,12 +185,12 @@
{
"name": "CIS Microsoft Azure Foundations",
"version": "3.0.0",
- "reference": "2.11"
+ "reference": "2.4"
}
]
}
],
- "azure-activedirectory-users-can-consent-apps-data-access.json": [
+ "eid-sspr-reset-number-of-methods.json": [
{
"enabled": true,
"level": "medium",
@@ -185,12 +198,12 @@
{
"name": "CIS Microsoft Azure Foundations",
"version": "3.0.0",
- "reference": "2.12"
+ "reference": "2.5"
}
]
}
],
- "azure-activedirectory-users-can-consent-apps-data-access-trusted-publishers-disabled.json": [
+ "eid-account-lockout-threshold-policy.json": [
{
"enabled": true,
"level": "medium",
@@ -198,12 +211,12 @@
{
"name": "CIS Microsoft Azure Foundations",
"version": "3.0.0",
- "reference": "2.13"
+ "reference": "2.6"
}
]
}
],
- "azure-activedirectory-users-can-register-apps-enabled.json": [
+ "eid-account-lockout-seconds-policy.json": [
{
"enabled": true,
"level": "info",
@@ -211,12 +224,12 @@
{
"name": "CIS Microsoft Azure Foundations",
"version": "3.0.0",
- "reference": "2.14"
+ "reference": "2.7"
}
]
}
],
- "azure-ad-guest-object-restriction-disabled.json": [
+ "eid-custom-banned-password-list-disabled.json": [
{
"enabled": true,
"level": "low",
@@ -224,12 +237,12 @@
{
"name": "CIS Microsoft Azure Foundations",
"version": "3.0.0",
- "reference": "2.15"
+ "reference": "2.8"
}
]
}
],
- "azure-ad-guest-invite-restriction-disabled.json": [
+ "eid-sspr-number-of-days-mfa-reconfirm-days.json": [
{
"enabled": true,
"level": "low",
@@ -237,12 +250,12 @@
{
"name": "CIS Microsoft Azure Foundations",
"version": "3.0.0",
- "reference": "2.16"
+ "reference": "2.9"
}
]
}
],
- "azure-activedirectory-restrict-users-ad-portal.json": [
+ "eid-sspr-notify-users-on-password-reset-disabled.json": [
{
"enabled": true,
"level": "medium",
@@ -250,12 +263,12 @@
{
"name": "CIS Microsoft Azure Foundations",
"version": "3.0.0",
- "reference": "2.17"
+ "reference": "2.10"
}
]
}
],
- "azure-ad-group-features-disabled.json": [
+ "eid-sspr-notify-admin-other-admins-on-password-reset-disabled.json": [
{
"enabled": true,
"level": "low",
@@ -263,25 +276,25 @@
{
"name": "CIS Microsoft Azure Foundations",
"version": "3.0.0",
- "reference": "2.18"
+ "reference": "2.11"
}
]
}
],
- "azure-ad-users-can-create-security-groups.json": [
+ "eid-users-can-consent-apps-data-access.json": [
{
"enabled": true,
- "level": "low",
+ "level": "medium",
"compliance": [
{
"name": "CIS Microsoft Azure Foundations",
"version": "3.0.0",
- "reference": "2.19"
+ "reference": "2.12"
}
]
}
],
- "azure-activedirectory-owners-can-manage-group-membership-enabled.json": [
+ "eid-users-can-consent-apps-data-access-trusted-publishers-disabled.json": [
{
"enabled": true,
"level": "low",
@@ -289,12 +302,12 @@
{
"name": "CIS Microsoft Azure Foundations",
"version": "3.0.0",
- "reference": "2.20"
+ "reference": "2.13"
}
]
}
],
- "azure-activedirectory-users-can-create-o365-groups.json": [
+ "eid-users-can-register-apps-enabled.json": [
{
"enabled": true,
"level": "low",
@@ -302,12 +315,12 @@
{
"name": "CIS Microsoft Azure Foundations",
"version": "3.0.0",
- "reference": "2.21"
+ "reference": "2.14"
}
]
}
],
- "azure-activedirectory-devices-require-mfa-settings.json": [
+ "eid-guest-object-restriction-disabled.json": [
{
"enabled": true,
"level": "medium",
@@ -315,12 +328,12 @@
{
"name": "CIS Microsoft Azure Foundations",
"version": "3.0.0",
- "reference": "2.22"
+ "reference": "2.15"
}
]
}
],
- "azure-subscription-custom-role-excessive-permissions.json": [
+ "eid-guest-invite-restriction-disabled.json": [
{
"enabled": true,
"level": "medium",
@@ -328,12 +341,12 @@
{
"name": "CIS Microsoft Azure Foundations",
"version": "3.0.0",
- "reference": "2.23"
+ "reference": "2.16"
}
]
}
],
- "azure-subscription-missing-custom-lock-role.json": [
+ "eid-restrict-users-entra-portal.json": [
{
"enabled": true,
"level": "medium",
@@ -341,12 +354,12 @@
{
"name": "CIS Microsoft Azure Foundations",
"version": "3.0.0",
- "reference": "2.24"
+ "reference": "2.17"
}
]
}
],
- "azure-subscription-permit-no-one-disabled.json": [
+ "eid-user-ability-to access-group-features-disabled.json": [
{
"enabled": true,
"level": "low",
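Review bot: The added key `"eid-user-ability-to access-group-features-disabled.json"` has a literal space between `to` and `access`, which breaks the hyphenated convention every other key follows and almost certainly does not match the rule file on disk; it should read `"eid-user-ability-to-access-group-features-disabled.json"`, with the file renamed to match if it also carries the space. A file name containing a space would also need quoting in any shell tooling that iterates the rule directory. The rule entry continues past the end of the hunk.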
@@ -354,12 +367,12 @@
{
"name": "CIS Microsoft Azure Foundations",
"version": "3.0.0",
- "reference": "2.25"
+ "reference": "2.18"
}
]
}
],
- "azure-automatic-vm-agent-provisioning-policy-disabled.json": [
+ "eid-users-can-create-security-groups.json": [
{
"enabled": true,
"level": "medium",
@@ -367,12 +380,12 @@
{
"name": "CIS Microsoft Azure Foundations",
"version": "3.0.0",
- "reference": "3.1.1.1"
+ "reference": "2.19"
}
]
}
],
- "cloud-app-security-missing-security-center-integration.json": [
+ "eid-owners-can-manage-group-membership-enabled.json": [
{
"enabled": true,
"level": "medium",
@@ -380,12 +393,12 @@
{
"name": "CIS Microsoft Azure Foundations",
"version": "3.0.0",
- "reference": "3.1.1.2"
+ "reference": "2.20"
}
]
}
],
- "azure-defender-missing-vm-protection.json": [
+ "eid-users-can-create-m365-groups.json": [
{
"enabled": true,
"level": "medium",
@@ -393,12 +406,12 @@
{
"name": "CIS Microsoft Azure Foundations",
"version": "3.0.0",
- "reference": "3.1.3.1"
+ "reference": "2.21"
}
]
}
],
- "azure-defender-missing-container-registries-protection.json": [
+ "eid-register-or-joined-devices-require-mfa-settings.json": [
{
"enabled": true,
"level": "medium",
@@ -406,12 +419,12 @@
{
"name": "CIS Microsoft Azure Foundations",
"version": "3.0.0",
- "reference": "3.1.4.1"
+ "reference": "2.22"
}
]
}
],
- "azure-defender-missing-storageaccount-protection.json": [
+ "azure-subscription-custom-role-excessive-permissions.json": [
{
"enabled": true,
"level": "medium",
@@ -419,12 +432,12 @@
{
"name": "CIS Microsoft Azure Foundations",
"version": "3.0.0",
- "reference": "3.1.5.1"
+ "reference": "2.23"
}
]
}
],
- "azure-defender-missing-appservice-protection.json": [
+ "azure-subscription-missing-custom-lock-role.json": [
{
"enabled": true,
"level": "medium",
@@ -432,29 +445,28 @@
{
"name": "CIS Microsoft Azure Foundations",
"version": "3.0.0",
- "reference": "3.1.6.1"
+ "reference": "2.24"
}
]
}
],
- "azure-defender-missing-sql-database-protection.json": [
+ "azure-subscription-permit-no-one-disabled.json": [
{
- "args": [
- "SqlServers"
- ],
"enabled": true,
"level": "medium",
"compliance": [
{
"name": "CIS Microsoft Azure Foundations",
"version": "3.0.0",
- "reference": "3.1.7.4"
+ "reference": "2.25"
}
]
- },
+ }
+ ],
+ "eid-iam-excessive-global-admins.json": [
{
"args": [
- "SqlServerVirtualMachines"
+ 5
],
"enabled": true,
"level": "medium",
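Review bot: The new `eid-iam-excessive-global-admins.json` entry passes its threshold as the bare number `5`, whereas every other `args` value in this ruleset is a string; if the loader substitutes `_ARG_N_` placeholders textually this may still work, but a single numeric element in an otherwise all-string `args` array is worth checking against the loader and documenting in the rule file. It is also not visible here whether the rule fires at five or more global administrators or at more than five; if 2.26 is the "fewer than 5" control, the comparison direction should be pinned in the rule file (the JSON ruleset itself cannot carry comments) to avoid off-by-one drift. The rule entry continues past the end of the hunk.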
@@ -462,40 +474,38 @@
{
"name": "CIS Microsoft Azure Foundations",
"version": "3.0.0",
- "reference": "3.1.7.3"
+ "reference": "2.26"
}
]
- },
+ }
+ ],
+ "azure-automatic-vm-agent-provisioning-policy-disabled.json": [
{
- "args": [
- "OpenSourceRelationalDatabases"
- ],
"enabled": true,
"level": "medium",
"compliance": [
{
"name": "CIS Microsoft Azure Foundations",
"version": "3.0.0",
- "reference": "3.1.7.2"
+ "reference": "3.1.1.1"
}
]
- },
+ }
+ ],
+ "azure-defender-for-mcas-enabled.json": [
{
- "args": [
- "CosmosDbs"
- ],
"enabled": true,
"level": "medium",
"compliance": [
{
"name": "CIS Microsoft Azure Foundations",
"version": "3.0.0",
- "reference": "3.1.7.1"
+ "reference": "3.1.1.2"
}
]
}
],
- "azure-defender-missing-keyvault-protection.json": [
+ "azure-defender-missing-server-protection.json": [
{
"enabled": true,
"level": "medium",
@@ -503,12 +513,12 @@
{
"name": "CIS Microsoft Azure Foundations",
"version": "3.0.0",
- "reference": "3.1.8.1"
+ "reference": "3.1.3.1"
}
]
}
],
- "azure-defender-missing-rm-protection.json": [
+ "azure-vulnerability-assessment-on-servers-disabled.json": [
{
"enabled": true,
"level": "medium",
@@ -516,12 +526,12 @@
{
"name": "CIS Microsoft Azure Foundations",
"version": "3.0.0",
- "reference": "3.1.9.1"
+ "reference": "3.1.3.2"
}
]
}
],
- "azure-security-contact-mail-disabled.json": [
+ "azure-endpoint-protection-disabled.json": [
{
"enabled": true,
"level": "medium",
@@ -529,12 +539,12 @@
{
"name": "CIS Microsoft Azure Foundations",
"version": "3.0.0",
- "reference": "3.1.13"
+ "reference": "3.1.3.3"
}
]
}
],
- "azure-security-contact-send-email-high-alerts-disabled.json": [
+ "azure-agentless-scanning-for-machines-disabled.json": [
{
"enabled": true,
"level": "medium",
@@ -542,12 +552,12 @@
{
"name": "CIS Microsoft Azure Foundations",
"version": "3.0.0",
- "reference": "3.1.14"
+ "reference": "3.1.3.4"
}
]
}
],
- "azure-defender-missing-dns-protection.json": [
+ "azure-file-integrity-monitoring-disabled.json": [
{
"enabled": true,
"level": "medium",
@@ -555,12 +565,12 @@
{
"name": "CIS Microsoft Azure Foundations",
"version": "3.0.0",
- "reference": "3.1.16"
+ "reference": "3.1.3.5"
}
]
}
],
- "azure-defender-missing-iot-protection.json": [
+ "azure-defender-missing-container-registries-protection.json": [
{
"enabled": true,
"level": "medium",
@@ -568,12 +578,12 @@
{
"name": "CIS Microsoft Azure Foundations",
"version": "3.0.0",
- "reference": "3.2.1"
+ "reference": "3.1.4.1"
}
]
}
],
- "azure-keyvault-keys-expiration-set.json": [
+ "azure-agentless-discovery-for-kubernetes-disabled.json": [
{
"enabled": true,
"level": "medium",
@@ -581,12 +591,12 @@
{
"name": "CIS Microsoft Azure Foundations",
"version": "3.0.0",
- "reference": "3.3.1"
+ "reference": "3.1.4.2"
}
]
}
],
- "azure-keyvault-secrets-expiration-set.json": [
+ "azure-agentless-container-vulnerability-assessment-disabled.json": [
{
"enabled": true,
"level": "medium",
@@ -594,12 +604,12 @@
{
"name": "CIS Microsoft Azure Foundations",
"version": "3.0.0",
- "reference": "3.3.3"
+ "reference": "3.1.4.3"
}
]
}
],
- "azure-keyvault-recoverable.json": [
+ "azure-defender-missing-storageaccount-protection.json": [
{
"enabled": true,
"level": "medium",
@@ -607,12 +617,12 @@
{
"name": "CIS Microsoft Azure Foundations",
"version": "3.0.0",
- "reference": "3.3.5"
+ "reference": "3.1.5.1"
}
]
}
],
- "azure-storage-accounts-https-traffic-enabled.json": [
+ "azure-defender-missing-appservice-protection.json": [
{
"enabled": true,
"level": "medium",
@@ -620,25 +630,25 @@
{
"name": "CIS Microsoft Azure Foundations",
"version": "3.0.0",
- "reference": "4.1"
+ "reference": "3.1.6.1"
}
]
}
],
- "azure-storage-accounts-infrastructure-encryption-disabled.json": [
+ "azure-defender-missing-cosmodb-protection.json": [
{
"enabled": true,
- "level": "low",
+ "level": "medium",
"compliance": [
{
"name": "CIS Microsoft Azure Foundations",
"version": "3.0.0",
- "reference": "4.2"
+ "reference": "3.1.7.1"
}
]
}
],
- "azure-storage-accounts-key-rotation-reminder-disabled.json": [
+ "azure-defender-missing-osrd-protection.json": [
{
"enabled": true,
"level": "medium",
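Review bot: The added key `"azure-defender-missing-cosmodb-protection.json"` reads like a misspelling of "cosmosdb" (the service is Azure Cosmos DB); if the rule file is named the same way the key resolves, but the typo then propagates into report output and diverges from the sibling `azure-defender-missing-*-protection.json` names. Consider `"azure-defender-missing-cosmosdb-protection.json"` with a matching file rename, or confirm the on-disk spelling if it is intentional. The rule entries at both ends of this hunk continue outside it.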
@@ -646,12 +656,12 @@
{
"name": "CIS Microsoft Azure Foundations",
"version": "3.0.0",
- "reference": "4.3"
+ "reference": "3.1.7.2"
}
]
}
],
- "azure-storage-accounts-key-rotation-disabled.json": [
+ "azure-defender-missing-managed-sql-database-protection.json": [
{
"enabled": true,
"level": "medium",
@@ -659,12 +669,12 @@
{
"name": "CIS Microsoft Azure Foundations",
"version": "3.0.0",
- "reference": "4.4"
+ "reference": "3.1.7.3"
}
]
}
],
- "azure-storage-accounts-public-access-level.json": [
+ "azure-defender-missing-sql-server-on-machines-protection.json": [
{
"enabled": true,
"level": "medium",
@@ -672,12 +682,12 @@
{
"name": "CIS Microsoft Azure Foundations",
"version": "3.0.0",
- "reference": "4.6"
+ "reference": "3.1.7.4"
}
]
}
],
- "azure-storage-accounts-access-all-networks.json": [
+ "azure-defender-missing-keyvault-protection.json": [
{
"enabled": true,
"level": "medium",
@@ -685,12 +695,12 @@
{
"name": "CIS Microsoft Azure Foundations",
"version": "3.0.0",
- "reference": "4.7"
+ "reference": "3.1.8.1"
}
]
}
],
- "azure-storage-accounts-trusted-ms-services-bypass.json": [
+ "azure-defender-missing-resource-manager-protection.json": [
{
"enabled": true,
"level": "medium",
@@ -698,12 +708,12 @@
{
"name": "CIS Microsoft Azure Foundations",
"version": "3.0.0",
- "reference": "4.8"
+ "reference": "3.1.9.1"
}
]
}
],
- "azure-storage-accounts-blob-data-protection-missing.json": [
+ "azure-defender-recommendation-apply-system-updates-disabled.json": [
{
"enabled": true,
"level": "medium",
@@ -711,12 +721,12 @@
{
"name": "CIS Microsoft Azure Foundations",
"version": "3.0.0",
- "reference": "4.10"
+ "reference": "3.1.10"
}
]
}
],
- "azure-storage-accounts-lack-cmk.json": [
+ "azure-cloud-security-benchmark-policies-disabled.json": [
{
"enabled": true,
"level": "medium",
@@ -724,12 +734,12 @@
{
"name": "CIS Microsoft Azure Foundations",
"version": "3.0.0",
- "reference": "4.11"
+ "reference": "3.1.11"
}
]
}
],
- "azure-storage-accounts-queue-logging-disabled.json": [
+ "azure-security-contact-send-email-to-owners-disabled.json": [
{
"enabled": true,
"level": "medium",
@@ -737,90 +747,90 @@
{
"name": "CIS Microsoft Azure Foundations",
"version": "3.0.0",
- "reference": "4.12"
+ "reference": "3.1.12"
}
]
}
],
- "azure-storage-accounts-blob-logging-disabled.json": [
+ "azure-security-contact-additional-email-not-configured.json": [
{
"enabled": true,
- "level": "low",
+ "level": "medium",
"compliance": [
{
"name": "CIS Microsoft Azure Foundations",
"version": "3.0.0",
- "reference": "4.13"
+ "reference": "3.1.13"
}
]
}
],
- "azure-storage-accounts-table-logging-disabled.json": [
+ "azure-security-contact-send-email-high-alerts-disabled.json": [
{
"enabled": true,
- "level": "low",
+ "level": "medium",
"compliance": [
{
"name": "CIS Microsoft Azure Foundations",
"version": "3.0.0",
- "reference": "4.14"
+ "reference": "3.1.14"
}
]
}
],
- "azure-storage-accounts-minimum-tls-disabled.json": [
+ "azure-defender-easm-disabled.json": [
{
"enabled": true,
- "level": "low",
+ "level": "medium",
"compliance": [
{
"name": "CIS Microsoft Azure Foundations",
"version": "3.0.0",
- "reference": "4.15"
+ "reference": "3.1.15"
}
]
}
],
- "azure-sql-server-auditing-disabled.json": [
+ "azure-defender-missing-dns-protection.json": [
{
"enabled": true,
- "level": "low",
+ "level": "medium",
"compliance": [
{
"name": "CIS Microsoft Azure Foundations",
"version": "3.0.0",
- "reference": "5.1.1"
+ "reference": "3.1.16"
}
]
}
],
- "azure-sql-fw-allow-all.json": [
+ "azure-defender-missing-iot-protection.json": [
{
- "args": [
- "SQL",
- "0.0.0.0",
- "255.255.255.255",
- "A custom rule was set up with StartIp of 0.0.0.0 and EndIP of 255.255.255.255 allowing access from ANY IP over the Internet",
- "3.0.0",
- "5.1.2"
- ],
"enabled": true,
- "level": "medium"
- },
+ "level": "medium",
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "3.0.0",
+ "reference": "3.2.1"
+ }
+ ]
+ }
+ ],
+ "azure-expiration-date-for-all-keys-in-rbac-keyvault-disabled.json": [
{
- "args": [
- "SQL",
- "0.0.0.0",
- "0.0.0.0",
- "By default, for a SQL server, a Firewall exists with StartIp of 0.0.0.0 and EndIP of 0.0.0.0 allowing access to all the Azure services",
- "3.0.0",
- "5.1.2"
- ],
"enabled": true,
- "level": "medium"
+ "level": "medium",
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "3.0.0",
+ "reference": "3.3.1"
+ }
+ ]
}
],
- "azure-sql-server-tdp-own-key-enabled.json": [
+ "azure-expiration-date-for-all-keys-in-non-rbac-keyvault-disabled.json": [
{
"enabled": true,
"level": "medium",
@@ -828,12 +838,12 @@
{
"name": "CIS Microsoft Azure Foundations",
"version": "3.0.0",
- "reference": "5.1.3"
+ "reference": "3.3.2"
}
]
}
],
- "azure-sql-server-active-directory-admin-disabled.json": [
+ "azure-expiration-date-for-all-secrets-in-rbac-keyvault-disabled.json": [
{
"enabled": true,
"level": "medium",
@@ -841,38 +851,38 @@
{
"name": "CIS Microsoft Azure Foundations",
"version": "3.0.0",
- "reference": "5.1.4"
+ "reference": "3.3.3"
}
]
}
],
- "azure-sql-server-data-encryption-disabled.json": [
+ "azure-expiration-date-for-all-secrets-in-non-rbac-keyvault-disabled.json": [
{
"enabled": true,
- "level": "low",
+ "level": "medium",
"compliance": [
{
"name": "CIS Microsoft Azure Foundations",
"version": "3.0.0",
- "reference": "5.1.5"
+ "reference": "3.3.4"
}
]
}
],
- "azure-sql-server-auditing-retention.json": [
+ "azure-keyvault-recoverable.json": [
{
"enabled": true,
- "level": "low",
+ "level": "medium",
"compliance": [
{
"name": "CIS Microsoft Azure Foundations",
"version": "3.0.0",
- "reference": "5.1.6"
+ "reference": "3.3.5"
}
]
}
],
- "azure-postgresql-enforcessl-disabled.json": [
+ "azure-keyvault-rbac-disabled.json": [
{
"enabled": true,
"level": "medium",
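Review bot: `azure-keyvault-recoverable.json` names the compliant state, whereas the other finding keys in this ruleset name the condition they report (`-disabled`, `-missing`, `-not-configured`, or `-enabled` only for a risky setting such as `azure-storage-accounts-public-network-access-enabled.json`); `azure-network-security-group-flow-logs-enabled.json` in the `-1049,131 +1059,464` hunk has the same inversion. If those two findings fire when the vault is not recoverable and when flow logs are off, a reader of this mapping will take the keys to mean the opposite of what they detect. Consider `azure-keyvault-not-recoverable.json` and `azure-network-security-group-flow-logs-disabled.json`, or state the naming convention in the ruleset's `about` text so the exceptions are deliberate.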
@@ -880,12 +890,12 @@
{
"name": "CIS Microsoft Azure Foundations",
"version": "3.0.0",
- "reference": "5.2.1"
+ "reference": "3.3.6"
}
]
}
],
- "azure-postgresql-log-checkpoints-disabled.json": [
+ "azure-keyvault-private-endpoint-disabled.json": [
{
"enabled": true,
"level": "medium",
@@ -893,12 +903,12 @@
{
"name": "CIS Microsoft Azure Foundations",
"version": "3.0.0",
- "reference": "5.2.2"
+ "reference": "3.3.7"
}
]
}
],
- "azure-postgresql-connection-throttling-disabled.json": [
+ "azure-keyvault-automatic-key-rotation-disabled.json": [
{
"enabled": true,
"level": "medium",
@@ -906,12 +916,12 @@
{
"name": "CIS Microsoft Azure Foundations",
"version": "3.0.0",
- "reference": "5.2.3"
+ "reference": "3.3.8"
}
]
}
],
- "azure-postgresql-log-retention-days.json": [
+ "azure-storage-accounts-secure-transfer-disabled.json": [
{
"enabled": true,
"level": "medium",
@@ -919,12 +929,12 @@
{
"name": "CIS Microsoft Azure Foundations",
"version": "3.0.0",
- "reference": "5.2.4"
+ "reference": "4.1"
}
]
}
],
- "azure-postgresql-allow-access-azure-services-enabled.json": [
+ "azure-storage-accounts-infrastructure-encryption-disabled.json": [
{
"enabled": true,
"level": "medium",
@@ -932,12 +942,12 @@
{
"name": "CIS Microsoft Azure Foundations",
"version": "3.0.0",
- "reference": "5.2.5"
+ "reference": "4.2"
}
]
}
],
- "azure-postgresql-log-connections-disabled.json": [
+ "azure-storage-accounts-key-rotation-reminder-disabled.json": [
{
"enabled": true,
"level": "medium",
@@ -945,12 +955,12 @@
{
"name": "CIS Microsoft Azure Foundations",
"version": "3.0.0",
- "reference": "5.2.6"
+ "reference": "4.3"
}
]
}
],
- "azure-postgresql-log-disconnections-disabled.json": [
+ "azure-storage-accounts-access-key-rotation-disabled.json": [
{
"enabled": true,
"level": "medium",
@@ -958,12 +968,12 @@
{
"name": "CIS Microsoft Azure Foundations",
"version": "3.0.0",
- "reference": "5.2.7"
+ "reference": "4.4"
}
]
}
],
- "azure-postgresql-infrastructure-encryption-disabled.json": [
+ "azure-storage-account-shared-access-signature-tokens-expiration.json": [
{
"enabled": true,
"level": "medium",
@@ -971,12 +981,12 @@
{
"name": "CIS Microsoft Azure Foundations",
"version": "3.0.0",
- "reference": "5.2.8"
+ "reference": "4.5"
}
]
}
],
- "azure-mysql-enforcessl-disabled.json": [
+ "azure-storage-accounts-public-network-access-enabled.json": [
{
"enabled": true,
"level": "medium",
@@ -984,12 +994,12 @@
{
"name": "CIS Microsoft Azure Foundations",
"version": "3.0.0",
- "reference": "5.3.1"
+ "reference": "4.6"
}
]
}
],
- "azure-mysql-latest-tls-version-disabled.json": [
+ "azure-storage-account-default-network-access-rule-allow.json": [
{
"enabled": true,
"level": "medium",
@@ -997,12 +1007,12 @@
{
"name": "CIS Microsoft Azure Foundations",
"version": "3.0.0",
- "reference": "5.3.2"
+ "reference": "4.7"
}
]
}
],
- "azure-mysql-audit-log-parameter-disabled.json": [
+ "azure-storage-accounts-trusted-ms-services-bypass.json": [
{
"enabled": true,
"level": "medium",
@@ -1010,12 +1020,12 @@
{
"name": "CIS Microsoft Azure Foundations",
"version": "3.0.0",
- "reference": "5.3.3"
+ "reference": "4.8"
}
]
}
],
- "azure-mysql-audit-log-events-parameter-disabled.json": [
+ "azure-storage-account-private-endpoints-disabled.json": [
{
"enabled": true,
"level": "medium",
@@ -1023,12 +1033,12 @@
{
"name": "CIS Microsoft Azure Foundations",
"version": "3.0.0",
- "reference": "5.3.4"
+ "reference": "4.9"
}
]
}
],
- "azure-diagnostic-settings-missing-categories.json": [
+ "azure-storage-accounts-soft-delete-for-containers-and-blob-disabled.json": [
{
"enabled": true,
"level": "medium",
@@ -1036,12 +1046,12 @@
{
"name": "CIS Microsoft Azure Foundations",
"version": "3.0.0",
- "reference": "6.1.2"
+ "reference": "4.10"
}
]
}
],
- "azure-keyvault-logging-enabled.json": [
+ "azure-storage-accounts-lack-cmk.json": [
{
"enabled": true,
"level": "medium",
@@ -1049,131 +1059,464 @@
{
"name": "CIS Microsoft Azure Foundations",
"version": "3.0.0",
- "reference": "6.1.4"
+ "reference": "4.11"
}
]
}
],
- "azure-activity-log-disabled-alerts.json": [
+ "azure-storage-accounts-queue-storage-logging-disabled.json": [
{
- "args": [
- "Create Policy Assignment",
- "Microsoft.Authorization/policyAssignments/write",
- "True",
- "3.0.0",
- "6.2.1",
- "Monitoring for create policy assignment events gives insight into changes done in 'azure policy - assignments' and may reduce the time it takes to detect unsolicited changes."
- ],
"enabled": true,
- "level": "medium"
- },
+ "level": "medium",
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "3.0.0",
+ "reference": "4.12"
+ }
+ ]
+ }
+ ],
+ "azure-storage-account-logging-disabled-for-blob-service.json": [
{
- "args": [
- "Delete Policy Assignment",
- "Microsoft.Authorization/policyAssignments/delete",
- "True",
- "3.0.0",
- "6.2.2",
- "Monitoring for delete policy assignment events gives insight into changes done in 'azure policy - assignments' and may reduce the time it takes to detect unsolicited changes."
- ],
"enabled": true,
- "level": "medium"
- },
+ "level": "medium",
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "3.0.0",
+ "reference": "4.13"
+ }
+ ]
+ }
+ ],
+ "azure-storage-account-logging-disabled-for-table-service.json": [
+ {
+ "enabled": true,
+ "level": "medium",
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "3.0.0",
+ "reference": "4.14"
+ }
+ ]
+ }
+ ],
+ "azure-storage-accounts-minimum-tls-not-configured.json": [
+ {
+ "enabled": true,
+ "level": "medium",
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "3.0.0",
+ "reference": "4.15"
+ }
+ ]
+ }
+ ],
+ "azure-storage-account-cross-tenant-replication-not-enabled.json": [
+ {
+ "enabled": true,
+ "level": "medium",
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "3.0.0",
+ "reference": "4.16"
+ }
+ ]
+ }
+ ],
+ "azure-storage-account-blob-anonymous-access-enabled.json": [
+ {
+ "enabled": true,
+ "level": "medium",
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "3.0.0",
+ "reference": "4.17"
+ }
+ ]
+ }
+ ],
+ "azure-sql-server-auditing-disabled.json": [
+ {
+ "enabled": true,
+ "level": "medium",
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "3.0.0",
+ "reference": "5.1.1"
+ }
+ ]
+ }
+ ],
+ "azure-sql-fw-allow-all.json": [
{
"args": [
- "Create or Update Network Security Group",
- "Microsoft.Network/networkSecurityGroups/write",
- "True",
+ "SQL",
+ "0.0.0.0",
+ "255.255.255.255",
+ "A custom rule was set up with StartIp of 0.0.0.0 and EndIP of 255.255.255.255 allowing access from ANY IP over the Internet",
"3.0.0",
- "6.2.3",
- "Monitoring for 'Create' or 'Update Network Security Group' events gives insight into network access changes and may reduce the time it takes to detect suspicious activity."
+ "5.1.2"
],
"enabled": true,
"level": "medium"
},
{
"args": [
- "Delete Network Security Group",
- "Microsoft.Network/networkSecurityGroups/delete",
- "True",
+ "SQL",
+ "0.0.0.0",
+ "0.0.0.0",
+ "By default, for a SQL server, a Firewall exists with StartIp of 0.0.0.0 and EndIP of 0.0.0.0 allowing access to all the Azure services",
"3.0.0",
- "6.2.4",
- "Monitoring for 'Delete Network Security Group' events gives insight into network access changes and may reduce the time it takes to detect suspicious activity."
+ "5.1.2"
],
"enabled": true,
"level": "medium"
- },
+ }
+ ],
+ "azure-sql-server-tde-protector-lack-cmk-encryption.json": [
+ {
+ "enabled": true,
+ "level": "medium",
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "3.0.0",
+ "reference": "5.1.3"
+ }
+ ]
+ }
+ ],
+ "azure-sql-server-entra-id-auth-disabled.json": [
+ {
+ "enabled": true,
+ "level": "medium",
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "3.0.0",
+ "reference": "5.1.4"
+ }
+ ]
+ }
+ ],
+ "azure-sql-database-data-encryption-disabled.json": [
+ {
+ "enabled": true,
+ "level": "medium",
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "3.0.0",
+ "reference": "5.1.5"
+ }
+ ]
+ }
+ ],
+ "azure-sql-server-auditing-retention.json": [
+ {
+ "enabled": true,
+ "level": "medium",
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "3.0.0",
+ "reference": "5.1.6"
+ }
+ ]
+ }
+ ],
+ "azure-sql-server-public-network-access-enabled.json": [
+ {
+ "enabled": true,
+ "level": "medium",
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "3.0.0",
+ "reference": "5.1.7"
+ }
+ ]
+ }
+ ],
+ "azure-postgresql-secure-transport-disabled.json": [
+ {
+ "enabled": true,
+ "level": "medium",
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "3.0.0",
+ "reference": "5.2.1"
+ }
+ ]
+ }
+ ],
+ "azure-postgresql-log-checkpoints-disabled.json": [
+ {
+ "enabled": true,
+ "level": "medium",
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "3.0.0",
+ "reference": "5.2.2"
+ }
+ ]
+ }
+ ],
+ "azure-postgresql-connection-throttling-disabled.json": [
+ {
+ "enabled": true,
+ "level": "medium",
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "3.0.0",
+ "reference": "5.2.3"
+ }
+ ]
+ }
+ ],
+ "azure-postgresql-log-low-retention-days.json": [
+ {
+ "enabled": true,
+ "level": "medium",
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "3.0.0",
+ "reference": "5.2.4"
+ }
+ ]
+ }
+ ],
+ "azure-postgresql-allow-access-azure-services-enabled.json": [
+ {
+ "enabled": true,
+ "level": "medium",
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "3.0.0",
+ "reference": "5.2.5"
+ }
+ ]
+ }
+ ],
+ "azure-postgresql-log-connections-disabled.json": [
+ {
+ "enabled": true,
+ "level": "medium",
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "3.0.0",
+ "reference": "5.2.6"
+ }
+ ]
+ }
+ ],
+ "azure-postgresql-log-disconnections-disabled.json": [
+ {
+ "enabled": true,
+ "level": "medium",
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "3.0.0",
+ "reference": "5.2.7"
+ }
+ ]
+ }
+ ],
+ "azure-postgresql-infrastructure-double-encryption-disabled.json": [
+ {
+ "enabled": true,
+ "level": "medium",
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "3.0.0",
+ "reference": "5.2.8"
+ }
+ ]
+ }
+ ],
+ "azure-mysql-secure-transport-disabled.json": [
+ {
+ "enabled": true,
+ "level": "medium",
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "3.0.0",
+ "reference": "5.3.1"
+ }
+ ]
+ }
+ ],
+ "azure-mysql-latest-tls-version-disabled.json": [
+ {
+ "enabled": true,
+ "level": "medium",
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "3.0.0",
+ "reference": "5.3.2"
+ }
+ ]
+ }
+ ],
+ "azure-mysql-audit-log-disabled.json": [
+ {
+ "enabled": true,
+ "level": "medium",
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "3.0.0",
+ "reference": "5.3.3"
+ }
+ ]
+ }
+ ],
+ "azure-mysql-audit-log-connection-events-parameter-disabled.json": [
+ {
+ "enabled": true,
+ "level": "medium",
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "3.0.0",
+ "reference": "5.3.4"
+ }
+ ]
+ }
+ ],
+ "azure-cosmosdb-all-networks-enabled.json": [
+ {
+ "enabled": true,
+ "level": "medium",
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "3.0.0",
+ "reference": "5.4.1"
+ }
+ ]
+ }
+ ],
+ "azure-cosmosdb-private-endpoints-disabled.json": [
+ {
+ "enabled": true,
+ "level": "medium",
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "3.0.0",
+ "reference": "5.4.2"
+ }
+ ]
+ }
+ ],
+ "azure-cosmosdb-entraid-authentication-and-rbac-disabled.json": [
+ {
+ "enabled": true,
+ "level": "medium",
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "3.0.0",
+ "reference": "5.4.3"
+ }
+ ]
+ }
+ ],
+ "azure-diagnostic-settings-for-subscription-not-configured.json": [
{
- "args": [
- "Create or Update Security Solution",
- "Microsoft.Security/securitySolutions/write",
- "True",
- "3.0.0",
- "6.2.5",
- "Monitoring for Create or Update Security Solution events gives insight into changes to the active security solutions and may reduce the time it takes to detect suspicious activity."
- ],
"enabled": true,
- "level": "medium"
- },
+ "level": "medium",
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "3.0.0",
+ "reference": "6.1.1"
+ }
+ ]
+ }
+ ],
+ "azure-diagnostic-settings-for-subscription-missing-categories.json": [
{
- "args": [
- "Delete Security Solution",
- "Microsoft.Security/securitySolutions/delete",
- "True",
- "3.0.0",
- "6.2.6",
- "Monitoring for Delete Security Solution events gives insight into changes to the active security solutions and may reduce the time it takes to detect suspicious activity."
- ],
"enabled": true,
- "level": "medium"
- },
+ "level": "medium",
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "3.0.0",
+ "reference": "6.1.2"
+ }
+ ]
+ }
+ ],
+ "azure-activity-logs-storage-account-missing-cmk.json": [
{
- "args": [
- "Create or Update SQL Server Firewall Rule",
- "Microsoft.Sql/servers/firewallRules/write",
- "True",
- "3.0.0",
- "6.2.7",
- "Monitoring for Create or Update SQL Server Firewall Rule events gives insight into network access changes and may reduce the time it takes to detect suspicious activity."
- ],
"enabled": true,
- "level": "medium"
- },
+ "level": "medium",
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "3.0.0",
+ "reference": "6.1.3"
+ }
+ ]
+ }
+ ],
+ "azure-keyvault-logging-disabled.json": [
{
- "args": [
- "Delete SQL Server Firewall Rule",
- "Microsoft.Sql/servers/firewallRules/delete",
- "True",
- "3.0.0",
- "6.2.8",
- "Monitoring for Delete SQL Server Firewall Rule events gives insight into SQL network access changes and may reduce the time it takes to detect suspicious activity."
- ],
"enabled": true,
- "level": "medium"
- },
+ "level": "medium",
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "3.0.0",
+ "reference": "6.1.4"
+ }
+ ]
+ }
+ ],
+ "azure-network-security-group-flow-logs-enabled.json": [
{
- "args": [
- "Create or Update Public IP Address rule",
- "Microsoft.Network/publicIPAddresses/write",
- "True",
- "3.0.0",
- "6.2.9",
- "Monitoring for Create or Update Public IP Address events gives insight into network access changes and may reduce the time it takes to detect suspicious activity."
- ],
"enabled": true,
- "level": "medium"
- },
+ "level": "medium",
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "3.0.0",
+ "reference": "6.1.5"
+ }
+ ]
+ }
+ ],
+ "azure-app-services-logging-disabled.json": [
{
- "args": [
- "Delete Public IP Address rule",
- "Microsoft.Network/publicIPAddresses/delete",
- "True",
- "3.0.0",
- "6.2.10",
- "Monitoring for Delete Public IP Address events gives insight into network access changes and may reduce the time it takes to detect suspicious activity."
- ],
"enabled": true,
- "level": "medium"
+ "level": "medium",
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "3.0.0",
+ "reference": "6.1.6"
+ }
+ ]
}
],
"azure-activity-log-missing-alerts.json": [
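Review bot: The two `azure-sql-fw-allow-all.json` entries re-added in this hunk are the only ones that carry the benchmark version and reference (`"3.0.0"`, `"5.1.2"`) as positional `args` and have no `compliance` block, so anything that enumerates this ruleset by `compliance[].reference` will not attribute CIS 5.1.2 to them, and a wrong index silently changes the version or reference reported. If the finding template only consumes the positional args, adding the same `compliance` array the neighbouring `azure-sql-server-auditing-disabled.json` entry uses to each of the two objects keeps both access paths consistent. The two entries look moved rather than new, so this may be a follow-up rather than a blocker.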
@@ -1184,8 +1527,7 @@
"",
"3.0.0",
"6.2.1",
- "Monitoring for create policy assignment events gives insight into changes done in 'azure policy - assignments' and may reduce the time it takes to detect unsolicited changes.",
- "monkey365 rule"
+ "Monitoring for create policy assignment events gives insight into changes done in 'azure policy - assignments' and may reduce the time it takes to detect unsolicited changes."
],
"enabled": true,
"level": "medium"
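Review bot: Dropping the trailing `"monkey365 rule"` element shortens the `args` array of every `azure-activity-log-missing-alerts.json` entry, here and in the nine hunks that follow through 6.2.10, but nothing in the diff shows whether the finding template still references the placeholder for that position; an unmatched `_ARG_n_` would be rendered verbatim into the report rather than fail loudly. Worth confirming against the renamed template (only `_ARG_3_`/`_ARG_4_` are visible in this commit) or adding a check that every `_ARG_n_` in a finding file has a matching index in each ruleset entry. The start of each entry's `args` array is outside the hunk.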
@@ -1197,8 +1539,7 @@
"",
"3.0.0",
"6.2.2",
- "Monitoring for delete policy assignment events gives insight into changes done in 'azure policy - assignments' and may reduce the time it takes to detect unsolicited changes.",
- "monkey365 rule"
+ "Monitoring for delete policy assignment events gives insight into changes done in 'azure policy - assignments' and may reduce the time it takes to detect unsolicited changes."
],
"enabled": true,
"level": "medium"
@@ -1210,8 +1551,7 @@
"",
"3.0.0",
"6.2.3",
- "Monitoring for 'Create' or 'Update Network Security Group' events gives insight into network access changes and may reduce the time it takes to detect suspicious activity.",
- "monkey365 rule"
+ "Monitoring for 'Create' or 'Update Network Security Group' events gives insight into network access changes and may reduce the time it takes to detect suspicious activity."
],
"enabled": true,
"level": "medium"
@@ -1223,8 +1563,7 @@
"",
"3.0.0",
"6.2.4",
- "Monitoring for 'Delete Network Security Group' events gives insight into network access changes and may reduce the time it takes to detect suspicious activity.",
- "monkey365 rule"
+ "Monitoring for 'Delete Network Security Group' events gives insight into network access changes and may reduce the time it takes to detect suspicious activity."
],
"enabled": true,
"level": "medium"
@@ -1236,8 +1575,7 @@
"",
"3.0.0",
"6.2.5",
- "Monitoring for Create or Update Security Solution events gives insight into changes to the active security solutions and may reduce the time it takes to detect suspicious activity.",
- "monkey365 rule"
+ "Monitoring for Create or Update Security Solution events gives insight into changes to the active security solutions and may reduce the time it takes to detect suspicious activity."
],
"enabled": true,
"level": "medium"
@@ -1249,8 +1587,7 @@
"",
"3.0.0",
"6.2.6",
- "Monitoring for Delete Security Solution events gives insight into changes to the active security solutions and may reduce the time it takes to detect suspicious activity.",
- "monkey365 rule"
+ "Monitoring for Delete Security Solution events gives insight into changes to the active security solutions and may reduce the time it takes to detect suspicious activity."
],
"enabled": true,
"level": "medium"
@@ -1262,8 +1599,7 @@
"",
"3.0.0",
"6.2.7",
- "Monitoring for Create or Update or Delete SQL Server Firewall Rule events gives insight into network access changes and may reduce the time it takes to detect suspicious activity.",
- "monkey365 rule"
+ "Monitoring for Create or Update or Delete SQL Server Firewall Rule events gives insight into network access changes and may reduce the time it takes to detect suspicious activity."
],
"enabled": true,
"level": "medium"
@@ -1275,8 +1611,7 @@
"",
"3.0.0",
"6.2.8",
- "Monitoring for Delete SQL Server Firewall Rule events gives insight into network access changes and may reduce the time it takes to detect suspicious activity.",
- "monkey365 rule"
+ "Monitoring for Delete SQL Server Firewall Rule events gives insight into network access changes and may reduce the time it takes to detect suspicious activity."
],
"enabled": true,
"level": "medium"
@@ -1288,8 +1623,7 @@
"",
"3.0.0",
"6.2.9",
- "Monitoring for Create or Update Public IP Address events gives insight into network access changes and may reduce the time it takes to detect suspicious activity.",
- "monkey365 rule"
+ "Monitoring for Create or Update Public IP Address events gives insight into network access changes and may reduce the time it takes to detect suspicious activity."
],
"enabled": true,
"level": "medium"
@@ -1301,13 +1635,51 @@
"",
"3.0.0",
"6.2.10",
- "Monitoring for Create or Update Public IP Address events gives insight into network access changes and may reduce the time it takes to detect suspicious activity.",
- "monkey365 rule"
+ "Monitoring for Create or Update Public IP Address events gives insight into network access changes and may reduce the time it takes to detect suspicious activity."
],
"enabled": true,
"level": "medium"
}
],
+ "azure-application-insights-not-configured.json": [
+ {
+ "enabled": true,
+ "level": "medium",
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "3.0.0",
+ "reference": "6.3.1"
+ }
+ ]
+ }
+ ],
+ "azure-monitor-resource-logging-disabled.json": [
+ {
+ "enabled": true,
+ "level": "medium",
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "3.0.0",
+ "reference": "6.4"
+ }
+ ]
+ }
+ ],
+ "azure-sku-basic-detected.json": [
+ {
+ "enabled": true,
+ "level": "medium",
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "3.0.0",
+ "reference": "6.5"
+ }
+ ]
+ }
+ ],
"azure-nsg-tcp-ports-open.json": [
{
"args": [
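Review bot: The rationale retained for the `6.2.10` entry still reads `Monitoring for Create or Update Public IP Address events ...`, which is the wording of the 6.2.9 entry in the previous hunk; 6.2.10 is the delete alert (the deleted `azure-activity-log-disabled-alerts.json` mapped it with `Monitoring for Delete Public IP Address events ...`), so the report would describe the wrong operation for this control. Since the commit already rewrites this line, change it to `"Monitoring for Delete Public IP Address events gives insight into network access changes and may reduce the time it takes to detect suspicious activity."`. The first elements of this entry's `args` array are outside the hunk.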
@@ -1442,34 +1814,6 @@
"level": "medium"
}
],
- "azure-nsg-port-open.json": [
- {
- "args": [
- "ALL",
- "*",
- "`all ports` open to all. Network security groups should be periodically evaluated for port misconfigurations. Where certain ports and protocols may be exposed to the Internet, they should be evaluated for necessity and restricted wherever they are not explicitly required and narrowly configured.",
- "The potential security problem with using HTTP(S) over the Internet is that attackers can use various brute force techniques to gain access to Azure resources. Once the attackers gain access, they can use the resource as a launch point for compromising other resources within the Azure tenant.",
- "3.0.0",
- "7.4",
- ""
- ],
- "enabled": true,
- "level": "high"
- },
- {
- "args": [
- "ALL",
- "0-65535",
- "`all ports` open to all. Network security groups should be periodically evaluated for port misconfigurations. Where certain ports and protocols may be exposed to the Internet, they should be evaluated for necessity and restricted wherever they are not explicitly required and narrowly configured.",
- "The potential security problem with using HTTP(S) over the Internet is that attackers can use various brute force techniques to gain access to Azure resources. Once the attackers gain access, they can use the resource as a launch point for compromising other resources within the Azure tenant.",
- "2.0.0",
- "7.4",
- ""
- ],
- "enabled": true,
- "level": "high"
- }
- ],
"azure-network-watcher-flow-log-retention.json": [
{
"enabled": true,
@@ -1509,6 +1853,19 @@
]
}
],
+ "azure-bastion-hosts-not-present.json": [
+ {
+ "enabled": true,
+ "level": "medium",
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "3.0.0",
+ "reference": "8.1"
+ }
+ ]
+ }
+ ],
"azure-os-managed-disk-disabled.json": [
{
"enabled": true,
@@ -1522,7 +1879,7 @@
]
}
],
- "azure-vm-os-data-sse-encryption-disabled.json": [
+ "azure-vm-os-data-cmk-encryption-disabled.json": [
{
"enabled": true,
"level": "medium",
@@ -1535,7 +1892,7 @@
]
}
],
- "azure-unattached-disk-sse-encryption-disabled.json": [
+ "azure-unattached-disk-cmk-encryption-disabled.json": [
{
"enabled": true,
"level": "medium",
@@ -1548,6 +1905,32 @@
]
}
],
+ "azure-disk-network-access-allow-public-access.json": [
+ {
+ "enabled": true,
+ "level": "medium",
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "3.0.0",
+ "reference": "8.5"
+ }
+ ]
+ }
+ ],
+ "azure-data-access-authentication-disabled.json": [
+ {
+ "enabled": true,
+ "level": "medium",
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "3.0.0",
+ "reference": "8.6"
+ }
+ ]
+ }
+ ],
"azure-vm-approved-extensions.json": [
{
"enabled": true,
@@ -1561,7 +1944,7 @@
]
}
],
- "azure-vm-antimalware-disabled.json": [
+ "azure-vm-endpoint-protection-disabled.json": [
{
"enabled": true,
"level": "medium",
@@ -1587,6 +1970,32 @@
]
}
],
+ "azure-identities-with-access-to-privileged-vm-lacking-mfa.json": [
+ {
+ "enabled": true,
+ "level": "medium",
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "3.0.0",
+ "reference": "8.10"
+ }
+ ]
+ }
+ ],
+ "azure-vm-trusted-launch-disabled.json": [
+ {
+ "enabled": true,
+ "level": "medium",
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "3.0.0",
+ "reference": "8.11"
+ }
+ ]
+ }
+ ],
"azure-app-services-https-only-disabled.json": [
{
"enabled": true,
@@ -1639,7 +2048,7 @@
]
}
],
- "azure-app-services-ad-managed-identity-missing.json": [
+ "azure-app-services-eid-managed-identity-missing.json": [
{
"enabled": true,
"level": "medium",
@@ -1652,6 +2061,19 @@
]
}
],
+ "azure-app-service-basic-auth-enabled.json": [
+ {
+ "enabled": true,
+ "level": "medium",
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "3.0.0",
+ "reference": "9.6"
+ }
+ ]
+ }
+ ],
"azure-app-services-latest-php-version-missing.json": [
{
"enabled": true,
@@ -1704,7 +2126,7 @@
]
}
],
- "azure-app-services-client-certificate-missing.json": [
+ "azure-app-service-lack-keyvault-secret.json": [
{
"enabled": true,
"level": "medium",
@@ -1712,7 +2134,33 @@
{
"name": "CIS Microsoft Azure Foundations",
"version": "2.0.0",
- "reference": "9.4"
+ "reference": "9.11"
+ }
+ ]
+ }
+ ],
+ "azure-app-service-remote-debugging-enabled.json": [
+ {
+ "enabled": true,
+ "level": "medium",
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "2.0.0",
+ "reference": "9.12"
+ }
+ ]
+ }
+ ],
+ "azure-subscription-missing-resource-locks.json": [
+ {
+ "enabled": true,
+ "level": "medium",
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "2.0.0",
+ "reference": "10.1"
}
]
}
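Review bot: The new `azure-app-service-remote-debugging-enabled.json` and `azure-subscription-missing-resource-locks.json` entries, and the renamed `azure-app-service-lack-keyvault-secret.json`, declare `"version": "2.0.0"` while every other compliance block touched by this commit says `"3.0.0"`, and references `9.11`, `9.12` and `10.1` are being assigned here as part of the 3.0.0 mapping; a consumer that filters by benchmark version will drop these three from the 3.0.0 report. Unless 2.0.0 is intentional, change each to `"version": "3.0.0"`. Separately, the former `azure-app-services-client-certificate-missing.json` mapping for `9.4` is replaced rather than kept alongside the new entry, so that finding has no entry in this ruleset unless one is added outside the hunk.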
diff --git a/rules/rulesets/cis_m365_1.4.json b/rules/rulesets/cis_m365_1.4.json
deleted file mode 100644
index 8bd06634..00000000
--- a/rules/rulesets/cis_m365_1.4.json
+++ /dev/null
@@ -1,467 +0,0 @@
-{
- "about": "This ruleset contains a collection of rules for Microsoft 365 based on CIS benchmark. These rules perform static analysis on Microsoft 365 artifacts within Exchange Online, SharePoint Online, Microsoft Teams or OneDrive, among others, and are used as a mechanism to evaluate the configuration of these Microsoft 365 workloads. Rules are also divided into categories and subcategories according to the rule's type. These rules are designed to determine whether controls within a standard are being adhered to. This will ensures that Microsoft 365 tenant will meet the industry standards.",
- "framework": {
- "name" : "CIS Microsoft 365 Foundations",
- "version" : "1.4.0"
- },
- "rules": {
- "aad-iam-privileged-users-disabled-mfa.json": [
- {
- "args": [
- "aad-m365-privileged-roles.json"
- ],
- "enabled": true,
- "level": "high",
- "compliance": [
- {
- "name": "CIS Microsoft 365 Foundations",
- "version": "1.4.0",
- "reference": "1.1.1"
- }
- ]
- }
- ],
- "aad-iam-users-disabled-mfa.json": [
- {
- "enabled": true,
- "level": "high",
- "compliance": [
- {
- "name": "CIS Microsoft 365 Foundations",
- "version": "1.4.0",
- "reference": "1.1.2"
- }
- ]
- }
- ],
- "aad-iam-excessive-global-admins.json": [
- {
- "args": [
- "4"
- ],
- "enabled": true,
- "level": "high",
- "compliance": [
- {
- "name": "CIS Microsoft 365 Foundations",
- "version": "1.4.0",
- "reference": "1.1.3"
- }
- ]
- }
- ],
- "aad-iam-only-one-global-admin.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft 365 Foundations",
- "version": "1.4.0",
- "reference": "1.1.3"
- }
- ]
- }
- ],
- "aad-sspr-disabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft 365 Foundations",
- "version": "1.4.0",
- "reference": "1.1.4"
- }
- ]
- }
- ],
- "aad-password-protection-disabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft 365 Foundations",
- "version": "1.4.0",
- "reference": "1.1.5"
- }
- ]
- }
- ],
- "aad-password-hash-sync-disabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft 365 Foundations",
- "version": "1.4.0",
- "reference": "1.1.7"
- }
- ]
- }
- ],
- "aad-sign-in-policy-all_users_disabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft 365 Foundations",
- "version": "1.4.0",
- "reference": "1.1.8"
- }
- ]
- }
- ],
- "aad-sign-in-policy-disabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft 365 Foundations",
- "version": "1.4.0",
- "reference": "1.1.8"
- }
- ]
- }
- ],
- "aad-user-risk-policy-all_users_disabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft 365 Foundations",
- "version": "1.4.0",
- "reference": "1.1.9"
- }
- ]
- }
- ],
- "aad-user-risk-policy-disabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft 365 Foundations",
- "version": "1.4.0",
- "reference": "1.1.9"
- }
- ]
- }
- ],
- "aad-iam-privileged-users-active-assignment.json": [
- {
- "args": [
- "conditions/aad-m365-pim-privileged-roles.json"
- ],
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft 365 Foundations",
- "version": "1.4.0",
- "reference": "1.1.10"
- }
- ]
- }
- ],
- "aad-security-defaults-enabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft 365 Foundations",
- "version": "1.4.0",
- "reference": "1.1.11"
- }
- ]
- }
- ],
- "aad-restrict-collaboration-specific-domains-disabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft 365 Foundations",
- "version": "1.4.0",
- "reference": "1.1.13"
- }
- ]
- }
- ],
- "aad-linkedin-sync-enabled.json": [
- {
- "enabled": true,
- "level": "low",
- "compliance": [
- {
- "name": "CIS Microsoft 365 Foundations",
- "version": "1.4.0",
- "reference": "1.1.14"
- }
- ]
- }
- ],
- "aad-stay_signed_policy-disabled.json": [
- {
- "enabled": true,
- "level": "low",
- "compliance": [
- {
- "name": "CIS Microsoft 365 Foundations",
- "version": "1.4.0",
- "reference": "1.1.13"
- }
- ]
- }
- ],
- "exchange-modern-authentication-disabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft 365 Foundations",
- "version": "1.4.0",
- "reference": "1.2"
- }
- ]
- }
- ],
- "sharepoint-online-modern-authentication-disabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft 365 Foundations",
- "version": "1.4.0",
- "reference": "1.4"
- }
- ]
- }
- ],
- "aad-password-expiring-enabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft 365 Foundations",
- "version": "1.4.0",
- "reference": "1.5"
- }
- ]
- }
- ],
- "azure-activedirectory-users-can-register-apps-enabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft 365 Foundations",
- "version": "1.4.0",
- "reference": "2.1"
- }
- ]
- }
- ],
- "exchange-calendar-sharing-external-user-enabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft 365 Foundations",
- "version": "1.4.0",
- "reference": "2.2"
- }
- ]
- }
- ],
- "exchange-atp-safe-links-office-disabled.json": [
- {
- "enabled": true,
- "level": "medium"
- }
- ],
- "sharepoint-online-infected-files-download-disabled.json": [
- {
- "enabled": true,
- "level": "medium"
- }
- ],
- "azure-activedirectory-users-can-consent-apps-data-access.json": [
- {
- "enabled": true,
- "level": "low",
- "compliance": [
- {
- "name": "CIS Microsoft 365 Foundations",
- "version": "1.4.0",
- "reference": "2.6"
- }
- ]
- }
- ],
- "azure-activedirectory-apps-required-admin-consent.json": [
- {
- "enabled": true,
- "level": "info",
- "compliance": [
- {
- "name": "CIS Microsoft 365 Foundations",
- "version": "1.4.0",
- "reference": "2.7"
- }
- ]
- }
- ],
- "forms-internal-phishing-protection-disabled.json": [
- {
- "enabled": true,
- "level": "medium"
- }
- ],
- "exchange-customer-lockout-feature-enabled.json": [
- {
- "enabled": true,
- "level": "medium"
- }
- ],
- "sharepoint-data-classification-policy-disabled.json": [
- {
- "enabled": true,
- "level": "medium"
- }
- ],
- "teams-external-domain-allowed.json": [
- {
- "enabled": true,
- "level": "medium"
- }
- ],
- "exchange-dlp-policies-disabled.json": [
- {
- "enabled": true,
- "level": "medium"
- }
- ],
- "exchange-dlp-policies-Teams-disabled.json": [
- {
- "enabled": true,
- "level": "medium"
- }
- ],
- "sharepoint-external-user-sharing-disabled.json": [
- {
- "enabled": true,
- "level": "medium"
- }
- ],
- "teams-external-file-sharing-approved-storage.json": [
- {
- "enabled": true,
- "level": "medium"
- }
- ],
- "exchange-common-attachment-type-filter-enabled.json": [
- {
- "enabled": true,
- "level": "medium"
- }
- ],
- "exchange-outbound-spam-disabled.json": [
- {
- "enabled": true,
- "level": "medium"
- }
- ],
- "exchange-mail-transport-rules-forward-enabled.json": [
- {
- "enabled": true,
- "level": "medium"
- }
- ],
- "exchange-automatic-forward-enabled.json": [
- {
- "enabled": true,
- "level": "medium"
- }
- ],
- "exchange-transport-rules-domain-whitelisted.json": [
- {
- "enabled": true,
- "level": "medium"
- }
- ],
- "exchange-atp-default-safe-links-policy-disabled.json": [
- {
- "enabled": true,
- "level": "medium"
- }
- ],
- "exchange-atp-safe-attachments-policy-disabled.json": [
- {
- "enabled": true,
- "level": "medium"
- }
- ],
- "exchange-anti-phishing-policy-disabled.json": [
- {
- "enabled": true,
- "level": "medium"
- }
- ],
- "exchange-anti-malware-admin-notification-disabled.json": [
- {
- "enabled": true,
- "level": "medium"
- }
- ],
- "exchange-mailtips-disabled.json": [
- {
- "enabled": true,
- "level": "low"
- }
- ],
- "exchange-audit-log-search-disabled.json": [
- {
- "enabled": true,
- "level": "medium"
- }
- ],
- "sharepoint-document-sharing-enable-all.json": [
- {
- "enabled": true,
- "level": "high"
- }
- ],
- "onedrive-sync-from-unmanaged-domains-enabled.json": [
- {
- "enabled": true,
- "level": "medium"
- }
- ],
- "sharepoint-sharing-links-missing-expiration.json": [
- {
- "enabled": true,
- "level": "medium"
- }
- ],
- "exchange-owa-external-storage-allowed.json": [
- {
- "enabled": true,
- "level": "medium"
- }
- ]
- }
-}
\ No newline at end of file
diff --git a/rules/rulesets/cis_m365_1.5.json b/rules/rulesets/cis_m365_1.5.json
deleted file mode 100644
index 6350569a..00000000
--- a/rules/rulesets/cis_m365_1.5.json
+++ /dev/null
@@ -1,648 +0,0 @@
-{
- "about": "This ruleset contains a collection of rules for Microsoft 365 based on CIS benchmark. These rules perform static analysis on Microsoft 365 artifacts within Exchange Online, SharePoint Online, Microsoft Teams or OneDrive, among others, and are used as a mechanism to evaluate the configuration of these Microsoft 365 workloads. Rules are also divided into categories and subcategories according to the rule's type. These rules are designed to determine whether controls within a standard are being adhered to. This will ensures that Microsoft 365 tenant will meet the industry standards.",
- "framework": {
- "name" : "CIS Microsoft 365 Foundations",
- "version" : "1.5.0"
- },
- "rules": {
- "aad-iam-privileged-users-disabled-mfa.json": [
- {
- "args": [
- "aad-m365-privileged-roles.json"
- ],
- "enabled": true,
- "level": "high",
- "compliance": [
- {
- "name": "CIS Microsoft 365 Foundations",
- "version": "1.5.0",
- "reference": "1.1.1"
- }
- ]
- }
- ],
- "aad-iam-users-disabled-mfa.json": [
- {
- "enabled": true,
- "level": "high",
- "compliance": [
- {
- "name": "CIS Microsoft 365 Foundations",
- "version": "1.5.0",
- "reference": "1.1.2"
- }
- ]
- }
- ],
- "aad-iam-excessive-global-admins.json": [
- {
- "args": [
- "4"
- ],
- "enabled": true,
- "level": "high",
- "compliance": [
- {
- "name": "CIS Microsoft 365 Foundations",
- "version": "1.5.0",
- "reference": "1.1.3"
- }
- ]
- }
- ],
- "aad-iam-only-one-global-admin.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft 365 Foundations",
- "version": "1.5.0",
- "reference": "1.1.3"
- }
- ]
- }
- ],
- "aad-sspr-disabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft 365 Foundations",
- "version": "1.5.0",
- "reference": "1.1.4"
- }
- ]
- }
- ],
- "aad-password-protection-disabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft 365 Foundations",
- "version": "1.5.0",
- "reference": "1.1.5"
- }
- ]
- }
- ],
- "aad-cap-block-basic-authentication-not-enabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft 365 Foundations",
- "version": "1.5.0",
- "reference": "1.1.6"
- }
- ]
- }
- ],
- "aad-password-hash-sync-disabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft 365 Foundations",
- "version": "1.5.0",
- "reference": "1.1.7"
- }
- ]
- }
- ],
- "aad-sign-in-policy-all_users_disabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft 365 Foundations",
- "version": "1.5.0",
- "reference": "1.1.8"
- }
- ]
- }
- ],
- "aad-sign-in-policy-disabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft 365 Foundations",
- "version": "1.5.0",
- "reference": "1.1.8"
- }
- ]
- }
- ],
- "aad-user-risk-policy-all_users_disabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft 365 Foundations",
- "version": "1.5.0",
- "reference": "1.1.9"
- }
- ]
- }
- ],
- "aad-user-risk-policy-disabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft 365 Foundations",
- "version": "1.5.0",
- "reference": "1.1.9"
- }
- ]
- }
- ],
- "aad-iam-privileged-users-active-assignment.json": [
- {
- "args": [
- "aad-m365-pim-privileged-roles.json"
- ],
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft 365 Foundations",
- "version": "1.5.0",
- "reference": "1.1.10"
- }
- ]
- }
- ],
- "aad-security-defaults-enabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft 365 Foundations",
- "version": "1.5.0",
- "reference": "1.1.11"
- }
- ]
- }
- ],
- "aad-restrict-collaboration-specific-domains-disabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft 365 Foundations",
- "version": "1.5.0",
- "reference": "1.1.13"
- }
- ]
- }
- ],
- "aad-linkedin-sync-enabled.json": [
- {
- "enabled": true,
- "level": "low",
- "compliance": [
- {
- "name": "CIS Microsoft 365 Foundations",
- "version": "1.5.0",
- "reference": "1.1.14"
- }
- ]
- }
- ],
- "aad-stay_signed_policy-disabled.json": [
- {
- "enabled": true,
- "level": "low",
- "compliance": [
- {
- "name": "CIS Microsoft 365 Foundations",
- "version": "1.5.0",
- "reference": "1.1.16"
- }
- ]
- }
- ],
- "exchange-modern-authentication-disabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft 365 Foundations",
- "version": "1.5.0",
- "reference": "1.2"
- }
- ]
- }
- ],
- "sharepoint-online-modern-authentication-disabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft 365 Foundations",
- "version": "1.5.0",
- "reference": "1.3"
- }
- ]
- }
- ],
- "aad-password-expiring-enabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft 365 Foundations",
- "version": "1.5.0",
- "reference": "1.4"
- }
- ]
- }
- ],
- "azure-activedirectory-users-can-register-apps-enabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft 365 Foundations",
- "version": "1.5.0",
- "reference": "2.1"
- }
- ]
- }
- ],
- "exchange-calendar-sharing-external-user-enabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft 365 Foundations",
- "version": "1.5.0",
- "reference": "2.2"
- }
- ]
- }
- ],
- "exchange-atp-safe-links-office-disabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft 365 Foundations",
- "version": "1.5.0",
- "reference": "2.3"
- }
- ]
- }
- ],
- "sharepoint-online-infected-files-download-disabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft 365 Foundations",
- "version": "1.5.0",
- "reference": "2.5"
- }
- ]
- }
- ],
- "azure-activedirectory-users-can-consent-apps-data-access.json": [
- {
- "enabled": true,
- "level": "low",
- "compliance": [
- {
- "name": "CIS Microsoft 365 Foundations",
- "version": "1.5.0",
- "reference": "2.6"
- }
- ]
- }
- ],
- "azure-activedirectory-apps-required-admin-consent.json": [
- {
- "enabled": true,
- "level": "info",
- "compliance": [
- {
- "name": "CIS Microsoft 365 Foundations",
- "version": "1.5.0",
- "reference": "2.7"
- }
- ]
- }
- ],
- "forms-internal-phishing-protection-disabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft 365 Foundations",
- "version": "1.5.0",
- "reference": "2.10"
- }
- ]
- }
- ],
- "exchange-customer-lockout-feature-enabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft 365 Foundations",
- "version": "1.5.0",
- "reference": "3.1"
- }
- ]
- }
- ],
- "sharepoint-data-classification-policy-disabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft 365 Foundations",
- "version": "1.5.0",
- "reference": "3.2"
- }
- ]
- }
- ],
- "teams-external-domain-allowed.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft 365 Foundations",
- "version": "1.5.0",
- "reference": "3.3"
- }
- ]
- }
- ],
- "exchange-dlp-policies-disabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft 365 Foundations",
- "version": "1.5.0",
- "reference": "3.4"
- }
- ]
- }
- ],
- "exchange-dlp-policies-Teams-disabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft 365 Foundations",
- "version": "1.5.0",
- "reference": "3.5"
- }
- ]
- }
- ],
- "sharepoint-external-user-sharing-disabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft 365 Foundations",
- "version": "1.5.0",
- "reference": "3.6"
- }
- ]
- }
- ],
- "teams-external-file-sharing-approved-storage.json": [
- {
- "enabled": true,
- "level": "info",
- "compliance": [
- {
- "name": "CIS Microsoft 365 Foundations",
- "version": "1.5.0",
- "reference": "3.7"
- }
- ]
- }
- ],
- "exchange-common-attachment-type-filter-enabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft 365 Foundations",
- "version": "1.5.0",
- "reference": "4.1"
- }
- ]
- }
- ],
- "exchange-outbound-spam-disabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft 365 Foundations",
- "version": "1.5.0",
- "reference": "4.2"
- }
- ]
- }
- ],
- "exchange-mail-transport-rules-forward-enabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft 365 Foundations",
- "version": "1.5.0",
- "reference": "4.3"
- }
- ]
- }
- ],
- "exchange-automatic-forward-enabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft 365 Foundations",
- "version": "1.5.0",
- "reference": "4.3"
- }
- ]
- }
- ],
- "exchange-transport-rules-domain-whitelisted.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft 365 Foundations",
- "version": "1.5.0",
- "reference": "4.4"
- }
- ]
- }
- ],
- "exchange-atp-safe-attachments-policy-disabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft 365 Foundations",
- "version": "1.5.0",
- "reference": "4.5"
- }
- ]
- }
- ],
- "exchange-anti-phishing-policy-disabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft 365 Foundations",
- "version": "1.5.0",
- "reference": "4.6"
- }
- ]
- }
- ],
- "exchange-anti-malware-admin-notification-disabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft 365 Foundations",
- "version": "1.5.0",
- "reference": "4.10"
- }
- ]
- }
- ],
- "exchange-mailtips-disabled.json": [
- {
- "enabled": true,
- "level": "low",
- "compliance": [
- {
- "name": "CIS Microsoft 365 Foundations",
- "version": "1.5.0",
- "reference": "4.11"
- }
- ]
- }
- ],
- "exchange-audit-log-search-disabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft 365 Foundations",
- "version": "1.5.0",
- "reference": "5.1"
- }
- ]
- }
- ],
- "sharepoint-document-sharing-enable-all.json": [
- {
- "enabled": true,
- "level": "high",
- "compliance": [
- {
- "name": "CIS Microsoft 365 Foundations",
- "version": "1.5.0",
- "reference": "6.1"
- }
- ]
- }
- ],
- "onedrive-sync-from-unmanaged-domains-enabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft 365 Foundations",
- "version": "1.5.0",
- "reference": "6.2"
- }
- ]
- }
- ],
- "sharepoint-sharing-links-missing-expiration.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft 365 Foundations",
- "version": "1.5.0",
- "reference": "6.3"
- }
- ]
- }
- ],
- "exchange-owa-external-storage-allowed.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft 365 Foundations",
- "version": "1.5.0",
- "reference": "6.4"
- }
- ]
- }
- ],
- "exchange-atp-default-safe-links-policy-disabled.json": [
- {
- "enabled": true,
- "level": "medium"
- }
- ]
- }
-}
\ No newline at end of file
diff --git a/rules/rulesets/cis_m365_2.0.json b/rules/rulesets/cis_m365_2.0.json
deleted file mode 100644
index 2f3e7c36..00000000
--- a/rules/rulesets/cis_m365_2.0.json
+++ /dev/null
@@ -1,564 +0,0 @@
-{
- "about": "This ruleset contains a collection of rules for Microsoft 365 based on CIS benchmark. These rules perform static analysis on Microsoft 365 artifacts within Exchange Online, SharePoint Online, Microsoft Teams or OneDrive, among others, and are used as a mechanism to evaluate the configuration of these Microsoft 365 workloads. Rules are also divided into categories and subcategories according to the rule's type. These rules are designed to determine whether controls within a standard are being adhered to. This will ensures that Microsoft 365 tenant will meet the industry standards.",
- "framework": {
- "name" : "CIS Microsoft 365 Foundations",
- "version" : "2.0.0"
- },
- "rules": {
- "aad-security-defaults-enabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft 365 Foundations",
- "version": "2.0.0",
- "reference": "1.1.1"
- }
- ]
- }
- ],
- "aad-iam-privileged-users-disabled-mfa.json": [
- {
- "args": [
- "aad-m365-privileged-roles.json"
- ],
- "enabled": true,
- "level": "high",
- "compliance": [
- {
- "name": "CIS Microsoft 365 Foundations",
- "version": "2.0.0",
- "reference": "1.1.2"
- }
- ]
- }
- ],
- "aad-iam-users-disabled-mfa.json": [
- {
- "enabled": true,
- "level": "high",
- "compliance": [
- {
- "name": "CIS Microsoft 365 Foundations",
- "version": "2.0.0",
- "reference": "1.1.4"
- }
- ]
- }
- ],
- "aad-iam-excessive-global-admins.json": [
- {
- "args": [
- "4"
- ],
- "enabled": true,
- "level": "high",
- "compliance": [
- {
- "name": "CIS Microsoft 365 Foundations",
- "version": "2.0.0",
- "reference": "1.1.7"
- }
- ]
- }
- ],
- "aad-sspr-disabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft 365 Foundations",
- "version": "2.0.0",
- "reference": "1.1.8"
- }
- ]
- }
- ],
- "aad-bad-password-list-disabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft 365 Foundations",
- "version": "2.0.0",
- "reference": "1.1.9"
- }
- ]
- }
- ],
- "aad-password-protection-disabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft 365 Foundations",
- "version": "2.0.0",
- "reference": "1.1.10"
- }
- ]
- }
- ],
- "aad-cap-block-basic-authentication-not-enabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft 365 Foundations",
- "version": "2.0.0",
- "reference": "1.1.11"
- }
- ]
- }
- ],
- "aad-password-hash-sync-disabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft 365 Foundations",
- "version": "2.0.0",
- "reference": "1.1.12"
- }
- ]
- }
- ],
- "aad-iam-privileged-users-active-assignment.json": [
- {
- "args": [
- "aad-m365-pim-privileged-roles.json"
- ],
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft 365 Foundations",
- "version": "2.0.0",
- "reference": "1.1.15"
- }
- ]
- }
- ],
- "aad-restrict-collaboration-specific-domains-disabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft 365 Foundations",
- "version": "2.0.0",
- "reference": "1.1.17"
- }
- ]
- }
- ],
- "aad-linkedin-sync-enabled.json": [
- {
- "enabled": true,
- "level": "low",
- "compliance": [
- {
- "name": "CIS Microsoft 365 Foundations",
- "version": "2.0.0",
- "reference": "1.1.18"
- }
- ]
- }
- ],
- "aad-stay_signed_policy-disabled.json": [
- {
- "enabled": true,
- "level": "low",
- "compliance": [
- {
- "name": "CIS Microsoft 365 Foundations",
- "version": "2.0.0",
- "reference": "1.1.19"
- }
- ]
- }
- ],
- "azure-activedirectory-restrict-users-ad-portal.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft 365 Foundations",
- "version": "2.0.0",
- "reference": "1.1.20"
- }
- ]
- }
- ],
- "aad-ensure-mfa-for-azure-management-missing-cap.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft 365 Foundations",
- "version": "2.0.0",
- "reference": "1.1.21"
- }
- ]
- }
- ],
- "exchange-modern-authentication-disabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft 365 Foundations",
- "version": "2.0.0",
- "reference": "1.2"
- }
- ]
- }
- ],
- "sharepoint-online-modern-authentication-disabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft 365 Foundations",
- "version": "2.0.0",
- "reference": "1.3"
- }
- ]
- }
- ],
- "aad-password-expiring-enabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft 365 Foundations",
- "version": "2.0.0",
- "reference": "1.4"
- }
- ]
- }
- ],
- "azure-activedirectory-users-can-register-apps-enabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft 365 Foundations",
- "version": "2.0.0",
- "reference": "2.1"
- }
- ]
- }
- ],
- "exchange-calendar-sharing-external-user-enabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft 365 Foundations",
- "version": "2.0.0",
- "reference": "2.3"
- }
- ]
- }
- ],
- "exchange-atp-safe-links-office-disabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft 365 Foundations",
- "version": "2.0.0",
- "reference": "2.4"
- }
- ]
- }
- ],
- "exchange-atp-safe-links-office365-apps-disabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft 365 Foundations",
- "version": "2.0.0",
- "reference": "2.5"
- }
- ]
- }
- ],
- "sharepoint-online-infected-files-download-disabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft 365 Foundations",
- "version": "2.0.0",
- "reference": "2.6"
- }
- ]
- }
- ],
- "forms-internal-phishing-protection-disabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft 365 Foundations",
- "version": "2.0.0",
- "reference": "2.10"
- }
- ]
- }
- ],
- "sway-external-sharing-enabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft 365 Foundations",
- "version": "2.0.0",
- "reference": "2.11"
- }
- ]
- }
- ],
- "exchange-customer-lockout-feature-enabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft 365 Foundations",
- "version": "2.0.0",
- "reference": "3.1"
- }
- ]
- }
- ],
- "teams-external-domain-allowed.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft 365 Foundations",
- "version": "2.0.0",
- "reference": "3.3"
- }
- ]
- }
- ],
- "exchange-dlp-policies-disabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft 365 Foundations",
- "version": "2.0.0",
- "reference": "3.4"
- }
- ]
- }
- ],
- "exchange-dlp-policies-Teams-disabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft 365 Foundations",
- "version": "2.0.0",
- "reference": "3.5"
- }
- ]
- }
- ],
- "sharepoint-external-user-sharing-disabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft 365 Foundations",
- "version": "2.0.0",
- "reference": "3.6"
- }
- ]
- }
- ],
- "teams-external-file-sharing-approved-storage.json": [
- {
- "enabled": true,
- "level": "info",
- "compliance": [
- {
- "name": "CIS Microsoft 365 Foundations",
- "version": "2.0.0",
- "reference": "3.7"
- }
- ]
- }
- ],
- "exchange-common-attachment-type-filter-enabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft 365 Foundations",
- "version": "2.0.0",
- "reference": "4.1"
- }
- ]
- }
- ],
- "exchange-transport-rules-domain-whitelisted.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft 365 Foundations",
- "version": "2.0.0",
- "reference": "4.4"
- }
- ]
- }
- ],
- "exchange-atp-safe-attachments-policy-disabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft 365 Foundations",
- "version": "2.0.0",
- "reference": "4.5"
- }
- ]
- }
- ],
- "exchange-anti-phishing-policy-disabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft 365 Foundations",
- "version": "2.0.0",
- "reference": "4.6"
- }
- ]
- }
- ],
- "exchange-anti-malware-admin-notification-disabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft 365 Foundations",
- "version": "2.0.0",
- "reference": "4.10"
- }
- ]
- }
- ],
- "exchange-mailtips-disabled.json": [
- {
- "enabled": true,
- "level": "low",
- "compliance": [
- {
- "name": "CIS Microsoft 365 Foundations",
- "version": "2.0.0",
- "reference": "4.11"
- }
- ]
- }
- ],
- "exchange-audit-log-search-disabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft 365 Foundations",
- "version": "2.0.0",
- "reference": "5.2"
- }
- ]
- }
- ],
- "sharepoint-document-sharing-enable-all.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft 365 Foundations",
- "version": "2.0.0",
- "reference": "6.1"
- }
- ]
- }
- ],
- "onedrive-sync-from-unmanaged-domains-enabled.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft 365 Foundations",
- "version": "2.0.0",
- "reference": "6.2"
- }
- ]
- }
- ],
- "sharepoint-sharing-links-missing-expiration.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft 365 Foundations",
- "version": "2.0.0",
- "reference": "6.3"
- }
- ]
- }
- ],
- "exchange-owa-external-storage-allowed.json": [
- {
- "enabled": true,
- "level": "medium",
- "compliance": [
- {
- "name": "CIS Microsoft 365 Foundations",
- "version": "2.0.0",
- "reference": "6.5"
- }
- ]
- }
- ]
- }
-}
\ No newline at end of file
diff --git a/rules/rulesets/cis_m365_3.0.json b/rules/rulesets/cis_m365_3.0.json
index 7572a649..17148148 100644
--- a/rules/rulesets/cis_m365_3.0.json
+++ b/rules/rulesets/cis_m365_3.0.json
@@ -5,7 +5,33 @@
"version" : "3.0.0"
},
"rules": {
- "aad-iam-excessive-global-admins.json": [
+ "entra-id-missing-cloud-only-administrative-account.json": [
+ {
+ "enabled": true,
+ "level": "medium",
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations",
+ "version": "3.0.0",
+ "reference": "1.1.1"
+ }
+ ]
+ }
+ ],
+ "eid-emergency-accounts.json": [
+ {
+ "enabled": true,
+ "level": "medium",
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations",
+ "version": "3.0.0",
+ "reference": "1.1.2"
+ }
+ ]
+ }
+ ],
+ "eid-iam-excessive-global-admins.json": [
{
"args": [
"4"
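Review bot: The keys added in this hunk mix three prefixes for the same Entra ID service, `entra-id-missing-cloud-only-administrative-account.json`, `eid-emergency-accounts.json` and `eid-iam-excessive-global-admins.json`, with `entra-idle-session-exists.json` following in a later hunk and the legacy `aad-` prefix still present on context lines; the later hunks similarly introduce `exo-sign-in-shared-mailbox-enabled.json` next to existing `exchange-` keys. Pick one prefix per service (the change itself favours `eid-`) so the rule files and ruleset keys stay greppable. The rename of `aad-iam-excessive-global-admins.json` to `eid-iam-excessive-global-admins.json` also has to be mirrored by the rule file and by any other ruleset that still references the old name, which this diff does not show; only the deleted 1.4/1.5/2.0 rulesets are visibly affected.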
@@ -20,6 +46,45 @@
}
]
}
+ ],
+ "eid-ensure-guest-users-are-reviewed.json": [
+ {
+ "enabled": true,
+ "level": "medium",
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations",
+ "version": "3.0.0",
+ "reference": "1.1.4"
+ }
+ ]
+ }
+ ],
+ "eid-public-group-detected.json": [
+ {
+ "enabled": true,
+ "level": "medium",
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations",
+ "version": "3.0.0",
+ "reference": "1.2.1"
+ }
+ ]
+ }
+ ],
+ "exo-sign-in-shared-mailbox-enabled.json": [
+ {
+ "enabled": true,
+ "level": "medium",
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations",
+ "version": "3.0.0",
+ "reference": "1.2.2"
+ }
+ ]
+ }
],
"aad-password-expiring-enabled.json": [
{
@@ -33,6 +98,19 @@
}
]
}
+ ],
+ "entra-idle-session-exists.json": [
+ {
+ "enabled": true,
+ "level": "low",
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations",
+ "version": "3.0.0",
+ "reference": "1.3.2"
+ }
+ ]
+ }
],
"exchange-calendar-sharing-external-user-enabled.json": [
{
@@ -46,6 +124,19 @@
}
]
}
+ ],
+ "m365-user-owned-apps-and-services-allowed.json": [
+ {
+ "enabled": true,
+ "level": "low",
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations",
+ "version": "3.0.0",
+ "reference": "1.3.4"
+ }
+ ]
+ }
],
"forms-internal-phishing-protection-disabled.json": [
{
@@ -72,6 +163,19 @@
}
]
}
+ ],
+ "third-party-storage-allowed-microsoft365.json": [
+ {
+ "enabled": true,
+ "level": "medium",
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations",
+ "version": "3.0.0",
+ "reference": "1.3.7"
+ }
+ ]
+ }
],
"sway-external-sharing-enabled.json": [
{
@@ -80,8 +184,8 @@
"compliance": [
{
"name": "CIS Microsoft 365 Foundations",
- "version": "2.0.0",
- "reference": "2.11"
+ "version": "3.0.0",
+ "reference": "1.3.8"
}
]
}
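Review bot: This hunk is a concrete case of the per-rule `version` drifting from the ruleset header — the entry under `sway-external-sharing-enabled.json` still carried `2.0.0` and the 2.x reference `2.11` inside a file whose header declares `"version" : "3.0.0"`. Every entry repeats `"name": "CIS Microsoft 365 Foundations"` and `"version": "3.0.0"`, so nothing stops the same mismatch recurring on the next edit. If the loader cannot inherit these from the header, a small validation that every `compliance[].version` equals the header version and that each `reference` is unique within the file would have caught both this and the duplicated `aad-cap-block-sign-in-risk-not-enabled.json` key the old file had.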
@@ -137,6 +241,32 @@
}
]
}
+ ],
+ "exchange-atp-safe-attachments-for-sharepoint-onedrive-and-teams-disabled.json": [
+ {
+ "enabled": true,
+ "level": "medium",
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations",
+ "version": "3.0.0",
+ "reference": "2.1.5"
+ }
+ ]
+ }
+ ],
+ "exchange-spam-policies-notify-admin-disabled.json": [
+ {
+ "enabled": true,
+ "level": "medium",
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations",
+ "version": "3.0.0",
+ "reference": "2.1.6"
+ }
+ ]
+ }
],
"exchange-anti-phishing-policy-disabled.json": [
{
@@ -151,7 +281,7 @@
]
}
],
- "exchange-audit-log-search-disabled.json": [
+ "exchange-spf-records-are-published-for-all-exchange-domains.json": [
{
"enabled": true,
"level": "medium",
@@ -159,12 +289,12 @@
{
"name": "CIS Microsoft 365 Foundations",
"version": "3.0.0",
- "reference": "3.1.1"
+ "reference": "2.1.8"
}
]
}
],
- "exchange-dlp-policies-disabled.json": [
+ "exchange-dkim-disabled-for-domain.json": [
{
"enabled": true,
"level": "medium",
@@ -172,12 +302,12 @@
{
"name": "CIS Microsoft 365 Foundations",
"version": "3.0.0",
- "reference": "3.2.1"
+ "reference": "2.1.9"
}
]
}
],
- "exchange-dlp-policies-Teams-disabled.json": [
+ "exchange-missing-dmarc-records.json": [
{
"enabled": true,
"level": "medium",
@@ -185,171 +315,181 @@
{
"name": "CIS Microsoft 365 Foundations",
"version": "3.0.0",
- "reference": "3.2.2"
+ "reference": "2.1.10"
}
]
}
],
- "aad-security-defaults-enabled.json": [
+ "exchange-spoofed-domains-report-is-reviewed.json": [
{
"enabled": true,
"level": "medium",
- "compliance": [
+ "compliance": [
{
"name": "CIS Microsoft 365 Foundations",
"version": "3.0.0",
- "reference": "5.1.1.1"
+ "reference": "2.1.11"
}
]
}
],
- "azure-activedirectory-users-can-register-apps-enabled.json": [
+ "exchange-restricted-entities-report-is-reviewed.json": [
{
"enabled": true,
"level": "medium",
- "compliance": [
+ "compliance": [
{
"name": "CIS Microsoft 365 Foundations",
"version": "3.0.0",
- "reference": "5.1.2.2"
+ "reference": "2.1.12"
}
]
}
],
- "non-admin-users-allowedto-create-tenants.json": [
+ "exchange-account-provisioning-activity-report-is-reviewed.json": [
{
"enabled": true,
"level": "medium",
- "compliance": [
+ "compliance": [
{
"name": "CIS Microsoft 365 Foundations",
"version": "3.0.0",
- "reference": "5.1.2.3"
+ "reference": "2.3.1"
}
]
}
],
- "azure-activedirectory-restrict-users-ad-portal.json": [
+ "exchange-non-global-administrator-role-assignments-are-reviewed.json": [
{
"enabled": true,
"level": "medium",
- "compliance": [
+ "compliance": [
{
"name": "CIS Microsoft 365 Foundations",
"version": "3.0.0",
- "reference": "5.1.2.4"
+ "reference": "2.3.2"
}
]
}
],
- "aad-stay_signed_policy-disabled.json": [
+ "exchange-priority-account-protection-not-enabled.json": [
{
"enabled": true,
- "level": "low",
- "compliance": [
+ "level": "medium",
+ "compliance": [
{
"name": "CIS Microsoft 365 Foundations",
"version": "3.0.0",
- "reference": "5.1.2.5"
+ "reference": "2.4.1"
}
]
}
],
- "aad-linkedin-sync-enabled.json": [
+ "exchange-priority-accounts-lacks-strict-protection.json": [
{
"enabled": true,
- "level": "low",
- "compliance": [
+ "level": "medium",
+ "compliance": [
{
"name": "CIS Microsoft 365 Foundations",
"version": "3.0.0",
- "reference": "5.1.2.6"
+ "reference": "2.4.2"
}
]
}
],
- "azure-activedirectory-users-can-consent-apps-data-access-trusted-publishers-disabled.json": [
+ "exchange-defender-for-cloud-apps-not-enabled.json": [
{
"enabled": true,
"level": "medium",
- "compliance": [
+ "compliance": [
{
"name": "CIS Microsoft 365 Foundations",
"version": "3.0.0",
- "reference": "5.1.5.2"
+ "reference": "2.4.3"
}
]
}
],
- "aad-restrict-collaboration-specific-domains-disabled.json": [
+ "purview-audit-log-search-disabled.json": [
{
"enabled": true,
"level": "medium",
- "compliance": [
+ "compliance": [
{
"name": "CIS Microsoft 365 Foundations",
"version": "3.0.0",
- "reference": "5.1.6.1"
+ "reference": "3.1.1"
}
]
}
],
- "aad-password-hash-sync-disabled.json": [
+ "purview-user-role-group-changes-report-is-reviewed.json": [
+ {
+ "enabled": true,
+ "level": "low",
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations",
+ "version": "3.0.0",
+ "reference": "3.1.2"
+ }
+ ]
+ }
+ ],
+ "purview-dlp-policies-disabled.json": [
{
"enabled": true,
"level": "medium",
- "compliance": [
+ "compliance": [
{
"name": "CIS Microsoft 365 Foundations",
"version": "3.0.0",
- "reference": "5.1.8.1"
+ "reference": "3.2.1"
}
]
}
],
- "aad-iam-privileged-users-disabled-mfa.json": [
+ "purview-dlp-policies-Teams-disabled.json": [
{
- "args": [
- "aad-m365-privileged-roles.json"
- ],
"enabled": true,
- "level": "high",
- "compliance": [
+ "level": "medium",
+ "compliance": [
{
"name": "CIS Microsoft 365 Foundations",
"version": "3.0.0",
- "reference": "5.2.2.1"
+ "reference": "3.2.2"
}
]
}
],
- "aad-iam-users-disabled-mfa.json": [
+ "purview-sharepoint-online-lack-of-information-protection-policies.json": [
{
"enabled": true,
- "level": "high",
- "compliance": [
+ "level": "medium",
+ "compliance": [
{
"name": "CIS Microsoft 365 Foundations",
"version": "3.0.0",
- "reference": "5.2.2.2"
+ "reference": "3.3.1"
}
]
}
],
- "aad-cap-block-basic-authentication-not-enabled.json": [
+ "entra-security-defaults-disabled.json": [
{
"enabled": true,
"level": "medium",
- "compliance": [
+ "compliance": [
{
"name": "CIS Microsoft 365 Foundations",
"version": "3.0.0",
- "reference": "5.2.2.3"
+ "reference": "5.1.1.1"
}
]
}
],
- "aad-cap-block-high-risk-users-not-enabled.json": [
+ "eid-per-user-mfa-disabled.json": [
{
"enabled": true,
"level": "medium",
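Review bot: `entra-security-defaults-disabled.json` at 5.1.1.1 reads as the opposite direction from the key it replaces, `aad-security-defaults-enabled.json`, and from the violation-state phrasing of its neighbours such as `eid-per-user-mfa-disabled.json`. If keys name the non-compliant condition, then for a benchmark item that wants Security Defaults off in favour of Conditional Access the finding should be `…-security-defaults-enabled`; if the finding actually fires when defaults are disabled, it contradicts the control it is mapped to, so the name should be checked against the finding file before this mapping ships. Separately, `purview-dlp-policies-Teams-disabled.json` keeps a capital `T` that resolves differently on case-sensitive and case-insensitive filesystems. The `…-report-is-reviewed` entries (2.1.11, 2.1.12, 2.3.1, 2.3.2, 3.1.2) map procedural controls that an automated scan can presumably only approximate, so their finding text should state what is actually being checked.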
@@ -357,12 +497,12 @@
{
"name": "CIS Microsoft 365 Foundations",
"version": "3.0.0",
- "reference": "5.2.2.6"
+ "reference": "5.1.2.1"
}
]
}
],
- "aad-cap-block-sign-in-risk-not-enabled.json": [
+ "eid-users-can-register-apps-enabled.json": [
{
"enabled": true,
"level": "medium",
@@ -370,12 +510,12 @@
{
"name": "CIS Microsoft 365 Foundations",
"version": "3.0.0",
- "reference": "5.2.2.7"
+ "reference": "5.1.2.2"
}
]
}
],
- "aad-cap-block-sign-in-risk-not-enabled.json": [
+ "eid-non-admin-users-allowedto-create-tenants.json": [
{
"enabled": true,
"level": "medium",
@@ -383,12 +523,12 @@
{
"name": "CIS Microsoft 365 Foundations",
"version": "3.0.0",
- "reference": "5.2.2.7"
+ "reference": "5.1.2.3"
}
]
}
],
- "microsoft-authenticator-lack-mfa-fatigue-protection.json": [
+ "azure-activedirectory-restrict-users-ad-portal.json": [
{
"enabled": true,
"level": "medium",
@@ -396,64 +536,64 @@
{
"name": "CIS Microsoft 365 Foundations",
"version": "3.0.0",
- "reference": "5.2.3.1"
+ "reference": "5.1.2.4"
}
]
}
],
- "aad-bad-password-list-disabled.json": [
+ "aad-stay_signed_policy-disabled.json": [
{
"enabled": true,
- "level": "medium",
+ "level": "low",
"compliance": [
{
"name": "CIS Microsoft 365 Foundations",
"version": "3.0.0",
- "reference": "5.2.3.2"
+ "reference": "5.1.2.5"
}
]
}
],
- "aad-password-protection-disabled.json": [
+ "aad-linkedin-sync-enabled.json": [
{
"enabled": true,
- "level": "medium",
+ "level": "low",
"compliance": [
{
"name": "CIS Microsoft 365 Foundations",
"version": "3.0.0",
- "reference": "5.2.3.3"
+ "reference": "5.1.2.6"
}
]
}
],
- "aad-sspr-disabled.json": [
+ "eid-dynamic-group-for-guest-users-not-present.json": [
{
"enabled": true,
- "level": "medium",
+ "level": "low",
"compliance": [
{
"name": "CIS Microsoft 365 Foundations",
"version": "3.0.0",
- "reference": "5.2.4.1"
+ "reference": "5.1.3.1"
}
]
}
],
- "exchange-transport-rules-domain-whitelisted.json": [
+ "eid-application-usage-report-is-reviewed.json": [
{
"enabled": true,
"level": "medium",
- "compliance": [
+ "compliance": [
{
"name": "CIS Microsoft 365 Foundations",
"version": "3.0.0",
- "reference": "6.2.2"
+ "reference": "5.1.5.1"
}
]
}
],
- "exchange-modern-authentication-disabled.json": [
+ "azure-activedirectory-users-can-consent-apps-data-access-trusted-publishers-disabled.json": [
{
"enabled": true,
"level": "medium",
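Review bot: `aad-stay_signed_policy-disabled.json` mixes an underscore into an otherwise hyphenated key set, and this hunk alone carries three spellings of the same service — `aad-`, `eid-` and `azure-activedirectory-` — with `entra-` used elsewhere in the file, which makes grep-based audits of Entra ID coverage unreliable. Since these keys are being moved rather than newly written, this is the moment to settle on one prefix (the new entries use `eid-`) and rename the finding files to match. Note also that `eid-application-usage-report-is-reviewed.json` at 5.1.5.1 is `medium` while the comparable report-review control at 3.1.2 is `low`; the procedural controls should get their level from one rule.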
@@ -461,81 +601,617 @@
{
"name": "CIS Microsoft 365 Foundations",
"version": "3.0.0",
- "reference": "6.5.1"
+ "reference": "5.1.5.2"
}
]
}
],
- "exchange-mailtips-disabled.json": [
+ "eid-admin-consent-workflow-not-enabled.json": [
{
"enabled": true,
- "level": "low",
- "compliance": [
+ "level": "medium",
+ "compliance": [
{
"name": "CIS Microsoft 365 Foundations",
"version": "3.0.0",
- "reference": "6.5.2"
+ "reference": "5.1.5.3"
}
]
}
],
- "exchange-owa-external-storage-allowed.json": [
+ "aad-restrict-collaboration-specific-domains-disabled.json": [
{
"enabled": true,
"level": "medium",
- "compliance": [
+ "compliance": [
{
"name": "CIS Microsoft 365 Foundations",
"version": "3.0.0",
- "reference": "6.5.3"
+ "reference": "5.1.6.1"
}
]
}
],
- "sharepoint-b2b-integration-disabled.json": [
+ "aad-password-hash-sync-disabled.json": [
{
"enabled": true,
- "level": "low",
- "compliance": [
+ "level": "medium",
+ "compliance": [
{
"name": "CIS Microsoft 365 Foundations",
"version": "3.0.0",
- "reference": "7.2.2"
+ "reference": "5.1.8.1"
}
]
}
],
- "sharepoint-online-infected-files-download-disabled.json": [
+ "aad-iam-privileged-users-disabled-mfa.json": [
{
+ "args": [
+ "aad-m365-privileged-roles.json"
+ ],
"enabled": true,
- "level": "medium",
- "compliance": [
+ "level": "high",
+ "compliance": [
{
"name": "CIS Microsoft 365 Foundations",
"version": "3.0.0",
- "reference": "7.3.1"
+ "reference": "5.2.2.1"
}
]
}
],
- "onedrive-sync-from-unmanaged-domains-enabled.json": [
+ "aad-iam-users-disabled-mfa.json": [
{
"enabled": true,
- "level": "medium",
- "compliance": [
+ "level": "high",
+ "compliance": [
{
"name": "CIS Microsoft 365 Foundations",
"version": "3.0.0",
- "reference": "7.3.2"
+ "reference": "5.2.2.2"
}
]
}
],
- "teams-external-file-sharing-approved-storage.json": [
+ "aad-cap-block-basic-authentication-not-enabled.json": [
{
"enabled": true,
- "level": "info",
- "compliance": [
+ "level": "medium",
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations",
+ "version": "3.0.0",
+ "reference": "5.2.2.3"
+ }
+ ]
+ }
+ ],
+ "eid-cap-lack-sign-in-frequency-browser-persistent-session.json": [
+ {
+ "enabled": true,
+ "level": "medium",
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations",
+ "version": "3.0.0",
+ "reference": "5.2.2.4"
+ }
+ ]
+ }
+ ],
+ "eid-ensure-phishing-resistant-mfa-for-high-privileged-users-missing-cap.json": [
+ {
+ "enabled": true,
+ "level": "medium",
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations",
+ "version": "3.0.0",
+ "reference": "5.2.2.5"
+ }
+ ]
+ }
+ ],
+ "eid-cap-user-risk-policy-require-password-change.json": [
+ {
+ "enabled": true,
+ "level": "medium",
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations",
+ "version": "3.0.0",
+ "reference": "5.2.2.6"
+ }
+ ]
+ }
+ ],
+ "eid-cap-sign-in-risk-policy-require-mfa.json": [
+ {
+ "enabled": true,
+ "level": "medium",
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations",
+ "version": "3.0.0",
+ "reference": "5.2.2.7"
+ }
+ ]
+ }
+ ],
+ "eid-ensure-mfa-for-azure-management-missing-cap.json": [
+ {
+ "enabled": true,
+ "level": "medium",
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations",
+ "version": "3.0.0",
+ "reference": "5.2.2.8"
+ }
+ ]
+ }
+ ],
+ "eid-microsoft-authenticator-lack-mfa-fatigue-protection.json": [
+ {
+ "enabled": true,
+ "level": "medium",
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations",
+ "version": "3.0.0",
+ "reference": "5.2.3.1"
+ }
+ ]
+ }
+ ],
+ "eid-custom-banned-password-list-disabled.json": [
+ {
+ "enabled": true,
+ "level": "medium",
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations",
+ "version": "3.0.0",
+ "reference": "5.2.3.2"
+ }
+ ]
+ }
+ ],
+ "eid-password-protection-on-prem-not-enabled.json": [
+ {
+ "enabled": true,
+ "level": "medium",
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations",
+ "version": "3.0.0",
+ "reference": "5.2.3.3"
+ }
+ ]
+ }
+ ],
+ "eid-sspr-enabled-set-to-all.json": [
+ {
+ "enabled": true,
+ "level": "medium",
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations",
+ "version": "3.0.0",
+ "reference": "5.2.4.1"
+ }
+ ]
+ }
+ ],
+ "eid-sspr-password-reset-activity-report-is-reviewed.json": [
+ {
+ "enabled": true,
+ "level": "medium",
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations",
+ "version": "3.0.0",
+ "reference": "5.2.4.2"
+ }
+ ]
+ }
+ ],
+ "eid-risky-sign-ins-report-is-reviewed.json": [
+ {
+ "enabled": true,
+ "level": "medium",
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations",
+ "version": "3.0.0",
+ "reference": "5.2.6.1"
+ }
+ ]
+ }
+ ],
+ "eid-pim-is-used-to-manage-roles.json": [
+ {
+ "enabled": true,
+ "level": "medium",
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations",
+ "version": "3.0.0",
+ "reference": "5.3.1"
+ }
+ ]
+ }
+ ],
+ "eid-access-reviews-for-guest-users-are-configured.json": [
+ {
+ "enabled": true,
+ "level": "medium",
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations",
+ "version": "3.0.0",
+ "reference": "5.3.2"
+ }
+ ]
+ }
+ ],
+ "eid-high-privileged-roles-access-reviews-not-configured.json": [
+ {
+ "enabled": true,
+ "level": "medium",
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations",
+ "version": "3.0.0",
+ "reference": "5.3.3"
+ }
+ ]
+ }
+ ],
+ "exchange-audit-enabled-globally.json": [
+ {
+ "enabled": true,
+ "level": "medium",
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations",
+ "version": "3.0.0",
+ "reference": "6.1.1"
+ }
+ ]
+ }
+ ],
+ "exchange-mailbox-auditing-e3-enabled.json": [
+ {
+ "enabled": true,
+ "level": "medium",
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations",
+ "version": "3.0.0",
+ "reference": "6.1.2"
+ }
+ ]
+ }
+ ],
+ "exchange-mailbox-auditing-e5-enabled.json": [
+ {
+ "enabled": true,
+ "level": "medium",
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations",
+ "version": "3.0.0",
+ "reference": "6.1.3"
+ }
+ ]
+ }
+ ],
+ "exchange-audit-bypass-enabled.json": [
+ {
+ "enabled": true,
+ "level": "medium",
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations",
+ "version": "3.0.0",
+ "reference": "6.1.4"
+ }
+ ]
+ }
+ ],
+ "exchange-mail-forwarding-blocked-and-disabled.json": [
+ {
+ "enabled": true,
+ "level": "medium",
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations",
+ "version": "3.0.0",
+ "reference": "6.2.1"
+ }
+ ]
+ }
+ ],
+ "exchange-transport-rules-domain-whitelisted.json": [
+ {
+ "enabled": true,
+ "level": "medium",
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations",
+ "version": "3.0.0",
+ "reference": "6.2.2"
+ }
+ ]
+ }
+ ],
+ "exchange-external-email-sender-configured.json": [
+ {
+ "enabled": true,
+ "level": "medium",
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations",
+ "version": "3.0.0",
+ "reference": "6.2.3"
+ }
+ ]
+ }
+ ],
+ "exchange-users-installing-outlook-add-ins-allowed.json": [
+ {
+ "enabled": true,
+ "level": "medium",
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations",
+ "version": "3.0.0",
+ "reference": "6.3.1"
+ }
+ ]
+ }
+ ],
+ "exchange-mail-forwarding-rules-are-reviewed.json": [
+ {
+ "enabled": true,
+ "level": "medium",
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations",
+ "version": "3.0.0",
+ "reference": "6.4.1"
+ }
+ ]
+ }
+ ],
+ "exchange-modern-authentication-disabled.json": [
+ {
+ "enabled": true,
+ "level": "medium",
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations",
+ "version": "3.0.0",
+ "reference": "6.5.1"
+ }
+ ]
+ }
+ ],
+ "exchange-mailtips-disabled.json": [
+ {
+ "enabled": true,
+ "level": "medium",
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations",
+ "version": "3.0.0",
+ "reference": "6.5.2"
+ }
+ ]
+ }
+ ],
+ "exchange-owa-external-storage-allowed.json": [
+ {
+ "enabled": true,
+ "level": "low",
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations",
+ "version": "3.0.0",
+ "reference": "6.5.3"
+ }
+ ]
+ }
+ ],
+ "sharepoint-modern-authentication-required.json": [
+ {
+ "enabled": true,
+ "level": "medium",
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations",
+ "version": "3.0.0",
+ "reference": "7.2.1"
+ }
+ ]
+ }
+ ],
+ "sharepoint-b2b-integration-disabled.json": [
+ {
+ "enabled": true,
+ "level": "low",
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations",
+ "version": "3.0.0",
+ "reference": "7.2.2"
+ }
+ ]
+ }
+ ],
+ "sharepoint-external-content-sharing-not-restricted.json": [
+ {
+ "enabled": true,
+ "level": "medium",
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations",
+ "version": "3.0.0",
+ "reference": "7.2.3"
+ }
+ ]
+ }
+ ],
+ "sharepoint-onedrive-external-content-sharing-not-restricted.json": [
+ {
+ "enabled": true,
+ "level": "medium",
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations",
+ "version": "3.0.0",
+ "reference": "7.2.4"
+ }
+ ]
+ }
+ ],
+ "sharepoint-guest-user-sharing-disabled.json": [
+ {
+ "enabled": true,
+ "level": "info",
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations",
+ "version": "3.0.0",
+ "reference": "7.2.5"
+ }
+ ]
+ }
+ ],
+ "sharepoint-external-sharing-managed-allow-deny-domain-list.json": [
+ {
+ "enabled": true,
+ "level": "info",
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations",
+ "version": "3.0.0",
+ "reference": "7.2.6"
+ }
+ ]
+ }
+ ],
+ "sharepoint-link-sharing-not-restricted.json": [
+ {
+ "enabled": true,
+ "level": "info",
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations",
+ "version": "3.0.0",
+ "reference": "7.2.7"
+ }
+ ]
+ }
+ ],
+ "sharepoint-external-sharing-not-restricted-by-security-group.json": [
+ {
+ "enabled": true,
+ "level": "info",
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations",
+ "version": "3.0.0",
+ "reference": "7.2.8"
+ }
+ ]
+ }
+ ],
+ "sharepoint-guest-access-to-site-or-onedrive-not-expire.json": [
+ {
+ "enabled": true,
+ "level": "info",
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations",
+ "version": "3.0.0",
+ "reference": "7.2.9"
+ }
+ ]
+ }
+ ],
+ "sharepoint-reauthentication-with-verification-code-disabled.json": [
+ {
+ "enabled": true,
+ "level": "info",
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations",
+ "version": "3.0.0",
+ "reference": "7.2.10"
+ }
+ ]
+ }
+ ],
+ "sharepoint-microsoft365-infected-files-disallowed-to-download-not-enabled.json": [
+ {
+ "enabled": true,
+ "level": "info",
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations",
+ "version": "3.0.0",
+ "reference": "7.3.1"
+ }
+ ]
+ }
+ ],
+ "sharepoint-onedrive-sync-restricted-for-unmanaged-devices.json": [
+ {
+ "enabled": true,
+ "level": "info",
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations",
+ "version": "3.0.0",
+ "reference": "7.3.2"
+ }
+ ]
+ }
+ ],
+ "sharepoint-custom-script-execution-personal-sites-disabled.json": [
+ {
+ "enabled": true,
+ "level": "info",
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations",
+ "version": "3.0.0",
+ "reference": "7.3.3"
+ }
+ ]
+ }
+ ],
+ "sharepoint-custom-script-execution-enabled-on-site-collections.json": [
+ {
+ "enabled": true,
+ "level": "info",
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations",
+ "version": "3.0.0",
+ "reference": "7.3.4"
+ }
+ ]
+ }
+ ],
+ "teams-external-file-sharing-enabled-only-for-approved-cloud-storage-services.json": [
+ {
+ "enabled": true,
+ "level": "info",
+ "compliance": [
{
"name": "CIS Microsoft 365 Foundations",
"version": "3.0.0",
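Review bot: Several controls change severity in this hunk without the commit saying so: `exchange-owa-external-storage-allowed.json` drops from `medium` to `low`, `exchange-mailtips-disabled.json` rises from `low` to `medium`, and the renamed infected-file download (7.3.1) and unmanaged-device sync (7.3.2) checks go from `medium` on the old keys to `info` on the new ones. A consumer that only surfaces `medium` and above would stop seeing a malware-download-allowed finding after this update, which is the kind of regression a changelog line should call out, and 7.3.x at `info` looks inconsistent with 7.2.3/7.2.4 at `medium`. The additions also mix compliant-state names (`exchange-audit-enabled-globally.json`, `eid-sspr-enabled-set-to-all.json`, `sharepoint-modern-authentication-required.json`) with violation-state names (`exchange-audit-bypass-enabled.json`, `exchange-users-installing-outlook-add-ins-allowed.json`), so a reader cannot tell from the key whether a hit is good or bad. Picking the violation-state form throughout would match most of the file (the keys must stay aligned with the finding filenames, so the rename belongs there too); the Teams file-sharing entry that opens at the end of this hunk closes in the next one.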
@@ -543,6 +1219,279 @@
}
]
}
+ ],
+ "teams-disable-users-sent-emails-to-channel-email-address.json": [
+ {
+ "enabled": true,
+ "level": "info",
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations",
+ "version": "3.0.0",
+ "reference": "8.1.2"
+ }
+ ]
+ }
+ ],
+ "teams-external-access-not-restricted.json": [
+ {
+ "enabled": true,
+ "level": "info",
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations",
+ "version": "3.0.0",
+ "reference": "8.2.1"
+ }
+ ]
+ }
+ ],
+ "teams-app-permission-policies-not-configured.json": [
+ {
+ "enabled": true,
+ "level": "info",
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations",
+ "version": "3.0.0",
+ "reference": "8.4.1"
+ }
+ ]
+ }
+ ],
+ "teams-anonymous-users-cant-join-meeting.json": [
+ {
+ "enabled": true,
+ "level": "info",
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations",
+ "version": "3.0.0",
+ "reference": "8.5.1"
+ }
+ ]
+ }
+ ],
+ "teams-anonymous-users-and-dial-in-callers-not-restricted-start-meeting.json": [
+ {
+ "enabled": true,
+ "level": "info",
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations",
+ "version": "3.0.0",
+ "reference": "8.5.2"
+ }
+ ]
+ }
+ ],
+ "teams-only-org-people-can-bypass-lobby.json": [
+ {
+ "enabled": true,
+ "level": "info",
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations",
+ "version": "3.0.0",
+ "reference": "8.5.3"
+ }
+ ]
+ }
+ ],
+ "teams-users-dialing-in-cant-bypass-lobby.json": [
+ {
+ "enabled": true,
+ "level": "info",
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations",
+ "version": "3.0.0",
+ "reference": "8.5.4"
+ }
+ ]
+ }
+ ],
+ "teams-meeting-chat-not-allow-anonymous-users.json": [
+ {
+ "enabled": true,
+ "level": "info",
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations",
+ "version": "3.0.0",
+ "reference": "8.5.5"
+ }
+ ]
+ }
+ ],
+ "teams-only-organizers-and-co-organizers-can-present.json": [
+ {
+ "enabled": true,
+ "level": "info",
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations",
+ "version": "3.0.0",
+ "reference": "8.5.6"
+ }
+ ]
+ }
+ ],
+ "teams-external-participants-cannot-give-or-request-control.json": [
+ {
+ "enabled": true,
+ "level": "info",
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations",
+ "version": "3.0.0",
+ "reference": "8.5.7"
+ }
+ ]
+ }
+ ],
+ "teams-external-meeting-chat-is-off.json": [
+ {
+ "enabled": true,
+ "level": "medium",
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations",
+ "version": "3.0.0",
+ "reference": "8.5.8"
+ }
+ ]
+ }
+ ],
+ "teams-users-can-report-security-concerns-not-configured.json": [
+ {
+ "enabled": true,
+ "level": "info",
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations",
+ "version": "3.0.0",
+ "reference": "8.6.1"
+ }
+ ]
+ }
+ ],
+ "fabric-guest-user-access-not-restricted.json": [
+ {
+ "enabled": true,
+ "level": "medium",
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations",
+ "version": "3.0.0",
+ "reference": "9.1.1"
+ }
+ ]
+ }
+ ],
+ "fabric-external-user-invitations-not-restricted.json": [
+ {
+ "enabled": true,
+ "level": "medium",
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations",
+ "version": "3.0.0",
+ "reference": "9.1.2"
+ }
+ ]
+ }
+ ],
+ "fabric-guest-access-to-content-not-restricted.json": [
+ {
+ "enabled": true,
+ "level": "medium",
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations",
+ "version": "3.0.0",
+ "reference": "9.1.3"
+ }
+ ]
+ }
+ ],
+ "fabric-publish-to-web-not-restricted.json": [
+ {
+ "enabled": true,
+ "level": "medium",
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations",
+ "version": "3.0.0",
+ "reference": "9.1.4"
+ }
+ ]
+ }
+ ],
+ "fabric-interact-with-r-and-python-not-disabled.json": [
+ {
+ "enabled": true,
+ "level": "low",
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations",
+ "version": "3.0.0",
+ "reference": "9.1.5"
+ }
+ ]
+ }
+ ],
+ "fabric-allow-users-apply-sensitivity-labels-not-enabled.json": [
+ {
+ "enabled": true,
+ "level": "low",
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations",
+ "version": "3.0.0",
+ "reference": "9.1.6"
+ }
+ ]
+ }
+ ],
+ "fabric-shareable-links-not-restricted.json": [
+ {
+ "enabled": true,
+ "level": "low",
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations",
+ "version": "3.0.0",
+ "reference": "9.1.7"
+ }
+ ]
+ }
+ ],
+ "fabric-enabling-external-data-sharing-not-restricted.json": [
+ {
+ "enabled": true,
+ "level": "low",
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations",
+ "version": "3.0.0",
+ "reference": "9.1.8"
+ }
+ ]
+ }
+ ],
+ "fabric-block-resourcekey-authentication-not-enabled.json": [
+ {
+ "enabled": true,
+ "level": "low",
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations",
+ "version": "3.0.0",
+ "reference": "9.1.9"
+ }
+ ]
+ }
]
}
}
\ No newline at end of file
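Review bot: `teams-external-meeting-chat-is-off.json` (8.5.8) is the one Teams control rated `medium` while the other ten 8.x entries, including `teams-external-access-not-restricted.json` (8.2.1) and `teams-anonymous-users-cant-join-meeting.json` (8.5.1), are `info`; external federation and anonymous join are typically the settings a Teams-phishing threat model looks at first, so if `info` means "informational, not a finding" those two should be reconsidered, and if it is a real severity the 8.5.8 outlier needs a reason. The Teams keys again mix good-state names (`…-cant-join-meeting`, `…-only-org-people-can-bypass-lobby`, `…-is-off`) with bad-state ones (`…-not-restricted`, `…-not-configured`), so the direction of each finding is not readable from the key. The file still ends without a trailing newline, so every future append will show up as a two-line diff on the final `}`. The `rules` object and the document close in this hunk.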