diff --git a/.dockerignore b/.dockerignore
new file mode 100644
index 00000000..fabd7a0c
--- /dev/null
+++ b/.dockerignore
@@ -0,0 +1,10 @@
+log
+Dockerfile*
+docker-compose*
+.dockerignore
+docker
+.git
+.env
+README.md
+LICENSE
+monkey-reports
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 00000000..d2e0b5f0
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,17 @@
+# logs
+azurereview.log
+/log/*.log
+
+# Data folder
+monkey-reports*
+
+site/
+*.csv
+
+config/monkey_365_dev.config
+
+profiles/
+
+rules/findings/extra/*
+rules/rulesets/monkey_azure_1.0.json
+rules/rulesets/monkey_m365_1.0.json
diff --git a/rules/conditions/aad-m365-privileged-roles.json b/rules/conditions/aad-m365-privileged-roles.json
new file mode 100644
index 00000000..05f71855
--- /dev/null
+++ b/rules/conditions/aad-m365-privileged-roles.json
@@ -0,0 +1,19 @@
+{
+ "conditions":[
+ "or",
+ ["roleTemplateId", "imatch", "62e90394-69f5-4237-9190-012177145e10"],
+ ["roleTemplateId", "imatch", "9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3"],
+ ["roleTemplateId", "imatch", "cf1c38e5-3621-4004-a7cb-879624dced7c"],
+ ["roleTemplateId", "imatch", "c4e39bd9-1100-46d3-8c65-fb160da0071f"],
+ ["roleTemplateId", "imatch", "e3973bdf-4987-49ae-837a-ba8e231c7286"],
+ ["roleTemplateId", "imatch", "7495fdc4-34c4-4d15-a289-98788ce399fd"],
+ ["roleTemplateId", "imatch", "b0f54661-2d74-4c50-afa3-1ec803f12efe"],
+ ["roleTemplateId", "imatch", "158c047a-c907-4556-b7ef-446551a6b5f7"],
+ ["roleTemplateId", "imatch", "17315797-102d-40b4-93e0-432062caca18"],
+ ["roleTemplateId", "imatch", "b1be1c3e-b65d-4f19-8427-f6fa0d97feb9"],
+ ["roleTemplateId", "imatch", "9f06204d-73c1-4d4c-880a-6edb90606fd8"],
+ ["roleTemplateId", "imatch", "9360feb5-f418-4baa-8175-e2a00bac4301"],
+ ["roleTemplateId", "imatch", "fdd7a751-b60b-444a-984c-02652fe8fa1c"],
+ ["roleTemplateId", "imatch", "729827e3-9c14-49f7-bb1b-9608f156bbb8"]
+ ]
+}
\ No newline at end of file
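Review bot: `.env` is kept out of the Docker build context by `.dockerignore` but is not listed in `.gitignore`, so a local `.env` would be swept up by a plain `git add .` along with anything it holds. The `.dockerignore` entry suggests such a file is expected to exist, and files of that name conventionally carry tenant credentials or client secrets, though what this project puts there is not visible here. Add `.env` and `.env.*` to `.gitignore` next to `config/monkey_365_dev.config`, which is already treated as local-only.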
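Review bot: The fourteen `roleTemplateId` values carry no human-readable role names, so a reviewer cannot check that the set is the one the benchmark intends, and this file is byte-identical to `aad-privileged-roles.json` in the same change (same blob `05f71855`), so the two copies will drift as soon as one is edited. From memory, the template IDs for Privileged Role Administrator, Security Administrator, User Administrator and Privileged Authentication Administrator are not in this list; worth confirming against Microsoft's published role-template table before relying on it for a "privileged roles" check. JSON has no comments, so keep a `roleTemplateId -> role name` table in the rules README (or a sibling `.md`) and have a single condition file that both rulesets reference rather than two copies.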
diff --git a/rules/conditions/aad-privileged-roles.json b/rules/conditions/aad-privileged-roles.json
new file mode 100644
index 00000000..05f71855
--- /dev/null
+++ b/rules/conditions/aad-privileged-roles.json
@@ -0,0 +1,19 @@
+{
+ "conditions":[
+ "or",
+ ["roleTemplateId", "imatch", "62e90394-69f5-4237-9190-012177145e10"],
+ ["roleTemplateId", "imatch", "9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3"],
+ ["roleTemplateId", "imatch", "cf1c38e5-3621-4004-a7cb-879624dced7c"],
+ ["roleTemplateId", "imatch", "c4e39bd9-1100-46d3-8c65-fb160da0071f"],
+ ["roleTemplateId", "imatch", "e3973bdf-4987-49ae-837a-ba8e231c7286"],
+ ["roleTemplateId", "imatch", "7495fdc4-34c4-4d15-a289-98788ce399fd"],
+ ["roleTemplateId", "imatch", "b0f54661-2d74-4c50-afa3-1ec803f12efe"],
+ ["roleTemplateId", "imatch", "158c047a-c907-4556-b7ef-446551a6b5f7"],
+ ["roleTemplateId", "imatch", "17315797-102d-40b4-93e0-432062caca18"],
+ ["roleTemplateId", "imatch", "b1be1c3e-b65d-4f19-8427-f6fa0d97feb9"],
+ ["roleTemplateId", "imatch", "9f06204d-73c1-4d4c-880a-6edb90606fd8"],
+ ["roleTemplateId", "imatch", "9360feb5-f418-4baa-8175-e2a00bac4301"],
+ ["roleTemplateId", "imatch", "fdd7a751-b60b-444a-984c-02652fe8fa1c"],
+ ["roleTemplateId", "imatch", "729827e3-9c14-49f7-bb1b-9608f156bbb8"]
+ ]
+}
\ No newline at end of file
diff --git a/rules/conditions/allow-tcp.json b/rules/conditions/allow-tcp.json
new file mode 100644
index 00000000..9f2e0843
--- /dev/null
+++ b/rules/conditions/allow-tcp.json
@@ -0,0 +1,7 @@
+{
+ "conditions":[
+ "or",
+ ["Protocol", "eq", "*"],
+ ["Protocol", "eq", "TCP"]
+ ]
+}
\ No newline at end of file
diff --git a/rules/conditions/allow-udp.json b/rules/conditions/allow-udp.json
new file mode 100644
index 00000000..aa860269
--- /dev/null
+++ b/rules/conditions/allow-udp.json
@@ -0,0 +1,7 @@
+{
+ "conditions":[
+ "or",
+ ["Protocol", "eq", "*"],
+ ["Protocol", "eq", "UDP"]
+ ]
+}
\ No newline at end of file
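Review bot: `["Protocol", "eq", "TCP"]` only works if `eq` is a case-insensitive comparison: the Azure NSG API returns `properties.protocol` as `Tcp`/`Udp` (mixed case), and the only other value this file accepts is `*`, so a rule stored with the API's spelling would pass unflagged. The condition files next to this one already use an `imatch` operator; assuming it is the case-insensitive matcher, `["Protocol", "imatch", "^tcp$"]` (and `^udp$` in `allow-udp.json`) would be robust regardless of how the collector normalises the value, or keep `eq` and use whichever spelling the collector actually stores.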
diff --git a/rules/conditions/app-permissions.json b/rules/conditions/app-permissions.json
new file mode 100644
index 00000000..06f02df5
--- /dev/null
+++ b/rules/conditions/app-permissions.json
@@ -0,0 +1,34 @@
+{
+ "conditions":[
+ [ "or",
+ [ "and",
+ ["Permission", "eq", "Application.ReadWrite.All"],
+ ["ConsentType", "eq", "Admin"]
+ ]
+ ],
+ [ "or",
+ [ "and",
+ ["Permission", "eq", "Directory.ReadWrite.All"],
+ ["ConsentType", "eq", "Admin"]
+ ]
+ ],
+ [ "or",
+ [ "and",
+ ["Permission", "eq", "Domain.ReadWrite.All"],
+ ["ConsentType", "eq", "Admin"]
+ ]
+ ],
+ [ "or",
+ [ "and",
+ ["Permission", "eq", "Member.Read.Hidden"],
+ ["ConsentType", "eq", "Admin"]
+ ]
+ ],
+ [ "or",
+ [ "and",
+ ["Permission", "eq", "User.ReadWrite.All"],
+ ["ConsentType", "eq", "Admin"]
+ ]
+ ]
+ ]
+}
\ No newline at end of file
diff --git a/rules/conditions/exposed-to-the-internet.json b/rules/conditions/exposed-to-the-internet.json
new file mode 100644
index 00000000..92e6ef94
--- /dev/null
+++ b/rules/conditions/exposed-to-the-internet.json
@@ -0,0 +1,16 @@
+{
+ "conditions":[
+ "and",
+ ["direction", "eq", "Inbound"],
+ ["Access", "eq", "Allow"],
+ [ "and",
+ [ "or",
+ [ "SourceAddressPrefix", "eq", "*" ],
+ [ "SourceAddressPrefix", "eq", "Internet" ],
+ [ "SourceAddressPrefixes", "eq", "*" ],
+ [ "SourceAddressPrefixes", "eq", "Internet" ]
+ ]
+ ]
+ ]
+
+}
\ No newline at end of file
diff --git a/rules/conditions/subscription-role-permissions.json b/rules/conditions/subscription-role-permissions.json
new file mode 100644
index 00000000..8e8dca78
--- /dev/null
+++ b/rules/conditions/subscription-role-permissions.json
@@ -0,0 +1,8 @@
+{
+ "conditions":[
+ "or",
+ ["properties.permissions.actions", "match", "Microsoft.Compute/virtualMachines/delete"],
+ ["properties.permissions.actions", "match", "Microsoft.Compute/virtualMachines/write"],
+ ["properties.permissions.actions", "match", "\\*"]
+ ]
+}
\ No newline at end of file
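Review bot: Unlike every other condition file in this change, the `conditions` array here does not start with an operator string; its first element is a nested `[ "or", [ "and", ... ] ]`, so how the five permission blocks combine is left to whatever the engine does by default. If that default is AND, no single grant can carry all five permissions and the condition never fires; if it is OR, the inner single-child `"or"` wrappers are just noise. The intent reads as one top-level `"or"` over five `"and"` pairs: `"conditions": [ "or", [ "and", ["Permission", "eq", "Application.ReadWrite.All"], ["ConsentType", "eq", "Admin"] ], ... ]`. While here, `RoleManagement.ReadWrite.Directory` and `AppRoleAssignment.ReadWrite.All` are at least as useful for privilege escalation as `Directory.ReadWrite.All` and are worth adding to the list.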
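Review bot: The source check only recognises `*` and `Internet`, but NSG rules open to the world are just as often written as `0.0.0.0/0`, `Any`, `::/0` or any `<prefix>/0`, which the CIS Azure networking checks all treat as "any"; those rules pass this condition silently. With the `imatch` operator the sibling files use, `["SourceAddressPrefix", "imatch", "^(\\*|internet|any|0\\.0\\.0\\.0/0|::/0|.*/0)$"]` covers the common spellings. Two smaller things: `SourceAddressPrefixes` is a list in the API, so `eq "*"` on it only works if the engine flattens lists, and the key `direction` is lower-case while `Access` is capitalised, so if property lookup is case-sensitive one of the two will never resolve.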
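Review bot: Matching the fully qualified action strings misses custom roles that grant the same rights through wildcards such as `Microsoft.Compute/*`, `Microsoft.Compute/virtualMachines/*` or `*/write`, which are the usual way custom role definitions are written; only the bare `*` is caught by the third clause. A pattern such as `Microsoft\\.Compute/(\\*|virtualMachines/(\\*|write|delete))` plus `^\\*/(write|delete)$` would cover the wildcard forms. `notActions` is also not consulted, so a role that grants `Microsoft.Compute/*` but excludes `virtualMachines/delete` is reported the same as one that does not; whether the collector exposes `notActions` under the same path is not visible here.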
diff --git a/rules/conditions/test-names.json b/rules/conditions/test-names.json
new file mode 100644
index 00000000..412a0d64
--- /dev/null
+++ b/rules/conditions/test-names.json
@@ -0,0 +1,7 @@
+{
+ "conditions":[
+ "or",
+ ["displayName", "imatch", "Demo"],
+ ["displayName", "imatch", "test"]
+ ]
+}
\ No newline at end of file
diff --git a/rules/findings/Active Directory/Devices/azure-activedirectory-devices-require-mfa-settings.json b/rules/findings/Active Directory/Devices/azure-activedirectory-devices-require-mfa-settings.json
new file mode 100644
index 00000000..575cd238
--- /dev/null
+++ b/rules/findings/Active Directory/Devices/azure-activedirectory-devices-require-mfa-settings.json
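Review bot: If `imatch` is an unanchored case-insensitive regex, as its use against GUIDs elsewhere in this change suggests, `["displayName", "imatch", "test"]` matches any name containing the substring, so "Contest", "Attestation" or "Latest builds" would be classified as test objects, and `Demo` would catch "Demographics". Anchoring on word boundaries, e.g. `\\bdemo\\b` and `\\btest\\b`, keeps the intent without the false positives; if the operator is a plain substring match instead, a list of exact names would be safer.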
@@ -0,0 +1,40 @@
+{
+ "dashboard_name": "Active Directory",
+ "menu_name": "Active Directory",
+ "issue_name": "Joining devices to the active directory should require Multi-factor authentication",
+ "description": "Multi-factor authentication is recommended when adding devices to Azure AD. When set to \"Yes\", users who are adding devices from the internet must first use the second method of authentication before their device is successfully added to the directory. This ensures that rogue devices are not added to the directory for a compromised user account",
+ "rationale": "Multi-factor authentication is recommended when adding devices to Azure AD. When set to `Yes`, users who are adding devices from the internet must first use the second method of authentication before their device is successfully added to the directory. This ensures that rogue devices are not added to the directory for a compromised user account.",
+ "impact": null,
+ "remediation": "
+ ###### From Azure Console
+ 1. Go to `Azure Active Directory`
+ 2. Go to `Devices`
+ 3. Go to `Device settings`
+ 4. Ensure that `Require Multi-Factor Auth to join devices` is set to `Yes`
+ ",
+ "references": [
+ "https://docs.microsoft.com/en-us/azure/active-directory/devices/concept-azure-ad-join",
+ "https://docs.microsoft.com/en-us/azure/active-directory/devices/device-management-azure-portal",
+ "https://blogs.technet.microsoft.com/janketil/2016/02/29/azure-mfa-for-enrollment-in-intune-and-azure-ad-device-registration-explained/",
+ "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-identity-management#im-4-use-strong-authentication-controls-for-all-azure-active-directory-based-access"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "1.4.0",
+ "reference": "1.19"
+ }
+ ],
+ "tags": null,
+ "path": "aad_device_settings",
+ "display_path": "aad_device_settings",
+ "conditions": [
+ "and",
+ [
+ "requireMfaSetting",
+ "eq",
+ "False"
+ ]
+ ],
+ "id_suffix": "aad_mfa_devices_disabled"
+}
diff --git a/rules/findings/Active Directory/General/aad-linkedin-sync-enabled.json b/rules/findings/Active Directory/General/aad-linkedin-sync-enabled.json
new file mode 100644
index 00000000..56de1ea8
--- /dev/null
+++ b/rules/findings/Active Directory/General/aad-linkedin-sync-enabled.json
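Review bot: The condition compares `requireMfaSetting` against the string `"False"`, while other findings in this same change compare booleans against `"false"` and `"true"` (password protection, group features) as well as `"True"`; unless `eq` both stringifies booleans and ignores case, some of these rules will silently never fire, and a rule that never fires looks like a clean tenant. Settle on one literal form for every finding, ideally a real JSON `false`/`true` if the engine accepts it. Separately, `remediation` embeds raw newlines inside a JSON string, which is not valid JSON and relies on a lenient parser; `\n` escapes would keep the rule files loadable by any parser.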
@@ -0,0 +1,32 @@
+{
+ "dashboard_name": "Active Directory",
+ "menu_name": "Active Directory",
+ "issue_name": "Ensure that LinkedIn contact synchronization is disabled",
+ "description": "Consider to disable integration with LinkedIn as a measure to help prevent phishing scams.",
+ "rationale": null,
+ "impact": null,
+ "remediation": null,
+ "references": [
+ "https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/methods-for-assigning-users-and-groups",
+ "https://ezcloudinfo.com/2019/01/22/configure-access-panel-in-azure-active-directory/"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations",
+ "version": "1.4.0",
+ "reference": "1.1.14"
+ }
+ ],
+ "tags": null,
+ "path": "aad_directory_properties",
+ "display_path": "aad_directory_properties",
+ "conditions": [
+ "and",
+ [
+ "enableLinkedInAppFamily",
+ "eq",
+ "0"
+ ]
+ ],
+ "id_suffix": "aad_linkedin_sync_enabled"
+}
diff --git a/rules/findings/Active Directory/General/aad-password-protection-disabled.json b/rules/findings/Active Directory/General/aad-password-protection-disabled.json
new file mode 100644
index 00000000..d1fc6c28
--- /dev/null
+++ b/rules/findings/Active Directory/General/aad-password-protection-disabled.json
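Review bot: The finding is raised when `enableLinkedInAppFamily` equals `"0"`, but nothing in the file says whether `0` is the enabled or the disabled state; the id_suffix `aad_linkedin_sync_enabled` implies the rule should fire when the integration is on, so if `0` turns out to be "disabled" the rule is inverted and reports exactly the compliant tenants. As I recall the directory property is an enum with more than two values, so an exact match on one value may also miss "enabled for selected users". Confirm the encoding against the collector's output, and fill in the null `rationale` and `remediation` like the sibling rules (the toggle lives under Azure Active Directory > Users > User settings > LinkedIn account connections, set to `No`, in the portal at the time of writing), since a finding with no remediation is of little use to the reader.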
@@ -0,0 +1,36 @@
+{
+ "dashboard_name": "Active Directory",
+ "menu_name": "Active Directory",
+ "issue_name": "Ensure that password protection is enabled for Active Directory",
+ "description": "Enable Azure Active Directory Password Protection to Active Directory to protect against the use of common passwords.",
+ "rationale": "Azure Active Directory protects an organization by prohibiting the use of weak or leaked passwords. In addition, organizations can create custom banned password lists to prevent their users from using easily guessed passwords that are specific to their industry. Deploying this feature to Active Directory will strengthen the passwords that are used in the environment.",
+ "impact": "The potential impact associated with implementation of this setting is dependent upon the existing password policies in place in the environment. For environments that have strong password policies in place, the impact will be minimal. For organizations that do not have strong password policies in place, implementation of Azure Active Directory Password Protection may require users to change passwords, and adhere to more stringent requirements than they have been accustomed to.",
+ "remediation": null,
+ "references": [
+ "https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-password-ban-bad-on-premises"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations",
+ "version": "1.4.0",
+ "reference": "1.1.5"
+ }
+ ],
+ "tags": null,
+ "path": "aad_password_policy",
+ "display_path": "aad_password_policy",
+ "conditions": [
+ "or",
+ [
+ "enforceCustomBannedPasswords",
+ "eq",
+ "false"
+ ],
+ [
+ "enableBannedPasswordCheckOnPremises",
+ "eq",
+ "false"
+ ]
+ ],
+ "id_suffix": "aad_password_protection_disabled"
+}
diff --git a/rules/findings/Active Directory/General/aad-security-defaults-disabled.json b/rules/findings/Active Directory/General/aad-security-defaults-disabled.json
new file mode 100644
index 00000000..4416bb69
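Review bot: The `or` over `enforceCustomBannedPasswords eq "false"` raises this finding for every tenant that simply has not defined a custom banned-password list, even when Microsoft's global banned-password check and the on-premises agent are both in place; a custom list is optional, and the issue name, the single reference and the CIS 1.1.5 mapping are all about protecting on-premises AD, which the second clause already covers. Either drop the first clause or move it into its own lower-severity finding such as `aad_custom_banned_passwords_not_enforced`. The remediation is also `null`; the CIS steps (Azure AD > Security > Authentication methods > Password protection, set "Enable password protection on Windows Server Active Directory" to Yes and mode to Enforced) belong here as in the sibling rules.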
--- /dev/null
+++ b/rules/findings/Active Directory/General/aad-security-defaults-disabled.json
@@ -0,0 +1,55 @@
+{
+ "dashboard_name": "Active Directory",
+ "menu_name": "Active Directory",
+ "issue_name": "Ensure Security Defaults is enabled on Azure Active Directory",
+ "description": "Security defaults in Azure Active Directory (Azure AD) make it easier to be secure and help protect your organization. Security defaults contain preconfigured security settings for common attacks.
+ Microsoft is making security defaults available to everyone. The goal is to ensure that all organizations have a basic level of security-enabled at no extra cost. You turn on security defaults in the Azure portal.",
+ "rationale": "
+ Security defaults provide secure default settings that we manage on behalf of organizations to keep customers safe until they are ready to manage their own identity security settings.
+
+ For example doing the following:
+
+ * Requiring all users and admins to register for MFA.
+ * Challenging users with MFA - mostly when they show up on a new device or app, but more often for critical roles and tasks.
+ * Disabling authentication from legacy authentication clients, which can’t do MFA.
+ ",
+ "impact": "
+ Enabling security defaults may negatively impact the functionality of other Microsoft services, such as MS365. This recommendation should be implemented initially and then may be overridden by other service/product specific CIS Benchmarks.",
+ "remediation": "
+ ###### From Azure Console
+ 1. Sign in to the Azure portal as a security administrator, Conditional Access administrator, or global administrator.
+ 2. Browse to Azure Active Directory > Properties.
+ 3. Select Manage security defaults.
+ 4. Set the Enable security defaults toggle to Yes.
+ 5. Select Save.
+
+ ",
+ "references": [
+ "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/users-default-permissions",
+ "http://www.rebeladmin.com/2019/04/step-step-guide-restrict-azure-ad-administration-portal/",
+ "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-defaults",
+ "https://techcommunity.microsoft.com/t5/azure-active-directory-identity/introducing-security-defaults/ba-p/1061414"
+
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations",
+ "version": "1.4.0",
+ "reference": "1.21"
+ }
+ ],
+ "tags": [
+ "Microsoft 365 CIS benchmark 1.21"
+ ],
+ "path": "aad_security_default_status",
+ "display_path": "aad_security_default_status",
+ "conditions": [
+ "and",
+ [
+ "securityDefaultsEnabled",
+ "eq",
+ "False"
+ ]
+ ],
+ "id_suffix": "aad_sbd_disabled"
+}
diff --git a/rules/findings/Active Directory/General/aad-security-defaults-enabled.json b/rules/findings/Active Directory/General/aad-security-defaults-enabled.json
new file mode 100644
index 00000000..d40d766f
--- /dev/null
+++ b/rules/findings/Active Directory/General/aad-security-defaults-enabled.json
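Review bot: This rule fires when `securityDefaultsEnabled` is `False` and `aad-security-defaults-enabled.json` in the same change fires when it is `True`, so exactly one of the two findings is raised in every tenant; if both land in the same ruleset the report always carries a security-defaults finding regardless of configuration. The two files should be assigned to mutually exclusive rulesets (the `.gitignore` in this change suggests separate Azure and M365 rulesets exist), and it would help to state in `description` which benchmark each follows. The bigger gap is that turning security defaults off is the supported path once Conditional Access policies enforce MFA, so a tenant with strong CA policies is flagged here as if it had nothing; if the collector exposes CA policies, this rule should be suppressed when an MFA-requiring policy covers all users.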
@@ -0,0 +1,57 @@
+{
+ "dashboard_name": "Active Directory",
+ "menu_name": "Active Directory",
+ "issue_name": "Ensure Security Defaults is disabled on Azure Active Directory",
+ "description": "Security defaults in Azure Active Directory (Azure AD) make it easier to be secure and help protect your organization. Security defaults contain preconfigured security settings for common attacks.
+ Microsoft is making security defaults available to everyone. The goal is to ensure that all organizations have a basic level of security-enabled at no extra cost. The use of security defaults however will prohibit custom settings which are being set with more advanced settings.",
+ "rationale": "
+ Security defaults provide secure default settings that we manage on behalf of organizations to keep customers safe until they are ready to manage their own identity security settings.
+
+ For example doing the following:
+
+ * Requiring all users and admins to register for MFA.
+ * Challenging users with MFA - mostly when they show up on a new device or app, but more often for critical roles and tasks.
+ * Disabling authentication from legacy authentication clients, which can’t do MFA.
+ ",
+ "impact": "The potential impact associated with disabling of Security Defaults is dependent upon the security controls implemented in the environment. It is likely that most organizations disabling Security Defaults plan to implement equivalent controls to replace Security Defaults.
+ It may be necessary to check settings in other Microsoft products, such as Azure, to ensure settings and functionality are as expected when disabling security defaults for MS365.
+
+ ",
+ "remediation": "
+ ###### From Azure Console
+ 1. Sign in to the Azure portal as a security administrator, Conditional Access administrator, or global administrator.
+ 2. Browse to Azure Active Directory > Properties.
+ 3. Select Manage security defaults.
+ 4. Set the Enable security defaults toggle to No.
+ 5. Select Save.
+
+ ",
+ "references": [
+ "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/users-default-permissions",
+ "http://www.rebeladmin.com/2019/04/step-step-guide-restrict-azure-ad-administration-portal/",
+ "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-defaults",
+ "https://techcommunity.microsoft.com/t5/azure-active-directory-identity/introducing-security-defaults/ba-p/1061414"
+
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations",
+ "version": "1.4.0",
+ "reference": "1.21"
+ }
+ ],
+ "tags": [
+ "Microsoft 365 CIS benchmark 1.21"
+ ],
+ "path": "aad_security_default_status",
+ "display_path": "aad_security_default_status",
+ "conditions": [
+ "and",
+ [
+ "securityDefaultsEnabled",
+ "eq",
+ "True"
+ ]
+ ],
+ "id_suffix": "aad_sbd_enabled"
+}
diff --git a/rules/findings/Active Directory/General/azure-activedirectory-apps-required-admin-consent.json b/rules/findings/Active Directory/General/azure-activedirectory-apps-required-admin-consent.json
new file mode 100644
index 00000000..a413080d
--- /dev/null
+++ b/rules/findings/Active Directory/General/azure-activedirectory-apps-required-admin-consent.json
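Review bot: The `compliance` entry and the tag here (CIS Microsoft 365 Foundations 1.4.0, reference 1.21) are identical to those in `aad-security-defaults-disabled.json`, yet the two rules recommend opposite settings, so at least one mapping is wrong; from memory the "ensure enabled" wording belongs to the CIS Azure Foundations benchmark and the "ensure disabled" wording to the M365 one, which is worth checking against the benchmark text before the reference is shown to users. The remediation also instructs the reader to turn security defaults off without first checking that replacement controls exist, which the `impact` paragraph itself says is the precondition; adding a step 0 such as `Confirm Conditional Access policies requiring MFA for all users (and blocking legacy authentication) are enforced before disabling.` would keep the guidance from weakening a tenant that follows it literally.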
@@ -0,0 +1,45 @@
+{
+ "dashboard_name": "Active Directory",
+ "menu_name": "Active Directory",
+ "issue_name": "Require administrators to register third-party applications",
+ "description": "Consider to disable in the Azure directory from registering applications and from signing in to applications without an administrator approval. Once this feature is disabled, an administrator will be required to consent to any new application a user needs to use.",
+ "rationale": "It is recommended to let administrator register custom-developed applications. This ensures that the application undergoes a security review before exposing active directory data to it.",
+ "impact": "This might create additional requests that administrators need to fulfill quite often.",
+ "remediation": "
+ ###### From Azure Console
+ 1. Go to `Azure Active Directory`
+ 2. Go to `Users`
+ 3. Go to `User settings`
+ 4. Set `Users can register applications` to `No`
+ ",
+ "references": [
+ "https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/methods-for-assigning-users-and-groups",
+ "https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-how-applications-are-added",
+ "https://ezcloudinfo.com/2019/01/22/configure-access-panel-in-azure-active-directory/",
+ "https://blogs.msdn.microsoft.com/exchangedev/2014/06/05/managing-user-consent-for-applications-using-office-365-apis/",
+ "https://nicksnettravels.builttoroam.com/post/2017/01/24/Admin-Consent-for-Permissions-in-Azure-Active-Directory.aspx",
+ "https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-how-applications-are-added#who-has-permission-to-add-applications-to-my-azure-ad-instance",
+ "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-1-define-asset-management-and-data-protection-strategy",
+ "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-1-protect-and-limit-highly-privileged-users",
+ "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-2-restrict-administrative-access-to-business-critical-systems"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "1.1.0",
+ "reference": "1.11"
+ }
+ ],
+ "tags": null,
+ "path": "aad_directory_properties",
+ "display_path": "aad_directory_properties",
+ "conditions": [
+ "and",
+ [
+ "usersCanRegisterApps",
+ "eq",
+ "True"
+ ]
+ ],
+ "id_suffix": "aad_3rd_apps_all_users_enabled"
+}
diff --git a/rules/findings/Active Directory/General/azure-activedirectory-restrict-users-ad-portal.json b/rules/findings/Active Directory/General/azure-activedirectory-restrict-users-ad-portal.json
new file mode 100644
index 00000000..9547e659
--- /dev/null
+++ b/rules/findings/Active Directory/General/azure-activedirectory-restrict-users-ad-portal.json
@@ -0,0 +1,43 @@
+{
+ "dashboard_name": "Active Directory",
+ "menu_name": "Active Directory",
+ "issue_name": "Restrict access to the Azure AD administration portal to administrators only",
+ "description": "Consider to prevent that regular users users can access to Azure Active Directory portal. By default, any user under Azure AD can access to the Azure Active Directory portal event if they are not assigned to an administrator role.",
+ "rationale": "The Azure AD administrative portal has sensitive data. All non-administrators should be prohibited from accessing any Azure AD data in the administration portal to avoid exposure.",
+ "impact": null,
+ "remediation": "
+ ###### From Azure Console
+ 1. Go to `Azure Active Directory`
+ 2. Go to `Users`
+ 3. Go to `User settings`
+ 4. Ensure that `Restrict access to Azure AD administration portal` is set to `Yes`
+ ",
+ "references": [
+ "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/users-default-permissions",
+ "http://www.rebeladmin.com/2019/04/step-step-guide-restrict-azure-ad-administration-portal/",
+ "https://docs.microsoft.com/en-us/azure/active-directory/active-directory-assign-admin-roles-azure-portal",
+ "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-2-define-enterprise-segmentation-strategy",
+ "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-6-define-identity-and-privileged-access-strategy",
+ "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-1-protect-and-limit-highly-privileged-users",
+ "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-2-restrict-administrative-access-to-business-critical-systems"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "1.4.0",
+ "reference": "1.14"
+ }
+ ],
+ "tags": null,
+ "path": "aad_directory_properties",
+ "display_path": "aad_directory_properties",
+ "conditions": [
+ "and",
+ [
+ "restrictNonAdminUsers",
+ "eq",
+ "False"
+ ]
+ ],
+ "id_suffix": "aad_restrict_users_ad_portal"
+}
diff --git a/rules/findings/Active Directory/Groups/azure-activedirectory-owners-can-manage-group-membership-enabled.json b/rules/findings/Active Directory/Groups/azure-activedirectory-owners-can-manage-group-membership-enabled.json
new file mode 100644
index 00000000..d55e143b
--- /dev/null
+++ b/rules/findings/Active Directory/Groups/azure-activedirectory-owners-can-manage-group-membership-enabled.json
@@ -0,0 +1,41 @@
+{
+ "dashboard_name": "Active Directory",
+ "menu_name": "Active Directory",
+ "issue_name": "Ensure that 'Owners can manage group membership requests in the Access Panel' is set to 'No'",
+ "description": "Consider to prevent that regular users can manage security groups.",
+ "rationale": "Restricting security group management to administrators only prohibits users from making changes to security groups. This ensures that security groups are appropriately managed and their management is not delegated to non-administrators.",
+ "remediation": "
+ ###### From Azure Console
+ 1. Go to `Azure Active Directory`
+ 2. Go to `Groups`
+ 3. Go to `General`
+ 4. Ensure that `Owners can manage group membership requests in the Access Panel` is set to `No`
+ ",
+ "references": [
+ "https://docs.microsoft.com/en-us/azure/active-directory/active-directory-accessmanagement-self-service-group-management#making-a-group-available-for-end-user-self-service",
+ "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-1-protect-and-limit-highly-privileged-users",
+ "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-5-automate-entitlement-management",
+ "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-8-choose-approval-process-for-microsoft-support",
+ "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-2-define-enterprise-segmentation-strategy",
+ "https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v2-governance-strategy#gs-6-define-identity-and-privileged-access-strategy"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "1.4.0",
+ "reference": "1.17"
+ }
+ ],
+ "tags": null,
+ "path": "aad_group_settings",
+ "display_path": "aad_group_settings",
+ "conditions": [
+ "and",
+ [
+ "selfServiceGroupManagementEnabled",
+ "eq",
+ "True"
+ ]
+ ],
+ "id_suffix": "aad_security_group_management_not_restricted"
+}
diff --git a/rules/findings/Active Directory/Groups/azure-activedirectory-users-can-access-group-features.json b/rules/findings/Active Directory/Groups/azure-activedirectory-users-can-access-group-features.json
new file mode 100644
index 00000000..3257e3cb
--- /dev/null
+++ b/rules/findings/Active Directory/Groups/azure-activedirectory-users-can-access-group-features.json
@@ -0,0 +1,44 @@
+{
+ "dashboard_name": "Active Directory",
+ "menu_name": "Active Directory",
+ "issue_name": " Ensure that 'Restrict user ability to access groups features in the Access Pane' is set to 'No'",
+ "description": "Consider to limit that regular users the ability to access group features.",
+ "rationale": "Self-service group management enables users to create and manage security groups or Office 365 groups in Azure Active Directory (Azure AD). Unless a business requires this day-to-day delegation for some users, self-service group management should be disabled.",
+ "impact": "Enabling this setting could create a number of request that would need to me managed by administrators",
+ "remediation": "
+ ###### From Azure Console
+ 1. Go to `Azure Active Directory`
+ 2. Go to `Groups`
+ 3. Go to `General`
+ 4. Ensure that `Restrict user ability to access groups features in the Access Pane` is set to `No`
+ ",
+ "references": [
+ "https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/methods-for-assigning-users-and-groups",
+ "https://docs.microsoft.com/en-us/office365/admin/create-groups/manage-creation-of-groups",
+ "https://docs.microsoft.com/en-us/azure/active-directory/active-directory-accessmanagement-self-service-group-management",
+ "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-1-protect-and-limit-highly-privileged-users",
+ "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-5-automate-entitlement-management",
+ "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-2-restrict-administrative-access-to-business-critical-systems",
+ "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-2-define-enterprise-segmentation-strategy",
+ "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-6-define-identity-and-privileged-access-strategy"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "1.4.0",
+ "reference": "1.15"
+ }
+ ],
+ "tags": null,
+ "path": "aad_group_settings",
+ "display_path": "aad_group_settings",
+ "conditions": [
+ "and",
+ [
+ "groupsInAccessPanelEnabled",
+ "eq",
+ "true"
+ ]
+ ],
+ "id_suffix": "aad_group_feature_access_enabled"
+}
diff --git a/rules/findings/Active Directory/Groups/azure-activedirectory-users-can-create-o365-groups.json b/rules/findings/Active Directory/Groups/azure-activedirectory-users-can-create-o365-groups.json
new file mode 100644
index 00000000..aebaed54
--- /dev/null
+++ b/rules/findings/Active Directory/Groups/azure-activedirectory-users-can-create-o365-groups.json
@@ -0,0 +1,45 @@
+{
+ "dashboard_name": "Active Directory",
+ "menu_name": "Active Directory",
+ "issue_name": "Restrict Office 365 group creation to administrators only",
+ "description": "Consider to limit that regular users the ability to create Office365 groups. When this settings is enabled, all users in the Azure directory are allowed to create new Office365 groupd and add members to these groups.",
+ "rationale": "Restricting Microsoft 365 group creation to administrators only ensures that creation of Microsoft 365 groups is controlled by the administrator. Appropriate groups should be created and managed by the administrator and group creation rights should not be delegated to any other use.",
+ "impact": "Enabling this setting could create a number of request that would need to be managed by an administrator.",
+ "remediation": "
+ ###### From Azure Console
+ 1. Go to `Azure Active Directory`
+ 2. Go to `Groups`
+ 3. Go to `General`
+ 4. Ensure that `Users can create Microsoft 365 groups in Azure Portals` is set to `No`
+ ",
+ "references": [
+ "https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/methods-for-assigning-users-and-groups",
+ "https://docs.microsoft.com/en-us/office365/admin/create-groups/manage-creation-of-groups",
+ "https://whitepages.unlimitedviz.com/2017/01/disable-office-365-groups-2/",
+ "https://support.office.com/en-us/article/Control-who-can-create-Office-365-Groups-4c46c8cb-17d0-44b5-9776-005fced8e618",
+ "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-6-define-identity-and-privileged-access-strategy",
+ "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-2-define-enterprise-segmentation-strategy",
+ "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-1-protect-and-limit-highly-privileged-users",
+ "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-5-automate-entitlement-management",
+ "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-2-restrict-administrative-access-to-business-critical-systems"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "1.4.0",
+ "reference": "1.18"
+ }
+ ],
+ "tags": null,
+ "path": "aad_group_settings",
+ "display_path": "aad_group_settings",
+ "conditions": [
+ "and",
+ [
+ "office365GroupsEnabled",
+ "eq",
+ "True"
+ ]
+ ],
+ "id_suffix": "aad_restrict_o365_group_creation_admins"
+}
diff --git a/rules/findings/Active Directory/Groups/azure-activedirectory-users-can-create-security-groups.json b/rules/findings/Active Directory/Groups/azure-activedirectory-users-can-create-security-groups.json
new file mode 100644
index 00000000..c8f235af
--- /dev/null
+++ b/rules/findings/Active Directory/Groups/azure-activedirectory-users-can-create-security-groups.json
@@ -0,0 +1,44 @@ +{ + "dashboard_name": "Active Directory", + "menu_name": "Active Directory", + "issue_name": "Restrict security group creation to administrators only", + "description": "Consider to prevent that regular users can create security groups. When this settings is enabled, all users in the Azure directory are allowed to create new security groups and add members to these groups.", + "rationale": "When creating security groups is enabled, all users in the directory are allowed to create new security groups and add members to those groups. Unless a business requires this day-to-day delegation, security group creation should be restricted to administrators only.", + "impact": "Enabling this setting could create a number of request that would need to be managed by an administrator.", + "remediation": " + ###### From Azure Console + 1. Go to `Azure Active Directory` + 2. Go to `Groups` + 3. Go to `General` + 4. Ensure that `Users can create security groups in Azure Portal` is set to `No` + ", + "references": [ + "https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/methods-for-assigning-users-and-groups", + "https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/groups-self-service-management", + "https://docs.microsoft.com/en-us/azure/active-directory/active-directory-accessmanagement-self-service-group-management#making-a-group-available-for-end-user-self-service", + "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-6-define-identity-and-privileged-access-strategy", + "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-2-define-enterprise-segmentation-strategy", + "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-1-protect-and-limit-highly-privileged-users", + 
"https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-5-automate-entitlement-management", + "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-2-restrict-administrative-access-to-business-critical-systems" + ], + "compliance": [ + { + "name": "CIS Microsoft Azure Foundations", + "version": "1.4.0", + "reference": "1.16" + } + ], + "tags": null, + "path": "aad_group_settings", + "display_path": "aad_group_settings", + "conditions": [ + "and", + [ + "securityGroupsEnabled", + "eq", + "True" + ] + ], + "id_suffix": "aad_restrict_security_group_creation_admins" +} diff --git a/rules/findings/Active Directory/Guest/aad-guest-can-invite.json b/rules/findings/Active Directory/Guest/aad-guest-can-invite.json new file mode 100644 index 00000000..6792a95c --- /dev/null +++ b/rules/findings/Active Directory/Guest/aad-guest-can-invite.json 
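Review bot: Same casing concern as the Microsoft 365 group rule: `securityGroupsEnabled` is compared with `"True"` while the rest of the rule set uses lower-case `"true"`, so pick one spelling (or a case-insensitive operator) so the two group-creation rules behave the same way. Wording fixes: `Consider to prevent that regular users can create` → `Consider preventing regular users from creating`, `this settings` → `this setting`, `a number of request` → `a number of requests`. The first reference (assigning users and groups to applications) is unrelated to who may create groups and could be dropped in favour of the self-service group management links that follow it.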
@@ -0,0 +1,46 @@ +{ + "dashboard_name": "Active Directory", + "menu_name": "Active Directory", + "issue_name": "Restrict guest invitations", + "description": "Consider to isolate the Azure Active Directory B2B collaboration feature and investigate who can invite guests. By default, all users and guests in an Azure directory can invite guests even if they\u0027re not assigned to an administrator role.", + "rationale": 'Restricting invitations to users with specific administrator roles ensures that only authorised accounts have access to cloud resources. This helps to maintain `Need to Know` permissions and prevents inadvertent access to data. + By default the setting `Guest invite restrictions` is set to `Anyone in the organization can invite guest users including guests and non-admins`. This would allow anyone within the organisation to invite guests and non-admins to the tenant, posing a security risk. + ', + "impact": " + With the option of Only users assigned to specific admin roles can invite guest users selected, users with specific admin roles will be in charge of sending invitations to the Azure Workspace, requiring additional overhead by them to manage user accounts. This will mean coordinating with other departments as they are onboarding new users, and manually removing access from users who no longer need it.", + "remediation": " + ###### From Azure Console + 1. Go to `Azure Active Directory` + 2. Go to `External Identities` + 3. Go to `External collaboration` settings + 4. 
Under `Guest invite settings`, for `Guest invite restrictions`, ensure that that `Only users assigned to specific admin roles can invite guest users` is selected + ", + "references": [ + "https://docs.microsoft.com/en-us/azure/active-directory/governance/manage-guest-access-with-access-reviews", + "https://docs.microsoft.com/en-us/azure/active-directory/active-directory-b2b-delegate-invitations", + "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-1-protect-and-limit-highly-privileged-users", + "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-5-automate-entitlement-management", + "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-2-restrict-administrative-access-to-business-criticalsystems", + "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-2-define-enterprise-segmentation-strategy", + "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-6-define-identity-and-privileged-access-strateg" + ], + "compliance": [ + { + "name": "CIS Microsoft Azure Foundations", + "version": "1.4.0", + "reference": "1.13" + } + ], + "tags": null, + "path": "aad_auth_policy", + "display_path": "aad_auth_policy", + "conditions": [ + "and", + [ + "TenantAuthPolicy.allowInvitesFrom", + "ne", + "adminsAndGuestInviters" + ] + ], + "id_suffix": "aad_guests_can_invite" +} diff --git a/rules/findings/Active Directory/Guest/aad-guest-users-present.json b/rules/findings/Active Directory/Guest/aad-guest-users-present.json new file mode 100644 index 00000000..60ad313b --- /dev/null +++ b/rules/findings/Active Directory/Guest/aad-guest-users-present.json 
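Review bot: The condition `TenantAuthPolicy.allowInvitesFrom ne adminsAndGuestInviters` also reports a tenant whose value is `none` (nobody may invite guests), which is stricter than the recommended setting and should not be a finding; add a second clause under the existing `and` so only the permissive values are flagged: `["TenantAuthPolicy.allowInvitesFrom", "ne", "adminsAndGuestInviters"], ["TenantAuthPolicy.allowInvitesFrom", "ne", "none"]`. The `rationale` value is delimited with single quotes and spans several lines, unlike every other field in this file, which a strict JSON parser rejects — confirm the loader tolerates it or switch to double quotes with `\n`. Two reference URLs look truncated (`business-criticalsystems`, `...privileged-access-strateg`), and `ensure that that` in the remediation doubles a word.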
@@ -0,0 +1,58 @@ +{ + "dashboard_name": "Active Directory", + "menu_name": "Active Directory", + "issue_name": "Do not add guest users if not needed", + "description": "Azure AD is extended to include Azure AD B2B collaboration, allowing you to invite people from outside your organization to be guest users in your cloud account and sign in with their own work, school, or social identities. Guest users allow you to share your company's applications and services with users from any other organization, while maintaining control over your own corporate data. + + Work with external partners, large or small, even if they don't have Azure AD or an IT department. A simple invitation and redemption process lets partners use their own credentials to access your company's resources a a guest user. + ", + "rationale": " + Guest users in the Azure AD are generally required for collaboration purposes in Office 365, and may also be required for Azure functions in enterprises with multiple Azure tenants, Guest users should be reviewed on a regular basis, at least annually, Guest users should not be granted administrative roles where possible. + + Guest users are typically added outside your employee on-boarding/off-boarding process and could potentially be overlooked indefinitely leading to a potential vulnerability. + + Guest users should be review on a monthly basis to ensure that inactive and unneeded accounts are removed. + ", + "impact": "Consider to remove guest users if not needed. By default, all users and guests in an Azure directory can enumerate users, groups, or other directory resources even if they\u0027re not assigned to an administrator role.", + "remediation": ' + ###### From Azure Console + 1. Go to `Azure Active Directory` + 2. Go to `Users and groups` + 3. Go to `All Users` + 4. Click on `Show` drop down and select `Guest users only` + 5. Delete all "Guest" users that are no longer required or are inactive. 
+ + It is good practice to use a dynamic group to manage guest users. To create the dynamic group: + + 1. Navigate to the `Active Directory` blade in the Azure Portal + 2. Select the `Groups` item + 3. Create new + 4. Type of `dynamic` + 5. Use the following dynamic selection rule. "(user.userType -eq "Guest")" + 6. Once the group has been created, select access reviews option and create a new access review with a period of monthly and send to relevant administrators for review. + ', + "references": [ + "https://docs.microsoft.com/en-us/azure/active-directory/b2b/user-properties", + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/add-users-azure-active-directory#delete-a-user", + "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-3-review-and-reconcile-user-access-regularly" + ], + "compliance": [ + { + "name": "CIS Microsoft Azure Foundations", + "version": "1.3.1", + "reference": "1.3" + } + ], + "tags": null, + "path": "aad_domain_users", + "display_path": "aad_domain_users", + "conditions": [ + "and", + [ + "usertype", + "eq", + "Guest" + ] + ], + "id_suffix": "aad_guest_users_present" +} diff --git a/rules/findings/Active Directory/IAM/aad-iam-excessive-global-admins.json b/rules/findings/Active Directory/IAM/aad-iam-excessive-global-admins.json new file mode 100644 index 00000000..22cb83d4 --- /dev/null +++ b/rules/findings/Active Directory/IAM/aad-iam-excessive-global-admins.json 
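Review bot: The compliance entry cites `CIS Microsoft Azure Foundations` version `1.3.1` reference `1.3`, whereas every sibling rule in this change cites `1.4.0`; if the older version is intentional, say so in a `tags` or note field, otherwise update it to the same benchmark edition. The `impact` text (`By default, all users and guests ... can enumerate users, groups, or other directory resources`) describes a separate directory-permissions problem, not the impact of removing guests; the impact here is the recurring review effort and possible loss of access for partners still collaborating. The `remediation` string is single-quoted and embeds unescaped `"Guest"`, which only parses with a lenient loader; double quotes with `\"` would match the other files. Also `Guest users should be review` → `reviewed`, `a a guest user` → `as a guest user`, and the condition key `usertype` differs in case from Graph's `userType` — harmless if property lookup is case-insensitive, otherwise no guest will match.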
@@ -0,0 +1,34 @@ +{ + "dashboard_name": "Active Directory Identity", + "menu_name": "IAM", + "issue_name": "Excessive number of Global Administrators", + "description": "The total number of Global Administrators was higher than recommended. A tenancy should have more than two but fewer than five Global Administrators. Having an excessive number of Global Administrators has an increased risk that one of those accounts will be successfully breached by an external attacker.", + "rationale": "If there is only one global tenant administrator, he or she can perform malicious activity without the possibility of being discovered by another admin. If there are numerous global tenant administrators, the more likely it is that one of their accounts will be successfully breached by an external attacker.", + "impact": "The potential impact associated with ensuring compliance with this requirement is dependent upon the current number of global administrators configured in the tenant. If there is only one global administrator in a tenant, an additional global administrator will need to be identified and configured. 
If there are more than four global administrators, a review of role requirements for current global administrators will be required to identify which of the users require global administrator access.", + "remediation": null, + "references": [ + "https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-admin-roles-secure", + "https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access", + "https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-assign-admin-roles" + ], + "compliance": [ + { + "name": "CIS Microsoft Microsoft 365 Foundations", + "version": "1.4.0", + "reference": "1.1.3" + } + ], + "tags": null, + "path": "aad_directory_user_roles", + "display_path": "aad_directory_user_roles", + "conditions": [ + "and", + [ + "roleTemplateId", + "eq", + "62e90394-69f5-4237-9190-012177145e10" + ] + ], + "id_suffix": "aad_excessive_global_admins", + "moreThan": "4" +} diff --git a/rules/findings/Active Directory/IAM/aad-iam-only-one-global-admin.json b/rules/findings/Active Directory/IAM/aad-iam-only-one-global-admin.json new file mode 100644 index 00000000..b4728076 --- /dev/null +++ b/rules/findings/Active Directory/IAM/aad-iam-only-one-global-admin.json 
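Review bot: The description says `A tenancy should have more than two but fewer than five Global Administrators`, which contradicts the thresholds actually used (`lessThan: 2` in the sibling rule, `moreThan: 4` here) and the sibling's own `at least 2 global admins`; change it to `A tenant should have at least two but no more than four Global Administrators`. The compliance name `CIS Microsoft Microsoft 365 Foundations` repeats `Microsoft`. The count is keyed on the Global Administrator role template id alone, so it presumably includes service principals and any PIM-eligible assignments the collector returns — if so, state that in the rationale, since eligible-only admins inflate the count relative to what the benchmark intends.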
@@ -0,0 +1,34 @@ +{ + "dashboard_name": "Active Directory Identity", + "menu_name": "IAM", + "issue_name": "Low number of Global Administrators", + "description": "The total number of Global Administrators was lower than recommended. A tenancy should have more than two but fewer than five Global Administrators. Best practices recommend having at least 2 global admins in the organisation in case of account lockout or account breach.", + "rationale": "If there is only one global tenant administrator, he or she can perform malicious activity without the possibility of being discovered by another admin. If there are numerous global tenant administrators, the more likely it is that one of their accounts will be successfully breached by an external attacker.", + "impact": "The potential impact associated with ensuring compliance with this requirement is dependent upon the current number of global administrators configured in the tenant. If there is only one global administrator in a tenant, an additional global administrator will need to be identified and configured. 
If there are more than four global administrators, a review of role requirements for current global administrators will be required to identify which of the users require global administrator access.", + "remediation": null, + "references": [ + "https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-admin-roles-secure", + "https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access", + "https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-assign-admin-roles" + ], + "compliance": [ + { + "name": "CIS Microsoft Microsoft 365 Foundations", + "version": "1.4.0", + "reference": "1.1.3" + } + ], + "tags": null, + "path": "aad_directory_user_roles", + "display_path": "aad_directory_user_roles", + "conditions": [ + "and", + [ + "roleTemplateId", + "eq", + "62e90394-69f5-4237-9190-012177145e10" + ] + ], + "id_suffix": "aad_only_one_global_admin", + "lessThan": "2" +} diff --git a/rules/findings/Active Directory/IAM/aad-iam-privileged-users-disabled-mfa.json b/rules/findings/Active Directory/IAM/aad-iam-privileged-users-disabled-mfa.json new file mode 100644 index 00000000..8ab90d3d --- /dev/null +++ b/rules/findings/Active Directory/IAM/aad-iam-privileged-users-disabled-mfa.json 
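Review bot: A count of `0` will satisfy `lessThan: 2`, yet every tenant has at least one Global Administrator, so a zero here almost certainly means the role memberships could not be read (insufficient permissions for the scanning identity) rather than a real finding; the finding text, or a comment in the rule, should say that `0` indicates a collection problem to investigate before reporting it as a configuration weakness. Same wording fixes as the sibling rule: `CIS Microsoft Microsoft 365 Foundations` → `CIS Microsoft 365 Foundations`, and `more than two but fewer than five` → `at least two but no more than four` so the text matches `lessThan: 2`.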
@@ -0,0 +1,51 @@ +{ + "dashboard_name": "Active Directory Identity", + "menu_name": "IAM", + "issue_name": "Ensure that multi-factor authentication is enabled for all privileged users", + "description": "Enable multi-factor authentication for all user credentials who have write access to Azure resources. These include roles like: + + * Service Co-Administrators + * Subscription Owners + * Contributors + ", + "rationale": "Multi-factor authentication requires an individual to present a minimum of two separate forms of authentication before access is granted. Multi-factor authentication provides additional assurance that the individual attempting to gain access is who they claim to be. With multi-factor authentication, an attacker would need to compromise at least two different authentication mechanisms, increasing the difficulty of compromise and thus reducing the risk.", + "impact": "Users would require two forms of authentication before any action is granted. Also, this requires an overhead for managing dual forms of authentication.", + "remediation": "Follow Microsoft Azure documentation and setup multi-factor authentication in your environment. 
+ Secure user sign-in events with Azure AD Multi-Factor Authentication + ", + "references": [ + "https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication", + "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-identity-management#im-4-use-strong-authentication-controls-for-all-azure-active-directory-based-access", + "https://docs.microsoft.com/en-us/azure/security/fundamentals/identity-management-best-practices" + ], + "compliance": [ + { + "name": "CIS Microsoft Azure Foundations", + "version": "1.4.0", + "reference": "1.1.1" + } + ], + "tags": null, + "path": "aad_directory_user_roles", + "display_path": "aad_directory_user_roles", + "conditions": [ + "and", + [ + "_INCLUDE_(_ARG_0_)", + "", + "" + ], + [ + "and", + [ + "or", + [ + "mfaenabled", + "eq", + "false" + ] + ] + ] + ], + "id_suffix": "aad_privileged_users_with_mfa_disabled" +} diff --git a/rules/findings/Active Directory/IAM/aad-iam-users-disabled-mfa.json b/rules/findings/Active Directory/IAM/aad-iam-users-disabled-mfa.json new file mode 100644 index 00000000..886d93db --- /dev/null +++ b/rules/findings/Active Directory/IAM/aad-iam-users-disabled-mfa.json 
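Review bot: The `conditions` block contains an unresolved `_INCLUDE_(_ARG_0_)` placeholder, so this rule only works when the ruleset passes a conditions file as its first argument, and nothing in the file says which one; add a note field such as `"note": "_ARG_0_ must be a conditions file enumerating the privileged roleTemplateIds"` or document it in the ruleset. The nested `["and", ["or", [...]]]` around the single `mfaenabled eq false` clause is redundant and can be flattened to `["mfaenabled", "eq", "false"]`. The description lists Azure RBAC roles (`Service Co-Administrators`, `Subscription Owners`, `Contributors`) while `path` is `aad_directory_user_roles`, i.e. Azure AD directory roles — presumably copied from the CIS control text; align it with what is actually evaluated. Finally, `mfaenabled` presumably reflects per-user (legacy) MFA state, so users enforced through Conditional Access or Security Defaults would still be reported — confirm how the collector derives it and add that caveat to `rationale`.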
@@ -0,0 +1,36 @@
+{
+ "dashboard_name": "Active Directory Identity",
+ "menu_name": "IAM",
+ "issue_name": "Ensure that multi-factor authentication is enabled for all non privileged users",
+ "description": "Enable multi-factor authentication for all non-privileged users.",
+ "rationale": "Multi-factor authentication requires an individual to present a minimum of two separate forms of authentication before access is granted. Multi-factor authentication provides additional assurance that the individual attempting to gain access is who they claim to be. With multi-factor authentication, an attacker would need to compromise at least two different authentication mechanisms, increasing the difficulty of compromise and thus reducing the risk.",
+ "impact": "Users would require two forms of authentication before any action is granted. Also, this requires an overhead for managing dual forms of authentication.",
+ "remediation": "Follow Microsoft Azure documentation and setup multi-factor authentication in your environment.
+ Secure user sign-in events with Azure AD Multi-Factor Authentication
+ ",
+ "references": [
+ "https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication",
+ "https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates",
+ "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-identity-management#im-4-use-strong-authentication-controls-for-all-azure-active-directory-based-access",
+ "https://docs.microsoft.com/en-us/azure/security/fundamentals/identity-management-best-practices"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "1.4.0",
+ "reference": "1.1.2"
+ }
+ ],
+ "tags": null,
+ "path": "aad_domain_users",
+ "display_path": "aad_domain_users",
+ "conditions": [
+ "and",
+ [
+ "mfaenabled",
+ "eq",
+ "false"
+ ]
+ ],
+ "id_suffix": "aad_users_with_mfa_disabled"
+}
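Review bot: The rule is titled for `non privileged users`, but its only condition is `mfaenabled eq false` over `aad_domain_users`, so every user — privileged and guest accounts included — is reported, duplicating the privileged-user rule; either retitle it `Ensure that multi-factor authentication is enabled for all users` or add an exclusion for the privileged role set (the condition syntax shown has no negated include, so that may need engine support). As with the sibling rule, `mfaenabled` presumably reflects per-user MFA rather than Conditional Access enforcement — confirm and state it in `rationale`, otherwise tenants that enforce MFA correctly will be flooded with findings. The remediation line `Secure user sign-in events with Azure AD Multi-Factor Authentication` reads like a link title whose URL was lost.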
diff --git a/rules/findings/Active Directory/Policy/aad-password-expiring-enabled.json b/rules/findings/Active Directory/Policy/aad-password-expiring-enabled.json new file mode 100644 index 00000000..b858edc2 --- /dev/null +++ b/rules/findings/Active Directory/Policy/aad-password-expiring-enabled.json 
@@ -0,0 +1,38 @@
+{
+ "dashboard_name": "Active Directory",
+ "menu_name": "Active Directory",
+ "issue_name": "Ensure that Office 365 Passwords Are Not Set to Expire",
+ "description": "Review the password expiration policy, to ensure that user passwords in Office 365 are not set to expire.",
+ "rationale": "NIST has updated their password policy recommendations to not arbitrarily require users to change their passwords after a specific amount of time, unless there is evidence that the password is compromised or the user forgot it. They suggest this even for single factor (Password Only) use cases, with a reasoning that forcing arbitrary password changes on users actually make the passwords less secure. Other recommendations within this Benchmark suggest the use of MFA authentication for at least critical accounts (at minimum), which makes password expiration even less useful as well as password protection for Azure AD.",
+ "impact": "The primary impact associated with this change is ensuring that users understand the process for making or requesting a password change when required.",
+ "remediation": "
+ ###### To set Office 365 Passwords to Expire, use the Microsoft 365 Admin Center
+ 1. Expand `Settings` then select the `Org Settings` subcategory.
+ 2. Click on `Security & privacy`.
+ 3. Select `Password expiration policy`.
+ 4. If the `Set user passwords to expire after a number of days box` is checked, uncheck it.
+ 5. Click `Save`.
+ ",
+ "references": [
+ "https://docs.microsoft.com/en-us/microsoft-365/admin/misc/password-policy-recommendations?view=o365-worldwide"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations",
+ "version": "1.4.0",
+ "reference": "1.5"
+ }
+ ],
+ "tags": null,
+ "path": "aad_domains",
+ "display_path": "aad_domains",
+ "conditions": [
+ "and",
+ [
+ "passwordValidityPeriodInDays",
+ "ne",
+ "2147483647"
+ ]
+ ],
+ "id_suffix": "aad_password_expiring_enabled"
+}
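Review bot: The remediation heading `To set Office 365 Passwords to Expire` states the opposite of the control; it should read `To set Office 365 passwords to never expire, use the Microsoft 365 Admin Center`. The condition reports any domain whose `passwordValidityPeriodInDays` is not `2147483647`; if the collector leaves the property null for federated or unverified domains, those would be reported as expiring, so a presence guard or a restriction to managed, verified domains is needed if the engine can express it (can't tell from here). The compare value is the string `"2147483647"` whereas Graph returns an integer — fine if `ne` coerces types, otherwise every domain is flagged; worth a comment on which it is.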
diff --git a/rules/findings/Active Directory/Policy/aad-restrict-collaboration-specific-domains-disabled.json b/rules/findings/Active Directory/Policy/aad-restrict-collaboration-specific-domains-disabled.json new file mode 100644 index 00000000..9add98c4 --- /dev/null +++ b/rules/findings/Active Directory/Policy/aad-restrict-collaboration-specific-domains-disabled.json 
@@ -0,0 +1,49 @@ +{ + "dashboard_name": "Active Directory", + "menu_name": "Active Directory", + "issue_name": "Ensure that collaboration invitations are sent to allowed domains only", + "description": "Users should be able to send collaboration invitations to allowed domains only.", + "rationale": "By specifying allowed domains for collaborations, external users companies are explicitly identified. Also, this prevents internal users from inviting unknown external users such as personal accounts and give them access to resources.", + "impact": "This could make harder collaboration if the setting is not quickly updated when a new domain is identified as `allowed`.", + "remediation": " + ###### From Azure Portal + 1. Go to `Azure Active Directory` + 2. Go to `Users` + 3. Go to `User settings` + 4. Under `External users`, click on `Manage external collaboration settings` + 5. Under `Collaboration restrictions`, select `Allow invitations only to the specified domains (most restrictive)`, check the Target domains setting, and specify the domains allowed to collaborate. 
+ ", + "references": [ + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/users-default-permissions", + "http://www.rebeladmin.com/2019/04/step-step-guide-restrict-azure-ad-administration-portal/", + "https://docs.microsoft.com/en-us/azure/active-directory/active-directory-assign-admin-roles-azure-portal", + "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-2-define-enterprise-segmentation-strategy", + "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-6-define-identity-and-privileged-access-strategy", + "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-1-protect-and-limit-highly-privileged-users", + "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-2-restrict-administrative-access-to-business-critical-systems" + ], + "compliance": [ + { + "name": "CIS Microsoft 365 Foundations", + "version": "1.4.0", + "reference": "1.1.13" + } + ], + "tags": null, + "path": "aad_b2b_directory_policies", + "display_path": "aad_b2b_directory_policies", + "conditions": [ + "and", + [ + "targetedDomains.Count", + "eq", + "0" + ], + [ + "isAllowlist", + "eq", + "true" + ] + ], + "id_suffix": "aad_restrict_collaboration_specific_domains_disabled" +} diff --git a/rules/findings/Active Directory/Policy/aad-sign-in-policy-all_users_disabled.json b/rules/findings/Active Directory/Policy/aad-sign-in-policy-all_users_disabled.json new file mode 100644 index 00000000..074e220d --- /dev/null +++ b/rules/findings/Active Directory/Policy/aad-sign-in-policy-all_users_disabled.json 
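Review bot: The two conditions are joined with `and`, so a tenant is reported only when `isAllowlist` is `true` AND `targetedDomains.Count` is `0`; the common non-compliant states — no collaboration restriction at all, or a blocklist, where `isAllowlist` is presumably `false` — are never reported. Unless the collector normalises the default into exactly that shape, the intent is `or`: `["or", ["isAllowlist", "eq", "false"], ["targetedDomains.Count", "eq", "0"]]`. The rebeladmin reference about restricting the Azure AD admin portal is unrelated to collaboration domains, and `This could make harder collaboration` → `This could make collaboration harder`.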
@@ -0,0 +1,60 @@ +{ + "dashboard_name": "Active Directory", + "menu_name": "Active Directory", + "issue_name": "Ensure Azure AD Identity Protection sign-in risk policy is configured for all users", + "description": "Azure Active Directory Identity Protection sign-in risk detects risks in real-time and offline. A risky sign-in is an indicator for a sign-in attempt that might not have been performed by the legitimate owner of a user account.", + "rationale": "Turning on the sign-in risk policy ensures that suspicious sign-ins are challenged for multi-factor authentication.", + "impact": "When the policy triggers, the user will need MFA to access the account. In the case of a user who hasn't registered MFA on their account, they would be blocked from accessing their account. It is therefore recommended that the MFA registration policy be configured for all users who are a part of the Sign-in Risk policy.", + "remediation": " + ###### From Azure AD Portal + 1. Log in to https://aad.portal.azure.com as a Global Administrator. + 2. Select `Security`. + 3. Select `Identity Protection`. + 4. Select `Sign-in risk policy`. + 5. Set the following conditions within the policy. + * Under Users or workload identities choose `All users` + * Under `Sign-in risk` set the appropriate level. + * Under `Access` select `Allow access` then in the right pane select `Require multi-factor authentication`. + 6. Click `Done` + 7. In `Enforce Policy` set `On`. 
+ ", + "references": [ + "https://docs.microsoft.com/en-us/azure/active-directory/authentication/tutorial-risk-based-sspr-mfa" + ], + "compliance": [ + { + "name": "CIS Microsoft 365 Foundations", + "version": "1.4.0", + "reference": "1.1.8" + } + ], + "tags": [ + "Microsoft 365 CIS benchmark 1.1.8" + ], + "path": "aad_domain_policies", + "display_path": "aad_domain_policies", + "conditions": [ + "and", + [ + "displayName", + "eq", + "Sign-In Risk Policy" + ], + [ + "policyDetail.AuthenticationPolicies.AuthenticationMethodPolicy.Mode", + "eq", + "enabled" + ], + [ + "policyDetail.AuthenticationPolicies.AuthenticationMethodPolicy.RequiredUserAuthenticationMethod", + "eq", + "mfa" + ], + [ + "policyDetail.AuthenticationPolicies.AuthenticationMethodPolicy.IncludeConditions.users" + ] + + ], + "removeIfNotExists": "true", + "id_suffix": "aad_signIn_Policy_all_users_disabled" +} diff --git a/rules/findings/Active Directory/Policy/aad-sign-in-policy-disabled.json b/rules/findings/Active Directory/Policy/aad-sign-in-policy-disabled.json new file mode 100644 index 00000000..06767723 --- /dev/null +++ b/rules/findings/Active Directory/Policy/aad-sign-in-policy-disabled.json 
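Review bot: The last condition, `["policyDetail.AuthenticationPolicies.AuthenticationMethodPolicy.IncludeConditions.users"]`, has no operator or value, unlike every other `[field, op, value]` triple in these rules, so it either errors or is silently ignored; presumably `["…IncludeConditions.users", "eq", "All"]` (or whatever value the collector uses for the all-users scope) was intended. The conditions otherwise describe the compliant state (mode enabled, MFA required) while `id_suffix` ends in `_disabled` and `removeIfNotExists` is set, so a comment-bearing field explaining that the finding is raised when no policy satisfies these conditions would save the next reader a trip into the engine. `tags` carries `Microsoft 365 CIS benchmark 1.1.8` here but is `null` in the other CIS-mapped rules — pick one convention.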
@@ -0,0 +1,51 @@ +{ + "dashboard_name": "Active Directory", + "menu_name": "Active Directory", + "issue_name": "Ensure Azure AD Identity Protection sign-in risk policy is enabled", + "description": "Azure Active Directory Identity Protection sign-in risk detects risks in real-time and offline. A risky sign-in is an indicator for a sign-in attempt that might not have been performed by the legitimate owner of a user account.", + "rationale": "Turning on the sign-in risk policy ensures that suspicious sign-ins are challenged for multi-factor authentication.", + "impact": "When the policy triggers, the user will need MFA to access the account. In the case of a user who hasn't registered MFA on their account, they would be blocked from accessing their account. It is therefore recommended that the MFA registration policy be configured for all users who are a part of the Sign-in Risk policy.", + "remediation": " + ###### From Azure AD Portal + 1. Log in to https://aad.portal.azure.com as a Global Administrator. + 2. Select `Security`. + 3. Select `Identity Protection`. + 4. Select `Sign-in risk policy`. + 5. Set the following conditions within the policy. + * Under Users or workload identities choose `All users` + * Under `Sign-in risk` set the appropriate level. + * Under `Access` select `Allow access` then in the right pane select `Require multi-factor authentication`. + 6. Click `Done` + 7. In `Enforce Policy` set `On`. 
+ ", + "references": [ + "https://docs.microsoft.com/en-us/azure/active-directory/authentication/tutorial-risk-based-sspr-mfa" + ], + "compliance": [ + { + "name": "CIS Microsoft 365 Foundations", + "version": "1.4.0", + "reference": "1.1.8" + } + ], + "tags": [ + "Microsoft 365 CIS benchmark 1.1.8" + ], + "path": "aad_domain_policies", + "display_path": "aad_domain_policies", + "conditions": [ + "and", + [ + "displayName", + "eq", + "Sign-In Risk Policy" + ] + + ], + "shouldExist": "true", + "returnObject": { + "PolicyName": "Sign-In risk policy", + "Status": "DoesNotExists" + }, + "id_suffix": "aad_signIn_Policy_disabled" +} diff --git a/rules/findings/Active Directory/Policy/aad-stay_signed_policy-disabled.json b/rules/findings/Active Directory/Policy/aad-stay_signed_policy-disabled.json new file mode 100644 index 00000000..5394bbce --- /dev/null +++ b/rules/findings/Active Directory/Policy/aad-stay_signed_policy-disabled.json 
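Review bot: The only condition is `displayName eq "Sign-In Risk Policy"`, so with `shouldExist` this rule checks that a policy object exists, not that it is enabled as the title says; a policy can exist with its mode off and still pass, so either retitle it `Ensure Azure AD Identity Protection sign-in risk policy exists` or include the `...AuthenticationMethodPolicy.Mode eq enabled` clause used in the sibling rule (assuming an existence check can carry extra clauses). `returnObject.Status` has a typo: `DoesNotExists` → `DoesNotExist`. The exact-case match on `Sign-In Risk Policy` is fragile if the legacy policy's display name differs — confirm against collected data.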
@@ -0,0 +1,48 @@ +{ + "dashboard_name": "Active Directory", + "menu_name": "Active Directory", + "issue_name": "Ensure the option to stay signed in is disabled", + "description": "The option for the user to `Stay signed in` or the `Keep me signed in` option will prompt a user after a successful login, when the user selects this option a persistent refresh token is created. Typically this lasts for 90 days and does not prompt for sign-in or Multi-Factor.", + "rationale": "Allowing users to select this option presents risk, especially in the even that the user signs into their account on a publicly accessible computer/web browser. In this case anyone with access to the profile said users utilized would have access to their account when directing the web browser to office.com.", + "impact": "Once you have changed this setting users will no longer be prompted upon sign-in with the message `Stay signed in?`. This may mean users will be forced to sign in more frequently. Important: some features of SharePoint Online and Office 2010 have a dependency on users remaining signed in. If you hide this option, users may get additional and unexpected sign in prompts.", + "remediation": " + ###### From Azure Portal + 1. Go to `Azure Active Directory` + 2. Scroll down and select `Company branding` under `Manage` followed by the appropriate policy. + * If no policy exists you will need to create one. + 3. Scroll to the bottom of the newly opened pane and ensure Show option to `remain signed` in is set to `No`. + 4. Click `Save`. 
+ ", + "references": [ + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/customize-branding" + ], + "compliance": [ + { + "name": "CIS Microsoft 365 Foundations", + "version": "1.4.0", + "reference": "1.1.16" + } + ], + "tags": null, + "path": "aad_company_branding", + "display_path": "aad_company_branding", + "conditions": [ + "and", + [ + "isConfigured", + "eq", + "true" + ], + [ + "hideKeepMeSignedIn", + "eq", + "true" + ] + ], + "shouldExist": "true", + "returnObject": { + "PolicyName": "Hide Keep Me Signed-In option", + "Status": "Disabled" + }, + "id_suffix": "aad_keep_me_sign_disabled" +} diff --git a/rules/findings/Active Directory/Policy/aad-user-risk-policy-all_users_disabled.json b/rules/findings/Active Directory/Policy/aad-user-risk-policy-all_users_disabled.json new file mode 100644 index 00000000..ee6c8871 --- /dev/null +++ b/rules/findings/Active Directory/Policy/aad-user-risk-policy-all_users_disabled.json 
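Review bot: With `shouldExist` set, the finding presumably fires when no branding entry has both `isConfigured` and `hideKeepMeSignedIn` true, yet `returnObject.Status` reports the ambiguous `Disabled`; a clearer value such as `"Status": "KeepMeSignedInOptionShown"`, or a note that `Disabled` refers to the hide option, would prevent misreading it as the feature being off. The `isConfigured` field is not a standard branding property as far as this hunk shows — presumably set by the collector — so note that dependency so the rule is not silently broken if the collector changes. Typos: `in the even that` → `in the event that`, and step 3's backticks should wrap the whole label: `Show option to remain signed in`.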
@@ -0,0 +1,60 @@ +{ + "dashboard_name": "Active Directory", + "menu_name": "Active Directory", + "issue_name": "Ensure Azure AD Identity Protection user risk policy is configured for all users", + "description": "Azure Active Directory Identity Protection user risk policies detect the probability that a user account has been compromised.", + "rationale": "With the user risk policy turned on, Azure AD detects the probability that a user account has been compromised. As an administrator, you can configure a user risk conditional access policy to automatically respond to a specific user risk level. For example, you can block access to your resources or require a password change to get a user account back into a clean state.", + "impact": "When the policy triggers, access to the account will either be blocked or the user would be required to use multi-factor authentication and change their password. Users who haven't registered MFA on their account will be blocked from accessing it. If account access is blocked, an admin would need to recover the account. It is therefore recommended that the MFA registration policy be configured for all users who are a part of the User Risk policy.", + "remediation": " + ###### From Azure AD Portal + 1. Log in to https://aad.portal.azure.com as a Global Administrator. + 2. Select `Security`. + 3. Select `Identity Protection`. + 4. Select `User risk policy`. + 5. Set the following conditions within the policy. + * Under Users or workload identities choose `All users` + * Under `User risk` set the appropriate level. + * Under `Access` select `Allow access` then in the right pane select `Require password change`. + 6. Click `Done` + 7. In `Enforce Policy` set `On`. 
+ ", + "references": [ + "https://docs.microsoft.com/en-us/azure/active-directory/authentication/tutorial-risk-based-sspr-mfa" + ], + "compliance": [ + { + "name": "CIS Microsoft 365 Foundations", + "version": "1.4.0", + "reference": "1.1.8" + } + ], + "tags": [ + "Microsoft 365 CIS benchmark 1.1.8" + ], + "path": "aad_domain_policies", + "display_path": "aad_domain_policies", + "conditions": [ + "and", + [ + "displayName", + "eq", + "User Risk and MFA Registration Policy" + ], + [ + "policyDetail.SecurityPolicy.AccountCompromiseRiskPolicies.mode", + "eq", + "enabled" + ], + [ + "policyDetail.SecurityPolicy.AccountCompromiseRiskPolicies.requiredActions", + "eq", + "mfa_pwd_change" + ], + [ + "policyDetail.SecurityPolicy.AccountCompromiseRiskPolicies.IncludeConditions.Users" + ] + + ], + "removeIfNotExists": "true", + "id_suffix": "aad_user_risk_policy_all_users_disabled" +} diff --git a/rules/findings/Active Directory/Policy/aad-user-risk-policy-disabled.json b/rules/findings/Active Directory/Policy/aad-user-risk-policy-disabled.json new file mode 100644 index 00000000..fe7ac7da --- /dev/null +++ b/rules/findings/Active Directory/Policy/aad-user-risk-policy-disabled.json 
@@ -0,0 +1,51 @@ +{ + "dashboard_name": "Active Directory", + "menu_name": "Active Directory", + "issue_name": "Ensure Azure AD Identity Protection user risk policy is enabled", + "description": "Azure Active Directory Identity Protection user risk policies detect the probability that a user account has been compromised.", + "rationale": "With the user risk policy turned on, Azure AD detects the probability that a user account has been compromised. As an administrator, you can configure a user risk conditional access policy to automatically respond to a specific user risk level. For example, you can block access to your resources or require a password change to get a user account back into a clean state.", + "impact": "When the policy triggers, access to the account will either be blocked or the user would be required to use multi-factor authentication and change their password. Users who haven't registered MFA on their account will be blocked from accessing it. If account access is blocked, an admin would need to recover the account. It is therefore recommended that the MFA registration policy be configured for all users who are a part of the User Risk policy.", + "remediation": " + ###### From Azure AD Portal + 1. Log in to https://aad.portal.azure.com as a Global Administrator. + 2. Select `Security`. + 3. Select `Identity Protection`. + 4. Select `User risk policy`. + 5. Set the following conditions within the policy. + * Under Users or workload identities choose `All users` + * Under `User risk` set the appropriate level. + * Under `Access` select `Allow access` then in the right pane select `Require password change`. + 6. Click `Done` + 7. In `Enforce Policy` set `On`. 
+ ", + "references": [ + "https://docs.microsoft.com/en-us/azure/active-directory/authentication/tutorial-risk-based-sspr-mfa" + ], + "compliance": [ + { + "name": "CIS Microsoft 365 Foundations", + "version": "1.4.0", + "reference": "1.1.8" + } + ], + "tags": [ + "Microsoft 365 CIS benchmark 1.1.8" + ], + "path": "aad_domain_policies", + "display_path": "aad_domain_policies", + "conditions": [ + "and", + [ + "displayName", + "eq", + "Sign-In Risk Policy" + ] + + ], + "shouldExist": "true", + "returnObject": { + "PolicyName": "User risk policy", + "Status": "DoesNotExists" + }, + "id_suffix": "aad_user_risk_policy_disabled" +} diff --git a/rules/findings/Active Directory/SSPR/aad-sspr-disabled.json b/rules/findings/Active Directory/SSPR/aad-sspr-disabled.json new file mode 100644 index 00000000..f26cb32c --- /dev/null +++ b/rules/findings/Active Directory/SSPR/aad-sspr-disabled.json 
@@ -0,0 +1,33 @@ +{ + "dashboard_name": "Active Directory", + "menu_name": "Active Directory", + "issue_name": "Enable Self-Service Password reset to allow users to reset their own passwords in Azure AD.", + "description": "Enabling self-service password reset allows users to reset their own passwords in Azure AD. When your users sign in to Microsoft 365, they will be prompted to enter additional contact information that will help them reset their password in the future. If combined registration is enabled additional information, outside of multi-factor, will not be needed. As of August 2020 combined registration is enabled by default.", + "rationale": "Users will no longer need to engage the helpdesk for password resets, and the password reset mechanism will automatically block common, easily guessable passwords.", + "impact": "The impact associated with this setting is that users will be required to provide additional contact information to enroll in self-service password reset. Additionally, minor user education may be required for users that are used to calling a help desk for assistance with password resets. As of August of 2020 combined registration is automatic for new tenants therefor users will not need to register for password reset separately from multi-factor authentication.", + "remediation": null, + "references": [ + "https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-howitworks" + ], + "compliance": [ + { + "name": "CIS Microsoft 365 Foundations", + "version": "1.4.0", + "reference": "1.1.4" + } + ], + "tags": [ + "Microsoft 365 CIS benchmark 1.1.4" + ], + "path": "aad_password_reset_policy", + "display_path": "aad_password_reset_policy", + "conditions": [ + "and", + [ + "enablementType", + "eq", + "0" + ] + ], + "id_suffix": "aad_sspr_disabled" +} 
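Review bot: `remediation` is null here while the neighbouring SSPR rules carry portal steps, and CIS M365 1.1.4, which this rule cites in `compliance`, does have a remediation procedure, so the report will show an empty remediation pane for this finding. Suggest adding a `###### From Azure Portal` step list in the same style as the other rules in this directory (navigate to the password reset settings and enable self-service password reset for the intended scope). Also `therefor` in the impact text should read `therefore`.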
diff --git a/rules/findings/Active Directory/SSPR/azure-activedirectory-sspr-mfa-reconfirm-days.json b/rules/findings/Active Directory/SSPR/azure-activedirectory-sspr-mfa-reconfirm-days.json new file mode 100644 index 00000000..806b80ed --- /dev/null +++ b/rules/findings/Active Directory/SSPR/azure-activedirectory-sspr-mfa-reconfirm-days.json 
@@ -0,0 +1,48 @@ +{ + "dashboard_name": "Active Directory", + "menu_name": "Active Directory", + "issue_name": 'Ensure That "Number of days before users are asked to re-confirm their authentication information" is set to "0"', + "description": "Ensure that the number of days before users are asked to re-confirm their authentication information is not set to 0.", + "rationale": "This setting is necessary if you have setup 'Require users to register when signing in option'. If authentication re-confirmation is disabled, registered users will never be prompted to re-confirm their existing authentication information. If the authentication information for a user, such as a phone number or email changes, then the password reset information for that user reverts to the previously registered authentication information.", + "impact": "", + "remediation": " + ###### From Azure Console + 1. Go to `Azure Active Directory` + 2. Go to `Users` + 3. Go to `Password reset` + 4. Go to `Registration` + 4. 
Ensure that `Number of days before users are asked to re-confirm their authentication information` is not set to `0` + ", + "references": [ + "https://docs.microsoft.com/en-us/azure/active-directory/active-directory-passwords-how-it-works#notifications", + "https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-sspr-deployment", + "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-6-define-identity-and-privileged-access-strategy" + ], + "compliance": [ + { + "name": "CIS Microsoft Azure Foundations", + "version": "1.4.0", + "reference": "1.6" + } + ], + "tags": [ + "Microsoft 365 CIS benchmark 1.6", + "CIS Microsoft Azure Foundations" + ], + "path": "aad_password_reset_policy", + "display_path": "aad_password_reset_policy", + "conditions": [ + "and", + [ + "enablementType", + "ne", + "0" + ], + [ + "registrationReconfirmIntevalInDays", + "eq", + "0" + ] + ], + "id_suffix": "aad_sspr_mfa_auth_reconfirm_disabled" +} diff --git a/rules/findings/Active Directory/SSPR/azure-activedirectory-sspr-notify-admin-disabled.json b/rules/findings/Active Directory/SSPR/azure-activedirectory-sspr-notify-admin-disabled.json new file mode 100644 index 00000000..7c872e99 --- /dev/null +++ b/rules/findings/Active Directory/SSPR/azure-activedirectory-sspr-notify-admin-disabled.json 
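Review bot: The `issue_name` says the setting `is set to "0"` while the `description`, the remediation step and the condition `["registrationReconfirmIntevalInDays", "eq", "0"]` all treat 0 as the non-compliant value, so the title states the opposite of what the finding reports; `'Ensure That "Number of days before users are asked to re-confirm their authentication information" is not set to "0"'` matches the rest of the rule. The property name `registrationReconfirmIntevalInDays` reads like a misspelling of `Interval`; if it does not match the key the collector emits the condition never fires, so verify it against the collected object rather than correcting it blindly. The `tags` entry `Microsoft 365 CIS benchmark 1.6` contradicts the `compliance` block, which cites CIS Microsoft Azure Foundations 1.6; the same tag/compliance mismatch is in sspr-notify-admin-disabled, sspr-notify-users-disabled and sspr-reset-methods. The remediation list also numbers two consecutive steps `4.`, which recurs in those three files and in the two users-can-* rules.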
@@ -0,0 +1,46 @@ +{ + "dashboard_name": "Active Directory", + "menu_name": "Active Directory", + "issue_name": 'Ensure that "Notify all admins when other admins reset their password?" is set to "Yes"', + "description": "Ensure that all administrators are notified if any other administrator resets their password.", + "rationale": "Administrator accounts are sensitive. Any password reset activity notification, when sent to all administrators, ensures that all administrators can passively confirm if such a reset is a common pattern within their group. For example, if all administrators change their password every 30 days, any password reset activity before that may require administrator(s) to evaluate any unusual activity and confirm its origin.", + "impact": null, + "remediation": " + ###### From Azure Console + 1. Go to `Azure Active Directory` + 2. Go to `Users` + 3. Go to `Password reset` + 4. Go to `Notification` + 4. Click on `Notify all admins when other admins reset their password?` to `Yes` + ", + "references": [ + "https://docs.microsoft.com/en-us/azure/active-directory/active-directory-passwords-how-it-works#notifications", + "https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-sspr-deployment", + "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-6-define-identity-and-privileged-access-strategy", + "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-1-protect-and-limit-highly-privileged-users", + "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-2-restrict-administrative-access-to-business-criticalsystems" + + ], + "compliance": [ + { + "name": "CIS Microsoft Azure Foundations", + "version": "1.3.1", + "reference": "1.1.8" + } + ], + "tags": [ + "Microsoft 365 CIS benchmark 1.1.4", + "CIS Microsoft Azure Foundations" + ], + "path": "aad_password_reset_policy", + "display_path": 
"aad_password_reset_policy", + "conditions": [ + "and", + [ + "notifyOnAdminPasswordReset", + "ne", + "true" + ] + ], + "id_suffix": "aad_sspr_notify_admins_disabled" +} diff --git a/rules/findings/Active Directory/SSPR/azure-activedirectory-sspr-notify-users-disabled.json b/rules/findings/Active Directory/SSPR/azure-activedirectory-sspr-notify-users-disabled.json new file mode 100644 index 00000000..f9356362 --- /dev/null +++ b/rules/findings/Active Directory/SSPR/azure-activedirectory-sspr-notify-users-disabled.json 
@@ -0,0 +1,43 @@ +{ + "dashboard_name": "Active Directory", + "menu_name": "Active Directory", + "issue_name": 'Ensure that "Notify users on password resets?" is set to "Yes"', + "description": "Ensure that users are notified on their primary and secondary emails on password resets.", + "rationale": "User notification on password reset is a passive way of confirming password reset activity. It helps the user to recognize unauthorized password reset activities.", + "impact": null, + "remediation": " + ###### From Azure Console + 1. Go to `Azure Active Directory` + 2. Go to `Users` + 3. Go to `Password reset` + 4. Go to `Notification` + 4. Click on `Notify users on password resets?` to `Yes` + ", + "references": [ + "https://docs.microsoft.com/en-us/azure/active-directory/active-directory-passwords-how-it-works#notifications", + "https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-sspr-deployment", + "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-6-define-identity-and-privileged-access-strategy" + ], + "compliance": [ + { + "name": "CIS Microsoft Azure Foundations", + "version": "1.3.1", + "reference": "1.1.7" + } + ], + "tags": [ + "Microsoft 365 CIS benchmark 1.1.4", + "CIS Microsoft Azure Foundations" + ], + "path": "aad_password_reset_policy", + "display_path": "aad_password_reset_policy", + "conditions": [ + "and", + [ + "notifyUsersOnPasswordReset", + "ne", + "true" + ] + ], + "id_suffix": "aad_sspr_notify_users_disabled" +} diff --git a/rules/findings/Active Directory/SSPR/azure-activedirectory-sspr-reset-methods.json b/rules/findings/Active Directory/SSPR/azure-activedirectory-sspr-reset-methods.json new file mode 100644 index 00000000..12262020 --- /dev/null +++ b/rules/findings/Active Directory/SSPR/azure-activedirectory-sspr-reset-methods.json 
@@ -0,0 +1,48 @@ +{ + "dashboard_name": "Active Directory", + "menu_name": "Active Directory", + "issue_name": 'Ensure That "Number of methods required to reset" is set to "2"', + "description": "Ensures that two alternate forms of identification are provided before allowing a password reset.", + "rationale": "With a Self-service Password Reset (SSPR) that uses Azure Multi-factor Authentication (MFA) ensures the user's identity is confirmed using two separate methods of identification. With multiple methods set, an attacker would have to compromise both methods before they could maliciously reset a user's password.", + "impact": "There may be administrative overhead as users who lose access to their secondary authentication methods will need an administrator with permissions to remove it. There will also need to be an organization wide security policy and training to teach administrators to verify the identity of the requesting user, so that social engineering can not render this setting useless.", + "remediation": " + ###### From Azure Console + 1. Go to `Azure Active Directory` + 2. Go to `Users` + 3. Go to `Password reset` + 4. Go to `Authentication methods` + 4. 
Ensure that `Number of methods required to reset` is set to `2` + ", + "references": [ + "https://docs.microsoft.com/en-us/azure/active-directory/active-directory-passwords-how-it-works#notifications", + "https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-sspr-deployment", + "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-6-define-identity-and-privileged-access-strategy" + ], + "compliance": [ + { + "name": "CIS Microsoft Azure Foundations", + "version": "1.4.0", + "reference": "1.5" + } + ], + "tags": [ + "Microsoft 365 CIS benchmark 1.5", + "CIS Microsoft Azure Foundations" + ], + "path": "aad_password_reset_policy", + "display_path": "aad_password_reset_policy", + "conditions": [ + "and", + [ + "enablementType", + "ne", + "0" + ], + [ + "numberOfAuthenticationMethodsRequired", + "ge", + "2" + ] + ], + "id_suffix": "aad_sspr_auth_methods_not_enforced" +} diff --git a/rules/findings/Active Directory/Users/azure-activedirectory-users-can-add-gallery-apps.json b/rules/findings/Active Directory/Users/azure-activedirectory-users-can-add-gallery-apps.json new file mode 100644 index 00000000..ffb5eb40 --- /dev/null +++ b/rules/findings/Active Directory/Users/azure-activedirectory-users-can-add-gallery-apps.json 
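Review bot: With `["numberOfAuthenticationMethodsRequired", "ge", "2"]` the rule matches tenants that already require two methods, i.e. the compliant state, and does not match a tenant requiring only one; given the `id_suffix` `aad_sspr_auth_methods_not_enforced` and the convention in the sibling rules (conditions describe the bad state, e.g. `enablementType eq 0` for SSPR disabled), the operator looks inverted. `["numberOfAuthenticationMethodsRequired", "lt", "2"]` would report the finding when fewer than two methods are required, assuming `lt` is a supported operator (`ne` otherwise). Worth confirming against a tenant that still has the default single method before merging.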
@@ -0,0 +1,44 @@ +{ + "dashboard_name": "Active Directory", + "menu_name": "Active Directory", + "issue_name": "Ensure that 'Users can add gallery apps to their Access Panel' is set to 'No'", + "description": "Consider to prevent users from registering Gallery applications.", + "rationale": "Unless Azure Active Directory is running as an identity provider for third-party applications, do not allow users to use their identity outside of your cloud environment. User profiles contain private information such as phone numbers and email addresses which could then be sold off to other third parties without requiring any further consent from the user.", + "impact": "It might be an additional request that administrators need to fulfill quite often.", + "remediation": " + ###### From Azure Console + 1. Go to `Azure Active Directory` + 2. Go to `Users` + 3. Go to `User settings` + 4. Click on `Manage how end users launch and view their applications` + 4. Set `Users can add gallery apps to their Access Panel` to `No` + ", + "references": [ + "https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/methods-for-assigning-users-and-groups", + "https://ezcloudinfo.com/2019/01/22/configure-access-panel-in-azure-active-directory/", + "https://blogs.msdn.microsoft.com/exchangedev/2014/06/05/managing-user-consent-for-applications-using-office-365-apis/", + "https://nicksnettravels.builttoroam.com/post/2017/01/24/Admin-Consent-for-Permissions-in-Azure-Active-Directory.aspx", + "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-1-define-asset-management-and-data-protection-strategy", + "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-1-protect-and-limit-highly-privileged-users", + "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-2-restrict-administrative-access-to-business-critical-systems" + ], + "compliance": [ + { 
+ "name": "CIS Microsoft Azure Foundations", + "version": "1.1.0", + "reference": "1.10" + } + ], + "tags": null, + "path": "aad_managed_app_user_settings", + "display_path": "aad_managed_app_user_settings", + "conditions": [ + "and", + [ + "usersCanAddGalleryApps", + "eq", + "True" + ] + ], + "id_suffix": "aad_require_admins_gallery_apps" +} diff --git a/rules/findings/Active Directory/Users/azure-activedirectory-users-can-consent-apps-data-access.json b/rules/findings/Active Directory/Users/azure-activedirectory-users-can-consent-apps-data-access.json new file mode 100644 index 00000000..315e5957 --- /dev/null +++ b/rules/findings/Active Directory/Users/azure-activedirectory-users-can-consent-apps-data-access.json 
@@ -0,0 +1,47 @@ +{ + "dashboard_name": "Active Directory", + "menu_name": "Active Directory", + "issue_name": "Ensure that 'Users can consent to apps accessing company data on their behalf' is set to 'No'", + "description": "Consider to prevent regular users from consenting to applications on their own behalf. Once this feature is disabled, an administrator will be required to consent to any new application a user needs to use.", + "rationale": "Unless Azure Active Directory is running as an identity provider for third-party applications, do not allow users to use their identity outside of the cloud environment. User profiles contain private information such as phone numbers and email addresses which could then be sold off to other third parties without requiring any further consent from the user.", + "impact": "It might be an additional request that administrators need to fulfill quite often.", + "remediation": " + ###### From Azure Console + 1. Go to `Azure Active Directory` + 2. Go to `Users` + 3. Go to `User settings` + 4. Click on `Manage how end users launch and view their applications` + 4. 
Set ` Users can consent to apps accessing company data on their behalf` to `No` + ", + "references": [ + "https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/methods-for-assigning-users-and-groups", + "https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-how-applications-are-added", + "https://ezcloudinfo.com/2019/01/22/configure-access-panel-in-azure-active-directory/", + "https://blogs.msdn.microsoft.com/exchangedev/2014/06/05/managing-user-consent-for-applications-using-office-365-apis/", + "https://nicksnettravels.builttoroam.com/post/2017/01/24/Admin-Consent-for-Permissions-in-Azure-Active-Directory.aspx", + "https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/configure-user-consent#configure-user-consent-to-applications", + "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-1-protect-and-limit-highly-privileged-users", + "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-2-restrict-administrative-access-to-business-critical-systems", + "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-2-define-enterprise-segmentation-strategy", + "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-6-define-identity-and-privileged-access-strategy" + ], + "compliance": [ + { + "name": "CIS Microsoft Azure Foundations", + "version": "1.1.0", + "reference": "1.9" + } + ], + "tags": null, + "path": "aad_managed_app_user_settings", + "display_path": "aad_managed_app_user_settings", + "conditions": [ + "and", + [ + "usersCanAllowAppsToAccessData", + "eq", + "True" + ] + ], + "id_suffix": "aad_require_admin_consent_apps" +} 
diff --git a/rules/findings/Active Directory/Users/azure-activedirectory-users-can-register-apps-enabled.json b/rules/findings/Active Directory/Users/azure-activedirectory-users-can-register-apps-enabled.json new file mode 100644 index 00000000..03a99233 --- /dev/null +++ b/rules/findings/Active Directory/Users/azure-activedirectory-users-can-register-apps-enabled.json 
@@ -0,0 +1,43 @@ +{ + "dashboard_name": "Active Directory", + "menu_name": "Active Directory", + "issue_name": "Ensure that 'Users can register applications' is set to 'No'", + "description": "Consider to require that only administrators can register third-party applications.", + "rationale": "It is recommended to only allow an administrator to register custom-developed applications. This ensures that the application undergoes a formal security review and approval process prior to exposing Azure Active Directory data to the application.", + "impact": "Enforcing this setting will create additional requests for approval that will need to be addressed by an administrator.", + "remediation": " + ###### From Azure Console + 1. Go to `Azure Active Directory` + 2. Go to `Users` + 3. Go to `User settings` + 4. Ensure that `Users can register applications` is set to `No` + ", + "references": [ + "https://docs.microsoft.com/en-us/azure/active-directory/roles/delegate-app-roles#restrict-who-can-create-applications", + "https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-how-applications-are-added#who-has-permission-to-add-applications-to-my-azure-ad-instance", + "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-1-define-asset-management-and-data-protection-strategy", + "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-1-protect-and-limit-highly-privileged-users", + "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-2-restrict-administrative-access-to-business-critical-systems", + "https://blogs.msdn.microsoft.com/exchangedev/2014/06/05/managing-user-consent-for-applications-using-office-365-apis/", + "https://nicksnettravels.builttoroam.com/post/2017/01/24/Admin-Consent-for-Permissions-in-Azure-Active-Directory.aspx" + ], + "compliance": [ + { + "name": "CIS Microsoft Azure Foundations", + 
"version": "1.4.0", + "reference": "1.11" + } + ], + "tags": null, + "path": "aad_auth_policy", + "display_path": "aad_auth_policy", + "conditions": [ + "and", + [ + "TenantAuthPolicy.defaultUserRolePermissions.allowedToCreateApps", + "eq", + "True" + ] + ], + "id_suffix": "aad_users_can_register_apps_enabled" +} diff --git a/rules/findings/Azure/Activity Log/azure-activity-log-disabled-alerts.json b/rules/findings/Azure/Activity Log/azure-activity-log-disabled-alerts.json new file mode 100644 index 00000000..b2003411 --- /dev/null +++ b/rules/findings/Azure/Activity Log/azure-activity-log-disabled-alerts.json @@ -0,0 +1,25 @@ +{ + "arg_names": [ "Alert name", "Operation Name", "Enabled", "compliance_version", "rationale" ], + "menu_name": "Subscription", + "dashboard_name": "Azure Alerts", + "issue_name": "_ARG_0_ disabled alert", + "description": '_ARG_0_ alert was not enabled at subscription level. _ARG_4_', + "rationale": null, + "references": ["https://docs.microsoft.com/en-us/azure/azure-monitor/platform/activity-log-collect"], + "compliance": [ + {"name": "CIS Microsoft Azure Foundations", "version": "1.4.0", "reference": "_ARG_3_"} + ], + "path": "az_monitor_alerts", + "display_path": "az_monitor_alerts", + "conditions": [ "and", + ["operationName", "eq", "_ARG_1_"], + ["and", + [ "and", + ["operationName", "eq", "_ARG_1_"], + ["enabled", "ne", "_ARG_2_"] + ] + ] + ], + "removeIfNotExists": "true", + "id_suffix": "azure_monitor_alert_disabled" +} \ No newline at end of file diff --git a/rules/findings/Azure/Activity Log/azure-activity-log-missing-alerts.json b/rules/findings/Azure/Activity Log/azure-activity-log-missing-alerts.json new file mode 100644 index 00000000..32237872 --- /dev/null +++ b/rules/findings/Azure/Activity Log/azure-activity-log-missing-alerts.json 
@@ -0,0 +1,41 @@ +{ + "arg_names": [ "Alert name", "Operation Name", "additional_reference", "compliance_version", "rationale", "additional_compliance" ], + "dashboard_name": "Azure Alerts", + "menu_name": "Subscription", + "issue_name": "_ARG_0_ missing alert", + "description": "_ARG_0_ alert was missing. Consider to add and enable this alert. _ARG_4_", + "rationale": null, + "impact": null, + "remediation": null, + "references": [ + "https://docs.microsoft.com/en-us/azure/azure-monitor/platform/activity-log-collect", + "_ARG_2_" + ], + "compliance": [ + { + "name": "CIS Microsoft Azure Foundations", + "version": "1.4.0", + "reference": "_ARG_3_" + }, + [ + "_ARG_5_" + ] + ], + "tags": null, + "path": "az_monitor_alerts", + "display_path": "az_monitor_alerts", + "conditions": [ + "and", + [ + "operationName", + "eq", + "_ARG_1_" + ] + ], + "id_suffix": "azure_monitor_alert_missing_rule", + "shouldExist": "true", + "returnObject": { + "operationName": "_ARG_1_", + "Status": "DoesNotExists" + } +} diff --git a/rules/findings/Azure/App Services/azure-app-services-ad-managed-identity-missing.json b/rules/findings/Azure/App Services/azure-app-services-ad-managed-identity-missing.json new file mode 100644 index 00000000..0e0e062c --- /dev/null +++ b/rules/findings/Azure/App Services/azure-app-services-ad-managed-identity-missing.json 
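Review bot: `compliance` mixes an object with `name`/`version`/`reference` keys and a bare nested array `["_ARG_5_"]`, so a consumer that iterates `compliance` expecting objects with those three keys receives a string array as the second entry. If `_ARG_5_` is meant to carry an additional compliance mapping it should use the same object shape, and if a caller omits it the literal placeholder `_ARG_5_` (and likewise `_ARG_2_` in `references`) is emitted verbatim into the report. Consider documenting in `arg_names` which arguments are optional and how an empty argument renders, or dropping the extra slots until the loader supports optional arguments.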
@@ -0,0 +1,31 @@ +{ + "dashboard_name": "App Services", + "menu_name": "App Services", + "issue_name": "Register application service with Azure Active Directory", + "description": "Managed service identity in App Service makes the app more secure by eliminating secrets from the app, such as credentials in the connection strings. When registering with Azure Active Directory in the app service, the app will connect to other Azure services securely without the need of username and passwords. App Service provides a highly scalable, self-patching web hosting service in Azure. It also provides a managed identity for apps, which is a turn-key solution for securing access to Azure SQL Database and other Azure services.", + "rationale": "App Service provides a highly scalable, self-patching web hosting service in Azure. It also provides a managed identity for apps, which is a turn-key solution for securing access to Azure SQL Database and other Azure services.", + "impact": null, + "remediation": null, + "references": [ + "https://docs.microsoft.com/en-gb/azure/app-service/app-service-web-tutorial-connect-msi" + ], + "compliance": [ + { + "name": "CIS Microsoft Azure Foundations", + "version": "1.4.0", + "reference": "9.5" + } + ], + "tags": null, + "path": "az_app_services", + "display_path": "az_app_services", + "conditions": [ + "and", + [ + "identity.principalId", + "eq", + "" + ] + ], + "id_suffix": "app_service_missing_identity" +} diff --git a/rules/findings/Azure/App Services/azure-app-services-auth-disabled.json b/rules/findings/Azure/App Services/azure-app-services-auth-disabled.json new file mode 100644 index 00000000..02288e86 --- /dev/null +++ b/rules/findings/Azure/App Services/azure-app-services-auth-disabled.json 
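Review bot: `["identity.principalId", "eq", ""]` only catches an app whose `identity` block is present with an empty `principalId`; an app with no `identity` property at all, which is the usual shape for an app without a managed identity, resolves that path to null or absent, and whether the evaluator treats that as equal to `""` is not visible here. If it does not, the rule misses exactly the apps it is meant to report; an `or` with a second clause on `identity` itself, or an explicit null comparison if the evaluator offers one, would close that gap (confirm against the collected output for an app without an identity). Separately, `description` and `rationale` repeat the same two sentences; the rationale could be reduced to the reason the control matters.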
@@ -0,0 +1,31 @@ +{ + "dashboard_name": "App Services", + "menu_name": "App Services", + "issue_name": "Enable Application service authentication", + "description": "Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the API app, or authenticate those that have tokens before they reach the API app. If an anonymous request is received from a browser, App Service will redirect to a logon page. To handle the logon process, a choice from a set of identity providers can be made, or a custom authentication mechanism can be implemented. By Enabling App Service Authentication, every incoming HTTP request passes through it before being handled by the application code. It also handles authentication of users with the specified provider (Azure Active Directory, Facebook, Google, Microsoft Account, and Twitter), validation, storing and refreshing of tokens, managing the authenticated sessions and injecting identity information into request headers.", + "rationale": null, + "impact": null, + "remediation": null, + "references": [ + "https://docs.microsoft.com/en-us/azure/app-service/overview-authentication-authorization" + ], + "compliance": [ + { + "name": "CIS Microsoft Azure Foundations", + "version": "1.4.0", + "reference": "9.1" + } + ], + "tags": null, + "path": "az_app_services", + "display_path": "az_app_services", + "conditions": [ + "and", + [ + "configuration.properties.siteAuthEnabled", + "eq", + "false" + ] + ], + "id_suffix": "app_service_site_auth_disabled" +} diff --git a/rules/findings/Azure/App Services/azure-app-services-client-certificate-missing.json b/rules/findings/Azure/App Services/azure-app-services-client-certificate-missing.json new file mode 100644 index 00000000..0b22fe4e --- /dev/null +++ b/rules/findings/Azure/App Services/azure-app-services-client-certificate-missing.json 
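Review bot: `rationale`, `impact` and `remediation` are all null here, and the same three fields are null in app-services-client-certificate-missing and app-services-https-only-disabled, while app-services-ftp-deployment-enabled in the same directory documents portal steps; the report will render these findings without a fix procedure. CIS Azure Foundations 9.1, 9.4 and 9.2, which these rules cite, each carry remediation text, so at least `remediation` should be filled in using the same `###### From Azure Portal` step-list style, for this rule something like: open the app in App Services, select Authentication, and turn on App Service authentication.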
@@ -0,0 +1,31 @@ +{ + "dashboard_name": "App Services", + "menu_name": "App Services", + "issue_name": "Consider to configure mutual authentication on Application services", + "description": "Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. The TLS mutual authentication technique in enterprise environments ensures the authenticity of clients to the server. If incoming client certificates are enabled, then only an authenticated client who has valid certificates can access the app.", + "rationale": null, + "impact": null, + "remediation": null, + "references": [ + "https://docs.microsoft.com/en-us/azure/app-service/app-service-web-configure-tls-mutual-auth" + ], + "compliance": [ + { + "name": "CIS Microsoft Azure Foundations", + "version": "1.4.0", + "reference": "9.4" + } + ], + "tags": null, + "path": "az_app_services", + "display_path": "az_app_services", + "conditions": [ + "and", + [ + "properties.clientCertEnabled", + "eq", + "false" + ] + ], + "id_suffix": "app_service_missing_client_cert" +} diff --git a/rules/findings/Azure/App Services/azure-app-services-ftp-deployment-enabled.json b/rules/findings/Azure/App Services/azure-app-services-ftp-deployment-enabled.json new file mode 100644 index 00000000..75dc3c46 --- /dev/null +++ b/rules/findings/Azure/App Services/azure-app-services-ftp-deployment-enabled.json 
@@ -0,0 +1,39 @@
+{
+ "dashboard_name": "App Services",
+ "menu_name": "App Services",
+ "issue_name": "Ensure FTP deployments are Disabled",
+ "description": "By default, Azure Functions, Web and API Services can be deployed over FTP. If FTP is required for an essential deployment workflow, FTPS should be required for FTP login for all App Service Apps and Functions.",
+ "rationale": "Azure FTP deployment endpoints are public. An attacker listening to traffic on a wifi network used by a remote employee or a corporate network could see login traffic in clear-text which would then grant them full control of the code base of the app or service. This finding is more severe if User Credentials for deployment are set at the subscription level rather than using the default Application Credentials which are unique per App.",
+ "impact": "Any deployment workflows that rely on FTP or FTPs rather than the WebDeploy or HTTPs endpoints may be affected.",
+ "remediation": "
+ ###### Using From Azure Portal
+ 1. Go to the Azure Portal
+ 2. Select `App Services`
+ 3. Click on an `app`
+ 4. Select `Settings` and then `Configuration`
+ 5. Under `General Settings`, for the `Platform Settings`, the FTP state should be set to `Disabled` or `FTPS Only`
+
+ ",
+ "references": [
+ "https://docs.microsoft.com/en-us/azure/app-service/deploy-ftp?tabs=portal"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "1.4.0",
+ "reference": "9.10"
+ }
+ ],
+ "tags": null,
+ "path": "az_app_services",
+ "display_path": "az_app_services",
+ "conditions": [
+ "and",
+ [
+ "configuration.properties.ftpsState",
+ "eq",
+ "AllAllowed"
+ ]
+ ],
+ "id_suffix": "app_service_ftp_allowed"
+}
diff --git a/rules/findings/Azure/App Services/azure-app-services-https-only-disabled.json b/rules/findings/Azure/App Services/azure-app-services-https-only-disabled.json
new file mode 100644
index 00000000..fc62cd01
--- /dev/null
+++ b/rules/findings/Azure/App Services/azure-app-services-https-only-disabled.json
@@ -0,0 +1,31 @@
+{
+ "dashboard_name": "App Services",
+ "menu_name": "App Services",
+ "issue_name": "Enable HTTPS-Only on Application Service",
+ "description": "Azure Web Apps allows sites to run under both HTTP and HTTPS by default. Web apps can be accessed by anyone using non-secure HTTP links by default. Non-secure HTTP requests can be restricted and all HTTP requests redirected to the secure HTTPS port. It is recommended to enforce HTTPS-only traffic. Enabling HTTPS-only traffic will redirect all non-secure HTTP request to HTTPS ports. HTTPS uses the SSL/TLS protocol to provide a secure connection, which is both encrypted and authenticated. So it is important to support HTTPS for the security benefits.",
+ "rationale": null,
+ "impact": null,
+ "remediation": null,
+ "references": [
+ "https://docs.microsoft.com/en-us/azure/app-service/app-service-web-tutorial-custom-ssl"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "1.4.0",
+ "reference": "9.2"
+ }
+ ],
+ "tags": null,
+ "path": "az_app_services",
+ "display_path": "az_app_services",
+ "conditions": [
+ "and",
+ [
+ "properties.httpsOnly",
+ "eq",
+ "False"
+ ]
+ ],
+ "id_suffix": "app_service_httpsonly_disabled"
+}
diff --git a/rules/findings/Azure/App Services/azure-app-services-latest-http-version-disabled.json b/rules/findings/Azure/App Services/azure-app-services-latest-http-version-disabled.json
new file mode 100644
index 00000000..2b361d04
--- /dev/null
+++ b/rules/findings/Azure/App Services/azure-app-services-latest-http-version-disabled.json
@@ -0,0 +1,45 @@
+{
+ "dashboard_name": "App Services",
+ "menu_name": "App Services",
+ "issue_name": "Ensure that HTTP Version is the latest, if used to run the web app",
+ "description": "Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version.",
+ "rationale": "
+ Newer versions may contain security enhancements and additional functionality. Using the latest version is recommended in order to take advantage of enhancements and new capabilities. With each software installation, organizations need to determine if a given update meets their requirements and also verify the compatibility and support provided for any additional software against the update revision that is selected.
+ HTTP 2.0 has additional performance improvements on the head-of-line blocking problem of old HTTP version, header compression, and prioritization of requests. HTTP 2.0 no longer supports HTTP 1.1's chunked transfer encoding mechanism, as it provides its own, more efficient, mechanisms for data streaming.
+ ",
+ "impact": null,
+ "remediation": "
+ ###### From Azure Console
+ 1. Login to Azure Portal
+ 2. Go to `App Services`
+ 3. Click on each App
+ 4. Under `Setting` section, click on `Configuration`
+ 5. Set `HTTP version` to `2.0` under `General settings`
+
+ NOTE: Most modern browsers support HTTP 2.0 protocol over TLS only, while non-encrypted traffic continues to use HTTP 1.1. To ensure that client browsers connect to your app with HTTP/2, either buy an App Service Certificate for your app's custom domain or bind a third party certificate.
+ ",
+ "references": [
+ "https://docs.microsoft.com/en-us/azure/app-service/web-sites-configure#general-settings",
+ "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-posture-vulnerability-management#pv-7-rapidly-and-automatically-remediate-software-vulnerabilities",
+ "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-posture-vulnerability-management#pv-3-establish-secure-configurations-for-compute-resources"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "1.4.0",
+ "reference": "9.9"
+ }
+ ],
+ "tags": null,
+ "path": "az_app_services",
+ "display_path": "az_app_services",
+ "conditions": [
+ "and",
+ [
+ "configuration.properties.http20Enabled",
+ "eq",
+ "false"
+ ]
+ ],
+ "id_suffix": "app_service_http20_disabled"
+}
diff --git a/rules/findings/Azure/App Services/azure-app-services-latest-java-version-missing.json b/rules/findings/Azure/App Services/azure-app-services-latest-java-version-missing.json
new file mode 100644
index 00000000..873f419e
--- /dev/null
+++ b/rules/findings/Azure/App Services/azure-app-services-latest-java-version-missing.json
@@ -0,0 +1,42 @@
+{
+ "dashboard_name": "App Services",
+ "menu_name": "App Services",
+ "issue_name": "Ensure that \u0027Java version\u0027 is the latest, if used to run the web app",
+ "description": "Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the newer version.",
+ "rationale": null,
+ "impact": null,
+ "remediation": null,
+ "references": [
+ "https://docs.microsoft.com/en-us/azure/app-service/app-service-web-tutorial-custom-ssl"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "1.4.0",
+ "reference": "9.8"
+ }
+ ],
+ "tags": null,
+ "path": "az_app_services",
+ "display_path": "az_app_services",
+ "conditions": [
+ "and",
+ [
+ "kind",
+ "ne",
+ "functionapp"
+ ],
+ [
+ "and",
+ [
+ "or",
+ [
+ "configuration.properties.javaVersion",
+ "ne",
+ "1.11"
+ ]
+ ]
+ ]
+ ],
+ "id_suffix": "app_service_latest_java_missing"
+}
diff --git a/rules/findings/Azure/App Services/azure-app-services-latest-php-version-missing.json b/rules/findings/Azure/App Services/azure-app-services-latest-php-version-missing.json
new file mode 100644
index 00000000..07f3893f
--- /dev/null
+++ b/rules/findings/Azure/App Services/azure-app-services-latest-php-version-missing.json
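Review bot: The condition flags every non-function app whose `configuration.properties.javaVersion` differs from `1.11`, including apps that do not run Java at all (an empty or absent property still satisfies `ne`), so the "if used to run the web app" qualifier in the title is not enforced; the PHP and Python rules that follow have the same shape and the same problem. A guard that the stack is actually in use is needed, e.g. an `and` with `["configuration.properties.javaVersion", "ne", ""]` or a `like "JAVA*"` test on `linuxFxVersion`, unless the engine is known to treat an absent property as a non-match. Unlike the PHP and Python rules, this one has no `linuxFxVersion` branch, so Linux Java apps are judged on a property that only Windows apps populate. The reference URL is the custom-SSL tutorial, which has nothing to do with the Java runtime setting, and the same link is reused in the PHP, Python and TLS rules.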
@@ -0,0 +1,47 @@
+{
+ "dashboard_name": "App Services",
+ "menu_name": "App Services",
+ "issue_name": "Ensure that \u0027PHP version\u0027 is the latest, if used to run the web app",
+ "description": "Periodically newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version.",
+ "rationale": "Newer versions may contain security enhancements and additional functionality. Using the latest software version is recommended in order to take advantage of enhancements and new capabilities. With each software installation, organizations need to determine if a given update meets their requirements and also verify the compatibility and support provided for any additional software against the update revision that is selected.",
+ "impact": null,
+ "remediation": null,
+ "references": [
+ "https://docs.microsoft.com/en-us/azure/app-service/app-service-web-tutorial-custom-ssl"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "1.4.0",
+ "reference": "9.6"
+ }
+ ],
+ "tags": null,
+ "path": "az_app_services",
+ "display_path": "az_app_services",
+ "conditions": [
+ "and",
+ [
+ "kind",
+ "ne",
+ "functionapp"
+ ],
+ [
+ "and",
+ [
+ "or",
+ [
+ "configuration.properties.phpVersion",
+ "ne",
+ "7.4"
+ ],
+ [
+ "configuration.properties.linuxFxVersion",
+ "notlike",
+ "PHP*7.4*"
+ ]
+ ]
+ ]
+ ],
+ "id_suffix": "app_service_latest_php_missing"
+}
diff --git a/rules/findings/Azure/App Services/azure-app-services-latest-python-version-missing.json b/rules/findings/Azure/App Services/azure-app-services-latest-python-version-missing.json
new file mode 100644
index 00000000..2799f713
--- /dev/null
+++ b/rules/findings/Azure/App Services/azure-app-services-latest-python-version-missing.json
@@ -0,0 +1,46 @@
+{
+ "dashboard_name": "App Services",
+ "menu_name": "App Services",
+ "issue_name": "Ensure that \u0027Python version\u0027 is the latest, if used to run the web app",
+ "description": "Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version.",
+ "rationale": "Newer versions may contain security enhancements and additional functionality. Using the latest software version is recommended in order to take advantage of enhancements and new capabilities. With each software installation, organizations need to determine if a given update meets their requirements and also verify the compatibility and support provided for any additional software against the update revision that is selected. Using the latest full version will keep your stack secure to vulnerabilities and exploits.",
+ "impact": "If your app is written using version dependent features or libraries, they may not be available on the latest version.", "remediation": null,
+ "references": [
+ "https://docs.microsoft.com/en-us/azure/app-service/app-service-web-tutorial-custom-ssl"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "1.4.0",
+ "reference": "9.7"
+ }
+ ],
+ "tags": null,
+ "path": "az_app_services",
+ "display_path": "az_app_services",
+ "conditions": [
+ "and",
+ [
+ "kind",
+ "ne",
+ "functionapp"
+ ],
+ [
+ "and",
+ [
+ "or",
+ [
+ "configuration.properties.pythonVersion",
+ "ne",
+ "3.8"
+ ],
+ [
+ "configuration.properties.linuxFxVersion",
+ "notlike",
+ "PYTHON*3.8"
+ ]
+ ]
+ ]
+ ],
+ "id_suffix": "app_service_latest_python_missing"
+}
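Review bot: The `linuxFxVersion` pattern here is `PYTHON*3.8` with no trailing wildcard, while the PHP rule uses `PHP*7.4*`; if the runtime string carries anything after `3.8`, a current Python app is reported as outdated. `"PYTHON*3.8*"` would make the two rules consistent. `"impact"` and `"remediation"` share one physical line, unlike every other field in these files, which makes the file harder to diff.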
diff --git a/rules/findings/Azure/App Services/azure-app-services-latest-tls-version-missing.json b/rules/findings/Azure/App Services/azure-app-services-latest-tls-version-missing.json
new file mode 100644
index 00000000..8c7c1044
--- /dev/null
+++ b/rules/findings/Azure/App Services/azure-app-services-latest-tls-version-missing.json
@@ -0,0 +1,30 @@
+{
+ "dashboard_name": "App Services",
+ "menu_name": "App Services",
+ "issue_name": "Update TLS version for Application service",
+ "description": "The TLS(Transport Layer Security) protocol secures transmission of data over the internet using standard encryption technology. Encryption should be set with the latest version of TLS. App service allows TLS 1.2 by default, which is the recommended TLS level by industry standards, such as PCI DSS. App service currently allows the web app to set TLS versions 1.0, 1.1 and 1.2. It is highly recommended to use the latest TLS 1.2 version for web app secure connections.",
+ "rationale": "App service currently allows the web app to set TLS versions 1.0, 1.1 and 1.2. It is highly recommended to use the latest TLS 1.2 version for web app secure connections.", "impact": null,
+ "remediation": null,
+ "references": [
+ "https://docs.microsoft.com/en-us/azure/app-service/app-service-web-tutorial-custom-ssl"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "1.4.0",
+ "reference": "9.9"
+ }
+ ],
+ "tags": null,
+ "path": "az_app_services",
+ "display_path": "az_app_services",
+ "conditions": [
+ "and",
+ [
+ "configuration.properties.minTlsVersion",
+ "ne",
+ "1.2"
+ ]
+ ],
+ "id_suffix": "app_service_latest_tls_missing"
+}
diff --git a/rules/findings/Azure/Azure KeyVault/azure-keyvault-keys-expiration-set.json b/rules/findings/Azure/Azure KeyVault/azure-keyvault-keys-expiration-set.json
new file mode 100644
index 00000000..eb417638
--- /dev/null
+++ b/rules/findings/Azure/Azure KeyVault/azure-keyvault-keys-expiration-set.json
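Review bot: The compliance reference `9.9` repeats the value used by the HTTP-version rule earlier in this commit; in CIS Microsoft Azure Foundations 1.4.0 the minimum-TLS recommendation is 9.3, so `"reference": "9.3"` looks like the intended value. `minTlsVersion ne "1.2"` also reports any newer version the platform may offer in future as a finding, so a comparison that treats 1.2 as a floor would age better. `"rationale"` and `"impact"` sit on one physical line, unlike the other fields.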
@@ -0,0 +1,37 @@
+{
+ "dashboard_name": "Azure KeyVault",
+ "menu_name": "Keyvaults",
+ "issue_name": "Ensure that the expiration date is set on all keys",
+ "description": "Ensure that all keys in Azure Key Vault have an expiration time set.",
+ "rationale": "Azure Key Vault enables users to store and use cryptographic keys within the Microsoft Azure environment. The `exp` (expiration time) attribute identifies the expiration time on or after which the key MUST NOT be used for a cryptographic operation. By default, keys never expire. It is thus recommended that keys be rotated in the key vault and set an explicit expiration time for all keys. This ensures that the keys cannot be used beyond their assigned lifetimes.",
+ "impact": "Keys cannot be used beyond their assigned expiration times respectively. Keys need to be rotated periodically wherever they are used.",
+ "remediation": "
+ ###### From Azure Console
+ 1. Go to `Key vaults`
+ 2. For each Key vault, click on `Keys`.
+ 3. Under the `Settings` section, Make sure `Enabled?` is set to Yes
+ 4. Set an appropriate **expiration date** on all keys.
+ ",
+ "references": [
+ "https://docs.microsoft.com/en-us/azure/key-vault/about-keys-secrets-and-certificates"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "1.4.0",
+ "reference": "8.1"
+ }
+ ],
+ "tags": null,
+ "path": "az_key_vaults",
+ "display_path": "az_key_vaults",
+ "conditions": [
+ "and",
+ [
+ "keys.expires",
+ "eq",
+ "False"
+ ]
+ ],
+ "id_suffix": "azure_key_vault_keys_notexpire"
+}
diff --git a/rules/findings/Azure/Azure KeyVault/azure-keyvault-logging-enabled.json b/rules/findings/Azure/Azure KeyVault/azure-keyvault-logging-enabled.json
new file mode 100644
index 00000000..a1a51780
--- /dev/null
+++ b/rules/findings/Azure/Azure KeyVault/azure-keyvault-logging-enabled.json
@@ -0,0 +1,31 @@
+{
+ "dashboard_name": "Azure KeyVault",
+ "menu_name": "Keyvaults",
+ "issue_name": "Keyvault AuditEvent disabled",
+ "description": "Enable AuditEvent logging for key vault instances to ensure interactions with key vaults are logged and available. Monitoring how and when key vaults are accessed, and by whom enables an audit trail of interactions with confidential information, keys and certificates managed by Azure Keyvault. Enabling logging for Key Vault saves information in an Azure storage account that the user provides. This creates a new container named insights-logs-auditevent automatically for the specified storage account, and this same storage account can be used for collecting logs for multiple key vaults",
+ "rationale": null,
+ "impact": null,
+ "remediation": null,
+ "references": [
+ "https://docs.microsoft.com/en-us/azure/key-vault/key-vault-logging"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "1.4.0",
+ "reference": "5.1.5"
+ }
+ ],
+ "tags": null,
+ "path": "az_key_vaults",
+ "display_path": "az_key_vaults",
+ "conditions": [
+ "and",
+ [
+ "loggingEnabled",
+ "eq",
+ "false"
+ ]
+ ],
+ "id_suffix": "azure_key_vault_logging_disabled"
+}
diff --git a/rules/findings/Azure/Azure KeyVault/azure-keyvault-recoverable.json b/rules/findings/Azure/Azure KeyVault/azure-keyvault-recoverable.json
new file mode 100644
index 00000000..dc64298c
--- /dev/null
+++ b/rules/findings/Azure/Azure KeyVault/azure-keyvault-recoverable.json
@@ -0,0 +1,55 @@
+{
+ "dashboard_name": "Azure KeyVault",
+ "menu_name": "Keyvaults",
+ "issue_name": "Ensure the key vault is recoverable",
+ "description": '
+ The key vault contains object keys, secrets and certificates. Accidental unavailability of a key vault can cause immediate data loss or loss of security functions (authentication, validation, verification, non-repudiation, etc.) supported by the key vault objects.
+ It is recommended the key vault be made recoverable by enabling the "Do Not Purge" and "Soft Delete" functions. This is in order to prevent loss of encrypted data including storage accounts, SQL databases, and/or dependent services provided by key vault objects (Keys, Secrets, Certificates) etc., as may happen in the case of accidental deletion by a user or from disruptive activity by a malicious user.
+ ',
+ "rationale": '
+ There could be scenarios where users accidently run delete/purge commands on key vault or attacker/malicious user does it deliberately to cause disruption. Deleting or purging a key vault leads to immediate data loss as keys encrypting data and secrets/certificates allowing access/services will become non-accessible. There are 2 key vault properties that plays role in permanent unavailability of a key vault.
+ 1. enableSoftDelete:
+ Setting this parameter to true for a key vault ensures that even if key vault is deleted, Key vault itself or its objects remain recoverable for next 90days. In this span of 90 days either key vault/objects can be recovered or purged (permanent deletion). If no action is taken, after 90 days key vault and its objects will be purged.
+ 2. enablePurgeProtection:
+ enableSoftDelete only ensures that key vault is not deleted permanently and will be recoverable for 90 days from date of deletion. However, there are chances that the key vault and/or its objects are accidentally purged and hence will not be recoverable.
Setting enablePurgeProtection to "true" ensures that the key vault and its objects cannot be purged.
+ Enabling both the parameters on key vaults ensures that key vaults and their objects cannot be deleted/purged permanently.
+
+ ',
+ "impact": "Once purge-protection and soft-delete is enabled for a key vault, the action is irreversible.",
+ "remediation": '
+ To enable "Do Not Purge" and "Soft Delete" for a Key Vault:
+ ###### From Azure Portal
+ Azure Portal does not have provision to update the respective configurations
+ ###### Using Azure CLI 2.0
+ ```
+ az resource update --id /subscriptions/xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups//providers/Microsoft.KeyVault/vaults/ --set properties.enablePurgeProtection=true properties.enableSoftDelete=true
+ ```
+ ',
+ "references": [
+ "https://docs.microsoft.com/en-us/azure/key-vault/key-vault-ovw-soft-delete"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "1.4.0",
+ "reference": "8.6"
+ }
+ ],
+ "tags": null,
+ "path": "az_key_vaults",
+ "display_path": "az_key_vaults",
+ "conditions": [
+ "and",
+ [
+ "enableSoftDelete",
+ "eq",
+ "false"
+ ],
+ [
+ "enablePurgeProtection",
+ "eq",
+ "false"
+ ]
+ ],
+ "id_suffix": "azure_key_vault_recoverable_disabled"
+}
diff --git a/rules/findings/Azure/Azure KeyVault/azure-keyvault-secrets-expiration-set.json b/rules/findings/Azure/Azure KeyVault/azure-keyvault-secrets-expiration-set.json
new file mode 100644
index 00000000..20869190
--- /dev/null
+++ b/rules/findings/Azure/Azure KeyVault/azure-keyvault-secrets-expiration-set.json
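Review bot: The `and` over `enableSoftDelete eq false` and `enablePurgeProtection eq false` reports a vault only when both protections are off, so a vault with soft delete on but purge protection off — exactly the case the rationale's second point describes — is never flagged, although CIS 8.6 asks for both. `"or"` at the head of the conditions array is what the title and rationale imply. The description, rationale and remediation strings are delimited with single quotes, whereas the multi-line strings in the App Services and key-expiration rules use double quotes; single-quoted strings are not JSON, so whether this file loads depends on how lenient the loader is, and the log-profile and flow-log rules later in this commit use the same quoting.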
@@ -0,0 +1,37 @@
+{
+ "dashboard_name": "Azure KeyVault",
+ "menu_name": "Keyvaults",
+ "issue_name": "Ensure that the expiration date is set on all Secrets",
+ "description": "Ensure that all Secrets in the Azure Key Vault have an expiration time set.",
+ "rationale": "The Azure Key Vault enables users to store and keep secrets within the Microsoft Azure environment. Secrets in the Azure Key Vault are octet sequences with a maximum size of 25k bytes each. The exp (expiration time) attribute identifies the expiration time on or after which the secret MUST NOT be used. By default, secrets never expire. It is thus recommended to rotate secrets in the key vault and set an explicit expiration time for all secrets. This ensures that the secrets cannot be used beyond their assigned lifetimes.",
+ "impact": "Secrets cannot be used beyond their assigned expiry times respectively. Secrets need to be rotated periodically wherever they are used.",
+ "remediation": "
+ ###### From Azure Console
+ 1. Go to `Key vaults`
+ 2. For each Key vault, click on `Secrets`.
+ 3. Under the `Settings` section, Make sure `Enabled?` is set to Yes
+ 4. Set an appropriate **expiration date** on all keys.
+ ",
+ "references": [
+ "https://docs.microsoft.com/en-us/azure/key-vault/about-keys-secrets-and-certificates"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "1.4.0",
+ "reference": "8.3"
+ }
+ ],
+ "tags": null,
+ "path": "az_key_vaults",
+ "display_path": "az_key_vaults",
+ "conditions": [
+ "and",
+ [
+ "secrets.expires",
+ "eq",
+ "False"
+ ]
+ ],
+ "id_suffix": "azure_key_vault_secrets_notexpire"
+}
diff --git a/rules/findings/Azure/Azure LogProfile/azure-log-profile-container-public-access.json b/rules/findings/Azure/Azure LogProfile/azure-log-profile-container-public-access.json
new file mode 100644
index 00000000..383c524c
--- /dev/null
+++ b/rules/findings/Azure/Azure LogProfile/azure-log-profile-container-public-access.json
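Review bot: Step 4 of the remediation reads `4. Set an appropriate **expiration date** on all keys.` but this rule is about secrets; the line was carried over from the keys rule and should read `4. Set an appropriate **expiration date** on all secrets.`. The `Enabled?` check in step 3 is also unrelated to expiry and could be dropped from the steps.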
@@ -0,0 +1,49 @@
+{
+ "dashboard_name": "Azure Log Profile",
+ "menu_name": "Azure Log",
+ "issue_name": "Ensure the storage container storing the activity logs is not publicly accessible",
+ "description": "The storage account container containing the activity log export should not be publicly accessible.",
+ "rationale": "Allowing public access to activity log content may aid an adversary in identifying weaknesses in the affected account's use or configuration.",
+ "impact": "Configuring container `Access policy` to `private` will remove access from the container for everyone except owners of the storage account. Access policy needs to be set explicitly in order to allow access to other desired users.",
+ "remediation": '
+ ###### From Azure Console
+ 1. Go to `Activity log`
+ 2. Select `Export`
+ 3. Select `Subscription`
+ 4. In section `Storage Account`, note the name of the Storage account
+ 5. Close the `Export Audit Logs` blade. Close the `Monitor - Activity Log` blade.
+ 6. In right column, Click service `Storage Accounts` to access Storage account blade
+ 7. Click on the storage account name noted in step 4. This will open blade specific to that storage account
+ 8. In Section `Blob Service` click `Containers`. It will list all the containers in next blade
+ 9. Look for a record with container named as `insight-operational-logs`. Click ... from right most column to open Context menu
+ 10.
Click `Access Policy` from Context Menu and ensure `Public Access Level` is set to `Private (no anonymous access)`
+
+ ',
+ "references": [
+ "https://docs.microsoft.com/en-us/azure/azure-monitor/platform/activity-logs-overview"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "1.4.0",
+ "reference": "5.1.3"
+ }
+ ],
+ "tags": null,
+ "path": "az_storage_public_blobs",
+ "display_path": "az_storage_public_blobs",
+ "conditions": [
+ "and",
+ [
+ "blobname",
+ "eq",
+ "insights-operational-logs"
+ ],
+ [
+ "publicaccess",
+ "eq",
+ "container"
+ ]
+ ],
+ "id_suffix": "azure_log_profile_public_all"
+}
diff --git a/rules/findings/Azure/Azure LogProfile/azure-log-profile-storage-account-byok-disabled.json b/rules/findings/Azure/Azure LogProfile/azure-log-profile-storage-account-byok-disabled.json
new file mode 100644
index 00000000..3a6b2c18
--- /dev/null
+++ b/rules/findings/Azure/Azure LogProfile/azure-log-profile-storage-account-byok-disabled.json
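Review bot: `publicaccess eq "container"` only catches containers with container-level anonymous access; a container whose public access level is blob-only still serves the exported log blobs to anyone holding the URL and is not reported. A test for anything other than private — `["publicaccess", "ne", "private"]`, or an `or` over the container and blob values in whatever spelling `az_storage_public_blobs` actually emits — would cover both. The remediation names the container `insight-operational-logs` while the condition matches `insights-operational-logs`; the two should agree, and the condition's spelling is the one the rule relies on.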
@@ -0,0 +1,43 @@
+{
+ "dashboard_name": "Azure Log Profile",
+ "menu_name": "Azure Log",
+ "issue_name": "Ensure the storage account containing the container with activity logs is encrypted using own key",
+ "description": "The storage account with the activity log export container is configured to use BYOK (Use Your Own Key).",
+ "rationale": "Configuring the storage account with the activity log export container to use BYOK (Use Your Own Key) provides additional confidentiality controls on log data as a given user must have read permission on the corresponding storage account and must be granted decrypt permission by the CMK.",
+ "impact": null,
+ "remediation": '
+ ###### From Azure Console
+ 1. Go to `Activity log`
+ 2. Select `Export`
+ 3. Select `Subscription`
+ 4. In section `Storage Account`, note the name of the Storage account
+ 5. Close the `Export Audit Logs` blade. Close the `Monitor - Activity Log` blade.
+ 6. In right column, Click service `Storage Accounts` to access Storage account blade
+ 7. Click on the storage account name noted in step 4. This will open blade specific to that storage account
+ 8. In Section `settings` click `Encryption`. It will show `Storage service encryption` configuration pane.
+ 9. Ensure `Use your own key` is checked and `Key URI` is set.
+
+ ',
+ "references": [
+ "https://docs.microsoft.com/en-us/azure/azure-monitor/platform/activity-logs-overview"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "1.4.0",
+ "reference": "5.1.4"
+ }
+ ],
+ "tags": null,
+ "path": "az_log_profile",
+ "display_path": "az_log_profile",
+ "conditions": [
+ "and",
+ [
+ "storageAccountUsingOwnKey",
+ "eq",
+ "false"
+ ]
+ ],
+ "id_suffix": "azure_log_profile_storage_byok_disabled"
+}
diff --git a/rules/findings/Azure/Azure Network Security Group/azure-nsg-port-open.json b/rules/findings/Azure/Azure Network Security Group/azure-nsg-port-open.json
new file mode 100644
index 00000000..8d298732
--- /dev/null
+++ b/rules/findings/Azure/Azure Network Security Group/azure-nsg-port-open.json
@@ -0,0 +1,41 @@
+{
+ "arg_names": [ "Network protocol name", "Port number", "rationale" ],
+ "dashboard_name": "Network Security Groups",
+ "menu_name": "Network",
+ "issue_name": "_ARG_0_ port open to all",
+ "description": "_ARG_2_",
+ "rationale": null,
+ "impact": null,
+ "remediation": null,
+ "references": [
+ "https://docs.microsoft.com/en-us/azure/virtual-network/security-overview"
+ ],
+ "compliance": ["monkey365 rule"],
+ "tags": null,
+ "path": "az_nsg_rules",
+ "display_path": "az_nsg_rules",
+ "conditions": [
+ "and",
+ [
+ "_INCLUDE_(conditions/allow-tcp.json)",
+ "",
+ ""
+ ],
+ [
+ "_INCLUDE_(conditions/allow-udp.json)",
+ "",
+ ""
+ ],
+ [
+ "_INCLUDE_(conditions/exposed-to-the-internet.json)",
+ "",
+ ""
+ ],
+ [
+ "DestinationPortRange",
+ "eq",
+ "_ARG_1_"
+ ]
+ ],
+ "id_suffix": "azure_nsg_security_port_open_all"
+}
diff --git a/rules/findings/Azure/Azure Network Security Group/azure-nsg-tcp-ports-open.json b/rules/findings/Azure/Azure Network Security Group/azure-nsg-tcp-ports-open.json
new file mode 100644
index 00000000..b1a659f8
--- /dev/null
+++ b/rules/findings/Azure/Azure Network Security Group/azure-nsg-tcp-ports-open.json
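Review bot: The conditions `and` together the allow-tcp and allow-udp includes, which from the condition files added earlier in this commit can only both hold when `Protocol` is `*`; an NSG rule that opens the port for plain TCP or plain UDP never matches, and the "Network protocol name" argument has no effect on what is detected. An `or` over the two includes, or a single include picked from the protocol argument, is presumably what was meant. `arg_names` labels the third argument `rationale`, yet `_ARG_2_` is substituted into `description` while `rationale` stays null. `id_suffix` is `azure_nsg_security_port_open_all` here and in the TCP and UDP port rules that follow, so if the suffix feeds the finding identifier the three rules collide.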
@@ -0,0 +1,61 @@
+{
+ "arg_names": [ "Network protocol name", "Port number", "description", "rationale", "compliance_version", "additional_compliance" ],
+ "dashboard_name": "Network Security Groups",
+ "menu_name": "Network",
+ "issue_name": "Ensure that _ARG_0_ access is restricted from the internet",
+ "description": "_ARG_2_",
+ "rationale": "_ARG_3_",
+ "impact": null,
+ "remediation": null,
+ "references": [
+ "https://docs.microsoft.com/en-us/azure/virtual-network/security-overview"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "1.3.1",
+ "reference": "_ARG_4_"
+ },
+ [
+ "_ARG_5_"
+ ]
+ ],
+ "tags": null,
+ "path": "az_nsg_rules",
+ "display_path": "az_nsg_rules",
+ "conditions": [
+ "and",
+ [
+ "_INCLUDE_(conditions/allow-tcp.json)",
+ "",
+ ""
+ ],
+ [
+ "_INCLUDE_(conditions/exposed-to-the-internet.json)",
+ "",
+ ""
+ ],
+ [
+ "and",
+ [
+ "or",
+ [
+ "DestinationPortRange",
+ "like",
+ "*_ARG_1_*"
+ ],
+ [
+ "DestinationPortRanges",
+ "like",
+ "*_ARG_1_*"
+ ]
+ ]
+ ],
+ [
+ "Priority",
+ "notlike",
+ "65*"
+ ]
+ ],
+ "id_suffix": "azure_nsg_security_port_open_all"
+}
diff --git a/rules/findings/Azure/Azure Network Security Group/azure-nsg-udp-ports-open.json b/rules/findings/Azure/Azure Network Security Group/azure-nsg-udp-ports-open.json
new file mode 100644
index 00000000..be8a332e
--- /dev/null
+++ b/rules/findings/Azure/Azure Network Security Group/azure-nsg-udp-ports-open.json
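Review bot: `DestinationPortRange like "*_ARG_1_*"` is a substring test, so a port argument of 22 also matches rules for 2222, 1022 or a range such as 220-230, while a rule that opens `*` or `0-65535` is not matched at all even though it exposes the port; the UDP rule that follows uses `eq` for the same field, so the two rules answer the same question differently. An exact match on the single-port field plus explicit handling of `*` and of ranges that contain the port would be more faithful, and the same applies to the UDP rule. The compliance entry carries `"version": "1.3.1"` while every other rule in this commit maps to 1.4.0, and the argument named `compliance_version` is substituted into `reference` rather than `version`; the mixed object-plus-array shape of `compliance` is also unlike the other files, so it is worth confirming the report renderer accepts it.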
@@ -0,0 +1,61 @@
+{
+ "arg_names": [ "Network protocol name", "Port number", "description", "rationale", "compliance_version", "additional_compliance" ],
+ "dashboard_name": "Network Security Groups",
+ "menu_name": "Network",
+ "issue_name": "Ensure that _ARG_0_ access is restricted from the internet",
+ "description": "_ARG_2_",
+ "rationale": "_ARG_3_",
+ "impact": null,
+ "remediation": null,
+ "references": [
+ "https://docs.microsoft.com/en-us/azure/virtual-network/security-overview"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "1.4.0",
+ "reference": "_ARG_4_"
+ },
+ [
+ "_ARG_5_"
+ ]
+ ],
+ "tags": null,
+ "path": "az_nsg_rules",
+ "display_path": "az_nsg_rules",
+ "conditions": [
+ "and",
+ [
+ "_INCLUDE_(conditions/allow-udp.json)",
+ "",
+ ""
+ ],
+ [
+ "_INCLUDE_(conditions/exposed-to-the-internet.json)",
+ "",
+ ""
+ ],
+ [
+ "and",
+ [
+ "or",
+ [
+ "DestinationPortRange",
+ "eq",
+ "_ARG_1_"
+ ],
+ [
+ "DestinationPortRanges",
+ "like",
+ "*_ARG_1_*"
+ ]
+ ]
+ ],
+ [
+ "Priority",
+ "notlike",
+ "65*"
+ ]
+ ],
+ "id_suffix": "azure_nsg_security_port_open_all"
+}
diff --git a/rules/findings/Azure/Azure Network Watcher/azure-network-watcher-disabled.json b/rules/findings/Azure/Azure Network Watcher/azure-network-watcher-disabled.json
new file mode 100644
index 00000000..0cd22a24
--- /dev/null
+++ b/rules/findings/Azure/Azure Network Watcher/azure-network-watcher-disabled.json
@@ -0,0 +1,31 @@
+{
+ "dashboard_name": "Network Watcher",
+ "menu_name": "Network",
+ "issue_name": "Enable Network Watcher for Azure subscriptions in all regions",
+ "description": "Azure Network Watcher provides tools to monitor, diagnose, view metrics, and enable or disable logs for resources in an Azure virtual network. The security group view capability shows all security rules applied to the network interfaces, as well as the subnet the network interface is in, and the aggregate of both. An administrator can add, remove, or change rules.",
+ "rationale": "Network diagnostic and visualization tools available with Network Watcher help users understand, diagnose, and gain insights to the network in Azure.",
+ "impact": null,
+ "remediation": "Opting-out of Network Watcher automatic enablement is a permanent change. Once you opt-out you cannot opt-in without contacting support.",
+ "references": [
+ "https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-monitoring-overview"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "1.4.0",
+ "reference": "6.5"
+ }
+ ],
+ "tags": null,
+ "path": "az_network_watcher",
+ "display_path": "az_network_watcher",
+ "conditions": [
+ "and",
+ [
+ "all_locations_enabled",
+ "eq",
+ "False"
+ ]
+ ],
+ "id_suffix": "network_watcher_disabled"
+}
diff --git a/rules/findings/Azure/Azure Network Watcher/azure-network-watcher-flow-log-retention.json b/rules/findings/Azure/Azure Network Watcher/azure-network-watcher-flow-log-retention.json
new file mode 100644
index 00000000..af95dacd
--- /dev/null
+++ b/rules/findings/Azure/Azure Network Watcher/azure-network-watcher-flow-log-retention.json
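Review bot: The text in `remediation` (`Opting-out of Network Watcher automatic enablement is a permanent change. ...`) describes the consequence of the setting rather than how to fix the finding, while `impact` is null; that sentence belongs in `impact`, and `remediation` should carry the enablement steps or be null like the other rules that have none. As written, the report will show an "impact" statement under the remediation heading.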
@@ -0,0 +1,40 @@
+{
+ "dashboard_name": "Network Watcher",
+ "menu_name": "Network",
+ "issue_name": "Network Security Group Flow Logs should be enabled and the retention period is set to greater than or equal to 90 days",
+ "description": "Flow logs enable capturing information about IP traffic flowing in and out of network security groups. Logs can be used to check for anomalies and give insight into suspected breaches.",
+ "rationale": "Flow logs enable capturing information about IP traffic flowing in and out of network security groups. Logs can be used to check for anomalies and give insight into suspected breaches.",
+ "impact": null,
+ "remediation": '
+ ###### From Azure Console
+ 1. Go to `Network Watcher`
+ 2. Select `NSG flow logs` blade in the Logs section
+ 3. Select each Network Security Group from the list
+ 4. Ensure `Status` is set to `On`
+ 5. Ensure `Retention (days)` setting `greater than 90 days`
+ 6. Select your storage account in the `Storage account` field
+ 7. Select `Save`
+ ',
+ "references": [
+ "https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-nsg-flow-logging-overview"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "1.4.0",
+ "reference": "6.4"
+ }
+ ],
+ "tags": null,
+ "path": "az_network_watcher_flow_logs",
+ "display_path": "az_network_watcher_flow_logs",
+ "conditions": [
+ "and",
+ [
+ "retentionPolicyDays",
+ "le",
+ "90"
+ ]
+ ],
+ "id_suffix": "network_watcher_flowlogs_retention_days"
+}
diff --git a/rules/findings/Azure/Databases/MySQL/azure-mysql-enforcessl-disabled.json b/rules/findings/Azure/Databases/MySQL/azure-mysql-enforcessl-disabled.json
new file mode 100644
index 00000000..64ee1d5e
--- /dev/null
+++ b/rules/findings/Azure/Databases/MySQL/azure-mysql-enforcessl-disabled.json
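Review bot: The condition `"retentionPolicyDays", "le", "90"` reports a retention of exactly 90 days as a finding, but the issue_name says "greater than or equal to 90 days"; either the title or the operator is off, and `"retentionPolicyDays", "lt", "90"` matches the title. If the collector reports 0 for flow logs retained indefinitely, that value would also be flagged here although it is the strongest retention setting — confirm how 0 is represented. The `remediation` value is delimited with `'` and spans several lines, which is not valid JSON; the same style appears in the hunks for azure-mysql-latest-tls-version-disabled, azure-postgresql-allow-access-azure-services-enabled, azure-sql-server-advanced-threat-protection-disabled, azure-sql-server-auditing-disabled, azure-sql-server-auditing-retention, azure-sql-server-data-encryption-disabled and azure-sql-server-vulnerability-assessments-disabled, so it presumably relies on a lenient loader; worth stating that in the rules README or converting to `"…\n…"` strings. `description` and `rationale` are identical text here.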
@@ -0,0 +1,31 @@
+{
+ "dashboard_name": "MySQL Server",
+ "menu_name": "Databases",
+ "issue_name": "Enable SSL connection on MYSQL Servers",
+ "description": "SSL connectivity helps to provide a new layer of security, by connecting database server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between database server and client applications helps protect against \"man in the middle\" attacks by encrypting the data stream between the server and application.",
+ "rationale": null,
+ "impact": null,
+ "remediation": null,
+ "references": [
+ "https://docs.microsoft.com/en-us/azure/mysql/howto-configure-ssl"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "1.4.0",
+ "reference": "4.4.1"
+ }
+ ],
+ "tags": null,
+ "path": "az_mysql_servers",
+ "display_path": "az_mysql_servers",
+ "conditions": [
+ "and",
+ [
+ "sslEnforcement",
+ "eq",
+ "Disabled"
+ ]
+ ],
+ "id_suffix": "mysql_enforcessl_disabled"
+}
diff --git a/rules/findings/Azure/Databases/MySQL/azure-mysql-latest-tls-version-disabled.json b/rules/findings/Azure/Databases/MySQL/azure-mysql-latest-tls-version-disabled.json
new file mode 100644
index 00000000..3ab89942
--- /dev/null
+++ b/rules/findings/Azure/Databases/MySQL/azure-mysql-latest-tls-version-disabled.json
@@ -0,0 +1,31 @@
+{
+ "dashboard_name": "MySQL Server",
+ "menu_name": "Databases",
+ "issue_name": "Ensure TLS Version is set to TLSV1.2 for MySQL Database Server",
+ "description": "Ensure TLS version on MySQL flexible servers is set to the default value.",
+ "rationale": 'TLS connectivity helps to provide a new layer of security, by connecting database server to client applications using Transport Layer Security (TLS). Enforcing TLS connections between database server and client applications helps protect against "man in the middle." attacks by encrypting the data stream between the server and application.',
+ "impact": null,
+ "remediation": null,
+ "references": [
+ "https://docs.microsoft.com/en-us/azure/mysql/howto-configure-ssl"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "1.4.0",
+ "reference": "4.4.2"
+ }
+ ],
+ "tags": null,
+ "path": "az_mysql_servers",
+ "display_path": "az_mysql_servers",
+ "conditions": [
+ "and",
+ [
+ "properties.minimalTlsVersion",
+ "eq",
+ "TLSEnforcementDisabled"
+ ]
+ ],
+ "id_suffix": "mysql_tls_last_version_disabled"
+}
diff --git a/rules/findings/Azure/Databases/PostgreSQL/azure-postgresql-allow-access-azure-services-enabled.json b/rules/findings/Azure/Databases/PostgreSQL/azure-postgresql-allow-access-azure-services-enabled.json
new file mode 100644
index 00000000..7d36a6b4
--- /dev/null
+++ b/rules/findings/Azure/Databases/PostgreSQL/azure-postgresql-allow-access-azure-services-enabled.json
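Review bot: The condition `"properties.minimalTlsVersion", "eq", "TLSEnforcementDisabled"` only fires when TLS enforcement is switched off entirely, so a server pinned to TLS 1.0 or TLS 1.1 passes even though the issue_name requires TLS 1.2; `"properties.minimalTlsVersion", "ne", "TLS1_2"` expresses the title (adjust if the collector also reports newer versions). The attribute is addressed as `properties.minimalTlsVersion` while the sibling rule on the same `az_mysql_servers` path uses a bare `sslEnforcement`, so one of the two spellings is presumably wrong for the collected object — confirm against the collector output. The description "set to the default value" does not say what the expected value is; "Ensure the minimum TLS version on MySQL servers is TLS 1.2" would be clearer.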
@@ -0,0 +1,53 @@
+{
+ "dashboard_name": "PostgreSQL Server",
+ "menu_name": "Databases",
+ "issue_name": "Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled",
+ "description": "Disable access from Azure services to PostgreSQL Database Server.",
+ "rationale": "If access from Azure services is enabled, the server's firewall will accept connections from all Azure resources, including resources not in your subscription. This is usually not a desired configuration. Instead, setup firewall rules to allow access from specific network ranges or VNET rules to allow access from specific virtual networks.",
+ "impact": null,
+ "remediation": '
+ ###### From Azure Console
+ 1. Login to Azure Portal using https://portal.azure.com
+ 2. Go to `Azure Database for PostgreSQL server`
+ 3. For each database, click on `Connection security`
+ 4. In `Firewall rules`
+ 5. Ensure `Allow access to Azure services is set to OFF`.
+ 6. Click Save to apply the changed rule
+ ',
+ "references": [
+ "https://docs.microsoft.com/en-us/azure/postgresql/concepts-firewall-rules",
+ "https://docs.microsoft.com/en-us/azure/postgresql/howto-manage-firewall-using-cli",
+ "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic",
+ "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-4-protect-applications-and-services-from-external-network-attacks",
+ "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "1.4.0",
+ "reference": "4.3.7"
+ }
+ ],
+ "tags": null,
+ "path": "az_psql_database_fw",
+ "display_path": "az_psql_database_fw",
+ "conditions": [
+ "and",
+ [
+ "RuleName",
+ "eq",
+ "AllowAllWindowsAzureIps"
+ ],
+ [
+ "StartIpAddress",
+ "eq",
+ "0.0.0.0"
+ ],
+ [
+ "EndIpAddress", + "eq", + "0.0.0.0" + ] + ], + "id_suffix": "postgresql_allow_azure_services_enabled" +} diff --git a/rules/findings/Azure/Databases/PostgreSQL/azure-postgresql-connection-throttling-disabled.json b/rules/findings/Azure/Databases/PostgreSQL/azure-postgresql-connection-throttling-disabled.json new file mode 100644 index 00000000..0593d31b --- /dev/null +++ b/rules/findings/Azure/Databases/PostgreSQL/azure-postgresql-connection-throttling-disabled.json @@ -0,0 +1,36 @@ +{ + "dashboard_name": "PostgreSQL Configuration", + "menu_name": "Database Configuration", + "issue_name": "Enable connection_throttling on PostgreSQL Servers", + "description": "Enabling connection_throttling helps the PostgreSQL Database to Set the verbosity of logged messages which in turn generates query and error logs with respect to concurrent connections, that could lead to a successful Denial of Service (DoS) attack by exhausting connection resources. A system can also fail or be degraded by an overload of legitimate users. Query and error logs can be used to identify, troubleshoot, and repair configuration errors and sub-optimal performance.", + "rationale": null, + "impact": null, + "remediation": null, + "references": [ + "https://docs.microsoft.com/en-us/rest/api/postgresql/configurations/listbyserver" + ], + "compliance": [ + { + "name": "CIS Microsoft Azure Foundations", + "version": "1.4.0", + "reference": "4.3.5" + } + ], + "tags": null, + "path": "az_postgresql_configuration", + "display_path": "az_postgresql_configuration", + "conditions": [ + "and", + [ + "parameterName", + "eq", + "connection_throttling" + ], + [ + "parameterValue", + "eq", + "off" + ] + ], + "id_suffix": "postgresql_conn_throttling_disabled" +} diff --git a/rules/findings/Azure/Databases/PostgreSQL/azure-postgresql-enforcessl-disabled.json b/rules/findings/Azure/Databases/PostgreSQL/azure-postgresql-enforcessl-disabled.json new file mode 100644 index 00000000..7ed873ee --- /dev/null 
+++ b/rules/findings/Azure/Databases/PostgreSQL/azure-postgresql-enforcessl-disabled.json
@@ -0,0 +1,31 @@
+{
+ "dashboard_name": "PostgreSQL Server",
+ "menu_name": "Databases",
+ "issue_name": "Enable SSL connection on PostgreSQL Servers",
+ "description": "SSL connectivity helps to provide a new layer of security, by connecting database server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between database server and client applications helps protect against \"man in the middle\" attacks by encrypting the data stream between the server and application.",
+ "rationale": null,
+ "impact": null,
+ "remediation": null,
+ "references": [
+ "https://docs.microsoft.com/en-us/azure/postgresql/howto-configure-server-parameters-using-portal#prerequisites"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "1.4.0",
+ "reference": "4.3"
+ }
+ ],
+ "tags": null,
+ "path": "az_postgresql_servers",
+ "display_path": "az_postgresql_servers",
+ "conditions": [
+ "and",
+ [
+ "sslEnforcement",
+ "eq",
+ "Disabled"
+ ]
+ ],
+ "id_suffix": "postgresql_enforcessl_disabled"
+}
diff --git a/rules/findings/Azure/Databases/PostgreSQL/azure-postgresql-infrastructure-encryption-disabled.json b/rules/findings/Azure/Databases/PostgreSQL/azure-postgresql-infrastructure-encryption-disabled.json
new file mode 100644
index 00000000..74bc54f9
--- /dev/null
+++ b/rules/findings/Azure/Databases/PostgreSQL/azure-postgresql-infrastructure-encryption-disabled.json
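Review bot: The compliance `"reference": "4.3"` names a benchmark section rather than a recommendation; every other PostgreSQL rule in this commit carries a three-part id (4.3.2 through 4.3.8), so this looks truncated — confirm the id of the "Enforce SSL connection" recommendation against the 1.4.0 benchmark and fix it, otherwise the report groups this finding under the wrong heading. The single reference URL points at the server-parameters prerequisites page rather than the SSL configuration guidance the MySQL sibling links to; the PostgreSQL SSL how-to would serve readers better. The rule's author note about the lenient `'`-quoted strings given elsewhere does not apply here; this file is plain JSON.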
@@ -0,0 +1,36 @@
+{
+ "dashboard_name": "PostgreSQL Configuration",
+ "menu_name": "Database Configuration",
+ "issue_name": "Ensure Infrastructure double encryption for PostgreSQL Database Server is Enabled",
+ "description": "Consider to enable encryption at rest for PostgreSQL Databases.",
+ "rationale": "If Double Encryption is enabled, another layer of encryption is implemented at the hardware level before the storage or network level. Information will be encrypted before it is even accessed, preventing both interception of data in motion if the network layer encryption is broken and data at rest in system resources such as memory or processor cache. Encryption will also be in place for any backups taken of the database, so the key will secure access the data in all forms. For the most secure implementation of key based encryption, it is recommended to use a Customer Managed asymmetric RSA 2048 Key in Azure Key Vault.",
+ "impact": "The read and write speeds to the database will be impacted if both default encryption and Infrastructure Encryption are checked, as a secondary form of encryption requires more resource overhead for the cryptography of information. This cost is justified for information security. Customer managed keys are recommended for the most secure implementation, leading to overhead of key management. The key will also need to be backed up in a secure location, as loss of the key will mean loss of the information in the database.",
+ "remediation": "
+ ###### From Azure Console
+ 1. Go to `Azure Database for PostgreSQL servers`.
+ 2. For each PostgreSQL database, go to `Additional Settings`
+ 3. 
Ensure that 'Infrastructure encryption enabled' is 'checked'
+ ",
+ "references": [
+ "https://docs.microsoft.com/en-us/azure/postgresql/single-server/concepts-infrastructure-double-encryption"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "1.4.0",
+ "reference": "4.3.8"
+ }
+ ],
+ "tags": null,
+ "path": "az_postgresql_servers",
+ "display_path": "az_postgresql_servers",
+ "conditions": [
+ "and",
+ [
+ "properties.infrastructureEncryption",
+ "eq",
+ "Disabled"
+ ]
+ ],
+ "id_suffix": "postgresql_infra_encryption_disabled"
+}
diff --git a/rules/findings/Azure/Databases/PostgreSQL/azure-postgresql-log-checkpoints-disabled.json b/rules/findings/Azure/Databases/PostgreSQL/azure-postgresql-log-checkpoints-disabled.json
new file mode 100644
index 00000000..8743b8b1
--- /dev/null
+++ b/rules/findings/Azure/Databases/PostgreSQL/azure-postgresql-log-checkpoints-disabled.json
@@ -0,0 +1,36 @@
+{
+ "dashboard_name": "PostgreSQL Configuration",
+ "menu_name": "Database Configuration",
+ "issue_name": "Enable log_checkpoints on PostgreSQL Servers",
+ "description": "Enabling log_checkpoints helps the PostgreSQL Database to Log each checkpoint in turn generates query and error logs. However, access to transaction logs is not supported. Query and error logs can be used to identify, troubleshoot, and repair configuration errors and sub-optimal performance.",
+ "rationale": null,
+ "impact": null,
+ "remediation": null,
+ "references": [
+ "https://docs.microsoft.com/en-us/rest/api/postgresql/configurations/listbyserver"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "1.4.0",
+ "reference": "4.3.2"
+ }
+ ],
+ "tags": null,
+ "path": "az_postgresql_configuration",
+ "display_path": "az_postgresql_configuration",
+ "conditions": [
+ "and",
+ [
+ "parameterName",
+ "eq",
+ "log_checkpoints"
+ ],
+ [
+ "parameterValue",
+ "eq",
+ "off"
+ ]
+ ],
+ "id_suffix": "postgresql_log_checkpoints_disabled"
+}
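Review bot: The `description` "Consider to enable encryption at rest for PostgreSQL Databases." conflates infrastructure double encryption with the default storage encryption that the rationale itself says is always present, so the finding reads as if the database were unencrypted; `"description": "Infrastructure double encryption adds a second, hardware-level encryption layer on top of the default storage encryption for PostgreSQL single servers."` says what the check actually tests. The attribute is addressed as `properties.infrastructureEncryption` while the enforce-SSL rule on the same `az_postgresql_servers` path uses a bare `sslEnforcement`; presumably only one convention matches the collected object, so please verify both against the collector. The double-quoted multi-line `remediation` string (`"` … `"` across four lines) is not valid JSON either; the hunk's first lines are on the previous source line.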
diff --git a/rules/findings/Azure/Databases/PostgreSQL/azure-postgresql-log-connections-disabled.json b/rules/findings/Azure/Databases/PostgreSQL/azure-postgresql-log-connections-disabled.json
new file mode 100644
index 00000000..f3b470b0
--- /dev/null
+++ b/rules/findings/Azure/Databases/PostgreSQL/azure-postgresql-log-connections-disabled.json
@@ -0,0 +1,36 @@
+{
+ "dashboard_name": "PostgreSQL Configuration",
+ "menu_name": "Database Configuration",
+ "issue_name": "Enable log_connections on PostgreSQL Servers",
+ "description": "Enabling log_connections helps PostgreSQL Database to log attempted connection to the server, as well as successful completion of client authentication. Log data can be used to identify, troubleshoot, and repair configuration errors and suboptimal performance.",
+ "rationale": null,
+ "impact": null,
+ "remediation": null,
+ "references": [
+ "https://docs.microsoft.com/en-us/rest/api/postgresql/configurations/listbyserver"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "1.4.0",
+ "reference": "4.3.3"
+ }
+ ],
+ "tags": null,
+ "path": "az_postgresql_configuration",
+ "display_path": "az_postgresql_configuration",
+ "conditions": [
+ "and",
+ [
+ "parameterName",
+ "eq",
+ "log_connections"
+ ],
+ [
+ "parameterValue",
+ "eq",
+ "off"
+ ]
+ ],
+ "id_suffix": "postgresql_log_connections_disabled"
+}
diff --git a/rules/findings/Azure/Databases/PostgreSQL/azure-postgresql-log-disconnections-disabled.json b/rules/findings/Azure/Databases/PostgreSQL/azure-postgresql-log-disconnections-disabled.json
new file mode 100644
index 00000000..8c06dd8b
--- /dev/null
+++ b/rules/findings/Azure/Databases/PostgreSQL/azure-postgresql-log-disconnections-disabled.json
@@ -0,0 +1,36 @@
+{
+ "dashboard_name": "PostgreSQL Configuration",
+ "menu_name": "Database Configuration",
+ "issue_name": "Enable log_disconnections on PostgreSQL Servers",
+ "description": "Enabling log_disconnections helps PostgreSQL Database to Logs end of a session, including duration, which in turn generates query and error logs. Query and error logs can be used to identify, troubleshoot, and repair configuration errors and sub-optimal performance.",
+ "rationale": null,
+ "impact": null,
+ "remediation": null,
+ "references": [
+ "https://docs.microsoft.com/en-us/rest/api/postgresql/configurations/listbyserver"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "1.4.0",
+ "reference": "4.3.4"
+ }
+ ],
+ "tags": null,
+ "path": "az_postgresql_configuration",
+ "display_path": "az_postgresql_configuration",
+ "conditions": [
+ "and",
+ [
+ "parameterName",
+ "eq",
+ "log_disconnections"
+ ],
+ [
+ "parameterValue",
+ "eq",
+ "off"
+ ]
+ ],
+ "id_suffix": "postgresql_log_disconnections_disabled"
+}
diff --git a/rules/findings/Azure/Databases/PostgreSQL/azure-postgresql-log-retention-days.json b/rules/findings/Azure/Databases/PostgreSQL/azure-postgresql-log-retention-days.json
new file mode 100644
index 00000000..d1c56c7c
--- /dev/null
+++ b/rules/findings/Azure/Databases/PostgreSQL/azure-postgresql-log-retention-days.json
@@ -0,0 +1,36 @@
+{
+ "dashboard_name": "PostgreSQL Configuration",
+ "menu_name": "Database Configuration",
+ "issue_name": "Enable log_retention_days on PostgreSQL Servers",
+ "description": "Enabling log_disconnections helps PostgreSQL Database to Logs end of a session, including duration, which in turn generates query and error logs. Query and error logs can be used to identify, troubleshoot, and repair configuration errors and sub-optimal performance.",
+ "rationale": null,
+ "impact": null,
+ "remediation": null,
+ "references": [
+ "https://docs.microsoft.com/en-us/rest/api/postgresql/configurations/listbyserver"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "1.4.0",
+ "reference": "4.3.6"
+ }
+ ],
+ "tags": null,
+ "path": "az_postgresql_configuration",
+ "display_path": "az_postgresql_configuration",
+ "conditions": [
+ "and",
+ [
+ "parameterName",
+ "eq",
+ "log_retention_days"
+ ],
+ [
+ "parameterValue",
+ "le",
+ "3"
+ ]
+ ],
+ "id_suffix": "postgresql_log_retention_days_minimum_value"
+}
diff --git a/rules/findings/Azure/Databases/SQL Server/azure-sql-fw-allow-all.json b/rules/findings/Azure/Databases/SQL Server/azure-sql-fw-allow-all.json
new file mode 100644
index 00000000..cb4333db
--- /dev/null
+++ b/rules/findings/Azure/Databases/SQL Server/azure-sql-fw-allow-all.json
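Review bot: The `description` of the log_retention_days rule is a verbatim copy of the log_disconnections text ("Enabling log_disconnections helps PostgreSQL Database to Logs end of a session…"), so the report explains the wrong parameter; `"description": "log_retention_days controls how many days PostgreSQL server logs are kept; a retention of 3 days or less leaves too little history to investigate incidents or reconstruct activity."` matches the condition and the issue_name. The condition `"parameterValue", "le", "3"` is the only numeric comparison against a value that the collector delivers as a string; if `le` compares lexically, "10" sorts before "3" and a 10-day retention would be flagged — confirm the engine coerces to a number here and in the two retention rules that use `le` against "90".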
@@ -0,0 +1,37 @@
+{
+ "arg_names": [ "Rule name", "Start IP", "End IP", "Rationale", "compliance_version" ],
+ "dashboard_name": "Azure SQL Firewall",
+ "menu_name": "Network",
+ "issue_name": "_ARG_0_ allow ingress from _ARG_1_ to _ARG_2_",
+ "description": "_ARG_3_",
+ "rationale": null,
+ "impact": null,
+ "remediation": null,
+ "references": [
+ "https://docs.microsoft.com/en-us/azure/sql-database/sql-database-firewall-configure"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "1.4.0",
+ "reference": "_ARG_4_"
+ }
+ ],
+ "tags": null,
+ "path": "az_sql_database_fw",
+ "display_path": "az_sql_database_fw",
+ "conditions": [
+ "and",
+ [
+ "StartIpAddress",
+ "eq",
+ "_ARG_1_"
+ ],
+ [
+ "EndIpAddress",
+ "eq",
+ "_ARG_2_"
+ ]
+ ],
+ "id_suffix": "azure_sql_fw_rule_enabled"
+}
diff --git a/rules/findings/Azure/Databases/SQL Server/azure-sql-server-active-directory-admin-disabled.json b/rules/findings/Azure/Databases/SQL Server/azure-sql-server-active-directory-admin-disabled.json
new file mode 100644
index 00000000..58fca637
--- /dev/null
+++ b/rules/findings/Azure/Databases/SQL Server/azure-sql-server-active-directory-admin-disabled.json
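Review bot: The fourth template argument is named `Rationale` in `arg_names` but is substituted into `description` (`"description": "_ARG_3_"`) while `rationale` stays `null`, so either rename the argument to `description` or map it with `"rationale": "_ARG_3_"` — as written, callers passing a rationale will see it rendered as the finding's description. The template only matches the exact `_ARG_1_`/`_ARG_2_` endpoints, so a rule such as 0.0.0.0–255.255.255.254 or 1.0.0.0–255.255.255.255 gives near-identical exposure and is never reported; if the engine offers numeric or CIDR comparison, a companion condition on the range width would close that gap, otherwise a comment in the rule docs should state that only the canonical ranges are detected. The `issue_name` reads "_ARG_0_ allow ingress" — "allows" for a single rule name.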
@@ -0,0 +1,31 @@
+{
+ "dashboard_name": "SQL Server",
+ "menu_name": "Databases",
+ "issue_name": "Use Azure Active Directory Authentication for authentication with SQL Database",
+ "description": "Azure Active Directory authentication is a mechanism to connect to Microsoft Azure SQL Database and SQL Data Warehouse using identities in Azure Active Directory (Azure AD). With Azure AD authentication, identities of database users and other Microsoft services can be managed in one central location. Central ID management provides a single place to manage database users and simplifies permission management",
+ "rationale": null,
+ "impact": null,
+ "remediation": null,
+ "references": [
+ "https://docs.microsoft.com/en-us/azure/sql-database/sql-database-aad-authentication-configure"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "1.4.0",
+ "reference": "4.5"
+ }
+ ],
+ "tags": null,
+ "path": "az_sql_servers",
+ "display_path": "az_sql_servers",
+ "conditions": [
+ "and",
+ [
+ "isSQLActiveDirectoryAdministratorEnabled",
+ "eq",
+ "False"
+ ]
+ ],
+ "id_suffix": "sql_server_ad_admin_disabled"
+}
diff --git a/rules/findings/Azure/Databases/SQL Server/azure-sql-server-advanced-threat-protection-disabled.json b/rules/findings/Azure/Databases/SQL Server/azure-sql-server-advanced-threat-protection-disabled.json
new file mode 100644
index 00000000..23c7eb52
--- /dev/null
+++ b/rules/findings/Azure/Databases/SQL Server/azure-sql-server-advanced-threat-protection-disabled.json
@@ -0,0 +1,39 @@
+{
+ "dashboard_name": "SQL Server",
+ "menu_name": "Databases",
+ "issue_name": "Ensure that Advanced Threat Protection (ATP) on a SQL server is set to 'Enabled'",
+ "description": "Advanced data security is a unified package for advanced SQL security capabilities. It includes functionality for discovering and classifying sensitive data, surfacing and mitigating potential database vulnerabilities, and detecting anomalous activities that could indicate a threat to your database.",
+ "rationale": "Azure Defender for SQL is a unified package for advanced SQL security capabilities. Azure Defender is available for Azure SQL Database, Azure SQL Managed Instance, and Azure Synapse Analytics. It includes functionality for discovering and classifying sensitive data, surfacing and mitigating potential database vulnerabilities, and detecting anomalous activities that could indicate a threat to your database. It provides a single go-to location for enabling and managing these capabilities.",
+ "impact": "Azure Defender for SQL is a paid feature and will incur additional cost for each SQL server.",
+ "remediation": '
+ ###### From Azure Console
+ 1. Go to `SQL servers`.
+ 2. For each server instance
+ 3. Click on `Azure Defender` for SQL
+ 4. 
Set Azure Defender for SQL to `On`
+ ',
+ "references": [
+ "https://docs.microsoft.com/en-us/azure/azure-sql/database/azure-defender-for-sql",
+ "https://docs.microsoft.com/cs-cz/powershell/module/azurerm.sql/get-azurermsqlserverthreatdetectionpolicy?view=azurermps-5.2.0",
+ "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-3-monitor-for-unauthorized-transfer-of-sensitive-data"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "1.4.0",
+ "reference": "4.2.1"
+ }
+ ],
+ "tags": null,
+ "path": "az_sql_servers",
+ "display_path": "az_sql_servers",
+ "conditions": [
+ "and",
+ [
+ "threatDetectionPolicy",
+ "eq",
+ "Disabled"
+ ]
+ ],
+ "id_suffix": "sql_server_tdp_disabled"
+}
diff --git a/rules/findings/Azure/Databases/SQL Server/azure-sql-server-auditing-disabled.json b/rules/findings/Azure/Databases/SQL Server/azure-sql-server-auditing-disabled.json
new file mode 100644
index 00000000..df95ae7b
--- /dev/null
+++ b/rules/findings/Azure/Databases/SQL Server/azure-sql-server-auditing-disabled.json
@@ -0,0 +1,43 @@
+{
+ "dashboard_name": "SQL Server",
+ "menu_name": "Databases",
+ "issue_name": "Enable auditing on SQL Servers",
+ "description": "Auditing for Azure SQL Database tracks database events and writes them to an audit log. It could be used to maintain regulatory compliance, understand database activity, and gain insight into discrepancies and anomalies that could indicate business concerns or suspected security violations.",
+ "rationale": "The Azure platform allows a SQL server to be created as a service. Enabling auditing at the server level ensures that all existing and newly created databases on the SQL server instance are audited. Auditing policy applied on the SQL database does not override auditing policy and settings applied on the particular SQL server where the database is hosted.
+ Auditing tracks database events and writes them to an audit log in the Azure storage account. It also helps to maintain regulatory compliance, understand database activity, and gain insight into discrepancies and anomalies that could indicate business concerns or suspected security violations.
+ ",
+ "impact": null,
+ "remediation": '
+ ###### From Azure Console
+ 1. Go to `SQL servers`.
+ 2. For each server instance
+ 3. Click on `Auditing`
+ 4. 
Set Auditing to `On`
+ ',
+ "references": [
+ "https://docs.microsoft.com/en-us/azure/sql-database/sql-database-auditing",
+ "https://docs.microsoft.com/en-us/azure/security-center/security-center-enable-auditing-on-sql-servers",
+ "https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/get-azurermsqlserverauditing?view=azurermps-5.2.0",
+ "https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/set-azurermsqlserverauditingpolicy?view=azurermps-5.2.0",
+ "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "1.4.0",
+ "reference": "4.1.1"
+ }
+ ],
+ "tags": null,
+ "path": "az_sql_servers",
+ "display_path": "az_sql_servers",
+ "conditions": [
+ "and",
+ [
+ "auditingPolicyState",
+ "eq",
+ "Disabled"
+ ]
+ ],
+ "id_suffix": "sql_server_auditing_disabled"
+}
diff --git a/rules/findings/Azure/Databases/SQL Server/azure-sql-server-auditing-retention.json b/rules/findings/Azure/Databases/SQL Server/azure-sql-server-auditing-retention.json
new file mode 100644
index 00000000..3480d2df
--- /dev/null
+++ b/rules/findings/Azure/Databases/SQL Server/azure-sql-server-auditing-retention.json
@@ -0,0 +1,40 @@
+{
+ "dashboard_name": "SQL Server",
+ "menu_name": "Databases",
+ "issue_name": "SQL Server Audit Retention should be configured to be greater than 90 days",
+ "description": "The SQL Server Audit feature lets administrators to create server audits, which can contain server audit specifications for server level events, and database audit specifications for database level events. Audited events can be written to the event logs or to audit files.",
+ "rationale": "Audit Logs can be used to check for anomalies and give insight into suspected breaches or misuse of information and access.",
+ "impact": null,
+ "remediation": '
+ ###### From Azure Console
+ 1. Go to `SQL servers`.
+ 2. For each server instance
+ 3. Click on `Auditing`
+ 4. Select `Storage Details`
+ 5. Set `Retention (days)` setting greater than `90 days`
+ 6. Select `OK`
+ 7. Select `Save`
+ ',
+ "references": [
+ "https://docs.microsoft.com/en-us/sql/relational-databases/security/auditing/sql-server-audit-action-groups-and-actions?view=sql-server-2017"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "1.4.0",
+ "reference": "4.1.3"
+ }
+ ],
+ "tags": null,
+ "path": "az_sql_servers",
+ "display_path": "az_sql_servers",
+ "conditions": [
+ "and",
+ [
+ "auditingRetentionDays",
+ "le",
+ "90"
+ ]
+ ],
+ "id_suffix": "sql_server_audit_retention"
+}
diff --git a/rules/findings/Azure/Databases/SQL Server/azure-sql-server-data-encryption-disabled.json b/rules/findings/Azure/Databases/SQL Server/azure-sql-server-data-encryption-disabled.json
new file mode 100644
index 00000000..5e788b8d
--- /dev/null
+++ b/rules/findings/Azure/Databases/SQL Server/azure-sql-server-data-encryption-disabled.json
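Review bot: The condition `"auditingRetentionDays", "le", "90"` treats a retention of 0 as non-compliant, but for Azure SQL auditing to a storage account a retention of 0 means the logs are kept indefinitely, which satisfies the "greater than 90 days" intent; unless the collector already normalises that case, this rule will raise a false finding on the most conservative setting, and the rule should either exclude 0 (`"auditingRetentionDays", "ne", "0"` as an additional `and` term) or document why 0 is reported. The rule only evaluates server-level retention; database-level auditing policies with their own retention are not covered by the `az_sql_servers` path, which is worth a sentence in the description so readers do not assume database audits were checked.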
@@ -0,0 +1,43 @@
+{
+ "dashboard_name": "SQL Server",
+ "menu_name": "Databases",
+ "issue_name": "Enable Transparent Data Encryption on every SQL server",
+ "description": "Azure SQL Database transparent data encryption helps protect against the threat of malicious activity by performing real-time encryption and decryption of the database, associated backups, and transaction log files at rest without requiring changes to the application.",
+ "rationale": null,
+ "impact": null,
+ "remediation": '
+ ###### From Azure Console
+ 1. Go to `SQL servers`.
+ 2. For each server instance
+ 3. Click on `Transparent data encryption`
+ 4. Set encryption to `On`
+ ',
+ "references": [
+ "https://docs.microsoft.com/en-us/azure/security/fundamentals/encryption-atrest",
+ "https://docs.microsoft.com/en-us/azure/sql-database/sql-database-security-overview"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "1.4.0",
+ "reference": "4.1.2"
+ }
+ ],
+ "tags": null,
+ "path": "az_sql_databases",
+ "display_path": "az_sql_databases",
+ "conditions": [
+ "and",
+ [
+ "databaseName",
+ "ne",
+ "master"
+ ],
+ [
+ "databaseEncryptionStatus",
+ "eq",
+ "Disabled"
+ ]
+ ],
+ "id_suffix": "sql_server_encryption_disabled"
+}
diff --git a/rules/findings/Azure/Databases/SQL Server/azure-sql-server-tdp-own-key-enabled.json b/rules/findings/Azure/Databases/SQL Server/azure-sql-server-tdp-own-key-enabled.json
new file mode 100644
index 00000000..29826a3c
--- /dev/null
+++ b/rules/findings/Azure/Databases/SQL Server/azure-sql-server-tdp-own-key-enabled.json
@@ -0,0 +1,58 @@
+{
+ "dashboard_name": "SQL Server",
+ "menu_name": "Databases",
+ "issue_name": "Ensure SQL server's TDE protector is encrypted with Customer-managed key",
+ "description": "
+ TDE with Customer-managed key support provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties.
+
+ With TDE, data is encrypted at rest with a symmetric key (called the database encryption key) stored in the database or data warehouse distribution. To protect this data encryption key (DEK) in the past, only a certificate that the Azure SQL Service managed could be used. Now, with Customer-managed key support for TDE, the DEK can be protected with an asymmetric key that is stored in the Key Vault. Key Vault is a highly available and scalable cloud-based key store which offers central key management, leverages FIPS 140-2 Level 2 validated hardware security modules (HSMs), and allows separation of management of keys and data, for additional security.
+
+ Based on business needs or criticality of data/databases hosted a SQL server, it is recommended that the TDE protector is encrypted by a key that is managed by the data owner (Customer-managed key).
+ ",
+ "rationale": "Customer-managed key support for Transparent Data Encryption (TDE) allows user control of TDE encryption keys and restricts who can access them and when. Azure Key Vault, Azure’s cloud-based external key management system is the first key management service where TDE has integrated support for Customer-managed keys. With Customer-managed key support, the database encryption key is protected by an asymmetric key stored in the Key Vault. 
The asymmetric key is set at the server level and inherited by all databases under that server.",
+ "impact": "
+ Once TDE protector is encrypted with a Customer-managed key, it transfers entire responsibility of respective key management on to you and hence you should be more careful about doing any operations on the particular key in order to keep data from corresponding SQL server and Databases hosted accessible.
+
+ When deploying Customer Managed Keys it is also prudent to ensure that you also deploy an automated toolset for managing these keys (this should include discovery and key rotation), and Keys should be stored in an HSM or hardware backed keystore E.G. Azure Keyvault).
+
+ As far as toolsets go, check with your cryptographic key provider as they may well provide one as an add on to their service.
+ ",
+ "remediation": null,
+ "references": [
+ "https://docs.microsoft.com/en-us/azure/azure-sql/database/transparent-data-encryption-byok-overview?view=azuresql"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "1.4.0",
+ "reference": "4.6"
+ }
+ ],
+ "tags": null,
+ "path": "az_sql_servers",
+ "display_path": "az_sql_servers",
+ "conditions": [
+ "and",
+ [
+ "TDEProtectorMode",
+ "eq",
+ "servicemanaged"
+ ],
+ [
+ "TDEProtectorServerkeyName",
+ "eq",
+ "servicemanaged"
+ ],
+ [
+ "TDEProtectorServerkeyType",
+ "eq",
+ "servicemanaged"
+ ],
+ [
+ "TDEProtectorUri",
+ "eq",
+ ""
+ ]
+ ],
+ "id_suffix": "sql_server_tdp_own_key_disabled"
+}
diff --git a/rules/findings/Azure/Databases/SQL Server/azure-sql-server-vulnerability-assessments-disabled.json b/rules/findings/Azure/Databases/SQL Server/azure-sql-server-vulnerability-assessments-disabled.json
new file mode 100644
index 00000000..28cc5902
--- /dev/null
+++ b/rules/findings/Azure/Databases/SQL Server/azure-sql-server-vulnerability-assessments-disabled.json
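Review bot: The four `and`-ed conditions all have to hold — `TDEProtectorMode`, `TDEProtectorServerkeyName` and `TDEProtectorServerkeyType` each equal to `servicemanaged` and `TDEProtectorUri` equal to the empty string — so any server whose collector output differs in just one of them (a `ServiceManaged` spelling if `eq` is case-sensitive, a non-empty URI on a service-managed key, or a key name rendered differently) silently passes as if it used a customer-managed key; for a control whose whole point is to catch the default, a single authoritative field, presumably `TDEProtectorServerkeyType`, compared case-insensitively would be far harder to miss. The rule file is named `…-tdp-own-key-enabled.json` and the `id_suffix` says `_disabled`; one of the two should change so the finding id describes the state it reports. The first lines of the hunk, including the `description` block, are on the previous source line.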
@@ -0,0 +1,50 @@ +{ + "dashboard_name": "SQL Server", + "menu_name": "Databases", + "issue_name": "Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account", + "description": "Consider to enable Vulnerability Assessment (VA) service scans for critical SQL servers and corresponding SQL databases.", + "rationale": "Enabling Azure Defender for SQL server does not enables Vulnerability Assessment capability for individual SQL databases unless storage account is set to store the scanning data and reports. + The Vulnerability Assessment service scans databases for known security vulnerabilities and highlight deviations from best practices, such as misconfigurations, excessivepermissions, and unprotected sensitive data. Results of the scan include actionable steps to resolve each issue and provide customized remediation scripts where applicable. Additionally an assessment report can be customized by setting an acceptable baseline for permission configurations, feature configurations, and database settings.", + "impact": "Enabling the **Azure Defender** for SQL features will incur additional costs for each SQL server.", + "remediation": ' + ###### From Azure Console + 1. Go to `SQL servers`. + 2. Select a server instance + 3. Click on `Security Center` + 4. Select `Enable Azure Defender for SQL` + 5. In Section `Vulnerability Assessment Settings`, Click `Storage Account` + 6. Choose Storage Account (Existing or Create New). Click `Ok` + 7. 
Click `Save` + ', + "references": [ + "https://docs.microsoft.com/en-us/azure/sql-database/sql-vulnerability-assessment", + "https://docs.microsoft.com/en-us/rest/api/sql/servervulnerabilityassessments/listbyserver", + "https://docs.microsoft.com/en-in/powershell/module/Az.Sql/Update-AzSqlServerVulnerabilityAssessmentSetting?view=azps-2.6.0", + "https://docs.microsoft.com/en-in/powershell/module/Az.Sql/Get-AzSqlServerVulnerabilityAssessmentSetting?view=azps-2.6.0", + "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-posture-vulnerability-management#pv-6-perform-software-vulnerability-assessment" + ], + "compliance": [ + { + "name": "CIS Microsoft Azure Foundations", + "version": "1.4.0", + "reference": "4.2.2" + } + ], + "tags": null, + "path": "az_sql_servers", + "display_path": "az_sql_servers", + "conditions": [ + "and", + [ + "vulnerabilityAssessmentConfig.properties.storageContainerPath", + "ne", + "null" + ] + ], + "shouldExist": "true", + "returnObject": { + "Azure Defender": "Vulnerability Assessment", + "Status": "Not configured" + }, + "id_suffix": "sql_server_va_disabled" +} diff --git a/rules/findings/Azure/Databases/SQL Server/azure-sql-server-vulnerability-assessments-reportsto-admins-disabled.json b/rules/findings/Azure/Databases/SQL Server/azure-sql-server-vulnerability-assessments-reportsto-admins-disabled.json new file mode 100644 index 00000000..e03e5225 --- /dev/null +++ b/rules/findings/Azure/Databases/SQL Server/azure-sql-server-vulnerability-assessments-reportsto-admins-disabled.json 
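Review bot: The condition compares `storageContainerPath` with the string `"null"` (with `shouldExist` inverting the result), so whether an unconfigured server is reported depends on the evaluator rendering an absent or JSON-null property as that exact text, which the hunk does not establish; an explicit empty/absent test, or `["vulnerabilityAssessmentConfig.properties.storageContainerPath", "eq", ""]` as a second branch, would be safer if the engine supports it. `"remediation"` is delimited with single quotes here (and in the other VA and Diagnostic Settings rules in this change), while the Defender rules use double quotes; strict JSON accepts only the latter, so this too assumes a lenient loader. Rationale wording: `does not enables` → `does not enable`, `excessivepermissions` → `excessive permissions`.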
@@ -0,0 +1,44 @@ +{ + "dashboard_name": "SQL Server", + "menu_name": "Databases", + "issue_name": "Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server", + "description": "Enable Vulnerability Assessment (VA) setting 'Also send email notifications to admins and subscription owners'.", + "rationale": "VA scan reports and alerts will be sent to admins and subscription owners by enabling setting 'Also send email notifications to admins and subscription owners'. This may help in reducing time required for identifying risks and taking corrective measures.", + "impact": "Enabling the **Azure Defender** for SQL features will incur additional costs for each SQL server.", + "remediation": ' + ###### From Azure Console + 1. Go to `SQL servers`. + 2. Select a server instance + 3. Click on `Security Center` + 4. Ensure that `Azure Defender for SQL` is set to `Enabled` + 5. In Section `Vulnerability Assessment Settings`, Ensure Storage Accounts is configured. + 6. Check/enable "Also send email notifications to admins and subscription owners" + 7. 
Click `Save` + ', + "references": [ + "https://docs.microsoft.com/en-us/azure/sql-database/sql-vulnerability-assessment", + "https://docs.microsoft.com/en-us/rest/api/sql/servervulnerabilityassessments/listbyserver", + "https://docs.microsoft.com/en-in/powershell/module/Az.Sql/Update-AzSqlServerVulnerabilityAssessmentSetting?view=azps-2.6.0", + "https://docs.microsoft.com/en-in/powershell/module/Az.Sql/Get-AzSqlServerVulnerabilityAssessmentSetting?view=azps-2.6.0", + "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-posture-vulnerability-management#pv-6-perform-software-vulnerability-assessment" + ], + "compliance": [ + { + "name": "CIS Microsoft Azure Foundations", + "version": "1.4.0", + "reference": "4.2.5" + } + ], + "tags": null, + "path": "az_sql_servers", + "display_path": "az_sql_servers", + "conditions": [ + "and", + [ + "vulnerabilityAssessmentConfig.properties.recurringScans.emailSubscriptionAdmins", + "ne", + "true" + ] + ], + "id_suffix": "sql_server_va_send_reports_admins_disabled" +} diff --git a/rules/findings/Azure/Databases/SQL Server/azure-sql-server-vulnerability-assessments-send-reports-disabled.json b/rules/findings/Azure/Databases/SQL Server/azure-sql-server-vulnerability-assessments-send-reports-disabled.json new file mode 100644 index 00000000..6d73d589 --- /dev/null +++ b/rules/findings/Azure/Databases/SQL Server/azure-sql-server-vulnerability-assessments-send-reports-disabled.json 
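Review bot: Boolean properties are compared as strings with inconsistent casing across this set: `"ne", "true"` here, `"eq", "False"` for `recurringScans.isEnabled` in the periodic-scans rule and for `properties.enabled` in the MCAS and WDATP rules. If `eq`/`ne` are case-sensitive, whichever spelling does not match the collector's rendering misfires silently — `ne "true"` against `True` would flag every server, `eq "False"` against `false` would flag none. Pick one rendering and use it in all four rules, or use a case-insensitive operator if the engine provides one. Note that the `ne` form also fires when the property is absent, which is what this control wants, whereas the `eq "False"` form in the other three does not.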
@@ -0,0 +1,43 @@ +{ + "dashboard_name": "SQL Server", + "menu_name": "Databases", + "issue_name": "Ensure that VA setting Send scan reports to is configured for a SQL server", + "description": "Configure 'Send scan reports to' with email ids of concerned data owners/stakeholders for a critical SQL servers.", + "rationale": "Vulnerability Assessment (VA) scan reports and alerts will be sent to email ids configured at 'Send scan reports to'. This may help in reducing time required for identifying risks and taking corrective measures.", + "impact": "Enabling the **Azure Defender** for SQL features will incur additional costs for each SQL server.", + "remediation": ' + ###### From Azure Console + 1. Go to `SQL servers`. + 2. Select a server instance + 3. Click on `Security Center` + 4. Ensure that `Azure Defender for SQL` is set to `Enabled` + 5. In Section `Vulnerability Assessment Settings`, Ensure Storage Accounts is configured. + 6. In Section `Vulnerability Assessment Settings`, Ensure Send scan reports to is not empty + ', + "references": [ + "https://docs.microsoft.com/en-us/azure/sql-database/sql-vulnerability-assessment", + "https://docs.microsoft.com/en-us/rest/api/sql/servervulnerabilityassessments/listbyserver", + "https://docs.microsoft.com/en-in/powershell/module/Az.Sql/Update-AzSqlServerVulnerabilityAssessmentSetting?view=azps-2.6.0", + "https://docs.microsoft.com/en-in/powershell/module/Az.Sql/Get-AzSqlServerVulnerabilityAssessmentSetting?view=azps-2.6.0", + "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-posture-vulnerability-management#pv-6-perform-software-vulnerability-assessment" + ], + "compliance": [ + { + "name": "CIS Microsoft Azure Foundations", + "version": "1.4.0", + "reference": "4.2.4" + } + ], + "tags": null, + "path": "az_sql_servers", + "display_path": "az_sql_servers", + "conditions": [ + "and", + [ + "vulnerabilityAssessmentConfig.properties.recurringScans.emails.Count", + "eq", + "0" + ] + ], + 
"id_suffix": "sql_server_va_send_reports_empty" +} diff --git a/rules/findings/Azure/Databases/SQL Server/azure-sql-server-vulnerability-periodic-assessments-disabled.json b/rules/findings/Azure/Databases/SQL Server/azure-sql-server-vulnerability-periodic-assessments-disabled.json new file mode 100644 index 00000000..c9801028 --- /dev/null +++ b/rules/findings/Azure/Databases/SQL Server/azure-sql-server-vulnerability-periodic-assessments-disabled.json 
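Review bot: `recurringScans.emails.Count eq "0"` only matches when `emails` resolves to an empty collection; if the collector returns no `emails` property at all — the usual shape before VA has been configured — `.Count` presumably resolves to nothing rather than `0` and the server is not flagged. Adding the absent case as a second branch under `or`, e.g. `["vulnerabilityAssessmentConfig.properties.recurringScans.emails", "eq", ""]` or whatever the engine's null test is, would cover it. Step 6 of the remediation restates the check instead of telling the reader what to do; "enter the recipient addresses under Send scan reports to and click Save" would be clearer.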
@@ -0,0 +1,43 @@ +{ + "dashboard_name": "SQL Server", + "menu_name": "Databases", + "issue_name": "Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server", + "description": "Enable Vulnerability Assessment (VA) Periodic recurring scans for critical SQL servers and corresponding SQL databases.", + "rationale": "VA setting 'Periodic recurring scans' schedules periodic (weekly) vulnerability scanning for the SQL server and corresponding Databases. Periodic and regular vulnerability scanning provides risk visibility based on updated known vulnerability signatures and best practices.", + "impact": "Enabling the **Azure Defender** for SQL features will incur additional costs for each SQL server.", + "remediation": ' + ###### From Azure Console + 1. Go to `SQL servers`. + 2. Select a server instance + 3. Click on `Security Center` + 4. Ensure that `Azure Defender for SQL` is set to `Enabled` + 5. In Section `Vulnerability Assessment Settings`, Ensure Storage Accounts is configured. + 6. 
In Section `Vulnerability Assessment Settings`, Ensure Periodic recurring scans is set to `On` + ', + "references": [ + "https://docs.microsoft.com/en-us/azure/sql-database/sql-vulnerability-assessment", + "https://docs.microsoft.com/en-us/rest/api/sql/servervulnerabilityassessments/listbyserver", + "https://docs.microsoft.com/en-in/powershell/module/Az.Sql/Update-AzSqlServerVulnerabilityAssessmentSetting?view=azps-2.6.0", + "https://docs.microsoft.com/en-in/powershell/module/Az.Sql/Get-AzSqlServerVulnerabilityAssessmentSetting?view=azps-2.6.0", + "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-posture-vulnerability-management#pv-6-perform-software-vulnerability-assessment" + ], + "compliance": [ + { + "name": "CIS Microsoft Azure Foundations", + "version": "1.4.0", + "reference": "4.2.3" + } + ], + "tags": null, + "path": "az_sql_servers", + "display_path": "az_sql_servers", + "conditions": [ + "and", + [ + "vulnerabilityAssessmentConfig.properties.recurringScans.isEnabled", + "eq", + "False" + ] + ], + "id_suffix": "sql_server_va_periodic_disabled" +} diff --git a/rules/findings/Azure/Defender/azure-defender-missing-appservice-protection.json b/rules/findings/Azure/Defender/azure-defender-missing-appservice-protection.json new file mode 100644 index 00000000..53061247 --- /dev/null +++ b/rules/findings/Azure/Defender/azure-defender-missing-appservice-protection.json 
@@ -0,0 +1,48 @@
+{
+ "dashboard_name": "Azure Defender",
+ "menu_name": "Subscription",
+ "issue_name": "Ensure that Azure Defender is set to On for App Service",
+ "description": "Turning on Azure Defender enables threat detection for App Service, providing threat intelligence, anomaly detection, and behavior analytics in the Azure Security Center.",
+ "rationale": "Enabling Azure Defender for App Service allows for greater defense-in-depth, with threat detection provided by the Microsoft Security Response Center (MSRC).",
+ "impact": "Turning on Azure Defender in Azure Security Center incurs an additional cost per resource.",
+ "remediation": "
+ ###### From Azure Console
+ 1. Go to `Security Center`
+ 2. Select `Pricing & settings blade`
+ 3. Click on the subscription name
+ 4. Select the `Azure Defender plans` blade
+ 5. On the line in the table for `App Service` Select `On` under `Plan`.
+ 6. Select `Save`
+ ",
+ "references": [
+ "https://docs.microsoft.com/en-us/azure/security-center/security-center-detection-capabilities",
+ "https://docs.microsoft.com/en-us/rest/api/securitycenter/pricings/list",
+ "https://docs.microsoft.com/en-us/rest/api/securitycenter/pricings/update",
+ "https://docs.microsoft.com/en-us/powershell/module/az.security/get-azsecuritypricing",
+ "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-endpoint-security#es-1-use-endpoint-detection-and-response-edr"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "1.4.0",
+ "reference": "2.2"
+ }
+ ],
+ "tags": null,
+ "path": "az_pricing_tier",
+ "display_path": "az_pricing_tier",
+ "conditions": [
+ "and",
+ [
+ "name",
+ "eq",
+ "AppServices"
+ ],
+ [
+ "properties.pricingTier",
+ "eq",
+ "Free"
+ ]
+ ],
+ "id_suffix": "azure_defender_missing_appservice_protection"
+}
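Review bot: `properties.pricingTier eq "Free"` reports only the exact literal `Free`, so any other rendering of a plan that is not switched on — different casing, or an empty value when the plan row could not be read — produces no finding even though Defender is off; `["properties.pricingTier", "ne", "Standard"]` flags everything that is not the paid plan and matches the control's intent ("plan is On") more directly. The same pattern is repeated in the seven sibling Defender rules in this change (Container Registries, Key Vault, Kubernetes, SQL servers on machines, SQL database servers, Storage, Servers), which differ only in the `name` literal, so a shared condition file would keep the tier test in one place. Two wording nits in those siblings: the Servers rule's description says `for Server` (singular) and the SQL database servers rationale has `defense-in depth` missing its hyphen.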
diff --git a/rules/findings/Azure/Defender/azure-defender-missing-container-registries-protection.json b/rules/findings/Azure/Defender/azure-defender-missing-container-registries-protection.json new file mode 100644 index 00000000..72994844 --- /dev/null +++ b/rules/findings/Azure/Defender/azure-defender-missing-container-registries-protection.json 
@@ -0,0 +1,48 @@
+{
+ "dashboard_name": "Azure Defender",
+ "menu_name": "Subscription",
+ "issue_name": "Ensure that Azure Defender is set to On for Container Registries",
+ "description": "Turning on Azure Defender enables threat detection for Container Registries, providing threat intelligence, anomaly detection, and behavior analytics in the Azure Security Center.",
+ "rationale": "Enabling Azure Defender for Container Registries allows for greater defense-in-depth, with threat detection provided by the Microsoft Security Response Center (MSRC).",
+ "impact": "Turning on Azure Defender in Azure Security Center incurs an additional cost per resource.",
+ "remediation": "
+ ###### From Azure Console
+ 1. Go to `Security Center`
+ 2. Select `Pricing & settings blade`
+ 3. Click on the subscription name
+ 4. Select the `Azure Defender plans` blade
+ 5. On the line in the table for `Container Registries` Select `On` under `Plan`.
+ 6. Select `Save`
+ ",
+ "references": [
+ "https://docs.microsoft.com/en-us/azure/security-center/security-center-detection-capabilities",
+ "https://docs.microsoft.com/en-us/rest/api/securitycenter/pricings/list",
+ "https://docs.microsoft.com/en-us/rest/api/securitycenter/pricings/update",
+ "https://docs.microsoft.com/en-us/powershell/module/az.security/get-azsecuritypricing",
+ "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-endpoint-security#es-1-use-endpoint-detection-and-response-edr"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "1.4.0",
+ "reference": "2.7"
+ }
+ ],
+ "tags": null,
+ "path": "az_pricing_tier",
+ "display_path": "az_pricing_tier",
+ "conditions": [
+ "and",
+ [
+ "name",
+ "eq",
+ "ContainerRegistry"
+ ],
+ [
+ "properties.pricingTier",
+ "eq",
+ "Free"
+ ]
+ ],
+ "id_suffix": "azure_defender_missing_container_protection"
+}
diff --git a/rules/findings/Azure/Defender/azure-defender-missing-keyvault-protection.json b/rules/findings/Azure/Defender/azure-defender-missing-keyvault-protection.json new file mode 100644 index 00000000..60c6fb4f --- /dev/null +++ b/rules/findings/Azure/Defender/azure-defender-missing-keyvault-protection.json 
@@ -0,0 +1,48 @@
+{
+ "dashboard_name": "Azure Defender",
+ "menu_name": "Subscription",
+ "issue_name": "Ensure that Azure Defender is set to On for Key Vault",
+ "description": "Turning on Azure Defender enables threat detection for Key Vault, providing threat intelligence, anomaly detection, and behavior analytics in the Azure Security Center.",
+ "rationale": "Enabling Azure Defender for Key Vault allows for greater defense-in-depth, with threat detection provided by the Microsoft Security Response Center (MSRC).",
+ "impact": "Turning on Azure Defender in Azure Security Center incurs an additional cost per resource.",
+ "remediation": "
+ ###### From Azure Console
+ 1. Go to `Security Center`
+ 2. Select `Pricing & settings blade`
+ 3. Click on the subscription name
+ 4. Select the `Azure Defender plans` blade
+ 5. On the line in the table for `Key Vault` Select `On` under `Plan`.
+ 6. Select `Save`
+ ",
+ "references": [
+ "https://docs.microsoft.com/en-us/azure/security-center/security-center-detection-capabilities",
+ "https://docs.microsoft.com/en-us/rest/api/securitycenter/pricings/list",
+ "https://docs.microsoft.com/en-us/rest/api/securitycenter/pricings/update",
+ "https://docs.microsoft.com/en-us/powershell/module/az.security/get-azsecuritypricing",
+ "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-endpoint-security#es-1-use-endpoint-detection-and-response-edr"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "1.4.0",
+ "reference": "2.8"
+ }
+ ],
+ "tags": null,
+ "path": "az_pricing_tier",
+ "display_path": "az_pricing_tier",
+ "conditions": [
+ "and",
+ [
+ "name",
+ "eq",
+ "KeyVaults"
+ ],
+ [
+ "properties.pricingTier",
+ "eq",
+ "Free"
+ ]
+ ],
+ "id_suffix": "azure_defender_missing_keyvault_protection"
+}
diff --git a/rules/findings/Azure/Defender/azure-defender-missing-kubernetes-protection.json b/rules/findings/Azure/Defender/azure-defender-missing-kubernetes-protection.json new file mode 100644 index 00000000..85ff32e7 --- /dev/null +++ b/rules/findings/Azure/Defender/azure-defender-missing-kubernetes-protection.json 
@@ -0,0 +1,48 @@
+{
+ "dashboard_name": "Azure Defender",
+ "menu_name": "Subscription",
+ "issue_name": "Ensure that Azure Defender is set to On for Kubernetes",
+ "description": "Turning on Azure Defender enables threat detection for Kubernetes, providing threat intelligence, anomaly detection, and behavior analytics in the Azure Security Center.",
+ "rationale": "Enabling Azure Defender for Kubernetes allows for greater defense-in-depth, with threat detection provided by the Microsoft Security Response Center (MSRC).",
+ "impact": "Turning on Azure Defender in Azure Security Center incurs an additional cost per resource.",
+ "remediation": "
+ ###### From Azure Console
+ 1. Go to `Security Center`
+ 2. Select `Pricing & settings blade`
+ 3. Click on the subscription name
+ 4. Select the `Azure Defender plans` blade
+ 5. On the line in the table for `Kubernetes` Select `On` under `Plan`.
+ 6. Select `Save`
+ ",
+ "references": [
+ "https://docs.microsoft.com/en-us/azure/security-center/security-center-detection-capabilities",
+ "https://docs.microsoft.com/en-us/rest/api/securitycenter/pricings/list",
+ "https://docs.microsoft.com/en-us/rest/api/securitycenter/pricings/update",
+ "https://docs.microsoft.com/en-us/powershell/module/az.security/get-azsecuritypricing",
+ "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-endpoint-security#es-1-use-endpoint-detection-and-response-edr"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "1.4.0",
+ "reference": "2.6"
+ }
+ ],
+ "tags": null,
+ "path": "az_pricing_tier",
+ "display_path": "az_pricing_tier",
+ "conditions": [
+ "and",
+ [
+ "name",
+ "eq",
+ "KubernetesService"
+ ],
+ [
+ "properties.pricingTier",
+ "eq",
+ "Free"
+ ]
+ ],
+ "id_suffix": "azure_defender_missing_kubernetes_protection"
+}
diff --git a/rules/findings/Azure/Defender/azure-defender-missing-sql-server-on-machines-protection.json b/rules/findings/Azure/Defender/azure-defender-missing-sql-server-on-machines-protection.json new file mode 100644 index 00000000..2ee58540 --- /dev/null +++ b/rules/findings/Azure/Defender/azure-defender-missing-sql-server-on-machines-protection.json 
@@ -0,0 +1,48 @@
+{
+ "dashboard_name": "Azure Defender",
+ "menu_name": "Subscription",
+ "issue_name": "Ensure that Azure Defender is set to On for SQL servers on machines",
+ "description": "Turning on Azure Defender enables threat detection for SQL servers on machines, providing threat intelligence, anomaly detection, and behavior analytics in the Azure Security Center.",
+ "rationale": "Enabling Azure Defender for SQL servers on machines allows for greater defense-in-depth, with threat detection provided by the Microsoft Security Response Center (MSRC).",
+ "impact": "Turning on Azure Defender in Azure Security Center incurs an additional cost per resource.",
+ "remediation": "
+ ###### From Azure Console
+ 1. Go to `Security Center`
+ 2. Select `Pricing & settings blade`
+ 3. Click on the subscription name
+ 4. Select the `Azure Defender plans` blade
+ 5. On the line in the table for `SQL Servers on machines` Select `On` under `Plan`.
+ 6. Select `Save`
+ ",
+ "references": [
+ "https://docs.microsoft.com/en-us/azure/security-center/security-center-detection-capabilities",
+ "https://docs.microsoft.com/en-us/rest/api/securitycenter/pricings/list",
+ "https://docs.microsoft.com/en-us/rest/api/securitycenter/pricings/update",
+ "https://docs.microsoft.com/en-us/powershell/module/az.security/get-azsecuritypricing",
+ "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-endpoint-security#es-1-use-endpoint-detection-and-response-edr"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "1.4.0",
+ "reference": "2.4"
+ }
+ ],
+ "tags": null,
+ "path": "az_pricing_tier",
+ "display_path": "az_pricing_tier",
+ "conditions": [
+ "and",
+ [
+ "name",
+ "eq",
+ "SqlServerVirtualMachines"
+ ],
+ [
+ "properties.pricingTier",
+ "eq",
+ "Free"
+ ]
+ ],
+ "id_suffix": "azure_defender_missing_sql_server_vm_protection"
+}
diff --git a/rules/findings/Azure/Defender/azure-defender-missing-sql-server-protection.json b/rules/findings/Azure/Defender/azure-defender-missing-sql-server-protection.json new file mode 100644 index 00000000..0111f05f --- /dev/null +++ b/rules/findings/Azure/Defender/azure-defender-missing-sql-server-protection.json 
@@ -0,0 +1,48 @@
+{
+ "dashboard_name": "Azure Defender",
+ "menu_name": "Subscription",
+ "issue_name": "Ensure that Azure Defender is set to On for Azure SQL database servers",
+ "description": "Turning on Azure Defender enables threat detection for Azure SQL database servers, providing threat intelligence, anomaly detection, and behavior analytics in the Azure Security Center.",
+ "rationale": "Enabling Azure Defender for Azure SQL database servers allows for greater defense-in depth, with threat detection provided by the Microsoft Security Response Center (MSRC).",
+ "impact": "Turning on Azure Defender in Azure Security Center incurs an additional cost per resource.",
+ "remediation": "
+ ###### From Azure Console
+ 1. Go to `Security Center`
+ 2. Select `Pricing & settings blade`
+ 3. Click on the subscription name
+ 4. Select the `Azure Defender plans` blade
+ 5. On the line in the table for `Azure SQL database servers` Select `On` under `Plan`.
+ 6. Select `Save`
+ ",
+ "references": [
+ "https://docs.microsoft.com/en-us/azure/security-center/security-center-detection-capabilities",
+ "https://docs.microsoft.com/en-us/rest/api/securitycenter/pricings/list",
+ "https://docs.microsoft.com/en-us/rest/api/securitycenter/pricings/update",
+ "https://docs.microsoft.com/en-us/powershell/module/az.security/get-azsecuritypricing",
+ "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-endpoint-security#es-1-use-endpoint-detection-and-response-edr"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "1.4.0",
+ "reference": "2.3"
+ }
+ ],
+ "tags": null,
+ "path": "az_pricing_tier",
+ "display_path": "az_pricing_tier",
+ "conditions": [
+ "and",
+ [
+ "name",
+ "eq",
+ "SqlServers"
+ ],
+ [
+ "properties.pricingTier",
+ "eq",
+ "Free"
+ ]
+ ],
+ "id_suffix": "azure_defender_missing_sql_server_protection"
+}
diff --git a/rules/findings/Azure/Defender/azure-defender-missing-storageaccount-protection.json b/rules/findings/Azure/Defender/azure-defender-missing-storageaccount-protection.json new file mode 100644 index 00000000..9086ec3a --- /dev/null +++ b/rules/findings/Azure/Defender/azure-defender-missing-storageaccount-protection.json 
@@ -0,0 +1,48 @@
+{
+ "dashboard_name": "Azure Defender",
+ "menu_name": "Subscription",
+ "issue_name": "Ensure that Azure Defender is set to On for Storage",
+ "description": "Turning on Azure Defender enables threat detection for Storage, providing threat intelligence, anomaly detection, and behavior analytics in the Azure Security Center.",
+ "rationale": "Enabling Azure Defender for Storage allows for greater defense-in-depth, with threat detection provided by the Microsoft Security Response Center (MSRC).",
+ "impact": "Turning on Azure Defender in Azure Security Center incurs an additional cost per resource.",
+ "remediation": "
+ ###### From Azure Console
+ 1. Go to `Security Center`
+ 2. Select `Pricing & settings blade`
+ 3. Click on the subscription name
+ 4. Select the `Azure Defender plans` blade
+ 5. On the line in the table for `Storage` Select `On` under `Plan`.
+ 6. Select `Save`
+ ",
+ "references": [
+ "https://docs.microsoft.com/en-us/azure/security-center/security-center-detection-capabilities",
+ "https://docs.microsoft.com/en-us/rest/api/securitycenter/pricings/list",
+ "https://docs.microsoft.com/en-us/rest/api/securitycenter/pricings/update",
+ "https://docs.microsoft.com/en-us/powershell/module/az.security/get-azsecuritypricing",
+ "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-endpoint-security#es-1-use-endpoint-detection-and-response-edr"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "1.4.0",
+ "reference": "2.5"
+ }
+ ],
+ "tags": null,
+ "path": "az_pricing_tier",
+ "display_path": "az_pricing_tier",
+ "conditions": [
+ "and",
+ [
+ "name",
+ "eq",
+ "StorageAccounts"
+ ],
+ [
+ "properties.pricingTier",
+ "eq",
+ "Free"
+ ]
+ ],
+ "id_suffix": "azure_defender_missing_storageaccount_protection"
+}
diff --git a/rules/findings/Azure/Defender/azure-defender-missing-vm-protection.json b/rules/findings/Azure/Defender/azure-defender-missing-vm-protection.json new file mode 100644 index 00000000..703a2ae0 --- /dev/null +++ b/rules/findings/Azure/Defender/azure-defender-missing-vm-protection.json 
@@ -0,0 +1,48 @@
+{
+ "dashboard_name": "Azure Defender",
+ "menu_name": "Subscription",
+ "issue_name": "Ensure that Azure Defender is set to On for Servers",
+ "description": "Turning on Azure Defender enables threat detection for Server, providing threat intelligence, anomaly detection, and behavior analytics in the Azure Security Center.",
+ "rationale": "Enabling Azure Defender for Servers allows for greater defense-in-depth, with threat detection provided by the Microsoft Security Response Center (MSRC).",
+ "impact": "Turning on Azure Defender in Azure Security Center incurs an additional cost per resource.",
+ "remediation": "
+ ###### From Azure Console
+ 1. Go to `Security Center`
+ 2. Select `Pricing & settings blade`
+ 3. Click on the subscription name
+ 4. Select the `Azure Defender plans` blade
+ 5. On the line in the table for `Servers` Select `On` under `Plan`.
+ 6. Select `Save`
+ ",
+ "references": [
+ "https://docs.microsoft.com/en-us/azure/security-center/security-center-detection-capabilities",
+ "https://docs.microsoft.com/en-us/rest/api/securitycenter/pricings/list",
+ "https://docs.microsoft.com/en-us/rest/api/securitycenter/pricings/update",
+ "https://docs.microsoft.com/en-us/powershell/module/az.security/get-azsecuritypricing",
+ "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-endpoint-security#es-1-use-endpoint-detection-and-response-edr"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "1.4.0",
+ "reference": "2.1"
+ }
+ ],
+ "tags": null,
+ "path": "az_pricing_tier",
+ "display_path": "az_pricing_tier",
+ "conditions": [
+ "and",
+ [
+ "name",
+ "eq",
+ "VirtualMachines"
+ ],
+ [
+ "properties.pricingTier",
+ "eq",
+ "Free"
+ ]
+ ],
+ "id_suffix": "azure_defender_missing_vm_protection"
+}
diff --git a/rules/findings/Azure/Defender/cloud-app-security-missing-security-center-integration.json b/rules/findings/Azure/Defender/cloud-app-security-missing-security-center-integration.json new file mode 100644 index 00000000..115aa858 --- /dev/null +++ b/rules/findings/Azure/Defender/cloud-app-security-missing-security-center-integration.json 
@@ -0,0 +1,49 @@ +{ + "dashboard_name": "Azure Defender", + "menu_name": "Subscription", + "issue_name": "Ensure that Microsoft Cloud App Security (MCAS) integration with Security Center is selected", + "description": "This setting enables Microsoft Cloud App Security (MCAS) integration with Security Center.", + "rationale": "Security Center offers an additional layer of protection by using Azure Resource Manager events, which is considered to be the control plane for Azure. By analyzing the Azure Resource Manager records, Security Center detects unusual or potentially harmful operations in the Azure subscription environment. Several of the preceding analytics are powered by Microsoft Cloud App Security. To benefit from these analytics, subscription must have a Cloud App Security license. + MCAS works only with Standard Tier subscriptions. + ", + "impact": "MCAS works with Standard pricing tier Subscription.Choosing the Standard pricing tier of Azure Security Center incurs an additional cost per resource.", + "remediation": " + ###### From Azure Console + 1. Go to `Security Center` + 2. Select `Pricing & settings` blade + 3. Click on the subscription name + 4. Select the `Threat Detection` blade + 5. Check/Enable option `Allow Microsoft Cloud App Security to access my data` + 6. 
Select `Save` + ", + "references": [ + "https://docs.microsoft.com/en-in/azure/security-center/security-center-alerts-service-layer#azure-management-layer-azure-resource-manager-preview", + "https://docs.microsoft.com/en-us/rest/api/securitycenter/settings/list", + "https://docs.microsoft.com/en-us/rest/api/securitycenter/settings/update", + "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-identity-management#im-8-secure-user-access-to-legacy-applications" + ], + "compliance": [ + { + "name": "CIS Microsoft Azure Foundations", + "version": "1.4.0", + "reference": "2.10" + } + ], + "tags": null, + "path": "az_security_center_config", + "display_path": "az_security_center_config", + "conditions": [ + "and", + [ + "name", + "eq", + "MCAS" + ], + [ + "properties.enabled", + "eq", + "False" + ] + ], + "id_suffix": "cloud_app_security_missing_sec_center_integration" +} diff --git a/rules/findings/Azure/Defender/windows-defender-missing-security-center-integration.json b/rules/findings/Azure/Defender/windows-defender-missing-security-center-integration.json new file mode 100644 index 00000000..21b6e1cb --- /dev/null +++ b/rules/findings/Azure/Defender/windows-defender-missing-security-center-integration.json 
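Review bot: The rule fires only when an `MCAS` entry exists in `az_security_center_config` with `properties.enabled` rendered as `"False"`; a subscription on which the setting was never touched and for which the settings list returns no `MCAS` item yields no finding, which is the opposite of what the control intends. Worth confirming how the collector represents a missing setting and, if it is simply absent, adding an absence check alongside the `"and"` block the way the VA storage-account rule uses `shouldExist`. The WDATP rule that follows has the same shape and the same gap. Wording: the `impact` text is missing a space after `Subscription.` in both rules, and WDATP remediation step 3 reads `alter the the security policy`.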
@@ -0,0 +1,50 @@ +{ + "dashboard_name": "Azure Defender", + "menu_name": "Subscription", + "issue_name": "Ensure that Windows Defender ATP (WDATP) integration with Security Center is selected", + "description": "This setting enables Windows Defender ATP (WDATP) integration with Security Center.", + "rationale": "WDATP integration brings comprehensive Endpoint Detection and Response (EDR) capabilities within security center. This integration helps to spot abnormalities, detect and respond to advanced attacks on Windows server endpoints monitored by Azure Security Center. Windows Defender ATP in Security Center supports detection on Windows Server 2016, 2012 R2, and 2008 R2 SP1 operating systems in a Standard service subscription. + WDATP works only with Standard Tier subscriptions. + ", + "impact": "WDATP works with Standard pricing tier Subscription.Choosing the Standard pricing tier of Azure Security Center incurs an additional cost per resource.", + "remediation": " + ###### From Azure Console + 1. Go to `Security Center` + 2. Select `Security policy` blade + 3. Click on `Edit Settings` to alter the the security policy for a subscription + 4. Select the `Threat Detection` blade + 5. Check/Enable option `Allow Windows Defender ATP to access my data` + 6. 
Select `Save` + ", + "references": [ + "https://docs.microsoft.com/en-in/azure/security-center/security-center-wdatp", + "https://docs.microsoft.com/en-us/rest/api/securitycenter/settings/list", + "https://docs.microsoft.com/en-us/rest/api/securitycenter/settings/update", + "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-endpoint-security#es-1-use-endpoint-detection-and-response-edr", + "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-endpoint-security#es-2-use-centrally-managed-modern-anti-malware-software" + ], + "compliance": [ + { + "name": "CIS Microsoft Azure Foundations", + "version": "1.4.0", + "reference": "2.9" + } + ], + "tags": null, + "path": "az_security_center_config", + "display_path": "az_security_center_config", + "conditions": [ + "and", + [ + "name", + "eq", + "WDATP" + ], + [ + "properties.enabled", + "eq", + "False" + ] + ], + "id_suffix": "windows_defender_atp_missing_integration" +} diff --git a/rules/findings/Azure/Diagnostic Settings/azure-diagnostic-settings-disabled.json b/rules/findings/Azure/Diagnostic Settings/azure-diagnostic-settings-disabled.json new file mode 100644 index 00000000..c8334679 --- /dev/null +++ b/rules/findings/Azure/Diagnostic Settings/azure-diagnostic-settings-disabled.json 
@@ -0,0 +1,42 @@
+{
+ "dashboard_name": "Diagnostic Settings",
+ "menu_name": "Subscription",
+ "issue_name": "Ensure that a 'Diagnostics Setting' exists",
+ "description": "Enable Diagnostic settings for exporting activity logs. Diagnostic setting are available for each individual resources within a subscription. Settings should be configured for all appropriate resources for your environment.",
+ "rationale": "A diagnostic setting controls how a diagnostic log is exported. By default, logs are retained only for 90 days. Diagnostic settings should be defined so that logs can be exported and stored for a longer duration in order to analyze security activities within an Azure subscription.",
+ "impact": "",
+ "remediation": '
+ ###### From Azure Console
+ 1. Click on the resource that has a diagnostic status of `disabled`
+ 2. Select `Add Diagnostic Settings`
+ 3. Enter a Diagnostic setting `name`
+ 4. Select the appropriate log, metric, and destination. (This may be Log Analytics/Storage account or Event Hub)
+ 5. Click `save`
+
+ Repeat these step for all resources as needed.
+ ',
+ "references": [
+ "https://docs.microsoft.com/en-us/azure/monitoring-and-diagnostics/monitoring-overview-activity-logs#export-the-activity-log-with-a-log-profile",
+ "https://docs.microsoft.com/en-us/cli/azure/monitor/log-profiles?view=azure-cli-latest#az_monitor_log_profiles_create",
+ "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-5-centralize-security-log-management-and-analysis"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "1.4.0",
+ "reference": "5.1.1"
+ }
+ ],
+ "tags": null,
+ "path": "az_diagnostic_settings",
+ "display_path": "az_diagnostic_settings",
+ "conditions": [
+ "and",
+ [
+ "diagnostic_settings",
+ "eq",
+ ""
+ ]
+ ],
+ "id_suffix": "azure_diagnostic_settings_disabled"
+}
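Review bot: The single clause `["diagnostic_settings", "eq", ""]` matches only an empty string; if the collector leaves the property null or absent for a resource that has no diagnostic setting, the finding is never raised, which fails open for exactly the resources this rule exists to catch. Unless the engine normalises null to `""`, either confirm the collector always emits an empty string or, if the condition format supports it, add a second disjunct under an `or` for the null/absent case. The remediation text `Repeat these step for all resources as needed.` should read `Repeat these steps`.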
diff --git a/rules/findings/Azure/Diagnostic Settings/azure-diagnostic-settings-missing-categories.json b/rules/findings/Azure/Diagnostic Settings/azure-diagnostic-settings-missing-categories.json
new file mode 100644
index 00000000..d1ba6a7f
--- /dev/null
+++ b/rules/findings/Azure/Diagnostic Settings/azure-diagnostic-settings-missing-categories.json
@@ -0,0 +1,101 @@
+{
+ "dashboard_name": "Diagnostic Settings",
+ "menu_name": "Subscription",
+ "issue_name": "Ensure Diagnostic Setting captures appropriate categories",
+ "description": "The diagnostic setting should be configured to log the appropriate activities from the control/management plane.",
+ "rationale": "A diagnostic setting controls how the diagnostic log is exported. Capturing the diagnostic setting categories for appropriate control/management plane activities allows proper alerting.",
+ "impact": "",
+ "remediation": '
+ ###### From Azure Console
+ 1. Go to `Azure Monitor`
+ 2. Click `Activity log`
+ 3. Click on `Diagnostic settings`
+ 4. Click on `Edit Settings` for the diagnostic settings entry
+ 5. Ensure that the following categories are checked: Administrative, Alert, Policy, and Security
+ ',
+ "references": [
+ "https://docs.microsoft.com/en-us/azure/monitoring-and-diagnostics/monitoring-overview-activity-logs#export-the-activity-log-with-a-log-profile",
+ "https://docs.microsoft.com/en-us/cli/azure/monitor/log-profiles?view=azure-cli-latest#az_monitor_log_profiles_create",
+ "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-5-centralize-security-log-management-and-analysis"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "1.4.0",
+ "reference": "5.1.2"
+ }
+ ],
+ "tags": null,
+ "path": "az_diagnostic_settings_config",
+ "display_path": "properties.logs",
+ "conditions": [
+ "or",
+ [
+ "category",
+ "eq",
+ "Administrative"
+ ],
+ [
+ "enabled",
+ "eq",
+ "false"
+ ],
+ [ "or",
+ [ "and",
+ [
+ "category",
+ "eq",
+ "Security"
+ ],
+ [
+ "enabled",
+ "eq",
+ "false"
+ ]
+ ]
+ ],
+ [ "or",
+ [ "and",
+ [
+ "category",
+ "eq",
+ "Security"
+ ],
+ [
+ "enabled",
+ "eq",
+ "false"
+ ]
+ ]
+ ],
+ [ "or",
+ [ "and",
+ [
+ "category",
+ "eq",
+ "Alert"
+ ],
+ [
+ "enabled",
+ "eq",
+ "false"
+ ]
+ ]
+ ],
+ [ "or",
+ [ "and",
+ [
+ "category",
+ "eq",
+ "Policy"
+ ],
+ [
+ "enabled",
+ "eq",
+ "false"
+ ]
+ ]
+ ]
+ ],
+ "id_suffix": "azure_diagnostic_settings_missing_categories"
+}
diff --git a/rules/findings/Azure/Storage Accounts/azure-storage-accounts-access-all-networks.json b/rules/findings/Azure/Storage Accounts/azure-storage-accounts-access-all-networks.json
new file mode 100644
index 00000000..f2069a13
--- /dev/null
+++ b/rules/findings/Azure/Storage Accounts/azure-storage-accounts-access-all-networks.json
@@ -0,0 +1,40 @@
+{
+ "dashboard_name": "Storage Accounts",
+ "menu_name": "Storage",
+ "issue_name": "Storage account access from all networks",
+ "description": "Azure Storage provides a layered security model. This model enables administrators to secure storage accounts to a specific subset of networks. An administrator can limit access to your storage account to requests originating from specified IP addresses, IP ranges or from a list of subnets in Azure Virtual Networks.",
+ "rationale": "Storage accounts should be configured to deny access to traffic from all networks (including internet traffic). Access can be granted to traffic from specific Azure Virtual networks, allowing a secure network boundary for specific applications to be built. Access can also be granted to public internet IP address ranges, to enable connections from specific internet or on-premises clients. When network rules are configured, only applications from allowed networks can access a storage account. When calling from an allowed network, applications continue to require proper authorization (a valid access key or SAS token) to access the storage account.",
+ "impact": null,
+ "remediation": '
+ ###### From Azure Console
+ 1. Go to `Storage Accounts`.
+ 2. For each storage account, Click on the `settings` menu called `Firewalls` and `virtual networks`.
+ 3. Ensure that you have selected to allow access from `selected networks`.
+ 4. Add rules to `allow traffic` from specific network.
+ 5. Click Save to apply your changes
+ ',
+ "references": [
+ "https://docs.microsoft.com/en-us/azure/storage/common/storage-network-security",
+ "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-2-define-enterprise-segmentation-strategy",
+ "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "1.4.0",
+ "reference": "3.6"
+ }
+ ],
+ "tags": null,
+ "path": "az_storage_accounts",
+ "display_path": "az_storage_accounts",
+ "conditions": [
+ "and",
+ [
+ "AllowAccessFromAllNetworks",
+ "eq",
+ "True"
+ ]
+ ],
+ "id_suffix": "storage_accounts_all_networks"
+}
diff --git a/rules/findings/Azure/Storage Accounts/azure-storage-accounts-blob-data-protection-missing.json b/rules/findings/Azure/Storage Accounts/azure-storage-accounts-blob-data-protection-missing.json
new file mode 100644
index 00000000..310b946b
--- /dev/null
+++ b/rules/findings/Azure/Storage Accounts/azure-storage-accounts-blob-data-protection-missing.json
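Review bot: `impact` is `null` in this rule but `""` in the two diagnostic-settings rules of the same commit, so anything that renders the report has to handle two representations of "no impact"; pick one for all rule files. Remediation step 2 splits the blade name so it reads as two items, `Firewalls` and `virtual networks`, whereas the portal blade is a single name, `Firewalls and virtual networks`; the same wording is repeated in the trusted-services rule later in this commit.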
@@ -0,0 +1,46 @@
+{
+ "dashboard_name": "Storage Accounts",
+ "menu_name": "Storage",
+ "issue_name": "Ensure soft delete is enabled for Azure Storage",
+ "description": "The Azure Storage blobs contain data like ePHI, Financial, secret or personal. Erroneously modified or deleted accidentally by an application or other storage account user cause data loss or data unavailability.
+ It is recommended the Azure Storage be made recoverable by enabling **soft delete** configuration. This is to save and recover data when blobs or blob snapshots are deleted.
+ ",
+ "rationale": "There could be scenarios where users accidentally run delete commands on Azure Storage blobs or blob snapshot or attacker/malicious user does it deliberately to cause disruption. Deleting an Azure Storage blob leads to immediate data loss / non-accessible data.
+ There is a property of Azure Storage blob service to make recoverable blobs.
+
+ * Soft Delete
+ Enabling this configuration for azure storage ensures that even if blobs/data were deleted from the storage account, Blobs/data objects remain recoverable for a particular time which set in the `Retention policies` [Retention policies can be 7 days to 365 days]
+
+ ",
+ "impact": null,
+ "remediation": '
+ ###### From Azure Console
+ 1. Go to `Storage Accounts`.
+ 2. For each Storage Account, navigate to `Data Protection`
+ 3. Select set soft delete enabled and enter a number of days you want to retain soft deleted data.
+
+ ',
+ "references": [
+ "https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-soft-delete"
+
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "1.4.0",
+ "reference": "3.8"
+ }
+ ],
+ "tags": null,
+ "path": "az_storage_accounts",
+ "display_path": "az_storage_accounts",
+ "conditions": [
+ "and",
+ [
+ "dataProtection.properties.deleteRetentionPolicy.enabled",
+ "eq",
+ "False"
+ ]
+ ],
+ "id_suffix": "storage_accounts_missing_blob_data_protection"
+}
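Review bot: The condition checks only `dataProtection.properties.deleteRetentionPolicy.enabled`, so an account with soft delete switched on but a retention window too short to be useful passes, even though the rationale itself says the policy ranges from 7 to 365 days; consider a second clause on `dataProtection.properties.deleteRetentionPolicy.days` once the project settles on a minimum. The rationale sentence `for a particular time which set in the Retention policies` is missing a word (`which is set`). The `references` array carries a stray blank line before its closing bracket.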
diff --git a/rules/findings/Azure/Storage Accounts/azure-storage-accounts-blob-logging-disabled.json b/rules/findings/Azure/Storage Accounts/azure-storage-accounts-blob-logging-disabled.json
new file mode 100644
index 00000000..49b80f77
--- /dev/null
+++ b/rules/findings/Azure/Storage Accounts/azure-storage-accounts-blob-logging-disabled.json
@@ -0,0 +1,51 @@
+{
+ "dashboard_name": "Storage Accounts",
+ "menu_name": "Storage",
+ "issue_name": "Ensure Storage logging is enabled for Blob service for read, write, and delete requests",
+ "description": "The Storage Blob service provides scalable, cost-efficient objective storage in the cloud. Storage Logging happens server-side and allows details for both successful and failed requests to be recorded in the storage account. These logs allow users to see the details of read, write, and delete operations against the blobs. Storage Logging log entries contain the following information about individual requests: Timing information such as start time, end-to-end latency, and server latency, authentication details , concurrency information and the sizes of the request and response messages.",
+ "rationale": "Storage Analytics logs contain detailed information about successful and failed requests to a storage service. This information can be used to monitor individual requests and to diagnose issues with a storage service. Requests are logged on a best-effort basis.",
+ "impact": "Enabling storage account blob service logging does have a cost implication.",
+ "remediation": '
+ ###### From Azure Console
+ 1. Go to `Storage Accounts`.
+ 2. Select the specific `Storage Account`.
+ 3. Click the `Diagnostics settings (classic)` blade from `Monitoring (classic)` section.
+ 4. Set the Status to `On`, if set to `Off`.
+ 5. Select `Blob` properties.
+ 6. Select `Read, Write` and `Delete` options under the Logging section to enable Storage Logging for Blob service.
+ ',
+ "references": [
+ "https://docs.microsoft.com/en-us/rest/api/storageservices/about-storage-analytics-logging",
+ "https://docs.microsoft.com/en-us/cli/azure/storage/logging?view=azure-cli-latest",
+ "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "1.4.0",
+ "reference": "3.10"
+ }
+ ],
+ "tags": null,
+ "path": "az_storage_accounts",
+ "display_path": "az_storage_accounts",
+ "conditions": [
+ "or",
+ [
+ "blobLogReadEnabled",
+ "eq",
+ "False"
+ ],
+ [
+ "blobLogWriteEnabled",
+ "eq",
+ "False"
+ ],
+ [
+ "blobLogDeleteEnabled",
+ "eq",
+ "False"
+ ]
+ ],
+ "id_suffix": "storage_accounts_missing_blob_logging"
+}
diff --git a/rules/findings/Azure/Storage Accounts/azure-storage-accounts-https-traffic-enabled.json b/rules/findings/Azure/Storage Accounts/azure-storage-accounts-https-traffic-enabled.json
new file mode 100644
index 00000000..f4958992
--- /dev/null
+++ b/rules/findings/Azure/Storage Accounts/azure-storage-accounts-https-traffic-enabled.json
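Review bot: All three clauses compare `blobLogReadEnabled` / `blobLogWriteEnabled` / `blobLogDeleteEnabled` against `"False"`, so if the collector could not read the classic Storage Analytics properties for an account (they are data-plane properties, and reading them can fail on key- or network-restricted accounts) the fields are presumably left unset and the rule passes silently for the accounts whose logging state is least visible. It would be safer to confirm that the collector writes an explicit `False` when the read fails, or to add clauses for the unset case if the condition engine supports one. The queue and table logging rules later in this commit share the same structure and the same caveat.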
@@ -0,0 +1,42 @@
+{
+ "dashboard_name": "Storage Accounts",
+ "menu_name": "Storage",
+ "issue_name": "Enable the Secure transfer option",
+ "description": "Consider to enable the Secure transfer option in all storage accounts. The Secure transfer option enhances the security of storage accounts by only allowing requests to the accounts from secure connections. By default, the Secure transfer option is disabled when the storage account is created with SDK. This option is enabled by default when the storage account is created in Azure Portal.",
+ "rationale": "The secure transfer option enhances the security of a storage account by only allowing requests to the storage account by a secure connection. For example, when calling REST APIs to access storage accounts, the connection must use HTTPS. Any requests using HTTP will be rejected when 'secure transfer required' is enabled. When using the Azure files service, connection without encryption will fail, including scenarios using SMB 2.1, SMB 3.0 without encryption, and some flavors of the Linux SMB client. Because Azure storage does not support HTTPS for custom domain names, this option is not applied when using a custom domain name.",
+ "impact": null,
+ "remediation": '
+ ###### From Azure Console
+ 1. Go to `Storage Accounts`
+ 2. For each storage account, go to `Configuration`
+ 3. Set `Secure transfer required` to `Enabled`
+
+ ',
+ "references": [
+ "https://docs.microsoft.com/en-us/azure/storage/common/storage-require-secure-transfer",
+ "https://docs.microsoft.com/en-us/azure/storage/common/storage-security-guide",
+ "https://docs.microsoft.com/en-us/azure/storage/blobs/security-recommendations#encryption-in-transit",
+ "https://docs.microsoft.com/en-us/cli/azure/storage/account?view=azure-cli-latest#az_storage_account_list",
+ "https://docs.microsoft.com/en-us/cli/azure/storage/account?view=azure-cli-latest#az_storage_account_update",
+ "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-4-encrypt-sensitive-information-in-transit"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "1.4.0",
+ "reference": "3.1"
+ }
+ ],
+ "tags": null,
+ "path": "az_storage_accounts",
+ "display_path": "az_storage_accounts",
+ "conditions": [
+ "and",
+ [
+ "supportsHttpsTrafficOnly",
+ "eq",
+ "False"
+ ]
+ ],
+ "id_suffix": "storage_accounts_https_traffic_disabled"
+}
diff --git a/rules/findings/Azure/Storage Accounts/azure-storage-accounts-key-rotation-disabled.json b/rules/findings/Azure/Storage Accounts/azure-storage-accounts-key-rotation-disabled.json
new file mode 100644
index 00000000..018cfdbe
--- /dev/null
+++ b/rules/findings/Azure/Storage Accounts/azure-storage-accounts-key-rotation-disabled.json
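Review bot: This rule addresses `supportsHttpsTrafficOnly` without a `properties.` prefix, while the minimum-TLS and public-access rules on the same `az_storage_accounts` path use `properties.minimumTlsVersion` and `properties.allowBlobPublicAccess`; on the raw ARM resource `supportsHttpsTrafficOnly` also lives under `properties`, so unless the collector flattens it to the top level this condition never matches and the check fails open. Please confirm against the collector's object shape and use `["properties.supportsHttpsTrafficOnly", "eq", "False"]` if that is what it emits. The file is named `https-traffic-enabled` while `id_suffix` is `storage_accounts_https_traffic_disabled`; aligning the two makes the finding easier to locate, and `Consider to enable` in the description should read `Consider enabling`.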
@@ -0,0 +1,35 @@
+{
+ "dashboard_name": "Storage Accounts",
+ "menu_name": "Storage",
+ "issue_name": "Ensure that storage account access keys are periodically regenerated",
+ "description": "Regenerate storage account access keys periodically.",
+ "rationale": "When a storage account is created, Azure generates two 512-bit storage access keys, which are used for authentication when the storage account is accessed. Rotating these keys periodically ensures that any inadvertent access or exposure does not result in these keys being compromised.",
+ "impact": "Regenerating access keys can affect services in Azure as well as the organization's applications that are dependent on the storage account. All clients that use the access key to access the storage account must be updated to use the new key.",
+ "remediation": 'Follow Microsoft Azure documentation for regenerating storage account access keys.',
+ "references": [
+ "https://docs.microsoft.com/en-us/azure/storage/common/storage-create-storage-account#regenerate-storage-access-keys",
+ "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-1-protect-and-limit-highly-privileged-users",
+ "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-2-restrict-administrative-access-to-business-critical-systems",
+ "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-identity-management#im-2-manage-application-identities-securely-and-automatically",
+ "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-6-define-identity-and-privileged-access-strategy"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "1.4.0",
+ "reference": "3.2"
+ }
+ ],
+ "tags": null,
+ "path": "az_storage_accounts",
+ "display_path": "az_storage_accounts",
+ "conditions": [
+ "and",
+ [
+ "iskeyrotated",
+ "eq",
+ "False"
+ ]
+ ],
+ "id_suffix": "storage_accounts_missing_key_rotation"
+}
diff --git a/rules/findings/Azure/Storage Accounts/azure-storage-accounts-lack-cmk.json b/rules/findings/Azure/Storage Accounts/azure-storage-accounts-lack-cmk.json
new file mode 100644
index 00000000..599f444e
--- /dev/null
+++ b/rules/findings/Azure/Storage Accounts/azure-storage-accounts-lack-cmk.json
@@ -0,0 +1,44 @@
+{
+ "dashboard_name": "Storage Accounts",
+ "menu_name": "Storage",
+ "issue_name": "Ensure storage for critical data are encrypted with Customer Managed Key",
+ "description": "Enable sensitive data encryption at rest using Customer Managed Keys rather than Microsoft Managed keys.",
+ "rationale": "By default, data in the storage account is encrypted using Microsoft Managed Keys at rest. All Azure Storage resources are encrypted, including blobs, disks, files, queues, and tables. All object metadata is also encrypted. However, if you want to control and manage this encryption key yourself, you can specify a customer-managed key, that key is used to protect and control access to the key that encrypts your data. You can also choose to automatically update the key version used for Azure Storage encryption whenever a new version is available in the associated Key Vault.",
+ "impact": "If the key expires by setting the 'activation date' and 'expiration date' of the key, the user must rotate the key manually.
+ Using Customer Managed Keys may also incur additional man-hour requirements to create, store, manage, and protect the keys as needed.
+ ",
+ "remediation": '
+ ###### From Azure Console
+ 1. Go to `Storage Accounts`.
+ 2. For each storage account, go to `Encryption`
+ 3. Set Customer Managed Keys
+ 4. Select the Encryption key and enter the appropriate setting value
+ 5. Click `Save`
+
+ ',
+ "references": [
+ "https://docs.microsoft.com/en-us/azure/storage/common/storage-service-encryption",
+ "https://docs.microsoft.com/en-us/azure/security/fundamentals/data-encryption-best-practices#protect-data-at-rest",
+ "https://docs.microsoft.com/en-us/azure/storage/common/storage-service-encryption#azure-storage-encryption-versus-disk-encryption",
+ "https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v2-data-protection#dp-1-discovery,-classify-and-label-sensitive-data"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "1.4.0",
+ "reference": "3.9"
+ }
+ ],
+ "tags": null,
+ "path": "az_storage_accounts",
+ "display_path": "az_storage_accounts",
+ "conditions": [
+ "and",
+ [
+ "usingOwnKey",
+ "eq",
+ "False"
+ ]
+ ],
+ "id_suffix": "storage_accounts_missing_cmk_encryption"
+}
diff --git a/rules/findings/Azure/Storage Accounts/azure-storage-accounts-minimum-tls-disabled.json b/rules/findings/Azure/Storage Accounts/azure-storage-accounts-minimum-tls-disabled.json
new file mode 100644
index 00000000..713be987
--- /dev/null
+++ b/rules/findings/Azure/Storage Accounts/azure-storage-accounts-minimum-tls-disabled.json
@@ -0,0 +1,43 @@
+{
+ "dashboard_name": "Storage Accounts",
+ "menu_name": "Storage",
+ "issue_name": "Ensure the Minimum TLS version is set to 1.2",
+ "description": "Azure Storage sets the minimum TLS version to be version 1.0 by default. TLS 1.0 is a legacy version and has known vulnerabilities. This minimum TLS version can be configured to be later protocols such as TLS 1.2.",
+ "rationale": "TLS 1.0 has known vulnerabilities and has been replaced by later versions of the TLS protocol. Continued use of this legacy protocol affects the security of data in transit.",
+ "impact": "When set to TLS 1.2 all requests must leverage this version of the protocol. Applications leveraging legacy versions of the protocol will fail.",
+ "remediation": '
+ ###### From Azure Console
+ 1. Go to `Storage Accounts`
+ 2. For each storage account, go to `Configuration`
+ 3. Under `Setting` section, Click on `Configuration`
+ 3. Ensure that the `minimum TLS version` to `1.2`
+
+ ',
+ "references": [
+ "https://docs.microsoft.com/en-us/azure/storage/common/storage-require-secure-transfer",
+ "https://docs.microsoft.com/en-us/azure/storage/common/storage-security-guide",
+ "https://docs.microsoft.com/en-us/azure/storage/blobs/security-recommendations#encryption-in-transit",
+ "https://docs.microsoft.com/en-us/cli/azure/storage/account?view=azure-cli-latest#az_storage_account_list",
+ "https://docs.microsoft.com/en-us/cli/azure/storage/account?view=azure-cli-latest#az_storage_account_update",
+ "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-4-encrypt-sensitive-information-in-transit"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "1.4.0",
+ "reference": "3.12"
+ }
+ ],
+ "tags": null,
+ "path": "az_storage_accounts",
+ "display_path": "az_storage_accounts",
+ "conditions": [
+ "and",
+ [
+ "properties.minimumTlsVersion",
+ "ne",
+ "TLS1_2"
+ ]
+ ],
+ "id_suffix": "storage_accounts_minimum_tls_version_disabled"
+}
diff --git a/rules/findings/Azure/Storage Accounts/azure-storage-accounts-public-access-level.json b/rules/findings/Azure/Storage Accounts/azure-storage-accounts-public-access-level.json
new file mode 100644
index 00000000..3ecfcbbe
--- /dev/null
+++ b/rules/findings/Azure/Storage Accounts/azure-storage-accounts-public-access-level.json
@@ -0,0 +1,44 @@
+{
+ "dashboard_name": "Storage Accounts",
+ "menu_name": "Storage",
+ "issue_name": "Disable anonymous read access to containers and blobs",
+ "description": "Read access permission was enabled for blobs",
+ "rationale": "Anonymous, public read access to a container and its blobs can be enabled in Azure Blob storage. It grants read-only access to these resources without sharing the account key, and without requiring a shared access signature. It is recommended not to provide anonymous access to blob containers until, and unless, it is strongly desired. A shared access signature token should be used for providing controlled and timed access to blob containers. If no anonymous access is needed on the storage account, it’s recommended to set allowBlobPublicAccess false.",
+ "impact": "Access using shared access signatures will have to be managed.",
+ "remediation": '
+ ###### From Azure Console
+ 1. Go to `Storage Accounts`.
+ 2. For each storage account, go to `Containers` under **blob service**
+ 3. For each container, click `Access policy`
+ 4. Set `Public access level` to `Private (no anonymous access)`
+ 5. For each storage account, go to `Allow Blob public access` in Configuration
+ 6. Set `Disabled` if no anonymous access is needed on the storage account
+ ',
+ "references": [
+ "https://docs.microsoft.com/en-us/azure/storage/common/storage-security-guide",
+ "https://docs.microsoft.com/en-us/azure/storage/blobs/storage-manage-access-to-resources",
+ "https://docs.microsoft.com/en-us/azure/storage/blobs/anonymous-read-access-prevent",
+ "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-2-define-enterprise-segmentation-strategy",
+ "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic"
+
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "1.4.0",
+ "reference": "3.5"
+ }
+ ],
+ "tags": null,
+ "path": "az_storage_accounts",
+ "display_path": "az_storage_accounts",
+ "conditions": [
+ "and",
+ [
+ "properties.allowBlobPublicAccess",
+ "eq",
+ "True"
+ ]
+ ],
+ "id_suffix": "storage_accounts_anonymous_access_enabled"
+}
diff --git a/rules/findings/Azure/Storage Accounts/azure-storage-accounts-queue-logging-disabled.json b/rules/findings/Azure/Storage Accounts/azure-storage-accounts-queue-logging-disabled.json
new file mode 100644
index 00000000..8ce0a30e
--- /dev/null
+++ b/rules/findings/Azure/Storage Accounts/azure-storage-accounts-queue-logging-disabled.json
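Review bot: The condition matches only `properties.allowBlobPublicAccess eq True`, but on storage accounts created before this property existed it can be absent or null, and at the time of CIS 1.4.0 a null value still meant anonymous access was permitted at the account level; such accounts would pass this rule while still allowing public containers. Consider an `or` that also matches the absent/null case if the engine supports it, or have the collector default the value to `True` when the property is missing. The `description` (`Read access permission was enabled for blobs`) reads like a finding title rather than a description of the control; the first sentence of the rationale would serve better there.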
@@ -0,0 +1,53 @@
+{
+ "dashboard_name": "Storage Accounts",
+ "menu_name": "Storage",
+ "issue_name": "Ensure Storage logging is enabled for Queue service for read, write, and delete requests",
+ "description": "The Storage Queue service stores messages that may be read by any client who has access to the storage account. A queue can contain an unlimited number of messages, each of which can be up to 64KB in size using version 2011-08-18 or newer. Storage Logging happens server-side and allows details for both successful and failed requests to be recorded in the storage account. These logs allow users to see the details of read, write, and delete operations against the queues. Storage Logging log entries contain the following information about individual requests: Timing information such as start time, end-to-end latency, and server latency, authentication details , concurrency information and the sizes of the request and response message.",
+ "rationale": "Storage Analytics logs contain detailed information about successful and failed requests to a storage service. This information can be used to monitor individual requests and to diagnose issues with a storage service. Requests are logged on a best-effort basis.
+ Storage Analytics logging is not enabled by default for storage account.
+ ",
+ "impact": "",
+ "remediation": '
+ ###### From Azure Console
+ 1. Go to `Storage Accounts`.
+ 2. Select the specific `Storage Account`.
+ 3. Click the `Diagnostics settings (classic)` blade from `Monitoring (classic)` section.
+ 4. Set the Status to `On`, if set to `Off`.
+ 5. Select `Queue` properties.
+ 6. Select `Read, Write` and `Delete` options under the Logging section to enable Storage Logging for Queue service.
+ ',
+ "references": [
+ "https://docs.microsoft.com/en-us/rest/api/storageservices/about-storage-analytics-logging",
+ "https://docs.microsoft.com/en-us/cli/azure/storage/logging?view=azure-cli-latest",
+ "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "1.4.0",
+ "reference": "3.3"
+ }
+ ],
+ "tags": null,
+ "path": "az_storage_accounts",
+ "display_path": "az_storage_accounts",
+ "conditions": [
+ "or",
+ [
+ "queueLogReadEnabled",
+ "eq",
+ "False"
+ ],
+ [
+ "queueLogWriteEnabled",
+ "eq",
+ "False"
+ ],
+ [
+ "queueLogDeleteEnabled",
+ "eq",
+ "False"
+ ]
+ ],
+ "id_suffix": "storage_accounts_missing_queue_logging"
+}
diff --git a/rules/findings/Azure/Storage Accounts/azure-storage-accounts-table-logging-disabled.json b/rules/findings/Azure/Storage Accounts/azure-storage-accounts-table-logging-disabled.json
new file mode 100644
index 00000000..95f6be60
--- /dev/null
+++ b/rules/findings/Azure/Storage Accounts/azure-storage-accounts-table-logging-disabled.json
@@ -0,0 +1,51 @@
+{
+ "dashboard_name": "Storage Accounts",
+ "menu_name": "Storage",
+ "issue_name": "Ensure Storage logging is enabled for Table service for read, write, and delete requests",
+ "description": "The Storage Table storage is a service that stores structure NoSQL data in the cloud, providing a key/attribute store with a schema less design. Storage Logging happens server-side and allows details for both successful and failed requests to be recorded in the storage account. These logs allow users to see the details of read, write, and delete operations against the tables. Storage Logging log entries contain the following information about individual requests: Timing information such as start time, end-to-end latency, and server latency, authentication details , concurrency information and the sizes of the request and response messages.",
+ "rationale": "Storage Analytics logs contain detailed information about successful and failed requests to a storage service. This information can be used to monitor individual requests and to diagnose issues with a storage service. Requests are logged on a best-effort basis.",
+ "impact": "Enabling storage account blob service logging does have a cost implication.",
+ "remediation": '
+ ###### From Azure Console
+ 1. Go to `Storage Accounts`.
+ 2. Select the specific `Storage Account`.
+ 3. Click the `Diagnostics settings (classic)` blade from `Monitoring (classic)` section.
+ 4. Set the Status to `On`, if set to `Off`.
+ 5. Select `Table` properties.
+ 6. Select `Read, Write` and `Delete` options under the Logging section to enable Storage Logging for Table service.
+ ',
+ "references": [
+ "https://docs.microsoft.com/en-us/rest/api/storageservices/about-storage-analytics-logging",
+ "https://docs.microsoft.com/en-us/cli/azure/storage/logging?view=azure-cli-latest",
+ "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "1.4.0",
+ "reference": "3.11"
+ }
+ ],
+ "tags": null,
+ "path": "az_storage_accounts",
+ "display_path": "az_storage_accounts",
+ "conditions": [
+ "or",
+ [
+ "tableLogReadEnabled",
+ "eq",
+ "False"
+ ],
+ [
+ "tableLogWriteEnabled",
+ "eq",
+ "False"
+ ],
+ [
+ "tableLogDeleteEnabled",
+ "eq",
+ "False"
+ ]
+ ],
+ "id_suffix": "storage_accounts_missing_table_logging"
+}
diff --git a/rules/findings/Azure/Storage Accounts/azure-storage-accounts-trusted-ms-services-bypass.json b/rules/findings/Azure/Storage Accounts/azure-storage-accounts-trusted-ms-services-bypass.json
new file mode 100644
index 00000000..610a959a
--- /dev/null
+++ b/rules/findings/Azure/Storage Accounts/azure-storage-accounts-trusted-ms-services-bypass.json
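Review bot: The `impact` text in this table-logging rule says `Enabling storage account blob service logging does have a cost implication`, which looks copied from the blob rule; it should read `table service logging`. The queue-logging rule in this commit leaves `impact` as an empty string while the blob and table rules carry the cost sentence, so the three sibling rules are inconsistent; applying the same sentence, adjusted per service, to all three would be clearer.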
@@ -0,0 +1,40 @@ +{ + "dashboard_name": "Storage Accounts", + "menu_name": "Storage", + "issue_name": "Allow the set of trusted Microsoft services to bypass the network rules", + "description": "Some Microsoft services that interact with storage accounts operate from networks that cannot be granted access through network rules. To help this type of service work as intended, allow the set of trusted Microsoft services to bypass the network rules. These services will then use strong authentication to access the storage account. If the Allow trusted Microsoft services exception is enabled, the following services: Azure Backup, Azure Site Recovery, Azure DevTest Labs, Azure Event Grid, Azure Event Hubs, Azure Networking, Azure Monitor and Azure SQL Data Warehouse (when registered in the subscription), are granted access to the storage account. Turning on firewall rules for storage account will block access to incoming requests for data, including from other Azure services. This includes using the Portal, writing logs, etc. We can re-enable functionality. The customer can get access to services like Monitor, Networking, Hubs, and Event Grid by enabling \"Trusted Microsoft Services\" through exceptions. Also, Backup and Restore of Virtual Machines using unmanaged disks in storage accounts with network rules applied is supported via creating an exception.", + "rationale": "Turning on firewall rules for storage account will block access to incoming requests for data, including from other Azure services. This includes using the Portal, writing logs, etc. We can re-enable functionality. The customer can get access to services like Monitor, Networking, Hubs, and Event Grid by enabling `Trusted Microsoft Services` through exceptions. Also, Backup and Restore of Virtual Machines using unmanaged disks in storage accounts with network rules applied is supported via creating an exception.", + "impact": null, + "remediation": ' + ###### From Azure Console + 1. 
Go to `Storage Accounts`. + 2. For each storage account, Click on the settings menu called `Firewalls` and `virtual networks`. + 3. Ensure that you have elected to allow access from `Selected networks`. + 4. Enable check box for `Allow trusted Microsoft services to access this storage account`. + 5. Click Save to apply your changes + ', + "references": [ + "https://docs.microsoft.com/en-us/azure/storage/common/storage-network-security", + "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic", + "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-2-define-enterprise-segmentation-strategy" + ], + "compliance": [ + { + "name": "CIS Microsoft Azure Foundations", + "version": "1.4.0", + "reference": "3.7" + } + ], + "tags": null, + "path": "az_storage_accounts", + "display_path": "az_storage_accounts", + "conditions": [ + "and", + [ + "AllowAzureServices", + "eq", + "False" + ] + ], + "id_suffix": "storage_accounts_trusted_ms_services_bypass" +} diff --git a/rules/findings/Azure/Subscription/azure-asc-monitor-adaptive-application-disabled-alert.json b/rules/findings/Azure/Subscription/azure-asc-monitor-adaptive-application-disabled-alert.json new file mode 100644 index 00000000..71892f68 --- /dev/null +++ b/rules/findings/Azure/Subscription/azure-asc-monitor-adaptive-application-disabled-alert.json 
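Review bot: The condition `AllowAzureServices eq False` fires regardless of whether the account enforces network rules at all, yet the bypass only matters once the default action is Deny; if the collector exposes the default network action for the account, adding a second clause on it would keep accounts with no firewall from producing noise. The second half of `description` (from "Turning on firewall rules…" onward) repeats `rationale` almost verbatim; keeping that text only in `rationale` makes the finding easier to read.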
@@ -0,0 +1,49 @@ +{ + "arg_names": [ "Policy Name","Policy"], + "menu_name": "Subscription", + "dashboard_name": "Subscription Policies", + "issue_name": "Enable _ARG_1_ in Azure Security Center Default policy", + "description": '_ARG_1_ alert was not enabled at subscription level.', + "rationale": "A security policy defines the desired configuration of your workloads and helps ensure compliance with company or regulatory security requirements. ASC Default policy is associated with every subscription by default. ASC default policy assignment is set of security recommendations based on best practices. Enabling recommendations in ASC default policy ensures that Azure security center provides ability to monitor all of the supported recommendations and allow automated action optionally for few of the supported recommendations.", + "remediation": ' + ###### From Azure Console + 1. Navigate to `Azure Policy` + 2. On Policy "Overview" blade, Click on Policy `ASC Default (Subscription:Subscription_ID)` + 3. On "ASC Default" blade, Click on `Edit Assignments` + 4. In section **parameters**, configure the impacted setting to any other available value than `Disabled` or `empty` + 5. 
Click Save + ', + "references": [ + "https://docs.microsoft.com/en-us/azure/security-center/security-center-policies", + "https://docs.microsoft.com/en-us/azure/security-center/security-center-enable-transparent-data-encryption", + "https://msdn.microsoft.com/en-us/library/mt704062.aspx", + "https://msdn.microsoft.com/en-us/library/mt704063.aspx", + "https://docs.microsoft.com/en-us/rest/api/resources/policyassignments/get", + "https://docs.microsoft.com/en-us/rest/api/resources/policyassignments/create", + "https://docs.microsoft.com/en-in/azure/security-center/tutorial-security-policy", + "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-incident-response#ir-2-preparation--setup-incident-notification" + ], + "compliance": [ + { + "name": "CIS Microsoft Azure Foundations", + "version": "1.4.0", + "reference": "2.12" + } + ], + "path": "az_asc_builtin_policies", + "display_path": "az_asc_builtin_policies", + "conditions": [ + "and", + [ + "PolicyName", + "eq", + "_ARG_0_" + ], + [ + "Status", + "eq", + "Disabled" + ] + ], + "id_suffix": "adaptive_app_whitelist_disabled" +} \ No newline at end of file diff --git a/rules/findings/Azure/Subscription/azure-security-contact-mail-disabled.json b/rules/findings/Azure/Subscription/azure-security-contact-mail-disabled.json new file mode 100644 index 00000000..319f715d --- /dev/null +++ b/rules/findings/Azure/Subscription/azure-security-contact-mail-disabled.json 
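Review bot: The object omits `tags` and `impact`, which every other rule in this commit carries (as `null` at minimum); a loader that indexes those keys would see an inconsistent schema, so add `"impact": null,` and `"tags": null,`. The `id_suffix` is the fixed string `adaptive_app_whitelist_disabled` while the title and condition are parametrized through `arg_names`/`_ARG_0_`/`_ARG_1_`; if the same template is instantiated for other policies their findings would share one identifier, so consider deriving the suffix from the argument as well, unless the engine already namespaces findings by policy.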
@@ -0,0 +1,41 @@ +{ + "dashboard_name": "Subscription Security", + "menu_name": "Subscription", + "issue_name": "Provide a security contact email address", + "description": "Azure Security Center best practices recommend that security contact details for the affected Azure subscription should be added. This information will be used by Microsoft to contact subscription\u0027s owner if the Microsoft Security Response Center (MSRC) discovers that the subscription data has potentially been accessed by an unlawful or unauthorized party.", + "rationale": "Azure Security Center emails the Subscription Owner to notify them about security alerts. Adding your Security Contact's email address to the 'Additional email addresses' field ensures that your organization's Security Team is included in these alerts. This ensures that the proper people are aware of any potential compromise in order to mitigate the risk in a timely fashion.", + "impact": null, + "remediation": ' + ###### From Azure Console + 1. Navigate to `Security Center` + 2. Click on Pricing & settings + 3. Click on the appropriate Management Group, Subscription, or Workspace + 4. Click on `Email notifications` + 5. Enter a valid security contact email address (or multiple addresses separated by commas) in the `Additional email addresses` field + 6. 
Click Save + ', + "references": [ + "https://docs.microsoft.com/en-us/azure/security-center/security-center-provide-security-contact-details", + "https://docs.microsoft.com/en-us/rest/api/securitycenter/securitycontacts/list", + "https://docs.microsoft.com/en-us/rest/api/securitycenter/securitycontacts/update", + "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-incident-response#ir-2-preparation--setup-incident-notification" + ], + "compliance": [ + { + "name": "CIS Microsoft Azure Foundations", + "version": "1.4.0", + "reference": "2.13" + } + ], + "tags": null, + "path": "az_security_contacts", + "display_path": "az_security_contacts", + "conditions": [ + "and", + [ + "email", + "eq" + ] + ], + "id_suffix": "security_contact_mail_disabled" +} diff --git a/rules/findings/Azure/Subscription/azure-security-contact-send-email-high-alerts-disabled.json b/rules/findings/Azure/Subscription/azure-security-contact-send-email-high-alerts-disabled.json new file mode 100644 index 00000000..6d2b3320 --- /dev/null +++ b/rules/findings/Azure/Subscription/azure-security-contact-send-email-high-alerts-disabled.json 
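Review bot: The condition `["email", "eq"]` has no value element; the other conditions in this commit that test for an empty value spell it out (`["locks", "eq", ""]`, `["managedBy", "eq", ""]`). If the engine does not special-case a missing third element, this clause never matches and a subscription with no security contact is reported as compliant, the worst failure mode for this control; write it as `["email", "eq", ""]`. The same two-element form appears in the high-severity-alerts rule (`["alertNotifications", "eq"]`) and the email-to-owners rule (`["alertsToAdmins", "eq"]`). Those two rules also reuse this rule's `description` word for word, although their checks concern notification settings rather than contact details.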
@@ -0,0 +1,46 @@ +{ + "dashboard_name": "Subscription Security", + "menu_name": "Subscription", + "issue_name": "Enable emailing security alerts to the security contact", + "description": "Azure Security Center best practices recommend that security contact details for the affected Azure subscription should be added. This information will be used by Microsoft to contact subscription\u0027s owner if the Microsoft Security Response Center (MSRC) discovers that the subscription data has potentially been accessed by an unlawful or unauthorized party.", + "rationale": "Enabling security alert emails ensures that security alert emails are received from Microsoft. This ensures that the right people are aware of any potential security issues and are able to mitigate the risk.", + "impact": null, + "remediation": ' + ###### From Azure Console + 1. Navigate to `Security Center` + 2. Click on Pricing & settings + 3. Click on the appropriate Management Group, Subscription, or Workspace + 4. Click on `Email notifications` + 5. Under "Notification types", check the check box next to `Notify about alerts with the following severity (or higher):` and select `High` from the drop down menu + 6. 
Click Save + ', + "references": [ + "https://docs.microsoft.com/en-us/azure/security-center/security-center-provide-security-contact-details", + "https://docs.microsoft.com/en-us/rest/api/securitycenter/securitycontacts/list", + "https://docs.microsoft.com/en-us/rest/api/securitycenter/securitycontacts/update", + "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-incident-response#ir-2-preparation--setup-incident-notification" + ], + "compliance": [ + { + "name": "CIS Microsoft Azure Foundations", + "version": "1.4.0", + "reference": "2.14" + } + ], + "tags": null, + "path": "az_security_contacts", + "display_path": "az_security_contacts", + "conditions": [ + "or", + [ + "alertNotifications", + "eq", + "Off" + ], + [ + "alertNotifications", + "eq" + ] + ], + "id_suffix": "security_contact_notification_disabled" +} diff --git a/rules/findings/Azure/Subscription/azure-security-contact-send-email-to-owners-disabled.json b/rules/findings/Azure/Subscription/azure-security-contact-send-email-to-owners-disabled.json new file mode 100644 index 00000000..376f6698 --- /dev/null +++ b/rules/findings/Azure/Subscription/azure-security-contact-send-email-to-owners-disabled.json 
@@ -0,0 +1,46 @@ +{ + "dashboard_name": "Subscription Security", + "menu_name": "Subscription", + "issue_name": "Enable security alert emails to subscription owners", + "description": "Azure Security Center best practices recommend that security contact details for the affected Azure subscription should be added. This information will be used by Microsoft to contact subscription\u0027s owner if the Microsoft Security Response Center (MSRC) discovers that the subscription data has potentially been accessed by an unlawful or unauthorized party.", + "rationale": "Enabling security alert emails to subscription owners ensures that they receive security alert emails from Microsoft. This ensures that they are aware of any potential security issues and can mitigate the risk in a timely fashion.", + "impact": null, + "remediation": ' + ###### From Azure Console + 1. Navigate to `Security Center` + 2. Click on Pricing & settings + 3. Click on the appropriate Management Group, Subscription, or Workspace + 4. Click on `Email notifications` + 5. In the drop down of the `All users with the following roles` field select Owner + 6. Click Save + ', + "references": [ + "https://docs.microsoft.com/en-us/azure/security-center/security-center-provide-security-contact-details", + "https://docs.microsoft.com/en-us/rest/api/securitycenter/securitycontacts/list", + "https://docs.microsoft.com/en-us/rest/api/securitycenter/securitycontacts/update", + "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-incident-response#ir-2-preparation--setup-incident-notification" + ], + "compliance": [ + { + "name": "CIS Microsoft Azure Foundations", + "version": "1.4.0", + "reference": "2.15" + } + ], + "tags": null, + "path": "az_security_contacts", + "display_path": "az_security_contacts", + "conditions": [ + "or", + [ + "alertsToAdmins", + "eq", + "Off" + ], + [ + "alertsToAdmins", + "eq" + ] + ], + "id_suffix": "security_contact_email_to_owners_disabled" +} 
diff --git a/rules/findings/Azure/Subscription/azure-subscription-custom-role-excessive-permissions.json b/rules/findings/Azure/Subscription/azure-subscription-custom-role-excessive-permissions.json new file mode 100644 index 00000000..ca81d50a --- /dev/null +++ b/rules/findings/Azure/Subscription/azure-subscription-custom-role-excessive-permissions.json 
@@ -0,0 +1,50 @@ +{ + "dashboard_name": "Subscription Security", + "menu_name": "Subscription", + "issue_name": "Ensure that no custom owner roles are created", + "description": "Subscription ownership should not include permission to create custom owner roles. The principle of least privilege should be followed and only necessary privileges should be assigned instead of allowing full administrative access.", + "rationale": "Classic subscription admin roles offer basic access management and include Account Administrator, Service Administrator, and Co-Administrators. It is recommended the least necessary permissions be given initially. Permissions can be added as needed by the account holder. This ensures the account holder cannot perform actions which were not intended.", + "impact": null, + "remediation": " + ###### Using Azure Command Line Interface 2.0 + `az role definition list` + Check for entries with `assignableScope` of **/** or a `subscription`, and an action of `*`. + Verify the usage and impact of removing the role identified: + `az role definition delete --name 'rolename'` + ", + "references": [ + "https://docs.microsoft.com/en-us/azure/billing/billing-add-change-azure-subscription-administrator", + "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-2-define-enterprise-segmentation-strategy", + "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-6-define-identity-and-privileged-access-strategy", + "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-1-protect-and-limit-highly-privileged-users", + "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-5-automate-entitlement-management", + "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-2-restrict-administrative-access-to-business-critical-systems", + 
"https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-2-define-enterprise-segmentation-strategy", + "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-6-define-identity-and-privileged-access-strategy", + "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle" + ], + "compliance": [ + { + "name": "CIS Microsoft Azure Foundations", + "version": "1.4.0", + "reference": "1.20" + } + ], + "tags": null, + "path": "az_role_definitions", + "display_path": "az_role_definitions", + "conditions": [ + "and", + [ + "_INCLUDE_(conditions/subscription-role-permissions.json)", + "", + "" + ], + [ + "properties.type", + "eq", + "CustomRole" + ] + ], + "id_suffix": "azure_subscription_custom_role_definition" +} diff --git a/rules/findings/Azure/Subscription/azure-subscription-missing-custom-lock-role.json b/rules/findings/Azure/Subscription/azure-subscription-missing-custom-lock-role.json new file mode 100644 index 00000000..d0e5bb6c --- /dev/null +++ b/rules/findings/Azure/Subscription/azure-subscription-missing-custom-lock-role.json 
@@ -0,0 +1,89 @@ +{ + "dashboard_name": "Subscription Security", + "menu_name": "Subscription", + "issue_name": "Ensure Custom Role is assigned for Administering Resource Locks", + "description": "Resource locking is a powerful protection mechanism that can prevent inadvertent modification/deletion of resources within Azure subscriptions/Resource Groups and is a recommended NIST configuration.", + "rationale": "Given the resource lock functionality is outside of standard Role Based Access Control(RBAC), it would be prudent to create a resource lock administrator role to prevent inadvertent unlocking of resources.", + "impact": "By adding this role is you can have specific permissions granted for managing just resource locks rather than needing to provide the wide owner or contributor role reducing the risk of the user being able to do unintentional damage.", + "remediation": ' + ###### From Azure Console + 1. In the Azure portal, open a subscription or resource group where you want the custom role to be assignable. + 2. Select `Access control (IAM)` + 3. Click `Add` + 4. Select `Add custom role` + 5. In the Custom Role Name field enter `Resource Lock Administrator` + 6. In the `Description` field enter appropiate description + 7. For `Baseline permissions` select `Start from scratch` + 8. Click `next` + 9. In the `Permissions` tab select `Add permissions` + 10. in the Search for a permission box, type in `Microsoft.Authorization/locks` to search for permissions. + 11. Select the check box next to the permission called Microsoft.Authorization/locks + 12. Click `add` + 13. Click `Review+create` + 14. Click `Create` + + Assign the newly created role to the appropriate user. 
+ + ###### Using PowerShell: + Below is a power shell definition for a resource lock administrator role created at an Azure Management group level: + + ``` + Import-Module Az.Accounts + Connect-AzAccount + $role = Get-AzRoleDefinition "User Access Administrator" + $role.Id = $null + $role.Name = "Resource Lock Administrator" + $role.Description = "Can Administer Resource Locks" + $role.Actions.Clear() + $role.Actions.Add("Microsoft.Authorization/locks/*") + $role.AssignableScopes.Clear() + #Scope at the Management group level Management group + $role.AssignableScopes.Add("/providers/Microsoft.Management/managementGroups/MG-Name") + New-AzRoleDefinition -Role $role + Get-AzureRmRoleDefinition "Resource Lock Administrator" + ``` +', + "references": [ + "https://docs.microsoft.com/en-us/azure/role-based-access-control/custom-roles", + "https://docs.microsoft.com/en-us/azure/role-based-access-control/check-access", + "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-1-protect-and-limit-highly-privileged-users", + "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-2-restrict-administrative-access-to-business-critical-systems", + "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle", + "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-5-automate-entitlement-management", + "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-2-define-enterprise-segmentation-strategy", + "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-6-define-identity-and-privileged-access-strategy" + + ], + "compliance": [ + { + "name": "CIS Microsoft 365 Foundations", + "version": "1.4.0", + "reference": "1.22" + } + ], + "tags": [ + 
"Microsoft 365 CIS benchmark 1.22" + ], + "path": "az_role_definitions", + "display_path": "az_role_definitions", + "conditions": [ + "and", + [ + "properties.type", + "eq", + "CustomRole" + ], + [ + "properties.permissions.actions", + "match", + "Microsoft.Authorization/locks/*" + ] + + ], + "shouldExist": "true", + "returnObject": { + "Missing Role": "Custom Resource Lock Administrator", + "Status": "DoesNotExists" + }, + "id_suffix": "azure_subscription_missing_custom_lock_role" +} diff --git a/rules/findings/Azure/Subscription/azure-subscription-missing-lock.json b/rules/findings/Azure/Subscription/azure-subscription-missing-lock.json new file mode 100644 index 00000000..d3aaec18 --- /dev/null +++ b/rules/findings/Azure/Subscription/azure-subscription-missing-lock.json 
@@ -0,0 +1,46 @@ +{ + "dashboard_name": "Subscription Security", + "menu_name": "Subscription", + "issue_name": "Ensure that Resource Locks are set for Mission Critical Azure Resources", + "description": "Resource Manager Locks provide a way for administrators to lock down Azure resources to prevent deletion of, or modifications to, a resource. These locks sit outside of the Role Based Access Controls (RBAC) hierarchy and, when applied, will place restrictions on the resource for all users. These locks are very useful when there is an important resource in a subscription that users should not be able to delete or change. Locks can help prevent accidental and malicious changes or deletion.", + "rationale": " + As an administrator, it may be necessary to lock a subscription, resource group, or resource to prevent other users in the organization from accidentally deleting or modifying critical resources. The lock level can be set to to CanNotDelete or ReadOnly to achieve this purpose. + + * `CanNotDelete` means authorized users can still read and modify a resource, but they can't delete the resource. + * `ReadOnly` means authorized users can read a resource, but they can't delete or update the resource. Applying this lock is similar to restricting all authorized users to the permissions granted by the Reader role. + ", + "impact": "", + "remediation": ' + ###### From Azure Console + 1. Navigate to the specific Azure Resource or Resource Group + 2. For each of the mission critical resource, click on `Locks` + 3. Click `Add` + 4. Give the lock a name and a description, then select the type, `CanNotDelete` or `ReadOnly` as appropriate + Assign the newly created role to the appropriate user. 
+', + "references": [ + "https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources?tabs=json" + ], + "compliance": [ + { + "name": "CIS Microsoft 365 Foundations", + "version": "1.4.0", + "reference": "8.5" + } + ], + "tags": [ + "Microsoft 365 CIS benchmark 1.4.0" + ], + "path": "az_locks", + "display_path": "az_locks", + "conditions": [ + "and", + [ + "locks", + "eq", + "" + ] + + ], + "id_suffix": "azure_subscription_missing_custom_lock_role" +} diff --git a/rules/findings/Azure/Virtual Machines/azure-automatic-vm-agent-provisioning-policy-disabled.json b/rules/findings/Azure/Virtual Machines/azure-automatic-vm-agent-provisioning-policy-disabled.json new file mode 100644 index 00000000..c0ce5894 --- /dev/null +++ b/rules/findings/Azure/Virtual Machines/azure-automatic-vm-agent-provisioning-policy-disabled.json 
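Review bot: The `id_suffix` `azure_subscription_missing_custom_lock_role` is the same value used by the custom-lock-role rule in this commit, so two different findings would carry one identifier; something like `"id_suffix": "azure_subscription_missing_lock"` keeps them distinct. The last remediation line, `Assign the newly created role to the appropriate user.`, was carried over from that rule and does not apply to creating a lock. `"impact": ""` also differs from the `null` the other rules use for an absent value.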
@@ -0,0 +1,45 @@ +{ + "dashboard_name": "Subscription Policies", + "menu_name": "Subscription", + "issue_name": "Ensure that 'Automatic provisioning of monitoring agent' is set to 'On'", + "description": "Consider to enable automatic provisioning of the monitoring agent to collect security data.", + "rationale": "When `Automatic provisioning of monitoring agent` is turned on, Azure Security Center provisions the Microsoft Monitoring Agent on all existing supported Azure virtual machines and any new ones that are created. The Microsoft Monitoring Agent scans for various security-related configurations and events such as system updates, OS vulnerabilities, endpoint protection, and provides alerts.", + "impact": null, + "remediation": " + ###### From Azure Console + 1. Go to `Security Center` + 2. Select `Pricing & settings` blade + 3. Click on the subscription name + 4. Click on `Data Collection` + 5. Set `Automatic provisioning` to `On` + 6. Select `Save` + ", + "references": [ + "https://docs.microsoft.com/en-us/azure/security-center/security-center-data-security", + "https://docs.microsoft.com/en-us/azure/security-center/security-center-enable-data-collection", + "https://msdn.microsoft.com/en-us/library/mt704062.aspx", + "https://msdn.microsoft.com/en-us/library/mt704063.aspx", + "https://docs.microsoft.com/en-us/rest/api/securitycenter/autoprovisioningsettings/list", + "https://docs.microsoft.com/en-us/rest/api/securitycenter/autoprovisioningsettings/create", + "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-incident-response#ir-2-preparation--setup-incident-notification" + ], + "compliance": [ + { + "name": "CIS Microsoft Azure Foundations", + "version": "1.4.0", + "reference": "2.11" + } + ], + "tags": null, + "path": "az_vm_provisioning_status", + "display_path": "az_vm_provisioning_status", + "conditions": [ + "and", + [ + "autoprovision", + "ne", + "On" + ] + ], + "id_suffix": "azure_vm_autoprovision_disabled" +} 
diff --git a/rules/findings/Azure/Virtual Machines/azure-os-disk-encryption-disabled.json b/rules/findings/Azure/Virtual Machines/azure-os-disk-encryption-disabled.json new file mode 100644 index 00000000..1a4976bb --- /dev/null +++ b/rules/findings/Azure/Virtual Machines/azure-os-disk-encryption-disabled.json 
@@ -0,0 +1,37 @@ +{ + "dashboard_name": "Azure Disks", + "menu_name": "Storage", + "issue_name": "Enable Disk encryption recommendations for OS disks", + "description": "Ensure that OS disks (boot volumes) are encrypted, where possible. Encrypting the IaaS VM\u0027s OS disk (boot volume) ensures that its entire content is fully unrecoverable without a key and thus protects the volume from unwarranted reads. VHD (Virtual Hard Disks) are stored in BLOB storage and are the old style disks that were attached to Virtual Machines, and the BLOB VHD was then leased to the VM. By Default storage accounts are not encrypted, and Azure Defender(Security Centre) would then recommend that the OS disks should be encrypted. Storage accounts can be encrypted as a whole using PMK or CMK and this should be turned on for storage accounts containing VHD's.", + "rationale": "While it is recommended to use managed disks that are encrypted by default, `legacy` disk that may for a number of reasons need to be left as VHD's should also be encrypted to protect the data content. These `legacy` VHD's are not encrypted by default", + "impact": "Depending on how the encryption is implemented will change the size of the impact, if provider managed keys (PMK) are utilised the impact is relatively low, but processes need to be put in place to regularly rotate the keys. 
If Customer managed keys (CMK) are utilised a key management process needs to be implemented to store and manage key rotation and thus the impact is medium to high depending on user maturity with key management.", + "remediation": null, + "references": [ + "https://docs.microsoft.com/en-us/azure/security/azure-security-disk-encryption-overview", + "https://docs.microsoft.com/en-us/azure/governance/policy/overview" + ], + "compliance": [ + { + "name": "CIS Microsoft Azure Foundations", + "version": "1.4.0", + "reference": "7.7" + } + ], + "tags": null, + "path": "az_managed_disks", + "display_path": "az_managed_disks", + "conditions": [ + "and", + [ + "ostype", + "ne", + "" + ], + [ + "os_disk_encryption", + "eq", + "Disabled" + ] + ], + "id_suffix": "azure_os_disk_encryption_disabled" +} diff --git a/rules/findings/Azure/Virtual Machines/azure-os-managed-disk-disabled.json b/rules/findings/Azure/Virtual Machines/azure-os-managed-disk-disabled.json new file mode 100644 index 00000000..3e070483 --- /dev/null +++ b/rules/findings/Azure/Virtual Machines/azure-os-managed-disk-disabled.json 
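Review bot: The `description` and `rationale` discuss legacy VHDs held in storage accounts, but `path` is `az_managed_disks` and the condition reads `os_disk_encryption`, so what is evaluated appears to be managed OS disks; either the prose or the data source should be aligned, and a sentence in `description` stating which disk type is checked would help. `remediation` is `null` here while the sibling disk rules carry steps; a pointer to the disk-encryption overview already listed in `references` would do.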
@@ -0,0 +1,53 @@ +{ + "dashboard_name": "Azure Virtual Machines", + "menu_name": "Compute", + "issue_name": "Ensure Virtual Machines are utilizing Managed Disks", + "description": " + Migrate BLOB based VHD's to Managed Disks on Virtual Machines to exploit the default features of this configuration. The features include: + 1. Default Disk Encryption + 2. Resilience as Microsoft will managed the disk storage and move around if underlying hardware goes faulty + 3. Reduction of costs over storage accounts + ", + "rationale": " + Managed disks are by default encrypted on the underlying hardware so no additional encryption is required for basic protection, it is available if additional encryption is required. Managed disks are by design more resilient that storage accounts. + For ARM deployed Virtual Machines, Azure Adviser will at some point recommend moving VHD's to managed disks both from a security and cost management perspective. + ", + "impact": " + There is no operational impact of migrating to managed disks other than the benefits mentioned above. + **NOTE** When converting to managed disks VMs will be powered off and back on. + ", + "remediation": " + ###### From Azure Console + 1. Using the search feature, go to `Virtual Machines` + 2. Select the virtual machine you would like to convert + 3. Select `Disks` in the menu for the VM + 4. At the top select `Migrate to managed disks` + 5. You may follow the prompts to convert the disk and finish by selecting `Migrate` to start the process + + **NOTE** VMs will be stopped and restarted after migration is complete. 
+ + ", + "references": [ + "https://docs.microsoft.com/en-us/azure/security/azure-security-disk-encryption-overview", + "https://docs.microsoft.com/en-us/azure/governance/policy/overview" + ], + "compliance": [ + { + "name": "CIS Microsoft Azure Foundations", + "version": "1.4.0", + "reference": "7.1" + } + ], + "tags": null, + "path": "az_virtual_machines", + "display_path": "az_virtual_machines", + "conditions": [ + "and", + [ + "os_managed_disk", + "ne", + "true" + ] + ], + "id_suffix": "azure_os_managed_disk_disabled" +} diff --git a/rules/findings/Azure/Virtual Machines/azure-unattached-disk-sse-encryption-disabled.json b/rules/findings/Azure/Virtual Machines/azure-unattached-disk-sse-encryption-disabled.json new file mode 100644 index 00000000..de16017c --- /dev/null +++ b/rules/findings/Azure/Virtual Machines/azure-unattached-disk-sse-encryption-disabled.json 
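Review bot: Typos in the descriptive text: `Microsoft will managed the disk storage` should read `will manage`, and `more resilient that storage accounts` should read `than`. These strings are rendered in the report, so they are worth fixing before the rule ships.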
@@ -0,0 +1,53 @@ +{ + "dashboard_name": "Azure Disks", + "menu_name": "Compute", + "issue_name": "Ensure that unassigned disks are encrypted with customer managed keys", + "description": "Ensure that unattached disks in a subscription are encrypted with a Customer Managed Key (CMK).", + "rationale": "Managed disks are encrypted by default with Platform-managed keys. Using Customer-managed keys may provide an additional level of security or meet an organization's regulatory requirements. Encrypting managed disks ensures that its entire content is fully unrecoverable without a key and thus protects the volume from unwarranted reads. Even if the disk is not attached to any of the VMs, there is always a risk where a compromised user account with administrative access to VM service can mount/attach these data disks which may lead to sensitive information disclosure and tampering.", + "impact": " + Encryption is available only on Standard tier VMs. This might cost you more. + Utilizing and maintaining Customer-managed keys will require additional work to created, protect, and rotate keys. 
+ ", + "remediation": " + If data stored in the disk is no longer useful, refer to Azure documentation to delete unattached data disks at: + * https://docs.microsoft.com/en-us/rest/api/compute/disks/delete + * https://docs.microsoft.com/en-us/cli/azure/disk?view=azure-cli-latest#az-disk-delete + If data stored in the disk is important, To encrypt the disk refer azure documentation at: + * https://docs.microsoft.com/en-us/azure/virtual-machines/disks-enable-customer-managed-keys-portal + * https://docs.microsoft.com/en-us/rest/api/compute/disks/update#encryptionsettings + ", + "references": [ + "https://docs.microsoft.com/en-us/azure/security/fundamentals/azure-disk-encryption-vms-vmss", + "https://docs.microsoft.com/en-us/azure/security-center/security-center-disk-encryption?toc=%2fazure%2fsecurity%2ftoc.json", + "https://docs.microsoft.com/en-us/rest/api/compute/disks/delete", + "https://docs.microsoft.com/en-us/cli/azure/disk?view=azure-cli-latest#az-disk-delete", + "https://docs.microsoft.com/en-us/rest/api/compute/disks/update#encryptionsettings", + "https://docs.microsoft.com/en-us/cli/azure/disk?view=azure-cli-latest#az-disk-update", + "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-5-encrypt-sensitive-data-at-rest" + + ], + "compliance": [ + { + "name": "CIS Microsoft Azure Foundations", + "version": "1.4.0", + "reference": "7.3" + } + ], + "tags": null, + "path": "az_managed_disks", + "display_path": "az_managed_disks", + "conditions": [ + "and", + [ + "managedBy", + "eq", + "" + ], + [ + "sse_encryption", + "ne", + "EncryptionAtRestWithCustomerKey" + ] + ], + "id_suffix": "unattached_disk_sse_encryption_disabled" +} diff --git a/rules/findings/Azure/Virtual Machines/azure-vm-antimalware-disabled.json b/rules/findings/Azure/Virtual Machines/azure-vm-antimalware-disabled.json new file mode 100644 index 00000000..c0620184 --- /dev/null 
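Review bot: `sse_encryption ne EncryptionAtRestWithCustomerKey` also flags disks whose encryption type is `EncryptionAtRestWithPlatformAndCustomerKeys` (double encryption), which do use a customer-managed key, so the rule reports a false positive on the most hardened configuration; if the engine has no set-membership operator, `["sse_encryption", "eq", "EncryptionAtRestWithPlatformKey"]` is the closer test for "platform key only". The `impact` text has `to created`, which should be `to create`.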
+++ b/rules/findings/Azure/Virtual Machines/azure-vm-antimalware-disabled.json
@@ -0,0 +1,31 @@
+{
+ "dashboard_name": "Azure Virtual Machines",
+ "menu_name": "Compute",
+ "issue_name": "Install endpoint protection for all virtual machines",
+ "description": "Installing endpoint protection systems (like Antimalware for Azure) provides for real-time protection capability that helps identify and remove viruses, spyware, and other malicious software, with configurable alerts when known malicious or unwanted software attempts to install itself or run on Azure systems",
+ "rationale": null,
+ "impact": null,
+ "remediation": null,
+ "references": [
+ "https://docs.microsoft.com/en-us/azure/security/fundamentals/antimalware"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "1.4.0",
+ "reference": "7.6"
+ }
+ ],
+ "tags": null,
+ "path": "az_virtual_machines",
+ "display_path": "az_virtual_machines",
+ "conditions": [
+ "and",
+ [
+ "antimalwareAgent",
+ "eq",
+ "false"
+ ]
+ ],
+ "id_suffix": "az_vm_antimalware_disabled"
+}
diff --git a/rules/findings/Azure/Virtual Machines/azure-vm-approved-extensions.json b/rules/findings/Azure/Virtual Machines/azure-vm-approved-extensions.json
new file mode 100644
index 00000000..27243d7b
--- /dev/null
+++ b/rules/findings/Azure/Virtual Machines/azure-vm-approved-extensions.json
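Review bot: `rationale`, `impact` and `remediation` are all `null`, unlike the other VM rules in this commit; at minimum `remediation` should point at the endpoint-protection guidance already cited in `references`, since a reader of the report otherwise gets a finding with no action. The `id_suffix` prefix `az_vm_` also differs from the `azure_` prefix used by the neighbouring rules (`azure_vm_autoprovision_disabled`, `azure_os_managed_disk_disabled`).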
@@ -0,0 +1,38 @@ +{ + "dashboard_name": "Azure Virtual Machines", + "menu_name": "Compute", + "issue_name": "Ensure that only approved extensions are installed", + "description": "Only install organization-approved extensions on VMs.", + "rationale": "Azure virtual machine extensions are small applications that provide post-deployment configuration and automation tasks on Azure virtual machines. These extensions run with administrative privileges and could potentially access anything on a virtual machine. The Azure Portal and community provide several such extensions. Each organization should carefully evaluate these extensions and ensure that only those that are approved for use are actually implemented.", + "impact": "", + "remediation": " + ###### From Azure Console + 1. Go to `Virtual machines` + 2. For each virtual machine, go to `Settings` + 3. Click on `Extensions` + 4. Ensure that the listed extensions are approved for use. + ", + "references": [ + "https://docs.microsoft.com/en-us/azure/virtual-machines/windows/extensions-features", + "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-endpoint-security" + ], + "compliance": [ + { + "name": "CIS Microsoft Azure Foundations", + "version": "1.4.0", + "reference": "7.4" + } + ], + "tags": null, + "path": "az_virtual_machines", + "display_path": "az_virtual_machines", + "conditions": [ + "and", + [ + "resources", + "ne", + "" + ] + ], + "id_suffix": "azure_os_allowed_extensions" +} diff --git a/rules/findings/Azure/Virtual Machines/azure-vm-missing-critical-updates.json b/rules/findings/Azure/Virtual Machines/azure-vm-missing-critical-updates.json new file mode 100644 index 00000000..a96ae0ed --- /dev/null +++ b/rules/findings/Azure/Virtual Machines/azure-vm-missing-critical-updates.json 
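Review bot: The condition `["resources", "ne", ""]` fires for every VM that has any extension at all, so the rule cannot separate approved from unapproved extensions despite the issue_name "Ensure that only approved extensions are installed"; it will also flag every VM carrying the antimalware or monitoring extensions the other rules in this commit expect. Without an allow-list this is a manual-review prompt rather than a detection, and the description should say so, e.g. `"description": "Lists virtual machines with extensions installed so each can be checked against the organization's approved list."`, or the rule should compare against a configurable list of approved extension names. `"impact": ""` is also the only empty-string field in the commit where the other rules use null.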
@@ -0,0 +1,32 @@ +{ + "dashboard_name": "Azure Virtual Machines", + "menu_name": "Compute", + "issue_name": "Ensure that the latest Critical OS patches for all virtual machines are applied", + "description": "The Azure Security Center retrieves a list of available security and critical updates from Windows Update or Windows Server Update Services (WSUS), depending on which service is configured on a Windows VM. The security center also checks for the latest updates in Linux systems. If a VM is missing a system update, the security center will recommend system updates be applied.", + "rationale": null, + "impact": null, + "remediation": null, + "references": [ + "https://docs.microsoft.com/en-us/azure/security-center/security-center-apply-system-updates", + "https://docs.microsoft.com/en-us/azure/security/fundamentals/iaas" + ], + "compliance": [ + { + "name": "CIS Microsoft Azure Foundations", + "version": "1.4.0", + "reference": "7.5" + } + ], + "tags": null, + "path": "az_vm_missing_patches", + "display_path": "az_vm_missing_patches", + "conditions": [ + "and", + [ + "MSRCSeverity", + "eq", + "Critical" + ] + ], + "id_suffix": "azure_vm_missing_critical_updates" +} diff --git a/rules/findings/Azure/Virtual Machines/azure-vm-missing-moderate-updates.json b/rules/findings/Azure/Virtual Machines/azure-vm-missing-moderate-updates.json new file mode 100644 index 00000000..bf5a3b4e --- /dev/null +++ b/rules/findings/Azure/Virtual Machines/azure-vm-missing-moderate-updates.json 
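Review bot: This rule selects on `MSRCSeverity` equal to `Critical` and the next hunk (azure-vm-missing-moderate-updates.json) on `Moderate`, but as far as I know the MSRC rating scale also has `Important` and `Low`, so a missing update rated Important — the most common security rating — yields no finding from either rule. Either add a rule for Important or widen this one, since the CIS 7.5 control the description paraphrases covers all missing security updates. The description text is identical in both files and never states which severity the rule covers; restating it there (e.g. "This rule reports updates rated Critical by MSRC") would make the split visible in the report.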
@@ -0,0 +1,32 @@ +{ + "dashboard_name": "Azure Virtual Machines", + "menu_name": "Compute", + "issue_name": "Ensure that the latest moderate OS patches for all virtual machines are applied", + "description": "The Azure Security Center retrieves a list of available security and critical updates from Windows Update or Windows Server Update Services (WSUS), depending on which service is configured on a Windows VM. The security center also checks for the latest updates in Linux systems. If a VM is missing a system update, the security center will recommend system updates be applied.", + "rationale": null, + "impact": null, + "remediation": null, + "references": [ + "https://docs.microsoft.com/en-us/azure/security-center/security-center-apply-system-updates", + "https://docs.microsoft.com/en-us/azure/security/fundamentals/iaas" + ], + "compliance": [ + { + "name": "CIS Microsoft Azure Foundations", + "version": "1.4.0", + "reference": "7.5" + } + ], + "tags": null, + "path": "az_vm_missing_patches", + "display_path": "az_vm_missing_patches", + "conditions": [ + "and", + [ + "MSRCSeverity", + "eq", + "Moderate" + ] + ], + "id_suffix": "azure_vm_missing_moderate_updates" +} diff --git a/rules/findings/Azure/Virtual Machines/azure-vm-os-data-sse-encryption-disabled.json b/rules/findings/Azure/Virtual Machines/azure-vm-os-data-sse-encryption-disabled.json new file mode 100644 index 00000000..a4177e09 --- /dev/null +++ b/rules/findings/Azure/Virtual Machines/azure-vm-os-data-sse-encryption-disabled.json 
@@ -0,0 +1,58 @@ +{ + "dashboard_name": "Azure Virtual Machines", + "menu_name": "Compute", + "issue_name": "Ensure that OS and Data disks are encrypted with customer managed keys", + "description": "Ensure that OS disks (boot volumes) and data disks (non-boot volumes) are encrypted with CMK.", + "rationale": "Encrypting the IaaS VM's OS disk (boot volume), Data disks (non-boot volume) ensures that the entire content is fully unrecoverable without a key and thus protects the volume from unwarranted reads. CMK is superior encryption although requires additional planning.", + "impact": "Using CMK/BYOK will entail additional management of keys. + **NOTE**: You must have your key vault setup to utilize this. + ", + "remediation": " + ###### From Azure Console + **Note**: Disks must be detached from VMs to have encryption changed. + 1. Go to `Virtual machines` + 2. For each virtual machine, go to `Settings` + 3. Click on `Disks` + 4. Click the `X` to detach the disk from the VM + 5. Now search for `Disks` and locate the unattached disk + 6. Click the disk then select `Encryption` + 7. Change your encryption type, then select your encryption set + 8. Click `Save` + 9. 
Go back to the VM and re-attach the disk + + ", + "references": [ + "https://docs.microsoft.com/azure/security/fundamentals/azure-disk-encryption-vms-vmss", + "https://docs.microsoft.com/en-us/azure/security-center/security-center-disk-encryption?toc=%2fazure%2fsecurity%2ftoc.json", + "https://docs.microsoft.com/azure/security/fundamentals/data-encryption-best-practices#protect-data-at-rest", + "https://docs.microsoft.com/azure/virtual-machines/windows/disk-encryption-portal-quickstart", + "https://docs.microsoft.com/en-us/rest/api/compute/disks/delete", + "https://docs.microsoft.com/en-us/rest/api/compute/disks/update#encryptionsettings", + "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-5-encrypt-sensitive-data-at-rest", + "https://docs.microsoft.com/en-us/azure/virtual-machines/windows/disks-enable-customer-managed-keys-powershell" + ], + "compliance": [ + { + "name": "CIS Microsoft Azure Foundations", + "version": "1.4.0", + "reference": "7.2" + } + ], + "tags": null, + "path": "az_virtual_machines", + "display_path": "az_virtual_machines", + "conditions": [ + "or", + [ + "os_sse_encryption", + "ne", + "EncryptionAtRestWithCustomerKey" + ], + [ + "data_disks.sse_encryption", + "ne", + "EncryptionAtRestWithCustomerKey" + ] + ], + "id_suffix": "az_vm_os_data_disks_cmk_disabled" +} diff --git a/rules/findings/Microsoft 365/ExchangeOnline/Advanced Threat Protection/exchange-atp-default-safe-links-policy-disabled.json b/rules/findings/Microsoft 365/ExchangeOnline/Advanced Threat Protection/exchange-atp-default-safe-links-policy-disabled.json new file mode 100644 index 00000000..cd57641b --- /dev/null +++ b/rules/findings/Microsoft 365/ExchangeOnline/Advanced Threat Protection/exchange-atp-default-safe-links-policy-disabled.json 
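Review bot: `["os_sse_encryption", "ne", "EncryptionAtRestWithCustomerKey"]` and its data-disk twin treat a disk encrypted with `EncryptionAtRestWithPlatformAndCustomerKeys` (double encryption, which also uses a customer-managed key) as non-compliant, a false positive on the strongest configuration; the unattached-disk rule earlier in this commit uses the same comparison and shares the gap. Flagging only the platform-key case, e.g. `["os_sse_encryption", "eq", "EncryptionAtRestWithPlatformKey"]`, avoids that. Separately, for a VM with no data disks `data_disks.sse_encryption` presumably resolves to nothing, and a `ne` on an empty value inside an `or` may match and flag every disk-less VM — worth confirming how the engine evaluates a missing path.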
@@ -0,0 +1,96 @@ +{ + "dashboard_name": "Exchange Online", + "menu_name": "Microsoft 365", + "issue_name": "Ensure the Default Advanced Threat Protection Safe Links policy is enabled", + "description": "Enabling the Advanced Threat Protection (ATP) Safe Links policy allows email messages that include URLs to be processed and rewritten if required. ATP Safe Links provides time of-click verification of web addresses in email messages and Office documents.", + "rationale": "ATP Safe Links extends phishing protection to include redirecting all email hyperlinks through a forwarding service which will block malicious ones even after the email has been delivered to the end user.", + "impact": "When enabling and configuring ATP Safe Links impact to the end-user should be low. Users should be informed of the change as, in the event a link is unsafe and blocked, they will receive a message that it has been blocked", + "remediation": ' + ###### To enable the Safe Links policy, use the Microsoft 365 Admin Center + 1. Click `Security` to open the `Security portal`. + 2. Navigate to `Threat management` *>* `Policy` *>* `Safe Links`. + 3. Click `Create`, name the policy, and then click `Next`. + 4. Choose whether the policy will apply to `Users, Groups, or Domains` then select `Next`. + 5. Under `Protection settings` click `On - URLs will be rewritten and checked + against a list of known malicious links when user clicks on the link.`, select the same for Microsoft Teams. + 6. Click the following options - `Apply Safe Links to email messages sent within the organization, Do not let users click through to the original URL` then click Next. + 7. You may choose to use default or a custom text, then click `Next`. + 8. Click `Submit`. + + ###### To enable the ATP Safe Links policy, use the Exchange Online PowerShell Module + 1. Connect to Exchange Online using `Connect-ExchangeOnline` + 2. 
Run the following PowerShell command: + ```powershell + $p = @{ + Name = "Monkey 365 all company"; + EnableSafeLinksForEmail = $true; + EnableSafeLinksForTeams = $true; + ScanUrls = $true; + DeliverMessageAfterScan = $true; + EnableForInternalSenders = $true; + AllowClickThrough = $false; + } + New-SafeLinksPolicy @p + ``` + ###### Once a new Safe Link policy is created, a new Safe Link rule should be set. + ```powershell + $p = @{ + Name = "Monkey 365 all company"; + SafeLinksPolicy = "Monkey 365 all company"; + RecipientDomainIs = "monkey365domain.com"; + } + New-SafeLinksRule @p + ``` + ', + "references": [ + "https://docs.microsoft.com/en-us/office365/securitycompliance/atp-safe-links", + "https://docs.microsoft.com/en-us/office365/securitycompliance/set-up-atp-safe-links-policies" + ], + "compliance": [ + { + "name": "CIS Microsoft 365 Foundations", + "version": "1.4.0", + "reference": "4.5" + } + ], + "tags": [ + "Microsoft 365 CIS benchmark 4.5" + ], + "path": "o365_exo_safelinks_info", + "display_path": "o365_exo_safelinks_info", + "conditions": [ + "and", + [ + "isEnabled", + "eq", + "True" + ], + [ + "policyName", + "match", + "Built-In" + ], + [ + "and", + [ + "or", + [ + "Policy.ScanUrls", + "eq", + "False" + ], + [ + "Policy.AllowClickThrough", + "eq", + "True" + ], + [ + "Policy.EnableSafeLinksForEmail", + "eq", + "False" + ] + ] + ] + ], + "id_suffix": "o365_exo_default_safe_link_policy_missing" +} diff --git a/rules/findings/Microsoft 365/ExchangeOnline/Advanced Threat Protection/exchange-atp-safe-attachments-policy-disabled.json b/rules/findings/Microsoft 365/ExchangeOnline/Advanced Threat Protection/exchange-atp-safe-attachments-policy-disabled.json new file mode 100644 index 00000000..4272f379 --- /dev/null +++ b/rules/findings/Microsoft 365/ExchangeOnline/Advanced Threat Protection/exchange-atp-safe-attachments-policy-disabled.json 
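Review bot: The top-level `and` requires `["isEnabled", "eq", "True"]`, so a Built-In policy that is disabled — the state the issue_name "Ensure the Default ... Safe Links policy is enabled" exists to catch — produces no finding, and neither does a tenant with no policy matching `Built-In` at all, despite the `id_suffix` ending in `_missing`. If `isEnabled` is the policy's own enabled flag, it belongs as an extra `or` branch, `["isEnabled", "ne", "True"]`, rather than a gate on the whole rule. The `["and", ["or", ...]]` wrapper around the three policy checks is redundant (an `and` with a single child) and the `or` can sit directly in the outer `and`; the same pattern recurs in the domain-whitelist, anti-malware notification and attachment-filter rules later in this commit.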
@@ -0,0 +1,43 @@ +{ + "dashboard_name": "Exchange Online", + "menu_name": "Microsoft 365", + "issue_name": "Ensure the Advanced Threat Protection Safe Attachments policy is enabled", + "description": "Enabling the Advanced Threat Protection Safe Attachments policy extends malware protections to include routing all messages and attachments without a known malware signature to a special hypervisor environment. In that environment, a behavior analysis is performed using a variety of machine learning and analysis techniques to detect malicious intent.", + "rationale": "This policy increases the likelihood of identifying and stopping previously unknown malware.", + "impact": "Delivery of email with attachments may be delayed while scanning is occurring.", + "remediation": ' + ###### To enable the ATP Safe Attachments policy, use the Microsoft 365 Admin Center + 1. Click `Security` to open the `Security portal`. + 2. Navigate to `Threat management`, then `Policy`, and select `Safe Attachments`. + 3. Click `+`. + 4. Enter Policy Name and Description followed by the Users, Groups, or Domains it will + apply to. + 5. Select `Block`, `Monitor`, `Replace` or `Dynamic Delivery` based on your organizational policies. + 6. Select `Next`. + 7. Select `Submit` followed by `Done`. + ', + "references": [ + "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/safe-attachments?view=o365-worldwide" + ], + "compliance": [ + { + "name": "CIS Microsoft 365 Foundations", + "version": "1.4.0", + "reference": "2.4" + } + ], + "tags": [ + "Microsoft 365 CIS benchmark 4.8" + ], + "path": "o365_exo_safe_attachment_policy", + "display_path": "o365_exo_safe_attachment_policy", + "conditions": [ + "and", + [ + "Enable", + "eq", + "false" + ] + ], + "id_suffix": "o365_exo_safe_attachment_policy_disabled" +} 
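Review bot: The compliance block cites CIS reference `2.4` while the tag reads `Microsoft 365 CIS benchmark 4.8`, so one of the two is wrong; the safe-links-office rule that follows keeps its reference and tag in step and this one should too. Boolean literal casing is also inconsistent across the commit: this rule compares `Enable` to `"false"`, the outbound-spam and auto-forward rules use `"False"`/`"True"`, the admin-notification rule uses `"false"` and the attachment-filter rule uses `ne "true"`. If the engine's `eq` is case-sensitive some of these rules can never match; I'd settle on one spelling (PowerShell booleans stringify as `True`/`False`, which is presumably what the collector emits) and use it everywhere.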
diff --git a/rules/findings/Microsoft 365/ExchangeOnline/Advanced Threat Protection/exchange-atp-safe-links-office-disabled.json b/rules/findings/Microsoft 365/ExchangeOnline/Advanced Threat Protection/exchange-atp-safe-links-office-disabled.json new file mode 100644 index 00000000..6eead369 --- /dev/null +++ b/rules/findings/Microsoft 365/ExchangeOnline/Advanced Threat Protection/exchange-atp-safe-links-office-disabled.json 
@@ -0,0 +1,62 @@ +{ + "dashboard_name": "Exchange Online", + "menu_name": "Microsoft 365", + "issue_name": "Ensure O365 ATP SafeLinks for Office Applications is Enabled", + "description": "Enabling the Advanced Threat Protection (ATP) Safe Links policy for Office applications allows URL\u0027s that existing inside of Office documents opened by Office, Office Online and Office mobile to be processed against ATP time-of-click verification.", + "rationale": "ATP Safe Links for Office applications extends phishing protection to documents that contain hyperlinks, even after they have been delivered to a user.", + "impact": "User impact associated with this change is minor - users may experience a very short delay when clicking on URLs in Office documents before being directed to the requested site.", + "remediation": ' + ###### To enable the ATP Safe Links policy for Office, use the Microsoft 365 Admin Center + 1. Select `Admin Center` and Click to expand `Security`. + 2. Navigate to `Threat management` and select `Policy`. + 3. Select `Safe Links` followed by `Global Settings`. + 4. Select `Use Safe Links in Office 365 apps and Do not let users click through to the original URL in Office 365 apps`. + 5. Click `Save`. + + ###### To enable the ATP Safe Links policy for Office 365, use the Exchange Online PowerShell Module + 1. Connect to Exchange Online using `Connect-ExchangeOnline` + 2. 
Run the following PowerShell command: + ```powershell + Set-AtpPolicyForO365 -AllowClickThrough $False -EnableSafeLinksForClients $true + ``` + ', + "references": [ + "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/safe-links?view=o365-worldwide" + ], + "compliance": [ + { + "name": "CIS Microsoft 365 Foundations", + "version": "1.4.0", + "reference": "2.3" + } + ], + "tags": [ + "Microsoft 365 CIS benchmark 2.3" + ], + "path": "o365_exo_atp_policy", + "display_path": "o365_exo_atp_policy", + "conditions": [ + "or", + [ + "AllowClickThrough", + "eq", + "false" + ], + [ + "EnableSafeLinksForClients", + "eq", + "false" + ], + [ + "EnableSafeLinksForO365Clients", + "eq", + "false" + ], + [ + "EnableSafeLinksForWebAccessCompanion", + "eq", + "false" + ] + ], + "id_suffix": "o365_exo_safe_links_office_disabled" +} diff --git a/rules/findings/Microsoft 365/ExchangeOnline/Anti Spam Protection/exchange-outbound-spam-disabled.json b/rules/findings/Microsoft 365/ExchangeOnline/Anti Spam Protection/exchange-outbound-spam-disabled.json new file mode 100644 index 00000000..07bef9bd --- /dev/null +++ b/rules/findings/Microsoft 365/ExchangeOnline/Anti Spam Protection/exchange-outbound-spam-disabled.json 
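Review bot: The first `or` branch, `["AllowClickThrough", "eq", "false"]`, is inverted: the remediation in this same hunk sets `-AllowClickThrough $False`, so `false` is the compliant value, and the rule as written flags tenants that have done the right thing while staying silent on those that still permit click-through. It should read `["AllowClickThrough", "eq", "true"]`. The other three branches agree with the remediation.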
@@ -0,0 +1,69 @@ +{ + "dashboard_name": "Exchange Online", + "menu_name": "Microsoft 365", + "issue_name": "Ensure Exchange Online Spam Policies are set correctly", + "description": "Organisations should set Exchange Online Spam Policies to copy emails and notify someone when a sender in your tenant has been blocked for sending spam emails.", + "rationale": "A blocked account is a good indication that the account in question has been breached and an attacker is using it to send spam emails to other people.", + "impact": "Notification of users that have been blocked should not cause an impact to the user.", + "remediation": ' + ###### To set the Exchange Online Spam Policies correctly, use the Microsoft 365 Admin Center + 1. Click `Security` to open the Security portal. + 2. Navigate to `Threat management`, then `Policy`, and select `Anti-spam`. + 3. Click `Anti-spam outbound policy`. + 4. Select `Edit policy` then expand `Notification`. + 5. Check `Send a copy of outbound messages that exceed these limits to these users and groups`, then select `+Add people`, and enter the desired email addresses. + 6. Check `Notify specific people if senders are blocked`, then select `+Add people`, and enter the desired email addresses. + 7. Click `Save`. + + ###### To set the Exchange Online Spam Policies correctly, use the Exchange Online PowerShell Module + 1. Connect to Exchange Online using `Connect-ExchangeOnline` + 2. 
Run the following PowerShell command: + ```powershell + $BccEmailAddress = @("") + $NotifyEmailAddress = @("") + Set-HostedOutboundSpamFilterPolicy -Identity Default - + BccSuspiciousOutboundAdditionalRecipients $BccEmailAddress - + BccSuspiciousOutboundMail $true -NotifyOutboundSpam $true - + NotifyOutboundSpamRecipients $NotifyEmailAddress + ``` + ', + "references": [ + "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/configure-the-outbound-spam-policy?view=o365-worldwide" + ], + "compliance": [ + { + "name": "CIS Microsoft 365 Foundations", + "version": "1.4.0", + "reference": "4.2" + } + ], + "tags": [ + "Microsoft 365 CIS benchmark 4.2" + ], + "path": "o365_exo_hosted_spam_policy", + "display_path": "o365_exo_hosted_spam_policy", + "conditions": [ + "or", + [ + "BccSuspiciousOutboundMail", + "eq", + "False" + ], + [ + "BccSuspiciousOutboundAdditionalRecipients.Count", + "eq", + "0" + ], + [ + "NotifyOutboundSpam", + "eq", + "False" + ], + [ + "NotifyOutboundSpamRecipients.Count", + "eq", + "0" + ] + ], + "id_suffix": "o365_exo_outbound_spam_notification_disabled" +} diff --git a/rules/findings/Microsoft 365/ExchangeOnline/Mail Transport Rules/exchange-mail-transport-rules-forward-enabled.json b/rules/findings/Microsoft 365/ExchangeOnline/Mail Transport Rules/exchange-mail-transport-rules-forward-enabled.json new file mode 100644 index 00000000..50574358 --- /dev/null +++ b/rules/findings/Microsoft 365/ExchangeOnline/Mail Transport Rules/exchange-mail-transport-rules-forward-enabled.json 
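Review bot: The PowerShell in the remediation block was wrapped from the benchmark text: `-Identity Default -` followed by a line break and `BccSuspiciousOutboundAdditionalRecipients ...` separates each parameter from its leading dash, so the command fails to parse when pasted as shown. Join it onto one line, `Set-HostedOutboundSpamFilterPolicy -Identity Default -BccSuspiciousOutboundAdditionalRecipients $BccEmailAddress -BccSuspiciousOutboundMail $true -NotifyOutboundSpam $true -NotifyOutboundSpamRecipients $NotifyEmailAddress`, or use backtick continuations. The two `.Count eq "0"` branches presumably do not fire if the recipient lists come back null rather than empty — worth checking against the collector's output.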
@@ -0,0 +1,49 @@ +{ + "dashboard_name": "Exchange Online", + "menu_name": "Microsoft 365", + "issue_name": "Ensure mail transport rules do not forward email to external domains", + "description": "Consider to set Exchange Online mail transport rules to not forward email to domains outside of your organization.", + "rationale": "Attackers often create these rules to exfiltrate data from your tenancy.", + "impact": "Care should be taken before implementation to ensure there is no business need for case-by-case auto-forwarding. Disabling auto-forwarding to remote domains will affect all users and in an organization.", + "remediation": ' + ###### To alter the mail transport rules so they do not forward email to external domains, use the Microsoft 365 Admin Center + 1. Select `Exchange`. + 2. Select `Mail Flow` and `Rules`. + 3. For each rule that forwards email to external domains, select the rule and click the *Delete* icon. + + ###### To perform remediation you may also use the Exchange Online PowerShell Module + 1. Connect to Exchange Online using `Connect-ExchangeOnline` + 2. Run the following PowerShell command: + ```powershell + Remove-TransportRule {RuleName} + ``` + 3. To verify this worked you may re-run the audit command as follows: + ```powershell + Get-TransportRule | Where-Object {$null -ne $_.RedirectMessageTo} | ft Name,RedirectMessageTo + ``` + ', + "references": [ + "https://docs.microsoft.com/en-us/exchange/policy-and-compliance/mail-flow-rules/mail-flow-rule-procedures?view=exchserver-2019" + ], + "compliance": [ + { + "name": "CIS Microsoft 365 Foundations", + "version": "1.4.0", + "reference": "4.3" + } + ], + "tags": [ + "Microsoft 365 CIS benchmark 4.3" + ], + "path": "o365_exo_transport_rules", + "display_path": "o365_exo_transport_rules", + "conditions": [ + "and", + [ + "RedirectMessageTo", + "ne", + "" + ] + ], + "id_suffix": "o365_exo_transport_rules_forward_enabled" +} 
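Review bot: `["RedirectMessageTo", "ne", ""]` flags every transport rule that redirects mail, including redirects to internal mailboxes and rules that are disabled, while the issue_name claims "do not forward email to external domains". This mirrors the CIS audit command quoted in the remediation, but the finding text overclaims; either narrow the description to "rules that redirect messages" or, if the collector exposes the target addresses, add a check that the destination lies outside the tenant's accepted domains. The sole reference points at on-premises Exchange Server 2019 documentation rather than Exchange Online.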
diff --git a/rules/findings/Microsoft 365/ExchangeOnline/Mail Transport Rules/exchange-transport-rules-domain-whitelisted.json b/rules/findings/Microsoft 365/ExchangeOnline/Mail Transport Rules/exchange-transport-rules-domain-whitelisted.json new file mode 100644 index 00000000..b4392688 --- /dev/null +++ b/rules/findings/Microsoft 365/ExchangeOnline/Mail Transport Rules/exchange-transport-rules-domain-whitelisted.json 
@@ -0,0 +1,71 @@ +{ + "dashboard_name": "Exchange Online", + "menu_name": "Microsoft 365", + "issue_name": "Ensure mail transport rules do not whitelist specific domains", + "description": "Consider to set Exchange Online mail transport rules so they do not whitelist any specific domains.", + "rationale": "Whitelisting domains in transport rules bypasses regular malware and phishing scanning, which can enable an attacker to launch attacks against your users from a safe haven domain.", + "impact": "Care should be taken before implementation to ensure there is no business need for case-by-case whitelisting. Removing all whitelisted domains could affect incoming mail flow to an organization although modern systems sending legitimate mail should have no issue with this.", + "remediation": ' + ###### To alter the mail transport rules so they do not whitelist any specific domains, use the Microsoft 365 Admin Center + 1. Select `Exchange`. + 2. Select `Mail Flow` and `Rules`. + 3. For each rule that whitelists specific domains, select the rule and click the *Delete* icon. + + ###### To remove mail transport rules you may also use the Exchange Online PowerShell + 1. Connect to Exchange Online using `Connect-ExchangeOnline` + 2. Run the following PowerShell command: + ```powershell + Remove-TransportRule {RuleName} + ``` + 3. 
To verify this worked you may re-run the audit command as follows: + ```powershell + Get-TransportRule | Where-Object {($_.setscl -eq -1 -and $null -ne $_.SenderDomainIs)} | ft Name,SenderDomainIs + ``` + ', + "references": [ + "https://docs.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/conditions-and-exceptions", + "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/create-safe-sender-lists-in-office-365?view=o365-worldwide" + ], + "compliance": [ + { + "name": "CIS Microsoft 365 Foundations", + "version": "1.3.0", + "reference": "4.5" + } + ], + "tags": [ + "Microsoft 365 CIS benchmark 4.5" + ], + "path": "o365_exo_transport_rules", + "display_path": "o365_exo_transport_rules", + "conditions": [ + "and", + [ + "setscl", + "eq", + "-1" + ], + [ + "and", + [ + "or", + [ + "SenderDomainIs", + "ne", + "" + ], + [ + "FromAddressContainsWords", + "ne", + "" + ], + [ + "FromAddressMatchesPatterns", + "ne", + "" + ] + ] + ] + ], + "id_suffix": "o365_exo_transport_rules_domain_whitelisted" +} diff --git a/rules/findings/Microsoft 365/ExchangeOnline/Malware Protection/exchange-anti-malware-admin-notification-disabled.json b/rules/findings/Microsoft 365/ExchangeOnline/Malware Protection/exchange-anti-malware-admin-notification-disabled.json new file mode 100644 index 00000000..b8ddadec --- /dev/null +++ b/rules/findings/Microsoft 365/ExchangeOnline/Malware Protection/exchange-anti-malware-admin-notification-disabled.json 
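Review bot: `compliance.version` is `1.3.0` here (reference `4.5`) while nearly every other M365 rule in this commit cites `1.4.0`, and the anti-phishing rule later in the commit also uses `1.3.0` (reference `4.10`); mixing benchmark versions makes the control numbers incomparable across one report, so either both should be renumbered to 1.4.0 or the older version should be called out deliberately. A whitelisting rule only bypasses scanning while it is active, so an extra `["State", "eq", "Enabled"]` branch — if the collector exposes the rule's State — would stop disabled rules from being reported.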
@@ -0,0 +1,59 @@ +{ + "dashboard_name": "Exchange Online", + "menu_name": "Microsoft 365", + "issue_name": "Ensure notifications for internal users sending malware is Enabled For Administrators", + "description": "Consider to setup the Exchange Online Protection malware filter to notify administrators if internal senders are blocked for sending malware.", + "rationale": "This setting alerts administrators that an internal user sent a message that contained malware. This may indicate an account or machine compromise, that would need to be investigated.", + "impact": "Notification of account with potential issues should not cause an impact to the user.", + "remediation": ' + ###### To enable notifications for internal users sending malware, use the Microsoft 365 Admin Center + 1. Select Security. + 2. Expand `Threat Management`then select `Policy`. + 3. Select `Anti-Malware`. + 4. Change the setting `Notify administrator about undelivered messages from internal senders` to `Always On` and enter the email address of the administrator who should be notified under `Administrator email address`. + ###### To check the setting from PowerShell, use the Exchange Online Module for PowerShell + 1. Connect to Exchange Online using `Connect-ExchangeOnline` + 2. 
Run the following PowerShell command: + ```powershell + set-MalwareFilterPolicy -Identity \'{Identity Name}\' -EnableInternalSenderAdminNotifications $True -InternalSenderAdminAddress {admin@domain1.com} + ``` + ', + "references": [ + "https://docs.microsoft.com/en-us/office365/servicedescriptions/exchange-online-protection-service-description/anti-spam-and-anti-malware-protection-eop" + ], + "compliance": [ + { + "name": "CIS Microsoft 365 Foundations", + "version": "1.4.0", + "reference": "4.11" + } + ], + "tags": null, + "path": "o365_exo_malware_policy", + "display_path": "o365_exo_malware_policy", + "conditions": [ + "and", + [ + "isEnabled", + "eq", + "True" + ], + [ + "and", + [ + "or", + [ + "Policy.EnableInternalSenderAdminNotifications", + "eq", + "false" + ], + [ + "Policy.InternalSenderAdminAddress.Length", + "eq", + "0" + ] + ] + ] + ], + "id_suffix": "o365_exo_anti_malware_admin_notification_disabled" +} diff --git a/rules/findings/Microsoft 365/ExchangeOnline/Malware Protection/exchange-common-attachment-type-filter-enabled.json b/rules/findings/Microsoft 365/ExchangeOnline/Malware Protection/exchange-common-attachment-type-filter-enabled.json new file mode 100644 index 00000000..157abf09 --- /dev/null +++ b/rules/findings/Microsoft 365/ExchangeOnline/Malware Protection/exchange-common-attachment-type-filter-enabled.json 
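Review bot: `["Policy.InternalSenderAdminAddress.Length", "eq", "0"]` only catches an empty string; if the collector returns null for an unset address, `.Length` presumably resolves to nothing and the comparison with `"0"` fails, so the exact misconfiguration this rule exists for goes unreported. A `["Policy.InternalSenderAdminAddress", "eq", ""]` branch (or whatever form the engine uses for null) alongside the length check would close that. The remediation heading says "To check the setting from PowerShell" but the command shown, `set-MalwareFilterPolicy ... -EnableInternalSenderAdminNotifications $True`, changes it; and the `\'` escapes inside the single-quoted remediation string are worth confirming the loader actually unescapes.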
@@ -0,0 +1,63 @@ +{ + "dashboard_name": "Exchange Online", + "menu_name": "Microsoft 365", + "issue_name": "Ensure the Common Attachment Types Filter is enabled", + "description": "The Common Attachment Types Filter lets a user block known and custom malicious file types from being attached to emails.", + "rationale": "Blocking known malicious file types can help prevent malware-infested files from infecting a host.", + "impact": "Blocking common malicious file types should not cause an impact in modern computing environments.", + "remediation": ' + ###### To enable the Common Attachment Types Filter, use the Microsoft 365 Admin Portal + 1. Click `Security` to open the Security portal. + 2. Navigate to `Threat management`, then `Policy`, and select `Anti-malware`. + 3. Edit the `Default` profile, then click Edit protection settings at the bottom of the window. + 4. Select `Enable the common attachments filter`. + 5. Click `Save`. + + ###### To enable the Common Attachment Types Filter, use the Exchange Online PowerShell Module + 1. Connect to Exchange Online using `Connect-ExchangeOnline` + 2. 
Run the following PowerShell command: + ```powershell + Set-MalwareFilterPolicy -Identity Default -EnableFileFilter $true + ``` + ', + "references": [ + "https://docs.microsoft.com/en-us/powershell/module/exchange/antispam-antimalware/Get-MalwareFilterPolicy?view=exchange-ps", + "https://docs.microsoft.com/en-us/office365/SecurityCompliance/configure-anti-malware-policies#use-remote-powershell-to-configure-anti-malware-policies", + "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-malware-protection?view=o365-worldwide" + ], + "compliance": [ + { + "name": "CIS Microsoft 365 Foundations", + "version": "1.4.0", + "reference": "4.1" + } + ], + "tags": null, + "path": "o365_exo_malware_policy", + "display_path": "o365_exo_malware_policy", + "conditions": [ + "and", + [ + "isEnabled", + "eq", + "True" + ], + [ + "and", + [ + "or", + [ + "Policy.EnableFileFilter", + "ne", + "true" + ], + [ + "Policy.FileTypes.Count", + "eq", + "0" + ] + ] + ] + ], + "id_suffix": "o365_exo_attachment_type_filter_disabled" +} diff --git a/rules/findings/Microsoft 365/ExchangeOnline/exchange-anti-phishing-policy-disabled.json b/rules/findings/Microsoft 365/ExchangeOnline/exchange-anti-phishing-policy-disabled.json new file mode 100644 index 00000000..2b570b5d --- /dev/null +++ b/rules/findings/Microsoft 365/ExchangeOnline/exchange-anti-phishing-policy-disabled.json 
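Review bot: `["Policy.FileTypes.Count", "eq", "0"]` has the same null-versus-empty gap as the admin-notification rule: a policy with filtering on but no file types may come back null rather than an empty collection, in which case `.Count` does not resolve to 0 and the finding is missed. The first branch, `["Policy.EnableFileFilter", "ne", "true"]`, is the only `ne`-against-a-boolean form in the commit; `["Policy.EnableFileFilter", "eq", "false"]` would match the sibling rules and not depend on how the engine compares `"True"` with `"true"`.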
@@ -0,0 +1,50 @@ +{ + "dashboard_name": "Exchange Online", + "menu_name": "Microsoft 365", + "issue_name": "Ensure that an anti-phishing policy has been created", + "description": "By default, Microsoft 365 includes built-in features that help protect your users from phishing attacks. Set up anti-phishing polices to increase this protection, for example by refining settings to better detect and prevent impersonation and spoofing attacks. The default policy applies to all users within the organization, and is a single view where you can fine-tune anti-phishing protection. Custom policies can be created and configured for specific users, groups or domains within the organization and will take precedence over the default policy for the scoped users.", + "rationale": "Protects users from phishing attacks (like impersonation and spoofing), and uses safety tips to warn users about potentially harmful messages.", + "impact": "Turning on Anti-Phishing should not cause an impact, messages will be displayed when applicable.", + "remediation": ' + ###### To set the anti-phishing policy, use the Microsoft 365 Admin Center + 1. Select Security. + 2. Expand `Threat Management`then select `Policy`. + 3. Select `Anti-phishing`. + 4. Click `Create` to create an anti-phishing policy. + + ###### To create an anti-phishing policy, use the Exchange Online PowerShell Module + 1. Connect to Exchange Online using `Connect-ExchangeOnline` + 2. 
Run the following PowerShell command: + ```powershell + New-AntiPhishPolicy -Name "Microsoft 365 AntiPhish Policy" + ``` + ', + "references": [ + "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/set-up-anti-phishing-policies?view=o365-worldwide", + "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/configure-mdo-anti-phishing-policies?view=o365-worldwide" + ], + "compliance": [ + { + "name": "CIS Microsoft 365 Foundations", + "version": "1.3.0", + "reference": "4.10" + } + ], + "tags": null, + "path": "o365_exo_anti_phishing_info", + "display_path": "o365_exo_anti_phishing_info", + "conditions": [ + "and", + [ + "isEnabled", + "ne", + "true" + ], + [ + "policyName", + "eq", + "Office365 AntiPhish Default" + ] + ], + "id_suffix": "o365_exo_anti_phishing_policy_disabled" +} diff --git a/rules/findings/Microsoft 365/ExchangeOnline/exchange-automatic-forward-enabled.json b/rules/findings/Microsoft 365/ExchangeOnline/exchange-automatic-forward-enabled.json new file mode 100644 index 00000000..e713e4b9 --- /dev/null +++ b/rules/findings/Microsoft 365/ExchangeOnline/exchange-automatic-forward-enabled.json 
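Review bot: The conditions only evaluate the policy named `Office365 AntiPhish Default`, so the rule reports when that policy is disabled but cannot tell whether any anti-phishing policy "has been created" as the issue_name says; a tenant with the default disabled but a custom policy scoped to everyone would still be flagged. Renaming the issue to "Ensure the default anti-phishing policy is enabled" makes the finding match the check, or the rule needs a branch over custom policies. The description should also name the policy it inspects so the reader knows why a custom-policy tenant appears in the report.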
@@ -0,0 +1,44 @@
+{
+ "dashboard_name": "Exchange Online",
+ "menu_name": "Microsoft 365",
+ "issue_name": "Ensure automatic forwarding options are disabled",
+ "description": "Consider to disable automatic forwarding to prevent users from auto-forwarding mail through Outlook and Outlook on the Web.",
+ "rationale": "In the event that an attacker gains control of an end-user account they could create rules to ex-filtrate data from your environment.",
+ "impact": "Care should be taken before implementation to ensure there is no business need for case-by-case auto-forwarding. Disabling auto-forwarding to remote domains will affect all users and in an organization.",
+ "remediation": '
+ ###### To perform remediation you may use the Exchange Online PowerShell Module:
+ 1. Connect to Exchange Online using `Connect-ExchangeOnline`
+ 2. Run the following PowerShell command:
+ ```powershell
+ Set-RemoteDomain Default -AutoForwardEnabled $false
+ ```
+ 3. To verify this worked you may re-run the audit command as follows:
+ ```powershell
+ Get-RemoteDomain Default | fl AllowedOOFType, AutoForwardEnabled
+ ```
+ ',
+ "references": [
+ "https://docs.microsoft.com/en-gb/azure/app-service/app-service-web-tutorial-connect-msi"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations",
+ "version": "1.4.0",
+ "reference": "4.3"
+ }
+ ],
+ "tags": [
+ "Microsoft 365 CIS benchmark 4.4"
+ ],
+ "path": "o365_exo_remote_domain",
+ "display_path": "o365_exo_remote_domain",
+ "conditions": [
+ "and",
+ [
+ "AutoForwardEnabled",
+ "eq",
+ "True"
+ ]
+ ],
+ "id_suffix": "o365_exo_automatic_forward_enabled"
+}
diff --git a/rules/findings/Microsoft 365/ExchangeOnline/exchange-calendar-sharing-external-user-enabled.json b/rules/findings/Microsoft 365/ExchangeOnline/exchange-calendar-sharing-external-user-enabled.json
new file mode 100644
index 00000000..852550b8
--- /dev/null
+++ b/rules/findings/Microsoft 365/ExchangeOnline/exchange-calendar-sharing-external-user-enabled.json
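Review bot: The only `references` entry points at an Azure App Service managed-identity tutorial (`app-service-web-tutorial-connect-msi`), which has nothing to do with Exchange Online auto-forwarding; replace it with the Exchange Online documentation for `Set-RemoteDomain -AutoForwardEnabled` that the remediation is based on. The `tags` value `Microsoft 365 CIS benchmark 4.4` also disagrees with `compliance.reference` `4.3` in the same file, so the finding will be filed under two different controls depending on which field a report reads; make them agree. The impact sentence `will affect all users and in an organization` has a stray `and`.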
@@ -0,0 +1,47 @@
+{
+ "dashboard_name": "Exchange Online",
+ "menu_name": "Microsoft 365",
+ "issue_name": "Ensure calendar details sharing with external users is disabled",
+ "description": "Consider to not allow your users to share the full details of their calendars with external users.",
+ "rationale": "Attackers often spend time learning about your organization before launching an attack. Publicly available calendars can help attackers understand organizational relationships and determine when specific users may be more vulnerable to an attack, such as when they are traveling.",
+ "impact": "This functionality is not widely used. As a result, it is unlikely that implementation of this setting will cause an impact to most users. Users that do utilize this functionality are likely to experience a minor inconvenience when scheduling meetings or synchronizing calendars with people outside the tenant.",
+ "remediation": '
+ ###### To disable calendar details sharing with external users, use the Microsoft 365 Admin Center
+ 1. Select `Admin Center` and Click to expand `Settings`.
+ 2. Click `Org Settings`.
+ 3. Click `Calendar`.
+ 4. Set `Let your users share their calendars with external users who have O365 or Exchange` to Off or unchecked.
+ 5. Click `Save`.
+
+ ###### To disabled calendar details sharing with external users policy, use the Exchange Online PowerShell Module
+ 1. Connect to Exchange Online using `Connect-ExchangeOnline`
+ 2. Run the following PowerShell command:
+ ```powershell
+ Set-SharingPolicy -Identity "Name of the policy" -Enabled $False
+ ```
+ ',
+ "references": [
+ "https://docs.microsoft.com/en-us/exchange/sharing/sharing"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations",
+ "version": "1.3.0",
+ "reference": "2.2"
+ }
+ ],
+ "tags": [
+ "Microsoft 365 CIS benchmark 2.2"
+ ],
+ "path": "o365_exo_sharing_policy",
+ "display_path": "o365_exo_sharing_policy",
+ "conditions": [
+ "and",
+ [
+ "Domains",
+ "like",
+ "*CalendarSharing*"
+ ]
+ ],
+ "id_suffix": "o365_exo_calendar_sharing_external_enabled"
+}
diff --git a/rules/findings/Microsoft 365/ExchangeOnline/exchange-customer-lockout-feature-enabled.json b/rules/findings/Microsoft 365/ExchangeOnline/exchange-customer-lockout-feature-enabled.json
new file mode 100644
index 00000000..d59dac94
--- /dev/null
+++ b/rules/findings/Microsoft 365/ExchangeOnline/exchange-customer-lockout-feature-enabled.json
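Review bot: The condition only tests `Domains like *CalendarSharing*` and never looks at the sharing policy's enabled state, so a policy that has already been turned off with the `Set-SharingPolicy -Identity "Name of the policy" -Enabled $False` command quoted in the remediation is still reported as a finding. Add an enabled clause under the existing `"and"`, e.g. `["Enabled", "eq", "True"]`, using whichever boolean spelling the engine expects. The heading `To disabled calendar details sharing` should read `To disable`.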
@@ -0,0 +1,46 @@
+{
+ "dashboard_name": "Exchange Online",
+ "menu_name": "Microsoft 365",
+ "issue_name": "Ensure the customer lockbox feature is enabled",
+ "description": "Consider to enable the Customer Lockbox feature. It requires Microsoft to get your approval for any datacenter operation that grants a Microsoft support engineer or other employee direct access to any of your data. For example, in some cases a Microsoft support engineer might need access to your Microsoft 365 content in order to help troubleshoot and fix an issue for you. Customer lockbox requests also have an expiration time, and content access is removed after the support engineer has fixed the issue.",
+ "rationale": "Enabling this feature protects your data against data spillage and exfiltration.",
+ "impact": "The impact associated with this setting is a requirement to grant Microsoft access to the tenant environment prior to a Microsoft engineer accessing the environment for support or troubleshooting.",
+ "remediation": '
+ ###### To enable the Customer Lockbox feature, use the Microsoft 365 Admin Portal
+ 1. Browse to the `Microsoft 365 admin center`.
+ 2. Expand `Settings` and then select `Org Settings`.
+ 3. Choose `Security & privacy` in the right pane.
+ 4. Click `Customer Lockbox`.
+ 5. Check the the box `Require approval for all data access requests`.
+ 6. Click `Save changes`.
+
+ ###### To set the Customer Lockbox feature to enabled, use the Microsoft Online PowerShell Module
+ 1. Connect to Exchange Online using `Connect-ExchangeOnline`
+ 2. Run the following PowerShell command:
+ ```powershell
+ Set-OrganizationConfig -CustomerLockBoxEnabled $true
+ ```
+ ',
+ "references": [
+ "https://docs.microsoft.com/en-us/microsoft-365/compliance/customer-lockbox-requests?view=o365-worldwide"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations",
+ "version": "1.3.0",
+ "reference": "3.1"
+ }
+ ],
+ "tags": null,
+ "path": "o365_exo_org_config",
+ "display_path": "o365_exo_org_config",
+ "conditions": [
+ "and",
+ [
+ "CustomerLockBoxEnabled",
+ "eq",
+ "false"
+ ]
+ ],
+ "id_suffix": "o365_exo_customer_lockout_disabled"
+}
diff --git a/rules/findings/Microsoft 365/ExchangeOnline/exchange-mailtips-disabled.json b/rules/findings/Microsoft 365/ExchangeOnline/exchange-mailtips-disabled.json
new file mode 100644
index 00000000..4e92a4fb
--- /dev/null
+++ b/rules/findings/Microsoft 365/ExchangeOnline/exchange-mailtips-disabled.json
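Review bot: The file name (`exchange-customer-lockout-feature-enabled.json`) and the `id_suffix` `o365_exo_customer_lockout_disabled` name a "lockout" feature while the control audited is Customer Lockbox (`CustomerLockBoxEnabled`); a finding id that names a different feature will confuse anyone correlating report output with the CIS control, so rename both to `customer_lockbox` before other rulesets start referencing this id. The remediation step 5 also has a duplicated word in `Check the the box`.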
@@ -0,0 +1,54 @@
+{
+ "dashboard_name": "Exchange Online",
+ "menu_name": "Microsoft 365",
+ "issue_name": "Ensure MailTips are enabled for end users",
+ "description": "Consider to enable MailTips, which is designed to assist end users with identifying strange patterns to emails they send.",
+ "rationale": "Setting up MailTips gives a visual aid to users when they send emails to large groups of recipients or send emails to recipients not within the tenant.",
+ "impact": "",
+ "remediation": '
+ ###### To enable MailTips, use the Exchange Online PowerShell Module
+ 1. Connect to Exchange Online using `Connect-ExchangeOnline`
+ 2. Run the following PowerShell command:
+ ```powershell
+ Set-OrganizationConfig -MailTipsAllTipsEnabled $true -MailTipsExternalRecipientsTipsEnabled $true -MailTipsGroupMetricsEnabled $true -MailTipsLargeAudienceThreshold \'25\'
+ ```
+ ',
+ "references": [
+ "https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/mailtips/mailtips"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations",
+ "version": "1.3.0",
+ "reference": "4.15"
+ }
+ ],
+ "tags": null,
+ "path": "o365_exo_org_config",
+ "display_path": "o365_exo_org_config",
+ "conditions": [
+ "or",
+ [
+ "MailTipsAllTipsEnabled",
+ "eq",
+ "false"
+ ],
+ [
+ "MailTipsExternalRecipientsTipsEnabled",
+ "eq",
+ "false"
+ ],
+ [
+ "MailTipsGroupMetricsEnabled",
+ "eq",
+ "false"
+ ],
+ [
+ "MailTipsLargeAudienceThreshold",
+ "lt",
+ "25"
+ ]
+
+ ],
+ "id_suffix": "o365_exo_mailtips_disabled"
+}
diff --git a/rules/findings/Microsoft 365/ExchangeOnline/exchange-modern-authentication-disabled.json b/rules/findings/Microsoft 365/ExchangeOnline/exchange-modern-authentication-disabled.json
new file mode 100644
index 00000000..7df6b08d
--- /dev/null
+++ b/rules/findings/Microsoft 365/ExchangeOnline/exchange-modern-authentication-disabled.json
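Review bot: The last clause compares `MailTipsLargeAudienceThreshold` with `"lt"` against `"25"`: a threshold below 25 makes the large-audience tip fire more often, i.e. it is stricter than the benchmark value, while a threshold above 25 (fewer warnings) is never flagged — if the intent is to enforce the CIS value the operator probably needs to be `"gt"` or an exact `"ne"`. It is also not visible here whether `lt` compares numerically or lexically (`"9"` would sort above `"25"` as a string); worth confirming in the engine before relying on this clause. The `\'25\'` escapes inside the single-quoted remediation string, the empty `impact` (`""` here, `null` elsewhere) and the stray empty line before the closing `]` of `conditions` all depend on the custom parser being lenient.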
@@ -0,0 +1,38 @@
+{
+ "dashboard_name": "Exchange Online",
+ "menu_name": "Microsoft 365",
+ "issue_name": "Ensure modern authentication for Exchange Online is enabled",
+ "description": "Modern authentication in Microsoft 365 enables authentication features like multifactor authentication (MFA) using smart cards, certificate-based authentication (CBA), and third party SAML identity providers. When you enable modern authentication in Exchange Online, Outlook 2016 and Outlook 2013 use modern authentication to log in to Microsoft 365 mailboxes. When you disable modern authentication in Exchange Online, Outlook 2016 and Outlook 2013 use basic authentication to log in to Microsoft 365 mailboxes.When users initially configure certain email clients, like Outlook 2013 and Outlook 2016, they may be required to authenticate using enhanced authentication mechanisms, such as multifactor authentication. Other Outlook clients that are available in Microsoft 365 (for example, Outlook Mobile and Outlook for Mac 2016) always use modern authentication to log in to Microsoft 365 mailboxes.",
+ "rationale": "Strong authentication controls, such as the use of multifactor authentication, may be circumvented if basic authentication is used by Exchange Online email clients such as Outlook 2016 and Outlook 2013. Enabling modern authentication for Exchange Online ensures strong authentication mechanisms are used when establishing sessions between email clients and Exchange Online.",
+ "impact": "Users of older email clients, such as Outlook 2013 and Outlook 2016, will no longer be able to authenticate to Exchange using Basic Authentication, which will necessitate migration to modern authentication practices.",
+ "remediation": '
+ ###### To disable basic authentication, use the Exchange Online PowerShell Module
+ 1. Connect to Exchange Online using `Connect-ExchangeOnline`
+ 2. Run the following PowerShell command:
+ ```powershell
+ Set-OrganizationConfig -OAuth2ClientProfileEnabled $True
+ ```
+ ',
+ "references": [
+ "https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/enable-or-disable-modern-authentication-in-exchange-online"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations",
+ "version": "1.3.0",
+ "reference": "1.2"
+ }
+ ],
+ "tags": null,
+ "path": "o365_exo_org_config",
+ "display_path": "o365_exo_org_config",
+ "conditions": [
+ "and",
+ [
+ "OAuth2ClientProfileEnabled",
+ "eq",
+ "false"
+ ]
+ ],
+ "id_suffix": "o365_exo_modern_auth_disabled"
+}
diff --git a/rules/findings/Microsoft 365/ExchangeOnline/exchange-owa-external-storage-allowed.json b/rules/findings/Microsoft 365/ExchangeOnline/exchange-owa-external-storage-allowed.json
new file mode 100644
index 00000000..36d106e0
--- /dev/null
+++ b/rules/findings/Microsoft 365/ExchangeOnline/exchange-owa-external-storage-allowed.json
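Review bot: The remediation heading reads `To disable basic authentication` but the command it introduces, `Set-OrganizationConfig -OAuth2ClientProfileEnabled $True`, enables modern authentication and does not by itself turn basic authentication off; retitle it `###### To enable modern authentication, use the Exchange Online PowerShell Module` so an operator does not assume legacy protocols are blocked after running it. The description also has a missing space at `mailboxes.When users initially configure`.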
@@ -0,0 +1,44 @@
+{
+ "dashboard_name": "Exchange Online",
+ "menu_name": "Microsoft 365",
+ "issue_name": "Ensure external storage providers available in Outlook on the Web are restricted",
+ "description": "Consider to restrict storage providers that are integrated with Outlook on the Web.",
+ "rationale": "By default additional storage providers are allowed in Outlook on the Web (such as Box, Dropbox, Facebook, Google Drive, OneDrive Personal, etc.). This could lead to information leakage and additional risk of infection from organizational non-trusted storage providers. Restricting this will inherently reduce risk as it will narrow opportunities for infection and data leakage.",
+ "impact": "Impact associated with this change is highly dependent upon current practices in the tenant. If users do not use other storage providers, then minimal impact is likely. However, if users do regularly utilize providers outside of the tenant this will affect their ability to continue to do so.",
+ "remediation": '
+ ###### To disable external storage providers, use the Exchange Online PowerShell Module
+ 1. Connect to Exchange Online using `Connect-EXOPSSession`
+ 2. Run the following PowerShell command:
+ ```powershell
+ Set-OwaMailboxPolicy -Identity OwaMailboxPolicy-Default -AdditionalStorageProvidersAvailable $false
+ ```
+ 3. Run the following Powershell command to verify that the value is now False:
+ ```powershell
+ Get-OwaMailboxPolicy | Format-Table Name, AdditionalStorageProvidersAvailable
+ ```
+ ',
+ "references": [
+ "https://docs.microsoft.com/en-us/powershell/module/exchange/client-access/set-owamailboxpolicy?view=exchange-ps"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations",
+ "version": "1.3.0",
+ "reference": "6.4"
+ }
+ ],
+ "tags": [
+ "Microsoft 365 CIS benchmark 6.4"
+ ],
+ "path": "o365_exo_owa_mbox_policy",
+ "display_path": "o365_exo_owa_mbox_policy",
+ "conditions": [
+ "and",
+ [
+ "AdditionalStorageProvidersAvailable",
+ "eq",
+ "true"
+ ]
+ ],
+ "id_suffix": "o365_exo_owa_additional_storage_allowed"
+}
diff --git a/rules/findings/Microsoft 365/MicrosoftForms/forms-internal-phishing-protection-disabled.json b/rules/findings/Microsoft 365/MicrosoftForms/forms-internal-phishing-protection-disabled.json
new file mode 100644
index 00000000..6d76e5d7
--- /dev/null
+++ b/rules/findings/Microsoft 365/MicrosoftForms/forms-internal-phishing-protection-disabled.json
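Review bot: This rule tells the operator to connect with `Connect-EXOPSSession`, whereas every other Exchange rule in the commit uses `Connect-ExchangeOnline`; the two cmdlets belong to different module generations, so pick one for the whole rule set (exchange-audit-log-search-disabled has the same inconsistency) to keep remediation steps reproducible. The verification step is also scoped to all policies (`Get-OwaMailboxPolicy | Format-Table …`) while the fix only touches `OwaMailboxPolicy-Default`; a sentence noting that every OWA mailbox policy, not just the default one, must show `False` would prevent a false sense of completion when custom policies exist.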
@@ -0,0 +1,38 @@
+{
+ "dashboard_name": "Microsoft Forms",
+ "menu_name": "Microsoft 365",
+ "issue_name": "Ensure internal phishing protection for Forms is enabled",
+ "description": "Microsoft Forms can be used for phishing attacks by asking personal or sensitive information and collecting the results. Microsoft 365 has built-in protection that will proactively scan for phishing attempt in forms such personal information request.",
+ "rationale": "Enabling internal phishing protection for Microsoft Forms will prevent attackers using forms for phishing attacks by asking personal or other sensitive information and URLs.",
+ "impact": "If potential phishing was detected, the form will be temporarily blocked and cannot be distributed and response collection will not happen until it is unblocked by the administrator or keywords were removed by the creator.",
+ "remediation": '
+ ###### To set Microsoft Forms settings use the Microsoft 365 Admin Center
+ 1. Expand `Settings` then select `Org settings`.
+ 2. Under Services select `Microsoft Forms`.
+ 3. Select the checkbox for `Add internal phishing protection`.
+ 4. Click `Save`
+ ',
+ "references": [
+ "https://support.microsoft.com/en-us/office/administrator-settings-for-microsoft-forms-48161c55-fbae-4f37-8951-9e3befc0248b",
+ "https://support.microsoft.com/en-us/office/review-and-unblock-forms-or-users-detected-and-blocked-for-potential-phishing-879a90d7-6ef9-4145-933a-fb53a430bced"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations",
+ "version": "1.3.0",
+ "reference": "2.10"
+ }
+ ],
+ "tags": null,
+ "path": "o365_forms_tenant_settings",
+ "display_path": "o365_forms_tenant_settings",
+ "conditions": [
+ "and",
+ [
+ "InOrgFormsPhishingScan",
+ "eq",
+ "false"
+ ]
+ ],
+ "id_suffix": "o365_forms_phishing_protection_disabled"
+}
diff --git a/rules/findings/Microsoft 365/MicrosoftTeams/teams-external-domain-allowed.json b/rules/findings/Microsoft 365/MicrosoftTeams/teams-external-domain-allowed.json
new file mode 100644
index 00000000..3300d7d0
--- /dev/null
+++ b/rules/findings/Microsoft 365/MicrosoftTeams/teams-external-domain-allowed.json
@@ -0,0 +1,45 @@
+{
+ "dashboard_name": "Microsoft Teams",
+ "menu_name": "Microsoft 365",
+ "issue_name": "Ensure external domains are not allowed in Skype or Teams",
+ "description": "Disable the ability of your users to communicate via Skype or Teams with users outside your organization.",
+ "rationale": "You should not allow your users to communicate with Skype or Teams users outside your organization. While there are legitimate, productivity-improving scenarios for this, it also represents a potential security threat because those external users will be able to interact with your users over Skype for Business or Teams. Attackers may be able to pretend to be someone your user knows and then send malicious links or attachments, resulting in an account breach or leaked information.",
+ "impact": "Impact associated with this change is highly dependent upon current practices in the tenant. If users do not regularly communicate with external parties using Skype or Teams channels, then minimal impact is likely. However, if users do regularly utilize Teams and Skype for client communication, potentially significant impacts could occur, and users should be contacts, and if necessary, alternate mechanisms to continue this communication should be identified prior to disabling external access to Teams and Skype.",
+ "remediation": "
+ ###### To disable Skype forBusiness and Teams access with external users, use the Microsoft 365 Admin Center
+ 1. Under `Admin Centers` choose `Teams`.
+ 2. Expand `Org Wide Settings` then select `External Access`.
+ 3. Set `Users can communicate with Skype for Business and Teams users` to `Off`.
+ 4. Set `Skype for Business users can communicate with Skype users` to `Off`.
+ ",
+ "references": [
+ "https://docs.microsoft.com/en-us/microsoftteams/teams-skype-interop",
+ "https://docs.microsoft.com/en-us/skypeforbusiness/set-up-skype-for-business-online/allow-users-to-contact-external-skype-for-business-users"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations",
+ "version": "1.4.0",
+ "reference": "3.3"
+ }
+ ],
+ "tags": [
+ "Microsoft 365 CIS benchmark 3.3"
+ ],
+ "path": "o365_teams_skype_federation_settings",
+ "display_path": "o365_teams_skype_federation_settings",
+ "conditions": [
+ "or",
+ [
+ "AllowFederatedUsers",
+ "eq",
+ "True"
+ ],
+ [
+ "AllowPublicUsers",
+ "ne",
+ "True"
+ ]
+ ],
+ "id_suffix": "o365_skype_external_allowed"
+}
diff --git a/rules/findings/Microsoft 365/MicrosoftTeams/teams-external-file-sharing-approved-storage.json b/rules/findings/Microsoft 365/MicrosoftTeams/teams-external-file-sharing-approved-storage.json
new file mode 100644
index 00000000..9fc834b1
--- /dev/null
+++ b/rules/findings/Microsoft 365/MicrosoftTeams/teams-external-file-sharing-approved-storage.json
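Review bot: The second clause `["AllowPublicUsers", "ne", "True"]` looks inverted: under the `"or"` it raises the finding whenever communication with consumer Skype users is *not* allowed — exactly the state remediation step 4 asks for — while a tenant that does allow it satisfies the clause and may slip through. It should mirror the first clause, `["AllowPublicUsers", "eq", "True"]`. The heading `Skype forBusiness` is also missing a space, and `users should be contacts` in the impact text presumably means `contacted`.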
@@ -0,0 +1,85 @@
+{
+ "dashboard_name": "Microsoft Teams",
+ "menu_name": "Microsoft 365",
+ "issue_name": "Ensure external file sharing in Teams is enabled for only approved cloud storage services",
+ "description": "Microsoft Teams enables collaboration via file sharing. This file sharing is conducted within Teams, using SharePoint Online, by default; however, third-party cloud services are allowed as well.",
+ "rationale": "Ensuring that only authorized cloud storage providers are accessible from Teams will help to dissuade the use of non-approved storage providers.",
+ "impact": "Impact associated with this change is highly dependent upon current practices in the tenant. If users do not use other storage providers, then minimal impact is likely. However, if users do regularly utilize providers outside of the tenant this will affect their ability to continue to do so.",
+ "remediation": "
+ ###### To Set external file sharing in Teams, use the Microsoft 365 Admin Center:
+ 1. Under `Admin Centers` choose `Teams`.
+ 2. Expand `Org Wide Settings` select `Teams settings`.
+ 3. Set each cloud storage service under Files to `On` if it is authorized.
+
+ **To verify external file sharing in Teams you may also utilize Powershell. Ensure that the Skype for business online, Windows Powershell module and Microsoft Teams module are both installed.**
+
+ 1. Install the Powershell module for teams. Skype module will need downloaded from Microsoft
+
+ ```Powershell
+ Install-Module MicrosoftTeams -Scope CurrentUser
+ Import-Module SkypeOnlineConnector
+ ```
+ 2. Connect to your tenant as a Global Administrator, methods will differ based on whether 2FA is enabled. See the following article for more information:
+ https://docs.microsoft.com/en-us/office365/enterprise/powershell/manage-skype-for-business-online-with-office-365-powershell
+ 3. Run the following command to verify which cloud storage providers are enabled for Teams
+ ```Powershell
+ Get-CsTeamsClientConfiguration | select allow*
+ ```
+ 4. Run the following Powershell command to disable external providers that are not authorized. (the example disables ShareFile, GoogleDrive, Box, and DropBox)
+ ```Powershell
+ Set-CsTeamsClientConfiguration -AllowGoogleDrive $false `
+ -AllowShareFile $false `
+ -AllowBox $false `
+ -AllowDropBox $false `
+ -AllowEgnyte $false
+ ```
+ 5. You may verify this worked by running the following Powershell command again.
+ ```Powershell
+ Get-CsTeamsClientConfiguration | select allow*
+ ```
+ ",
+ "references": [
+ "https://docs.microsoft.com/en-us/powershell/module/skype/set-csteamsclientconfiguration?view=skype-ps"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations",
+ "version": "1.4.0",
+ "reference": "3.7"
+ }
+ ],
+ "tags": [
+ "Microsoft 365 CIS benchmark 3.7"
+ ],
+ "path": "o365_teams_org_settings",
+ "display_path": "o365_teams_org_settings",
+ "conditions": [
+ "or",
+ [
+ "AllowDropBox",
+ "eq",
+ "True"
+ ],
+ [
+ "AllowBox",
+ "eq",
+ "True"
+ ],
+ [
+ "AllowGoogleDrive",
+ "eq",
+ "True"
+ ],
+ [
+ "AllowShareFile",
+ "eq",
+ "True"
+ ],
+ [
+ "AllowEgnyte",
+ "eq",
+ "True"
+ ]
+ ],
+ "id_suffix": "o365_teams_external_sharing_allowed"
+}
diff --git a/rules/findings/Microsoft 365/OneDrive/onedrive-sync-from-unmanaged-domains-enabled.json b/rules/findings/Microsoft 365/OneDrive/onedrive-sync-from-unmanaged-domains-enabled.json
new file mode 100644
index 00000000..be9691e9
--- /dev/null
+++ b/rules/findings/Microsoft 365/OneDrive/onedrive-sync-from-unmanaged-domains-enabled.json
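Review bot: Step 1 of the PowerShell remediation imports `SkypeOnlineConnector` next to the `MicrosoftTeams` module; the Skype for Business Online connector was retired in favour of the Teams module, so on a current workstation that line fails and the reader is sent to download a module that no longer exists — if that retirement holds for the target tenants, drop `Import-Module SkypeOnlineConnector` and keep only `Install-Module MicrosoftTeams -Scope CurrentUser`. Step 2 asks the operator to connect as a Global Administrator, yet `Set-CsTeamsClientConfiguration` only needs a Teams administrator role; remediation text should name the least-privileged role that works rather than nudge people into over-privileged sessions. The code fences are tagged `Powershell` here and `powershell` in the Exchange rules; pick one so the renderer treats them alike.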
@@ -0,0 +1,45 @@
+{
+ "dashboard_name": "Microsoft OneDrive",
+ "menu_name": "Microsoft 365",
+ "issue_name": "Block OneDrive for Business sync from unmanaged devices",
+ "description": "Consider to prevent company data from OneDrive for Business from being synchronized to non-corporate managed devices.",
+ "rationale": "Unmanaged devices pose a risk, since their security cannot be verified. Allowing users to sync data to these devices, takes that data out of the control of the organization. This increases the risk of the data either being intentionally or accidentally leaked",
+ "impact": "Enabling this feature will prevent users from using the OneDrive for Business Sync client on devices that are not joined to the domains that were defined.",
+ "remediation": '
+ ###### To block the sync client on unmanaged devices, use the Microsoft 365 Admin Center
+ 1. Navigate to Microsoft 365 administration portal, Click on `All Admin Centers` and then `OneDrive`.
+ 2. Click `Sync`.
+ 3. Ensure that `Allow syncing only on PCs joined to specific domains` is checked.
+ 4. Use the `Get-ADDomain` PowerShell command to obtain the GUID from each domain in your environment and add them to the box below.
+ 5. Click `Save`
+ ',
+ "references": [
+ "https://docs.microsoft.com/en-us/powershell/module/sharepoint-online/set-spotenantsyncclientrestriction?view=sharepoint-ps"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations",
+ "version": "1.3.0",
+ "reference": "6.2"
+ }
+ ],
+ "tags": [
+ "Microsoft 365 CIS benchmark 6.2"
+ ],
+ "path": "o365_spo_tenant_sync_restrictions",
+ "display_path": "o365_spo_tenant_sync_restrictions",
+ "conditions": [
+ "or",
+ [
+ "IsUnmanagedSyncClientForTenantRestricted",
+ "eq",
+ "false"
+ ],
+ [
+ "AllowedDomainListForSyncClient.Count",
+ "eq",
+ "0"
+ ]
+ ],
+ "id_suffix": "ofb_sync_from_unmanaged_devices_enabled"
+}
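Review bot: The `id_suffix` is prefixed `ofb_` while every other rule in this commit uses `o365_` or `sps_`, and the `issue_name` starts with `Block …` instead of the `Ensure …` phrasing used everywhere else; aligning both (`"id_suffix": "o365_ofb_sync_from_unmanaged_devices_enabled"`, `"issue_name": "Ensure OneDrive for Business sync from unmanaged devices is blocked"`) keeps finding ids and titles predictable when rulesets reference them. The clause `AllowedDomainListForSyncClient.Count eq "0"` presumably relies on the engine resolving the dotted path and comparing numerically — worth confirming, since a null list would leave `.Count` undefined rather than 0 and the clause would never match. The rationale text is also missing its final period.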
diff --git a/rules/findings/Microsoft 365/SecurityAndCompliance/exchange-audit-log-search-disabled.json b/rules/findings/Microsoft 365/SecurityAndCompliance/exchange-audit-log-search-disabled.json
new file mode 100644
index 00000000..fc79edfa
--- /dev/null
+++ b/rules/findings/Microsoft 365/SecurityAndCompliance/exchange-audit-log-search-disabled.json
@@ -0,0 +1,54 @@
+{
+ "dashboard_name": "Security and Compliance",
+ "menu_name": "Microsoft 365",
+ "issue_name": "Ensure Microsoft 365 audit log search is Enabled",
+ "description": "When audit log search in the Microsoft 365 Security \u0026 Compliance Center is enabled, user and admin activity from your organization is recorded in the audit log and retained for 90 days. However, your organization might be using a third-party security information and event management (SIEM) application to access your auditing data. In that case, a global admin can turn off audit log search in Microsoft 365.",
+ "rationale": "Enabling Microsoft 365 audit log search helps Office 365 back office teams to investigate activities for regular security operational or forensic purposes",
+ "impact": null,
+ "remediation": '
+ ###### To enable Microsoft 365 audit log search, use the Microsoft 365 Admin Center
+ 1. Log in as an Global Administrator
+ 2. Navigate to Office 365 security & compliance center.
+ 3. In the `Security & Compliance Center`, expand `Search` then select `Audit log search`.
+ 4. Click `Start recording user and admin activities` next to the information warning at the top.
+ 5. Click `Yes` on the dialog box to confirm.
+
+ ###### To enable Microsoft 365 audit log search, use the Exchange Online PowerShell Module
+ 1. Run Microsoft Exchange Online PowerShell Module.
+ 2. Connect using `Connect-EXOPSSession`.
+ 3. Run the following PowerShell command:
+
+ ```
+ Set-AdminAuditLogConfig -AdminAutidLogEnabled $true -UnifiedAuditLogIngestionEnabled $true
+ ```
+ ',
+ "references": [
+ "https://docs.microsoft.com/en-us/office365/securitycompliance/turn-audit-log-search-on-or-off"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations",
+ "version": "1.4.0",
+ "reference": "5.1"
+ }
+ ],
+ "tags": [
+ "Microsoft 365 CIS benchmark 5.1"
+ ],
+ "path": "o365_secomp_log_config",
+ "display_path": "o365_secomp_log_config",
+ "conditions": [
+ "or",
+ [
+ "AdminAuditLogEnabled",
+ "ne",
+ "True"
+ ],
+ [
+ "UnifiedAuditLogIngestionEnabled",
+ "ne",
+ "True"
+ ]
+ ],
+ "id_suffix": "o365_exo_auditing_disabled"
+}
diff --git a/rules/findings/Microsoft 365/SecurityAndCompliance/exchange-dlp-policies-Teams-disabled.json b/rules/findings/Microsoft 365/SecurityAndCompliance/exchange-dlp-policies-Teams-disabled.json
new file mode 100644
index 00000000..2dcf1870
--- /dev/null
+++ b/rules/findings/Microsoft 365/SecurityAndCompliance/exchange-dlp-policies-Teams-disabled.json
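Review bot: The remediation command misspells the parameter as `-AdminAutidLogEnabled`, so an operator who pastes it gets a parameter-binding error instead of enabling auditing; it should read `Set-AdminAuditLogConfig -AdminAuditLogEnabled $true -UnifiedAuditLogIngestionEnabled $true`, matching the `AdminAuditLogEnabled` property the conditions test. The code fence here carries no language tag while the other rules use ```powershell, and `impact` is `null`; a sentence stating that enabling unified audit logging has no end-user impact would keep this finding's report card consistent with the rest. `Log in as an Global Administrator` should be `a Global Administrator`.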
@@ -0,0 +1,49 @@
+{
+ "dashboard_name": "Security and Compliance",
+ "menu_name": "Microsoft 365",
+ "issue_name": "Ensure DLP policies are enabled for Microsoft Teams",
+ "description": "Enabling Data Loss Prevention (DLP) policies for Microsoft Teams, blocks sensitive content when shared in teams or channels. Content to be scanned for specific types of data like social security numbers, credit card numbers, or passwords.",
+ "rationale": "Enabling DLP policies alerts users and administrators that specific types of data should not be exposed, helping to protect the data from accidental exposure.",
+ "impact": "Enabling a Teams DLP policy will allow sensitive data in Teams channels or chat messages to be detected or blocked.",
+ "remediation": null,
+ "references": [
+ "https://docs.microsoft.com/en-us/microsoft-365/compliance/dlp-microsoft-teams?view=o365-worldwide"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations",
+ "version": "1.4.0",
+ "reference": "3.5"
+ }
+ ],
+ "tags": [
+ "Microsoft 365 CIS benchmark 3.5"
+ ],
+ "path": "o365_secomp_dlp_compliance_info",
+ "display_path": "o365_secomp_dlp_compliance_info",
+ "conditions": [
+ "and",
+ [
+ "isEnabled",
+ "eq",
+ "True"
+ ],
+ [
+ "and",
+ [
+ "or",
+ [
+ "Policy.TeamsLocation.Name",
+ "eq",
+ "All"
+ ]
+ ]
+ ]
+ ],
+ "id_suffix": "o365_exo_dlp_Teams_disabled",
+ "shouldExist": "true",
+ "returnObject": {
+ "Feature": "Enabled DLP Policies For Teams",
+ "Status": "DoesNotExists"
+ }
+}
diff --git a/rules/findings/Microsoft 365/SecurityAndCompliance/exchange-dlp-policies-disabled.json b/rules/findings/Microsoft 365/SecurityAndCompliance/exchange-dlp-policies-disabled.json
new file mode 100644
index 00000000..0f46ceb2
--- /dev/null
+++ b/rules/findings/Microsoft 365/SecurityAndCompliance/exchange-dlp-policies-disabled.json
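Review bot: The second branch of the top-level `"and"` wraps a single clause in a redundant `["and", ["or", …]]` nesting, and that clause only accepts policies whose `Policy.TeamsLocation.Name` equals `All`, so a tenant whose Teams DLP policy is scoped to particular teams or users is reported as having no Teams DLP policy at all. If scoped policies should count, flatten the nesting to `["Policy.TeamsLocation.Name", "ne", ""]`-style presence check (or whatever the engine offers for non-empty) rather than the literal `All`. `remediation` is `null` although the referenced DLP-for-Teams article describes the steps; a short pointer to the compliance center's Data loss prevention page would be enough. `shouldExist` is the string `"true"` rather than a JSON boolean here and in exchange-dlp-policies-disabled and sharepoint-data-classification-policy-disabled — fine if the engine expects strings, but it should be one representation everywhere.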
@@ -0,0 +1,38 @@
+{
+ "dashboard_name": "Security and Compliance",
+ "menu_name": "Microsoft 365",
+ "issue_name": "Ensure DLP policies are enabled",
+ "description": "Enabling Data Loss Prevention (DLP) policies allows Exchange Online and SharePoint Online content to be scanned for specific types of data like social security numbers, credit card numbers, or passwords.",
+ "rationale": null,
+ "impact": null,
+ "remediation": null,
+ "references": [
+ "https://docs.microsoft.com/en-us/microsoft-365/compliance/dlp-learn-about-dlp?view=o365-worldwide"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations",
+ "version": "1.4.0",
+ "reference": "3.4"
+ }
+ ],
+ "tags": [
+ "Microsoft 365 CIS benchmark 3.4"
+ ],
+ "path": "o365_secomp_dlp_compliance_info",
+ "display_path": "o365_secomp_dlp_compliance_info",
+ "conditions": [
+ "and",
+ [
+ "isEnabled",
+ "eq",
+ "True"
+ ]
+ ],
+ "id_suffix": "o365_exo_dlp_disabled",
+ "shouldExist": "true",
+ "returnObject": {
+ "Feature": "Enabled DLP Policies",
+ "Status": "DoesNotExists"
+ }
+}
diff --git a/rules/findings/Microsoft 365/SharepointOnline/sharepoint-data-classification-policy-disabled.json b/rules/findings/Microsoft 365/SharepointOnline/sharepoint-data-classification-policy-disabled.json
new file mode 100644
index 00000000..27e605fb
--- /dev/null
+++ b/rules/findings/Microsoft 365/SharepointOnline/sharepoint-data-classification-policy-disabled.json
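Review bot: `rationale`, `impact` and `remediation` are all `null`, so this finding renders with no guidance at all, while the sibling Teams DLP rule in the same commit fills in at least rationale and impact. Populate them — e.g. `"rationale": "DLP policies detect sensitive content such as credit card or social security numbers in Exchange Online and SharePoint Online and help prevent its accidental exposure."` — and point the remediation at the Microsoft 365 compliance center's Data loss prevention page already cited under `references`. The `id_suffix` `o365_exo_dlp_disabled` is Exchange-prefixed although the description covers SharePoint Online too; `o365_secomp_dlp_disabled` would match the `path`.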
@@ -0,0 +1,52 @@
+{
+ "dashboard_name": "Sharepoint Online",
+ "menu_name": "Microsoft 365",
+ "issue_name": "Ensure SharePoint Online Information Protection policies are set up and used",
+ "description": "Consider to set up and use SharePoint Online data classification policies on data stored in your SharePoint Online sites.",
+ "rationale": "The policies will help categorize your most important data so you can effectively protect it from illicit access, and will help make it easier to investigate discovered breaches.",
+ "impact": "Creation of data classification policies will not cause a significant impact to an organization. However, ensuring long term adherence with policies can potentially be a significant training and ongoing compliance effort across an organization. Organizations should ensure that training and compliance planning is part of the classification policy creation process.",
+ "remediation": "
+ ###### To set up data classification policies, use the Microsoft 365 Admin Center:
+ 1. Under `Admin centers` select `Compliance` to open the `Microsoft 365 compliance center`.
+ 2. Under `Solutions` click `Information protection`
+ 3. Select `Labels` tab
+ 4. Click `Create a label` to create a label.
+ 5. Select the label and click on the `Publish` label
+ 6. Fill out the forms to create the policy
+ ",
+ "references": [
+ "https://docs.microsoft.com/en-us/microsoft-365/compliance/create-apply-retention-labels?view=o365-worldwide",
+ "https://docs.microsoft.com/en-us/microsoft-365/compliance/retention?view=o365-worldwide"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations",
+ "version": "1.4.0",
+ "reference": "3.2"
+ }
+ ],
+ "tags": [
+ "Microsoft 365 CIS benchmark 3.2"
+ ],
+ "path": "o365_exo_label_policy",
+ "display_path": "o365_exo_label_policy",
+ "conditions": [
+ "or",
+ [
+ "Name",
+ "ne",
+ "Global sensitivity label policy"
+ ],
+ [
+ "Enabled",
+ "eq",
+ "false"
+ ]
+ ],
+ "shouldExist": "true",
+ "returnObject": {
+ "operationName": "Sensitivity Label Policy",
+ "Status": "DoesNotExists"
+ },
+ "id_suffix": "sps_data_classification_policy_disabled"
+}
diff --git a/rules/findings/Microsoft 365/SharepointOnline/sharepoint-document-sharing-enable-all.json b/rules/findings/Microsoft 365/SharepointOnline/sharepoint-document-sharing-enable-all.json
new file mode 100644
index 00000000..06c16cf9
--- /dev/null
+++ b/rules/findings/Microsoft 365/SharepointOnline/sharepoint-document-sharing-enable-all.json
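Review bot: Read with `shouldExist`, the `conditions` say "report unless some policy exists whose `Name` differs from `Global sensitivity label policy` or whose `Enabled` is `false`", which is satisfied by any disabled or oddly named policy and looks inverted relative to the `issue_name`; if the engine semantics are as they appear, the intended match is an enabled label policy, i.e. `["Enabled", "eq", "true"]` on its own (with the boolean spelling the engine expects). The `returnObject` uses the key `operationName` where both DLP rules in this commit use `Feature`, so whichever column the report renders will be blank for one of them unless the renderer knows both keys. The `path` `o365_exo_label_policy` is an Exchange-prefixed collection feeding a SharePoint dashboard — acceptable if that is where the data is collected, but worth a line in the rules README.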
@@ -0,0 +1,49 @@
+{
+ "dashboard_name": "Sharepoint Online",
+ "menu_name": "Microsoft 365",
+ "issue_name": "Ensure document sharing is being controlled by domains with whitelist or blacklist",
+ "description": "Consider to control sharing of documents to external domains by either blocking domains or only allowing sharing with specific named domains.",
+ "rationale": "Attackers will often attempt to expose sensitive information to external entities through sharing, and restricting the domains that your users can share documents with will reduce that surface area.",
+ "impact": "Enabling this feature will prevent users from sharing documents with domains outside of the organization unless allowed.",
+ "remediation": '
+ ###### To configure document sharing restrictions, use the Microsoft 365 Admin Center
+ 1. Log in as an SharePoint Administrator
+ 2. Navigate to Microsoft 365 administration portal, Click on Admin Centers and then SharePoint.
+ 3. Expand `Policies` then click `Sharing`.
+ 4. Expand `More external sharing settings` and check `Limit external sharing by domain`..
+ 5. Select `Add domains` to add a list of approved domains.
+ 6. Click `Save` at the bottom of the page.
+
+ ###### To configure document sharing restrictions, you can also use SharePoint Online PowerShell
+ 1. Connect to SharePoint Online using Connect-SPOService
+ 2. Run the following PowerShell command:
+ ```
+ Set-SPOTenant -SharingDomainRestrictionMode AllowList -SharingAllowedDomainList "domain1.com domain2.com"
+ ```
+ ',
+ "references": [
+ "https://docs.microsoft.com/en-us/sharepoint/turn-external-sharing-on-or-off",
+ "https://docs.microsoft.com/en-us/microsoft-365/solutions/microsoft-365-limit-sharing?view=o365-worldwide"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations",
+ "version": "1.4.0",
+ "reference": "6.1"
+ }
+ ],
+ "tags": [
+ "Microsoft 365 CIS benchmark 6.1"
+ ],
+ "path": "o365_spo_tenant_details",
+ "display_path": "o365_spo_tenant_details",
+ "conditions": [
+ "and",
+ [
+ "SharingDomainRestrictionMode",
+ "eq",
+ "0"
+ ]
+ ],
+ "id_suffix": "sps_document_sharing_all_enabled"
+}
diff --git a/rules/findings/Microsoft 365/SharepointOnline/sharepoint-external-user-sharing-disabled.json b/rules/findings/Microsoft 365/SharepointOnline/sharepoint-external-user-sharing-disabled.json
new file mode 100644
index 00000000..c85c093c
--- /dev/null
+++ b/rules/findings/Microsoft 365/SharepointOnline/sharepoint-external-user-sharing-disabled.json
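Review bot: The condition compares `SharingDomainRestrictionMode` with the string `"0"`, but `Get-SPOTenant` exposes this property as an enum that is normally rendered as `None`/`AllowList`/`BlockList`; unless the collector stores the numeric value, the rule never fires, so confirm the stored form or match on `"None"` as well. The `remediation` value is delimited with single quotes (`'`), which is not JSON; the same applies to sharepoint-online-infected-files-download-disabled.json and sharepoint-sharing-links-missing-expiration.json, while the sibling rules in this commit use `"`, so settle on the one form the loader is known to accept. Step 4 also ends with a stray double period after `Limit external sharing by domain`.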
@@ -0,0 +1,45 @@
+{
+ "dashboard_name": "Sharepoint Online",
+ "menu_name": "Microsoft 365",
+ "issue_name": "Ensure that external users cannot share files, folders, and sites they do not own",
+ "description": "SharePoint gives users the ability to share files, folder, and site collections. Internal users can share with external collaborators, who with the right permissions, could share those to another external party.",
+ "rationale": "Sharing and collaboration are key; however, file, folder, or site collection owners should have the authority over what external users get shared with to prevent unauthorized disclosures of information.",
+ "impact": "Impact associated with this change is highly dependent upon current practices. If users do not regularly share with external parties, then minimal impact is likely. However, if users do regularly share with guests/externally, minimum impacts could occur as those external users will be unable to 're-share' content.",
+ "remediation": "
+ ###### To set SharePoint sharing settings, use the Microsoft 365 Admin Center
+ 1. Under `Admin centers` select `SharePoint`.
+ 2. Expand `Policies` then select `Sharing`.
+ 3. Expand `More external sharing settings`, uncheck `Allow guests to share items they don't own`.
+ 4. Click `Save`
+
+ ###### To Set Prevent external users from sharing files, folders, and sites that they don’t own, use the SharePoint Online PowerShell Module:
+ 1. Connect to SharePoint Online service using `Connect-SPOService`.
+ 2. Run the following SharePoint Online PowerShell command:
+ ```Powershell
+ Set-SPOTenant -PreventExternalUsersFromResharing $True
+ ```
+ ",
+ "references": [
+ "https://docs.microsoft.com/en-us/sharepoint/external-sharing-overview",
+ "https://docs.microsoft.com/en-us/sharepoint/turn-external-sharing-on-or-off"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations",
+ "version": "1.4.0",
+ "reference": "3.6"
+ }
+ ],
+ "tags": null,
+ "path": "o365_spo_tenant_details",
+ "display_path": "o365_spo_tenant_details",
+ "conditions": [
+ "and",
+ [
+ "PreventExternalUsersFromResharing",
+ "eq",
+ "false"
+ ]
+ ],
+ "id_suffix": "o365_spo_external_users_sharing_disabled"
+}
diff --git a/rules/findings/Microsoft 365/SharepointOnline/sharepoint-online-infected-files-download-disabled.json b/rules/findings/Microsoft 365/SharepointOnline/sharepoint-online-infected-files-download-disabled.json
new file mode 100644
index 00000000..b5111c69
--- /dev/null
+++ b/rules/findings/Microsoft 365/SharepointOnline/sharepoint-online-infected-files-download-disabled.json
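Review bot: `"tags": null` here, while the other SharePoint rules in this commit carry a tag naming the CIS control; for consistent filtering in reports, `"tags": ["Microsoft 365 CIS benchmark 3.6"]` would match the siblings. The same gap is in sharepoint-online-infected-files-download-disabled.json (control 2.5). The comparison `["PreventExternalUsersFromResharing","eq","false"]` tests a boolean tenant property against a string, as the sibling rules do, so the engine presumably normalises the type — worth confirming once, since a strict comparison would silently never match.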
@@ -0,0 +1,43 @@
+{
+ "dashboard_name": "Sharepoint Online",
+ "menu_name": "Microsoft 365",
+ "issue_name": "Ensure Office 365 SharePoint infected files are disallowed for download",
+ "description": "Office 365 ATP for SharePoint, OneDrive, and Microsoft Teams protects your organization from inadvertently sharing malicious files. When an infected file is detected, that file is blocked so that no one can open, copy, move, or share it until further actions are taken by the organization\u0027s security team.",
+ "rationale": "Defender for Office 365 for SharePoint, OneDrive, and Microsoft Teams protects your organization from inadvertently sharing malicious files. When an infected file is detected, that file is blocked so that no one can open, copy, move, or share it until further actions are taken by the organization's security team.", "impact": null,
+ "impact":"The only potential impact associated with implementation of this setting is potential inconvenience associated with the small percentage of false positive detections that may occur.",
+ "remediation": '
+ ###### To set O365 SharePoint to disallow download of infected files, use Powershell:
+ 1. Connect using `Connect-SPOService`, you will need to enter the URL for your Sharepoint Online admin page https://*-admin.sharepoint.com as well as a Global Admin account.
+ 2. Run the following Powershell command to set the value to True
+ ```Powershell
+ Set-SPOTenant –DisallowInfectedFileDownload $true
+ ```
+ 3. After several minutes run the following to verify the value for `DisallowInfectedFileDownload` has been set to True.
+ ```Powershell
+ Get-SPOTenant | Select-Object DisallowInfectedFileDownload
+ ```
+ ',
+ "references": [
+ "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/turn-on-atp-for-spo-odb-and-teams",
+ "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/virus-detection-in-spo?view=o365-worldwide"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations",
+ "version": "1.4.0",
+ "reference": "2.5"
+ }
+ ],
+ "tags": null,
+ "path": "o365_spo_tenant_admin_details",
+ "display_path": "o365_spo_tenant_admin_details",
+ "conditions": [
+ "and",
+ [
+ "DisallowInfectedFileDownload",
+ "eq",
+ "false"
+ ]
+ ],
+ "id_suffix": "o365_spo_infected_files_allowed_download"
+}
diff --git a/rules/findings/Microsoft 365/SharepointOnline/sharepoint-online-modern-authentication-disabled.json b/rules/findings/Microsoft 365/SharepointOnline/sharepoint-online-modern-authentication-disabled.json
new file mode 100644
index 00000000..7338f662
--- /dev/null
+++ b/rules/findings/Microsoft 365/SharepointOnline/sharepoint-online-modern-authentication-disabled.json
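Review bot: The object carries `"impact"` twice — `"impact": null` at the end of the `rationale` line and `"impact":"The only potential impact ..."` on the next — and duplicate keys are either rejected outright (PowerShell's `ConvertFrom-Json` does so, as far as I recall) or silently collapsed to one of the two values, so drop `, "impact": null` from the `rationale` line. `rationale` also repeats `description` almost verbatim (only the product name differs), leaving the rule without an actual justification; one of the two should say why blocking infected downloads matters. The PowerShell example uses an en dash in `Set-SPOTenant –DisallowInfectedFileDownload $true`; PowerShell tolerates it, but a plain `-` avoids surprises when the snippet is copied into other tooling.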
@@ -0,0 +1,48 @@
+{
+ "dashboard_name": "Sharepoint Online",
+ "menu_name": "Microsoft 365",
+ "issue_name": "Ensure modern authentication for SharePoint applications is required",
+ "description": "Modern authentication in Microsoft 365 enables authentication features like multifactor authentication (MFA) using smart cards, certificate-based authentication (CBA), and third party SAML identity provider.",
+ "rationale": "Strong authentication controls, such as the use of multifactor authentication, may be circumvented if basic authentication is used by SharePoint applications. Requiring modern authentication for SharePoint applications ensures strong authentication mechanisms are used when establishing sessions between these applications, SharePoint, and connecting users.",
+ "impact": "Implementation of modern authentication for SharePoint will require users to authenticate to SharePoint using modern authentication. This may cause a minor impact to typical user behavior.",
+ "remediation": "
+ ###### To set SharePoint settings, use the Microsoft 365 Admin Center
+ 1. Under `Admin centers` select `SharePoint`.
+ 2. Expand `Policies` then select `Access Control`.
+ 3. Select `Apps that don't use modern authentication`.
+ 4. Select the radio button for `Block`.
+ 5. Click `Save`
+
+ ###### To set Apps that don't use modern authentication is set to Block, use the SharePoint Online PowerShell Module:
+ 1. Connect to SharePoint Online using `Connect-SPOService` -Url https://tenant-admin.sharepoint.com replacing `tenant` with your value.
+ 2. Run the following Sharepoint Online PowerShell command:
+ ```Powershell
+ Set-SPOTenant -LegacyAuthProtocolsEnabled $false
+ ```
+ ",
+ "references": [
+ "https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/block-legacy-authentication",
+ "https://stealthbits.com/blog/how-to-harden-you-sharepoint-online-environment-by-disabling-legacy-authentication/"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations",
+ "version": "1.3.0",
+ "reference": "1.4"
+ }
+ ],
+ "tags": [
+ "Microsoft 365 CIS benchmark 1.4"
+ ],
+ "path": "o365_spo_tenant_admin_details",
+ "display_path": "o365_spo_tenant_admin_details",
+ "conditions": [
+ "and",
+ [
+ "LegacyAuthProtocolsEnabled",
+ "eq",
+ "true"
+ ]
+ ],
+ "id_suffix": "o365_spo_modern_auth_disabled"
+}
diff --git a/rules/findings/Microsoft 365/SharepointOnline/sharepoint-sharing-links-missing-expiration.json b/rules/findings/Microsoft 365/SharepointOnline/sharepoint-sharing-links-missing-expiration.json
new file mode 100644
index 00000000..392b6be1
--- /dev/null
+++ b/rules/findings/Microsoft 365/SharepointOnline/sharepoint-sharing-links-missing-expiration.json
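Review bot: `"version": "1.3.0"` in `compliance` here, while the other rules in this commit cite `1.4.0` of CIS Microsoft 365 Foundations; if the control id `1.4` was taken from the 1.4.0 benchmark the version should read `"version": "1.4.0"`, otherwise confirm that `1.4` is the right id in the 1.3.0 numbering. The same mismatch is in sharepoint-sharing-links-missing-expiration.json (`1.3.0` with reference `6.3`). The second reference points at a vendor blog post, which tends to disappear; the Microsoft documentation for `LegacyAuthProtocolsEnabled` would be the more durable citation.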
@@ -0,0 +1,49 @@
+{
+ "dashboard_name": "Sharepoint Online",
+ "menu_name": "Microsoft 365",
+ "issue_name": "Ensure expiration time for external sharing links is set",
+ "description": "Consider to restrict the length of time that anonymous access links are valid.",
+ "rationale": "An attacker can compromise a user account for a short period of time, send anonymous sharing links to an external account, then take their time accessing the data. They can also compromise external accounts and steal the anonymous sharing links sent to those external entities well after the data has been shared. Restricting how long the links are valid can reduce the window of opportunity for attackers.",
+ "impact": "Enabling this feature will ensure that link expire within the defined number of days. This will have an affect on links that were previously not set with an expiration.",
+ "remediation": '
+ ###### To set expiration for anonymous access links, use the Microsoft 365 Admin Center
+ 1. Log in as an SharePoint Administrator
+ 2. Navigate to Microsoft 365 administration portal, Click on Admin Centers and then SharePoint.
+ 3. Expand `Policies` then click `Sharing`.
+ 4. Check `These links must expire within this many days`.
+ 5. Set to the desired number of days, such as `30`.
+ 6. Click `OK`.
+
+ ###### To set expiration for anonymous access links, you can also use SharePoint Online PowerShell
+ 1. Connect to SharePoint Online using Connect-SPOService -Url https://tenant-admin.sharepoint.com and replacing `tenant` with your value.
+ 2. Run the following PowerShell command:
+ ```powershell
+ set-SPOTenant -RequireAnonymousLinksExpireInDays 30
+ ```
+ ',
+ "references": [
+ "https://docs.microsoft.com/en-us/sharepoint/turn-external-sharing-on-or-off",
+ "https://docs.microsoft.com/en-us/microsoft-365/solutions/microsoft-365-limit-sharing?view=o365-worldwide"
+ ],
+ "compliance": [
+ {
+ "name": "CIS Microsoft 365 Foundations",
+ "version": "1.3.0",
+ "reference": "6.3"
+ }
+ ],
+ "tags": [
+ "Microsoft 365 CIS benchmark 6.3"
+ ],
+ "path": "o365_spo_tenant_details",
+ "display_path": "o365_spo_tenant_details",
+ "conditions": [
+ "and",
+ [
+ "RequireAnonymousLinksExpireInDays",
+ "eq",
+ "-1"
+ ]
+ ],
+ "id_suffix": "sps_sharing_links_missing_expiration"
+}
diff --git a/rules/rulesets/cis_azure_1.4.json b/rules/rulesets/cis_azure_1.4.json
new file mode 100644
index 00000000..32ea51bf
--- /dev/null
+++ b/rules/rulesets/cis_azure_1.4.json
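Review bot: The condition fires only when `RequireAnonymousLinksExpireInDays` equals `"-1"`, which appears to be the no-expiry sentinel, so a tenant that sets an enormous window (several thousand days) passes although the remediation text recommends a bound such as 30; if the benchmark prescribes an upper limit, a second condition on that limit (using whatever greater-than operator the engine provides) under `or` would express it — confirm the operator name before adding it. Step 6 of the portal procedure says `Click \`OK\`` where the sibling rules say `Save`, and the PowerShell example is lowercase `set-SPOTenant`; both are cosmetic but easy to align with the other SharePoint rules in this commit.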
@@ -0,0 +1,1716 @@ +{ + "about": "This ruleset contains a collection of rules for Azure based on CIS benchmark. The rules are used as a mechanism to evaluate the configuration of Azure resources and to determine whether controls within a standard are being adhered to. Rules are also divided into categories and subcategories according to the rule's type. This will ensures that Azure cloud will meet the industry standards.", + "rules": { + "aad-iam-privileged-users-disabled-mfa.json": [ + { + "args": [ + "conditions/aad-privileged-roles.json" + ], + "enabled": true, + "level": "high", + "compliance": [ + { + "name": "CIS Microsoft Azure Foundations", + "version": "1.4.0", + "reference": "1.1" + } + ] + } + ], + "aad-iam-users-disabled-mfa.json": [ + { + "enabled": true, + "level": "high", + "compliance": [ + { + "name": "CIS Microsoft Azure Foundations", + "version": "1.4.0", + "reference": "1.2" + } + ] + } + ], + "aad-guest-users-present.json": [ + { + "enabled": true, + "level": "medium", + "compliance": [ + { + "name": "CIS Microsoft Azure Foundations", + "version": "1.4.0", + "reference": "1.3" + } + ] + } + ], + "azure-activedirectory-sspr-reset-methods.json": [ + { + "enabled": true, + "level": "low", + "compliance": [ + { + "name": "CIS Microsoft Azure Foundations", + "version": "1.4.0", + "reference": "1.5" + } + ] + } + ], + "azure-activedirectory-sspr-mfa-reconfirm-days.json": [ + { + "enabled": true, + "level": "low", + "compliance": [ + { + "name": "CIS Microsoft Azure Foundations", + "version": "1.4.0", + "reference": "1.6" + } + ] + } + ], + "azure-activedirectory-sspr-notify-users-disabled.json": [ + { + "enabled": true, + "level": "low", + "compliance": [ + { + "name": "CIS Microsoft Azure Foundations", + "version": "1.4.0", + "reference": "1.7" + } + ] + } + ], + "azure-activedirectory-sspr-notify-admin-disabled.json": [ + { + "enabled": true, + "level": "low", + "compliance": [ + { + "name": "CIS Microsoft Azure Foundations", + "version": "1.4.0", 
+ "reference": "1.8" + } + ] + } + ], + "azure-activedirectory-users-can-consent-apps-data-access.json": [ + { + "enabled": true, + "level": "medium", + "compliance": [ + { + "name": "CIS Microsoft Azure Foundations", + "version": "1.4.0", + "reference": "1.9" + } + ] + } + ], + "azure-activedirectory-users-can-add-gallery-apps.json": [ + { + "enabled": true, + "level": "info", + "compliance": [ + { + "name": "CIS Microsoft Azure Foundations", + "version": "1.4.0", + "reference": "1.10" + } + ] + } + ], + "azure-activedirectory-users-can-register-apps-enabled.json": [ + { + "enabled": true, + "level": "info", + "compliance": [ + { + "name": "CIS Microsoft Azure Foundations", + "version": "1.4.0", + "reference": "1.11" + } + ] + } + ], + "aad-guest-can-invite.json": [ + { + "enabled": true, + "level": "medium", + "compliance": [ + { + "name": "CIS Microsoft Azure Foundations", + "version": "1.4.0", + "reference": "1.13" + } + ] + } + ], + "azure-activedirectory-restrict-users-ad-portal.json": [ + { + "enabled": true, + "level": "medium", + "compliance": [ + { + "name": "CIS Microsoft Azure Foundations", + "version": "1.4.0", + "reference": "1.14" + } + ] + } + ], + "azure-activedirectory-users-can-access-group-features.json": [ + { + "enabled": true, + "level": "info", + "compliance": [ + { + "name": "CIS Microsoft Azure Foundations", + "version": "1.4.0", + "reference": "1.15" + } + ] + } + ], + "azure-activedirectory-users-can-create-security-groups.json": [ + { + "enabled": true, + "level": "low", + "compliance": [ + { + "name": "CIS Microsoft Azure Foundations", + "version": "1.4.0", + "reference": "1.16" + } + ] + } + ], + "azure-activedirectory-owners-can-manage-group-membership-enabled.json": [ + { + "enabled": true, + "level": "low", + "compliance": [ + { + "name": "CIS Microsoft Azure Foundations", + "version": "1.4.0", + "reference": "1.17" + } + ] + } + ], + "azure-activedirectory-users-can-create-o365-groups.json": [ + { + "enabled": true, + "level": 
"low", + "compliance": [ + { + "name": "CIS Microsoft Azure Foundations", + "version": "1.4.0", + "reference": "1.18" + } + ] + } + ], + "azure-activedirectory-devices-require-mfa-settings.json": [ + { + "enabled": true, + "level": "medium", + "compliance": [ + { + "name": "CIS Microsoft Azure Foundations", + "version": "1.4.0", + "reference": "1.19" + } + ] + } + ], + "azure-subscription-custom-role-excessive-permissions.json": [ + { + "enabled": true, + "level": "medium", + "compliance": [ + { + "name": "CIS Microsoft Azure Foundations", + "version": "1.4.0", + "reference": "1.20" + } + ] + } + ], + "aad-security-defaults-disabled.json": [ + { + "enabled": true, + "level": "medium", + "compliance": [ + { + "name": "CIS Microsoft Azure Foundations", + "version": "1.4.0", + "reference": "1.21" + } + ] + } + ], + "azure-subscription-missing-custom-lock-role.json": [ + { + "enabled": true, + "level": "medium", + "compliance": [ + { + "name": "CIS Microsoft Azure Foundations", + "version": "1.4.0", + "reference": "1.22" + } + ] + } + ], + "azure-defender-missing-vm-protection.json": [ + { + "enabled": true, + "level": "medium", + "compliance": [ + { + "name": "CIS Microsoft Azure Foundations", + "version": "1.4.0", + "reference": "2.1" + } + ] + } + ], + "azure-defender-missing-appservice-protection.json": [ + { + "enabled": true, + "level": "medium", + "compliance": [ + { + "name": "CIS Microsoft Azure Foundations", + "version": "1.4.0", + "reference": "2.2" + } + ] + } + ], + "azure-defender-missing-sql-server-protection.json": [ + { + "enabled": true, + "level": "medium", + "compliance": [ + { + "name": "CIS Microsoft Azure Foundations", + "version": "1.4.0", + "reference": "2.3" + } + ] + } + ], + "azure-defender-missing-sql-server-on-machines-protection.json": [ + { + "enabled": true, + "level": "medium", + "compliance": [ + { + "name": "CIS Microsoft Azure Foundations", + "version": "1.4.0", + "reference": "2.4" + } + ] + } + ], + 
"azure-defender-missing-storageaccount-protection.json": [ + { + "enabled": true, + "level": "medium", + "compliance": [ + { + "name": "CIS Microsoft Azure Foundations", + "version": "1.4.0", + "reference": "2.5" + } + ] + } + ], + "azure-defender-missing-kubernetes-protection.json": [ + { + "enabled": true, + "level": "medium", + "compliance": [ + { + "name": "CIS Microsoft Azure Foundations", + "version": "1.4.0", + "reference": "2.6" + } + ] + } + ], + "azure-defender-missing-container-registries-protection.json": [ + { + "enabled": true, + "level": "medium", + "compliance": [ + { + "name": "CIS Microsoft Azure Foundations", + "version": "1.4.0", + "reference": "2.7" + } + ] + } + ], + "azure-defender-missing-keyvault-protection.json": [ + { + "enabled": true, + "level": "medium", + "compliance": [ + { + "name": "CIS Microsoft Azure Foundations", + "version": "1.4.0", + "reference": "2.8" + } + ] + } + ], + "windows-defender-missing-security-center-integration.json": [ + { + "enabled": true, + "level": "medium", + "compliance": [ + { + "name": "CIS Microsoft Azure Foundations", + "version": "1.4.0", + "reference": "2.9" + } + ] + } + ], + "cloud-app-security-missing-security-center-integration.json": [ + { + "enabled": true, + "level": "medium", + "compliance": [ + { + "name": "CIS Microsoft Azure Foundations", + "version": "1.4.0", + "reference": "2.10" + } + ] + } + ], + "azure-automatic-vm-agent-provisioning-policy-disabled.json": [ + { + "enabled": true, + "level": "medium", + "compliance": [ + { + "name": "CIS Microsoft Azure Foundations", + "version": "1.4.0", + "reference": "2.11" + } + ] + } + ], + "azure-asc-monitor-adaptive-application-disabled-alert.json": [ + { + "args": [ + "adaptiveApplicationControlsMonitoringEffect", + "Adaptive Application Safelisting Monitoring" + ], + "enabled": true, + "level": "medium" + }, + { + "args": [ + "webApplicationFirewallMonitoringEffect", + "Web Application Firewall recommendations" + ], + "enabled": true, + 
"level": "medium" + }, + { + "args": [ + "diskEncryptionMonitoringEffect", + "Disk encryption recommendations for virtual machines" + ], + "enabled": true, + "level": "medium" + }, + { + "args": [ + "jitNetworkAccessMonitoringEffect", + "JIT Network Access for virtual machines" + ], + "enabled": true, + "level": "medium" + }, + { + "args": [ + "endpointProtectionMonitoringEffect", + "Endpoint protection recommendations for virtual machines" + ], + "enabled": true, + "level": "medium" + }, + { + "args": [ + "nextGenerationFirewallMonitoringEffect", + "Next generation firewall recommendations for virtual machines" + ], + "enabled": true, + "level": "medium" + }, + { + "args": [ + "networkSecurityGroupsMonitoringEffect", + "Network security group recommendations for virtual machines" + ], + "enabled": true, + "level": "medium" + }, + { + "args": [ + "systemConfigurationsMonitoringEffect", + "OS vulnerability recommendations for virtual machines" + ], + "enabled": true, + "level": "medium" + }, + { + "args": [ + "sqlAuditingMonitoringEffect", + "SQL auditing recommendations" + ], + "enabled": true, + "level": "medium" + }, + { + "args": [ + "sqlEncryptionMonitoringEffect", + "SQL encryption recommendations" + ], + "enabled": true, + "level": "medium" + }, + { + "args": [ + "storageEncryptionMonitoringEffect", + "Storage encryption recommendations" + ], + "enabled": true, + "level": "medium" + }, + { + "args": [ + "systemUpdatesMonitoringEffect", + "System Updates for Virtual Machines" + ], + "enabled": true, + "level": "medium" + }, + { + "args": [ + "vulnerabilityAssesmentMonitoringEffect", + "Vulnerability assessments for Virtual Machines" + ], + "enabled": true, + "level": "medium" + } + ], + "azure-security-contact-mail-disabled.json": [ + { + "enabled": true, + "level": "medium", + "compliance": [ + { + "name": "CIS Microsoft Azure Foundations", + "version": "1.4.0", + "reference": "2.13" + } + ] + } + ], + 
"azure-security-contact-send-email-high-alerts-disabled.json": [ + { + "enabled": true, + "level": "medium", + "compliance": [ + { + "name": "CIS Microsoft Azure Foundations", + "version": "1.4.0", + "reference": "2.14" + } + ] + } + ], + "azure-security-contact-send-email-to-owners-disabled.json": [ + { + "enabled": true, + "level": "medium", + "compliance": [ + { + "name": "CIS Microsoft Azure Foundations", + "version": "1.4.0", + "reference": "2.15" + } + ] + } + ], + "azure-storage-accounts-https-traffic-enabled.json": [ + { + "enabled": true, + "level": "medium", + "compliance": [ + { + "name": "CIS Microsoft Azure Foundations", + "version": "1.4.0", + "reference": "3.1" + } + ] + } + ], + "azure-storage-accounts-key-rotation-disabled.json": [ + { + "enabled": true, + "level": "medium", + "compliance": [ + { + "name": "CIS Microsoft Azure Foundations", + "version": "1.4.0", + "reference": "3.2" + } + ] + } + ], + "azure-storage-accounts-queue-logging-disabled.json": [ + { + "enabled": true, + "level": "medium", + "compliance": [ + { + "name": "CIS Microsoft Azure Foundations", + "version": "1.4.0", + "reference": "3.3" + } + ] + } + ], + "azure-storage-accounts-public-access-level.json": [ + { + "enabled": true, + "level": "medium", + "compliance": [ + { + "name": "CIS Microsoft Azure Foundations", + "version": "1.4.0", + "reference": "3.5" + } + ] + } + ], + "azure-storage-accounts-access-all-networks.json": [ + { + "enabled": true, + "level": "medium", + "compliance": [ + { + "name": "CIS Microsoft Azure Foundations", + "version": "1.4.0", + "reference": "3.6" + } + ] + } + ], + "azure-storage-accounts-trusted-ms-services-bypass.json": [ + { + "enabled": true, + "level": "medium", + "compliance": [ + { + "name": "CIS Microsoft Azure Foundations", + "version": "1.4.0", + "reference": "3.7" + } + ] + } + ], + "azure-storage-accounts-blob-data-protection-missing.json": [ + { + "enabled": true, + "level": "medium", + "compliance": [ + { + "name": "CIS Microsoft 
Azure Foundations", + "version": "1.4.0", + "reference": "3.8" + } + ] + } + ], + "azure-storage-accounts-lack-cmk.json": [ + { + "enabled": true, + "level": "medium", + "compliance": [ + { + "name": "CIS Microsoft Azure Foundations", + "version": "1.4.0", + "reference": "3.9" + } + ] + } + ], + "azure-storage-accounts-blob-logging-disabled.json": [ + { + "enabled": true, + "level": "low", + "compliance": [ + { + "name": "CIS Microsoft Azure Foundations", + "version": "1.4.0", + "reference": "3.10" + } + ] + } + ], + "azure-storage-accounts-table-logging-disabled.json": [ + { + "enabled": true, + "level": "low", + "compliance": [ + { + "name": "CIS Microsoft Azure Foundations", + "version": "1.4.0", + "reference": "3.11" + } + ] + } + ], + "azure-storage-accounts-minimum-tls-disabled.json": [ + { + "enabled": true, + "level": "low", + "compliance": [ + { + "name": "CIS Microsoft Azure Foundations", + "version": "1.4.0", + "reference": "3.12" + } + ] + } + ], + "azure-sql-server-auditing-disabled.json": [ + { + "enabled": true, + "level": "low", + "compliance": [ + { + "name": "CIS Microsoft Azure Foundations", + "version": "1.4.0", + "reference": "4.1.1" + } + ] + } + ], + "azure-sql-server-data-encryption-disabled.json": [ + { + "enabled": true, + "level": "low", + "compliance": [ + { + "name": "CIS Microsoft Azure Foundations", + "version": "1.4.0", + "reference": "4.1.2" + } + ] + } + ], + "azure-sql-server-auditing-retention.json": [ + { + "enabled": true, + "level": "low", + "compliance": [ + { + "name": "CIS Microsoft Azure Foundations", + "version": "1.4.0", + "reference": "4.1.3" + } + ] + } + ], + "azure-sql-server-advanced-threat-protection-disabled.json": [ + { + "enabled": true, + "level": "medium", + "compliance": [ + { + "name": "CIS Microsoft Azure Foundations", + "version": "1.4.0", + "reference": "4.2.1" + } + ] + } + ], + "azure-sql-server-vulnerability-assessments-disabled.json": [ + { + "enabled": true, + "level": "medium", + "compliance": [ + { 
+ "name": "CIS Microsoft Azure Foundations", + "version": "1.4.0", + "reference": "4.2.2" + } + ] + } + ], + "azure-sql-server-vulnerability-periodic-assessments-disabled.json": [ + { + "enabled": true, + "level": "medium", + "compliance": [ + { + "name": "CIS Microsoft Azure Foundations", + "version": "1.4.0", + "reference": "4.2.3" + } + ] + } + ], + "azure-sql-server-vulnerability-assessments-send-reports-disabled.json": [ + { + "enabled": true, + "level": "medium", + "compliance": [ + { + "name": "CIS Microsoft Azure Foundations", + "version": "1.4.0", + "reference": "4.2.4" + } + ] + } + ], + "azure-sql-server-vulnerability-assessments-reportsto-admins-disabled.json": [ + { + "enabled": true, + "level": "medium", + "compliance": [ + { + "name": "CIS Microsoft Azure Foundations", + "version": "1.4.0", + "reference": "4.2.5" + } + ] + } + ], + "azure-postgresql-enforcessl-disabled.json": [ + { + "enabled": true, + "level": "medium", + "compliance": [ + { + "name": "CIS Microsoft Azure Foundations", + "version": "1.4.0", + "reference": "4.3.1" + } + ] + } + ], + "azure-postgresql-log-checkpoints-disabled.json": [ + { + "enabled": true, + "level": "medium", + "compliance": [ + { + "name": "CIS Microsoft Azure Foundations", + "version": "1.4.0", + "reference": "4.3.2" + } + ] + } + ], + "azure-postgresql-log-connections-disabled.json": [ + { + "enabled": true, + "level": "medium", + "compliance": [ + { + "name": "CIS Microsoft Azure Foundations", + "version": "1.4.0", + "reference": "4.3.3" + } + ] + } + ], + "azure-postgresql-log-disconnections-disabled.json": [ + { + "enabled": true, + "level": "medium", + "compliance": [ + { + "name": "CIS Microsoft Azure Foundations", + "version": "1.4.0", + "reference": "4.3.4" + } + ] + } + ], + "azure-postgresql-connection-throttling-disabled.json": [ + { + "enabled": true, + "level": "medium", + "compliance": [ + { + "name": "CIS Microsoft Azure Foundations", + "version": "1.4.0", + "reference": "4.3.5" + } + ] + } + ], + 
"azure-postgresql-log-retention-days.json": [ + { + "enabled": true, + "level": "medium", + "compliance": [ + { + "name": "CIS Microsoft Azure Foundations", + "version": "1.4.0", + "reference": "4.3.6" + } + ] + } + ], + "azure-postgresql-allow-access-azure-services-enabled.json": [ + { + "enabled": true, + "level": "medium", + "compliance": [ + { + "name": "CIS Microsoft Azure Foundations", + "version": "1.4.0", + "reference": "4.3.7" + } + ] + } + ], + "azure-postgresql-infrastructure-encryption-disabled.json": [ + { + "enabled": true, + "level": "medium", + "compliance": [ + { + "name": "CIS Microsoft Azure Foundations", + "version": "1.4.0", + "reference": "4.3.8" + } + ] + } + ], + "azure-mysql-enforcessl-disabled.json": [ + { + "enabled": true, + "level": "medium", + "compliance": [ + { + "name": "CIS Microsoft Azure Foundations", + "version": "1.4.0", + "reference": "4.4.1" + } + ] + } + ], + "azure-mysql-latest-tls-version-disabled.json": [ + { + "enabled": true, + "level": "medium", + "compliance": [ + { + "name": "CIS Microsoft Azure Foundations", + "version": "1.4.0", + "reference": "4.4.2" + } + ] + } + ], + "azure-sql-server-active-directory-admin-disabled.json": [ + { + "enabled": true, + "level": "medium", + "compliance": [ + { + "name": "CIS Microsoft Azure Foundations", + "version": "1.4.0", + "reference": "4.5" + } + ] + } + ], + "azure-sql-server-tdp-own-key-enabled.json": [ + { + "enabled": true, + "level": "medium", + "compliance": [ + { + "name": "CIS Microsoft Azure Foundations", + "version": "1.4.0", + "reference": "4.6" + } + ] + } + ], + "azure-diagnostic-settings-disabled.json": [ + { + "enabled": true, + "level": "medium", + "compliance": [ + { + "name": "CIS Microsoft Azure Foundations", + "version": "1.4.0", + "reference": "5.1.1" + } + ] + } + ], + "azure-diagnostic-settings-missing-categories.json": [ + { + "enabled": true, + "level": "medium", + "compliance": [ + { + "name": "CIS Microsoft Azure Foundations", + "version": "1.4.0", + 
"reference": "5.1.2" + } + ] + } + ], + "azure-log-profile-container-public-access.json": [ + { + "enabled": true, + "level": "high", + "compliance": [ + { + "name": "CIS Microsoft Azure Foundations", + "version": "1.4.0", + "reference": "5.1.3" + } + ] + } + ], + "azure-log-profile-storage-account-byok-disabled.json": [ + { + "enabled": true, + "level": "medium", + "compliance": [ + { + "name": "CIS Microsoft Azure Foundations", + "version": "1.4.0", + "reference": "5.1.4" + } + ] + } + ], + "azure-keyvault-logging-enabled.json": [ + { + "enabled": true, + "level": "medium", + "compliance": [ + { + "name": "CIS Microsoft Azure Foundations", + "version": "1.4.0", + "reference": "5.1.5" + } + ] + } + ], + "azure-activity-log-disabled-alerts.json": [ + { + "args": [ + "Create Policy Assignment", + "Microsoft.Authorization/policyAssignments/write", + "True", + "5.2.1", + 'Monitoring for create policy assignment events gives insight into changes done in "azure policy - assignments" and may reduce the time it takes to detect unsolicited changes.' + ], + "enabled": true, + "level": "medium" + }, + { + "args": [ + "Delete Policy Assignment", + "Microsoft.Authorization/policyAssignments/delete", + "True", + "5.2.2", + 'Monitoring for delete policy assignment events gives insight into changes done in "azure policy - assignments" and may reduce the time it takes to detect unsolicited changes.' + ], + "enabled": true, + "level": "medium" + }, + { + "args": [ + "Create or Update Network Security Group", + "Microsoft.Network/networkSecurityGroups/write", + "True", + "5.2.3", + 'Monitoring for "Create" or "Update Network Security Group" events gives insight into network access changes and may reduce the time it takes to detect suspicious activity.' 
+ ], + "enabled": true, + "level": "medium" + }, + { + "args": [ + "Delete Network Security Group", + "Microsoft.Network/networkSecurityGroups/delete", + "True", + "5.2.4", + 'Monitoring for "Delete Network Security Group" events gives insight into network access changes and may reduce the time it takes to detect suspicious activity.' + ], + "enabled": true, + "level": "medium" + }, + { + "args": [ + "Create or Update Network Security Group Rule", + "Microsoft.Network/networkSecurityGroups/securityRules/write", + "True", + "5.2.5", + 'Monitoring for Create or Update Network Security Group Rule events gives insight into network access changes and may reduce the time it takes to detect suspicious activity.' + ], + "enabled": true, + "level": "medium" + }, + { + "args": [ + "Delete Network Security Group Rule", + "Microsoft.Network/networkSecurityGroups/securityRules/delete", + "True", + "5.2.6", + 'Monitoring for Delete Network Security Group Rule events gives insight into network access changes and may reduce the time it takes to detect suspicious activity.' + ], + "enabled": true, + "level": "medium" + }, + { + "args": [ + "Create or Update Security Solution", + "Microsoft.Security/securitySolutions/write", + "True", + "5.2.7", + 'Monitoring for Create or Update Security Solution events gives insight into changes to the active security solutions and may reduce the time it takes to detect suspicious activity.' + ], + "enabled": true, + "level": "medium" + }, + { + "args": [ + "Delete Security Solution", + "Microsoft.Security/securitySolutions/delete", + "True", + "5.2.8", + 'Monitoring for Delete Security Solution events gives insight into changes to the active security solutions and may reduce the time it takes to detect suspicious activity.' 
+ ], + "enabled": true, + "level": "medium" + }, + { + "args": [ + "Create or Update or Delete SQL Server Firewall Rule", + "Microsoft.Sql/servers/firewallRules/write", + "True", + "5.2.9", + 'Monitoring for Create or Update or Delete SQL Server Firewall Rule events gives insight into network access changes and may reduce the time it takes to detect suspicious activity.' + ], + "enabled": true, + "level": "medium" + } + ], + "azure-activity-log-missing-alerts.json": [ + { + "args": [ + "Create Policy Assignment", + "Microsoft.Authorization/policyAssignments/write", + "", + "5.2.1", + "Monitoring for create policy assignment events gives insight into changes done in 'azure policy - assignments' and may reduce the time it takes to detect unsolicited changes.", + "monkey365 rule" + ], + "enabled": true, + "level": "medium" + }, + { + "args": [ + "Create or Update Network Security Group", + "Microsoft.Network/networkSecurityGroups/write", + "", + "5.2.2", + "Monitoring for 'Create' or 'Update Network Security Group' events gives insight into network access changes and may reduce the time it takes to detect suspicious activity.", + "monkey365 rule" + ], + "enabled": true, + "level": "medium" + }, + { + "args": [ + "Create or Update Network Security Group Rule", + "Microsoft.Network/networkSecurityGroups/securityRules/write", + "", + "5.2.4", + "Monitoring for Create or Update Network Security Group Rule events gives insight into network access changes and may reduce the time it takes to detect suspicious activity.", + "monkey365 rule" + ], + "enabled": true, + "level": "medium" + }, + { + "args": [ + "Delete Network Security Group Rule", + "Microsoft.Network/networkSecurityGroups/securityRules/delete", + "", + "5.2.5", + "Monitoring for Delete Network Security Group Rule events gives insight into network access changes and may reduce the time it takes to detect suspicious activity.", + "monkey365 rule" + ], + "enabled": true, + "level": "medium" + }, + { + "args": [ + 
"Delete Network Security Group", + "Microsoft.Network/networkSecurityGroups/delete", + "", + "5.2.3", + "Monitoring for 'Delete Network Security Group' events gives insight into network access changes and may reduce the time it takes to detect suspicious activity.", + "monkey365 rule" + ], + "enabled": true, + "level": "medium" + }, + { + "args": [ + "Create or Update Security Solution", + "Microsoft.Security/securitySolutions/write", + "", + "5.2.6", + "Monitoring for Create or Update Security Solution events gives insight into changes to the active security solutions and may reduce the time it takes to detect suspicious activity.", + "monkey365 rule" + ], + "enabled": true, + "level": "medium" + }, + { + "args": [ + "Delete Security Solution", + "Microsoft.Security/securitySolutions/delete", + "", + "5.2.7", + "Monitoring for Delete Security Solution events gives insight into changes to the active security solutions and may reduce the time it takes to detect suspicious activity.", + "monkey365 rule" + ], + "enabled": true, + "level": "medium" + }, + { + "args": [ + "Create or Update or Delete SQL Server Firewall Rule", + "Microsoft.Sql/servers/firewallRules/write", + "", + "5.2.8", + "Monitoring for Create or Update or Delete SQL Server Firewall Rule events gives insight into network access changes and may reduce the time it takes to detect suspicious activity.", + "monkey365 rule" + ], + "enabled": true, + "level": "medium" + }, + { + "args": [ + "Update Security Policy", + "Microsoft.Security/policies/write", + "", + "5.2.9", + "Monitoring for Update Security Policy events gives insight into changes to security policy and may reduce the time it takes to detect suspicious activity.", + "monkey365 rule" + ], + "enabled": true, + "level": "medium" + } + ], + "azure-nsg-port-open.json": [ + { + "args": [ + "ALL", + "*", + "all ports open to all" + ], + "enabled": true, + "level": "high" + }, + { + "args": [ + "ALL", + "0-65535", + "all ports open to all" + ], + 
"enabled": true, + "level": "high" + } + ], + "azure-nsg-tcp-ports-open.json": [ + { + "args": [ + "RDP", + "3389", + "Disable RDP access on network security groups from the Internet.", + "The potential security problem with using RDP over the Internet is that attackers can use various brute force techniques to gain access to Azure Virtual Machines. Once the attackers gain access, they can use a virtual machine as a launch point for compromising other machines on an Azure Virtual Network or even attack networked devices outside of Azure", + "6.1", + "" + ], + "enabled": true, + "level": "medium" + }, + { + "args": [ + "FTP", + "21", + "Disable FTP access on network security groups from the Internet.", + "The potential security problem with using FTP over the Internet is that attackers can use various brute force techniques to gain access to Azure Virtual Machines. Once the attackers gain access, they can use a virtual machine as a launch point for compromising other machines on the Azure Virtual Network or even attack networked devices outside of Azure", + "", + "monkey365 rule" + ], + "enabled": true, + "level": "medium" + }, + { + "args": [ + "SSH", + "22", + "Disable SSH access on network security groups from the Internet.", + "The potential security problem with using SSH over the Internet is that attackers can use various brute force techniques to gain access to Azure Virtual Machines. Once the attackers gain access, they can use a virtual machine as a launch point for compromising other machines on the Azure Virtual Network or even attack networked devices outside of Azure", + "6.2", + "" + ], + "enabled": true, + "level": "medium" + }, + { + "args": [ + "TELNET", + "23", + "Disable Telnet access on network security groups from the Internet.", + "The potential security problem with using TELNET over the Internet is that attackers can use various brute force techniques to gain access to Azure Virtual Machines. 
Once the attackers gain access, they can use a virtual machine as a launch point for compromising other machines on the Azure Virtual Network or even attack networked devices outside of Azure", + "", + "monkey365 rule" + ], + "enabled": true, + "level": "medium" + }, + { + "args": [ + "SQL", + "1433", + "Disable SQL access on network security groups from the Internet.", + "The potential security problem with using SQL over the Internet is that attackers can use various brute force techniques to gain access to Azure Virtual Machines. Once the attackers gain access, they can use a virtual machine as a launch point for compromising other machines on the Azure Virtual Network or even attack networked devices outside of Azure", + "", + "monkey365 rule" + ], + "enabled": true, + "level": "medium" + } + ], + "azure-sql-fw-allow-all.json": [ + { + "args": [ + "SQL", + "0.0.0.0", + "255.255.255.255", + "A custom rule was set up with StartIp of 0.0.0.0 and EndIP of 255.255.255.255 allowing access from ANY IP over the Internet", + "6.3" + ], + "enabled": true, + "level": "medium" + }, + { + "args": [ + "SQL", + "0.0.0.0", + "0.0.0.0", + "By default, for a SQL server, a Firewall exists with StartIp of 0.0.0.0 and EndIP of 0.0.0.0 allowing access to all the Azure services", + "6.3" + + ], + "enabled": true, + "level": "medium" + } + ], + "azure-network-watcher-flow-log-retention.json": [ + { + "enabled": true, + "level": "medium", + "compliance": [ + { + "name": "CIS Microsoft Azure Foundations", + "version": "1.4.0", + "reference": "6.4" + } + ] + } + ], + "azure-network-watcher-disabled.json": [ + { + "enabled": true, + "level": "medium", + "compliance": [ + { + "name": "CIS Microsoft Azure Foundations", + "version": "1.4.0", + "reference": "6.5" + } + ] + } + ], + "azure-nsg-udp-ports-open.json": [ + { + "args": [ + "DNS", + "53", + "Disable DNS access on network security groups from the Internet.", + "The potential security problem with broadly exposing UDP services over 
the Internet is that attackers can use DDoS amplification techniques to reflect spoofed UDP traffic from Azure Virtual Machines. The most common types of these attacks use exposed DNS, NTP, SSDP, SNMP, CLDAP and other UDP-based services as amplification source for disrupting services of other machines on the Azure Virtual Network or even attack networked devices outside of Azure.", + "6.6", + "" + ], + "enabled": true, + "level": "medium" + }, + { + "args": [ + "NTP", + "123", + "Disable NTP access on network security groups from the Internet.", + "The potential security problem with broadly exposing UDP services over the Internet is that attackers can use DDoS amplification techniques to reflect spoofed UDP traffic from Azure Virtual Machines. The most common types of these attacks use exposed DNS, NTP, SSDP, SNMP, CLDAP and other UDP-based services as amplification source for disrupting services of other machines on the Azure Virtual Network or even attack networked devices outside of Azure.", + "6.6", + "" + ], + "enabled": true, + "level": "medium" + }, + { + "args": [ + "SNMP", + "161", + "Disable SNMP access on network security groups from the Internet.", + "The potential security problem with broadly exposing UDP services over the Internet is that attackers can use DDoS amplification techniques to reflect spoofed UDP traffic from Azure Virtual Machines. 
The most common types of these attacks use exposed DNS, NTP, SSDP, SNMP, CLDAP and other UDP-based services as amplification source for disrupting services of other machines on the Azure Virtual Network or even attack networked devices outside of Azure.", + "6.6", + "" + ], + "enabled": true, + "level": "medium" + }, + { + "args": [ + "LDAP", + "389", + "Disable LDAP access on network security groups from the Internet.", + "The potential security problem with broadly exposing UDP services over the Internet is that attackers can use DDoS amplification techniques to reflect spoofed UDP traffic from Azure Virtual Machines. The most common types of these attacks use exposed DNS, NTP, SSDP, SNMP, CLDAP and other UDP-based services as amplification source for disrupting services of other machines on the Azure Virtual Network or even attack networked devices outside of Azure.", + "6.6", + "" + ], + "enabled": true, + "level": "medium" + }, + { + "args": [ + "UPnP/SSDP", + "1900", + "Disable UPnP/SSDP access on network security groups from the Internet.", + "The potential security problem with broadly exposing UDP services over the Internet is that attackers can use DDoS amplification techniques to reflect spoofed UDP traffic from Azure Virtual Machines. 
The most common types of these attacks use exposed DNS, NTP, SSDP, SNMP, CLDAP and other UDP-based services as amplification source for disrupting services of other machines on the Azure Virtual Network or even attack networked devices outside of Azure.", + "6.6", + "" + ], + "enabled": true, + "level": "medium" + } + ], + "azure-os-managed-disk-disabled.json": [ + { + "enabled": true, + "level": "medium", + "compliance": [ + { + "name": "CIS Microsoft Azure Foundations", + "version": "1.4.0", + "reference": "7.1" + } + ] + } + ], + "azure-vm-os-data-sse-encryption-disabled.json": [ + { + "enabled": true, + "level": "medium", + "compliance": [ + { + "name": "CIS Microsoft Azure Foundations", + "version": "1.4.0", + "reference": "7.2" + } + ] + } + ], + "azure-unattached-disk-sse-encryption-disabled.json": [ + { + "enabled": true, + "level": "medium", + "compliance": [ + { + "name": "CIS Microsoft Azure Foundations", + "version": "1.4.0", + "reference": "7.3" + } + ] + } + ], + "azure-vm-approved-extensions.json": [ + { + "enabled": true, + "level": "medium", + "compliance": [ + { + "name": "CIS Microsoft Azure Foundations", + "version": "1.4.0", + "reference": "7.4" + } + ] + } + ], + "azure-vm-missing-critical-updates.json": [ + { + "enabled": true, + "level": "high", + "compliance": [ + { + "name": "CIS Microsoft Azure Foundations", + "version": "1.4.0", + "reference": "7.5" + } + ] + } + ], + "azure-vm-missing-moderate-updates.json": [ + { + "enabled": true, + "level": "medium", + "compliance": [ + { + "name": "CIS Microsoft Azure Foundations", + "version": "1.4.0", + "reference": "7.5" + } + ] + } + ], + "azure-vm-antimalware-disabled.json": [ + { + "enabled": true, + "level": "medium", + "compliance": [ + { + "name": "CIS Microsoft Azure Foundations", + "version": "1.4.0", + "reference": "7.6" + } + ] + } + ], + "azure-os-disk-encryption-disabled.json": [ + { + "enabled": true, + "level": "medium", + "compliance": [ + { + "name": "CIS Microsoft Azure 
Foundations", + "version": "1.4.0", + "reference": "7.7" + } + ] + } + ], + "azure-keyvault-keys-expiration-set.json": [ + { + "enabled": true, + "level": "medium", + "compliance": [ + { + "name": "CIS Microsoft Azure Foundations", + "version": "1.4.0", + "reference": "8.1" + } + ] + } + ], + "azure-keyvault-secrets-expiration-set.json": [ + { + "enabled": true, + "level": "medium", + "compliance": [ + { + "name": "CIS Microsoft Azure Foundations", + "version": "1.4.0", + "reference": "8.3" + } + ] + } + ], + "azure-subscription-missing-lock.json": [ + { + "enabled": true, + "level": "medium", + "compliance": [ + { + "name": "CIS Microsoft Azure Foundations", + "version": "1.4.0", + "reference": "8.5" + } + ] + } + ], + "azure-keyvault-recoverable.json": [ + { + "enabled": true, + "level": "medium", + "compliance": [ + { + "name": "CIS Microsoft Azure Foundations", + "version": "1.4.0", + "reference": "8.6" + } + ] + } + ], + "azure-app-services-auth-disabled.json": [ + { + "enabled": true, + "level": "medium", + "compliance": [ + { + "name": "CIS Microsoft Azure Foundations", + "version": "1.4.0", + "reference": "9.1" + } + ] + } + ], + "azure-app-services-https-only-disabled.json": [ + { + "enabled": true, + "level": "medium", + "compliance": [ + { + "name": "CIS Microsoft Azure Foundations", + "version": "1.4.0", + "reference": "9.2" + } + ] + } + ], + "azure-app-services-latest-tls-version-missing.json": [ + { + "enabled": true, + "level": "medium", + "compliance": [ + { + "name": "CIS Microsoft Azure Foundations", + "version": "1.4.0", + "reference": "9.3" + } + ] + } + ], + "azure-app-services-client-certificate-missing.json": [ + { + "enabled": true, + "level": "medium", + "compliance": [ + { + "name": "CIS Microsoft Azure Foundations", + "version": "1.4.0", + "reference": "9.4" + } + ] + } + ], + "azure-app-services-ad-managed-identity-missing.json": [ + { + "enabled": true, + "level": "medium", + "compliance": [ + { + "name": "CIS Microsoft Azure 
Foundations", + "version": "1.4.0", + "reference": "9.5" + } + ] + } + ], + "azure-app-services-latest-php-version-missing.json": [ + { + "enabled": true, + "level": "medium", + "compliance": [ + { + "name": "CIS Microsoft Azure Foundations", + "version": "1.4.0", + "reference": "9.6" + } + ] + } + ], + "azure-app-services-latest-python-version-missing.json": [ + { + "enabled": true, + "level": "medium", + "compliance": [ + { + "name": "CIS Microsoft Azure Foundations", + "version": "1.4.0", + "reference": "9.7" + } + ] + } + ], + "azure-app-services-latest-java-version-missing.json": [ + { + "enabled": true, + "level": "medium", + "compliance": [ + { + "name": "CIS Microsoft Azure Foundations", + "version": "1.4.0", + "reference": "9.8" + } + ] + } + ], + "azure-app-services-latest-http-version-disabled.json": [ + { + "enabled": true, + "level": "low", + "compliance": [ + { + "name": "CIS Microsoft Azure Foundations", + "version": "1.4.0", + "reference": "9.9" + } + ] + } + ], + "azure-app-services-ftp-deployment-enabled.json": [ + { + "enabled": true, + "level": "medium", + "compliance": [ + { + "name": "CIS Microsoft Azure Foundations", + "version": "1.4.0", + "reference": "9.10" + } + ] + } + ] + } +} \ No newline at end of file diff --git a/rules/rulesets/cis_m365_1.4.json b/rules/rulesets/cis_m365_1.4.json new file mode 100644 index 00000000..a4fec2cf --- /dev/null +++ b/rules/rulesets/cis_m365_1.4.json 
@@ -0,0 +1,431 @@ +{ + "about": "This ruleset contains a collection of rules for Microsoft 365 based on CIS benchmark. These rules perform static analysis on Microsoft 365 artifacts within Exchange Online, SharePoint Online, Microsoft Teams or OneDrive, among others, and are used as a mechanism to evaluate the configuration of these Microsoft 365 workloads. Rules are also divided into categories and subcategories according to the rule's type. These rules are designed to determine whether controls within a standard are being adhered to. This will ensures that Microsoft 365 tenant will meet the industry standards.", + "rules": { + "aad-iam-privileged-users-disabled-mfa.json": [ + { + "args": [ + "conditions/aad-m365-privileged-roles.json" + ], + "enabled": true, + "level": "high", + "compliance": [ + { + "name": "CIS Microsoft 365 Foundations", + "version": "1.4.0", + "reference": "1.1.1" + } + ] + } + ], + "aad-iam-users-disabled-mfa.json": [ + { + "enabled": true, + "level": "high", + "compliance": [ + { + "name": "CIS Microsoft 365 Foundations", + "version": "1.4.0", + "reference": "1.1.2" + } + ] + } + ], + "aad-iam-excessive-global-admins.json": [ + { + "enabled": true, + "level": "high", + "compliance": [ + { + "name": "CIS Microsoft 365 Foundations", + "version": "1.4.0", + "reference": "1.1.3" + } + ] + } + ], + "aad-iam-only-one-global-admin.json": [ + { + "enabled": true, + "level": "medium", + "compliance": [ + { + "name": "CIS Microsoft 365 Foundations", + "version": "1.4.0", + "reference": "1.1.3" + } + ] + } + ], + "aad-sspr-disabled.json": [ + { + "enabled": true, + "level": "medium", + "compliance": [ + { + "name": "CIS Microsoft 365 Foundations", + "version": "1.4.0", + "reference": "1.1.4" + } + ] + } + ], + "aad-password-protection-disabled.json": [ + { + "enabled": true, + "level": "medium", + "compliance": [ + { + "name": "CIS Microsoft 365 Foundations", + "version": "1.4.0", + "reference": "1.1.5" + } + ] + } + ], + 
"aad-sign-in-policy-all_users_disabled.json": [ + { + "enabled": true, + "level": "medium", + "compliance": [ + { + "name": "CIS Microsoft 365 Foundations", + "version": "1.4.0", + "reference": "1.1.8" + } + ] + } + ], + "aad-sign-in-policy-disabled.json": [ + { + "enabled": true, + "level": "medium", + "compliance": [ + { + "name": "CIS Microsoft 365 Foundations", + "version": "1.4.0", + "reference": "1.1.8" + } + ] + } + ], + "aad-user-risk-policy-all_users_disabled.json": [ + { + "enabled": true, + "level": "medium", + "compliance": [ + { + "name": "CIS Microsoft 365 Foundations", + "version": "1.4.0", + "reference": "1.1.9" + } + ] + } + ], + "aad-user-risk-policy-disabled.json": [ + { + "enabled": true, + "level": "medium", + "compliance": [ + { + "name": "CIS Microsoft 365 Foundations", + "version": "1.4.0", + "reference": "1.1.9" + } + ] + } + ], + "aad-security-defaults-enabled.json": [ + { + "enabled": true, + "level": "medium", + "compliance": [ + { + "name": "CIS Microsoft 365 Foundations", + "version": "1.4.0", + "reference": "1.1.11" + } + ] + } + ], + "aad-restrict-collaboration-specific-domains-disabled.json": [ + { + "enabled": true, + "level": "medium", + "compliance": [ + { + "name": "CIS Microsoft 365 Foundations", + "version": "1.4.0", + "reference": "1.1.13" + } + ] + } + ], + "aad-linkedin-sync-enabled.json": [ + { + "enabled": true, + "level": "low", + "compliance": [ + { + "name": "CIS Microsoft 365 Foundations", + "version": "1.4.0", + "reference": "1.1.14" + } + ] + } + ], + "aad-stay_signed_policy-disabled.json": [ + { + "enabled": true, + "level": "low", + "compliance": [ + { + "name": "CIS Microsoft 365 Foundations", + "version": "1.4.0", + "reference": "1.1.13" + } + ] + } + ], + "exchange-modern-authentication-disabled.json": [ + { + "enabled": true, + "level": "medium", + "compliance": [ + { + "name": "CIS Microsoft 365 Foundations", + "version": "1.4.0", + "reference": "1.2" + } + ] + } + ], + 
"sharepoint-online-modern-authentication-disabled.json": [ + { + "enabled": true, + "level": "medium", + "compliance": [ + { + "name": "CIS Microsoft 365 Foundations", + "version": "1.4.0", + "reference": "1.4" + } + ] + } + ], + "aad-password-expiring-enabled.json": [ + { + "enabled": true, + "level": "medium", + "compliance": [ + { + "name": "CIS Microsoft 365 Foundations", + "version": "1.4.0", + "reference": "1.5" + } + ] + } + ], + "azure-activedirectory-users-can-register-apps-enabled.json": [ + { + "enabled": true, + "level": "medium", + "compliance": [ + { + "name": "CIS Microsoft 365 Foundations", + "version": "1.4.0", + "reference": "2.1" + } + ] + } + ], + "exchange-calendar-sharing-external-user-enabled.json": [ + { + "enabled": true, + "level": "medium", + "compliance": [ + { + "name": "CIS Microsoft 365 Foundations", + "version": "1.4.0", + "reference": "2.2" + } + ] + } + ], + "exchange-atp-safe-links-office-disabled.json": [ + { + "enabled": true, + "level": "medium" + } + ], + "sharepoint-online-infected-files-download-disabled.json": [ + { + "enabled": true, + "level": "medium" + } + ], + "azure-activedirectory-users-can-consent-apps-data-access.json": [ + { + "enabled": true, + "level": "low", + "compliance": [ + { + "name": "CIS Microsoft 365 Foundations", + "version": "1.4.0", + "reference": "2.6" + } + ] + } + ], + "azure-activedirectory-apps-required-admin-consent.json": [ + { + "enabled": true, + "level": "info", + "compliance": [ + { + "name": "CIS Microsoft 365 Foundations", + "version": "1.4.0", + "reference": "2.7" + } + ] + } + ], + "forms-internal-phishing-protection-disabled.json": [ + { + "enabled": true, + "level": "medium" + } + ], + "exchange-customer-lockout-feature-enabled.json": [ + { + "enabled": true, + "level": "medium" + } + ], + "sharepoint-data-classification-policy-disabled.json": [ + { + "enabled": true, + "level": "medium" + } + ], + "teams-external-domain-allowed.json": [ + { + "enabled": true, + "level": "medium" + } 
+ ], + "exchange-dlp-policies-disabled.json": [ + { + "enabled": true, + "level": "medium" + } + ], + "exchange-dlp-policies-Teams-disabled.json": [ + { + "enabled": true, + "level": "medium" + } + ], + "sharepoint-external-user-sharing-disabled.json": [ + { + "enabled": true, + "level": "medium" + } + ], + "teams-external-file-sharing-approved-storage.json": [ + { + "enabled": true, + "level": "medium" + } + ], + "exchange-common-attachment-type-filter-enabled.json": [ + { + "enabled": true, + "level": "medium" + } + ], + "exchange-outbound-spam-disabled.json": [ + { + "enabled": true, + "level": "medium" + } + ], + "exchange-mail-transport-rules-forward-enabled.json": [ + { + "enabled": true, + "level": "medium" + } + ], + "exchange-automatic-forward-enabled.json": [ + { + "enabled": true, + "level": "medium" + } + ], + "exchange-transport-rules-domain-whitelisted.json": [ + { + "enabled": true, + "level": "medium" + } + ], + "exchange-atp-default-safe-links-policy-disabled.json": [ + { + "enabled": true, + "level": "medium" + } + ], + "exchange-atp-safe-attachments-policy-disabled.json": [ + { + "enabled": true, + "level": "medium" + } + ], + "exchange-anti-phishing-policy-disabled.json": [ + { + "enabled": true, + "level": "medium" + } + ], + "exchange-anti-malware-admin-notification-disabled.json": [ + { + "enabled": true, + "level": "medium" + } + ], + "exchange-mailtips-disabled.json": [ + { + "enabled": true, + "level": "low" + } + ], + "exchange-audit-log-search-disabled.json": [ + { + "enabled": true, + "level": "medium" + } + ], + "sharepoint-document-sharing-enable-all.json": [ + { + "enabled": true, + "level": "high" + } + ], + "onedrive-sync-from-unmanaged-domains-enabled.json": [ + { + "enabled": true, + "level": "medium" + } + ], + "sharepoint-sharing-links-missing-expiration.json": [ + { + "enabled": true, + "level": "medium" + } + ], + "exchange-owa-external-storage-allowed.json": [ + { + "enabled": true, + "level": "medium" + } + ] + } +} \ No 
newline at end of file
diff --git a/tests/Get-MonkeyTest.ps1 b/tests/Get-MonkeyTest.ps1
new file mode 100644
index 00000000..8cfbcdb2
--- /dev/null
+++ b/tests/Get-MonkeyTest.ps1
@@ -0,0 +1,53 @@
+# Monkey365 - the PowerShell Cloud Security Tool for Azure and Microsoft 365 (copyright 2022) by Juan Garrido
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+
+[Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSAvoidUsingWriteHost", "")]
+param()
+Function Get-MonkeyTest{
+ <#
+ .SYNOPSIS
+ PSScriptAnalyzer - ignore test file
+
+ .DESCRIPTION
+ PSScriptAnalyzer - ignore test file
+
+ .INPUTS
+
+ .OUTPUTS
+
+ .EXAMPLE
+
+ .NOTES
+ Author : Juan Garrido
+ Twitter : @tr1ana
+ File Name : Get-MonkeyTest
+ Version : 1.0
+
+ .LINK
+ https://github.com/silverhack/monkey365
+ #>
+
+ [CmdletBinding()]
+ Param()
+ Begin{
+ Write-Host "Begin!"
+ }
+ Process{
+ Write-Host "Process!"
+ }
+ End{
+ Write-Host "End!"
+ }
+}
diff --git a/tests/MonkeyAST.Tests.ps1 b/tests/MonkeyAST.Tests.ps1
new file mode 100644
index 00000000..dc630f1d
--- /dev/null
+++ b/tests/MonkeyAST.Tests.ps1
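Review bot: Two unrelated rules in cis_m365_1.4.json carry the same CIS reference `"1.1.13"` — `aad-restrict-collaboration-specific-domains-disabled.json` and `aad-stay_signed_policy-disabled.json` — while the neighbouring `aad-linkedin-sync-enabled.json` is mapped to `"1.1.14"`, so at least one of the two `1.1.13` entries looks like a copy-paste slip; since the `compliance` block is presumably what ties a finding to a benchmark control in the report, a wrong number misattributes the finding, so the stay-signed-in entry should be checked against the benchmark and its `"reference"` corrected. Separately, roughly twenty rules in this ruleset (e.g. `exchange-atp-safe-links-office-disabled.json`, and `sharepoint-document-sharing-enable-all.json` at level `"high"`) ship with no `compliance` block at all, which contradicts the `about` text's claim that these rules "determine whether controls within a standard are being adhered to"; either add the CIS mapping or state in `about` that some entries are vendor (`monkey365`) checks without a benchmark reference. The `about` sentence "This will ensures that Microsoft 365 tenant will meet the industry standards." should also read "This ensures that the Microsoft 365 tenant meets industry standards."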
@@ -0,0 +1,37 @@
+# PSScriptAnalyzer - ignore test file
+Import-Module Pester
+Set-StrictMode -Version Latest
+
+Describe 'AST' {
+ BeforeAll {
+ $Module = Get-ChildItem ("{0}/core/modules/monkeyast" -f (Split-Path $PSScriptRoot -Parent)) -Filter '*.psm1'
+ $MyModule = $Module.DirectoryName
+ Import-Module $MyModule -Force
+ }
+ It 'Get Function Name' {
+ $obj = Get-ChildItem ("{0}/tests/Get-MonkeyTest.ps1" -f (Split-Path $PSScriptRoot -Parent))
+ $my_ast = Get-AstFunction -objects $obj -recursive
+ $my_ast.Name | Should -Be 'Get-MonkeyTest'
+ }
+ It 'Get Command Metadata' {
+ InModuleScope monkeyast {
+ $my_cmd = Get-CommandMetadata -CommandInfo (Get-Command Get-ChildItem)
+ $my_cmd.Name | Should -Be 'Get-ChildItem'
+ }
+ }
+ It 'Get Command from ScriptBlock' {
+ InModuleScope monkeyast {
+ $a = [scriptblock]::Create('Get-ChildItem C:\temp')
+ $my_cmd = Get-CommandToExecute -ScriptBlock $a
+ $my_cmd[0].Extent.Text | Should -Be 'Get-ChildItem'
+ }
+ }
+
+ It 'Get Type' {
+ InModuleScope monkeyast {
+ $cmd = Get-Command Get-ChildItem
+ $my_cmd = Get-NewScriptBlock -CommandInfo $cmd
+ $my_cmd.Ast | Should -BeOfType [System.Management.Automation.Language.Ast]
+ }
+ }
+}
\ No newline at end of file
diff --git a/tests/MonkeyWebRequests.Tests.ps1 b/tests/MonkeyWebRequests.Tests.ps1
new file mode 100644
index 00000000..57037c53
--- /dev/null
+++ b/tests/MonkeyWebRequests.Tests.ps1
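Review bot: `BeforeAll` resolves the module under test with `Get-ChildItem ... -Filter '*.psm1'` and immediately dereferences `$Module.DirectoryName` without checking that anything matched; with `Set-StrictMode -Version Latest` in force, a missing or relocated `core/modules/monkeyast` surfaces as a property-not-found error on `$Module.DirectoryName` rather than a message naming the module, and every `It` block then fails for the same unrelated reason. A single guard before the assignment, `$Module | Should -Not -BeNullOrEmpty -Because 'monkeyast module not found'`, turns that into a clear failure. The same `BeforeAll` shape is repeated in the other two test files added by this commit, so the guard belongs in each of them.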
@@ -0,0 +1,30 @@
+# PSScriptAnalyzer - ignore test file
+Import-Module Pester
+Set-StrictMode -Version Latest
+
+Describe 'Google' {
+ BeforeAll {
+ $Module = Get-ChildItem ("{0}/core/modules/monkeywebrequest" -f (Split-Path $PSScriptRoot -Parent)) -Filter '*.psm1'
+ $MyModule = $Module.DirectoryName
+ Import-Module $MyModule -Force
+ }
+ It 'Serves pages over http' {
+ InModuleScope monkeywebrequest {
+ $retData = Invoke-UrlRequest -url 'http://google.com/' -AllowAutoRedirect -returnRawResponse
+ $StatusCode = $retData | Select-Object -ExpandProperty StatusCode
+ $retData.Close()
+ $retData.Dispose()
+ $StatusCode | Should -Be 'OK'
+ }
+ }
+
+ It 'Serves pages over https' {
+ InModuleScope monkeywebrequest {
+ $retData = Invoke-UrlRequest -url "https://google.co.uk/" -AllowAutoRedirect -returnRawResponse
+ $StatusCode = $retData | Select-Object -ExpandProperty StatusCode
+ $retData.Close()
+ $retData.Dispose()
+ $StatusCode | Should -Be 'OK'
+ }
+ }
+}
\ No newline at end of file
diff --git a/tests/MonkeyWebRequestsAPI.Tests.ps1 b/tests/MonkeyWebRequestsAPI.Tests.ps1
new file mode 100644
index 00000000..ce94811a
--- /dev/null
+++ b/tests/MonkeyWebRequestsAPI.Tests.ps1
@@ -0,0 +1,19 @@
+# PSScriptAnalyzer - ignore test file
+Import-Module Pester
+Set-StrictMode -Version Latest
+
+Describe 'Star Wars' {
+ BeforeAll {
+ $Module = Get-ChildItem ("{0}/core/modules/monkeywebrequest" -f (Split-Path $PSScriptRoot -Parent)) -Filter '*.psm1'
+ $MyModule = $Module.DirectoryName
+ Import-Module $MyModule -Force
+ }
+ It 'Get Han Solo height' {
+ Invoke-UrlRequest -url "https://swapi.dev/api/people/14" | Select-Object -ExpandProperty height | Should -Be '180'
+ }
+
+ It 'Han Solo is Id = 14' {
+ $Han = Invoke-UrlRequest -url "https://swapi.dev/api/people/14"
+ $Han.name | Should -Be 'Han Solo'
+ }
+}
\ No newline at end of file
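Review bot: Both `It` blocks depend on live Google endpoints, so a sandboxed or offline CI runner fails them for reasons unrelated to `Invoke-UrlRequest`, and neither test exercises the property that matters most for a web-request helper in a tool that later carries Azure AD bearer tokens: that TLS certificate validation stays on. Consider tagging the block (`Describe 'Google' -Tag 'Network' {`) so the suite can run with `-ExcludeTag Network` offline, and adding a case asserting that a request to an endpoint presenting an invalid certificate is rejected rather than returning `OK`. The `'Serves pages over http'` case may also not test what its name says: with `-AllowAutoRedirect` the final response could be served after a redirect to HTTPS, so the cleartext path is only exercised if the helper reports the pre-redirect status — worth confirming. Finally, if `Invoke-UrlRequest` returns `$null` on failure, `$retData.Close()` throws under strict mode before the `Should` runs; `$retData | Should -Not -BeNullOrEmpty` ahead of the `Close()`/`Dispose()` pair gives a proper assertion failure instead.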
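Review bot: Both tests pin the content of a third-party API (`swapi.dev`, height `'180'` and the name at id 14), so any data change or outage on that service breaks the build without a regression in `Invoke-UrlRequest`, and the titles `'Get Han Solo height'` / `'Han Solo is Id = 14'` say nothing about the behaviour of the module under test. If the intent is to verify JSON deserialization of a response, an `InModuleScope` mock of the underlying request returning a fixed JSON string pins that without a network; if a live endpoint is really wanted, tag the `Describe` with `-Tag 'Network'` and assert only on stable structure, e.g. `$Han.PSObject.Properties.Name | Should -Contain 'name'`. Unlike the sibling web-request test file, these calls run outside `InModuleScope`, so they only work if `Invoke-UrlRequest` is an exported member of the module — confirm that is intended rather than an accident of the module manifest.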