Prowler (baseline) 5.13.0
Test results for this specific product, vendor, and version combination
| Vendor | Prowler |
| Product | Prowler (baseline) |
| Version | 5.13.0 |
Test Summary
Aggregate summary of all tests for this configuration result
| Resources In Configuration | 17 |
| Count of Tests | 38 |
| Passing Tests | 12 |
| Failing Tests | 26 |
| Catalogs Tested |
Control Catalog Summary
Summary of test results grouped by control catalog and resource
| Control Catalog | Resources | Total Tests | Passing | Failing | Tested Requirements | Missing Requirements |
|---|---|---|---|---|---|---|
| CCC.AuditLog | Diagnostic Settings, Monitor | 12 | 0 | 12 | | |
| CCC.Build | nsg-lee8 | 4 | 4 | 0 | | |
| CCC.CntrReg | Containers | 1 | 0 | 1 | | |
| CCC.Core | 083c1758-89d9-4b12-8..., 154eadeb-e375-4263-b..., 1b4a98ae-5221-4850-a..., 2c61de5e-5cbb-42b9-9..., Diagnostic Settings, Monitor, Network Watcher, NetworkWatcher_centr..., NetworkWatcher_south..., NetworkWatcher_westu..., nsg-lee8 | 23 | 8 | 15 | CCC.Core.CN01.AR01, CCC.Core.CN01.AR03, CCC.Core.CN01.AR07, CCC.Core.CN01.AR08, CCC.Core.CN02.AR01, CCC.Core.CN03.AR01, CCC.Core.CN03.AR02, CCC.Core.CN03.AR03, CCC.Core.CN03.AR04, CCC.Core.CN06.AR02, CCC.Core.CN07.AR01, CCC.Core.CN08.AR01, CCC.Core.CN08.AR02, CCC.Core.CN10.AR01, CCC.Core.CN11.AR01, CCC.Core.CN11.AR02, CCC.Core.CN11.AR03, CCC.Core.CN11.AR04, CCC.Core.CN11.AR05, CCC.Core.CN11.AR06, CCC.Core.CN13.AR01, CCC.Core.CN13.AR02, CCC.Core.CN13.AR03, CCC.Core.CN14.AR01, CCC.Core.CN14.AR02 | |
| CCC.DataWar | psql-e9rn, psql-rk6x, psql-rtac, psql-tumw | 4 | 4 | 0 | | |
| CCC.GenAI | 083c1758-89d9-4b12-8..., 154eadeb-e375-4263-b..., 1b4a98ae-5221-4850-a..., 2c61de5e-5cbb-42b9-9... | 4 | 4 | 0 | | |
| CCC.KeyMgmt | Diagnostic Settings, Monitor | 6 | 0 | 6 | | |
| CCC.LB | 083c1758-89d9-4b12-8..., 154eadeb-e375-4263-b..., 1b4a98ae-5221-4850-a..., 2c61de5e-5cbb-42b9-9..., Diagnostic Settings, Monitor, Network Watcher, NetworkWatcher_centr..., NetworkWatcher_south..., NetworkWatcher_westu... | 15 | 4 | 11 | | |
| CCC.Logging | AppInsights, Diagnostic Settings, Monitor, NetworkWatcher_centr..., NetworkWatcher_south..., NetworkWatcher_westu..., psql-e9rn, psql-rk6x, psql-rtac, psql-tumw | 24 | 0 | 24 | | |
| CCC.MLDE | 083c1758-89d9-4b12-8..., 154eadeb-e375-4263-b..., 1b4a98ae-5221-4850-a..., 2c61de5e-5cbb-42b9-9..., nsg-lee8 | 8 | 8 | 0 | | |
| CCC.Monitor | Diagnostic Settings, Monitor | 10 | 0 | 10 | | |
| CCC.ObjStor | Diagnostic Settings, Monitor | 2 | 0 | 2 | | |
| CCC.Vector | 083c1758-89d9-4b12-8..., 154eadeb-e375-4263-b..., 1b4a98ae-5221-4850-a..., 2c61de5e-5cbb-42b9-9... | 4 | 4 | 0 | | |
| CCC.VPC | Network Watcher, NetworkWatcher_centr..., NetworkWatcher_south..., NetworkWatcher_westu... | 7 | 0 | 7 | | |
Test Mapping Summary
Summary of test mappings showing how event codes map to test requirements
| Control Catalog | Test Requirement | Mapped Tests: Event Code (Total/Passing/Failing) |
|---|---|---|
| CCC.AuditLog | CCC.AuditLog.CN02.AR01 When a manual action is performed to generate each audit log type, then the corresponding audit log type MUST be generated and recorded. | monitor_diagnostic_setting_with_appropriate_categories (1/0/1), monitor_diagnostic_settings_exists (1/0/1) |
| CCC.AuditLog | CCC.AuditLog.CN03.AR01 When an attempt is made to disable a log source, then an alert MUST be generated. | monitor_diagnostic_settings_exists (1/0/1) |
| CCC.AuditLog | CCC.AuditLog.CN03.AR02 When an attempt is made to alter the retention or object lock status of an external data log source or bucket, then an alert MUST be generated. | monitor_alert_create_policy_assignment (1/0/1), monitor_alert_create_update_nsg (1/0/1), monitor_alert_create_update_public_ip_address_rule (1/0/1), monitor_alert_create_update_security_solution (1/0/1), monitor_alert_create_update_sqlserver_fr (1/0/1), monitor_alert_delete_nsg (1/0/1), monitor_alert_delete_policy_assignment (1/0/1), monitor_alert_delete_public_ip_address_rule (1/0/1), monitor_alert_delete_security_solution (1/0/1), monitor_alert_service_health_exists (1/0/1), monitor_diagnostic_setting_with_appropriate_categories (1/0/1), monitor_diagnostic_settings_exists (1/0/1) |
| CCC.AuditLog | CCC.AuditLog.CN04.AR01 When audit log buckets are created then verify that server access logging MUST be enabled for the audit log bucket, with logs delivered to a separate, secure logging bucket. | monitor_diagnostic_setting_with_appropriate_categories (1/0/1), monitor_diagnostic_settings_exists (2/0/2) |
| CCC.AuditLog | CCC.AuditLog.CN05.AR01 When audit logs are exported, then audit logs MUST be present in the configured data location. | monitor_diagnostic_setting_with_appropriate_categories (1/0/1), monitor_diagnostic_settings_exists (1/0/1) |
| CCC.AuditLog | CCC.AuditLog.CN06.AR01 When the retention policy is applied, then data MUST be automatically deleted after the configured number of days. | monitor_diagnostic_settings_exists (1/0/1) |
| CCC.AuditLog | CCC.AuditLog.CN08.AR01 When an attempt is made to delete data before the object lock period expires, then the deletion MUST be denied. | monitor_diagnostic_settings_exists (1/0/1) |
| CCC.AuditLog | CCC.AuditLog.CN09.AR01 When restricted fields are accessed by unauthorized users, then those fields MUST remain masked. | monitor_diagnostic_settings_exists (1/0/1) |
| CCC.Build | CCC.Build.CN03.AR01 Attempt to access the build environment from an external network and verify that access is denied. | network_http_internet_access_restricted (1/1/0), network_rdp_internet_access_restricted (1/1/0), network_ssh_internet_access_restricted (1/1/0), network_udp_internet_access_restricted (1/1/0) |
| CCC.CntrReg | CCC.CntrReg.CN01.AR01 Attempt to push an artifact with known vulnerabilities to the registry and observe if it is flagged or rejected by the vulnerability scanning process. | defender_container_images_scan_enabled (1/0/1) |
| CCC.Core | CCC.Core.CN01.AR02 When a port is exposed for SSH network traffic, all traffic MUST include a SSH handshake AND be encrypted using SSHv2 or higher. | network_ssh_internet_access_restricted (1/1/0) |
| CCC.Core | CCC.Core.CN04.AR01 When administrative access or configuration change is attempted on the service or a child resource, the service MUST log the client identity, time, and result of the attempt. | monitor_alert_create_policy_assignment (1/0/1), monitor_alert_create_update_public_ip_address_rule (1/0/1), monitor_alert_create_update_security_solution (1/0/1), monitor_alert_create_update_sqlserver_fr (1/0/1), monitor_alert_delete_nsg (1/0/1), monitor_alert_delete_public_ip_address_rule (1/0/1), monitor_alert_delete_security_solution (1/0/1), monitor_alert_service_health_exists (1/0/1), monitor_diagnostic_setting_with_appropriate_categories (1/0/1), monitor_diagnostic_settings_exists (1/0/1), network_flow_log_captured_sent (3/0/3) |
| CCC.Core | CCC.Core.CN04.AR02 When any attempt is made to modify data on the service or a child resource, the service MUST log the client identity, time, and result of the attempt. | monitor_diagnostic_setting_with_appropriate_categories (1/0/1), monitor_diagnostic_settings_exists (1/0/1), network_flow_log_captured_sent (3/0/3) |
| CCC.Core | CCC.Core.CN04.AR03 When any attempt is made to read data on the service or a child resource, the service MUST log the client identity, time, and result of the attempt. | monitor_diagnostic_setting_with_appropriate_categories (1/0/1), monitor_diagnostic_settings_exists (1/0/1), network_flow_log_captured_sent (3/0/3) |
| CCC.Core | CCC.Core.CN05.AR01 When an attempt is made to modify data on the service or a child resource, the service MUST block requests from unauthorized entities. | iam_role_user_access_admin_restricted (4/4/0) |
| CCC.Core | CCC.Core.CN05.AR02 When administrative access or configuration change is attempted on the service or a child resource, the service MUST refuse requests from unauthorized entities. | iam_role_user_access_admin_restricted (4/4/0), network_http_internet_access_restricted (1/1/0), network_rdp_internet_access_restricted (1/1/0), network_ssh_internet_access_restricted (1/1/0), network_udp_internet_access_restricted (1/1/0) |
| CCC.Core | CCC.Core.CN05.AR03 When administrative access or configuration change is attempted on the service or a child resource in a multi-tenant environment, the service MUST refuse requests across tenant boundaries unless the origin is explicitly included in a pre-approved allowlist. | iam_role_user_access_admin_restricted (4/4/0), network_http_internet_access_restricted (1/1/0), network_rdp_internet_access_restricted (1/1/0), network_ssh_internet_access_restricted (1/1/0), network_udp_internet_access_restricted (1/1/0) |
| CCC.Core | CCC.Core.CN05.AR04 When data is requested from outside the trust perimeter, the service MUST refuse requests from unauthorized entities. | iam_role_user_access_admin_restricted (4/4/0), network_http_internet_access_restricted (1/1/0), network_rdp_internet_access_restricted (1/1/0), network_ssh_internet_access_restricted (1/1/0), network_udp_internet_access_restricted (1/1/0) |
| CCC.Core | CCC.Core.CN05.AR05 When any request is made from outside the trust perimeter, the service MUST NOT provide any response that may indicate the service exists. | iam_role_user_access_admin_restricted (4/4/0), network_http_internet_access_restricted (1/1/0), network_rdp_internet_access_restricted (1/1/0), network_ssh_internet_access_restricted (1/1/0), network_udp_internet_access_restricted (1/1/0) |
| CCC.Core | CCC.Core.CN05.AR06 When any request is made to the service or a child resource, the service MUST refuse requests from unauthorized entities. | iam_role_user_access_admin_restricted (4/4/0) |
| CCC.Core | CCC.Core.CN06.AR01 When the service is running, its region and availability zone MUST be included in a list of explicitly trusted or approved locations within the trust perimeter. | network_http_internet_access_restricted (1/1/0), network_rdp_internet_access_restricted (1/1/0), network_ssh_internet_access_restricted (1/1/0), network_udp_internet_access_restricted (1/1/0), network_watcher_enabled (1/0/1) |
| CCC.Core | CCC.Core.CN07.AR02 When enumeration activities are detected, the service MUST log the client identity, time, and nature of the activity. | monitor_alert_create_policy_assignment (1/0/1), monitor_alert_create_update_nsg (1/0/1), monitor_alert_create_update_public_ip_address_rule (1/0/1), monitor_alert_create_update_security_solution (1/0/1), monitor_alert_create_update_sqlserver_fr (1/0/1), monitor_alert_delete_nsg (1/0/1), monitor_alert_delete_public_ip_address_rule (1/0/1), monitor_alert_delete_security_solution (1/0/1), monitor_alert_service_health_exists (1/0/1), monitor_diagnostic_setting_with_appropriate_categories (1/0/1), monitor_diagnostic_settings_exists (1/0/1) |
| CCC.Core | CCC.Core.CN09.AR01 When the service is operational, its logs and any child resource logs MUST NOT be accessible from the resource they record access to. | monitor_diagnostic_settings_exists (1/0/1), network_flow_log_captured_sent (3/0/3) |
| CCC.Core | CCC.Core.CN09.AR02 When the service is operational, disabling the logs for the service or its child resources MUST NOT be possible without also disabling the corresponding resource. | monitor_diagnostic_setting_with_appropriate_categories (1/0/1), monitor_diagnostic_settings_exists (1/0/1) |
| CCC.Core | CCC.Core.CN09.AR03 When the service is operational, any attempt to redirect logs for the service or its child resources MUST NOT be possible without halting operation of the corresponding resource and publishing corresponding events to monitored channels. | monitor_diagnostic_setting_with_appropriate_categories (1/0/1), monitor_diagnostic_settings_exists (1/0/1), network_flow_log_captured_sent (3/0/3) |
| CCC.DataWar | CCC.DataWar.CN03.AR01 Attempt to query data rows that the user should not have access to and verify that access is denied or data is not returned. | postgresql_flexible_server_allow_access_services_disabled (4/4/0) |
| CCC.GenAI | CCC.GenAI.CN06.AR01 When an LLM invokes an external tool (e.g., an API, a plugin), then the tool MUST operate with the least privileges required for performing its intended functionality. | iam_role_user_access_admin_restricted (4/4/0) |
| CCC.KeyMgmt | CCC.KeyMgmt.CN01.AR01 When a key version is scheduled for deletion or disabled, an alert MUST be generated within five minutes. | monitor_alert_create_policy_assignment (1/0/1), monitor_alert_create_update_nsg (1/0/1), monitor_alert_create_update_public_ip_address_rule (1/0/1), monitor_alert_create_update_security_solution (1/0/1), monitor_alert_service_health_exists (1/0/1), monitor_diagnostic_settings_exists (1/0/1) |
| CCC.LB | CCC.LB.CN01.AR02 When throttling is invoked, the load balancer MUST record the event in the access log within 5 minutes for alerting and trend analysis. | monitor_diagnostic_setting_with_appropriate_categories (1/0/1), monitor_diagnostic_settings_exists (1/0/1), network_flow_log_captured_sent (3/0/3), network_watcher_enabled (1/0/1) |
| CCC.LB | CCC.LB.CN04.AR01 When routing weights change, the request MUST originate from an explicitly defined and trusted identity and MUST be logged. | iam_role_user_access_admin_restricted (4/4/0), monitor_alert_create_policy_assignment (1/0/1), monitor_alert_create_update_nsg (1/0/1), monitor_alert_create_update_public_ip_address_rule (1/0/1), monitor_alert_create_update_security_solution (1/0/1), monitor_diagnostic_settings_exists (1/0/1) |
| CCC.LB | CCC.LB.CN05.AR01 When stickiness is enabled, session cookies MUST expire within 30 minutes of inactivity. | iam_role_user_access_admin_restricted (4/4/0) |
| CCC.LB | CCC.LB.CN06.AR01 When more than 10 percent of targets change from healthy to unhealthy within five minutes, an alert MUST be issued. | monitor_alert_create_policy_assignment (1/0/1), monitor_alert_create_update_nsg (1/0/1), monitor_alert_create_update_public_ip_address_rule (1/0/1), monitor_alert_create_update_security_solution (1/0/1), monitor_alert_service_health_exists (1/0/1), monitor_diagnostic_setting_with_appropriate_categories (1/0/1), monitor_diagnostic_settings_exists (1/0/1), network_flow_log_captured_sent (3/0/3), network_watcher_enabled (1/0/1) |
| CCC.LB | CCC.LB.CN09.AR01 When an API call originates outside the approved CIDR set, the request MUST be denied. | iam_role_user_access_admin_restricted (4/4/0) |
| CCC.Logging | CCC.Logging.CN01.AR01 When a new cloud account is created, provider-level audit and network flow logging MUST be enabled by default and directed to the central sink. | appinsights_ensure_is_configured (1/0/1), monitor_diagnostic_setting_with_appropriate_categories (1/0/1), monitor_diagnostic_settings_exists (1/0/1), network_flow_log_captured_sent (3/0/3) |
| CCC.Logging | CCC.Logging.CN01.AR02 When a new cloud compute resource is deployed, it MUST be configured to forward all relevant logs (e.g., OS, application, service logs) to the central log sink. | monitor_diagnostic_setting_with_appropriate_categories (1/0/1), monitor_diagnostic_settings_exists (1/0/1), network_flow_log_captured_sent (3/0/3) |
| CCC.Logging | CCC.Logging.CN02.AR01 When a new log bucket or stream is created, its retention policy MUST be configured in accordance with organisation's data retention policy. | network_flow_log_more_than_90_days (3/0/3) |
| CCC.Logging | CCC.Logging.CN02.AR02 When a query is performed to retrieve log events older than the number of days defined in the organisation's data retention policy, it MUST return an empty result. | network_flow_log_more_than_90_days (3/0/3), postgresql_flexible_server_log_retention_days_greater_3 (4/0/4) |
| CCC.Logging | CCC.Logging.CN05.AR01 When a log storage bucket is created, the bucket's access control settings MUST explicitly deny public read and write access. | monitor_diagnostic_settings_exists (1/0/1) |
| CCC.Logging | CCC.Logging.CN05.AR02 When the URL of a log storage bucket's object is accessed publicly, the action MUST be denied by bucket policy. | monitor_diagnostic_settings_exists (1/0/1) |
| CCC.Logging | CCC.Logging.CN07.AR01 When an audit log event is recorded that corresponds to a modification of the logging service configuration such as disabling a log trail, deleting a log sink, or altering a log forwarding rule, an alert MUST be generated. | monitor_alert_create_policy_assignment (1/0/1), monitor_alert_create_update_nsg (1/0/1), monitor_alert_create_update_public_ip_address_rule (1/0/1), monitor_alert_create_update_security_solution (1/0/1), monitor_alert_create_update_sqlserver_fr (1/0/1), monitor_alert_delete_nsg (1/0/1), monitor_alert_delete_policy_assignment (1/0/1), monitor_alert_delete_public_ip_address_rule (1/0/1), monitor_alert_delete_security_solution (1/0/1), monitor_alert_delete_sqlserver_fr (1/0/1), monitor_alert_service_health_exists (1/0/1), monitor_diagnostic_settings_exists (1/0/1) |
| CCC.MLDE | CCC.MLDE.CN01.AR01 Verify that only authorized users can access MLDE resources, and that access modes are properly defined and enforced. | iam_role_user_access_admin_restricted (4/4/0) |
| CCC.MLDE | CCC.MLDE.CN03.AR01 Verify that root access is disabled on MLDE instances containing sensitive data. | iam_role_user_access_admin_restricted (4/4/0) |
| CCC.MLDE | CCC.MLDE.CN03.AR02 For MLDE instances without sensitive data, ensure that root access is only enabled when necessary and properly authorized. | iam_role_user_access_admin_restricted (4/4/0) |
| CCC.MLDE | CCC.MLDE.CN07.AR01 Verify that MLDE instances containing sensitive data cannot be accessed via public IP addresses. | network_http_internet_access_restricted (1/1/0), network_rdp_internet_access_restricted (1/1/0), network_ssh_internet_access_restricted (1/1/0), network_udp_internet_access_restricted (1/1/0) |
| CCC.MLDE | CCC.MLDE.CN07.AR02 For MLDE instances without sensitive data requiring public access, ensure that appropriate security controls are in place and access is approved. | network_http_internet_access_restricted (1/1/0), network_rdp_internet_access_restricted (1/1/0), network_ssh_internet_access_restricted (1/1/0), network_udp_internet_access_restricted (1/1/0) |
| CCC.MLDE | CCC.MLDE.CN08.AR01 Verify that MLDE instances containing sensitive data can only be deployed in approved virtual networks with appropriate security controls. | network_http_internet_access_restricted (1/1/0), network_rdp_internet_access_restricted (1/1/0), network_ssh_internet_access_restricted (1/1/0), network_udp_internet_access_restricted (1/1/0) |
| CCC.MLDE | CCC.MLDE.CN08.AR02 Ensure that MLDE instances without sensitive data are deployed in networks that meet organizational security standards. | network_http_internet_access_restricted (1/1/0), network_rdp_internet_access_restricted (1/1/0), network_ssh_internet_access_restricted (1/1/0), network_udp_internet_access_restricted (1/1/0) |
| CCC.Monitor | CCC.Monitor.CN01.AR01 When an External Monitoring system exceeds the anticipated rate of monitoring checks then Rate Limiting MUST be applied and an Audit Alert MUST be generated. | monitor_alert_create_policy_assignment (1/0/1), monitor_alert_create_update_nsg (1/0/1), monitor_alert_create_update_public_ip_address_rule (1/0/1), monitor_alert_create_update_security_solution (1/0/1), monitor_alert_create_update_sqlserver_fr (1/0/1), monitor_alert_delete_nsg (1/0/1), monitor_alert_delete_public_ip_address_rule (1/0/1), monitor_alert_delete_security_solution (1/0/1), monitor_alert_service_health_exists (1/0/1), monitor_diagnostic_settings_exists (1/0/1) |
| CCC.ObjStor | CCC.ObjStor.CN06.AR01 When an object storage bucket is accessed, the service MUST store access logs in a separate data store. | monitor_diagnostic_setting_with_appropriate_categories (1/0/1), monitor_diagnostic_settings_exists (1/0/1) |
| CCC.Vector | CCC.Vector.CN02.AR01 When an index lifecycle event is triggered, the service MUST verify that the actor has explicit permissions for the operation type. | iam_role_user_access_admin_restricted (4/4/0) |
| CCC.VPC | CCC.VPC.CN04.AR01 When any network traffic goes to or from an interface in the VPC, the service MUST capture and log all relevant information. | network_flow_log_captured_sent (3/0/3), network_flow_log_more_than_90_days (3/0/3), network_watcher_enabled (1/0/1) |
Resource Summary
Summary of all resources mentioned in OCSF results
| Resource Name | Resource Type | Control Catalogs | Total Tests | Passing | Failing |
|---|---|---|---|---|---|
| 083c1758-89d9-4b12-8005-48e7e359dc4f | AzureIAMRoleassignment | | 1 | 1 | 0 |
| 154eadeb-e375-4263-b4bd-4a2a2237ecd2 | AzureIAMRoleassignment | | 1 | 1 | 0 |
| 1b4a98ae-5221-4850-a761-4f9176407028 | AzureIAMRoleassignment | | 1 | 1 | 0 |
| 2c61de5e-5cbb-42b9-9f2a-9dd930efe3fb | AzureIAMRoleassignment | | 1 | 1 | 0 |
| AppInsights | Microsoft.Insights/components | | 1 | 0 | 1 |
| Bastion Host | Network | No CCC catalogs | 1 | 0 | 1 |
| Containers | Microsoft.Security | | 1 | 0 | 1 |
| Containers | AzureDefenderPlan | No CCC catalogs | 1 | 0 | 1 |
| default | AzureDefenderPlan | No CCC catalogs | 1 | 0 | 1 |
| Defender plan App Services | AzureDefenderPlan | No CCC catalogs | 1 | 0 | 1 |
| Defender plan ARM | AzureDefenderPlan | No CCC catalogs | 1 | 0 | 1 |
| Defender plan Cosmos DB | AzureDefenderPlan | No CCC catalogs | 1 | 0 | 1 |
| Defender plan DNS | AzureDefenderPlan | No CCC catalogs | 1 | 0 | 1 |
| Defender plan KeyVaults | AzureDefenderPlan | No CCC catalogs | 1 | 0 | 1 |
| Defender plan Open-Source Relational Databases | AzureDefenderPlan | No CCC catalogs | 1 | 0 | 1 |
| Defender plan Servers | AzureDefenderPlan | No CCC catalogs | 1 | 0 | 1 |
| Defender plan SQL Server VMs | AzureDefenderPlan | No CCC catalogs | 1 | 0 | 1 |
| Defender plan Storage Accounts | AzureDefenderPlan | No CCC catalogs | 1 | 0 | 1 |
| Diagnostic Settings | Monitor | | 1 | 0 | 1 |
| IoT Hub Defender | DefenderIoT | No CCC catalogs | 1 | 0 | 1 |
| MCAS | DefenderSettings | No CCC catalogs | 1 | 1 | 0 |
| Monitor | Monitor | | 12 | 0 | 12 |
| Network Watcher | Network | | 1 | 0 | 1 |
| NetworkWatcher_centralindia | Network | | 2 | 0 | 2 |
| NetworkWatcher_southcentralus | Network | | 2 | 0 | 2 |
| NetworkWatcher_westus2 | Network | | 2 | 0 | 2 |
| nsg-lee8 | Network | | 4 | 4 | 0 |
| psql-e9rn | PostgreSQL | | 7 | 5 | 2 |
| psql-rk6x | PostgreSQL | | 7 | 5 | 2 |
| psql-rtac | PostgreSQL | | 7 | 5 | 2 |
| psql-tumw | PostgreSQL | | 7 | 5 | 2 |
| SecurityCenterBuiltIn | Microsoft.Authorization/policyAssignments | No CCC catalogs | 1 | 1 | 0 |
| SqlServers | AzureDefenderPlan | No CCC catalogs | 2 | 0 | 2 |
| WDATP | DefenderSettings | No CCC catalogs | 1 | 1 | 0 |
Test Results
OCSF test results filtered for entries with CCC compliance mappings
| Status | Finding | Resource Name | Resource Type | Message | Test Requirements |
|---|---|---|---|---|---|
| FAIL | Ensure Application Insights are Configured. | AppInsights | Microsoft.Insights/components | There are no AppInsight configured in subscription Azure subscription 1. | |
| FAIL | Ensure Image Vulnerability Scanning using Azure Defender image scanning or a third party provider | Containers | Microsoft.Security | Container image scan is disabled in subscription Azure subscription 1. | |
| PASS | Ensure 'User Access Administrator' role is restricted | 1b4a98ae-5221-4850-a761-4f9176407028 | AzureIAMRoleassignment | Role assignment 1b4a98ae-5221-4850-a761-4f9176407028 in subscription Azure subscription 1 does not grant User Access Administrator role. | |
| PASS | Ensure 'User Access Administrator' role is restricted | 083c1758-89d9-4b12-8005-48e7e359dc4f | AzureIAMRoleassignment | Role assignment 083c1758-89d9-4b12-8005-48e7e359dc4f in subscription Azure subscription 1 does not grant User Access Administrator role. | |
| PASS | Ensure 'User Access Administrator' role is restricted | 2c61de5e-5cbb-42b9-9f2a-9dd930efe3fb | AzureIAMRoleassignment | Role assignment 2c61de5e-5cbb-42b9-9f2a-9dd930efe3fb in subscription Azure subscription 1 does not grant User Access Administrator role. | |
| PASS | Ensure 'User Access Administrator' role is restricted | 154eadeb-e375-4263-b4bd-4a2a2237ecd2 | AzureIAMRoleassignment | Role assignment 154eadeb-e375-4263-b4bd-4a2a2237ecd2 in subscription Azure subscription 1 does not grant User Access Administrator role. | |
| FAIL | Ensure that Activity Log Alert exists for Create Policy Assignment | Monitor | Monitor | There is not an alert for creating Policy Assignments in subscription Azure subscription 1. | |
| FAIL | Ensure that Activity Log Alert exists for Create or Update Network Security Group | Monitor | Monitor | There is not an alert for creating/updating Network Security Groups in subscription Azure subscription 1. | |
| FAIL | Ensure that Activity Log Alert exists for Create or Update Public IP Address rule | Monitor | Monitor | There is not an alert for creating/updating Public IP address rule in subscription Azure subscription 1. | |
| FAIL | Ensure that Activity Log Alert exists for Create or Update Security Solution | Monitor | Monitor | There is not an alert for creating/updating Security Solution in subscription Azure subscription 1. | |
| FAIL | Ensure that Activity Log Alert exists for Create or Update SQL Server Firewall Rule | Monitor | Monitor | There is not an alert for creating/updating SQL Server firewall rule in subscription Azure subscription 1. | |
| FAIL | Ensure that Activity Log Alert exists for Delete Network Security Group | Monitor | Monitor | There is not an alert for deleting Network Security Groups in subscription Azure subscription 1. | |
| FAIL | Ensure that Activity Log Alert exists for Delete Policy Assignment | Monitor | Monitor | There is not an alert for deleting policy assignment in subscription Azure subscription 1. | |
| FAIL | Ensure that Activity Log Alert exists for Delete Public IP Address rule | Monitor | Monitor | There is not an alert for deleting public IP address rule in subscription Azure subscription 1. | |
| FAIL | Ensure that Activity Log Alert exists for Delete Security Solution | Monitor | Monitor | There is not an alert for deleting Security Solution in subscription Azure subscription 1. | |
| FAIL | Ensure that Activity Log Alert exists for Delete SQL Server Firewall Rule | Monitor | Monitor | There is not an alert for deleting SQL Server firewall rule in subscription Azure subscription 1. | |
| FAIL | Ensure that an Activity Log Alert exists for Service Health | Monitor | Monitor | There is no activity log alert for Service Health in subscription Azure subscription 1. | |
| FAIL | Ensure Diagnostic Setting captures appropriate categories | Monitor | Monitor | There are no diagnostic settings capturing appropiate categories in subscription Azure subscription 1. | |
| FAIL | Ensure that a 'Diagnostic Setting' exists for Subscription Activity Logs | Diagnostic Settings | Monitor | No diagnostic settings found in subscription Azure subscription 1. | CCC.AuditLog.CN02.AR01, CCC.AuditLog.CN03.AR01, CCC.AuditLog.CN03.AR02, CCC.AuditLog.CN04.AR01, CCC.AuditLog.CN05.AR01, CCC.AuditLog.CN06.AR01, CCC.AuditLog.CN08.AR01, CCC.AuditLog.CN09.AR01, CCC.KeyMgmt.CN01.AR01, CCC.LB.CN01.AR02, CCC.LB.CN06.AR01, CCC.LB.CN04.AR01, CCC.Logging.CN01.AR01, CCC.Logging.CN01.AR02, CCC.AuditLog.CN04.AR01, CCC.Logging.CN05.AR01, CCC.Logging.CN05.AR02, CCC.Logging.CN07.AR01, CCC.ObjStor.CN06.AR01, CCC.Monitor.CN01.AR01, CCC.Core.CN09.AR01, CCC.Core.CN09.AR02, CCC.Core.CN09.AR03, CCC.Core.CN04.AR01, CCC.Core.CN04.AR02, CCC.Core.CN04.AR03, CCC.Core.CN07.AR02 |
| FAIL | Ensure that network flow logs are captured and fed into a central log analytics workspace. | NetworkWatcher_southcentralus | Network | Network Watcher NetworkWatcher_southcentralus from subscription Azure subscription 1 has no flow logs | |
| FAIL | Ensure that network flow logs are captured and fed into a central log analytics workspace. | NetworkWatcher_centralindia | Network | Network Watcher NetworkWatcher_centralindia from subscription Azure subscription 1 has no flow logs | |
| FAIL | Ensure that network flow logs are captured and fed into a central log analytics workspace. | NetworkWatcher_westus2 | Network | Network Watcher NetworkWatcher_westus2 from subscription Azure subscription 1 has no flow logs | |
| FAIL | Ensure that Network Security Group Flow Log retention period is 0, 90 days or greater | NetworkWatcher_southcentralus | Network | Network Watcher NetworkWatcher_southcentralus from subscription Azure subscription 1 has no flow logs | |
| FAIL | Ensure that Network Security Group Flow Log retention period is 0, 90 days or greater | NetworkWatcher_centralindia | Network | Network Watcher NetworkWatcher_centralindia from subscription Azure subscription 1 has no flow logs | |
| FAIL | Ensure that Network Security Group Flow Log retention period is 0, 90 days or greater | NetworkWatcher_westus2 | Network | Network Watcher NetworkWatcher_westus2 from subscription Azure subscription 1 has no flow logs | |
| PASS | Ensure that HTTP(S) access from the Internet is evaluated and restricted | nsg-lee8 | Network | Security Group nsg-lee8 from subscription Azure subscription 1 has HTTP internet access restricted. | |
| PASS | Ensure that RDP access from the Internet is evaluated and restricted | nsg-lee8 | Network | Security Group nsg-lee8 from subscription Azure subscription 1 has RDP internet access restricted. | |
| PASS | Ensure that SSH access from the Internet is evaluated and restricted | nsg-lee8 | Network | Security Group nsg-lee8 from subscription Azure subscription 1 has SSH internet access restricted. | |
| PASS | Ensure that UDP access from the Internet is evaluated and restricted | nsg-lee8 | Network | Security Group nsg-lee8 from subscription Azure subscription 1 has UDP internet access restricted. | |
| FAIL | Ensure that Network Watcher is 'Enabled' for all locations in the Azure subscription | Network Watcher | Network | Network Watcher is not enabled for the following locations in subscription 'Azure subscription 1': germanynorth, qatarcentral, newzealandnorth, swedencentral, chilecentral, westeurope, polandcentral, spaincentral, westindia, israelcentral, norwayeast, koreacentral, uaenorth, australiasoutheast, mexicocentral, austriaeast, switzerlandwest, westcentralus, canadacentral, switzerlandnorth, jioindiawest, northeurope, eastus2, australiaeast, southindia, westus3, germanywestcentral, japaneast, ukwest, uaecentral, jioindiacentral, westus, indonesiacentral, canadaeast, brazilsoutheast, centralus, brazilsouth, southafricawest, southafricanorth, australiacentral2, norwaywest, japanwest, francesouth, koreasouth, southeastasia, uksouth, australiacentral, francecentral, eastus, northcentralus, malaysiawest, eastasia, italynorth. | |
| PASS | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | psql-e9rn | PostgreSQL | Flexible Postgresql server psql-e9rn from subscription Azure subscription 1 has allow public access from any Azure service disabled | |
| PASS | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | psql-rk6x | PostgreSQL | Flexible Postgresql server psql-rk6x from subscription Azure subscription 1 has allow public access from any Azure service disabled | |
| PASS | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | psql-rtac | PostgreSQL | Flexible Postgresql server psql-rtac from subscription Azure subscription 1 has allow public access from any Azure service disabled | |
| PASS | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | psql-tumw | PostgreSQL | Flexible Postgresql server psql-tumw from subscription Azure subscription 1 has allow public access from any Azure service disabled | |
| FAIL | Ensure Server Parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server | psql-e9rn | PostgreSQL | Flexible Postgresql server psql-e9rn from subscription Azure subscription 1 has log_retention disabled | |
| FAIL | Ensure Server Parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server | psql-rk6x | PostgreSQL | Flexible Postgresql server psql-rk6x from subscription Azure subscription 1 has log_retention disabled | |
| FAIL | Ensure Server Parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server Flexible Postgresql server psql-rtac from subscription Azure subscription 1 has log_retention disabled | psql-rtac | PostgreSQL | Flexible Postgresql server psql-rtac from subscription Azure subscription 1 has log_retention disabled | |
| FAIL | Ensure Server Parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server Flexible Postgresql server psql-tumw from subscription Azure subscription 1 has log_retention disabled | psql-tumw | PostgreSQL | Flexible Postgresql server psql-tumw from subscription Azure subscription 1 has log_retention disabled |