last sync: 2023-Mar-21 18:43:23 UTC

Changes on Azure Policy definitions
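
The rows below record each definition change with a version note in a fixed notation ("Patch (2.0.0 > 2.0.1)", "Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview)", "Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated)"), and deprecated definitions name their replacement policy ID inside the description. The Python below is an added example, not code from this page or from Azure Policy: it reproduces that classification, pulls the replacement ID out of a deprecation notice, and lists the roles an assignment's managed identity needs for definitions with a DeployIfNotExists or Modify effect. The record layout and field names are this example's own, and the sample records are constructed from rows on this page.

```python
import re
from dataclasses import dataclass

# Assumption: built-in Azure Policy definition names are GUIDs (8-4-4-4-12 hex).
GUID = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)

# Effects whose remediation runs as the assignment's managed identity, so the
# roles listed in the changelog must be granted to that identity.
REMEDIATING_EFFECTS = {"DeployIfNotExists", "Modify"}


@dataclass
class PolicyChange:
    """One changelog row; field names are this example's own, not the page's."""
    policy_id: str
    display_name: str
    description: str
    default_effect: str
    allowed_effects: tuple
    subject: str            # "add" or "change"
    roles: tuple = ()
    old_version: str = ""   # only for subject == "change"
    new_version: str = ""


def split_version(version):
    """'1.1.0-preview' -> ((1, 1, 0), 'preview'); '2.0.1' -> ((2, 0, 1), '')."""
    core, _, suffix = version.partition("-")
    return tuple(int(part) for part in core.split(".")), suffix


def classify(old, new):
    """Render a version change in the notation the changelog uses."""
    (old_core, old_suffix), (new_core, new_suffix) = split_version(old), split_version(new)
    if old_core == new_core:
        bump = "Version remains equal"
    elif old_core[0] != new_core[0]:
        bump = "Major"
    elif old_core[1] != new_core[1]:
        bump = "Minor"
    else:
        bump = "Patch"
    if old_suffix == new_suffix:
        suffix_note = "suffix remains equal" if old_suffix else ""
    elif not old_suffix:
        suffix_note = f"new suffix: {new_suffix}"
    elif not new_suffix:
        suffix_note = f"old suffix: {old_suffix}"
    else:
        suffix_note = f"suffix changed: new suffix: {new_suffix}; old suffix: {old_suffix}"
    label = ", ".join(part for part in (bump, suffix_note) if part)
    return f"{label} ({old} > {new})"


def replacement_for(change):
    """For a [Deprecated] definition, return the replacement policy ID named in
    its description (the first GUID that is not its own ID), else None."""
    if not change.display_name.startswith("[Deprecated]"):
        return None
    for candidate in GUID.findall(change.description):
        if candidate.lower() != change.policy_id.lower():
            return candidate
    return None


def remediation_roles(change):
    """Roles the assignment identity needs; empty for audit-only definitions."""
    return change.roles if REMEDIATING_EFFECTS & set(change.allowed_effects) else ()


def report(changes):
    """One line per row: version note, replacement ID and identity roles."""
    lines = []
    for c in changes:
        parts = [c.policy_id, c.subject]
        if c.subject == "change":
            parts.append(classify(c.old_version, c.new_version))
        replacement = replacement_for(c)
        if replacement:
            parts.append(f"deprecated, assign {replacement} instead")
        roles = remediation_roles(c)
        if roles:
            parts.append("identity needs: " + ", ".join(roles))
        lines.append(" | ".join(parts))
    return lines


# Sample records constructed from rows in the table on this page.
SAMPLE = [
    PolicyChange("45e05259-1eb5-4f70-9574-baf73e9d219b",
                 "Azure Machine Learning workspaces should use private link",
                 "By mapping private endpoints to Azure Machine Learning workspaces, data leakage risks are reduced.",
                 "Audit", ("Audit", "Disabled"), "add"),
    PolicyChange("40cec1dd-a100-4920-b15b-3024fe8901ab",
                 "[Deprecated]: Azure Machine Learning workspaces should use private link",
                 "We recommend you assign this replacement policy with policy ID 45e05259-1eb5-4f70-9574-baf73e9d219b.",
                 "Audit", ("Audit", "Deny", "Disabled"), "change",
                 old_version="1.1.0", new_version="1.1.0-deprecated"),
    PolicyChange("64def556-fbad-4622-930e-72d1d5589bf5",
                 "Configure Azure Kubernetes Service clusters to enable Defender profile",
                 "Deploys the Defender profile agent to the cluster.",
                 "DeployIfNotExists", ("DeployIfNotExists", "Disabled"), "change",
                 roles=("Contributor", "Log Analytics Contributor"),
                 old_version="4.0.1", new_version="4.0.2"),
]

if __name__ == "__main__":
    for line in report(SAMPLE):
        print(line)
```

Running the script prints one line per sample row; the deprecated row carries the replacement ID and the DeployIfNotExists row carries the two roles its remediation identity must hold. Feeding two syncs of this changelog through `report` and diffing the output shows which assigned built-ins moved to a deprecated suffix and which gained new role requirements.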

Category Id DisplayName Description Effect Roles used Subject Details (UTC ymd)
Each row below spans several lines in this order: Category, Id, DisplayName and Description on one line; "Default" followed by the default effect; "Allowed" followed by the allowed effects; optionally "count: NNN" followed by the role names the assignment's managed identity needs (listed only for definitions with a DeployIfNotExists or Modify effect); Subject (add or change); the Details timestamp; and finally the Id again for added definitions or the version change for changed ones.
Machine Learning 45e05259-1eb5-4f70-9574-baf73e9d219b Azure Machine Learning workspaces should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Machine Learning workspaces, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/machine-learning/how-to-configure-private-link. Default
Audit
Allowed
Audit, Disabled
add
2023-03-17 18:44:06
45e05259-1eb5-4f70-9574-baf73e9d219b
Machine Learning 40cec1dd-a100-4920-b15b-3024fe8901ab [Deprecated]: Azure Machine Learning workspaces should use private link This policy is deprecated because the private link is created after workspace creation, so a deny action can never succeed. Instead of continuing to use this policy, we recommend you assign this replacement policy with policy ID 45e05259-1eb5-4f70-9574-baf73e9d219b. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. Default
Audit
Allowed
Audit, Deny, Disabled
change
2023-03-17 18:44:06
Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated)
Kubernetes a1840de2-8088-4ea8-b153-b4c723e9cb01 Azure Kubernetes Service clusters should have Defender profile enabled Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. When you enable the SecurityProfile.AzureDefender on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data. Learn more about Microsoft Defender for Containers in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks Default
Audit
Allowed
Audit, Disabled
change
2023-03-17 18:44:06
Patch (2.0.0 > 2.0.1)
Container Instances 21c469fa-a887-4363-88a9-60bfd6911a15 Configure diagnostics for container group to log analytics workspace Appends the specified log analytics workspaceId and workspaceKey when any container group which is missing these fields is created or updated. Does not modify the fields of container groups created before this policy was applied until those resource groups are changed. Default
Append
Allowed
Append, Disabled
add
2023-03-17 18:44:06
21c469fa-a887-4363-88a9-60bfd6911a15
Security Center e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 Vulnerabilities in security configuration on your machines should be remediated Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
2023-03-17 18:44:06
Minor (3.0.0 > 3.1.0)
API Management 92bb331d-ac71-416a-8c91-02f2cb734ce4 API Management calls to API backends should not bypass certificate thumbprint or name validation To improve API security, API Management should validate the backend server certificate for all API calls. Enable SSL certificate thumbprint and name validation. Default
Audit
Allowed
Audit, Disabled, Deny
change
2023-03-17 18:44:06
Patch (1.0.1 > 1.0.2)
SignalR 62a3ae95-8169-403e-a2d2-b82141448092 Modify Azure SignalR Service resources to disable public network access To improve the security of Azure SignalR Service resource, ensure that it isn't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in https://aka.ms/asrs/networkacls. This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. Default
Modify
Allowed
Modify, Disabled
count: 001
SignalR/Web PubSub Contributor
change
2023-03-17 18:44:06
Minor (1.0.0 > 1.1.0)
SignalR 21a9766a-82a5-4747-abb5-650b6dbba6d0 Azure SignalR Service should disable public network access To improve the security of Azure SignalR Service resource, ensure that it isn't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in https://aka.ms/asrs/networkacls. This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. Default
Audit
Allowed
Audit, Deny, Disabled
change
2023-03-17 18:44:06
Minor (1.0.0 > 1.1.0)
Guest Configuration 3810e389-1d92-4f77-9267-33bdcf0bd225 Windows machines should schedule Windows Defender to perform a scheduled scan every day Windows machines should schedule Windows Defender to perform a scheduled scan every day to ensure that malware is quickly identified to minimize the effect this may have to the environment. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For more information on Guest Configuration, visit https://aka.ms/gcpol. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
2023-03-17 18:44:06
Minor (1.0.0 > 1.1.0)
Kubernetes 64def556-fbad-4622-930e-72d1d5589bf5 Configure Azure Kubernetes Service clusters to enable Defender profile Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. When you enable the SecurityProfile.AzureDefender on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data. Learn more about Microsoft Defender for Containers: https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Contributor
Log Analytics Contributor
change
2023-03-17 18:44:06
Patch (4.0.1 > 4.0.2)
Managed Grafana bc33de80-97cd-4c11-b6b4-d075e03c7d60 Configure Azure Managed Grafana dashboards with private endpoints Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Azure Managed Grafana, you can reduce data leakage risks. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
add
2023-03-10 18:58:56
bc33de80-97cd-4c11-b6b4-d075e03c7d60
Backup 04726aae-4e8d-427c-af7d-ecf56d490022 [Preview]: Configure Azure Recovery Services vaults to disable public network access Disable public network access for your Recovery services vault so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/AB-PublicNetworkAccess-Deny. Default
Modify
Allowed
Modify, Disabled
count: 001
Backup Contributor
add
2023-03-10 18:58:56
04726aae-4e8d-427c-af7d-ecf56d490022
Databricks 2cc2c3b5-c2f8-45aa-a9e6-f90d85ae8352 Azure Databricks workspaces should be Premium SKU that supports features like private link, customer-managed key for encryption Only allow Databricks workspace with Premium Sku that your organization can deploy to support features like Private Link, customer-managed key for encryption. Learn more at: https://aka.ms/adbpe. Default
Audit
Allowed
Audit, Deny, Disabled
add
2023-03-10 18:58:56
2cc2c3b5-c2f8-45aa-a9e6-f90d85ae8352
Managed Grafana 4c8537f8-cd1b-49ec-b704-18e82a42fd58 Configure Azure Managed Grafana workspaces to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Managed Grafana workspaces. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Network Contributor
add
2023-03-10 18:58:56
4c8537f8-cd1b-49ec-b704-18e82a42fd58
Guest Configuration 3dc5edcd-002d-444c-b216-e123bbfa37c0 [Preview]: Windows virtual machines should enable Azure Disk Encryption or EncryptionAtHost. By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys; temp disks and data caches aren't encrypted, and data isn't encrypted when flowing between compute and storage resources. Use Azure Disk Encryption or EncryptionAtHost to encrypt all this data. Visit https://aka.ms/diskencryptioncomparison to compare encryption offerings. This policy requires two prerequisites to be deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
2023-03-03 18:43:58
Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview)
Update Management Center ba0df93e-e4ac-479a-aac2-134bbae39a1a [Preview]: Schedule recurring updates using Update Management Center You can use update management center (private preview) in Azure to save recurring deployment schedules to install operating system updates for your Windows Server and Linux machines in Azure, in on-premises environments, and in other cloud environments connected using Azure Arc-enabled servers. This policy will also change the patch mode for the Azure Virtual Machine to 'AutomaticByPlatform'. See more: https://aka.ms/umc-scheduled-patching Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
change
2023-03-03 18:43:58
Minor, suffix remains equal (3.1.0-preview > 3.2.0-preview)
Kubernetes a8e653d9-b5d4-48a0-afe6-14d881f9ee9a Azure Arc-enabled Kubernetes clusters should have the Strimzi Kafka extension installed Strimzi Kafka extension provides the operators to install Kafka for building real-time data pipelines and streaming applications with security and observability capabilities. Learn more here: https://aka.ms/arc-strimzikafka-doc. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Owner
add
2023-03-03 18:43:58
a8e653d9-b5d4-48a0-afe6-14d881f9ee9a
Guest Configuration ca88aadc-6e2b-416c-9de2-5a0f01d1693f [Preview]: Linux virtual machines should enable Azure Disk Encryption or EncryptionAtHost. By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys; temp disks and data caches aren't encrypted, and data isn't encrypted when flowing between compute and storage resources. Use Azure Disk Encryption or EncryptionAtHost to encrypt all this data. Visit https://aka.ms/diskencryptioncomparison to compare encryption offerings. This policy requires two prerequisites to be deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
2023-03-03 18:43:58
Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview)
SQL fd2d1a6e-6d95-4df2-ad00-504bf0273406 Configure Arc-enabled machines running SQL Server to have SQL Server extension installed. To ensure that SQL Server - Azure Arc resources are created by default when SQL Server instance is found on Azure Arc enabled Windows/Linux Server, the latter should have SQL Server extension installed Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
User Access Administrator
change
2023-03-03 18:43:58
Minor (3.2.0 > 3.3.0)
Managed Grafana e8775d5a-73b7-4977-a39b-833ef0114628 Azure Managed Grafana workspaces should disable public network access Disabling public network access improves security by ensuring that your Azure Managed Grafana workspace isn't exposed on the public internet. Creating private endpoints can limit exposure of your workspaces. Default
Audit
Allowed
Audit, Deny, Disabled
add
2023-02-27 19:03:54
e8775d5a-73b7-4977-a39b-833ef0114628
Azure Data Explorer 43bc7be6-5e69-4b0d-a2bb-e815557ca673 Public network access on Azure Data Explorer should be disabled Disabling the public network access property improves security by ensuring Azure Data Explorer can only be accessed from a private endpoint. This configuration denies all logins that match IP or virtual network based firewall rules. Default
Audit
Allowed
Audit, Deny, Disabled
add
2023-02-27 19:03:54
43bc7be6-5e69-4b0d-a2bb-e815557ca673
Azure Data Explorer f7735886-8927-431f-b201-c953922512b8 Azure Data Explorer cluster should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure Data Explorer cluster, data leakage risks are reduced. Learn more about private links at: https://learn.microsoft.com/en-us/azure/data-explorer/security-network-private-endpoint. Default
Audit
Allowed
Audit, Disabled
add
2023-02-27 19:03:54
f7735886-8927-431f-b201-c953922512b8
Security Center 57c2e3f0-98cf-4c3b-aa6b-e8f70726e74e [Preview]: Configure supported Linux virtual machine scale sets to automatically install the Guest Attestation extension Configure supported Linux virtual machine scale sets to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
2023-02-27 19:03:54
Minor, suffix remains equal (6.0.0-preview > 6.1.0-preview)
Azure Data Explorer 7b32f193-cb28-4e15-9a98-b9556db0bafa Configure Azure Data Explorer to disable public network access Disabling the public network access property shuts down public connectivity such that Azure Data Explorer can only be accessed from a private endpoint. This configuration disables the public network access for all Azure Data Explorer clusters. Default
Modify
Allowed
Modify, Disabled
count: 001
SQL Server Contributor
add
2023-02-27 19:03:54
7b32f193-cb28-4e15-9a98-b9556db0bafa
Managed Grafana 3a97e513-f75e-4230-8137-1efad4eadbbc Azure Managed Grafana should use private link Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Managed Grafana, you can reduce data leakage risks. Default
Audit
Allowed
Audit, Disabled
add
2023-02-27 19:03:54
3a97e513-f75e-4230-8137-1efad4eadbbc
Azure Data Explorer 1fec9658-933f-4b3e-bc95-913ed22d012b Azure Data Explorer should use a SKU that supports private link With supported SKUs, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to apps, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/private-link. Default
Audit
Allowed
Audit, Deny, Disabled
add
2023-02-27 19:03:54
1fec9658-933f-4b3e-bc95-913ed22d012b
Security Center 98ea2fc7-6fc6-4fd1-9d8d-6331154da071 [Preview]: Configure supported Windows virtual machines to automatically install the Guest Attestation extension Configure supported Windows virtual machines to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
2023-02-27 19:03:54
Minor, suffix remains equal (5.0.0-preview > 5.1.0-preview)
Azure Data Explorer a47272e1-1d5d-4b0b-b366-4873f1432fe0 Configure Azure Data Explorer clusters with private endpoints Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Azure Data Explorer, you can reduce data leakage risks. Learn more at: [ServiceSpecificAKA.ms]. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Network Contributor
SQL Server Contributor
add
2023-02-27 19:03:54
a47272e1-1d5d-4b0b-b366-4873f1432fe0
Security Center 009259b0-12e8-42c9-94e7-7af86aa58d13 [Preview]: Configure VMSS created with Shared Image Gallery images to install the Guest Attestation extension Configure VMSS created with Shared Image Gallery images to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Reader
Virtual Machine Contributor
change
2023-02-27 19:03:54
Minor, suffix remains equal (2.0.0-preview > 2.1.0-preview)
Security Center c9b2ae08-09e2-4f0e-bb43-b60bf0135bdf [Preview]: Configure supported Windows virtual machine scale sets to automatically install the Guest Attestation extension Configure supported Windows virtual machine scale sets to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
2023-02-27 19:03:54
Minor, suffix remains equal (4.0.0-preview > 4.1.0-preview)
Automanage fb97d6e1-5c98-4743-a439-23e0977bad9e [Preview]: Boot Diagnostics should be enabled on virtual machines Azure virtual machines should have boot diagnostics enabled. Default
Audit
Allowed
Audit, Disabled
add
2023-02-27 19:03:54
fb97d6e1-5c98-4743-a439-23e0977bad9e
Security Center f655e522-adff-494d-95c2-52d4f6d56a42 [Preview]: Guest Attestation extension should be installed on supported Windows virtual machine scale sets Install the Guest Attestation extension on supported virtual machine scale sets to allow Azure Security Center to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment applies to Trusted Launch and Confidential Windows virtual machine scale sets. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
2023-02-27 19:03:54
Minor, suffix remains equal (3.0.0-preview > 3.1.0-preview)
Security Center 6074e9a3-c711-4856-976d-24d51f9e065b [Preview]: Configure supported Linux virtual machines to automatically install the Guest Attestation extension Configure supported Linux virtual machines to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
2023-02-27 19:03:54
Minor, suffix remains equal (7.0.0-preview > 7.1.0-preview)
Kubernetes 0adc5395-9169-4b9b-8687-af838d69410a Configure Azure Arc enabled Kubernetes clusters to install the Azure Policy extension Deploy Azure Policy's extension for Azure Arc to provide at-scale enforcements and safeguard your Arc enabled Kubernetes clusters in a centralized, consistent manner. Learn more at https://aka.ms/akspolicydoc. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Kubernetes Extension Contributor
change
2023-02-27 19:03:54
Version remains equal, old suffix: preview (1.1.0-preview > 1.1.0)
Kubernetes 6b2122c1-8120-4ff5-801b-17625a355590 Azure Arc enabled Kubernetes clusters should have the Azure Policy extension installed The Azure Policy extension for Azure Arc provides at-scale enforcements and safeguards on your Arc enabled Kubernetes clusters in a centralized, consistent manner. Learn more at https://aka.ms/akspolicydoc. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
2023-02-27 19:03:54
Version remains equal, old suffix: preview (1.1.0-preview > 1.1.0)
Security Center a21f8c92-9e22-4f09-b759-50500d1d2dda [Preview]: Guest Attestation extension should be installed on supported Linux virtual machine scale sets Install the Guest Attestation extension on supported Linux virtual machine scale sets to allow Azure Security Center to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment applies to Trusted Launch and Confidential Linux virtual machine scale sets. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
2023-02-27 19:03:54
Minor, suffix remains equal (5.0.0-preview > 5.1.0-preview)
Desktop Virtualization 87ac3038-c07a-4b92-860d-29e270a4f3cd Azure Virtual Desktop workspaces should disable public network access Disabling public network access for your Azure Virtual Desktop workspace resource prevents the feed from being accessible over the public internet. Allowing only private network access improves security and keeps your data safe. Learn more at: https://aka.ms/avdprivatelink. Default
Audit
Allowed
Audit, Deny, Disabled
add
2023-02-16 18:41:08
87ac3038-c07a-4b92-860d-29e270a4f3cd
Compute 7c1b1214-f927-48bf-8882-84f0af6588b1 [Deprecated]: Resource logs in Virtual Machine Scale Sets should be enabled This policy definition is no longer the recommended way to achieve its intent. Instead of continuing to use this policy, we recommend you assign this replacement policy with policy ID a3a6ea0c-e018-4933-9ef0-5aaa1501449b. Learn more about policy definition deprecation at aka.ms/policydefdeprecation Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
2023-02-16 18:41:08
Version remains equal, new suffix: deprecated (2.1.0 > 2.1.0-deprecated)
Desktop Virtualization ce6ebf1d-0b94-4df9-9257-d8cacc238b4f Configure Azure Virtual Desktop workspaces to disable public network access Disable public network access for your Azure Virtual Desktop workspace resource so the feed is not accessible over the public internet. This improves security and keeps your data safe. Learn more at: https://aka.ms/avdprivatelink. Default
Modify
Allowed
Modify, Disabled
count: 001
Desktop Virtualization Workspace Contributor
add
2023-02-16 18:41:08
ce6ebf1d-0b94-4df9-9257-d8cacc238b4f
Desktop Virtualization 34804460-d88b-4922-a7ca-537165e060ed Configure Azure Virtual Desktop workspace resources to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Virtual Desktop resources. Learn more at: https://aka.ms/privatednszone. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Network Contributor
add
2023-02-16 18:41:08
34804460-d88b-4922-a7ca-537165e060ed
Desktop Virtualization a22065a3-3b04-46ff-b84c-2d30e5c300d0 Azure Virtual Desktop hostpools should disable public network access only on session hosts Disabling public network access for your Azure Virtual Desktop hostpool session hosts, but allowing public access for end users improves security by limiting exposure to the public internet. Learn more at: https://aka.ms/avdprivatelink. Default
Audit
Allowed
Audit, Deny, Disabled
add
2023-02-16 18:41:08
a22065a3-3b04-46ff-b84c-2d30e5c300d0
Automanage fd4726f4-a5fc-4540-912d-67c96fc992d5 [Preview]: Automanage Configuration Profile Assignment should be Conformant Resources managed by Automanage should have a status of Conformant or ConformantCorrected. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
2023-02-16 18:41:08
fd4726f4-a5fc-4540-912d-67c96fc992d5
Desktop Virtualization e84e8a9a-f43e-46e3-9458-bbcfb2d7e429 Configure Azure Virtual Desktop hostpools to disable public network access only for session hosts Disable public network access for your Azure Virtual Desktop hostpool session hosts, but allow public access for end users. This allows users to still access AVD service while ensuring the session host is only accessible through private routes. Learn more at: https://aka.ms/avdprivatelink. Default
Modify
Allowed
Modify, Disabled
count: 001
Desktop Virtualization Host Pool Contributor
add
2023-02-16 18:41:08
e84e8a9a-f43e-46e3-9458-bbcfb2d7e429
Automanage e4953962-5ae4-43eb-bb92-d66fd5563487 [Preview]: A managed identity should be enabled on your machines Resources managed by Automanage should have a managed identity. Default
Audit
Allowed
Audit, Disabled
add
2023-02-16 18:41:08
e4953962-5ae4-43eb-bb92-d66fd5563487
Desktop Virtualization 7b331e6b-6096-4395-a754-758a64505f19 Configure Azure Virtual Desktop hostpools with private endpoints Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Virtual Desktop resources, you can improve security and keep your data safe. Learn more at: https://aka.ms/avdprivatelink. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
add
2023-02-16 18:41:08
7b331e6b-6096-4395-a754-758a64505f19
Key Vault 5f0bc445-3935-4915-9981-011aa2b46147 [Deprecated]: Private endpoint should be configured for Key Vault The policy 5f0bc445-3935-4915-9981-011aa2b46147 has been deprecated as it has been replaced by newer policy a6abeaec-4d90-4a02-805f-6b26c4d3fbe9 Default
Audit
Allowed
Audit, Deny, Disabled
change
2023-02-16 18:41:08
Patch, suffix changed: new suffix: deprecated; old suffix: preview (1.1.0-preview > 1.1.1-deprecated)
Monitoring 0868462e-646c-4fe3-9ced-a733534b6a2c Deploy - Configure Log Analytics extension to be enabled on Windows virtual machines Deploy Log Analytics extension for Windows virtual machines if the virtual machine image is in the list defined and the extension is not installed. Deprecation notice: The Log Analytics agent is on a deprecation path and won't be supported after August 31, 2024. You must migrate to the replacement 'Azure Monitor agent' prior to that date. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Log Analytics Contributor
change
2023-02-16 18:41:08
Minor (3.0.1 > 3.1.0)
Desktop Virtualization 2a0913ff-51e7-47b8-97bb-ea17127f7c8d Configure Azure Virtual Desktop hostpools to disable public network access Disable public network access for session hosts and end users on your Azure Virtual Desktop hostpool resource so that it's not accessible over the public internet. This improves security and keeps your data safe. Learn more at: https://aka.ms/avdprivatelink. Default
Modify
Allowed
Modify, Disabled
count: 001
Desktop Virtualization Host Pool Contributor
add
2023-02-16 18:41:08
2a0913ff-51e7-47b8-97bb-ea17127f7c8d
Desktop Virtualization c25dcf31-878f-4eba-98eb-0818fdc6a334 Azure Virtual Desktop hostpools should disable public network access Disabling public network access improves security and keeps your data safe by ensuring that access to the Azure Virtual Desktop service is not exposed to the public internet. Learn more at: https://aka.ms/avdprivatelink. Default
Audit
Allowed
Audit, Deny, Disabled
add
2023-02-16 18:41:08
c25dcf31-878f-4eba-98eb-0818fdc6a334
Desktop Virtualization 02aa841c-42e8-492f-a43d-1f2c67e58d41 Configure Azure Virtual Desktop workspaces with private endpoints Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Virtual Desktop resources, you can improve security and keep your data safe. Learn more at: https://aka.ms/avdprivatelink. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
add
2023-02-16 18:41:08
02aa841c-42e8-492f-a43d-1f2c67e58d41
Desktop Virtualization ca950cd7-02f7-422e-8c23-91ff40f169c1 Azure Virtual Desktop service should use private link Using Azure Private Link with your Azure Virtual Desktop resources can improve security and keep your data safe. Learn more about private links at: https://aka.ms/avdprivatelink. Default
Audit
Allowed
Audit, Disabled
add
2023-02-16 18:41:08
ca950cd7-02f7-422e-8c23-91ff40f169c1
Monitoring 3c1b3629-c8f8-4bf6-862c-037cb9094038 Deploy - Configure Log Analytics extension to be enabled on Windows virtual machine scale sets Deploy Log Analytics extension for Windows virtual machine scale sets if the virtual machine image is in the list defined and the extension is not installed. If your scale set upgradePolicy is set to Manual, you need to apply the extension to all the virtual machines in the set by updating them. Deprecation notice: The Log Analytics agent is on a deprecation path and won't be supported after August 31, 2024. You must migrate to the replacement 'Azure Monitor agent' prior to that date. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Virtual Machine Contributor
change
2023-02-16 18:41:08
Minor (3.0.1 > 3.1.0)
Desktop Virtualization 9427df23-0f42-4e1e-bf99-a6133d841c4a Configure Azure Virtual Desktop hostpool resources to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Virtual Desktop resources. Learn more at: https://aka.ms/privatednszone. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Network Contributor
add
2023-02-16 18:41:08
9427df23-0f42-4e1e-bf99-a6133d841c4a
Monitoring bf6af3d2-fbd5-458f-8a40-2556cf539b45 Enable logging by category group for Web PubSub Service (microsoft.signalrservice/webpubsub) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Web PubSub Service (microsoft.signalrservice/webpubsub). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
2023-02-10 18:41:56
bf6af3d2-fbd5-458f-8a40-2556cf539b45
Monitoring 792f8b74-dc05-44fd-b90d-340a097b80e6 Enable logging by category group for Video Analyzers (microsoft.media/videoanalyzers) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Video Analyzers (microsoft.media/videoanalyzers). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
2023-02-10 18:41:56
792f8b74-dc05-44fd-b90d-340a097b80e6
Guest Configuration f40c7c00-b4e3-4068-a315-5fe81347a904 [Preview]: Add user-assigned managed identity to enable Guest Configuration assignments on virtual machines This policy adds a user-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration. A user-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. Default
DeployIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled
count: 002
Contributor
User Access Administrator
change
2023-02-10 18:41:56
Patch, suffix remains equal (2.0.0-preview > 2.0.1-preview)
Monitoring dfbfceaa-14b2-4a90-a679-d169fa6a6a38 Enable logging by category group for IoT Hub (microsoft.devices/iothubs) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for IoT Hub (microsoft.devices/iothubs). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
2023-02-10 18:41:56
dfbfceaa-14b2-4a90-a679-d169fa6a6a38
Monitoring 4b05de63-3ad2-4f6d-b421-da21f1328f3b Enable logging by category group for App Configuration (microsoft.appconfiguration/configurationstores) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for App Configuration (microsoft.appconfiguration/configurationstores). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
2023-02-10 18:41:56
4b05de63-3ad2-4f6d-b421-da21f1328f3b
Monitoring 4cabf9fc-4ed1-4990-bbaf-7248fb8751bc Enable logging by category group for Microsoft Purview accounts (microsoft.purview/accounts) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Microsoft Purview accounts (microsoft.purview/accounts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
2023-02-10 18:41:56
4cabf9fc-4ed1-4990-bbaf-7248fb8751bc
Monitoring 03a087c0-b49f-4440-9ae5-013703eccc8c Enable logging by category group for Event Grid Domains (microsoft.eventgrid/domains) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Event Grid Domains (microsoft.eventgrid/domains). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
2023-02-10 18:41:56
03a087c0-b49f-4440-9ae5-013703eccc8c
Monitoring 69ab8bfc-dc5b-443d-93a7-7531551dec66 Enable logging by category group for AVS Private clouds (microsoft.avs/privateclouds) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for AVS Private clouds (microsoft.avs/privateclouds). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
2023-02-10 18:41:56
69ab8bfc-dc5b-443d-93a7-7531551dec66
Monitoring 14e81583-c89c-47db-af0d-f9ddddcccd9f Enable logging by category group for Cognitive Services (microsoft.cognitiveservices/accounts) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Cognitive Services (microsoft.cognitiveservices/accounts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
2023-02-10 18:41:56
14e81583-c89c-47db-af0d-f9ddddcccd9f
Monitoring b9b976cc-59ef-468a-807e-19afa2ebfd52 Enable logging by category group for microsoft.network/p2svpngateways to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.network/p2svpngateways. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
2023-02-10 18:41:56
b9b976cc-59ef-468a-807e-19afa2ebfd52
SQL b52376f7-9612-48a1-81cd-1ffe4b61032c Public network access should be disabled for PostgreSQL servers Disable the public network access property to improve security and ensure your Azure Database for PostgreSQL can only be accessed from a private endpoint. This configuration disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. Default
Audit
Allowed
Audit, Deny, Disabled
change
2023-02-10 18:41:56
Patch (2.0.0 > 2.0.1)
Monitoring d147ba9f-3e17-40b1-9c23-3bca478ba804 Enable logging by category group for Front Door and CDN profiles (microsoft.network/frontdoors) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Front Door and CDN profiles (microsoft.network/frontdoors). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
2023-02-10 18:41:56
d147ba9f-3e17-40b1-9c23-3bca478ba804
Monitoring 40654dcd-0b26-49d6-aeaf-d12d7c1e8c4d Enable logging by category group for SQL managed instances (microsoft.sql/managedinstances) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for SQL managed instances (microsoft.sql/managedinstances). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
2023-02-10 18:41:56
40654dcd-0b26-49d6-aeaf-d12d7c1e8c4d
Monitoring f8352124-56fa-4f94-9441-425109cdc14b Enable logging by category group for Bastions (microsoft.network/bastionhosts) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Bastions (microsoft.network/bastionhosts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
2023-02-10 18:41:56
f8352124-56fa-4f94-9441-425109cdc14b
Monitoring 0e0c742d-5031-4e65-bf96-1bee7cf55740 Enable logging by category group for SignalR (microsoft.signalrservice/signalr) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for SignalR (microsoft.signalrservice/signalr). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
2023-02-10 18:41:56
0e0c742d-5031-4e65-bf96-1bee7cf55740
Monitoring b4a9c220-1d62-4163-a17b-30db7d5b7278 Enable logging by category group for Virtual network gateways (microsoft.network/virtualnetworkgateways) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Virtual network gateways (microsoft.network/virtualnetworkgateways). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
2023-02-10 18:41:56
b4a9c220-1d62-4163-a17b-30db7d5b7278
Monitoring fc602c00-2ce3-4556-b615-fa4159517103 Enable logging by category group for Public IP addresses (microsoft.network/publicipaddresses) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Public IP addresses (microsoft.network/publicipaddresses). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
2023-02-10 18:41:56
fc602c00-2ce3-4556-b615-fa4159517103
Monitoring fc744b31-a930-4eb5-bc06-e81f98bf7214 Enable logging by category group for SignalR (microsoft.signalrservice/signalr) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for SignalR (microsoft.signalrservice/signalr). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
2023-02-10 18:41:56
fc744b31-a930-4eb5-bc06-e81f98bf7214
Monitoring 0277b2d5-6e6f-4d97-9929-a5c4eab56fd7 Enable logging by category group for Service Bus Namespaces (microsoft.servicebus/namespaces) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Service Bus Namespaces (microsoft.servicebus/namespaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
2023-02-10 18:41:56
0277b2d5-6e6f-4d97-9929-a5c4eab56fd7
Monitoring ae48c709-d2b4-4fad-8c5c-838524130aa4 Enable logging by category group for Azure Machine Learning (microsoft.machinelearningservices/workspaces) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Azure Machine Learning (microsoft.machinelearningservices/workspaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
2023-02-10 18:41:56
ae48c709-d2b4-4fad-8c5c-838524130aa4
Monitoring 9e6aee71-3781-4acd-bba7-aac4fb067dfa Enable logging by category group for SQL databases (microsoft.sql/servers/databases) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for SQL databases (microsoft.sql/servers/databases). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
2023-02-10 18:41:56
9e6aee71-3781-4acd-bba7-aac4fb067dfa
Monitoring 0da6faeb-d6c6-4f6e-9f49-06277493270b Enable logging by category group for Web PubSub Service (microsoft.signalrservice/webpubsub) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Web PubSub Service (microsoft.signalrservice/webpubsub). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
2023-02-10 18:41:56
0da6faeb-d6c6-4f6e-9f49-06277493270b
Monitoring 3d034ef2-001c-46f6-a47b-e6e4a74ff89b Enable logging by category group for Web PubSub Service (microsoft.signalrservice/webpubsub) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Web PubSub Service (microsoft.signalrservice/webpubsub). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
2023-02-10 18:41:56
3d034ef2-001c-46f6-a47b-e6e4a74ff89b
Monitoring 567c93f7-3661-494f-a30f-0a94d9bfebf8 Enable logging by category group for API Management services (microsoft.apimanagement/service) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for API Management services (microsoft.apimanagement/service). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
2023-02-10 18:41:56
567c93f7-3661-494f-a30f-0a94d9bfebf8
Monitoring 6b359d8f-f88d-4052-aa7c-32015963ecc1 Enable logging by category group for Key vaults (microsoft.keyvault/vaults) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Key vaults (microsoft.keyvault/vaults). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
2023-02-10 18:41:56
6b359d8f-f88d-4052-aa7c-32015963ecc1
Monitoring d3e11828-02c8-40d2-a518-ad01508bb4d7 Enable logging by category group for Azure Cache for Redis (microsoft.cache/redis) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Azure Cache for Redis (microsoft.cache/redis). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
2023-02-10 18:41:56
d3e11828-02c8-40d2-a518-ad01508bb4d7
Monitoring b797045a-b3cd-46e4-adc4-bbadb3381d78 Enable logging by category group for Automation Accounts (microsoft.automation/automationaccounts) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Automation Accounts (microsoft.automation/automationaccounts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
2023-02-10 18:41:56
b797045a-b3cd-46e4-adc4-bbadb3381d78
SQL 146412e9-005c-472b-9e48-c87b72ac229e An Azure Active Directory administrator should be provisioned for MySQL servers Audit provisioning of an Azure Active Directory administrator for your MySQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
2023-02-10 18:41:56
146412e9-005c-472b-9e48-c87b72ac229e
Monitoring 480851ae-9ff3-49d1-904c-b5bd6f83f1ec Enable logging by category group for Event Hubs Namespaces (microsoft.eventhub/namespaces) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Event Hubs Namespaces (microsoft.eventhub/namespaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
2023-02-10 18:41:56
480851ae-9ff3-49d1-904c-b5bd6f83f1ec
Monitoring 818719e5-1338-4776-9a9d-3c31e4df5986 Enable logging by category group for Log Analytics workspaces (microsoft.operationalinsights/workspaces) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Log Analytics workspaces (microsoft.operationalinsights/workspaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
2023-02-10 18:41:56
818719e5-1338-4776-9a9d-3c31e4df5986
Monitoring 441af8bf-7c88-4efc-bd24-b7be28d4acce Enable logging by category group for Event Hubs Namespaces (microsoft.eventhub/namespaces) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Event Hubs Namespaces (microsoft.eventhub/namespaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
2023-02-10 18:41:56
441af8bf-7c88-4efc-bd24-b7be28d4acce
Monitoring 6201aeb7-2b5c-4671-8ab4-5d3ba4d77f3b Enable logging by category group for Front Door and CDN profiles (microsoft.cdn/profiles) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Front Door and CDN profiles (microsoft.cdn/profiles). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
2023-02-10 18:41:56
6201aeb7-2b5c-4671-8ab4-5d3ba4d77f3b
Monitoring 6567d3f3-42d0-4cfb-9606-9741ba60fa07 Enable logging by category group for SQL databases (microsoft.sql/servers/databases) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for SQL databases (microsoft.sql/servers/databases). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
2023-02-10 18:41:56
6567d3f3-42d0-4cfb-9606-9741ba60fa07
Monitoring 46b2dd5d-3936-4347-8908-b298ea4466d3 Enable logging by category group for Event Grid Topics (microsoft.eventgrid/topics) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Event Grid Topics (microsoft.eventgrid/topics). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
2023-02-10 18:41:56
46b2dd5d-3936-4347-8908-b298ea4466d3
Monitoring 6b4b3d79-2eeb-4612-b3d1-99ef609ffa4e Enable logging by category group for Microsoft Purview accounts (microsoft.purview/accounts) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Microsoft Purview accounts (microsoft.purview/accounts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
2023-02-10 18:41:56
6b4b3d79-2eeb-4612-b3d1-99ef609ffa4e
Monitoring 6f3f5778-f809-4755-9d8f-bd5a5a7add85 Enable logging by category group for API Management services (microsoft.apimanagement/service) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for API Management services (microsoft.apimanagement/service). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
2023-02-10 18:41:56
6f3f5778-f809-4755-9d8f-bd5a5a7add85
Monitoring e488a548-7afd-43a7-a903-2a6dd36e7504 Enable logging by category group for Attestation providers (microsoft.attestation/attestationproviders) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Attestation providers (microsoft.attestation/attestationproviders). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
2023-02-10 18:41:56
e488a548-7afd-43a7-a903-2a6dd36e7504
Monitoring 0628b917-d4b4-4af5-bc2b-b4f87cd173ab Enable logging by category group for Cognitive Services (microsoft.cognitiveservices/accounts) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Cognitive Services (microsoft.cognitiveservices/accounts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
2023-02-10 18:41:56
0628b917-d4b4-4af5-bc2b-b4f87cd173ab
Monitoring a853abad-dfa4-4bf5-aaa1-04cb10c02d23 Enable logging by category group for Log Analytics workspaces (microsoft.operationalinsights/workspaces) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Log Analytics workspaces (microsoft.operationalinsights/workspaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
2023-02-10 18:41:56
a853abad-dfa4-4bf5-aaa1-04cb10c02d23
Monitoring 2e8a8853-917a-4d26-9c3a-c92a7fa031e8 Enable logging by category group for App Configuration (microsoft.appconfiguration/configurationstores) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for App Configuration (microsoft.appconfiguration/configurationstores). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
2023-02-10 18:41:56
2e8a8853-917a-4d26-9c3a-c92a7fa031e8
SQL b4dec045-250a-48c2-b5cc-e0c4eec8b5b4 An Azure Active Directory administrator should be provisioned for PostgreSQL servers Audit provisioning of an Azure Active Directory administrator for your PostgreSQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
2023-02-10 18:41:56
b4dec045-250a-48c2-b5cc-e0c4eec8b5b4
Update Management Center ba0df93e-e4ac-479a-aac2-134bbae39a1a [Preview]: Schedule recurring updates using Update Management Center You can use update management center (private preview) in Azure to save recurring deployment schedules to install operating system updates for your Windows Server and Linux machines in Azure, in on-premises environments, and in other cloud environments connected using Azure Arc-enabled servers. This policy will also change the patch mode for the Azure Virtual Machine to 'AutomaticByPlatform'. See more: https://aka.ms/umc-scheduled-patching Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
change
2023-02-10 18:41:56
Minor, suffix remains equal (3.0.0-preview > 3.1.0-preview)
Monitoring 20f21bc7-b0b8-4d57-83df-5a8a0912b934 Enable logging by category group for Volumes (microsoft.netapp/netappaccounts/capacitypools/volumes) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Volumes (microsoft.netapp/netappaccounts/capacitypools/volumes). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
2023-02-10 18:41:56
20f21bc7-b0b8-4d57-83df-5a8a0912b934
Monitoring 1513498c-3091-461a-b321-e9b433218d28 Enable logging by category group for Public IP addresses (microsoft.network/publicipaddresses) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Public IP addresses (microsoft.network/publicipaddresses). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
2023-02-10 18:41:56
1513498c-3091-461a-b321-e9b433218d28
Monitoring aec4c33f-2f2a-4fd3-91cd-24a939513c60 Enable logging by category group for Azure Cache for Redis (microsoft.cache/redis) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure Cache for Redis (microsoft.cache/redis). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
2023-02-10 18:41:56
aec4c33f-2f2a-4fd3-91cd-24a939513c60
Monitoring 71153be3-4742-4aae-9aec-150f7589311b Enable logging by category group for Key vaults (microsoft.keyvault/vaults) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Key vaults (microsoft.keyvault/vaults). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
2023-02-10 18:41:56
71153be3-4742-4aae-9aec-150f7589311b
Monitoring f5094957-e0f7-4af2-9e14-13d60141dc4a Enable logging by category group for Event Grid Topics (microsoft.eventgrid/topics) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Event Grid Topics (microsoft.eventgrid/topics). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
2023-02-10 18:41:56
f5094957-e0f7-4af2-9e14-13d60141dc4a
Monitoring 614d9fbd-68cd-4832-96db-3362069661b2 Enable logging by category group for IoT Hub (microsoft.devices/iothubs) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for IoT Hub (microsoft.devices/iothubs). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
2023-02-10 18:41:56
614d9fbd-68cd-4832-96db-3362069661b2
Monitoring 1abe42e1-a726-4dee-94c2-79f364dac9b7 Enable logging by category group for Managed HSMs (microsoft.keyvault/managedhsms) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Managed HSMs (microsoft.keyvault/managedhsms). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
2023-02-10 18:41:56
1abe42e1-a726-4dee-94c2-79f364dac9b7
Monitoring 34c7546c-d637-4b5d-96ab-93fb6ed07af8 Enable logging by category group for Video Analyzers (microsoft.media/videoanalyzers) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Video Analyzers (microsoft.media/videoanalyzers). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
2023-02-10 18:41:56
34c7546c-d637-4b5d-96ab-93fb6ed07af8
Monitoring 8d253bba-a338-4fd9-9752-6b6edadca1eb Enable logging by category group for Media Services (microsoft.media/mediaservices) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Media Services (microsoft.media/mediaservices). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
2023-02-10 18:41:56
8d253bba-a338-4fd9-9752-6b6edadca1eb
Monitoring 8656d368-0643-4374-a63f-ae0ed4da1d9a Enable logging by category group for SQL databases (microsoft.sql/servers/databases) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for SQL databases (microsoft.sql/servers/databases). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
2023-02-10 18:41:56
8656d368-0643-4374-a63f-ae0ed4da1d9a
Monitoring cac9e1c5-c3cb-47fa-8d4c-88b8559262d2 Enable logging by category group for microsoft.network/p2svpngateways to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.network/p2svpngateways. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
2023-02-10 18:41:56
cac9e1c5-c3cb-47fa-8d4c-88b8559262d2
Monitoring 56288eb2-4350-461d-9ece-2bb242269dce Enable logging by category group for Container registries (microsoft.containerregistry/registries) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Container registries (microsoft.containerregistry/registries). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
2023-02-10 18:41:56
56288eb2-4350-461d-9ece-2bb242269dce
Monitoring e9c56c41-d453-4a80-af93-2331afeb3d82 Enable logging by category group for Front Door and CDN profiles (microsoft.network/frontdoors) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Front Door and CDN profiles (microsoft.network/frontdoors). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
2023-02-10 18:41:56
e9c56c41-d453-4a80-af93-2331afeb3d82
Managed Identity 516187d4-ef64-4a1b-ad6b-a7348502976c [Preview]: Assign Built-In User-Assigned Managed Identity to Virtual Machine Scale Sets Create and assign a built-in user-assigned managed identity or assign a pre-created user-assigned managed identity at scale to virtual machine scale sets. For more detailed documentation, visit aka.ms/managedidentitypolicy. Default
DeployIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled
count: 002
Contributor
User Access Administrator
change
2023-02-10 18:41:56
Patch, suffix remains equal (1.0.2-preview > 1.0.3-preview)
Monitoring eb5a4c26-04cb-4ab1-81cb-726dc58df772 Enable logging by category group for Front Door and CDN profiles (microsoft.network/frontdoors) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Front Door and CDN profiles (microsoft.network/frontdoors). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
2023-02-10 18:41:56
eb5a4c26-04cb-4ab1-81cb-726dc58df772
Monitoring 9ba29e83-863d-4fec-81d0-16dd87067cc3 Enable logging by category group for Container registries (microsoft.containerregistry/registries) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Container registries (microsoft.containerregistry/registries). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
2023-02-10 18:41:56
9ba29e83-863d-4fec-81d0-16dd87067cc3
Monitoring 0925a080-ab8d-44a1-a39c-61e184b4d8f9 Enable logging by category group for Media Services (microsoft.media/mediaservices) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Media Services (microsoft.media/mediaservices). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
2023-02-10 18:41:56
0925a080-ab8d-44a1-a39c-61e184b4d8f9
Monitoring 6b2899d8-5fdf-4ade-ba59-f1f82664877b Enable logging by category group for Bastions (microsoft.network/bastionhosts) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Bastions (microsoft.network/bastionhosts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
2023-02-10 18:41:56
6b2899d8-5fdf-4ade-ba59-f1f82664877b
Monitoring 3496f6fd-57ba-485c-8a14-183c4493b781 Enable logging by category group for Event Grid Partner Namespaces (microsoft.eventgrid/partnernamespaces) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Event Grid Partner Namespaces (microsoft.eventgrid/partnernamespaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
2023-02-10 18:41:56
3496f6fd-57ba-485c-8a14-183c4493b781
Monitoring 856331d3-0169-4dd9-9b04-cbb2ad3d1cf2 Enable logging by category group for Attestation providers (microsoft.attestation/attestationproviders) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Attestation providers (microsoft.attestation/attestationproviders). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
2023-02-10 18:41:56
856331d3-0169-4dd9-9b04-cbb2ad3d1cf2
Monitoring 3dd58519-427e-42a4-8ffc-e415a3c716f1 Enable logging by category group for Service Bus Namespaces (microsoft.servicebus/namespaces) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Service Bus Namespaces (microsoft.servicebus/namespaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
2023-02-10 18:41:56
3dd58519-427e-42a4-8ffc-e415a3c716f1
Monitoring 39741c6f-5e8b-4511-bba4-6662d0e0e2ac Enable logging by category group for Attestation providers (microsoft.attestation/attestationproviders) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Attestation providers (microsoft.attestation/attestationproviders). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
2023-02-10 18:41:56
39741c6f-5e8b-4511-bba4-6662d0e0e2ac
Monitoring 76539a09-021e-4300-953b-4c6018ac26dc Enable logging by category group for Front Door and CDN profiles (microsoft.cdn/profiles) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Front Door and CDN profiles (microsoft.cdn/profiles). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
2023-02-10 18:41:56
76539a09-021e-4300-953b-4c6018ac26dc
Monitoring e7c86682-34c1-488a-9aab-9cb279207992 Enable logging by category group for Service Bus Namespaces (microsoft.servicebus/namespaces) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Service Bus Namespaces (microsoft.servicebus/namespaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
2023-02-10 18:41:56
e7c86682-34c1-488a-9aab-9cb279207992
Monitoring 55d1f543-d1b0-4811-9663-d6d0dbc6326d Enable logging by category group for Cognitive Services (microsoft.cognitiveservices/accounts) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Cognitive Services (microsoft.cognitiveservices/accounts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
2023-02-10 18:41:56
55d1f543-d1b0-4811-9663-d6d0dbc6326d
Monitoring 9f4e810a-899e-4e5e-8174-abfcf15739a3 Enable logging by category group for Front Door and CDN profiles (microsoft.cdn/profiles) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Front Door and CDN profiles (microsoft.cdn/profiles). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
2023-02-10 18:41:56
9f4e810a-899e-4e5e-8174-abfcf15739a3
Monitoring 93a604fe-0ec2-4a99-ab8c-7ef08f05555a Enable logging by category group for SignalR (microsoft.signalrservice/signalr) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for SignalR (microsoft.signalrservice/signalr). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
2023-02-10 18:41:56
93a604fe-0ec2-4a99-ab8c-7ef08f05555a
Monitoring fe85de62-a656-4b79-9d94-d95c89319bd9 Enable logging by category group for Log Analytics workspaces (microsoft.operationalinsights/workspaces) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Log Analytics workspaces (microsoft.operationalinsights/workspaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
2023-02-10 18:41:56
fe85de62-a656-4b79-9d94-d95c89319bd9
Monitoring d9f11fea-dd45-46aa-8908-b7a146f1e543 Enable logging by category group for Automation Accounts (microsoft.automation/automationaccounts) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Automation Accounts (microsoft.automation/automationaccounts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
2023-02-10 18:41:56
d9f11fea-dd45-46aa-8908-b7a146f1e543
Monitoring b90ec596-faa6-4c61-9515-34085703e260 Enable logging by category group for Event Grid Domains (microsoft.eventgrid/domains) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Event Grid Domains (microsoft.eventgrid/domains). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
2023-02-10 18:41:56
b90ec596-faa6-4c61-9515-34085703e260
Monitoring 07c818eb-df75-4465-9233-6a8667e86670 Enable logging by category group for Automation Accounts (microsoft.automation/automationaccounts) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Automation Accounts (microsoft.automation/automationaccounts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
2023-02-10 18:41:56
07c818eb-df75-4465-9233-6a8667e86670
Monitoring 5f6f2aba-e57f-42ed-9aeb-ffa7321a56db Enable logging by category group for SQL managed instances (microsoft.sql/managedinstances) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for SQL managed instances (microsoft.sql/managedinstances). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
2023-02-10 18:41:56
5f6f2aba-e57f-42ed-9aeb-ffa7321a56db
Monitoring 8d0726a6-abae-4b04-9d2e-1f2f67a47e6d Enable logging by category group for App Configuration (microsoft.appconfiguration/configurationstores) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for App Configuration (microsoft.appconfiguration/configurationstores). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
2023-02-10 18:41:56
8d0726a6-abae-4b04-9d2e-1f2f67a47e6d
Monitoring a142867f-3142-4ac6-b952-ab950a29fca5 Enable logging by category group for Azure Cache for Redis (microsoft.cache/redis) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Azure Cache for Redis (microsoft.cache/redis). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
2023-02-10 18:41:56
a142867f-3142-4ac6-b952-ab950a29fca5
Monitoring 94d707a8-ce27-4851-9ce2-07dfe96a095b Enable logging by category group for IoT Hub (microsoft.devices/iothubs) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for IoT Hub (microsoft.devices/iothubs). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
2023-02-10 18:41:56
94d707a8-ce27-4851-9ce2-07dfe96a095b
Monitoring 6ccd32f6-0a9a-40cf-9c5b-6cfd6aba33e9 Enable logging by category group for Virtual network gateways (microsoft.network/virtualnetworkgateways) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Virtual network gateways (microsoft.network/virtualnetworkgateways). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
2023-02-10 18:41:56
6ccd32f6-0a9a-40cf-9c5b-6cfd6aba33e9
Monitoring 5a6186f9-04a4-4320-b6ed-a1c3f2ebbc3b Enable logging by category group for Managed HSMs (microsoft.keyvault/managedhsms) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Managed HSMs (microsoft.keyvault/managedhsms). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
2023-02-10 18:41:56
5a6186f9-04a4-4320-b6ed-a1c3f2ebbc3b
Monitoring f969646f-b6b8-45a0-b736-bf9b4bb933dc Enable logging by category group for Azure FarmBeats (microsoft.agfoodplatform/farmbeats) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure FarmBeats (microsoft.agfoodplatform/farmbeats). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
2023-02-10 18:41:56
f969646f-b6b8-45a0-b736-bf9b4bb933dc
Monitoring 50cebe4c-8021-4f07-bcb2-6c80622444a9 Enable logging by category group for AVS Private clouds (microsoft.avs/privateclouds) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for AVS Private clouds (microsoft.avs/privateclouds). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
2023-02-10 18:41:56
50cebe4c-8021-4f07-bcb2-6c80622444a9
Monitoring 00ec9865-beb6-4cfd-82ed-bd8f50756acd Enable logging by category group for microsoft.network/p2svpngateways to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.network/p2svpngateways. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
2023-02-10 18:41:56
00ec9865-beb6-4cfd-82ed-bd8f50756acd
Monitoring f873a711-0322-4744-8322-7e62950fbec2 Enable logging by category group for Event Grid Partner Namespaces (microsoft.eventgrid/partnernamespaces) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Event Grid Partner Namespaces (microsoft.eventgrid/partnernamespaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
2023-02-10 18:41:56
f873a711-0322-4744-8322-7e62950fbec2
Monitoring a8de4d0a-d637-4684-b70e-6df73b74d117 Enable logging by category group for Azure Machine Learning (microsoft.machinelearningservices/workspaces) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Azure Machine Learning (microsoft.machinelearningservices/workspaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
2023-02-10 18:41:56
a8de4d0a-d637-4684-b70e-6df73b74d117
Monitoring be9259e2-a221-4411-84fd-dd22c6691653 Enable logging by category group for Bastions (microsoft.network/bastionhosts) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Bastions (microsoft.network/bastionhosts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
2023-02-10 18:41:56
be9259e2-a221-4411-84fd-dd22c6691653
Monitoring 69214fad-6742-49a9-8f71-ee9d269364ab Enable logging by category group for Media Services (microsoft.media/mediaservices) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Media Services (microsoft.media/mediaservices). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
2023-02-10 18:41:56
69214fad-6742-49a9-8f71-ee9d269364ab
Monitoring ed6ae75a-828f-4fea-88fd-dead1145f1dd Enable logging by category group for Virtual network gateways (microsoft.network/virtualnetworkgateways) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Virtual network gateways (microsoft.network/virtualnetworkgateways). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
2023-02-10 18:41:56
ed6ae75a-828f-4fea-88fd-dead1145f1dd
Monitoring 106cd3bd-50a1-466c-869f-f9c2d310477b Enable logging by category group for Container registries (microsoft.containerregistry/registries) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Container registries (microsoft.containerregistry/registries). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
2023-02-10 18:41:56
106cd3bd-50a1-466c-869f-f9c2d310477b
Monitoring 8fc4ca5f-6abc-4b30-9565-0bd91ac49420 Enable logging by category group for SQL managed instances (microsoft.sql/managedinstances) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for SQL managed instances (microsoft.sql/managedinstances). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
2023-02-10 18:41:56
8fc4ca5f-6abc-4b30-9565-0bd91ac49420
Monitoring a81eb966-6696-46b1-9153-bed01569a7d0 Enable logging by category group for Event Grid Domains (microsoft.eventgrid/domains) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Event Grid Domains (microsoft.eventgrid/domains). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
2023-02-10 18:41:56
a81eb966-6696-46b1-9153-bed01569a7d0
Monitoring 39aa567d-69c2-4cc0-aaa9-76c6d4006b14 Enable logging by category group for Public IP addresses (microsoft.network/publicipaddresses) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Public IP addresses (microsoft.network/publicipaddresses). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
2023-02-10 18:41:56
39aa567d-69c2-4cc0-aaa9-76c6d4006b14
Monitoring e20f31d7-6b6d-4644-962a-ae513a85ab0b Enable logging by category group for Event Hubs Namespaces (microsoft.eventhub/namespaces) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Event Hubs Namespaces (microsoft.eventhub/namespaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
2023-02-10 18:41:56
e20f31d7-6b6d-4644-962a-ae513a85ab0b
Monitoring 73fb42d8-b57f-41cd-a840-8f4dedb1dd27 Enable logging by category group for AVS Private clouds (microsoft.avs/privateclouds) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for AVS Private clouds (microsoft.avs/privateclouds). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
2023-02-10 18:41:56
73fb42d8-b57f-41cd-a840-8f4dedb1dd27
Managed Identity d367bd60-64ca-4364-98ea-276775bddd94 [Preview]: Assign Built-In User-Assigned Managed Identity to Virtual Machines Create and assign a built-in user-assigned managed identity or assign a pre-created user-assigned managed identity at scale to virtual machines. For more detailed documentation, visit aka.ms/managedidentitypolicy. Default
DeployIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled
count: 002
Contributor
User Access Administrator
change
2023-02-10 18:41:56
Patch, suffix remains equal (1.0.2-preview > 1.0.3-preview)
Monitoring f08edf17-5de2-4966-8c62-a50a3f4368ff Enable logging by category group for Video Analyzers (microsoft.media/videoanalyzers) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Video Analyzers (microsoft.media/videoanalyzers). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
2023-02-10 18:41:56
f08edf17-5de2-4966-8c62-a50a3f4368ff
Monitoring a285df35-0164-4f4d-9e04-c39056742c55 Enable logging by category group for Volumes (microsoft.netapp/netappaccounts/capacitypools/volumes) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Volumes (microsoft.netapp/netappaccounts/capacitypools/volumes). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
2023-02-10 18:41:56
a285df35-0164-4f4d-9e04-c39056742c55
Monitoring fcfe6bfa-dd36-40ef-ab2b-ed46f7d4abdb Enable logging by category group for Event Grid Topics (microsoft.eventgrid/topics) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Event Grid Topics (microsoft.eventgrid/topics). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
2023-02-10 18:41:56
fcfe6bfa-dd36-40ef-ab2b-ed46f7d4abdb
Monitoring fc66c506-9397-485e-9451-acc1525f0070 Enable logging by category group for Microsoft Purview accounts (microsoft.purview/accounts) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Microsoft Purview accounts (microsoft.purview/accounts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
2023-02-10 18:41:56
fc66c506-9397-485e-9451-acc1525f0070
Monitoring 3a8ff864-d881-44ce-bed3-0c63ede634cb Enable logging by category group for API Management services (microsoft.apimanagement/service) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for API Management services (microsoft.apimanagement/service). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
2023-02-10 18:41:56
3a8ff864-d881-44ce-bed3-0c63ede634cb
Monitoring edf35972-ed56-4c2f-a4a1-65f0471ba702 Enable logging by category group for Key vaults (microsoft.keyvault/vaults) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Key vaults (microsoft.keyvault/vaults). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
2023-02-10 18:41:56
edf35972-ed56-4c2f-a4a1-65f0471ba702
API Management f1cc7827-022c-473e-836e-5a51cae0b249 API Management secret named values should be stored in Azure Key Vault Named values are a collection of name and value pairs in each API Management service. Secret values can be stored either as encrypted text in API Management (custom secrets) or by referencing secrets in Azure Key Vault. To improve security of API Management and secrets, reference secret named values from Azure Key Vault. Azure Key Vault supports granular access management and secret rotation policies. Default
Audit
Allowed
Audit, Disabled, Deny
change
2023-02-10 18:41:56
Patch (1.0.1 > 1.0.2)
Monitoring b88bfd90-4da5-43eb-936f-ae1481924291 Enable logging by category group for Managed HSMs (microsoft.keyvault/managedhsms) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Managed HSMs (microsoft.keyvault/managedhsms). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
2023-02-10 18:41:56
b88bfd90-4da5-43eb-936f-ae1481924291
Monitoring 90c90eda-bfe7-4c67-bf26-410420ed1047 Enable logging by category group for Azure Machine Learning (microsoft.machinelearningservices/workspaces) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure Machine Learning (microsoft.machinelearningservices/workspaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
2023-02-10 18:41:56
90c90eda-bfe7-4c67-bf26-410420ed1047
Monitoring f6d5d5d5-0fa9-4257-b820-69c35016c973 Enable logging by category group for Event Grid Partner Namespaces (microsoft.eventgrid/partnernamespaces) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Event Grid Partner Namespaces (microsoft.eventgrid/partnernamespaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
2023-02-10 18:41:56
f6d5d5d5-0fa9-4257-b820-69c35016c973
Monitoring 0f708273-cf83-4d29-b31b-ebaf8d0eb8c2 Enable logging by category group for Azure FarmBeats (microsoft.agfoodplatform/farmbeats) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Azure FarmBeats (microsoft.agfoodplatform/farmbeats). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
2023-02-10 18:41:56
0f708273-cf83-4d29-b31b-ebaf8d0eb8c2
Monitoring a9ebdeda-251a-4311-92be-5167d73b1682 Enable logging by category group for Azure FarmBeats (microsoft.agfoodplatform/farmbeats) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Azure FarmBeats (microsoft.agfoodplatform/farmbeats). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
2023-02-10 18:41:56
a9ebdeda-251a-4311-92be-5167d73b1682
Monitoring c3b912c2-7f5b-47ac-bd52-8c85a7667961 Enable logging by category group for Volumes (microsoft.netapp/netappaccounts/capacitypools/volumes) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Volumes (microsoft.netapp/netappaccounts/capacitypools/volumes). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
2023-02-10 18:41:56
c3b912c2-7f5b-47ac-bd52-8c85a7667961
Monitoring 94f686d6-9a24-4e19-91f1-de937dc171a4 Configure Windows Arc-enabled machines to run Azure Monitor Agent Automate the deployment of Azure Monitor Agent extension on your Windows Arc-enabled machines for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Azure Connected Machine Resource Administrator
change
2023-02-03 18:39:01
Minor (2.1.0 > 2.2.0)
Monitoring c24c537f-2516-4c2f-aac5-2cd26baa3d26 Configure Windows Arc Machines to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Windows Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations is updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
2023-02-03 18:39:01
Minor (2.0.0 > 2.1.0)
Monitoring 845857af-0333-4c5d-bbbc-6076697da122 Configure Linux Arc-enabled machines to run Azure Monitor Agent Automate the deployment of Azure Monitor Agent extension on your Linux Arc-enabled machines for collecting telemetry data from the guest OS. This policy will install the extension if the region is supported. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Azure Connected Machine Resource Administrator
change
2023-02-03 18:39:01
Minor (2.1.0 > 2.2.0)
Key Vault a6abeaec-4d90-4a02-805f-6b26c4d3fbe9 Azure Key Vaults should use private link Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to key vault, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/akvprivatelink. Default
Audit
Allowed
Audit, Deny, Disabled
change
2023-02-03 18:39:01
Minor (1.0.1 > 1.2.1)
Monitoring ec621e21-8b48-403d-a549-fc9023d4747f Windows Arc-enabled machines should have Azure Monitor Agent installed Windows Arc-enabled machines should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. Windows Arc-enabled machines in supported regions are monitored for Azure Monitor Agent deployment. Learn more: https://aka.ms/AMAOverview. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
2023-02-03 18:39:01
Minor (1.0.1 > 1.1.0)
Monitoring eab1f514-22e3-42e3-9a1f-e1dc9199355c Configure Windows Machines to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Windows virtual machines, virtual machine scale sets, and Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images is updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
2023-02-03 18:39:01
Minor (4.0.0 > 4.1.0)
Monitoring 2ea82cdd-f2e8-4500-af75-67a2e084ca74 Configure Linux Machines to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Linux virtual machines, virtual machine scale sets, and Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images is updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
2023-02-03 18:39:01
Minor (6.0.0 > 6.1.0)
Monitoring f17d891d-ff20-46f2-bad3-9e0a5403a4d3 Linux Arc-enabled machines should have Azure Monitor Agent installed Linux Arc-enabled machines should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. This policy will audit Arc-enabled machines in supported regions. Learn more: https://aka.ms/AMAOverview. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
2023-02-03 18:39:01
Minor (1.0.1 > 1.1.0)
Monitoring d5c37ce1-5f52-4523-b949-f19bf945b73a Configure Linux Arc Machines to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Linux Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations is updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
2023-02-03 18:39:01
Minor (2.0.0 > 2.1.0)
SQL 5e1de0e3-42cb-4ebc-a86d-61d0c619ca48 Public network access should be disabled for PostgreSQL flexible servers Disabling the public network access property improves security by ensuring your Azure Database for PostgreSQL flexible servers can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range and denies all logins that match IP or virtual network-based firewall rules. Default
Audit
Allowed
Audit, Deny, Disabled
change
2023-01-27 18:40:07
Patch (3.0.0 > 3.0.1)
Network 5e1cd26a-5090-4fdb-9d6a-84a90335e22d Configure network security groups to use specific workspace, storage account and flowlog retention policy for traffic analytics If a network security group already has traffic analytics enabled, the policy overwrites its existing settings with the ones provided during policy creation. Traffic analytics is a cloud-based solution that provides visibility into user and application activity in cloud networks. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
change
2023-01-27 18:40:07
Minor (1.1.0 > 1.2.0)
Network e920df7f-9a64-4066-9b58-52684c02a091 Configure network security groups to enable traffic analytics Traffic analytics can be enabled for all network security groups hosted in a particular region with the settings provided during policy creation. If a network security group already has traffic analytics enabled, the policy does not overwrite its settings. Flow logs are also enabled for network security groups that do not have them. Traffic analytics is a cloud-based solution that provides visibility into user and application activity in cloud networks. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
change
2023-01-27 18:40:07
Minor (1.1.0 > 1.2.0)
API Management 3aa03346-d8c5-4994-a5bc-7652c2a2aef1 API Management subscriptions should not be scoped to all APIs API Management subscriptions should be scoped to a product or an individual API instead of all APIs, which could result in an excessive data exposure. Default
Audit
Allowed
Audit, Disabled, Deny
change
2023-01-27 18:40:07
Minor (1.0.0 > 1.1.0)
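The two API Management entries above (secret named values should be Key Vault references; subscriptions should not be scoped to all APIs) can be checked locally before a Deny assignment is rolled out. The following is an added example written for this page, not Microsoft's policy rule and not code from the change log. It runs over ARM-style resource records; the resource types are the ones the policies name, while the property paths (properties.secret, properties.keyVault.secretIdentifier, properties.scope), the scope forms and the sample resources are assumptions constructed for the example.

```python
# Added example, not part of the change log and not Microsoft's policy rule:
# local checks that mirror the two API Management policies above, run over
# ARM-style resource records. The resource types come from the policies; the
# property paths (properties.secret, properties.keyVault.secretIdentifier,
# properties.scope) and the sample resources are assumptions constructed here.
from typing import Dict, List

NAMED_VALUE_TYPE = "microsoft.apimanagement/service/namedvalues"
SUBSCRIPTION_TYPE = "microsoft.apimanagement/service/subscriptions"


def secret_named_values_not_in_key_vault(resources: List[Dict]) -> List[str]:
    """Names of secret named values stored inline instead of as Key Vault references."""
    flagged = []
    for r in resources:
        if r.get("type", "").lower() != NAMED_VALUE_TYPE:
            continue
        props = r.get("properties", {})
        if not props.get("secret", False):
            continue  # non-secret named values are out of scope for this policy
        key_vault = props.get("keyVault") or {}
        if not key_vault.get("secretIdentifier"):
            flagged.append(r["name"])
    return flagged


def subscriptions_scoped_to_all_apis(resources: List[Dict]) -> List[str]:
    """Names of subscriptions whose scope is every API rather than a product or one API."""
    flagged = []
    for r in resources:
        if r.get("type", "").lower() != SUBSCRIPTION_TYPE:
            continue
        scope = r.get("properties", {}).get("scope", "")
        # Assumed scope forms: ".../apis" = all APIs, ".../apis/<id>" = one API,
        # ".../products/<id>" = one product. Only the first form is flagged.
        if scope.rstrip("/").lower().endswith("/apis"):
            flagged.append(r["name"])
    return flagged


# Constructed sample resources (fictional service, fictional names, no real secrets).
SAMPLE_RESOURCES = [
    {"type": "Microsoft.ApiManagement/service/namedValues", "name": "db-password",
     "properties": {"secret": True, "value": "inline-secret"}},
    {"type": "Microsoft.ApiManagement/service/namedValues", "name": "db-password-kv",
     "properties": {"secret": True,
                    "keyVault": {"secretIdentifier": "https://contoso-kv.vault.azure.net/secrets/db-password"}}},
    {"type": "Microsoft.ApiManagement/service/namedValues", "name": "api-base-url",
     "properties": {"secret": False, "value": "https://api.contoso.example"}},
    {"type": "Microsoft.ApiManagement/service/subscriptions", "name": "all-access",
     "properties": {"scope": "/apis"}},
    {"type": "Microsoft.ApiManagement/service/subscriptions", "name": "petstore-only",
     "properties": {"scope": "/apis/petstore"}},
    {"type": "Microsoft.ApiManagement/service/subscriptions", "name": "starter-product",
     "properties": {"scope": "/products/starter"}},
]

if __name__ == "__main__":
    print("secrets stored inline:", secret_named_values_not_in_key_vault(SAMPLE_RESOURCES))
    print("subscriptions scoped to all APIs:", subscriptions_scoped_to_all_apis(SAMPLE_RESOURCES))
```

Running the block over a real export of the two resource types gives the list of objects a Deny assignment would start rejecting on update, which is the practical reason to audit first and switch the effect afterwards.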
Network 0db34a60-64f4-4bf6-bd44-f95c16cf34b9 Deploy a flow log resource with target network security group Configures a flow log for a specific network security group. It logs information about IP traffic flowing through a network security group. Flow logs help to identify unknown or undesired traffic, verify network isolation and compliance with enterprise access rules, and analyze network flows from compromised IPs and network interfaces. Fixed
deployIfNotExists
count: 001
Contributor
change
2023-01-27 18:40:07
Minor (1.0.1 > 1.1.0)
SQL fd2d1a6e-6d95-4df2-ad00-504bf0273406 Configure Arc-enabled machines running SQL Server to have SQL Server extension installed. To ensure that SQL Server - Azure Arc resources are created by default when a SQL Server instance is found on an Azure Arc-enabled Windows/Linux server, the latter should have the SQL Server extension installed. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
User Access Administrator
change
2023-01-27 18:40:07
Minor (3.1.0 > 3.2.0)
Key Vault 12d4fa5e-1f9f-4c21-97a9-b99b3c6611b5 [Preview]: Azure Key Vault should use RBAC permission model Enable RBAC permission model across Key Vaults. Learn more at: https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-migration Default
Audit
Allowed
Audit, Deny, Disabled
add
2023-01-27 18:40:07
12d4fa5e-1f9f-4c21-97a9-b99b3c6611b5
Key Vault ed7c8c13-51e7-49d1-8a43-8490431a0da2 Deploy Diagnostic Settings for Key Vault to Event Hub Deploys the diagnostic settings for Key Vault to stream to a regional Event Hub when a Key Vault that is missing this diagnostic setting is created or updated. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
change
2023-01-23 18:07:09
Patch (3.0.0 > 3.0.1)
Kubernetes 6b2122c1-8120-4ff5-801b-17625a355590 Azure Arc enabled Kubernetes clusters should have the Azure Policy extension installed The Azure Policy extension for Azure Arc provides at-scale enforcements and safeguards on your Arc enabled Kubernetes clusters in a centralized, consistent manner. Learn more at https://aka.ms/akspolicydoc. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
2023-01-23 18:07:09
Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview)
Key Vault ac673a9a-f77d-4846-b2d8-a57f8e1c01d4 Configure Azure Key Vaults to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to key vault. Learn more at: https://aka.ms/akvprivatelink. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Network Contributor
change
2023-01-23 18:07:09
Patch, old suffix: preview (1.0.0-preview > 1.0.1)
Data Factory 0088bc63-6dee-4a9c-9d29-91cfdc848952 SQL Server Integration Services integration runtimes on Azure Data Factory should be joined to a virtual network Azure Virtual Network deployment provides enhanced security and isolation for your SQL Server Integration Services integration runtimes on Azure Data Factory, as well as subnets, access control policies, and other features to further restrict access. Default
Audit
Allowed
Audit, Deny, Disabled
change
2023-01-23 18:07:09
Minor (2.0.0 > 2.1.0)
Kubernetes 0adc5395-9169-4b9b-8687-af838d69410a Configure Azure Arc enabled Kubernetes clusters to install the Azure Policy extension Deploy Azure Policy's extension for Azure Arc to provide at-scale enforcements and safeguard your Arc enabled Kubernetes clusters in a centralized, consistent manner. Learn more at https://aka.ms/akspolicydoc. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Kubernetes Extension Contributor
change
2023-01-23 18:07:09
Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview)
Backup 2514263b-bc0d-4b06-ac3e-f262c0979018 [Preview]: Immutability must be enabled for backup vaults This policy audits if the immutable vaults property is enabled for Backup vaults in the scope. This helps protect your backup data from being deleted before its intended expiry. Learn more at https://aka.ms/AB-ImmutableVaults. Default
Audit
Allowed
Audit, Disabled
add
2023-01-23 18:07:09
2514263b-bc0d-4b06-ac3e-f262c0979018
Key Vault a6abeaec-4d90-4a02-805f-6b26c4d3fbe9 Azure Key Vaults should use private link Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to key vault, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/akvprivatelink. Default
Audit
Allowed
Audit, Deny, Disabled
change
2023-01-23 18:07:09
Patch, old suffix: preview (1.0.0-preview > 1.0.1)
Key Vault 9d4fad1f-5189-4a42-b29e-cf7929c6b6df Configure Azure Key Vaults with private endpoints Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to key vault, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/akvprivatelink. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Key Vault Contributor
Network Contributor
change
2023-01-23 18:07:09
Patch, old suffix: preview (1.0.0-preview > 1.0.1)
Backup 9798d31d-6028-4dee-8643-46102185c016 [Preview]: Soft delete should be enabled for Backup Vaults This policy audits if soft delete is enabled for Backup vaults in the scope. Soft delete can help you recover your data after it has been deleted. Learn more at https://aka.ms/AB-SoftDelete Default
Audit
Allowed
Audit, Disabled
add
2023-01-23 18:07:09
9798d31d-6028-4dee-8643-46102185c016
Web PubSub b66ab71c-582d-4330-adfd-ac162e78691e Azure Web PubSub Service should have local authentication methods disabled Disabling local authentication methods improves security by ensuring that Azure Web PubSub Service exclusively requires Azure Active Directory identities for authentication. Default
Audit
Allowed
Audit, Deny, Disabled
add
2023-01-13 18:06:06
b66ab71c-582d-4330-adfd-ac162e78691e
Event Hub 0602787f-9896-402a-a6e1-39ee63ee435e Event Hub Namespaces should disable public network access Azure Event Hub should have public network access disabled. Disabling public network access improves security by ensuring that the resource isn't exposed on the public internet. You can limit exposure of your resources by creating private endpoints instead. Learn more at: https://docs.microsoft.com/azure/event-hubs/private-link-service Default
Audit
Allowed
Audit, Deny, Disabled
add
2023-01-13 18:06:06
0602787f-9896-402a-a6e1-39ee63ee435e
Kubernetes 64def556-fbad-4622-930e-72d1d5589bf5 Configure Azure Kubernetes Service clusters to enable Defender profile Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. When you enable the SecurityProfile.AzureDefender on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data. Learn more about Microsoft Defender for Containers: https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Contributor
Log Analytics Contributor
change
2023-01-13 18:06:06
Patch (4.0.0 > 4.0.1)
Data Factory 85bb39b5-2f66-49f8-9306-77da3ac5130f Azure Data Factory integration runtime should have a limit for number of cores To manage your resources and costs, limit the number of cores for an integration runtime. Default
Audit
Allowed
Audit, Deny, Disabled
change
2023-01-13 18:06:06
Version remains equal, old suffix: preview (1.0.0-preview > 1.0.0)
Backup 9ebbbba3-4d65-4da9-bb67-b22cfaaff090 [Preview]: Azure Recovery Services vaults should disable public network access Disabling public network access improves security by ensuring that the recovery services vault is not exposed on the public internet. Creating private endpoints can limit exposure of the recovery services vault. Learn more at: https://aka.ms/AB-PublicNetworkAccess-Deny. Default
Audit
Allowed
Audit, Deny, Disabled
add
2023-01-13 18:06:06
9ebbbba3-4d65-4da9-bb67-b22cfaaff090
App Service 7261b898-8a84-4db8-9e04-18527132abb3 App Service apps that use PHP should use the latest 'PHP version' Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for App Service apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux apps. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
2023-01-13 18:06:06
Minor (3.0.0 > 3.1.0)
Guest Configuration 5752e6d6-1206-46d8-8ab1-ecc2f71a8112 Windows web servers should be configured to use secure communication protocols To protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using certificates to authenticate the server and negotiate an encrypted connection between machines. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
2023-01-13 18:06:06
Minor (4.0.0 > 4.1.0)
SQL 057d6cfe-9c4f-4a6d-bc60-14420ea1f1a9 [Deprecated]: Vulnerability Assessment settings for SQL server should contain an email address to receive scan reports This policy is deprecated. The policy ensures that an email address is provided for the 'Send scan reports to' field in the Vulnerability Assessment settings. This email address receives scan result summary after a periodic scan runs on SQL servers. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
2023-01-13 18:06:06
Version remains equal, new suffix: deprecated (2.0.0 > 2.0.0-deprecated)
Backup 98d0b9f8-fd90-49c9-88e2-d3baf3b0dd86 Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupExcludeTag. Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled
count: 002
Backup Contributor
Virtual Machine Contributor
change
2023-01-13 18:06:06
Minor (9.0.0 > 9.1.0)
Key Vault 1d478a74-21ba-4b9f-9d8f-8e6fced0eec5 [Preview]: Azure Key Vault Managed HSM keys should have an expiration date To use this policy in preview, you must first follow these instructions at https://aka.ms/mhsmgovernance. Cryptographic keys should have a defined expiration date and not be permanent. Keys that are valid forever provide a potential attacker with more time to compromise the key. It is a recommended security practice to set expiration dates on cryptographic keys. Default
Audit
Allowed
Audit, Deny, Disabled
change
2023-01-13 18:06:06
Patch, suffix remains equal (1.0.0-preview > 1.0.1-preview)
Key Vault 86810a98-8e91-4a44-8386-ec66d0de5d57 [Preview]: Azure Key Vault Managed HSM keys using RSA cryptography should have a specified minimum key size To use this policy in preview, you must first follow these instructions at https://aka.ms/mhsmgovernance. Set the minimum allowed key size for use with your key vaults. Use of RSA keys with small key sizes is not a secure practice and doesn't meet many industry certification requirements. Default
Audit
Allowed
Audit, Deny, Disabled
change
2023-01-13 18:06:06
Patch, suffix remains equal (1.0.0-preview > 1.0.1-preview)
Container Registry e9585a95-5b8c-4d03-b193-dc7eb5ac4c32 Configure Container registries to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to your Container Registry. Learn more at: https://aka.ms/privatednszone and https://aka.ms/acr/private-link. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Network Contributor
change
2023-01-13 18:06:06
Patch (1.0.0 > 1.0.1)
Update Management Center bfea026e-043f-4ff4-9d1b-bf301ca7ff46 [Preview]: Configure periodic checking for missing system updates on Azure Arc-enabled servers Configure auto-assessment (every 24 hours) for OS updates on Azure Arc-enabled servers. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. Fixed
modify
count: 001
Azure Connected Machine Resource Administrator
change
2023-01-13 18:06:06
Minor, suffix remains equal (2.0.0-preview > 2.1.0-preview)
Data Factory 77d40665-3120-4348-b539-3192ec808307 Azure Data Factory should use a Git repository for source control Enable source control on data factories, to gain capabilities such as change tracking, collaboration, continuous integration, and deployment. Default
Audit
Allowed
Audit, Deny, Disabled
change
2023-01-13 18:06:06
Version remains equal, old suffix: preview (1.0.0-preview > 1.0.0)
Service Bus cbd11fd3-3002-4907-b6c8-579f0e700e13 Service Bus Namespaces should disable public network access Azure Service Bus should have public network access disabled. Disabling public network access improves security by ensuring that the resource isn't exposed on the public internet. You can limit exposure of your resources by creating private endpoints instead. Learn more at: https://docs.microsoft.com/azure/service-bus-messaging/private-link-service Default
Audit
Allowed
Audit, Deny, Disabled
change
2023-01-13 18:06:06
Minor (1.0.0 > 1.1.0)
Data Factory f78ccdb4-7bf4-4106-8647-270491d2978a Azure Data Factory linked services should use system-assigned managed identity authentication when it is supported Using system-assigned managed identity when communicating with data stores via linked services avoids the use of less secured credentials such as passwords or connection strings. Default
Audit
Allowed
Audit, Deny, Disabled
change
2023-01-13 18:06:06
Version remains equal, old suffix: preview (2.0.0-preview > 2.0.0)
Backup 345fa903-145c-4fe1-8bcd-93ec2adccde8 Configure backup on virtual machines with a given tag to an existing recovery services vault in the same location Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupIncludeTag. Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled
count: 002
Backup Contributor
Virtual Machine Contributor
change
2023-01-13 18:06:06
Minor (9.0.0 > 9.1.0)
Backup 83644c87-93dd-49fe-bf9f-6aff8fd0834e Configure backup on virtual machines with a given tag to a new recovery services vault with a default policy Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupIncludeTag. Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled
count: 002
Backup Contributor
Virtual Machine Contributor
change
2023-01-13 18:06:06
Minor (9.0.0 > 9.1.0)
Security Center 7926a6d1-b268-4586-8197-e8ae90c877d7 [Preview]: Microsoft Defender for APIs should be enabled Microsoft Defender for APIs brings new discovery, protection, detection, & response coverage to monitor for common API based attacks & security misconfigurations. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
2023-01-13 18:06:06
Patch, new suffix: preview (1.0.0 > 1.0.1-preview)
Key Vault ad27588c-0198-4c84-81ef-08efd0274653 [Preview]: Azure Key Vault Managed HSM Keys should have more than the specified number of days before expiration To use this policy in preview, you must first follow these instructions at https://aka.ms/mhsmgovernance. If a key is too close to expiration, an organizational delay to rotate the key may result in an outage. Keys should be rotated at a specified number of days prior to expiration to provide sufficient time to react to a failure. Default
Audit
Allowed
Audit, Deny, Disabled
change
2023-01-13 18:06:06
Patch, suffix remains equal (1.0.0-preview > 1.0.1-preview)
Web PubSub 17f9d984-90c8-43dd-b7a6-76cb694815c1 Configure Azure Web PubSub Service to disable local authentication Disable local authentication methods so that your Azure Web PubSub Service exclusively requires Azure Active Directory identities for authentication. Default
Modify
Allowed
Modify, Disabled
count: 001
SignalR/Web PubSub Contributor
add
2023-01-13 18:06:06
17f9d984-90c8-43dd-b7a6-76cb694815c1
Machine Learning ee40564d-486e-4f68-a5ca-7a621edae0fb Configure Azure Machine Learning workspace to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Machine Learning workspaces. Learn more at: https://docs.microsoft.com/azure/machine-learning/how-to-network-security-overview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Network Contributor
change
2023-01-13 18:06:06
Minor (1.0.0 > 1.1.0)
Key Vault e58fd0c1-feac-4d12-92db-0a7e9421f53e [Preview]: Azure Key Vault Managed HSM keys using elliptic curve cryptography should have the specified curve names To use this policy in preview, you must first follow these instructions at https://aka.ms/mhsmgovernance. Keys backed by elliptic curve cryptography can have different curve names. Some applications are only compatible with specific elliptic curve keys. Enforce the types of elliptic curve keys that are allowed to be created in your environment. Default
Audit
Allowed
Audit, Deny, Disabled
change
2023-01-13 18:06:06
Patch, suffix remains equal (1.0.0-preview > 1.0.1-preview)
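The four Managed HSM key governance entries in this batch (keys should have an expiration date; keys should have more than a specified number of days before expiration; RSA keys should meet a minimum size; EC keys should use specified curve names) are all checks on key metadata, so they can be evaluated offline against an inventory before the Deny effect is assigned. The block below is an added example written for this page, not Microsoft's policy logic and not code from the change log. The record shape and field names (kty, key_size, crv, exp) are assumptions modelled on Key Vault key attributes, and the sample keys and evaluation time are constructed.

```python
# Added example (not part of the change log and not Microsoft's policy code):
# a local evaluator that applies the four Managed HSM key governance checks
# listed above (expiration set, minimum days before expiration, RSA minimum
# key size, allowed elliptic curve names) to key metadata. The record shape
# and field names (kty, key_size, crv, exp) are assumptions modelled on Key
# Vault key attributes; the sample keys and the evaluation time are constructed.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Sequence


@dataclass(frozen=True)
class KeyRecord:
    name: str
    kty: str                  # "RSA-HSM" or "EC-HSM" for Managed HSM keys (assumed)
    key_size: Optional[int]   # RSA modulus length in bits; None for EC keys
    crv: Optional[str]        # EC curve name; None for RSA keys
    exp: Optional[datetime]   # expiration time; None means the key never expires


def evaluate_key(key: KeyRecord, now: datetime, min_days_before_expiry: int = 30,
                 min_rsa_bits: int = 2048,
                 allowed_curves: Sequence[str] = ("P-256", "P-384", "P-521")) -> List[str]:
    """Return the list of policy findings for one key; an empty list means compliant."""
    findings: List[str] = []

    # Policy: keys should have an expiration date.
    if key.exp is None:
        findings.append("no expiration date")
    else:
        # Policy: keys should have more than N days left so rotation can happen in time.
        remaining = key.exp - now
        if remaining < timedelta(days=min_days_before_expiry):
            findings.append(f"expires in {remaining.days} days (< {min_days_before_expiry})")

    if key.kty.upper().startswith("RSA"):
        # Policy: RSA keys must meet the minimum size.
        if key.key_size is None or key.key_size < min_rsa_bits:
            findings.append(f"RSA key size {key.key_size} below {min_rsa_bits}")
    elif key.kty.upper().startswith("EC"):
        # Policy: EC keys must use one of the allowed curve names.
        if key.crv not in allowed_curves:
            findings.append(f"curve {key.crv} not in allowed list")
    else:
        findings.append(f"unexpected key type {key.kty}")

    return findings


def evaluate_keys(keys: Sequence[KeyRecord], now: datetime, **thresholds) -> Dict[str, List[str]]:
    """Evaluate every key and return {key name: findings}."""
    return {k.name: evaluate_key(k, now, **thresholds) for k in keys}


# Constructed evaluation time and sample keys (metadata only, no key material).
NOW = datetime(2023, 3, 21, 18, 43, tzinfo=timezone.utc)
SAMPLE_KEYS = [
    KeyRecord("app-signing", "RSA-HSM", 3072, None, NOW + timedelta(days=400)),
    KeyRecord("legacy-rsa", "RSA-HSM", 1024, None, None),
    KeyRecord("tls-ec", "EC-HSM", None, "P-256", NOW + timedelta(days=10)),
    KeyRecord("odd-curve", "EC-HSM", None, "P-256K", NOW + timedelta(days=200)),
]

if __name__ == "__main__":
    for name, findings in evaluate_keys(SAMPLE_KEYS, NOW).items():
        status = "compliant" if not findings else "; ".join(findings)
        print(f"{name}: {status}")
```

The thresholds are parameters for the same reason the policies expose them: the right number of days before expiration depends on how long the rotation process takes in a given organization, and a key with no expiration at all is reported separately because it never trips the days-remaining check.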
Data Factory 6809a3d0-d354-42fb-b955-783d207c62a8 Azure Data Factory linked service resource type should be in allow list Define the allow list of Azure Data Factory linked service types. Restricting allowed resource types enables control over the boundary of data movement. For example, restrict a scope to only allow blob storage with Data Lake Storage Gen1 and Gen2 for analytics or a scope to only allow SQL and Kusto access for real-time queries. Default
Audit
Allowed
Audit, Deny, Disabled
change
2023-01-13 18:06:06
Version remains equal, old suffix: preview (1.0.0-preview > 1.0.0)
Backup 09ce66bc-1220-4153-8104-e3f51c936913 Configure backup on virtual machines without a given tag to an existing recovery services vault in the same location Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupExcludeTag. Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled
count: 002
Backup Contributor
Virtual Machine Contributor
change
2023-01-13 18:06:06
Minor (9.0.0 > 9.1.0)
SQL 86a912f6-9a06-4e26-b447-11b16ba8659f Deploy SQL DB transparent data encryption Enables transparent data encryption on SQL databases Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
SQL DB Contributor
change
2023-01-13 18:06:06
Minor (2.1.0 > 2.2.0)
Security Center e54d2be9-5f2e-4d65-98e4-4f0e670b23d6 [Preview]: Configure Microsoft Defender for APIs should be enabled Microsoft Defender for APIs brings new discovery, protection, detection, & response coverage to monitor for common API based attacks & security misconfigurations. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Security Admin
change
2023-01-13 18:06:06
Patch, new suffix: preview (1.0.0 > 1.0.1-preview)
Machine Learning f110a506-2dcb-422e-bcea-d533fc8c35e2 [Preview]: Audit Azure Machine Learning Compute Instances with an outdated operating system Compute instances are non-compliant if the instance has an outdated operating system version. For more information, visit http://aka.ms/azureml-ci-updates/. Fixed
[parameters('effects')]
add
2023-01-13 18:06:06
f110a506-2dcb-422e-bcea-d533fc8c35e2
Data Factory 127ef6d7-242f-43b3-9eef-947faf1725d0 Azure Data Factory linked services should use Key Vault for storing secrets To ensure secrets (such as connection strings) are managed securely, require users to provide secrets using an Azure Key Vault instead of specifying them inline in linked services. Default
Audit
Allowed
Audit, Deny, Disabled
change
2023-01-13 18:06:06
Version remains equal, old suffix: preview (1.0.0-preview > 1.0.0)
General a451c1ef-c6ca-483d-87ed-f49761e3ffb5 Audit usage of custom RBAC roles Audit the use of custom RBAC roles. Prefer built-in roles such as 'Owner', 'Contributor' and 'Reader', since custom roles are error prone; using a custom role is treated as an exception and requires a rigorous review and threat modeling. Default
Audit
Allowed
Audit, Disabled
change
2023-01-13 18:06:06
Patch (1.0.0 > 1.0.1)
Guest Configuration 357cbd2d-b5c0-4c73-b40c-6bd84f06ce09 [Preview]: Configure Windows Server to disable local users. Creates a Guest Configuration assignment to configure disabling local users on Windows Server. This ensures that Windows Servers can only be accessed by an AAD (Azure Active Directory) account or by the users explicitly allowed by this policy, improving overall security posture. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Guest Configuration Resource Contributor
change
2023-01-04 18:03:56
Minor, suffix remains equal (1.1.0-preview > 1.2.0-preview)
Guest Configuration cd22fc48-f2c9-4b86-98d3-ec1268b46a8a Configure Linux Server to disable local users. Creates a Guest Configuration assignment to configure disabling local users on Linux Server. This ensures that Linux Servers can only be accessed by an AAD (Azure Active Directory) account or by the users explicitly allowed by this policy, improving overall security posture. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Guest Configuration Resource Contributor
change
2023-01-04 18:03:56
Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview)
Security Center 221aac80-54d8-484b-83d7-24f4feac2ce0 [Preview]: ChangeTracking extension should be installed on your Windows virtual machine Install ChangeTracking Extension on Windows virtual machines to enable File Integrity Monitoring (FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitoring Agent. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
2022-12-21 17:43:51
Major, suffix remains equal (1.0.0-preview > 2.0.0-preview)
ChangeTrackingAndInventory 8fd85785-1547-4a4a-bf90-d5483c9571c5 [Preview]: Configure Windows VMSS to be associated with a Data Collection Rule for ChangeTracking and Inventory Deploy Association to link Windows virtual machine scale sets to specified Data Collection Rule to enable ChangeTracking and Inventory. The list of locations and OS images is updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
add
2022-12-21 17:43:51
8fd85785-1547-4a4a-bf90-d5483c9571c5
Security Center 8893442c-e7cb-4637-bab8-299a5d4ed96a [Preview]: ChangeTracking extension should be installed on your Linux virtual machine Install ChangeTracking Extension on Linux virtual machines to enable File Integrity Monitoring (FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitoring Agent. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
2022-12-21 17:43:51
Major, suffix remains equal (1.0.0-preview > 2.0.0-preview)
Azure Databricks 138ff14d-b687-4faa-a81c-898c91a87fa2 Resource logs in Azure Databricks Workspace should be enabled Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
2022-12-21 17:43:51
138ff14d-b687-4faa-a81c-898c91a87fa2
Azure Databricks 51c1490f-3319-459c-bbbc-7f391bbed753 Clusters that are part of Azure Databricks Workspaces should disable public IP Clusters part of Azure Databricks Workspaces should have public IP disabled. Disabling public IP of clusters in Azure Databricks Workspaces improves security by ensuring that the resource isn't exposed on the public internet. Learn more at: https://learn.microsoft.com/azure/databricks/security/secure-cluster-connectivity Default
Audit
Allowed
Audit, Deny, Disabled
add
2022-12-21 17:43:51
51c1490f-3319-459c-bbbc-7f391bbed753
Guest Configuration 357cbd2d-b5c0-4c73-b40c-6bd84f06ce09 [Preview]: Configure Windows Server to disable local users. Creates a Guest Configuration assignment to configure disabling local users on Windows Server. This ensures that Windows Servers can only be accessed by an AAD (Azure Active Directory) account or by the users explicitly allowed by this policy, improving overall security posture. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Guest Configuration Resource Contributor
change
2022-12-21 17:43:51
Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview)
Security Center e71c1e29-9c76-4532-8c4b-cb0573b0014c [Preview]: ChangeTracking extension should be installed on your Linux virtual machine scale sets Install ChangeTracking Extension on Linux virtual machine scale sets to enable File Integrity Monitoring (FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitoring Agent. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
2022-12-21 17:43:51
Major, suffix remains equal (1.0.0-preview > 2.0.0-preview)
Monitoring d5c37ce1-5f52-4523-b949-f19bf945b73a Configure Linux Arc Machines to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Linux Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations is updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
2022-12-21 17:43:51
Major (1.0.1 > 2.0.0)
ChangeTrackingAndInventory 09a1f130-7697-42bc-8d84-8a9ea17e5187 [Preview]: Configure Linux Arc-enabled machines to install AMA for ChangeTracking and Inventory Automate the deployment of Azure Monitor Agent extension on your Linux Arc-enabled machines for enabling ChangeTracking and Inventory. This policy will install the extension if the region is supported. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Azure Connected Machine Resource Administrator
add
2022-12-21 17:43:51
09a1f130-7697-42bc-8d84-8a9ea17e5187
ChangeTrackingAndInventory ef9fe2ce-a588-4edd-829c-6247069dcfdb [Preview]: Configure Windows Arc-enabled machines to be associated with a Data Collection Rule for ChangeTracking and Inventory Deploy Association to link Windows Arc-enabled machines to specified Data Collection Rule to enable ChangeTracking and Inventory. The list of locations is updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
add
2022-12-21 17:43:51
ef9fe2ce-a588-4edd-829c-6247069dcfdb
Guest Configuration cd22fc48-f2c9-4b86-98d3-ec1268b46a8a Configure Linux Server to disable local users. Creates a Guest Configuration assignment to configure disabling local users on Linux Server. This ensures that Linux Servers can only be accessed by an AAD (Azure Active Directory) account or by the users explicitly allowed by this policy, improving overall security posture. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Guest Configuration Resource Contributor
add
2022-12-21 17:43:51
cd22fc48-f2c9-4b86-98d3-ec1268b46a8a
Update Management Center bd876905-5b84-4f73-ab2d-2e7a7c4568d9 [Preview]: Machines should be configured to periodically check for missing system updates To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. Default
Audit
Allowed
Audit, Deny, Disabled
change
2022-12-21 17:43:51
Major, suffix remains equal (2.0.0-preview > 3.0.0-preview)
Security Center 4bb303db-d051-4099-95d2-e3e1428a4d00 [Preview]: ChangeTracking extension should be installed on your Windows virtual machine scale sets Install ChangeTracking Extension on Windows virtual machine scale sets to enable File Integrity Monitoring (FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitoring Agent. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
2022-12-21 17:43:51
Major, suffix remains equal (1.0.0-preview > 2.0.0-preview)
App Service ab9ca4fc-5d29-4c62-bbad-018df1f5f0dd [Deprecated]: App Service app slots should enable outbound non-RFC 1918 traffic to Azure Virtual Network By default, if one uses regional Azure Virtual Network (VNET) integration, the app only routes RFC1918 traffic into that respective virtual network. Using the API to set 'vnetRouteAllEnabled' to true enables all outbound traffic into the Azure Virtual Network. This setting allows features like network security groups and user defined routes to be used for all outbound traffic from the App Service app. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
2022-12-21 17:43:51
Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated)
Security Center d30025d0-6d64-656d-6465-67688881b632 [Preview]: Deploy Microsoft Defender for Endpoint agent on Linux virtual machines Deploys Microsoft Defender for Endpoint agent on applicable Linux VM images. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Contributor
change
2022-12-21 17:43:51
Major, suffix remains equal (2.0.1-preview > 3.0.0-preview)
Monitoring 58e891b9-ce13-4ac3-86e4-ac3e1f20cb07 Configure Linux Virtual Machines to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Linux virtual machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images is updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
2022-12-21 17:43:51
Major (3.0.0 > 4.0.0)
Security Center ec88097d-843f-4a92-8471-78016d337ba4 [Preview]: Configure ChangeTracking Extension for Linux virtual machines Configure Linux virtual machines to automatically install the ChangeTracking Extension to enable File Integrity Monitoring (FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitor Agent. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
2022-12-21 17:43:51
Major, suffix remains equal (1.1.0-preview > 2.0.0-preview)
ChangeTrackingAndInventory a7acfae7-9497-4a3f-a3b5-a16a50abbe2f [Preview]: Configure Windows Arc-enabled machines to install AMA for ChangeTracking and Inventory Automate the deployment of Azure Monitor Agent extension on your Windows Arc-enabled machines for enabling ChangeTracking and Inventory. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Azure Connected Machine Resource Administrator
add
2022-12-21 17:43:51
a7acfae7-9497-4a3f-a3b5-a16a50abbe2f
Security Center 1288c8d7-4b05-4e3a-bc88-9053caefc021 [Preview]: Configure ChangeTracking Extension for Linux virtual machine scale sets Configure Linux virtual machine scale sets to automatically install the ChangeTracking Extension to enable File Integrity Monitoring (FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitor Agent. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
2022-12-21 17:43:51
Major, suffix remains equal (1.1.0-preview > 2.0.0-preview)
Storage 2fb86bf3-d221-43d1-96d1-2434af34eaa0 Configure diagnostic settings for Table Services to Log Analytics workspace Deploys the diagnostic settings for Table Services to stream resource logs to a Log Analytics workspace when any Table Service that is missing these diagnostic settings is created or updated. Note: This policy is not triggered upon Storage Account creation and requires creation of a remediation task in order to update the account. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
2022-12-21 17:43:51
Patch (4.0.0 > 4.0.1)
Monitoring 0a3b9bf4-d30e-424a-af6b-9a93f6f78792 Configure Windows Virtual Machine Scale Sets to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Windows virtual machine scale sets to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images is updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
2022-12-21 17:43:51
Major (2.0.0 > 3.0.0)
Update Management Center 59efceea-0c96-497e-a4a1-4eb2290dac15 [Preview]: Configure periodic checking for missing system updates on Azure virtual machines Configure auto-assessment (every 24 hours) for OS updates on native Azure virtual machines. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. Fixed
modify
count: 001
Virtual Machine Contributor
change
2022-12-21 17:43:51
Major, suffix remains equal (3.0.0-preview > 4.0.0-preview)
Machine Learning afe0c3be-ba3b-4544-ba52-0c99672a8ad6 Resource logs in Azure Machine Learning workspace should be enabled Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
2022-12-21 17:43:51
afe0c3be-ba3b-4544-ba52-0c99672a8ad6
App Service 801543d1-1953-4a90-b8b0-8cf6d41473a5 App Service apps should enable configuration routing to Azure Virtual Network By default, app configuration such as pulling container images and mounting content storage will not be routed through the regional virtual network integration. Using the API to set routing options to true enables configuration traffic through the Azure Virtual Network. These settings allow features like network security groups and user defined routes to be used, and service endpoints to be private. For more information, visit https://aka.ms/appservice-vnet-configuration-routing. Default
Audit
Allowed
Audit, Deny, Disabled
add
2022-12-21 17:43:51
801543d1-1953-4a90-b8b0-8cf6d41473a5
Security Center 30f52897-df47-4ca0-81a8-a3be3e8dd226 [Preview]: Configure Association to link Arc machines to default Microsoft Defender for Cloud Data Collection Rule Configure Arc machines to automatically create an association with the default data collection rule for Microsoft Defender for Cloud. Deleting this association will break the detection of security vulnerabilities for this Arc machine. Target Arc machines must be in a supported location. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
2022-12-21 17:43:51
Major, suffix remains equal (1.1.1-preview > 2.0.0-preview)
ChangeTrackingAndInventory 09a1f130-7697-42bc-8d84-8a9ea17e5192 [Preview]: Configure Linux Arc-enabled machines to be associated with a Data Collection Rule for ChangeTracking and Inventory Deploy Association to link Linux Arc-enabled machines to specified Data Collection Rule to enable ChangeTracking and Inventory. The list of locations is updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
add
2022-12-21 17:43:51
09a1f130-7697-42bc-8d84-8a9ea17e5192
App Service f5c0bfb3-acea-47b1-b477-b0edcdf6edc1 App Service app slots should enable outbound non-RFC 1918 traffic to Azure Virtual Network By default, if one uses regional Azure Virtual Network (VNET) integration, the app only routes RFC1918 traffic into that respective virtual network. Using the API to set 'vnetRouteAllEnabled' to true enables all outbound traffic into the Azure Virtual Network. This setting allows features like network security groups and user defined routes to be used for all outbound traffic from the App Service app. Default
Audit
Allowed
Audit, Deny, Disabled
add
2022-12-21 17:43:51
f5c0bfb3-acea-47b1-b477-b0edcdf6edc1
Update Management Center bfea026e-043f-4ff4-9d1b-bf301ca7ff46 [Preview]: Configure periodic checking for missing system updates on Azure Arc-enabled servers Configure auto-assessment (every 24 hours) for OS updates on Azure Arc-enabled servers. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. Fixed
modify
count: 001
Azure Connected Machine Resource Administrator
change
2022-12-21 17:43:51
Major, suffix remains equal (1.1.0-preview > 2.0.0-preview)
Monitoring 244efd75-0d92-453c-b9a3-7d73ca36ed52 Configure Windows Virtual Machines to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Windows virtual machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images is updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
2022-12-21 17:43:51
Major (2.0.0 > 3.0.0)
Azure Databricks 23057b42-ca8d-4aa0-a3dc-96a98b5b5a3d Configure diagnostic settings for Azure Databricks Workspace to Log Analytics workspace Deploys the diagnostic settings for Azure Databricks Workspace to stream resource logs to a Log Analytics workspace when any Azure Databricks Workspace that is missing these diagnostic settings is created or updated. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
add
2022-12-21 17:43:51
23057b42-ca8d-4aa0-a3dc-96a98b5b5a3d
Security Center a2ea54a3-9707-45e3-8230-bbda8309d17e [Preview]: Configure Association to link virtual machines to default Microsoft Defender for Cloud Data Collection Rule Configure machines to automatically create an association with the default data collection rule for Microsoft Defender for Cloud. Deleting this association will break the detection of security vulnerabilities for this virtual machine. Target virtual machines must be in a supported location. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
2022-12-21 17:43:51
Major, suffix remains equal (2.1.1-preview > 3.0.0-preview)
Monitoring 7f89b1eb-583c-429a-8828-af049802c1d9 Audit diagnostic setting for selected resource types Audit diagnostic setting for selected resource types. Be sure to select only resource types which support diagnostics settings. Fixed
AuditIfNotExists
change
2022-12-21 17:43:51
Patch (2.0.0 > 2.0.1)
Guest Configuration 5fe81c49-16b6-4870-9cee-45d13bf902ce Local authentication methods should be disabled on Windows Servers Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows servers don't have local authentication methods disabled. This is to validate that Windows Servers can only be accessed by an AAD (Azure Active Directory) account or by the users explicitly allowed by this policy, improving overall security posture. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
2022-12-21 17:43:51
5fe81c49-16b6-4870-9cee-45d13bf902ce
Monitoring 050a90d5-7cce-483f-8f6c-0df462036dda Configure Linux Virtual Machine Scale Sets to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Linux virtual machine scale sets to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images is updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
2022-12-21 17:43:51
Major (3.0.0 > 4.0.0)
ChangeTrackingAndInventory ad1eeff9-20d7-4c82-a04e-903acab0bfc1 [Preview]: Configure Windows VMs to install AMA for ChangeTracking and Inventory with user-assigned managed identity Automate the deployment of Azure Monitor Agent extension on your Windows virtual machines for enabling ChangeTracking and Inventory. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
add
2022-12-21 17:43:51
ad1eeff9-20d7-4c82-a04e-903acab0bfc1
Security Center 9c0aa188-e5fe-4569-8f74-b6e155624d9a [Preview]: Configure Association to link virtual machines to user-defined Microsoft Defender for Cloud Data Collection Rule Configure machines to automatically create an association with the user-defined data collection rule for Microsoft Defender for Cloud. Deleting this association will break the detection of security vulnerabilities for this virtual machine. Target virtual machines must be in a supported location. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
2022-12-21 17:43:51
Major, suffix remains equal (1.1.1-preview > 2.0.0-preview)
ChangeTrackingAndInventory 4485d24b-a9d3-4206-b691-1fad83bc5007 [Preview]: Configure Windows VMSS to install AMA for ChangeTracking and Inventory with user-assigned managed identity Automate the deployment of Azure Monitor Agent extension on your Windows virtual machine scale sets for enabling ChangeTracking and Inventory. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
add
2022-12-21 17:43:51
4485d24b-a9d3-4206-b691-1fad83bc5007
ChangeTrackingAndInventory b73e81f3-6303-48ad-9822-b69fc00c15ef [Preview]: Configure Linux VMSS to install AMA for ChangeTracking and Inventory with user-assigned managed identity Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for enabling ChangeTracking and Inventory. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
add
2022-12-21 17:43:51
b73e81f3-6303-48ad-9822-b69fc00c15ef
Monitoring c24c537f-2516-4c2f-aac5-2cd26baa3d26 Configure Windows Arc Machines to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Windows Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations is updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
2022-12-21 17:43:51
Major (1.0.1 > 2.0.0)
Security Center 10caed8a-652c-4d1d-84e4-2805b7c07278 [Preview]: Configure ChangeTracking Extension for Linux Arc machines Configure Linux Arc machines to automatically install the ChangeTracking Extension to enable File Integrity Monitoring (FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitor Agent. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Azure Connected Machine Resource Administrator
change
2022-12-21 17:43:51
Major, suffix remains equal (1.1.0-preview > 2.0.0-preview)
ChangeTrackingAndInventory 1142b015-2bd7-41e0-8645-a531afe09a1e [Preview]: Configure Linux VMSS to be associated with a Data Collection Rule for ChangeTracking and Inventory Deploy Association to link Linux virtual machine scale sets to the specified Data Collection Rule to enable ChangeTracking and Inventory. The list of locations and OS images is updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
add
2022-12-21 17:43:51
1142b015-2bd7-41e0-8645-a531afe09a1e
ChangeTrackingAndInventory bef2d677-e829-492d-9a3d-f5a20fda818f [Preview]: Configure Linux Virtual Machines to be associated with a Data Collection Rule for ChangeTracking and Inventory Deploy Association to link Linux virtual machines to the specified Data Collection Rule to enable ChangeTracking and Inventory. The list of locations and OS images is updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
add
2022-12-21 17:43:51
bef2d677-e829-492d-9a3d-f5a20fda818f
Monitoring 2ea82cdd-f2e8-4500-af75-67a2e084ca74 Configure Linux Machines to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Linux virtual machines, virtual machine scale sets, and Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images is updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
2022-12-21 17:43:51
Major (5.0.0 > 6.0.0)
Security Center 4bb303db-d051-4099-95d2-e3e1428a4d2c [Preview]: Configure ChangeTracking Extension for Windows virtual machine scale sets Configure Windows virtual machine scale sets to automatically install the ChangeTracking Extension to enable File Integrity Monitoring (FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitor Agent. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
2022-12-21 17:43:51
Major, suffix remains equal (1.1.0-preview > 2.0.0-preview)
Guest Configuration fad40cac-a972-4db0-b204-f1b15cced89a Local authentication methods should be disabled on Linux machines Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Linux servers don't have local authentication methods disabled. This is to validate that Linux Servers can only be accessed by an AAD (Azure Active Directory) account or by the users explicitly allowed by this policy, improving overall security posture. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
count: 001
Guest Configuration Resource Contributor
add
2022-12-21 17:43:51
fad40cac-a972-4db0-b204-f1b15cced89a
ChangeTrackingAndInventory b6faa975-0add-4f35-8d1c-70bba45c4424 [Preview]: Configure Windows Virtual Machines to be associated with a Data Collection Rule for ChangeTracking and Inventory Deploy Association to link Windows virtual machines to specified Data Collection Rule to enable ChangeTracking and Inventory. The list of locations and OS images is updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
add
2022-12-21 17:43:51
b6faa975-0add-4f35-8d1c-70bba45c4424
Security Center 4bb303db-d051-4099-95d2-e3e1428a4cd5 [Preview]: Configure ChangeTracking Extension for Windows Arc machines Configure Windows Arc machines to automatically install the ChangeTracking Extension to enable File Integrity Monitoring (FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitor Agent. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Azure Connected Machine Resource Administrator
change
2022-12-21 17:43:51
Major, suffix remains equal (1.1.0-preview > 2.0.0-preview)
Kubernetes c5110b6e-5272-4989-9935-59ad06fdf341 Azure Kubernetes Clusters should enable Container Storage Interface (CSI) The Container Storage Interface (CSI) is a standard for exposing arbitrary block and file storage systems to containerized workloads on Azure Kubernetes Service. To learn more, see https://aka.ms/aks-csi-driver Default
Audit
Allowed
Audit, Disabled
add
2022-12-21 17:43:51
c5110b6e-5272-4989-9935-59ad06fdf341
App Service 5747353b-1ca9-42c1-a4dd-b874b894f3d4 App Service app slots should enable configuration routing to Azure Virtual Network By default, app configuration such as pulling container images and mounting content storage will not be routed through the regional virtual network integration. Using the API to set routing options to true enables configuration traffic through the Azure Virtual Network. These settings allow features like network security groups and user defined routes to be used, and service endpoints to be private. For more information, visit https://aka.ms/appservice-vnet-configuration-routing. Default
Audit
Allowed
Audit, Deny, Disabled
add
2022-12-21 17:43:51
5747353b-1ca9-42c1-a4dd-b874b894f3d4
ChangeTrackingAndInventory 56d0ed2b-60fc-44bf-af81-a78c851b5fe1 [Preview]: Configure Linux VMs to install AMA for ChangeTracking and Inventory with user-assigned managed identity Automate the deployment of Azure Monitor Agent extension on your Linux virtual machines for enabling ChangeTracking and Inventory. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
add
2022-12-21 17:43:51
56d0ed2b-60fc-44bf-af81-a78c851b5fe1
App Service 33228571-70a4-4fa1-8ca1-26d0aba8d6ef [Deprecated]: App Service apps should enable outbound non-RFC 1918 traffic to Azure Virtual Network By default, if one uses regional Azure Virtual Network (VNET) integration, the app only routes RFC1918 traffic into that respective virtual network. Using the API to set 'vnetRouteAllEnabled' to true enables all outbound traffic into the Azure Virtual Network. This setting allows features like network security groups and user defined routes to be used for all outbound traffic from the App Service app. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
2022-12-21 17:43:51
Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated)
Update Management Center ba0df93e-e4ac-479a-aac2-134bbae39a1a [Preview]: Schedule recurring updates using Update Management Center You can use update management center (private preview) in Azure to save recurring deployment schedules to install operating system updates for your Windows Server and Linux machines in Azure, in on-premises environments, and in other cloud environments connected using Azure Arc-enabled servers. This policy will also change the patch mode for the Azure Virtual Machine to 'AutomaticByPlatform'. See more: https://aka.ms/umc-scheduled-patching Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
change
2022-12-21 17:43:51
Major, suffix remains equal (2.0.0-preview > 3.0.0-preview)
Machine Learning f59276f0-5740-4aaf-821d-45d185aa210e Configure diagnostic settings for Azure Machine Learning workspace to Log Analytics workspace Deploys the diagnostic settings for Azure Machine Learning workspace to stream resource logs to a Log Analytics workspace when any Azure Machine Learning workspace which is missing these diagnostic settings is created or updated. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
add
2022-12-21 17:43:51
f59276f0-5740-4aaf-821d-45d185aa210e
Security Center 938c4981-c2c9-4168-9cd6-972b8675f906 Microsoft Defender for SQL status should be protected for Arc-enabled SQL Servers Microsoft Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, discovering and classifying sensitive data. Once enabled, the protection status indicates that the resource is actively monitored. Even when Defender is enabled, multiple configuration settings should be validated on the agent, machine, workspace and SQL server to ensure active protection. Default
Audit
Allowed
Audit, Disabled
change
2022-12-21 17:43:51
Patch (1.0.0 > 1.0.1)
App Service a691eacb-474d-47e4-b287-b4813ca44222 App Service apps should enable outbound non-RFC 1918 traffic to Azure Virtual Network By default, if one uses regional Azure Virtual Network (VNET) integration, the app only routes RFC1918 traffic into that respective virtual network. Using the API to set 'vnetRouteAllEnabled' to true enables all outbound traffic into the Azure Virtual Network. This setting allows features like network security groups and user defined routes to be used for all outbound traffic from the App Service app. Default
Audit
Allowed
Audit, Deny, Disabled
add
2022-12-21 17:43:51
a691eacb-474d-47e4-b287-b4813ca44222
Security Center f08f556c-12ff-464d-a7de-40cb5b6cccec [Preview]: Configure ChangeTracking Extension for Windows virtual machines Configure Windows virtual machines to automatically install the ChangeTracking Extension to enable File Integrity Monitoring (FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitor Agent. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
2022-12-21 17:43:51
Major, suffix remains equal (1.1.0-preview > 2.0.0-preview)
Storage 7bd000e3-37c7-4928-9f31-86c4b77c5c45 Configure diagnostic settings for Queue Services to Log Analytics workspace Deploys the diagnostic settings for Queue Services to stream resource logs to a Log Analytics workspace when any Queue Service which is missing these diagnostic settings is created or updated. Note: This policy is not triggered upon Storage Account creation and requires creation of a remediation task in order to update the account. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
2022-12-21 17:43:51
Patch (4.0.0 > 4.0.1)
Security Center c9ae938d-3d6f-4466-b7c3-351761d9c890 [Preview]: Configure Association to link Arc machines to user-defined Microsoft Defender for Cloud Data Collection Rule Configure Arc machines to automatically create an association with the user-defined data collection rule for Microsoft Defender for Cloud. Deleting this association will break the detection of security vulnerabilities for this Arc machine. Target Arc machines must be in a supported location. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
2022-12-21 17:43:51
Major, suffix remains equal (1.1.1-preview > 2.0.0-preview)
Monitoring eab1f514-22e3-42e3-9a1f-e1dc9199355c Configure Windows Machines to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Windows virtual machines, virtual machine scale sets, and Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
2022-12-21 17:43:51
Major (3.0.0 > 4.0.0)
Monitoring c9c29499-c1d1-4195-99bd-2ec9e3a9dc89 Deploy Diagnostic Settings for Network Security Groups This policy automatically deploys diagnostic settings to network security groups. A storage account with name '{storagePrefixParameter}{NSGLocation}' will be automatically created. Fixed
deployIfNotExists
count: 002
Monitoring Contributor
Storage Account Contributor
change
2022-12-09 17:45:23
Patch (2.0.0 > 2.0.1)
SQL ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9 Vulnerability assessment should be enabled on your SQL servers Audit Azure SQL servers which do not have vulnerability assessment properly configured. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
2022-12-09 17:45:23
Major (2.0.0 > 3.0.0)
Monitoring 244efd75-0d92-453c-b9a3-7d73ca36ed52 Configure Windows Virtual Machines to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Windows virtual machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
2022-11-04 17:41:52
Major (1.1.0 > 2.0.0)
Monitoring 0a3b9bf4-d30e-424a-af6b-9a93f6f78792 Configure Windows Virtual Machine Scale Sets to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Windows virtual machine scale sets to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
2022-11-04 17:41:52
Major (1.1.0 > 2.0.0)
Cognitive Services 0725b4dd-7e76-479c-a735-68e7ee23d5ca Cognitive Services accounts should disable public network access To improve the security of Cognitive Services accounts, ensure that they aren't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in https://go.microsoft.com/fwlink/?linkid=2129800. This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. Default
Audit
Allowed
Audit, Deny, Disabled
change
2022-11-04 17:41:52
Patch (3.0.0 > 3.0.1)
Security Center 1f90fc71-a595-4066-8974-d4d0802e8ef0 Microsoft Defender CSPM should be enabled Defender Cloud Security Posture Management (CSPM) provides enhanced posture capabilities and a new intelligent cloud security graph to help identify, prioritize, and reduce risk. Defender CSPM is available in addition to the free foundational security posture capabilities turned on by default in Defender for Cloud. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
2022-11-04 17:41:52
1f90fc71-a595-4066-8974-d4d0802e8ef0
Monitoring eab1f514-22e3-42e3-9a1f-e1dc9199355c Configure Windows Machines to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Windows virtual machines, virtual machine scale sets, and Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
2022-11-04 17:41:52
Major (2.1.0 > 3.0.0)
Security Center 689f7782-ef2c-4270-a6d0-7664869076bd Configure Microsoft Defender CSPM to be enabled Defender Cloud Security Posture Management (CSPM) provides enhanced posture capabilities and a new intelligent cloud security graph to help identify, prioritize, and reduce risk. Defender CSPM is available in addition to the free foundational security posture capabilities turned on by default in Defender for Cloud. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Security Admin
add
2022-11-04 17:41:52
689f7782-ef2c-4270-a6d0-7664869076bd
Machine Learning e96a9a5f-07ca-471b-9bc5-6a0f33cbd68f Machine Learning computes should have local authentication methods disabled Disabling local authentication methods improves security by ensuring that Machine Learning computes require Azure Active Directory identities exclusively for authentication. Learn more at: https://aka.ms/azure-ml-aad-policy. Default
Audit
Allowed
Audit, Deny, Disabled
change
2022-10-28 16:42:53
Major (1.0.0 > 2.0.0)
Automation dea83a72-443c-4292-83d5-54a2f98749c0 Automation Account should have Managed Identity Use Managed Identities as the recommended method for authenticating with Azure resources from the runbooks. Managed identity for authentication is more secure and eliminates the management overhead associated with using a RunAs Account in your runbook code. Default
Audit
Allowed
Audit, Disabled
add
2022-10-28 16:42:53
dea83a72-443c-4292-83d5-54a2f98749c0
Security Center 938c4981-c2c9-4168-9cd6-972b8675f906 Microsoft Defender for SQL status should be protected for Arc-enabled SQL Servers Microsoft Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, discovering and classifying sensitive data. Once enabled, the protection status indicates that the resource is actively monitored. Even when Defender is enabled, multiple configuration settings should be validated on the agent, machine, workspace and SQL server to ensure active protection. Default
Audit
Allowed
Audit, Disabled
add
2022-10-28 16:42:53
938c4981-c2c9-4168-9cd6-972b8675f906
Update Management Center ba0df93e-e4ac-479a-aac2-134bbae39a1a [Preview]: Schedule recurring updates using Update Management Center You can use update management center (private preview) in Azure to save recurring deployment schedules to install operating system updates for your Windows Server and Linux machines in Azure, in on-premises environments, and in other cloud environments connected using Azure Arc-enabled servers. This policy will also change the patch mode for the Azure Virtual Machine to 'AutomaticByPlatform'. See more: https://aka.ms/umc-scheduled-patching Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
change
2022-10-28 16:42:53
Major, suffix remains equal (1.0.0-preview > 2.0.0-preview)
Machine Learning a6f9a2d0-cff7-4855-83ad-4cd750666512 Configure Machine Learning computes to disable local authentication methods Disable local authentication methods so that your Machine Learning computes require Azure Active Directory identities exclusively for authentication. Learn more at: https://aka.ms/azure-ml-aad-policy. Default
Modify
Allowed
Modify, Disabled
count: 001
Contributor
change
2022-10-28 16:42:53
Major (1.0.0 > 2.0.0)
Kubernetes 5485eac0-7e8f-4964-998b-a44f4f0c1e75 Kubernetes cluster Windows containers should not run as ContainerAdministrator Prevent usage of ContainerAdministrator as the user to execute the container processes for Windows pods or containers. This recommendation is intended to improve the security of Windows nodes. For more information, see https://kubernetes.io/docs/concepts/windows/intro/. Default
Audit
Allowed
Audit, Deny, Disabled
add
2022-10-28 16:42:53
5485eac0-7e8f-4964-998b-a44f4f0c1e75
Kubernetes c26596ff-4d70-4e6a-9a30-c2506bd2f80c Kubernetes cluster containers should only use allowed capabilities Restrict the capabilities to reduce the attack surface of containers in a Kubernetes cluster. This recommendation is part of CIS 5.2.8 and CIS 5.2.9 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
2022-10-21 16:42:13
Patch (6.0.0 > 6.0.1)
Kubernetes 65280eef-c8b4-425e-9aec-af55e55bf581 Kubernetes cluster should not use naked pods Block usage of naked Pods. Naked Pods will not be rescheduled in the event of a node failure. Pods should be managed by a Deployment, ReplicaSet, DaemonSet or Job. Default
Audit
Allowed
Audit, Deny, Disabled
change
2022-10-21 16:42:13
Patch (2.0.0 > 2.0.1)
Kubernetes a2abc456-f0ae-464b-bd3a-07a3cdbd7fb1 Kubernetes cluster Windows containers should not overcommit cpu and memory Windows container resource requests should be less than or equal to the resource limit, or unspecified, to avoid overcommit. If Windows memory is over-provisioned it will page to disk, which can slow down performance, instead of terminating the container with out-of-memory. Default
Audit
Allowed
Audit, Deny, Disabled
change
2022-10-21 16:42:13
Patch (2.0.0 > 2.0.1)
Kubernetes 16697877-1118-4fb1-9b65-9898ec2509ec Kubernetes cluster pods should only use allowed volume types Pods can only use allowed volume types in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
2022-10-21 16:42:13
Patch (5.0.0 > 5.0.1)
Kubernetes 82985f06-dc18-4a48-bc1c-b9f4f0098cfe Kubernetes cluster pods should only use approved host network and port range Restrict pod access to the host network and the allowable host port range in a Kubernetes cluster. This recommendation is part of CIS 5.2.4 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
2022-10-21 16:42:13
Patch (6.0.0 > 6.0.1)
Monitoring 765266ab-e40e-4c61-bcb2-5a5275d0b7c0 Deploy Dependency agent for Linux virtual machine scale sets Deploy Dependency agent for Linux virtual machine scale sets if the VM Image (OS) is in the list defined and the agent is not installed. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to all virtual machines in the set by calling upgrade on them. In CLI this would be az vmss update-instances. Fixed
deployIfNotExists
count: 001
Virtual Machine Contributor
change
2022-10-21 16:42:13
Major (4.0.0 > 5.0.0)
Kubernetes 9f061a12-e40d-4183-a00e-171812443373 Kubernetes clusters should not use the default namespace Prevent usage of the default namespace in Kubernetes clusters to protect against unauthorized access for ConfigMap, Pod, Secret, Service, and ServiceAccount resource types. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
2022-10-21 16:42:13
Patch (4.0.0 > 4.0.1)
Kubernetes f06ddb64-5fa3-4b77-b166-acb36f7f6042 Kubernetes cluster pods and containers should only run with approved user and group IDs Control the user, primary group, supplemental group and file system group IDs that pods and containers can use to run in a Kubernetes Cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
2022-10-21 16:42:13
Patch (6.0.0 > 6.0.1)
Kubernetes 233a2a17-77ca-4fb1-9b6b-69223d272a44 Kubernetes cluster services should listen only on allowed ports Restrict services to listen only on allowed ports to secure access to the Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
2022-10-21 16:42:13
Patch (8.0.0 > 8.0.1)
Kubernetes 450d2877-ebea-41e8-b00c-e286317d21bf Azure Kubernetes Service Clusters should enable Azure Active Directory integration AKS-managed Azure Active Directory integration can manage the access to the clusters by configuring Kubernetes role-based access control (Kubernetes RBAC) based on a user's identity or directory group membership. Learn more at: https://aka.ms/aks-managed-aad. Default
Audit
Allowed
Audit, Disabled
change
2022-10-21 16:42:13
Patch (1.0.0 > 1.0.1)
Storage 7bd000e3-37c7-4928-9f31-86c4b77c5c45 Configure diagnostic settings for Queue Services to Log Analytics workspace Deploys the diagnostic settings for Queue Services to stream resource logs to a Log Analytics workspace when any Queue Service which is missing these diagnostic settings is created or updated. Note: This policy is not triggered upon Storage Account creation and requires creation of a remediation task in order to update the account. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
2022-10-21 16:42:13
Major (3.0.0 > 4.0.0)
Monitoring 8a04f872-51e9-4313-97fb-fc1c3543011c Azure Application Gateway should have Resource logs enabled Enable Resource logs for Azure Application Gateway (plus WAF) and stream to a Log Analytics workspace. Get detailed visibility into inbound web traffic and actions taken to mitigate attacks. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
2022-10-21 16:42:13
8a04f872-51e9-4313-97fb-fc1c3543011c
Storage 2fb86bf3-d221-43d1-96d1-2434af34eaa0 Configure diagnostic settings for Table Services to Log Analytics workspace Deploys the diagnostic settings for Table Services to stream resource logs to a Log Analytics workspace when any Table Service which is missing these diagnostic settings is created or updated. Note: This policy is not triggered upon Storage Account creation and requires creation of a remediation task in order to update the account. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
2022-10-21 16:42:13
Major (3.0.0 > 4.0.0)
Kubernetes 95edb821-ddaf-4404-9732-666045e056b4 Kubernetes cluster should not allow privileged containers Do not allow privileged containers creation in a Kubernetes cluster. This recommendation is part of CIS 5.2.1 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
2022-10-21 16:42:13
Patch (9.0.0 > 9.0.1)
Kubernetes 9a5f4e39-e427-4d5d-ae73-93db00328bec Kubernetes resources should have required annotations Ensure that required annotations are attached on a given Kubernetes resource kind for improved resource management of your Kubernetes resources. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
Audit, Deny, Disabled
change
2022-10-21 16:42:13
Patch (3.0.0 > 3.0.1)
Kubernetes 7d7be79c-23ba-4033-84dd-45e2a5ccdd67 Both operating systems and data disks in Azure Kubernetes Service clusters should be encrypted by customer-managed keys Encrypting OS and data disks using customer-managed keys provides more control and greater flexibility in key management. This is a common requirement in many regulatory and industry compliance standards. Default
Audit
Allowed
Audit, Deny, Disabled
change
2022-10-21 16:42:13
Patch (1.0.0 > 1.0.1)
Automanage 270610db-8c04-438a-a739-e8e6745b22d3 [Deprecated]: Configure virtual machines to be onboarded to Azure Automanage Azure Automanage enrolls, configures, and monitors virtual machines with best practice as defined in the Microsoft Cloud Adoption Framework for Azure. Use this policy to apply Automanage to your selected scope. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
change
2022-10-21 16:42:13
Patch, suffix changed: new suffix: deprecated; old suffix: version (4.1.0-version-deprecated > 4.1.1-deprecated)
Kubernetes febd0533-8e55-448f-b837-bd0e06f16469 Kubernetes cluster containers should only use allowed images Use images from trusted registries to reduce the Kubernetes cluster's exposure risk to unknown vulnerabilities, security issues and malicious images. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
2022-10-21 16:42:13
Patch (9.0.0 > 9.0.1)
Regulatory Compliance 62fa14f0-4cbe-762d-5469-0899a99b98aa Explicitly notify use of collaborative computing devices CMA_C1649 - Explicitly notify use of collaborative computing devices Default
Manual
Allowed
Manual, Disabled
change
2022-10-21 16:42:13
Patch (1.1.0 > 1.1.1)
Kubernetes 975ce327-682c-4f2e-aa46-b9598289b86c Kubernetes cluster containers should only use allowed seccomp profiles Pod containers can only use allowed seccomp profiles in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
2022-10-21 16:42:13
Patch (7.0.0 > 7.0.1)
Storage 59759c62-9a22-4cdf-ae64-074495983fef Configure diagnostic settings for Storage Accounts to Log Analytics workspace Deploys the diagnostic settings for Storage accounts to stream resource logs to a Log Analytics workspace when any storage account which is missing these diagnostic settings is created or updated. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
2022-10-21 16:42:13
Major (3.0.0 > 4.0.0)
Kubernetes 56d0a13f-712f-466b-8416-56fb354fb823 Kubernetes cluster containers should not use forbidden sysctl interfaces Containers should not use forbidden sysctl interfaces in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
2022-10-21 16:42:13
Patch (7.0.0 > 7.0.1)
Kubernetes 098fc59e-46c7-4d99-9b16-64990e543d75 Kubernetes cluster pod hostPath volumes should only use allowed host paths Limit pod HostPath volume mounts to the allowed host paths in a Kubernetes Cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
2022-10-21 16:42:13
Patch (6.0.0 > 6.0.1)
Kubernetes 57dde185-5c62-4063-b965-afbb201e9c1c Kubernetes cluster Windows containers should only run with approved user and domain user group Control the user that Windows pods and containers can use to run in a Kubernetes Cluster. This recommendation is part of Pod Security Policies on Windows nodes which are intended to improve the security of your Kubernetes environments. Default
Audit
Allowed
Audit, Deny, Disabled
change
2022-10-21 16:42:13
Patch (2.0.0 > 2.0.1)
SQL fd2d1a6e-6d95-4df2-ad00-504bf0273406 Configure Arc-enabled machines running SQL Server to have SQL Server extension installed To ensure that SQL Server - Azure Arc resources are created by default when a SQL Server instance is found on an Azure Arc enabled Windows/Linux Server, the latter should have the SQL Server extension installed. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
User Access Administrator
change
2022-10-21 16:42:13
Minor (3.0.0 > 3.1.0)
Kubernetes 3fc4dc25-5baf-40d8-9b05-7fe74c1bc64e Kubernetes clusters should use internal load balancers Use internal load balancers to make a Kubernetes service accessible only to applications running in the same virtual network as the Kubernetes cluster. For more information, see https://aka.ms/kubepolicydoc. Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
2022-10-21 16:42:13
Patch (8.0.0 > 8.0.1)
Kubernetes d46c275d-1680-448d-b2ec-e495a3b6cc89 Kubernetes cluster services should only use allowed external IPs Use allowed external IPs to avoid the potential attack (CVE-2020-8554) in a Kubernetes cluster. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
2022-10-21 16:42:13
Patch (5.0.0 > 5.0.1)
Monitoring 2fea0c12-e7d4-4e03-b7bf-c34b2b8d787d [Preview]: Deploy Dependency agent for Linux virtual machine scale sets with Azure Monitoring Agent settings Deploy Dependency agent for Linux virtual machine scale sets with Azure Monitoring Agent settings if the VM Image (OS) is in the list defined and the agent is not installed. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to all virtual machines in the set by calling upgrade on them. In CLI this would be az vmss update-instances. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
2022-10-21 16:42:13
Major, suffix remains equal (2.0.0-preview > 3.0.0-preview)
Kubernetes da6e2401-19da-4532-9141-fb8fbde08431 Azure Kubernetes Service Clusters should use managed identities Use managed identities to wrap around service principals, simplify cluster management and avoid the complexity required to manage service principals. Learn more at: https://aka.ms/aks-update-managed-identities. Default
Audit
Allowed
Audit, Disabled
change
2022-10-21 16:42:13
Patch (1.0.0 > 1.0.1)
Kubernetes a27c700f-8a22-44ec-961c-41625264370b Kubernetes clusters should not use specific security capabilities Prevent specific security capabilities in Kubernetes clusters to prevent ungranted privileges on the Pod resource. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
2022-10-21 16:42:13
Patch (5.0.0 > 5.0.1)
Kubernetes e345eecc-fa47-480f-9e88-67dcc122b164 Kubernetes cluster containers CPU and memory resource limits should not exceed the specified limits Enforce container CPU and memory resource limits to prevent resource exhaustion attacks in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
2022-10-21 16:42:13
Patch (9.0.0 > 9.0.1)
Monitoring 8a04f872-51e9-4313-97fb-fc1c35430fd8 Azure Front Door should have Resource logs enabled Enable Resource logs for Azure Front Door (plus WAF) and stream to a Log Analytics workspace. Get detailed visibility into inbound web traffic and actions taken to mitigate attacks. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
2022-10-21 16:42:13
8a04f872-51e9-4313-97fb-fc1c35430fd8
Update Management Center 59efceea-0c96-497e-a4a1-4eb2290dac15 [Preview]: Configure periodic checking for missing system updates on Azure virtual machines Configure auto-assessment (every 24 hours) for OS updates on native Azure virtual machines. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. Fixed
modify
count: 001
Virtual Machine Contributor
change
2022-10-21 16:42:13
Major, suffix remains equal (2.0.0-preview > 3.0.0-preview)
Automanage f889cab7-da27-4c41-a3b0-de1f6f87c550 Configure virtual machines to be onboarded to Azure Automanage Azure Automanage enrolls, configures, and monitors virtual machines with best practice as defined in the Microsoft Cloud Adoption Framework for Azure. Use this policy to apply Automanage to your selected scope. Default
DeployIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled
count: 001
Contributor
change
2022-10-21 16:42:13
Minor (2.2.0 > 2.3.0)
Kubernetes df49d893-a74c-421d-bc95-c663042e5b80 Kubernetes cluster containers should run with a read only root file system Run containers with a read only root file system to protect from changes at run-time with malicious binaries being added to PATH in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
2022-10-21 16:42:13
Patch (6.0.0 > 6.0.1)
Kubernetes 4f3823b6-6dac-4b5a-9c61-ce1afb829f17 Kubernetes clusters should use Container Storage Interface (CSI) driver StorageClass The Container Storage Interface (CSI) is a standard for exposing arbitrary block and file storage systems to containerized workloads on Kubernetes. In-tree provisioner StorageClasses are deprecated since AKS version 1.21. To learn more, see https://aka.ms/aks-csi-driver. Default
Audit
Allowed
Audit, Deny, Disabled
change
2022-10-21 16:42:13
Patch (2.0.0 > 2.0.1)
Regulatory Compliance e3905a3c-97e7-0b4f-15fb-465c0927536f Correlate Vulnerability scan information CMA_C1558 - Correlate Vulnerability scan information Default
Manual
Allowed
Manual, Disabled
change
2022-10-21 16:42:13
Patch (1.1.0 > 1.1.1)
Kubernetes b81f454c-eebb-4e4f-9dfe-dca060e8a8fd [Preview]: Kubernetes clusters should restrict creation of given resource type A given Kubernetes resource type should not be deployed in a certain namespace. Default
Audit
Allowed
Audit, Deny, Disabled
change
2022-10-21 16:42:13
Patch, suffix remains equal (2.1.0-preview > 2.1.1-preview)
Kubernetes 423dd1ba-798e-40e4-9c4d-b6902674b423 Kubernetes clusters should disable automounting API credentials Disable automounting API credentials to prevent a potentially compromised Pod resource from running API commands against Kubernetes clusters. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
2022-10-21 16:42:13
Patch (4.0.0 > 4.0.1)
Kubernetes f4a8fce0-2dd5-4c21-9a36-8f0ec809d663 Kubernetes cluster pod FlexVolume volumes should only use allowed drivers Pod FlexVolume volumes should only use allowed drivers in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
2022-10-21 16:42:13
Patch (5.0.0 > 5.0.1)
Update Management Center bd876905-5b84-4f73-ab2d-2e7a7c4568d9 [Preview]: Machines should be configured to periodically check for missing system updates To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. Default
Audit
Allowed
Audit, Deny, Disabled
change
2022-10-21 16:42:13
Major, suffix remains equal (1.0.0-preview > 2.0.0-preview)
Kubernetes d2e7ea85-6b44-4317-a0be-1b951587f626 Kubernetes clusters should not grant CAP_SYS_ADMIN security capabilities To reduce the attack surface of your containers, restrict CAP_SYS_ADMIN Linux capabilities. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
2022-10-21 16:42:13
Patch (5.0.0 > 5.0.1)
Regulatory Compliance f801d58e-5659-9a4a-6e8d-02c9334732e5 Restore resources to operational state CMA_C1297 - Restore resources to operational state Default
Manual
Allowed
Manual, Disabled
change
2022-10-21 16:42:13
Patch (1.1.0 > 1.1.1)
Kubernetes 47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8 Kubernetes cluster containers should not share host process ID or host IPC namespace Block pod containers from sharing the host process ID namespace and host IPC namespace in a Kubernetes cluster. This recommendation is part of CIS 5.2.2 and CIS 5.2.3 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
2022-10-21 16:42:13
Patch (5.0.0 > 5.0.1)
Kubernetes b1a9997f-2883-4f12-bdff-2280f99b5915 Ensure cluster containers have readiness or liveness probes configured This policy enforces that all pods have readiness and/or liveness probes configured. Probe types can be any of tcpSocket, httpGet and exec. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. Default
Audit
Allowed
Audit, Deny, Disabled
change
2022-10-21 16:42:13
Patch (3.0.0 > 3.0.1)
Kubernetes 511f5417-5d12-434d-ab2e-816901e72a5e Kubernetes cluster containers should only use allowed AppArmor profiles Containers should only use allowed AppArmor profiles in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
2022-10-21 16:42:13
Patch (6.0.0 > 6.0.1)
Monitoring 4da21710-ce6f-4e06-8cdb-5cc4c93ffbee Deploy Dependency agent for Linux virtual machines Deploy Dependency agent for Linux virtual machines if the VM Image (OS) is in the list defined and the agent is not installed. Fixed
deployIfNotExists
count: 001
Log Analytics Contributor
change
2022-10-21 16:42:13
Major (4.0.0 > 5.0.0)
Kubernetes 13cd7ae3-5bc0-4ac4-a62d-4f7c120b9759 [Preview]: Kubernetes clusters should gate deployment of vulnerable images Protect your Kubernetes clusters and container workloads from potential threats by restricting deployment of container images with vulnerable software components. Use Azure Defender CI/CD scanning (https://aka.ms/AzureDefenderCICDscanning) and Azure defender for container registries (https://aka.ms/AzureDefenderForContainerRegistries) to identify and patch vulnerabilities prior to deployment. Evaluation prerequisite: Policy Addon and Azure Defender Profile. Only applicable for private preview customers. Default
Audit
Allowed
Audit, Deny, Disabled
change
2022-10-21 16:42:13
Patch, suffix remains equal (2.0.0-preview > 2.0.1-preview)
Automanage b025cfb4-3702-47c2-9110-87fe0cfcc99b Configure virtual machines to be onboarded to Azure Automanage with Custom Configuration Profile Azure Automanage enrolls, configures, and monitors virtual machines with best practice as defined in the Microsoft Cloud Adoption Framework for Azure. Use this policy to apply Automanage with your own customized Configuration Profile to your selected scope. Default
DeployIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled
count: 001
Contributor
change
2022-10-21 16:42:13
Minor (1.2.0 > 1.3.0)
Regulatory Compliance f33c3238-11d2-508c-877c-4262ec1132e1 Recover and reconstitute resources after any disruption CMA_C1295 - Recover and reconstitute resources after any disruption Default
Manual
Allowed
Manual, Disabled
change
2022-10-21 16:42:13
Patch (1.1.0 > 1.1.1)
Kubernetes 89f2d532-c53c-4f8f-9afa-4927b1114a0d Azure Kubernetes Service Clusters should disable Command Invoke Disabling command invoke can enhance security by preventing bypass of restricted network access or Kubernetes role-based access control Default
Audit
Allowed
Audit, Disabled
change
2022-10-21 16:42:13
Patch (1.0.0 > 1.0.1)
Kubernetes 46592696-4c7b-4bf3-9e45-6c2763bdc0a6 Kubernetes cluster pods should use specified labels Use specified labels to identify the pods in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
2022-10-21 16:42:13
Patch (7.0.0 > 7.0.1)
Kubernetes 1c6e92c9-99f0-4e55-9cf2-0c234dc48f99 Kubernetes clusters should not allow container privilege escalation Do not allow containers to run with privilege escalation to root in a Kubernetes cluster. This recommendation is part of CIS 5.2.5 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
2022-10-21 16:42:13
Patch (7.0.0 > 7.0.1)
Kubernetes 993c2fcd-2b29-49d2-9eb0-df2c3a730c32 Azure Kubernetes Service Clusters should have local authentication methods disabled Disabling local authentication methods improves security by ensuring that Azure Kubernetes Service Clusters exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/aks-disable-local-accounts. Default
Audit
Allowed
Audit, Deny, Disabled
change
2022-10-21 16:42:13
Patch (1.0.0 > 1.0.1)
Kubernetes 040732e8-d947-40b8-95d6-854c95024bf8 Azure Kubernetes Service Private Clusters should be enabled Enable the private cluster feature for your Azure Kubernetes Service cluster to ensure network traffic between your API server and your node pools remains on the private network only. This is a common requirement in many regulatory and industry compliance standards. Default
Audit
Allowed
Audit, Deny, Disabled
change
2022-10-21 16:42:13
Patch (1.0.0 > 1.0.1)
Kubernetes 46238e2f-3f6f-4589-9f3f-77bed4116e67 Azure Kubernetes Clusters should use Azure CNI Azure CNI is a prerequisite for some Azure Kubernetes Service features, including Azure network policies, Windows node pools and virtual nodes add-on. Learn more at: https://aka.ms/aks-azure-cni Default
Audit
Allowed
Audit, Disabled
change
2022-10-21 16:42:13
Patch (1.0.0 > 1.0.1)
Regulatory Compliance 22a02c9a-49e4-5dc9-0d14-eb35ad717154 Obtain design and implementation information for the security controls CMA_C1576 - Obtain design and implementation information for the security controls Default
Manual
Allowed
Manual, Disabled
change
2022-10-21 16:42:13
Patch (1.1.0 > 1.1.1)
Kubernetes 1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d Kubernetes clusters should be accessible only over HTTPS Use of HTTPS ensures authentication and protects data in transit from network layer eavesdropping attacks. This capability is currently generally available for Kubernetes Service (AKS), and in preview for Azure Arc enabled Kubernetes. For more info, visit https://aka.ms/kubepolicydoc Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
2022-10-21 16:42:13
Patch (8.0.0 > 8.0.1)
Monitoring d55b81e1-984f-4a96-acab-fae204e3ca7f [Preview]: Deploy Dependency agent for Linux virtual machines with Azure Monitoring Agent settings Deploy Dependency agent for Linux virtual machines with Azure Monitoring Agent settings if the VM Image (OS) is in the list defined and the agent is not installed. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Log Analytics Contributor
change
2022-10-21 16:42:13
Major, suffix remains equal (2.0.0-preview > 3.0.0-preview)
Regulatory Compliance a3e98638-51d4-4e28-910a-60e98c1a756f Configure Azure Audit capabilities CMA_C1108 - Configure Azure Audit capabilities Default
Manual
Allowed
Manual, Disabled
change
2022-10-21 16:42:13
Patch (1.1.0 > 1.1.1)
Kubernetes 36a27de4-199b-40fb-b336-945a8475d6c5 Configure AAD integrated Azure Kubernetes Service Clusters with required Admin Group Access Improve cluster security by centrally governing Administrator access to Azure Active Directory integrated AKS clusters. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Azure Kubernetes Service Contributor Role
Azure Kubernetes Service Policy Add-on Deployment
change
2022-10-21 16:42:13
Patch (2.0.0 > 2.0.1)
Kubernetes f85eb0dd-92ee-40e9-8a76-db25a507d6d3 Kubernetes cluster containers should only use allowed ProcMountType Pod containers can only use allowed ProcMountTypes in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
2022-10-21 16:42:13
Patch (8.0.0 > 8.0.1)
Kubernetes e1e6c427-07d9-46ab-9689-bfa85431e636 Kubernetes cluster pods and containers should only use allowed SELinux options Pods and containers should only use allowed SELinux options in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
2022-10-21 16:42:13
Patch (7.0.0 > 7.0.1)
Regulatory Compliance 0dcbaf2f-075e-947b-8f4c-74ecc5cd302c Identify individuals with security roles and responsibilities CMA_C1566 - Identify individuals with security roles and responsibilities Default
Manual
Allowed
Manual, Disabled
change
2022-10-21 16:42:13
Patch (1.1.0 > 1.1.1)
Kubernetes 41425d9f-d1a5-499a-9932-f8ed8453932c Temp disks and cache for agent node pools in Azure Kubernetes Service clusters should be encrypted at host To enhance data security, the data stored on the virtual machine (VM) host of your Azure Kubernetes Service node VMs should be encrypted at rest. This is a common requirement in many regulatory and industry compliance standards. Default
Audit
Allowed
Audit, Deny, Disabled
change
2022-10-21 16:42:13
Patch (1.0.0 > 1.0.1)
Storage 25a70cc8-2bd4-47f1-90b6-1478e4662c96 Configure diagnostic settings for File Services to Log Analytics workspace Deploys the diagnostic settings for File Services to stream resource logs to a Log Analytics workspace when any File Service that is missing these diagnostic settings is created or updated. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
2022-10-21 16:42:13
Major (3.0.0 > 4.0.0)
Kubernetes 50c83470-d2f0-4dda-a716-1938a4825f62 Kubernetes cluster containers should only use allowed pull policy Restrict containers' pull policy to ensure that containers use only allowed images on deployment Default
Audit
Allowed
Audit, Deny, Disabled
change
2022-10-21 16:42:13
Patch (3.0.0 > 3.0.1)
Kubernetes 1b708b0a-3380-40e9-8b79-821f9fa224cc Disable Command Invoke on Azure Kubernetes Service clusters Disabling command invoke can enhance security by rejecting invoke-command access to the cluster Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Azure Kubernetes Service Contributor Role
Azure Kubernetes Service Policy Add-on Deployment
change
2022-10-21 16:42:13
Patch (1.0.0 > 1.0.1)
Storage b4fe1a3b-0715-4c6c-a5ea-ffc33cf823cb Configure diagnostic settings for Blob Services to Log Analytics workspace Deploys the diagnostic settings for Blob Services to stream resource logs to a Log Analytics workspace when any Blob Service that is missing these diagnostic settings is created or updated. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
2022-10-21 16:42:13
Major (3.0.0 > 4.0.0)
Kubernetes 1ddac26b-ed48-4c30-8cc5-3a68c79b8001 Kubernetes clusters should not allow endpoint edit permissions of ClusterRole/system:aggregate-to-edit ClusterRole/system:aggregate-to-edit should not allow endpoint edit permissions due to CVE-2021-25740 (Endpoint & EndpointSlice permissions allow cross-Namespace forwarding; see https://github.com/kubernetes/kubernetes/issues/103675). This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
Audit, Disabled
change
2022-10-21 16:42:13
Patch (3.0.0 > 3.0.1)
Guest Configuration 63594bb8-43bb-4bf0-bbf8-c67e5c28cb65 [Preview]: Linux machines should meet STIG compliance requirement for Azure compute Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the STIG compliance requirement for Azure compute. DISA (Defense Information Systems Agency) provides STIG (Security Technical Implementation Guide) technical guides to secure the compute OS as required by the Department of Defense (DoD). For more details, see https://public.cyber.mil/stigs/. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
2022-10-14 16:34:37
63594bb8-43bb-4bf0-bbf8-c67e5c28cb65
App Service 2d048aca-6479-4923-88f5-e2ac295d9af3 App Service Environment apps should not be reachable over public internet To ensure apps deployed in an App Service Environment are not accessible over the public internet, one should deploy the App Service Environment with an IP address in a virtual network. To set the IP address to a virtual network IP, the App Service Environment must be deployed with an internal load balancer. Default
Audit
Allowed
Audit, Deny, Disabled
change
2022-10-14 16:34:37
Major (2.0.0 > 3.0.0)
Azure Arc 55c4db33-97b0-437b-8469-c4f4498f5df9 Configure Azure Arc Private Link Scopes to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Arc Private Link Scopes. Learn more at: https://aka.ms/arc/privatelink. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Network Contributor
change
2022-10-07 16:34:28
Minor (1.0.0 > 1.2.0)
App Service fa3a6357-c6d6-4120-8429-855577ec0063 Configure Function app slots to use the latest TLS version Periodically, newer versions of TLS are released to address security flaws, include additional functionality, or enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Website Contributor
add
2022-10-07 16:34:28
fa3a6357-c6d6-4120-8429-855577ec0063
App Service a4af4a39-4135-47fb-b175-47fbdf85311d App Service apps should only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Default
Audit
Allowed
Audit, Disabled, Deny
change
2022-10-07 16:34:28
Major (3.0.0 > 4.0.0)
Synapse 8b5c654c-fb07-471b-aa8f-15fea733f140 Configure Azure Synapse Workspace Dedicated SQL minimum TLS version Customers can raise or lower the minimal TLS version using the API, for both new and existing Synapse workspaces, so users who need to use a lower client version in the workspaces can connect while users who have security requirements can raise the minimum TLS version. Learn more at: https://docs.microsoft.com/azure/synapse-analytics/security/connectivity-settings. Default
Modify
Allowed
Modify, Disabled
count: 001
Contributor
change
2022-10-07 16:34:28
Minor (1.0.0 > 1.1.0)
App Service 1b5ef780-c53c-4a64-87f3-bb9c8c8094ba App Service apps should disable public network access Disabling public network access improves security by ensuring that the App Service is not exposed on the public internet. Creating private endpoints can limit exposure of an App Service. Learn more at: https://aka.ms/app-service-private-endpoint. Default
Audit
Allowed
Audit, Disabled, Deny
add
2022-10-07 16:34:28
1b5ef780-c53c-4a64-87f3-bb9c8c8094ba
App Service 2374605e-3e0b-492b-9046-229af202562c Configure App Service apps to disable public network access Disable public network access for your App Services so that they are not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/app-service-private-endpoint. Default
Modify
Allowed
Modify, Disabled
count: 001
Website Contributor
add
2022-10-07 16:34:28
2374605e-3e0b-492b-9046-229af202562c
App Service 11c82d0c-db9f-4d7b-97c5-f3f9aa957da2 Function app slots should disable public network access Disabling public network access improves security by ensuring that the Function app is not exposed on the public internet. Creating private endpoints can limit exposure of a Function App. Learn more at: https://aka.ms/app-service-private-endpoint. Default
Audit
Allowed
Audit, Disabled, Deny
add
2022-10-07 16:34:28
11c82d0c-db9f-4d7b-97c5-f3f9aa957da2
App Service cd794351-e536-40f4-9750-503a463d8cad Configure Function apps to disable public network access Disable public network access for your Function apps so that they are not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/app-service-private-endpoint. Default
Modify
Allowed
Modify, Disabled
count: 001
Website Contributor
add
2022-10-07 16:34:28
cd794351-e536-40f4-9750-503a463d8cad
App Service 014664e7-e348-41a3-aeb9-566e4ff6a9df Configure App Service app slots to use the latest TLS version Periodically, newer versions of TLS are released to address security flaws, include additional functionality, or enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Website Contributor
add
2022-10-07 16:34:28
014664e7-e348-41a3-aeb9-566e4ff6a9df
App Service 242222f3-4985-4e99-b5ef-086d6a6cb01c Configure Function app slots to disable public network access Disable public network access for your Function apps so that they are not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/app-service-private-endpoint. Default
Modify
Allowed
Modify, Disabled
count: 001
Website Contributor
add
2022-10-07 16:34:28
242222f3-4985-4e99-b5ef-086d6a6cb01c
App Service 89691ef9-8c50-49a8-8950-9c7fba41699e Function app slots should have remote debugging turned off Remote debugging requires inbound ports to be opened on Function apps. Remote debugging should be turned off. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
2022-10-07 16:34:28
89691ef9-8c50-49a8-8950-9c7fba41699e
App Service 5e5dbe3f-2702-4ffc-8b1e-0cae008a5c71 Function app slots should only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Default
Audit
Allowed
Audit, Disabled, Deny
change
2022-10-07 16:34:28
Major (1.0.0 > 2.0.0)
SQL fd2d1a6e-6d95-4df2-ad00-504bf0273406 Configure Arc-enabled machines running SQL Server to have SQL Server extension installed. To ensure that SQL Server - Azure Arc resources are created by default when a SQL Server instance is found on an Azure Arc enabled Windows/Linux Server, the latter should have the SQL Server extension installed Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
User Access Administrator
change
2022-10-07 16:34:28
Major (2.1.0 > 3.0.0)
Azure Arc d6eeba80-df61-4de5-8772-bc1b7852ba6b Configure Azure Arc Private Link Scopes with private endpoints Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Azure Arc Private Link Scopes, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/arc/privatelink. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 003
Azure Connected Machine Resource Administrator
Kubernetes Cluster - Azure Arc Onboarding
Network Contributor
change
2022-10-07 16:34:28
Major (1.0.0 > 2.0.0)
App Service 4a15c15f-90d5-4a1f-8b63-2903944963fd App Service app slots should use managed identity Use a managed identity for enhanced authentication security Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
2022-10-07 16:34:28
4a15c15f-90d5-4a1f-8b63-2903944963fd
App Service 701a595d-38fb-4a66-ae6d-fb3735217622 App Service app slots should disable public network access Disabling public network access improves security by ensuring that the App Service is not exposed on the public internet. Creating private endpoints can limit exposure of an App Service. Learn more at: https://aka.ms/app-service-private-endpoint. Default
Audit
Allowed
Audit, Disabled, Deny
add
2022-10-07 16:34:28
701a595d-38fb-4a66-ae6d-fb3735217622
Synapse 2158ddbe-fefa-408e-b43f-d4faef8ff3b8 Synapse Workspaces should use only Azure Active Directory identities for authentication Azure Active Directory (AAD)-only authentication improves security by ensuring that Synapse Workspaces exclusively require AAD identities for authentication. Learn more at: https://aka.ms/Synapse. Default
Audit
Allowed
Audit, Deny, Disabled
add
2022-10-07 16:34:28
2158ddbe-fefa-408e-b43f-d4faef8ff3b8
App Service d639b3af-a535-4bef-8dcf-15078cddf5e2 App Service app slots should have resource logs enabled Audit enabling of resource logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
2022-10-07 16:34:28
d639b3af-a535-4bef-8dcf-15078cddf5e2
App Service 546fe8d2-368d-4029-a418-6af48a7f61e5 App Service apps should use a SKU that supports private link With supported SKUs, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to apps, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/private-link. Default
Audit
Allowed
Audit, Deny, Disabled
change
2022-10-07 16:34:28
Patch (4.0.0 > 4.0.1)
Health Data Services workspace 64528841-2f92-43f6-a137-d52e5c3dbeac Azure Health Data Services workspace should use private link Health Data Services workspace should have at least one approved private endpoint connection. Clients in a virtual network can securely access resources that have private endpoint connections through private links. For more information, visit: https://aka.ms/healthcareapisprivatelink. Default
Audit
Allowed
Audit, Disabled
add
2022-10-07 16:34:28
64528841-2f92-43f6-a137-d52e5c3dbeac
App Service ae1b9a8c-dfce-4605-bd91-69213b4a26fc App Service app slots should only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Default
Audit
Allowed
Audit, Disabled, Deny
change
2022-10-07 16:34:28
Major (1.0.0 > 2.0.0)
App Service 81dff7c0-4020-4b58-955d-c076a2136b56 [Deprecated]: Configure App Services to disable public network access Disable public network access for your App Services so that they are not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/app-service-private-endpoint. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Website Contributor
change
2022-10-07 16:34:28
Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated)
App Service 4dcfb8b5-05cd-4090-a931-2ec29057e1fc App Service app slots should use latest 'HTTP Version' Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Use the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
2022-10-07 16:34:28
4dcfb8b5-05cd-4090-a931-2ec29057e1fc
App Service 6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab Function apps should only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Default
Audit
Allowed
Audit, Disabled, Deny
change
2022-10-07 16:34:28
Major (4.0.0 > 5.0.0)
App Service 0f98368e-36bc-4716-8ac2-8f8067203b63 Configure App Service apps to only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Default
Modify
Allowed
Modify, Disabled
count: 001
Website Contributor
change
2022-10-07 16:34:28
Major (1.0.0 > 2.0.0)
Kubernetes dbbdc317-9734-4dd8-9074-993b29c69008 Azure Kubernetes Clusters should enable Key Management Service (KMS) Use Key Management Service (KMS) to encrypt secret data at rest in etcd for Kubernetes cluster security. Learn more at: https://aka.ms/aks/kmsetcdencryption. Default
Audit
Allowed
Audit, Disabled
add
2022-10-07 16:34:28
dbbdc317-9734-4dd8-9074-993b29c69008
App Service a08ae1ab-8d1d-422b-a123-df82b307ba61 App Service app slots should have remote debugging turned off Remote debugging requires inbound ports to be opened on an App Service app. Remote debugging should be turned off. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
2022-10-07 16:34:28
a08ae1ab-8d1d-422b-a123-df82b307ba61
Monitoring 2fea0c12-e7d4-4e03-b7bf-c34b2b8d787d [Preview]: Deploy Dependency agent for Linux virtual machine scale sets with Azure Monitoring Agent settings Deploy Dependency agent for Linux virtual machine scale sets with Azure Monitoring Agent settings if the VM Image (OS) is in the list defined and the agent is not installed. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to all virtual machines in the set by calling upgrade on them. In CLI this would be az vmss update-instances. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
2022-10-07 16:34:28
Major, suffix remains equal (1.1.1-preview > 2.0.0-preview)
Azure Arc 12e7176a-4919-47ef-922b-34eda4c7f0ce Azure Arc-enabled kubernetes clusters should be configured with an Azure Arc Private Link Scope Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping Azure Arc-enabled servers to an Azure Arc Private Link Scope that is configured with a private endpoint, data leakage risks are reduced. Learn more about private links at: https://aka.ms/arc/privatelink. Default
Audit
Allowed
Audit, Deny, Disabled
add
2022-10-07 16:34:28
12e7176a-4919-47ef-922b-34eda4c7f0ce
App Service 63a0ac64-5d5f-4569-8a3d-df67cc1ce9d7 [Deprecated]: App Services should disable public network access Disabling public network access improves security by ensuring that the App Service is not exposed on the public internet. Creating private endpoints can limit exposure of an App Service. Learn more at: https://aka.ms/app-service-private-endpoint. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
2022-10-07 16:34:28
Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated)
App Service e2c1c086-2d84-4019-bff3-c44ccd95113c Function apps should use latest 'HTTP Version' Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Use the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
2022-10-07 16:34:28
Major (3.0.0 > 4.0.0)
Synapse cb3738a6-82a2-4a18-b87b-15217b9deff4 Azure Synapse Workspace SQL Server should be running TLS version 1.2 or newer Setting TLS version to 1.2 or newer improves security by ensuring your Azure Synapse workspace SQL server can only be accessed from clients using TLS 1.2 or newer. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities. Default
Audit
Allowed
Audit, Deny, Disabled
change
2022-10-07 16:34:28
Minor (1.0.0 > 1.1.0)
App Service 969ac98b-88a8-449f-883c-2e9adb123127 Function apps should disable public network access Disabling public network access improves security by ensuring that the Function app is not exposed on the public internet. Creating private endpoints can limit exposure of a Function App. Learn more at: https://aka.ms/app-service-private-endpoint. Default
Audit
Allowed
Audit, Disabled, Deny
add
2022-10-07 16:34:28
969ac98b-88a8-449f-883c-2e9adb123127
App Service 4ee5b817-627a-435a-8932-116193268172 App Service app slots should use the latest TLS version Periodically, newer versions of TLS are released, either to fix security flaws, include additional functionality, or enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionality of the latest version. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
2022-10-07 16:34:28
4ee5b817-627a-435a-8932-116193268172
Azure Arc 4002015b-1272-4dfb-8943-fed4aeec39b6 Configure Azure Arc-enabled Kubernetes clusters to use an Azure Arc Private Link Scope Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping Azure Arc-enabled servers to an Azure Arc Private Link Scope that is configured with a private endpoint, data leakage risks are reduced. Learn more about private links at: https://aka.ms/arc/privatelink. Default
Modify
Allowed
Modify, Disabled
count: 001
Kubernetes Cluster - Azure Arc Onboarding
add
2022-10-07 16:34:28
4002015b-1272-4dfb-8943-fed4aeec39b6
App Service deb528de-8f89-4101-881c-595899253102 Function app slots should use the latest TLS version Periodically, newer versions of TLS are released, either to fix security flaws, include additional functionality, or enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionality of the latest version. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
2022-10-07 16:34:28
deb528de-8f89-4101-881c-595899253102
App Service f9d614c5-c173-4d56-95a7-b4437057d193 Function apps should use the latest TLS version Periodically, newer versions of TLS are released, either to fix security flaws, include additional functionality, or enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionality of the latest version. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
2022-10-07 16:34:28
Patch (2.0.0 > 2.0.1)
App Service ae44c1d1-0df2-4ca9-98fa-a3d3ae5b409d Configure App Service apps to use the latest TLS version Periodically, newer versions of TLS are released, either to fix security flaws, include additional functionality, or enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionality of the latest version. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Website Contributor
change
2022-10-07 16:34:28
Patch (1.0.0 > 1.0.1)
App Service a096cbd0-4693-432f-9374-682f485f23f3 Configure Function apps to only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Default
Modify
Allowed
Modify, Disabled
count: 001
Website Contributor
change
2022-10-07 16:34:28
Major (1.0.0 > 2.0.0)
Monitoring d55b81e1-984f-4a96-acab-fae204e3ca7f [Preview]: Deploy Dependency agent for Linux virtual machines with Azure Monitoring Agent settings Deploy Dependency agent for Linux virtual machines with Azure Monitoring Agent settings if the VM Image (OS) is in the list defined and the agent is not installed. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Log Analytics Contributor
change
2022-10-07 16:34:28
Major, suffix remains equal (1.1.1-preview > 2.0.0-preview)
App Service fa98f1b1-1f56-4179-9faf-93ad82f3458f Function app slots should use latest 'HTTP Version' Periodically, newer versions of HTTP are released, either to fix security flaws or to include additional functionality. Use the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionality of the newer version. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
2022-10-07 16:34:28
fa98f1b1-1f56-4179-9faf-93ad82f3458f
App Service 1f01f1c7-539c-49b5-9ef4-d4ffa37d22e0 Configure Function apps to use the latest TLS version Periodically, newer versions of TLS are released, either to fix security flaws, include additional functionality, or enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionality of the latest version. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Website Contributor
change
2022-10-07 16:34:28
Patch (1.0.0 > 1.0.1)
App Service 08cf2974-d178-48a0-b26d-f6b8e555748b Configure Function app slots to only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Default
Modify
Allowed
Modify, Disabled
count: 001
Website Contributor
change
2022-10-07 16:34:28
Major (1.0.0 > 2.0.0)
Synapse c3624673-d2ff-48e0-b28c-5de1c6767c3c Configure Synapse Workspaces to use only Azure Active Directory identities for authentication Azure Active Directory (AAD)-only authentication improves security by ensuring that Synapse Workspaces exclusively require AAD identities for authentication. Learn more at: https://aka.ms/Synapse. Default
Modify
Allowed
Modify, Disabled
count: 001
Contributor
add
2022-10-07 16:34:28
c3624673-d2ff-48e0-b28c-5de1c6767c3c
App Service cca5adfe-626b-4cc6-8522-f5b6ed2391bd Configure App Service app slots to turn off remote debugging Remote debugging requires inbound ports to be opened on an App Service app. Remote debugging should be turned off. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Website Contributor
add
2022-10-07 16:34:28
cca5adfe-626b-4cc6-8522-f5b6ed2391bd
App Service 70adbb40-e092-42d5-a6f8-71c540a5efdb Configure Function app slots to turn off remote debugging Remote debugging requires inbound ports to be opened on a Function app. Remote debugging should be turned off. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Website Contributor
add
2022-10-07 16:34:28
70adbb40-e092-42d5-a6f8-71c540a5efdb
App Service ab9ca4fc-5d29-4c62-bbad-018df1f5f0dd [Deprecated]: App Service app slots should enable outbound non-RFC 1918 traffic to Azure Virtual Network By default, if one uses regional Azure Virtual Network (VNET) integration, the app only routes RFC1918 traffic into that respective virtual network. Using the API to set 'vnetRouteAllEnabled' to true enables all outbound traffic into the Azure Virtual Network. This setting allows features like network security groups and user defined routes to be used for all outbound traffic from the App Service app. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
2022-10-07 16:34:28
ab9ca4fc-5d29-4c62-bbad-018df1f5f0dd
App Service c6c3e00e-d414-4ca4-914f-406699bb8eee Configure App Service app slots to disable public network access Disable public network access for your App Services so that it is not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/app-service-private-endpoint. Default
Modify
Allowed
Modify, Disabled
count: 001
Website Contributor
add
2022-10-07 16:34:28
c6c3e00e-d414-4ca4-914f-406699bb8eee
App Service f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b App Service apps should use the latest TLS version Periodically, newer versions of TLS are released, either to fix security flaws, include additional functionality, or enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionality of the latest version. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
2022-10-07 16:34:28
Patch (2.0.0 > 2.0.1)
App Service 8c122334-9d20-4eb8-89ea-ac9a705b74ae App Service apps should use latest 'HTTP Version' Periodically, newer versions of HTTP are released, either to fix security flaws or to include additional functionality. Use the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionality of the newer version. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
2022-10-07 16:34:28
Major (3.0.0 > 4.0.0)
App Service a18c77f2-3d6d-497a-9f61-849a7e8a3b79 Configure App Service app slots to only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Default
Modify
Allowed
Modify, Disabled
count: 001
Website Contributor
change
2022-10-07 16:34:28
Major (1.0.0 > 2.0.0)
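The App Service rows above all evaluate a handful of site properties (httpsOnly, minTlsVersion, remoteDebuggingEnabled, publicNetworkAccess, http20Enabled and the 'vnetRouteAllEnabled' setting named in the deprecated slot policy) under different effects: Audit reports, Deny blocks the request, Modify rewrites it. The following is an added example, not code from this page or from Microsoft: a miniature evaluator for the Azure Policy rule grammar (allOf/anyOf/not, field equals/notEquals/exists) run over constructed App Service resource JSON, applying effects in the documented order (Append/Modify, then Deny, then Audit). The rules are modelled on the policies listed above but are not the real built-in definitions, and the dotted field paths are the request-body properties I assume the built-in aliases resolve to; both are assumptions. It goes slightly beyond the page by showing how a Modify effect changes the resource before Deny is evaluated.

```python
import copy

# Constructed sample resources (not captured from any subscription).
WEAK_SITE = {
    "type": "Microsoft.Web/sites",
    "name": "contoso-api",
    "properties": {
        "httpsOnly": False,
        "publicNetworkAccess": "Enabled",
        "siteConfig": {"minTlsVersion": "1.0", "remoteDebuggingEnabled": True,
                       "http20Enabled": False, "vnetRouteAllEnabled": False},
    },
}
HARDENED_SITE = {
    "type": "Microsoft.Web/sites",
    "name": "contoso-api",
    "properties": {
        "httpsOnly": True,
        "publicNetworkAccess": "Disabled",
        "siteConfig": {"minTlsVersion": "1.2", "remoteDebuggingEnabled": False,
                       "http20Enabled": True, "vnetRouteAllEnabled": True},
    },
}


def _site(cond):
    """Scope a condition to Microsoft.Web/sites, as the built-in policies do."""
    return {"allOf": [{"field": "type", "equals": "Microsoft.Web/sites"}, cond]}


# Illustrative rules modelled on the policies above. Field paths are ASSUMED
# request-body properties, not the real Microsoft.Web/sites(/config) aliases.
POLICIES = [
    {"name": "Configure apps to only be accessible over HTTPS", "effect": "Modify",
     "if": _site({"field": "properties.httpsOnly", "notEquals": True}),
     "operations": [{"operation": "addOrReplace", "field": "properties.httpsOnly", "value": True}]},
    {"name": "Apps should disable public network access", "effect": "Deny",
     "if": _site({"field": "properties.publicNetworkAccess", "notEquals": "Disabled"})},
    {"name": "Apps should use the latest TLS version", "effect": "Audit",
     "if": _site({"field": "properties.siteConfig.minTlsVersion", "notEquals": "1.2"})},
    {"name": "Apps should have remote debugging turned off", "effect": "Audit",
     "if": _site({"field": "properties.siteConfig.remoteDebuggingEnabled", "equals": True})},
    {"name": "Apps should use latest 'HTTP Version'", "effect": "Audit",
     "if": _site({"field": "properties.siteConfig.http20Enabled", "notEquals": True})},
    {"name": "Apps should route all outbound traffic into the VNet", "effect": "Audit",
     "if": _site({"field": "properties.siteConfig.vnetRouteAllEnabled", "notEquals": True})},
]

# Azure Policy order of evaluation: Disabled, Append/Modify, Deny, Audit.
# AuditIfNotExists/DeployIfNotExists need a related-resource existence check; out of scope here.
EFFECT_ORDER = {"Modify": 0, "Deny": 1, "Audit": 2}


def _norm(value):
    """Policy string comparisons are case-insensitive; other types compare as-is."""
    return value.lower() if isinstance(value, str) else value


def get_field(resource, path):
    """Resolve a dotted path such as 'properties.siteConfig.minTlsVersion'; None if absent."""
    cur = resource
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def set_field(resource, path, value):
    """addOrReplace semantics: create intermediate objects as needed, then set the leaf."""
    parts = path.split(".")
    cur = resource
    for part in parts[:-1]:
        cur = cur.setdefault(part, {})
    cur[parts[-1]] = value


def matches(cond, resource):
    """Evaluate the subset of the policy-rule grammar used above."""
    if "allOf" in cond:
        return all(matches(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(matches(c, resource) for c in cond["anyOf"])
    if "not" in cond:
        return not matches(cond["not"], resource)
    value = get_field(resource, cond["field"])
    if "equals" in cond:
        return _norm(value) == _norm(cond["equals"])
    if "notEquals" in cond:
        return _norm(value) != _norm(cond["notEquals"])
    if "exists" in cond:
        return (value is not None) == (str(cond["exists"]).lower() == "true")
    raise ValueError(f"unsupported condition: {cond}")


def evaluate(resource, policies=POLICIES):
    """Simulate a PUT of `resource` under `policies`; the input dict is left unchanged."""
    out = {"resource": copy.deepcopy(resource), "modified_by": [], "denied_by": [], "audit": []}
    for pol in sorted(policies, key=lambda p: EFFECT_ORDER[p["effect"]]):
        if not matches(pol["if"], out["resource"]):
            continue  # the 'if' block selects the NON-compliant resources
        if pol["effect"] == "Modify":
            for op in pol["operations"]:
                set_field(out["resource"], op["field"], op["value"])
            out["modified_by"].append(pol["name"])
        elif pol["effect"] == "Deny":
            out["denied_by"].append(pol["name"])
        else:
            out["audit"].append(pol["name"])
    return out


def is_accepted(result):
    """A request is rejected if any Deny policy matched (Modify has already been applied)."""
    return not result["denied_by"]


if __name__ == "__main__":
    for label, site in (("weak", WEAK_SITE), ("hardened", HARDENED_SITE)):
        r = evaluate(site)
        print(label, "accepted" if is_accepted(r) else "DENIED", r["denied_by"], r["audit"])
```

Running it shows why the page pairs an Audit/Deny policy with a Modify/DeployIfNotExists twin for the same setting: the Modify rule rewrites httpsOnly before the Deny and Audit rules see the resource, so only settings with no remediation policy (here public network access, TLS version, remote debugging, HTTP/2, VNet routing) surface as denials or findings.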
Monitoring 7f89b1eb-583c-429a-8828-af049802c1d9 Audit diagnostic setting for selected resource types Audit diagnostic setting for selected resource types. Be sure to select only resource types which support diagnostics settings. Fixed
AuditIfNotExists
change
2022-10-05 16:36:28
Major (1.1.0 > 2.0.0)
Security Center 808a7dc4-49f2-4e7b-af75-d14e561c244a [Preview]: Configure supported Windows virtual machine scale sets to automatically install the Azure Security agent Configure supported Windows virtual machine scale sets to automatically install the Azure Security agent. Security Center collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Target Windows virtual machine scale sets must be in a supported location. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
2022-09-30 16:34:23
Major, suffix remains equal (1.0.0-preview > 2.0.0-preview)
Guest Configuration 3dc5edcd-002d-444c-b216-e123bbfa37c0 [Preview]: Windows virtual machines should enable Azure Disk Encryption or EncryptionAtHost. By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys; temp disks and data caches aren't encrypted, and data isn't encrypted when flowing between compute and storage resources. Use Azure Disk Encryption or EncryptionAtHost to encrypt all this data. Visit https://aka.ms/diskencryptioncomparison to compare encryption offerings. This policy requires two prerequisites to be deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
2022-09-30 16:34:23
3dc5edcd-002d-444c-b216-e123bbfa37c0
Security Center bb2c6c6d-14bc-4443-bef3-c6be0adc6076 [Preview]: Azure Security agent should be installed on your Windows virtual machines Install the Azure Security agent on your Windows virtual machines in order to monitor your machines for security configurations and vulnerabilities. Results of the assessments can be seen and managed in Azure Security Center. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
2022-09-30 16:34:23
Major, suffix remains equal (1.0.0-preview > 2.0.0-preview)
Guest Configuration ca88aadc-6e2b-416c-9de2-5a0f01d1693f [Preview]: Linux virtual machines should enable Azure Disk Encryption or EncryptionAtHost. By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys; temp disks and data caches aren't encrypted, and data isn't encrypted when flowing between compute and storage resources. Use Azure Disk Encryption or EncryptionAtHost to encrypt all this data. Visit https://aka.ms/diskencryptioncomparison to compare encryption offerings. This policy requires two prerequisites to be deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
2022-09-30 16:34:23
ca88aadc-6e2b-416c-9de2-5a0f01d1693f
Security Center 6654c8c4-e6f8-43f8-8869-54327af7ce32 [Preview]: Configure supported Linux virtual machine scale sets to automatically install the Azure Security agent Configure supported Linux virtual machine scale sets to automatically install the Azure Security agent. Security Center collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Target virtual machines must be in a supported location. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
2022-09-30 16:34:23
Major, suffix remains equal (1.0.0-preview > 2.0.0-preview)
Security Center 1537496a-b1e8-482b-a06a-1cc2415cdc7b [Preview]: Configure supported Windows machines to automatically install the Azure Security agent Configure supported Windows machines to automatically install the Azure Security agent. Security Center collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Target virtual machines must be in a supported location. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
2022-09-30 16:34:23
Major, suffix remains equal (4.0.0-preview > 5.0.0-preview)
Security Center e16f967a-aa57-4f5e-89cd-8d1434d0a29a [Preview]: Azure Security agent should be installed on your Windows virtual machine scale sets Install the Azure Security agent on your Windows virtual machine scale sets in order to monitor your machines for security configurations and vulnerabilities. Results of the assessments can be seen and managed in Azure Security Center. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
2022-09-30 16:34:23
Major, suffix remains equal (1.0.0-preview > 2.0.0-preview)
Security Center 5f8eb305-9c9f-4abe-9bb0-df220d9faba2 [Preview]: Configure supported Linux virtual machines to automatically install the Azure Security agent Configure supported Linux virtual machines to automatically install the Azure Security agent. Security Center collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Target virtual machines must be in a supported location. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
2022-09-30 16:34:23
Major, suffix remains equal (6.0.0-preview > 7.0.0-preview)
Security Center 62b52eae-c795-44e3-94e8-1b3d264766fb [Preview]: Azure Security agent should be installed on your Linux virtual machine scale sets Install the Azure Security agent on your Linux virtual machine scale sets in order to monitor your machines for security configurations and vulnerabilities. Results of the assessments can be seen and managed in Azure Security Center. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
2022-09-30 16:34:23
Major, suffix remains equal (1.0.0-preview > 2.0.0-preview)
Synapse cfaf0007-99c7-4b01-b36b-4048872ac978 Azure Synapse Analytics dedicated SQL pools should enable encryption Enable transparent data encryption for Azure Synapse Analytics dedicated SQL pools to protect data-at-rest and meet compliance requirements. Please note that enabling transparent data encryption for the pool may impact query performance. For more details, refer to https://go.microsoft.com/fwlink/?linkid=2147714 Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
2022-09-30 16:34:23
cfaf0007-99c7-4b01-b36b-4048872ac978
Security Center e8794316-d918-4565-b57d-6b38a06381a0 [Preview]: Azure Security agent should be installed on your Linux virtual machines Install the Azure Security agent on your Linux virtual machines in order to monitor your machines for security configurations and vulnerabilities. Results of the assessments can be seen and managed in Azure Security Center. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
2022-09-30 16:34:23
Major, suffix remains equal (1.0.0-preview > 2.0.0-preview)
Regulatory Compliance 0461cacd-0b3b-4f66-11c5-81c9b19a3d22 Verify inaccurate or outdated PII CMA_C1823 - Verify inaccurate or outdated PII Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 69d90ee6-9f9f-262a-2038-d909fb4e5723 Identify spilled information CMA_0303 - Identify spilled information Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 496b407d-9b9e-81e8-4ba4-44bc686b016a Conduct exit interview upon termination CMA_0058 - Conduct exit interview upon termination Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 7d10debd-4775-85a7-1a41-7e128e0e8c50 Automate process to prohibit implementation of unapproved changes CMA_C1194 - Automate process to prohibit implementation of unapproved changes Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance e336d5f4-4d8f-0059-759c-ae10f63d1747 Enforce user uniqueness CMA_0250 - Enforce user uniqueness Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance d25cbded-121e-0ed6-1857-dc698c9095b1 Take action in response to customer information CMA_C1554 - Take action in response to customer information Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 2b2f3a72-9e68-3993-2b69-13dcdecf8958 Define requirements for supplying goods and services CMA_0126 - Define requirements for supplying goods and services Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance db580551-0b3c-4ea1-8a4c-4cdb5feb340f Provide the logout capability CMA_C1055 - Provide the logout capability Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance af227964-5b8b-22a2-9364-06d2cb9d6d7c Develop information security policies and procedures CMA_0158 - Develop information security policies and procedures Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 6b957f60-54cd-5752-44d5-ff5a64366c93 Develop SSP that meets criteria CMA_C1492 - Develop SSP that meets criteria Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 86ecd378-a3a0-5d5b-207c-05e6aaca43fc Detect network services that have not been authorized or approved CMA_C1700 - Detect network services that have not been authorized or approved Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance cbfa1bd0-714d-8d6f-0480-2ad6a53972df Define and document government oversight CMA_C1587 - Define and document government oversight Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 0dcbaf2f-075e-947b-8f4c-74ecc5cd302c Identify individuals with security roles and responsibilities CMA_C1566 - Identify individuals with security roles and responsibilities Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 92ede480-154e-0e22-4dca-8b46a74a3a51 Maintain records of processing of personal data CMA_0353 - Maintain records of processing of personal data Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 59f7feff-02aa-6539-2cf7-bea75b762140 Develop access control policies and procedures CMA_0144 - Develop access control policies and procedures Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance f27a298f-9443-014a-0d40-fef12adf0259 Review administrator assignments weekly CMA_0461 - Review administrator assignments weekly Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance be1c34ab-295a-07a6-785c-36f63c1d223e Obtain user security function documentation CMA_C1581 - Obtain user security function documentation Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 676c3c35-3c36-612c-9523-36d266a65000 Require developers to provide training CMA_C1611 - Require developers to provide training Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 0bbfd658-93ab-6f5e-1e19-3c1c1da62d01 Keep accurate accounting of disclosures of information CMA_C1818 - Keep accurate accounting of disclosures of information Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 7b28ba4f-0a87-46ac-62e1-46b7c09202a8 Monitor account activity CMA_0377 - Monitor account activity Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 921ae4c1-507f-5ddb-8a58-cfa9b5fd96f0 Establish authenticator types and processes CMA_0267 - Establish authenticator types and processes Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance d041726f-00e0-41ca-368c-b1a122066482 Provide role-based practical exercises CMA_C1096 - Provide role-based practical exercises Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 29363ae1-68cd-01ca-799d-92c9197c8404 Manage authenticator lifetime and reuse CMA_0355 - Manage authenticator lifetime and reuse Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 10c4210b-3ec9-9603-050d-77e4d26c7ebb Enforce logical access CMA_0245 - Enforce logical access Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 62fa14f0-4cbe-762d-5469-0899a99b98aa Explicitly notify use of collaborative computing devices CMA_C1649 - Explicitly notify use of collaborative computing devices Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 043c1e56-5a16-52f8-6af8-583098ff3e60 Create a data inventory CMA_0096 - Create a data inventory Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance db28735f-518f-870e-15b4-49623cbe3aa0 Verify software, firmware and information integrity CMA_0542 - Verify software, firmware and information integrity Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance b8dad106-6444-5f55-307e-1e1cc9723e39 Ensure cryptographic mechanisms are under configuration management CMA_C1199 - Ensure cryptographic mechanisms are under configuration management Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 0a24f5dc-8c40-94a7-7aee-bb7cd4781d37 Issue guidelines for ensuring data quality and integrity CMA_C1824 - Issue guidelines for ensuring data quality and integrity Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 56fb5173-3865-5a5d-5fad-ae33e53e1577 Address information security issues CMA_C1742 - Address information security issues Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance c6fe3856-4635-36b6-983c-070da12a953b Implement the risk management strategy CMA_C1744 - Implement the risk management strategy Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance b8ec9ebb-5b7f-8426-17c1-2bc3fcd54c6e Implement methods for consumer requests CMA_0319 - Implement methods for consumer requests Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 203101f5-99a3-1491-1b56-acccd9b66a9e Conduct a security impact analysis CMA_0057 - Conduct a security impact analysis Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 3eecf628-a1c8-1b48-1b5c-7ca781e97970 Specify permitted actions associated with customer audit information CMA_C1122 - Specify permitted actions associated with customer audit information Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 4b8fd5da-609b-33bf-9724-1c946285a14c Notify Account Managers of customer controlled accounts CMA_C1009 - Notify Account Managers of customer controlled accounts Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance de251b09-4a5e-1204-4bef-62ac58d47999 Adjust level of audit review, analysis, and reporting CMA_C1123 - Adjust level of audit review, analysis, and reporting Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance ae5345d5-8dab-086a-7290-db43a3272198 Identify and authenticate network devices CMA_0296 - Identify and authenticate network devices Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance e0c480bf-0d68-a42d-4cbb-b60f851f8716 Implement personnel screening CMA_0322 - Implement personnel screening Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 3881168c-5d38-6f04-61cc-b5d87b2c4c58 Establish third-party personnel security requirements CMA_C1529 - Establish third-party personnel security requirements Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 7ad83b58-2042-085d-08f0-13e946f26f89 Update rules of behavior and access agreements every 3 years CMA_0522 - Update rules of behavior and access agreements every 3 years Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance bf883b14-9c19-0f37-8825-5e39a8b66d5b Perform threat modeling CMA_0392 - Perform threat modeling Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 4a6f5cbd-6c6b-006f-2bb1-091af1441bce Review malware detections report weekly CMA_0475 - Review malware detections report weekly Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 32f22cfa-770b-057c-965b-450898425519 Revoke privileged roles as appropriate CMA_0483 - Revoke privileged roles as appropriate Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 05ec66a2-137c-14b8-8e75-3d7a2bef07f8 Implement physical security for offices, working areas, and secure areas CMA_0323 - Implement physical security for offices, working areas, and secure areas Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 51e4b233-8ee3-8bdc-8f5f-f33bd0d229b7 Define a physical key management process CMA_0115 - Define a physical key management process Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 8e920169-739d-40b5-3f99-c4d855327bb2 Prohibit binary/machine-executable code CMA_C1717 - Prohibit binary/machine-executable code Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance d7c1ecc3-2980-a079-1569-91aec8ac4a77 Conduct risk assessment and distribute its results CMA_C1544 - Conduct risk assessment and distribute its results Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 9c93ef57-7000-63fb-9b74-88f2e17ca5d2 Disseminate security alerts to personnel CMA_C1705 - Disseminate security alerts to personnel Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Security Center 6074e9a3-c711-4856-976d-24d51f9e065b [Preview]: Configure supported Linux virtual machines to automatically install the Guest Attestation extension Configure supported Linux virtual machines to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
2022-09-27 16:35:32
Major, suffix remains equal (6.0.0-preview > 7.0.0-preview)
Regulatory Compliance ba78efc6-795c-64f4-7a02-91effbd34af9 Execute actions in response to information spills CMA_0281 - Execute actions in response to information spills Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 1bc7fd64-291f-028e-4ed6-6e07886e163f Employ least privilege access CMA_0212 - Employ least privilege access Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 518eafdd-08e5-37a9-795b-15a8d798056d Provide privacy training CMA_0415 - Provide privacy training Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance b470a37a-7a47-3792-34dd-7a793140702e Establish relationship between incident response capability and external providers CMA_C1376 - Establish relationship between incident response capability and external providers Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 95eb7d09-9937-5df9-11d9-20317e3f60df Provide formal notice to individuals CMA_C1864 - Provide formal notice to individuals Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 245fe58b-96f8-9f1e-48c5-7f49903f66fd Establish alternate storage site that facilitates recovery operations CMA_C1270 - Establish alternate storage site that facilitates recovery operations Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 3ad7f0bc-3d03-0585-4d24-529779bb02c2 Maintain availability of information CMA_C1644 - Maintain availability of information Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 1ecb79d7-1a06-9a3b-3be8-f434d04d1ec1 Adhere to retention periods defined CMA_0004 - Adhere to retention periods defined Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 5023a9e7-8e64-2db6-31dc-7bce27f796af Provide privacy notice to the public and to individuals CMA_C1861 - Provide privacy notice to the public and to individuals Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 2d2ca910-7957-23ee-2945-33f401606efc Accept only FICAM-approved third-party credentials CMA_C1348 - Accept only FICAM-approved third-party credentials Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 1e876c5c-0f2a-8eb6-69f7-5f91e7918ed6 Review development process, standards and tools CMA_C1610 - Review development process, standards and tools Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 7a489c62-242c-5db9-74df-c073056d6fa3 Designate personnel to supervise unauthorized maintenance activities CMA_C1422 - Designate personnel to supervise unauthorized maintenance activities Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 35de8462-03ff-45b3-5746-9d4603c74c56 Implement an insider threat program CMA_C1751 - Implement an insider threat program Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 6a379d74-903b-244a-4c44-838728bea6b0 Analyse data obtained from continuous monitoring CMA_C1169 - Analyse data obtained from continuous monitoring Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 5c33538e-02f8-0a7f-998b-a4c1e22076d3 Govern compliance of cloud service providers CMA_0290 - Govern compliance of cloud service providers Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 72889284-15d2-90b2-4b39-a1e9541e1152 Verify identity before distributing authenticators CMA_0538 - Verify identity before distributing authenticators Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance af38215f-70c4-0cd6-40c2-c52d86690a45 Set automated notifications for new and trending cloud applications in your organization CMA_0495 - Set automated notifications for new and trending cloud applications in your organization Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 575ed5e8-4c29-99d0-0e4d-689fb1d29827 Automate approval request for proposed changes CMA_C1192 - Automate approval request for proposed changes Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 6625638f-3ba1-7404-5983-0ea33d719d34 Review audit data CMA_0466 - Review audit data Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance ed87d27a-9abf-7c71-714c-61d881889da4 Monitor privileged role assignment CMA_0378 - Monitor privileged role assignment Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Security Center 97566dd7-78ae-4997-8b36-1c7bfe0d8121 [Preview]: Secure Boot should be enabled on supported Windows virtual machines Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. Default
Audit
Allowed
Audit, Disabled
change
2022-09-27 16:35:32
Major, suffix remains equal (3.0.0-preview > 4.0.0-preview)
Regulatory Compliance 41172402-8d73-64c7-0921-909083c086b0 Not allow for information systems to accompany with individuals CMA_C1182 - Not allow for information systems to accompany with individuals Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 63f63e71-6c3f-9add-4c43-64de23e554a7 Manage gateways CMA_0363 - Manage gateways Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 07b42fb5-027e-5a3c-4915-9d9ef3020ec7 Discover any indicators of compromise CMA_C1702 - Discover any indicators of compromise Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 834b7a4a-83ab-2188-1a26-9c5033d8173b Incorporate security and data privacy practices in research processing CMA_0331 - Incorporate security and data privacy practices in research processing Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance df2e9507-169b-4114-3a52-877561ee3198 Implement security engineering principles of information systems CMA_0325 - Implement security engineering principles of information systems Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 3d399cf3-8fc6-0efc-6ab0-1412f1198517 Block untrusted and unsigned processes that run from USB CMA_0050 - Block untrusted and unsigned processes that run from USB Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance ff1efad2-6b09-54cc-01bf-d386c4d558a8 Secure the interface to external systems CMA_0491 - Secure the interface to external systems Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance eb598832-4bcc-658d-4381-3ecbe17b9866 Provide timely maintenance support CMA_C1425 - Provide timely maintenance support Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 3545c827-26ee-282d-4629-23952a12008b Conduct incident response testing CMA_0060 - Conduct incident response testing Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 3a868d0c-538f-968b-0191-bddb44da5b75 Require developers to document approved changes and potential impact CMA_C1597 - Require developers to document approved changes and potential impact Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance eaaae23f-92c9-4460-51cf-913feaea4d52 Employ a media sanitization mechanism CMA_0208 - Employ a media sanitization mechanism Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 6f1de470-79f3-1572-866e-db0771352fc8 Authenticate to cryptographic module CMA_0021 - Authenticate to cryptographic module Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 7d70383a-32f4-a0c2-61cf-a134851968c2 Determine legal authority to collect PII CMA_C1800 - Determine legal authority to collect PII Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 8489ff90-8d29-61df-2d84-f9ab0f4c5e84 Notify when account is not needed CMA_0383 - Notify when account is not needed Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 0471c6b7-1588-701c-2713-1fade73b75f6 Display an explicit logout message CMA_C1056 - Display an explicit logout message Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 13ef3484-3a51-785a-9c96-500f21f84edd Information flow control using security policy filters CMA_C1029 - Information flow control using security policy filters Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 3c5e0e1a-216f-8f49-0a15-76ed0d8b8e1f Perform vulnerability scans CMA_0393 - Perform vulnerability scans Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 037c0089-6606-2dab-49ad-437005b5035f Identify incident response personnel CMA_0301 - Identify incident response personnel Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 04837a26-2601-1982-3da7-bf463e6408f4 Develop configuration management plan CMA_C1232 - Develop configuration management plan Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance cf79f602-1e60-5423-6c0c-e632c2ea1fc0 Implement controls to protect PII CMA_C1839 - Implement controls to protect PII Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 9ac8621d-9acd-55bf-9f99-ee4212cc3d85 Provide periodic role-based security training CMA_C1095 - Provide periodic role-based security training Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 1ff03f2a-974b-3272-34f2-f6cd51420b30 Obscure feedback information during authentication process CMA_C1344 - Obscure feedback information during authentication process Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 46ab2c5e-6654-1f58-8c83-e97a44f39308 Identify external service providers CMA_C1591 - Identify external service providers Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance cdcb825f-a0fb-31f9-29c1-ab566718499a Publish Computer Matching Agreements on public website CMA_C1829 - Publish Computer Matching Agreements on public website Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance fe2dff43-0a8c-95df-0432-cb1c794b17d0 Notify users of system logon or access CMA_0382 - Notify users of system logon or access Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 611ebc63-8600-50b6-a0e3-fef272457132 Employ independent team for penetration testing CMA_C1171 - Employ independent team for penetration testing Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 677e1da4-00c3-287a-563d-f4a1cf9b99a0 Conduct Risk Assessment CMA_C1543 - Conduct Risk Assessment Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance ea9d7c95-2f10-8a4d-61d8-7469bd2e8d65 Update antivirus definitions CMA_0517 - Update antivirus definitions Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance b544f797-a73b-1be3-6d01-6b1a085376bc Establish information security workforce development and improvement program CMA_C1752 - Establish information security workforce development and improvement program Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 7c7032fe-9ce6-9092-5890-87a1a3755db1 Retain terminated user data CMA_0455 - Retain terminated user data Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance ad1d562b-a04b-15d3-6770-ed310b601cb5 Publish rules and regulations accessing Privacy Act records CMA_C1847 - Publish rules and regulations accessing Privacy Act records Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance c981fa70-2e58-8141-1457-e7f62ebc2ade Document organizational access agreements CMA_0192 - Document organizational access agreements Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 015b4935-448a-8684-27c0-d13086356c33 Implement a threat awareness program CMA_C1758 - Implement a threat awareness program Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 9b8b05ec-3d21-215e-5d98-0f7cf0998202 Provide security awareness training for insider threats CMA_0417 - Provide security awareness training for insider threats Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance e4b00788-7e1c-33ec-0418-d048508e095b Implement training for protecting authenticators CMA_0329 - Implement training for protecting authenticators Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 8019d788-713d-90a1-5570-dac5052f517d Train staff on PII sharing and its consequences CMA_C1871 - Train staff on PII sharing and its consequences Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance bd6cbcba-4a2d-507c-53e3-296b5c238a8e Develop and document a business continuity and disaster recovery plan CMA_0146 - Develop and document a business continuity and disaster recovery plan Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 83eea3d3-0d2c-9ccd-1021-2111b29b2a62 Ensure system capable of dynamic isolation of resources CMA_C1638 - Ensure system capable of dynamic isolation of resources Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance cd36eeec-67e7-205a-4b64-dbfe3b4e3e4e Implement controls to secure alternate work sites CMA_0315 - Implement controls to secure alternate work sites Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance bbb2e6d6-085f-5a35-a55d-e45daad38933 Provide secure name and address resolution services CMA_0416 - Provide secure name and address resolution services Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 1e0d5ba8-a433-01aa-829c-86b06c9631ec Include dynamic reconfig of customer deployed resources CMA_C1364 - Include dynamic reconfig of customer deployed resources Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Security Center a21f8c92-9e22-4f09-b759-50500d1d2dda [Preview]: Guest Attestation extension should be installed on supported Linux virtual machines scale sets Install Guest Attestation extension on supported Linux virtual machines scale sets to allow Azure Security Center to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment applies to Trusted Launch and Confidential Linux virtual machine scale sets. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
2022-09-27 16:35:32
Major, suffix remains equal (4.0.0-preview > 5.0.0-preview)
Regulatory Compliance f7eb1d0b-6d4f-2d59-1591-7563e11a9313 Define and enforce conditions for shared and group accounts CMA_0117 - Define and enforce conditions for shared and group accounts Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance fad161f5-5261-401a-22dd-e037bae011bd Review threat protection status weekly CMA_0479 - Review threat protection status weekly Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 0a412110-3874-9f22-187a-c7a81c8a6704 Establish alternate storage site to store and retrieve backup information CMA_C1267 - Establish alternate storage site to store and retrieve backup information Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance ca748dfe-3e28-1d18-4221-89aea30aa0a5 Identify status of individual users CMA_C1316 - Identify status of individual users Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 34d38ea7-6754-1838-7031-d7fd07099821 Manage system and admin accounts CMA_0368 - Manage system and admin accounts Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 8e49107c-3338-40d1-02aa-d524178a2afe Deliver security assessment results CMA_C1147 - Deliver security assessment results Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance cc2f7339-2fac-1ea9-9ca3-cd530fbb0da2 Create alternative actions for identified anomalies CMA_C1711 - Create alternative actions for identified anomalies Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 28aa060e-25c7-6121-05d8-a846f11433df Review and update planning policies and procedures CMA_C1491 - Review and update planning policies and procedures Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 13939f8c-4cd5-a6db-9af4-9dfec35e3722 Identify and mitigate potential issues at alternate storage site CMA_C1271 - Identify and mitigate potential issues at alternate storage site Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 33d34fac-56a8-1c0f-0636-3ed94892a709 Govern the allocation of resources CMA_0293 - Govern the allocation of resources Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 171e377b-5224-4a97-1eaa-62a3b5231dac Generate internal security alerts CMA_C1704 - Generate internal security alerts Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 68a39c2b-0f17-69ee-37a3-aa10f9853a08 Establish voip usage restrictions CMA_0280 - Establish voip usage restrictions Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance e603da3a-8af7-4f8a-94cb-1bcc0e0333d2 Manage the input, output, processing, and storage of data CMA_0369 - Manage the input, output, processing, and storage of data Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 14a4fd0a-9100-1e12-1362-792014a28155 Update contingency plan CMA_C1248 - Update contingency plan Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 39999038-9ef1-602a-158c-ce2367185230 Define performance metrics CMA_0124 - Define performance metrics Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 6228396e-2ace-7ca5-3247-45767dbf52f4 Notify personnel upon sanctions CMA_0380 - Notify personnel upon sanctions Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 6c79c3e5-5f7b-a48a-5c7b-8c158bc01115 Ensure security categorization is approved CMA_C1540 - Ensure security categorization is approved Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 3c93dba1-84fd-57de-33c7-ef0400a08134 Establish terms and conditions for accessing resources CMA_C1076 - Establish terms and conditions for accessing resources Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 37546841-8ea1-5be0-214d-8ac599588332 Maintain incident response plan CMA_0352 - Maintain incident response plan Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 08c11b48-8745-034d-1c1b-a144feec73b9 Restrict use of open source software CMA_C1237 - Restrict use of open source software Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance bd4dc286-2f30-5b95-777c-681f3a7913d3 Establish and document change control processes CMA_0265 - Establish and document change control processes Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance dbcef108-7a04-38f5-8609-99da110a2a57 Determine information protection needs CMA_C1750 - Determine information protection needs Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 311802f9-098d-0659-245a-94c5d47c0182 Employ boundary protection to isolate information systems CMA_C1639 - Employ boundary protection to isolate information systems Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance dad8a2e9-6f27-4fc2-8933-7e99fe700c9c Authorize remote access CMA_0024 - Authorize remote access Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 398fdbd8-56fd-274d-35c6-fa2d3b2755a1 Establish firewall and router configuration standards CMA_0272 - Establish firewall and router configuration standards Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Monitoring 1f6e93e8-6b31-41b1-83f6-36e449a42579 Deploy Diagnostic Settings for Event Hub to Log Analytics workspace Deploys the diagnostic settings for Event Hub to stream to a regional Log Analytics workspace when any Event Hub which is missing this diagnostic settings is created or updated. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
2022-09-27 16:35:32
Major (1.1.0 > 2.0.0)
Regulatory Compliance 5715bf33-a5bd-1084-4e19-bc3c83ec1c35 Establish terms and conditions for processing resources CMA_C1077 - Establish terms and conditions for processing resources Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 291f20d4-8d93-1d73-89f3-6ce28b825563 Authorize, monitor, and control usage of mobile code technologies CMA_C1653 - Authorize, monitor, and control usage of mobile code technologies Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 7a114735-a420-057d-a651-9a73cd0416ef Require developers to provide unified security protection approach CMA_C1614 - Require developers to provide unified security protection approach Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance d8bbd80e-3bb1-5983-06c2-428526ec6a63 Establish a password policy CMA_0256 - Establish a password policy Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 4c385143-09fd-3a34-790c-a5fd9ec77ddc Provide role-based security training CMA_C1094 - Provide role-based security training Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 7d7a8356-5c34-9a95-3118-1424cfaf192a Adopt biometric authentication mechanisms CMA_0005 - Adopt biometric authentication mechanisms Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 4edaca8c-0912-1ac5-9eaa-6a1057740fae Provide capability to disconnect or disable remote access CMA_C1066 - Provide capability to disconnect or disable remote access Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 34aac8b2-488a-2b96-7280-5b9b481a317a Incorporate flaw remediation into configuration management CMA_C1671 - Incorporate flaw remediation into configuration management Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 0065241c-72e9-3b2c-556f-75de66332a94 Establish parameters for searching secret authenticators and verifiers CMA_0274 - Establish parameters for searching secret authenticators and verifiers Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 509552f5-6528-3540-7959-fbeae4832533 Enforce rules of behavior and access agreements CMA_0248 - Enforce rules of behavior and access agreements Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 8b333332-6efd-7c0d-5a9f-d1eb95105214 Employ FIPS 201-approved technology for PIV CMA_C1579 - Employ FIPS 201-approved technology for PIV Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance b8587fce-138f-86e8-33a3-c60768bf1da6 Automate remote maintenance activities CMA_C1402 - Automate remote maintenance activities Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 77cc89bb-774f-48d7-8a84-fb8c322c3000 Track software license usage CMA_C1235 - Track software license usage Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance ef718fe4-7ceb-9ddf-3198-0ee8f6fe9cba Review file and folder activity CMA_0473 - Review file and folder activity Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 13efd2d7-3980-a2a4-39d0-527180c009e8 Document security assurance requirements in acquisition contracts CMA_0199 - Document security assurance requirements in acquisition contracts Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 3e37c891-840c-3eb4-78d2-e2e0bb5063e0 Require developers to describe accurate security functionality CMA_C1613 - Require developers to describe accurate security functionality Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance e714b481-8fac-64a2-14a9-6f079b2501a4 Use privileged identity management CMA_0533 - Use privileged identity management Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 03b6427e-6072-4226-4bd9-a410ab65317e Design an access control model CMA_0129 - Design an access control model Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 2e7a98c9-219f-0d58-38dc-d69038224442 Protect the information security program plan CMA_C1732 - Protect the information security program plan Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 57927290-8000-59bf-3776-90c468ac5b4b Document security functional requirements in acquisition contracts CMA_0201 - Document security functional requirements in acquisition contracts Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance fc26e2fd-3149-74b4-5988-d64bb90f8ef7 Separately store backup information CMA_C1293 - Separately store backup information Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 59bedbdc-0ba9-39b9-66bb-1d1c192384e6 Control information flow CMA_0079 - Control information flow Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 056a723b-4946-9d2a-5243-3aa27c4d31a1 Satisfy token quality requirements CMA_0487 - Satisfy token quality requirements Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 085467a6-9679-5c65-584a-f55acefd0d43 Require developers to implement only approved changes CMA_C1596 - Require developers to implement only approved changes Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 68d2e478-3b19-23eb-1357-31b296547457 Enforce software execution privileges CMA_C1041 - Enforce software execution privileges Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance eb1c944e-0e94-647b-9b7e-fdb8d2af0838 Review user groups and applications with access to sensitive data CMA_0481 - Review user groups and applications with access to sensitive data Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance ef5a7059-6651-73b1-18b3-75b1b79c1565 Define information security roles and responsibilities CMA_C1565 - Define information security roles and responsibilities Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 4502e506-5f35-0df4-684f-b326e3cc7093 Terminate user session automatically CMA_C1054 - Terminate user session automatically Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance ff136354-1c92-76dc-2dab-80fb7c6a9f1a Observe and report security weaknesses CMA_0384 - Observe and report security weaknesses Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 84245967-7882-54f6-2d34-85059f725b47 Establish an information security program CMA_0263 - Establish an information security program Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 26daf649-22d1-97e9-2a8a-01b182194d59 Configure workstations to check for digital certificates CMA_0073 - Configure workstations to check for digital certificates Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance e7422f08-65b4-50e4-3779-d793156e0079 Develop a concept of operations (CONOPS) CMA_0141 - Develop a concept of operations (CONOPS) Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance d78f95ba-870a-a500-6104-8a5ce2534f19 Document protection of security information in acquisition contracts CMA_0195 - Document protection of security information in acquisition contracts Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 50e81644-923d-33fc-6ebb-9733bc8d1a06 Perform a trend analysis on threats CMA_0389 - Perform a trend analysis on threats Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 22457e81-3ec6-5271-a786-c3ca284601dd Isolate information spills CMA_0346 - Isolate information spills Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance fd81a1b3-2d7a-107c-507e-29b87d040c19 Enforce appropriate usage of all accounts CMA_C1023 - Enforce appropriate usage of all accounts Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance ffdaa742-0d6f-726f-3eac-6e6c34e36c93 Establish usage restrictions for mobile code technologies CMA_C1652 - Establish usage restrictions for mobile code technologies Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 0040d2e5-2779-170d-6a2c-1f5fca353335 Restrict location of information processing, storage and services CMA_C1593 - Restrict location of information processing, storage and services Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Monitoring d4b065e2-fbda-4461-a42c-b0346aeb12a0 The legacy Log Analytics extension should not be installed on Linux virtual machines Automatically prevent installation of the legacy Log Analytics Agent as the final step of migrating from legacy agents to Azure Monitor Agent. After you have uninstalled existing legacy extensions, this policy will deny all future installations of the legacy agent extension on Linux virtual machines. Learn more: https://aka.ms/migratetoAMA Default
Audit
Allowed
Deny, Audit, Disabled
add
2022-09-27 16:35:32
d4b065e2-fbda-4461-a42c-b0346aeb12a0
Regulatory Compliance 318b2bd9-9c39-9f8b-46a7-048401f33476 Address coding vulnerabilities CMA_0003 - Address coding vulnerabilities Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 9c276cf3-596f-581a-7fbd-f5e46edaa0f4 Manage symmetric cryptographic keys CMA_0367 - Manage symmetric cryptographic keys Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 5269d7e4-3768-501d-7e46-66c56c15622c Manage contacts for authorities and special interest groups CMA_0359 - Manage contacts for authorities and special interest groups Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 10874318-0bf7-a41f-8463-03e395482080 Correlate audit records CMA_0087 - Correlate audit records Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 477bd136-7dd9-55f8-48ac-bae096b86a07 Develop POA&M CMA_C1156 - Develop POA&M Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 8b077bff-516f-3983-6c42-c86e9a11868b Designate individuals to fulfill specific roles and responsibilities CMA_C1747 - Designate individuals to fulfill specific roles and responsibilities Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance f3c17714-8ce7-357f-4af2-a0baa63a063f Make SORNs available publicly CMA_C1865 - Make SORNs available publicly Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 464a7d7a-2358-4869-0b49-6d582ca21292 Ensure capital planning and investment requests include necessary resources CMA_C1734 - Ensure capital planning and investment requests include necessary resources Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 1afada58-8b34-7ac2-a38a-983218635201 Define acceptable and unacceptable mobile code technologies CMA_C1651 - Define acceptable and unacceptable mobile code technologies Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 3b30aa25-0f19-6c04-5ca4-bd3f880a763d Implement parameters for memorized secret verifiers CMA_0321 - Implement parameters for memorized secret verifiers Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance b2c723e8-a1a0-8e38-5cf1-f5a20ffe4f51 Publish access procedures in SORNs CMA_C1848 - Publish access procedures in SORNs Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 27ab3ac0-910d-724d-0afa-1a2a01e996c0 Respond to rectification requests CMA_0442 - Respond to rectification requests Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance c6aeb800-0b19-944d-92dc-59b893722329 Rescreen individuals at a defined frequency CMA_C1512 - Rescreen individuals at a defined frequency Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance ab02bb73-4ce1-89dd-3905-d93042809ba0 Align business objectives and IT goals CMA_0008 - Align business objectives and IT goals Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 48c816c5-2190-61fc-8806-25d6f3df162f Monitor access across the organization CMA_0376 - Monitor access across the organization Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 3153d9c0-2584-14d3-362d-578b01358aeb Retain training records CMA_0456 - Retain training records Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance adf517f3-6dcd-3546-9928-34777d0c277e Review and update system and communications protection policies and procedures CMA_C1616 - Review and update system and communications protection policies and procedures Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance a930f477-9dcb-2113-8aa7-45bb6fc90861 Review and update the events defined in AU-02 CMA_C1106 - Review and update the events defined in AU-02 Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 0803eaa7-671c-08a7-52fd-ac419f775e75 Document acquisition contract acceptance criteria CMA_0187 - Document acquisition contract acceptance criteria Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 34738025-5925-51f9-1081-f2d0060133ed Information security and personal data protection CMA_0332 - Information security and personal data protection Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 1c258345-5cd4-30c8-9ef3-5ee4dd5231d6 Develop security assessment plan CMA_C1144 - Develop security assessment plan Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 42116f15-5665-a52a-87bb-b40e64c74b6c Develop acceptable use policies and procedures CMA_0143 - Develop acceptable use policies and procedures Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance eff6e4a5-3efe-94dd-2ed1-25d56a019a82 Distribute policies and procedures CMA_0185 - Distribute policies and procedures Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 516be556-1353-080d-2c2f-f46f000d5785 Provide periodic security awareness training CMA_C1091 - Provide periodic security awareness training Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance af5ff768-a34b-720e-1224-e6b3214f3ba6 Establish an alternate processing site CMA_0262 - Establish an alternate processing site Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance b6b32f80-a133-7600-301e-398d688e7e0c Evaluate and review PII holdings regularly CMA_C1832 - Evaluate and review PII holdings regularly Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Monitoring bd58d393-162c-4134-bcd6-a6a5484a37a1 The legacy Log Analytics extension should not be installed on Azure Arc enabled Linux servers Automatically prevent installation of the legacy Log Analytics Agent as the final step of migrating from legacy agents to Azure Monitor Agent. After you have uninstalled existing legacy extensions, this policy will deny all future installations of the legacy agent extension on Azure Arc enabled Linux servers. Learn more: https://aka.ms/migratetoAMA Default
Audit
Allowed
Deny, Audit, Disabled
add
2022-09-27 16:35:32
bd58d393-162c-4134-bcd6-a6a5484a37a1
Regulatory Compliance 874a6f2e-2098-53bc-3a16-20dcdc425a7e Create configuration plan protection CMA_C1233 - Create configuration plan protection Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 5b802722-71dd-a13d-2e7e-231e09589efb Implement privileged access for executing vulnerability scanning activities CMA_C1555 - Implement privileged access for executing vulnerability scanning activities Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 23d1a569-2d1e-7f43-9e22-1f94115b7dd5 Identify classes of Incidents and Actions taken CMA_C1365 - Identify classes of Incidents and Actions taken Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 585af6e9-90c0-4575-67a7-2f9548972e32 Review and reevaluate privileges CMA_C1207 - Review and reevaluate privileges Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 1b8a7ec3-11cc-a2d3-8cd0-eedf074424a4 Employ automatic shutdown/restart when violations are detected CMA_C1715 - Employ automatic shutdown/restart when violations are detected Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 57adc919-9dca-817c-8197-64d812070316 Develop an enterprise architecture CMA_C1741 - Develop an enterprise architecture Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 97d91b33-7050-237b-3e23-a77d57d84e13 Issue public key certificates CMA_0347 - Issue public key certificates Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance d661e9eb-4e15-5ba1-6f02-cdc467db0d6c Define organizational requirements for cryptographic key management CMA_0123 - Define organizational requirements for cryptographic key management Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 25a1f840-65d0-900a-43e4-bee253de04de Define requirements for managing assets CMA_0125 - Define requirements for managing assets Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 55be3260-a7a2-3c06-7fe6-072d07525ab7 Accept PIV credentials CMA_C1347 - Accept PIV credentials Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 4012c2b7-4e0e-a7ab-1688-4aab43f14420 Map authenticated identities to individuals CMA_0372 - Map authenticated identities to individuals Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance f78fc35e-1268-0bca-a798-afcba9d2330a Select additional testing for security control assessments CMA_C1149 - Select additional testing for security control assessments Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance df54d34f-65f3-39f1-103c-a0464b8615df Manage transfers between standby and active system components CMA_0371 - Manage transfers between standby and active system components Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 70057208-70cc-7b31-3c3a-121af6bc1966 Secure commitment from leadership CMA_0489 - Secure commitment from leadership Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 4c6df5ff-4ef2-4f17-a516-0da9189c603b Assign account managers CMA_0015 - Assign account managers Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 8eea8c14-4d93-63a3-0c82-000343ee5204 Conduct a full text analysis of logged privileged commands CMA_0056 - Conduct a full text analysis of logged privileged commands Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 81b6267b-97a7-9aa5-51ee-d2584a160424 Create separate alternate and primary storage sites CMA_C1269 - Create separate alternate and primary storage sites Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance ba02d0a0-566a-25dc-73f1-101c726a19c5 Implement transaction based recovery CMA_C1296 - Implement transaction based recovery Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance e89436d8-6a93-3b62-4444-1d2a42ad56b2 Reevaluate access upon personnel transfer CMA_0424 - Reevaluate access upon personnel transfer Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 01ae60e2-38bb-0a32-7b20-d3a091423409 Implement system boundary protection CMA_0328 - Implement system boundary protection Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 8c5d3d8d-5cba-0def-257c-5ab9ea9644dc Perform a risk assessment CMA_0388 - Perform a risk assessment Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance b9d45adb-471b-56a5-64d2-5b241f126174 Automate privacy controls CMA_C1817 - Automate privacy controls Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance d02498e0-8a6f-6b02-8332-19adf6711d1e Develop organization code of conduct policy CMA_0159 - Develop organization code of conduct policy Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 271a3e58-1b38-933d-74c9-a580006b80aa Document personnel acceptance of privacy requirements CMA_0193 - Document personnel acceptance of privacy requirements Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance f8a63511-66f1-503f-196d-d6217ee0823a Require developers to produce evidence of security assessment plan execution CMA_C1602 - Require developers to produce evidence of security assessment plan execution Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 5226dee6-3420-711b-4709-8e675ebd828f Update information security policies CMA_0518 - Update information security policies Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance c2cb4658-44dc-9d11-3dad-7c6802dd5ba3 Generate error messages CMA_C1724 - Generate error messages Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance a4493012-908c-5f48-a468-1e243be884ce Review security assessment and authorization policies and procedures CMA_C1143 - Review security assessment and authorization policies and procedures Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 2af4640d-11a6-a64b-5ceb-a468f4341c0c Define and enforce inactivity log policy CMA_C1017 - Define and enforce inactivity log policy Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 2b4e134f-1e4c-2bff-573e-082d85479b6e Develop an incident response plan CMA_0145 - Develop an incident response plan Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 0ba211ef-0e85-2a45-17fc-401d1b3f8f85 Document requirements for the use of shared data in contracts CMA_0197 - Document requirements for the use of shared data in contracts Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance eab4450d-9e5c-4f38-0656-2ff8c78c83f3 Document and implement privacy complaint procedures CMA_0189 - Document and implement privacy complaint procedures Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 33602e78-35e3-4f06-17fb-13dd887448e4 Conduct capacity planning CMA_C1252 - Conduct capacity planning Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 524e7136-9f6a-75ba-9089-501018151346 Document security and privacy training activities CMA_0198 - Document security and privacy training activities Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 97f0d974-1486-01e2-2088-b888f46c0589 Train personnel on disclosure of nonpublic information CMA_C1084 - Train personnel on disclosure of nonpublic information Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 01c387ea-383d-4ca9-295a-977fab516b03 Authorize remote access to privileged commands CMA_C1064 - Authorize remote access to privileged commands Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 22a02c9a-49e4-5dc9-0d14-eb35ad717154 Obtain design and implementation information for the security controls CMA_C1576 - Obtain design and implementation information for the security controls Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 6ab47bbf-867e-9113-7998-89b58f77326a Respond to complaints, concerns, or questions timely CMA_C1853 - Respond to complaints, concerns, or questions timely Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance a1334a65-2622-28ee-5067-9d7f5b915cc5 Communicate contingency plan changes CMA_C1249 - Communicate contingency plan changes Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 0716f0f5-4955-2ccb-8d5e-c6be14d57c0f Ensure resources are authorized CMA_C1159 - Ensure resources are authorized Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance ffea18d9-13de-6505-37f3-4c1f88070ad7 Review cloud service provider's compliance with policies and agreements CMA_0469 - Review cloud service provider's compliance with policies and agreements Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 9c954fcf-6dd8-81f1-41b5-832ae5c62caf Incorporate simulated contingency training CMA_C1260 - Incorporate simulated contingency training Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance ced727b3-005e-3c5b-5cd5-230b79d56ee8 Implement a fault tolerant name/address service CMA_0305 - Implement a fault tolerant name/address service Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 06af77de-02ca-0f3e-838a-a9420fe466f5 Establish a discrete line item in budgeting documentation CMA_C1563 - Establish a discrete line item in budgeting documentation Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 8d140e8b-76c7-77de-1d46-ed1b2e112444 Restrict access to private keys CMA_0445 - Restrict access to private keys Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 836f8406-3b8a-11bb-12cb-6c7fa0765668 Develop configuration item identification plan CMA_C1231 - Develop configuration item identification plan Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 33832848-42ab-63f3-1a55-c0ad309d44cd Implement an automated configuration management tool CMA_0311 - Implement an automated configuration management tool Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance f49925aa-9b11-76ae-10e2-6e973cc60f37 Review and update system and services acquisition policies and procedures CMA_C1560 - Review and update system and services acquisition policies and procedures Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 8a703eb5-4e53-701b-67e4-05ba2f7930c8 Separate user and information system management functionality CMA_0493 - Separate user and information system management functionality Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 1a2a03a4-9992-5788-5953-d8f6615306de Govern policies and procedures CMA_0292 - Govern policies and procedures Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 2d4d0e90-32d9-4deb-2166-a00d51ed57c0 Provide information spillage training CMA_0413 - Provide information spillage training Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 5f2e834d-7e40-a4d5-a216-e49b16955ccf Establish requirements for internet service providers CMA_0278 - Establish requirements for internet service providers Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 423f6d9c-0c73-9cc6-64f4-b52242490368 Develop security safeguards CMA_0161 - Develop security safeguards Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 729c8708-2bec-093c-8427-2e87d2cd426d Automate notification of employee termination CMA_C1521 - Automate notification of employee termination Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 6de65dc4-8b4f-34b7-9290-eb137a2e2929 Develop and document application security requirements CMA_0148 - Develop and document application security requirements Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance e1379836-3492-6395-451d-2f5062e14136 Identify and authenticate non-organizational users CMA_C1346 - Identify and authenticate non-organizational users Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 0e696f5a-451f-5c15-5532-044136538491 Protect audit information CMA_0401 - Protect audit information Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance b6ad009f-5c24-1dc0-a25e-74b60e4da45f Control maintenance and repair activities CMA_0080 - Control maintenance and repair activities Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance e23444b9-9662-40f3-289e-6d25c02b48fa Review label activity and analytics CMA_0474 - Review label activity and analytics Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Security Center 1cb4d9c2-f88f-4069-bee0-dba239a57b09 [Preview]: Guest Attestation extension should be installed on supported Windows virtual machines Install Guest Attestation extension on supported virtual machines to allow Azure Security Center to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment applies to Trusted Launch and Confidential Windows virtual machines. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
2022-09-27 16:35:32
Major, suffix remains equal (3.0.0-preview > 4.0.0-preview)
Regulatory Compliance eb8a8df9-521f-3ccd-7e2c-3d1fcc812340 Review and update configuration management policies and procedures CMA_C1175 - Review and update configuration management policies and procedures Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance be38a620-000b-21cf-3cb3-ea151b704c3b Remediate information system flaws CMA_0427 - Remediate information system flaws Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 3f1216b0-30ee-1ac9-3899-63eb744e85f5 Obtain Admin documentation CMA_C1580 - Obtain Admin documentation Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance f6da5cca-5795-60ff-49e1-4972567815fe Require developer to identify SDLC ports, protocols, and services CMA_C1578 - Require developer to identify SDLC ports, protocols, and services Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance d48a6f19-a284-6fc6-0623-3367a74d3f50 Update interconnection security agreements CMA_0519 - Update interconnection security agreements Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 98e33927-8d7f-6d5f-44f5-2469b40b7215 Implement Incident handling capability CMA_C1367 - Implement Incident handling capability Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 82bd024a-5c99-05d6-96ff-01f539676a1a Monitor security and privacy training completion CMA_0379 - Monitor security and privacy training completion Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Security Center c9b2ae08-09e2-4f0e-bb43-b60bf0135bdf [Preview]: Configure supported Windows virtual machine scale sets to automatically install the Guest Attestation extension Configure supported Windows virtual machine scale sets to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
2022-09-27 16:35:32
Major, suffix remains equal (3.0.0-preview > 4.0.0-preview)
Security Center 98ea2fc7-6fc6-4fd1-9d8d-6331154da071 [Preview]: Configure supported Windows virtual machines to automatically install the Guest Attestation extension Configure supported Windows virtual machines to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
2022-09-27 16:35:32
Major, suffix remains equal (4.0.0-preview > 5.0.0-preview)
Regulatory Compliance 00f12b6f-10d7-8117-9577-0f2b76488385 Integrate risk management process into SDLC CMA_C1567 - Integrate risk management process into SDLC Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance b53aa659-513e-032c-52e6-1ce0ba46582f Configure actions for noncompliant devices CMA_0062 - Configure actions for noncompliant devices Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 396f465d-375e-57de-58ba-021adb008191 Invalidate session identifiers at logout CMA_C1661 - Invalidate session identifiers at logout Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance b7306e73-0494-83a2-31f5-280e934a8f70 Develop and document a DDoS response plan CMA_0147 - Develop and document a DDoS response plan Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 5fe84a4c-1b0c-a738-2aba-ed49c9069d3b Prohibit unfair practices CMA_0396 - Prohibit unfair practices Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 2cc9c165-46bd-9762-5739-d2aae5ba90a1 Automate account management CMA_0026 - Automate account management Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 0f31d98d-5ce2-705b-4aa5-b4f6705110dd Prepare alternate processing site for use as operational site CMA_C1278 - Prepare alternate processing site for use as operational site Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 94c842e3-8098-38f9-6d3f-8872b790527d Remove or redact any PII CMA_C1833 - Remove or redact any PII Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 0123edae-3567-a05a-9b05-b53ebe9d3e7e View and configure system diagnostic data CMA_0544 - View and configure system diagnostic data Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 979ed3b6-83f9-26bc-4b86-5b05464700bf Modify access authorizations upon personnel transfer CMA_0374 - Modify access authorizations upon personnel transfer Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 76d66b5c-85e4-93f5-96a5-ebb2fad61dc6 Terminate customer controlled account credentials CMA_C1022 - Terminate customer controlled account credentials Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance b28c8687-4bbd-8614-0b96-cdffa1ac6d9c Review and update incident response policies and procedures CMA_C1352 - Review and update incident response policies and procedures Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 79f081c7-1634-01a1-708e-376197999289 Review user accounts CMA_0480 - Review user accounts Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 74041cfe-3f87-1d17-79ec-34ca5f895542 Produce complete records of remote maintenance activities CMA_C1403 - Produce complete records of remote maintenance activities Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 44b71aa8-099d-8b97-1557-0e853ec38e0d Obtain functional properties of security controls CMA_C1575 - Obtain functional properties of security controls Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 058e9719-1ff9-3653-4230-23f76b6492e0 Enforce security configuration settings CMA_0249 - Enforce security configuration settings Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 21633c09-804e-7fcd-78e3-635c6bfe2be7 Provide capability to process customer-controlled audit records CMA_C1126 - Provide capability to process customer-controlled audit records Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance f741c4e6-41eb-15a4-25a2-61ac7ca232f0 Integrate audit review, analysis, and reporting CMA_0339 - Integrate audit review, analysis, and reporting Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 449ebb52-945b-36e5-3446-af6f33770f8f Update the security authorization CMA_C1160 - Update the security authorization Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance e7589f4e-1e8b-72c2-3692-1e14d7f3699f Ensure access agreements are signed or resigned timely CMA_C1528 - Ensure access agreements are signed or resigned timely Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 91a54089-2d69-0f56-62dc-b6371a1671c0 Resume all mission and business functions CMA_C1254 - Resume all mission and business functions Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 85335602-93f5-7730-830b-d43426fd51fa Integrate Audit record analysis CMA_C1120 - Integrate Audit record analysis Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance d9edcea6-6cb8-0266-a48c-2061fbac4310 Plan for continuance of essential business functions CMA_C1255 - Plan for continuance of essential business functions Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 1ee4c7eb-480a-0007-77ff-4ba370776266 Use system clocks for audit records CMA_0535 - Use system clocks for audit records Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 6baae474-434f-2e91-7163-a72df30c4847 Manage security state of information systems CMA_C1746 - Manage security state of information systems Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance ee4bbbbb-2e52-9adb-4e3a-e641f7ac68ab Check for privacy and security compliance before establishing internal connections CMA_0053 - Check for privacy and security compliance before establishing internal connections Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 84a01872-5318-049e-061e-d56734183e84 Distribute information system documentation CMA_C1584 - Distribute information system documentation Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 2d14ff7e-6ff9-838c-0cde-4962ccdb1689 Employ business case to record the resources required CMA_C1735 - Employ business case to record the resources required Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 70fe686f-1f91-7dab-11bf-bca4201e183b Review role group changes weekly CMA_0476 - Review role group changes weekly Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance f476f3b0-4152-526e-a209-44e5f8c968d7 Establish network segmentation for card holder data environment CMA_0273 - Establish network segmentation for card holder data environment Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance c79d378a-2521-822a-0407-57454f8d2c74 Notify upon termination or transfer CMA_0381 - Notify upon termination or transfer Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance ee67c031-57fc-53d0-0cca-96c4c04345e8 Document and distribute a privacy policy CMA_0188 - Document and distribute a privacy policy Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance ba99d512-3baa-1c38-8b0b-ae16bbd34274 Test contingency plan at an alternate processing location CMA_C1265 - Test contingency plan at an alternate processing location Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance f26af0b1-65b6-689a-a03f-352ad2d00f98 Audit privileged functions CMA_0019 - Audit privileged functions Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Security Center 672fe5a1-2fcd-42d7-b85d-902b6e28c6ff [Preview]: Guest Attestation extension should be installed on supported Linux virtual machines Install Guest Attestation extension on supported Linux virtual machines to allow Azure Security Center to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment applies to Trusted Launch and Confidential Linux virtual machines. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
2022-09-27 16:35:32
Major, suffix remains equal (5.0.0-preview > 6.0.0-preview)
Regulatory Compliance 2927e340-60e4-43ad-6b5f-7a1468232cc2 Configure detection whitelist CMA_0068 - Configure detection whitelist Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 0fd1ca29-677b-2f12-1879-639716459160 Maintain data breach records CMA_0351 - Maintain data breach records Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 97cfd944-6f0c-7db2-3796-8e890ef70819 Establish conditions for role membership CMA_0269 - Establish conditions for role membership Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance c42f19c9-5d88-92da-0742-371a0ea03126 Clear personnel with access to classified information CMA_0054 - Clear personnel with access to classified information Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance d42a8f69-a193-6cbc-48b9-04a9e29961f1 Protect wireless access CMA_0411 - Protect wireless access Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Security Center 57c2e3f0-98cf-4c3b-aa6b-e8f70726e74e [Preview]: Configure supported Linux virtual machine scale sets to automatically install the Guest Attestation extension Configure supported Linux virtual machines scale sets to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
2022-09-27 16:35:32
Major, suffix remains equal (5.0.0-preview > 6.0.0-preview)
Regulatory Compliance e21f91d1-2803-0282-5f2d-26ebc4b170ef Update organizational access agreements CMA_0520 - Update organizational access agreements Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 98145a9b-428a-7e81-9d14-ebb154a24f93 View and investigate restricted users CMA_0545 - View and investigate restricted users Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance a44c9fba-43f8-4b7b-7ee6-db52c96b4366 Facilitate information sharing CMA_0284 - Facilitate information sharing Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance bab9ef1d-a16d-421a-822d-3fa94e808156 Route traffic through managed network access points CMA_0484 - Route traffic through managed network access points Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance de770ba6-50dd-a316-2932-e0d972eaa734 Require approval for account creation CMA_0431 - Require approval for account creation Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance aeed863a-0f56-429f-945d-8bb66bd06841 Authorize access to security functions and information CMA_0022 - Authorize access to security functions and information Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 2af551d5-1775-326a-0589-590bfb7e9eb2 Limit privileges to make changes in production environment CMA_C1206 - Limit privileges to make changes in production environment Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 80029bc5-834f-3a9c-a2d8-acbc1aab4e9f Employ restrictions on external system interconnections CMA_C1155 - Employ restrictions on external system interconnections Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance a315c657-4a00-8eba-15ac-44692ad24423 Protect special information CMA_0409 - Protect special information Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 4e400494-53a5-5147-6f4d-718b539c7394 Manage compliance activities CMA_0358 - Manage compliance activities Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 10c3a1b1-29b0-a2d5-8f4c-a284b0f07830 Implement cryptographic mechanisms CMA_C1419 - Implement cryptographic mechanisms Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance b4512986-80f5-1656-0c58-08866bd2673a Designate authorized personnel to post publicly accessible information CMA_C1083 - Designate authorized personnel to post publicly accessible information Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 5decc032-95bd-2163-9549-a41aba83228e Implement formal sanctions process CMA_0317 - Implement formal sanctions process Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance efef28d0-3226-966a-a1e8-70e89c1b30bc Retain security policies and procedures CMA_0454 - Retain security policies and procedures Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance c7e8ddc1-14aa-1814-7fe1-aad1742b27da Enforce expiration of cached authenticators CMA_C1343 - Enforce expiration of cached authenticators Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 6c0a312f-04c5-5c97-36a5-e56763a02b6b Review and sign revised rules of behavior CMA_0465 - Review and sign revised rules of behavior Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 5020f3f4-a579-2f28-72a8-283c5a0b15f9 Restrict communications CMA_0449 - Restrict communications Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance ece8bb17-4080-5127-915f-dc7267ee8549 Verify security functions CMA_C1708 - Verify security functions Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 4781e5fd-76b8-7d34-6df3-a0a7fca47665 Prevent identifier reuse for the defined time period CMA_C1314 - Prevent identifier reuse for the defined time period Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance de936662-13dc-204c-75ec-1af80f994088 Provide contingency training CMA_0412 - Provide contingency training Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 8bfdbaa6-6824-3fec-9b06-7961bf7389a6 Initiate contingency plan testing corrective actions CMA_C1263 - Initiate contingency plan testing corrective actions Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 18e7906d-4197-20fa-2f14-aaac21864e71 Document process to ensure integrity of PII CMA_C1827 - Document process to ensure integrity of PII Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 9622aaa9-5c49-40e2-5bf8-660b7cd23deb Alert personnel of information spillage CMA_0007 - Alert personnel of information spillage Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 898a5781-2254-5a37-34c7-d78ea7c20d55 Publish SORNs for systems containing PII CMA_C1862 - Publish SORNs for systems containing PII Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance bb048641-6017-7272-7772-a008f285a520 Develop spillage response procedures CMA_0162 - Develop spillage response procedures Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 5bac5fb7-7735-357b-767d-02264bfe5c3b Perform all non-local maintenance CMA_C1417 - Perform all non-local maintenance Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 39eb03c1-97cc-11ab-0960-6209ed2869f7 Establish a privacy program CMA_0257 - Establish a privacy program Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance d9af7f88-686a-5a8b-704b-eafdab278977 Obtain legal opinion for monitoring system activities CMA_C1688 - Obtain legal opinion for monitoring system activities Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance ced291b8-1d3d-7e27-40cf-829e9dd523c8 Review and update the information security architecture CMA_C1504 - Review and update the information security architecture Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance f29b17a4-0df2-8a50-058a-8570f9979d28 Assign system identifiers CMA_0018 - Assign system identifiers Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance b4e19d22-8c0e-7cad-3219-c84c62dc250f Review and update media protection policies and procedures CMA_C1427 - Review and update media protection policies and procedures Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance a08b18c7-9e0a-89f1-3696-d80902196719 Document access privileges CMA_0186 - Document access privileges Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 50e9324a-7410-0539-0662-2c1e775538b7 Authorize and manage access CMA_0023 - Authorize and manage access Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 8bb40df9-23e4-4175-5db3-8dba86349b73 Confirm quality and integrity of PII CMA_C1821 - Confirm quality and integrity of PII Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 92b49e92-570f-1765-804a-378e6c592e28 Automate process to highlight unreviewed change proposals CMA_C1193 - Automate process to highlight unreviewed change proposals Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance a830fe9e-08c9-a4fb-420c-6f6bf1702395 Review account provisioning logs CMA_0460 - Review account provisioning logs Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 90a156a6-49ed-18d1-1052-69aac27c05cd Allocate resources in determining information system requirements CMA_C1561 - Allocate resources in determining information system requirements Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance b0e3035d-6366-2e37-796e-8bcab9c649e6 Establish a threat intelligence program CMA_0260 - Establish a threat intelligence program Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance c8aa992d-76b7-7ca0-07b3-31a58d773fa9 Employ automated training environment CMA_C1357 - Employ automated training environment Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance b320aa42-33b4-53af-87ce-100091d48918 Document third-party personnel security requirements CMA_C1531 - Document third-party personnel security requirements Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance e4054c0e-1184-09e6-4c5e-701e0bc90f81 Report atypical behavior of user accounts CMA_C1025 - Report atypical behavior of user accounts Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 75b9db50-7906-2351-98ae-0458218609e5 Retain accounting of disclosures of information CMA_C1819 - Retain accounting of disclosures of information Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 6610f662-37e9-2f71-65be-502bdc2f554d Update rules of behavior and access agreements CMA_0521 - Update rules of behavior and access agreements Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 12af7c7a-92af-9e96-0d0c-5e732d1a3751 Ensure information system fails in known state CMA_C1662 - Ensure information system fails in known state Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 7fc1f0da-0050-19bb-3d75-81ae15940df6 Provide monitoring information as needed CMA_C1689 - Provide monitoring information as needed Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 2b05dca2-25ec-9335-495c-29155f785082 Provide security training before providing access CMA_0418 - Provide security training before providing access Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Security Center f655e522-adff-494d-95c2-52d4f6d56a42 [Preview]: Guest Attestation extension should be installed on supported Windows virtual machines scale sets Install Guest Attestation extension on supported virtual machines scale sets to allow Azure Security Center to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment applies to Trusted Launch and Confidential Windows virtual machine scale sets. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
2022-09-27 16:35:32
Major, suffix remains equal (2.0.0-preview > 3.0.0-preview)
Regulatory Compliance 6f311b49-9b0d-8c67-3d6e-db80ae528173 Bind authenticators and identities dynamically CMA_0035 - Bind authenticators and identities dynamically Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance e54901fe-42c2-7f3b-3c5f-327aa5320a69 Automate information sharing decisions CMA_0028 - Automate information sharing decisions Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 21832235-7a07-61f4-530d-d596f76e5b95 Implement security testing, training, and monitoring plans CMA_C1753 - Implement security testing, training, and monitoring plans Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 2067b904-9552-3259-0cdd-84468e284b7c Review and update system maintenance policies and procedures CMA_C1395 - Review and update system maintenance policies and procedures Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance cc057769-01d9-95ad-a36f-1e62a7f9540b Update POA&M items CMA_C1157 - Update POA&M items Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance bfc540fe-376c-2eef-4355-121312fa4437 Maintain separate execution domains for running processes CMA_C1665 - Maintain separate execution domains for running processes Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 4ce91e4e-6dab-3c46-011a-aa14ae1561bf Maintain list of authorized remote maintenance personnel CMA_C1420 - Maintain list of authorized remote maintenance personnel Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 8aec4343-9153-9641-172c-defb201f56b3 Review cloud identity report overview CMA_0468 - Review cloud identity report overview Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 6f3866e8-6e12-69cf-788c-809d426094a1 Establish electronic signature and certificate requirements CMA_0271 - Establish electronic signature and certificate requirements Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 3d492600-27ba-62cc-a1c3-66eb919f6a0d Document remote access guidelines CMA_0196 - Document remote access guidelines Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 08ad71d0-52be-6503-4908-e015460a16ae Require use of individual authenticators CMA_C1305 - Require use of individual authenticators Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 29acfac0-4bb4-121b-8283-8943198b1549 Review and update identification and authentication policies and procedures CMA_C1299 - Review and update identification and authentication policies and procedures Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 54a9c072-4a93-2a03-6a43-a060d30383d7 Eradicate contaminated information CMA_0253 - Eradicate contaminated information Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 8b1f29eb-1b22-4217-5337-9207cb55231e Perform information input validation CMA_C1723 - Perform information input validation Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 1fdf0b24-4043-3c55-357e-036985d50b52 Ensure security safeguards not needed when the individuals return CMA_C1183 - Ensure security safeguards not needed when the individuals return Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 6bededc0-2985-54d5-4158-eb8bad8070a0 Review and update information integrity policies and procedures CMA_C1667 - Review and update information integrity policies and procedures Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance e6f7b584-877a-0d69-77d4-ab8b923a9650 Document separation of duties CMA_0204 - Document separation of duties Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 92b94485-1c49-3350-9ada-dffe94f08e87 Obtain approvals for acquisitions and outsourcing CMA_C1590 - Obtain approvals for acquisitions and outsourcing Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 178c8b7e-1b6e-4289-44dd-2f1526b678a1 Ensure alternate storage site safeguards are equivalent to primary site CMA_C1268 - Ensure alternate storage site safeguards are equivalent to primary site Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Monitoring 383c45fa-8b64-4d1c-aa9f-e69d2d879aa4 The legacy Log Analytics extension should not be installed on Linux virtual machine scale sets Automatically prevent installation of the legacy Log Analytics Agent as the final step of migrating from legacy agents to Azure Monitor Agent. After you have uninstalled existing legacy extensions, this policy will deny all future installations of the legacy agent extension on Linux virtual machine scale sets. Learn more: https://aka.ms/migratetoAMA Default
Audit
Allowed
Deny, Audit, Disabled
add
2022-09-27 16:35:32
383c45fa-8b64-4d1c-aa9f-e69d2d879aa4
Regulatory Compliance 79365f13-8ba4-1f6c-2ac4-aa39929f56d0 Employ flow control mechanisms of encrypted information CMA_0211 - Employ flow control mechanisms of encrypted information Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 333b4ada-4a02-0648-3d4d-d812974f1bb2 Govern and monitor audit processing activities CMA_0289 - Govern and monitor audit processing activities Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 80a97208-264e-79da-0cc7-4fca179a0c9c Protect against and prevent data theft from departing employees CMA_0398 - Protect against and prevent data theft from departing employees Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 77acc53d-0f67-6e06-7d04-5750653d4629 Document the protection of cardholder data in third party contracts CMA_0207 - Document the protection of cardholder data in third party contracts Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 214ea241-010d-8926-44cc-b90a96d52adc Compile Audit records into system wide audit CMA_C1140 - Compile Audit records into system wide audit Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance d200f199-69f4-95a6-90b0-37ff0cf1040c Provide the capability to extend or limit auditing on customer-deployed resources CMA_C1141 - Provide the capability to extend or limit auditing on customer-deployed resources Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 4ac81669-00e2-9790-8648-71bc11bc91eb Manage the transportation of assets CMA_0370 - Manage the transportation of assets Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance b262e1dd-08e9-41d4-963a-258909ad794b Implement managed interface for each external service CMA_C1626 - Implement managed interface for each external service Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 3bd4e0af-7cbb-a3ec-4918-056a3c017ae2 Keep SORNs updated CMA_C1863 - Keep SORNs updated Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 8c44a0ea-9b09-4d9c-0e91-f9bee3d05bfb Document customer-defined actions CMA_C1582 - Document customer-defined actions Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance d18af1ac-0086-4762-6dc8-87cdded90e39 Perform a privacy impact assessment CMA_0387 - Perform a privacy impact assessment Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance dd2523d5-2db3-642b-a1cf-83ac973b32c2 Establish benchmarks for flaw remediation CMA_C1675 - Establish benchmarks for flaw remediation Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 16c54e01-9e65-7524-7c33-beda48a75779 Produce, control and distribute symmetric cryptographic keys CMA_C1645 - Produce, control and distribute symmetric cryptographic keys Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance c246d146-82b0-301f-32e7-1065dcd248b7 Review changes for any unauthorized changes CMA_C1204 - Review changes for any unauthorized changes Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance aa892c0d-2c40-200c-0dd8-eac8c4748ede Employ automatic emergency lighting CMA_0209 - Employ automatic emergency lighting Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 055da733-55c6-9e10-8194-c40731057ec4 Develop and maintain a vulnerability management standard CMA_0152 - Develop and maintain a vulnerability management standard Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 5fc24b95-53f7-0ed1-2330-701b539b97fe Turn on sensors for endpoint security solution CMA_0514 - Turn on sensors for endpoint security solution Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 1dbd51c2-2bd1-5e26-75ba-ed075d8f0d68 Conduct risk assessment and document its results CMA_C1542 - Conduct risk assessment and document its results Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance b5244f81-6cab-3188-2412-179162294996 Review publicly accessible content for nonpublic information CMA_C1086 - Review publicly accessible content for nonpublic information Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 67ada943-8539-083d-35d0-7af648974125 Determine supplier contract obligations CMA_0140 - Determine supplier contract obligations Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 52375c01-4d4c-7acc-3aa4-5b3d53a047ec Define the duties of processors CMA_0127 - Define the duties of processors Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance b8972f60-8d77-1cb8-686f-9c9f4cdd8a59 Use dedicated machines for administrative tasks CMA_0527 - Use dedicated machines for administrative tasks Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 7805a343-275c-41be-9d62-7215b96212d8 Reassign or remove user privileges as needed CMA_C1040 - Reassign or remove user privileges as needed Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance c5784049-959f-6067-420c-f4cefae93076 Coordinate contingency plans with related plans CMA_0086 - Coordinate contingency plans with related plans Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 1282809c-9001-176b-4a81-260a085f4872 Perform audit for configuration change control CMA_0390 - Perform audit for configuration change control Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance d93fe1be-13e4-421d-9c21-3158e2fa2667 Implement plans of action and milestones for security program process CMA_C1737 - Implement plans of action and milestones for security program process Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 2401b496-7f23-79b2-9f80-89bb5abf3d4a Protect incident response plan CMA_0405 - Protect incident response plan Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 2f20840e-7925-221c-725d-757442753e7c Develop and maintain baseline configurations CMA_0153 - Develop and maintain baseline configurations Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 5d3abfea-a130-1208-29c0-e57de80aa6b0 Review the results of contingency plan testing CMA_C1262 - Review the results of contingency plan testing Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance b65c5d8e-9043-9612-2c17-65f231d763bb Employ independent assessors to conduct security control assessments CMA_C1148 - Employ independent assessors to conduct security control assessments Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance d36700f2-2f0d-7c2a-059c-bdadd1d79f70 Establish a risk management strategy CMA_0258 - Establish a risk management strategy Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance c4ccd607-702b-8ae6-8eeb-fc3339cd4b42 Define cryptographic use CMA_0120 - Define cryptographic use Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 60442979-6333-85f0-84c5-b887bac67448 Evaluate alternate processing site capabilities CMA_C1266 - Evaluate alternate processing site capabilities Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 2f204e72-1896-3bf8-75c9-9128b8683a36 Reissue authenticators for changed groups and accounts CMA_0426 - Reissue authenticators for changed groups and accounts Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 26d178a4-9261-6f04-a100-47ed85314c6e Implement security directives CMA_C1706 - Implement security directives Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance a90c4d44-7fac-8e02-6d5b-0d92046b20e6 Automate flaw remediation CMA_0027 - Automate flaw remediation Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance c423e64d-995c-9f67-0403-b540f65ba42a Assess Security Controls CMA_C1145 - Assess Security Controls Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance a8df9c78-4044-98be-2c05-31a315ac8957 Conform to FICAM-issued profiles CMA_C1350 - Conform to FICAM-issued profiles Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 873895e8-0e3a-6492-42e9-22cd030e9fcd Restrict access to privileged accounts CMA_0446 - Restrict access to privileged accounts Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 2c6bee3a-2180-2430-440d-db3c7a849870 Document security operations CMA_0202 - Document security operations Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance f6794ab8-9a7d-3b24-76ab-265d3646232b Provide role-based training on suspicious activities CMA_C1097 - Provide role-based training on suspicious activities Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance c6b877a6-5d6d-1862-4b7f-3ccc30b25b63 Verify personal data is deleted at the end of processing CMA_0540 - Verify personal data is deleted at the end of processing Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 75b42dcf-7840-1271-260b-852273d7906e Develop contingency planning policies and procedures CMA_0156 - Develop contingency planning policies and procedures Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 8747b573-8294-86a0-8914-49e9b06a5ace Establish configuration management requirements for developers CMA_0270 - Establish configuration management requirements for developers Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 4ee5975d-2507-5530-a20a-83a725889c6f Restrict unauthorized software and firmware installation CMA_C1205 - Restrict unauthorized software and firmware installation Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 8cd815bf-97e1-5144-0735-11f6ddb50a59 Enforce and audit access restrictions CMA_C1203 - Enforce and audit access restrictions Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance dc7ec756-221c-33c8-0afe-c48e10e42321 Verify security controls for external information systems CMA_0541 - Verify security controls for external information systems Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance c3b3cc61-9c70-5d78-7f12-1aefcc477db7 Review security testing, training, and monitoring plans CMA_C1754 - Review security testing, training, and monitoring plans Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 70a7a065-a060-85f8-7863-eb7850ed2af9 Produce Security Assessment report CMA_C1146 - Produce Security Assessment report Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 3baee3fd-30f5-882c-018c-cc78703a0106 Employ independent assessors for continuous monitoring CMA_C1168 - Employ independent assessors for continuous monitoring Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 3c9aa856-6b86-35dc-83f4-bc72cec74dea Establish a data leakage management procedure CMA_0255 - Establish a data leakage management procedure Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 426c172c-9914-10d1-25dd-669641fc1af4 Enable detection of network devices CMA_0220 - Enable detection of network devices Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance c72fc0c8-2df8-7506-30be-6ba1971747e1 Automate implementation of approved change notifications CMA_C1196 - Automate implementation of approved change notifications Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance e750ca06-1824-464a-2cf3-d0fa754d1cb4 Establish a secure software development program CMA_0259 - Establish a secure software development program Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 04b3e7f6-4841-888d-4799-cda19a0084f6 Document and implement wireless access guidelines CMA_0190 - Document and implement wireless access guidelines Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 35963d41-4263-0ef9-98d5-70eb058f9e3c Establish procedures for initial authenticator distribution CMA_0276 - Establish procedures for initial authenticator distribution Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 341bc9f1-7489-07d9-4ec6-971573e1546a Define access authorizations to support separation of duties CMA_0116 - Define access authorizations to support separation of duties Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 3054c74b-9b45-2581-56cf-053a1a716c39 Accept assessment results CMA_C1150 - Accept assessment results Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 66e5cb69-9f1c-8b8d-8fbd-b832466d5aa8 Prevent split tunneling for remote devices CMA_C1632 - Prevent split tunneling for remote devices Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance b8a9bb2f-7290-3259-85ce-dca7d521302d Initiate transfer or reassignment actions CMA_0333 - Initiate transfer or reassignment actions Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 44f8a42d-739f-8030-89a8-4c2d5b3f6af3 Provide audit review, analysis, and reporting capability CMA_C1124 - Provide audit review, analysis, and reporting capability Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 725164e5-3b21-1ec2-7e42-14f077862841 Require compliance with intellectual property rights CMA_0432 - Require compliance with intellectual property rights Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Cosmos DB 9d83ccb1-f313-46ce-9d39-a198bfdb51a0 Azure Cosmos DB accounts should not exceed the maximum number of days allowed since last account key regeneration. Regenerate your keys in the specified time to keep your data more protected. Default
Audit
Allowed
Audit, Disabled
add
2022-09-27 16:35:32
9d83ccb1-f313-46ce-9d39-a198bfdb51a0
Regulatory Compliance c6cf9f2c-5fd8-3f16-a1f1-f0b69c904928 Appoint a senior information security officer CMA_C1733 - Appoint a senior information security officer Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance edcc36f1-511b-81e0-7125-abee29752fe7 Manage availability and capacity CMA_0356 - Manage availability and capacity Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 678ca228-042d-6d8e-a598-c58d5670437d Prohibit remote activation of collaborative computing devices CMA_C1648 - Prohibit remote activation of collaborative computing devices Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 20012034-96f0-85c2-4a86-1ae1eb457802 Review and update risk assessment policies and procedures CMA_C1537 - Review and update risk assessment policies and procedures Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 27965e62-141f-8cca-426f-d09514ee5216 Establish and maintain an asset inventory CMA_0266 - Establish and maintain an asset inventory Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 18e9d748-73d4-0c96-55ab-b108bfbd5bc3 Notify personnel of any failed security verification tests CMA_C1710 - Notify personnel of any failed security verification tests Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance b1666a13-8f67-9c47-155e-69e027ff6823 Enforce mandatory and discretionary access control policies CMA_0246 - Enforce mandatory and discretionary access control policies Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 8f835d6a-4d13-9a9c-37dc-176cebd37fda Document wireless access security controls CMA_C1695 - Document wireless access security controls Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 5e4e9685-3818-5934-0071-2620c4fa2ca5 Retain previous versions of baseline configs CMA_C1181 - Retain previous versions of baseline configs Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 7ded6497-815d-6506-242b-e043e0273928 Plan for resumption of essential business functions CMA_C1253 - Plan for resumption of essential business functions Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 93fa357f-2e38-22a9-5138-8cc5124e1923 Categorize information CMA_0052 - Categorize information Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 3af53f59-979f-24a8-540f-d7cdbc366607 Require users to sign access agreement CMA_0440 - Require users to sign access agreement Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance d4f70530-19a2-2a85-6e0c-0c3c465e3325 Make accounting of disclosures available upon request CMA_C1820 - Make accounting of disclosures available upon request Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 8c255136-994b-9616-79f5-ae87810e0dcf Enable network protection CMA_0238 - Enable network protection Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance f8ded0c6-a668-9371-6bb6-661d58787198 Monitor third-party provider compliance CMA_C1533 - Monitor third-party provider compliance Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance dd6d00a8-701a-5935-a22b-c7b9c0c698b2 Isolate SecurID systems, Security Incident Management systems CMA_C1636 - Isolate SecurID systems, Security Incident Management systems Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 2f67e567-03db-9d1f-67dc-b6ffb91312f4 Determine auditable events CMA_0137 - Determine auditable events Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance d91558ce-5a5c-551b-8fbb-83f793255e09 Route traffic through authenticated proxy network CMA_C1633 - Route traffic through authenticated proxy network Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 09960521-759e-5d12-086f-4192a72a5e92 Protect administrator and user documentation CMA_C1583 - Protect administrator and user documentation Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance f9ec3263-9562-1768-65a1-729793635a8d Document protection of personal data in acquisition contracts CMA_0194 - Document protection of personal data in acquisition contracts Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance a30bd8e9-7064-312a-0e1f-e1b485d59f6e Review exploit protection events CMA_0472 - Review exploit protection events Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 0d04cb93-a0f1-2f4b-4b1b-a72a1b510d08 Assess risk in third party relationships CMA_0014 - Assess risk in third party relationships Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 60ee1260-97f0-61bb-8155-5d8b75743655 Separate duties of individuals CMA_0492 - Separate duties of individuals Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 06f84330-4c27-21f7-72cd-7488afd50244 Implement privacy notice delivery methods CMA_0324 - Implement privacy notice delivery methods Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance d136ae80-54dd-321c-98b4-17acf4af2169 Provide updated security awareness training CMA_C1090 - Provide updated security awareness training Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 36b74844-4a99-4c80-1800-b18a516d1585 Control use of portable storage devices CMA_0083 - Control use of portable storage devices Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance afbecd30-37ee-a27b-8e09-6ac49951a0ee Establish security requirements for the manufacturing of connected devices CMA_0279 - Establish security requirements for the manufacturing of connected devices Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance b33d61c1-7463-7025-0ec0-a47585b59147 Require developers to manage change integrity CMA_C1595 - Require developers to manage change integrity Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 22c16ae4-19d0-29cb-422f-cb44061180ee Disable user accounts posing a significant risk CMA_C1026 - Disable user accounts posing a significant risk Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance c7d57a6a-7cc2-66c0-299f-83bf90558f5d Enforce random unique session identifiers CMA_0247 - Enforce random unique session identifiers Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 6122970b-8d4a-7811-0278-4c6c68f61e4f Restrict media use CMA_0450 - Restrict media use Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance f48b60c6-4b37-332f-7288-b6ea50d300eb Review controlled folder access events CMA_0471 - Review controlled folder access events Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance b5a4be05-3997-1731-3260-98be653610f6 Perform disposition review CMA_0391 - Perform disposition review Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance e9c60c37-65b0-2d72-6c3c-af66036203ae Review and update contingency planning policies and procedures CMA_C1243 - Review and update contingency planning policies and procedures Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 1cb7bf71-841c-4741-438a-67c65fdd7194 Provide security training for new users CMA_0419 - Provide security training for new users Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 3ae68d9a-5696-8c32-62d3-c6f9c52e437c Refresh authenticators CMA_0425 - Refresh authenticators Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance e435f7e3-0dd9-58c9-451f-9b44b96c0232 Implement controls to secure all media CMA_0314 - Implement controls to secure all media Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance d4e6a629-28eb-79a9-000b-88030e4823ca Coordinate with external organizations to achieve cross org perspective CMA_C1368 - Coordinate with external organizations to achieve cross org perspective Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 49c23d9b-02b0-0e42-4f94-e8cef1b8381b Audit user account status CMA_0020 - Audit user account status Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 5c40f27b-6791-18c5-3f85-7b863bd99c11 Automate proposed documented changes CMA_C1191 - Automate proposed documented changes Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance e5c5fc78-4aa5-3d6b-81bc-5fcc88b318e9 Review and update personnel security policies and procedures CMA_C1507 - Review and update personnel security policies and procedures Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance a465e8e9-0095-85cb-a05f-1dd4960d02af Document security documentation requirements in acquisition contract CMA_0200 - Document security documentation requirements in acquisition contract Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 433de59e-7a53-a766-02c2-f80f8421469a Implement incident handling CMA_0318 - Implement incident handling Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 6abdf7c7-362b-3f35-099e-533ed50988f9 Assign information security representative to change control CMA_C1198 - Assign information security representative to change control Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance dad1887d-161b-7b61-2e4d-5124a7b5724e Measure the time between flaw identification and flaw remediation CMA_C1674 - Measure the time between flaw identification and flaw remediation Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance c148208b-1a6f-a4ac-7abc-23b1d41121b1 Document the information system environment in acquisition contracts CMA_0205 - Document the information system environment in acquisition contracts Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 3eabed6d-1912-2d3c-858b-f438d08d0412 Ensure external providers consistently meet interests of the customers CMA_C1592 - Ensure external providers consistently meet interests of the customers Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 83dfb2b8-678b-20a0-4c44-5c75ada023e6 Document mobility training CMA_0191 - Document mobility training Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance f8d141b7-4e21-62a6-6608-c79336e36bc9 Establish privacy requirements for contractors and service providers CMA_C1810 - Establish privacy requirements for contractors and service providers Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance b269a749-705e-8bff-055a-147744675cdf Conduct backup of information system documentation CMA_C1289 - Conduct backup of information system documentation Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 9e3c505e-7aeb-2096-3417-b132242731fc Review content prior to posting publicly accessible information CMA_C1085 - Review content prior to posting publicly accessible information Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance eda0cbb7-6043-05bf-645b-67411f1a59b3 Ensure there are no unencrypted static authenticators CMA_C1340 - Ensure there are no unencrypted static authenticators Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 069101ac-4578-31da-0cd4-ff083edd3eb4 Obtain consent prior to collection or processing of personal data CMA_0385 - Obtain consent prior to collection or processing of personal data Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 20762f1e-85fb-31b0-a600-e833633f10fe Reveal error messages CMA_C1725 - Reveal error messages Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 4f23967c-a74b-9a09-9dc2-f566f61a87b9 Establish backup policies and procedures CMA_0268 - Establish backup policies and procedures Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance db8b35d6-8adb-3f51-44ff-c648ab5b1530 Employ FICAM-approved resources to accept third-party credentials CMA_C1349 - Employ FICAM-approved resources to accept third-party credentials Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance a8f9c283-9a66-3eb3-9e10-bdba95b85884 Run simulation attacks CMA_0486 - Run simulation attacks Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance c2eabc28-1e5c-78a2-a712-7cc176c44c07 Implement a penetration testing methodology CMA_0306 - Implement a penetration testing methodology Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance cb8841d4-9d13-7292-1d06-ba4d68384681 Perform a business impact assessment and application criticality assessment CMA_0386 - Perform a business impact assessment and application criticality assessment Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 92a7591f-73b3-1173-a09c-a08882d84c70 Identify actions allowed without authentication CMA_0295 - Identify actions allowed without authentication Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance b2d3e5a2-97ab-5497-565a-71172a729d93 Protect passwords with encryption CMA_0408 - Protect passwords with encryption Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 4aacaec9-0628-272c-3e83-0d68446694e0 Manage Authenticators CMA_C1321 - Manage Authenticators Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 9b55929b-0101-47c0-a16e-d6ac5c7d21f8 Undergo independent security review CMA_0515 - Undergo independent security review Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 526ed90e-890f-69e7-0386-ba5c0f1f784f Establish and document a configuration management plan CMA_0264 - Establish and document a configuration management plan Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 27ce30dd-3d56-8b54-6144-e26d9a37a541 Ensure audit records are not altered CMA_C1125 - Ensure audit records are not altered Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 8b1da407-5e60-5037-612e-2caa1b590719 Record disclosures of PII to third parties CMA_0422 - Record disclosures of PII to third parties Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 7bdb79ea-16b8-453e-4ca4-ad5b16012414 Transfer backup information to an alternate storage site CMA_C1294 - Transfer backup information to an alternate storage site Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 1fb1cb0e-1936-6f32-42fd-89970b535855 Manage nonlocal maintenance and diagnostic activities CMA_0364 - Manage nonlocal maintenance and diagnostic activities Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance b11697e8-9515-16f1-7a35-477d5c8a1344 Protect data in transit using encryption CMA_0403 - Protect data in transit using encryption Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance f131c8c5-a54a-4888-1efc-158928924bc1 Require developers to build security architecture CMA_C1612 - Require developers to build security architecture Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance afd5d60a-48d2-8073-1ec2-6687e22f2ddd Require notification of third-party personnel transfer or termination CMA_C1532 - Require notification of third-party personnel transfer or termination Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance f96d2186-79df-262d-3f76-f371e3b71798 Review user privileges CMA_C1039 - Review user privileges Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 0f4fa857-079d-9d3d-5c49-21f616189e03 Provide real-time alerts for audit event failures CMA_C1114 - Provide real-time alerts for audit event failures Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance e4e1f896-8a93-1151-43c7-0ad23b081ee2 Authorize, monitor, and control voip CMA_0025 - Authorize, monitor, and control voip Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance a28323fe-276d-3787-32d2-cef6395764c4 Develop audit and accountability policies and procedures CMA_0154 - Develop audit and accountability policies and procedures Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance c0559109-6a27-a217-6821-5a6d44f92897 Maintain integrity of audit system CMA_C1133 - Maintain integrity of audit system Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance b7897ddc-9716-2460-96f7-7757ad038cc4 Assign risk designations CMA_0016 - Assign risk designations Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance c7fddb0e-3f44-8635-2b35-dc6b8e740b7c Identify and manage downstream information exchanges CMA_0298 - Identify and manage downstream information exchanges Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 096a7055-30cb-2db4-3fda-41b20ac72667 Require interconnection security agreements CMA_C1151 - Require interconnection security agreements Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 4e45863d-9ea9-32b4-a204-2680bc6007a6 Require external service providers to comply with security requirements CMA_C1586 - Require external service providers to comply with security requirements Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance b273f1e3-79e7-13ee-5b5d-dca6c66c3d5d Manage maintenance personnel CMA_C1421 - Manage maintenance personnel Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 623b5f0a-8cbd-03a6-4892-201d27302f0c Define information system account types CMA_0121 - Define information system account types Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 279052a0-8238-694d-9661-bf649f951747 Identify contaminated systems and components CMA_0300 - Identify contaminated systems and components Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 37dbe3dc-0e9c-24fa-36f2-11197cbfa207 Ensure authorized users protect provided authenticators CMA_C1339 - Ensure authorized users protect provided authenticators Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance f33c3238-11d2-508c-877c-4262ec1132e1 Recover and reconstitute resources after any disruption CMA_C1295 - Recover and reconstitute resources after any disruption Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 9fdde4a9-85fa-7850-6df4-ae9c4a2e56f9 Integrate cloud app security with a siem CMA_0340 - Integrate cloud app security with a siem Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 37b0045b-3887-367b-8b4d-b9a6fa911bb9 Assess information security events CMA_0013 - Assess information security events Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 03d550b4-34ee-03f4-515f-f2e2faf7a413 Review access control policies and procedures CMA_0457 - Review access control policies and procedures Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 7a0ecd94-3699-5273-76a5-edb8499f655a Determine assertion requirements CMA_0136 - Determine assertion requirements Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance b8689b2e-4308-a58b-a0b4-6f3343a000df Use automated mechanisms for security alerts CMA_C1707 - Use automated mechanisms for security alerts Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 79c75b38-334b-1a69-65e0-a9d929a42f75 Document the legal basis for processing personal information CMA_0206 - Document the legal basis for processing personal information Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 9150259b-617b-596d-3bf5-5ca3fce20335 Establish policies for supply chain risk management CMA_0275 - Establish policies for supply chain risk management Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance d9d48ffb-0d8c-0bd5-5f31-5a5826d19f10 Disable authenticators upon termination CMA_0169 - Disable authenticators upon termination Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 1fdeb7c4-4c93-8271-a135-17ebe85f1cc7 Incorporate simulated events into incident response training CMA_C1356 - Incorporate simulated events into incident response training Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 2c843d78-8f64-92b5-6a9b-e8186c0e7eb6 Enable dual or joint authorization CMA_0226 - Enable dual or joint authorization Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance e29a8f1b-149b-2fa3-969d-ebee1baa9472 Assign an authorizing official (AO) CMA_C1158 - Assign an authorizing official (AO) Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance de077e7e-0cc8-65a6-6e08-9ab46c827b05 Produce, control and distribute asymmetric cryptographic keys CMA_C1646 - Produce, control and distribute asymmetric cryptographic keys Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 11ba0508-58a8-44de-5f3a-9e05d80571da Develop business classification schemes CMA_0155 - Develop business classification schemes Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 43ac3ccb-4ef6-7d63-9a3f-6848485ba4e8 Automate process to document implemented changes CMA_C1195 - Automate process to document implemented changes Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance ca6d7878-3189-1833-4620-6c7254ed1607 Obtain continuous monitoring plan for security controls CMA_C1577 - Obtain continuous monitoring plan for security controls Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 55a7f9a0-6397-7589-05ef-5ed59a8149e7 Control physical access CMA_0081 - Control physical access Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 7380631c-5bf5-0e3a-4509-0873becd8a63 Establish a configuration control board CMA_0254 - Establish a configuration control board Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance f2222056-062d-1060-6dc2-0107a68c34b2 Manage a secure surveillance camera system CMA_0354 - Manage a secure surveillance camera system Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 96333008-988d-4add-549b-92b3a8c42063 Update privacy plan, policies, and procedures CMA_C1807 - Update privacy plan, policies, and procedures Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance e8c31e15-642d-600f-78ab-bad47a5787e6 Require third-party providers to comply with personnel security policies and procedures CMA_C1530 - Require third-party providers to comply with personnel security policies and procedures Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance a3e98638-51d4-4e28-910a-60e98c1a756f Configure Azure Audit capabilities CMA_C1108 - Configure Azure Audit capabilities Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 91cf132e-0c9f-37a8-a523-dc6a92cd2fb2 Review and update physical and environmental policies and procedures CMA_C1446 - Review and update physical and environmental policies and procedures Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance b4409bff-2287-8407-05fd-c73175a68302 Enforce a limit of consecutive failed login attempts CMA_C1044 - Enforce a limit of consecutive failed login attempts Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 58a51cde-008b-1a5d-61b5-d95849770677 Test the business continuity and disaster recovery plan CMA_0509 - Test the business continuity and disaster recovery plan Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance f30edfad-4e1d-1eef-27ee-9292d6d89842 Perform security function verification at a defined frequency CMA_C1709 - Perform security function verification at a defined frequency Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 964b340a-43a4-4798-2af5-7aedf6cb001b Collect PII directly from the individual CMA_C1822 - Collect PII directly from the individual Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 9ca3a3ea-3a1f-8ba0-31a8-6aed0fe1a7a4 Define mobile device requirements CMA_0122 - Define mobile device requirements Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 098a7b84-1031-66d8-4e78-bd15b5fd2efb Provide privacy notice CMA_0414 - Provide privacy notice Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance aa305b4d-8c84-1754-0c74-dec004e66be0 Develop contingency plan CMA_C1244 - Develop contingency plan Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 1d39b5d9-0392-8954-8359-575ce1957d1a Support personal verification credentials issued by legal authorities CMA_0507 - Support personal verification credentials issued by legal authorities Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance ebb0ba89-6d8c-84a7-252b-7393881e43de Document security strength requirements in acquisition contracts CMA_0203 - Document security strength requirements in acquisition contracts Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance b2ea1058-8998-3dd1-84f1-82132ad482fd Develop and establish a system security plan CMA_0151 - Develop and establish a system security plan Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance d6653f89-7cb5-24a4-9d71-51581038231b Reauthenticate or terminate a user session CMA_0421 - Reauthenticate or terminate a user session Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance f801d58e-5659-9a4a-6e8d-02c9334732e5 Restore resources to operational state CMA_C1297 - Restore resources to operational state Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance d8350d4c-9314-400b-288f-20ddfce04fbd Define and enforce the limit of concurrent sessions CMA_C1050 - Define and enforce the limit of concurrent sessions Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance e3905a3c-97e7-0b4f-15fb-465c0927536f Correlate Vulnerability scan information CMA_C1558 - Correlate Vulnerability scan information Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 1beb1269-62ee-32cd-21ad-43d6c9750eb6 Ensure privacy program information is publicly available CMA_C1867 - Ensure privacy program information is publicly available Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance b3c8cc83-20d3-3890-8bc8-5568777670f4 Establish requirements for audit review and reporting CMA_0277 - Establish requirements for audit review and reporting Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 53fc1282-0ee3-2764-1319-e20143bb0ea5 Review contingency plan CMA_C1247 - Review contingency plan Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance aa0ddd99-43eb-302d-3f8f-42b499182960 Install an alarm system CMA_0338 - Install an alarm system Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Regulatory Compliance 098dcde7-016a-06c3-0985-0daaf3301d3a Distribute authenticators CMA_0184 - Distribute authenticators Default
Manual
Allowed
Manual, Disabled
change
2022-09-27 16:35:32
Minor (1.0.0 > 1.1.0)
Security Center 9297c21d-2ed6-4474-b48f-163f75654ce3 MFA should be enabled for accounts with write permissions on your subscription Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
2022-09-23 16:35:49
Patch (3.0.0 > 3.0.1)
Security Center ec88097d-843f-4a92-8471-78016d337ba4 [Preview]: Configure ChangeTracking Extension for Linux virtual machines Configure Linux virtual machines to automatically install the ChangeTracking Extension to enable File Integrity Monitoring (FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitor Agent. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
2022-09-23 16:35:49
Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview)
Storage 7bd000e3-37c7-4928-9f31-86c4b77c5c45 Configure diagnostic settings for Queue Services to Log Analytics workspace Deploys the diagnostic settings for Queue Services to stream resource logs to a Log Analytics workspace when any Queue Service that is missing these diagnostic settings is created or updated. Note: this policy is not triggered on storage account creation; a remediation task must be created to update existing accounts. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
2022-09-23 16:35:49
Major (2.0.0 > 3.0.0)
Network 610b6183-5f00-4d68-86d2-4ab4cb3a67a5 Firewall Policy Premium should enable all IDPS signature rules to monitor all inbound and outbound traffic flows Enabling all Intrusion Detection and Prevention System (IDPS) signature rules is recommended to better identify known threats in the traffic flows. To learn more about the Intrusion Detection and Prevention System (IDPS) signatures with Azure Firewall Premium, visit https://aka.ms/fw-idps-signature Default
Audit
Allowed
Audit, Deny, Disabled
add
2022-09-23 16:35:49
610b6183-5f00-4d68-86d2-4ab4cb3a67a5
Network 632d3993-e2c0-44ea-a7db-2eca131f356d Web Application Firewall (WAF) should enable all firewall rules for Application Gateway Enabling all Web Application Firewall (WAF) rules strengthens your application security and protects your web applications against common vulnerabilities. To learn more about Web Application Firewall (WAF) with Application Gateway, visit https://aka.ms/waf-ag Default
Audit
Allowed
Audit, Deny, Disabled
change
2022-09-23 16:35:49
Patch (1.0.0 > 1.0.1)
Security Center f08f556c-12ff-464d-a7de-40cb5b6cccec [Preview]: Configure ChangeTracking Extension for Windows virtual machines Configure Windows virtual machines to automatically install the ChangeTracking Extension to enable File Integrity Monitoring (FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitor Agent. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
2022-09-23 16:35:49
Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview)
Storage 8c6a50c6-9ffd-4ae7-986f-5fa6111f9a54 Storage accounts should prevent shared key access Audit requirement of Azure Active Directory (Azure AD) to authorize requests for your storage account. By default, requests can be authorized with either Azure Active Directory credentials, or by using the account access key for Shared Key authorization. Of these two types of authorization, Azure AD provides superior security and ease of use over Shared Key, and is recommended by Microsoft. Default
Audit
Allowed
Audit, Deny, Disabled
change
2022-09-23 16:35:49
Major (1.0.0 > 2.0.0)
Storage 25a70cc8-2bd4-47f1-90b6-1478e4662c96 Configure diagnostic settings for File Services to Log Analytics workspace Deploys the diagnostic settings for File Services to stream resource logs to a Log Analytics workspace when any File Service that is missing these diagnostic settings is created or updated. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
2022-09-23 16:35:49
Major (2.0.0 > 3.0.0)
Security Center 1288c8d7-4b05-4e3a-bc88-9053caefc021 [Preview]: Configure ChangeTracking Extension for Linux virtual machine scale sets Configure Linux virtual machine scale sets to automatically install the ChangeTracking Extension to enable File Integrity Monitoring (FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitor Agent. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
2022-09-23 16:35:49
Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview)
Monitoring d2185817-5b7e-473c-aadd-9de6ac114280 The legacy Log Analytics extension should not be installed on virtual machines Automatically prevent installation of the legacy Log Analytics Agent as the final step of migrating from legacy agents to Azure Monitor Agent. After you have uninstalled existing legacy extensions, this policy will deny all future installations of the legacy agent extension on Windows virtual machines. Learn more: https://aka.ms/migratetoAMA Default
Audit
Allowed
Deny, Audit, Disabled
add
2022-09-23 16:35:49
d2185817-5b7e-473c-aadd-9de6ac114280
Network 6484db87-a62d-4327-9f07-80a2cbdf333a Firewall Policy Premium should enable the Intrusion Detection and Prevention System (IDPS) Enabling the Intrusion Detection and Prevention System (IDPS) allows you to monitor your network for malicious activity, log information about this activity, report it, and optionally attempt to block it. To learn more about the Intrusion Detection and Prevention System (IDPS) with Azure Firewall Premium, visit https://aka.ms/fw-idps Default
Audit
Allowed
Audit, Deny, Disabled
add
2022-09-23 16:35:49
6484db87-a62d-4327-9f07-80a2cbdf333a
Monitoring df441472-4dae-4e4e-87b9-9205ba46be16 The legacy Log Analytics extension should not be installed on Azure Arc enabled Windows servers Automatically prevent installation of the legacy Log Analytics Agent as the final step of migrating from legacy agents to Azure Monitor Agent. After you have uninstalled existing legacy extensions, this policy will deny all future installations of the legacy agent extension on Azure Arc enabled Windows servers. Learn more: https://aka.ms/migratetoAMA Default
Audit
Allowed
Deny, Audit, Disabled
add
2022-09-23 16:35:49
df441472-4dae-4e4e-87b9-9205ba46be16
Security Center 10caed8a-652c-4d1d-84e4-2805b7c07278 [Preview]: Configure ChangeTracking Extension for Linux Arc machines Configure Linux Arc machines to automatically install the ChangeTracking Extension to enable File Integrity Monitoring (FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitor Agent. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Azure Connected Machine Resource Administrator
change
2022-09-23 16:35:49
Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview)
Security Center 4bb303db-d051-4099-95d2-e3e1428a4cd5 [Preview]: Configure ChangeTracking Extension for Windows Arc machines Configure Windows Arc machines to automatically install the ChangeTracking Extension to enable File Integrity Monitoring (FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitor Agent. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Azure Connected Machine Resource Administrator
change
2022-09-23 16:35:49
Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview)
Storage b4fe1a3b-0715-4c6c-a5ea-ffc33cf823cb Configure diagnostic settings for Blob Services to Log Analytics workspace Deploys the diagnostic settings for Blob Services to stream resource logs to a Log Analytics workspace when any Blob Service that is missing these diagnostic settings is created or updated. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
2022-09-23 16:35:49
Major (2.0.0 > 3.0.0)
Storage 2fb86bf3-d221-43d1-96d1-2434af34eaa0 Configure diagnostic settings for Table Services to Log Analytics workspace Deploys the diagnostic settings for Table Services to stream resource logs to a Log Analytics workspace when any Table Service that is missing these diagnostic settings is created or updated. Note: this policy is not triggered on storage account creation; a remediation task must be created to update existing accounts. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
2022-09-23 16:35:49
Major (2.0.0 > 3.0.0)
Network f2c2d0a6-e183-4fc8-bd8f-363c65d3bbbf Subscription should configure the Azure Firewall Premium to provide additional layer of protection Azure Firewall Premium provides advanced threat protection that meets the needs of highly sensitive and regulated environments. Deploy Azure Firewall Premium to your subscription and make sure all service traffic is protected by Azure Firewall Premium. To learn more about Azure Firewall Premium, visit https://aka.ms/fw-premium Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
2022-09-23 16:35:49
f2c2d0a6-e183-4fc8-bd8f-363c65d3bbbf
Network f516dc7a-4543-4d40-aad6-98f76a706b50 Bypass list of Intrusion Detection and Prevention System (IDPS) should be empty in Firewall Policy Premium The Intrusion Detection and Prevention System (IDPS) bypass list exempts traffic to any of the IP addresses, ranges, and subnets specified in the list from IDPS filtering. However, enabling IDPS is recommended for all traffic flows to better identify known threats. To learn more about the Intrusion Detection and Prevention System (IDPS) signatures with Azure Firewall Premium, visit https://aka.ms/fw-idps-signature Default
Audit
Allowed
Audit, Deny, Disabled
add
2022-09-23 16:35:49
f516dc7a-4543-4d40-aad6-98f76a706b50
Security Center 4bb303db-d051-4099-95d2-e3e1428a4d2c [Preview]: Configure ChangeTracking Extension for Windows virtual machine scale sets Configure Windows virtual machine scale sets to automatically install the ChangeTracking Extension to enable File Integrity Monitoring (FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitor Agent. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
2022-09-23 16:35:49
Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview)
Guest Configuration 357cbd2d-b5c0-4c73-b40c-6bd84f06ce09 [Preview]: Configure Windows Server to disable local users. Creates a Guest Configuration assignment that disables local users on Windows Server. This ensures that Windows Servers can only be accessed by an AAD (Azure Active Directory) account or by the users explicitly allowed by this policy, improving overall security posture. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Guest Configuration Resource Contributor
add
2022-09-23 16:35:49
357cbd2d-b5c0-4c73-b40c-6bd84f06ce09
Network 711c24bb-7f18-4578-b192-81a6161e1f17 Azure Firewall Premium should configure a valid intermediate certificate to enable TLS inspection Configure a valid intermediate certificate and enable Azure Firewall Premium TLS inspection to detect, alert, and mitigate malicious activity in HTTPS. To learn more about TLS inspection with Azure Firewall, visit https://aka.ms/fw-tlsinspect Default
Audit
Allowed
Audit, Deny, Disabled
add
2022-09-23 16:35:49
711c24bb-7f18-4578-b192-81a6161e1f17
Monitoring ba6881f9-ab93-498b-8bad-bb91b1d755bf The legacy Log Analytics extension should not be installed on virtual machine scale sets Automatically prevent installation of the legacy Log Analytics Agent as the final step of migrating from legacy agents to Azure Monitor Agent. After you have uninstalled existing legacy extensions, this policy will deny all future installations of the legacy agent extension on Windows virtual machine scale sets. Learn more: https://aka.ms/migratetoAMA Default
Audit
Allowed
Deny, Audit, Disabled
add
2022-09-23 16:35:49
ba6881f9-ab93-498b-8bad-bb91b1d755bf
Storage 59759c62-9a22-4cdf-ae64-074495983fef Configure diagnostic settings for Storage Accounts to Log Analytics workspace Deploys the diagnostic settings for storage accounts to stream resource logs to a Log Analytics workspace when any storage account that is missing these diagnostic settings is created or updated. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
2022-09-23 16:35:49
Major (2.0.0 > 3.0.0)
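Reading a feed like this row by row does not scale once a tenant has a few hundred policy assignments. The block below is an added example, not code from this page or from Microsoft: it parses rows in the flattened layout used on this page and flags the ones worth a second look, namely definitions that allow Deny (an assignment can turn them into a blocking control), definitions that default to Deny, DeployIfNotExists or Modify definitions whose remediation identity must hold the roles listed under "Roles used", Major version bumps (Microsoft reserves a major bump for breaking changes to a definition's logic or parameters, so assignments that reference the definition should be re-checked), and deprecations. The sample rows are abridged copies of the Blob Services diagnostic-settings and privileged-containers entries on this page; the row layout and the flag names are this example's assumptions.

```python
"""Triage rows from an Azure Policy definition change feed (added example, not
code from this page or from Microsoft). Assumes the flattened row layout used on
this page; the review flags are this example's own heuristics, not an Azure
Policy feature."""
from __future__ import annotations

import re
from dataclasses import dataclass

GUID = r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}"
HEADER_RE = re.compile(rf"^(?P<category>.+?) (?P<policy_id>{GUID}) (?P<text>.+) Default$")
VERSION_RE = re.compile(r"\((?P<old>\S+) > (?P<new>[^)]+)\)")


@dataclass
class PolicyChange:
    category: str
    policy_id: str
    text: str            # display name plus description, as flattened on the page
    default_effect: str
    allowed_effects: list[str]
    roles: list[str]     # roles a DeployIfNotExists/Modify remediation identity needs
    subject: str         # "add" or "change"
    changed_at: str      # UTC timestamp as given in the feed
    detail: str          # policy id for "add", version note for "change"

    def version_bump(self) -> tuple[str, str] | None:
        m = VERSION_RE.search(self.detail)
        return (m.group("old"), m.group("new")) if m else None


def parse_feed(feed: str) -> list[PolicyChange]:
    """Walk the feed line by line; text that is not a well-formed row is skipped."""
    lines = [ln.strip() for ln in feed.splitlines() if ln.strip()]
    records, i = [], 0
    while i < len(lines):
        m = HEADER_RE.match(lines[i])
        if m is None:
            i += 1
            continue
        if lines[i + 2] != "Allowed":
            raise ValueError(f"malformed row {m['policy_id']}: expected 'Allowed'")
        allowed = [e.strip() for e in lines[i + 3].split(",")]
        j, roles = i + 4, []
        if lines[j].startswith("count:"):       # role list sits before the subject line
            n = int(lines[j].split(":", 1)[1])
            roles, j = lines[j + 1 : j + 1 + n], j + 1 + n
        subject, changed_at, detail = lines[j], lines[j + 1], lines[j + 2]
        records.append(PolicyChange(m["category"], m["policy_id"], m["text"], lines[i + 1],
                                    allowed, roles, subject, changed_at, detail))
        i = j + 3
    return records


def review_flags(rec: PolicyChange) -> list[str]:
    """Heuristic triage flags, in a fixed order so output is stable."""
    flags: list[str] = []
    effects = {e.lower() for e in rec.allowed_effects}   # feed lists both "deny" and "Deny"
    if "deny" in effects:
        flags.append("deny-capable")            # an assignment can block non-compliant deployments
    if rec.default_effect.lower() == "deny":
        flags.append("deny-by-default")         # assigning with defaults starts blocking at once
    if rec.roles:
        flags.append("needs-remediation-roles") # the managed identity must hold the listed roles
    bump = rec.version_bump()
    if bump is not None:
        old, new = bump
        if old.split(".")[0] != new.split(".")[0]:
            flags.append("major-version-bump")  # breaking change: re-check assignment parameters
        if "deprecated" in new:
            flags.append("deprecated")
    return flags


def triage(feed: str) -> dict[str, list[str]]:
    """Map policy id -> review flags for every parsable row in the feed."""
    return {rec.policy_id: review_flags(rec) for rec in parse_feed(feed)}


# Constructed sample: abridged copies of two rows from this page.
SAMPLE_FEED = """
Storage b4fe1a3b-0715-4c6c-a5ea-ffc33cf823cb Configure diagnostic settings for Blob Services to Log Analytics workspace Deploys diagnostic settings for Blob Services. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
2022-09-23 16:35:49
Major (2.0.0 > 3.0.0)
Kubernetes 95edb821-ddaf-4404-9732-666045e056b4 Kubernetes cluster should not allow privileged containers Do not allow privileged containers in a Kubernetes cluster. Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
2022-09-19 17:41:40
Major (8.0.0 > 9.0.0)
"""
```

Pass the text of a whole page to triage() to get a map of policy id to flags; lines that are not part of a well-formed row (the header row, truncated rows) are skipped, while a row whose layout breaks the assumption raises ValueError instead of being silently mis-read. The flags are triage hints only: whether a Deny-capable definition should actually be assigned with effect=Deny still depends on the scope and on what the definition's rule matches.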
Regulatory Compliance 25a1f840-65d0-900a-43e4-bee253de04de Define requirements for managing assets CMA_0125 - Define requirements for managing assets Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
25a1f840-65d0-900a-43e4-bee253de04de
Regulatory Compliance e54901fe-42c2-7f3b-3c5f-327aa5320a69 Automate information sharing decisions CMA_0028 - Automate information sharing decisions Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
e54901fe-42c2-7f3b-3c5f-327aa5320a69
App Service 72d04c29-f87d-4575-9731-419ff16a2757 App Service apps should be injected into a virtual network Injecting App Service Apps in a virtual network unlocks advanced App Service networking and security features and provides you with greater control over your network security configuration. Learn more at: https://docs.microsoft.com/azure/app-service/web-sites-integrate-with-vnet. Default
Audit
Allowed
Audit, Deny, Disabled
change
2022-09-19 17:41:40
Major (2.0.0 > 3.0.0)
Regulatory Compliance e21f91d1-2803-0282-5f2d-26ebc4b170ef Update organizational access agreements CMA_0520 - Update organizational access agreements Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
e21f91d1-2803-0282-5f2d-26ebc4b170ef
Regulatory Compliance 524e7136-9f6a-75ba-9089-501018151346 Document security and privacy training activities CMA_0198 - Document security and privacy training activities Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
524e7136-9f6a-75ba-9089-501018151346
Regulatory Compliance d9af7f88-686a-5a8b-704b-eafdab278977 Obtain legal opinion for monitoring system activities CMA_C1688 - Obtain legal opinion for monitoring system activities Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
d9af7f88-686a-5a8b-704b-eafdab278977
Regulatory Compliance 4e400494-53a5-5147-6f4d-718b539c7394 Manage compliance activities CMA_0358 - Manage compliance activities Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
4e400494-53a5-5147-6f4d-718b539c7394
Regulatory Compliance afd5d60a-48d2-8073-1ec2-6687e22f2ddd Require notification of third-party personnel transfer or termination CMA_C1532 - Require notification of third-party personnel transfer or termination Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
afd5d60a-48d2-8073-1ec2-6687e22f2ddd
Regulatory Compliance c981fa70-2e58-8141-1457-e7f62ebc2ade Document organizational access agreements CMA_0192 - Document organizational access agreements Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
c981fa70-2e58-8141-1457-e7f62ebc2ade
App Service 1f01f1c7-539c-49b5-9ef4-d4ffa37d22e0 Configure Function apps to use the latest TLS version Periodically, newer versions of TLS are released to fix security flaws, add functionality, and improve speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionality of the latest version. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Website Contributor
add
2022-09-19 17:41:40
1f01f1c7-539c-49b5-9ef4-d4ffa37d22e0
App Service c285a320-8830-4665-9cc7-bbd05fc7c5c0 App Service app slots should require FTPS only Enable FTPS enforcement for enhanced security. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
2022-09-19 17:41:40
c285a320-8830-4665-9cc7-bbd05fc7c5c0
Regulatory Compliance 0dcbaf2f-075e-947b-8f4c-74ecc5cd302c Identify individuals with security roles and responsibilities CMA_C1566 - Identify individuals with security roles and responsibilities Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
0dcbaf2f-075e-947b-8f4c-74ecc5cd302c
Regulatory Compliance d200f199-69f4-95a6-90b0-37ff0cf1040c Provide the capability to extend or limit auditing on customer-deployed resources CMA_C1141 - Provide the capability to extend or limit auditing on customer-deployed resources Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
d200f199-69f4-95a6-90b0-37ff0cf1040c
Regulatory Compliance 22a02c9a-49e4-5dc9-0d14-eb35ad717154 Obtain design and implementation information for the security controls CMA_C1576 - Obtain design and implementation information for the security controls Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
22a02c9a-49e4-5dc9-0d14-eb35ad717154
Regulatory Compliance 836f8406-3b8a-11bb-12cb-6c7fa0765668 Develop configuration item identification plan CMA_C1231 - Develop configuration item identification plan Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
836f8406-3b8a-11bb-12cb-6c7fa0765668
Regulatory Compliance 3153d9c0-2584-14d3-362d-578b01358aeb Retain training records CMA_0456 - Retain training records Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
3153d9c0-2584-14d3-362d-578b01358aeb
Regulatory Compliance 7a114735-a420-057d-a651-9a73cd0416ef Require developers to provide unified security protection approach CMA_C1614 - Require developers to provide unified security protection approach Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
7a114735-a420-057d-a651-9a73cd0416ef
Regulatory Compliance cb8841d4-9d13-7292-1d06-ba4d68384681 Perform a business impact assessment and application criticality assessment CMA_0386 - Perform a business impact assessment and application criticality assessment Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
cb8841d4-9d13-7292-1d06-ba4d68384681
Regulatory Compliance f801d58e-5659-9a4a-6e8d-02c9334732e5 Restore resources to operational state CMA_C1297 - Restore resources to operational state Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
f801d58e-5659-9a4a-6e8d-02c9334732e5
App Service a096cbd0-4693-432f-9374-682f485f23f3 Configure Function apps to only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Default
Modify
Allowed
Modify, Disabled
count: 001
Website Contributor
add
2022-09-19 17:41:40
a096cbd0-4693-432f-9374-682f485f23f3
App Service a1a22235-dd10-4062-bd55-7d62778f41b0 Function app slots should not have CORS configured to allow every resource to access your apps Cross-Origin Resource Sharing (CORS) should not allow all domains to access your Function app. Allow only required domains to interact with your Function app. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
2022-09-19 17:41:40
a1a22235-dd10-4062-bd55-7d62778f41b0
Regulatory Compliance 2f204e72-1896-3bf8-75c9-9128b8683a36 Reissue authenticators for changed groups and accounts CMA_0426 - Reissue authenticators for changed groups and accounts Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
2f204e72-1896-3bf8-75c9-9128b8683a36
App Service ae44c1d1-0df2-4ca9-98fa-a3d3ae5b409d Configure App Service apps to use the latest TLS version Periodically, newer versions of TLS are released to fix security flaws, add functionality, and improve speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionality of the latest version. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Website Contributor
add
2022-09-19 17:41:40
ae44c1d1-0df2-4ca9-98fa-a3d3ae5b409d
Regulatory Compliance 6f311b49-9b0d-8c67-3d6e-db80ae528173 Bind authenticators and identities dynamically CMA_0035 - Bind authenticators and identities dynamically Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
6f311b49-9b0d-8c67-3d6e-db80ae528173
App Service 2f7c08c2-f671-4282-9fdb-597b6ef2c10d App Service app slots should have 'Client Certificates (Incoming client certificates)' enabled Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. Default
Audit
Allowed
Audit, Disabled
add
2022-09-19 17:41:40
2f7c08c2-f671-4282-9fdb-597b6ef2c10d
Regulatory Compliance c6fe3856-4635-36b6-983c-070da12a953b Implement the risk management strategy CMA_C1744 - Implement the risk management strategy Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
c6fe3856-4635-36b6-983c-070da12a953b
Regulatory Compliance 8f835d6a-4d13-9a9c-37dc-176cebd37fda Document wireless access security controls CMA_C1695 - Document wireless access security controls Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
8f835d6a-4d13-9a9c-37dc-176cebd37fda
Regulatory Compliance 464a7d7a-2358-4869-0b49-6d582ca21292 Ensure capital planning and investment requests include necessary resources CMA_C1734 - Ensure capital planning and investment requests include necessary resources Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
464a7d7a-2358-4869-0b49-6d582ca21292
App Service 6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab Function apps should only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Default
Audit
Allowed
Audit, Disabled, Deny
change
2022-09-19 17:41:40
Major (3.0.0 > 4.0.0)
Kubernetes 95edb821-ddaf-4404-9732-666045e056b4 Kubernetes cluster should not allow privileged containers Do not allow privileged containers creation in a Kubernetes cluster. This recommendation is part of CIS 5.2.1 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
2022-09-19 17:41:40
Major (8.0.0 > 9.0.0)
Regulatory Compliance 318b2bd9-9c39-9f8b-46a7-048401f33476 Address coding vulnerabilities CMA_0003 - Address coding vulnerabilities Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
318b2bd9-9c39-9f8b-46a7-048401f33476
Kubernetes f85eb0dd-92ee-40e9-8a76-db25a507d6d3 Kubernetes cluster containers should only use allowed ProcMountType Pod containers can only use allowed ProcMountTypes in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
2022-09-19 17:41:40
Major (7.0.1 > 8.0.0)
Regulatory Compliance 90a156a6-49ed-18d1-1052-69aac27c05cd Allocate resources in determining information system requirements CMA_C1561 - Allocate resources in determining information system requirements Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
90a156a6-49ed-18d1-1052-69aac27c05cd
Regulatory Compliance 04837a26-2601-1982-3da7-bf463e6408f4 Develop configuration management plan CMA_C1232 - Develop configuration management plan Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
04837a26-2601-1982-3da7-bf463e6408f4
Kubernetes 50c83470-d2f0-4dda-a716-1938a4825f62 Kubernetes cluster containers should only use allowed pull policy Restrict containers' image pull policy so that deployments use only allowed images. Default
Audit
Allowed
Audit, Deny, Disabled
change
2022-09-19 17:41:40
Major (2.0.0 > 3.0.0)
Kubernetes e345eecc-fa47-480f-9e88-67dcc122b164 Kubernetes cluster containers CPU and memory resource limits should not exceed the specified limits Enforce container CPU and memory resource limits to prevent resource exhaustion attacks in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
2022-09-19 17:41:40
Major (8.0.0 > 9.0.0)
Regulatory Compliance d91558ce-5a5c-551b-8fbb-83f793255e09 Route traffic through authenticated proxy network CMA_C1633 - Route traffic through authenticated proxy network Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
d91558ce-5a5c-551b-8fbb-83f793255e09
Regulatory Compliance 91cf132e-0c9f-37a8-a523-dc6a92cd2fb2 Review and update physical and environmental policies and procedures CMA_C1446 - Review and update physical and environmental policies and procedures Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
91cf132e-0c9f-37a8-a523-dc6a92cd2fb2
Regulatory Compliance 1e876c5c-0f2a-8eb6-69f7-5f91e7918ed6 Review development process, standards and tools CMA_C1610 - Review development process, standards and tools Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
1e876c5c-0f2a-8eb6-69f7-5f91e7918ed6
Regulatory Compliance c6aeb800-0b19-944d-92dc-59b893722329 Rescreen individuals at a defined frequency CMA_C1512 - Rescreen individuals at a defined frequency Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
c6aeb800-0b19-944d-92dc-59b893722329
Regulatory Compliance b7306e73-0494-83a2-31f5-280e934a8f70 Develop and document a DDoS response plan CMA_0147 - Develop and document a DDoS response plan Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
b7306e73-0494-83a2-31f5-280e934a8f70
Kubernetes 4f3823b6-6dac-4b5a-9c61-ce1afb829f17 Kubernetes clusters should use Container Storage Interface(CSI) driver StorageClass The Container Storage Interface (CSI) is a standard for exposing arbitrary block and file storage systems to containerized workloads on Kubernetes. In-tree provisioner StorageClasses have been deprecated since AKS version 1.21. To learn more, see https://aka.ms/aks-csi-driver Default
Audit
Allowed
Audit, Deny, Disabled
change
2022-09-19 17:41:40
Major (1.1.0 > 2.0.0)
Regulatory Compliance cbfa1bd0-714d-8d6f-0480-2ad6a53972df Define and document government oversight CMA_C1587 - Define and document government oversight Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
cbfa1bd0-714d-8d6f-0480-2ad6a53972df
Kubernetes f06ddb64-5fa3-4b77-b166-acb36f7f6042 Kubernetes cluster pods and containers should only run with approved user and group IDs Control the user, primary group, supplemental group and file system group IDs that pods and containers can use to run in a Kubernetes Cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
2022-09-19 17:41:40
Major (5.0.2 > 6.0.0)
Regulatory Compliance 7fc1f0da-0050-19bb-3d75-81ae15940df6 Provide monitoring information as needed CMA_C1689 - Provide monitoring information as needed Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
7fc1f0da-0050-19bb-3d75-81ae15940df6
Regulatory Compliance 3e37c891-840c-3eb4-78d2-e2e0bb5063e0 Require developers to describe accurate security functionality CMA_C1613 - Require developers to describe accurate security functionality Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
3e37c891-840c-3eb4-78d2-e2e0bb5063e0
Regulatory Compliance 6baae474-434f-2e91-7163-a72df30c4847 Manage security state of information systems CMA_C1746 - Manage security state of information systems Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
6baae474-434f-2e91-7163-a72df30c4847
Regulatory Compliance 8e920169-739d-40b5-3f99-c4d855327bb2 Prohibit binary/machine-executable code CMA_C1717 - Prohibit binary/machine-executable code Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
8e920169-739d-40b5-3f99-c4d855327bb2
Regulatory Compliance 76d66b5c-85e4-93f5-96a5-ebb2fad61dc6 Terminate customer controlled account credentials CMA_C1022 - Terminate customer controlled account credentials Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
76d66b5c-85e4-93f5-96a5-ebb2fad61dc6
Kubernetes 65280eef-c8b4-425e-9aec-af55e55bf581 Kubernetes cluster should not use naked pods Block usage of naked Pods. Naked Pods will not be rescheduled in the event of a node failure. Pods should be managed by a Deployment, ReplicaSet, DaemonSet or Job. Default
Audit
Allowed
Audit, Deny, Disabled
change
2022-09-19 17:41:40
Major (1.0.0 > 2.0.0)
Regulatory Compliance aa305b4d-8c84-1754-0c74-dec004e66be0 Develop contingency plan CMA_C1244 - Develop contingency plan Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
aa305b4d-8c84-1754-0c74-dec004e66be0
Kubernetes 9f061a12-e40d-4183-a00e-171812443373 Kubernetes clusters should not use the default namespace Prevent usage of the default namespace in Kubernetes clusters to protect against unauthorized access for ConfigMap, Pod, Secret, Service, and ServiceAccount resource types. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
2022-09-19 17:41:40
Major (3.0.1 > 4.0.0)
Regulatory Compliance d7c1ecc3-2980-a079-1569-91aec8ac4a77 Conduct risk assessment and distribute its results CMA_C1544 - Conduct risk assessment and distribute its results Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
d7c1ecc3-2980-a079-1569-91aec8ac4a77
Regulatory Compliance 94c842e3-8098-38f9-6d3f-8872b790527d Remove or redact any PII CMA_C1833 - Remove or redact any PII Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
94c842e3-8098-38f9-6d3f-8872b790527d
Regulatory Compliance 898a5781-2254-5a37-34c7-d78ea7c20d55 Publish SORNs for systems containing PII CMA_C1862 - Publish SORNs for systems containing PII Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
898a5781-2254-5a37-34c7-d78ea7c20d55
Regulatory Compliance 09960521-759e-5d12-086f-4192a72a5e92 Protect administrator and user documentation CMA_C1583 - Protect administrator and user documentation Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
09960521-759e-5d12-086f-4192a72a5e92
Kubernetes e1e6c427-07d9-46ab-9689-bfa85431e636 Kubernetes cluster pods and containers should only use allowed SELinux options Pods and containers should only use allowed SELinux options in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
2022-09-19 17:41:40
Major (6.0.2 > 7.0.0)
Regulatory Compliance 3af53f59-979f-24a8-540f-d7cdbc366607 Require users to sign access agreement CMA_0440 - Require users to sign access agreement Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
3af53f59-979f-24a8-540f-d7cdbc366607
Regulatory Compliance f49925aa-9b11-76ae-10e2-6e973cc60f37 Review and update system and services acquisition policies and procedures CMA_C1560 - Review and update system and services acquisition policies and procedures Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
f49925aa-9b11-76ae-10e2-6e973cc60f37
Regulatory Compliance a1334a65-2622-28ee-5067-9d7f5b915cc5 Communicate contingency plan changes CMA_C1249 - Communicate contingency plan changes Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
a1334a65-2622-28ee-5067-9d7f5b915cc5
Storage 59759c62-9a22-4cdf-ae64-074495983fef Configure diagnostic settings for Storage Accounts to Log Analytics workspace Deploys the diagnostic settings for Storage accounts to stream resource logs to a Log Analytics workspace when any storage account that is missing these diagnostic settings is created or updated. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
2022-09-19 17:41:40
Major (1.0.0 > 2.0.0)
Regulatory Compliance a8df9c78-4044-98be-2c05-31a315ac8957 Conform to FICAM-issued profiles CMA_C1350 - Conform to FICAM-issued profiles Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
a8df9c78-4044-98be-2c05-31a315ac8957
Regulatory Compliance 0471c6b7-1588-701c-2713-1fade73b75f6 Display an explicit logout message CMA_C1056 - Display an explicit logout message Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
0471c6b7-1588-701c-2713-1fade73b75f6
Regulatory Compliance 037c0089-6606-2dab-49ad-437005b5035f Identify incident response personnel CMA_0301 - Identify incident response personnel Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
037c0089-6606-2dab-49ad-437005b5035f
Regulatory Compliance b7897ddc-9716-2460-96f7-7757ad038cc4 Assign risk designations CMA_0016 - Assign risk designations Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
b7897ddc-9716-2460-96f7-7757ad038cc4
Regulatory Compliance ba99d512-3baa-1c38-8b0b-ae16bbd34274 Test contingency plan at an alternate processing location CMA_C1265 - Test contingency plan at an alternate processing location Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
ba99d512-3baa-1c38-8b0b-ae16bbd34274
Regulatory Compliance 396f465d-375e-57de-58ba-021adb008191 Invalidate session identifiers at logout CMA_C1661 - Invalidate session identifiers at logout Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
396f465d-375e-57de-58ba-021adb008191
Regulatory Compliance 55be3260-a7a2-3c06-7fe6-072d07525ab7 Accept PIV credentials CMA_C1347 - Accept PIV credentials Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
55be3260-a7a2-3c06-7fe6-072d07525ab7
Regulatory Compliance 96333008-988d-4add-549b-92b3a8c42063 Update privacy plan, policies, and procedures CMA_C1807 - Update privacy plan, policies, and procedures Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
96333008-988d-4add-549b-92b3a8c42063
Regulatory Compliance bfc540fe-376c-2eef-4355-121312fa4437 Maintain separate execution domains for running processes CMA_C1665 - Maintain separate execution domains for running processes Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
bfc540fe-376c-2eef-4355-121312fa4437
Regulatory Compliance e750ca06-1824-464a-2cf3-d0fa754d1cb4 Establish a secure software development program CMA_0259 - Establish a secure software development program Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
e750ca06-1824-464a-2cf3-d0fa754d1cb4
Regulatory Compliance de077e7e-0cc8-65a6-6e08-9ab46c827b05 Produce, control and distribute asymmetric cryptographic keys CMA_C1646 - Produce, control and distribute asymmetric cryptographic keys Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
de077e7e-0cc8-65a6-6e08-9ab46c827b05
Regulatory Compliance b320aa42-33b4-53af-87ce-100091d48918 Document third-party personnel security requirements CMA_C1531 - Document third-party personnel security requirements Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
b320aa42-33b4-53af-87ce-100091d48918
Regulatory Compliance b65c5d8e-9043-9612-2c17-65f231d763bb Employ independent assessors to conduct security control assessments CMA_C1148 - Employ independent assessors to conduct security control assessments Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
b65c5d8e-9043-9612-2c17-65f231d763bb
Kubernetes df49d893-a74c-421d-bc95-c663042e5b80 Kubernetes cluster containers should run with a read only root file system Run containers with a read only root file system to protect against run-time changes such as malicious binaries being added to PATH in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
2022-09-19 17:41:40
Major (5.0.0 > 6.0.0)
Regulatory Compliance 14a4fd0a-9100-1e12-1362-792014a28155 Update contingency plan CMA_C1248 - Update contingency plan Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
14a4fd0a-9100-1e12-1362-792014a28155
Regulatory Compliance 6de65dc4-8b4f-34b7-9290-eb137a2e2929 Develop and document application security requirements CMA_0148 - Develop and document application security requirements Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
6de65dc4-8b4f-34b7-9290-eb137a2e2929
Regulatory Compliance adf517f3-6dcd-3546-9928-34777d0c277e Review and update system and communications protection policies and procedures CMA_C1616 - Review and update system and communications protection policies and procedures Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
adf517f3-6dcd-3546-9928-34777d0c277e
Regulatory Compliance be1c34ab-295a-07a6-785c-36f63c1d223e Obtain user security function documentation CMA_C1581 - Obtain user security function documentation Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
be1c34ab-295a-07a6-785c-36f63c1d223e
App Service 546fe8d2-368d-4029-a418-6af48a7f61e5 App Service apps should use a SKU that supports private link With supported SKUs, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to apps, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/private-link. Default
Audit
Allowed
Audit, Deny, Disabled
change
2022-09-19 17:41:40
Major (3.0.0 > 4.0.0)
Regulatory Compliance 0716f0f5-4955-2ccb-8d5e-c6be14d57c0f Ensure resources are authorized CMA_C1159 - Ensure resources are authorized Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
0716f0f5-4955-2ccb-8d5e-c6be14d57c0f
Kubernetes 9a5f4e39-e427-4d5d-ae73-93db00328bec Kubernetes resources should have required annotations Ensure that required annotations are attached on a given Kubernetes resource kind for improved resource management of your Kubernetes resources. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
Audit, Deny, Disabled
change
2022-09-19 17:41:40
Major (2.0.0 > 3.0.0)
Regulatory Compliance 53fc1282-0ee3-2764-1319-e20143bb0ea5 Review contingency plan CMA_C1247 - Review contingency plan Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
53fc1282-0ee3-2764-1319-e20143bb0ea5
Storage 25a70cc8-2bd4-47f1-90b6-1478e4662c96 Configure diagnostic settings for File Services to Log Analytics workspace Deploys the diagnostic settings for File Services to stream resource logs to a Log Analytics workspace when any File Service that is missing these diagnostic settings is created or updated. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
2022-09-19 17:41:40
Major (1.0.0 > 2.0.0)
Regulatory Compliance 60442979-6333-85f0-84c5-b887bac67448 Evaluate alternate processing site capabilities CMA_C1266 - Evaluate alternate processing site capabilities Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
60442979-6333-85f0-84c5-b887bac67448
Regulatory Compliance 1a2a03a4-9992-5788-5953-d8f6615306de Govern policies and procedures CMA_0292 - Govern policies and procedures Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
1a2a03a4-9992-5788-5953-d8f6615306de
Regulatory Compliance 2401b496-7f23-79b2-9f80-89bb5abf3d4a Protect incident response plan CMA_0405 - Protect incident response plan Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
2401b496-7f23-79b2-9f80-89bb5abf3d4a
Kubernetes f4a8fce0-2dd5-4c21-9a36-8f0ec809d663 Kubernetes cluster pod FlexVolume volumes should only use allowed drivers Pod FlexVolume volumes should only use allowed drivers in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
2022-09-19 17:41:40
Major (4.0.0 > 5.0.0)
Regulatory Compliance 7b28ba4f-0a87-46ac-62e1-46b7c09202a8 Monitor account activity CMA_0377 - Monitor account activity Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
7b28ba4f-0a87-46ac-62e1-46b7c09202a8
App Service 24b7a1c6-44fe-40cc-a2e6-242d2ef70e98 App Service app slots should be injected into a virtual network Injecting App Service Apps in a virtual network unlocks advanced App Service networking and security features and provides you with greater control over your network security configuration. Learn more at: https://docs.microsoft.com/azure/app-service/web-sites-integrate-with-vnet. Default
Audit
Allowed
Audit, Deny, Disabled
add
2022-09-19 17:41:40
24b7a1c6-44fe-40cc-a2e6-242d2ef70e98
App Service a5e3fe8f-f6cd-4f1d-bbf6-c749754a724b Configure App Service apps to turn off remote debugging Remote debugging requires inbound ports to be opened on an App Service app. Remote debugging should be turned off. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Website Contributor
add
2022-09-19 17:41:40
a5e3fe8f-f6cd-4f1d-bbf6-c749754a724b
Regulatory Compliance b262e1dd-08e9-41d4-963a-258909ad794b Implement managed interface for each external service CMA_C1626 - Implement managed interface for each external service Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
b262e1dd-08e9-41d4-963a-258909ad794b
Regulatory Compliance 77cc89bb-774f-48d7-8a84-fb8c322c3000 Track software license usage CMA_C1235 - Track software license usage Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
77cc89bb-774f-48d7-8a84-fb8c322c3000
Regulatory Compliance 00f12b6f-10d7-8117-9577-0f2b76488385 Integrate risk management process into SDLC CMA_C1567 - Integrate risk management process into SDLC Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
00f12b6f-10d7-8117-9577-0f2b76488385
Kubernetes 16697877-1118-4fb1-9b65-9898ec2509ec Kubernetes cluster pods should only use allowed volume types Pods can only use allowed volume types in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
2022-09-19 17:41:40
Major (4.0.1 > 5.0.0)
Storage b4fe1a3b-0715-4c6c-a5ea-ffc33cf823cb Configure diagnostic settings for Blob Services to Log Analytics workspace Deploys the diagnostic settings for Blob Services to stream resource logs to a Log Analytics workspace when any Blob Service that is missing these diagnostic settings is created or updated. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
2022-09-19 17:41:40
Major (1.0.0 > 2.0.0)
Regulatory Compliance 0a412110-3874-9f22-187a-c7a81c8a6704 Establish alternate storage site to store and retrieve backup information CMA_C1267 - Establish alternate storage site to store and retrieve backup information Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
0a412110-3874-9f22-187a-c7a81c8a6704
Regulatory Compliance 3a868d0c-538f-968b-0191-bddb44da5b75 Require developers to document approved changes and potential impact CMA_C1597 - Require developers to document approved changes and potential impact Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
3a868d0c-538f-968b-0191-bddb44da5b75
Regulatory Compliance 085467a6-9679-5c65-584a-f55acefd0d43 Require developers to implement only approved changes CMA_C1596 - Require developers to implement only approved changes Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
085467a6-9679-5c65-584a-f55acefd0d43
Regulatory Compliance c8aa992d-76b7-7ca0-07b3-31a58d773fa9 Employ automated training environment CMA_C1357 - Employ automated training environment Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
c8aa992d-76b7-7ca0-07b3-31a58d773fa9
App Service 5bb220d9-2698-4ee4-8404-b9c30c9df609 App Service apps should have 'Client Certificates (Incoming client certificates)' enabled Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. Default
Audit
Allowed
Audit, Disabled
change
2022-09-19 17:41:40
Major (2.0.0 > 3.0.0)
App Service 5e5dbe3f-2702-4ffc-8b1e-0cae008a5c71 Function app slots should only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Default
Audit
Allowed
Audit, Disabled, Deny
add
2022-09-19 17:41:40
5e5dbe3f-2702-4ffc-8b1e-0cae008a5c71
Regulatory Compliance 5bac5fb7-7735-357b-767d-02264bfe5c3b Perform all non-local maintenance CMA_C1417 - Perform all non-local maintenance Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
5bac5fb7-7735-357b-767d-02264bfe5c3b
Regulatory Compliance dad1887d-161b-7b61-2e4d-5124a7b5724e Measure the time between flaw identification and flaw remediation CMA_C1674 - Measure the time between flaw identification and flaw remediation Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
dad1887d-161b-7b61-2e4d-5124a7b5724e
Regulatory Compliance edcc36f1-511b-81e0-7125-abee29752fe7 Manage availability and capacity CMA_0356 - Manage availability and capacity Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
edcc36f1-511b-81e0-7125-abee29752fe7
Regulatory Compliance eb598832-4bcc-658d-4381-3ecbe17b9866 Provide timely maintenance support CMA_C1425 - Provide timely maintenance support Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
eb598832-4bcc-658d-4381-3ecbe17b9866
Regulatory Compliance ee4bbbbb-2e52-9adb-4e3a-e641f7ac68ab Check for privacy and security compliance before establishing internal connections CMA_0053 - Check for privacy and security compliance before establishing internal connections Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
ee4bbbbb-2e52-9adb-4e3a-e641f7ac68ab
Regulatory Compliance ff136354-1c92-76dc-2dab-80fb7c6a9f1a Observe and report security weaknesses CMA_0384 - Observe and report security weaknesses Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
ff136354-1c92-76dc-2dab-80fb7c6a9f1a
Kubernetes 1ddac26b-ed48-4c30-8cc5-3a68c79b8001 Kubernetes clusters should not allow endpoint edit permissions of ClusterRole/system:aggregate-to-edit ClusterRole/system:aggregate-to-edit should not allow endpoint edit permissions due to CVE-2021-25740, Endpoint & EndpointSlice permissions allow cross-Namespace forwarding, https://github.com/kubernetes/kubernetes/issues/103675. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
Audit, Disabled
change
2022-09-19 17:41:40
Major (2.0.0 > 3.0.0)
Regulatory Compliance 729c8708-2bec-093c-8427-2e87d2cd426d Automate notification of employee termination CMA_C1521 - Automate notification of employee termination Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
729c8708-2bec-093c-8427-2e87d2cd426d
Regulatory Compliance 3eabed6d-1912-2d3c-858b-f438d08d0412 Ensure external providers consistently meet interests of the customers CMA_C1592 - Ensure external providers consistently meet interests of the customers Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
3eabed6d-1912-2d3c-858b-f438d08d0412
Regulatory Compliance 171e377b-5224-4a97-1eaa-62a3b5231dac Generate internal security alerts CMA_C1704 - Generate internal security alerts Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
171e377b-5224-4a97-1eaa-62a3b5231dac
Kubernetes d46c275d-1680-448d-b2ec-e495a3b6cc89 Kubernetes cluster services should only use allowed external IPs Use allowed external IPs to avoid the potential attack (CVE-2020-8554) in a Kubernetes cluster. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
2022-09-19 17:41:40
Major (4.0.1 > 5.0.0)
Regulatory Compliance 1fdeb7c4-4c93-8271-a135-17ebe85f1cc7 Incorporate simulated events into incident response training CMA_C1356 - Incorporate simulated events into incident response training Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
1fdeb7c4-4c93-8271-a135-17ebe85f1cc7
Regulatory Compliance 22457e81-3ec6-5271-a786-c3ca284601dd Isolate information spills CMA_0346 - Isolate information spills Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
22457e81-3ec6-5271-a786-c3ca284601dd
Regulatory Compliance ba02d0a0-566a-25dc-73f1-101c726a19c5 Implement transaction based recovery CMA_C1296 - Implement transaction based recovery Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
ba02d0a0-566a-25dc-73f1-101c726a19c5
Regulatory Compliance f8a63511-66f1-503f-196d-d6217ee0823a Require developers to produce evidence of security assessment plan execution CMA_C1602 - Require developers to produce evidence of security assessment plan execution Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
f8a63511-66f1-503f-196d-d6217ee0823a
Regulatory Compliance 9c954fcf-6dd8-81f1-41b5-832ae5c62caf Incorporate simulated contingency training CMA_C1260 - Incorporate simulated contingency training Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
9c954fcf-6dd8-81f1-41b5-832ae5c62caf
Kubernetes 1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d Kubernetes clusters should be accessible only over HTTPS Use of HTTPS ensures authentication and protects data in transit from network layer eavesdropping attacks. This capability is currently generally available for Kubernetes Service (AKS), and in preview for Azure Arc enabled Kubernetes. For more information, visit https://aka.ms/kubepolicydoc Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
2022-09-19 17:41:40
Major (7.0.0 > 8.0.0)
Regulatory Compliance d25cbded-121e-0ed6-1857-dc698c9095b1 Take action in response to customer information CMA_C1554 - Take action in response to customer information Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
d25cbded-121e-0ed6-1857-dc698c9095b1
Regulatory Compliance f6794ab8-9a7d-3b24-76ab-265d3646232b Provide role-based training on suspicious activities CMA_C1097 - Provide role-based training on suspicious activities Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
f6794ab8-9a7d-3b24-76ab-265d3646232b
Kubernetes c26596ff-4d70-4e6a-9a30-c2506bd2f80c Kubernetes cluster containers should only use allowed capabilities Restrict the capabilities to reduce the attack surface of containers in a Kubernetes cluster. This recommendation is part of CIS 5.2.8 and CIS 5.2.9 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
2022-09-19 17:41:40
Major (5.0.1 > 6.0.0)
Regulatory Compliance df54d34f-65f3-39f1-103c-a0464b8615df Manage transfers between standby and active system components CMA_0371 - Manage transfers between standby and active system components Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
df54d34f-65f3-39f1-103c-a0464b8615df
Regulatory Compliance dc7ec756-221c-33c8-0afe-c48e10e42321 Verify security controls for external information systems CMA_0541 - Verify security controls for external information systems Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
dc7ec756-221c-33c8-0afe-c48e10e42321
Regulatory Compliance 75b9db50-7906-2351-98ae-0458218609e5 Retain accounting of disclosures of information CMA_C1819 - Retain accounting of disclosures of information Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
75b9db50-7906-2351-98ae-0458218609e5
Regulatory Compliance 08c11b48-8745-034d-1c1b-a144feec73b9 Restrict use of open source software CMA_C1237 - Restrict use of open source software Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
08c11b48-8745-034d-1c1b-a144feec73b9
Regulatory Compliance e5c5fc78-4aa5-3d6b-81bc-5fcc88b318e9 Review and update personnel security policies and procedures CMA_C1507 - Review and update personnel security policies and procedures Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
e5c5fc78-4aa5-3d6b-81bc-5fcc88b318e9
Regulatory Compliance eff6e4a5-3efe-94dd-2ed1-25d56a019a82 Distribute policies and procedures CMA_0185 - Distribute policies and procedures Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
eff6e4a5-3efe-94dd-2ed1-25d56a019a82
Regulatory Compliance bbb2e6d6-085f-5a35-a55d-e45daad38933 Provide secure name and address resolution services CMA_0416 - Provide secure name and address resolution services Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
bbb2e6d6-085f-5a35-a55d-e45daad38933
Regulatory Compliance 44b71aa8-099d-8b97-1557-0e853ec38e0d Obtain functional properties of security controls CMA_C1575 - Obtain functional properties of security controls Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
44b71aa8-099d-8b97-1557-0e853ec38e0d
Regulatory Compliance 56fb5173-3865-5a5d-5fad-ae33e53e1577 Address information security issues CMA_C1742 - Address information security issues Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
56fb5173-3865-5a5d-5fad-ae33e53e1577
Regulatory Compliance 70057208-70cc-7b31-3c3a-121af6bc1966 Secure commitment from leadership CMA_0489 - Secure commitment from leadership Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
70057208-70cc-7b31-3c3a-121af6bc1966
Regulatory Compliance e7422f08-65b4-50e4-3779-d793156e0079 Develop a concept of operations (CONOPS) CMA_0141 - Develop a concept of operations (CONOPS) Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
e7422f08-65b4-50e4-3779-d793156e0079
Kubernetes d2e7ea85-6b44-4317-a0be-1b951587f626 Kubernetes clusters should not grant CAP_SYS_ADMIN security capabilities To reduce the attack surface of your containers, restrict CAP_SYS_ADMIN Linux capabilities. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
2022-09-19 17:41:40
Major (4.0.0 > 5.0.0)
Regulatory Compliance b269a749-705e-8bff-055a-147744675cdf Conduct backup of information system documentation CMA_C1289 - Conduct backup of information system documentation Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
b269a749-705e-8bff-055a-147744675cdf
Regulatory Compliance b2c723e8-a1a0-8e38-5cf1-f5a20ffe4f51 Publish access procedures in SORNs CMA_C1848 - Publish access procedures in SORNs Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
b2c723e8-a1a0-8e38-5cf1-f5a20ffe4f51
Kubernetes 975ce327-682c-4f2e-aa46-b9598289b86c Kubernetes cluster containers should only use allowed seccomp profiles Pod containers can only use allowed seccomp profiles in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
2022-09-19 17:41:40
Major (5.0.1 > 7.0.0)
Regulatory Compliance ff1efad2-6b09-54cc-01bf-d386c4d558a8 Secure the interface to external systems CMA_0491 - Secure the interface to external systems Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
ff1efad2-6b09-54cc-01bf-d386c4d558a8
App Service 08cf2974-d178-48a0-b26d-f6b8e555748b Configure Function app slots to only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Default
Modify
Allowed
Modify, Disabled
count: 001
Website Contributor
add
2022-09-19 17:41:40
08cf2974-d178-48a0-b26d-f6b8e555748b
Regulatory Compliance 69d90ee6-9f9f-262a-2038-d909fb4e5723 Identify spilled information CMA_0303 - Identify spilled information Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
69d90ee6-9f9f-262a-2038-d909fb4e5723
Regulatory Compliance 46ab2c5e-6654-1f58-8c83-e97a44f39308 Identify external service providers CMA_C1591 - Identify external service providers Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
46ab2c5e-6654-1f58-8c83-e97a44f39308
Regulatory Compliance 098dcde7-016a-06c3-0985-0daaf3301d3a Distribute authenticators CMA_0184 - Distribute authenticators Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
098dcde7-016a-06c3-0985-0daaf3301d3a
Kubernetes 423dd1ba-798e-40e4-9c4d-b6902674b423 Kubernetes clusters should disable automounting API credentials Disable automounting API credentials to prevent a potentially compromised Pod resource from running API commands against Kubernetes clusters. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
2022-09-19 17:41:40
Major (3.0.1 > 4.0.0)
Regulatory Compliance 68d2e478-3b19-23eb-1357-31b296547457 Enforce software execution privileges CMA_C1041 - Enforce software execution privileges Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
68d2e478-3b19-23eb-1357-31b296547457
Regulatory Compliance 80029bc5-834f-3a9c-a2d8-acbc1aab4e9f Employ restrictions on external system interconnections CMA_C1155 - Employ restrictions on external system interconnections Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
80029bc5-834f-3a9c-a2d8-acbc1aab4e9f
Regulatory Compliance f30edfad-4e1d-1eef-27ee-9292d6d89842 Perform security function verification at a defined frequency CMA_C1709 - Perform security function verification at a defined frequency Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
f30edfad-4e1d-1eef-27ee-9292d6d89842
Regulatory Compliance 834b7a4a-83ab-2188-1a26-9c5033d8173b Incorporate security and data privacy practices in research processing CMA_0331 - Incorporate security and data privacy practices in research processing Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
834b7a4a-83ab-2188-1a26-9c5033d8173b
Regulatory Compliance 13939f8c-4cd5-a6db-9af4-9dfec35e3722 Identify and mitigate potential issues at alternate storage site CMA_C1271 - Identify and mitigate potential issues at alternate storage site Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
13939f8c-4cd5-a6db-9af4-9dfec35e3722
Regulatory Compliance ca6d7878-3189-1833-4620-6c7254ed1607 Obtain continuous monitoring plan for security controls CMA_C1577 - Obtain continuous monitoring plan for security controls Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
ca6d7878-3189-1833-4620-6c7254ed1607
Regulatory Compliance 03d550b4-34ee-03f4-515f-f2e2faf7a413 Review access control policies and procedures CMA_0457 - Review access control policies and procedures Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
03d550b4-34ee-03f4-515f-f2e2faf7a413
Regulatory Compliance bb048641-6017-7272-7772-a008f285a520 Develop spillage response procedures CMA_0162 - Develop spillage response procedures Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
bb048641-6017-7272-7772-a008f285a520
Regulatory Compliance 10c3a1b1-29b0-a2d5-8f4c-a284b0f07830 Implement cryptographic mechanisms CMA_C1419 - Implement cryptographic mechanisms Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
10c3a1b1-29b0-a2d5-8f4c-a284b0f07830
Regulatory Compliance 0f31d98d-5ce2-705b-4aa5-b4f6705110dd Prepare alternate processing site for use as operational site CMA_C1278 - Prepare alternate processing site for use as operational site Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
0f31d98d-5ce2-705b-4aa5-b4f6705110dd
Regulatory Compliance 279052a0-8238-694d-9661-bf649f951747 Identify contaminated systems and components CMA_0300 - Identify contaminated systems and components Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
279052a0-8238-694d-9661-bf649f951747
Kubernetes 46592696-4c7b-4bf3-9e45-6c2763bdc0a6 Kubernetes cluster pods should use specified labels Use specified labels to identify the pods in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
2022-09-19 17:41:40
Major (6.2.1 > 7.0.0)
Regulatory Compliance 8b077bff-516f-3983-6c42-c86e9a11868b Designate individuals to fulfill specific roles and responsibilities CMA_C1747 - Designate individuals to fulfill specific roles and responsibilities Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
8b077bff-516f-3983-6c42-c86e9a11868b
App Service eaebaea7-8013-4ceb-9d14-7eb32271373c Function apps should have 'Client Certificates (Incoming client certificates)' enabled Client certificates allow for the app to request a certificate for incoming requests. Only clients with valid certificates will be able to reach the app. Default
Audit
Allowed
Audit, Disabled
change
2022-09-19 17:41:40
Major (2.0.0 > 3.0.0)
Regulatory Compliance 015b4935-448a-8684-27c0-d13086356c33 Implement a threat awareness program CMA_C1758 - Implement a threat awareness program Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
015b4935-448a-8684-27c0-d13086356c33
Regulatory Compliance ab02bb73-4ce1-89dd-3905-d93042809ba0 Align business objectives and IT goals CMA_0008 - Align business objectives and IT goals Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
ab02bb73-4ce1-89dd-3905-d93042809ba0
Regulatory Compliance c7e8ddc1-14aa-1814-7fe1-aad1742b27da Enforce expiration of cached authenticators CMA_C1343 - Enforce expiration of cached authenticators Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
c7e8ddc1-14aa-1814-7fe1-aad1742b27da
Kubernetes 233a2a17-77ca-4fb1-9b6b-69223d272a44 Kubernetes cluster services should listen only on allowed ports Restrict services to listen only on allowed ports to secure access to the Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
2022-09-19 17:41:40
Major (7.0.0 > 8.0.0)
App Service cae7c12e-764b-4c87-841a-fdc6675d196f App Service app slots should not have CORS configured to allow every resource to access your apps Cross-Origin Resource Sharing (CORS) should not allow all domains to access your app. Allow only required domains to interact with your app. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
2022-09-19 17:41:40
cae7c12e-764b-4c87-841a-fdc6675d196f
Regulatory Compliance 22c16ae4-19d0-29cb-422f-cb44061180ee Disable user accounts posing a significant risk CMA_C1026 - Disable user accounts posing a significant risk Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
22c16ae4-19d0-29cb-422f-cb44061180ee
Regulatory Compliance b4e19d22-8c0e-7cad-3219-c84c62dc250f Review and update media protection policies and procedures CMA_C1427 - Review and update media protection policies and procedures Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
b4e19d22-8c0e-7cad-3219-c84c62dc250f
Regulatory Compliance e9c60c37-65b0-2d72-6c3c-af66036203ae Review and update contingency planning policies and procedures CMA_C1243 - Review and update contingency planning policies and procedures Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
e9c60c37-65b0-2d72-6c3c-af66036203ae
Regulatory Compliance 311802f9-098d-0659-245a-94c5d47c0182 Employ boundary protection to isolate information systems CMA_C1639 - Employ boundary protection to isolate information systems Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
311802f9-098d-0659-245a-94c5d47c0182
Regulatory Compliance dd2523d5-2db3-642b-a1cf-83ac973b32c2 Establish benchmarks for flaw remediation CMA_C1675 - Establish benchmarks for flaw remediation Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
dd2523d5-2db3-642b-a1cf-83ac973b32c2
Regulatory Compliance 1fdf0b24-4043-3c55-357e-036985d50b52 Ensure security safeguards not needed when the individuals return CMA_C1183 - Ensure security safeguards not needed when the individuals return Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
1fdf0b24-4043-3c55-357e-036985d50b52
Storage 2fb86bf3-d221-43d1-96d1-2434af34eaa0 Configure diagnostic settings for Table Services to Log Analytics workspace Deploys the diagnostic settings for Table Services to stream resource logs to a Log Analytics workspace when any Table Service that is missing these diagnostic settings is created or updated. Note: This policy is not triggered upon Storage Account creation and requires creation of a remediation task in order to update the account. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
2022-09-19 17:41:40
Major (1.0.0 > 2.0.0)
Regulatory Compliance 178c8b7e-1b6e-4289-44dd-2f1526b678a1 Ensure alternate storage site safeguards are equivalent to primary site CMA_C1268 - Ensure alternate storage site safeguards are equivalent to primary site Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
178c8b7e-1b6e-4289-44dd-2f1526b678a1
Regulatory Compliance b9d45adb-471b-56a5-64d2-5b241f126174 Automate privacy controls CMA_C1817 - Automate privacy controls Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
b9d45adb-471b-56a5-64d2-5b241f126174
Regulatory Compliance 84a01872-5318-049e-061e-d56734183e84 Distribute information system documentation CMA_C1584 - Distribute information system documentation Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
84a01872-5318-049e-061e-d56734183e84
Regulatory Compliance ca748dfe-3e28-1d18-4221-89aea30aa0a5 Identify status of individual users CMA_C1316 - Identify status of individual users Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
ca748dfe-3e28-1d18-4221-89aea30aa0a5
Regulatory Compliance 4e45863d-9ea9-32b4-a204-2680bc6007a6 Require external service providers to comply with security requirements CMA_C1586 - Require external service providers to comply with security requirements Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
4e45863d-9ea9-32b4-a204-2680bc6007a6
Regulatory Compliance 20762f1e-85fb-31b0-a600-e833633f10fe Reveal error messages CMA_C1725 - Reveal error messages Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
20762f1e-85fb-31b0-a600-e833633f10fe
Regulatory Compliance d48a6f19-a284-6fc6-0623-3367a74d3f50 Update interconnection security agreements CMA_0519 - Update interconnection security agreements Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
d48a6f19-a284-6fc6-0623-3367a74d3f50
Regulatory Compliance 75b42dcf-7840-1271-260b-852273d7906e Develop contingency planning policies and procedures CMA_0156 - Develop contingency planning policies and procedures Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
75b42dcf-7840-1271-260b-852273d7906e
Regulatory Compliance 98e33927-8d7f-6d5f-44f5-2469b40b7215 Implement Incident handling capability CMA_C1367 - Implement Incident handling capability Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
98e33927-8d7f-6d5f-44f5-2469b40b7215
Regulatory Compliance b544f797-a73b-1be3-6d01-6b1a085376bc Establish information security workforce development and improvement program CMA_C1752 - Establish information security workforce development and improvement program Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
b544f797-a73b-1be3-6d01-6b1a085376bc
Regulatory Compliance 59f7feff-02aa-6539-2cf7-bea75b762140 Develop access control policies and procedures CMA_0144 - Develop access control policies and procedures Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
59f7feff-02aa-6539-2cf7-bea75b762140
Regulatory Compliance 28aa060e-25c7-6121-05d8-a846f11433df Review and update planning policies and procedures CMA_C1491 - Review and update planning policies and procedures Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
28aa060e-25c7-6121-05d8-a846f11433df
Regulatory Compliance 2af4640d-11a6-a64b-5ceb-a468f4341c0c Define and enforce inactivity log policy CMA_C1017 - Define and enforce inactivity log policy Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
2af4640d-11a6-a64b-5ceb-a468f4341c0c
Kubernetes 57dde185-5c62-4063-b965-afbb201e9c1c Kubernetes cluster Windows containers should only run with approved user and domain user group Control the user that Windows pods and containers can use to run in a Kubernetes Cluster. This recommendation is part of Pod Security Policies on Windows nodes which are intended to improve the security of your Kubernetes environments. Default
Audit
Allowed
Audit, Deny, Disabled
change
2022-09-19 17:41:40
Major (1.0.0 > 2.0.0)
Regulatory Compliance 5269d7e4-3768-501d-7e46-66c56c15622c Manage contacts for authorities and special interest groups CMA_0359 - Manage contacts for authorities and special interest groups Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
5269d7e4-3768-501d-7e46-66c56c15622c
App Service 25a5046c-c423-4805-9235-e844ae9ef49b Configure Function apps to turn off remote debugging Remote debugging requires inbound ports to be opened on Function apps. Remote debugging should be turned off. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Website Contributor
add
2022-09-19 17:41:40
25a5046c-c423-4805-9235-e844ae9ef49b
Regulatory Compliance dd6d00a8-701a-5935-a22b-c7b9c0c698b2 Isolate SecurID systems, Security Incident Management systems CMA_C1636 - Isolate SecurID systems, Security Incident Management systems Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
dd6d00a8-701a-5935-a22b-c7b9c0c698b2
Regulatory Compliance f7eb1d0b-6d4f-2d59-1591-7563e11a9313 Define and enforce conditions for shared and group accounts CMA_0117 - Define and enforce conditions for shared and group accounts Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
f7eb1d0b-6d4f-2d59-1591-7563e11a9313
App Service fd34e936-069e-4fe5-bac6-f7c9824caab6 App Service app slots should use an Azure file share for their content directory The content directory of an app should be located on an Azure file share. The storage account information for the file share must be provided before any publishing activity. To learn more about using Azure Files for hosting app service content, refer to https://go.microsoft.com/fwlink/?linkid=2151594. Default
Audit
Allowed
Audit, Disabled
add
2022-09-19 17:41:40
fd34e936-069e-4fe5-bac6-f7c9824caab6
Kubernetes 1c6e92c9-99f0-4e55-9cf2-0c234dc48f99 Kubernetes clusters should not allow container privilege escalation Do not allow containers to run with privilege escalation to root in a Kubernetes cluster. This recommendation is part of CIS 5.2.5 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
2022-09-19 17:41:40
Major (6.0.1 > 7.0.0)
Regulatory Compliance e4054c0e-1184-09e6-4c5e-701e0bc90f81 Report atypical behavior of user accounts CMA_C1025 - Report atypical behavior of user accounts Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
e4054c0e-1184-09e6-4c5e-701e0bc90f81
Regulatory Compliance a90c4d44-7fac-8e02-6d5b-0d92046b20e6 Automate flaw remediation CMA_0027 - Automate flaw remediation Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
a90c4d44-7fac-8e02-6d5b-0d92046b20e6
Regulatory Compliance db580551-0b3c-4ea1-8a4c-4cdb5feb340f Provide the logout capability CMA_C1055 - Provide the logout capability Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
db580551-0b3c-4ea1-8a4c-4cdb5feb340f
Regulatory Compliance f6da5cca-5795-60ff-49e1-4972567815fe Require developer to identify SDLC ports, protocols, and services CMA_C1578 - Require developer to identify SDLC ports, protocols, and services Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
f6da5cca-5795-60ff-49e1-4972567815fe
Regulatory Compliance b33d61c1-7463-7025-0ec0-a47585b59147 Require developers to manage change integrity CMA_C1595 - Require developers to manage change integrity Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
b33d61c1-7463-7025-0ec0-a47585b59147
Regulatory Compliance 3054c74b-9b45-2581-56cf-053a1a716c39 Accept assessment results CMA_C1150 - Accept assessment results Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
3054c74b-9b45-2581-56cf-053a1a716c39
Regulatory Compliance 676c3c35-3c36-612c-9523-36d266a65000 Require developers to provide training CMA_C1611 - Require developers to provide training Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
676c3c35-3c36-612c-9523-36d266a65000
Regulatory Compliance 20012034-96f0-85c2-4a86-1ae1eb457802 Review and update risk assessment policies and procedures CMA_C1537 - Review and update risk assessment policies and procedures Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
20012034-96f0-85c2-4a86-1ae1eb457802
Regulatory Compliance d9edcea6-6cb8-0266-a48c-2061fbac4310 Plan for continuance of essential business functions CMA_C1255 - Plan for continuance of essential business functions Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
d9edcea6-6cb8-0266-a48c-2061fbac4310
Regulatory Compliance 18e9d748-73d4-0c96-55ab-b108bfbd5bc3 Notify personnel of any failed security verification tests CMA_C1710 - Notify personnel of any failed security verification tests Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
18e9d748-73d4-0c96-55ab-b108bfbd5bc3
Regulatory Compliance a30bd8e9-7064-312a-0e1f-e1b485d59f6e Review exploit protection events CMA_0472 - Review exploit protection events Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
a30bd8e9-7064-312a-0e1f-e1b485d59f6e
Regulatory Compliance 449ebb52-945b-36e5-3446-af6f33770f8f Update the security authorization CMA_C1160 - Update the security authorization Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
449ebb52-945b-36e5-3446-af6f33770f8f
Regulatory Compliance eda0cbb7-6043-05bf-645b-67411f1a59b3 Ensure there are no unencrypted static authenticators CMA_C1340 - Ensure there are no unencrypted static authenticators Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
eda0cbb7-6043-05bf-645b-67411f1a59b3
Storage 7bd000e3-37c7-4928-9f31-86c4b77c5c45 Configure diagnostic settings for Queue Services to Log Analytics workspace Deploys the diagnostic settings for Queue Services to stream resource logs to a Log Analytics workspace when any Queue Service that is missing these diagnostic settings is created or updated. Note: This policy is not triggered upon Storage Account creation and requires creation of a remediation task in order to update the account. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
2022-09-19 17:41:40
Major (1.0.0 > 2.0.0)
Regulatory Compliance 95eb7d09-9937-5df9-11d9-20317e3f60df Provide formal notice to individuals CMA_C1864 - Provide formal notice to individuals Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
95eb7d09-9937-5df9-11d9-20317e3f60df
Regulatory Compliance 81b6267b-97a7-9aa5-51ee-d2584a160424 Create separate alternate and primary storage sites CMA_C1269 - Create separate alternate and primary storage sites Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
81b6267b-97a7-9aa5-51ee-d2584a160424
Regulatory Compliance 83eea3d3-0d2c-9ccd-1021-2111b29b2a62 Ensure system capable of dynamic isolation of resources CMA_C1638 - Ensure system capable of dynamic isolation of resources Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
83eea3d3-0d2c-9ccd-1021-2111b29b2a62
Regulatory Compliance 6a379d74-903b-244a-4c44-838728bea6b0 Analyse data obtained from continuous monitoring CMA_C1169 - Analyse data obtained from continuous monitoring Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
6a379d74-903b-244a-4c44-838728bea6b0
Regulatory Compliance 16c54e01-9e65-7524-7c33-beda48a75779 Produce, control and distribute symmetric cryptographic keys CMA_C1645 - Produce, control and distribute symmetric cryptographic keys Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
16c54e01-9e65-7524-7c33-beda48a75779
Regulatory Compliance 06af77de-02ca-0f3e-838a-a9420fe466f5 Establish a discrete line item in budgeting documentation CMA_C1563 - Establish a discrete line item in budgeting documentation Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
06af77de-02ca-0f3e-838a-a9420fe466f5
App Service dcbc65aa-59f3-4239-8978-3bb869d82604 App Service apps should use an Azure file share for their content directory The content directory of an app should be located on an Azure file share. The storage account information for the file share must be provided before any publishing activity. To learn more about using Azure Files for hosting app service content, refer to https://go.microsoft.com/fwlink/?linkid=2151594. Default
Audit
Allowed
Audit, Disabled
change
2022-09-19 17:41:40
Major (2.0.0 > 3.0.0)
Regulatory Compliance 57adc919-9dca-817c-8197-64d812070316 Develop an enterprise architecture CMA_C1741 - Develop an enterprise architecture Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
57adc919-9dca-817c-8197-64d812070316
Regulatory Compliance cc2f7339-2fac-1ea9-9ca3-cd530fbb0da2 Create alternative actions for identified anomalies CMA_C1711 - Create alternative actions for identified anomalies Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
cc2f7339-2fac-1ea9-9ca3-cd530fbb0da2
Regulatory Compliance ced291b8-1d3d-7e27-40cf-829e9dd523c8 Review and update the information security architecture CMA_C1504 - Review and update the information security architecture Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
ced291b8-1d3d-7e27-40cf-829e9dd523c8
Regulatory Compliance e29a8f1b-149b-2fa3-969d-ebee1baa9472 Assign an authorizing official (AO) CMA_C1158 - Assign an authorizing official (AO) Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
e29a8f1b-149b-2fa3-969d-ebee1baa9472
Regulatory Compliance f131c8c5-a54a-4888-1efc-158928924bc1 Require developers to build security architecture CMA_C1612 - Require developers to build security architecture Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
f131c8c5-a54a-4888-1efc-158928924bc1
Regulatory Compliance ef5a7059-6651-73b1-18b3-75b1b79c1565 Define information security roles and responsibilities CMA_C1565 - Define information security roles and responsibilities Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
ef5a7059-6651-73b1-18b3-75b1b79c1565
Regulatory Compliance 8c44a0ea-9b09-4d9c-0e91-f9bee3d05bfb Document customer-defined actions CMA_C1582 - Document customer-defined actions Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
8c44a0ea-9b09-4d9c-0e91-f9bee3d05bfb
Regulatory Compliance a28323fe-276d-3787-32d2-cef6395764c4 Develop audit and accountability policies and procedures CMA_0154 - Develop audit and accountability policies and procedures Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
a28323fe-276d-3787-32d2-cef6395764c4
Regulatory Compliance 3eecf628-a1c8-1b48-1b5c-7ca781e97970 Specify permitted actions associated with customer audit information CMA_C1122 - Specify permitted actions associated with customer audit information Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
3eecf628-a1c8-1b48-1b5c-7ca781e97970
Regulatory Compliance 4c385143-09fd-3a34-790c-a5fd9ec77ddc Provide role-based security training CMA_C1094 - Provide role-based security training Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
4c385143-09fd-3a34-790c-a5fd9ec77ddc
Regulatory Compliance de251b09-4a5e-1204-4bef-62ac58d47999 Adjust level of audit review, analysis, and reporting CMA_C1123 - Adjust level of audit review, analysis, and reporting Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
de251b09-4a5e-1204-4bef-62ac58d47999
Regulatory Compliance b470a37a-7a47-3792-34dd-7a793140702e Establish relationship between incident response capability and external providers CMA_C1376 - Establish relationship between incident response capability and external providers Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
b470a37a-7a47-3792-34dd-7a793140702e
Regulatory Compliance 27ce30dd-3d56-8b54-6144-e26d9a37a541 Ensure audit records are not altered CMA_C1125 - Ensure audit records are not altered Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
27ce30dd-3d56-8b54-6144-e26d9a37a541
Regulatory Compliance 1b8a7ec3-11cc-a2d3-8cd0-eedf074424a4 Employ automatic shutdown/restart when violations are detected CMA_C1715 - Employ automatic shutdown/restart when violations are detected Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
1b8a7ec3-11cc-a2d3-8cd0-eedf074424a4
Regulatory Compliance 4b8fd5da-609b-33bf-9724-1c946285a14c Notify Account Managers of customer controlled accounts CMA_C1009 - Notify Account Managers of customer controlled accounts Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
4b8fd5da-609b-33bf-9724-1c946285a14c
Regulatory Compliance cdcb825f-a0fb-31f9-29c1-ab566718499a Publish Computer Matching Agreements on public website CMA_C1829 - Publish Computer Matching Agreements on public website Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
cdcb825f-a0fb-31f9-29c1-ab566718499a
Regulatory Compliance 2d14ff7e-6ff9-838c-0cde-4962ccdb1689 Employ business case to record the resources required CMA_C1735 - Employ business case to record the resources required Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
2d14ff7e-6ff9-838c-0cde-4962ccdb1689
Regulatory Compliance e1379836-3492-6395-451d-2f5062e14136 Identify and authenticate non-organizational users CMA_C1346 - Identify and authenticate non-organizational users Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
e1379836-3492-6395-451d-2f5062e14136
Regulatory Compliance db8b35d6-8adb-3f51-44ff-c648ab5b1530 Employ FICAM-approved resources to accept third-party credentials CMA_C1349 - Employ FICAM-approved resources to accept third-party credentials Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
db8b35d6-8adb-3f51-44ff-c648ab5b1530
Regulatory Compliance d136ae80-54dd-321c-98b4-17acf4af2169 Provide updated security awareness training CMA_C1090 - Provide updated security awareness training Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
d136ae80-54dd-321c-98b4-17acf4af2169
Regulatory Compliance 39999038-9ef1-602a-158c-ce2367185230 Define performance metrics CMA_0124 - Define performance metrics Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
39999038-9ef1-602a-158c-ce2367185230
Regulatory Compliance eb8a8df9-521f-3ccd-7e2c-3d1fcc812340 Review and update configuration management policies and procedures CMA_C1175 - Review and update configuration management policies and procedures Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
eb8a8df9-521f-3ccd-7e2c-3d1fcc812340
Regulatory Compliance 92b94485-1c49-3350-9ada-dffe94f08e87 Obtain approvals for acquisitions and outsourcing CMA_C1590 - Obtain approvals for acquisitions and outsourcing Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
92b94485-1c49-3350-9ada-dffe94f08e87
Regulatory Compliance 4edaca8c-0912-1ac5-9eaa-6a1057740fae Provide capability to disconnect or disable remote access CMA_C1066 - Provide capability to disconnect or disable remote access Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
4edaca8c-0912-1ac5-9eaa-6a1057740fae
Regulatory Compliance 0065241c-72e9-3b2c-556f-75de66332a94 Establish parameters for searching secret authenticators and verifiers CMA_0274 - Establish parameters for searching secret authenticators and verifiers Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
0065241c-72e9-3b2c-556f-75de66332a94
Regulatory Compliance a44c9fba-43f8-4b7b-7ee6-db52c96b4366 Facilitate information sharing CMA_0284 - Facilitate information sharing Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
a44c9fba-43f8-4b7b-7ee6-db52c96b4366
Regulatory Compliance 3f1216b0-30ee-1ac9-3899-63eb744e85f5 Obtain Admin documentation CMA_C1580 - Obtain Admin documentation Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
3f1216b0-30ee-1ac9-3899-63eb744e85f5
Kubernetes a2abc456-f0ae-464b-bd3a-07a3cdbd7fb1 Kubernetes cluster Windows containers should not overcommit cpu and memory Windows container resource requests should be less than or equal to the resource limit, or unspecified, to avoid overcommit. If Windows memory is over-provisioned, it will page to disk - which can slow down performance - instead of terminating the container with an out-of-memory error. Default
Audit
Allowed
Audit, Deny, Disabled
change
2022-09-19 17:41:40
Major (1.0.2 > 2.0.0)
Regulatory Compliance 2067b904-9552-3259-0cdd-84468e284b7c Review and update system maintenance policies and procedures CMA_C1395 - Review and update system maintenance policies and procedures Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
2067b904-9552-3259-0cdd-84468e284b7c
Regulatory Compliance b8587fce-138f-86e8-33a3-c60768bf1da6 Automate remote maintenance activities CMA_C1402 - Automate remote maintenance activities Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
b8587fce-138f-86e8-33a3-c60768bf1da6
Regulatory Compliance 6c79c3e5-5f7b-a48a-5c7b-8c158bc01115 Ensure security categorization is approved CMA_C1540 - Ensure security categorization is approved Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
6c79c3e5-5f7b-a48a-5c7b-8c158bc01115
Regulatory Compliance 1dbd51c2-2bd1-5e26-75ba-ed075d8f0d68 Conduct risk assessment and document its results CMA_C1542 - Conduct risk assessment and document its results Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
1dbd51c2-2bd1-5e26-75ba-ed075d8f0d68
Regulatory Compliance 8b333332-6efd-7c0d-5a9f-d1eb95105214 Employ FIPS 201-approved technology for PIV CMA_C1579 - Employ FIPS 201-approved technology for PIV Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
8b333332-6efd-7c0d-5a9f-d1eb95105214
App Service 4d0bc837-6eff-477e-9ecd-33bf8d4212a5 Function apps should use an Azure file share for their content directory The content directory of a Function app should be located on an Azure file share. The storage account information for the file share must be provided before any publishing activity. To learn more about using Azure Files for hosting app service content, refer to https://go.microsoft.com/fwlink/?linkid=2151594. Default
Audit
Allowed
Audit, Disabled
change
2022-09-19 17:41:40
Major (2.0.0 > 3.0.0)
Kubernetes 098fc59e-46c7-4d99-9b16-64990e543d75 Kubernetes cluster pod hostPath volumes should only use allowed host paths Limit pod HostPath volume mounts to the allowed host paths in a Kubernetes Cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
2022-09-19 17:41:40
Major (5.0.1 > 6.0.0)
Regulatory Compliance e7589f4e-1e8b-72c2-3692-1e14d7f3699f Ensure access agreements are signed or resigned timely CMA_C1528 - Ensure access agreements are signed or resigned timely Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
e7589f4e-1e8b-72c2-3692-1e14d7f3699f
Regulatory Compliance 7ded6497-815d-6506-242b-e043e0273928 Plan for resumption of essential business functions CMA_C1253 - Plan for resumption of essential business functions Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
7ded6497-815d-6506-242b-e043e0273928
Regulatory Compliance ffea18d9-13de-6505-37f3-4c1f88070ad7 Review cloud service provider's compliance with policies and agreements CMA_0469 - Review cloud service provider's compliance with policies and agreements Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
ffea18d9-13de-6505-37f3-4c1f88070ad7
App Service cf9ca02d-383e-4506-a421-258cc1a5300d Function app slots should have 'Client Certificates (Incoming client certificates)' enabled Client certificates allow for the app to request a certificate for incoming requests. Only clients with valid certificates will be able to reach the app. Default
Audit
Allowed
Audit, Disabled
add
2022-09-19 17:41:40
cf9ca02d-383e-4506-a421-258cc1a5300d
Regulatory Compliance 611ebc63-8600-50b6-a0e3-fef272457132 Employ independent team for penetration testing CMA_C1171 - Employ independent team for penetration testing Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
611ebc63-8600-50b6-a0e3-fef272457132
Regulatory Compliance 4012c2b7-4e0e-a7ab-1688-4aab43f14420 Map authenticated identities to individuals CMA_0372 - Map authenticated identities to individuals Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
4012c2b7-4e0e-a7ab-1688-4aab43f14420
Kubernetes a27c700f-8a22-44ec-961c-41625264370b Kubernetes clusters should not use specific security capabilities Prevent specific security capabilities in Kubernetes clusters to keep ungranted privileges off the Pod resource. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
2022-09-19 17:41:40
Major (4.0.1 > 5.0.0)
Regulatory Compliance 245fe58b-96f8-9f1e-48c5-7f49903f66fd Establish alternate storage site that facilitates recovery operations CMA_C1270 - Establish alternate storage site that facilitates recovery operations Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
245fe58b-96f8-9f1e-48c5-7f49903f66fd
Regulatory Compliance 33d34fac-56a8-1c0f-0636-3ed94892a709 Govern the allocation of resources CMA_0293 - Govern the allocation of resources Default
Manual
Allowed
Manual, Disabled
add
2022-09-19 17:41:40
33d34fac-56a8-1c0f-0636-3ed94892a709
App Service 13bcff5d-f0eb-4ce7-913e-83ad6300376b Function app slots should use an Azure file share for its content directory The content directory of a Function app should be located on an Azure file share. The storage account information for the file share must be provided before any publishing activity. To learn more about using Azure Files for hosting app service content refer to https://go.microsoft.com/fwlink/?linkid=2151594. Def