| Category | Id | DisplayName | Description | Effect | Roles used | Subject | Details (UTC ymd) (i) |
|---|---|---|---|---|---|---|---|
| Machine Learning | 45e05259-1eb5-4f70-9574-baf73e9d219b | Azure Machine Learning workspaces should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Machine Learning workspaces, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/machine-learning/how-to-configure-private-link. | Default Audit Allowed Audit, Disabled |
add | 2023-03-17 18:44:06 45e05259-1eb5-4f70-9574-baf73e9d219b |
|
| Machine Learning | 40cec1dd-a100-4920-b15b-3024fe8901ab | [Deprecated]: Azure Machine Learning workspaces should use private link | This policy is deprecated because private link is created after workspace creation, deny action can never succeed. Instead of continuing to use this policy, we recommend you instead assign this replacement policy with policy ID 45e05259-1eb5-4f70-9574-baf73e9d219b. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. | Default Audit Allowed Audit, Deny, Disabled |
change | 2023-03-17 18:44:06 Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) |
|
| Kubernetes | a1840de2-8088-4ea8-b153-b4c723e9cb01 | Azure Kubernetes Service clusters should have Defender profile enabled | Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. When you enable the SecurityProfile.AzureDefender on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data. Learn more about Microsoft Defender for Containers in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks | Default Audit Allowed Audit, Disabled |
change | 2023-03-17 18:44:06 Patch (2.0.0 > 2.0.1) |
|
| Container Instances | 21c469fa-a887-4363-88a9-60bfd6911a15 | Configure diagnostics for container group to log analytics workspace | Appends the specified log analytics workspaceId and workspaceKey when any container group which is missing these fields is created or updated. Does not modify the fields of container groups created before this policy was applied until those resource groups are changed. | Default Append Allowed Append, Disabled |
add | 2023-03-17 18:44:06 21c469fa-a887-4363-88a9-60bfd6911a15 |
|
| Security Center | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | Vulnerabilities in security configuration on your machines should be remediated | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change | 2023-03-17 18:44:06 Minor (3.0.0 > 3.1.0) |
|
| API Management | 92bb331d-ac71-416a-8c91-02f2cb734ce4 | API Management calls to API backends should not bypass certificate thumbprint or name validation | To improve the API security, API Management should validate the backend server certificate for all API calls. Enable SSL certificate thumbprint and name validation. | Default Audit Allowed Audit, Disabled, Deny |
change | 2023-03-17 18:44:06 Patch (1.0.1 > 1.0.2) |
|
| SignalR | 62a3ae95-8169-403e-a2d2-b82141448092 | Modify Azure SignalR Service resources to disable public network access | To improve the security of Azure SignalR Service resource, ensure that it isn't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in https://aka.ms/asrs/networkacls. This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. | Default Modify Allowed Modify, Disabled |
count: 001 •SignalR/Web PubSub Contributor |
change | 2023-03-17 18:44:06 Minor (1.0.0 > 1.1.0) |
| SignalR | 21a9766a-82a5-4747-abb5-650b6dbba6d0 | Azure SignalR Service should disable public network access | To improve the security of Azure SignalR Service resource, ensure that it isn't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in https://aka.ms/asrs/networkacls. This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. | Default Audit Allowed Audit, Deny, Disabled |
change | 2023-03-17 18:44:06 Minor (1.0.0 > 1.1.0) |
|
| Guest Configuration | 3810e389-1d92-4f77-9267-33bdcf0bd225 | Windows machines should schedule Windows Defender to perform a scheduled scan every day | Windows machines should schedule Windows Defender to perform a scheduled scan every day to ensure that malware is quickly identified to minimize the effect this may have to the environment. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change | 2023-03-17 18:44:06 Minor (1.0.0 > 1.1.0) |
|
| Kubernetes | 64def556-fbad-4622-930e-72d1d5589bf5 | Configure Azure Kubernetes Service clusters to enable Defender profile | Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. When you enable the SecurityProfile.AzureDefender on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data. Learn more about Microsoft Defender for Containers: https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Contributor •Log Analytics Contributor |
change | 2023-03-17 18:44:06 Patch (4.0.1 > 4.0.2) |
| Managed Grafana | bc33de80-97cd-4c11-b6b4-d075e03c7d60 | Configure Azure Managed Grafana dashboards with private endpoints | Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Azure Managed Grafana, you can reduce data leakage risks. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
add | 2023-03-10 18:58:56 bc33de80-97cd-4c11-b6b4-d075e03c7d60 |
| Backup | 04726aae-4e8d-427c-af7d-ecf56d490022 | [Preview]: Configure Azure Recovery Services vaults to disable public network access | Disable public network access for your Recovery services vault so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/AB-PublicNetworkAccess-Deny. | Default Modify Allowed Modify, Disabled |
count: 001 •Backup Contributor |
add | 2023-03-10 18:58:56 04726aae-4e8d-427c-af7d-ecf56d490022 |
| Databricks | 2cc2c3b5-c2f8-45aa-a9e6-f90d85ae8352 | Azure Databricks workspaces should be Premium SKU that supports features like private link, customer-managed key for encryption | Only allow Databricks workspace with Premium Sku that your organization can deploy to support features like Private Link, customer-managed key for encryption. Learn more at: https://aka.ms/adbpe. | Default Audit Allowed Audit, Deny, Disabled |
add | 2023-03-10 18:58:56 2cc2c3b5-c2f8-45aa-a9e6-f90d85ae8352 |
|
| Managed Grafana | 4c8537f8-cd1b-49ec-b704-18e82a42fd58 | Configure Azure Managed Grafana workspaces to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Managed Grafana workspaces. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Network Contributor |
add | 2023-03-10 18:58:56 4c8537f8-cd1b-49ec-b704-18e82a42fd58 |
| Guest Configuration | 3dc5edcd-002d-444c-b216-e123bbfa37c0 | [Preview]: Windows virtual machines should enable Azure Disk Encryption or EncryptionAtHost. | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys; temp disks and data caches aren't encrypted, and data isn't encrypted when flowing between compute and storage resources. Use Azure Disk Encryption or EncryptionAtHost to encrypt all this data.Visit https://aka.ms/diskencryptioncomparison to compare encryption offerings. This policy requires two prerequisites to be deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change | 2023-03-03 18:43:58 Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) |
|
| Update Management Center | ba0df93e-e4ac-479a-aac2-134bbae39a1a | [Preview]: Schedule recurring updates using Update Management Center | You can use update management center (private preview) in Azure to save recurring deployment schedules to install operating system updates for your Windows Server and Linux machines in Azure, in on-premises environments, and in other cloud environments connected using Azure Arc-enabled servers. This policy will also change the patch mode for the Azure Virtual Machine to 'AutomaticByPlatform'. See more: https://aka.ms/umc-scheduled-patching | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
change | 2023-03-03 18:43:58 Minor, suffix remains equal (3.1.0-preview > 3.2.0-preview) |
| Kubernetes | a8e653d9-b5d4-48a0-afe6-14d881f9ee9a | Azure Arc-enabled Kubernetes clusters should have the Strimzi Kafka extension installed | Strimzi Kafka extension provides the operators to install Kafka for building real-time data pipelines and streaming applications with security and observability capabilities. Learn more here: https://aka.ms/arc-strimzikafka-doc. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Owner |
add | 2023-03-03 18:43:58 a8e653d9-b5d4-48a0-afe6-14d881f9ee9a |
| Guest Configuration | ca88aadc-6e2b-416c-9de2-5a0f01d1693f | [Preview]: Linux virtual machines should enable Azure Disk Encryption or EncryptionAtHost. | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys; temp disks and data caches aren't encrypted, and data isn't encrypted when flowing between compute and storage resources. Use Azure Disk Encryption or EncryptionAtHost to encrypt all this data.Visit https://aka.ms/diskencryptioncomparison to compare encryption offerings. This policy requires two prerequisites to be deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change | 2023-03-03 18:43:58 Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) |
|
| SQL | fd2d1a6e-6d95-4df2-ad00-504bf0273406 | Configure Arc-enabled machines running SQL Server to have SQL Server extension installed. | To ensure that SQL Server - Azure Arc resources are created by default when SQL Server instance is found on Azure Arc enabled Windows/Linux Server, the latter should have SQL Server extension installed | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •User Access Administrator |
change | 2023-03-03 18:43:58 Minor (3.2.0 > 3.3.0) |
| Managed Grafana | e8775d5a-73b7-4977-a39b-833ef0114628 | Azure Managed Grafana workspaces should disable public network access | Disabling public network access improves security by ensuring that your Azure Managed Grafana workspace isn't exposed on the public internet. Creating private endpoints can limit exposure of your workspaces. | Default Audit Allowed Audit, Deny, Disabled |
add | 2023-02-27 19:03:54 e8775d5a-73b7-4977-a39b-833ef0114628 |
|
| Azure Data Explorer | 43bc7be6-5e69-4b0d-a2bb-e815557ca673 | Public network access on Azure Data Explorer should be disabled | Disabling the public network access property improves security by ensuring Azure Data Explorer can only be accessed from a private endpoint. This configuration denies all logins that match IP or virtual network based firewall rules. | Default Audit Allowed Audit, Deny, Disabled |
add | 2023-02-27 19:03:54 43bc7be6-5e69-4b0d-a2bb-e815557ca673 |
|
| Azure Data Explorer | f7735886-8927-431f-b201-c953922512b8 | Azure Data Explorer cluster should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure Data Explorer cluster, data leakage risks are reduced. Learn more about private links at: https://learn.microsoft.com/en-us/azure/data-explorer/security-network-private-endpoint. | Default Audit Allowed Audit, Disabled |
add | 2023-02-27 19:03:54 f7735886-8927-431f-b201-c953922512b8 |
|
| Security Center | 57c2e3f0-98cf-4c3b-aa6b-e8f70726e74e | [Preview]: Configure supported Linux virtual machine scale sets to automatically install the Guest Attestation extension | Configure supported Linux virtual machines scale sets to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change | 2023-02-27 19:03:54 Minor, suffix remains equal (6.0.0-preview > 6.1.0-preview) |
| Azure Data Explorer | 7b32f193-cb28-4e15-9a98-b9556db0bafa | Configure Azure Data Explorer to disable public network access | Disabling the public network access property shuts down public connectivity such that Azure Data Explorer can only be accessed from a private endpoint. This configuration disables the public network access for all Azure Data Explorer clusters . | Default Modify Allowed Modify, Disabled |
count: 001 •SQL Server Contributor |
add | 2023-02-27 19:03:54 7b32f193-cb28-4e15-9a98-b9556db0bafa |
| Managed Grafana | 3a97e513-f75e-4230-8137-1efad4eadbbc | Azure Managed Grafana should use private link | Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Managed Grafana, you can reduce data leakage risks. | Default Audit Allowed Audit, Disabled |
add | 2023-02-27 19:03:54 3a97e513-f75e-4230-8137-1efad4eadbbc |
|
| Azure Data Explorer | 1fec9658-933f-4b3e-bc95-913ed22d012b | Azure Data Explorer should use a SKU that supports private link | With supported SKUs, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to apps, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/private-link. | Default Audit Allowed Audit, Deny, Disabled |
add | 2023-02-27 19:03:54 1fec9658-933f-4b3e-bc95-913ed22d012b |
|
| Security Center | 98ea2fc7-6fc6-4fd1-9d8d-6331154da071 | [Preview]: Configure supported Windows virtual machines to automatically install the Guest Attestation extension | Configure supported Windows virtual machines to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change | 2023-02-27 19:03:54 Minor, suffix remains equal (5.0.0-preview > 5.1.0-preview) |
| Azure Data Explorer | a47272e1-1d5d-4b0b-b366-4873f1432fe0 | Configure Azure Data Explorer clusters with private endpoints | Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Azure Data Explorer, you can reduce data leakage risks. Learn more at: [ServiceSpecificAKA.ms]. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Network Contributor •SQL Server Contributor |
add | 2023-02-27 19:03:54 a47272e1-1d5d-4b0b-b366-4873f1432fe0 |
| Security Center | 009259b0-12e8-42c9-94e7-7af86aa58d13 | [Preview]: Configure VMSS created with Shared Image Gallery images to install the Guest Attestation extension | Configure VMSS created with Shared Image Gallery images to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Reader •Virtual Machine Contributor |
change | 2023-02-27 19:03:54 Minor, suffix remains equal (2.0.0-preview > 2.1.0-preview) |
| Security Center | c9b2ae08-09e2-4f0e-bb43-b60bf0135bdf | [Preview]: Configure supported Windows virtual machine scale sets to automatically install the Guest Attestation extension | Configure supported Windows virtual machines scale sets to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change | 2023-02-27 19:03:54 Minor, suffix remains equal (4.0.0-preview > 4.1.0-preview) |
| Automanage | fb97d6e1-5c98-4743-a439-23e0977bad9e | [Preview]: Boot Diagnostics should be enabled on virtual machines | Azure virtual machines should have boot diagniostics enabled. | Default Audit Allowed Audit, Disabled |
add | 2023-02-27 19:03:54 fb97d6e1-5c98-4743-a439-23e0977bad9e |
|
| Security Center | f655e522-adff-494d-95c2-52d4f6d56a42 | [Preview]: Guest Attestation extension should be installed on supported Windows virtual machines scale sets | Install Guest Attestation extension on supported virtual machines scale sets to allow Azure Security Center to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment applies to Trusted Launch and Confidential Windows virtual machine scale sets. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change | 2023-02-27 19:03:54 Minor, suffix remains equal (3.0.0-preview > 3.1.0-preview) |
|
| Security Center | 6074e9a3-c711-4856-976d-24d51f9e065b | [Preview]: Configure supported Linux virtual machines to automatically install the Guest Attestation extension | Configure supported Linux virtual machines to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change | 2023-02-27 19:03:54 Minor, suffix remains equal (7.0.0-preview > 7.1.0-preview) |
| Kubernetes | 0adc5395-9169-4b9b-8687-af838d69410a | Configure Azure Arc enabled Kubernetes clusters to install the Azure Policy extension | Deploy Azure Policy's extension for Azure Arc to provide at-scale enforcements and safeguard your Arc enabled Kubernetes clusters in a centralized, consistent manner. Learn more at https://aka.ms/akspolicydoc. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Kubernetes Extension Contributor |
change | 2023-02-27 19:03:54 Version remains equal, old suffix: preview (1.1.0-preview > 1.1.0) |
| Kubernetes | 6b2122c1-8120-4ff5-801b-17625a355590 | Azure Arc enabled Kubernetes clusters should have the Azure Policy extension installed | The Azure Policy extension for Azure Arc provides at-scale enforcements and safeguards on your Arc enabled Kubernetes clusters in a centralized, consistent manner. Learn more at https://aka.ms/akspolicydoc. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change | 2023-02-27 19:03:54 Version remains equal, old suffix: preview (1.1.0-preview > 1.1.0) |
|
| Security Center | a21f8c92-9e22-4f09-b759-50500d1d2dda | [Preview]: Guest Attestation extension should be installed on supported Linux virtual machines scale sets | Install Guest Attestation extension on supported Linux virtual machines scale sets to allow Azure Security Center to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment applies to Trusted Launch and Confidential Linux virtual machine scale sets. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change | 2023-02-27 19:03:54 Minor, suffix remains equal (5.0.0-preview > 5.1.0-preview) |
|
| Desktop Virtualization | 87ac3038-c07a-4b92-860d-29e270a4f3cd | Azure Virtual Desktop workspaces should disable public network access | Disabling public network access for your Azure Virtual Desktop workspace resource prevents the feed from being accessible over the public internet. Allowing only private network access improves security and keeps your data safe. Learn more at: https://aka.ms/avdprivatelink. | Default Audit Allowed Audit, Deny, Disabled |
add | 2023-02-16 18:41:08 87ac3038-c07a-4b92-860d-29e270a4f3cd |
|
| Compute | 7c1b1214-f927-48bf-8882-84f0af6588b1 | [Deprecated]: Resource logs in Virtual Machine Scale Sets should be enabled | This policy definition is no longer the recommended way to achieve its intent. Instead of continuing to use this policy, we recommend you assign this replacement policy with policy ID a3a6ea0c-e018-4933-9ef0-5aaa1501449b. Learn more about policy definition deprecation at aka.ms/policydefdeprecation | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change | 2023-02-16 18:41:08 Version remains equal, new suffix: deprecated (2.1.0 > 2.1.0-deprecated) |
|
| Desktop Virtualization | ce6ebf1d-0b94-4df9-9257-d8cacc238b4f | Configure Azure Virtual Desktop workspaces to disable public network access | Disable public network access for your Azure Virtual Desktop workspace resource so the feed is not accessible over the public internet. This improves security and keeps your data safe. Learn more at: https://aka.ms/avdprivatelink. | Default Modify Allowed Modify, Disabled |
count: 001 •Desktop Virtualization Workspace Contributor |
add | 2023-02-16 18:41:08 ce6ebf1d-0b94-4df9-9257-d8cacc238b4f |
| Desktop Virtualization | 34804460-d88b-4922-a7ca-537165e060ed | Configure Azure Virtual Desktop workspace resources to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Virtual Desktop resources. Learn more at: https://aka.ms/privatednszone. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Network Contributor |
add | 2023-02-16 18:41:08 34804460-d88b-4922-a7ca-537165e060ed |
| Desktop Virtualization | a22065a3-3b04-46ff-b84c-2d30e5c300d0 | Azure Virtual Desktop hostpools should disable public network access only on session hosts | Disabling public network access for your Azure Virtual Desktop hostpool session hosts, but allowing public access for end users improves security by limiting exposure to the public internet. Learn more at: https://aka.ms/avdprivatelink. | Default Audit Allowed Audit, Deny, Disabled |
add | 2023-02-16 18:41:08 a22065a3-3b04-46ff-b84c-2d30e5c300d0 |
|
| Automanage | fd4726f4-a5fc-4540-912d-67c96fc992d5 | [Preview]: Automanage Configuration Profile Assignment should be Conformant | Resources managed by Automanage should have a status of Conformant or ConformantCorrected. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add | 2023-02-16 18:41:08 fd4726f4-a5fc-4540-912d-67c96fc992d5 |
|
| Desktop Virtualization | e84e8a9a-f43e-46e3-9458-bbcfb2d7e429 | Configure Azure Virtual Desktop hostpools to disable public network access only for session hosts | Disable public network access for your Azure Virtual Desktop hostpool session hosts, but allow public access for end users. This allows users to still access AVD service while ensuring the session host is only accessible through private routes. Learn more at: https://aka.ms/avdprivatelink. | Default Modify Allowed Modify, Disabled |
count: 001 •Desktop Virtualization Host Pool Contributor |
add | 2023-02-16 18:41:08 e84e8a9a-f43e-46e3-9458-bbcfb2d7e429 |
| Automanage | e4953962-5ae4-43eb-bb92-d66fd5563487 | [Preview]: A managed identity should be enabled on your machines | Resources managed by Automanage should have a managed identity. | Default Audit Allowed Audit, Disabled |
add | 2023-02-16 18:41:08 e4953962-5ae4-43eb-bb92-d66fd5563487 |
|
| Desktop Virtualization | 7b331e6b-6096-4395-a754-758a64505f19 | Configure Azure Virtual Desktop hostpools with private endpoints | Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Virtual Desktop resources, you can improve security and keep your data safe. Learn more at: https://aka.ms/avdprivatelink. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
add | 2023-02-16 18:41:08 7b331e6b-6096-4395-a754-758a64505f19 |
| Key Vault | 5f0bc445-3935-4915-9981-011aa2b46147 | [Deprecated]: Private endpoint should be configured for Key Vault | The policy 5f0bc445-3935-4915-9981-011aa2b46147 has been deprecated as it has been replaced by newer policy a6abeaec-4d90-4a02-805f-6b26c4d3fbe9 | Default Audit Allowed Audit, Deny, Disabled |
change | 2023-02-16 18:41:08 Patch, suffix changed: new suffix: deprecated; old suffix: preview (1.1.0-preview > 1.1.1-deprecated) |
|
| Monitoring | 0868462e-646c-4fe3-9ced-a733534b6a2c | Deploy - Configure Log Analytics extension to be enabled on Windows virtual machines | Deploy Log Analytics extension for Windows virtual machines if the virtual machine image is in the list defined and the extension is not installed. Deprecation notice: The Log Analytics agent is on a deprecation path and won't be supported after August 31, 2024. You must migrate to the replacement 'Azure Monitor agent' prior to that date. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
change | 2023-02-16 18:41:08 Minor (3.0.1 > 3.1.0) |
| Desktop Virtualization | 2a0913ff-51e7-47b8-97bb-ea17127f7c8d | Configure Azure Virtual Desktop hostpools to disable public network access | Disable public network access for session hosts and end users on your Azure Virtual Desktop hostpool resource so that it's not accessible over the public internet. This improves security and keeps your data safe. Learn more at: https://aka.ms/avdprivatelink. | Default Modify Allowed Modify, Disabled |
count: 001 •Desktop Virtualization Host Pool Contributor |
add | 2023-02-16 18:41:08 2a0913ff-51e7-47b8-97bb-ea17127f7c8d |
| Desktop Virtualization | c25dcf31-878f-4eba-98eb-0818fdc6a334 | Azure Virtual Desktop hostpools should disable public network access | Disabling public network access improves security and keeps your data safe by ensuring that access to the Azure Virtual Desktop service is not exposed to the public internet. Learn more at: https://aka.ms/avdprivatelink. | Default Audit Allowed Audit, Deny, Disabled |
add | 2023-02-16 18:41:08 c25dcf31-878f-4eba-98eb-0818fdc6a334 |
|
| Desktop Virtualization | 02aa841c-42e8-492f-a43d-1f2c67e58d41 | Configure Azure Virtual Desktop workspaces with private endpoints | Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Virtual Desktop resources, you can improve security and keep your data safe. Learn more at: https://aka.ms/avdprivatelink. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
add | 2023-02-16 18:41:08 02aa841c-42e8-492f-a43d-1f2c67e58d41 |
| Desktop Virtualization | ca950cd7-02f7-422e-8c23-91ff40f169c1 | Azure Virtual Desktop service should use private link | Using Azure Private Link with your Azure Virtual Desktop resources can improve security and keep your data safe. Learn more about private links at: https://aka.ms/avdprivatelink. | Default Audit Allowed Audit, Disabled |
add | 2023-02-16 18:41:08 ca950cd7-02f7-422e-8c23-91ff40f169c1 |
|
| Monitoring | 3c1b3629-c8f8-4bf6-862c-037cb9094038 | Deploy - Configure Log Analytics extension to be enabled on Windows virtual machine scale sets | Deploy Log Analytics extension for Windows virtual machine scale sets if the virtual machine image is in the list defined and the extension is not installed. If your scale set upgradePolicy is set to Manual, you need to apply the extension to all the virtual machine in the set by updating them. Deprecation notice: The Log Analytics agent is on a deprecation path and won't be supported after August 31, 2024. You must migrate to the replacement 'Azure Monitor agent' prior to that date. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Virtual Machine Contributor |
change | 2023-02-16 18:41:08 Minor (3.0.1 > 3.1.0) |
| Desktop Virtualization | 9427df23-0f42-4e1e-bf99-a6133d841c4a | Configure Azure Virtual Desktop hostpool resources to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Virtual Desktop resources. Learn more at: https://aka.ms/privatednszone. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Network Contributor |
add | 2023-02-16 18:41:08 9427df23-0f42-4e1e-bf99-a6133d841c4a |
| Monitoring | bf6af3d2-fbd5-458f-8a40-2556cf539b45 | Enable logging by category group for Web PubSub Service (microsoft.signalrservice/webpubsub) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Web PubSub Service (microsoft.signalrservice/webpubsub). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add | 2023-02-10 18:41:56 bf6af3d2-fbd5-458f-8a40-2556cf539b45 |
| Monitoring | 792f8b74-dc05-44fd-b90d-340a097b80e6 | Enable logging by category group for Video Analyzers (microsoft.media/videoanalyzers) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Video Analyzers (microsoft.media/videoanalyzers). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add | 2023-02-10 18:41:56 792f8b74-dc05-44fd-b90d-340a097b80e6 |
| Guest Configuration | f40c7c00-b4e3-4068-a315-5fe81347a904 | [Preview]: Add user-assigned managed identity to enable Guest Configuration assignments on virtual machines | This policy adds a user-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration. A user-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Default DeployIfNotExists Allowed AuditIfNotExists, DeployIfNotExists, Disabled |
count: 002 •Contributor •User Access Administrator |
change | 2023-02-10 18:41:56 Patch, suffix remains equal (2.0.0-preview > 2.0.1-preview) |
| Monitoring | dfbfceaa-14b2-4a90-a679-d169fa6a6a38 | Enable logging by category group for IoT Hub (microsoft.devices/iothubs) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for IoT Hub (microsoft.devices/iothubs). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add | 2023-02-10 18:41:56 dfbfceaa-14b2-4a90-a679-d169fa6a6a38 |
| Monitoring | 4b05de63-3ad2-4f6d-b421-da21f1328f3b | Enable logging by category group for App Configuration (microsoft.appconfiguration/configurationstores) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for App Configuration (microsoft.appconfiguration/configurationstores). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add | 2023-02-10 18:41:56 4b05de63-3ad2-4f6d-b421-da21f1328f3b |
| Monitoring | 4cabf9fc-4ed1-4990-bbaf-7248fb8751bc | Enable logging by category group for Microsoft Purview accounts (microsoft.purview/accounts) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Microsoft Purview accounts (microsoft.purview/accounts). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add | 2023-02-10 18:41:56 4cabf9fc-4ed1-4990-bbaf-7248fb8751bc |
| Monitoring | 03a087c0-b49f-4440-9ae5-013703eccc8c | Enable logging by category group for Event Grid Domains (microsoft.eventgrid/domains) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Event Grid Domains (microsoft.eventgrid/domains). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add | 2023-02-10 18:41:56 03a087c0-b49f-4440-9ae5-013703eccc8c |
| Monitoring | 69ab8bfc-dc5b-443d-93a7-7531551dec66 | Enable logging by category group for AVS Private clouds (microsoft.avs/privateclouds) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for AVS Private clouds (microsoft.avs/privateclouds). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add | 2023-02-10 18:41:56 69ab8bfc-dc5b-443d-93a7-7531551dec66 |
| Monitoring | 14e81583-c89c-47db-af0d-f9ddddcccd9f | Enable logging by category group for Cognitive Services (microsoft.cognitiveservices/accounts) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Cognitive Services (microsoft.cognitiveservices/accounts). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add | 2023-02-10 18:41:56 14e81583-c89c-47db-af0d-f9ddddcccd9f |
| Monitoring | b9b976cc-59ef-468a-807e-19afa2ebfd52 | Enable logging by category group for microsoft.network/p2svpngateways to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.network/p2svpngateways. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add | 2023-02-10 18:41:56 b9b976cc-59ef-468a-807e-19afa2ebfd52 |
| SQL | b52376f7-9612-48a1-81cd-1ffe4b61032c | Public network access should be disabled for PostgreSQL servers | Disable the public network access property to improve security and ensure your Azure Database for PostgreSQL can only be accessed from a private endpoint. This configuration disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. | Default Audit Allowed Audit, Deny, Disabled |
change | 2023-02-10 18:41:56 Patch (2.0.0 > 2.0.1) |
|
| Monitoring | d147ba9f-3e17-40b1-9c23-3bca478ba804 | Enable logging by category group for Front Door and CDN profiles (microsoft.network/frontdoors) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Front Door and CDN profiles (microsoft.network/frontdoors). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add | 2023-02-10 18:41:56 d147ba9f-3e17-40b1-9c23-3bca478ba804 |
| Monitoring | 40654dcd-0b26-49d6-aeaf-d12d7c1e8c4d | Enable logging by category group for SQL managed instances (microsoft.sql/managedinstances) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for SQL managed instances (microsoft.sql/managedinstances). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add | 2023-02-10 18:41:56 40654dcd-0b26-49d6-aeaf-d12d7c1e8c4d |
| Monitoring | f8352124-56fa-4f94-9441-425109cdc14b | Enable logging by category group for Bastions (microsoft.network/bastionhosts) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Bastions (microsoft.network/bastionhosts). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add | 2023-02-10 18:41:56 f8352124-56fa-4f94-9441-425109cdc14b |
| Monitoring | 0e0c742d-5031-4e65-bf96-1bee7cf55740 | Enable logging by category group for SignalR (microsoft.signalrservice/signalr) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for SignalR (microsoft.signalrservice/signalr). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add | 2023-02-10 18:41:56 0e0c742d-5031-4e65-bf96-1bee7cf55740 |
| Monitoring | b4a9c220-1d62-4163-a17b-30db7d5b7278 | Enable logging by category group for Virtual network gateways (microsoft.network/virtualnetworkgateways) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Virtual network gateways (microsoft.network/virtualnetworkgateways). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add | 2023-02-10 18:41:56 b4a9c220-1d62-4163-a17b-30db7d5b7278 |
| Monitoring | fc602c00-2ce3-4556-b615-fa4159517103 | Enable logging by category group for Public IP addresses (microsoft.network/publicipaddresses) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Public IP addresses (microsoft.network/publicipaddresses). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add | 2023-02-10 18:41:56 fc602c00-2ce3-4556-b615-fa4159517103 |
| Monitoring | fc744b31-a930-4eb5-bc06-e81f98bf7214 | Enable logging by category group for SignalR (microsoft.signalrservice/signalr) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for SignalR (microsoft.signalrservice/signalr). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add | 2023-02-10 18:41:56 fc744b31-a930-4eb5-bc06-e81f98bf7214 |
| Monitoring | 0277b2d5-6e6f-4d97-9929-a5c4eab56fd7 | Enable logging by category group for Service Bus Namespaces (microsoft.servicebus/namespaces) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Service Bus Namespaces (microsoft.servicebus/namespaces). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add | 2023-02-10 18:41:56 0277b2d5-6e6f-4d97-9929-a5c4eab56fd7 |
| Monitoring | ae48c709-d2b4-4fad-8c5c-838524130aa4 | Enable logging by category group for Azure Machine Learning (microsoft.machinelearningservices/workspaces) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Azure Machine Learning (microsoft.machinelearningservices/workspaces). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add | 2023-02-10 18:41:56 ae48c709-d2b4-4fad-8c5c-838524130aa4 |
| Monitoring | 9e6aee71-3781-4acd-bba7-aac4fb067dfa | Enable logging by category group for SQL databases (microsoft.sql/servers/databases) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for SQL databases (microsoft.sql/servers/databases). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add | 2023-02-10 18:41:56 9e6aee71-3781-4acd-bba7-aac4fb067dfa |
| Monitoring | 0da6faeb-d6c6-4f6e-9f49-06277493270b | Enable logging by category group for Web PubSub Service (microsoft.signalrservice/webpubsub) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Web PubSub Service (microsoft.signalrservice/webpubsub). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add | 2023-02-10 18:41:56 0da6faeb-d6c6-4f6e-9f49-06277493270b |
| Monitoring | 3d034ef2-001c-46f6-a47b-e6e4a74ff89b | Enable logging by category group for Web PubSub Service (microsoft.signalrservice/webpubsub) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Web PubSub Service (microsoft.signalrservice/webpubsub). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add | 2023-02-10 18:41:56 3d034ef2-001c-46f6-a47b-e6e4a74ff89b |
| Monitoring | 567c93f7-3661-494f-a30f-0a94d9bfebf8 | Enable logging by category group for API Management services (microsoft.apimanagement/service) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for API Management services (microsoft.apimanagement/service). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add | 2023-02-10 18:41:56 567c93f7-3661-494f-a30f-0a94d9bfebf8 |
| Monitoring | 6b359d8f-f88d-4052-aa7c-32015963ecc1 | Enable logging by category group for Key vaults (microsoft.keyvault/vaults) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Key vaults (microsoft.keyvault/vaults). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add | 2023-02-10 18:41:56 6b359d8f-f88d-4052-aa7c-32015963ecc1 |
| Monitoring | d3e11828-02c8-40d2-a518-ad01508bb4d7 | Enable logging by category group for Azure Cache for Redis (microsoft.cache/redis) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Azure Cache for Redis (microsoft.cache/redis). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add | 2023-02-10 18:41:56 d3e11828-02c8-40d2-a518-ad01508bb4d7 |
| Monitoring | b797045a-b3cd-46e4-adc4-bbadb3381d78 | Enable logging by category group for Automation Accounts (microsoft.automation/automationaccounts) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Automation Accounts (microsoft.automation/automationaccounts). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add | 2023-02-10 18:41:56 b797045a-b3cd-46e4-adc4-bbadb3381d78 |
| SQL | 146412e9-005c-472b-9e48-c87b72ac229e | An Azure Active Directory administrator should be provisioned for MySQL servers | Audit provisioning of an Azure Active Directory administrator for your MySQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add | 2023-02-10 18:41:56 146412e9-005c-472b-9e48-c87b72ac229e |
|
| Monitoring | 480851ae-9ff3-49d1-904c-b5bd6f83f1ec | Enable logging by category group for Event Hubs Namespaces (microsoft.eventhub/namespaces) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Event Hubs Namespaces (microsoft.eventhub/namespaces). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add | 2023-02-10 18:41:56 480851ae-9ff3-49d1-904c-b5bd6f83f1ec |
| Monitoring | 818719e5-1338-4776-9a9d-3c31e4df5986 | Enable logging by category group for Log Analytics workspaces (microsoft.operationalinsights/workspaces) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Log Analytics workspaces (microsoft.operationalinsights/workspaces). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add | 2023-02-10 18:41:56 818719e5-1338-4776-9a9d-3c31e4df5986 |
| Monitoring | 441af8bf-7c88-4efc-bd24-b7be28d4acce | Enable logging by category group for Event Hubs Namespaces (microsoft.eventhub/namespaces) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Event Hubs Namespaces (microsoft.eventhub/namespaces). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add | 2023-02-10 18:41:56 441af8bf-7c88-4efc-bd24-b7be28d4acce |
| Monitoring | 6201aeb7-2b5c-4671-8ab4-5d3ba4d77f3b | Enable logging by category group for Front Door and CDN profiles (microsoft.cdn/profiles) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Front Door and CDN profiles (microsoft.cdn/profiles). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add | 2023-02-10 18:41:56 6201aeb7-2b5c-4671-8ab4-5d3ba4d77f3b |
| Monitoring | 6567d3f3-42d0-4cfb-9606-9741ba60fa07 | Enable logging by category group for SQL databases (microsoft.sql/servers/databases) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for SQL databases (microsoft.sql/servers/databases). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add | 2023-02-10 18:41:56 6567d3f3-42d0-4cfb-9606-9741ba60fa07 |
| Monitoring | 46b2dd5d-3936-4347-8908-b298ea4466d3 | Enable logging by category group for Event Grid Topics (microsoft.eventgrid/topics) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Event Grid Topics (microsoft.eventgrid/topics). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add | 2023-02-10 18:41:56 46b2dd5d-3936-4347-8908-b298ea4466d3 |
| Monitoring | 6b4b3d79-2eeb-4612-b3d1-99ef609ffa4e | Enable logging by category group for Microsoft Purview accounts (microsoft.purview/accounts) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Microsoft Purview accounts (microsoft.purview/accounts). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add | 2023-02-10 18:41:56 6b4b3d79-2eeb-4612-b3d1-99ef609ffa4e |
| Monitoring | 6f3f5778-f809-4755-9d8f-bd5a5a7add85 | Enable logging by category group for API Management services (microsoft.apimanagement/service) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for API Management services (microsoft.apimanagement/service). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add | 2023-02-10 18:41:56 6f3f5778-f809-4755-9d8f-bd5a5a7add85 |
| Monitoring | e488a548-7afd-43a7-a903-2a6dd36e7504 | Enable logging by category group for Attestation providers (microsoft.attestation/attestationproviders) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Attestation providers (microsoft.attestation/attestationproviders). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add | 2023-02-10 18:41:56 e488a548-7afd-43a7-a903-2a6dd36e7504 |
| Monitoring | 0628b917-d4b4-4af5-bc2b-b4f87cd173ab | Enable logging by category group for Cognitive Services (microsoft.cognitiveservices/accounts) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Cognitive Services (microsoft.cognitiveservices/accounts). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add | 2023-02-10 18:41:56 0628b917-d4b4-4af5-bc2b-b4f87cd173ab |
| Monitoring | a853abad-dfa4-4bf5-aaa1-04cb10c02d23 | Enable logging by category group for Log Analytics workspaces (microsoft.operationalinsights/workspaces) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Log Analytics workspaces (microsoft.operationalinsights/workspaces). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add | 2023-02-10 18:41:56 a853abad-dfa4-4bf5-aaa1-04cb10c02d23 |
| Monitoring | 2e8a8853-917a-4d26-9c3a-c92a7fa031e8 | Enable logging by category group for App Configuration (microsoft.appconfiguration/configurationstores) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for App Configuration (microsoft.appconfiguration/configurationstores). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add | 2023-02-10 18:41:56 2e8a8853-917a-4d26-9c3a-c92a7fa031e8 |
| SQL | b4dec045-250a-48c2-b5cc-e0c4eec8b5b4 | An Azure Active Directory administrator should be provisioned for PostgreSQL servers | Audit provisioning of an Azure Active Directory administrator for your PostgreSQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add | 2023-02-10 18:41:56 b4dec045-250a-48c2-b5cc-e0c4eec8b5b4 |
|
| Update Management Center | ba0df93e-e4ac-479a-aac2-134bbae39a1a | [Preview]: Schedule recurring updates using Update Management Center | You can use update management center (private preview) in Azure to save recurring deployment schedules to install operating system updates for your Windows Server and Linux machines in Azure, in on-premises environments, and in other cloud environments connected using Azure Arc-enabled servers. This policy will also change the patch mode for the Azure Virtual Machine to 'AutomaticByPlatform'. See more: https://aka.ms/umc-scheduled-patching | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
change | 2023-02-10 18:41:56 Minor, suffix remains equal (3.0.0-preview > 3.1.0-preview) |
| Monitoring | 20f21bc7-b0b8-4d57-83df-5a8a0912b934 | Enable logging by category group for Volumes (microsoft.netapp/netappaccounts/capacitypools/volumes) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Volumes (microsoft.netapp/netappaccounts/capacitypools/volumes). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add | 2023-02-10 18:41:56 20f21bc7-b0b8-4d57-83df-5a8a0912b934 |
| Monitoring | 1513498c-3091-461a-b321-e9b433218d28 | Enable logging by category group for Public IP addresses (microsoft.network/publicipaddresses) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Public IP addresses (microsoft.network/publicipaddresses). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add | 2023-02-10 18:41:56 1513498c-3091-461a-b321-e9b433218d28 |
| Monitoring | aec4c33f-2f2a-4fd3-91cd-24a939513c60 | Enable logging by category group for Azure Cache for Redis (microsoft.cache/redis) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure Cache for Redis (microsoft.cache/redis). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add | 2023-02-10 18:41:56 aec4c33f-2f2a-4fd3-91cd-24a939513c60 |
| Monitoring | 71153be3-4742-4aae-9aec-150f7589311b | Enable logging by category group for Key vaults (microsoft.keyvault/vaults) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Key vaults (microsoft.keyvault/vaults). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add | 2023-02-10 18:41:56 71153be3-4742-4aae-9aec-150f7589311b |
| Monitoring | f5094957-e0f7-4af2-9e14-13d60141dc4a | Enable logging by category group for Event Grid Topics (microsoft.eventgrid/topics) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Event Grid Topics (microsoft.eventgrid/topics). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add | 2023-02-10 18:41:56 f5094957-e0f7-4af2-9e14-13d60141dc4a |
| Monitoring | 614d9fbd-68cd-4832-96db-3362069661b2 | Enable logging by category group for IoT Hub (microsoft.devices/iothubs) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for IoT Hub (microsoft.devices/iothubs). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add | 2023-02-10 18:41:56 614d9fbd-68cd-4832-96db-3362069661b2 |
| Monitoring | 1abe42e1-a726-4dee-94c2-79f364dac9b7 | Enable logging by category group for Managed HSMs (microsoft.keyvault/managedhsms) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Managed HSMs (microsoft.keyvault/managedhsms). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add | 2023-02-10 18:41:56 1abe42e1-a726-4dee-94c2-79f364dac9b7 |
| Monitoring | 34c7546c-d637-4b5d-96ab-93fb6ed07af8 | Enable logging by category group for Video Analyzers (microsoft.media/videoanalyzers) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Video Analyzers (microsoft.media/videoanalyzers). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add | 2023-02-10 18:41:56 34c7546c-d637-4b5d-96ab-93fb6ed07af8 |
| Monitoring | 8d253bba-a338-4fd9-9752-6b6edadca1eb | Enable logging by category group for Media Services (microsoft.media/mediaservices) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Media Services (microsoft.media/mediaservices). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add | 2023-02-10 18:41:56 8d253bba-a338-4fd9-9752-6b6edadca1eb |
| Monitoring | 8656d368-0643-4374-a63f-ae0ed4da1d9a | Enable logging by category group for SQL databases (microsoft.sql/servers/databases) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for SQL databases (microsoft.sql/servers/databases). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add | 2023-02-10 18:41:56 8656d368-0643-4374-a63f-ae0ed4da1d9a |
| Monitoring | cac9e1c5-c3cb-47fa-8d4c-88b8559262d2 | Enable logging by category group for microsoft.network/p2svpngateways to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.network/p2svpngateways. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add | 2023-02-10 18:41:56 cac9e1c5-c3cb-47fa-8d4c-88b8559262d2 |
| Monitoring | 56288eb2-4350-461d-9ece-2bb242269dce | Enable logging by category group for Container registries (microsoft.containerregistry/registries) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Container registries (microsoft.containerregistry/registries). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add | 2023-02-10 18:41:56 56288eb2-4350-461d-9ece-2bb242269dce |
| Monitoring | e9c56c41-d453-4a80-af93-2331afeb3d82 | Enable logging by category group for Front Door and CDN profiles (microsoft.network/frontdoors) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Front Door and CDN profiles (microsoft.network/frontdoors). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add | 2023-02-10 18:41:56 e9c56c41-d453-4a80-af93-2331afeb3d82 |
| Managed Identity | 516187d4-ef64-4a1b-ad6b-a7348502976c | [Preview]: Assign Built-In User-Assigned Managed Identity to Virtual Machine Scale Sets | Create and assign a built-in user-assigned managed identity or assign a pre-created user-assigned managed identity at scale to virtual machine scale sets. For more detailed documentation, visit aka.ms/managedidentitypolicy. | Default DeployIfNotExists Allowed AuditIfNotExists, DeployIfNotExists, Disabled |
count: 002 •Contributor •User Access Administrator |
change | 2023-02-10 18:41:56 Patch, suffix remains equal (1.0.2-preview > 1.0.3-preview) |
| Monitoring | eb5a4c26-04cb-4ab1-81cb-726dc58df772 | Enable logging by category group for Front Door and CDN profiles (microsoft.network/frontdoors) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Front Door and CDN profiles (microsoft.network/frontdoors). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add | 2023-02-10 18:41:56 eb5a4c26-04cb-4ab1-81cb-726dc58df772 |
| Monitoring | 9ba29e83-863d-4fec-81d0-16dd87067cc3 | Enable logging by category group for Container registries (microsoft.containerregistry/registries) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Container registries (microsoft.containerregistry/registries). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add | 2023-02-10 18:41:56 9ba29e83-863d-4fec-81d0-16dd87067cc3 |
| Monitoring | 0925a080-ab8d-44a1-a39c-61e184b4d8f9 | Enable logging by category group for Media Services (microsoft.media/mediaservices) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Media Services (microsoft.media/mediaservices). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add | 2023-02-10 18:41:56 0925a080-ab8d-44a1-a39c-61e184b4d8f9 |
| Monitoring | 6b2899d8-5fdf-4ade-ba59-f1f82664877b | Enable logging by category group for Bastions (microsoft.network/bastionhosts) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Bastions (microsoft.network/bastionhosts). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add | 2023-02-10 18:41:56 6b2899d8-5fdf-4ade-ba59-f1f82664877b |
| Monitoring | 3496f6fd-57ba-485c-8a14-183c4493b781 | Enable logging by category group for Event Grid Partner Namespaces (microsoft.eventgrid/partnernamespaces) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Event Grid Partner Namespaces (microsoft.eventgrid/partnernamespaces). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add | 2023-02-10 18:41:56 3496f6fd-57ba-485c-8a14-183c4493b781 |
| Monitoring | 856331d3-0169-4dd9-9b04-cbb2ad3d1cf2 | Enable logging by category group for Attestation providers (microsoft.attestation/attestationproviders) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Attestation providers (microsoft.attestation/attestationproviders). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add | 2023-02-10 18:41:56 856331d3-0169-4dd9-9b04-cbb2ad3d1cf2 |
| Monitoring | 3dd58519-427e-42a4-8ffc-e415a3c716f1 | Enable logging by category group for Service Bus Namespaces (microsoft.servicebus/namespaces) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Service Bus Namespaces (microsoft.servicebus/namespaces). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add | 2023-02-10 18:41:56 3dd58519-427e-42a4-8ffc-e415a3c716f1 |
| Monitoring | 39741c6f-5e8b-4511-bba4-6662d0e0e2ac | Enable logging by category group for Attestation providers (microsoft.attestation/attestationproviders) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Attestation providers (microsoft.attestation/attestationproviders). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add | 2023-02-10 18:41:56 39741c6f-5e8b-4511-bba4-6662d0e0e2ac |
| Monitoring | 76539a09-021e-4300-953b-4c6018ac26dc | Enable logging by category group for Front Door and CDN profiles (microsoft.cdn/profiles) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Front Door and CDN profiles (microsoft.cdn/profiles). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add | 2023-02-10 18:41:56 76539a09-021e-4300-953b-4c6018ac26dc |
| Monitoring | e7c86682-34c1-488a-9aab-9cb279207992 | Enable logging by category group for Service Bus Namespaces (microsoft.servicebus/namespaces) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Service Bus Namespaces (microsoft.servicebus/namespaces). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add | 2023-02-10 18:41:56 e7c86682-34c1-488a-9aab-9cb279207992 |
| Monitoring | 55d1f543-d1b0-4811-9663-d6d0dbc6326d | Enable logging by category group for Cognitive Services (microsoft.cognitiveservices/accounts) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Cognitive Services (microsoft.cognitiveservices/accounts). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add | 2023-02-10 18:41:56 55d1f543-d1b0-4811-9663-d6d0dbc6326d |
| Monitoring | 9f4e810a-899e-4e5e-8174-abfcf15739a3 | Enable logging by category group for Front Door and CDN profiles (microsoft.cdn/profiles) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Front Door and CDN profiles (microsoft.cdn/profiles). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add | 2023-02-10 18:41:56 9f4e810a-899e-4e5e-8174-abfcf15739a3 |
| Monitoring | 93a604fe-0ec2-4a99-ab8c-7ef08f05555a | Enable logging by category group for SignalR (microsoft.signalrservice/signalr) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for SignalR (microsoft.signalrservice/signalr). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add | 2023-02-10 18:41:56 93a604fe-0ec2-4a99-ab8c-7ef08f05555a |
| Monitoring | fe85de62-a656-4b79-9d94-d95c89319bd9 | Enable logging by category group for Log Analytics workspaces (microsoft.operationalinsights/workspaces) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Log Analytics workspaces (microsoft.operationalinsights/workspaces). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add | 2023-02-10 18:41:56 fe85de62-a656-4b79-9d94-d95c89319bd9 |
| Monitoring | d9f11fea-dd45-46aa-8908-b7a146f1e543 | Enable logging by category group for Automation Accounts (microsoft.automation/automationaccounts) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Automation Accounts (microsoft.automation/automationaccounts). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add | 2023-02-10 18:41:56 d9f11fea-dd45-46aa-8908-b7a146f1e543 |
| Monitoring | b90ec596-faa6-4c61-9515-34085703e260 | Enable logging by category group for Event Grid Domains (microsoft.eventgrid/domains) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Event Grid Domains (microsoft.eventgrid/domains). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add | 2023-02-10 18:41:56 b90ec596-faa6-4c61-9515-34085703e260 |
| Monitoring | 07c818eb-df75-4465-9233-6a8667e86670 | Enable logging by category group for Automation Accounts (microsoft.automation/automationaccounts) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Automation Accounts (microsoft.automation/automationaccounts). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add | 2023-02-10 18:41:56 07c818eb-df75-4465-9233-6a8667e86670 |
| Monitoring | 5f6f2aba-e57f-42ed-9aeb-ffa7321a56db | Enable logging by category group for SQL managed instances (microsoft.sql/managedinstances) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for SQL managed instances (microsoft.sql/managedinstances). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add | 2023-02-10 18:41:56 5f6f2aba-e57f-42ed-9aeb-ffa7321a56db |
| Monitoring | 8d0726a6-abae-4b04-9d2e-1f2f67a47e6d | Enable logging by category group for App Configuration (microsoft.appconfiguration/configurationstores) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for App Configuration (microsoft.appconfiguration/configurationstores). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add | 2023-02-10 18:41:56 8d0726a6-abae-4b04-9d2e-1f2f67a47e6d |
| Monitoring | a142867f-3142-4ac6-b952-ab950a29fca5 | Enable logging by category group for Azure Cache for Redis (microsoft.cache/redis) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Azure Cache for Redis (microsoft.cache/redis). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add | 2023-02-10 18:41:56 a142867f-3142-4ac6-b952-ab950a29fca5 |
| Monitoring | 94d707a8-ce27-4851-9ce2-07dfe96a095b | Enable logging by category group for IoT Hub (microsoft.devices/iothubs) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for IoT Hub (microsoft.devices/iothubs). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add | 2023-02-10 18:41:56 94d707a8-ce27-4851-9ce2-07dfe96a095b |
| Monitoring | 6ccd32f6-0a9a-40cf-9c5b-6cfd6aba33e9 | Enable logging by category group for Virtual network gateways (microsoft.network/virtualnetworkgateways) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Virtual network gateways (microsoft.network/virtualnetworkgateways). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add | 2023-02-10 18:41:56 6ccd32f6-0a9a-40cf-9c5b-6cfd6aba33e9 |
| Monitoring | 5a6186f9-04a4-4320-b6ed-a1c3f2ebbc3b | Enable logging by category group for Managed HSMs (microsoft.keyvault/managedhsms) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Managed HSMs (microsoft.keyvault/managedhsms). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add | 2023-02-10 18:41:56 5a6186f9-04a4-4320-b6ed-a1c3f2ebbc3b |
| Monitoring | f969646f-b6b8-45a0-b736-bf9b4bb933dc | Enable logging by category group for Azure FarmBeats (microsoft.agfoodplatform/farmbeats) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure FarmBeats (microsoft.agfoodplatform/farmbeats). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add | 2023-02-10 18:41:56 f969646f-b6b8-45a0-b736-bf9b4bb933dc |
| Monitoring | 50cebe4c-8021-4f07-bcb2-6c80622444a9 | Enable logging by category group for AVS Private clouds (microsoft.avs/privateclouds) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for AVS Private clouds (microsoft.avs/privateclouds). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add | 2023-02-10 18:41:56 50cebe4c-8021-4f07-bcb2-6c80622444a9 |
| Monitoring | 00ec9865-beb6-4cfd-82ed-bd8f50756acd | Enable logging by category group for microsoft.network/p2svpngateways to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.network/p2svpngateways. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add | 2023-02-10 18:41:56 00ec9865-beb6-4cfd-82ed-bd8f50756acd |
| Monitoring | f873a711-0322-4744-8322-7e62950fbec2 | Enable logging by category group for Event Grid Partner Namespaces (microsoft.eventgrid/partnernamespaces) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Event Grid Partner Namespaces (microsoft.eventgrid/partnernamespaces). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add | 2023-02-10 18:41:56 f873a711-0322-4744-8322-7e62950fbec2 |
| Monitoring | a8de4d0a-d637-4684-b70e-6df73b74d117 | Enable logging by category group for Azure Machine Learning (microsoft.machinelearningservices/workspaces) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Azure Machine Learning (microsoft.machinelearningservices/workspaces). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add | 2023-02-10 18:41:56 a8de4d0a-d637-4684-b70e-6df73b74d117 |
| Monitoring | be9259e2-a221-4411-84fd-dd22c6691653 | Enable logging by category group for Bastions (microsoft.network/bastionhosts) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Bastions (microsoft.network/bastionhosts). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add | 2023-02-10 18:41:56 be9259e2-a221-4411-84fd-dd22c6691653 |
| Monitoring | 69214fad-6742-49a9-8f71-ee9d269364ab | Enable logging by category group for Media Services (microsoft.media/mediaservices) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Media Services (microsoft.media/mediaservices). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add | 2023-02-10 18:41:56 69214fad-6742-49a9-8f71-ee9d269364ab |
| Monitoring | ed6ae75a-828f-4fea-88fd-dead1145f1dd | Enable logging by category group for Virtual network gateways (microsoft.network/virtualnetworkgateways) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Virtual network gateways (microsoft.network/virtualnetworkgateways). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add | 2023-02-10 18:41:56 ed6ae75a-828f-4fea-88fd-dead1145f1dd |
| Monitoring | 106cd3bd-50a1-466c-869f-f9c2d310477b | Enable logging by category group for Container registries (microsoft.containerregistry/registries) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Container registries (microsoft.containerregistry/registries). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add | 2023-02-10 18:41:56 106cd3bd-50a1-466c-869f-f9c2d310477b |
| Monitoring | 8fc4ca5f-6abc-4b30-9565-0bd91ac49420 | Enable logging by category group for SQL managed instances (microsoft.sql/managedinstances) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for SQL managed instances (microsoft.sql/managedinstances). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add | 2023-02-10 18:41:56 8fc4ca5f-6abc-4b30-9565-0bd91ac49420 |
| Monitoring | a81eb966-6696-46b1-9153-bed01569a7d0 | Enable logging by category group for Event Grid Domains (microsoft.eventgrid/domains) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Event Grid Domains (microsoft.eventgrid/domains). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add | 2023-02-10 18:41:56 a81eb966-6696-46b1-9153-bed01569a7d0 |
| Monitoring | 39aa567d-69c2-4cc0-aaa9-76c6d4006b14 | Enable logging by category group for Public IP addresses (microsoft.network/publicipaddresses) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Public IP addresses (microsoft.network/publicipaddresses). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add | 2023-02-10 18:41:56 39aa567d-69c2-4cc0-aaa9-76c6d4006b14 |
| Monitoring | e20f31d7-6b6d-4644-962a-ae513a85ab0b | Enable logging by category group for Event Hubs Namespaces (microsoft.eventhub/namespaces) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Event Hubs Namespaces (microsoft.eventhub/namespaces). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add | 2023-02-10 18:41:56 e20f31d7-6b6d-4644-962a-ae513a85ab0b |
| Monitoring | 73fb42d8-b57f-41cd-a840-8f4dedb1dd27 | Enable logging by category group for AVS Private clouds (microsoft.avs/privateclouds) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for AVS Private clouds (microsoft.avs/privateclouds). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add | 2023-02-10 18:41:56 73fb42d8-b57f-41cd-a840-8f4dedb1dd27 |
| Managed Identity | d367bd60-64ca-4364-98ea-276775bddd94 | [Preview]: Assign Built-In User-Assigned Managed Identity to Virtual Machines | Create and assign a built-in user-assigned managed identity or assign a pre-created user-assigned managed identity at scale to virtual machines. For more detailed documentation, visit aka.ms/managedidentitypolicy. | Default DeployIfNotExists Allowed AuditIfNotExists, DeployIfNotExists, Disabled |
count: 002 •Contributor •User Access Administrator |
change | 2023-02-10 18:41:56 Patch, suffix remains equal (1.0.2-preview > 1.0.3-preview) |
| Monitoring | f08edf17-5de2-4966-8c62-a50a3f4368ff | Enable logging by category group for Video Analyzers (microsoft.media/videoanalyzers) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Video Analyzers (microsoft.media/videoanalyzers). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add | 2023-02-10 18:41:56 f08edf17-5de2-4966-8c62-a50a3f4368ff |
| Monitoring | a285df35-0164-4f4d-9e04-c39056742c55 | Enable logging by category group for Volumes (microsoft.netapp/netappaccounts/capacitypools/volumes) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Volumes (microsoft.netapp/netappaccounts/capacitypools/volumes). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add | 2023-02-10 18:41:56 a285df35-0164-4f4d-9e04-c39056742c55 |
| Monitoring | fcfe6bfa-dd36-40ef-ab2b-ed46f7d4abdb | Enable logging by category group for Event Grid Topics (microsoft.eventgrid/topics) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Event Grid Topics (microsoft.eventgrid/topics). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add | 2023-02-10 18:41:56 fcfe6bfa-dd36-40ef-ab2b-ed46f7d4abdb |
| Monitoring | fc66c506-9397-485e-9451-acc1525f0070 | Enable logging by category group for Microsoft Purview accounts (microsoft.purview/accounts) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Microsoft Purview accounts (microsoft.purview/accounts). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add | 2023-02-10 18:41:56 fc66c506-9397-485e-9451-acc1525f0070 |
| Monitoring | 3a8ff864-d881-44ce-bed3-0c63ede634cb | Enable logging by category group for API Management services (microsoft.apimanagement/service) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for API Management services (microsoft.apimanagement/service). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add | 2023-02-10 18:41:56 3a8ff864-d881-44ce-bed3-0c63ede634cb |
| Monitoring | edf35972-ed56-4c2f-a4a1-65f0471ba702 | Enable logging by category group for Key vaults (microsoft.keyvault/vaults) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Key vaults (microsoft.keyvault/vaults). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add | 2023-02-10 18:41:56 edf35972-ed56-4c2f-a4a1-65f0471ba702 |
| API Management | f1cc7827-022c-473e-836e-5a51cae0b249 | API Management secret named values should be stored in Azure Key Vault | Named values are a collection of name and value pairs in each API Management service. Secret values can be stored either as encrypted text in API Management (custom secrets) or by referencing secrets in Azure Key Vault. To improve security of API Management and secrets, reference secret named values from Azure Key Vault. Azure Key Vault supports granular access management and secret rotation policies. | Default Audit Allowed Audit, Disabled, Deny |
change | 2023-02-10 18:41:56 Patch (1.0.1 > 1.0.2) |
|
| Monitoring | b88bfd90-4da5-43eb-936f-ae1481924291 | Enable logging by category group for Managed HSMs (microsoft.keyvault/managedhsms) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Managed HSMs (microsoft.keyvault/managedhsms). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add | 2023-02-10 18:41:56 b88bfd90-4da5-43eb-936f-ae1481924291 |
| Monitoring | 90c90eda-bfe7-4c67-bf26-410420ed1047 | Enable logging by category group for Azure Machine Learning (microsoft.machinelearningservices/workspaces) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure Machine Learning (microsoft.machinelearningservices/workspaces). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add | 2023-02-10 18:41:56 90c90eda-bfe7-4c67-bf26-410420ed1047 |
| Monitoring | f6d5d5d5-0fa9-4257-b820-69c35016c973 | Enable logging by category group for Event Grid Partner Namespaces (microsoft.eventgrid/partnernamespaces) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Event Grid Partner Namespaces (microsoft.eventgrid/partnernamespaces). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add | 2023-02-10 18:41:56 f6d5d5d5-0fa9-4257-b820-69c35016c973 |
| Monitoring | 0f708273-cf83-4d29-b31b-ebaf8d0eb8c2 | Enable logging by category group for Azure FarmBeats (microsoft.agfoodplatform/farmbeats) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Azure FarmBeats (microsoft.agfoodplatform/farmbeats). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add | 2023-02-10 18:41:56 0f708273-cf83-4d29-b31b-ebaf8d0eb8c2 |
| Monitoring | a9ebdeda-251a-4311-92be-5167d73b1682 | Enable logging by category group for Azure FarmBeats (microsoft.agfoodplatform/farmbeats) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Azure FarmBeats (microsoft.agfoodplatform/farmbeats). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add | 2023-02-10 18:41:56 a9ebdeda-251a-4311-92be-5167d73b1682 |
| Monitoring | c3b912c2-7f5b-47ac-bd52-8c85a7667961 | Enable logging by category group for Volumes (microsoft.netapp/netappaccounts/capacitypools/volumes) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Volumes (microsoft.netapp/netappaccounts/capacitypools/volumes). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add | 2023-02-10 18:41:56 c3b912c2-7f5b-47ac-bd52-8c85a7667961 |
| Monitoring | 94f686d6-9a24-4e19-91f1-de937dc171a4 | Configure Windows Arc-enabled machines to run Azure Monitor Agent | Automate the deployment of Azure Monitor Agent extension on your Windows Arc-enabled machines for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Azure Connected Machine Resource Administrator |
change | 2023-02-03 18:39:01 Minor (2.1.0 > 2.2.0) |
| Monitoring | c24c537f-2516-4c2f-aac5-2cd26baa3d26 | Configure Windows Arc Machines to be associated with a Data Collection Rule or a Data Collection Endpoint | Deploy Association to link Windows Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations are updated over time as support is increased. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change | 2023-02-03 18:39:01 Minor (2.0.0 > 2.1.0) |
| Monitoring | 845857af-0333-4c5d-bbbc-6076697da122 | Configure Linux Arc-enabled machines to run Azure Monitor Agent | Automate the deployment of Azure Monitor Agent extension on your Linux Arc-enabled machines for collecting telemetry data from the guest OS. This policy will install the extension if the region is supported. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Azure Connected Machine Resource Administrator |
change | 2023-02-03 18:39:01 Minor (2.1.0 > 2.2.0) |
| Key Vault | a6abeaec-4d90-4a02-805f-6b26c4d3fbe9 | Azure Key Vaults should use private link | Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to key vault, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/akvprivatelink. | Default Audit Allowed Audit, Deny, Disabled |
change | 2023-02-03 18:39:01 Minor (1.0.1 > 1.2.1) |
|
| Monitoring | ec621e21-8b48-403d-a549-fc9023d4747f | Windows Arc-enabled machines should have Azure Monitor Agent installed | Windows Arc-enabled machines should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. Windows Arc-enabled machines in supported regions are monitored for Azure Monitor Agent deployment. Learn more: https://aka.ms/AMAOverview. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change | 2023-02-03 18:39:01 Minor (1.0.1 > 1.1.0) |
|
| Monitoring | eab1f514-22e3-42e3-9a1f-e1dc9199355c | Configure Windows Machines to be associated with a Data Collection Rule or a Data Collection Endpoint | Deploy Association to link Windows virtual machines, virtual machine scale sets, and Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change | 2023-02-03 18:39:01 Minor (4.0.0 > 4.1.0) |
| Monitoring | 2ea82cdd-f2e8-4500-af75-67a2e084ca74 | Configure Linux Machines to be associated with a Data Collection Rule or a Data Collection Endpoint | Deploy Association to link Linux virtual machines, virtual machine scale sets, and Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change | 2023-02-03 18:39:01 Minor (6.0.0 > 6.1.0) |
| Monitoring | f17d891d-ff20-46f2-bad3-9e0a5403a4d3 | Linux Arc-enabled machines should have Azure Monitor Agent installed | Linux Arc-enabled machines should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. This policy will audit Arc-enabled machines in supported regions. Learn more: https://aka.ms/AMAOverview. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change | 2023-02-03 18:39:01 Minor (1.0.1 > 1.1.0) |
|
| Monitoring | d5c37ce1-5f52-4523-b949-f19bf945b73a | Configure Linux Arc Machines to be associated with a Data Collection Rule or a Data Collection Endpoint | Deploy Association to link Linux Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations are updated over time as support is increased. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change | 2023-02-03 18:39:01 Minor (2.0.0 > 2.1.0) |
| SQL | 5e1de0e3-42cb-4ebc-a86d-61d0c619ca48 | Public network access should be disabled for PostgreSQL flexible servers | Disabling the public network access property improves security by ensuring your Azure Database for PostgreSQL flexible servers can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range and denies all logins that match IP or virtual network-based firewall rules. | Default Audit Allowed Audit, Deny, Disabled |
change | 2023-01-27 18:40:07 Patch (3.0.0 > 3.0.1) |
|
| Network | 5e1cd26a-5090-4fdb-9d6a-84a90335e22d | Configure network security groups to use specific workspace, storage account and flowlog retention policy for traffic analytics | If it already has traffic analytics enabled, then policy will overwrite its existing settings with the ones provided during policy creation. Traffic analytics is a cloud-based solution that provides visibility into user and application activity in cloud networks. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
change | 2023-01-27 18:40:07 Minor (1.1.0 > 1.2.0) |
| Network | e920df7f-9a64-4066-9b58-52684c02a091 | Configure network security groups to enable traffic analytics | Traffic analytics can be enabled for all network security groups hosted in a particular region with the settings provided during policy creation. If it already has Traffic analytics enabled, then policy does not overwrite its settings. Flow Logs are also enabled for the Network security groups that do not have it. Traffic analytics is a cloud-based solution that provides visibility into user and application activity in cloud networks. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
change | 2023-01-27 18:40:07 Minor (1.1.0 > 1.2.0) |
| API Management | 3aa03346-d8c5-4994-a5bc-7652c2a2aef1 | API Management subscriptions should not be scoped to all APIs | API Management subscriptions should be scoped to a product or an individual API instead of all APIs, which could result in an excessive data exposure. | Default Audit Allowed Audit, Disabled, Deny |
change | 2023-01-27 18:40:07 Minor (1.0.0 > 1.1.0) |
|
| Network | 0db34a60-64f4-4bf6-bd44-f95c16cf34b9 | Deploy a flow log resource with target network security group | Configures flow log for specific network security group. It will allow to log information about IP traffic flowing through an network security group. Flow log helps to identify unknown or undesired traffic, verify network isolation and compliance with enterprise access rules, analyze network flows from compromised IPs and network interfaces. | Fixed deployIfNotExists |
count: 001 •Contributor |
change | 2023-01-27 18:40:07 Minor (1.0.1 > 1.1.0) |
| SQL | fd2d1a6e-6d95-4df2-ad00-504bf0273406 | Configure Arc-enabled machines running SQL Server to have SQL Server extension installed. | To ensure that SQL Server - Azure Arc resources are created by default when SQL Server instance is found on Azure Arc enabled Windows/Linux Server, the latter should have SQL Server extension installed | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •User Access Administrator |
change | 2023-01-27 18:40:07 Minor (3.1.0 > 3.2.0) |
| Key Vault | 12d4fa5e-1f9f-4c21-97a9-b99b3c6611b5 | [Preview]: Azure Key Vault should use RBAC permission model | Enable RBAC permission model across Key Vaults. Learn more at: https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-migration | Default Audit Allowed Audit, Deny, Disabled |
add | 2023-01-27 18:40:07 12d4fa5e-1f9f-4c21-97a9-b99b3c6611b5 |
|
| Key Vault | ed7c8c13-51e7-49d1-8a43-8490431a0da2 | Deploy Diagnostic Settings for Key Vault to Event Hub | Deploys the diagnostic settings for Key Vault to stream to a regional Event Hub when any Key Vault which is missing this diagnostic settings is created or updated. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
change | 2023-01-23 18:07:09 Patch (3.0.0 > 3.0.1) |
| Kubernetes | 6b2122c1-8120-4ff5-801b-17625a355590 | Azure Arc enabled Kubernetes clusters should have the Azure Policy extension installed | The Azure Policy extension for Azure Arc provides at-scale enforcements and safeguards on your Arc enabled Kubernetes clusters in a centralized, consistent manner. Learn more at https://aka.ms/akspolicydoc. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change | 2023-01-23 18:07:09 Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) |
|
| Key Vault | ac673a9a-f77d-4846-b2d8-a57f8e1c01d4 | Configure Azure Key Vaults to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to key vault. Learn more at: https://aka.ms/akvprivatelink. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Network Contributor |
change | 2023-01-23 18:07:09 Patch, old suffix: preview (1.0.0-preview > 1.0.1) |
| Data Factory | 0088bc63-6dee-4a9c-9d29-91cfdc848952 | SQL Server Integration Services integration runtimes on Azure Data Factory should be joined to a virtual network | Azure Virtual Network deployment provides enhanced security and isolation for your SQL Server Integration Services integration runtimes on Azure Data Factory, as well as subnets, access control policies, and other features to further restrict access. | Default Audit Allowed Audit, Deny, Disabled |
change | 2023-01-23 18:07:09 Minor (2.0.0 > 2.1.0) |
|
| Kubernetes | 0adc5395-9169-4b9b-8687-af838d69410a | Configure Azure Arc enabled Kubernetes clusters to install the Azure Policy extension | Deploy Azure Policy's extension for Azure Arc to provide at-scale enforcements and safeguard your Arc enabled Kubernetes clusters in a centralized, consistent manner. Learn more at https://aka.ms/akspolicydoc. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Kubernetes Extension Contributor |
change | 2023-01-23 18:07:09 Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) |
| Backup | 2514263b-bc0d-4b06-ac3e-f262c0979018 | [Preview]: Immutability must be enabled for backup vaults | This policy audits if the immutable vaults property is enabled for Backup vaults in the scope. This helps protect your backup data from being deleted before its intended expiry. Learn more at https://aka.ms/AB-ImmutableVaults. | Default Audit Allowed Audit, Disabled |
add | 2023-01-23 18:07:09 2514263b-bc0d-4b06-ac3e-f262c0979018 |
|
| Key Vault | a6abeaec-4d90-4a02-805f-6b26c4d3fbe9 | Azure Key Vaults should use private link | Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to key vault, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/akvprivatelink. | Default Audit Allowed Audit, Deny, Disabled |
change | 2023-01-23 18:07:09 Patch, old suffix: preview (1.0.0-preview > 1.0.1) |
|
| Key Vault | 9d4fad1f-5189-4a42-b29e-cf7929c6b6df | Configure Azure Key Vaults with private endpoints | Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to key vault, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/akvprivatelink. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Key Vault Contributor •Network Contributor |
change | 2023-01-23 18:07:09 Patch, old suffix: preview (1.0.0-preview > 1.0.1) |
| Backup | 9798d31d-6028-4dee-8643-46102185c016 | [Preview]: Soft delete should be enabled for Backup Vaults | This policy audits if soft delete is enabled for Backup vaults in the scope. Soft delete can help you recover your data after it has been deleted. Learn more at https://aka.ms/AB-SoftDelete | Default Audit Allowed Audit, Disabled |
add | 2023-01-23 18:07:09 9798d31d-6028-4dee-8643-46102185c016 |
|
| Web PubSub | b66ab71c-582d-4330-adfd-ac162e78691e | Azure Web PubSub Service should have local authentication methods disabled | Disabling local authentication methods improves security by ensuring that Azure Web PubSub Service exclusively require Azure Active Directory identities for authentication. | Default Audit Allowed Audit, Deny, Disabled |
add | 2023-01-13 18:06:06 b66ab71c-582d-4330-adfd-ac162e78691e |
|
| Event Hub | 0602787f-9896-402a-a6e1-39ee63ee435e | Event Hub Namespaces should disable public network access | Azure Event Hub should have public network access disabled. Disabling public network access improves security by ensuring that the resource isn't exposed on the public internet. You can limit exposure of your resources by creating private endpoints instead. Learn more at: https://docs.microsoft.com/azure/event-hubs/private-link-service | Default Audit Allowed Audit, Deny, Disabled |
add | 2023-01-13 18:06:06 0602787f-9896-402a-a6e1-39ee63ee435e |
|
| Kubernetes | 64def556-fbad-4622-930e-72d1d5589bf5 | Configure Azure Kubernetes Service clusters to enable Defender profile | Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. When you enable the SecurityProfile.AzureDefender on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data. Learn more about Microsoft Defender for Containers: https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Contributor •Log Analytics Contributor |
change | 2023-01-13 18:06:06 Patch (4.0.0 > 4.0.1) |
| Data Factory | 85bb39b5-2f66-49f8-9306-77da3ac5130f | Azure Data Factory integration runtime should have a limit for number of cores | To manage your resources and costs, limit the number of cores for an integration runtime. | Default Audit Allowed Audit, Deny, Disabled |
change | 2023-01-13 18:06:06 Version remains equal, old suffix: preview (1.0.0-preview > 1.0.0) |
|
| Backup | 9ebbbba3-4d65-4da9-bb67-b22cfaaff090 | [Preview]: Azure Recovery Services vaults should disable public network access | Disabling public network access improves security by ensuring that recovery services vault is not exposed on the public internet. Creating private endpoints can limit exposure of recovery services vault. Learn more at: https://aka.ms/AB-PublicNetworkAccess-Deny. | Default Audit Allowed Audit, Deny, Disabled |
add | 2023-01-13 18:06:06 9ebbbba3-4d65-4da9-bb67-b22cfaaff090 |
|
| App Service | 7261b898-8a84-4db8-9e04-18527132abb3 | App Service apps that use PHP should use the latest 'PHP version' | Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for App Service apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux apps. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change | 2023-01-13 18:06:06 Minor (3.0.0 > 3.1.0) |
|
| Guest Configuration | 5752e6d6-1206-46d8-8ab1-ecc2f71a8112 | Windows web servers should be configured to use secure communication protocols | To protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change | 2023-01-13 18:06:06 Minor (4.0.0 > 4.1.0) |
|
| SQL | 057d6cfe-9c4f-4a6d-bc60-14420ea1f1a9 | [Deprecated]: Vulnerability Assessment settings for SQL server should contain an email address to receive scan reports | This policy is deprecated. The policy ensures that an email address is provided for the 'Send scan reports to' field in the Vulnerability Assessment settings. This email address receives scan result summary after a periodic scan runs on SQL servers. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change | 2023-01-13 18:06:06 Version remains equal, new suffix: deprecated (2.0.0 > 2.0.0-deprecated) |
|
| Backup | 98d0b9f8-fd90-49c9-88e2-d3baf3b0dd86 | Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy | Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupExcludeTag. | Default DeployIfNotExists Allowed auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled |
count: 002 •Backup Contributor •Virtual Machine Contributor |
change | 2023-01-13 18:06:06 Minor (9.0.0 > 9.1.0) |
| Key Vault | 1d478a74-21ba-4b9f-9d8f-8e6fced0eec5 | [Preview]: Azure Key Vault Managed HSM keys should have an expiration date | To use this policy in preview, you must first follow these instructions at https://aka.ms/mhsmgovernance. Cryptographic keys should have a defined expiration date and not be permanent. Keys that are valid forever provide a potential attacker with more time to compromise the key. It is a recommended security practice to set expiration dates on cryptographic keys. | Default Audit Allowed Audit, Deny, Disabled |
change | 2023-01-13 18:06:06 Patch, suffix remains equal (1.0.0-preview > 1.0.1-preview) |
|
| Key Vault | 86810a98-8e91-4a44-8386-ec66d0de5d57 | [Preview]: Azure Key Vault Managed HSM keys using RSA cryptography should have a specified minimum key size | To use this policy in preview, you must first follow these instructions at https://aka.ms/mhsmgovernance. Set the minimum allowed key size for use with your key vaults. Use of RSA keys with small key sizes is not a secure practice and doesn't meet many industry certification requirements. | Default Audit Allowed Audit, Deny, Disabled |
change | 2023-01-13 18:06:06 Patch, suffix remains equal (1.0.0-preview > 1.0.1-preview) |
|
| Container Registry | e9585a95-5b8c-4d03-b193-dc7eb5ac4c32 | Configure Container registries to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to your Container Registry. Learn more at: https://aka.ms/privatednszone and https://aka.ms/acr/private-link. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Network Contributor |
change | 2023-01-13 18:06:06 Patch (1.0.0 > 1.0.1) |
| Update Management Center | bfea026e-043f-4ff4-9d1b-bf301ca7ff46 | [Preview]: Configure periodic checking for missing system updates on azure Arc-enabled servers | Configure auto-assessment (every 24 hours) for OS updates on Azure Arc-enabled servers. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Fixed modify |
count: 001 •Azure Connected Machine Resource Administrator |
change | 2023-01-13 18:06:06 Minor, suffix remains equal (2.0.0-preview > 2.1.0-preview) |
| Data Factory | 77d40665-3120-4348-b539-3192ec808307 | Azure Data Factory should use a Git repository for source control | Enable source control on data factories, to gain capabilities such as change tracking, collaboration, continuous integration, and deployment. | Default Audit Allowed Audit, Deny, Disabled |
change | 2023-01-13 18:06:06 Version remains equal, old suffix: preview (1.0.0-preview > 1.0.0) |
|
| Service Bus | cbd11fd3-3002-4907-b6c8-579f0e700e13 | Service Bus Namespaces should disable public network access | Azure Service Bus should have public network access disabled. Disabling public network access improves security by ensuring that the resource isn't exposed on the public internet. You can limit exposure of your resources by creating private endpoints instead. Learn more at: https://docs.microsoft.com/azure/service-bus-messaging/private-link-service | Default Audit Allowed Audit, Deny, Disabled |
change | 2023-01-13 18:06:06 Minor (1.0.0 > 1.1.0) |
|
| Data Factory | f78ccdb4-7bf4-4106-8647-270491d2978a | Azure Data Factory linked services should use system-assigned managed identity authentication when it is supported | Using system-assigned managed identity when communicating with data stores via linked services avoids the use of less secured credentials such as passwords or connection strings. | Default Audit Allowed Audit, Deny, Disabled |
change | 2023-01-13 18:06:06 Version remains equal, old suffix: preview (2.0.0-preview > 2.0.0) |
|
| Backup | 345fa903-145c-4fe1-8bcd-93ec2adccde8 | Configure backup on virtual machines with a given tag to an existing recovery services vault in the same location | Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupIncludeTag. | Default DeployIfNotExists Allowed auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled |
count: 002 •Backup Contributor •Virtual Machine Contributor |
change | 2023-01-13 18:06:06 Minor (9.0.0 > 9.1.0) |
| Backup | 83644c87-93dd-49fe-bf9f-6aff8fd0834e | Configure backup on virtual machines with a given tag to a new recovery services vault with a default policy | Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupIncludeTag. | Default DeployIfNotExists Allowed auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled |
count: 002 •Backup Contributor •Virtual Machine Contributor |
change | 2023-01-13 18:06:06 Minor (9.0.0 > 9.1.0) |
| Security Center | 7926a6d1-b268-4586-8197-e8ae90c877d7 | [Preview]: Microsoft Defender for APIs should be enabled | Microsoft Defender for APIs brings new discovery, protection, detection, & response coverage to monitor for common API based attacks & security misconfigurations. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change | 2023-01-13 18:06:06 Patch, new suffix: preview (1.0.0 > 1.0.1-preview) |
|
| Key Vault | ad27588c-0198-4c84-81ef-08efd0274653 | [Preview]: Azure Key Vault Managed HSM Keys should have more than the specified number of days before expiration | To use this policy in preview, you must first follow these instructions at https://aka.ms/mhsmgovernance. If a key is too close to expiration, an organizational delay to rotate the key may result in an outage. Keys should be rotated at a specified number of days prior to expiration to provide sufficient time to react to a failure. | Default Audit Allowed Audit, Deny, Disabled |
change | 2023-01-13 18:06:06 Patch, suffix remains equal (1.0.0-preview > 1.0.1-preview) |
|
| Web PubSub | 17f9d984-90c8-43dd-b7a6-76cb694815c1 | Configure Azure Web PubSub Service to disable local authentication | Disable local authentication methods so that your Azure Web PubSub Service exclusively requires Azure Active Directory identities for authentication. | Default Modify Allowed Modify, Disabled |
count: 001 •SignalR/Web PubSub Contributor |
add | 2023-01-13 18:06:06 17f9d984-90c8-43dd-b7a6-76cb694815c1 |
| Machine Learning | ee40564d-486e-4f68-a5ca-7a621edae0fb | Configure Azure Machine Learning workspace to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Machine Learning workspaces. Learn more at: https://docs.microsoft.com/azure/machine-learning/how-to-network-security-overview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Network Contributor |
change | 2023-01-13 18:06:06 Minor (1.0.0 > 1.1.0) |
| Key Vault | e58fd0c1-feac-4d12-92db-0a7e9421f53e | [Preview]: Azure Key Vault Managed HSM keys using elliptic curve cryptography should have the specified curve names | To use this policy in preview, you must first follow these instructions at https://aka.ms/mhsmgovernance. Keys backed by elliptic curve cryptography can have different curve names. Some applications are only compatible with specific elliptic curve keys. Enforce the types of elliptic curve keys that are allowed to be created in your environment. | Default Audit Allowed Audit, Deny, Disabled |
change | 2023-01-13 18:06:06 Patch, suffix remains equal (1.0.0-preview > 1.0.1-preview) |
|
| Data Factory | 6809a3d0-d354-42fb-b955-783d207c62a8 | Azure Data Factory linked service resource type should be in allow list | Define the allow list of Azure Data Factory linked service types. Restricting allowed resource types enables control over the boundary of data movement. For example, restrict a scope to only allow blob storage with Data Lake Storage Gen1 and Gen2 for analytics or a scope to only allow SQL and Kusto access for real-time queries. | Default Audit Allowed Audit, Deny, Disabled |
change | 2023-01-13 18:06:06 Version remains equal, old suffix: preview (1.0.0-preview > 1.0.0) |
|
| Backup | 09ce66bc-1220-4153-8104-e3f51c936913 | Configure backup on virtual machines without a given tag to an existing recovery services vault in the same location | Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupExcludeTag. | Default DeployIfNotExists Allowed auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled |
count: 002 •Backup Contributor •Virtual Machine Contributor |
change | 2023-01-13 18:06:06 Minor (9.0.0 > 9.1.0) |
| SQL | 86a912f6-9a06-4e26-b447-11b16ba8659f | Deploy SQL DB transparent data encryption | Enables transparent data encryption on SQL databases | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •SQL DB Contributor |
change | 2023-01-13 18:06:06 Minor (2.1.0 > 2.2.0) |
| Security Center | e54d2be9-5f2e-4d65-98e4-4f0e670b23d6 | [Preview]: Configure Microsoft Defender for APIs should be enabled | Microsoft Defender for APIs brings new discovery, protection, detection, & response coverage to monitor for common API based attacks & security misconfigurations. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Security Admin |
change | 2023-01-13 18:06:06 Patch, new suffix: preview (1.0.0 > 1.0.1-preview) |
| Machine Learning | f110a506-2dcb-422e-bcea-d533fc8c35e2 | [Preview]: Audit Azure Machine Learning Compute Instances with an outdated operating system | Compute instances are non-compliant if the instance has an outdated operating system version. For more information, visit http://aka.ms/azureml-ci-updates/. | Fixed [parameters('effects')] |
add | 2023-01-13 18:06:06 f110a506-2dcb-422e-bcea-d533fc8c35e2 |
|
| Data Factory | 127ef6d7-242f-43b3-9eef-947faf1725d0 | Azure Data Factory linked services should use Key Vault for storing secrets | To ensure secrets (such as connection strings) are managed securely, require users to provide secrets using an Azure Key Vault instead of specifying them inline in linked services. | Default Audit Allowed Audit, Deny, Disabled |
change | 2023-01-13 18:06:06 Version remains equal, old suffix: preview (1.0.0-preview > 1.0.0) |
|
| General | a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | Audit usage of custom RBAC roles | Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling | Default Audit Allowed Audit, Disabled |
change | 2023-01-13 18:06:06 Patch (1.0.0 > 1.0.1) |
|
| Guest Configuration | 357cbd2d-b5c0-4c73-b40c-6bd84f06ce09 | [Preview]: Configure Windows Server to disable local users. | Creates a Guest Configuration assignment to configure disabling local users on Windows Server. This ensures that Windows Servers can only be accessed by AAD (Azure Active Directory) account or a list of explicitly allowed users by this policy, improving overall security posture. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Guest Configuration Resource Contributor |
change | 2023-01-04 18:03:56 Minor, suffix remains equal (1.1.0-preview > 1.2.0-preview) |
| Guest Configuration | cd22fc48-f2c9-4b86-98d3-ec1268b46a8a | Configure Linux Server to disable local users. | Creates a Guest Configuration assignment to configure disabling local users on Linux Server. This ensures that Linux Servers can only be accessed by AAD (Azure Active Directory) account or a list of explicitly allowed users by this policy, improving overall security posture. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Guest Configuration Resource Contributor |
change | 2023-01-04 18:03:56 Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) |
| Security Center | 221aac80-54d8-484b-83d7-24f4feac2ce0 | [Preview]: ChangeTracking extension should be installed on your Windows virtual machine | Install ChangeTracking Extension on Windows virtual machines to enable File Integrity Monitoring(FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitoring Agent. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change | 2022-12-21 17:43:51 Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) |
|
| ChangeTrackingAndInventory | 8fd85785-1547-4a4a-bf90-d5483c9571c5 | [Preview]: Configure Windows VMSS to be associated with a Data Collection Rule for ChangeTracking and Inventory | Deploy Association to link Windows virtual machine scale sets to specified Data Collection Rule to enable ChangeTracking and Inventory. The list of locations and OS images are updated over time as support is increased. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
add | 2022-12-21 17:43:51 8fd85785-1547-4a4a-bf90-d5483c9571c5 |
| Security Center | 8893442c-e7cb-4637-bab8-299a5d4ed96a | [Preview]: ChangeTracking extension should be installed on your Linux virtual machine | Install ChangeTracking Extension on Linux virtual machines to enable File Integrity Monitoring(FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitoring Agent. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change | 2022-12-21 17:43:51 Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) |
|
| Azure Databricks | 138ff14d-b687-4faa-a81c-898c91a87fa2 | Resource logs in Azure Databricks Workspace should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add | 2022-12-21 17:43:51 138ff14d-b687-4faa-a81c-898c91a87fa2 |
|
| Azure Databricks | 51c1490f-3319-459c-bbbc-7f391bbed753 | Clusters that are part of Azure Databricks Workspaces should disable public IP | Clusters part of Azure Databricks Workspaces should have public IP disabled. Disabling public IP of clusters in Azure Databricks Workspaces improves security by ensuring that the resource isn't exposed on the public internet. Learn more at: https://learn.microsoft.com/azure/databricks/security/secure-cluster-connectivity | Default Audit Allowed Audit, Deny, Disabled |
add | 2022-12-21 17:43:51 51c1490f-3319-459c-bbbc-7f391bbed753 |
|
| Guest Configuration | 357cbd2d-b5c0-4c73-b40c-6bd84f06ce09 | [Preview]: Configure Windows Server to disable local users. | Creates a Guest Configuration assignment to configure disabling local users on Windows Server. This ensures that Windows Servers can only be accessed by AAD (Azure Active Directory) account or a list of explicitly allowed users by this policy, improving overall security posture. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Guest Configuration Resource Contributor |
change | 2022-12-21 17:43:51 Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) |
| Security Center | e71c1e29-9c76-4532-8c4b-cb0573b0014c | [Preview]: ChangeTracking extension should be installed on your Linux virtual machine scale sets | Install ChangeTracking Extension on Linux virtual machine scale sets to enable File Integrity Monitoring(FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitoring Agent. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change | 2022-12-21 17:43:51 Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) |
|
| Monitoring | d5c37ce1-5f52-4523-b949-f19bf945b73a | Configure Linux Arc Machines to be associated with a Data Collection Rule or a Data Collection Endpoint | Deploy Association to link Linux Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations are updated over time as support is increased. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change | 2022-12-21 17:43:51 Major (1.0.1 > 2.0.0) |
| ChangeTrackingAndInventory | 09a1f130-7697-42bc-8d84-8a9ea17e5187 | [Preview]: Configure Linux Arc-enabled machines to to install AMA for ChangeTracking and Inventory | Automate the deployment of Azure Monitor Agent extension on your Linux Arc-enabled machines for enabling ChangeTracking and Inventory. This policy will install the extension if the region is supported. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Azure Connected Machine Resource Administrator |
add | 2022-12-21 17:43:51 09a1f130-7697-42bc-8d84-8a9ea17e5187 |
| ChangeTrackingAndInventory | ef9fe2ce-a588-4edd-829c-6247069dcfdb | [Preview]: Configure Windows Arc-enabled machines to be associated with a Data Collection Rule for ChangeTracking and Inventory | Deploy Association to link Windows Arc-enabled machines to specified Data Collection Rule to enable ChangeTracking and Inventory. The list of locations are updated over time as support is increased. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
add | 2022-12-21 17:43:51 ef9fe2ce-a588-4edd-829c-6247069dcfdb |
| Guest Configuration | cd22fc48-f2c9-4b86-98d3-ec1268b46a8a | Configure Linux Server to disable local users. | Creates a Guest Configuration assignment to configure disabling local users on Linux Server. This ensures that Linux Servers can only be accessed by AAD (Azure Active Directory) account or a list of explicitly allowed users by this policy, improving overall security posture. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Guest Configuration Resource Contributor |
add | 2022-12-21 17:43:51 cd22fc48-f2c9-4b86-98d3-ec1268b46a8a |
| Update Management Center | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | [Preview]: Machines should be configured to periodically check for missing system updates | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Default Audit Allowed Audit, Deny, Disabled |
change | 2022-12-21 17:43:51 Major, suffix remains equal (2.0.0-preview > 3.0.0-preview) |
|
| Security Center | 4bb303db-d051-4099-95d2-e3e1428a4d00 | [Preview]: ChangeTracking extension should be installed on your Windows virtual machine scale sets | Install ChangeTracking Extension on Windows virtual machine scale sets to enable File Integrity Monitoring(FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitoring Agent. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change | 2022-12-21 17:43:51 Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) |
|
| App Service | ab9ca4fc-5d29-4c62-bbad-018df1f5f0dd | [Deprecated]: App Service app slots should enable outbound non-RFC 1918 traffic to Azure Virtual Network | By default, if one uses regional Azure Virtual Network (VNET) integration, the app only routes RFC1918 traffic into that respective virtual network. Using the API to set 'vnetRouteAllEnabled' to true enables all outbound traffic into the Azure Virtual Network. This setting allows features like network security groups and user defined routes to be used for all outbound traffic from the App Service app. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change | 2022-12-21 17:43:51 Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated) |
|
| Security Center | d30025d0-6d64-656d-6465-67688881b632 | [Preview]: Deploy Microsoft Defender for Endpoint agent on Linux virtual machines | Deploys Microsoft Defender for Endpoint agent on applicable Linux VM images. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Contributor |
change | 2022-12-21 17:43:51 Major, suffix remains equal (2.0.1-preview > 3.0.0-preview) |
| Monitoring | 58e891b9-ce13-4ac3-86e4-ac3e1f20cb07 | Configure Linux Virtual Machines to be associated with a Data Collection Rule or a Data Collection Endpoint | Deploy Association to link Linux virtual machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change | 2022-12-21 17:43:51 Major (3.0.0 > 4.0.0) |
| Security Center | ec88097d-843f-4a92-8471-78016d337ba4 | [Preview]: Configure ChangeTracking Extension for Linux virtual machines | Configure Linux virtual machines to automatically install the ChangeTracking Extension to enable File Integrity Monitoring(FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitor Agent. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change | 2022-12-21 17:43:51 Major, suffix remains equal (1.1.0-preview > 2.0.0-preview) |
| ChangeTrackingAndInventory | a7acfae7-9497-4a3f-a3b5-a16a50abbe2f | [Preview]: Configure Windows Arc-enabled machines to install AMA for ChangeTracking and Inventory | Automate the deployment of Azure Monitor Agent extension on your Windows Arc-enabled machines for enabling ChangeTracking and Inventory. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Azure Connected Machine Resource Administrator |
add | 2022-12-21 17:43:51 a7acfae7-9497-4a3f-a3b5-a16a50abbe2f |
| Security Center | 1288c8d7-4b05-4e3a-bc88-9053caefc021 | [Preview]: Configure ChangeTracking Extension for Linux virtual machine scale sets | Configure Linux virtual machine scale sets to automatically install the ChangeTracking Extension to enable File Integrity Monitoring(FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitor Agent. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change | 2022-12-21 17:43:51 Major, suffix remains equal (1.1.0-preview > 2.0.0-preview) |
| Storage | 2fb86bf3-d221-43d1-96d1-2434af34eaa0 | Configure diagnostic settings for Table Services to Log Analytics workspace | Deploys the diagnostic settings for Table Services to stream resource logs to a Log Analytics workspace when any table Service which is missing this diagnostic settings is created or updated. Note: This policy is not triggered upon Storage Account creation and requires creation of a remediation task in order to update for the account. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change | 2022-12-21 17:43:51 Patch (4.0.0 > 4.0.1) |
| Monitoring | 0a3b9bf4-d30e-424a-af6b-9a93f6f78792 | Configure Windows Virtual Machine Scale Sets to be associated with a Data Collection Rule or a Data Collection Endpoint | Deploy Association to link Windows virtual machine scale sets to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change | 2022-12-21 17:43:51 Major (2.0.0 > 3.0.0) |
| Update Management Center | 59efceea-0c96-497e-a4a1-4eb2290dac15 | [Preview]: Configure periodic checking for missing system updates on azure virtual machines | Configure auto-assessment (every 24 hours) for OS updates on native Azure virtual machines. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Fixed modify |
count: 001 •Virtual Machine Contributor |
change | 2022-12-21 17:43:51 Major, suffix remains equal (3.0.0-preview > 4.0.0-preview) |
| Machine Learning | afe0c3be-ba3b-4544-ba52-0c99672a8ad6 | Resource logs in Azure Machine Learning workspace should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add | 2022-12-21 17:43:51 afe0c3be-ba3b-4544-ba52-0c99672a8ad6 |
|
| App Service | 801543d1-1953-4a90-b8b0-8cf6d41473a5 | App Service apps should enable configuration routing to Azure Virtual Network | By default, app configuration such as pulling container images and mounting content storage will not be routed through the regional virtual network integration. Using the API to set routing options to true enables configuration traffic through the Azure Virtual Network. These settings allow features like network security groups and user defined routes to be used, and service endpoints to be private. For more information, visit https://aka.ms/appservice-vnet-configuration-routing. | Default Audit Allowed Audit, Deny, Disabled |
add | 2022-12-21 17:43:51 801543d1-1953-4a90-b8b0-8cf6d41473a5 |
|
| Security Center | 30f52897-df47-4ca0-81a8-a3be3e8dd226 | [Preview]: Configure Association to link Arc machines to default Microsoft Defender for Cloud Data Collection Rule | Configure Arc machines to automatically create an association with the default data collection rule for Microsoft Defender for Cloud. Deleting this association will break the detection of security vulnerabilities for this Arc machine. Target Arc machines must be in a supported location. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change | 2022-12-21 17:43:51 Major, suffix remains equal (1.1.1-preview > 2.0.0-preview) |
| ChangeTrackingAndInventory | 09a1f130-7697-42bc-8d84-8a9ea17e5192 | [Preview]: Configure Linux Arc-enabled machines to be associated with a Data Collection Rule for ChangeTracking and Inventory | Deploy Association to link Linux Arc-enabled machines to specified Data Collection Rule to enable ChangeTracking and Inventory. The list of locations are updated over time as support is increased. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
add | 2022-12-21 17:43:51 09a1f130-7697-42bc-8d84-8a9ea17e5192 |
| App Service | f5c0bfb3-acea-47b1-b477-b0edcdf6edc1 | App Service app slots should enable outbound non-RFC 1918 traffic to Azure Virtual Network | By default, if one uses regional Azure Virtual Network (VNET) integration, the app only routes RFC1918 traffic into that respective virtual network. Using the API to set 'vnetRouteAllEnabled' to true enables all outbound traffic into the Azure Virtual Network. This setting allows features like network security groups and user defined routes to be used for all outbound traffic from the App Service app. | Default Audit Allowed Audit, Deny, Disabled |
add | 2022-12-21 17:43:51 f5c0bfb3-acea-47b1-b477-b0edcdf6edc1 |
|
| Update Management Center | bfea026e-043f-4ff4-9d1b-bf301ca7ff46 | [Preview]: Configure periodic checking for missing system updates on azure Arc-enabled servers | Configure auto-assessment (every 24 hours) for OS updates on Azure Arc-enabled servers. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Fixed modify |
count: 001 •Azure Connected Machine Resource Administrator |
change | 2022-12-21 17:43:51 Major, suffix remains equal (1.1.0-preview > 2.0.0-preview) |
| Monitoring | 244efd75-0d92-453c-b9a3-7d73ca36ed52 | Configure Windows Virtual Machines to be associated with a Data Collection Rule or a Data Collection Endpoint | Deploy Association to link Windows virtual machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change | 2022-12-21 17:43:51 Major (2.0.0 > 3.0.0) |
| Azure Databricks | 23057b42-ca8d-4aa0-a3dc-96a98b5b5a3d | Configure diagnostic settings for Azure Databricks Workspace to Log Analytics workspace | Deploys the diagnostic settings for Azure Databricks Workspace to stream resource logs to a Log Analytics workspace when any Azure Databricks Workspace which is missing this diagnostic settings is created or updated. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
add | 2022-12-21 17:43:51 23057b42-ca8d-4aa0-a3dc-96a98b5b5a3d |
| Security Center | a2ea54a3-9707-45e3-8230-bbda8309d17e | [Preview]: Configure Association to link virtual machines to default Microsoft Defender for Cloud Data Collection Rule | Configure machines to automatically create an association with the default data collection rule for Microsoft Defender for Cloud. Deleting this association will break the detection of security vulnerabilities for this virtual machine. Target virtual machines must be in a supported location. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change | 2022-12-21 17:43:51 Major, suffix remains equal (2.1.1-preview > 3.0.0-preview) |
| Monitoring | 7f89b1eb-583c-429a-8828-af049802c1d9 | Audit diagnostic setting for selected resource types | Audit diagnostic setting for selected resource types. Be sure to select only resource types which support diagnostics settings. | Fixed AuditIfNotExists |
change | 2022-12-21 17:43:51 Patch (2.0.0 > 2.0.1) |
|
| Guest Configuration | 5fe81c49-16b6-4870-9cee-45d13bf902ce | Local authentication methods should be disabled on Windows Servers | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows servers don't have local authentication methods disabled. This is to validate that Windows Servers can only be accessed by AAD (Azure Active Directory) account or a list of explicitly allowed users by this policy, improving overall security posture. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add | 2022-12-21 17:43:51 5fe81c49-16b6-4870-9cee-45d13bf902ce |
|
| Monitoring | 050a90d5-7cce-483f-8f6c-0df462036dda | Configure Linux Virtual Machine Scale Sets to be associated with a Data Collection Rule or a Data Collection Endpoint | Deploy Association to link Linux virtual machine scale sets to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change | 2022-12-21 17:43:51 Major (3.0.0 > 4.0.0) |
| ChangeTrackingAndInventory | ad1eeff9-20d7-4c82-a04e-903acab0bfc1 | [Preview]: Configure Windows VMs to install AMA for ChangeTracking and Inventory with user-assigned managed identity | Automate the deployment of Azure Monitor Agent extension on your Windows virtual machines for enabling ChangeTracking and Inventory. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
add | 2022-12-21 17:43:51 ad1eeff9-20d7-4c82-a04e-903acab0bfc1 |
| Security Center | 9c0aa188-e5fe-4569-8f74-b6e155624d9a | [Preview]: Configure Association to link virtual machines to user-defined Microsoft Defender for Cloud Data Collection Rule | Configure machines to automatically create an association with the user-defined data collection rule for Microsoft Defender for Cloud. Deleting this association will break the detection of security vulnerabilities for this virtual machine. Target virtual machines must be in a supported location. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change | 2022-12-21 17:43:51 Major, suffix remains equal (1.1.1-preview > 2.0.0-preview) |
| ChangeTrackingAndInventory | 4485d24b-a9d3-4206-b691-1fad83bc5007 | [Preview]: Configure Windows VMSS to install AMA for ChangeTracking and Inventory with user-assigned managed identity | Automate the deployment of Azure Monitor Agent extension on your Windows virtual machine scale sets for enabling ChangeTracking and Inventory. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
add | 2022-12-21 17:43:51 4485d24b-a9d3-4206-b691-1fad83bc5007 |
| ChangeTrackingAndInventory | b73e81f3-6303-48ad-9822-b69fc00c15ef | [Preview]: Configure Linux VMSS to install AMA for ChangeTracking and Inventory with user-assigned managed identity | Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for enabling ChangeTracking and Inventory. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
add | 2022-12-21 17:43:51 b73e81f3-6303-48ad-9822-b69fc00c15ef |
| Monitoring | c24c537f-2516-4c2f-aac5-2cd26baa3d26 | Configure Windows Arc Machines to be associated with a Data Collection Rule or a Data Collection Endpoint | Deploy Association to link Windows Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations are updated over time as support is increased. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change | 2022-12-21 17:43:51 Major (1.0.1 > 2.0.0) |
| Security Center | 10caed8a-652c-4d1d-84e4-2805b7c07278 | [Preview]: Configure ChangeTracking Extension for Linux Arc machines | Configure Linux Arc machines to automatically install the ChangeTracking Extension to enable File Integrity Monitoring(FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitor Agent. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Azure Connected Machine Resource Administrator |
change | 2022-12-21 17:43:51 Major, suffix remains equal (1.1.0-preview > 2.0.0-preview) |
| ChangeTrackingAndInventory | 1142b015-2bd7-41e0-8645-a531afe09a1e | [Preview]: Configure Linux VMSS to be associated with a Data Collection Rule for ChangeTracking and Inventory | Deploy Association to link Linux virtual machine scale sets to the specified Data Collection Rule to enable ChangeTracking and Inventory. The list of locations and OS images are updated over time as support is increased. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
add | 2022-12-21 17:43:51 1142b015-2bd7-41e0-8645-a531afe09a1e |
| ChangeTrackingAndInventory | bef2d677-e829-492d-9a3d-f5a20fda818f | [Preview]: Configure Linux Virtual Machines to be associated with a Data Collection Rule for ChangeTracking and Inventory | Deploy Association to link Linux virtual machines to the specified Data Collection Rule to enable ChangeTracking and Inventory. The list of locations and OS images are updated over time as support is increased. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
add | 2022-12-21 17:43:51 bef2d677-e829-492d-9a3d-f5a20fda818f |
| Monitoring | 2ea82cdd-f2e8-4500-af75-67a2e084ca74 | Configure Linux Machines to be associated with a Data Collection Rule or a Data Collection Endpoint | Deploy Association to link Linux virtual machines, virtual machine scale sets, and Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change | 2022-12-21 17:43:51 Major (5.0.0 > 6.0.0) |
| Security Center | 4bb303db-d051-4099-95d2-e3e1428a4d2c | [Preview]: Configure ChangeTracking Extension for Windows virtual machine scale sets | Configure Windows virtual machine scale sets to automatically install the ChangeTracking Extension to enable File Integrity Monitoring(FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitor Agent. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change | 2022-12-21 17:43:51 Major, suffix remains equal (1.1.0-preview > 2.0.0-preview) |
| Guest Configuration | fad40cac-a972-4db0-b204-f1b15cced89a | Local authentication methods should be disabled on Linux machines | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Linux servers don't have local authentication methods disabled. This is to validate that Linux Servers can only be accessed by AAD (Azure Active Directory) account or a list of explicitly allowed users by this policy, improving overall security posture. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
count: 001 •Guest Configuration Resource Contributor |
add | 2022-12-21 17:43:51 fad40cac-a972-4db0-b204-f1b15cced89a |
| ChangeTrackingAndInventory | b6faa975-0add-4f35-8d1c-70bba45c4424 | [Preview]: Configure Windows Virtual Machines to be associated with a Data Collection Rule for ChangeTracking and Inventory | Deploy Association to link Windows virtual machines to specified Data Collection Rule to enable ChangeTracking and Inventory. The list of locations and OS images are updated over time as support is increased. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
add | 2022-12-21 17:43:51 b6faa975-0add-4f35-8d1c-70bba45c4424 |
| Security Center | 4bb303db-d051-4099-95d2-e3e1428a4cd5 | [Preview]: Configure ChangeTracking Extension for Windows Arc machines | Configure Windows Arc machines to automatically install the ChangeTracking Extension to enable File Integrity Monitoring(FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitor Agent. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Azure Connected Machine Resource Administrator |
change | 2022-12-21 17:43:51 Major, suffix remains equal (1.1.0-preview > 2.0.0-preview) |
| Kubernetes | c5110b6e-5272-4989-9935-59ad06fdf341 | Azure Kubernetes Clusters should enable Container Storage Interface(CSI) | The Container Storage Interface (CSI) is a standard for exposing arbitrary block and file storage systems to containerized workloads on Azure Kubernetes Service. To learn more, https://aka.ms/aks-csi-driver | Default Audit Allowed Audit, Disabled |
add | 2022-12-21 17:43:51 c5110b6e-5272-4989-9935-59ad06fdf341 |
|
| App Service | 5747353b-1ca9-42c1-a4dd-b874b894f3d4 | App Service app slots should enable configuration routing to Azure Virtual Network | By default, app configuration such as pulling container images and mounting content storage will not be routed through the regional virtual network integration. Using the API to set routing options to true enables configuration traffic through the Azure Virtual Network. These settings allow features like network security groups and user defined routes to be used, and service endpoints to be private. For more information, visit https://aka.ms/appservice-vnet-configuration-routing. | Default Audit Allowed Audit, Deny, Disabled |
add | 2022-12-21 17:43:51 5747353b-1ca9-42c1-a4dd-b874b894f3d4 |
|
| ChangeTrackingAndInventory | 56d0ed2b-60fc-44bf-af81-a78c851b5fe1 | [Preview]: Configure Linux VMs to install AMA for ChangeTracking and Inventory with user-assigned managed identity | Automate the deployment of Azure Monitor Agent extension on your Linux virtual machines for enabling ChangeTracking and Inventory. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
add | 2022-12-21 17:43:51 56d0ed2b-60fc-44bf-af81-a78c851b5fe1 |
| App Service | 33228571-70a4-4fa1-8ca1-26d0aba8d6ef | [Deprecated]: App Service apps should enable outbound non-RFC 1918 traffic to Azure Virtual Network | By default, if one uses regional Azure Virtual Network (VNET) integration, the app only routes RFC1918 traffic into that respective virtual network. Using the API to set 'vnetRouteAllEnabled' to true enables all outbound traffic into the Azure Virtual Network. This setting allows features like network security groups and user defined routes to be used for all outbound traffic from the App Service app. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change | 2022-12-21 17:43:51 Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated) |
|
| Update Management Center | ba0df93e-e4ac-479a-aac2-134bbae39a1a | [Preview]: Schedule recurring updates using Update Management Center | You can use update management center (private preview) in Azure to save recurring deployment schedules to install operating system updates for your Windows Server and Linux machines in Azure, in on-premises environments, and in other cloud environments connected using Azure Arc-enabled servers. This policy will also change the patch mode for the Azure Virtual Machine to 'AutomaticByPlatform'. See more: https://aka.ms/umc-scheduled-patching | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
change | 2022-12-21 17:43:51 Major, suffix remains equal (2.0.0-preview > 3.0.0-preview) |
| Machine Learning | f59276f0-5740-4aaf-821d-45d185aa210e | Configure diagnostic settings for Azure Machine Learning workspace to Log Analytics workspace | Deploys the diagnostic settings for Azure Machine Learning workspace to stream resource logs to a Log Analytics workspace when any Azure Machine Learning workspace which is missing this diagnostic settings is created or updated. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
add | 2022-12-21 17:43:51 f59276f0-5740-4aaf-821d-45d185aa210e |
| Security Center | 938c4981-c2c9-4168-9cd6-972b8675f906 | Microsoft Defender for SQL status should be protected for Arc-enabled SQL Servers | Microsoft Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, discovering and classifying sensitive data. Once enabled, the protection status indicates that the resource is actively monitored. Even when Defender is enabled, multiple configuration settings should be validated on the agent, machine, workspace and SQL server to ensure active protection. | Default Audit Allowed Audit, Disabled |
change | 2022-12-21 17:43:51 Patch (1.0.0 > 1.0.1) |
|
| App Service | a691eacb-474d-47e4-b287-b4813ca44222 | App Service apps should enable outbound non-RFC 1918 traffic to Azure Virtual Network | By default, if one uses regional Azure Virtual Network (VNET) integration, the app only routes RFC1918 traffic into that respective virtual network. Using the API to set 'vnetRouteAllEnabled' to true enables all outbound traffic into the Azure Virtual Network. This setting allows features like network security groups and user defined routes to be used for all outbound traffic from the App Service app. | Default Audit Allowed Audit, Deny, Disabled |
add | 2022-12-21 17:43:51 a691eacb-474d-47e4-b287-b4813ca44222 |
|
| Security Center | f08f556c-12ff-464d-a7de-40cb5b6cccec | [Preview]: Configure ChangeTracking Extension for Windows virtual machines | Configure Windows virtual machines to automatically install the ChangeTracking Extension to enable File Integrity Monitoring(FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitor Agent. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change | 2022-12-21 17:43:51 Major, suffix remains equal (1.1.0-preview > 2.0.0-preview) |
| Storage | 7bd000e3-37c7-4928-9f31-86c4b77c5c45 | Configure diagnostic settings for Queue Services to Log Analytics workspace | Deploys the diagnostic settings for Queue Services to stream resource logs to a Log Analytics workspace when any queue Service which is missing this diagnostic settings is created or updated. Note: This policy is not triggered upon Storage Account creation and requires creation of a remediation task in order to update for the account. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change | 2022-12-21 17:43:51 Patch (4.0.0 > 4.0.1) |
| Security Center | c9ae938d-3d6f-4466-b7c3-351761d9c890 | [Preview]: Configure Association to link Arc machines to user-defined Microsoft Defender for Cloud Data Collection Rule | Configure Arc machines to automatically create an association with the user-defined data collection rule for Microsoft Defender for Cloud. Deleting this association will break the detection of security vulnerabilities for this Arc machine. Target Arc machines must be in a supported location. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change | 2022-12-21 17:43:51 Major, suffix remains equal (1.1.1-preview > 2.0.0-preview) |
| Monitoring | eab1f514-22e3-42e3-9a1f-e1dc9199355c | Configure Windows Machines to be associated with a Data Collection Rule or a Data Collection Endpoint | Deploy Association to link Windows virtual machines, virtual machine scale sets, and Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change | 2022-12-21 17:43:51 Major (3.0.0 > 4.0.0) |
| Monitoring | c9c29499-c1d1-4195-99bd-2ec9e3a9dc89 | Deploy Diagnostic Settings for Network Security Groups | This policy automatically deploys diagnostic settings to network security groups. A storage account with name '{storagePrefixParameter}{NSGLocation}' will be automatically created. | Fixed deployIfNotExists |
count: 002 •Monitoring Contributor •Storage Account Contributor |
change | 2022-12-09 17:45:23 Patch (2.0.0 > 2.0.1) |
| SQL | ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9 | Vulnerability assessment should be enabled on your SQL servers | Audit Azure SQL servers which do not have vulnerability assessment properly configured. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change | 2022-12-09 17:45:23 Major (2.0.0 > 3.0.0) |
|
| Monitoring | 244efd75-0d92-453c-b9a3-7d73ca36ed52 | Configure Windows Virtual Machines to be associated with a Data Collection Rule or a Data Collection Endpoint | Deploy Association to link Windows virtual machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change | 2022-11-04 17:41:52 Major (1.1.0 > 2.0.0) |
| Monitoring | 0a3b9bf4-d30e-424a-af6b-9a93f6f78792 | Configure Windows Virtual Machine Scale Sets to be associated with a Data Collection Rule or a Data Collection Endpoint | Deploy Association to link Windows virtual machine scale sets to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change | 2022-11-04 17:41:52 Major (1.1.0 > 2.0.0) |
| Cognitive Services | 0725b4dd-7e76-479c-a735-68e7ee23d5ca | Cognitive Services accounts should disable public network access | To improve the security of Cognitive Services accounts, ensure that it isn't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in https://go.microsoft.com/fwlink/?linkid=2129800. This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. | Default Audit Allowed Audit, Deny, Disabled |
change | 2022-11-04 17:41:52 Patch (3.0.0 > 3.0.1) |
|
| Security Center | 1f90fc71-a595-4066-8974-d4d0802e8ef0 | Microsoft Defender CSPM should be enabled | Defender Cloud Security Posture Management (CSPM) provides enhanced posture capabilities and a new intelligent cloud security graph to help identify, prioritize, and reduce risk. Defender CSPM is available in addition to the free foundational security posture capabilities turned on by default in Defender for Cloud. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add | 2022-11-04 17:41:52 1f90fc71-a595-4066-8974-d4d0802e8ef0 |
|
| Monitoring | eab1f514-22e3-42e3-9a1f-e1dc9199355c | Configure Windows Machines to be associated with a Data Collection Rule or a Data Collection Endpoint | Deploy Association to link Windows virtual machines, virtual machine scale sets, and Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change | 2022-11-04 17:41:52 Major (2.1.0 > 3.0.0) |
| Security Center | 689f7782-ef2c-4270-a6d0-7664869076bd | Configure Microsoft Defender CSPM to be enabled | Defender Cloud Security Posture Management (CSPM) provides enhanced posture capabilities and a new intelligent cloud security graph to help identify, prioritize, and reduce risk. Defender CSPM is available in addition to the free foundational security posture capabilities turned on by default in Defender for Cloud. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Security Admin |
add | 2022-11-04 17:41:52 689f7782-ef2c-4270-a6d0-7664869076bd |
| Machine Learning | e96a9a5f-07ca-471b-9bc5-6a0f33cbd68f | Machine Learning computes should have local authentication methods disabled | Disabling local authentication methods improves security by ensuring that Machine Learning computes require Azure Active Directory identities exclusively for authentication. Learn more at: https://aka.ms/azure-ml-aad-policy. | Default Audit Allowed Audit, Deny, Disabled |
change | 2022-10-28 16:42:53 Major (1.0.0 > 2.0.0) |
|
| Automation | dea83a72-443c-4292-83d5-54a2f98749c0 | Automation Account should have Managed Identity | Use Managed Identities as the recommended method for authenticating with Azure resources from the runbooks. Managed identity for authentication is more secure and eliminates the management overhead associated with using RunAs Account in your runbook code . | Default Audit Allowed Audit, Disabled |
add | 2022-10-28 16:42:53 dea83a72-443c-4292-83d5-54a2f98749c0 |
|
| Security Center | 938c4981-c2c9-4168-9cd6-972b8675f906 | Microsoft Defender for SQL status should be protected for Arc-enabled SQL Servers | Microsoft Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, discovering and classifying sensitive data. Once enabled, the protection status indicates that the resource is actively monitored. Even when Defender is enabled, multiple configuration settings should be validated on the agent, machine, workspace and SQL server to ensure active protection. | Default Audit Allowed Audit, Disabled |
add | 2022-10-28 16:42:53 938c4981-c2c9-4168-9cd6-972b8675f906 |
|
| Update Management Center | ba0df93e-e4ac-479a-aac2-134bbae39a1a | [Preview]: Schedule recurring updates using Update Management Center | You can use update management center (private preview) in Azure to save recurring deployment schedules to install operating system updates for your Windows Server and Linux machines in Azure, in on-premises environments, and in other cloud environments connected using Azure Arc-enabled servers. This policy will also change the patch mode for the Azure Virtual Machine to 'AutomaticByPlatform'. See more: https://aka.ms/umc-scheduled-patching | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
change | 2022-10-28 16:42:53 Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) |
| Machine Learning | a6f9a2d0-cff7-4855-83ad-4cd750666512 | Configure Machine Learning computes to disable local authentication methods | Disable location authentication methods so that your Machine Learning computes require Azure Active Directory identities exclusively for authentication. Learn more at: https://aka.ms/azure-ml-aad-policy. | Default Modify Allowed Modify, Disabled |
count: 001 •Contributor |
change | 2022-10-28 16:42:53 Major (1.0.0 > 2.0.0) |
| Kubernetes | 5485eac0-7e8f-4964-998b-a44f4f0c1e75 | Kubernetes cluster Windows containers should not run as ContainerAdministrator | Prevent usage of ContainerAdministrator as the user to execute the container processes for Windows pods or containers. This recommendation is intended to improve the security of Windows nodes. For more information, see https://kubernetes.io/docs/concepts/windows/intro/ . | Default Audit Allowed Audit, Deny, Disabled |
add | 2022-10-28 16:42:53 5485eac0-7e8f-4964-998b-a44f4f0c1e75 |
|
| Kubernetes | c26596ff-4d70-4e6a-9a30-c2506bd2f80c | Kubernetes cluster containers should only use allowed capabilities | Restrict the capabilities to reduce the attack surface of containers in a Kubernetes cluster. This recommendation is part of CIS 5.2.8 and CIS 5.2.9 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change | 2022-10-21 16:42:13 Patch (6.0.0 > 6.0.1) |
|
| Kubernetes | 65280eef-c8b4-425e-9aec-af55e55bf581 | Kubernetes cluster should not use naked pods | Block usage of naked Pods. Naked Pods will not be rescheduled in the event of a node failure. Pods should be managed by Deployment, Replicset, Daemonset or Jobs | Default Audit Allowed Audit, Deny, Disabled |
change | 2022-10-21 16:42:13 Patch (2.0.0 > 2.0.1) |
|
| Kubernetes | a2abc456-f0ae-464b-bd3a-07a3cdbd7fb1 | Kubernetes cluster Windows containers should not overcommit cpu and memory | Windows container resource requests should be less or equal to the resource limit or unspecified to avoid overcommit. If Windows memory is over-provisioned it will process pages in disk - which can slow down performance - instead of terminating the container with out-of-memory | Default Audit Allowed Audit, Deny, Disabled |
change | 2022-10-21 16:42:13 Patch (2.0.0 > 2.0.1) |
|
| Kubernetes | 16697877-1118-4fb1-9b65-9898ec2509ec | Kubernetes cluster pods should only use allowed volume types | Pods can only use allowed volume types in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change | 2022-10-21 16:42:13 Patch (5.0.0 > 5.0.1) |
|
| Kubernetes | 82985f06-dc18-4a48-bc1c-b9f4f0098cfe | Kubernetes cluster pods should only use approved host network and port range | Restrict pod access to the host network and the allowable host port range in a Kubernetes cluster. This recommendation is part of CIS 5.2.4 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change | 2022-10-21 16:42:13 Patch (6.0.0 > 6.0.1) |
|
| Monitoring | 765266ab-e40e-4c61-bcb2-5a5275d0b7c0 | Deploy Dependency agent for Linux virtual machine scale sets | Deploy Dependency agent for Linux virtual machine scale sets if the VM Image (OS) is in the list defined and the agent is not installed. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all virtual machines in the set by calling upgrade on them. In CLI this would be az vmss update-instances. | Fixed deployIfNotExists |
count: 001 •Virtual Machine Contributor |
change | 2022-10-21 16:42:13 Major (4.0.0 > 5.0.0) |
| Kubernetes | 9f061a12-e40d-4183-a00e-171812443373 | Kubernetes clusters should not use the default namespace | Prevent usage of the default namespace in Kubernetes clusters to protect against unauthorized access for ConfigMap, Pod, Secret, Service, and ServiceAccount resource types. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change | 2022-10-21 16:42:13 Patch (4.0.0 > 4.0.1) |
|
| Kubernetes | f06ddb64-5fa3-4b77-b166-acb36f7f6042 | Kubernetes cluster pods and containers should only run with approved user and group IDs | Control the user, primary group, supplemental group and file system group IDs that pods and containers can use to run in a Kubernetes Cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change | 2022-10-21 16:42:13 Patch (6.0.0 > 6.0.1) |
|
| Kubernetes | 233a2a17-77ca-4fb1-9b6b-69223d272a44 | Kubernetes cluster services should listen only on allowed ports | Restrict services to listen only on allowed ports to secure access to the Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Deny Allowed audit, Audit, deny, Deny, disabled, Disabled |
change | 2022-10-21 16:42:13 Patch (8.0.0 > 8.0.1) |
|
| Kubernetes | 450d2877-ebea-41e8-b00c-e286317d21bf | Azure Kubernetes Service Clusters should enable Azure Active Directory integration | AKS-managed Azure Active Directory integration can manage the access to the clusters by configuring Kubernetes role-based access control (Kubernetes RBAC) based on a user's identity or directory group membership. Learn more at: https://aka.ms/aks-managed-aad. | Default Audit Allowed Audit, Disabled |
change | 2022-10-21 16:42:13 Patch (1.0.0 > 1.0.1) |
|
| Storage | 7bd000e3-37c7-4928-9f31-86c4b77c5c45 | Configure diagnostic settings for Queue Services to Log Analytics workspace | Deploys the diagnostic settings for Queue Services to stream resource logs to a Log Analytics workspace when any queue Service which is missing this diagnostic settings is created or updated. Note: This policy is not triggered upon Storage Account creation and requires creation of a remediation task in order to update for the account. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change | 2022-10-21 16:42:13 Major (3.0.0 > 4.0.0) |
| Monitoring | 8a04f872-51e9-4313-97fb-fc1c3543011c | Azure Application Gateway should have Resource logs enabled | Enable Resource logs for Azure Application Gateway (plus WAF) and stream to a Log Analytics workspace. Get detailed visibility into inbound web traffic and actions taken to mitigate attacks. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add | 2022-10-21 16:42:13 8a04f872-51e9-4313-97fb-fc1c3543011c |
|
| Storage | 2fb86bf3-d221-43d1-96d1-2434af34eaa0 | Configure diagnostic settings for Table Services to Log Analytics workspace | Deploys the diagnostic settings for Table Services to stream resource logs to a Log Analytics workspace when any table Service which is missing this diagnostic settings is created or updated. Note: This policy is not triggered upon Storage Account creation and requires creation of a remediation task in order to update for the account. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change | 2022-10-21 16:42:13 Major (3.0.0 > 4.0.0) |
| Kubernetes | 95edb821-ddaf-4404-9732-666045e056b4 | Kubernetes cluster should not allow privileged containers | Do not allow privileged containers creation in a Kubernetes cluster. This recommendation is part of CIS 5.2.1 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Deny Allowed audit, Audit, deny, Deny, disabled, Disabled |
change | 2022-10-21 16:42:13 Patch (9.0.0 > 9.0.1) |
|
| Kubernetes | 9a5f4e39-e427-4d5d-ae73-93db00328bec | Kubernetes resources should have required annotations | Ensure that required annotations are attached on a given Kubernetes resource kind for improved resource management of your Kubernetes resources. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed Audit, Deny, Disabled |
change | 2022-10-21 16:42:13 Patch (3.0.0 > 3.0.1) |
|
| Kubernetes | 7d7be79c-23ba-4033-84dd-45e2a5ccdd67 | Both operating systems and data disks in Azure Kubernetes Service clusters should be encrypted by customer-managed keys | Encrypting OS and data disks using customer-managed keys provides more control and greater flexibility in key management. This is a common requirement in many regulatory and industry compliance standards. | Default Audit Allowed Audit, Deny, Disabled |
change | 2022-10-21 16:42:13 Patch (1.0.0 > 1.0.1) |
|
| Automanage | 270610db-8c04-438a-a739-e8e6745b22d3 | [Deprecated]: Configure virtual machines to be onboarded to Azure Automanage | Azure Automanage enrolls, configures, and monitors virtual machines with best practice as defined in the Microsoft Cloud Adoption Framework for Azure. Use this policy to apply Automanage to your selected scope. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
change | 2022-10-21 16:42:13 Patch, suffix changed: new suffix: deprecated; old suffix: version (4.1.0-version-deprecated > 4.1.1-deprecated) |
| Kubernetes | febd0533-8e55-448f-b837-bd0e06f16469 | Kubernetes cluster containers should only use allowed images | Use images from trusted registries to reduce the Kubernetes cluster's exposure risk to unknown vulnerabilities, security issues and malicious images. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Deny Allowed audit, Audit, deny, Deny, disabled, Disabled |
change | 2022-10-21 16:42:13 Patch (9.0.0 > 9.0.1) |
|
| Regulatory Compliance | 62fa14f0-4cbe-762d-5469-0899a99b98aa | Explicitly notify use of collaborative computing devices | CMA_C1649 - Explicitly notify use of collaborative computing devices | Default Manual Allowed Manual, Disabled |
change | 2022-10-21 16:42:13 Patch (1.1.0 > 1.1.1) |
|
| Kubernetes | 975ce327-682c-4f2e-aa46-b9598289b86c | Kubernetes cluster containers should only use allowed seccomp profiles | Pod containers can only use allowed seccomp profiles in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change | 2022-10-21 16:42:13 Patch (7.0.0 > 7.0.1) |
|
| Storage | 59759c62-9a22-4cdf-ae64-074495983fef | Configure diagnostic settings for Storage Accounts to Log Analytics workspace | Deploys the diagnostic settings for Storage accounts to stream resource logs to a Log Analytics workspace when any storage accounts which is missing this diagnostic settings is created or updated. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change | 2022-10-21 16:42:13 Major (3.0.0 > 4.0.0) |
| Kubernetes | 56d0a13f-712f-466b-8416-56fb354fb823 | Kubernetes cluster containers should not use forbidden sysctl interfaces | Containers should not use forbidden sysctl interfaces in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change | 2022-10-21 16:42:13 Patch (7.0.0 > 7.0.1) |
|
| Kubernetes | 098fc59e-46c7-4d99-9b16-64990e543d75 | Kubernetes cluster pod hostPath volumes should only use allowed host paths | Limit pod HostPath volume mounts to the allowed host paths in a Kubernetes Cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change | 2022-10-21 16:42:13 Patch (6.0.0 > 6.0.1) |
|
| Kubernetes | 57dde185-5c62-4063-b965-afbb201e9c1c | Kubernetes cluster Windows containers should only run with approved user and domain user group | Control the user that Windows pods and containers can use to run in a Kubernetes Cluster. This recommendation is part of Pod Security Policies on Windows nodes which are intended to improve the security of your Kubernetes environments. | Default Audit Allowed Audit, Deny, Disabled |
change | 2022-10-21 16:42:13 Patch (2.0.0 > 2.0.1) |
|
| SQL | fd2d1a6e-6d95-4df2-ad00-504bf0273406 | Configure Arc-enabled machines running SQL Server to have SQL Server extension installed. | To ensure that SQL Server - Azure Arc resources are created by default when SQL Server instance is found on Azure Arc enabled Windows/Linux Server, the latter should have SQL Server extension installed | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •User Access Administrator |
change | 2022-10-21 16:42:13 Minor (3.0.0 > 3.1.0) |
| Kubernetes | 3fc4dc25-5baf-40d8-9b05-7fe74c1bc64e | Kubernetes clusters should use internal load balancers | Use internal load balancers to make a Kubernetes service accessible only to applications running in the same virtual network as the Kubernetes cluster. For more information, see https://aka.ms/kubepolicydoc. | Default Deny Allowed audit, Audit, deny, Deny, disabled, Disabled |
change | 2022-10-21 16:42:13 Patch (8.0.0 > 8.0.1) |
|
| Kubernetes | d46c275d-1680-448d-b2ec-e495a3b6cc89 | Kubernetes cluster services should only use allowed external IPs | Use allowed external IPs to avoid the potential attack (CVE-2020-8554) in a Kubernetes cluster. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change | 2022-10-21 16:42:13 Patch (5.0.0 > 5.0.1) |
|
| Monitoring | 2fea0c12-e7d4-4e03-b7bf-c34b2b8d787d | [Preview]: Deploy Dependency agent for Linux virtual machine scale sets with Azure Monitoring Agent settings | Deploy Dependency agent for Linux virtual machine scale sets with Azure Monitoring Agent settings if the VM Image (OS) is in the list defined and the agent is not installed. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all virtual machines in the set by calling upgrade on them. In CLI this would be az vmss update-instances. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change | 2022-10-21 16:42:13 Major, suffix remains equal (2.0.0-preview > 3.0.0-preview) |
| Kubernetes | da6e2401-19da-4532-9141-fb8fbde08431 | Azure Kubernetes Service Clusters should use managed identities | Use managed identities to wrap around service principals, simplify cluster management and avoid the complexity required to managed service principals. Learn more at: https://aka.ms/aks-update-managed-identities | Default Audit Allowed Audit, Disabled |
change | 2022-10-21 16:42:13 Patch (1.0.0 > 1.0.1) |
|
| Kubernetes | a27c700f-8a22-44ec-961c-41625264370b | Kubernetes clusters should not use specific security capabilities | Prevent specific security capabilities in Kubernetes clusters to prevent ungranted privileges on the Pod resource. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change | 2022-10-21 16:42:13 Patch (5.0.0 > 5.0.1) |
|
| Kubernetes | e345eecc-fa47-480f-9e88-67dcc122b164 | Kubernetes cluster containers CPU and memory resource limits should not exceed the specified limits | Enforce container CPU and memory resource limits to prevent resource exhaustion attacks in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Deny Allowed audit, Audit, deny, Deny, disabled, Disabled |
change | 2022-10-21 16:42:13 Patch (9.0.0 > 9.0.1) |
|
| Monitoring | 8a04f872-51e9-4313-97fb-fc1c35430fd8 | Azure Front Door should have Resource logs enabled | Enable Resource logs for Azure Front Door (plus WAF) and stream to a Log Analytics workspace. Get detailed visibility into inbound web traffic and actions taken to mitigate attacks. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add | 2022-10-21 16:42:13 8a04f872-51e9-4313-97fb-fc1c35430fd8 |
|
| Update Management Center | 59efceea-0c96-497e-a4a1-4eb2290dac15 | [Preview]: Configure periodic checking for missing system updates on azure virtual machines | Configure auto-assessment (every 24 hours) for OS updates on native Azure virtual machines. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Fixed modify |
count: 001 •Virtual Machine Contributor |
change | 2022-10-21 16:42:13 Major, suffix remains equal (2.0.0-preview > 3.0.0-preview) |
| Automanage | f889cab7-da27-4c41-a3b0-de1f6f87c550 | Configure virtual machines to be onboarded to Azure Automanage | Azure Automanage enrolls, configures, and monitors virtual machines with best practice as defined in the Microsoft Cloud Adoption Framework for Azure. Use this policy to apply Automanage to your selected scope. | Default DeployIfNotExists Allowed AuditIfNotExists, DeployIfNotExists, Disabled |
count: 001 •Contributor |
change | 2022-10-21 16:42:13 Minor (2.2.0 > 2.3.0) |
| Kubernetes | df49d893-a74c-421d-bc95-c663042e5b80 | Kubernetes cluster containers should run with a read only root file system | Run containers with a read only root file system to protect from changes at run-time with malicious binaries being added to PATH in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change | 2022-10-21 16:42:13 Patch (6.0.0 > 6.0.1) |
|
| Kubernetes | 4f3823b6-6dac-4b5a-9c61-ce1afb829f17 | Kubernetes clusters should use Container Storage Interface(CSI) driver StorageClass | The Container Storage Interface (CSI) is a standard for exposing arbitrary block and file storage systems to containerized workloads on Kubernetes. In-tree provisioner StorageClass should be deprecated since AKS version 1.21. To learn more, https://aka.ms/aks-csi-driver | Default Audit Allowed Audit, Deny, Disabled |
change | 2022-10-21 16:42:13 Patch (2.0.0 > 2.0.1) |
|
| Regulatory Compliance | e3905a3c-97e7-0b4f-15fb-465c0927536f | Correlate Vulnerability scan information | CMA_C1558 - Correlate Vulnerability scan information | Default Manual Allowed Manual, Disabled |
change | 2022-10-21 16:42:13 Patch (1.1.0 > 1.1.1) |
|
| Kubernetes | b81f454c-eebb-4e4f-9dfe-dca060e8a8fd | [Preview]: Kubernetes clusters should restrict creation of given resource type | Given Kubernetes resource type should not be deployed in certain namespace. | Default Audit Allowed Audit, Deny, Disabled |
change | 2022-10-21 16:42:13 Patch, suffix remains equal (2.1.0-preview > 2.1.1-preview) |
|
| Kubernetes | 423dd1ba-798e-40e4-9c4d-b6902674b423 | Kubernetes clusters should disable automounting API credentials | Disable automounting API credentials to prevent a potentially compromised Pod resource to run API commands against Kubernetes clusters. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change | 2022-10-21 16:42:13 Patch (4.0.0 > 4.0.1) |
|
| Kubernetes | f4a8fce0-2dd5-4c21-9a36-8f0ec809d663 | Kubernetes cluster pod FlexVolume volumes should only use allowed drivers | Pod FlexVolume volumes should only use allowed drivers in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change | 2022-10-21 16:42:13 Patch (5.0.0 > 5.0.1) |
|
| Update Management Center | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | [Preview]: Machines should be configured to periodically check for missing system updates | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Default Audit Allowed Audit, Deny, Disabled |
change | 2022-10-21 16:42:13 Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) |
|
| Kubernetes | d2e7ea85-6b44-4317-a0be-1b951587f626 | Kubernetes clusters should not grant CAP_SYS_ADMIN security capabilities | To reduce the attack surface of your containers, restrict CAP_SYS_ADMIN Linux capabilities. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change | 2022-10-21 16:42:13 Patch (5.0.0 > 5.0.1) |
|
| Regulatory Compliance | f801d58e-5659-9a4a-6e8d-02c9334732e5 | Restore resources to operational state | CMA_C1297 - Restore resources to operational state | Default Manual Allowed Manual, Disabled |
change | 2022-10-21 16:42:13 Patch (1.1.0 > 1.1.1) |
|
| Kubernetes | 47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8 | Kubernetes cluster containers should not share host process ID or host IPC namespace | Block pod containers from sharing the host process ID namespace and host IPC namespace in a Kubernetes cluster. This recommendation is part of CIS 5.2.2 and CIS 5.2.3 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change | 2022-10-21 16:42:13 Patch (5.0.0 > 5.0.1) |
|
| Kubernetes | b1a9997f-2883-4f12-bdff-2280f99b5915 | Ensure cluster containers have readiness or liveness probes configured | This policy enforces that all pods have a readiness and/or liveness probes configured. Probe Types can be any of tcpSocket, httpGet and exec. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default Audit Allowed Audit, Deny, Disabled |
change | 2022-10-21 16:42:13 Patch (3.0.0 > 3.0.1) |
|
| Kubernetes | 511f5417-5d12-434d-ab2e-816901e72a5e | Kubernetes cluster containers should only use allowed AppArmor profiles | Containers should only use allowed AppArmor profiles in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change | 2022-10-21 16:42:13 Patch (6.0.0 > 6.0.1) |
|
| Monitoring | 4da21710-ce6f-4e06-8cdb-5cc4c93ffbee | Deploy Dependency agent for Linux virtual machines | Deploy Dependency agent for Linux virtual machines if the VM Image (OS) is in the list defined and the agent is not installed. | Fixed deployIfNotExists |
count: 001 •Log Analytics Contributor |
change | 2022-10-21 16:42:13 Major (4.0.0 > 5.0.0) |
| Kubernetes | 13cd7ae3-5bc0-4ac4-a62d-4f7c120b9759 | [Preview]: Kubernetes clusters should gate deployment of vulnerable images | Protect your Kubernetes clusters and container workloads from potential threats by restricting deployment of container images with vulnerable software components. Use Azure Defender CI/CD scanning (https://aka.ms/AzureDefenderCICDscanning) and Azure defender for container registries (https://aka.ms/AzureDefenderForContainerRegistries) to identify and patch vulnerabilities prior to deployment. Evaluation prerequisite: Policy Addon and Azure Defender Profile. Only applicable for private preview customers. | Default Audit Allowed Audit, Deny, Disabled |
change | 2022-10-21 16:42:13 Patch, suffix remains equal (2.0.0-preview > 2.0.1-preview) |
|
| Automanage | b025cfb4-3702-47c2-9110-87fe0cfcc99b | Configure virtual machines to be onboarded to Azure Automanage with Custom Configuration Profile | Azure Automanage enrolls, configures, and monitors virtual machines with best practice as defined in the Microsoft Cloud Adoption Framework for Azure. Use this policy to apply Automanage with your own customized Configuration Profile to your selected scope. | Default DeployIfNotExists Allowed AuditIfNotExists, DeployIfNotExists, Disabled |
count: 001 •Contributor |
change | 2022-10-21 16:42:13 Minor (1.2.0 > 1.3.0) |
| Regulatory Compliance | f33c3238-11d2-508c-877c-4262ec1132e1 | Recover and reconstitute resources after any disruption | CMA_C1295 - Recover and reconstitute resources after any disruption | Default Manual Allowed Manual, Disabled |
change | 2022-10-21 16:42:13 Patch (1.1.0 > 1.1.1) |
|
| Kubernetes | 89f2d532-c53c-4f8f-9afa-4927b1114a0d | Azure Kubernetes Service Clusters should disable Command Invoke | Disabling command invoke can enhance the security by avoiding bypass of restricted network access or Kubernetes role-based access control | Default Audit Allowed Audit, Disabled |
change | 2022-10-21 16:42:13 Patch (1.0.0 > 1.0.1) |
|
| Kubernetes | 46592696-4c7b-4bf3-9e45-6c2763bdc0a6 | Kubernetes cluster pods should use specified labels | Use specified labels to identify the pods in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Deny Allowed audit, Audit, deny, Deny, disabled, Disabled |
change | 2022-10-21 16:42:13 Patch (7.0.0 > 7.0.1) |
|
| Kubernetes | 1c6e92c9-99f0-4e55-9cf2-0c234dc48f99 | Kubernetes clusters should not allow container privilege escalation | Do not allow containers to run with privilege escalation to root in a Kubernetes cluster. This recommendation is part of CIS 5.2.5 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change | 2022-10-21 16:42:13 Patch (7.0.0 > 7.0.1) |
|
| Kubernetes | 993c2fcd-2b29-49d2-9eb0-df2c3a730c32 | Azure Kubernetes Service Clusters should have local authentication methods disabled | Disabling local authentication methods improves security by ensuring that Azure Kubernetes Service Clusters should exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/aks-disable-local-accounts. | Default Audit Allowed Audit, Deny, Disabled |
change | 2022-10-21 16:42:13 Patch (1.0.0 > 1.0.1) |
|
| Kubernetes | 040732e8-d947-40b8-95d6-854c95024bf8 | Azure Kubernetes Service Private Clusters should be enabled | Enable the private cluster feature for your Azure Kubernetes Service cluster to ensure network traffic between your API server and your node pools remains on the private network only. This is a common requirement in many regulatory and industry compliance standards. | Default Audit Allowed Audit, Deny, Disabled |
change | 2022-10-21 16:42:13 Patch (1.0.0 > 1.0.1) |
|
| Kubernetes | 46238e2f-3f6f-4589-9f3f-77bed4116e67 | Azure Kubernetes Clusters should use Azure CNI | Azure CNI is a prerequisite for some Azure Kubernetes Service features, including Azure network policies, Windows node pools and virtual nodes add-on. Learn more at: https://aka.ms/aks-azure-cni | Default Audit Allowed Audit, Disabled |
change | 2022-10-21 16:42:13 Patch (1.0.0 > 1.0.1) |
|
| Regulatory Compliance | 22a02c9a-49e4-5dc9-0d14-eb35ad717154 | Obtain design and implementation information for the security controls | CMA_C1576 - Obtain design and implementation information for the security controls | Default Manual Allowed Manual, Disabled |
change | 2022-10-21 16:42:13 Patch (1.1.0 > 1.1.1) |
|
| Kubernetes | 1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d | Kubernetes clusters should be accessible only over HTTPS | Use of HTTPS ensures authentication and protects data in transit from network layer eavesdropping attacks. This capability is currently generally available for Kubernetes Service (AKS), and in preview for Azure Arc enabled Kubernetes. For more info, visit https://aka.ms/kubepolicydoc | Default Deny Allowed audit, Audit, deny, Deny, disabled, Disabled |
change | 2022-10-21 16:42:13 Patch (8.0.0 > 8.0.1) |
|
| Monitoring | d55b81e1-984f-4a96-acab-fae204e3ca7f | [Preview]: Deploy Dependency agent for Linux virtual machines with Azure Monitoring Agent settings | Deploy Dependency agent for Linux virtual machines with Azure Monitoring Agent settings if the VM Image (OS) is in the list defined and the agent is not installed. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
change | 2022-10-21 16:42:13 Major, suffix remains equal (2.0.0-preview > 3.0.0-preview) |
| Regulatory Compliance | a3e98638-51d4-4e28-910a-60e98c1a756f | Configure Azure Audit capabilities | CMA_C1108 - Configure Azure Audit capabilities | Default Manual Allowed Manual, Disabled |
change | 2022-10-21 16:42:13 Patch (1.1.0 > 1.1.1) |
|
| Kubernetes | 36a27de4-199b-40fb-b336-945a8475d6c5 | Configure AAD integrated Azure Kubernetes Service Clusters with required Admin Group Access | Ensure to improve cluster security by centrally govern Administrator access to Azure Active Directory integrated AKS clusters. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Azure Kubernetes Service Contributor Role •Azure Kubernetes Service Policy Add-on Deployment |
change | 2022-10-21 16:42:13 Patch (2.0.0 > 2.0.1) |
| Kubernetes | f85eb0dd-92ee-40e9-8a76-db25a507d6d3 | Kubernetes cluster containers should only use allowed ProcMountType | Pod containers can only use allowed ProcMountTypes in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change | 2022-10-21 16:42:13 Patch (8.0.0 > 8.0.1) |
|
| Kubernetes | e1e6c427-07d9-46ab-9689-bfa85431e636 | Kubernetes cluster pods and containers should only use allowed SELinux options | Pods and containers should only use allowed SELinux options in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change | 2022-10-21 16:42:13 Patch (7.0.0 > 7.0.1) |
|
| Regulatory Compliance | 0dcbaf2f-075e-947b-8f4c-74ecc5cd302c | Identify individuals with security roles and responsibilities | CMA_C1566 - Identify individuals with security roles and responsibilities | Default Manual Allowed Manual, Disabled |
change | 2022-10-21 16:42:13 Patch (1.1.0 > 1.1.1) |
|
| Kubernetes | 41425d9f-d1a5-499a-9932-f8ed8453932c | Temp disks and cache for agent node pools in Azure Kubernetes Service clusters should be encrypted at host | To enhance data security, the data stored on the virtual machine (VM) host of your Azure Kubernetes Service nodes VMs should be encrypted at rest. This is a common requirement in many regulatory and industry compliance standards. | Default Audit Allowed Audit, Deny, Disabled |
change | 2022-10-21 16:42:13 Patch (1.0.0 > 1.0.1) |
|
| Storage | 25a70cc8-2bd4-47f1-90b6-1478e4662c96 | Configure diagnostic settings for File Services to Log Analytics workspace | Deploys the diagnostic settings for File Services to stream resource logs to a Log Analytics workspace when any file Service which is missing this diagnostic settings is created or updated. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change | 2022-10-21 16:42:13 Major (3.0.0 > 4.0.0) |
| Kubernetes | 50c83470-d2f0-4dda-a716-1938a4825f62 | Kubernetes cluster containers should only use allowed pull policy | Restrict containers' pull policy to enforce containers to use only allowed images on deployments | Default Audit Allowed Audit, Deny, Disabled |
change | 2022-10-21 16:42:13 Patch (3.0.0 > 3.0.1) |
|
| Kubernetes | 1b708b0a-3380-40e9-8b79-821f9fa224cc | Disable Command Invoke on Azure Kubernetes Service clusters | Disabling command invoke can enhance the security by rejecting invoke-command access to the cluster | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Azure Kubernetes Service Contributor Role •Azure Kubernetes Service Policy Add-on Deployment |
change | 2022-10-21 16:42:13 Patch (1.0.0 > 1.0.1) |
| Storage | b4fe1a3b-0715-4c6c-a5ea-ffc33cf823cb | Configure diagnostic settings for Blob Services to Log Analytics workspace | Deploys the diagnostic settings for Blob Services to stream resource logs to a Log Analytics workspace when any blob Service which is missing this diagnostic settings is created or updated. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change | 2022-10-21 16:42:13 Major (3.0.0 > 4.0.0) |
| Kubernetes | 1ddac26b-ed48-4c30-8cc5-3a68c79b8001 | Kubernetes clusters should not allow endpoint edit permissions of ClusterRole/system:aggregate-to-edit | ClusterRole/system:aggregate-to-edit should not allow endpoint edit permissions due to CVE-2021-25740, Endpoint & EndpointSlice permissions allow cross-Namespace forwarding, https://github.com/kubernetes/kubernetes/issues/103675. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed Audit, Disabled |
change | 2022-10-21 16:42:13 Patch (3.0.0 > 3.0.1) |
|
| Guest Configuration | 63594bb8-43bb-4bf0-bbf8-c67e5c28cb65 | [Preview]: Linux machines should meet STIG compliance requirement for Azure compute | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in STIG compliance requirement for Azure compute. DISA (Defense Information Systems Agency) provides technical guides STIG (Security Technical Implementation Guide) to secure compute OS as required by Department of Defense (DoD). For more details, https://public.cyber.mil/stigs/. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add | 2022-10-14 16:34:37 63594bb8-43bb-4bf0-bbf8-c67e5c28cb65 |
|
| App Service | 2d048aca-6479-4923-88f5-e2ac295d9af3 | App Service Environment apps should not be reachable over public internet | To ensure apps deployed in an App Service Environment are not accessible over public internet, one should deploy App Service Environment with an IP address in virtual network. To set the IP address to a virtual network IP, the App Service Environment must be deployed with an internal load balancer. | Default Audit Allowed Audit, Deny, Disabled |
change | 2022-10-14 16:34:37 Major (2.0.0 > 3.0.0) |
|
| Azure Arc | 55c4db33-97b0-437b-8469-c4f4498f5df9 | Configure Azure Arc Private Link Scopes to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Arc Private Link Scopes. Learn more at: https://aka.ms/arc/privatelink. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Network Contributor |
change | 2022-10-07 16:34:28 Minor (1.0.0 > 1.2.0) |
| App Service | fa3a6357-c6d6-4120-8429-855577ec0063 | Configure Function app slots to use the latest TLS version | Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Website Contributor |
add | 2022-10-07 16:34:28 fa3a6357-c6d6-4120-8429-855577ec0063 |
| App Service | a4af4a39-4135-47fb-b175-47fbdf85311d | App Service apps should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Default Audit Allowed Audit, Disabled, Deny |
change | 2022-10-07 16:34:28 Major (3.0.0 > 4.0.0) |
|
| Synapse | 8b5c654c-fb07-471b-aa8f-15fea733f140 | Configure Azure Synapse Workspace Dedicated SQL minimum TLS version | Customers can raise or lower the minimal TLS version using the API, for both new Synapse workspaces or existing workspaces. So users who need to use a lower client version in the workspaces can connect while users who has security requirement can raise the minimum TLS version. Learn more at: https://docs.microsoft.com/azure/synapse-analytics/security/connectivity-settings. | Default Modify Allowed Modify, Disabled |
count: 001 •Contributor |
change | 2022-10-07 16:34:28 Minor (1.0.0 > 1.1.0) |
| App Service | 1b5ef780-c53c-4a64-87f3-bb9c8c8094ba | App Service apps should disable public network access | Disabling public network access improves security by ensuring that the App Service is not exposed on the public internet. Creating private endpoints can limit exposure of an App Service. Learn more at: https://aka.ms/app-service-private-endpoint. | Default Audit Allowed Audit, Disabled, Deny |
add | 2022-10-07 16:34:28 1b5ef780-c53c-4a64-87f3-bb9c8c8094ba |
|
| App Service | 2374605e-3e0b-492b-9046-229af202562c | Configure App Service apps to disable public network access | Disable public network access for your App Services so that it is not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/app-service-private-endpoint. | Default Modify Allowed Modify, Disabled |
count: 001 •Website Contributor |
add | 2022-10-07 16:34:28 2374605e-3e0b-492b-9046-229af202562c |
| App Service | 11c82d0c-db9f-4d7b-97c5-f3f9aa957da2 | Function app slots should disable public network access | Disabling public network access improves security by ensuring that the Function app is not exposed on the public internet. Creating private endpoints can limit exposure of a Function App. Learn more at: https://aka.ms/app-service-private-endpoint. | Default Audit Allowed Audit, Disabled, Deny |
add | 2022-10-07 16:34:28 11c82d0c-db9f-4d7b-97c5-f3f9aa957da2 |
|
| App Service | cd794351-e536-40f4-9750-503a463d8cad | Configure Function apps to disable public network access | Disable public network access for your Function apps so that it is not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/app-service-private-endpoint. | Default Modify Allowed Modify, Disabled |
count: 001 •Website Contributor |
add | 2022-10-07 16:34:28 cd794351-e536-40f4-9750-503a463d8cad |
| App Service | 014664e7-e348-41a3-aeb9-566e4ff6a9df | Configure App Service app slots to use the latest TLS version | Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Website Contributor |
add | 2022-10-07 16:34:28 014664e7-e348-41a3-aeb9-566e4ff6a9df |
| App Service | 242222f3-4985-4e99-b5ef-086d6a6cb01c | Configure Function app slots to disable public network access | Disable public network access for your Function apps so that it is not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/app-service-private-endpoint. | Default Modify Allowed Modify, Disabled |
count: 001 •Website Contributor |
add | 2022-10-07 16:34:28 242222f3-4985-4e99-b5ef-086d6a6cb01c |
| App Service | 89691ef9-8c50-49a8-8950-9c7fba41699e | Function app slots should have remote debugging turned off | Remote debugging requires inbound ports to be opened on Function apps. Remote debugging should be turned off. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add | 2022-10-07 16:34:28 89691ef9-8c50-49a8-8950-9c7fba41699e |
|
| App Service | 5e5dbe3f-2702-4ffc-8b1e-0cae008a5c71 | Function app slots should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Default Audit Allowed Audit, Disabled, Deny |
change | 2022-10-07 16:34:28 Major (1.0.0 > 2.0.0) |
|
| SQL | fd2d1a6e-6d95-4df2-ad00-504bf0273406 | Configure Arc-enabled machines running SQL Server to have SQL Server extension installed. | To ensure that SQL Server - Azure Arc resources are created by default when SQL Server instance is found on Azure Arc enabled Windows/Linux Server, the latter should have SQL Server extension installed | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •User Access Administrator |
change | 2022-10-07 16:34:28 Major (2.1.0 > 3.0.0) |
| Azure Arc | d6eeba80-df61-4de5-8772-bc1b7852ba6b | Configure Azure Arc Private Link Scopes with private endpoints | Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Azure Arc Private Link Scopes, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/arc/privatelink. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 003 •Azure Connected Machine Resource Administrator •Kubernetes Cluster - Azure Arc Onboarding •Network Contributor |
change | 2022-10-07 16:34:28 Major (1.0.0 > 2.0.0) |
| App Service | 4a15c15f-90d5-4a1f-8b63-2903944963fd | App Service app slots should use managed identity | Use a managed identity for enhanced authentication security | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add | 2022-10-07 16:34:28 4a15c15f-90d5-4a1f-8b63-2903944963fd |
|
| App Service | 701a595d-38fb-4a66-ae6d-fb3735217622 | App Service app slots should disable public network access | Disabling public network access improves security by ensuring that the App Service is not exposed on the public internet. Creating private endpoints can limit exposure of an App Service. Learn more at: https://aka.ms/app-service-private-endpoint. | Default Audit Allowed Audit, Disabled, Deny |
add | 2022-10-07 16:34:28 701a595d-38fb-4a66-ae6d-fb3735217622 |
|
| Synapse | 2158ddbe-fefa-408e-b43f-d4faef8ff3b8 | Synapse Workspaces should use only Azure Active Directory identities for authentication | Azure Active Directory (AAD) only authentication methods improves security by ensuring that Synapse Workspaces exclusively require AAD identities for authentication. Learn more at: https://aka.ms/Synapse. | Default Audit Allowed Audit, Deny, Disabled |
add | 2022-10-07 16:34:28 2158ddbe-fefa-408e-b43f-d4faef8ff3b8 |
|
| App Service | d639b3af-a535-4bef-8dcf-15078cddf5e2 | App Service app slots should have resource logs enabled | Audit enabling of resource logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add | 2022-10-07 16:34:28 d639b3af-a535-4bef-8dcf-15078cddf5e2 |
|
| App Service | 546fe8d2-368d-4029-a418-6af48a7f61e5 | App Service apps should use a SKU that supports private link | With supported SKUs, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to apps, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/private-link. | Default Audit Allowed Audit, Deny, Disabled |
change | 2022-10-07 16:34:28 Patch (4.0.0 > 4.0.1) |
|
| Health Data Services workspace | 64528841-2f92-43f6-a137-d52e5c3dbeac | Azure Health Data Services workspace should use private link | Health Data Services workspace should have at least one approved private endpoint connection. Clients in a virtual network can securely access resources that have private endpoint connections through private links. For more information, visit: https://aka.ms/healthcareapisprivatelink. | Default Audit Allowed Audit, Disabled |
add | 2022-10-07 16:34:28 64528841-2f92-43f6-a137-d52e5c3dbeac |
|
| App Service | ae1b9a8c-dfce-4605-bd91-69213b4a26fc | App Service app slots should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Default Audit Allowed Audit, Disabled, Deny |
change | 2022-10-07 16:34:28 Major (1.0.0 > 2.0.0) |
|
| App Service | 81dff7c0-4020-4b58-955d-c076a2136b56 | [Deprecated]: Configure App Services to disable public network access | Disable public network access for your App Services so that it is not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/app-service-private-endpoint. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Website Contributor |
change | 2022-10-07 16:34:28 Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated) |
| App Service | 4dcfb8b5-05cd-4090-a931-2ec29057e1fc | App Service app slots should use latest 'HTTP Version' | Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add | 2022-10-07 16:34:28 4dcfb8b5-05cd-4090-a931-2ec29057e1fc |
|
| App Service | 6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab | Function apps should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Default Audit Allowed Audit, Disabled, Deny |
change | 2022-10-07 16:34:28 Major (4.0.0 > 5.0.0) |
|
| App Service | 0f98368e-36bc-4716-8ac2-8f8067203b63 | Configure App Service apps to only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Default Modify Allowed Modify, Disabled |
count: 001 •Website Contributor |
change | 2022-10-07 16:34:28 Major (1.0.0 > 2.0.0) |
| Kubernetes | dbbdc317-9734-4dd8-9074-993b29c69008 | Azure Kubernetes Clusters should enable Key Management Service (KMS) | Use Key Management Service (KMS) to encrypt secret data at rest in etcd for Kubernetes cluster security. Learn more at: https://aka.ms/aks/kmsetcdencryption. | Default Audit Allowed Audit, Disabled |
add | 2022-10-07 16:34:28 dbbdc317-9734-4dd8-9074-993b29c69008 |
|
| App Service | a08ae1ab-8d1d-422b-a123-df82b307ba61 | App Service app slots should have remote debugging turned off | Remote debugging requires inbound ports to be opened on an App Service app. Remote debugging should be turned off. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add | 2022-10-07 16:34:28 a08ae1ab-8d1d-422b-a123-df82b307ba61 |
|
| Monitoring | 2fea0c12-e7d4-4e03-b7bf-c34b2b8d787d | [Preview]: Deploy Dependency agent for Linux virtual machine scale sets with Azure Monitoring Agent settings | Deploy Dependency agent for Linux virtual machine scale sets with Azure Monitoring Agent settings if the VM Image (OS) is in the list defined and the agent is not installed. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all virtual machines in the set by calling upgrade on them. In CLI this would be az vmss update-instances. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change | 2022-10-07 16:34:28 Major, suffix remains equal (1.1.1-preview > 2.0.0-preview) |
| Azure Arc | 12e7176a-4919-47ef-922b-34eda4c7f0ce | Azure Arc-enabled kubernetes clusters should be configured with an Azure Arc Private Link Scope | Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping Azure Arc-enabled servers to an Azure Arc Private Link Scope that is configured with a private endpoint, data leakage risks are reduced. Learn more about private links at: https://aka.ms/arc/privatelink. | Default Audit Allowed Audit, Deny, Disabled |
add | 2022-10-07 16:34:28 12e7176a-4919-47ef-922b-34eda4c7f0ce |
|
| App Service | 63a0ac64-5d5f-4569-8a3d-df67cc1ce9d7 | [Deprecated]: App Services should disable public network access | Disabling public network access improves security by ensuring that the App Service is not exposed on the public internet. Creating private endpoints can limit exposure of an App Service. Learn more at: https://aka.ms/app-service-private-endpoint. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change | 2022-10-07 16:34:28 Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated) |
|
| App Service | e2c1c086-2d84-4019-bff3-c44ccd95113c | Function apps should use latest 'HTTP Version' | Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change | 2022-10-07 16:34:28 Major (3.0.0 > 4.0.0) |
|
| Synapse | cb3738a6-82a2-4a18-b87b-15217b9deff4 | Azure Synapse Workspace SQL Server should be running TLS version 1.2 or newer | Setting TLS version to 1.2 or newer improves security by ensuring your Azure Synapse workspace SQL server can only be accessed from clients using TLS 1.2 or newer. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities. | Default Audit Allowed Audit, Deny, Disabled |
change | 2022-10-07 16:34:28 Minor (1.0.0 > 1.1.0) |
|
| App Service | 969ac98b-88a8-449f-883c-2e9adb123127 | Function apps should disable public network access | Disabling public network access improves security by ensuring that the Function app is not exposed on the public internet. Creating private endpoints can limit exposure of a Function App. Learn more at: https://aka.ms/app-service-private-endpoint. | Default Audit Allowed Audit, Disabled, Deny |
add | 2022-10-07 16:34:28 969ac98b-88a8-449f-883c-2e9adb123127 |
|
| App Service | 4ee5b817-627a-435a-8932-116193268172 | App Service app slots should use the latest TLS version | Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add | 2022-10-07 16:34:28 4ee5b817-627a-435a-8932-116193268172 |
|
| Azure Arc | 4002015b-1272-4dfb-8943-fed4aeec39b6 | Configure Azure Arc-enabled Kubernetes clusters to use an Azure Arc Private Link Scope | Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping Azure Arc-enabled servers to an Azure Arc Private Link Scope that is configured with a private endpoint, data leakage risks are reduced. Learn more about private links at: https://aka.ms/arc/privatelink. | Default Modify Allowed Modify, Disabled |
count: 001 •Kubernetes Cluster - Azure Arc Onboarding |
add | 2022-10-07 16:34:28 4002015b-1272-4dfb-8943-fed4aeec39b6 |
| App Service | deb528de-8f89-4101-881c-595899253102 | Function app slots should use the latest TLS version | Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add | 2022-10-07 16:34:28 deb528de-8f89-4101-881c-595899253102 |
|
| App Service | f9d614c5-c173-4d56-95a7-b4437057d193 | Function apps should use the latest TLS version | Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change | 2022-10-07 16:34:28 Patch (2.0.0 > 2.0.1) |
|
| App Service | ae44c1d1-0df2-4ca9-98fa-a3d3ae5b409d | Configure App Service apps to use the latest TLS version | Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Website Contributor |
change | 2022-10-07 16:34:28 Patch (1.0.0 > 1.0.1) |
| App Service | a096cbd0-4693-432f-9374-682f485f23f3 | Configure Function apps to only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Default Modify Allowed Modify, Disabled |
count: 001 •Website Contributor |
change | 2022-10-07 16:34:28 Major (1.0.0 > 2.0.0) |
| Monitoring | d55b81e1-984f-4a96-acab-fae204e3ca7f | [Preview]: Deploy Dependency agent for Linux virtual machines with Azure Monitoring Agent settings | Deploy Dependency agent for Linux virtual machines with Azure Monitoring Agent settings if the VM Image (OS) is in the list defined and the agent is not installed. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
change | 2022-10-07 16:34:28 Major, suffix remains equal (1.1.1-preview > 2.0.0-preview) |
| App Service | fa98f1b1-1f56-4179-9faf-93ad82f3458f | Function app slots should use latest 'HTTP Version' | Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add | 2022-10-07 16:34:28 fa98f1b1-1f56-4179-9faf-93ad82f3458f |
|
| App Service | 1f01f1c7-539c-49b5-9ef4-d4ffa37d22e0 | Configure Function apps to use the latest TLS version | Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Website Contributor |
change | 2022-10-07 16:34:28 Patch (1.0.0 > 1.0.1) |
| App Service | 08cf2974-d178-48a0-b26d-f6b8e555748b | Configure Function app slots to only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Default Modify Allowed Modify, Disabled |
count: 001 •Website Contributor |
change | 2022-10-07 16:34:28 Major (1.0.0 > 2.0.0) |
| Synapse | c3624673-d2ff-48e0-b28c-5de1c6767c3c | Configure Synapse Workspaces to use only Azure Active Directory identities for authentication | Azure Active Directory (AAD) only authentication methods improves security by ensuring that Synapse Workspaces exclusively require AAD identities for authentication. Learn more at: https://aka.ms/Synapse. | Default Modify Allowed Modify, Disabled |
count: 001 •Contributor |
add | 2022-10-07 16:34:28 c3624673-d2ff-48e0-b28c-5de1c6767c3c |
| App Service | cca5adfe-626b-4cc6-8522-f5b6ed2391bd | Configure App Service app slots to turn off remote debugging | Remote debugging requires inbound ports to be opened on an App Service app. Remote debugging should be turned off. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Website Contributor |
add | 2022-10-07 16:34:28 cca5adfe-626b-4cc6-8522-f5b6ed2391bd |
| App Service | 70adbb40-e092-42d5-a6f8-71c540a5efdb | Configure Function app slots to turn off remote debugging | Remote debugging requires inbound ports to be opened on a Function app. Remote debugging should be turned off. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Website Contributor |
add | 2022-10-07 16:34:28 70adbb40-e092-42d5-a6f8-71c540a5efdb |
| App Service | ab9ca4fc-5d29-4c62-bbad-018df1f5f0dd | [Deprecated]: App Service app slots should enable outbound non-RFC 1918 traffic to Azure Virtual Network | By default, if one uses regional Azure Virtual Network (VNET) integration, the app only routes RFC1918 traffic into that respective virtual network. Using the API to set 'vnetRouteAllEnabled' to true enables all outbound traffic into the Azure Virtual Network. This setting allows features like network security groups and user defined routes to be used for all outbound traffic from the App Service app. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add | 2022-10-07 16:34:28 ab9ca4fc-5d29-4c62-bbad-018df1f5f0dd |
|
| App Service | c6c3e00e-d414-4ca4-914f-406699bb8eee | Configure App Service app slots to disable public network access | Disable public network access for your App Services so that it is not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/app-service-private-endpoint. | Default Modify Allowed Modify, Disabled |
count: 001 •Website Contributor |
add | 2022-10-07 16:34:28 c6c3e00e-d414-4ca4-914f-406699bb8eee |
| App Service | f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b | App Service apps should use the latest TLS version | Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change | 2022-10-07 16:34:28 Patch (2.0.0 > 2.0.1) |
|
| App Service | 8c122334-9d20-4eb8-89ea-ac9a705b74ae | App Service apps should use latest 'HTTP Version' | Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change | 2022-10-07 16:34:28 Major (3.0.0 > 4.0.0) |
|
| App Service | a18c77f2-3d6d-497a-9f61-849a7e8a3b79 | Configure App Service app slots to only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Default Modify Allowed Modify, Disabled |
count: 001 •Website Contributor |
change | 2022-10-07 16:34:28 Major (1.0.0 > 2.0.0) |
| Monitoring | 7f89b1eb-583c-429a-8828-af049802c1d9 | Audit diagnostic setting for selected resource types | Audit diagnostic setting for selected resource types. Be sure to select only resource types which support diagnostics settings. | Fixed AuditIfNotExists |
change | 2022-10-05 16:36:28 Major (1.1.0 > 2.0.0) |
|
| Security Center | 808a7dc4-49f2-4e7b-af75-d14e561c244a | [Preview]: Configure supported Windows virtual machine scale sets to automatically install the Azure Security agent | Configure supported Windows virtual machine scale sets to automatically install the Azure Security agent. Security Center collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Target Windows virtual machine scale sets must be in a supported location. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change | 2022-09-30 16:34:23 Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) |
| Guest Configuration | 3dc5edcd-002d-444c-b216-e123bbfa37c0 | [Preview]: Windows virtual machines should enable Azure Disk Encryption or EncryptionAtHost. | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys; temp disks and data caches aren't encrypted, and data isn't encrypted when flowing between compute and storage resources. Use Azure Disk Encryption or EncryptionAtHost to encrypt all this data.Visit https://aka.ms/diskencryptioncomparison to compare encryption offerings. This policy requires two prerequisites to be deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add | 2022-09-30 16:34:23 3dc5edcd-002d-444c-b216-e123bbfa37c0 |
|
| Security Center | bb2c6c6d-14bc-4443-bef3-c6be0adc6076 | [Preview]: Azure Security agent should be installed on your Windows virtual machines | Install the Azure Security agent on your Windows virtual machines in order to monitor your machines for security configurations and vulnerabilities. Results of the assessments can seen and managed in Azure Security Center. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change | 2022-09-30 16:34:23 Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) |
|
| Guest Configuration | ca88aadc-6e2b-416c-9de2-5a0f01d1693f | [Preview]: Linux virtual machines should enable Azure Disk Encryption or EncryptionAtHost. | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys; temp disks and data caches aren't encrypted, and data isn't encrypted when flowing between compute and storage resources. Use Azure Disk Encryption or EncryptionAtHost to encrypt all this data.Visit https://aka.ms/diskencryptioncomparison to compare encryption offerings. This policy requires two prerequisites to be deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add | 2022-09-30 16:34:23 ca88aadc-6e2b-416c-9de2-5a0f01d1693f |
|
| Security Center | 6654c8c4-e6f8-43f8-8869-54327af7ce32 | [Preview]: Configure supported Linux virtual machine scale sets to automatically install the Azure Security agent | Configure supported Linux virtual machine scale sets to automatically install the Azure Security agent. Security Center collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Target virtual machines must be in a supported location. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change | 2022-09-30 16:34:23 Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) |
| Security Center | 1537496a-b1e8-482b-a06a-1cc2415cdc7b | [Preview]: Configure supported Windows machines to automatically install the Azure Security agent | Configure supported Windows machines to automatically install the Azure Security agent. Security Center collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Target virtual machines must be in a supported location. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change | 2022-09-30 16:34:23 Major, suffix remains equal (4.0.0-preview > 5.0.0-preview) |
| Security Center | e16f967a-aa57-4f5e-89cd-8d1434d0a29a | [Preview]: Azure Security agent should be installed on your Windows virtual machine scale sets | Install the Azure Security agent on your Windows virtual machine scale sets in order to monitor your machines for security configurations and vulnerabilities. Results of the assessments can seen and managed in Azure Security Center. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change | 2022-09-30 16:34:23 Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) |
|
| Security Center | 5f8eb305-9c9f-4abe-9bb0-df220d9faba2 | [Preview]: Configure supported Linux virtual machines to automatically install the Azure Security agent | Configure supported Linux virtual machines to automatically install the Azure Security agent. Security Center collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Target virtual machines must be in a supported location. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change | 2022-09-30 16:34:23 Major, suffix remains equal (6.0.0-preview > 7.0.0-preview) |
| Security Center | 62b52eae-c795-44e3-94e8-1b3d264766fb | [Preview]: Azure Security agent should be installed on your Linux virtual machine scale sets | Install the Azure Security agent on your Linux virtual machine scale sets in order to monitor your machines for security configurations and vulnerabilities. Results of the assessments can seen and managed in Azure Security Center. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change | 2022-09-30 16:34:23 Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) |
|
| Synapse | cfaf0007-99c7-4b01-b36b-4048872ac978 | Azure Synapse Analytics dedicated SQL pools should enable encryption | Enable transparent data encryption for Azure Synapse Analytics dedicated SQL pools to protect data-at-rest and meet compliance requirements. Please note that enabling transparent data encryption for the pool may impact query performance. More details can refer to https://go.microsoft.com/fwlink/?linkid=2147714 | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add | 2022-09-30 16:34:23 cfaf0007-99c7-4b01-b36b-4048872ac978 |
|
| Security Center | e8794316-d918-4565-b57d-6b38a06381a0 | [Preview]: Azure Security agent should be installed on your Linux virtual machines | Install the Azure Security agent on your Linux virtual machines in order to monitor your machines for security configurations and vulnerabilities. Results of the assessments can seen and managed in Azure Security Center. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change | 2022-09-30 16:34:23 Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) |
|
| Regulatory Compliance | 0461cacd-0b3b-4f66-11c5-81c9b19a3d22 | Verify inaccurate or outdated PII | CMA_C1823 - Verify inaccurate or outdated PII | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 69d90ee6-9f9f-262a-2038-d909fb4e5723 | Identify spilled information | CMA_0303 - Identify spilled information | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 496b407d-9b9e-81e8-4ba4-44bc686b016a | Conduct exit interview upon termination | CMA_0058 - Conduct exit interview upon termination | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 7d10debd-4775-85a7-1a41-7e128e0e8c50 | Automate process to prohibit implementation of unapproved changes | CMA_C1194 - Automate process to prohibit implementation of unapproved changes | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | e336d5f4-4d8f-0059-759c-ae10f63d1747 | Enforce user uniqueness | CMA_0250 - Enforce user uniqueness | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | d25cbded-121e-0ed6-1857-dc698c9095b1 | Take action in response to customer information | CMA_C1554 - Take action in response to customer information | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 2b2f3a72-9e68-3993-2b69-13dcdecf8958 | Define requirements for supplying goods and services | CMA_0126 - Define requirements for supplying goods and services | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | db580551-0b3c-4ea1-8a4c-4cdb5feb340f | Provide the logout capability | CMA_C1055 - Provide the logout capability | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | af227964-5b8b-22a2-9364-06d2cb9d6d7c | Develop information security policies and procedures | CMA_0158 - Develop information security policies and procedures | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 6b957f60-54cd-5752-44d5-ff5a64366c93 | Develop SSP that meets criteria | CMA_C1492 - Develop SSP that meets criteria | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 86ecd378-a3a0-5d5b-207c-05e6aaca43fc | Detect network services that have not been authorized or approved | CMA_C1700 - Detect network services that have not been authorized or approved | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | cbfa1bd0-714d-8d6f-0480-2ad6a53972df | Define and document government oversight | CMA_C1587 - Define and document government oversight | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 0dcbaf2f-075e-947b-8f4c-74ecc5cd302c | Identify individuals with security roles and responsibilities | CMA_C1566 - Identify individuals with security roles and responsibilities | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 92ede480-154e-0e22-4dca-8b46a74a3a51 | Maintain records of processing of personal data | CMA_0353 - Maintain records of processing of personal data | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 59f7feff-02aa-6539-2cf7-bea75b762140 | Develop access control policies and procedures | CMA_0144 - Develop access control policies and procedures | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | f27a298f-9443-014a-0d40-fef12adf0259 | Review administrator assignments weekly | CMA_0461 - Review administrator assignments weekly | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | be1c34ab-295a-07a6-785c-36f63c1d223e | Obtain user security function documentation | CMA_C1581 - Obtain user security function documentation | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 676c3c35-3c36-612c-9523-36d266a65000 | Require developers to provide training | CMA_C1611 - Require developers to provide training | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 0bbfd658-93ab-6f5e-1e19-3c1c1da62d01 | Keep accurate accounting of disclosures of information | CMA_C1818 - Keep accurate accounting of disclosures of information | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 7b28ba4f-0a87-46ac-62e1-46b7c09202a8 | Monitor account activity | CMA_0377 - Monitor account activity | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 921ae4c1-507f-5ddb-8a58-cfa9b5fd96f0 | Establish authenticator types and processes | CMA_0267 - Establish authenticator types and processes | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | d041726f-00e0-41ca-368c-b1a122066482 | Provide role-based practical exercises | CMA_C1096 - Provide role-based practical exercises | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 29363ae1-68cd-01ca-799d-92c9197c8404 | Manage authenticator lifetime and reuse | CMA_0355 - Manage authenticator lifetime and reuse | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 10c4210b-3ec9-9603-050d-77e4d26c7ebb | Enforce logical access | CMA_0245 - Enforce logical access | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 62fa14f0-4cbe-762d-5469-0899a99b98aa | Explicitly notify use of collaborative computing devices | CMA_C1649 - Explicitly notify use of collaborative computing devices | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 043c1e56-5a16-52f8-6af8-583098ff3e60 | Create a data inventory | CMA_0096 - Create a data inventory | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | db28735f-518f-870e-15b4-49623cbe3aa0 | Verify software, firmware and information integrity | CMA_0542 - Verify software, firmware and information integrity | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | b8dad106-6444-5f55-307e-1e1cc9723e39 | Ensure cryptographic mechanisms are under configuration management | CMA_C1199 - Ensure cryptographic mechanisms are under configuration management | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 0a24f5dc-8c40-94a7-7aee-bb7cd4781d37 | Issue guidelines for ensuring data quality and integrity | CMA_C1824 - Issue guidelines for ensuring data quality and integrity | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 56fb5173-3865-5a5d-5fad-ae33e53e1577 | Address information security issues | CMA_C1742 - Address information security issues | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | c6fe3856-4635-36b6-983c-070da12a953b | Implement the risk management strategy | CMA_C1744 - Implement the risk management strategy | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | b8ec9ebb-5b7f-8426-17c1-2bc3fcd54c6e | Implement methods for consumer requests | CMA_0319 - Implement methods for consumer requests | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 203101f5-99a3-1491-1b56-acccd9b66a9e | Conduct a security impact analysis | CMA_0057 - Conduct a security impact analysis | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 3eecf628-a1c8-1b48-1b5c-7ca781e97970 | Specify permitted actions associated with customer audit information | CMA_C1122 - Specify permitted actions associated with customer audit information | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 4b8fd5da-609b-33bf-9724-1c946285a14c | Notify Account Managers of customer controlled accounts | CMA_C1009 - Notify Account Managers of customer controlled accounts | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | de251b09-4a5e-1204-4bef-62ac58d47999 | Adjust level of audit review, analysis, and reporting | CMA_C1123 - Adjust level of audit review, analysis, and reporting | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | ae5345d5-8dab-086a-7290-db43a3272198 | Identify and authenticate network devices | CMA_0296 - Identify and authenticate network devices | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | e0c480bf-0d68-a42d-4cbb-b60f851f8716 | Implement personnel screening | CMA_0322 - Implement personnel screening | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 3881168c-5d38-6f04-61cc-b5d87b2c4c58 | Establish third-party personnel security requirements | CMA_C1529 - Establish third-party personnel security requirements | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 7ad83b58-2042-085d-08f0-13e946f26f89 | Update rules of behavior and access agreements every 3 years | CMA_0522 - Update rules of behavior and access agreements every 3 years | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | bf883b14-9c19-0f37-8825-5e39a8b66d5b | Perform threat modeling | CMA_0392 - Perform threat modeling | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 4a6f5cbd-6c6b-006f-2bb1-091af1441bce | Review malware detections report weekly | CMA_0475 - Review malware detections report weekly | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 32f22cfa-770b-057c-965b-450898425519 | Revoke privileged roles as appropriate | CMA_0483 - Revoke privileged roles as appropriate | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 05ec66a2-137c-14b8-8e75-3d7a2bef07f8 | Implement physical security for offices, working areas, and secure areas | CMA_0323 - Implement physical security for offices, working areas, and secure areas | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 51e4b233-8ee3-8bdc-8f5f-f33bd0d229b7 | Define a physical key management process | CMA_0115 - Define a physical key management process | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 8e920169-739d-40b5-3f99-c4d855327bb2 | Prohibit binary/machine-executable code | CMA_C1717 - Prohibit binary/machine-executable code | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | d7c1ecc3-2980-a079-1569-91aec8ac4a77 | Conduct risk assessment and distribute its results | CMA_C1544 - Conduct risk assessment and distribute its results | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 9c93ef57-7000-63fb-9b74-88f2e17ca5d2 | Disseminate security alerts to personnel | CMA_C1705 - Disseminate security alerts to personnel | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Security Center | 6074e9a3-c711-4856-976d-24d51f9e065b | [Preview]: Configure supported Linux virtual machines to automatically install the Guest Attestation extension | Configure supported Linux virtual machines to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change | 2022-09-27 16:35:32 Major, suffix remains equal (6.0.0-preview > 7.0.0-preview) |
| Regulatory Compliance | ba78efc6-795c-64f4-7a02-91effbd34af9 | Execute actions in response to information spills | CMA_0281 - Execute actions in response to information spills | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 1bc7fd64-291f-028e-4ed6-6e07886e163f | Employ least privilege access | CMA_0212 - Employ least privilege access | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 518eafdd-08e5-37a9-795b-15a8d798056d | Provide privacy training | CMA_0415 - Provide privacy training | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | b470a37a-7a47-3792-34dd-7a793140702e | Establish relationship between incident response capability and external providers | CMA_C1376 - Establish relationship between incident response capability and external providers | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 95eb7d09-9937-5df9-11d9-20317e3f60df | Provide formal notice to individuals | CMA_C1864 - Provide formal notice to individuals | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 245fe58b-96f8-9f1e-48c5-7f49903f66fd | Establish alternate storage site that facilitates recovery operations | CMA_C1270 - Establish alternate storage site that facilitates recovery operations | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 3ad7f0bc-3d03-0585-4d24-529779bb02c2 | Maintain availability of information | CMA_C1644 - Maintain availability of information | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 1ecb79d7-1a06-9a3b-3be8-f434d04d1ec1 | Adhere to retention periods defined | CMA_0004 - Adhere to retention periods defined | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 5023a9e7-8e64-2db6-31dc-7bce27f796af | Provide privacy notice to the public and to individuals | CMA_C1861 - Provide privacy notice to the public and to individuals | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 2d2ca910-7957-23ee-2945-33f401606efc | Accept only FICAM-approved third-party credentials | CMA_C1348 - Accept only FICAM-approved third-party credentials | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 1e876c5c-0f2a-8eb6-69f7-5f91e7918ed6 | Review development process, standards and tools | CMA_C1610 - Review development process, standards and tools | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 7a489c62-242c-5db9-74df-c073056d6fa3 | Designate personnel to supervise unauthorized maintenance activities | CMA_C1422 - Designate personnel to supervise unauthorized maintenance activities | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 35de8462-03ff-45b3-5746-9d4603c74c56 | Implement an insider threat program | CMA_C1751 - Implement an insider threat program | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 6a379d74-903b-244a-4c44-838728bea6b0 | Analyse data obtained from continuous monitoring | CMA_C1169 - Analyse data obtained from continuous monitoring | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 5c33538e-02f8-0a7f-998b-a4c1e22076d3 | Govern compliance of cloud service providers | CMA_0290 - Govern compliance of cloud service providers | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 72889284-15d2-90b2-4b39-a1e9541e1152 | Verify identity before distributing authenticators | CMA_0538 - Verify identity before distributing authenticators | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | af38215f-70c4-0cd6-40c2-c52d86690a45 | Set automated notifications for new and trending cloud applications in your organization | CMA_0495 - Set automated notifications for new and trending cloud applications in your organization | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 575ed5e8-4c29-99d0-0e4d-689fb1d29827 | Automate approval request for proposed changes | CMA_C1192 - Automate approval request for proposed changes | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 6625638f-3ba1-7404-5983-0ea33d719d34 | Review audit data | CMA_0466 - Review audit data | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | ed87d27a-9abf-7c71-714c-61d881889da4 | Monitor privileged role assignment | CMA_0378 - Monitor privileged role assignment | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Security Center | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | [Preview]: Secure Boot should be enabled on supported Windows virtual machines | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Default Audit Allowed Audit, Disabled |
change | 2022-09-27 16:35:32 Major, suffix remains equal (3.0.0-preview > 4.0.0-preview) |
|
| Regulatory Compliance | 41172402-8d73-64c7-0921-909083c086b0 | Not allow for information systems to accompany with individuals | CMA_C1182 - Not allow for information systems to accompany with individuals | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 63f63e71-6c3f-9add-4c43-64de23e554a7 | Manage gateways | CMA_0363 - Manage gateways | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 07b42fb5-027e-5a3c-4915-9d9ef3020ec7 | Discover any indicators of compromise | CMA_C1702 - Discover any indicators of compromise | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 834b7a4a-83ab-2188-1a26-9c5033d8173b | Incorporate security and data privacy practices in research processing | CMA_0331 - Incorporate security and data privacy practices in research processing | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | df2e9507-169b-4114-3a52-877561ee3198 | Implement security engineering principles of information systems | CMA_0325 - Implement security engineering principles of information systems | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 3d399cf3-8fc6-0efc-6ab0-1412f1198517 | Block untrusted and unsigned processes that run from USB | CMA_0050 - Block untrusted and unsigned processes that run from USB | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | ff1efad2-6b09-54cc-01bf-d386c4d558a8 | Secure the interface to external systems | CMA_0491 - Secure the interface to external systems | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | eb598832-4bcc-658d-4381-3ecbe17b9866 | Provide timely maintenance support | CMA_C1425 - Provide timely maintenance support | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 3545c827-26ee-282d-4629-23952a12008b | Conduct incident response testing | CMA_0060 - Conduct incident response testing | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 3a868d0c-538f-968b-0191-bddb44da5b75 | Require developers to document approved changes and potential impact | CMA_C1597 - Require developers to document approved changes and potential impact | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | eaaae23f-92c9-4460-51cf-913feaea4d52 | Employ a media sanitization mechanism | CMA_0208 - Employ a media sanitization mechanism | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 6f1de470-79f3-1572-866e-db0771352fc8 | Authenticate to cryptographic module | CMA_0021 - Authenticate to cryptographic module | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 7d70383a-32f4-a0c2-61cf-a134851968c2 | Determine legal authority to collect PII | CMA_C1800 - Determine legal authority to collect PII | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 8489ff90-8d29-61df-2d84-f9ab0f4c5e84 | Notify when account is not needed | CMA_0383 - Notify when account is not needed | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 0471c6b7-1588-701c-2713-1fade73b75f6 | Display an explicit logout message | CMA_C1056 - Display an explicit logout message | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 13ef3484-3a51-785a-9c96-500f21f84edd | Information flow control using security policy filters | CMA_C1029 - Information flow control using security policy filters | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 3c5e0e1a-216f-8f49-0a15-76ed0d8b8e1f | Perform vulnerability scans | CMA_0393 - Perform vulnerability scans | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 037c0089-6606-2dab-49ad-437005b5035f | Identify incident response personnel | CMA_0301 - Identify incident response personnel | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 04837a26-2601-1982-3da7-bf463e6408f4 | Develop configuration management plan | CMA_C1232 - Develop configuration management plan | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | cf79f602-1e60-5423-6c0c-e632c2ea1fc0 | Implement controls to protect PII | CMA_C1839 - Implement controls to protect PII | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 9ac8621d-9acd-55bf-9f99-ee4212cc3d85 | Provide periodic role-based security training | CMA_C1095 - Provide periodic role-based security training | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 1ff03f2a-974b-3272-34f2-f6cd51420b30 | Obscure feedback information during authentication process | CMA_C1344 - Obscure feedback information during authentication process | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 46ab2c5e-6654-1f58-8c83-e97a44f39308 | Identify external service providers | CMA_C1591 - Identify external service providers | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | cdcb825f-a0fb-31f9-29c1-ab566718499a | Publish Computer Matching Agreements on public website | CMA_C1829 - Publish Computer Matching Agreements on public website | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | fe2dff43-0a8c-95df-0432-cb1c794b17d0 | Notify users of system logon or access | CMA_0382 - Notify users of system logon or access | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 611ebc63-8600-50b6-a0e3-fef272457132 | Employ independent team for penetration testing | CMA_C1171 - Employ independent team for penetration testing | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 677e1da4-00c3-287a-563d-f4a1cf9b99a0 | Conduct Risk Assessment | CMA_C1543 - Conduct Risk Assessment | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | ea9d7c95-2f10-8a4d-61d8-7469bd2e8d65 | Update antivirus definitions | CMA_0517 - Update antivirus definitions | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | b544f797-a73b-1be3-6d01-6b1a085376bc | Establish information security workforce development and improvement program | CMA_C1752 - Establish information security workforce development and improvement program | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 7c7032fe-9ce6-9092-5890-87a1a3755db1 | Retain terminated user data | CMA_0455 - Retain terminated user data | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | ad1d562b-a04b-15d3-6770-ed310b601cb5 | Publish rules and regulations accessing Privacy Act records | CMA_C1847 - Publish rules and regulations accessing Privacy Act records | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | c981fa70-2e58-8141-1457-e7f62ebc2ade | Document organizational access agreements | CMA_0192 - Document organizational access agreements | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 015b4935-448a-8684-27c0-d13086356c33 | Implement a threat awareness program | CMA_C1758 - Implement a threat awareness program | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 9b8b05ec-3d21-215e-5d98-0f7cf0998202 | Provide security awareness training for insider threats | CMA_0417 - Provide security awareness training for insider threats | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | e4b00788-7e1c-33ec-0418-d048508e095b | Implement training for protecting authenticators | CMA_0329 - Implement training for protecting authenticators | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 8019d788-713d-90a1-5570-dac5052f517d | Train staff on PII sharing and its consequences | CMA_C1871 - Train staff on PII sharing and its consequences | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | bd6cbcba-4a2d-507c-53e3-296b5c238a8e | Develop and document a business continuity and disaster recovery plan | CMA_0146 - Develop and document a business continuity and disaster recovery plan | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 83eea3d3-0d2c-9ccd-1021-2111b29b2a62 | Ensure system capable of dynamic isolation of resources | CMA_C1638 - Ensure system capable of dynamic isolation of resources | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | cd36eeec-67e7-205a-4b64-dbfe3b4e3e4e | Implement controls to secure alternate work sites | CMA_0315 - Implement controls to secure alternate work sites | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | bbb2e6d6-085f-5a35-a55d-e45daad38933 | Provide secure name and address resolution services | CMA_0416 - Provide secure name and address resolution services | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 1e0d5ba8-a433-01aa-829c-86b06c9631ec | Include dynamic reconfig of customer deployed resources | CMA_C1364 - Include dynamic reconfig of customer deployed resources | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Security Center | a21f8c92-9e22-4f09-b759-50500d1d2dda | [Preview]: Guest Attestation extension should be installed on supported Linux virtual machines scale sets | Install Guest Attestation extension on supported Linux virtual machines scale sets to allow Azure Security Center to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment applies to Trusted Launch and Confidential Linux virtual machine scale sets. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change | 2022-09-27 16:35:32 Major, suffix remains equal (4.0.0-preview > 5.0.0-preview) |
|
| Regulatory Compliance | f7eb1d0b-6d4f-2d59-1591-7563e11a9313 | Define and enforce conditions for shared and group accounts | CMA_0117 - Define and enforce conditions for shared and group accounts | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | fad161f5-5261-401a-22dd-e037bae011bd | Review threat protection status weekly | CMA_0479 - Review threat protection status weekly | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 0a412110-3874-9f22-187a-c7a81c8a6704 | Establish alternate storage site to store and retrieve backup information | CMA_C1267 - Establish alternate storage site to store and retrieve backup information | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | ca748dfe-3e28-1d18-4221-89aea30aa0a5 | Identify status of individual users | CMA_C1316 - Identify status of individual users | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 34d38ea7-6754-1838-7031-d7fd07099821 | Manage system and admin accounts | CMA_0368 - Manage system and admin accounts | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 8e49107c-3338-40d1-02aa-d524178a2afe | Deliver security assessment results | CMA_C1147 - Deliver security assessment results | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | cc2f7339-2fac-1ea9-9ca3-cd530fbb0da2 | Create alternative actions for identified anomalies | CMA_C1711 - Create alternative actions for identified anomalies | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 28aa060e-25c7-6121-05d8-a846f11433df | Review and update planning policies and procedures | CMA_C1491 - Review and update planning policies and procedures | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 13939f8c-4cd5-a6db-9af4-9dfec35e3722 | Identify and mitigate potential issues at alternate storage site | CMA_C1271 - Identify and mitigate potential issues at alternate storage site | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 33d34fac-56a8-1c0f-0636-3ed94892a709 | Govern the allocation of resources | CMA_0293 - Govern the allocation of resources | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 171e377b-5224-4a97-1eaa-62a3b5231dac | Generate internal security alerts | CMA_C1704 - Generate internal security alerts | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 68a39c2b-0f17-69ee-37a3-aa10f9853a08 | Establish voip usage restrictions | CMA_0280 - Establish voip usage restrictions | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | e603da3a-8af7-4f8a-94cb-1bcc0e0333d2 | Manage the input, output, processing, and storage of data | CMA_0369 - Manage the input, output, processing, and storage of data | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 14a4fd0a-9100-1e12-1362-792014a28155 | Update contingency plan | CMA_C1248 - Update contingency plan | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 39999038-9ef1-602a-158c-ce2367185230 | Define performance metrics | CMA_0124 - Define performance metrics | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 6228396e-2ace-7ca5-3247-45767dbf52f4 | Notify personnel upon sanctions | CMA_0380 - Notify personnel upon sanctions | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 6c79c3e5-5f7b-a48a-5c7b-8c158bc01115 | Ensure security categorization is approved | CMA_C1540 - Ensure security categorization is approved | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 3c93dba1-84fd-57de-33c7-ef0400a08134 | Establish terms and conditions for accessing resources | CMA_C1076 - Establish terms and conditions for accessing resources | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 37546841-8ea1-5be0-214d-8ac599588332 | Maintain incident response plan | CMA_0352 - Maintain incident response plan | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 08c11b48-8745-034d-1c1b-a144feec73b9 | Restrict use of open source software | CMA_C1237 - Restrict use of open source software | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | bd4dc286-2f30-5b95-777c-681f3a7913d3 | Establish and document change control processes | CMA_0265 - Establish and document change control processes | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | dbcef108-7a04-38f5-8609-99da110a2a57 | Determine information protection needs | CMA_C1750 - Determine information protection needs | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 311802f9-098d-0659-245a-94c5d47c0182 | Employ boundary protection to isolate information systems | CMA_C1639 - Employ boundary protection to isolate information systems | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | dad8a2e9-6f27-4fc2-8933-7e99fe700c9c | Authorize remote access | CMA_0024 - Authorize remote access | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 398fdbd8-56fd-274d-35c6-fa2d3b2755a1 | Establish firewall and router configuration standards | CMA_0272 - Establish firewall and router configuration standards | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Monitoring | 1f6e93e8-6b31-41b1-83f6-36e449a42579 | Deploy Diagnostic Settings for Event Hub to Log Analytics workspace | Deploys the diagnostic settings for Event Hub to stream to a regional Log Analytics workspace when any Event Hub which is missing this diagnostic settings is created or updated. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change | 2022-09-27 16:35:32 Major (1.1.0 > 2.0.0) |
| Regulatory Compliance | 5715bf33-a5bd-1084-4e19-bc3c83ec1c35 | Establish terms and conditions for processing resources | CMA_C1077 - Establish terms and conditions for processing resources | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 291f20d4-8d93-1d73-89f3-6ce28b825563 | Authorize, monitor, and control usage of mobile code technologies | CMA_C1653 - Authorize, monitor, and control usage of mobile code technologies | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 7a114735-a420-057d-a651-9a73cd0416ef | Require developers to provide unified security protection approach | CMA_C1614 - Require developers to provide unified security protection approach | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | d8bbd80e-3bb1-5983-06c2-428526ec6a63 | Establish a password policy | CMA_0256 - Establish a password policy | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 4c385143-09fd-3a34-790c-a5fd9ec77ddc | Provide role-based security training | CMA_C1094 - Provide role-based security training | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 7d7a8356-5c34-9a95-3118-1424cfaf192a | Adopt biometric authentication mechanisms | CMA_0005 - Adopt biometric authentication mechanisms | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 4edaca8c-0912-1ac5-9eaa-6a1057740fae | Provide capability to disconnect or disable remote access | CMA_C1066 - Provide capability to disconnect or disable remote access | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 34aac8b2-488a-2b96-7280-5b9b481a317a | Incorporate flaw remediation into configuration management | CMA_C1671 - Incorporate flaw remediation into configuration management | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 0065241c-72e9-3b2c-556f-75de66332a94 | Establish parameters for searching secret authenticators and verifiers | CMA_0274 - Establish parameters for searching secret authenticators and verifiers | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 509552f5-6528-3540-7959-fbeae4832533 | Enforce rules of behavior and access agreements | CMA_0248 - Enforce rules of behavior and access agreements | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 8b333332-6efd-7c0d-5a9f-d1eb95105214 | Employ FIPS 201-approved technology for PIV | CMA_C1579 - Employ FIPS 201-approved technology for PIV | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | b8587fce-138f-86e8-33a3-c60768bf1da6 | Automate remote maintenance activities | CMA_C1402 - Automate remote maintenance activities | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 77cc89bb-774f-48d7-8a84-fb8c322c3000 | Track software license usage | CMA_C1235 - Track software license usage | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | ef718fe4-7ceb-9ddf-3198-0ee8f6fe9cba | Review file and folder activity | CMA_0473 - Review file and folder activity | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 13efd2d7-3980-a2a4-39d0-527180c009e8 | Document security assurance requirements in acquisition contracts | CMA_0199 - Document security assurance requirements in acquisition contracts | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 3e37c891-840c-3eb4-78d2-e2e0bb5063e0 | Require developers to describe accurate security functionality | CMA_C1613 - Require developers to describe accurate security functionality | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | e714b481-8fac-64a2-14a9-6f079b2501a4 | Use privileged identity management | CMA_0533 - Use privileged identity management | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 03b6427e-6072-4226-4bd9-a410ab65317e | Design an access control model | CMA_0129 - Design an access control model | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 2e7a98c9-219f-0d58-38dc-d69038224442 | Protect the information security program plan | CMA_C1732 - Protect the information security program plan | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 57927290-8000-59bf-3776-90c468ac5b4b | Document security functional requirements in acquisition contracts | CMA_0201 - Document security functional requirements in acquisition contracts | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | fc26e2fd-3149-74b4-5988-d64bb90f8ef7 | Separately store backup information | CMA_C1293 - Separately store backup information | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 59bedbdc-0ba9-39b9-66bb-1d1c192384e6 | Control information flow | CMA_0079 - Control information flow | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 056a723b-4946-9d2a-5243-3aa27c4d31a1 | Satisfy token quality requirements | CMA_0487 - Satisfy token quality requirements | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 085467a6-9679-5c65-584a-f55acefd0d43 | Require developers to implement only approved changes | CMA_C1596 - Require developers to implement only approved changes | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 68d2e478-3b19-23eb-1357-31b296547457 | Enforce software execution privileges | CMA_C1041 - Enforce software execution privileges | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | eb1c944e-0e94-647b-9b7e-fdb8d2af0838 | Review user groups and applications with access to sensitive data | CMA_0481 - Review user groups and applications with access to sensitive data | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | ef5a7059-6651-73b1-18b3-75b1b79c1565 | Define information security roles and responsibilities | CMA_C1565 - Define information security roles and responsibilities | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 4502e506-5f35-0df4-684f-b326e3cc7093 | Terminate user session automatically | CMA_C1054 - Terminate user session automatically | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | ff136354-1c92-76dc-2dab-80fb7c6a9f1a | Observe and report security weaknesses | CMA_0384 - Observe and report security weaknesses | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 84245967-7882-54f6-2d34-85059f725b47 | Establish an information security program | CMA_0263 - Establish an information security program | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 26daf649-22d1-97e9-2a8a-01b182194d59 | Configure workstations to check for digital certificates | CMA_0073 - Configure workstations to check for digital certificates | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | e7422f08-65b4-50e4-3779-d793156e0079 | Develop a concept of operations (CONOPS) | CMA_0141 - Develop a concept of operations (CONOPS) | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | d78f95ba-870a-a500-6104-8a5ce2534f19 | Document protection of security information in acquisition contracts | CMA_0195 - Document protection of security information in acquisition contracts | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 50e81644-923d-33fc-6ebb-9733bc8d1a06 | Perform a trend analysis on threats | CMA_0389 - Perform a trend analysis on threats | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 22457e81-3ec6-5271-a786-c3ca284601dd | Isolate information spills | CMA_0346 - Isolate information spills | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | fd81a1b3-2d7a-107c-507e-29b87d040c19 | Enforce appropriate usage of all accounts | CMA_C1023 - Enforce appropriate usage of all accounts | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | ffdaa742-0d6f-726f-3eac-6e6c34e36c93 | Establish usage restrictions for mobile code technologies | CMA_C1652 - Establish usage restrictions for mobile code technologies | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 0040d2e5-2779-170d-6a2c-1f5fca353335 | Restrict location of information processing, storage and services | CMA_C1593 - Restrict location of information processing, storage and services | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Monitoring | d4b065e2-fbda-4461-a42c-b0346aeb12a0 | The legacy Log Analytics extension should not be installed on Linux virtual machines | Automatically prevent installation of the legacy Log Analytics Agent as the final step of migrating from legacy agents to Azure Monitor Agent. After you have uninstalled existing legacy extensions, this policy will deny all future installations of the legacy agent extension on Linux virtual machines. Learn more: https://aka.ms/migratetoAMA | Default Audit Allowed Deny, Audit, Disabled |
add | 2022-09-27 16:35:32 d4b065e2-fbda-4461-a42c-b0346aeb12a0 |
|
| Regulatory Compliance | 318b2bd9-9c39-9f8b-46a7-048401f33476 | Address coding vulnerabilities | CMA_0003 - Address coding vulnerabilities | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 9c276cf3-596f-581a-7fbd-f5e46edaa0f4 | Manage symmetric cryptographic keys | CMA_0367 - Manage symmetric cryptographic keys | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 5269d7e4-3768-501d-7e46-66c56c15622c | Manage contacts for authorities and special interest groups | CMA_0359 - Manage contacts for authorities and special interest groups | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 10874318-0bf7-a41f-8463-03e395482080 | Correlate audit records | CMA_0087 - Correlate audit records | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 477bd136-7dd9-55f8-48ac-bae096b86a07 | Develop POA&M | CMA_C1156 - Develop POA&M | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 8b077bff-516f-3983-6c42-c86e9a11868b | Designate individuals to fulfill specific roles and responsibilities | CMA_C1747 - Designate individuals to fulfill specific roles and responsibilities | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | f3c17714-8ce7-357f-4af2-a0baa63a063f | Make SORNs available publicly | CMA_C1865 - Make SORNs available publicly | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 464a7d7a-2358-4869-0b49-6d582ca21292 | Ensure capital planning and investment requests include necessary resources | CMA_C1734 - Ensure capital planning and investment requests include necessary resources | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 1afada58-8b34-7ac2-a38a-983218635201 | Define acceptable and unacceptable mobile code technologies | CMA_C1651 - Define acceptable and unacceptable mobile code technologies | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 3b30aa25-0f19-6c04-5ca4-bd3f880a763d | Implement parameters for memorized secret verifiers | CMA_0321 - Implement parameters for memorized secret verifiers | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | b2c723e8-a1a0-8e38-5cf1-f5a20ffe4f51 | Publish access procedures in SORNs | CMA_C1848 - Publish access procedures in SORNs | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 27ab3ac0-910d-724d-0afa-1a2a01e996c0 | Respond to rectification requests | CMA_0442 - Respond to rectification requests | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | c6aeb800-0b19-944d-92dc-59b893722329 | Rescreen individuals at a defined frequency | CMA_C1512 - Rescreen individuals at a defined frequency | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | ab02bb73-4ce1-89dd-3905-d93042809ba0 | Align business objectives and IT goals | CMA_0008 - Align business objectives and IT goals | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 48c816c5-2190-61fc-8806-25d6f3df162f | Monitor access across the organization | CMA_0376 - Monitor access across the organization | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 3153d9c0-2584-14d3-362d-578b01358aeb | Retain training records | CMA_0456 - Retain training records | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | adf517f3-6dcd-3546-9928-34777d0c277e | Review and update system and communications protection policies and procedures | CMA_C1616 - Review and update system and communications protection policies and procedures | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | a930f477-9dcb-2113-8aa7-45bb6fc90861 | Review and update the events defined in AU-02 | CMA_C1106 - Review and update the events defined in AU-02 | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 0803eaa7-671c-08a7-52fd-ac419f775e75 | Document acquisition contract acceptance criteria | CMA_0187 - Document acquisition contract acceptance criteria | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 34738025-5925-51f9-1081-f2d0060133ed | Information security and personal data protection | CMA_0332 - Information security and personal data protection | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 1c258345-5cd4-30c8-9ef3-5ee4dd5231d6 | Develop security assessment plan | CMA_C1144 - Develop security assessment plan | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 42116f15-5665-a52a-87bb-b40e64c74b6c | Develop acceptable use policies and procedures | CMA_0143 - Develop acceptable use policies and procedures | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | eff6e4a5-3efe-94dd-2ed1-25d56a019a82 | Distribute policies and procedures | CMA_0185 - Distribute policies and procedures | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 516be556-1353-080d-2c2f-f46f000d5785 | Provide periodic security awareness training | CMA_C1091 - Provide periodic security awareness training | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | af5ff768-a34b-720e-1224-e6b3214f3ba6 | Establish an alternate processing site | CMA_0262 - Establish an alternate processing site | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | b6b32f80-a133-7600-301e-398d688e7e0c | Evaluate and review PII holdings regularly | CMA_C1832 - Evaluate and review PII holdings regularly | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Monitoring | bd58d393-162c-4134-bcd6-a6a5484a37a1 | The legacy Log Analytics extension should not be installed on Azure Arc enabled Linux servers | Automatically prevent installation of the legacy Log Analytics Agent as the final step of migrating from legacy agents to Azure Monitor Agent. After you have uninstalled existing legacy extensions, this policy will deny all future installations of the legacy agent extension on Azure Arc enabled Linux servers. Learn more: https://aka.ms/migratetoAMA | Default Audit Allowed Deny, Audit, Disabled |
add | 2022-09-27 16:35:32 bd58d393-162c-4134-bcd6-a6a5484a37a1 |
|
| Regulatory Compliance | 874a6f2e-2098-53bc-3a16-20dcdc425a7e | Create configuration plan protection | CMA_C1233 - Create configuration plan protection | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 5b802722-71dd-a13d-2e7e-231e09589efb | Implement privileged access for executing vulnerability scanning activities | CMA_C1555 - Implement privileged access for executing vulnerability scanning activities | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 23d1a569-2d1e-7f43-9e22-1f94115b7dd5 | Identify classes of Incidents and Actions taken | CMA_C1365 - Identify classes of Incidents and Actions taken | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 585af6e9-90c0-4575-67a7-2f9548972e32 | Review and reevaluate privileges | CMA_C1207 - Review and reevaluate privileges | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 1b8a7ec3-11cc-a2d3-8cd0-eedf074424a4 | Employ automatic shutdown/restart when violations are detected | CMA_C1715 - Employ automatic shutdown/restart when violations are detected | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 57adc919-9dca-817c-8197-64d812070316 | Develop an enterprise architecture | CMA_C1741 - Develop an enterprise architecture | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 97d91b33-7050-237b-3e23-a77d57d84e13 | Issue public key certificates | CMA_0347 - Issue public key certificates | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | d661e9eb-4e15-5ba1-6f02-cdc467db0d6c | Define organizational requirements for cryptographic key management | CMA_0123 - Define organizational requirements for cryptographic key management | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 25a1f840-65d0-900a-43e4-bee253de04de | Define requirements for managing assets | CMA_0125 - Define requirements for managing assets | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 55be3260-a7a2-3c06-7fe6-072d07525ab7 | Accept PIV credentials | CMA_C1347 - Accept PIV credentials | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 4012c2b7-4e0e-a7ab-1688-4aab43f14420 | Map authenticated identities to individuals | CMA_0372 - Map authenticated identities to individuals | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | f78fc35e-1268-0bca-a798-afcba9d2330a | Select additional testing for security control assessments | CMA_C1149 - Select additional testing for security control assessments | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | df54d34f-65f3-39f1-103c-a0464b8615df | Manage transfers between standby and active system components | CMA_0371 - Manage transfers between standby and active system components | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 70057208-70cc-7b31-3c3a-121af6bc1966 | Secure commitment from leadership | CMA_0489 - Secure commitment from leadership | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 4c6df5ff-4ef2-4f17-a516-0da9189c603b | Assign account managers | CMA_0015 - Assign account managers | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 8eea8c14-4d93-63a3-0c82-000343ee5204 | Conduct a full text analysis of logged privileged commands | CMA_0056 - Conduct a full text analysis of logged privileged commands | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 81b6267b-97a7-9aa5-51ee-d2584a160424 | Create separate alternate and primary storage sites | CMA_C1269 - Create separate alternate and primary storage sites | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | ba02d0a0-566a-25dc-73f1-101c726a19c5 | Implement transaction based recovery | CMA_C1296 - Implement transaction based recovery | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | e89436d8-6a93-3b62-4444-1d2a42ad56b2 | Reevaluate access upon personnel transfer | CMA_0424 - Reevaluate access upon personnel transfer | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 01ae60e2-38bb-0a32-7b20-d3a091423409 | Implement system boundary protection | CMA_0328 - Implement system boundary protection | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 8c5d3d8d-5cba-0def-257c-5ab9ea9644dc | Perform a risk assessment | CMA_0388 - Perform a risk assessment | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | b9d45adb-471b-56a5-64d2-5b241f126174 | Automate privacy controls | CMA_C1817 - Automate privacy controls | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | d02498e0-8a6f-6b02-8332-19adf6711d1e | Develop organization code of conduct policy | CMA_0159 - Develop organization code of conduct policy | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 271a3e58-1b38-933d-74c9-a580006b80aa | Document personnel acceptance of privacy requirements | CMA_0193 - Document personnel acceptance of privacy requirements | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | f8a63511-66f1-503f-196d-d6217ee0823a | Require developers to produce evidence of security assessment plan execution | CMA_C1602 - Require developers to produce evidence of security assessment plan execution | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 5226dee6-3420-711b-4709-8e675ebd828f | Update information security policies | CMA_0518 - Update information security policies | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | c2cb4658-44dc-9d11-3dad-7c6802dd5ba3 | Generate error messages | CMA_C1724 - Generate error messages | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | a4493012-908c-5f48-a468-1e243be884ce | Review security assessment and authorization policies and procedures | CMA_C1143 - Review security assessment and authorization policies and procedures | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 2af4640d-11a6-a64b-5ceb-a468f4341c0c | Define and enforce inactivity log policy | CMA_C1017 - Define and enforce inactivity log policy | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 2b4e134f-1e4c-2bff-573e-082d85479b6e | Develop an incident response plan | CMA_0145 - Develop an incident response plan | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 0ba211ef-0e85-2a45-17fc-401d1b3f8f85 | Document requirements for the use of shared data in contracts | CMA_0197 - Document requirements for the use of shared data in contracts | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | eab4450d-9e5c-4f38-0656-2ff8c78c83f3 | Document and implement privacy complaint procedures | CMA_0189 - Document and implement privacy complaint procedures | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 33602e78-35e3-4f06-17fb-13dd887448e4 | Conduct capacity planning | CMA_C1252 - Conduct capacity planning | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 524e7136-9f6a-75ba-9089-501018151346 | Document security and privacy training activities | CMA_0198 - Document security and privacy training activities | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 97f0d974-1486-01e2-2088-b888f46c0589 | Train personnel on disclosure of nonpublic information | CMA_C1084 - Train personnel on disclosure of nonpublic information | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 01c387ea-383d-4ca9-295a-977fab516b03 | Authorize remote access to privileged commands | CMA_C1064 - Authorize remote access to privileged commands | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 22a02c9a-49e4-5dc9-0d14-eb35ad717154 | Obtain design and implementation information for the security controls | CMA_C1576 - Obtain design and implementation information for the security controls | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 6ab47bbf-867e-9113-7998-89b58f77326a | Respond to complaints, concerns, or questions timely | CMA_C1853 - Respond to complaints, concerns, or questions timely | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | a1334a65-2622-28ee-5067-9d7f5b915cc5 | Communicate contingency plan changes | CMA_C1249 - Communicate contingency plan changes | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 0716f0f5-4955-2ccb-8d5e-c6be14d57c0f | Ensure resources are authorized | CMA_C1159 - Ensure resources are authorized | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | ffea18d9-13de-6505-37f3-4c1f88070ad7 | Review cloud service provider's compliance with policies and agreements | CMA_0469 - Review cloud service provider's compliance with policies and agreements | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 9c954fcf-6dd8-81f1-41b5-832ae5c62caf | Incorporate simulated contingency training | CMA_C1260 - Incorporate simulated contingency training | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | ced727b3-005e-3c5b-5cd5-230b79d56ee8 | Implement a fault tolerant name/address service | CMA_0305 - Implement a fault tolerant name/address service | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 06af77de-02ca-0f3e-838a-a9420fe466f5 | Establish a discrete line item in budgeting documentation | CMA_C1563 - Establish a discrete line item in budgeting documentation | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 8d140e8b-76c7-77de-1d46-ed1b2e112444 | Restrict access to private keys | CMA_0445 - Restrict access to private keys | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 836f8406-3b8a-11bb-12cb-6c7fa0765668 | Develop configuration item identification plan | CMA_C1231 - Develop configuration item identification plan | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 33832848-42ab-63f3-1a55-c0ad309d44cd | Implement an automated configuration management tool | CMA_0311 - Implement an automated configuration management tool | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | f49925aa-9b11-76ae-10e2-6e973cc60f37 | Review and update system and services acquisition policies and procedures | CMA_C1560 - Review and update system and services acquisition policies and procedures | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 8a703eb5-4e53-701b-67e4-05ba2f7930c8 | Separate user and information system management functionality | CMA_0493 - Separate user and information system management functionality | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 1a2a03a4-9992-5788-5953-d8f6615306de | Govern policies and procedures | CMA_0292 - Govern policies and procedures | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 2d4d0e90-32d9-4deb-2166-a00d51ed57c0 | Provide information spillage training | CMA_0413 - Provide information spillage training | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 5f2e834d-7e40-a4d5-a216-e49b16955ccf | Establish requirements for internet service providers | CMA_0278 - Establish requirements for internet service providers | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 423f6d9c-0c73-9cc6-64f4-b52242490368 | Develop security safeguards | CMA_0161 - Develop security safeguards | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 729c8708-2bec-093c-8427-2e87d2cd426d | Automate notification of employee termination | CMA_C1521 - Automate notification of employee termination | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 6de65dc4-8b4f-34b7-9290-eb137a2e2929 | Develop and document application security requirements | CMA_0148 - Develop and document application security requirements | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | e1379836-3492-6395-451d-2f5062e14136 | Identify and authenticate non-organizational users | CMA_C1346 - Identify and authenticate non-organizational users | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 0e696f5a-451f-5c15-5532-044136538491 | Protect audit information | CMA_0401 - Protect audit information | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | b6ad009f-5c24-1dc0-a25e-74b60e4da45f | Control maintenance and repair activities | CMA_0080 - Control maintenance and repair activities | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | e23444b9-9662-40f3-289e-6d25c02b48fa | Review label activity and analytics | CMA_0474 - Review label activity and analytics | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Security Center | 1cb4d9c2-f88f-4069-bee0-dba239a57b09 | [Preview]: Guest Attestation extension should be installed on supported Windows virtual machines | Install Guest Attestation extension on supported virtual machines to allow Azure Security Center to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change | 2022-09-27 16:35:32 Major, suffix remains equal (3.0.0-preview > 4.0.0-preview) |
|
| Regulatory Compliance | eb8a8df9-521f-3ccd-7e2c-3d1fcc812340 | Review and update configuration management policies and procedures | CMA_C1175 - Review and update configuration management policies and procedures | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | be38a620-000b-21cf-3cb3-ea151b704c3b | Remediate information system flaws | CMA_0427 - Remediate information system flaws | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 3f1216b0-30ee-1ac9-3899-63eb744e85f5 | Obtain Admin documentation | CMA_C1580 - Obtain Admin documentation | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | f6da5cca-5795-60ff-49e1-4972567815fe | Require developer to identify SDLC ports, protocols, and services | CMA_C1578 - Require developer to identify SDLC ports, protocols, and services | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | d48a6f19-a284-6fc6-0623-3367a74d3f50 | Update interconnection security agreements | CMA_0519 - Update interconnection security agreements | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 98e33927-8d7f-6d5f-44f5-2469b40b7215 | Implement Incident handling capability | CMA_C1367 - Implement Incident handling capability | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 82bd024a-5c99-05d6-96ff-01f539676a1a | Monitor security and privacy training completion | CMA_0379 - Monitor security and privacy training completion | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Security Center | c9b2ae08-09e2-4f0e-bb43-b60bf0135bdf | [Preview]: Configure supported Windows virtual machine scale sets to automatically install the Guest Attestation extension | Configure supported Windows virtual machines scale sets to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change | 2022-09-27 16:35:32 Major, suffix remains equal (3.0.0-preview > 4.0.0-preview) |
| Security Center | 98ea2fc7-6fc6-4fd1-9d8d-6331154da071 | [Preview]: Configure supported Windows virtual machines to automatically install the Guest Attestation extension | Configure supported Windows virtual machines to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change | 2022-09-27 16:35:32 Major, suffix remains equal (4.0.0-preview > 5.0.0-preview) |
| Regulatory Compliance | 00f12b6f-10d7-8117-9577-0f2b76488385 | Integrate risk management process into SDLC | CMA_C1567 - Integrate risk management process into SDLC | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | b53aa659-513e-032c-52e6-1ce0ba46582f | Configure actions for noncompliant devices | CMA_0062 - Configure actions for noncompliant devices | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 396f465d-375e-57de-58ba-021adb008191 | Invalidate session identifiers at logout | CMA_C1661 - Invalidate session identifiers at logout | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | b7306e73-0494-83a2-31f5-280e934a8f70 | Develop and document a DDoS response plan | CMA_0147 - Develop and document a DDoS response plan | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 5fe84a4c-1b0c-a738-2aba-ed49c9069d3b | Prohibit unfair practices | CMA_0396 - Prohibit unfair practices | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 2cc9c165-46bd-9762-5739-d2aae5ba90a1 | Automate account management | CMA_0026 - Automate account management | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 0f31d98d-5ce2-705b-4aa5-b4f6705110dd | Prepare alternate processing site for use as operational site | CMA_C1278 - Prepare alternate processing site for use as operational site | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 94c842e3-8098-38f9-6d3f-8872b790527d | Remove or redact any PII | CMA_C1833 - Remove or redact any PII | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 0123edae-3567-a05a-9b05-b53ebe9d3e7e | View and configure system diagnostic data | CMA_0544 - View and configure system diagnostic data | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 979ed3b6-83f9-26bc-4b86-5b05464700bf | Modify access authorizations upon personnel transfer | CMA_0374 - Modify access authorizations upon personnel transfer | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 76d66b5c-85e4-93f5-96a5-ebb2fad61dc6 | Terminate customer controlled account credentials | CMA_C1022 - Terminate customer controlled account credentials | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | b28c8687-4bbd-8614-0b96-cdffa1ac6d9c | Review and update incident response policies and procedures | CMA_C1352 - Review and update incident response policies and procedures | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 79f081c7-1634-01a1-708e-376197999289 | Review user accounts | CMA_0480 - Review user accounts | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 74041cfe-3f87-1d17-79ec-34ca5f895542 | Produce complete records of remote maintenance activities | CMA_C1403 - Produce complete records of remote maintenance activities | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 44b71aa8-099d-8b97-1557-0e853ec38e0d | Obtain functional properties of security controls | CMA_C1575 - Obtain functional properties of security controls | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 058e9719-1ff9-3653-4230-23f76b6492e0 | Enforce security configuration settings | CMA_0249 - Enforce security configuration settings | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 21633c09-804e-7fcd-78e3-635c6bfe2be7 | Provide capability to process customer-controlled audit records | CMA_C1126 - Provide capability to process customer-controlled audit records | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | f741c4e6-41eb-15a4-25a2-61ac7ca232f0 | Integrate audit review, analysis, and reporting | CMA_0339 - Integrate audit review, analysis, and reporting | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 449ebb52-945b-36e5-3446-af6f33770f8f | Update the security authorization | CMA_C1160 - Update the security authorization | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | e7589f4e-1e8b-72c2-3692-1e14d7f3699f | Ensure access agreements are signed or resigned timely | CMA_C1528 - Ensure access agreements are signed or resigned timely | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 91a54089-2d69-0f56-62dc-b6371a1671c0 | Resume all mission and business functions | CMA_C1254 - Resume all mission and business functions | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 85335602-93f5-7730-830b-d43426fd51fa | Integrate Audit record analysis | CMA_C1120 - Integrate Audit record analysis | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | d9edcea6-6cb8-0266-a48c-2061fbac4310 | Plan for continuance of essential business functions | CMA_C1255 - Plan for continuance of essential business functions | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 1ee4c7eb-480a-0007-77ff-4ba370776266 | Use system clocks for audit records | CMA_0535 - Use system clocks for audit records | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 6baae474-434f-2e91-7163-a72df30c4847 | Manage security state of information systems | CMA_C1746 - Manage security state of information systems | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | ee4bbbbb-2e52-9adb-4e3a-e641f7ac68ab | Check for privacy and security compliance before establishing internal connections | CMA_0053 - Check for privacy and security compliance before establishing internal connections | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 84a01872-5318-049e-061e-d56734183e84 | Distribute information system documentation | CMA_C1584 - Distribute information system documentation | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 2d14ff7e-6ff9-838c-0cde-4962ccdb1689 | Employ business case to record the resources required | CMA_C1735 - Employ business case to record the resources required | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 70fe686f-1f91-7dab-11bf-bca4201e183b | Review role group changes weekly | CMA_0476 - Review role group changes weekly | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | f476f3b0-4152-526e-a209-44e5f8c968d7 | Establish network segmentation for card holder data environment | CMA_0273 - Establish network segmentation for card holder data environment | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | c79d378a-2521-822a-0407-57454f8d2c74 | Notify upon termination or transfer | CMA_0381 - Notify upon termination or transfer | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | ee67c031-57fc-53d0-0cca-96c4c04345e8 | Document and distribute a privacy policy | CMA_0188 - Document and distribute a privacy policy | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | ba99d512-3baa-1c38-8b0b-ae16bbd34274 | Test contingency plan at an alternate processing location | CMA_C1265 - Test contingency plan at an alternate processing location | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | f26af0b1-65b6-689a-a03f-352ad2d00f98 | Audit privileged functions | CMA_0019 - Audit privileged functions | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Security Center | 672fe5a1-2fcd-42d7-b85d-902b6e28c6ff | [Preview]: Guest Attestation extension should be installed on supported Linux virtual machines | Install Guest Attestation extension on supported Linux virtual machines to allow Azure Security Center to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment applies to Trusted Launch and Confidential Linux virtual machines. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change | 2022-09-27 16:35:32 Major, suffix remains equal (5.0.0-preview > 6.0.0-preview) |
|
| Regulatory Compliance | 2927e340-60e4-43ad-6b5f-7a1468232cc2 | Configure detection whitelist | CMA_0068 - Configure detection whitelist | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 0fd1ca29-677b-2f12-1879-639716459160 | Maintain data breach records | CMA_0351 - Maintain data breach records | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 97cfd944-6f0c-7db2-3796-8e890ef70819 | Establish conditions for role membership | CMA_0269 - Establish conditions for role membership | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | c42f19c9-5d88-92da-0742-371a0ea03126 | Clear personnel with access to classified information | CMA_0054 - Clear personnel with access to classified information | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | d42a8f69-a193-6cbc-48b9-04a9e29961f1 | Protect wireless access | CMA_0411 - Protect wireless access | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Security Center | 57c2e3f0-98cf-4c3b-aa6b-e8f70726e74e | [Preview]: Configure supported Linux virtual machine scale sets to automatically install the Guest Attestation extension | Configure supported Linux virtual machines scale sets to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change | 2022-09-27 16:35:32 Major, suffix remains equal (5.0.0-preview > 6.0.0-preview) |
| Regulatory Compliance | e21f91d1-2803-0282-5f2d-26ebc4b170ef | Update organizational access agreements | CMA_0520 - Update organizational access agreements | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 98145a9b-428a-7e81-9d14-ebb154a24f93 | View and investigate restricted users | CMA_0545 - View and investigate restricted users | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | a44c9fba-43f8-4b7b-7ee6-db52c96b4366 | Facilitate information sharing | CMA_0284 - Facilitate information sharing | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | bab9ef1d-a16d-421a-822d-3fa94e808156 | Route traffic through managed network access points | CMA_0484 - Route traffic through managed network access points | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | de770ba6-50dd-a316-2932-e0d972eaa734 | Require approval for account creation | CMA_0431 - Require approval for account creation | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | aeed863a-0f56-429f-945d-8bb66bd06841 | Authorize access to security functions and information | CMA_0022 - Authorize access to security functions and information | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 2af551d5-1775-326a-0589-590bfb7e9eb2 | Limit privileges to make changes in production environment | CMA_C1206 - Limit privileges to make changes in production environment | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 80029bc5-834f-3a9c-a2d8-acbc1aab4e9f | Employ restrictions on external system interconnections | CMA_C1155 - Employ restrictions on external system interconnections | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | a315c657-4a00-8eba-15ac-44692ad24423 | Protect special information | CMA_0409 - Protect special information | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 4e400494-53a5-5147-6f4d-718b539c7394 | Manage compliance activities | CMA_0358 - Manage compliance activities | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 10c3a1b1-29b0-a2d5-8f4c-a284b0f07830 | Implement cryptographic mechanisms | CMA_C1419 - Implement cryptographic mechanisms | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | b4512986-80f5-1656-0c58-08866bd2673a | Designate authorized personnel to post publicly accessible information | CMA_C1083 - Designate authorized personnel to post publicly accessible information | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 5decc032-95bd-2163-9549-a41aba83228e | Implement formal sanctions process | CMA_0317 - Implement formal sanctions process | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | efef28d0-3226-966a-a1e8-70e89c1b30bc | Retain security policies and procedures | CMA_0454 - Retain security policies and procedures | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | c7e8ddc1-14aa-1814-7fe1-aad1742b27da | Enforce expiration of cached authenticators | CMA_C1343 - Enforce expiration of cached authenticators | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 6c0a312f-04c5-5c97-36a5-e56763a02b6b | Review and sign revised rules of behavior | CMA_0465 - Review and sign revised rules of behavior | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 5020f3f4-a579-2f28-72a8-283c5a0b15f9 | Restrict communications | CMA_0449 - Restrict communications | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | ece8bb17-4080-5127-915f-dc7267ee8549 | Verify security functions | CMA_C1708 - Verify security functions | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 4781e5fd-76b8-7d34-6df3-a0a7fca47665 | Prevent identifier reuse for the defined time period | CMA_C1314 - Prevent identifier reuse for the defined time period | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | de936662-13dc-204c-75ec-1af80f994088 | Provide contingency training | CMA_0412 - Provide contingency training | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 8bfdbaa6-6824-3fec-9b06-7961bf7389a6 | Initiate contingency plan testing corrective actions | CMA_C1263 - Initiate contingency plan testing corrective actions | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 18e7906d-4197-20fa-2f14-aaac21864e71 | Document process to ensure integrity of PII | CMA_C1827 - Document process to ensure integrity of PII | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 9622aaa9-5c49-40e2-5bf8-660b7cd23deb | Alert personnel of information spillage | CMA_0007 - Alert personnel of information spillage | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 898a5781-2254-5a37-34c7-d78ea7c20d55 | Publish SORNs for systems containing PII | CMA_C1862 - Publish SORNs for systems containing PII | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | bb048641-6017-7272-7772-a008f285a520 | Develop spillage response procedures | CMA_0162 - Develop spillage response procedures | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 5bac5fb7-7735-357b-767d-02264bfe5c3b | Perform all non-local maintenance | CMA_C1417 - Perform all non-local maintenance | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 39eb03c1-97cc-11ab-0960-6209ed2869f7 | Establish a privacy program | CMA_0257 - Establish a privacy program | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | d9af7f88-686a-5a8b-704b-eafdab278977 | Obtain legal opinion for monitoring system activities | CMA_C1688 - Obtain legal opinion for monitoring system activities | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | ced291b8-1d3d-7e27-40cf-829e9dd523c8 | Review and update the information security architecture | CMA_C1504 - Review and update the information security architecture | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | f29b17a4-0df2-8a50-058a-8570f9979d28 | Assign system identifiers | CMA_0018 - Assign system identifiers | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | b4e19d22-8c0e-7cad-3219-c84c62dc250f | Review and update media protection policies and procedures | CMA_C1427 - Review and update media protection policies and procedures | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | a08b18c7-9e0a-89f1-3696-d80902196719 | Document access privileges | CMA_0186 - Document access privileges | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 50e9324a-7410-0539-0662-2c1e775538b7 | Authorize and manage access | CMA_0023 - Authorize and manage access | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 8bb40df9-23e4-4175-5db3-8dba86349b73 | Confirm quality and integrity of PII | CMA_C1821 - Confirm quality and integrity of PII | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 92b49e92-570f-1765-804a-378e6c592e28 | Automate process to highlight unreviewed change proposals | CMA_C1193 - Automate process to highlight unreviewed change proposals | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | a830fe9e-08c9-a4fb-420c-6f6bf1702395 | Review account provisioning logs | CMA_0460 - Review account provisioning logs | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 90a156a6-49ed-18d1-1052-69aac27c05cd | Allocate resources in determining information system requirements | CMA_C1561 - Allocate resources in determining information system requirements | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | b0e3035d-6366-2e37-796e-8bcab9c649e6 | Establish a threat intelligence program | CMA_0260 - Establish a threat intelligence program | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | c8aa992d-76b7-7ca0-07b3-31a58d773fa9 | Employ automated training environment | CMA_C1357 - Employ automated training environment | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | b320aa42-33b4-53af-87ce-100091d48918 | Document third-party personnel security requirements | CMA_C1531 - Document third-party personnel security requirements | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | e4054c0e-1184-09e6-4c5e-701e0bc90f81 | Report atypical behavior of user accounts | CMA_C1025 - Report atypical behavior of user accounts | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 75b9db50-7906-2351-98ae-0458218609e5 | Retain accounting of disclosures of information | CMA_C1819 - Retain accounting of disclosures of information | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 6610f662-37e9-2f71-65be-502bdc2f554d | Update rules of behavior and access agreements | CMA_0521 - Update rules of behavior and access agreements | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 12af7c7a-92af-9e96-0d0c-5e732d1a3751 | Ensure information system fails in known state | CMA_C1662 - Ensure information system fails in known state | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 7fc1f0da-0050-19bb-3d75-81ae15940df6 | Provide monitoring information as needed | CMA_C1689 - Provide monitoring information as needed | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 2b05dca2-25ec-9335-495c-29155f785082 | Provide security training before providing access | CMA_0418 - Provide security training before providing access | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Security Center | f655e522-adff-494d-95c2-52d4f6d56a42 | [Preview]: Guest Attestation extension should be installed on supported Windows virtual machines scale sets | Install Guest Attestation extension on supported virtual machines scale sets to allow Azure Security Center to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment applies to Trusted Launch and Confidential Windows virtual machine scale sets. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change | 2022-09-27 16:35:32 Major, suffix remains equal (2.0.0-preview > 3.0.0-preview) |
|
| Regulatory Compliance | 6f311b49-9b0d-8c67-3d6e-db80ae528173 | Bind authenticators and identities dynamically | CMA_0035 - Bind authenticators and identities dynamically | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | e54901fe-42c2-7f3b-3c5f-327aa5320a69 | Automate information sharing decisions | CMA_0028 - Automate information sharing decisions | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 21832235-7a07-61f4-530d-d596f76e5b95 | Implement security testing, training, and monitoring plans | CMA_C1753 - Implement security testing, training, and monitoring plans | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 2067b904-9552-3259-0cdd-84468e284b7c | Review and update system maintenance policies and procedures | CMA_C1395 - Review and update system maintenance policies and procedures | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | cc057769-01d9-95ad-a36f-1e62a7f9540b | Update POA&M items | CMA_C1157 - Update POA&M items | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | bfc540fe-376c-2eef-4355-121312fa4437 | Maintain separate execution domains for running processes | CMA_C1665 - Maintain separate execution domains for running processes | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 4ce91e4e-6dab-3c46-011a-aa14ae1561bf | Maintain list of authorized remote maintenance personnel | CMA_C1420 - Maintain list of authorized remote maintenance personnel | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 8aec4343-9153-9641-172c-defb201f56b3 | Review cloud identity report overview | CMA_0468 - Review cloud identity report overview | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 6f3866e8-6e12-69cf-788c-809d426094a1 | Establish electronic signature and certificate requirements | CMA_0271 - Establish electronic signature and certificate requirements | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 3d492600-27ba-62cc-a1c3-66eb919f6a0d | Document remote access guidelines | CMA_0196 - Document remote access guidelines | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 08ad71d0-52be-6503-4908-e015460a16ae | Require use of individual authenticators | CMA_C1305 - Require use of individual authenticators | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 29acfac0-4bb4-121b-8283-8943198b1549 | Review and update identification and authentication policies and procedures | CMA_C1299 - Review and update identification and authentication policies and procedures | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 54a9c072-4a93-2a03-6a43-a060d30383d7 | Eradicate contaminated information | CMA_0253 - Eradicate contaminated information | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 8b1f29eb-1b22-4217-5337-9207cb55231e | Perform information input validation | CMA_C1723 - Perform information input validation | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 1fdf0b24-4043-3c55-357e-036985d50b52 | Ensure security safeguards not needed when the individuals return | CMA_C1183 - Ensure security safeguards not needed when the individuals return | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 6bededc0-2985-54d5-4158-eb8bad8070a0 | Review and update information integrity policies and procedures | CMA_C1667 - Review and update information integrity policies and procedures | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | e6f7b584-877a-0d69-77d4-ab8b923a9650 | Document separation of duties | CMA_0204 - Document separation of duties | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 92b94485-1c49-3350-9ada-dffe94f08e87 | Obtain approvals for acquisitions and outsourcing | CMA_C1590 - Obtain approvals for acquisitions and outsourcing | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 178c8b7e-1b6e-4289-44dd-2f1526b678a1 | Ensure alternate storage site safeguards are equivalent to primary site | CMA_C1268 - Ensure alternate storage site safeguards are equivalent to primary site | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Monitoring | 383c45fa-8b64-4d1c-aa9f-e69d2d879aa4 | The legacy Log Analytics extension should not be installed on Linux virtual machine scale sets | Automatically prevent installation of the legacy Log Analytics Agent as the final step of migrating from legacy agents to Azure Monitor Agent. After you have uninstalled existing legacy extensions, this policy will deny all future installations of the legacy agent extension on Linux virtual machine scale sets. Learn more: https://aka.ms/migratetoAMA | Default Audit Allowed Deny, Audit, Disabled |
add | 2022-09-27 16:35:32 383c45fa-8b64-4d1c-aa9f-e69d2d879aa4 |
|
| Regulatory Compliance | 79365f13-8ba4-1f6c-2ac4-aa39929f56d0 | Employ flow control mechanisms of encrypted information | CMA_0211 - Employ flow control mechanisms of encrypted information | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 333b4ada-4a02-0648-3d4d-d812974f1bb2 | Govern and monitor audit processing activities | CMA_0289 - Govern and monitor audit processing activities | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 80a97208-264e-79da-0cc7-4fca179a0c9c | Protect against and prevent data theft from departing employees | CMA_0398 - Protect against and prevent data theft from departing employees | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 77acc53d-0f67-6e06-7d04-5750653d4629 | Document the protection of cardholder data in third party contracts | CMA_0207 - Document the protection of cardholder data in third party contracts | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 214ea241-010d-8926-44cc-b90a96d52adc | Compile Audit records into system wide audit | CMA_C1140 - Compile Audit records into system wide audit | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | d200f199-69f4-95a6-90b0-37ff0cf1040c | Provide the capability to extend or limit auditing on customer-deployed resources | CMA_C1141 - Provide the capability to extend or limit auditing on customer-deployed resources | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 4ac81669-00e2-9790-8648-71bc11bc91eb | Manage the transportation of assets | CMA_0370 - Manage the transportation of assets | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | b262e1dd-08e9-41d4-963a-258909ad794b | Implement managed interface for each external service | CMA_C1626 - Implement managed interface for each external service | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 3bd4e0af-7cbb-a3ec-4918-056a3c017ae2 | Keep SORNs updated | CMA_C1863 - Keep SORNs updated | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 8c44a0ea-9b09-4d9c-0e91-f9bee3d05bfb | Document customer-defined actions | CMA_C1582 - Document customer-defined actions | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | d18af1ac-0086-4762-6dc8-87cdded90e39 | Perform a privacy impact assessment | CMA_0387 - Perform a privacy impact assessment | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | dd2523d5-2db3-642b-a1cf-83ac973b32c2 | Establish benchmarks for flaw remediation | CMA_C1675 - Establish benchmarks for flaw remediation | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 16c54e01-9e65-7524-7c33-beda48a75779 | Produce, control and distribute symmetric cryptographic keys | CMA_C1645 - Produce, control and distribute symmetric cryptographic keys | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | c246d146-82b0-301f-32e7-1065dcd248b7 | Review changes for any unauthorized changes | CMA_C1204 - Review changes for any unauthorized changes | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | aa892c0d-2c40-200c-0dd8-eac8c4748ede | Employ automatic emergency lighting | CMA_0209 - Employ automatic emergency lighting | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 055da733-55c6-9e10-8194-c40731057ec4 | Develop and maintain a vulnerability management standard | CMA_0152 - Develop and maintain a vulnerability management standard | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 5fc24b95-53f7-0ed1-2330-701b539b97fe | Turn on sensors for endpoint security solution | CMA_0514 - Turn on sensors for endpoint security solution | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 1dbd51c2-2bd1-5e26-75ba-ed075d8f0d68 | Conduct risk assessment and document its results | CMA_C1542 - Conduct risk assessment and document its results | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | b5244f81-6cab-3188-2412-179162294996 | Review publicly accessible content for nonpublic information | CMA_C1086 - Review publicly accessible content for nonpublic information | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 67ada943-8539-083d-35d0-7af648974125 | Determine supplier contract obligations | CMA_0140 - Determine supplier contract obligations | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 52375c01-4d4c-7acc-3aa4-5b3d53a047ec | Define the duties of processors | CMA_0127 - Define the duties of processors | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | b8972f60-8d77-1cb8-686f-9c9f4cdd8a59 | Use dedicated machines for administrative tasks | CMA_0527 - Use dedicated machines for administrative tasks | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 7805a343-275c-41be-9d62-7215b96212d8 | Reassign or remove user privileges as needed | CMA_C1040 - Reassign or remove user privileges as needed | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | c5784049-959f-6067-420c-f4cefae93076 | Coordinate contingency plans with related plans | CMA_0086 - Coordinate contingency plans with related plans | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 1282809c-9001-176b-4a81-260a085f4872 | Perform audit for configuration change control | CMA_0390 - Perform audit for configuration change control | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | d93fe1be-13e4-421d-9c21-3158e2fa2667 | Implement plans of action and milestones for security program process | CMA_C1737 - Implement plans of action and milestones for security program process | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 2401b496-7f23-79b2-9f80-89bb5abf3d4a | Protect incident response plan | CMA_0405 - Protect incident response plan | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 2f20840e-7925-221c-725d-757442753e7c | Develop and maintain baseline configurations | CMA_0153 - Develop and maintain baseline configurations | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 5d3abfea-a130-1208-29c0-e57de80aa6b0 | Review the results of contingency plan testing | CMA_C1262 - Review the results of contingency plan testing | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | b65c5d8e-9043-9612-2c17-65f231d763bb | Employ independent assessors to conduct security control assessments | CMA_C1148 - Employ independent assessors to conduct security control assessments | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | d36700f2-2f0d-7c2a-059c-bdadd1d79f70 | Establish a risk management strategy | CMA_0258 - Establish a risk management strategy | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | c4ccd607-702b-8ae6-8eeb-fc3339cd4b42 | Define cryptographic use | CMA_0120 - Define cryptographic use | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 60442979-6333-85f0-84c5-b887bac67448 | Evaluate alternate processing site capabilities | CMA_C1266 - Evaluate alternate processing site capabilities | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 2f204e72-1896-3bf8-75c9-9128b8683a36 | Reissue authenticators for changed groups and accounts | CMA_0426 - Reissue authenticators for changed groups and accounts | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 26d178a4-9261-6f04-a100-47ed85314c6e | Implement security directives | CMA_C1706 - Implement security directives | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | a90c4d44-7fac-8e02-6d5b-0d92046b20e6 | Automate flaw remediation | CMA_0027 - Automate flaw remediation | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | c423e64d-995c-9f67-0403-b540f65ba42a | Assess Security Controls | CMA_C1145 - Assess Security Controls | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | a8df9c78-4044-98be-2c05-31a315ac8957 | Conform to FICAM-issued profiles | CMA_C1350 - Conform to FICAM-issued profiles | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 873895e8-0e3a-6492-42e9-22cd030e9fcd | Restrict access to privileged accounts | CMA_0446 - Restrict access to privileged accounts | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 2c6bee3a-2180-2430-440d-db3c7a849870 | Document security operations | CMA_0202 - Document security operations | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | f6794ab8-9a7d-3b24-76ab-265d3646232b | Provide role-based training on suspicious activities | CMA_C1097 - Provide role-based training on suspicious activities | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | c6b877a6-5d6d-1862-4b7f-3ccc30b25b63 | Verify personal data is deleted at the end of processing | CMA_0540 - Verify personal data is deleted at the end of processing | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 75b42dcf-7840-1271-260b-852273d7906e | Develop contingency planning policies and procedures | CMA_0156 - Develop contingency planning policies and procedures | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 8747b573-8294-86a0-8914-49e9b06a5ace | Establish configuration management requirements for developers | CMA_0270 - Establish configuration management requirements for developers | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 4ee5975d-2507-5530-a20a-83a725889c6f | Restrict unauthorized software and firmware installation | CMA_C1205 - Restrict unauthorized software and firmware installation | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 8cd815bf-97e1-5144-0735-11f6ddb50a59 | Enforce and audit access restrictions | CMA_C1203 - Enforce and audit access restrictions | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | dc7ec756-221c-33c8-0afe-c48e10e42321 | Verify security controls for external information systems | CMA_0541 - Verify security controls for external information systems | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | c3b3cc61-9c70-5d78-7f12-1aefcc477db7 | Review security testing, training, and monitoring plans | CMA_C1754 - Review security testing, training, and monitoring plans | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 70a7a065-a060-85f8-7863-eb7850ed2af9 | Produce Security Assessment report | CMA_C1146 - Produce Security Assessment report | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 3baee3fd-30f5-882c-018c-cc78703a0106 | Employ independent assessors for continuous monitoring | CMA_C1168 - Employ independent assessors for continuous monitoring | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 3c9aa856-6b86-35dc-83f4-bc72cec74dea | Establish a data leakage management procedure | CMA_0255 - Establish a data leakage management procedure | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 426c172c-9914-10d1-25dd-669641fc1af4 | Enable detection of network devices | CMA_0220 - Enable detection of network devices | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | c72fc0c8-2df8-7506-30be-6ba1971747e1 | Automate implementation of approved change notifications | CMA_C1196 - Automate implementation of approved change notifications | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | e750ca06-1824-464a-2cf3-d0fa754d1cb4 | Establish a secure software development program | CMA_0259 - Establish a secure software development program | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 04b3e7f6-4841-888d-4799-cda19a0084f6 | Document and implement wireless access guidelines | CMA_0190 - Document and implement wireless access guidelines | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 35963d41-4263-0ef9-98d5-70eb058f9e3c | Establish procedures for initial authenticator distribution | CMA_0276 - Establish procedures for initial authenticator distribution | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 341bc9f1-7489-07d9-4ec6-971573e1546a | Define access authorizations to support separation of duties | CMA_0116 - Define access authorizations to support separation of duties | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 3054c74b-9b45-2581-56cf-053a1a716c39 | Accept assessment results | CMA_C1150 - Accept assessment results | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 66e5cb69-9f1c-8b8d-8fbd-b832466d5aa8 | Prevent split tunneling for remote devices | CMA_C1632 - Prevent split tunneling for remote devices | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | b8a9bb2f-7290-3259-85ce-dca7d521302d | Initiate transfer or reassignment actions | CMA_0333 - Initiate transfer or reassignment actions | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 44f8a42d-739f-8030-89a8-4c2d5b3f6af3 | Provide audit review, analysis, and reporting capability | CMA_C1124 - Provide audit review, analysis, and reporting capability | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 725164e5-3b21-1ec2-7e42-14f077862841 | Require compliance with intellectual property rights | CMA_0432 - Require compliance with intellectual property rights | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Cosmos DB | 9d83ccb1-f313-46ce-9d39-a198bfdb51a0 | Azure Cosmos DB accounts should not exceed the maximum number of days allowed since last account key regeneration. | Regenerate your keys in the specified time to keep your data more protected. | Default Audit Allowed Audit, Disabled |
add | 2022-09-27 16:35:32 9d83ccb1-f313-46ce-9d39-a198bfdb51a0 |
|
| Regulatory Compliance | c6cf9f2c-5fd8-3f16-a1f1-f0b69c904928 | Appoint a senior information security officer | CMA_C1733 - Appoint a senior information security officer | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | edcc36f1-511b-81e0-7125-abee29752fe7 | Manage availability and capacity | CMA_0356 - Manage availability and capacity | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 678ca228-042d-6d8e-a598-c58d5670437d | Prohibit remote activation of collaborative computing devices | CMA_C1648 - Prohibit remote activation of collaborative computing devices | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 20012034-96f0-85c2-4a86-1ae1eb457802 | Review and update risk assessment policies and procedures | CMA_C1537 - Review and update risk assessment policies and procedures | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 27965e62-141f-8cca-426f-d09514ee5216 | Establish and maintain an asset inventory | CMA_0266 - Establish and maintain an asset inventory | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 18e9d748-73d4-0c96-55ab-b108bfbd5bc3 | Notify personnel of any failed security verification tests | CMA_C1710 - Notify personnel of any failed security verification tests | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | b1666a13-8f67-9c47-155e-69e027ff6823 | Enforce mandatory and discretionary access control policies | CMA_0246 - Enforce mandatory and discretionary access control policies | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 8f835d6a-4d13-9a9c-37dc-176cebd37fda | Document wireless access security controls | CMA_C1695 - Document wireless access security controls | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 5e4e9685-3818-5934-0071-2620c4fa2ca5 | Retain previous versions of baseline configs | CMA_C1181 - Retain previous versions of baseline configs | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 7ded6497-815d-6506-242b-e043e0273928 | Plan for resumption of essential business functions | CMA_C1253 - Plan for resumption of essential business functions | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 93fa357f-2e38-22a9-5138-8cc5124e1923 | Categorize information | CMA_0052 - Categorize information | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 3af53f59-979f-24a8-540f-d7cdbc366607 | Require users to sign access agreement | CMA_0440 - Require users to sign access agreement | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | d4f70530-19a2-2a85-6e0c-0c3c465e3325 | Make accounting of disclosures available upon request | CMA_C1820 - Make accounting of disclosures available upon request | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 8c255136-994b-9616-79f5-ae87810e0dcf | Enable network protection | CMA_0238 - Enable network protection | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | f8ded0c6-a668-9371-6bb6-661d58787198 | Monitor third-party provider compliance | CMA_C1533 - Monitor third-party provider compliance | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | dd6d00a8-701a-5935-a22b-c7b9c0c698b2 | Isolate SecurID systems, Security Incident Management systems | CMA_C1636 - Isolate SecurID systems, Security Incident Management systems | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 2f67e567-03db-9d1f-67dc-b6ffb91312f4 | Determine auditable events | CMA_0137 - Determine auditable events | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | d91558ce-5a5c-551b-8fbb-83f793255e09 | Route traffic through authenticated proxy network | CMA_C1633 - Route traffic through authenticated proxy network | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 09960521-759e-5d12-086f-4192a72a5e92 | Protect administrator and user documentation | CMA_C1583 - Protect administrator and user documentation | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | f9ec3263-9562-1768-65a1-729793635a8d | Document protection of personal data in acquisition contracts | CMA_0194 - Document protection of personal data in acquisition contracts | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | a30bd8e9-7064-312a-0e1f-e1b485d59f6e | Review exploit protection events | CMA_0472 - Review exploit protection events | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 0d04cb93-a0f1-2f4b-4b1b-a72a1b510d08 | Assess risk in third party relationships | CMA_0014 - Assess risk in third party relationships | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 60ee1260-97f0-61bb-8155-5d8b75743655 | Separate duties of individuals | CMA_0492 - Separate duties of individuals | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 06f84330-4c27-21f7-72cd-7488afd50244 | Implement privacy notice delivery methods | CMA_0324 - Implement privacy notice delivery methods | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | d136ae80-54dd-321c-98b4-17acf4af2169 | Provide updated security awareness training | CMA_C1090 - Provide updated security awareness training | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 36b74844-4a99-4c80-1800-b18a516d1585 | Control use of portable storage devices | CMA_0083 - Control use of portable storage devices | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | afbecd30-37ee-a27b-8e09-6ac49951a0ee | Establish security requirements for the manufacturing of connected devices | CMA_0279 - Establish security requirements for the manufacturing of connected devices | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | b33d61c1-7463-7025-0ec0-a47585b59147 | Require developers to manage change integrity | CMA_C1595 - Require developers to manage change integrity | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 22c16ae4-19d0-29cb-422f-cb44061180ee | Disable user accounts posing a significant risk | CMA_C1026 - Disable user accounts posing a significant risk | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | c7d57a6a-7cc2-66c0-299f-83bf90558f5d | Enforce random unique session identifiers | CMA_0247 - Enforce random unique session identifiers | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 6122970b-8d4a-7811-0278-4c6c68f61e4f | Restrict media use | CMA_0450 - Restrict media use | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | f48b60c6-4b37-332f-7288-b6ea50d300eb | Review controlled folder access events | CMA_0471 - Review controlled folder access events | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | b5a4be05-3997-1731-3260-98be653610f6 | Perform disposition review | CMA_0391 - Perform disposition review | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | e9c60c37-65b0-2d72-6c3c-af66036203ae | Review and update contingency planning policies and procedures | CMA_C1243 - Review and update contingency planning policies and procedures | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 1cb7bf71-841c-4741-438a-67c65fdd7194 | Provide security training for new users | CMA_0419 - Provide security training for new users | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 3ae68d9a-5696-8c32-62d3-c6f9c52e437c | Refresh authenticators | CMA_0425 - Refresh authenticators | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | e435f7e3-0dd9-58c9-451f-9b44b96c0232 | Implement controls to secure all media | CMA_0314 - Implement controls to secure all media | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | d4e6a629-28eb-79a9-000b-88030e4823ca | Coordinate with external organizations to achieve cross org perspective | CMA_C1368 - Coordinate with external organizations to achieve cross org perspective | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 49c23d9b-02b0-0e42-4f94-e8cef1b8381b | Audit user account status | CMA_0020 - Audit user account status | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 5c40f27b-6791-18c5-3f85-7b863bd99c11 | Automate proposed documented changes | CMA_C1191 - Automate proposed documented changes | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | e5c5fc78-4aa5-3d6b-81bc-5fcc88b318e9 | Review and update personnel security policies and procedures | CMA_C1507 - Review and update personnel security policies and procedures | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | a465e8e9-0095-85cb-a05f-1dd4960d02af | Document security documentation requirements in acquisition contract | CMA_0200 - Document security documentation requirements in acquisition contract | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 433de59e-7a53-a766-02c2-f80f8421469a | Implement incident handling | CMA_0318 - Implement incident handling | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 6abdf7c7-362b-3f35-099e-533ed50988f9 | Assign information security representative to change control | CMA_C1198 - Assign information security representative to change control | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | dad1887d-161b-7b61-2e4d-5124a7b5724e | Measure the time between flaw identification and flaw remediation | CMA_C1674 - Measure the time between flaw identification and flaw remediation | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | c148208b-1a6f-a4ac-7abc-23b1d41121b1 | Document the information system environment in acquisition contracts | CMA_0205 - Document the information system environment in acquisition contracts | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 3eabed6d-1912-2d3c-858b-f438d08d0412 | Ensure external providers consistently meet interests of the customers | CMA_C1592 - Ensure external providers consistently meet interests of the customers | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 83dfb2b8-678b-20a0-4c44-5c75ada023e6 | Document mobility training | CMA_0191 - Document mobility training | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | f8d141b7-4e21-62a6-6608-c79336e36bc9 | Establish privacy requirements for contractors and service providers | CMA_C1810 - Establish privacy requirements for contractors and service providers | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | b269a749-705e-8bff-055a-147744675cdf | Conduct backup of information system documentation | CMA_C1289 - Conduct backup of information system documentation | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 9e3c505e-7aeb-2096-3417-b132242731fc | Review content prior to posting publicly accessible information | CMA_C1085 - Review content prior to posting publicly accessible information | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | eda0cbb7-6043-05bf-645b-67411f1a59b3 | Ensure there are no unencrypted static authenticators | CMA_C1340 - Ensure there are no unencrypted static authenticators | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 069101ac-4578-31da-0cd4-ff083edd3eb4 | Obtain consent prior to collection or processing of personal data | CMA_0385 - Obtain consent prior to collection or processing of personal data | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 20762f1e-85fb-31b0-a600-e833633f10fe | Reveal error messages | CMA_C1725 - Reveal error messages | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 4f23967c-a74b-9a09-9dc2-f566f61a87b9 | Establish backup policies and procedures | CMA_0268 - Establish backup policies and procedures | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | db8b35d6-8adb-3f51-44ff-c648ab5b1530 | Employ FICAM-approved resources to accept third-party credentials | CMA_C1349 - Employ FICAM-approved resources to accept third-party credentials | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | a8f9c283-9a66-3eb3-9e10-bdba95b85884 | Run simulation attacks | CMA_0486 - Run simulation attacks | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | c2eabc28-1e5c-78a2-a712-7cc176c44c07 | Implement a penetration testing methodology | CMA_0306 - Implement a penetration testing methodology | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | cb8841d4-9d13-7292-1d06-ba4d68384681 | Perform a business impact assessment and application criticality assessment | CMA_0386 - Perform a business impact assessment and application criticality assessment | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 92a7591f-73b3-1173-a09c-a08882d84c70 | Identify actions allowed without authentication | CMA_0295 - Identify actions allowed without authentication | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | b2d3e5a2-97ab-5497-565a-71172a729d93 | Protect passwords with encryption | CMA_0408 - Protect passwords with encryption | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 4aacaec9-0628-272c-3e83-0d68446694e0 | Manage Authenticators | CMA_C1321 - Manage Authenticators | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 9b55929b-0101-47c0-a16e-d6ac5c7d21f8 | Undergo independent security review | CMA_0515 - Undergo independent security review | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 526ed90e-890f-69e7-0386-ba5c0f1f784f | Establish and document a configuration management plan | CMA_0264 - Establish and document a configuration management plan | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 27ce30dd-3d56-8b54-6144-e26d9a37a541 | Ensure audit records are not altered | CMA_C1125 - Ensure audit records are not altered | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 8b1da407-5e60-5037-612e-2caa1b590719 | Record disclosures of PII to third parties | CMA_0422 - Record disclosures of PII to third parties | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 7bdb79ea-16b8-453e-4ca4-ad5b16012414 | Transfer backup information to an alternate storage site | CMA_C1294 - Transfer backup information to an alternate storage site | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 1fb1cb0e-1936-6f32-42fd-89970b535855 | Manage nonlocal maintenance and diagnostic activities | CMA_0364 - Manage nonlocal maintenance and diagnostic activities | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | b11697e8-9515-16f1-7a35-477d5c8a1344 | Protect data in transit using encryption | CMA_0403 - Protect data in transit using encryption | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | f131c8c5-a54a-4888-1efc-158928924bc1 | Require developers to build security architecture | CMA_C1612 - Require developers to build security architecture | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | afd5d60a-48d2-8073-1ec2-6687e22f2ddd | Require notification of third-party personnel transfer or termination | CMA_C1532 - Require notification of third-party personnel transfer or termination | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | f96d2186-79df-262d-3f76-f371e3b71798 | Review user privileges | CMA_C1039 - Review user privileges | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 0f4fa857-079d-9d3d-5c49-21f616189e03 | Provide real-time alerts for audit event failures | CMA_C1114 - Provide real-time alerts for audit event failures | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | e4e1f896-8a93-1151-43c7-0ad23b081ee2 | Authorize, monitor, and control voip | CMA_0025 - Authorize, monitor, and control voip | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | a28323fe-276d-3787-32d2-cef6395764c4 | Develop audit and accountability policies and procedures | CMA_0154 - Develop audit and accountability policies and procedures | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | c0559109-6a27-a217-6821-5a6d44f92897 | Maintain integrity of audit system | CMA_C1133 - Maintain integrity of audit system | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | b7897ddc-9716-2460-96f7-7757ad038cc4 | Assign risk designations | CMA_0016 - Assign risk designations | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | c7fddb0e-3f44-8635-2b35-dc6b8e740b7c | Identify and manage downstream information exchanges | CMA_0298 - Identify and manage downstream information exchanges | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 096a7055-30cb-2db4-3fda-41b20ac72667 | Require interconnection security agreements | CMA_C1151 - Require interconnection security agreements | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 4e45863d-9ea9-32b4-a204-2680bc6007a6 | Require external service providers to comply with security requirements | CMA_C1586 - Require external service providers to comply with security requirements | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | b273f1e3-79e7-13ee-5b5d-dca6c66c3d5d | Manage maintenance personnel | CMA_C1421 - Manage maintenance personnel | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 623b5f0a-8cbd-03a6-4892-201d27302f0c | Define information system account types | CMA_0121 - Define information system account types | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 279052a0-8238-694d-9661-bf649f951747 | Identify contaminated systems and components | CMA_0300 - Identify contaminated systems and components | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 37dbe3dc-0e9c-24fa-36f2-11197cbfa207 | Ensure authorized users protect provided authenticators | CMA_C1339 - Ensure authorized users protect provided authenticators | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | f33c3238-11d2-508c-877c-4262ec1132e1 | Recover and reconstitute resources after any disruption | CMA_C1295 - Recover and reconstitute resources after any disruption | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 9fdde4a9-85fa-7850-6df4-ae9c4a2e56f9 | Integrate cloud app security with a siem | CMA_0340 - Integrate cloud app security with a siem | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 37b0045b-3887-367b-8b4d-b9a6fa911bb9 | Assess information security events | CMA_0013 - Assess information security events | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 03d550b4-34ee-03f4-515f-f2e2faf7a413 | Review access control policies and procedures | CMA_0457 - Review access control policies and procedures | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 7a0ecd94-3699-5273-76a5-edb8499f655a | Determine assertion requirements | CMA_0136 - Determine assertion requirements | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | b8689b2e-4308-a58b-a0b4-6f3343a000df | Use automated mechanisms for security alerts | CMA_C1707 - Use automated mechanisms for security alerts | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 79c75b38-334b-1a69-65e0-a9d929a42f75 | Document the legal basis for processing personal information | CMA_0206 - Document the legal basis for processing personal information | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 9150259b-617b-596d-3bf5-5ca3fce20335 | Establish policies for supply chain risk management | CMA_0275 - Establish policies for supply chain risk management | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | d9d48ffb-0d8c-0bd5-5f31-5a5826d19f10 | Disable authenticators upon termination | CMA_0169 - Disable authenticators upon termination | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 1fdeb7c4-4c93-8271-a135-17ebe85f1cc7 | Incorporate simulated events into incident response training | CMA_C1356 - Incorporate simulated events into incident response training | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 2c843d78-8f64-92b5-6a9b-e8186c0e7eb6 | Enable dual or joint authorization | CMA_0226 - Enable dual or joint authorization | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | e29a8f1b-149b-2fa3-969d-ebee1baa9472 | Assign an authorizing official (AO) | CMA_C1158 - Assign an authorizing official (AO) | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | de077e7e-0cc8-65a6-6e08-9ab46c827b05 | Produce, control and distribute asymmetric cryptographic keys | CMA_C1646 - Produce, control and distribute asymmetric cryptographic keys | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 11ba0508-58a8-44de-5f3a-9e05d80571da | Develop business classification schemes | CMA_0155 - Develop business classification schemes | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 43ac3ccb-4ef6-7d63-9a3f-6848485ba4e8 | Automate process to document implemented changes | CMA_C1195 - Automate process to document implemented changes | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | ca6d7878-3189-1833-4620-6c7254ed1607 | Obtain continuous monitoring plan for security controls | CMA_C1577 - Obtain continuous monitoring plan for security controls | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 55a7f9a0-6397-7589-05ef-5ed59a8149e7 | Control physical access | CMA_0081 - Control physical access | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 7380631c-5bf5-0e3a-4509-0873becd8a63 | Establish a configuration control board | CMA_0254 - Establish a configuration control board | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | f2222056-062d-1060-6dc2-0107a68c34b2 | Manage a secure surveillance camera system | CMA_0354 - Manage a secure surveillance camera system | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 96333008-988d-4add-549b-92b3a8c42063 | Update privacy plan, policies, and procedures | CMA_C1807 - Update privacy plan, policies, and procedures | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | e8c31e15-642d-600f-78ab-bad47a5787e6 | Require third-party providers to comply with personnel security policies and procedures | CMA_C1530 - Require third-party providers to comply with personnel security policies and procedures | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | a3e98638-51d4-4e28-910a-60e98c1a756f | Configure Azure Audit capabilities | CMA_C1108 - Configure Azure Audit capabilities | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 91cf132e-0c9f-37a8-a523-dc6a92cd2fb2 | Review and update physical and environmental policies and procedures | CMA_C1446 - Review and update physical and environmental policies and procedures | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | b4409bff-2287-8407-05fd-c73175a68302 | Enforce a limit of consecutive failed login attempts | CMA_C1044 - Enforce a limit of consecutive failed login attempts | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 58a51cde-008b-1a5d-61b5-d95849770677 | Test the business continuity and disaster recovery plan | CMA_0509 - Test the business continuity and disaster recovery plan | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | f30edfad-4e1d-1eef-27ee-9292d6d89842 | Perform security function verification at a defined frequency | CMA_C1709 - Perform security function verification at a defined frequency | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 964b340a-43a4-4798-2af5-7aedf6cb001b | Collect PII directly from the individual | CMA_C1822 - Collect PII directly from the individual | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 9ca3a3ea-3a1f-8ba0-31a8-6aed0fe1a7a4 | Define mobile device requirements | CMA_0122 - Define mobile device requirements | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 098a7b84-1031-66d8-4e78-bd15b5fd2efb | Provide privacy notice | CMA_0414 - Provide privacy notice | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | aa305b4d-8c84-1754-0c74-dec004e66be0 | Develop contingency plan | CMA_C1244 - Develop contingency plan | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 1d39b5d9-0392-8954-8359-575ce1957d1a | Support personal verification credentials issued by legal authorities | CMA_0507 - Support personal verification credentials issued by legal authorities | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | ebb0ba89-6d8c-84a7-252b-7393881e43de | Document security strength requirements in acquisition contracts | CMA_0203 - Document security strength requirements in acquisition contracts | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | b2ea1058-8998-3dd1-84f1-82132ad482fd | Develop and establish a system security plan | CMA_0151 - Develop and establish a system security plan | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | d6653f89-7cb5-24a4-9d71-51581038231b | Reauthenticate or terminate a user session | CMA_0421 - Reauthenticate or terminate a user session | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | f801d58e-5659-9a4a-6e8d-02c9334732e5 | Restore resources to operational state | CMA_C1297 - Restore resources to operational state | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | d8350d4c-9314-400b-288f-20ddfce04fbd | Define and enforce the limit of concurrent sessions | CMA_C1050 - Define and enforce the limit of concurrent sessions | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | e3905a3c-97e7-0b4f-15fb-465c0927536f | Correlate Vulnerability scan information | CMA_C1558 - Correlate Vulnerability scan information | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 1beb1269-62ee-32cd-21ad-43d6c9750eb6 | Ensure privacy program information is publicly available | CMA_C1867 - Ensure privacy program information is publicly available | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | b3c8cc83-20d3-3890-8bc8-5568777670f4 | Establish requirements for audit review and reporting | CMA_0277 - Establish requirements for audit review and reporting | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 53fc1282-0ee3-2764-1319-e20143bb0ea5 | Review contingency plan | CMA_C1247 - Review contingency plan | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | aa0ddd99-43eb-302d-3f8f-42b499182960 | Install an alarm system | CMA_0338 - Install an alarm system | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Regulatory Compliance | 098dcde7-016a-06c3-0985-0daaf3301d3a | Distribute authenticators | CMA_0184 - Distribute authenticators | Default Manual Allowed Manual, Disabled |
change | 2022-09-27 16:35:32 Minor (1.0.0 > 1.1.0) |
|
| Security Center | 9297c21d-2ed6-4474-b48f-163f75654ce3 | MFA should be enabled for accounts with write permissions on your subscription | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change | 2022-09-23 16:35:49 Patch (3.0.0 > 3.0.1) |
|
| Security Center | ec88097d-843f-4a92-8471-78016d337ba4 | [Preview]: Configure ChangeTracking Extension for Linux virtual machines | Configure Linux virtual machines to automatically install the ChangeTracking Extension to enable File Integrity Monitoring(FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitor Agent. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change | 2022-09-23 16:35:49 Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) |
| Storage | 7bd000e3-37c7-4928-9f31-86c4b77c5c45 | Configure diagnostic settings for Queue Services to Log Analytics workspace | Deploys the diagnostic settings for Queue Services to stream resource logs to a Log Analytics workspace when any queue Service which is missing this diagnostic settings is created or updated. Note: This policy is not triggered upon Storage Account creation and requires creation of a remediation task in order to update for the account. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change | 2022-09-23 16:35:49 Major (2.0.0 > 3.0.0) |
| Network | 610b6183-5f00-4d68-86d2-4ab4cb3a67a5 | Firewall Policy Premium should enable all IDPS signature rules to monitor all inbound and outbound traffic flows | Enabling all Intrusion Detection and Prevention System (IDPS) signature rules is recommanded to better identify known threats in the traffic flows. To learn more about the Intrusion Detection and Prevention System (IDPS) signatures with Azure Firewall Premium, visit https://aka.ms/fw-idps-signature | Default Audit Allowed Audit, Deny, Disabled |
add | 2022-09-23 16:35:49 610b6183-5f00-4d68-86d2-4ab4cb3a67a5 |
|
| Network | 632d3993-e2c0-44ea-a7db-2eca131f356d | Web Application Firewall (WAF) should enable all firewall rules for Application Gateway | Enabling all Web Application Firewall (WAF) rules strengthens your application security and protects your web applications against common vulnerabilities. To learn more about Web Application Firewall (WAF) with Application Gateway, visit https://aka.ms/waf-ag | Default Audit Allowed Audit, Deny, Disabled |
change | 2022-09-23 16:35:49 Patch (1.0.0 > 1.0.1) |
|
| Security Center | f08f556c-12ff-464d-a7de-40cb5b6cccec | [Preview]: Configure ChangeTracking Extension for Windows virtual machines | Configure Windows virtual machines to automatically install the ChangeTracking Extension to enable File Integrity Monitoring(FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitor Agent. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change | 2022-09-23 16:35:49 Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) |
| Storage | 8c6a50c6-9ffd-4ae7-986f-5fa6111f9a54 | Storage accounts should prevent shared key access | Audit requirement of Azure Active Directory (Azure AD) to authorize requests for your storage account. By default, requests can be authorized with either Azure Active Directory credentials, or by using the account access key for Shared Key authorization. Of these two types of authorization, Azure AD provides superior security and ease of use over Shared Key, and is recommended by Microsoft. | Default Audit Allowed Audit, Deny, Disabled |
change | 2022-09-23 16:35:49 Major (1.0.0 > 2.0.0) |
|
| Storage | 25a70cc8-2bd4-47f1-90b6-1478e4662c96 | Configure diagnostic settings for File Services to Log Analytics workspace | Deploys the diagnostic settings for File Services to stream resource logs to a Log Analytics workspace when any file Service which is missing this diagnostic settings is created or updated. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change | 2022-09-23 16:35:49 Major (2.0.0 > 3.0.0) |
| Security Center | 1288c8d7-4b05-4e3a-bc88-9053caefc021 | [Preview]: Configure ChangeTracking Extension for Linux virtual machine scale sets | Configure Linux virtual machine scale sets to automatically install the ChangeTracking Extension to enable File Integrity Monitoring(FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitor Agent. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change | 2022-09-23 16:35:49 Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) |
| Monitoring | d2185817-5b7e-473c-aadd-9de6ac114280 | The legacy Log Analytics extension should not be installed on virtual machines | Automatically prevent installation of the legacy Log Analytics Agent as the final step of migrating from legacy agents to Azure Monitor Agent. After you have uninstalled existing legacy extensions, this policy will deny all future installations of the legacy agent extension on Windows virtual machines. Learn more: https://aka.ms/migratetoAMA | Default Audit Allowed Deny, Audit, Disabled |
add | 2022-09-23 16:35:49 d2185817-5b7e-473c-aadd-9de6ac114280 |
|
| Network | 6484db87-a62d-4327-9f07-80a2cbdf333a | Firewall Policy Premium should enable the Intrusion Detection and Prevention System (IDPS) | Enabling the Intrusion Detection and Prevention System (IDPS) allows you to monitor your network for malicious activity, log information about this activity, report it, and optionally attempt to block it. To learn more about the Intrusion Detection and Prevention System (IDPS) with Azure Firewall Premium, visit https://aka.ms/fw-idps | Default Audit Allowed Audit, Deny, Disabled |
add | 2022-09-23 16:35:49 6484db87-a62d-4327-9f07-80a2cbdf333a |
|
| Monitoring | df441472-4dae-4e4e-87b9-9205ba46be16 | The legacy Log Analytics extension should not be installed on Azure Arc enabled Windows servers | Automatically prevent installation of the legacy Log Analytics Agent as the final step of migrating from legacy agents to Azure Monitor Agent. After you have uninstalled existing legacy extensions, this policy will deny all future installations of the legacy agent extension on Azure Arc enabled Windows servers. Learn more: https://aka.ms/migratetoAMA | Default Audit Allowed Deny, Audit, Disabled |
add | 2022-09-23 16:35:49 df441472-4dae-4e4e-87b9-9205ba46be16 |
|
| Security Center | 10caed8a-652c-4d1d-84e4-2805b7c07278 | [Preview]: Configure ChangeTracking Extension for Linux Arc machines | Configure Linux Arc machines to automatically install the ChangeTracking Extension to enable File Integrity Monitoring(FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitor Agent. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Azure Connected Machine Resource Administrator |
change | 2022-09-23 16:35:49 Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) |
| Security Center | 4bb303db-d051-4099-95d2-e3e1428a4cd5 | [Preview]: Configure ChangeTracking Extension for Windows Arc machines | Configure Windows Arc machines to automatically install the ChangeTracking Extension to enable File Integrity Monitoring(FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitor Agent. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Azure Connected Machine Resource Administrator |
change | 2022-09-23 16:35:49 Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) |
| Storage | b4fe1a3b-0715-4c6c-a5ea-ffc33cf823cb | Configure diagnostic settings for Blob Services to Log Analytics workspace | Deploys the diagnostic settings for Blob Services to stream resource logs to a Log Analytics workspace when any blob Service which is missing this diagnostic settings is created or updated. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change | 2022-09-23 16:35:49 Major (2.0.0 > 3.0.0) |
| Storage | 2fb86bf3-d221-43d1-96d1-2434af34eaa0 | Configure diagnostic settings for Table Services to Log Analytics workspace | Deploys the diagnostic settings for Table Services to stream resource logs to a Log Analytics workspace when any table Service which is missing this diagnostic settings is created or updated. Note: This policy is not triggered upon Storage Account creation and requires creation of a remediation task in order to update for the account. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change | 2022-09-23 16:35:49 Major (2.0.0 > 3.0.0) |
| Network | f2c2d0a6-e183-4fc8-bd8f-363c65d3bbbf | Subscription should configure the Azure Firewall Premium to provide additional layer of protection | Azure Firewall Premium provides advanced threat protection that meets the needs of highly sensitive and regulated environments. Deploy Azure Firewall Premium to your subscription and make sure all the service traffic are protected by Azure Firewall Premium. To learn more about Azure Firewall Premium, visit https://aka.ms/fw-premium | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add | 2022-09-23 16:35:49 f2c2d0a6-e183-4fc8-bd8f-363c65d3bbbf |
|
| Network | f516dc7a-4543-4d40-aad6-98f76a706b50 | Bypass list of Intrusion Detection and Prevention System (IDPS) should be empty in Firewall Policy Premium | Intrusion Detection and Prevention System (IDPS) Bypass List allows you to not filter traffic to any of the IP addresses, ranges, and subnets specified in the bypass list. However, enabling IDPS is recommanded for all traffic flows to better identify known threats. To learn more about the Intrusion Detection and Prevention System (IDPS) signatures with Azure Firewall Premium, visit https://aka.ms/fw-idps-signature | Default Audit Allowed Audit, Deny, Disabled |
add | 2022-09-23 16:35:49 f516dc7a-4543-4d40-aad6-98f76a706b50 |
|
| Security Center | 4bb303db-d051-4099-95d2-e3e1428a4d2c | [Preview]: Configure ChangeTracking Extension for Windows virtual machine scale sets | Configure Windows virtual machine scale sets to automatically install the ChangeTracking Extension to enable File Integrity Monitoring(FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitor Agent. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change | 2022-09-23 16:35:49 Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) |
| Guest Configuration | 357cbd2d-b5c0-4c73-b40c-6bd84f06ce09 | [Preview]: Configure Windows Server to disable local users. | Creates a Guest Configuration assignment to configure disabling local users on Windows Server. This ensures that Windows Servers can only be accessed by AAD (Azure Active Directory) account or a list of explicitly allowed users by this policy, improving overall security posture. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Guest Configuration Resource Contributor |
add | 2022-09-23 16:35:49 357cbd2d-b5c0-4c73-b40c-6bd84f06ce09 |
| Network | 711c24bb-7f18-4578-b192-81a6161e1f17 | Azure Firewall Premium should configure a valid intermediate certificate to enable TLS inspection | Configure a valid intermediate certificate and enable Azure Firewall Premium TLS inspection to detect, alert, and mitigate malicious activity in HTTPS. To learn more about TLS inspection with Azure Firewall, visit https://aka.ms/fw-tlsinspect | Default Audit Allowed Audit, Deny, Disabled |
add | 2022-09-23 16:35:49 711c24bb-7f18-4578-b192-81a6161e1f17 |
|
| Monitoring | ba6881f9-ab93-498b-8bad-bb91b1d755bf | The legacy Log Analytics extension should not be installed on virtual machine scale sets | Automatically prevent installation of the legacy Log Analytics Agent as the final step of migrating from legacy agents to Azure Monitor Agent. After you have uninstalled existing legacy extensions, this policy will deny all future installations of the legacy agent extension on Windows virtual machine scale sets. Learn more: https://aka.ms/migratetoAMA | Default Audit Allowed Deny, Audit, Disabled |
add | 2022-09-23 16:35:49 ba6881f9-ab93-498b-8bad-bb91b1d755bf |
|
| Storage | 59759c62-9a22-4cdf-ae64-074495983fef | Configure diagnostic settings for Storage Accounts to Log Analytics workspace | Deploys the diagnostic settings for Storage accounts to stream resource logs to a Log Analytics workspace when any storage accounts which is missing this diagnostic settings is created or updated. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change | 2022-09-23 16:35:49 Major (2.0.0 > 3.0.0) |
| Regulatory Compliance | 25a1f840-65d0-900a-43e4-bee253de04de | Define requirements for managing assets | CMA_0125 - Define requirements for managing assets | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 25a1f840-65d0-900a-43e4-bee253de04de |
|
| Regulatory Compliance | e54901fe-42c2-7f3b-3c5f-327aa5320a69 | Automate information sharing decisions | CMA_0028 - Automate information sharing decisions | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 e54901fe-42c2-7f3b-3c5f-327aa5320a69 |
|
| App Service | 72d04c29-f87d-4575-9731-419ff16a2757 | App Service apps should be injected into a virtual network | Injecting App Service Apps in a virtual network unlocks advanced App Service networking and security features and provides you with greater control over your network security configuration. Learn more at: https://docs.microsoft.com/azure/app-service/web-sites-integrate-with-vnet. | Default Audit Allowed Audit, Deny, Disabled |
change | 2022-09-19 17:41:40 Major (2.0.0 > 3.0.0) |
|
| Regulatory Compliance | e21f91d1-2803-0282-5f2d-26ebc4b170ef | Update organizational access agreements | CMA_0520 - Update organizational access agreements | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 e21f91d1-2803-0282-5f2d-26ebc4b170ef |
|
| Regulatory Compliance | 524e7136-9f6a-75ba-9089-501018151346 | Document security and privacy training activities | CMA_0198 - Document security and privacy training activities | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 524e7136-9f6a-75ba-9089-501018151346 |
|
| Regulatory Compliance | d9af7f88-686a-5a8b-704b-eafdab278977 | Obtain legal opinion for monitoring system activities | CMA_C1688 - Obtain legal opinion for monitoring system activities | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 d9af7f88-686a-5a8b-704b-eafdab278977 |
|
| Regulatory Compliance | 4e400494-53a5-5147-6f4d-718b539c7394 | Manage compliance activities | CMA_0358 - Manage compliance activities | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 4e400494-53a5-5147-6f4d-718b539c7394 |
|
| Regulatory Compliance | afd5d60a-48d2-8073-1ec2-6687e22f2ddd | Require notification of third-party personnel transfer or termination | CMA_C1532 - Require notification of third-party personnel transfer or termination | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 afd5d60a-48d2-8073-1ec2-6687e22f2ddd |
|
| Regulatory Compliance | c981fa70-2e58-8141-1457-e7f62ebc2ade | Document organizational access agreements | CMA_0192 - Document organizational access agreements | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 c981fa70-2e58-8141-1457-e7f62ebc2ade |
|
| App Service | 1f01f1c7-539c-49b5-9ef4-d4ffa37d22e0 | Configure Function apps to use the latest TLS version | Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Website Contributor |
add | 2022-09-19 17:41:40 1f01f1c7-539c-49b5-9ef4-d4ffa37d22e0 |
| App Service | c285a320-8830-4665-9cc7-bbd05fc7c5c0 | App Service app slots should require FTPS only | Enable FTPS enforcement for enhanced security. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add | 2022-09-19 17:41:40 c285a320-8830-4665-9cc7-bbd05fc7c5c0 |
|
| Regulatory Compliance | 0dcbaf2f-075e-947b-8f4c-74ecc5cd302c | Identify individuals with security roles and responsibilities | CMA_C1566 - Identify individuals with security roles and responsibilities | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 0dcbaf2f-075e-947b-8f4c-74ecc5cd302c |
|
| Regulatory Compliance | d200f199-69f4-95a6-90b0-37ff0cf1040c | Provide the capability to extend or limit auditing on customer-deployed resources | CMA_C1141 - Provide the capability to extend or limit auditing on customer-deployed resources | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 d200f199-69f4-95a6-90b0-37ff0cf1040c |
|
| Regulatory Compliance | 22a02c9a-49e4-5dc9-0d14-eb35ad717154 | Obtain design and implementation information for the security controls | CMA_C1576 - Obtain design and implementation information for the security controls | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 22a02c9a-49e4-5dc9-0d14-eb35ad717154 |
|
| Regulatory Compliance | 836f8406-3b8a-11bb-12cb-6c7fa0765668 | Develop configuration item identification plan | CMA_C1231 - Develop configuration item identification plan | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 836f8406-3b8a-11bb-12cb-6c7fa0765668 |
|
| Regulatory Compliance | 3153d9c0-2584-14d3-362d-578b01358aeb | Retain training records | CMA_0456 - Retain training records | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 3153d9c0-2584-14d3-362d-578b01358aeb |
|
| Regulatory Compliance | 7a114735-a420-057d-a651-9a73cd0416ef | Require developers to provide unified security protection approach | CMA_C1614 - Require developers to provide unified security protection approach | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 7a114735-a420-057d-a651-9a73cd0416ef |
|
| Regulatory Compliance | cb8841d4-9d13-7292-1d06-ba4d68384681 | Perform a business impact assessment and application criticality assessment | CMA_0386 - Perform a business impact assessment and application criticality assessment | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 cb8841d4-9d13-7292-1d06-ba4d68384681 |
|
| Regulatory Compliance | f801d58e-5659-9a4a-6e8d-02c9334732e5 | Restore resources to operational state | CMA_C1297 - Restore resources to operational state | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 f801d58e-5659-9a4a-6e8d-02c9334732e5 |
|
| App Service | a096cbd0-4693-432f-9374-682f485f23f3 | Configure Function apps to only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Default Modify Allowed Modify, Disabled |
count: 001 •Website Contributor |
add | 2022-09-19 17:41:40 a096cbd0-4693-432f-9374-682f485f23f3 |
| App Service | a1a22235-dd10-4062-bd55-7d62778f41b0 | Function app slots should not have CORS configured to allow every resource to access your apps | Cross-Origin Resource Sharing (CORS) should not allow all domains to access your Function app. Allow only required domains to interact with your Function app. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add | 2022-09-19 17:41:40 a1a22235-dd10-4062-bd55-7d62778f41b0 |
|
| Regulatory Compliance | 2f204e72-1896-3bf8-75c9-9128b8683a36 | Reissue authenticators for changed groups and accounts | CMA_0426 - Reissue authenticators for changed groups and accounts | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 2f204e72-1896-3bf8-75c9-9128b8683a36 |
|
| App Service | ae44c1d1-0df2-4ca9-98fa-a3d3ae5b409d | Configure App Service apps to use the latest TLS version | Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Website Contributor |
add | 2022-09-19 17:41:40 ae44c1d1-0df2-4ca9-98fa-a3d3ae5b409d |
| Regulatory Compliance | 6f311b49-9b0d-8c67-3d6e-db80ae528173 | Bind authenticators and identities dynamically | CMA_0035 - Bind authenticators and identities dynamically | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 6f311b49-9b0d-8c67-3d6e-db80ae528173 |
|
| App Service | 2f7c08c2-f671-4282-9fdb-597b6ef2c10d | App Service app slots should have 'Client Certificates (Incoming client certificates)' enabled | Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. | Default Audit Allowed Audit, Disabled |
add | 2022-09-19 17:41:40 2f7c08c2-f671-4282-9fdb-597b6ef2c10d |
|
| Regulatory Compliance | c6fe3856-4635-36b6-983c-070da12a953b | Implement the risk management strategy | CMA_C1744 - Implement the risk management strategy | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 c6fe3856-4635-36b6-983c-070da12a953b |
|
| Regulatory Compliance | 8f835d6a-4d13-9a9c-37dc-176cebd37fda | Document wireless access security controls | CMA_C1695 - Document wireless access security controls | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 8f835d6a-4d13-9a9c-37dc-176cebd37fda |
|
| Regulatory Compliance | 464a7d7a-2358-4869-0b49-6d582ca21292 | Ensure capital planning and investment requests include necessary resources | CMA_C1734 - Ensure capital planning and investment requests include necessary resources | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 464a7d7a-2358-4869-0b49-6d582ca21292 |
|
| App Service | 6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab | Function apps should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Default Audit Allowed Audit, Disabled, Deny |
change | 2022-09-19 17:41:40 Major (3.0.0 > 4.0.0) |
|
| Kubernetes | 95edb821-ddaf-4404-9732-666045e056b4 | Kubernetes cluster should not allow privileged containers | Do not allow privileged containers creation in a Kubernetes cluster. This recommendation is part of CIS 5.2.1 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Deny Allowed audit, Audit, deny, Deny, disabled, Disabled |
change | 2022-09-19 17:41:40 Major (8.0.0 > 9.0.0) |
|
| Regulatory Compliance | 318b2bd9-9c39-9f8b-46a7-048401f33476 | Address coding vulnerabilities | CMA_0003 - Address coding vulnerabilities | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 318b2bd9-9c39-9f8b-46a7-048401f33476 |
|
| Kubernetes | f85eb0dd-92ee-40e9-8a76-db25a507d6d3 | Kubernetes cluster containers should only use allowed ProcMountType | Pod containers can only use allowed ProcMountTypes in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change | 2022-09-19 17:41:40 Major (7.0.1 > 8.0.0) |
|
| Regulatory Compliance | 90a156a6-49ed-18d1-1052-69aac27c05cd | Allocate resources in determining information system requirements | CMA_C1561 - Allocate resources in determining information system requirements | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 90a156a6-49ed-18d1-1052-69aac27c05cd |
|
| Regulatory Compliance | 04837a26-2601-1982-3da7-bf463e6408f4 | Develop configuration management plan | CMA_C1232 - Develop configuration management plan | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 04837a26-2601-1982-3da7-bf463e6408f4 |
|
| Kubernetes | 50c83470-d2f0-4dda-a716-1938a4825f62 | Kubernetes cluster containers should only use allowed pull policy | Restrict containers' pull policy to enforce containers to use only allowed images on deployments | Default Audit Allowed Audit, Deny, Disabled |
change | 2022-09-19 17:41:40 Major (2.0.0 > 3.0.0) |
|
| Kubernetes | e345eecc-fa47-480f-9e88-67dcc122b164 | Kubernetes cluster containers CPU and memory resource limits should not exceed the specified limits | Enforce container CPU and memory resource limits to prevent resource exhaustion attacks in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Deny Allowed audit, Audit, deny, Deny, disabled, Disabled |
change | 2022-09-19 17:41:40 Major (8.0.0 > 9.0.0) |
|
| Regulatory Compliance | d91558ce-5a5c-551b-8fbb-83f793255e09 | Route traffic through authenticated proxy network | CMA_C1633 - Route traffic through authenticated proxy network | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 d91558ce-5a5c-551b-8fbb-83f793255e09 |
|
| Regulatory Compliance | 91cf132e-0c9f-37a8-a523-dc6a92cd2fb2 | Review and update physical and environmental policies and procedures | CMA_C1446 - Review and update physical and environmental policies and procedures | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 91cf132e-0c9f-37a8-a523-dc6a92cd2fb2 |
|
| Regulatory Compliance | 1e876c5c-0f2a-8eb6-69f7-5f91e7918ed6 | Review development process, standards and tools | CMA_C1610 - Review development process, standards and tools | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 1e876c5c-0f2a-8eb6-69f7-5f91e7918ed6 |
|
| Regulatory Compliance | c6aeb800-0b19-944d-92dc-59b893722329 | Rescreen individuals at a defined frequency | CMA_C1512 - Rescreen individuals at a defined frequency | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 c6aeb800-0b19-944d-92dc-59b893722329 |
|
| Regulatory Compliance | b7306e73-0494-83a2-31f5-280e934a8f70 | Develop and document a DDoS response plan | CMA_0147 - Develop and document a DDoS response plan | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 b7306e73-0494-83a2-31f5-280e934a8f70 |
|
| Kubernetes | 4f3823b6-6dac-4b5a-9c61-ce1afb829f17 | Kubernetes clusters should use Container Storage Interface(CSI) driver StorageClass | The Container Storage Interface (CSI) is a standard for exposing arbitrary block and file storage systems to containerized workloads on Kubernetes. In-tree provisioner StorageClass should be deprecated since AKS version 1.21. To learn more, https://aka.ms/aks-csi-driver | Default Audit Allowed Audit, Deny, Disabled |
change | 2022-09-19 17:41:40 Major (1.1.0 > 2.0.0) |
|
| Regulatory Compliance | cbfa1bd0-714d-8d6f-0480-2ad6a53972df | Define and document government oversight | CMA_C1587 - Define and document government oversight | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 cbfa1bd0-714d-8d6f-0480-2ad6a53972df |
|
| Kubernetes | f06ddb64-5fa3-4b77-b166-acb36f7f6042 | Kubernetes cluster pods and containers should only run with approved user and group IDs | Control the user, primary group, supplemental group and file system group IDs that pods and containers can use to run in a Kubernetes Cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change | 2022-09-19 17:41:40 Major (5.0.2 > 6.0.0) |
|
| Regulatory Compliance | 7fc1f0da-0050-19bb-3d75-81ae15940df6 | Provide monitoring information as needed | CMA_C1689 - Provide monitoring information as needed | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 7fc1f0da-0050-19bb-3d75-81ae15940df6 |
|
| Regulatory Compliance | 3e37c891-840c-3eb4-78d2-e2e0bb5063e0 | Require developers to describe accurate security functionality | CMA_C1613 - Require developers to describe accurate security functionality | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 3e37c891-840c-3eb4-78d2-e2e0bb5063e0 |
|
| Regulatory Compliance | 6baae474-434f-2e91-7163-a72df30c4847 | Manage security state of information systems | CMA_C1746 - Manage security state of information systems | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 6baae474-434f-2e91-7163-a72df30c4847 |
|
| Regulatory Compliance | 8e920169-739d-40b5-3f99-c4d855327bb2 | Prohibit binary/machine-executable code | CMA_C1717 - Prohibit binary/machine-executable code | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 8e920169-739d-40b5-3f99-c4d855327bb2 |
|
| Regulatory Compliance | 76d66b5c-85e4-93f5-96a5-ebb2fad61dc6 | Terminate customer controlled account credentials | CMA_C1022 - Terminate customer controlled account credentials | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 76d66b5c-85e4-93f5-96a5-ebb2fad61dc6 |
|
| Kubernetes | 65280eef-c8b4-425e-9aec-af55e55bf581 | Kubernetes cluster should not use naked pods | Block usage of naked Pods. Naked Pods will not be rescheduled in the event of a node failure. Pods should be managed by Deployment, Replicset, Daemonset or Jobs | Default Audit Allowed Audit, Deny, Disabled |
change | 2022-09-19 17:41:40 Major (1.0.0 > 2.0.0) |
|
| Regulatory Compliance | aa305b4d-8c84-1754-0c74-dec004e66be0 | Develop contingency plan | CMA_C1244 - Develop contingency plan | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 aa305b4d-8c84-1754-0c74-dec004e66be0 |
|
| Kubernetes | 9f061a12-e40d-4183-a00e-171812443373 | Kubernetes clusters should not use the default namespace | Prevent usage of the default namespace in Kubernetes clusters to protect against unauthorized access for ConfigMap, Pod, Secret, Service, and ServiceAccount resource types. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change | 2022-09-19 17:41:40 Major (3.0.1 > 4.0.0) |
|
| Regulatory Compliance | d7c1ecc3-2980-a079-1569-91aec8ac4a77 | Conduct risk assessment and distribute its results | CMA_C1544 - Conduct risk assessment and distribute its results | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 d7c1ecc3-2980-a079-1569-91aec8ac4a77 |
|
| Regulatory Compliance | 94c842e3-8098-38f9-6d3f-8872b790527d | Remove or redact any PII | CMA_C1833 - Remove or redact any PII | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 94c842e3-8098-38f9-6d3f-8872b790527d |
|
| Regulatory Compliance | 898a5781-2254-5a37-34c7-d78ea7c20d55 | Publish SORNs for systems containing PII | CMA_C1862 - Publish SORNs for systems containing PII | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 898a5781-2254-5a37-34c7-d78ea7c20d55 |
|
| Regulatory Compliance | 09960521-759e-5d12-086f-4192a72a5e92 | Protect administrator and user documentation | CMA_C1583 - Protect administrator and user documentation | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 09960521-759e-5d12-086f-4192a72a5e92 |
|
| Kubernetes | e1e6c427-07d9-46ab-9689-bfa85431e636 | Kubernetes cluster pods and containers should only use allowed SELinux options | Pods and containers should only use allowed SELinux options in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change | 2022-09-19 17:41:40 Major (6.0.2 > 7.0.0) |
|
| Regulatory Compliance | 3af53f59-979f-24a8-540f-d7cdbc366607 | Require users to sign access agreement | CMA_0440 - Require users to sign access agreement | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 3af53f59-979f-24a8-540f-d7cdbc366607 |
|
| Regulatory Compliance | f49925aa-9b11-76ae-10e2-6e973cc60f37 | Review and update system and services acquisition policies and procedures | CMA_C1560 - Review and update system and services acquisition policies and procedures | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 f49925aa-9b11-76ae-10e2-6e973cc60f37 |
|
| Regulatory Compliance | a1334a65-2622-28ee-5067-9d7f5b915cc5 | Communicate contingency plan changes | CMA_C1249 - Communicate contingency plan changes | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 a1334a65-2622-28ee-5067-9d7f5b915cc5 |
|
| Storage | 59759c62-9a22-4cdf-ae64-074495983fef | Configure diagnostic settings for Storage Accounts to Log Analytics workspace | Deploys the diagnostic settings for Storage accounts to stream resource logs to a Log Analytics workspace when any storage accounts which is missing this diagnostic settings is created or updated. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change | 2022-09-19 17:41:40 Major (1.0.0 > 2.0.0) |
| Regulatory Compliance | a8df9c78-4044-98be-2c05-31a315ac8957 | Conform to FICAM-issued profiles | CMA_C1350 - Conform to FICAM-issued profiles | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 a8df9c78-4044-98be-2c05-31a315ac8957 |
|
| Regulatory Compliance | 0471c6b7-1588-701c-2713-1fade73b75f6 | Display an explicit logout message | CMA_C1056 - Display an explicit logout message | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 0471c6b7-1588-701c-2713-1fade73b75f6 |
|
| Regulatory Compliance | 037c0089-6606-2dab-49ad-437005b5035f | Identify incident response personnel | CMA_0301 - Identify incident response personnel | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 037c0089-6606-2dab-49ad-437005b5035f |
|
| Regulatory Compliance | b7897ddc-9716-2460-96f7-7757ad038cc4 | Assign risk designations | CMA_0016 - Assign risk designations | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 b7897ddc-9716-2460-96f7-7757ad038cc4 |
|
| Regulatory Compliance | ba99d512-3baa-1c38-8b0b-ae16bbd34274 | Test contingency plan at an alternate processing location | CMA_C1265 - Test contingency plan at an alternate processing location | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 ba99d512-3baa-1c38-8b0b-ae16bbd34274 |
|
| Regulatory Compliance | 396f465d-375e-57de-58ba-021adb008191 | Invalidate session identifiers at logout | CMA_C1661 - Invalidate session identifiers at logout | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 396f465d-375e-57de-58ba-021adb008191 |
|
| Regulatory Compliance | 55be3260-a7a2-3c06-7fe6-072d07525ab7 | Accept PIV credentials | CMA_C1347 - Accept PIV credentials | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 55be3260-a7a2-3c06-7fe6-072d07525ab7 |
|
| Regulatory Compliance | 96333008-988d-4add-549b-92b3a8c42063 | Update privacy plan, policies, and procedures | CMA_C1807 - Update privacy plan, policies, and procedures | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 96333008-988d-4add-549b-92b3a8c42063 |
|
| Regulatory Compliance | bfc540fe-376c-2eef-4355-121312fa4437 | Maintain separate execution domains for running processes | CMA_C1665 - Maintain separate execution domains for running processes | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 bfc540fe-376c-2eef-4355-121312fa4437 |
|
| Regulatory Compliance | e750ca06-1824-464a-2cf3-d0fa754d1cb4 | Establish a secure software development program | CMA_0259 - Establish a secure software development program | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 e750ca06-1824-464a-2cf3-d0fa754d1cb4 |
|
| Regulatory Compliance | de077e7e-0cc8-65a6-6e08-9ab46c827b05 | Produce, control and distribute asymmetric cryptographic keys | CMA_C1646 - Produce, control and distribute asymmetric cryptographic keys | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 de077e7e-0cc8-65a6-6e08-9ab46c827b05 |
|
| Regulatory Compliance | b320aa42-33b4-53af-87ce-100091d48918 | Document third-party personnel security requirements | CMA_C1531 - Document third-party personnel security requirements | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 b320aa42-33b4-53af-87ce-100091d48918 |
|
| Regulatory Compliance | b65c5d8e-9043-9612-2c17-65f231d763bb | Employ independent assessors to conduct security control assessments | CMA_C1148 - Employ independent assessors to conduct security control assessments | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 b65c5d8e-9043-9612-2c17-65f231d763bb |
|
| Kubernetes | df49d893-a74c-421d-bc95-c663042e5b80 | Kubernetes cluster containers should run with a read only root file system | Run containers with a read only root file system to protect from changes at run-time with malicious binaries being added to PATH in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change | 2022-09-19 17:41:40 Major (5.0.0 > 6.0.0) |
|
| Regulatory Compliance | 14a4fd0a-9100-1e12-1362-792014a28155 | Update contingency plan | CMA_C1248 - Update contingency plan | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 14a4fd0a-9100-1e12-1362-792014a28155 |
|
| Regulatory Compliance | 6de65dc4-8b4f-34b7-9290-eb137a2e2929 | Develop and document application security requirements | CMA_0148 - Develop and document application security requirements | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 6de65dc4-8b4f-34b7-9290-eb137a2e2929 |
|
| Regulatory Compliance | adf517f3-6dcd-3546-9928-34777d0c277e | Review and update system and communications protection policies and procedures | CMA_C1616 - Review and update system and communications protection policies and procedures | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 adf517f3-6dcd-3546-9928-34777d0c277e |
|
| Regulatory Compliance | be1c34ab-295a-07a6-785c-36f63c1d223e | Obtain user security function documentation | CMA_C1581 - Obtain user security function documentation | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 be1c34ab-295a-07a6-785c-36f63c1d223e |
|
| App Service | 546fe8d2-368d-4029-a418-6af48a7f61e5 | App Service apps should use a SKU that supports private link | With supported SKUs, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to apps, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/private-link. | Default Audit Allowed Audit, Deny, Disabled |
change | 2022-09-19 17:41:40 Major (3.0.0 > 4.0.0) |
|
| Regulatory Compliance | 0716f0f5-4955-2ccb-8d5e-c6be14d57c0f | Ensure resources are authorized | CMA_C1159 - Ensure resources are authorized | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 0716f0f5-4955-2ccb-8d5e-c6be14d57c0f |
|
| Kubernetes | 9a5f4e39-e427-4d5d-ae73-93db00328bec | Kubernetes resources should have required annotations | Ensure that required annotations are attached on a given Kubernetes resource kind for improved resource management of your Kubernetes resources. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed Audit, Deny, Disabled |
change | 2022-09-19 17:41:40 Major (2.0.0 > 3.0.0) |
|
| Regulatory Compliance | 53fc1282-0ee3-2764-1319-e20143bb0ea5 | Review contingency plan | CMA_C1247 - Review contingency plan | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 53fc1282-0ee3-2764-1319-e20143bb0ea5 |
|
| Storage | 25a70cc8-2bd4-47f1-90b6-1478e4662c96 | Configure diagnostic settings for File Services to Log Analytics workspace | Deploys the diagnostic settings for File Services to stream resource logs to a Log Analytics workspace when any file Service which is missing this diagnostic settings is created or updated. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change | 2022-09-19 17:41:40 Major (1.0.0 > 2.0.0) |
| Regulatory Compliance | 60442979-6333-85f0-84c5-b887bac67448 | Evaluate alternate processing site capabilities | CMA_C1266 - Evaluate alternate processing site capabilities | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 60442979-6333-85f0-84c5-b887bac67448 |
|
| Regulatory Compliance | 1a2a03a4-9992-5788-5953-d8f6615306de | Govern policies and procedures | CMA_0292 - Govern policies and procedures | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 1a2a03a4-9992-5788-5953-d8f6615306de |
|
| Regulatory Compliance | 2401b496-7f23-79b2-9f80-89bb5abf3d4a | Protect incident response plan | CMA_0405 - Protect incident response plan | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 2401b496-7f23-79b2-9f80-89bb5abf3d4a |
|
| Kubernetes | f4a8fce0-2dd5-4c21-9a36-8f0ec809d663 | Kubernetes cluster pod FlexVolume volumes should only use allowed drivers | Pod FlexVolume volumes should only use allowed drivers in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change | 2022-09-19 17:41:40 Major (4.0.0 > 5.0.0) |
|
| Regulatory Compliance | 7b28ba4f-0a87-46ac-62e1-46b7c09202a8 | Monitor account activity | CMA_0377 - Monitor account activity | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 7b28ba4f-0a87-46ac-62e1-46b7c09202a8 |
|
| App Service | 24b7a1c6-44fe-40cc-a2e6-242d2ef70e98 | App Service app slots should be injected into a virtual network | Injecting App Service Apps in a virtual network unlocks advanced App Service networking and security features and provides you with greater control over your network security configuration. Learn more at: https://docs.microsoft.com/azure/app-service/web-sites-integrate-with-vnet. | Default Audit Allowed Audit, Deny, Disabled |
add | 2022-09-19 17:41:40 24b7a1c6-44fe-40cc-a2e6-242d2ef70e98 |
|
| App Service | a5e3fe8f-f6cd-4f1d-bbf6-c749754a724b | Configure App Service apps to turn off remote debugging | Remote debugging requires inbound ports to be opened on an App Service app. Remote debugging should be turned off. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Website Contributor |
add | 2022-09-19 17:41:40 a5e3fe8f-f6cd-4f1d-bbf6-c749754a724b |
| Regulatory Compliance | b262e1dd-08e9-41d4-963a-258909ad794b | Implement managed interface for each external service | CMA_C1626 - Implement managed interface for each external service | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 b262e1dd-08e9-41d4-963a-258909ad794b |
|
| Regulatory Compliance | 77cc89bb-774f-48d7-8a84-fb8c322c3000 | Track software license usage | CMA_C1235 - Track software license usage | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 77cc89bb-774f-48d7-8a84-fb8c322c3000 |
|
| Regulatory Compliance | 00f12b6f-10d7-8117-9577-0f2b76488385 | Integrate risk management process into SDLC | CMA_C1567 - Integrate risk management process into SDLC | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 00f12b6f-10d7-8117-9577-0f2b76488385 |
|
| Kubernetes | 16697877-1118-4fb1-9b65-9898ec2509ec | Kubernetes cluster pods should only use allowed volume types | Pods can only use allowed volume types in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change | 2022-09-19 17:41:40 Major (4.0.1 > 5.0.0) |
|
| Storage | b4fe1a3b-0715-4c6c-a5ea-ffc33cf823cb | Configure diagnostic settings for Blob Services to Log Analytics workspace | Deploys the diagnostic settings for Blob Services to stream resource logs to a Log Analytics workspace when any blob Service which is missing this diagnostic settings is created or updated. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change | 2022-09-19 17:41:40 Major (1.0.0 > 2.0.0) |
| Regulatory Compliance | 0a412110-3874-9f22-187a-c7a81c8a6704 | Establish alternate storage site to store and retrieve backup information | CMA_C1267 - Establish alternate storage site to store and retrieve backup information | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 0a412110-3874-9f22-187a-c7a81c8a6704 |
|
| Regulatory Compliance | 3a868d0c-538f-968b-0191-bddb44da5b75 | Require developers to document approved changes and potential impact | CMA_C1597 - Require developers to document approved changes and potential impact | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 3a868d0c-538f-968b-0191-bddb44da5b75 |
|
| Regulatory Compliance | 085467a6-9679-5c65-584a-f55acefd0d43 | Require developers to implement only approved changes | CMA_C1596 - Require developers to implement only approved changes | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 085467a6-9679-5c65-584a-f55acefd0d43 |
|
| Regulatory Compliance | c8aa992d-76b7-7ca0-07b3-31a58d773fa9 | Employ automated training environment | CMA_C1357 - Employ automated training environment | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 c8aa992d-76b7-7ca0-07b3-31a58d773fa9 |
|
| App Service | 5bb220d9-2698-4ee4-8404-b9c30c9df609 | App Service apps should have 'Client Certificates (Incoming client certificates)' enabled | Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. | Default Audit Allowed Audit, Disabled |
change | 2022-09-19 17:41:40 Major (2.0.0 > 3.0.0) |
|
| App Service | 5e5dbe3f-2702-4ffc-8b1e-0cae008a5c71 | Function app slots should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Default Audit Allowed Audit, Disabled, Deny |
add | 2022-09-19 17:41:40 5e5dbe3f-2702-4ffc-8b1e-0cae008a5c71 |
|
| Regulatory Compliance | 5bac5fb7-7735-357b-767d-02264bfe5c3b | Perform all non-local maintenance | CMA_C1417 - Perform all non-local maintenance | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 5bac5fb7-7735-357b-767d-02264bfe5c3b |
|
| Regulatory Compliance | dad1887d-161b-7b61-2e4d-5124a7b5724e | Measure the time between flaw identification and flaw remediation | CMA_C1674 - Measure the time between flaw identification and flaw remediation | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 dad1887d-161b-7b61-2e4d-5124a7b5724e |
|
| Regulatory Compliance | edcc36f1-511b-81e0-7125-abee29752fe7 | Manage availability and capacity | CMA_0356 - Manage availability and capacity | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 edcc36f1-511b-81e0-7125-abee29752fe7 |
|
| Regulatory Compliance | eb598832-4bcc-658d-4381-3ecbe17b9866 | Provide timely maintenance support | CMA_C1425 - Provide timely maintenance support | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 eb598832-4bcc-658d-4381-3ecbe17b9866 |
|
| Regulatory Compliance | ee4bbbbb-2e52-9adb-4e3a-e641f7ac68ab | Check for privacy and security compliance before establishing internal connections | CMA_0053 - Check for privacy and security compliance before establishing internal connections | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 ee4bbbbb-2e52-9adb-4e3a-e641f7ac68ab |
|
| Regulatory Compliance | ff136354-1c92-76dc-2dab-80fb7c6a9f1a | Observe and report security weaknesses | CMA_0384 - Observe and report security weaknesses | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 ff136354-1c92-76dc-2dab-80fb7c6a9f1a |
|
| Kubernetes | 1ddac26b-ed48-4c30-8cc5-3a68c79b8001 | Kubernetes clusters should not allow endpoint edit permissions of ClusterRole/system:aggregate-to-edit | ClusterRole/system:aggregate-to-edit should not allow endpoint edit permissions due to CVE-2021-25740, Endpoint & EndpointSlice permissions allow cross-Namespace forwarding, https://github.com/kubernetes/kubernetes/issues/103675. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed Audit, Disabled |
change | 2022-09-19 17:41:40 Major (2.0.0 > 3.0.0) |
|
| Regulatory Compliance | 729c8708-2bec-093c-8427-2e87d2cd426d | Automate notification of employee termination | CMA_C1521 - Automate notification of employee termination | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 729c8708-2bec-093c-8427-2e87d2cd426d |
|
| Regulatory Compliance | 3eabed6d-1912-2d3c-858b-f438d08d0412 | Ensure external providers consistently meet interests of the customers | CMA_C1592 - Ensure external providers consistently meet interests of the customers | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 3eabed6d-1912-2d3c-858b-f438d08d0412 |
|
| Regulatory Compliance | 171e377b-5224-4a97-1eaa-62a3b5231dac | Generate internal security alerts | CMA_C1704 - Generate internal security alerts | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 171e377b-5224-4a97-1eaa-62a3b5231dac |
|
| Kubernetes | d46c275d-1680-448d-b2ec-e495a3b6cc89 | Kubernetes cluster services should only use allowed external IPs | Use allowed external IPs to avoid the potential attack (CVE-2020-8554) in a Kubernetes cluster. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change | 2022-09-19 17:41:40 Major (4.0.1 > 5.0.0) |
|
| Regulatory Compliance | 1fdeb7c4-4c93-8271-a135-17ebe85f1cc7 | Incorporate simulated events into incident response training | CMA_C1356 - Incorporate simulated events into incident response training | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 1fdeb7c4-4c93-8271-a135-17ebe85f1cc7 |
|
| Regulatory Compliance | 22457e81-3ec6-5271-a786-c3ca284601dd | Isolate information spills | CMA_0346 - Isolate information spills | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 22457e81-3ec6-5271-a786-c3ca284601dd |
|
| Regulatory Compliance | ba02d0a0-566a-25dc-73f1-101c726a19c5 | Implement transaction based recovery | CMA_C1296 - Implement transaction based recovery | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 ba02d0a0-566a-25dc-73f1-101c726a19c5 |
|
| Regulatory Compliance | f8a63511-66f1-503f-196d-d6217ee0823a | Require developers to produce evidence of security assessment plan execution | CMA_C1602 - Require developers to produce evidence of security assessment plan execution | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 f8a63511-66f1-503f-196d-d6217ee0823a |
|
| Regulatory Compliance | 9c954fcf-6dd8-81f1-41b5-832ae5c62caf | Incorporate simulated contingency training | CMA_C1260 - Incorporate simulated contingency training | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 9c954fcf-6dd8-81f1-41b5-832ae5c62caf |
|
| Kubernetes | 1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d | Kubernetes clusters should be accessible only over HTTPS | Use of HTTPS ensures authentication and protects data in transit from network layer eavesdropping attacks. This capability is currently generally available for Kubernetes Service (AKS), and in preview for Azure Arc enabled Kubernetes. For more info, visit https://aka.ms/kubepolicydoc | Default Deny Allowed audit, Audit, deny, Deny, disabled, Disabled |
change | 2022-09-19 17:41:40 Major (7.0.0 > 8.0.0) |
|
| Regulatory Compliance | d25cbded-121e-0ed6-1857-dc698c9095b1 | Take action in response to customer information | CMA_C1554 - Take action in response to customer information | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 d25cbded-121e-0ed6-1857-dc698c9095b1 |
|
| Regulatory Compliance | f6794ab8-9a7d-3b24-76ab-265d3646232b | Provide role-based training on suspicious activities | CMA_C1097 - Provide role-based training on suspicious activities | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 f6794ab8-9a7d-3b24-76ab-265d3646232b |
|
| Kubernetes | c26596ff-4d70-4e6a-9a30-c2506bd2f80c | Kubernetes cluster containers should only use allowed capabilities | Restrict the capabilities to reduce the attack surface of containers in a Kubernetes cluster. This recommendation is part of CIS 5.2.8 and CIS 5.2.9 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change | 2022-09-19 17:41:40 Major (5.0.1 > 6.0.0) |
|
| Regulatory Compliance | df54d34f-65f3-39f1-103c-a0464b8615df | Manage transfers between standby and active system components | CMA_0371 - Manage transfers between standby and active system components | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 df54d34f-65f3-39f1-103c-a0464b8615df |
|
| Regulatory Compliance | dc7ec756-221c-33c8-0afe-c48e10e42321 | Verify security controls for external information systems | CMA_0541 - Verify security controls for external information systems | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 dc7ec756-221c-33c8-0afe-c48e10e42321 |
|
| Regulatory Compliance | 75b9db50-7906-2351-98ae-0458218609e5 | Retain accounting of disclosures of information | CMA_C1819 - Retain accounting of disclosures of information | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 75b9db50-7906-2351-98ae-0458218609e5 |
|
| Regulatory Compliance | 08c11b48-8745-034d-1c1b-a144feec73b9 | Restrict use of open source software | CMA_C1237 - Restrict use of open source software | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 08c11b48-8745-034d-1c1b-a144feec73b9 |
|
| Regulatory Compliance | e5c5fc78-4aa5-3d6b-81bc-5fcc88b318e9 | Review and update personnel security policies and procedures | CMA_C1507 - Review and update personnel security policies and procedures | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 e5c5fc78-4aa5-3d6b-81bc-5fcc88b318e9 |
|
| Regulatory Compliance | eff6e4a5-3efe-94dd-2ed1-25d56a019a82 | Distribute policies and procedures | CMA_0185 - Distribute policies and procedures | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 eff6e4a5-3efe-94dd-2ed1-25d56a019a82 |
|
| Regulatory Compliance | bbb2e6d6-085f-5a35-a55d-e45daad38933 | Provide secure name and address resolution services | CMA_0416 - Provide secure name and address resolution services | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 bbb2e6d6-085f-5a35-a55d-e45daad38933 |
|
| Regulatory Compliance | 44b71aa8-099d-8b97-1557-0e853ec38e0d | Obtain functional properties of security controls | CMA_C1575 - Obtain functional properties of security controls | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 44b71aa8-099d-8b97-1557-0e853ec38e0d |
|
| Regulatory Compliance | 56fb5173-3865-5a5d-5fad-ae33e53e1577 | Address information security issues | CMA_C1742 - Address information security issues | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 56fb5173-3865-5a5d-5fad-ae33e53e1577 |
|
| Regulatory Compliance | 70057208-70cc-7b31-3c3a-121af6bc1966 | Secure commitment from leadership | CMA_0489 - Secure commitment from leadership | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 70057208-70cc-7b31-3c3a-121af6bc1966 |
|
| Regulatory Compliance | e7422f08-65b4-50e4-3779-d793156e0079 | Develop a concept of operations (CONOPS) | CMA_0141 - Develop a concept of operations (CONOPS) | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 e7422f08-65b4-50e4-3779-d793156e0079 |
|
| Kubernetes | d2e7ea85-6b44-4317-a0be-1b951587f626 | Kubernetes clusters should not grant CAP_SYS_ADMIN security capabilities | To reduce the attack surface of your containers, restrict CAP_SYS_ADMIN Linux capabilities. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change | 2022-09-19 17:41:40 Major (4.0.0 > 5.0.0) |
|
| Regulatory Compliance | b269a749-705e-8bff-055a-147744675cdf | Conduct backup of information system documentation | CMA_C1289 - Conduct backup of information system documentation | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 b269a749-705e-8bff-055a-147744675cdf |
|
| Regulatory Compliance | b2c723e8-a1a0-8e38-5cf1-f5a20ffe4f51 | Publish access procedures in SORNs | CMA_C1848 - Publish access procedures in SORNs | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 b2c723e8-a1a0-8e38-5cf1-f5a20ffe4f51 |
|
| Kubernetes | 975ce327-682c-4f2e-aa46-b9598289b86c | Kubernetes cluster containers should only use allowed seccomp profiles | Pod containers can only use allowed seccomp profiles in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change | 2022-09-19 17:41:40 Major (5.0.1 > 7.0.0) |
|
| Regulatory Compliance | ff1efad2-6b09-54cc-01bf-d386c4d558a8 | Secure the interface to external systems | CMA_0491 - Secure the interface to external systems | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 ff1efad2-6b09-54cc-01bf-d386c4d558a8 |
|
| App Service | 08cf2974-d178-48a0-b26d-f6b8e555748b | Configure Function app slots to only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Default Modify Allowed Modify, Disabled |
count: 001 •Website Contributor |
add | 2022-09-19 17:41:40 08cf2974-d178-48a0-b26d-f6b8e555748b |
| Regulatory Compliance | 69d90ee6-9f9f-262a-2038-d909fb4e5723 | Identify spilled information | CMA_0303 - Identify spilled information | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 69d90ee6-9f9f-262a-2038-d909fb4e5723 |
|
| Regulatory Compliance | 46ab2c5e-6654-1f58-8c83-e97a44f39308 | Identify external service providers | CMA_C1591 - Identify external service providers | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 46ab2c5e-6654-1f58-8c83-e97a44f39308 |
|
| Regulatory Compliance | 098dcde7-016a-06c3-0985-0daaf3301d3a | Distribute authenticators | CMA_0184 - Distribute authenticators | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 098dcde7-016a-06c3-0985-0daaf3301d3a |
|
| Kubernetes | 423dd1ba-798e-40e4-9c4d-b6902674b423 | Kubernetes clusters should disable automounting API credentials | Disable automounting API credentials to prevent a potentially compromised Pod resource to run API commands against Kubernetes clusters. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change | 2022-09-19 17:41:40 Major (3.0.1 > 4.0.0) |
|
| Regulatory Compliance | 68d2e478-3b19-23eb-1357-31b296547457 | Enforce software execution privileges | CMA_C1041 - Enforce software execution privileges | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 68d2e478-3b19-23eb-1357-31b296547457 |
|
| Regulatory Compliance | 80029bc5-834f-3a9c-a2d8-acbc1aab4e9f | Employ restrictions on external system interconnections | CMA_C1155 - Employ restrictions on external system interconnections | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 80029bc5-834f-3a9c-a2d8-acbc1aab4e9f |
|
| Regulatory Compliance | f30edfad-4e1d-1eef-27ee-9292d6d89842 | Perform security function verification at a defined frequency | CMA_C1709 - Perform security function verification at a defined frequency | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 f30edfad-4e1d-1eef-27ee-9292d6d89842 |
|
| Regulatory Compliance | 834b7a4a-83ab-2188-1a26-9c5033d8173b | Incorporate security and data privacy practices in research processing | CMA_0331 - Incorporate security and data privacy practices in research processing | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 834b7a4a-83ab-2188-1a26-9c5033d8173b |
|
| Regulatory Compliance | 13939f8c-4cd5-a6db-9af4-9dfec35e3722 | Identify and mitigate potential issues at alternate storage site | CMA_C1271 - Identify and mitigate potential issues at alternate storage site | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 13939f8c-4cd5-a6db-9af4-9dfec35e3722 |
|
| Regulatory Compliance | ca6d7878-3189-1833-4620-6c7254ed1607 | Obtain continuous monitoring plan for security controls | CMA_C1577 - Obtain continuous monitoring plan for security controls | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 ca6d7878-3189-1833-4620-6c7254ed1607 |
|
| Regulatory Compliance | 03d550b4-34ee-03f4-515f-f2e2faf7a413 | Review access control policies and procedures | CMA_0457 - Review access control policies and procedures | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 03d550b4-34ee-03f4-515f-f2e2faf7a413 |
|
| Regulatory Compliance | bb048641-6017-7272-7772-a008f285a520 | Develop spillage response procedures | CMA_0162 - Develop spillage response procedures | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 bb048641-6017-7272-7772-a008f285a520 |
|
| Regulatory Compliance | 10c3a1b1-29b0-a2d5-8f4c-a284b0f07830 | Implement cryptographic mechanisms | CMA_C1419 - Implement cryptographic mechanisms | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 10c3a1b1-29b0-a2d5-8f4c-a284b0f07830 |
|
| Regulatory Compliance | 0f31d98d-5ce2-705b-4aa5-b4f6705110dd | Prepare alternate processing site for use as operational site | CMA_C1278 - Prepare alternate processing site for use as operational site | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 0f31d98d-5ce2-705b-4aa5-b4f6705110dd |
|
| Regulatory Compliance | 279052a0-8238-694d-9661-bf649f951747 | Identify contaminated systems and components | CMA_0300 - Identify contaminated systems and components | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 279052a0-8238-694d-9661-bf649f951747 |
|
| Kubernetes | 46592696-4c7b-4bf3-9e45-6c2763bdc0a6 | Kubernetes cluster pods should use specified labels | Use specified labels to identify the pods in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Deny Allowed audit, Audit, deny, Deny, disabled, Disabled |
change | 2022-09-19 17:41:40 Major (6.2.1 > 7.0.0) |
|
| Regulatory Compliance | 8b077bff-516f-3983-6c42-c86e9a11868b | Designate individuals to fulfill specific roles and responsibilities | CMA_C1747 - Designate individuals to fulfill specific roles and responsibilities | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 8b077bff-516f-3983-6c42-c86e9a11868b |
|
| App Service | eaebaea7-8013-4ceb-9d14-7eb32271373c | Function apps should have 'Client Certificates (Incoming client certificates)' enabled | Client certificates allow for the app to request a certificate for incoming requests. Only clients with valid certificates will be able to reach the app. | Default Audit Allowed Audit, Disabled |
change | 2022-09-19 17:41:40 Major (2.0.0 > 3.0.0) |
|
| Regulatory Compliance | 015b4935-448a-8684-27c0-d13086356c33 | Implement a threat awareness program | CMA_C1758 - Implement a threat awareness program | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 015b4935-448a-8684-27c0-d13086356c33 |
|
| Regulatory Compliance | ab02bb73-4ce1-89dd-3905-d93042809ba0 | Align business objectives and IT goals | CMA_0008 - Align business objectives and IT goals | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 ab02bb73-4ce1-89dd-3905-d93042809ba0 |
|
| Regulatory Compliance | c7e8ddc1-14aa-1814-7fe1-aad1742b27da | Enforce expiration of cached authenticators | CMA_C1343 - Enforce expiration of cached authenticators | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 c7e8ddc1-14aa-1814-7fe1-aad1742b27da |
|
| Kubernetes | 233a2a17-77ca-4fb1-9b6b-69223d272a44 | Kubernetes cluster services should listen only on allowed ports | Restrict services to listen only on allowed ports to secure access to the Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Deny Allowed audit, Audit, deny, Deny, disabled, Disabled |
change | 2022-09-19 17:41:40 Major (7.0.0 > 8.0.0) |
|
| App Service | cae7c12e-764b-4c87-841a-fdc6675d196f | App Service app slots should not have CORS configured to allow every resource to access your apps | Cross-Origin Resource Sharing (CORS) should not allow all domains to access your app. Allow only required domains to interact with your app. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add | 2022-09-19 17:41:40 cae7c12e-764b-4c87-841a-fdc6675d196f |
|
| Regulatory Compliance | 22c16ae4-19d0-29cb-422f-cb44061180ee | Disable user accounts posing a significant risk | CMA_C1026 - Disable user accounts posing a significant risk | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 22c16ae4-19d0-29cb-422f-cb44061180ee |
|
| Regulatory Compliance | b4e19d22-8c0e-7cad-3219-c84c62dc250f | Review and update media protection policies and procedures | CMA_C1427 - Review and update media protection policies and procedures | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 b4e19d22-8c0e-7cad-3219-c84c62dc250f |
|
| Regulatory Compliance | e9c60c37-65b0-2d72-6c3c-af66036203ae | Review and update contingency planning policies and procedures | CMA_C1243 - Review and update contingency planning policies and procedures | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 e9c60c37-65b0-2d72-6c3c-af66036203ae |
|
| Regulatory Compliance | 311802f9-098d-0659-245a-94c5d47c0182 | Employ boundary protection to isolate information systems | CMA_C1639 - Employ boundary protection to isolate information systems | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 311802f9-098d-0659-245a-94c5d47c0182 |
|
| Regulatory Compliance | dd2523d5-2db3-642b-a1cf-83ac973b32c2 | Establish benchmarks for flaw remediation | CMA_C1675 - Establish benchmarks for flaw remediation | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 dd2523d5-2db3-642b-a1cf-83ac973b32c2 |
|
| Regulatory Compliance | 1fdf0b24-4043-3c55-357e-036985d50b52 | Ensure security safeguards not needed when the individuals return | CMA_C1183 - Ensure security safeguards not needed when the individuals return | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 1fdf0b24-4043-3c55-357e-036985d50b52 |
|
| Storage | 2fb86bf3-d221-43d1-96d1-2434af34eaa0 | Configure diagnostic settings for Table Services to Log Analytics workspace | Deploys the diagnostic settings for Table Services to stream resource logs to a Log Analytics workspace when any table Service which is missing this diagnostic settings is created or updated. Note: This policy is not triggered upon Storage Account creation and requires creation of a remediation task in order to update for the account. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change | 2022-09-19 17:41:40 Major (1.0.0 > 2.0.0) |
| Regulatory Compliance | 178c8b7e-1b6e-4289-44dd-2f1526b678a1 | Ensure alternate storage site safeguards are equivalent to primary site | CMA_C1268 - Ensure alternate storage site safeguards are equivalent to primary site | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 178c8b7e-1b6e-4289-44dd-2f1526b678a1 |
|
| Regulatory Compliance | b9d45adb-471b-56a5-64d2-5b241f126174 | Automate privacy controls | CMA_C1817 - Automate privacy controls | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 b9d45adb-471b-56a5-64d2-5b241f126174 |
|
| Regulatory Compliance | 84a01872-5318-049e-061e-d56734183e84 | Distribute information system documentation | CMA_C1584 - Distribute information system documentation | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 84a01872-5318-049e-061e-d56734183e84 |
|
| Regulatory Compliance | ca748dfe-3e28-1d18-4221-89aea30aa0a5 | Identify status of individual users | CMA_C1316 - Identify status of individual users | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 ca748dfe-3e28-1d18-4221-89aea30aa0a5 |
|
| Regulatory Compliance | 4e45863d-9ea9-32b4-a204-2680bc6007a6 | Require external service providers to comply with security requirements | CMA_C1586 - Require external service providers to comply with security requirements | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 4e45863d-9ea9-32b4-a204-2680bc6007a6 |
|
| Regulatory Compliance | 20762f1e-85fb-31b0-a600-e833633f10fe | Reveal error messages | CMA_C1725 - Reveal error messages | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 20762f1e-85fb-31b0-a600-e833633f10fe |
|
| Regulatory Compliance | d48a6f19-a284-6fc6-0623-3367a74d3f50 | Update interconnection security agreements | CMA_0519 - Update interconnection security agreements | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 d48a6f19-a284-6fc6-0623-3367a74d3f50 |
|
| Regulatory Compliance | 75b42dcf-7840-1271-260b-852273d7906e | Develop contingency planning policies and procedures | CMA_0156 - Develop contingency planning policies and procedures | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 75b42dcf-7840-1271-260b-852273d7906e |
|
| Regulatory Compliance | 98e33927-8d7f-6d5f-44f5-2469b40b7215 | Implement Incident handling capability | CMA_C1367 - Implement Incident handling capability | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 98e33927-8d7f-6d5f-44f5-2469b40b7215 |
|
| Regulatory Compliance | b544f797-a73b-1be3-6d01-6b1a085376bc | Establish information security workforce development and improvement program | CMA_C1752 - Establish information security workforce development and improvement program | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 b544f797-a73b-1be3-6d01-6b1a085376bc |
|
| Regulatory Compliance | 59f7feff-02aa-6539-2cf7-bea75b762140 | Develop access control policies and procedures | CMA_0144 - Develop access control policies and procedures | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 59f7feff-02aa-6539-2cf7-bea75b762140 |
|
| Regulatory Compliance | 28aa060e-25c7-6121-05d8-a846f11433df | Review and update planning policies and procedures | CMA_C1491 - Review and update planning policies and procedures | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 28aa060e-25c7-6121-05d8-a846f11433df |
|
| Regulatory Compliance | 2af4640d-11a6-a64b-5ceb-a468f4341c0c | Define and enforce inactivity log policy | CMA_C1017 - Define and enforce inactivity log policy | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 2af4640d-11a6-a64b-5ceb-a468f4341c0c |
|
| Kubernetes | 57dde185-5c62-4063-b965-afbb201e9c1c | Kubernetes cluster Windows containers should only run with approved user and domain user group | Control the user that Windows pods and containers can use to run in a Kubernetes Cluster. This recommendation is part of Pod Security Policies on Windows nodes which are intended to improve the security of your Kubernetes environments. | Default Audit Allowed Audit, Deny, Disabled |
change | 2022-09-19 17:41:40 Major (1.0.0 > 2.0.0) |
|
| Regulatory Compliance | 5269d7e4-3768-501d-7e46-66c56c15622c | Manage contacts for authorities and special interest groups | CMA_0359 - Manage contacts for authorities and special interest groups | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 5269d7e4-3768-501d-7e46-66c56c15622c |
|
| App Service | 25a5046c-c423-4805-9235-e844ae9ef49b | Configure Function apps to turn off remote debugging | Remote debugging requires inbound ports to be opened on Function apps. Remote debugging should be turned off. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Website Contributor |
add | 2022-09-19 17:41:40 25a5046c-c423-4805-9235-e844ae9ef49b |
| Regulatory Compliance | dd6d00a8-701a-5935-a22b-c7b9c0c698b2 | Isolate SecurID systems, Security Incident Management systems | CMA_C1636 - Isolate SecurID systems, Security Incident Management systems | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 dd6d00a8-701a-5935-a22b-c7b9c0c698b2 |
|
| Regulatory Compliance | f7eb1d0b-6d4f-2d59-1591-7563e11a9313 | Define and enforce conditions for shared and group accounts | CMA_0117 - Define and enforce conditions for shared and group accounts | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 f7eb1d0b-6d4f-2d59-1591-7563e11a9313 |
|
| App Service | fd34e936-069e-4fe5-bac6-f7c9824caab6 | App Service app slots should use an Azure file share for its content directory | The content directory of an app should be located on an Azure file share. The storage account information for the file share must be provided before any publishing activity. To learn more about using Azure Files for hosting app service content refer to https://go.microsoft.com/fwlink/?linkid=2151594. | Default Audit Allowed Audit, Disabled |
add | 2022-09-19 17:41:40 fd34e936-069e-4fe5-bac6-f7c9824caab6 |
|
| Kubernetes | 1c6e92c9-99f0-4e55-9cf2-0c234dc48f99 | Kubernetes clusters should not allow container privilege escalation | Do not allow containers to run with privilege escalation to root in a Kubernetes cluster. This recommendation is part of CIS 5.2.5 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change | 2022-09-19 17:41:40 Major (6.0.1 > 7.0.0) |
|
| Regulatory Compliance | e4054c0e-1184-09e6-4c5e-701e0bc90f81 | Report atypical behavior of user accounts | CMA_C1025 - Report atypical behavior of user accounts | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 e4054c0e-1184-09e6-4c5e-701e0bc90f81 |
|
| Regulatory Compliance | a90c4d44-7fac-8e02-6d5b-0d92046b20e6 | Automate flaw remediation | CMA_0027 - Automate flaw remediation | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 a90c4d44-7fac-8e02-6d5b-0d92046b20e6 |
|
| Regulatory Compliance | db580551-0b3c-4ea1-8a4c-4cdb5feb340f | Provide the logout capability | CMA_C1055 - Provide the logout capability | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 db580551-0b3c-4ea1-8a4c-4cdb5feb340f |
|
| Regulatory Compliance | f6da5cca-5795-60ff-49e1-4972567815fe | Require developer to identify SDLC ports, protocols, and services | CMA_C1578 - Require developer to identify SDLC ports, protocols, and services | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 f6da5cca-5795-60ff-49e1-4972567815fe |
|
| Regulatory Compliance | b33d61c1-7463-7025-0ec0-a47585b59147 | Require developers to manage change integrity | CMA_C1595 - Require developers to manage change integrity | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 b33d61c1-7463-7025-0ec0-a47585b59147 |
|
| Regulatory Compliance | 3054c74b-9b45-2581-56cf-053a1a716c39 | Accept assessment results | CMA_C1150 - Accept assessment results | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 3054c74b-9b45-2581-56cf-053a1a716c39 |
|
| Regulatory Compliance | 676c3c35-3c36-612c-9523-36d266a65000 | Require developers to provide training | CMA_C1611 - Require developers to provide training | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 676c3c35-3c36-612c-9523-36d266a65000 |
|
| Regulatory Compliance | 20012034-96f0-85c2-4a86-1ae1eb457802 | Review and update risk assessment policies and procedures | CMA_C1537 - Review and update risk assessment policies and procedures | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 20012034-96f0-85c2-4a86-1ae1eb457802 |
|
| Regulatory Compliance | d9edcea6-6cb8-0266-a48c-2061fbac4310 | Plan for continuance of essential business functions | CMA_C1255 - Plan for continuance of essential business functions | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 d9edcea6-6cb8-0266-a48c-2061fbac4310 |
|
| Regulatory Compliance | 18e9d748-73d4-0c96-55ab-b108bfbd5bc3 | Notify personnel of any failed security verification tests | CMA_C1710 - Notify personnel of any failed security verification tests | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 18e9d748-73d4-0c96-55ab-b108bfbd5bc3 |
|
| Regulatory Compliance | a30bd8e9-7064-312a-0e1f-e1b485d59f6e | Review exploit protection events | CMA_0472 - Review exploit protection events | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 a30bd8e9-7064-312a-0e1f-e1b485d59f6e |
|
| Regulatory Compliance | 449ebb52-945b-36e5-3446-af6f33770f8f | Update the security authorization | CMA_C1160 - Update the security authorization | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 449ebb52-945b-36e5-3446-af6f33770f8f |
|
| Regulatory Compliance | eda0cbb7-6043-05bf-645b-67411f1a59b3 | Ensure there are no unencrypted static authenticators | CMA_C1340 - Ensure there are no unencrypted static authenticators | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 eda0cbb7-6043-05bf-645b-67411f1a59b3 |
|
| Storage | 7bd000e3-37c7-4928-9f31-86c4b77c5c45 | Configure diagnostic settings for Queue Services to Log Analytics workspace | Deploys the diagnostic settings for Queue Services to stream resource logs to a Log Analytics workspace when any queue Service which is missing this diagnostic settings is created or updated. Note: This policy is not triggered upon Storage Account creation and requires creation of a remediation task in order to update for the account. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change | 2022-09-19 17:41:40 Major (1.0.0 > 2.0.0) |
| Regulatory Compliance | 95eb7d09-9937-5df9-11d9-20317e3f60df | Provide formal notice to individuals | CMA_C1864 - Provide formal notice to individuals | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 95eb7d09-9937-5df9-11d9-20317e3f60df |
|
| Regulatory Compliance | 81b6267b-97a7-9aa5-51ee-d2584a160424 | Create separate alternate and primary storage sites | CMA_C1269 - Create separate alternate and primary storage sites | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 81b6267b-97a7-9aa5-51ee-d2584a160424 |
|
| Regulatory Compliance | 83eea3d3-0d2c-9ccd-1021-2111b29b2a62 | Ensure system capable of dynamic isolation of resources | CMA_C1638 - Ensure system capable of dynamic isolation of resources | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 83eea3d3-0d2c-9ccd-1021-2111b29b2a62 |
|
| Regulatory Compliance | 6a379d74-903b-244a-4c44-838728bea6b0 | Analyse data obtained from continuous monitoring | CMA_C1169 - Analyse data obtained from continuous monitoring | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 6a379d74-903b-244a-4c44-838728bea6b0 |
|
| Regulatory Compliance | 16c54e01-9e65-7524-7c33-beda48a75779 | Produce, control and distribute symmetric cryptographic keys | CMA_C1645 - Produce, control and distribute symmetric cryptographic keys | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 16c54e01-9e65-7524-7c33-beda48a75779 |
|
| Regulatory Compliance | 06af77de-02ca-0f3e-838a-a9420fe466f5 | Establish a discrete line item in budgeting documentation | CMA_C1563 - Establish a discrete line item in budgeting documentation | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 06af77de-02ca-0f3e-838a-a9420fe466f5 |
|
| App Service | dcbc65aa-59f3-4239-8978-3bb869d82604 | App Service apps should use an Azure file share for its content directory | The content directory of an app should be located on an Azure file share. The storage account information for the file share must be provided before any publishing activity. To learn more about using Azure Files for hosting app service content refer to https://go.microsoft.com/fwlink/?linkid=2151594. | Default Audit Allowed Audit, Disabled |
change | 2022-09-19 17:41:40 Major (2.0.0 > 3.0.0) |
|
| Regulatory Compliance | 57adc919-9dca-817c-8197-64d812070316 | Develop an enterprise architecture | CMA_C1741 - Develop an enterprise architecture | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 57adc919-9dca-817c-8197-64d812070316 |
|
| Regulatory Compliance | cc2f7339-2fac-1ea9-9ca3-cd530fbb0da2 | Create alternative actions for identified anomalies | CMA_C1711 - Create alternative actions for identified anomalies | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 cc2f7339-2fac-1ea9-9ca3-cd530fbb0da2 |
|
| Regulatory Compliance | ced291b8-1d3d-7e27-40cf-829e9dd523c8 | Review and update the information security architecture | CMA_C1504 - Review and update the information security architecture | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 ced291b8-1d3d-7e27-40cf-829e9dd523c8 |
|
| Regulatory Compliance | e29a8f1b-149b-2fa3-969d-ebee1baa9472 | Assign an authorizing official (AO) | CMA_C1158 - Assign an authorizing official (AO) | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 e29a8f1b-149b-2fa3-969d-ebee1baa9472 |
|
| Regulatory Compliance | f131c8c5-a54a-4888-1efc-158928924bc1 | Require developers to build security architecture | CMA_C1612 - Require developers to build security architecture | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 f131c8c5-a54a-4888-1efc-158928924bc1 |
|
| Regulatory Compliance | ef5a7059-6651-73b1-18b3-75b1b79c1565 | Define information security roles and responsibilities | CMA_C1565 - Define information security roles and responsibilities | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 ef5a7059-6651-73b1-18b3-75b1b79c1565 |
|
| Regulatory Compliance | 8c44a0ea-9b09-4d9c-0e91-f9bee3d05bfb | Document customer-defined actions | CMA_C1582 - Document customer-defined actions | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 8c44a0ea-9b09-4d9c-0e91-f9bee3d05bfb |
|
| Regulatory Compliance | a28323fe-276d-3787-32d2-cef6395764c4 | Develop audit and accountability policies and procedures | CMA_0154 - Develop audit and accountability policies and procedures | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 a28323fe-276d-3787-32d2-cef6395764c4 |
|
| Regulatory Compliance | 3eecf628-a1c8-1b48-1b5c-7ca781e97970 | Specify permitted actions associated with customer audit information | CMA_C1122 - Specify permitted actions associated with customer audit information | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 3eecf628-a1c8-1b48-1b5c-7ca781e97970 |
|
| Regulatory Compliance | 4c385143-09fd-3a34-790c-a5fd9ec77ddc | Provide role-based security training | CMA_C1094 - Provide role-based security training | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 4c385143-09fd-3a34-790c-a5fd9ec77ddc |
|
| Regulatory Compliance | de251b09-4a5e-1204-4bef-62ac58d47999 | Adjust level of audit review, analysis, and reporting | CMA_C1123 - Adjust level of audit review, analysis, and reporting | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 de251b09-4a5e-1204-4bef-62ac58d47999 |
|
| Regulatory Compliance | b470a37a-7a47-3792-34dd-7a793140702e | Establish relationship between incident response capability and external providers | CMA_C1376 - Establish relationship between incident response capability and external providers | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 b470a37a-7a47-3792-34dd-7a793140702e |
|
| Regulatory Compliance | 27ce30dd-3d56-8b54-6144-e26d9a37a541 | Ensure audit records are not altered | CMA_C1125 - Ensure audit records are not altered | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 27ce30dd-3d56-8b54-6144-e26d9a37a541 |
|
| Regulatory Compliance | 1b8a7ec3-11cc-a2d3-8cd0-eedf074424a4 | Employ automatic shutdown/restart when violations are detected | CMA_C1715 - Employ automatic shutdown/restart when violations are detected | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 1b8a7ec3-11cc-a2d3-8cd0-eedf074424a4 |
|
| Regulatory Compliance | 4b8fd5da-609b-33bf-9724-1c946285a14c | Notify Account Managers of customer controlled accounts | CMA_C1009 - Notify Account Managers of customer controlled accounts | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 4b8fd5da-609b-33bf-9724-1c946285a14c |
|
| Regulatory Compliance | cdcb825f-a0fb-31f9-29c1-ab566718499a | Publish Computer Matching Agreements on public website | CMA_C1829 - Publish Computer Matching Agreements on public website | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 cdcb825f-a0fb-31f9-29c1-ab566718499a |
|
| Regulatory Compliance | 2d14ff7e-6ff9-838c-0cde-4962ccdb1689 | Employ business case to record the resources required | CMA_C1735 - Employ business case to record the resources required | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 2d14ff7e-6ff9-838c-0cde-4962ccdb1689 |
|
| Regulatory Compliance | e1379836-3492-6395-451d-2f5062e14136 | Identify and authenticate non-organizational users | CMA_C1346 - Identify and authenticate non-organizational users | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 e1379836-3492-6395-451d-2f5062e14136 |
|
| Regulatory Compliance | db8b35d6-8adb-3f51-44ff-c648ab5b1530 | Employ FICAM-approved resources to accept third-party credentials | CMA_C1349 - Employ FICAM-approved resources to accept third-party credentials | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 db8b35d6-8adb-3f51-44ff-c648ab5b1530 |
|
| Regulatory Compliance | d136ae80-54dd-321c-98b4-17acf4af2169 | Provide updated security awareness training | CMA_C1090 - Provide updated security awareness training | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 d136ae80-54dd-321c-98b4-17acf4af2169 |
|
| Regulatory Compliance | 39999038-9ef1-602a-158c-ce2367185230 | Define performance metrics | CMA_0124 - Define performance metrics | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 39999038-9ef1-602a-158c-ce2367185230 |
|
| Regulatory Compliance | eb8a8df9-521f-3ccd-7e2c-3d1fcc812340 | Review and update configuration management policies and procedures | CMA_C1175 - Review and update configuration management policies and procedures | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 eb8a8df9-521f-3ccd-7e2c-3d1fcc812340 |
|
| Regulatory Compliance | 92b94485-1c49-3350-9ada-dffe94f08e87 | Obtain approvals for acquisitions and outsourcing | CMA_C1590 - Obtain approvals for acquisitions and outsourcing | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 92b94485-1c49-3350-9ada-dffe94f08e87 |
|
| Regulatory Compliance | 4edaca8c-0912-1ac5-9eaa-6a1057740fae | Provide capability to disconnect or disable remote access | CMA_C1066 - Provide capability to disconnect or disable remote access | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 4edaca8c-0912-1ac5-9eaa-6a1057740fae |
|
| Regulatory Compliance | 0065241c-72e9-3b2c-556f-75de66332a94 | Establish parameters for searching secret authenticators and verifiers | CMA_0274 - Establish parameters for searching secret authenticators and verifiers | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 0065241c-72e9-3b2c-556f-75de66332a94 |
|
| Regulatory Compliance | a44c9fba-43f8-4b7b-7ee6-db52c96b4366 | Facilitate information sharing | CMA_0284 - Facilitate information sharing | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 a44c9fba-43f8-4b7b-7ee6-db52c96b4366 |
|
| Regulatory Compliance | 3f1216b0-30ee-1ac9-3899-63eb744e85f5 | Obtain Admin documentation | CMA_C1580 - Obtain Admin documentation | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 3f1216b0-30ee-1ac9-3899-63eb744e85f5 |
|
| Kubernetes | a2abc456-f0ae-464b-bd3a-07a3cdbd7fb1 | Kubernetes cluster Windows containers should not overcommit cpu and memory | Windows container resource requests should be less or equal to the resource limit or unspecified to avoid overcommit. If Windows memory is over-provisioned it will process pages in disk - which can slow down performance - instead of terminating the container with out-of-memory | Default Audit Allowed Audit, Deny, Disabled |
change | 2022-09-19 17:41:40 Major (1.0.2 > 2.0.0) |
|
| Regulatory Compliance | 2067b904-9552-3259-0cdd-84468e284b7c | Review and update system maintenance policies and procedures | CMA_C1395 - Review and update system maintenance policies and procedures | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 2067b904-9552-3259-0cdd-84468e284b7c |
|
| Regulatory Compliance | b8587fce-138f-86e8-33a3-c60768bf1da6 | Automate remote maintenance activities | CMA_C1402 - Automate remote maintenance activities | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 b8587fce-138f-86e8-33a3-c60768bf1da6 |
|
| Regulatory Compliance | 6c79c3e5-5f7b-a48a-5c7b-8c158bc01115 | Ensure security categorization is approved | CMA_C1540 - Ensure security categorization is approved | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 6c79c3e5-5f7b-a48a-5c7b-8c158bc01115 |
|
| Regulatory Compliance | 1dbd51c2-2bd1-5e26-75ba-ed075d8f0d68 | Conduct risk assessment and document its results | CMA_C1542 - Conduct risk assessment and document its results | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 1dbd51c2-2bd1-5e26-75ba-ed075d8f0d68 |
|
| Regulatory Compliance | 8b333332-6efd-7c0d-5a9f-d1eb95105214 | Employ FIPS 201-approved technology for PIV | CMA_C1579 - Employ FIPS 201-approved technology for PIV | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 8b333332-6efd-7c0d-5a9f-d1eb95105214 |
|
| App Service | 4d0bc837-6eff-477e-9ecd-33bf8d4212a5 | Function apps should use an Azure file share for its content directory | The content directory of a Function app should be located on an Azure file share. The storage account information for the file share must be provided before any publishing activity. To learn more about using Azure Files for hosting app service content refer to https://go.microsoft.com/fwlink/?linkid=2151594. | Default Audit Allowed Audit, Disabled |
change | 2022-09-19 17:41:40 Major (2.0.0 > 3.0.0) |
|
| Kubernetes | 098fc59e-46c7-4d99-9b16-64990e543d75 | Kubernetes cluster pod hostPath volumes should only use allowed host paths | Limit pod HostPath volume mounts to the allowed host paths in a Kubernetes Cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change | 2022-09-19 17:41:40 Major (5.0.1 > 6.0.0) |
|
| Regulatory Compliance | e7589f4e-1e8b-72c2-3692-1e14d7f3699f | Ensure access agreements are signed or resigned timely | CMA_C1528 - Ensure access agreements are signed or resigned timely | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 e7589f4e-1e8b-72c2-3692-1e14d7f3699f |
|
| Regulatory Compliance | 7ded6497-815d-6506-242b-e043e0273928 | Plan for resumption of essential business functions | CMA_C1253 - Plan for resumption of essential business functions | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 7ded6497-815d-6506-242b-e043e0273928 |
|
| Regulatory Compliance | ffea18d9-13de-6505-37f3-4c1f88070ad7 | Review cloud service provider's compliance with policies and agreements | CMA_0469 - Review cloud service provider's compliance with policies and agreements | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 ffea18d9-13de-6505-37f3-4c1f88070ad7 |
|
| App Service | cf9ca02d-383e-4506-a421-258cc1a5300d | Function app slots should have 'Client Certificates (Incoming client certificates)' enabled | Client certificates allow for the app to request a certificate for incoming requests. Only clients with valid certificates will be able to reach the app. | Default Audit Allowed Audit, Disabled |
add | 2022-09-19 17:41:40 cf9ca02d-383e-4506-a421-258cc1a5300d |
|
| Regulatory Compliance | 611ebc63-8600-50b6-a0e3-fef272457132 | Employ independent team for penetration testing | CMA_C1171 - Employ independent team for penetration testing | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 611ebc63-8600-50b6-a0e3-fef272457132 |
|
| Regulatory Compliance | 4012c2b7-4e0e-a7ab-1688-4aab43f14420 | Map authenticated identities to individuals | CMA_0372 - Map authenticated identities to individuals | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 4012c2b7-4e0e-a7ab-1688-4aab43f14420 |
|
| Kubernetes | a27c700f-8a22-44ec-961c-41625264370b | Kubernetes clusters should not use specific security capabilities | Prevent specific security capabilities in Kubernetes clusters to prevent ungranted privileges on the Pod resource. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change | 2022-09-19 17:41:40 Major (4.0.1 > 5.0.0) |
|
| Regulatory Compliance | 245fe58b-96f8-9f1e-48c5-7f49903f66fd | Establish alternate storage site that facilitates recovery operations | CMA_C1270 - Establish alternate storage site that facilitates recovery operations | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 245fe58b-96f8-9f1e-48c5-7f49903f66fd |
|
| Regulatory Compliance | 33d34fac-56a8-1c0f-0636-3ed94892a709 | Govern the allocation of resources | CMA_0293 - Govern the allocation of resources | Default Manual Allowed Manual, Disabled |
add | 2022-09-19 17:41:40 33d34fac-56a8-1c0f-0636-3ed94892a709 |
|
| App Service | 13bcff5d-f0eb-4ce7-913e-83ad6300376b | Function app slots should use an Azure file share for its content directory | The content directory of a Function app should be located on an Azure file share. The storage account information for the file share must be provided before any publishing activity. To learn more about using Azure Files for hosting app service content refer to https://go.microsoft.com/fwlink/?linkid=2151594. | Def |