diff --git a/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecurityAssessmentMetadataTests/CreateAndDeleteAssessmentMetadata.json b/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecurityAssessmentMetadataTests/CreateAndDeleteAssessmentMetadata.json
index c49dbf93ba44..57b570161b78 100644
--- a/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecurityAssessmentMetadataTests/CreateAndDeleteAssessmentMetadata.json
+++ b/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecurityAssessmentMetadataTests/CreateAndDeleteAssessmentMetadata.json
@@ -57,7 +57,7 @@
"-1"
]
},
- "ResponseBody": "{\r\n \"value\": [\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4fb67663-9ab9-475d-b026-8c544cced439\",\r\n \"name\": \"4fb67663-9ab9-475d-b026-8c544cced439\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Install endpoint protection solution on Linux virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9\",\r\n \"description\": \"\",\r\n \"remediationDescription\": \"\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0396b18c-41aa-489c-affd-4ee5d1714a59\",\r\n \"name\": \"0396b18c-41aa-489c-affd-4ee5d1714a59\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Secure Boot should be enabled on your virtual machine\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0396b18c-41aa-489c-affd-4ee5d1714a59\",\r\n \"description\": \"Enabling Secure Boot on your virtual machine helps mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only signed code will be allowed to run on your VM or server.\",\r\n \"remediationDescription\": \"Enabling Secure Boot requires restarting your virtual machine: 1. Stop your VM when it is safe to do so. 2. Enable Secure Boot for the VM. 3. Restart the VM.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ElevationOfPrivilege\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f7010359-8d21-4598-a9f2-c3e81a17141e\",\r\n \"name\": \"f7010359-8d21-4598-a9f2-c3e81a17141e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"All advanced threat protection types should be enabled in SQL server advanced data security settings\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e756b945-1b1b-480b-8de8-9a0859d5f7ad\",\r\n \"description\": \"It is recommended to enable all advanced threat protection types on your SQL servers. Enabling all types protects against SQL injection, database vulnerabilities, and any other anomalous activities.\",\r\n \"remediationDescription\": \"To set advanced threat protection types to 'All' on SQL servers: 1. Select the SQL server. 2. Make sure that 'Advanced data security' is set to 'On'. 3. Under 'Advanced threat protection types', mark the check box for 'all'. 4. click OK. 5. Click Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ebe970fe-9c27-4dd7-a165-1e943d565e10\",\r\n \"name\": \"ebe970fe-9c27-4dd7-a165-1e943d565e10\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"All advanced threat protection types should be enabled in SQL managed instance advanced data security settings\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bda18df3-5e41-4709-add9-2554ce68c966\",\r\n \"description\": \"It is recommended to enable all advanced threat protection types on your SQL managed instances. Enabling all types protects against SQL injection, database vulnerabilities, and any other anomalous activities.\",\r\n \"remediationDescription\": \"To set advanced threat protection types to 'All' on a managed instance: 1. Select the SQL server. 2. Make sure that 'Advanced data security' is set to 'On'. 3. Under 'Advanced threat protection types', mark the check box for 'all'. 4. click OK. 5. Click Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/64b8637e-4e1d-76a9-0fc9-c1e487a97ed8\",\r\n \"name\": \"64b8637e-4e1d-76a9-0fc9-c1e487a97ed8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Remote debugging should be turned off for Web Applications\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/cb510bfd-1cba-4d9f-a230-cb0976f4bb71\",\r\n \"description\": \"Remote debugging requires inbound ports to be opened on a web application. Remote debugging is currently enabled. If you no longer need to use remote debugging, it should be turned off.\",\r\n \"remediationDescription\": \"To turn off remote debugging, we recommend the following steps: 1. Go to the app service applications settings page 2. In the remote debugging toggle select Off 3. Click Save\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/df4d1739-47f0-60c7-1706-3731fea6ab03\",\r\n \"name\": \"df4d1739-47f0-60c7-1706-3731fea6ab03\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CORS should not allow every resource to access your Web Applications\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/5744710e-cc2f-4ee8-8809-3b11e89f4bc9\",\r\n \"description\": \"Cross-Origin Resource Sharing (CORS) should not allow all domains to access your web application. Allow only required domains to interact with your web app.\",\r\n \"remediationDescription\": \"To allow only required domains to interact with your web app, we recommend the following steps:<br>1. Go to the app service CORS page<br>2. Remove the \\\"*\\\" defined and instead specify explicit origins that should be allowed to make cross-origin calls<br>3. Click Save\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1b351b29-41ca-6df5-946c-c190a56be5fe\",\r\n \"name\": \"1b351b29-41ca-6df5-946c-c190a56be5fe\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Web Application should only be accessible over HTTPS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d\",\r\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\",\r\n \"remediationDescription\": \"To redirect all HTTP traffic to HTTPS, we recommend the following steps:
\\n1. Go to the app service custom domains page
\\n2. In the HTTPS Only toggle select On\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/093c685b-56dd-13a3-8ed5-887a001837a2\",\r\n \"name\": \"093c685b-56dd-13a3-8ed5-887a001837a2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Remote debugging should be turned off for Function App\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/0e60b895-3786-45da-8377-9c6b4b6ac5f9\",\r\n \"description\": \"Remote debugging requires inbound ports to be opened on an function app. Remote debugging should be turned off.\",\r\n \"remediationDescription\": \"To turn off remote debugging, we recommend the following steps:<br>1. Go to the app service applications settings page<br>2. In the remote debugging toggle select Off<br>3. Click Save\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7b3d4796-9400-2904-692b-4a5ede7f0a1e\",\r\n \"name\": \"7b3d4796-9400-2904-692b-4a5ede7f0a1e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CORS should not allow every resource to access your Function App\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/0820b7b9-23aa-4725-a1ce-ae4558f718e5\",\r\n \"description\": \"Cross-Origin Resource Sharing (CORS) should not allow all domains to access your Function app. Allow only required domains to interact with your Function app.\",\r\n \"remediationDescription\": \"To allow only required domains to interact with your web app, we recommend the following steps:<br>1. Go to the app service CORS page<br>2. Remove the \\\"*\\\" defined and instead specify explicit origins that should be allowed to make cross-origin calls<br>3. Click Save\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/cb0acdc6-0846-fd48-debe-9905af151b6d\",\r\n \"name\": \"cb0acdc6-0846-fd48-debe-9905af151b6d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Function App should only be accessible over HTTPS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab\",\r\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\",\r\n \"remediationDescription\": \"To redirect all HTTP traffic to HTTPS, we recommend the following steps:
\\n1. Go to the app service custom domains page
\\n2. In the HTTPS Only toggle select On\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9172da4e-9571-6e33-2b5b-d742847f3be7\",\r\n \"name\": \"9172da4e-9571-6e33-2b5b-d742847f3be7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Remote debugging should be turned off for API App\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/e9c8d085-d9cc-4b17-9cdc-059f1f01f19e\",\r\n \"description\": \"Remote debugging requires inbound ports to be opened on an API app. Remote debugging should be turned off.\",\r\n \"remediationDescription\": \"To turn off remote debugging, we recommend the following steps:<br>1. Go to the app service applications settings page<br>2. In the remote debugging toggle select Off<br>3. Click Save\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e40df93c-7a7c-1b0a-c787-9987ceb98e54\",\r\n \"name\": \"e40df93c-7a7c-1b0a-c787-9987ceb98e54\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CORS should not allow every resource to access your API App\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/358c20a6-3f9e-4f0e-97ff-c6ce485e2aac\",\r\n \"description\": \"Cross-Origin Resource Sharing (CORS) should not allow all domains to access your API app. Allow only required domains to interact with your API app.\",\r\n \"remediationDescription\": \"To allow only required domains to interact with your web app, we recommend the following steps:<br>1. Go to the app service CORS page<br>2. Remove the �*� defined and instead specify explicit origins that should be allowed to make cross-origin calls<br>3. Click Save\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bf82a334-13b6-ca57-ea75-096fc2ffce50\",\r\n \"name\": \"bf82a334-13b6-ca57-ea75-096fc2ffce50\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"API App should only be accessible over HTTPS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b7ddfbdc-1260-477d-91fd-98bd9be789a6\",\r\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\",\r\n \"remediationDescription\": \"To redirect all HTTP traffic to HTTPS, we recommend the following steps:
\\n1. Go to the app service custom domains page
\\n2. In the HTTPS Only toggle select On\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d57a4221-a804-52ca-3dea-768284f06bb7\",\r\n \"name\": \"d57a4221-a804-52ca-3dea-768284f06bb7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Disk encryption should be applied on virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d\",\r\n \"description\": \"Encrypt your virtual machine disks using Azure Disk Encryption both for Windows and Linux virtual machines.
\\n Azure Disk Encryption (ADE) leverages the industry standard BitLocker feature of Windows and the DM-Crypt feature of Linux to
\\n provide OS and data disk encryption to help protect and safeguard your data and help meet your organizational security and
\\n compliance commitments in customer Azure key vault. When your compliance and security requirement requires you to encrypt
\\n the data end to end using your encryption keys, including encryption of the ephemeral (locally attached temporary) disk, use
\\n Azure disk encryption. Alternatively, by default, Managed Disks are encrypted at rest by default using Azure Storage Service
\\n Encryption where the encryption keys are Microsoft managed keys in Azure. If this meets your compliance and security requirements,
\\n you can leverage the default Managed disk encryption to meet your requirements.\",\r\n \"remediationDescription\": \"To enable disk encryption on your virtual machines, follow Encryption instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4ab6e3c5-74dd-8b35-9ab9-f61b30875b27\",\r\n \"name\": \"4ab6e3c5-74dd-8b35-9ab9-f61b30875b27\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"System updates should be installed on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60\",\r\n \"description\": \"Install missing system security and critical updates to secure your Windows and Linux virtual machines and computers\",\r\n \"remediationDescription\": \"1. Click an identified outstanding update. 2. In the Missing system updates pane, click the support link and follow the instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c0f5316d-5ac5-9218-b77a-b96e16ccfd66\",\r\n \"name\": \"c0f5316d-5ac5-9218-b77a-b96e16ccfd66\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Your machines should be restarted to apply system updates\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60\",\r\n \"description\": \"Restart your machines to apply the system updates and secure the machine from vulnerabilities.\",\r\n \"remediationDescription\": \"To restart the machine:
\\n1. Go to Virtual machines and click on your machine.
\\n2. Click 'Restart'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/181ac480-f7c4-544b-9865-11b8ffe87f47\",\r\n \"name\": \"181ac480-f7c4-544b-9865-11b8ffe87f47\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities in security configuration on your machines should be remediated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15\",\r\n \"description\": \"Remediate vulnerabilities in security configuration on your machines to protect them from attacks.\",\r\n \"remediationDescription\": \"1.\\tClick any of the configuration vulnerabilities. 2. In the Remediate security configurations pane, click View affected machines. 3. Click a machine from the list. 4. Customize the Kusto query as necessary and run the command.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3bcd234d-c9c7-c2a2-89e0-c01f419c1a8a\",\r\n \"name\": \"3bcd234d-c9c7-c2a2-89e0-c01f419c1a8a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Endpoint protection health issues should be resolved on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9\",\r\n \"description\": \"For full Security Center protection, resolve monitoring agent issues on your machines by following the instructions in the Troubleshooting guide.\",\r\n \"remediationDescription\": \"1. Click any of the health issues. 2. Select a workspace. 3. Customize the Kusto query as necessary and run the command.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/83f577bd-a1b6-b7e1-0891-12ca19d1e6df\",\r\n \"name\": \"83f577bd-a1b6-b7e1-0891-12ca19d1e6df\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Install endpoint protection solution on virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9\",\r\n \"description\": \"Install an endpoint protection solution on your virtual machines, to protect them from threats and vulnerabilities.\",\r\n \"remediationDescription\": \"1.\\tSelect one or more virtual machines, or use the filter to set criteria for which machines to select. 2. Click Install on [x] VMs.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/651967bf-044e-4bde-8376-3e08e0600105\",\r\n \"name\": \"651967bf-044e-4bde-8376-3e08e0600105\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Transparent Data Encryption on SQL databases should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a8bef009-a5c9-4d0f-90d7-6018734e8a16\",\r\n \"description\": \"Enable transparent data encryption to protect data-at-rest and meet compliance requirements\",\r\n \"remediationDescription\": \"To enable transparent data encryption on your SQL databases: 1. Select the SQL database. 2. Under Data encryption, select On. 3. Click Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/94208a8b-16e8-4e5b-abbd-4e81c9d02bee\",\r\n \"name\": \"94208a8b-16e8-4e5b-abbd-4e81c9d02bee\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Auditing on SQL server should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9\",\r\n \"description\": \"Enable auditing on your SQL Server to track database activities across all databases on the server and save them in an audit log.\",\r\n \"remediationDescription\": \"To enable SQL server auditing:
\\n1. Select the SQL server.
\\n2. Under Auditing, select On.
\\n3. Select Storage details and configure a storage account for the audit log.
\\n4. Click Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8bc390da-9eb6-938d-25ed-44a35d9bcc9d\",\r\n \"name\": \"8bc390da-9eb6-938d-25ed-44a35d9bcc9d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"OS version should be updated for your cloud service roles\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Update the operating system (OS) version for your cloud service roles to the most recent version available for your OS family.\",\r\n \"remediationDescription\": \"Update the OS version on your cloud service roles to make sure you have the most recent OS version. To do this, follow the instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/383cf3bc-fdf9-4a02-120a-3e7e36c6bfee\",\r\n \"name\": \"383cf3bc-fdf9-4a02-120a-3e7e36c6bfee\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Install endpoint protection solution on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Install an endpoint protection solution on your Windows and Linux machines, to protect them from threats and vulnerabilities.\",\r\n \"remediationDescription\": \"1. Select one or more machines, or use the filter to set criteria for which machines to select. 2. Click Install on [x] machines.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e7ee30c4-bac9-2966-54bd-2023a4282872\",\r\n \"name\": \"e7ee30c4-bac9-2966-54bd-2023a4282872\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Monitoring agent should be installed on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This action installs a monitoring agent on the selected virtual machines. Select a workspace for the agent to report to.\",\r\n \"remediationDescription\": \"1. For instructions on how to install the agent on Windows, click here 2. For instructions on how to install the agent on Linux, click here\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8e2b96ff-3de2-289b-b5c1-3b9921a3441e\",\r\n \"name\": \"8e2b96ff-3de2-289b-b5c1-3b9921a3441e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Monitoring agent health issues should be resolved on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Security Center uses the Microsoft Monitoring Agent (MMA) to collect security events from your Azure virtual machines. To make sure your virtual machines are successfully monitored,
\\n you need to enable data collection in Security Center and make sure the MMA agent is both installed on the virtual machines and properly collects security events to the configured workspace.
\\n In some cases, the MMA agent may fail to properly report security events, due to multiple reasons. In these cases, coverage may be partial - security events won�t be properly processed,
\\n and in turn threat detection for the affected VMs may fail to function.\",\r\n \"remediationDescription\": \"To resolve monitoring agent health issues and see the different resolution for each issue, please see the following instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d1db3318-01ff-16de-29eb-28b344515626\",\r\n \"name\": \"d1db3318-01ff-16de-29eb-28b344515626\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Install monitoring agent on your virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Security Center uses the Microsoft Monitoring Agent (MMA) to collect security events from your Azure virtual machines.<br> We recommend configuring auto-provisioning to ensure the MMA is deployed automatically.<br> If you choose not to use auto-provisioning, you�ll need to follow the remediation steps to manually deploy the MMA for all your VMs.<br> You�ll also need to follow that procedure if your VMs are used by an Azure managed service such as Azure Kubernetes Service or Azure Service Fabric.\",\r\n \"remediationDescription\": \"Installation of the monitoring agent and enabling data collection in Security Center can be done in several ways:\\n- Using Security Center�s automatic provisioning on your subscription(s).
This will automatically provision the monitoring agent on current and future-created virtual machines on your subscription(s). (Learn more)
\\nYou can enable automatic provisioning on multiple subscriptions by clicking on the Getting started menu item, and select 'Install agents'.
You can also enable it for specific subscriptions and customize additional settings by clicking on the 'Security policy' menu item,
select 'Edit settings' on a subscription and enable auto provisioning in the 'data collection' menu item. \\n- Install the Microsoft Monitoring agent on your Virtual machines as a VM extension or directly, by following these instructions.
\\n- Provision the Microsoft Monitoring agent with Azure Policies. The applicable policy definitions are:
�[Preview]: Deploy Log Analytics Agent for Windows VMs� and �[Preview]: Deploy Log Analytics Agent for Linux VMs. \\n
\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/151e82c5-5341-a74b-1eb0-bc38d2c84bb5\",\r\n \"name\": \"151e82c5-5341-a74b-1eb0-bc38d2c84bb5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"MFA should be enabled on accounts with read permissions on your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e3576e28-8b17-4677-84c3-db2990658d64\",\r\n \"description\": \"Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources.\",\r\n \"remediationDescription\": \"Before enabling MFA for the users, you may want to take this opportunity to delete any users listed that are no longer active users.
To enable MFA using conditional access you must have an Azure AD Premium license and have AD tenant admin permissions.
To enable MFA on user accounts: 1. Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription. The list of user accounts that require enabling MFA opens. 2. Click 'Continue'. The Azure AD Conditional Access page opens. 3. In the Conditional Access page, add the list of users to an existing policy. If there are no existing policies create a new policy following these instructions:
a. Click '+New policy'.
b. In the 'Name' text box, enter a policy name.
c. Assign 'User and groups':
i. Select 'Users and groups' > In the 'Include' tab, select 'Select users and groups' and select the 'Users and groups' check box.
ii. Select the users that are in the list of user accounts require enabling MFA. You can scroll back to the left to see the list.
iii. After selecting the users, at the bottom of the list, click 'Select'.
iv. Click 'Done'.
d. Assign 'Cloud apps'
i. Select 'Cloud apps' > In the 'Include' tab, select 'All cloud apps'. (Don't exclude any apps.)
ii. Click 'Done'.
e. Assign 'Access Controls'
i. Select 'Grant' and select 'Require multi-factor authentication'. (Don't select any other options.)
ii. Click 'Select'.
f. Enable Policy.
i. Click 'On' 4. Click 'Create'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/57e98606-6b1e-6193-0e3d-fe621387c16b\",\r\n \"name\": \"57e98606-6b1e-6193-0e3d-fe621387c16b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"MFA should be enabled on accounts with write permissions on your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9297c21d-2ed6-4474-b48f-163f75654ce3\",\r\n \"description\": \"Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources.\",\r\n \"remediationDescription\": \"Before enabling MFA for the users, you may want to take this opportunity to delete any users listed that are no longer active users.
To enable MFA using conditional access you must have an Azure AD Premium license and have AD tenant admin permissions.
To enable MFA on user accounts: 1. Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription. The list of user accounts that require enabling MFA opens. 2. Click 'Continue'. The Azure AD Conditional Access page opens. 3. In the Conditional Access page, add the list of users to an existing policy. If there are no existing policies create a new policy following these instructions:
a. Click '+New policy'.
b. In the 'Name' text box, enter a policy name.
c. Assign 'User and groups':
i. Select 'Users and groups' > In the 'Include' tab, select 'Select users and groups' and select the 'Users and groups' check box.
ii. Select the users that are in the list of user accounts require enabling MFA. You can scroll back to the left to see the list.
iii. After selecting the users, at the bottom of the list, click 'Select'.
iv. Click 'Done'.
d. Assign 'Cloud apps'
i. Select 'Cloud apps' > In the 'Include' tab, select 'All cloud apps'. (Don't exclude any apps.)
ii. Click 'Done'.
e. Assign 'Access Controls'
i. Select 'Grant' and select 'Require multi-factor authentication'. (Don't select any other options.)
ii. Click 'Select'.
f. Enable Policy.
i. Click 'On' 4. Click 'Create'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/94290b00-4d0c-d7b4-7cea-064a9554e681\",\r\n \"name\": \"94290b00-4d0c-d7b4-7cea-064a9554e681\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"MFA should be enabled on accounts with owner permissions on your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/aa633080-8b72-40c4-a2d7-d00c03e80bed\",\r\n \"description\": \"Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources.\",\r\n \"remediationDescription\": \"Before enabling MFA for the users, you may want to take this opportunity to delete any users listed that are no longer active users.
To enable MFA using conditional access you must have an Azure AD Premium license and have AD tenant admin permissions.
To enable MFA on user accounts: 1. Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription. The list of user accounts that require enabling MFA opens. 2. Click 'Continue'. The Azure AD Conditional Access page opens. 3. In the Conditional Access page, add the list of users to an existing policy. If there are no existing policies create a new policy following these instructions:
a. Click '+New policy'.
b. In the 'Name' text box, enter a policy name.
c. Assign 'User and groups':
i. Select 'Users and groups' > In the 'Include' tab, select 'Select users and groups' and select the 'Users and groups' check box.
ii. Select the users that are in the list of user accounts require enabling MFA. You can scroll back to the left to see the list.
iii. After selecting the users, at the bottom of the list, click 'Select'.
iv. Click 'Done'.
d. Assign 'Cloud apps'
i. Select 'Cloud apps' > In the 'Include' tab, select 'All cloud apps'. (Don't exclude any apps.)
ii. Click 'Done'.
e. Assign 'Access Controls'
i. Select 'Grant' and select 'Require multi-factor authentication'. (Don't select any other options.)
ii. Click 'Select'.
f. Enable Policy.
i. Click 'On' 4. Click 'Create'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a8c6a4ad-d51e-88fe-2979-d3ee3c864f8b\",\r\n \"name\": \"a8c6a4ad-d51e-88fe-2979-d3ee3c864f8b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"External accounts with read permissions should be removed from your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5f76cf89-fbf2-47fd-a3f4-b891fa780b60\",\r\n \"description\": \"Accounts with read permissions that have different domain names (external accounts), should be removed from your subscription. This prevents unmonitored access. These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"To remove external accounts:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The list of external user accounts that require access removal opens.
Click 'Continue'. The Access control (IAM) page opens.
In the Access control page: 1. Click the 'Role assignments' 2. Search and select the users that were in the list of user accounts that require removal. You can scroll back to the left to see the list. 3. Click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/04e7147b-0deb-9796-2e5c-0336343ceb3d\",\r\n \"name\": \"04e7147b-0deb-9796-2e5c-0336343ceb3d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"External accounts with write permissions should be removed from your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5c607a2e-c700-4744-8254-d77e7c9eb5e4\",\r\n \"description\": \"Accounts with write permissions that have different domain names (external accounts), should be removed from your subscription. This prevents unmonitored access. These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"To remove external accounts:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The list of external user accounts that require access removal opens.
Click 'Continue'. The Access control (IAM) page opens.
In the Access control page: 1. Click the 'Role assignments' 2. Search and select the users that were in the list of user accounts that require removal. You can scroll back to the left to see the list. 3. Click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c3b6ae71-f1f0-31b4-e6c1-d5951285d03d\",\r\n \"name\": \"c3b6ae71-f1f0-31b4-e6c1-d5951285d03d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"External accounts with owner permissions should be removed from your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f8456c1c-aa66-4dfb-861a-25d127b775c9\",\r\n \"description\": \"Accounts with owner permissions that have different domain names (external accounts), should be removed from your subscription. This prevents unmonitored access. These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"To remove external accounts:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The list of external user accounts that require access removal opens.
Click 'Continue'. The Access control (IAM) page opens.
In the Access control page: 1. Click the 'Role assignments' 2. Search and select the users that were in the list of user accounts that require removal. You can scroll back to the left to see the list. 3. Click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/00c6d40b-e990-6acf-d4f3-471e747a27c4\",\r\n \"name\": \"00c6d40b-e990-6acf-d4f3-471e747a27c4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Deprecated accounts should be removed from your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6b1cbf55-e8b6-442f-ba4c-7246b6381474\",\r\n \"description\": \"User accounts that have been blocked from signing in, should be removed from your subscriptions.
These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"To remove blocked user accounts:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The list of blocked user accounts opens.
Click �Continue�. The Access control (IAM) page opens.
In the Access control page:1. Click the 'Role assignments' tab. 2. Search and select the users that were in the list of blocked user accounts that require removal. You can scroll back to the left to see the list. 3. Click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e52064aa-6853-e252-a11e-dffc675689c2\",\r\n \"name\": \"e52064aa-6853-e252-a11e-dffc675689c2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Deprecated accounts with owner permissions should be removed from your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ebb62a0c-3560-49e1-89ed-27e074e9f8ad\",\r\n \"description\": \"User accounts that have been blocked from signing in, should be removed from your subscriptions.
These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"To remove blocked user accounts:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The list of blocked user accounts opens.
Click �Continue�. The Access control (IAM) page opens.
In the Access control page:1. Click the 'Role assignments' tab. 2. Search and select the users that were in the list of blocked user accounts that require removal. You can scroll back to the left to see the list. 3. Click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6f90a6d6-d4d6-0794-0ec1-98fa77878c2e\",\r\n \"name\": \"6f90a6d6-d4d6-0794-0ec1-98fa77878c2e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"A maximum of 3 owners should be designated for your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4f11b553-d42e-4e3a-89be-32ca364cad4c\",\r\n \"description\": \"It is recommended to designate up to {0} subscription owners in order to reduce the potential for breach by a compromised owner.\",\r\n \"remediationDescription\": \"To remove owner permissions from user accounts on your subscription:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The Access control (IAM) page opens. 1. Click the Role assignments tab and set the 'Role' filter to 'Owner'. 2. Select the owners you want to remove. 3. Click Remove.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2c79b4af-f830-b61e-92b9-63dfa30f16e4\",\r\n \"name\": \"2c79b4af-f830-b61e-92b9-63dfa30f16e4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"There should be more than one owner assigned to your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/09024ccc-0c5f-475e-9457-b7c0d9ed487b\",\r\n \"description\": \"Designate more than one subscription owner in order to have administrator access redundancy.\",\r\n \"remediationDescription\": \"To add another account with owner permissions to your subscription:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The Access control (IAM) page opens. 1. Click 'Add' to open the Add role assignment pane.
If you don't have permissions to assign roles, the Add role assignment option will be disabled 1. In the 'Role' drop-down list, select the Owner role. 2. In the Select list, select a user. 3. Click Save.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0677209d-e675-2c6f-e91a-54cef2878663\",\r\n \"name\": \"0677209d-e675-2c6f-e91a-54cef2878663\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities in container security configurations should be remediated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933\",\r\n \"description\": \"Remediate vulnerabilities in security configuration on machines with Docker installed to protect them from attacks.\",\r\n \"remediationDescription\": \"To Remediate vulnerabilities in the container security configurations:1. Review the list of failed rules.2. Fix each rule according to the specified instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1db4f204-cb5a-4c9c-9254-7556403ce51c\",\r\n \"name\": \"1db4f204-cb5a-4c9c-9254-7556403ce51c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerability assessment should be enabled on your SQL servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9\",\r\n \"description\": \"Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities.\",\r\n \"remediationDescription\": \"To enable vulnerability assessment on SQL servers: 1. Select the SQL server. 2. Make sure that 'Advanced data security' is set to 'On'. 3. Under 'Vulnerability assessment settings', set 'Periodic recurring scans' to 'On', and configure a storage account for storing vulnerability assessment scan results. 4. Click Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/400a6682-992c-4726-9549-629fbc3b988f\",\r\n \"name\": \"400a6682-992c-4726-9549-629fbc3b988f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Advanced data security should be enabled on your SQL servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9\",\r\n \"description\": \"Advanced data security (ADS) is a unified package that provides advanced SQL security capabilities. It discovers and classifies sensitive data, surfaces and mitigates potential database vulnerabilities, and detects anomalous activities that could indicate a threat to your database. ADS is charged at $15 per SQL server.\",\r\n \"remediationDescription\": \"To enable advanced data security on SQL servers: 1. Select the SQL server. 2. Under 'Advanced Data Security', select 'On'. 3. Under 'Vulnerability Assessment Settings', set 'Periodic recurring scans' to 'On', and configure a storage account for storing vulnerability assessment scan results. 4. Click Save.
Note: ADS is charged at $15 per SQL server.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f0553104-cfdb-65e6-759c-002812e38500\",\r\n \"name\": \"f0553104-cfdb-65e6-759c-002812e38500\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"An Azure Active Directory administrator should be provisioned for SQL servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9\",\r\n \"description\": \"Provision an Azure AD administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services.\",\r\n \"remediationDescription\": \"To provision an Azure AD administrator for SQL server, see Configure and manage Azure Active Directory authentication with SQL Database, Managed Instance, or SQL Data Warehouse\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/12018f4f-3d10-999b-e4c4-86ec25be08a1\",\r\n \"name\": \"12018f4f-3d10-999b-e4c4-86ec25be08a1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Virtual machines should be migrated to new Azure Resource Manager resources\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d\",\r\n \"description\": \"To benefit from new capabilities in Azure Resource Manager, you can migrate existing deployments from the Classic deployment model. Resource Manager enables security enhancements such as: stronger access control (RBAC), better auditing, ARM-based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management. Learn more\",\r\n \"remediationDescription\": \"To migrate virtual machines to new ARM resources : 1. Go to the Virtual machine 2. Click on Migrate to ARM and follow the instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/22e18b64-4576-41e6-8972-0eb28c9af0c8\",\r\n \"name\": \"22e18b64-4576-41e6-8972-0eb28c9af0c8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fb893a29-21bb-418c-a157-e99480ec364c\",\r\n \"description\": \"Upgrade your Kubernetes service cluster to a later Kubernetes version to protect against known vulnerabilities in your current Kubernetes version. Vulnerability CVE-2019-9946 has been patched in Kubernetes versions 1.11.9+, 1.12.7+, 1.13.5+, and 1.14.0+\",\r\n \"remediationDescription\": \"To upgrade a Kubernetes version using the Azure portal: 1. Go to Azure Kubernetes Services and click on the specific Kubernetes Service. 2. Under 'Upgrade' select the target Kubernetes version and save the change. Note:When you upgrade an AKS cluster, Kubernetes minor versions cannot be skipped. For example, upgrades between 1.10.x -> 1.11.x or 1.11.x -> 1.12.x are allowed, however 1.10.x -> 1.12.x is not. To upgrade from 1.10.x -> 1.12.x, first upgrade from 1.10.x -> 1.11.x, then upgrade from 1.11.x -> 1.12.x.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"ElevationOfPrivilege\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1a2b5b4c-f80d-46e7-ac81-b51a9fb363de\",\r\n \"name\": \"1a2b5b4c-f80d-46e7-ac81-b51a9fb363de\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Authorized IP ranges should be defined on Kubernetes Services\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e246bcf-5f6f-4f87-bc6f-775d4712c7ea\",\r\n \"description\": \"Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster.\",\r\n \"remediationDescription\": \"To configure authorized IP ranges, follow the steps described here Secure access to the API server using authorized IP address ranges in Azure Kubernetes Service (AKS).\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DenialOfService\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a3eee263-aa01-4b52-a7c0-0094578ef48f\",\r\n \"name\": \"a3eee263-aa01-4b52-a7c0-0094578ef48f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Pod Security Policies should be defined on Kubernetes Services\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3abeb944-26af-43ee-b83d-32aaf060fb94\",\r\n \"description\": \"Define Pod Security Policies to reduce the attack vector by removing unnecessary application privileges. It is recommended to configure Pod Security Policies to only allow pods to access the resources which they have permissions to access.\",\r\n \"remediationDescription\": \"To configure Pod Security Policies, follow the steps described here Secure your cluster using pod security policies in Azure Kubernetes Service (AKS).\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ElevationOfPrivilege\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b0fdc63a-38e7-4bab-a7c4-2c2665abbaa9\",\r\n \"name\": \"b0fdc63a-38e7-4bab-a7c4-2c2665abbaa9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Role-Based Access Control should be used on Kubernetes Services\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ac4a19c2-fa67-49b4-8ae5-0b2e78c49457\",\r\n \"description\": \"To provide granular filtering on the actions that users can perform, use Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service Clusters and configure relevant authorization policies. For more information, see Azure role-based access control.\",\r\n \"remediationDescription\": \"To Use Role-Based Access Control (RBAC) you must recreate your Kubernetes Service cluster and enable RBAC during the creation process. Creating a Kubernetes Service with RBAC enabled can be done via the portal as follows: 1. Go to Azure Kubernetes Services. 2. Click 'Add' and enter your cluster's configuration. 3. In the 'Authentication' tab, verify that the 'Enable RBAC' setting is set to 'Yes'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"ElevationOfPrivilege\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c6dad669-efd7-cd72-61c5-289935607791\",\r\n \"name\": \"c6dad669-efd7-cd72-61c5-289935607791\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Data Lake Analytics should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c95c74d9-38fe-4f0d-af86-0c7d626a315c\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Data Lake Analytics diagnostics: 1. Go to Data Lake Analytics and click on your subscription. 2. Click Diagnostic settings and then click Turn on diagnostics. 3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c42fc28d-1703-45fc-aaa5-39797f570513\",\r\n \"name\": \"c42fc28d-1703-45fc-aaa5-39797f570513\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerability assessment should be enabled on your SQL managed instances\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b7aa243-30e4-4c9e-bca8-d0d3022b634a\",\r\n \"description\": \"Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities.\",\r\n \"remediationDescription\": \"To enable vulnerability assessment on a managed instance: 1. Select the SQL managed instance. 2. Make sure that 'Advanced data security' is set to 'On'. 3. Under 'Vulnerability assessment settings', set 'Periodic recurring scans' to 'On', and configure a storage account for storing vulnerability assessment scan results. 4. Click Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ff6dbca8-d93c-49fc-92af-dc25da7faccd\",\r\n \"name\": \"ff6dbca8-d93c-49fc-92af-dc25da7faccd\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Advanced data security should be enabled on your managed instances\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9\",\r\n \"description\": \"Advanced data security (ADS) is a unified package that provides advanced SQL security capabilities. It discovers and classifies sensitive data, surfaces and mitigates potential database vulnerabilities, and detects anomalous activities that could indicate a threat to your database. ADS is charged at $15 per managed SQL server.\",\r\n \"remediationDescription\": \"To enable advanced data security on managed SQL servers: 1. Select the managed SQL server. 2. Under 'Advanced Data Security', select 'On'. 3. Under 'Vulnerability Assessment Settings', set 'Periodic recurring scans' to 'On', and configure a storage account for storing vulnerability assessment scan results. 4. Click Save.
Note: ADS is charged at $15 per managed SQL server.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/35b25be2-d08a-e340-45ed-f08a95d804fc\",\r\n \"name\": \"35b25be2-d08a-e340-45ed-f08a95d804fc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Only secure connections to your Redis Cache should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/22bee202-a82f-4305-9a2a-6d7f44d4dedb\",\r\n \"description\": \"Enable only connections via SSL to Redis Cache. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.\",\r\n \"remediationDescription\": \"To enable only SSL connections to your Redis Cache, we recommend the following steps: 1. Go to the Redis Caches, and select your redis cache. 2. Select 'Advanced settings'. 3. For 'Allow access only via SSL', click 'Yes' and then click 'Save'.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/77785808-ce86-4e40-b45f-19110a547397\",\r\n \"name\": \"77785808-ce86-4e40-b45f-19110a547397\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in IoT Hub should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/383856f8-de7f-44a2-81fc-e5135b5c2aa4\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable IoT Hub diagnostics: 1. Go to the Event Hub namespace. 2. Click Diagnostic settings and then click Turn on diagnostics. 3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/32771b45-220c-1a8b-584e-fdd5a2584a66\",\r\n \"name\": \"32771b45-220c-1a8b-584e-fdd5a2584a66\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Batch accounts should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/428256e6-1fac-4f48-a757-df34c2b3336d\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Batch diagnostics: 1. Go to Batch and click on your subscription. 2. Click Diagnostic settings and then click Turn on diagnostics. 3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f11b27f2-8c49-5bb4-eff5-e1e5384bf95e\",\r\n \"name\": \"f11b27f2-8c49-5bb4-eff5-e1e5384bf95e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Azure Stream Analytics should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f9be5368-9bf5-4b84-9e0a-7850da98bb46\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Stream Analytics diagnostics: 1. Go to Stream Analytics and click on your subscription. 2. Click Diagnostic settings and then click Turn on diagnostics. 3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f19ab7d9-5ff2-f8fd-ab3b-0bf95dcb6889\",\r\n \"name\": \"f19ab7d9-5ff2-f8fd-ab3b-0bf95dcb6889\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Service Bus should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f8d36e2f-389b-4ee4-898d-21aeb69a0f45\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Service Bus diagnostics: 1. Go to the Service Bus. 2. Click Diagnostic settings and then click Turn on diagnostics. 3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b12bc79e-4f12-44db-acda-571820191ddc\",\r\n \"name\": \"b12bc79e-4f12-44db-acda-571820191ddc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Automation account variables should be encrypted\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735\",\r\n \"description\": \"It is important to enable encryption of Automation account variable assets when storing sensitive data.\",\r\n \"remediationDescription\": \"To apply encryption of the Automation account variable assets, in the Azure CLI - run the following command: Set-AzAutomationVariable -AutomationAccountName '{AutomationAccountName}' -Encrypted $true -Name '{VariableName}' -ResourceGroupName '{ResourceGroupName}' -Value '{Value}'
Read more here\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ad5bbaeb-7632-5edf-f1c2-752075831ce8\",\r\n \"name\": \"ad5bbaeb-7632-5edf-f1c2-752075831ce8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Azure Data Lake Store should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/057ef27e-665e-4328-8ea3-04b3122bd9fb\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Data Lake Store diagnostics: 1. Go to Data Lake Store and click on your subscription. 2. Click Diagnostic settings and then click Turn on diagnostics. 3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/dea5192e-1bb3-101b-b70c-4646546f5e1e\",\r\n \"name\": \"dea5192e-1bb3-101b-b70c-4646546f5e1e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Search services should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b4330a05-a843-4bc8-bf9a-cacce50c67f4\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Search diagnostics: 1. Go to Search and click on your subscription. 2. Click Diagnostic settings and then click Turn on diagnostics. 3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/03afeb6f-7634-adb3-0a01-803b0b9cb611\",\r\n \"name\": \"03afeb6f-7634-adb3-0a01-803b0b9cb611\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Service Fabric clusters should only use Azure Active Directory for client authentication\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b54ed75b-3e1a-44ac-a333-05ba39b99ff0\",\r\n \"description\": \"Perform Client authentication only via Azure Active Directory in Service Fabric\",\r\n \"remediationDescription\": \"To enable client authentication using Azure Active Directory follow the instructions to Set up Azure Active Directory for client authentication.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7f04fc0c-4a3d-5c7e-ce19-666cb871b510\",\r\n \"name\": \"7f04fc0c-4a3d-5c7e-ce19-666cb871b510\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/617c02be-7f02-4efd-8836-3180d47b6c68\",\r\n \"description\": \"Service Fabric provides three levels of protection (None, Sign and EncryptAndSign) for node-to-node communication using a primary cluster certificate. Set the protection level to ensure that all node-to-node messages are encrypted and digitally signed.\",\r\n \"remediationDescription\": \"To set 'ClusterProtectionLevel' inside Service Fabric ARM template to 'EncryptAndSign': 1. Go to the Service fabric cluster. 2. Click on 'Custom fabric settings'. 3. Click 'Add new', set the 'Security' section and update the 'ClusterProtectionLevel' property to 'EncryptAndSign'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1597605a-0faf-5860-eb74-462ae2e9fc21\",\r\n \"name\": \"1597605a-0faf-5860-eb74-462ae2e9fc21\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Event Hub should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83a214f7-d01a-484b-91a9-ed54470c9a6a\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Event Hub diagnostics: 1. Go to the Event Hub namespace. 2. Click Diagnostic settings and then click Turn on diagnostics. 3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/91387f44-7e43-4ecc-55f0-46f5adee3dd5\",\r\n \"name\": \"91387f44-7e43-4ecc-55f0-46f5adee3dd5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Logic Apps should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34f95f76-5386-4de7-b824-0d8478470c9d\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Logic Apps diagnostics: 1. Go to Logic Apps and click on your subscription. 2. Click Diagnostic settings and then click Turn on diagnostics. 3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/961eb649-3ea9-f8c2-6595-88e9a3aeedeb\",\r\n \"name\": \"961eb649-3ea9-f8c2-6595-88e9a3aeedeb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Virtual Machine Scale Sets should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7c1b1214-f927-48bf-8882-84f0af6588b1\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Virtual Machines Scale Sets diagnostics follow the instructions\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606\",\r\n \"description\": \"To benefit from new capabilities in Azure Resource Manager, you can migrate existing deployments from the Classic deployment model. Resource Manager enables security enhancements such as: stronger access control (RBAC), better auditing, ARM-based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management. Learn more\",\r\n \"remediationDescription\": \"To migrate storage accounts to new ARM resources : 1. Go to the Storage Account 2. Click on Migrate to ARM and follow the instructions.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/88bbc99c-e5af-ddd7-6105-6150b2bfa519\",\r\n \"name\": \"88bbc99c-e5af-ddd7-6105-6150b2bfa519\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Key Vault should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Key Vault diagnostics: 1. Go to Key Vault and click on your subscription. 2. Click Diagnostic settings and then click Turn on diagnostics. 3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/45d313c3-3fca-5040-035f-d61928366d31\",\r\n \"name\": \"45d313c3-3fca-5040-035f-d61928366d31\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Access to storage accounts with firewall and virtual network configurations should be restricted\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c\",\r\n \"description\": \"Review the settings of network access in your storage account firewall settings. It is recommended to configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premise clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges.\",\r\n \"remediationDescription\": \"1. In your storage account, go to 'Firewalls and virtual networks'. 2. Under 'Allow access from', choose 'Selected networks'. 3. Configure the relevant virtual networks and IP ranges that should be allowed to access your storage account. 4. Configure \\\"Allow trusted Microsoft services to access your storage account\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": \"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Secure transfer to storage accounts should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9\",\r\n \"description\": \"Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.\",\r\n \"remediationDescription\": \"To enable secure transfer required: 1. In your storage account, go to the 'Configuration' page. 2. Enable 'Secure transfer required'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bd20bd91-aaf1-7f14-b6e4-866de2f43146\",\r\n \"name\": \"bd20bd91-aaf1-7f14-b6e4-866de2f43146\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"System updates on virtual machine scale sets should be installed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe\",\r\n \"description\": \"Install missing system security and critical updates to secure your Windows and Linux virtual machine scale sets.\",\r\n \"remediationDescription\": \"To install system updates: 1. Review the list of missing system updates. 2. Follow the steps to resolve the update, as described in the support link.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/45cfe080-ceb1-a91e-9743-71551ed24e94\",\r\n \"name\": \"45cfe080-ceb1-a91e-9743-71551ed24e94\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Monitoring agent should be installed on virtual machine scale sets\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/f3631911-7880-4edb-88bd-6411f5e3b6ec\",\r\n \"description\": \"Security Center uses the Microsoft Monitoring Agent (MMA) to collect security events from your Azure virtual machine scale sets.<br> You cannot configure auto-provisioning of the MMA for Azure virtual machine scale sets. To deploy the MMA on virtual machine scale sets (including those used by Azure managed services such as Azure Kubernetes Service and Azure Service Fabric), please follow the procedure in the remediation steps.\",\r\n \"remediationDescription\": \"To install monitoring agent : 1. Select or create a workspace. 2. Click on Install to install the agent on the scale set.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8941d121-f740-35f6-952c-6561d2b38d36\",\r\n \"name\": \"8941d121-f740-35f6-952c-6561d2b38d36\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities in security configuration on your virtual machine scale sets should be remediated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4\",\r\n \"description\": \"Remediate vulnerabilities in security configuration on your virtual machine scale sets to protect them from attacks.\",\r\n \"remediationDescription\": \"To remediate vulnerabilities in VM scale set security configurations: 1. Review the list of failed rules. 2. Fix each rule according to the instructions provided.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/21300918-b2e3-0346-785f-c77ff57d243b\",\r\n \"name\": \"21300918-b2e3-0346-785f-c77ff57d243b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Endpoint protection solution should be installed on virtual machine scale sets\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de\",\r\n \"description\": \"Install an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities.\",\r\n \"remediationDescription\": \"To install an endpoint protection solution: 1. Follow the instructions in How do I turn on antimalware in my virtual machine scale set\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e71020c2-860c-3235-cd39-04f3f8c936d2\",\r\n \"name\": \"e71020c2-860c-3235-cd39-04f3f8c936d2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Endpoint protection health failures should be remediated on virtual machine scale sets\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de\",\r\n \"description\": \"Remediate endpoint protection health failures on your virtual machine scale sets to protect them from threats and vulnerabilities.\",\r\n \"remediationDescription\": \"Resolve endpoint protection health issues on your VM scale sets to get full protection and coverage by Azure Security Center. To do this, follow the instructions in each of the possible endpoint protection health issues displayed on your virtual machine scale set.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6c99f570-2ce7-46bc-8175-cde013df43bc\",\r\n \"name\": \"6c99f570-2ce7-46bc-8175-cde013df43bc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Guest configuration extension should be installed on Windows virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/5fc23db3-dd4d-4c56-bcc7-43626243e601\",\r\n \"description\": \"Install the guest configuration agent to enable auditing settings inside a machine such as: - The configuration of the operating system
- Application configuration or presence
- Environment settings
Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'.
For more details, visit in-guest policies\",\r\n \"remediationDescription\": \"Quick fix remediation:
To remediate with a single click, in the Unhealthy resources tab (below), select the resources, and click 'Remediate'.
Read the remediation details in the confirmation box, and approve the remediation.
Note: It can take several minutes after remediation completes to see the resources in the ‘healthy resources’ tab.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/22489c48-27d1-4e40-9420-4303ad9cffef\",\r\n \"name\": \"22489c48-27d1-4e40-9420-4303ad9cffef\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Windows Defender Exploit Guard should be enabled on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/bed48b13-6647-468e-aa2f-1af1d3f4dd40\",\r\n \"description\": \"Windows Defender Exploit Guard leverages the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only).\",\r\n \"remediationDescription\": \"Enable controlled folder access: controlled folder access
The following attack surface rules should be enabled:
'be9ba2d9-53ea-4cdc-84e5-9b1eeee46550',
'b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4',
'9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2',
'd4f940ab-401b-4efc-aadc-ad5f3c50688a',
'd3e037e1-3eb8-44c8-a917-57927947596d',
'5beb7efe-fd9a-4556-801d-275e5ffc04cc',
'3b576869-a4ec-4529-8536-b80a7769e899',
'26190899-1602-49e8-8b27-eb1d0a1ce869',
'92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B',
'7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c',
'75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84'
For more information on visit:attack surface reduction\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ThreatResistance\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/27ac71b1-75c5-41c2-adc2-858f5db45b08\",\r\n \"name\": \"27ac71b1-75c5-41c2-adc2-858f5db45b08\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Log Analytics agent should be installed on your Windows-based Azure Arc machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/d69b1763-b96d-40b8-a2d9-ca31e9fd0d3e\",\r\n \"description\": \"Security Center uses the Log Analytics agent (also known as MMA) to collect security events from your Azure Arc machines. To deploy the agent on all your Azure Arc machines, follow the remediation steps.\",\r\n \"remediationDescription\": \"Security Center can deploy the agents to all your machines with quick fix: 1. From the Unhealthy resources tab, select the relevant machines, and select \\\"Remediate\\\". 2. Read the remediation details in the confirmation box, modify the parameters as necessary, and approve the remediation. Note: It can take several minutes after remediation completes until the resources move to the Healthy resources tab. Manual Remediation: 1. From Azure Arc machine's page, go to Extensions and select Add. 2. Follow the instructions to add the relevant extension. You can also use ARM template or Azure Policies to manage the extension deployment to Arc servers.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/720a3e77-0b9a-4fa9-98b6-ddf0fd7e32c1\",\r\n \"name\": \"720a3e77-0b9a-4fa9-98b6-ddf0fd7e32c1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Log Analytics agent should be installed on your Linux-based Azure Arc machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/842c54e8-c2f9-4d79-ae8d-38d8b8019373\",\r\n \"description\": \"Security Center uses the Log Analytics agent (also known as OMS) to collect security events from your Azure Arc machines. To deploy the agent on all your Azure Arc machines, follow the remediation steps.\",\r\n \"remediationDescription\": \"Security Center can deploy the agents to all your machines with quick fix: 1. From the Unhealthy resources tab, select the relevant machines, and select \\\"Remediate\\\". 2. Read the remediation details in the confirmation box, modify the parameters as necessary, and approve the remediation. Note: It can take several minutes after remediation completes until the resources move to the Healthy resources tab. Manual Remediation: 1. From Azure Arc machine's page, go to Extensions and select Add. 2. Follow the instructions to add the relevant extension. You can also use ARM template or Azure Policies to manage the extension deployment to Arc servers.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9d07b7e6-2986-4964-a76c-b2689604e212\",\r\n \"name\": \"9d07b7e6-2986-4964-a76c-b2689604e212\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Identical Authentication Credentials\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5468b9f3-f0dd-41e3-a383-f0f442f34bcf\",\r\n \"description\": \"Identical authentication credentials to the IoT Hub used by multiple devices. This could indicate an illegitimate device impersonating a legitimate device. It also exposes the risk of device impersonation by an attacker\",\r\n \"remediationDescription\": \"Review the devices in question and make sure they are all valid. Replace any duplicated credentials and make sure all device authentication credentials are unique.\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5a3d6cdd-8eb3-46d2-ba11-d24a0d47fe65\",\r\n \"name\": \"5a3d6cdd-8eb3-46d2-ba11-d24a0d47fe65\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Default IP Filter Policy should be Deny\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bde66085-0bff-4163-a200-2ff7c1175045\",\r\n \"description\": \"IP Filter Configuration should have rules defined for allowed traffic and should deny all other traffic by default\",\r\n \"remediationDescription\": \"Add a default rule at the end of the defined rules list to deny all inbound traffic. Make sure any rules defined above it only allow wanted traffic through.\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d8326952-60bb-40fb-b33f-51e662708a88\",\r\n \"name\": \"d8326952-60bb-40fb-b33f-51e662708a88\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IP Filter rule large IP range\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3f528984-4591-4989-b6bc-6d9f67f3de57\",\r\n \"description\": \"An Allow IP Filter rule's source IP range is too large. Overly permissive rules might expose your IoT hub to malicious intenders\",\r\n \"remediationDescription\": \"Review the rule in question and verify source IP range is as small as it needs to be for necessary traffic to go through.\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1a36f14a-8bd8-45f5-abe5-eef88d76ab5b\",\r\n \"name\": \"1a36f14a-8bd8-45f5-abe5-eef88d76ab5b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Open Ports On Device\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fa676ae0-e4c3-4803-8ce8-e85df20b57cd\",\r\n \"description\": \"A listening endpoint was found on the device\",\r\n \"remediationDescription\": \"Review the open ports on the device and make sure they belong to legitimate and necessary processes for the device to function correctly\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ba975338-f956-41e7-a9f2-7614832d382d\",\r\n \"name\": \"ba975338-f956-41e7-a9f2-7614832d382d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Permissive firewall rule in the input chain was found\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a782bbed-a876-4631-9bc5-7ace7d466dc8\",\r\n \"description\": \"A rule in the firewall has been found that contains a permissive pattern for a wide range of IP addresses or Ports\",\r\n \"remediationDescription\": \"Review the rules in the recommendation and verify only necessary addresses / ports are allowed in\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/beb62be3-5e78-49bd-ac5f-099250ef3c7c\",\r\n \"name\": \"beb62be3-5e78-49bd-ac5f-099250ef3c7c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Permissive firewall policy in one of the chains was found\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fce8d615-a5d2-431d-ba4d-2d9ae164224f\",\r\n \"description\": \"An allowed firewall policy was found in main firewall Chains (INPUT/OUTPUT). The policy should Deny all traffic by default define rules to allow necessary communication to/from the device\",\r\n \"remediationDescription\": \"Change firewall policy to Drop and add specific rules to permit access to legitimate connections to/from the device\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d5a8d84a-9ad0-42e2-80e0-d38e3d46028a\",\r\n \"name\": \"d5a8d84a-9ad0-42e2-80e0-d38e3d46028a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Permissive firewall rule in the output chain was found\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/75af18a4-86e2-40ab-a157-359d67bd9314\",\r\n \"description\": \"A rule in the firewall has been found that contains a permissive pattern for a wide range of IP addresses or ports\",\r\n \"remediationDescription\": \"Review the rules in the recommendation and verify only necessary addresses / ports are allowed out\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3a577f3e-2a57-4197-bc79-85007d5c8cd8\",\r\n \"name\": \"3a577f3e-2a57-4197-bc79-85007d5c8cd8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Install the Azure Security of Things Agent\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b122f8fc-72f9-4a24-87ec-b71bdfb5a890\",\r\n \"description\": \"Installing the Azure Security of Things agent on a device increases the security detections available for it\",\r\n \"remediationDescription\": \"Install the Azure Security of Things Security Agent\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5f65e47f-7a00-4bf3-acae-90ee441ee876\",\r\n \"name\": \"5f65e47f-7a00-4bf3-acae-90ee441ee876\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Operating system baseline validation failure\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a15d59b-fbfe-41c9-bdb1-d900cc77eb6e\",\r\n \"description\": \"Security related system configuration issues identified\",\r\n \"remediationDescription\": \"Review the failed rules and remediate the security configuration vulnerabilities identified on your devices\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a9a59ebb-5d6f-42f5-92a1-036fd0fd1879\",\r\n \"name\": \"a9a59ebb-5d6f-42f5-92a1-036fd0fd1879\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Agent sending underutilized messages\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a6cb74de-df4c-497f-9e87-f0ccd430de6c\",\r\n \"description\": \"IoT agent message size capacity is currently underutilized, causing an increase in the number of sent messages. Adjust message intervals for better utilization\",\r\n \"remediationDescription\": \"To avoid too many underutilized messages, consider enlarging the high/low priority send intervals\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2acc27c6-5fdb-405e-9080-cb66b850c8f5\",\r\n \"name\": \"2acc27c6-5fdb-405e-9080-cb66b850c8f5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - TLS cipher suite upgrade needed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f4912296-8654-4bf1-bb7b-a42bfa368af6\",\r\n \"description\": \"Unsecure TLS configurations detected. Immediate TLS cipher suite upgrade recommended\",\r\n \"remediationDescription\": \"Upgrade your TLS cipher suite to a secure configuration. See the Guide to TLS Standards Compliance for more information\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d74d2738-2485-4103-9919-69c7e63776ec\",\r\n \"name\": \"d74d2738-2485-4103-9919-69c7e63776ec\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Auditd process stopped sending events\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5502d409-6ab3-401d-a4ae-619cf2bbf68e\",\r\n \"description\": \"Security events originated from Auditd process are no longer received from this device\",\r\n \"remediationDescription\": \"Verify Auditd process is running on the device, restart process or device as needed\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2acd365d-e8b5-4094-bce4-244b7c51d67c\",\r\n \"name\": \"2acd365d-e8b5-4094-bce4-244b7c51d67c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Service principals should be used to protect your subscriptions instead of Management Certificates\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Security/assessmentMetadata/2acd365d-e8b5-4094-bce4-244b7c51d67c\",\r\n \"description\": \"Management certificates allow anyone who authenticates with them to manage the subscription(s) they are associated with. To manage subscriptions more securely, using service principals with Resource Manager is recommended to limit the blast radius in the case of a certificate compromise. It also automates resource management. \",\r\n \"remediationDescription\": \"To remove management certificates and replace with service principals:1. Follow the guidance here to create service principals with a certificate. 2. Select a subscription from the list of subscriptions below or navigate to the specific subscription. 3. Select In the Management Certificates under Settings , delete the existing management certificates you would like to replace with the service principals you created.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"name\": \"eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Subnets should be associated with a network security group\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e71308d3-144b-4262-b144-efdc3cc90517\",\r\n \"description\": \"Protect your subnet from potential threats by restricting access to it with a network security group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. When an NSG is associated with a subnet, the ACL rules apply to all the VM instances and integrated services in that subnet, but don't apply to internal traffic inside the subnet. To secure resources in the same subnet from one another, enable NSG directly on the resources as well.\",\r\n \"remediationDescription\": \"To enable network security groups on your virtual machines: 1. Select a VM to enable NSG on its NIC. 2. In the 'Networking' blade, click the Network Interface that is associated with the selected VM. 3. In the 'Network interface' blade, click the 'Network security group' menu item. 4. Click the 'Edit' button at the top of the blade. 5. Follow the steps and select an existing network security group to attach to this VM.
Click here to learn more.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"name\": \"e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure DDoS Protection Standard should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd\",\r\n \"description\": \"Security Center has discovered virtual networks with applications and firewalls unprotected by the DDoS protection service. These apps and firewalls have public IPs. Enable mitigation of network volumetric and protocol attacks.\",\r\n \"remediationDescription\": \"1. Select a virtual network to enable the DDoS protection service standard on. 2. Select the Standard option. 3. Click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"ThreatResistance\",\r\n \"DenialOfService\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/35f45c95-27cf-4e52-891f-8390d1de5828\",\r\n \"name\": \"35f45c95-27cf-4e52-891f-8390d1de5828\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Adaptive application controls for whitelisting safe applications should be enabled on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc\",\r\n \"description\": \"Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.\",\r\n \"remediationDescription\": \"To enable and configure adaptive application controls: 1. From the portal, open Security Center. 2. Select \\\"Adaptive application controls\\\" from Security Center’s sidebar. 3. To see the groups of machines that Security Center recommends protecting with adaptive application controls, select the \\\"Recommended\\\" tab and choose a group of machines to protect. 4. Create a new applications control policy according to the instructions in Security Center’s documentation: https://aka.ms/aac-newpolicy\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\",\r\n \"ThreatResistance\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1234abcd-1b53-4fd4-9835-2c2fa3935313\",\r\n \"name\": \"1234abcd-1b53-4fd4-9835-2c2fa3935313\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Whitelisting rules in your adaptive application control policy should be updated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/123a3936-f020-408a-ba0c-47873faf1534\",\r\n \"description\": \"Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to whitelist in adaptive application control policies.\",\r\n \"remediationDescription\": \"To update your whitelists of known-safe applications: 1. From the portal, open Security Center. 2. Select \\\"Adaptive application controls\\\" from Security Center’s sidebar. 3. To see the groups of machines for which Security Center recommends updating the policy, select the \\\"Recommended\\\" tab and choose the configured group of machines. 4. The current policy will be displayed together with the new rules that Security Center recommends adding.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\",\r\n \"ThreatResistance\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f9f0eed0-f143-47bf-b856-671ea2eeed62\",\r\n \"name\": \"f9f0eed0-f143-47bf-b856-671ea2eeed62\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Adaptive Network Hardening recommendations should be applied on internet facing virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6\",\r\n \"description\": \"Azure Security Center has analyzed the internet traffic communication patterns of the virtual machines listed below, and determined that the existing rules in the NSGs associated to them are overly permissive, resulting in an increased potential attack surface.
This typically occurs when this IP address doesn't communicate regularly with this resource. Alternatively, the IP address has been flagged as malicious by Security Center's threat intelligence sources. learn more\",\r\n \"remediationDescription\": \"To harden the Network Security Group traffic rules, enforce the recommended rules by following the steps below or manually edit the rules directly on the Network Security Group:
- Select a VM from the list below, or click \\\"Take action\\\" if you've arrived from a specific VM's recommendation blade.
- Click the \\\"Rules\\\" tab.
- If you want to modify a recommended rule's parameters:
- In the rule that you want to change, select the three dots and select \\\"Edit rule\\\". The \\\"Edit rule\\\" blade opens.
- Modify the parameters that you want to change and click \\\"Save\\\". The blade closes.
- If you want to create a new rule:
- Click \\\"Add rule\\\" (in the top left corner). The \\\"Edit rule\\\" blade opens.
- Fill in the parameters and click \\\"Add rule\\\". The pane closes and the new rule is listed in the Rules tab.
- Select the rules that you want to apply (including any rules that you edited or added) and click \\\"Enforce\\\".
\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/805651bc-6ecd-4c73-9b55-97a19d0582d0\",\r\n \"name\": \"805651bc-6ecd-4c73-9b55-97a19d0582d0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Management ports of virtual machines should be protected with just-in-time network access control\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c\",\r\n \"description\": \"N/A\",\r\n \"remediationDescription\": \"N/A\",\r\n \"categories\": [\r\n \"Compute\",\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/01b1ed4c-b733-4fee-b145-f23236e70cf3\",\r\n \"name\": \"01b1ed4c-b733-4fee-b145-f23236e70cf3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerability assessment solution should be installed on your virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/760a85ff-6162-42b3-8d70-698e268f648c\",\r\n \"description\": \"N/A\",\r\n \"remediationDescription\": \"N/A\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/71992a2a-d168-42e0-b10e-6b45fa2ecddb\",\r\n \"name\": \"71992a2a-d168-42e0-b10e-6b45fa2ecddb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities should be remediated by a Vulnerability Assessment solution\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/760a85ff-6162-42b3-8d70-698e268f648c\",\r\n \"description\": \"N/A\",\r\n \"remediationDescription\": \"N/A\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\",\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bc303248-3d14-44c2-96a0-55f5c326b5fe\",\r\n \"name\": \"bc303248-3d14-44c2-96a0-55f5c326b5fe\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Management ports should be closed on your virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/22730e10-96f6-4aac-ad84-9383d35b5917\",\r\n \"description\": \"Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.\",\r\n \"remediationDescription\": \"We recommend that you edit the inbound rules of some of your virtual machines, to restrict access to specific source ranges.
To restrict access to your virtual machines: 1. Select a VM to restrict access to. 2. In the 'Networking' blade, click on each of the rules that allow management ports (e.g. RDP-3389, WINRM-5985, SSH-22). 3. Either change the 'Action' property to 'Deny', or, improve the rule by applying a less permissive range of source IP ranges. 4. Click 'Save'.
Use Azure Security Center's Just-in-time (JIT) virtual machine (VM) access to lock down inbound traffic to your Azure VMs by demand. Click here to learn more.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ThreatResistance\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c3b51c94-588b-426b-a892-24696f9e54cc\",\r\n \"name\": \"c3b51c94-588b-426b-a892-24696f9e54cc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IP forwarding on your virtual machine should be disabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744\",\r\n \"description\": \"Azure Security Center has discovered that IP forwarding is enabled on some of your virtual machines. Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.\",\r\n \"remediationDescription\": \"We recommend you edit the IP configurations of the NICs belonging to some of your virtual machines.
To disable IP forwarding: 1. Select a VM from the list below, or click 'Take action' if you've arrived from a specific VM's recommendation blade. 2. In the 'Networking' blade, click on the NIC link ('Network Interface' in the top left). 3. In the 'IP configurations' blade, set the 'IP forwarding' field to 'Disabled'. 4. Click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3b20e985-f71f-483b-b078-f30d73936d43\",\r\n \"name\": \"3b20e985-f71f-483b-b078-f30d73936d43\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"All network ports should be restricted on NSG associated to your VM\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9daedab3-fb2d-461e-b861-71790eead4f6\",\r\n \"description\": \"Azure Security center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to easily target your resources.\",\r\n \"remediationDescription\": \"We recommend that you edit the inbound rules of some of your virtual machines, to restrict access to specific source ranges.
To restrict access to your virtual machines: 1. Select a VM to restrict access to. 2. In the 'Networking' blade, click the Network Security Group with overly permissive rules. 3. In the 'Network security group' blade, click on each of the rules that are overly permissive. 4. Improve the rule by applying less permissive source IP ranges. 5. Apply the suggested changes and click 'Save'.
If some or all of these virtual machines do not need to be accessed directly from the Internet, then you can also consider removing the public IP associated to them.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/483f12ed-ae23-447e-a2de-a67a10db4353\",\r\n \"name\": \"483f12ed-ae23-447e-a2de-a67a10db4353\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Internet-facing virtual machines should be protected with network security groups\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c\",\r\n \"description\": \"Protect your VM from potential threats by restricting access to it with a network security group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your VM from other instances, in or outside the same subnet.
Please note that to keep your machine as secured as possible, both the VM access to the Internet must be restricted, and an NSG should be enabled on the subnet.
VMs with 'High' severity are Internet-facing VMs.\",\r\n \"remediationDescription\": \"To enable Network Security Groups on your virtual machines: 1. Select a VM to enable NSG on its NIC. 2. In the 'Networking' blade, click the Network Interface that is associated with the selected VM. 3. In the 'Network interface' blade, click the 'Network security group' menu item. 4. Click the 'Edit' button at the top of the blade. 5. Follow the steps and select an existing network security group to attach to this VM.
Click here to learn more.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a9341235-9389-42f0-a0bf-9bfb57960d44\",\r\n \"name\": \"a9341235-9389-42f0-a0bf-9bfb57960d44\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Non-internet-facing virtual machines should be protected with network security groups\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6\",\r\n \"description\": \"Protect your non-internet-facing virtual machine from potential threats by restricting access to it with a network security group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your VM from other instances, whether or not they're on the same subnet.
Note that to keep your machine as secure as possible, the VM's access to the internet must be restricted and an NSG should be enabled on the subnet.\",\r\n \"remediationDescription\": \"To enable network security groups on your virtual machines: 1. Select a VM to enable an NSG on its NIC. 2. In the 'Networking' pane, select the Network Interface that is associated with the selected VM. 3. In the 'Network interface' pane, select the 'Network security group' menu item. 4. Select 'Edit' at the top of the pane. 5. Follow the steps and select an existing network security group to attach to this VM.
Learn more.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/550e890b-e652-4d22-8274-60b3bdb24c63\",\r\n \"name\": \"550e890b-e652-4d22-8274-60b3bdb24c63\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Enable the built-in vulnerability assessment solution on virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9\",\r\n \"description\": \"Install the Qualys extension (built-in to the Azure Security Center standard tier) to enable the industry-leading vulnerability assessment solution on your virtual machines.\",\r\n \"remediationDescription\": \"To remediate with a single click, in the Unhealthy resources tab (below), select the resources, and click 'Remediate'. Read the remediation details in the confirmation box, insert the relevant parameters if required and approve the remediation. Note: It can take several minutes after remediation completes to see the resources in the ‘healthy resources’\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/57f36d21-69e3-4b0f-a66c-18629d1b736d\",\r\n \"name\": \"57f36d21-69e3-4b0f-a66c-18629d1b736d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Adaptive Network Hardening recommendations should be applied on internal facing virtual machines (Preview)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/65f6008c-c7de-4146-b4f2-0f91aa80ebe0\",\r\n \"description\": \"Azure Security Center has analyzed the Internet traffic communication patterns of the virtual machines listed below, and determined that the existing rules in the NSGs associated to them are overly permissive, resulting in an increased potential attack surface. This could be due lack of traffic on the port/protocol tuples or specific IPs which have been flagged as malicious by Security Center's threat intelligence sources.\",\r\n \"remediationDescription\": \"Security Center recommends that you modify the rules of your virtual machines, to close ports which are not in use.
To close unused ports on your Virtual Machine with a Network Security Group
1. Select a Virtual Machine to display a list of its unused open ports
2. Open the Virtual Machine's Networking blade by clicking its name
3. Edit the Virtual Machine's inbound/outbound rules to block ports according to the list
4. Click Save\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/24d8af06-d441-40b4-a49c-311421aa9f58\",\r\n \"name\": \"24d8af06-d441-40b4-a49c-311421aa9f58\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Network traffic data collection agent should be installed on Windows virtual machines (Preview)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2f2ee1de-44aa-4762-b6bd-0893fc3f306d\",\r\n \"description\": \"Security Center uses the Microsoft Monitoring Dependency Agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats.\",\r\n \"remediationDescription\": \"To remediate with a single click, in the Unhealthy resources tab (below), select the resources, and click Remediate. Read the remediation details in the confirmation box, insert the relevant parameters if required and approve the remediation.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8c3e93d3-0276-4d06-b20a-9a9f3012742c\",\r\n \"name\": \"8c3e93d3-0276-4d06-b20a-9a9f3012742c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Network traffic data collection agent should be installed on Linux virtual machines (Preview)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/04c4380f-3fae-46e8-96c9-30193528f602\",\r\n \"description\": \"Security Center uses the Microsoft Monitoring Dependency Agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats.\",\r\n \"remediationDescription\": \"To remediate with a single click, in the Unhealthy resources tab (below), select the resources, and click Remediate. Read the remediation details in the confirmation box, insert the relevant parameters if required and approve the remediation.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b0df6f56-862d-4730-8597-38c0fd4ebd59\",\r\n \"name\": \"b0df6f56-862d-4730-8597-38c0fd4ebd59\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Sensitive data in your SQL databases should be classified\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/cc9835f2-9f6b-4cc8-ab4a-f8ef615eb349\",\r\n \"description\": \"Azure SQL DB Data discovery & classification provides capabilities for discovering, classifying, labeling, and protecting the sensitive data in your databases. Once your data is classified, you can use Azure SQL DB auditing to audit access and monitor the sensitive data. Azure SQL DB also enables Advanced Threat Protection features which creates intelligent alerts based on changes in the access patterns to the sensitive data.\",\r\n \"remediationDescription\": \"To remediate this recommendation: 1. In your SQL database, go to 'Advanced Data Security' and click 'Data Discovery and Classification'. 2. Review the recommended classifications. 3. Apply the relevant recommendations and dismiss the ones that are not applicable.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fe02b3b7-a722-d4d6-6731-6493776203a6\",\r\n \"name\": \"fe02b3b7-a722-d4d6-6731-6493776203a6\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities on your SQL databases should be remediated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc\",\r\n \"description\": \"SQL Vulnerability Assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security stature.\",\r\n \"remediationDescription\": \"To resolve SQL vulnerabilities: 1. In your SQL database, go to 'Advanced Data Security' and click 'Vulnerability Assessment'. 2. Review the set of Failed security checks found by the scan, which are sorted from high to low risk. 3. Click on each vulnerability to view its details and explicit remediation instructions and scripts. 4. Either remediate the vulnerability using the provided script, or set the result as an acceptable Baseline for the check so that it will be considered passing in subsequent scans.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f97aa83c-9b63-4f9a-99f6-b22c4398f936\",\r\n \"name\": \"f97aa83c-9b63-4f9a-99f6-b22c4398f936\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities on your SQL databases in VMs should be remediated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d\",\r\n \"description\": \"SQL Vulnerability Assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security stature.\",\r\n \"remediationDescription\": \"To resolve SQL vulnerabilities: 1. In your SQL database, go to 'Advanced Data Security' and click 'Vulnerability Assessment'. 2. Review the set of Failed security checks found by the scan, which are sorted from high to low risk. 3. Click on each vulnerability to view its details and explicit remediation instructions and scripts. 4. Either remediate the vulnerability using the provided script, or set the result as an acceptable Baseline for the check so that it will be considered passing in subsequent scans.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/dbd0cb49-b563-45e7-9724-889e799fa648\",\r\n \"name\": \"dbd0cb49-b563-45e7-9724-889e799fa648\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities in Azure Container Registry images should be remediated (powered by Qualys)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bf49982c-9e3e-4fc4-bc20-67afecd23512\",\r\n \"description\": \"Container image vulnerability assessment scans your registry for security vulnerabilities on each pushed container image and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks.\",\r\n \"remediationDescription\": \"To resolve container image vulnerabilities: 1. Navigate to the relevant resource under the 'Unhealthy' section and select the container image you are looking to remediate. 2. Review the set of failed security checks found by the scan, which are sorted from high to low risk. 3. Click on each vulnerability to view its details and explicit remediation instructions and scripts. 4. Remediate the vulnerability using the provided instructions described in the 'Remediation' field. 5. Upload the new remediated image to your registry. Review scan results for the new image to verify the vulnerability no longer exist. 6. Delete the old image with the vulnerability from you registry.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1195afff-c881-495e-9bc5-1486211ae03f\",\r\n \"name\": \"1195afff-c881-495e-9bc5-1486211ae03f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Remediate vulnerabilities found on your virtual machines (powered by Qualys)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9\",\r\n \"description\": \"Monitors for vulnerability findings on your virtual machines as were discovered by the built-in vulnerability assessment solution of Azure Security Center (powered by Qualys).\",\r\n \"remediationDescription\": \"Review and remediate vulnerability findings that were discovered by the built-in vulnerability assessment solution of Azure Security Center (powered by Qualys).\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/82e20e14-edc5-4373-bfc4-f13121257c37\",\r\n \"name\": \"82e20e14-edc5-4373-bfc4-f13121257c37\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities on your SQL databases should be remediated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc\",\r\n \"description\": \"SQL Vulnerability Assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security stature.\",\r\n \"remediationDescription\": \"To resolve SQL vulnerabilities: 1. In your SQL database, go to 'Advanced Data Security' and click 'Vulnerability Assessment'. 2. Review the set of Failed security checks found by the scan, which are sorted from high to low risk. 3. Click on each vulnerability to view its details and explicit remediation instructions and scripts. 4. Either remediate the vulnerability using the provided script, or set the result as an acceptable Baseline for the check so that it will be considered passing in subsequent scans.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n }\r\n ]\r\n}",
+ "ResponseBody": "{\r\n \"value\": [\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4fb67663-9ab9-475d-b026-8c544cced439\",\r\n \"name\": \"4fb67663-9ab9-475d-b026-8c544cced439\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Install endpoint protection solution on Linux virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9\",\r\n \"description\": \"\",\r\n \"remediationDescription\": \"\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0396b18c-41aa-489c-affd-4ee5d1714a59\",\r\n \"name\": \"0396b18c-41aa-489c-affd-4ee5d1714a59\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Secure Boot should be enabled on your virtual machine\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0396b18c-41aa-489c-affd-4ee5d1714a59\",\r\n \"description\": \"Enabling Secure Boot on your virtual machine helps mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only signed code will be allowed to run on your VM or server.\",\r\n \"remediationDescription\": \"Enabling Secure Boot requires restarting your virtual machine: 1. Stop your VM when it is safe to do so. 2. Enable Secure Boot for the VM. 3. Restart the VM.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ElevationOfPrivilege\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f7010359-8d21-4598-a9f2-c3e81a17141e\",\r\n \"name\": \"f7010359-8d21-4598-a9f2-c3e81a17141e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"All advanced threat protection types should be enabled in SQL server advanced data security settings\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e756b945-1b1b-480b-8de8-9a0859d5f7ad\",\r\n \"description\": \"It is recommended to enable all advanced threat protection types on your SQL servers. Enabling all types protects against SQL injection, database vulnerabilities, and any other anomalous activities.\",\r\n \"remediationDescription\": \"To set advanced threat protection types to 'All' on SQL servers: 1. Select the SQL server. 2. Make sure that 'Advanced data security' is set to 'On'. 3. Under 'Advanced threat protection types', mark the check box for 'all'. 4. click OK. 5. Click Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ebe970fe-9c27-4dd7-a165-1e943d565e10\",\r\n \"name\": \"ebe970fe-9c27-4dd7-a165-1e943d565e10\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"All advanced threat protection types should be enabled in SQL managed instance advanced data security settings\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bda18df3-5e41-4709-add9-2554ce68c966\",\r\n \"description\": \"It is recommended to enable all advanced threat protection types on your SQL managed instances. Enabling all types protects against SQL injection, database vulnerabilities, and any other anomalous activities.\",\r\n \"remediationDescription\": \"To set advanced threat protection types to 'All' on a managed instance: 1. Select the SQL server. 2. Make sure that 'Advanced data security' is set to 'On'. 3. Under 'Advanced threat protection types', mark the check box for 'all'. 4. click OK. 5. Click Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/64b8637e-4e1d-76a9-0fc9-c1e487a97ed8\",\r\n \"name\": \"64b8637e-4e1d-76a9-0fc9-c1e487a97ed8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Remote debugging should be turned off for Web Applications\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/cb510bfd-1cba-4d9f-a230-cb0976f4bb71\",\r\n \"description\": \"Remote debugging requires inbound ports to be opened on a web application. Remote debugging is currently enabled. If you no longer need to use remote debugging, it should be turned off.\",\r\n \"remediationDescription\": \"To turn off remote debugging, we recommend the following steps: 1. Go to the app service applications settings page 2. In the remote debugging toggle select Off 3. Click Save\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/df4d1739-47f0-60c7-1706-3731fea6ab03\",\r\n \"name\": \"df4d1739-47f0-60c7-1706-3731fea6ab03\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CORS should not allow every resource to access your Web Applications\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/5744710e-cc2f-4ee8-8809-3b11e89f4bc9\",\r\n \"description\": \"Cross-Origin Resource Sharing (CORS) should not allow all domains to access your web application. Allow only required domains to interact with your web app.\",\r\n \"remediationDescription\": \"To allow only required domains to interact with your web app, we recommend the following steps:<br>1. Go to the app service CORS page<br>2. Remove the \\\"*\\\" defined and instead specify explicit origins that should be allowed to make cross-origin calls<br>3. Click Save\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1b351b29-41ca-6df5-946c-c190a56be5fe\",\r\n \"name\": \"1b351b29-41ca-6df5-946c-c190a56be5fe\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Web Application should only be accessible over HTTPS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d\",\r\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\",\r\n \"remediationDescription\": \"To redirect all HTTP traffic to HTTPS, we recommend the following steps:
\\n1. Go to the app service custom domains page
\\n2. In the HTTPS Only toggle select On\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/093c685b-56dd-13a3-8ed5-887a001837a2\",\r\n \"name\": \"093c685b-56dd-13a3-8ed5-887a001837a2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Remote debugging should be turned off for Function App\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/0e60b895-3786-45da-8377-9c6b4b6ac5f9\",\r\n \"description\": \"Remote debugging requires inbound ports to be opened on an function app. Remote debugging should be turned off.\",\r\n \"remediationDescription\": \"To turn off remote debugging, we recommend the following steps:<br>1. Go to the app service applications settings page<br>2. In the remote debugging toggle select Off<br>3. Click Save\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7b3d4796-9400-2904-692b-4a5ede7f0a1e\",\r\n \"name\": \"7b3d4796-9400-2904-692b-4a5ede7f0a1e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CORS should not allow every resource to access your Function App\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/0820b7b9-23aa-4725-a1ce-ae4558f718e5\",\r\n \"description\": \"Cross-Origin Resource Sharing (CORS) should not allow all domains to access your Function app. Allow only required domains to interact with your Function app.\",\r\n \"remediationDescription\": \"To allow only required domains to interact with your web app, we recommend the following steps:<br>1. Go to the app service CORS page<br>2. Remove the \\\"*\\\" defined and instead specify explicit origins that should be allowed to make cross-origin calls<br>3. Click Save\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/cb0acdc6-0846-fd48-debe-9905af151b6d\",\r\n \"name\": \"cb0acdc6-0846-fd48-debe-9905af151b6d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Function App should only be accessible over HTTPS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab\",\r\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\",\r\n \"remediationDescription\": \"To redirect all HTTP traffic to HTTPS, we recommend the following steps:
\\n1. Go to the app service custom domains page
\\n2. In the HTTPS Only toggle select On\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9172da4e-9571-6e33-2b5b-d742847f3be7\",\r\n \"name\": \"9172da4e-9571-6e33-2b5b-d742847f3be7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Remote debugging should be turned off for API App\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/e9c8d085-d9cc-4b17-9cdc-059f1f01f19e\",\r\n \"description\": \"Remote debugging requires inbound ports to be opened on an API app. Remote debugging should be turned off.\",\r\n \"remediationDescription\": \"To turn off remote debugging, we recommend the following steps:<br>1. Go to the app service applications settings page<br>2. In the remote debugging toggle select Off<br>3. Click Save\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e40df93c-7a7c-1b0a-c787-9987ceb98e54\",\r\n \"name\": \"e40df93c-7a7c-1b0a-c787-9987ceb98e54\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CORS should not allow every resource to access your API App\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/358c20a6-3f9e-4f0e-97ff-c6ce485e2aac\",\r\n \"description\": \"Cross-Origin Resource Sharing (CORS) should not allow all domains to access your API app. Allow only required domains to interact with your API app.\",\r\n \"remediationDescription\": \"To allow only required domains to interact with your web app, we recommend the following steps:<br>1. Go to the app service CORS page<br>2. Remove the �*� defined and instead specify explicit origins that should be allowed to make cross-origin calls<br>3. Click Save\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bf82a334-13b6-ca57-ea75-096fc2ffce50\",\r\n \"name\": \"bf82a334-13b6-ca57-ea75-096fc2ffce50\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"API App should only be accessible over HTTPS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b7ddfbdc-1260-477d-91fd-98bd9be789a6\",\r\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\",\r\n \"remediationDescription\": \"To redirect all HTTP traffic to HTTPS, we recommend the following steps:
\\n1. Go to the app service custom domains page
\\n2. In the HTTPS Only toggle select On\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d57a4221-a804-52ca-3dea-768284f06bb7\",\r\n \"name\": \"d57a4221-a804-52ca-3dea-768284f06bb7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Disk encryption should be applied on virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d\",\r\n \"description\": \"Encrypt your virtual machine disks using Azure Disk Encryption both for Windows and Linux virtual machines.
\\n Azure Disk Encryption (ADE) leverages the industry standard BitLocker feature of Windows and the DM-Crypt feature of Linux to
\\n provide OS and data disk encryption to help protect and safeguard your data and help meet your organizational security and
\\n compliance commitments in customer Azure key vault. When your compliance and security requirement requires you to encrypt
\\n the data end to end using your encryption keys, including encryption of the ephemeral (locally attached temporary) disk, use
\\n Azure disk encryption. Alternatively, by default, Managed Disks are encrypted at rest by default using Azure Storage Service
\\n Encryption where the encryption keys are Microsoft managed keys in Azure. If this meets your compliance and security requirements,
\\n you can leverage the default Managed disk encryption to meet your requirements.\",\r\n \"remediationDescription\": \"To enable disk encryption on your virtual machines, follow Encryption instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4ab6e3c5-74dd-8b35-9ab9-f61b30875b27\",\r\n \"name\": \"4ab6e3c5-74dd-8b35-9ab9-f61b30875b27\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"System updates should be installed on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60\",\r\n \"description\": \"Install missing system security and critical updates to secure your Windows and Linux virtual machines and computers\",\r\n \"remediationDescription\": \"1. Click an identified outstanding update. 2. In the Missing system updates pane, click the support link and follow the instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c0f5316d-5ac5-9218-b77a-b96e16ccfd66\",\r\n \"name\": \"c0f5316d-5ac5-9218-b77a-b96e16ccfd66\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Your machines should be restarted to apply system updates\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60\",\r\n \"description\": \"Restart your machines to apply the system updates and secure the machine from vulnerabilities.\",\r\n \"remediationDescription\": \"To restart the machine:
\\n1. Go to Virtual machines and click on your machine.
\\n2. Click 'Restart'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/181ac480-f7c4-544b-9865-11b8ffe87f47\",\r\n \"name\": \"181ac480-f7c4-544b-9865-11b8ffe87f47\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities in security configuration on your machines should be remediated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15\",\r\n \"description\": \"Remediate vulnerabilities in security configuration on your machines to protect them from attacks.\",\r\n \"remediationDescription\": \"1.\\tClick any of the configuration vulnerabilities. 2. In the Remediate security configurations pane, click View affected machines. 3. Click a machine from the list. 4. Customize the Kusto query as necessary and run the command.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3bcd234d-c9c7-c2a2-89e0-c01f419c1a8a\",\r\n \"name\": \"3bcd234d-c9c7-c2a2-89e0-c01f419c1a8a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Endpoint protection health issues should be resolved on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9\",\r\n \"description\": \"For full Security Center protection, resolve monitoring agent issues on your machines by following the instructions in the Troubleshooting guide.\",\r\n \"remediationDescription\": \"1. Click any of the health issues. 2. Select a workspace. 3. Customize the Kusto query as necessary and run the command.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/83f577bd-a1b6-b7e1-0891-12ca19d1e6df\",\r\n \"name\": \"83f577bd-a1b6-b7e1-0891-12ca19d1e6df\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Install endpoint protection solution on virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9\",\r\n \"description\": \"Install an endpoint protection solution on your virtual machines, to protect them from threats and vulnerabilities.\",\r\n \"remediationDescription\": \"1.\\tSelect one or more virtual machines, or use the filter to set criteria for which machines to select. 2. Click Install on [x] VMs.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/651967bf-044e-4bde-8376-3e08e0600105\",\r\n \"name\": \"651967bf-044e-4bde-8376-3e08e0600105\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Transparent Data Encryption on SQL databases should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a8bef009-a5c9-4d0f-90d7-6018734e8a16\",\r\n \"description\": \"Enable transparent data encryption to protect data-at-rest and meet compliance requirements\",\r\n \"remediationDescription\": \"To enable transparent data encryption on your SQL databases: 1. Select the SQL database. 2. Under Data encryption, select On. 3. Click Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/94208a8b-16e8-4e5b-abbd-4e81c9d02bee\",\r\n \"name\": \"94208a8b-16e8-4e5b-abbd-4e81c9d02bee\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Auditing on SQL server should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9\",\r\n \"description\": \"Enable auditing on your SQL Server to track database activities across all databases on the server and save them in an audit log.\",\r\n \"remediationDescription\": \"To enable SQL server auditing:
\\n1. Select the SQL server.
\\n2. Under Auditing, select On.
\\n3. Select Storage details and configure a storage account for the audit log.
\\n4. Click Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8bc390da-9eb6-938d-25ed-44a35d9bcc9d\",\r\n \"name\": \"8bc390da-9eb6-938d-25ed-44a35d9bcc9d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"OS version should be updated for your cloud service roles\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Update the operating system (OS) version for your cloud service roles to the most recent version available for your OS family.\",\r\n \"remediationDescription\": \"Update the OS version on your cloud service roles to make sure you have the most recent OS version. To do this, follow the instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/383cf3bc-fdf9-4a02-120a-3e7e36c6bfee\",\r\n \"name\": \"383cf3bc-fdf9-4a02-120a-3e7e36c6bfee\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Install endpoint protection solution on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Install an endpoint protection solution on your Windows and Linux machines, to protect them from threats and vulnerabilities.\",\r\n \"remediationDescription\": \"1. Select one or more machines, or use the filter to set criteria for which machines to select. 2. Click Install on [x] machines.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e7ee30c4-bac9-2966-54bd-2023a4282872\",\r\n \"name\": \"e7ee30c4-bac9-2966-54bd-2023a4282872\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Monitoring agent should be installed on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This action installs a monitoring agent on the selected virtual machines. Select a workspace for the agent to report to.\",\r\n \"remediationDescription\": \"1. For instructions on how to install the agent on Windows, click here 2. For instructions on how to install the agent on Linux, click here\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8e2b96ff-3de2-289b-b5c1-3b9921a3441e\",\r\n \"name\": \"8e2b96ff-3de2-289b-b5c1-3b9921a3441e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Monitoring agent health issues should be resolved on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Security Center uses the Microsoft Monitoring Agent (MMA) to collect security events from your Azure virtual machines. To make sure your virtual machines are successfully monitored,
\\n you need to enable data collection in Security Center and make sure the MMA agent is both installed on the virtual machines and properly collects security events to the configured workspace.
\\n In some cases, the MMA agent may fail to properly report security events, due to multiple reasons. In these cases, coverage may be partial - security events won�t be properly processed,
\\n and in turn threat detection for the affected VMs may fail to function.\",\r\n \"remediationDescription\": \"To resolve monitoring agent health issues and see the different resolution for each issue, please see the following instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d1db3318-01ff-16de-29eb-28b344515626\",\r\n \"name\": \"d1db3318-01ff-16de-29eb-28b344515626\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Install monitoring agent on your virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Security Center uses the Microsoft Monitoring Agent (MMA) to collect security events from your Azure virtual machines.<br> We recommend configuring auto-provisioning to ensure the MMA is deployed automatically.<br> If you choose not to use auto-provisioning, you�ll need to follow the remediation steps to manually deploy the MMA for all your VMs.<br> You�ll also need to follow that procedure if your VMs are used by an Azure managed service such as Azure Kubernetes Service or Azure Service Fabric.\",\r\n \"remediationDescription\": \"Installation of the monitoring agent and enabling data collection in Security Center can be done in several ways:\\n- Using Security Center�s automatic provisioning on your subscription(s).
This will automatically provision the monitoring agent on current and future-created virtual machines on your subscription(s). (Learn more)
\\nYou can enable automatic provisioning on multiple subscriptions by clicking on the Getting started menu item, and select 'Install agents'.
You can also enable it for specific subscriptions and customize additional settings by clicking on the 'Security policy' menu item,
select 'Edit settings' on a subscription and enable auto provisioning in the 'data collection' menu item. \\n- Install the Microsoft Monitoring agent on your Virtual machines as a VM extension or directly, by following these instructions.
\\n- Provision the Microsoft Monitoring agent with Azure Policies. The applicable policy definitions are:
�[Preview]: Deploy Log Analytics Agent for Windows VMs� and �[Preview]: Deploy Log Analytics Agent for Linux VMs. \\n
\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/151e82c5-5341-a74b-1eb0-bc38d2c84bb5\",\r\n \"name\": \"151e82c5-5341-a74b-1eb0-bc38d2c84bb5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"MFA should be enabled on accounts with read permissions on your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e3576e28-8b17-4677-84c3-db2990658d64\",\r\n \"description\": \"Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources.\",\r\n \"remediationDescription\": \"Before enabling MFA for the users, you may want to take this opportunity to delete any users listed that are no longer active users.
To enable MFA using conditional access you must have an Azure AD Premium license and have AD tenant admin permissions.
To enable MFA on user accounts: 1. Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription. The list of user accounts that require enabling MFA opens. 2. Click 'Continue'. The Azure AD Conditional Access page opens. 3. In the Conditional Access page, add the list of users to an existing policy. If there are no existing policies create a new policy following these instructions:
a. Click '+New policy'.
b. In the 'Name' text box, enter a policy name.
c. Assign 'User and groups':
i. Select 'Users and groups' > In the 'Include' tab, select 'Select users and groups' and select the 'Users and groups' check box.
ii. Select the users that are in the list of user accounts require enabling MFA. You can scroll back to the left to see the list.
iii. After selecting the users, at the bottom of the list, click 'Select'.
iv. Click 'Done'.
d. Assign 'Cloud apps'
i. Select 'Cloud apps' > In the 'Include' tab, select 'All cloud apps'. (Don't exclude any apps.)
ii. Click 'Done'.
e. Assign 'Access Controls'
i. Select 'Grant' and select 'Require multi-factor authentication'. (Don't select any other options.)
ii. Click 'Select'.
f. Enable Policy.
i. Click 'On' 4. Click 'Create'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/57e98606-6b1e-6193-0e3d-fe621387c16b\",\r\n \"name\": \"57e98606-6b1e-6193-0e3d-fe621387c16b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"MFA should be enabled on accounts with write permissions on your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9297c21d-2ed6-4474-b48f-163f75654ce3\",\r\n \"description\": \"Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources.\",\r\n \"remediationDescription\": \"Before enabling MFA for the users, you may want to take this opportunity to delete any users listed that are no longer active users.
To enable MFA using conditional access you must have an Azure AD Premium license and have AD tenant admin permissions.
To enable MFA on user accounts: 1. Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription. The list of user accounts that require enabling MFA opens. 2. Click 'Continue'. The Azure AD Conditional Access page opens. 3. In the Conditional Access page, add the list of users to an existing policy. If there are no existing policies create a new policy following these instructions:
a. Click '+New policy'.
b. In the 'Name' text box, enter a policy name.
c. Assign 'User and groups':
i. Select 'Users and groups' > In the 'Include' tab, select 'Select users and groups' and select the 'Users and groups' check box.
ii. Select the users that are in the list of user accounts require enabling MFA. You can scroll back to the left to see the list.
iii. After selecting the users, at the bottom of the list, click 'Select'.
iv. Click 'Done'.
d. Assign 'Cloud apps'
i. Select 'Cloud apps' > In the 'Include' tab, select 'All cloud apps'. (Don't exclude any apps.)
ii. Click 'Done'.
e. Assign 'Access Controls'
i. Select 'Grant' and select 'Require multi-factor authentication'. (Don't select any other options.)
ii. Click 'Select'.
f. Enable Policy.
i. Click 'On' 4. Click 'Create'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/94290b00-4d0c-d7b4-7cea-064a9554e681\",\r\n \"name\": \"94290b00-4d0c-d7b4-7cea-064a9554e681\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"MFA should be enabled on accounts with owner permissions on your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/aa633080-8b72-40c4-a2d7-d00c03e80bed\",\r\n \"description\": \"Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources.\",\r\n \"remediationDescription\": \"Before enabling MFA for the users, you may want to take this opportunity to delete any users listed that are no longer active users.
To enable MFA using conditional access you must have an Azure AD Premium license and have AD tenant admin permissions.
To enable MFA on user accounts: 1. Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription. The list of user accounts that require enabling MFA opens. 2. Click 'Continue'. The Azure AD Conditional Access page opens. 3. In the Conditional Access page, add the list of users to an existing policy. If there are no existing policies create a new policy following these instructions:
a. Click '+New policy'.
b. In the 'Name' text box, enter a policy name.
c. Assign 'User and groups':
i. Select 'Users and groups' > In the 'Include' tab, select 'Select users and groups' and select the 'Users and groups' check box.
ii. Select the users that are in the list of user accounts require enabling MFA. You can scroll back to the left to see the list.
iii. After selecting the users, at the bottom of the list, click 'Select'.
iv. Click 'Done'.
d. Assign 'Cloud apps'
i. Select 'Cloud apps' > In the 'Include' tab, select 'All cloud apps'. (Don't exclude any apps.)
ii. Click 'Done'.
e. Assign 'Access Controls'
i. Select 'Grant' and select 'Require multi-factor authentication'. (Don't select any other options.)
ii. Click 'Select'.
f. Enable Policy.
i. Click 'On' 4. Click 'Create'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a8c6a4ad-d51e-88fe-2979-d3ee3c864f8b\",\r\n \"name\": \"a8c6a4ad-d51e-88fe-2979-d3ee3c864f8b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"External accounts with read permissions should be removed from your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5f76cf89-fbf2-47fd-a3f4-b891fa780b60\",\r\n \"description\": \"Accounts with read permissions that have different domain names (external accounts), should be removed from your subscription. This prevents unmonitored access. These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"To remove external accounts:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The list of external user accounts that require access removal opens.
Click 'Continue'. The Access control (IAM) page opens.
In the Access control page: 1. Click the 'Role assignments' 2. Search and select the users that were in the list of user accounts that require removal. You can scroll back to the left to see the list. 3. Click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/04e7147b-0deb-9796-2e5c-0336343ceb3d\",\r\n \"name\": \"04e7147b-0deb-9796-2e5c-0336343ceb3d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"External accounts with write permissions should be removed from your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5c607a2e-c700-4744-8254-d77e7c9eb5e4\",\r\n \"description\": \"Accounts with write permissions that have different domain names (external accounts), should be removed from your subscription. This prevents unmonitored access. These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"To remove external accounts:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The list of external user accounts that require access removal opens.
Click 'Continue'. The Access control (IAM) page opens.
In the Access control page: 1. Click the 'Role assignments' 2. Search and select the users that were in the list of user accounts that require removal. You can scroll back to the left to see the list. 3. Click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c3b6ae71-f1f0-31b4-e6c1-d5951285d03d\",\r\n \"name\": \"c3b6ae71-f1f0-31b4-e6c1-d5951285d03d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"External accounts with owner permissions should be removed from your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f8456c1c-aa66-4dfb-861a-25d127b775c9\",\r\n \"description\": \"Accounts with owner permissions that have different domain names (external accounts), should be removed from your subscription. This prevents unmonitored access. These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"To remove external accounts:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The list of external user accounts that require access removal opens.
Click 'Continue'. The Access control (IAM) page opens.
In the Access control page: 1. Click the 'Role assignments' 2. Search and select the users that were in the list of user accounts that require removal. You can scroll back to the left to see the list. 3. Click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/00c6d40b-e990-6acf-d4f3-471e747a27c4\",\r\n \"name\": \"00c6d40b-e990-6acf-d4f3-471e747a27c4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Deprecated accounts should be removed from your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6b1cbf55-e8b6-442f-ba4c-7246b6381474\",\r\n \"description\": \"User accounts that have been blocked from signing in, should be removed from your subscriptions.
These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"To remove blocked user accounts:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The list of blocked user accounts opens.
Click �Continue�. The Access control (IAM) page opens.
In the Access control page:1. Click the 'Role assignments' tab. 2. Search and select the users that were in the list of blocked user accounts that require removal. You can scroll back to the left to see the list. 3. Click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e52064aa-6853-e252-a11e-dffc675689c2\",\r\n \"name\": \"e52064aa-6853-e252-a11e-dffc675689c2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Deprecated accounts with owner permissions should be removed from your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ebb62a0c-3560-49e1-89ed-27e074e9f8ad\",\r\n \"description\": \"User accounts that have been blocked from signing in, should be removed from your subscriptions.
These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"To remove blocked user accounts:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The list of blocked user accounts opens.
Click �Continue�. The Access control (IAM) page opens.
In the Access control page:1. Click the 'Role assignments' tab. 2. Search and select the users that were in the list of blocked user accounts that require removal. You can scroll back to the left to see the list. 3. Click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6f90a6d6-d4d6-0794-0ec1-98fa77878c2e\",\r\n \"name\": \"6f90a6d6-d4d6-0794-0ec1-98fa77878c2e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"A maximum of 3 owners should be designated for your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4f11b553-d42e-4e3a-89be-32ca364cad4c\",\r\n \"description\": \"It is recommended to designate up to {0} subscription owners in order to reduce the potential for breach by a compromised owner.\",\r\n \"remediationDescription\": \"To remove owner permissions from user accounts on your subscription:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The Access control (IAM) page opens. 1. Click the Role assignments tab and set the 'Role' filter to 'Owner'. 2. Select the owners you want to remove. 3. Click Remove.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2c79b4af-f830-b61e-92b9-63dfa30f16e4\",\r\n \"name\": \"2c79b4af-f830-b61e-92b9-63dfa30f16e4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"There should be more than one owner assigned to your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/09024ccc-0c5f-475e-9457-b7c0d9ed487b\",\r\n \"description\": \"Designate more than one subscription owner in order to have administrator access redundancy.\",\r\n \"remediationDescription\": \"To add another account with owner permissions to your subscription:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The Access control (IAM) page opens. 1. Click 'Add' to open the Add role assignment pane.
If you don't have permissions to assign roles, the Add role assignment option will be disabled 1. In the 'Role' drop-down list, select the Owner role. 2. In the Select list, select a user. 3. Click Save.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0677209d-e675-2c6f-e91a-54cef2878663\",\r\n \"name\": \"0677209d-e675-2c6f-e91a-54cef2878663\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities in container security configurations should be remediated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933\",\r\n \"description\": \"Remediate vulnerabilities in security configuration on machines with Docker installed to protect them from attacks.\",\r\n \"remediationDescription\": \"To Remediate vulnerabilities in the container security configurations:1. Review the list of failed rules.2. Fix each rule according to the specified instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1db4f204-cb5a-4c9c-9254-7556403ce51c\",\r\n \"name\": \"1db4f204-cb5a-4c9c-9254-7556403ce51c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerability assessment should be enabled on your SQL servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9\",\r\n \"description\": \"Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities.\",\r\n \"remediationDescription\": \"To enable vulnerability assessment on SQL servers: 1. Select the SQL server. 2. Make sure that 'Advanced data security' is set to 'On'. 3. Under 'Vulnerability assessment settings', set 'Periodic recurring scans' to 'On', and configure a storage account for storing vulnerability assessment scan results. 4. Click Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/400a6682-992c-4726-9549-629fbc3b988f\",\r\n \"name\": \"400a6682-992c-4726-9549-629fbc3b988f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Advanced data security should be enabled on your SQL servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9\",\r\n \"description\": \"Advanced data security (ADS) is a unified package that provides advanced SQL security capabilities. It discovers and classifies sensitive data, surfaces and mitigates potential database vulnerabilities, and detects anomalous activities that could indicate a threat to your database. ADS is charged at $15 per SQL server.\",\r\n \"remediationDescription\": \"To enable advanced data security on SQL servers: 1. Select the SQL server. 2. Under 'Advanced Data Security', select 'On'. 3. Under 'Vulnerability Assessment Settings', set 'Periodic recurring scans' to 'On', and configure a storage account for storing vulnerability assessment scan results. 4. Click Save.
Note: ADS is charged at $15 per SQL server.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f0553104-cfdb-65e6-759c-002812e38500\",\r\n \"name\": \"f0553104-cfdb-65e6-759c-002812e38500\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"An Azure Active Directory administrator should be provisioned for SQL servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9\",\r\n \"description\": \"Provision an Azure AD administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services.\",\r\n \"remediationDescription\": \"To provision an Azure AD administrator for SQL server, see Configure and manage Azure Active Directory authentication with SQL Database, Managed Instance, or SQL Data Warehouse\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/12018f4f-3d10-999b-e4c4-86ec25be08a1\",\r\n \"name\": \"12018f4f-3d10-999b-e4c4-86ec25be08a1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Virtual machines should be migrated to new Azure Resource Manager resources\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d\",\r\n \"description\": \"To benefit from new capabilities in Azure Resource Manager, you can migrate existing deployments from the Classic deployment model. Resource Manager enables security enhancements such as: stronger access control (RBAC), better auditing, ARM-based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management. Learn more\",\r\n \"remediationDescription\": \"To migrate virtual machines to new ARM resources : 1. Go to the Virtual machine 2. Click on Migrate to ARM and follow the instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/22e18b64-4576-41e6-8972-0eb28c9af0c8\",\r\n \"name\": \"22e18b64-4576-41e6-8972-0eb28c9af0c8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fb893a29-21bb-418c-a157-e99480ec364c\",\r\n \"description\": \"Upgrade your Kubernetes service cluster to a later Kubernetes version to protect against known vulnerabilities in your current Kubernetes version. Vulnerability CVE-2019-9946 has been patched in Kubernetes versions 1.11.9+, 1.12.7+, 1.13.5+, and 1.14.0+\",\r\n \"remediationDescription\": \"To upgrade a Kubernetes version using the Azure portal: 1. Go to Azure Kubernetes Services and click on the specific Kubernetes Service. 2. Under 'Upgrade' select the target Kubernetes version and save the change. Note:When you upgrade an AKS cluster, Kubernetes minor versions cannot be skipped. For example, upgrades between 1.10.x -> 1.11.x or 1.11.x -> 1.12.x are allowed, however 1.10.x -> 1.12.x is not. To upgrade from 1.10.x -> 1.12.x, first upgrade from 1.10.x -> 1.11.x, then upgrade from 1.11.x -> 1.12.x.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"ElevationOfPrivilege\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1a2b5b4c-f80d-46e7-ac81-b51a9fb363de\",\r\n \"name\": \"1a2b5b4c-f80d-46e7-ac81-b51a9fb363de\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Authorized IP ranges should be defined on Kubernetes Services\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e246bcf-5f6f-4f87-bc6f-775d4712c7ea\",\r\n \"description\": \"Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster.\",\r\n \"remediationDescription\": \"To configure authorized IP ranges, follow the steps described here Secure access to the API server using authorized IP address ranges in Azure Kubernetes Service (AKS).\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DenialOfService\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a3eee263-aa01-4b52-a7c0-0094578ef48f\",\r\n \"name\": \"a3eee263-aa01-4b52-a7c0-0094578ef48f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Pod Security Policies should be defined on Kubernetes Services\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3abeb944-26af-43ee-b83d-32aaf060fb94\",\r\n \"description\": \"Define Pod Security Policies to reduce the attack vector by removing unnecessary application privileges. It is recommended to configure Pod Security Policies to only allow pods to access the resources which they have permissions to access.\",\r\n \"remediationDescription\": \"To configure Pod Security Policies, follow the steps described here Secure your cluster using pod security policies in Azure Kubernetes Service (AKS).\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ElevationOfPrivilege\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b0fdc63a-38e7-4bab-a7c4-2c2665abbaa9\",\r\n \"name\": \"b0fdc63a-38e7-4bab-a7c4-2c2665abbaa9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Role-Based Access Control should be used on Kubernetes Services\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ac4a19c2-fa67-49b4-8ae5-0b2e78c49457\",\r\n \"description\": \"To provide granular filtering on the actions that users can perform, use Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service Clusters and configure relevant authorization policies. For more information, see Azure role-based access control.\",\r\n \"remediationDescription\": \"To Use Role-Based Access Control (RBAC) you must recreate your Kubernetes Service cluster and enable RBAC during the creation process. Creating a Kubernetes Service with RBAC enabled can be done via the portal as follows: 1. Go to Azure Kubernetes Services. 2. Click 'Add' and enter your cluster's configuration. 3. In the 'Authentication' tab, verify that the 'Enable RBAC' setting is set to 'Yes'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"ElevationOfPrivilege\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c6dad669-efd7-cd72-61c5-289935607791\",\r\n \"name\": \"c6dad669-efd7-cd72-61c5-289935607791\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Data Lake Analytics should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c95c74d9-38fe-4f0d-af86-0c7d626a315c\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Data Lake Analytics diagnostics: 1. Go to Data Lake Analytics and click on your subscription. 2. Click Diagnostic settings and then click Turn on diagnostics. 3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c42fc28d-1703-45fc-aaa5-39797f570513\",\r\n \"name\": \"c42fc28d-1703-45fc-aaa5-39797f570513\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerability assessment should be enabled on your SQL managed instances\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b7aa243-30e4-4c9e-bca8-d0d3022b634a\",\r\n \"description\": \"Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities.\",\r\n \"remediationDescription\": \"To enable vulnerability assessment on a managed instance: 1. Select the SQL managed instance. 2. Make sure that 'Advanced data security' is set to 'On'. 3. Under 'Vulnerability assessment settings', set 'Periodic recurring scans' to 'On', and configure a storage account for storing vulnerability assessment scan results. 4. Click Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ff6dbca8-d93c-49fc-92af-dc25da7faccd\",\r\n \"name\": \"ff6dbca8-d93c-49fc-92af-dc25da7faccd\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Advanced data security should be enabled on your managed instances\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9\",\r\n \"description\": \"Advanced data security (ADS) is a unified package that provides advanced SQL security capabilities. It discovers and classifies sensitive data, surfaces and mitigates potential database vulnerabilities, and detects anomalous activities that could indicate a threat to your database. ADS is charged at $15 per managed SQL server.\",\r\n \"remediationDescription\": \"To enable advanced data security on managed SQL servers: 1. Select the managed SQL server. 2. Under 'Advanced Data Security', select 'On'. 3. Under 'Vulnerability Assessment Settings', set 'Periodic recurring scans' to 'On', and configure a storage account for storing vulnerability assessment scan results. 4. Click Save.
Note: ADS is charged at $15 per managed SQL server.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/35b25be2-d08a-e340-45ed-f08a95d804fc\",\r\n \"name\": \"35b25be2-d08a-e340-45ed-f08a95d804fc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Only secure connections to your Redis Cache should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/22bee202-a82f-4305-9a2a-6d7f44d4dedb\",\r\n \"description\": \"Enable only connections via SSL to Redis Cache. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.\",\r\n \"remediationDescription\": \"To enable only SSL connections to your Redis Cache, we recommend the following steps: 1. Go to the Redis Caches, and select your redis cache. 2. Select 'Advanced settings'. 3. For 'Allow access only via SSL', click 'Yes' and then click 'Save'.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/77785808-ce86-4e40-b45f-19110a547397\",\r\n \"name\": \"77785808-ce86-4e40-b45f-19110a547397\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in IoT Hub should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/383856f8-de7f-44a2-81fc-e5135b5c2aa4\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable IoT Hub diagnostics: 1. Go to the Event Hub namespace. 2. Click Diagnostic settings and then click Turn on diagnostics. 3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/32771b45-220c-1a8b-584e-fdd5a2584a66\",\r\n \"name\": \"32771b45-220c-1a8b-584e-fdd5a2584a66\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Batch accounts should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/428256e6-1fac-4f48-a757-df34c2b3336d\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Batch diagnostics: 1. Go to Batch and click on your subscription. 2. Click Diagnostic settings and then click Turn on diagnostics. 3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f11b27f2-8c49-5bb4-eff5-e1e5384bf95e\",\r\n \"name\": \"f11b27f2-8c49-5bb4-eff5-e1e5384bf95e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Azure Stream Analytics should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f9be5368-9bf5-4b84-9e0a-7850da98bb46\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Stream Analytics diagnostics: 1. Go to Stream Analytics and click on your subscription. 2. Click Diagnostic settings and then click Turn on diagnostics. 3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f19ab7d9-5ff2-f8fd-ab3b-0bf95dcb6889\",\r\n \"name\": \"f19ab7d9-5ff2-f8fd-ab3b-0bf95dcb6889\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Service Bus should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f8d36e2f-389b-4ee4-898d-21aeb69a0f45\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Service Bus diagnostics: 1. Go to the Service Bus. 2. Click Diagnostic settings and then click Turn on diagnostics. 3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b12bc79e-4f12-44db-acda-571820191ddc\",\r\n \"name\": \"b12bc79e-4f12-44db-acda-571820191ddc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Automation account variables should be encrypted\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735\",\r\n \"description\": \"It is important to enable encryption of Automation account variable assets when storing sensitive data.\",\r\n \"remediationDescription\": \"To apply encryption of the Automation account variable assets, in the Azure CLI - run the following command: Set-AzAutomationVariable -AutomationAccountName '{AutomationAccountName}' -Encrypted $true -Name '{VariableName}' -ResourceGroupName '{ResourceGroupName}' -Value '{Value}'
Read more here\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ad5bbaeb-7632-5edf-f1c2-752075831ce8\",\r\n \"name\": \"ad5bbaeb-7632-5edf-f1c2-752075831ce8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Azure Data Lake Store should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/057ef27e-665e-4328-8ea3-04b3122bd9fb\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Data Lake Store diagnostics: 1. Go to Data Lake Store and click on your subscription. 2. Click Diagnostic settings and then click Turn on diagnostics. 3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/dea5192e-1bb3-101b-b70c-4646546f5e1e\",\r\n \"name\": \"dea5192e-1bb3-101b-b70c-4646546f5e1e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Search services should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b4330a05-a843-4bc8-bf9a-cacce50c67f4\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Search diagnostics: 1. Go to Search and click on your subscription. 2. Click Diagnostic settings and then click Turn on diagnostics. 3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/03afeb6f-7634-adb3-0a01-803b0b9cb611\",\r\n \"name\": \"03afeb6f-7634-adb3-0a01-803b0b9cb611\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Service Fabric clusters should only use Azure Active Directory for client authentication\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b54ed75b-3e1a-44ac-a333-05ba39b99ff0\",\r\n \"description\": \"Perform Client authentication only via Azure Active Directory in Service Fabric\",\r\n \"remediationDescription\": \"To enable client authentication using Azure Active Directory follow the instructions to Set up Azure Active Directory for client authentication.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7f04fc0c-4a3d-5c7e-ce19-666cb871b510\",\r\n \"name\": \"7f04fc0c-4a3d-5c7e-ce19-666cb871b510\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/617c02be-7f02-4efd-8836-3180d47b6c68\",\r\n \"description\": \"Service Fabric provides three levels of protection (None, Sign and EncryptAndSign) for node-to-node communication using a primary cluster certificate. Set the protection level to ensure that all node-to-node messages are encrypted and digitally signed.\",\r\n \"remediationDescription\": \"To set 'ClusterProtectionLevel' inside Service Fabric ARM template to 'EncryptAndSign': 1. Go to the Service fabric cluster. 2. Click on 'Custom fabric settings'. 3. Click 'Add new', set the 'Security' section and update the 'ClusterProtectionLevel' property to 'EncryptAndSign'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1597605a-0faf-5860-eb74-462ae2e9fc21\",\r\n \"name\": \"1597605a-0faf-5860-eb74-462ae2e9fc21\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Event Hub should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83a214f7-d01a-484b-91a9-ed54470c9a6a\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Event Hub diagnostics: 1. Go to the Event Hub namespace. 2. Click Diagnostic settings and then click Turn on diagnostics. 3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/91387f44-7e43-4ecc-55f0-46f5adee3dd5\",\r\n \"name\": \"91387f44-7e43-4ecc-55f0-46f5adee3dd5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Logic Apps should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34f95f76-5386-4de7-b824-0d8478470c9d\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Logic Apps diagnostics: 1. Go to Logic Apps and click on your subscription. 2. Click Diagnostic settings and then click Turn on diagnostics. 3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/961eb649-3ea9-f8c2-6595-88e9a3aeedeb\",\r\n \"name\": \"961eb649-3ea9-f8c2-6595-88e9a3aeedeb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Virtual Machine Scale Sets should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7c1b1214-f927-48bf-8882-84f0af6588b1\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Virtual Machines Scale Sets diagnostics follow the instructions\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606\",\r\n \"description\": \"To benefit from new capabilities in Azure Resource Manager, you can migrate existing deployments from the Classic deployment model. Resource Manager enables security enhancements such as: stronger access control (RBAC), better auditing, ARM-based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management. Learn more\",\r\n \"remediationDescription\": \"To migrate storage accounts to new ARM resources : 1. Go to the Storage Account 2. Click on Migrate to ARM and follow the instructions.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/88bbc99c-e5af-ddd7-6105-6150b2bfa519\",\r\n \"name\": \"88bbc99c-e5af-ddd7-6105-6150b2bfa519\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Key Vault should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Key Vault diagnostics: 1. Go to Key Vault and click on your subscription. 2. Click Diagnostic settings and then click Turn on diagnostics. 3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/45d313c3-3fca-5040-035f-d61928366d31\",\r\n \"name\": \"45d313c3-3fca-5040-035f-d61928366d31\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Access to storage accounts with firewall and virtual network configurations should be restricted\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c\",\r\n \"description\": \"Review the settings of network access in your storage account firewall settings. It is recommended to configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premise clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges.\",\r\n \"remediationDescription\": \"1. In your storage account, go to 'Firewalls and virtual networks'. 2. Under 'Allow access from', choose 'Selected networks'. 3. Configure the relevant virtual networks and IP ranges that should be allowed to access your storage account. 4. Configure \\\"Allow trusted Microsoft services to access your storage account\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": \"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Secure transfer to storage accounts should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9\",\r\n \"description\": \"Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.\",\r\n \"remediationDescription\": \"To enable secure transfer required: 1. In your storage account, go to the 'Configuration' page. 2. Enable 'Secure transfer required'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bd20bd91-aaf1-7f14-b6e4-866de2f43146\",\r\n \"name\": \"bd20bd91-aaf1-7f14-b6e4-866de2f43146\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"System updates on virtual machine scale sets should be installed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe\",\r\n \"description\": \"Install missing system security and critical updates to secure your Windows and Linux virtual machine scale sets.\",\r\n \"remediationDescription\": \"To install system updates: 1. Review the list of missing system updates. 2. Follow the steps to resolve the update, as described in the support link.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/45cfe080-ceb1-a91e-9743-71551ed24e94\",\r\n \"name\": \"45cfe080-ceb1-a91e-9743-71551ed24e94\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Monitoring agent should be installed on virtual machine scale sets\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/f3631911-7880-4edb-88bd-6411f5e3b6ec\",\r\n \"description\": \"Security Center uses the Microsoft Monitoring Agent (MMA) to collect security events from your Azure virtual machine scale sets.<br> You cannot configure auto-provisioning of the MMA for Azure virtual machine scale sets. To deploy the MMA on virtual machine scale sets (including those used by Azure managed services such as Azure Kubernetes Service and Azure Service Fabric), please follow the procedure in the remediation steps.\",\r\n \"remediationDescription\": \"To install monitoring agent : 1. Select or create a workspace. 2. Click on Install to install the agent on the scale set.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8941d121-f740-35f6-952c-6561d2b38d36\",\r\n \"name\": \"8941d121-f740-35f6-952c-6561d2b38d36\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities in security configuration on your virtual machine scale sets should be remediated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4\",\r\n \"description\": \"Remediate vulnerabilities in security configuration on your virtual machine scale sets to protect them from attacks.\",\r\n \"remediationDescription\": \"To remediate vulnerabilities in VM scale set security configurations: 1. Review the list of failed rules. 2. Fix each rule according to the instructions provided.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/21300918-b2e3-0346-785f-c77ff57d243b\",\r\n \"name\": \"21300918-b2e3-0346-785f-c77ff57d243b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Endpoint protection solution should be installed on virtual machine scale sets\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de\",\r\n \"description\": \"Install an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities.\",\r\n \"remediationDescription\": \"To install an endpoint protection solution: 1. Follow the instructions in How do I turn on antimalware in my virtual machine scale set\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e71020c2-860c-3235-cd39-04f3f8c936d2\",\r\n \"name\": \"e71020c2-860c-3235-cd39-04f3f8c936d2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Endpoint protection health failures should be remediated on virtual machine scale sets\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de\",\r\n \"description\": \"Remediate endpoint protection health failures on your virtual machine scale sets to protect them from threats and vulnerabilities.\",\r\n \"remediationDescription\": \"Resolve endpoint protection health issues on your VM scale sets to get full protection and coverage by Azure Security Center. To do this, follow the instructions in each of the possible endpoint protection health issues displayed on your virtual machine scale set.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6c99f570-2ce7-46bc-8175-cde013df43bc\",\r\n \"name\": \"6c99f570-2ce7-46bc-8175-cde013df43bc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Guest configuration extension should be installed on Windows virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/5fc23db3-dd4d-4c56-bcc7-43626243e601\",\r\n \"description\": \"Install the guest configuration agent to enable auditing settings inside a machine such as: - The configuration of the operating system
- Application configuration or presence
- Environment settings
Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'.
For more details, visit in-guest policies\",\r\n \"remediationDescription\": \"Quick fix remediation:
To remediate with a single click, in the Unhealthy resources tab (below), select the resources, and click 'Remediate'.
Read the remediation details in the confirmation box, and approve the remediation.
Note: It can take several minutes after remediation completes to see the resources in the ‘healthy resources’ tab.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/22489c48-27d1-4e40-9420-4303ad9cffef\",\r\n \"name\": \"22489c48-27d1-4e40-9420-4303ad9cffef\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Windows Defender Exploit Guard should be enabled on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/bed48b13-6647-468e-aa2f-1af1d3f4dd40\",\r\n \"description\": \"Windows Defender Exploit Guard leverages the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only).\",\r\n \"remediationDescription\": \"Enable controlled folder access: controlled folder access
The following attack surface rules should be enabled:
'be9ba2d9-53ea-4cdc-84e5-9b1eeee46550',
'b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4',
'9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2',
'd4f940ab-401b-4efc-aadc-ad5f3c50688a',
'd3e037e1-3eb8-44c8-a917-57927947596d',
'5beb7efe-fd9a-4556-801d-275e5ffc04cc',
'3b576869-a4ec-4529-8536-b80a7769e899',
'26190899-1602-49e8-8b27-eb1d0a1ce869',
'92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B',
'7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c',
'75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84'
For more information on visit:attack surface reduction\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ThreatResistance\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/27ac71b1-75c5-41c2-adc2-858f5db45b08\",\r\n \"name\": \"27ac71b1-75c5-41c2-adc2-858f5db45b08\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Log Analytics agent should be installed on your Windows-based Azure Arc machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/d69b1763-b96d-40b8-a2d9-ca31e9fd0d3e\",\r\n \"description\": \"Security Center uses the Log Analytics agent (also known as MMA) to collect security events from your Azure Arc machines. To deploy the agent on all your Azure Arc machines, follow the remediation steps.\",\r\n \"remediationDescription\": \"Security Center can deploy the agents to all your machines with quick fix: 1. From the Unhealthy resources tab, select the relevant machines, and select \\\"Remediate\\\". 2. Read the remediation details in the confirmation box, modify the parameters as necessary, and approve the remediation. Note: It can take several minutes after remediation completes until the resources move to the Healthy resources tab. Manual Remediation: 1. From Azure Arc machine's page, go to Extensions and select Add. 2. Follow the instructions to add the relevant extension. You can also use ARM template or Azure Policies to manage the extension deployment to Arc servers.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/720a3e77-0b9a-4fa9-98b6-ddf0fd7e32c1\",\r\n \"name\": \"720a3e77-0b9a-4fa9-98b6-ddf0fd7e32c1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Log Analytics agent should be installed on your Linux-based Azure Arc machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/842c54e8-c2f9-4d79-ae8d-38d8b8019373\",\r\n \"description\": \"Security Center uses the Log Analytics agent (also known as OMS) to collect security events from your Azure Arc machines. To deploy the agent on all your Azure Arc machines, follow the remediation steps.\",\r\n \"remediationDescription\": \"Security Center can deploy the agents to all your machines with quick fix: 1. From the Unhealthy resources tab, select the relevant machines, and select \\\"Remediate\\\". 2. Read the remediation details in the confirmation box, modify the parameters as necessary, and approve the remediation. Note: It can take several minutes after remediation completes until the resources move to the Healthy resources tab. Manual Remediation: 1. From Azure Arc machine's page, go to Extensions and select Add. 2. Follow the instructions to add the relevant extension. You can also use ARM template or Azure Policies to manage the extension deployment to Arc servers.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9d07b7e6-2986-4964-a76c-b2689604e212\",\r\n \"name\": \"9d07b7e6-2986-4964-a76c-b2689604e212\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Identical Authentication Credentials\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5468b9f3-f0dd-41e3-a383-f0f442f34bcf\",\r\n \"description\": \"Identical authentication credentials to the IoT Hub used by multiple devices. This could indicate an illegitimate device impersonating a legitimate device. It also exposes the risk of device impersonation by an attacker\",\r\n \"remediationDescription\": \"Review the devices in question and make sure they are all valid. Replace any duplicated credentials and make sure all device authentication credentials are unique.\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5a3d6cdd-8eb3-46d2-ba11-d24a0d47fe65\",\r\n \"name\": \"5a3d6cdd-8eb3-46d2-ba11-d24a0d47fe65\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Default IP Filter Policy should be Deny\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bde66085-0bff-4163-a200-2ff7c1175045\",\r\n \"description\": \"IP Filter Configuration should have rules defined for allowed traffic and should deny all other traffic by default\",\r\n \"remediationDescription\": \"Add a default rule at the end of the defined rules list to deny all inbound traffic. Make sure any rules defined above it only allow wanted traffic through.\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d8326952-60bb-40fb-b33f-51e662708a88\",\r\n \"name\": \"d8326952-60bb-40fb-b33f-51e662708a88\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IP Filter rule large IP range\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3f528984-4591-4989-b6bc-6d9f67f3de57\",\r\n \"description\": \"An Allow IP Filter rule's source IP range is too large. Overly permissive rules might expose your IoT hub to malicious intenders\",\r\n \"remediationDescription\": \"Review the rule in question and verify source IP range is as small as it needs to be for necessary traffic to go through.\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1a36f14a-8bd8-45f5-abe5-eef88d76ab5b\",\r\n \"name\": \"1a36f14a-8bd8-45f5-abe5-eef88d76ab5b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Open Ports On Device\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fa676ae0-e4c3-4803-8ce8-e85df20b57cd\",\r\n \"description\": \"A listening endpoint was found on the device\",\r\n \"remediationDescription\": \"Review the open ports on the device and make sure they belong to legitimate and necessary processes for the device to function correctly\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ba975338-f956-41e7-a9f2-7614832d382d\",\r\n \"name\": \"ba975338-f956-41e7-a9f2-7614832d382d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Permissive firewall rule in the input chain was found\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a782bbed-a876-4631-9bc5-7ace7d466dc8\",\r\n \"description\": \"A rule in the firewall has been found that contains a permissive pattern for a wide range of IP addresses or Ports\",\r\n \"remediationDescription\": \"Review the rules in the recommendation and verify only necessary addresses / ports are allowed in\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/beb62be3-5e78-49bd-ac5f-099250ef3c7c\",\r\n \"name\": \"beb62be3-5e78-49bd-ac5f-099250ef3c7c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Permissive firewall policy in one of the chains was found\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fce8d615-a5d2-431d-ba4d-2d9ae164224f\",\r\n \"description\": \"An allowed firewall policy was found in main firewall Chains (INPUT/OUTPUT). The policy should Deny all traffic by default define rules to allow necessary communication to/from the device\",\r\n \"remediationDescription\": \"Change firewall policy to Drop and add specific rules to permit access to legitimate connections to/from the device\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d5a8d84a-9ad0-42e2-80e0-d38e3d46028a\",\r\n \"name\": \"d5a8d84a-9ad0-42e2-80e0-d38e3d46028a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Permissive firewall rule in the output chain was found\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/75af18a4-86e2-40ab-a157-359d67bd9314\",\r\n \"description\": \"A rule in the firewall has been found that contains a permissive pattern for a wide range of IP addresses or ports\",\r\n \"remediationDescription\": \"Review the rules in the recommendation and verify only necessary addresses / ports are allowed out\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3a577f3e-2a57-4197-bc79-85007d5c8cd8\",\r\n \"name\": \"3a577f3e-2a57-4197-bc79-85007d5c8cd8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Install the Azure Security of Things Agent\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b122f8fc-72f9-4a24-87ec-b71bdfb5a890\",\r\n \"description\": \"Installing the Azure Security of Things agent on a device increases the security detections available for it\",\r\n \"remediationDescription\": \"Install the Azure Security of Things Security Agent\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5f65e47f-7a00-4bf3-acae-90ee441ee876\",\r\n \"name\": \"5f65e47f-7a00-4bf3-acae-90ee441ee876\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Operating system baseline validation failure\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a15d59b-fbfe-41c9-bdb1-d900cc77eb6e\",\r\n \"description\": \"Security related system configuration issues identified\",\r\n \"remediationDescription\": \"Review the failed rules and remediate the security configuration vulnerabilities identified on your devices\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a9a59ebb-5d6f-42f5-92a1-036fd0fd1879\",\r\n \"name\": \"a9a59ebb-5d6f-42f5-92a1-036fd0fd1879\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Agent sending underutilized messages\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a6cb74de-df4c-497f-9e87-f0ccd430de6c\",\r\n \"description\": \"IoT agent message size capacity is currently underutilized, causing an increase in the number of sent messages. Adjust message intervals for better utilization\",\r\n \"remediationDescription\": \"To avoid too many underutilized messages, consider enlarging the high/low priority send intervals\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2acc27c6-5fdb-405e-9080-cb66b850c8f5\",\r\n \"name\": \"2acc27c6-5fdb-405e-9080-cb66b850c8f5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - TLS cipher suite upgrade needed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f4912296-8654-4bf1-bb7b-a42bfa368af6\",\r\n \"description\": \"Unsecure TLS configurations detected. Immediate TLS cipher suite upgrade recommended\",\r\n \"remediationDescription\": \"Upgrade your TLS cipher suite to a secure configuration. See the Guide to TLS Standards Compliance for more information\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d74d2738-2485-4103-9919-69c7e63776ec\",\r\n \"name\": \"d74d2738-2485-4103-9919-69c7e63776ec\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Auditd process stopped sending events\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5502d409-6ab3-401d-a4ae-619cf2bbf68e\",\r\n \"description\": \"Security events originated from Auditd process are no longer received from this device\",\r\n \"remediationDescription\": \"Verify Auditd process is running on the device, restart process or device as needed\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2acd365d-e8b5-4094-bce4-244b7c51d67c\",\r\n \"name\": \"2acd365d-e8b5-4094-bce4-244b7c51d67c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Service principals should be used to protect your subscriptions instead of Management Certificates\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Security/assessmentMetadata/2acd365d-e8b5-4094-bce4-244b7c51d67c\",\r\n \"description\": \"Management certificates allow anyone who authenticates with them to manage the subscription(s) they are associated with. To manage subscriptions more securely, using service principals with Resource Manager is recommended to limit the blast radius in the case of a certificate compromise. It also automates resource management. \",\r\n \"remediationDescription\": \"To remove management certificates and replace with service principals:1. Follow the guidance here to create service principals with a certificate. 2. Select a subscription from the list of subscriptions below or navigate to the specific subscription. 3. Select In the Management Certificates under Settings , delete the existing management certificates you would like to replace with the service principals you created.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"name\": \"eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Subnets should be associated with a network security group\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e71308d3-144b-4262-b144-efdc3cc90517\",\r\n \"description\": \"Protect your subnet from potential threats by restricting access to it with a network security group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. When an NSG is associated with a subnet, the ACL rules apply to all the VM instances and integrated services in that subnet, but don't apply to internal traffic inside the subnet. To secure resources in the same subnet from one another, enable NSG directly on the resources as well.\",\r\n \"remediationDescription\": \"To enable network security groups on your virtual machines: 1. Select a VM to enable NSG on its NIC. 2. In the 'Networking' blade, click the Network Interface that is associated with the selected VM. 3. In the 'Network interface' blade, click the 'Network security group' menu item. 4. Click the 'Edit' button at the top of the blade. 5. Follow the steps and select an existing network security group to attach to this VM.
Click here to learn more.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"name\": \"e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure DDoS Protection Standard should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd\",\r\n \"description\": \"Security Center has discovered virtual networks with applications and firewalls unprotected by the DDoS protection service. These apps and firewalls have public IPs. Enable mitigation of network volumetric and protocol attacks.\",\r\n \"remediationDescription\": \"1. Select a virtual network to enable the DDoS protection service standard on. 2. Select the Standard option. 3. Click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"ThreatResistance\",\r\n \"DenialOfService\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/35f45c95-27cf-4e52-891f-8390d1de5828\",\r\n \"name\": \"35f45c95-27cf-4e52-891f-8390d1de5828\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Adaptive application controls for whitelisting safe applications should be enabled on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc\",\r\n \"description\": \"Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.\",\r\n \"remediationDescription\": \"To enable and configure adaptive application controls: 1. From the portal, open Security Center. 2. Select \\\"Adaptive application controls\\\" from Security Center’s sidebar. 3. To see the groups of machines that Security Center recommends protecting with adaptive application controls, select the \\\"Recommended\\\" tab and choose a group of machines to protect. 4. Create a new applications control policy according to the instructions in Security Center’s documentation: https://aka.ms/aac-newpolicy\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\",\r\n \"ThreatResistance\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1234abcd-1b53-4fd4-9835-2c2fa3935313\",\r\n \"name\": \"1234abcd-1b53-4fd4-9835-2c2fa3935313\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Whitelisting rules in your adaptive application control policy should be updated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/123a3936-f020-408a-ba0c-47873faf1534\",\r\n \"description\": \"Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to whitelist in adaptive application control policies.\",\r\n \"remediationDescription\": \"To update your whitelists of known-safe applications: 1. From the portal, open Security Center. 2. Select \\\"Adaptive application controls\\\" from Security Center’s sidebar. 3. To see the groups of machines for which Security Center recommends updating the policy, select the \\\"Recommended\\\" tab and choose the configured group of machines. 4. The current policy will be displayed together with the new rules that Security Center recommends adding.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\",\r\n \"ThreatResistance\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f9f0eed0-f143-47bf-b856-671ea2eeed62\",\r\n \"name\": \"f9f0eed0-f143-47bf-b856-671ea2eeed62\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Adaptive Network Hardening recommendations should be applied on internet facing virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6\",\r\n \"description\": \"Azure Security Center has analyzed the internet traffic communication patterns of the virtual machines listed below, and determined that the existing rules in the NSGs associated to them are overly permissive, resulting in an increased potential attack surface.
This typically occurs when this IP address doesn't communicate regularly with this resource. Alternatively, the IP address has been flagged as malicious by Security Center's threat intelligence sources. learn more\",\r\n \"remediationDescription\": \"To harden the Network Security Group traffic rules, enforce the recommended rules by following the steps below or manually edit the rules directly on the Network Security Group:
- Select a VM from the list below, or click \\\"Take action\\\" if you've arrived from a specific VM's recommendation blade.
- Click the \\\"Rules\\\" tab.
- If you want to modify a recommended rule's parameters:
- In the rule that you want to change, select the three dots and select \\\"Edit rule\\\". The \\\"Edit rule\\\" blade opens.
- Modify the parameters that you want to change and click \\\"Save\\\". The blade closes.
- If you want to create a new rule:
- Click \\\"Add rule\\\" (in the top left corner). The \\\"Edit rule\\\" blade opens.
- Fill in the parameters and click \\\"Add rule\\\". The pane closes and the new rule is listed in the Rules tab.
- Select the rules that you want to apply (including any rules that you edited or added) and click \\\"Enforce\\\".
\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/805651bc-6ecd-4c73-9b55-97a19d0582d0\",\r\n \"name\": \"805651bc-6ecd-4c73-9b55-97a19d0582d0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Management ports of virtual machines should be protected with just-in-time network access control\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c\",\r\n \"description\": \"N/A\",\r\n \"remediationDescription\": \"N/A\",\r\n \"categories\": [\r\n \"Compute\",\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/01b1ed4c-b733-4fee-b145-f23236e70cf3\",\r\n \"name\": \"01b1ed4c-b733-4fee-b145-f23236e70cf3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerability assessment solution should be installed on your virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/760a85ff-6162-42b3-8d70-698e268f648c\",\r\n \"description\": \"N/A\",\r\n \"remediationDescription\": \"N/A\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/71992a2a-d168-42e0-b10e-6b45fa2ecddb\",\r\n \"name\": \"71992a2a-d168-42e0-b10e-6b45fa2ecddb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities should be remediated by a Vulnerability Assessment solution\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/760a85ff-6162-42b3-8d70-698e268f648c\",\r\n \"description\": \"N/A\",\r\n \"remediationDescription\": \"N/A\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\",\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bc303248-3d14-44c2-96a0-55f5c326b5fe\",\r\n \"name\": \"bc303248-3d14-44c2-96a0-55f5c326b5fe\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Management ports should be closed on your virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/22730e10-96f6-4aac-ad84-9383d35b5917\",\r\n \"description\": \"Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.\",\r\n \"remediationDescription\": \"We recommend that you edit the inbound rules of some of your virtual machines, to restrict access to specific source ranges.
To restrict access to your virtual machines: 1. Select a VM to restrict access to. 2. In the 'Networking' blade, click on each of the rules that allow management ports (e.g. RDP-3389, WINRM-5985, SSH-22). 3. Either change the 'Action' property to 'Deny', or, improve the rule by applying a less permissive range of source IP ranges. 4. Click 'Save'.
Use Azure Security Center's Just-in-time (JIT) virtual machine (VM) access to lock down inbound traffic to your Azure VMs by demand. Click here to learn more.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ThreatResistance\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c3b51c94-588b-426b-a892-24696f9e54cc\",\r\n \"name\": \"c3b51c94-588b-426b-a892-24696f9e54cc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IP forwarding on your virtual machine should be disabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744\",\r\n \"description\": \"Azure Security Center has discovered that IP forwarding is enabled on some of your virtual machines. Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.\",\r\n \"remediationDescription\": \"We recommend you edit the IP configurations of the NICs belonging to some of your virtual machines.
To disable IP forwarding: 1. Select a VM from the list below, or click 'Take action' if you've arrived from a specific VM's recommendation blade. 2. In the 'Networking' blade, click on the NIC link ('Network Interface' in the top left). 3. In the 'IP configurations' blade, set the 'IP forwarding' field to 'Disabled'. 4. Click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3b20e985-f71f-483b-b078-f30d73936d43\",\r\n \"name\": \"3b20e985-f71f-483b-b078-f30d73936d43\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"All network ports should be restricted on NSG associated to your VM\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9daedab3-fb2d-461e-b861-71790eead4f6\",\r\n \"description\": \"Azure Security center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to easily target your resources.\",\r\n \"remediationDescription\": \"We recommend that you edit the inbound rules of some of your virtual machines, to restrict access to specific source ranges.
To restrict access to your virtual machines: 1. Select a VM to restrict access to. 2. In the 'Networking' blade, click the Network Security Group with overly permissive rules. 3. In the 'Network security group' blade, click on each of the rules that are overly permissive. 4. Improve the rule by applying less permissive source IP ranges. 5. Apply the suggested changes and click 'Save'.
If some or all of these virtual machines do not need to be accessed directly from the Internet, then you can also consider removing the public IP associated to them.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/483f12ed-ae23-447e-a2de-a67a10db4353\",\r\n \"name\": \"483f12ed-ae23-447e-a2de-a67a10db4353\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Internet-facing virtual machines should be protected with network security groups\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c\",\r\n \"description\": \"Protect your VM from potential threats by restricting access to it with a network security group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your VM from other instances, in or outside the same subnet.
Please note that to keep your machine as secured as possible, both the VM access to the Internet must be restricted, and an NSG should be enabled on the subnet.
VMs with 'High' severity are Internet-facing VMs.\",\r\n \"remediationDescription\": \"To enable Network Security Groups on your virtual machines: 1. Select a VM to enable NSG on its NIC. 2. In the 'Networking' blade, click the Network Interface that is associated with the selected VM. 3. In the 'Network interface' blade, click the 'Network security group' menu item. 4. Click the 'Edit' button at the top of the blade. 5. Follow the steps and select an existing network security group to attach to this VM.
Click here to learn more.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a9341235-9389-42f0-a0bf-9bfb57960d44\",\r\n \"name\": \"a9341235-9389-42f0-a0bf-9bfb57960d44\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Non-internet-facing virtual machines should be protected with network security groups\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6\",\r\n \"description\": \"Protect your non-internet-facing virtual machine from potential threats by restricting access to it with a network security group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your VM from other instances, whether or not they're on the same subnet.
Note that to keep your machine as secure as possible, the VM's access to the internet must be restricted and an NSG should be enabled on the subnet.\",\r\n \"remediationDescription\": \"To enable network security groups on your virtual machines: 1. Select a VM to enable an NSG on its NIC. 2. In the 'Networking' pane, select the Network Interface that is associated with the selected VM. 3. In the 'Network interface' pane, select the 'Network security group' menu item. 4. Select 'Edit' at the top of the pane. 5. Follow the steps and select an existing network security group to attach to this VM.
Learn more.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/550e890b-e652-4d22-8274-60b3bdb24c63\",\r\n \"name\": \"550e890b-e652-4d22-8274-60b3bdb24c63\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Enable the built-in vulnerability assessment solution on virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9\",\r\n \"description\": \"Install the Qualys extension (built-in to the Azure Security Center standard tier) to enable the industry-leading vulnerability assessment solution on your virtual machines.\",\r\n \"remediationDescription\": \"To remediate with a single click, in the Unhealthy resources tab (below), select the resources, and click 'Remediate'. Read the remediation details in the confirmation box, insert the relevant parameters if required and approve the remediation. Note: It can take several minutes after remediation completes to see the resources in the ‘healthy resources’\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/57f36d21-69e3-4b0f-a66c-18629d1b736d\",\r\n \"name\": \"57f36d21-69e3-4b0f-a66c-18629d1b736d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Adaptive Network Hardening recommendations should be applied on internal facing virtual machines (Preview)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/65f6008c-c7de-4146-b4f2-0f91aa80ebe0\",\r\n \"description\": \"Azure Security Center has analyzed the Internet traffic communication patterns of the virtual machines listed below, and determined that the existing rules in the NSGs associated to them are overly permissive, resulting in an increased potential attack surface. This could be due lack of traffic on the port/protocol tuples or specific IPs which have been flagged as malicious by Security Center's threat intelligence sources.\",\r\n \"remediationDescription\": \"Security Center recommends that you modify the rules of your virtual machines, to close ports which are not in use.
To close unused ports on your Virtual Machine with a Network Security Group
1. Select a Virtual Machine to display a list of its unused open ports
2. Open the Virtual Machine's Networking blade by clicking its name
3. Edit the Virtual Machine's inbound/outbound rules to block ports according to the list
4. Click Save\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/24d8af06-d441-40b4-a49c-311421aa9f58\",\r\n \"name\": \"24d8af06-d441-40b4-a49c-311421aa9f58\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Network traffic data collection agent should be installed on Windows virtual machines (Preview)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2f2ee1de-44aa-4762-b6bd-0893fc3f306d\",\r\n \"description\": \"Security Center uses the Microsoft Monitoring Dependency Agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats.\",\r\n \"remediationDescription\": \"To remediate with a single click, in the Unhealthy resources tab (below), select the resources, and click Remediate. Read the remediation details in the confirmation box, insert the relevant parameters if required and approve the remediation.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8c3e93d3-0276-4d06-b20a-9a9f3012742c\",\r\n \"name\": \"8c3e93d3-0276-4d06-b20a-9a9f3012742c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Network traffic data collection agent should be installed on Linux virtual machines (Preview)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/04c4380f-3fae-46e8-96c9-30193528f602\",\r\n \"description\": \"Security Center uses the Microsoft Monitoring Dependency Agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats.\",\r\n \"remediationDescription\": \"To remediate with a single click, in the Unhealthy resources tab (below), select the resources, and click Remediate. Read the remediation details in the confirmation box, insert the relevant parameters if required and approve the remediation.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b0df6f56-862d-4730-8597-38c0fd4ebd59\",\r\n \"name\": \"b0df6f56-862d-4730-8597-38c0fd4ebd59\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Sensitive data in your SQL databases should be classified\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/cc9835f2-9f6b-4cc8-ab4a-f8ef615eb349\",\r\n \"description\": \"Azure SQL DB Data discovery & classification provides capabilities for discovering, classifying, labeling, and protecting the sensitive data in your databases. Once your data is classified, you can use Azure SQL DB auditing to audit access and monitor the sensitive data. Azure SQL DB also enables Advanced Threat Protection features which creates intelligent alerts based on changes in the access patterns to the sensitive data.\",\r\n \"remediationDescription\": \"To remediate this recommendation: 1. In your SQL database, go to 'Advanced Data Security' and click 'Data Discovery and Classification'. 2. Review the recommended classifications. 3. Apply the relevant recommendations and dismiss the ones that are not applicable.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fe02b3b7-a722-d4d6-6731-6493776203a6\",\r\n \"name\": \"fe02b3b7-a722-d4d6-6731-6493776203a6\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities on your SQL databases should be remediated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc\",\r\n \"description\": \"SQL Vulnerability Assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security stature.\",\r\n \"remediationDescription\": \"To resolve SQL vulnerabilities: 1. In your SQL database, go to 'Advanced Data Security' and click 'Vulnerability Assessment'. 2. Review the set of Failed security checks found by the scan, which are sorted from high to low risk. 3. Click on each vulnerability to view its details and explicit remediation instructions and scripts. 4. Either remediate the vulnerability using the provided script, or set the result as an acceptable Baseline for the check so that it will be considered passing in subsequent scans.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f97aa83c-9b63-4f9a-99f6-b22c4398f936\",\r\n \"name\": \"f97aa83c-9b63-4f9a-99f6-b22c4398f936\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities on your SQL databases in VMs should be remediated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d\",\r\n \"description\": \"SQL Vulnerability Assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security stature.\",\r\n \"remediationDescription\": \"To resolve SQL vulnerabilities: 1. In your SQL database, go to 'Advanced Data Security' and click 'Vulnerability Assessment'. 2. Review the set of Failed security checks found by the scan, which are sorted from high to low risk. 3. Click on each vulnerability to view its details and explicit remediation instructions and scripts. 4. Either remediate the vulnerability using the provided script, or set the result as an acceptable Baseline for the check so that it will be considered passing in subsequent scans.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/dbd0cb49-b563-45e7-9724-889e799fa648\",\r\n \"name\": \"dbd0cb49-b563-45e7-9724-889e799fa648\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities in Azure Container Registry images should be remediated (powered by Qualys)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bf49982c-9e3e-4fc4-bc20-67afecd23512\",\r\n \"description\": \"Container image vulnerability assessment scans your registry for security vulnerabilities on each pushed container image and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks.\",\r\n \"remediationDescription\": \"To resolve container image vulnerabilities: 1. Navigate to the relevant resource under the 'Unhealthy' section and select the container image you are looking to remediate. 2. Review the set of failed security checks found by the scan, which are sorted from high to low risk. 3. Click on each vulnerability to view its details and explicit remediation instructions and scripts. 4. Remediate the vulnerability using the provided instructions described in the 'Remediation' field. 5. Upload the new remediated image to your registry. Review scan results for the new image to verify the vulnerability no longer exist. 6. Delete the old image with the vulnerability from you registry.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1195afff-c881-495e-9bc5-1486211ae03f\",\r\n \"name\": \"1195afff-c881-495e-9bc5-1486211ae03f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Remediate vulnerabilities found on your virtual machines (powered by Qualys)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9\",\r\n \"description\": \"Monitors for vulnerability findings on your virtual machines as were discovered by the built-in vulnerability assessment solution of Azure Security Center (powered by Qualys).\",\r\n \"remediationDescription\": \"Review and remediate vulnerability findings that were discovered by the built-in vulnerability assessment solution of Azure Security Center (powered by Qualys).\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/82e20e14-edc5-4373-bfc4-f13121257c37\",\r\n \"name\": \"82e20e14-edc5-4373-bfc4-f13121257c37\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities on your SQL databases should be remediated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc\",\r\n \"description\": \"SQL Vulnerability Assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security stature.\",\r\n \"remediationDescription\": \"To resolve SQL vulnerabilities: 1. In your SQL database, go to 'Advanced Data Security' and click 'Vulnerability Assessment'. 2. Review the set of Failed security checks found by the scan, which are sorted from high to low risk. 3. Click on each vulnerability to view its details and explicit remediation instructions and scripts. 4. Either remediate the vulnerability using the provided script, or set the result as an acceptable Baseline for the check so that it will be considered passing in subsequent scans.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n }\r\n ]\r\n}",
"StatusCode": 200
},
{
@@ -117,7 +117,7 @@
"-1"
]
},
- "ResponseBody": "{\r\n \"value\": [\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4fb67663-9ab9-475d-b026-8c544cced439\",\r\n \"name\": \"4fb67663-9ab9-475d-b026-8c544cced439\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Install endpoint protection solution on Linux virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9\",\r\n \"description\": \"\",\r\n \"remediationDescription\": \"\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0396b18c-41aa-489c-affd-4ee5d1714a59\",\r\n \"name\": \"0396b18c-41aa-489c-affd-4ee5d1714a59\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Secure Boot should be enabled on your virtual machine\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0396b18c-41aa-489c-affd-4ee5d1714a59\",\r\n \"description\": \"Enabling Secure Boot on your virtual machine helps mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only signed code will be allowed to run on your VM or server.\",\r\n \"remediationDescription\": \"Enabling Secure Boot requires restarting your virtual machine: 1. Stop your VM when it is safe to do so. 2. Enable Secure Boot for the VM. 3. Restart the VM.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ElevationOfPrivilege\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f7010359-8d21-4598-a9f2-c3e81a17141e\",\r\n \"name\": \"f7010359-8d21-4598-a9f2-c3e81a17141e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"All advanced threat protection types should be enabled in SQL server advanced data security settings\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e756b945-1b1b-480b-8de8-9a0859d5f7ad\",\r\n \"description\": \"It is recommended to enable all advanced threat protection types on your SQL servers. Enabling all types protects against SQL injection, database vulnerabilities, and any other anomalous activities.\",\r\n \"remediationDescription\": \"To set advanced threat protection types to 'All' on SQL servers: 1. Select the SQL server. 2. Make sure that 'Advanced data security' is set to 'On'. 3. Under 'Advanced threat protection types', mark the check box for 'all'. 4. click OK. 5. Click Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ebe970fe-9c27-4dd7-a165-1e943d565e10\",\r\n \"name\": \"ebe970fe-9c27-4dd7-a165-1e943d565e10\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"All advanced threat protection types should be enabled in SQL managed instance advanced data security settings\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bda18df3-5e41-4709-add9-2554ce68c966\",\r\n \"description\": \"It is recommended to enable all advanced threat protection types on your SQL managed instances. Enabling all types protects against SQL injection, database vulnerabilities, and any other anomalous activities.\",\r\n \"remediationDescription\": \"To set advanced threat protection types to 'All' on a managed instance: 1. Select the SQL server. 2. Make sure that 'Advanced data security' is set to 'On'. 3. Under 'Advanced threat protection types', mark the check box for 'all'. 4. click OK. 5. Click Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/64b8637e-4e1d-76a9-0fc9-c1e487a97ed8\",\r\n \"name\": \"64b8637e-4e1d-76a9-0fc9-c1e487a97ed8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Remote debugging should be turned off for Web Applications\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/cb510bfd-1cba-4d9f-a230-cb0976f4bb71\",\r\n \"description\": \"Remote debugging requires inbound ports to be opened on a web application. Remote debugging is currently enabled. If you no longer need to use remote debugging, it should be turned off.\",\r\n \"remediationDescription\": \"To turn off remote debugging, we recommend the following steps: 1. Go to the app service applications settings page 2. In the remote debugging toggle select Off 3. Click Save\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/df4d1739-47f0-60c7-1706-3731fea6ab03\",\r\n \"name\": \"df4d1739-47f0-60c7-1706-3731fea6ab03\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CORS should not allow every resource to access your Web Applications\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/5744710e-cc2f-4ee8-8809-3b11e89f4bc9\",\r\n \"description\": \"Cross-Origin Resource Sharing (CORS) should not allow all domains to access your web application. Allow only required domains to interact with your web app.\",\r\n \"remediationDescription\": \"To allow only required domains to interact with your web app, we recommend the following steps:<br>1. Go to the app service CORS page<br>2. Remove the \\\"*\\\" defined and instead specify explicit origins that should be allowed to make cross-origin calls<br>3. Click Save\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1b351b29-41ca-6df5-946c-c190a56be5fe\",\r\n \"name\": \"1b351b29-41ca-6df5-946c-c190a56be5fe\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Web Application should only be accessible over HTTPS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d\",\r\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\",\r\n \"remediationDescription\": \"To redirect all HTTP traffic to HTTPS, we recommend the following steps:
\\n1. Go to the app service custom domains page
\\n2. In the HTTPS Only toggle select On\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/093c685b-56dd-13a3-8ed5-887a001837a2\",\r\n \"name\": \"093c685b-56dd-13a3-8ed5-887a001837a2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Remote debugging should be turned off for Function App\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/0e60b895-3786-45da-8377-9c6b4b6ac5f9\",\r\n \"description\": \"Remote debugging requires inbound ports to be opened on an function app. Remote debugging should be turned off.\",\r\n \"remediationDescription\": \"To turn off remote debugging, we recommend the following steps:<br>1. Go to the app service applications settings page<br>2. In the remote debugging toggle select Off<br>3. Click Save\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7b3d4796-9400-2904-692b-4a5ede7f0a1e\",\r\n \"name\": \"7b3d4796-9400-2904-692b-4a5ede7f0a1e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CORS should not allow every resource to access your Function App\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/0820b7b9-23aa-4725-a1ce-ae4558f718e5\",\r\n \"description\": \"Cross-Origin Resource Sharing (CORS) should not allow all domains to access your Function app. Allow only required domains to interact with your Function app.\",\r\n \"remediationDescription\": \"To allow only required domains to interact with your web app, we recommend the following steps:<br>1. Go to the app service CORS page<br>2. Remove the \\\"*\\\" defined and instead specify explicit origins that should be allowed to make cross-origin calls<br>3. Click Save\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/cb0acdc6-0846-fd48-debe-9905af151b6d\",\r\n \"name\": \"cb0acdc6-0846-fd48-debe-9905af151b6d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Function App should only be accessible over HTTPS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab\",\r\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\",\r\n \"remediationDescription\": \"To redirect all HTTP traffic to HTTPS, we recommend the following steps:
\\n1. Go to the app service custom domains page
\\n2. In the HTTPS Only toggle select On\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9172da4e-9571-6e33-2b5b-d742847f3be7\",\r\n \"name\": \"9172da4e-9571-6e33-2b5b-d742847f3be7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Remote debugging should be turned off for API App\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/e9c8d085-d9cc-4b17-9cdc-059f1f01f19e\",\r\n \"description\": \"Remote debugging requires inbound ports to be opened on an API app. Remote debugging should be turned off.\",\r\n \"remediationDescription\": \"To turn off remote debugging, we recommend the following steps:<br>1. Go to the app service applications settings page<br>2. In the remote debugging toggle select Off<br>3. Click Save\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e40df93c-7a7c-1b0a-c787-9987ceb98e54\",\r\n \"name\": \"e40df93c-7a7c-1b0a-c787-9987ceb98e54\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CORS should not allow every resource to access your API App\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/358c20a6-3f9e-4f0e-97ff-c6ce485e2aac\",\r\n \"description\": \"Cross-Origin Resource Sharing (CORS) should not allow all domains to access your API app. Allow only required domains to interact with your API app.\",\r\n \"remediationDescription\": \"To allow only required domains to interact with your web app, we recommend the following steps:<br>1. Go to the app service CORS page<br>2. Remove the �*� defined and instead specify explicit origins that should be allowed to make cross-origin calls<br>3. Click Save\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bf82a334-13b6-ca57-ea75-096fc2ffce50\",\r\n \"name\": \"bf82a334-13b6-ca57-ea75-096fc2ffce50\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"API App should only be accessible over HTTPS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b7ddfbdc-1260-477d-91fd-98bd9be789a6\",\r\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\",\r\n \"remediationDescription\": \"To redirect all HTTP traffic to HTTPS, we recommend the following steps:
\\n1. Go to the app service custom domains page
\\n2. In the HTTPS Only toggle select On\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d57a4221-a804-52ca-3dea-768284f06bb7\",\r\n \"name\": \"d57a4221-a804-52ca-3dea-768284f06bb7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Disk encryption should be applied on virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d\",\r\n \"description\": \"Encrypt your virtual machine disks using Azure Disk Encryption both for Windows and Linux virtual machines.
\\n Azure Disk Encryption (ADE) leverages the industry standard BitLocker feature of Windows and the DM-Crypt feature of Linux to
\\n provide OS and data disk encryption to help protect and safeguard your data and help meet your organizational security and
\\n compliance commitments in customer Azure key vault. When your compliance and security requirement requires you to encrypt
\\n the data end to end using your encryption keys, including encryption of the ephemeral (locally attached temporary) disk, use
\\n Azure disk encryption. Alternatively, by default, Managed Disks are encrypted at rest by default using Azure Storage Service
\\n Encryption where the encryption keys are Microsoft managed keys in Azure. If this meets your compliance and security requirements,
\\n you can leverage the default Managed disk encryption to meet your requirements.\",\r\n \"remediationDescription\": \"To enable disk encryption on your virtual machines, follow Encryption instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4ab6e3c5-74dd-8b35-9ab9-f61b30875b27\",\r\n \"name\": \"4ab6e3c5-74dd-8b35-9ab9-f61b30875b27\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"System updates should be installed on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60\",\r\n \"description\": \"Install missing system security and critical updates to secure your Windows and Linux virtual machines and computers\",\r\n \"remediationDescription\": \"1. Click an identified outstanding update. 2. In the Missing system updates pane, click the support link and follow the instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c0f5316d-5ac5-9218-b77a-b96e16ccfd66\",\r\n \"name\": \"c0f5316d-5ac5-9218-b77a-b96e16ccfd66\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Your machines should be restarted to apply system updates\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60\",\r\n \"description\": \"Restart your machines to apply the system updates and secure the machine from vulnerabilities.\",\r\n \"remediationDescription\": \"To restart the machine:
\\n1. Go to Virtual machines and click on your machine.
\\n2. Click 'Restart'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/181ac480-f7c4-544b-9865-11b8ffe87f47\",\r\n \"name\": \"181ac480-f7c4-544b-9865-11b8ffe87f47\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities in security configuration on your machines should be remediated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15\",\r\n \"description\": \"Remediate vulnerabilities in security configuration on your machines to protect them from attacks.\",\r\n \"remediationDescription\": \"1.\\tClick any of the configuration vulnerabilities. 2. In the Remediate security configurations pane, click View affected machines. 3. Click a machine from the list. 4. Customize the Kusto query as necessary and run the command.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3bcd234d-c9c7-c2a2-89e0-c01f419c1a8a\",\r\n \"name\": \"3bcd234d-c9c7-c2a2-89e0-c01f419c1a8a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Endpoint protection health issues should be resolved on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9\",\r\n \"description\": \"For full Security Center protection, resolve monitoring agent issues on your machines by following the instructions in the Troubleshooting guide.\",\r\n \"remediationDescription\": \"1. Click any of the health issues. 2. Select a workspace. 3. Customize the Kusto query as necessary and run the command.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/83f577bd-a1b6-b7e1-0891-12ca19d1e6df\",\r\n \"name\": \"83f577bd-a1b6-b7e1-0891-12ca19d1e6df\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Install endpoint protection solution on virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9\",\r\n \"description\": \"Install an endpoint protection solution on your virtual machines, to protect them from threats and vulnerabilities.\",\r\n \"remediationDescription\": \"1.\\tSelect one or more virtual machines, or use the filter to set criteria for which machines to select. 2. Click Install on [x] VMs.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/651967bf-044e-4bde-8376-3e08e0600105\",\r\n \"name\": \"651967bf-044e-4bde-8376-3e08e0600105\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Transparent Data Encryption on SQL databases should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a8bef009-a5c9-4d0f-90d7-6018734e8a16\",\r\n \"description\": \"Enable transparent data encryption to protect data-at-rest and meet compliance requirements\",\r\n \"remediationDescription\": \"To enable transparent data encryption on your SQL databases: 1. Select the SQL database. 2. Under Data encryption, select On. 3. Click Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/94208a8b-16e8-4e5b-abbd-4e81c9d02bee\",\r\n \"name\": \"94208a8b-16e8-4e5b-abbd-4e81c9d02bee\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Auditing on SQL server should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9\",\r\n \"description\": \"Enable auditing on your SQL Server to track database activities across all databases on the server and save them in an audit log.\",\r\n \"remediationDescription\": \"To enable SQL server auditing:
\\n1. Select the SQL server.
\\n2. Under Auditing, select On.
\\n3. Select Storage details and configure a storage account for the audit log.
\\n4. Click Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8bc390da-9eb6-938d-25ed-44a35d9bcc9d\",\r\n \"name\": \"8bc390da-9eb6-938d-25ed-44a35d9bcc9d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"OS version should be updated for your cloud service roles\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Update the operating system (OS) version for your cloud service roles to the most recent version available for your OS family.\",\r\n \"remediationDescription\": \"Update the OS version on your cloud service roles to make sure you have the most recent OS version. To do this, follow the instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/383cf3bc-fdf9-4a02-120a-3e7e36c6bfee\",\r\n \"name\": \"383cf3bc-fdf9-4a02-120a-3e7e36c6bfee\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Install endpoint protection solution on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Install an endpoint protection solution on your Windows and Linux machines, to protect them from threats and vulnerabilities.\",\r\n \"remediationDescription\": \"1. Select one or more machines, or use the filter to set criteria for which machines to select. 2. Click Install on [x] machines.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e7ee30c4-bac9-2966-54bd-2023a4282872\",\r\n \"name\": \"e7ee30c4-bac9-2966-54bd-2023a4282872\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Monitoring agent should be installed on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This action installs a monitoring agent on the selected virtual machines. Select a workspace for the agent to report to.\",\r\n \"remediationDescription\": \"1. For instructions on how to install the agent on Windows, click here 2. For instructions on how to install the agent on Linux, click here\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8e2b96ff-3de2-289b-b5c1-3b9921a3441e\",\r\n \"name\": \"8e2b96ff-3de2-289b-b5c1-3b9921a3441e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Monitoring agent health issues should be resolved on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Security Center uses the Microsoft Monitoring Agent (MMA) to collect security events from your Azure virtual machines. To make sure your virtual machines are successfully monitored,
\\n you need to enable data collection in Security Center and make sure the MMA agent is both installed on the virtual machines and properly collects security events to the configured workspace.
\\n In some cases, the MMA agent may fail to properly report security events, due to multiple reasons. In these cases, coverage may be partial - security events won�t be properly processed,
\\n and in turn threat detection for the affected VMs may fail to function.\",\r\n \"remediationDescription\": \"To resolve monitoring agent health issues and see the different resolution for each issue, please see the following instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d1db3318-01ff-16de-29eb-28b344515626\",\r\n \"name\": \"d1db3318-01ff-16de-29eb-28b344515626\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Install monitoring agent on your virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Security Center uses the Microsoft Monitoring Agent (MMA) to collect security events from your Azure virtual machines.<br> We recommend configuring auto-provisioning to ensure the MMA is deployed automatically.<br> If you choose not to use auto-provisioning, you�ll need to follow the remediation steps to manually deploy the MMA for all your VMs.<br> You�ll also need to follow that procedure if your VMs are used by an Azure managed service such as Azure Kubernetes Service or Azure Service Fabric.\",\r\n \"remediationDescription\": \"Installation of the monitoring agent and enabling data collection in Security Center can be done in several ways:\\n- Using Security Center�s automatic provisioning on your subscription(s).
This will automatically provision the monitoring agent on current and future-created virtual machines on your subscription(s). (Learn more)
\\nYou can enable automatic provisioning on multiple subscriptions by clicking on the Getting started menu item, and select 'Install agents'.
You can also enable it for specific subscriptions and customize additional settings by clicking on the 'Security policy' menu item,
select 'Edit settings' on a subscription and enable auto provisioning in the 'data collection' menu item. \\n- Install the Microsoft Monitoring agent on your Virtual machines as a VM extension or directly, by following these instructions.
\\n- Provision the Microsoft Monitoring agent with Azure Policies. The applicable policy definitions are:
�[Preview]: Deploy Log Analytics Agent for Windows VMs� and �[Preview]: Deploy Log Analytics Agent for Linux VMs. \\n
\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/151e82c5-5341-a74b-1eb0-bc38d2c84bb5\",\r\n \"name\": \"151e82c5-5341-a74b-1eb0-bc38d2c84bb5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"MFA should be enabled on accounts with read permissions on your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e3576e28-8b17-4677-84c3-db2990658d64\",\r\n \"description\": \"Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources.\",\r\n \"remediationDescription\": \"Before enabling MFA for the users, you may want to take this opportunity to delete any users listed that are no longer active users.
To enable MFA using conditional access you must have an Azure AD Premium license and have AD tenant admin permissions.
To enable MFA on user accounts: 1. Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription. The list of user accounts that require enabling MFA opens. 2. Click 'Continue'. The Azure AD Conditional Access page opens. 3. In the Conditional Access page, add the list of users to an existing policy. If there are no existing policies create a new policy following these instructions:
a. Click '+New policy'.
b. In the 'Name' text box, enter a policy name.
c. Assign 'User and groups':
i. Select 'Users and groups' > In the 'Include' tab, select 'Select users and groups' and select the 'Users and groups' check box.
ii. Select the users that are in the list of user accounts require enabling MFA. You can scroll back to the left to see the list.
iii. After selecting the users, at the bottom of the list, click 'Select'.
iv. Click 'Done'.
d. Assign 'Cloud apps'
i. Select 'Cloud apps' > In the 'Include' tab, select 'All cloud apps'. (Don't exclude any apps.)
ii. Click 'Done'.
e. Assign 'Access Controls'
i. Select 'Grant' and select 'Require multi-factor authentication'. (Don't select any other options.)
ii. Click 'Select'.
f. Enable Policy.
i. Click 'On' 4. Click 'Create'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/57e98606-6b1e-6193-0e3d-fe621387c16b\",\r\n \"name\": \"57e98606-6b1e-6193-0e3d-fe621387c16b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"MFA should be enabled on accounts with write permissions on your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9297c21d-2ed6-4474-b48f-163f75654ce3\",\r\n \"description\": \"Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources.\",\r\n \"remediationDescription\": \"Before enabling MFA for the users, you may want to take this opportunity to delete any users listed that are no longer active users.
To enable MFA using conditional access you must have an Azure AD Premium license and have AD tenant admin permissions.
To enable MFA on user accounts: 1. Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription. The list of user accounts that require enabling MFA opens. 2. Click 'Continue'. The Azure AD Conditional Access page opens. 3. In the Conditional Access page, add the list of users to an existing policy. If there are no existing policies create a new policy following these instructions:
a. Click '+New policy'.
b. In the 'Name' text box, enter a policy name.
c. Assign 'User and groups':
i. Select 'Users and groups' > In the 'Include' tab, select 'Select users and groups' and select the 'Users and groups' check box.
ii. Select the users that are in the list of user accounts require enabling MFA. You can scroll back to the left to see the list.
iii. After selecting the users, at the bottom of the list, click 'Select'.
iv. Click 'Done'.
d. Assign 'Cloud apps'
i. Select 'Cloud apps' > In the 'Include' tab, select 'All cloud apps'. (Don't exclude any apps.)
ii. Click 'Done'.
e. Assign 'Access Controls'
i. Select 'Grant' and select 'Require multi-factor authentication'. (Don't select any other options.)
ii. Click 'Select'.
f. Enable Policy.
i. Click 'On' 4. Click 'Create'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/94290b00-4d0c-d7b4-7cea-064a9554e681\",\r\n \"name\": \"94290b00-4d0c-d7b4-7cea-064a9554e681\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"MFA should be enabled on accounts with owner permissions on your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/aa633080-8b72-40c4-a2d7-d00c03e80bed\",\r\n \"description\": \"Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources.\",\r\n \"remediationDescription\": \"Before enabling MFA for the users, you may want to take this opportunity to delete any users listed that are no longer active users.
To enable MFA using conditional access you must have an Azure AD Premium license and have AD tenant admin permissions.
To enable MFA on user accounts: 1. Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription. The list of user accounts that require enabling MFA opens. 2. Click 'Continue'. The Azure AD Conditional Access page opens. 3. In the Conditional Access page, add the list of users to an existing policy. If there are no existing policies create a new policy following these instructions:
a. Click '+New policy'.
b. In the 'Name' text box, enter a policy name.
c. Assign 'User and groups':
i. Select 'Users and groups' > In the 'Include' tab, select 'Select users and groups' and select the 'Users and groups' check box.
ii. Select the users that are in the list of user accounts require enabling MFA. You can scroll back to the left to see the list.
iii. After selecting the users, at the bottom of the list, click 'Select'.
iv. Click 'Done'.
d. Assign 'Cloud apps'
i. Select 'Cloud apps' > In the 'Include' tab, select 'All cloud apps'. (Don't exclude any apps.)
ii. Click 'Done'.
e. Assign 'Access Controls'
i. Select 'Grant' and select 'Require multi-factor authentication'. (Don't select any other options.)
ii. Click 'Select'.
f. Enable Policy.
i. Click 'On' 4. Click 'Create'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a8c6a4ad-d51e-88fe-2979-d3ee3c864f8b\",\r\n \"name\": \"a8c6a4ad-d51e-88fe-2979-d3ee3c864f8b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"External accounts with read permissions should be removed from your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5f76cf89-fbf2-47fd-a3f4-b891fa780b60\",\r\n \"description\": \"Accounts with read permissions that have different domain names (external accounts), should be removed from your subscription. This prevents unmonitored access. These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"To remove external accounts:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The list of external user accounts that require access removal opens.
Click 'Continue'. The Access control (IAM) page opens.
In the Access control page: 1. Click the 'Role assignments' 2. Search and select the users that were in the list of user accounts that require removal. You can scroll back to the left to see the list. 3. Click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/04e7147b-0deb-9796-2e5c-0336343ceb3d\",\r\n \"name\": \"04e7147b-0deb-9796-2e5c-0336343ceb3d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"External accounts with write permissions should be removed from your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5c607a2e-c700-4744-8254-d77e7c9eb5e4\",\r\n \"description\": \"Accounts with write permissions that have different domain names (external accounts), should be removed from your subscription. This prevents unmonitored access. These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"To remove external accounts:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The list of external user accounts that require access removal opens.
Click 'Continue'. The Access control (IAM) page opens.
In the Access control page: 1. Click the 'Role assignments' 2. Search and select the users that were in the list of user accounts that require removal. You can scroll back to the left to see the list. 3. Click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c3b6ae71-f1f0-31b4-e6c1-d5951285d03d\",\r\n \"name\": \"c3b6ae71-f1f0-31b4-e6c1-d5951285d03d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"External accounts with owner permissions should be removed from your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f8456c1c-aa66-4dfb-861a-25d127b775c9\",\r\n \"description\": \"Accounts with owner permissions that have different domain names (external accounts), should be removed from your subscription. This prevents unmonitored access. These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"To remove external accounts:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The list of external user accounts that require access removal opens.
Click 'Continue'. The Access control (IAM) page opens.
In the Access control page: 1. Click the 'Role assignments' 2. Search and select the users that were in the list of user accounts that require removal. You can scroll back to the left to see the list. 3. Click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/00c6d40b-e990-6acf-d4f3-471e747a27c4\",\r\n \"name\": \"00c6d40b-e990-6acf-d4f3-471e747a27c4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Deprecated accounts should be removed from your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6b1cbf55-e8b6-442f-ba4c-7246b6381474\",\r\n \"description\": \"User accounts that have been blocked from signing in, should be removed from your subscriptions.
These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"To remove blocked user accounts:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The list of blocked user accounts opens.
Click �Continue�. The Access control (IAM) page opens.
In the Access control page:1. Click the 'Role assignments' tab. 2. Search and select the users that were in the list of blocked user accounts that require removal. You can scroll back to the left to see the list. 3. Click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e52064aa-6853-e252-a11e-dffc675689c2\",\r\n \"name\": \"e52064aa-6853-e252-a11e-dffc675689c2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Deprecated accounts with owner permissions should be removed from your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ebb62a0c-3560-49e1-89ed-27e074e9f8ad\",\r\n \"description\": \"User accounts that have been blocked from signing in, should be removed from your subscriptions.
These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"To remove blocked user accounts:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The list of blocked user accounts opens.
Click �Continue�. The Access control (IAM) page opens.
In the Access control page:1. Click the 'Role assignments' tab. 2. Search and select the users that were in the list of blocked user accounts that require removal. You can scroll back to the left to see the list. 3. Click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6f90a6d6-d4d6-0794-0ec1-98fa77878c2e\",\r\n \"name\": \"6f90a6d6-d4d6-0794-0ec1-98fa77878c2e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"A maximum of 3 owners should be designated for your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4f11b553-d42e-4e3a-89be-32ca364cad4c\",\r\n \"description\": \"It is recommended to designate up to {0} subscription owners in order to reduce the potential for breach by a compromised owner.\",\r\n \"remediationDescription\": \"To remove owner permissions from user accounts on your subscription:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The Access control (IAM) page opens. 1. Click the Role assignments tab and set the 'Role' filter to 'Owner'. 2. Select the owners you want to remove. 3. Click Remove.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2c79b4af-f830-b61e-92b9-63dfa30f16e4\",\r\n \"name\": \"2c79b4af-f830-b61e-92b9-63dfa30f16e4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"There should be more than one owner assigned to your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/09024ccc-0c5f-475e-9457-b7c0d9ed487b\",\r\n \"description\": \"Designate more than one subscription owner in order to have administrator access redundancy.\",\r\n \"remediationDescription\": \"To add another account with owner permissions to your subscription:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The Access control (IAM) page opens. 1. Click 'Add' to open the Add role assignment pane.
If you don't have permissions to assign roles, the Add role assignment option will be disabled 1. In the 'Role' drop-down list, select the Owner role. 2. In the Select list, select a user. 3. Click Save.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0677209d-e675-2c6f-e91a-54cef2878663\",\r\n \"name\": \"0677209d-e675-2c6f-e91a-54cef2878663\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities in container security configurations should be remediated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933\",\r\n \"description\": \"Remediate vulnerabilities in security configuration on machines with Docker installed to protect them from attacks.\",\r\n \"remediationDescription\": \"To Remediate vulnerabilities in the container security configurations:1. Review the list of failed rules.2. Fix each rule according to the specified instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1db4f204-cb5a-4c9c-9254-7556403ce51c\",\r\n \"name\": \"1db4f204-cb5a-4c9c-9254-7556403ce51c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerability assessment should be enabled on your SQL servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9\",\r\n \"description\": \"Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities.\",\r\n \"remediationDescription\": \"To enable vulnerability assessment on SQL servers: 1. Select the SQL server. 2. Make sure that 'Advanced data security' is set to 'On'. 3. Under 'Vulnerability assessment settings', set 'Periodic recurring scans' to 'On', and configure a storage account for storing vulnerability assessment scan results. 4. Click Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/400a6682-992c-4726-9549-629fbc3b988f\",\r\n \"name\": \"400a6682-992c-4726-9549-629fbc3b988f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Advanced data security should be enabled on your SQL servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9\",\r\n \"description\": \"Advanced data security (ADS) is a unified package that provides advanced SQL security capabilities. It discovers and classifies sensitive data, surfaces and mitigates potential database vulnerabilities, and detects anomalous activities that could indicate a threat to your database. ADS is charged at $15 per SQL server.\",\r\n \"remediationDescription\": \"To enable advanced data security on SQL servers: 1. Select the SQL server. 2. Under 'Advanced Data Security', select 'On'. 3. Under 'Vulnerability Assessment Settings', set 'Periodic recurring scans' to 'On', and configure a storage account for storing vulnerability assessment scan results. 4. Click Save.
Note: ADS is charged at $15 per SQL server.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f0553104-cfdb-65e6-759c-002812e38500\",\r\n \"name\": \"f0553104-cfdb-65e6-759c-002812e38500\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"An Azure Active Directory administrator should be provisioned for SQL servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9\",\r\n \"description\": \"Provision an Azure AD administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services.\",\r\n \"remediationDescription\": \"To provision an Azure AD administrator for SQL server, see Configure and manage Azure Active Directory authentication with SQL Database, Managed Instance, or SQL Data Warehouse\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/12018f4f-3d10-999b-e4c4-86ec25be08a1\",\r\n \"name\": \"12018f4f-3d10-999b-e4c4-86ec25be08a1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Virtual machines should be migrated to new Azure Resource Manager resources\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d\",\r\n \"description\": \"To benefit from new capabilities in Azure Resource Manager, you can migrate existing deployments from the Classic deployment model. Resource Manager enables security enhancements such as: stronger access control (RBAC), better auditing, ARM-based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management. Learn more\",\r\n \"remediationDescription\": \"To migrate virtual machines to new ARM resources : 1. Go to the Virtual machine 2. Click on Migrate to ARM and follow the instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/22e18b64-4576-41e6-8972-0eb28c9af0c8\",\r\n \"name\": \"22e18b64-4576-41e6-8972-0eb28c9af0c8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fb893a29-21bb-418c-a157-e99480ec364c\",\r\n \"description\": \"Upgrade your Kubernetes service cluster to a later Kubernetes version to protect against known vulnerabilities in your current Kubernetes version. Vulnerability CVE-2019-9946 has been patched in Kubernetes versions 1.11.9+, 1.12.7+, 1.13.5+, and 1.14.0+\",\r\n \"remediationDescription\": \"To upgrade a Kubernetes version using the Azure portal: 1. Go to Azure Kubernetes Services and click on the specific Kubernetes Service. 2. Under 'Upgrade' select the target Kubernetes version and save the change. Note:When you upgrade an AKS cluster, Kubernetes minor versions cannot be skipped. For example, upgrades between 1.10.x -> 1.11.x or 1.11.x -> 1.12.x are allowed, however 1.10.x -> 1.12.x is not. To upgrade from 1.10.x -> 1.12.x, first upgrade from 1.10.x -> 1.11.x, then upgrade from 1.11.x -> 1.12.x.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"ElevationOfPrivilege\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1a2b5b4c-f80d-46e7-ac81-b51a9fb363de\",\r\n \"name\": \"1a2b5b4c-f80d-46e7-ac81-b51a9fb363de\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Authorized IP ranges should be defined on Kubernetes Services\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e246bcf-5f6f-4f87-bc6f-775d4712c7ea\",\r\n \"description\": \"Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster.\",\r\n \"remediationDescription\": \"To configure authorized IP ranges, follow the steps described here Secure access to the API server using authorized IP address ranges in Azure Kubernetes Service (AKS).\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DenialOfService\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a3eee263-aa01-4b52-a7c0-0094578ef48f\",\r\n \"name\": \"a3eee263-aa01-4b52-a7c0-0094578ef48f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Pod Security Policies should be defined on Kubernetes Services\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3abeb944-26af-43ee-b83d-32aaf060fb94\",\r\n \"description\": \"Define Pod Security Policies to reduce the attack vector by removing unnecessary application privileges. It is recommended to configure Pod Security Policies to only allow pods to access the resources which they have permissions to access.\",\r\n \"remediationDescription\": \"To configure Pod Security Policies, follow the steps described here Secure your cluster using pod security policies in Azure Kubernetes Service (AKS).\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ElevationOfPrivilege\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b0fdc63a-38e7-4bab-a7c4-2c2665abbaa9\",\r\n \"name\": \"b0fdc63a-38e7-4bab-a7c4-2c2665abbaa9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Role-Based Access Control should be used on Kubernetes Services\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ac4a19c2-fa67-49b4-8ae5-0b2e78c49457\",\r\n \"description\": \"To provide granular filtering on the actions that users can perform, use Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service Clusters and configure relevant authorization policies. For more information, see Azure role-based access control.\",\r\n \"remediationDescription\": \"To Use Role-Based Access Control (RBAC) you must recreate your Kubernetes Service cluster and enable RBAC during the creation process. Creating a Kubernetes Service with RBAC enabled can be done via the portal as follows: 1. Go to Azure Kubernetes Services. 2. Click 'Add' and enter your cluster's configuration. 3. In the 'Authentication' tab, verify that the 'Enable RBAC' setting is set to 'Yes'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"ElevationOfPrivilege\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c6dad669-efd7-cd72-61c5-289935607791\",\r\n \"name\": \"c6dad669-efd7-cd72-61c5-289935607791\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Data Lake Analytics should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c95c74d9-38fe-4f0d-af86-0c7d626a315c\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Data Lake Analytics diagnostics: 1. Go to Data Lake Analytics and click on your subscription. 2. Click Diagnostic settings and then click Turn on diagnostics. 3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c42fc28d-1703-45fc-aaa5-39797f570513\",\r\n \"name\": \"c42fc28d-1703-45fc-aaa5-39797f570513\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerability assessment should be enabled on your SQL managed instances\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b7aa243-30e4-4c9e-bca8-d0d3022b634a\",\r\n \"description\": \"Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities.\",\r\n \"remediationDescription\": \"To enable vulnerability assessment on a managed instance: 1. Select the SQL managed instance. 2. Make sure that 'Advanced data security' is set to 'On'. 3. Under 'Vulnerability assessment settings', set 'Periodic recurring scans' to 'On', and configure a storage account for storing vulnerability assessment scan results. 4. Click Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ff6dbca8-d93c-49fc-92af-dc25da7faccd\",\r\n \"name\": \"ff6dbca8-d93c-49fc-92af-dc25da7faccd\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Advanced data security should be enabled on your managed instances\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9\",\r\n \"description\": \"Advanced data security (ADS) is a unified package that provides advanced SQL security capabilities. It discovers and classifies sensitive data, surfaces and mitigates potential database vulnerabilities, and detects anomalous activities that could indicate a threat to your database. ADS is charged at $15 per managed SQL server.\",\r\n \"remediationDescription\": \"To enable advanced data security on managed SQL servers: 1. Select the managed SQL server. 2. Under 'Advanced Data Security', select 'On'. 3. Under 'Vulnerability Assessment Settings', set 'Periodic recurring scans' to 'On', and configure a storage account for storing vulnerability assessment scan results. 4. Click Save.
Note: ADS is charged at $15 per managed SQL server.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/35b25be2-d08a-e340-45ed-f08a95d804fc\",\r\n \"name\": \"35b25be2-d08a-e340-45ed-f08a95d804fc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Only secure connections to your Redis Cache should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/22bee202-a82f-4305-9a2a-6d7f44d4dedb\",\r\n \"description\": \"Enable only connections via SSL to Redis Cache. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.\",\r\n \"remediationDescription\": \"To enable only SSL connections to your Redis Cache, we recommend the following steps: 1. Go to the Redis Caches, and select your redis cache. 2. Select 'Advanced settings'. 3. For 'Allow access only via SSL', click 'Yes' and then click 'Save'.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/77785808-ce86-4e40-b45f-19110a547397\",\r\n \"name\": \"77785808-ce86-4e40-b45f-19110a547397\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in IoT Hub should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/383856f8-de7f-44a2-81fc-e5135b5c2aa4\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable IoT Hub diagnostics: 1. Go to the Event Hub namespace. 2. Click Diagnostic settings and then click Turn on diagnostics. 3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/32771b45-220c-1a8b-584e-fdd5a2584a66\",\r\n \"name\": \"32771b45-220c-1a8b-584e-fdd5a2584a66\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Batch accounts should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/428256e6-1fac-4f48-a757-df34c2b3336d\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Batch diagnostics: 1. Go to Batch and click on your subscription. 2. Click Diagnostic settings and then click Turn on diagnostics. 3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f11b27f2-8c49-5bb4-eff5-e1e5384bf95e\",\r\n \"name\": \"f11b27f2-8c49-5bb4-eff5-e1e5384bf95e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Azure Stream Analytics should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f9be5368-9bf5-4b84-9e0a-7850da98bb46\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Stream Analytics diagnostics: 1. Go to Stream Analytics and click on your subscription. 2. Click Diagnostic settings and then click Turn on diagnostics. 3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f19ab7d9-5ff2-f8fd-ab3b-0bf95dcb6889\",\r\n \"name\": \"f19ab7d9-5ff2-f8fd-ab3b-0bf95dcb6889\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Service Bus should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f8d36e2f-389b-4ee4-898d-21aeb69a0f45\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Service Bus diagnostics: 1. Go to the Service Bus. 2. Click Diagnostic settings and then click Turn on diagnostics. 3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b12bc79e-4f12-44db-acda-571820191ddc\",\r\n \"name\": \"b12bc79e-4f12-44db-acda-571820191ddc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Automation account variables should be encrypted\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735\",\r\n \"description\": \"It is important to enable encryption of Automation account variable assets when storing sensitive data.\",\r\n \"remediationDescription\": \"To apply encryption of the Automation account variable assets, in the Azure CLI - run the following command: Set-AzAutomationVariable -AutomationAccountName '{AutomationAccountName}' -Encrypted $true -Name '{VariableName}' -ResourceGroupName '{ResourceGroupName}' -Value '{Value}'
Read more here\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ad5bbaeb-7632-5edf-f1c2-752075831ce8\",\r\n \"name\": \"ad5bbaeb-7632-5edf-f1c2-752075831ce8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Azure Data Lake Store should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/057ef27e-665e-4328-8ea3-04b3122bd9fb\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Data Lake Store diagnostics: 1. Go to Data Lake Store and click on your subscription. 2. Click Diagnostic settings and then click Turn on diagnostics. 3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/dea5192e-1bb3-101b-b70c-4646546f5e1e\",\r\n \"name\": \"dea5192e-1bb3-101b-b70c-4646546f5e1e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Search services should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b4330a05-a843-4bc8-bf9a-cacce50c67f4\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Search diagnostics: 1. Go to Search and click on your subscription. 2. Click Diagnostic settings and then click Turn on diagnostics. 3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/03afeb6f-7634-adb3-0a01-803b0b9cb611\",\r\n \"name\": \"03afeb6f-7634-adb3-0a01-803b0b9cb611\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Service Fabric clusters should only use Azure Active Directory for client authentication\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b54ed75b-3e1a-44ac-a333-05ba39b99ff0\",\r\n \"description\": \"Perform Client authentication only via Azure Active Directory in Service Fabric\",\r\n \"remediationDescription\": \"To enable client authentication using Azure Active Directory follow the instructions to Set up Azure Active Directory for client authentication.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7f04fc0c-4a3d-5c7e-ce19-666cb871b510\",\r\n \"name\": \"7f04fc0c-4a3d-5c7e-ce19-666cb871b510\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/617c02be-7f02-4efd-8836-3180d47b6c68\",\r\n \"description\": \"Service Fabric provides three levels of protection (None, Sign and EncryptAndSign) for node-to-node communication using a primary cluster certificate. Set the protection level to ensure that all node-to-node messages are encrypted and digitally signed.\",\r\n \"remediationDescription\": \"To set 'ClusterProtectionLevel' inside Service Fabric ARM template to 'EncryptAndSign': 1. Go to the Service fabric cluster. 2. Click on 'Custom fabric settings'. 3. Click 'Add new', set the 'Security' section and update the 'ClusterProtectionLevel' property to 'EncryptAndSign'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1597605a-0faf-5860-eb74-462ae2e9fc21\",\r\n \"name\": \"1597605a-0faf-5860-eb74-462ae2e9fc21\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Event Hub should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83a214f7-d01a-484b-91a9-ed54470c9a6a\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Event Hub diagnostics: 1. Go to the Event Hub namespace. 2. Click Diagnostic settings and then click Turn on diagnostics. 3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/91387f44-7e43-4ecc-55f0-46f5adee3dd5\",\r\n \"name\": \"91387f44-7e43-4ecc-55f0-46f5adee3dd5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Logic Apps should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34f95f76-5386-4de7-b824-0d8478470c9d\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Logic Apps diagnostics: 1. Go to Logic Apps and click on your subscription. 2. Click Diagnostic settings and then click Turn on diagnostics. 3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/961eb649-3ea9-f8c2-6595-88e9a3aeedeb\",\r\n \"name\": \"961eb649-3ea9-f8c2-6595-88e9a3aeedeb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Virtual Machine Scale Sets should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7c1b1214-f927-48bf-8882-84f0af6588b1\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Virtual Machines Scale Sets diagnostics follow the instructions\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606\",\r\n \"description\": \"To benefit from new capabilities in Azure Resource Manager, you can migrate existing deployments from the Classic deployment model. Resource Manager enables security enhancements such as: stronger access control (RBAC), better auditing, ARM-based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management. Learn more\",\r\n \"remediationDescription\": \"To migrate storage accounts to new ARM resources : 1. Go to the Storage Account 2. Click on Migrate to ARM and follow the instructions.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/88bbc99c-e5af-ddd7-6105-6150b2bfa519\",\r\n \"name\": \"88bbc99c-e5af-ddd7-6105-6150b2bfa519\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Key Vault should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Key Vault diagnostics: 1. Go to Key Vault and click on your subscription. 2. Click Diagnostic settings and then click Turn on diagnostics. 3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/45d313c3-3fca-5040-035f-d61928366d31\",\r\n \"name\": \"45d313c3-3fca-5040-035f-d61928366d31\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Access to storage accounts with firewall and virtual network configurations should be restricted\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c\",\r\n \"description\": \"Review the settings of network access in your storage account firewall settings. It is recommended to configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premise clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges.\",\r\n \"remediationDescription\": \"1. In your storage account, go to 'Firewalls and virtual networks'. 2. Under 'Allow access from', choose 'Selected networks'. 3. Configure the relevant virtual networks and IP ranges that should be allowed to access your storage account. 4. Configure \\\"Allow trusted Microsoft services to access your storage account\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": \"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Secure transfer to storage accounts should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9\",\r\n \"description\": \"Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.\",\r\n \"remediationDescription\": \"To enable secure transfer required: 1. In your storage account, go to the 'Configuration' page. 2. Enable 'Secure transfer required'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bd20bd91-aaf1-7f14-b6e4-866de2f43146\",\r\n \"name\": \"bd20bd91-aaf1-7f14-b6e4-866de2f43146\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"System updates on virtual machine scale sets should be installed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe\",\r\n \"description\": \"Install missing system security and critical updates to secure your Windows and Linux virtual machine scale sets.\",\r\n \"remediationDescription\": \"To install system updates: 1. Review the list of missing system updates. 2. Follow the steps to resolve the update, as described in the support link.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/45cfe080-ceb1-a91e-9743-71551ed24e94\",\r\n \"name\": \"45cfe080-ceb1-a91e-9743-71551ed24e94\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Monitoring agent should be installed on virtual machine scale sets\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/f3631911-7880-4edb-88bd-6411f5e3b6ec\",\r\n \"description\": \"Security Center uses the Microsoft Monitoring Agent (MMA) to collect security events from your Azure virtual machine scale sets.<br> You cannot configure auto-provisioning of the MMA for Azure virtual machine scale sets. To deploy the MMA on virtual machine scale sets (including those used by Azure managed services such as Azure Kubernetes Service and Azure Service Fabric), please follow the procedure in the remediation steps.\",\r\n \"remediationDescription\": \"To install monitoring agent : 1. Select or create a workspace. 2. Click on Install to install the agent on the scale set.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8941d121-f740-35f6-952c-6561d2b38d36\",\r\n \"name\": \"8941d121-f740-35f6-952c-6561d2b38d36\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities in security configuration on your virtual machine scale sets should be remediated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4\",\r\n \"description\": \"Remediate vulnerabilities in security configuration on your virtual machine scale sets to protect them from attacks.\",\r\n \"remediationDescription\": \"To remediate vulnerabilities in VM scale set security configurations: 1. Review the list of failed rules. 2. Fix each rule according to the instructions provided.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/21300918-b2e3-0346-785f-c77ff57d243b\",\r\n \"name\": \"21300918-b2e3-0346-785f-c77ff57d243b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Endpoint protection solution should be installed on virtual machine scale sets\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de\",\r\n \"description\": \"Install an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities.\",\r\n \"remediationDescription\": \"To install an endpoint protection solution: 1. Follow the instructions in How do I turn on antimalware in my virtual machine scale set\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e71020c2-860c-3235-cd39-04f3f8c936d2\",\r\n \"name\": \"e71020c2-860c-3235-cd39-04f3f8c936d2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Endpoint protection health failures should be remediated on virtual machine scale sets\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de\",\r\n \"description\": \"Remediate endpoint protection health failures on your virtual machine scale sets to protect them from threats and vulnerabilities.\",\r\n \"remediationDescription\": \"Resolve endpoint protection health issues on your VM scale sets to get full protection and coverage by Azure Security Center. To do this, follow the instructions in each of the possible endpoint protection health issues displayed on your virtual machine scale set.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6c99f570-2ce7-46bc-8175-cde013df43bc\",\r\n \"name\": \"6c99f570-2ce7-46bc-8175-cde013df43bc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Guest configuration extension should be installed on Windows virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/5fc23db3-dd4d-4c56-bcc7-43626243e601\",\r\n \"description\": \"Install the guest configuration agent to enable auditing settings inside a machine such as: - The configuration of the operating system
- Application configuration or presence
- Environment settings
Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'.
For more details, visit in-guest policies\",\r\n \"remediationDescription\": \"Quick fix remediation:
To remediate with a single click, in the Unhealthy resources tab (below), select the resources, and click 'Remediate'.
Read the remediation details in the confirmation box, and approve the remediation.
Note: It can take several minutes after remediation completes to see the resources in the ‘healthy resources’ tab.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/22489c48-27d1-4e40-9420-4303ad9cffef\",\r\n \"name\": \"22489c48-27d1-4e40-9420-4303ad9cffef\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Windows Defender Exploit Guard should be enabled on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/bed48b13-6647-468e-aa2f-1af1d3f4dd40\",\r\n \"description\": \"Windows Defender Exploit Guard leverages the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only).\",\r\n \"remediationDescription\": \"Enable controlled folder access: controlled folder access
The following attack surface rules should be enabled:
'be9ba2d9-53ea-4cdc-84e5-9b1eeee46550',
'b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4',
'9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2',
'd4f940ab-401b-4efc-aadc-ad5f3c50688a',
'd3e037e1-3eb8-44c8-a917-57927947596d',
'5beb7efe-fd9a-4556-801d-275e5ffc04cc',
'3b576869-a4ec-4529-8536-b80a7769e899',
'26190899-1602-49e8-8b27-eb1d0a1ce869',
'92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B',
'7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c',
'75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84'
For more information on visit:attack surface reduction\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ThreatResistance\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/27ac71b1-75c5-41c2-adc2-858f5db45b08\",\r\n \"name\": \"27ac71b1-75c5-41c2-adc2-858f5db45b08\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Log Analytics agent should be installed on your Windows-based Azure Arc machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/d69b1763-b96d-40b8-a2d9-ca31e9fd0d3e\",\r\n \"description\": \"Security Center uses the Log Analytics agent (also known as MMA) to collect security events from your Azure Arc machines. To deploy the agent on all your Azure Arc machines, follow the remediation steps.\",\r\n \"remediationDescription\": \"Security Center can deploy the agents to all your machines with quick fix: 1. From the Unhealthy resources tab, select the relevant machines, and select \\\"Remediate\\\". 2. Read the remediation details in the confirmation box, modify the parameters as necessary, and approve the remediation. Note: It can take several minutes after remediation completes until the resources move to the Healthy resources tab. Manual Remediation: 1. From Azure Arc machine's page, go to Extensions and select Add. 2. Follow the instructions to add the relevant extension. You can also use ARM template or Azure Policies to manage the extension deployment to Arc servers.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/720a3e77-0b9a-4fa9-98b6-ddf0fd7e32c1\",\r\n \"name\": \"720a3e77-0b9a-4fa9-98b6-ddf0fd7e32c1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Log Analytics agent should be installed on your Linux-based Azure Arc machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/842c54e8-c2f9-4d79-ae8d-38d8b8019373\",\r\n \"description\": \"Security Center uses the Log Analytics agent (also known as OMS) to collect security events from your Azure Arc machines. To deploy the agent on all your Azure Arc machines, follow the remediation steps.\",\r\n \"remediationDescription\": \"Security Center can deploy the agents to all your machines with quick fix: 1. From the Unhealthy resources tab, select the relevant machines, and select \\\"Remediate\\\". 2. Read the remediation details in the confirmation box, modify the parameters as necessary, and approve the remediation. Note: It can take several minutes after remediation completes until the resources move to the Healthy resources tab. Manual Remediation: 1. From Azure Arc machine's page, go to Extensions and select Add. 2. Follow the instructions to add the relevant extension. You can also use ARM template or Azure Policies to manage the extension deployment to Arc servers.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9d07b7e6-2986-4964-a76c-b2689604e212\",\r\n \"name\": \"9d07b7e6-2986-4964-a76c-b2689604e212\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Identical Authentication Credentials\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5468b9f3-f0dd-41e3-a383-f0f442f34bcf\",\r\n \"description\": \"Identical authentication credentials to the IoT Hub used by multiple devices. This could indicate an illegitimate device impersonating a legitimate device. It also exposes the risk of device impersonation by an attacker\",\r\n \"remediationDescription\": \"Review the devices in question and make sure they are all valid. Replace any duplicated credentials and make sure all device authentication credentials are unique.\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5a3d6cdd-8eb3-46d2-ba11-d24a0d47fe65\",\r\n \"name\": \"5a3d6cdd-8eb3-46d2-ba11-d24a0d47fe65\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Default IP Filter Policy should be Deny\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bde66085-0bff-4163-a200-2ff7c1175045\",\r\n \"description\": \"IP Filter Configuration should have rules defined for allowed traffic and should deny all other traffic by default\",\r\n \"remediationDescription\": \"Add a default rule at the end of the defined rules list to deny all inbound traffic. Make sure any rules defined above it only allow wanted traffic through.\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d8326952-60bb-40fb-b33f-51e662708a88\",\r\n \"name\": \"d8326952-60bb-40fb-b33f-51e662708a88\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IP Filter rule large IP range\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3f528984-4591-4989-b6bc-6d9f67f3de57\",\r\n \"description\": \"An Allow IP Filter rule's source IP range is too large. Overly permissive rules might expose your IoT hub to malicious intenders\",\r\n \"remediationDescription\": \"Review the rule in question and verify source IP range is as small as it needs to be for necessary traffic to go through.\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1a36f14a-8bd8-45f5-abe5-eef88d76ab5b\",\r\n \"name\": \"1a36f14a-8bd8-45f5-abe5-eef88d76ab5b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Open Ports On Device\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fa676ae0-e4c3-4803-8ce8-e85df20b57cd\",\r\n \"description\": \"A listening endpoint was found on the device\",\r\n \"remediationDescription\": \"Review the open ports on the device and make sure they belong to legitimate and necessary processes for the device to function correctly\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ba975338-f956-41e7-a9f2-7614832d382d\",\r\n \"name\": \"ba975338-f956-41e7-a9f2-7614832d382d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Permissive firewall rule in the input chain was found\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a782bbed-a876-4631-9bc5-7ace7d466dc8\",\r\n \"description\": \"A rule in the firewall has been found that contains a permissive pattern for a wide range of IP addresses or Ports\",\r\n \"remediationDescription\": \"Review the rules in the recommendation and verify only necessary addresses / ports are allowed in\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/beb62be3-5e78-49bd-ac5f-099250ef3c7c\",\r\n \"name\": \"beb62be3-5e78-49bd-ac5f-099250ef3c7c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Permissive firewall policy in one of the chains was found\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fce8d615-a5d2-431d-ba4d-2d9ae164224f\",\r\n \"description\": \"An allowed firewall policy was found in main firewall Chains (INPUT/OUTPUT). The policy should Deny all traffic by default define rules to allow necessary communication to/from the device\",\r\n \"remediationDescription\": \"Change firewall policy to Drop and add specific rules to permit access to legitimate connections to/from the device\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d5a8d84a-9ad0-42e2-80e0-d38e3d46028a\",\r\n \"name\": \"d5a8d84a-9ad0-42e2-80e0-d38e3d46028a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Permissive firewall rule in the output chain was found\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/75af18a4-86e2-40ab-a157-359d67bd9314\",\r\n \"description\": \"A rule in the firewall has been found that contains a permissive pattern for a wide range of IP addresses or ports\",\r\n \"remediationDescription\": \"Review the rules in the recommendation and verify only necessary addresses / ports are allowed out\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3a577f3e-2a57-4197-bc79-85007d5c8cd8\",\r\n \"name\": \"3a577f3e-2a57-4197-bc79-85007d5c8cd8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Install the Azure Security of Things Agent\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b122f8fc-72f9-4a24-87ec-b71bdfb5a890\",\r\n \"description\": \"Installing the Azure Security of Things agent on a device increases the security detections available for it\",\r\n \"remediationDescription\": \"Install the Azure Security of Things Security Agent\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5f65e47f-7a00-4bf3-acae-90ee441ee876\",\r\n \"name\": \"5f65e47f-7a00-4bf3-acae-90ee441ee876\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Operating system baseline validation failure\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a15d59b-fbfe-41c9-bdb1-d900cc77eb6e\",\r\n \"description\": \"Security related system configuration issues identified\",\r\n \"remediationDescription\": \"Review the failed rules and remediate the security configuration vulnerabilities identified on your devices\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a9a59ebb-5d6f-42f5-92a1-036fd0fd1879\",\r\n \"name\": \"a9a59ebb-5d6f-42f5-92a1-036fd0fd1879\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Agent sending underutilized messages\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a6cb74de-df4c-497f-9e87-f0ccd430de6c\",\r\n \"description\": \"IoT agent message size capacity is currently underutilized, causing an increase in the number of sent messages. Adjust message intervals for better utilization\",\r\n \"remediationDescription\": \"To avoid too many underutilized messages, consider enlarging the high/low priority send intervals\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2acc27c6-5fdb-405e-9080-cb66b850c8f5\",\r\n \"name\": \"2acc27c6-5fdb-405e-9080-cb66b850c8f5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - TLS cipher suite upgrade needed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f4912296-8654-4bf1-bb7b-a42bfa368af6\",\r\n \"description\": \"Unsecure TLS configurations detected. Immediate TLS cipher suite upgrade recommended\",\r\n \"remediationDescription\": \"Upgrade your TLS cipher suite to a secure configuration. See the Guide to TLS Standards Compliance for more information\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d74d2738-2485-4103-9919-69c7e63776ec\",\r\n \"name\": \"d74d2738-2485-4103-9919-69c7e63776ec\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Auditd process stopped sending events\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5502d409-6ab3-401d-a4ae-619cf2bbf68e\",\r\n \"description\": \"Security events originated from Auditd process are no longer received from this device\",\r\n \"remediationDescription\": \"Verify Auditd process is running on the device, restart process or device as needed\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2acd365d-e8b5-4094-bce4-244b7c51d67c\",\r\n \"name\": \"2acd365d-e8b5-4094-bce4-244b7c51d67c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Service principals should be used to protect your subscriptions instead of Management Certificates\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Security/assessmentMetadata/2acd365d-e8b5-4094-bce4-244b7c51d67c\",\r\n \"description\": \"Management certificates allow anyone who authenticates with them to manage the subscription(s) they are associated with. To manage subscriptions more securely, using service principals with Resource Manager is recommended to limit the blast radius in the case of a certificate compromise. It also automates resource management. \",\r\n \"remediationDescription\": \"To remove management certificates and replace with service principals:1. Follow the guidance here to create service principals with a certificate. 2. Select a subscription from the list of subscriptions below or navigate to the specific subscription. 3. Select In the Management Certificates under Settings , delete the existing management certificates you would like to replace with the service principals you created.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"name\": \"eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Subnets should be associated with a network security group\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e71308d3-144b-4262-b144-efdc3cc90517\",\r\n \"description\": \"Protect your subnet from potential threats by restricting access to it with a network security group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. When an NSG is associated with a subnet, the ACL rules apply to all the VM instances and integrated services in that subnet, but don't apply to internal traffic inside the subnet. To secure resources in the same subnet from one another, enable NSG directly on the resources as well.\",\r\n \"remediationDescription\": \"To enable network security groups on your virtual machines: 1. Select a VM to enable NSG on its NIC. 2. In the 'Networking' blade, click the Network Interface that is associated with the selected VM. 3. In the 'Network interface' blade, click the 'Network security group' menu item. 4. Click the 'Edit' button at the top of the blade. 5. Follow the steps and select an existing network security group to attach to this VM.
Click here to learn more.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"name\": \"e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure DDoS Protection Standard should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd\",\r\n \"description\": \"Security Center has discovered virtual networks with applications and firewalls unprotected by the DDoS protection service. These apps and firewalls have public IPs. Enable mitigation of network volumetric and protocol attacks.\",\r\n \"remediationDescription\": \"1. Select a virtual network to enable the DDoS protection service standard on. 2. Select the Standard option. 3. Click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"ThreatResistance\",\r\n \"DenialOfService\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/35f45c95-27cf-4e52-891f-8390d1de5828\",\r\n \"name\": \"35f45c95-27cf-4e52-891f-8390d1de5828\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Adaptive application controls for whitelisting safe applications should be enabled on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc\",\r\n \"description\": \"Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.\",\r\n \"remediationDescription\": \"To enable and configure adaptive application controls: 1. From the portal, open Security Center. 2. Select \\\"Adaptive application controls\\\" from Security Center’s sidebar. 3. To see the groups of machines that Security Center recommends protecting with adaptive application controls, select the \\\"Recommended\\\" tab and choose a group of machines to protect. 4. Create a new applications control policy according to the instructions in Security Center’s documentation: https://aka.ms/aac-newpolicy\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\",\r\n \"ThreatResistance\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1234abcd-1b53-4fd4-9835-2c2fa3935313\",\r\n \"name\": \"1234abcd-1b53-4fd4-9835-2c2fa3935313\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Whitelisting rules in your adaptive application control policy should be updated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/123a3936-f020-408a-ba0c-47873faf1534\",\r\n \"description\": \"Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to whitelist in adaptive application control policies.\",\r\n \"remediationDescription\": \"To update your whitelists of known-safe applications: 1. From the portal, open Security Center. 2. Select \\\"Adaptive application controls\\\" from Security Center’s sidebar. 3. To see the groups of machines for which Security Center recommends updating the policy, select the \\\"Recommended\\\" tab and choose the configured group of machines. 4. The current policy will be displayed together with the new rules that Security Center recommends adding.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\",\r\n \"ThreatResistance\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f9f0eed0-f143-47bf-b856-671ea2eeed62\",\r\n \"name\": \"f9f0eed0-f143-47bf-b856-671ea2eeed62\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Adaptive Network Hardening recommendations should be applied on internet facing virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6\",\r\n \"description\": \"Azure Security Center has analyzed the internet traffic communication patterns of the virtual machines listed below, and determined that the existing rules in the NSGs associated to them are overly permissive, resulting in an increased potential attack surface.
This typically occurs when this IP address doesn't communicate regularly with this resource. Alternatively, the IP address has been flagged as malicious by Security Center's threat intelligence sources. learn more\",\r\n \"remediationDescription\": \"To harden the Network Security Group traffic rules, enforce the recommended rules by following the steps below or manually edit the rules directly on the Network Security Group:
- Select a VM from the list below, or click \\\"Take action\\\" if you've arrived from a specific VM's recommendation blade.
- Click the \\\"Rules\\\" tab.
- If you want to modify a recommended rule's parameters:
- In the rule that you want to change, select the three dots and select \\\"Edit rule\\\". The \\\"Edit rule\\\" blade opens.
- Modify the parameters that you want to change and click \\\"Save\\\". The blade closes.
- If you want to create a new rule:
- Click \\\"Add rule\\\" (in the top left corner). The \\\"Edit rule\\\" blade opens.
- Fill in the parameters and click \\\"Add rule\\\". The pane closes and the new rule is listed in the Rules tab.
- Select the rules that you want to apply (including any rules that you edited or added) and click \\\"Enforce\\\".
\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/805651bc-6ecd-4c73-9b55-97a19d0582d0\",\r\n \"name\": \"805651bc-6ecd-4c73-9b55-97a19d0582d0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Management ports of virtual machines should be protected with just-in-time network access control\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c\",\r\n \"description\": \"N/A\",\r\n \"remediationDescription\": \"N/A\",\r\n \"categories\": [\r\n \"Compute\",\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/01b1ed4c-b733-4fee-b145-f23236e70cf3\",\r\n \"name\": \"01b1ed4c-b733-4fee-b145-f23236e70cf3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerability assessment solution should be installed on your virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/760a85ff-6162-42b3-8d70-698e268f648c\",\r\n \"description\": \"N/A\",\r\n \"remediationDescription\": \"N/A\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/71992a2a-d168-42e0-b10e-6b45fa2ecddb\",\r\n \"name\": \"71992a2a-d168-42e0-b10e-6b45fa2ecddb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities should be remediated by a Vulnerability Assessment solution\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/760a85ff-6162-42b3-8d70-698e268f648c\",\r\n \"description\": \"N/A\",\r\n \"remediationDescription\": \"N/A\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\",\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bc303248-3d14-44c2-96a0-55f5c326b5fe\",\r\n \"name\": \"bc303248-3d14-44c2-96a0-55f5c326b5fe\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Management ports should be closed on your virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/22730e10-96f6-4aac-ad84-9383d35b5917\",\r\n \"description\": \"Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.\",\r\n \"remediationDescription\": \"We recommend that you edit the inbound rules of some of your virtual machines, to restrict access to specific source ranges.
To restrict access to your virtual machines: 1. Select a VM to restrict access to. 2. In the 'Networking' blade, click on each of the rules that allow management ports (e.g. RDP-3389, WINRM-5985, SSH-22). 3. Either change the 'Action' property to 'Deny', or, improve the rule by applying a less permissive range of source IP ranges. 4. Click 'Save'.
Use Azure Security Center's Just-in-time (JIT) virtual machine (VM) access to lock down inbound traffic to your Azure VMs by demand. Click here to learn more.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ThreatResistance\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c3b51c94-588b-426b-a892-24696f9e54cc\",\r\n \"name\": \"c3b51c94-588b-426b-a892-24696f9e54cc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IP forwarding on your virtual machine should be disabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744\",\r\n \"description\": \"Azure Security Center has discovered that IP forwarding is enabled on some of your virtual machines. Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.\",\r\n \"remediationDescription\": \"We recommend you edit the IP configurations of the NICs belonging to some of your virtual machines.
To disable IP forwarding: 1. Select a VM from the list below, or click 'Take action' if you've arrived from a specific VM's recommendation blade. 2. In the 'Networking' blade, click on the NIC link ('Network Interface' in the top left). 3. In the 'IP configurations' blade, set the 'IP forwarding' field to 'Disabled'. 4. Click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3b20e985-f71f-483b-b078-f30d73936d43\",\r\n \"name\": \"3b20e985-f71f-483b-b078-f30d73936d43\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"All network ports should be restricted on NSG associated to your VM\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9daedab3-fb2d-461e-b861-71790eead4f6\",\r\n \"description\": \"Azure Security center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to easily target your resources.\",\r\n \"remediationDescription\": \"We recommend that you edit the inbound rules of some of your virtual machines, to restrict access to specific source ranges.
To restrict access to your virtual machines: 1. Select a VM to restrict access to. 2. In the 'Networking' blade, click the Network Security Group with overly permissive rules. 3. In the 'Network security group' blade, click on each of the rules that are overly permissive. 4. Improve the rule by applying less permissive source IP ranges. 5. Apply the suggested changes and click 'Save'.
If some or all of these virtual machines do not need to be accessed directly from the Internet, then you can also consider removing the public IP associated to them.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/483f12ed-ae23-447e-a2de-a67a10db4353\",\r\n \"name\": \"483f12ed-ae23-447e-a2de-a67a10db4353\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Internet-facing virtual machines should be protected with network security groups\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c\",\r\n \"description\": \"Protect your VM from potential threats by restricting access to it with a network security group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your VM from other instances, in or outside the same subnet.
Please note that to keep your machine as secured as possible, both the VM access to the Internet must be restricted, and an NSG should be enabled on the subnet.
VMs with 'High' severity are Internet-facing VMs.\",\r\n \"remediationDescription\": \"To enable Network Security Groups on your virtual machines: 1. Select a VM to enable NSG on its NIC. 2. In the 'Networking' blade, click the Network Interface that is associated with the selected VM. 3. In the 'Network interface' blade, click the 'Network security group' menu item. 4. Click the 'Edit' button at the top of the blade. 5. Follow the steps and select an existing network security group to attach to this VM.
Click here to learn more.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a9341235-9389-42f0-a0bf-9bfb57960d44\",\r\n \"name\": \"a9341235-9389-42f0-a0bf-9bfb57960d44\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Non-internet-facing virtual machines should be protected with network security groups\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6\",\r\n \"description\": \"Protect your non-internet-facing virtual machine from potential threats by restricting access to it with a network security group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your VM from other instances, whether or not they're on the same subnet.
Note that to keep your machine as secure as possible, the VM's access to the internet must be restricted and an NSG should be enabled on the subnet.\",\r\n \"remediationDescription\": \"To enable network security groups on your virtual machines: 1. Select a VM to enable an NSG on its NIC. 2. In the 'Networking' pane, select the Network Interface that is associated with the selected VM. 3. In the 'Network interface' pane, select the 'Network security group' menu item. 4. Select 'Edit' at the top of the pane. 5. Follow the steps and select an existing network security group to attach to this VM.
Learn more.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/550e890b-e652-4d22-8274-60b3bdb24c63\",\r\n \"name\": \"550e890b-e652-4d22-8274-60b3bdb24c63\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Enable the built-in vulnerability assessment solution on virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9\",\r\n \"description\": \"Install the Qualys extension (built-in to the Azure Security Center standard tier) to enable the industry-leading vulnerability assessment solution on your virtual machines.\",\r\n \"remediationDescription\": \"To remediate with a single click, in the Unhealthy resources tab (below), select the resources, and click 'Remediate'. Read the remediation details in the confirmation box, insert the relevant parameters if required and approve the remediation. Note: It can take several minutes after remediation completes to see the resources in the ‘healthy resources’\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/57f36d21-69e3-4b0f-a66c-18629d1b736d\",\r\n \"name\": \"57f36d21-69e3-4b0f-a66c-18629d1b736d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Adaptive Network Hardening recommendations should be applied on internal facing virtual machines (Preview)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/65f6008c-c7de-4146-b4f2-0f91aa80ebe0\",\r\n \"description\": \"Azure Security Center has analyzed the Internet traffic communication patterns of the virtual machines listed below, and determined that the existing rules in the NSGs associated to them are overly permissive, resulting in an increased potential attack surface. This could be due lack of traffic on the port/protocol tuples or specific IPs which have been flagged as malicious by Security Center's threat intelligence sources.\",\r\n \"remediationDescription\": \"Security Center recommends that you modify the rules of your virtual machines, to close ports which are not in use.
To close unused ports on your Virtual Machine with a Network Security Group
1. Select a Virtual Machine to display a list of its unused open ports
2. Open the Virtual Machine's Networking blade by clicking its name
3. Edit the Virtual Machine's inbound/outbound rules to block ports according to the list
4. Click Save\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/24d8af06-d441-40b4-a49c-311421aa9f58\",\r\n \"name\": \"24d8af06-d441-40b4-a49c-311421aa9f58\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Network traffic data collection agent should be installed on Windows virtual machines (Preview)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2f2ee1de-44aa-4762-b6bd-0893fc3f306d\",\r\n \"description\": \"Security Center uses the Microsoft Monitoring Dependency Agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats.\",\r\n \"remediationDescription\": \"To remediate with a single click, in the Unhealthy resources tab (below), select the resources, and click Remediate. Read the remediation details in the confirmation box, insert the relevant parameters if required and approve the remediation.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8c3e93d3-0276-4d06-b20a-9a9f3012742c\",\r\n \"name\": \"8c3e93d3-0276-4d06-b20a-9a9f3012742c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Network traffic data collection agent should be installed on Linux virtual machines (Preview)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/04c4380f-3fae-46e8-96c9-30193528f602\",\r\n \"description\": \"Security Center uses the Microsoft Monitoring Dependency Agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats.\",\r\n \"remediationDescription\": \"To remediate with a single click, in the Unhealthy resources tab (below), select the resources, and click Remediate. Read the remediation details in the confirmation box, insert the relevant parameters if required and approve the remediation.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b0df6f56-862d-4730-8597-38c0fd4ebd59\",\r\n \"name\": \"b0df6f56-862d-4730-8597-38c0fd4ebd59\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Sensitive data in your SQL databases should be classified\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/cc9835f2-9f6b-4cc8-ab4a-f8ef615eb349\",\r\n \"description\": \"Azure SQL DB Data discovery & classification provides capabilities for discovering, classifying, labeling, and protecting the sensitive data in your databases. Once your data is classified, you can use Azure SQL DB auditing to audit access and monitor the sensitive data. Azure SQL DB also enables Advanced Threat Protection features which creates intelligent alerts based on changes in the access patterns to the sensitive data.\",\r\n \"remediationDescription\": \"To remediate this recommendation: 1. In your SQL database, go to 'Advanced Data Security' and click 'Data Discovery and Classification'. 2. Review the recommended classifications. 3. Apply the relevant recommendations and dismiss the ones that are not applicable.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fe02b3b7-a722-d4d6-6731-6493776203a6\",\r\n \"name\": \"fe02b3b7-a722-d4d6-6731-6493776203a6\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities on your SQL databases should be remediated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc\",\r\n \"description\": \"SQL Vulnerability Assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security stature.\",\r\n \"remediationDescription\": \"To resolve SQL vulnerabilities: 1. In your SQL database, go to 'Advanced Data Security' and click 'Vulnerability Assessment'. 2. Review the set of Failed security checks found by the scan, which are sorted from high to low risk. 3. Click on each vulnerability to view its details and explicit remediation instructions and scripts. 4. Either remediate the vulnerability using the provided script, or set the result as an acceptable Baseline for the check so that it will be considered passing in subsequent scans.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f97aa83c-9b63-4f9a-99f6-b22c4398f936\",\r\n \"name\": \"f97aa83c-9b63-4f9a-99f6-b22c4398f936\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities on your SQL databases in VMs should be remediated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d\",\r\n \"description\": \"SQL Vulnerability Assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security stature.\",\r\n \"remediationDescription\": \"To resolve SQL vulnerabilities: 1. In your SQL database, go to 'Advanced Data Security' and click 'Vulnerability Assessment'. 2. Review the set of Failed security checks found by the scan, which are sorted from high to low risk. 3. Click on each vulnerability to view its details and explicit remediation instructions and scripts. 4. Either remediate the vulnerability using the provided script, or set the result as an acceptable Baseline for the check so that it will be considered passing in subsequent scans.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/dbd0cb49-b563-45e7-9724-889e799fa648\",\r\n \"name\": \"dbd0cb49-b563-45e7-9724-889e799fa648\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities in Azure Container Registry images should be remediated (powered by Qualys)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bf49982c-9e3e-4fc4-bc20-67afecd23512\",\r\n \"description\": \"Container image vulnerability assessment scans your registry for security vulnerabilities on each pushed container image and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks.\",\r\n \"remediationDescription\": \"To resolve container image vulnerabilities: 1. Navigate to the relevant resource under the 'Unhealthy' section and select the container image you are looking to remediate. 2. Review the set of failed security checks found by the scan, which are sorted from high to low risk. 3. Click on each vulnerability to view its details and explicit remediation instructions and scripts. 4. Remediate the vulnerability using the provided instructions described in the 'Remediation' field. 5. Upload the new remediated image to your registry. Review scan results for the new image to verify the vulnerability no longer exist. 6. Delete the old image with the vulnerability from you registry.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1195afff-c881-495e-9bc5-1486211ae03f\",\r\n \"name\": \"1195afff-c881-495e-9bc5-1486211ae03f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Remediate vulnerabilities found on your virtual machines (powered by Qualys)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9\",\r\n \"description\": \"Monitors for vulnerability findings on your virtual machines as were discovered by the built-in vulnerability assessment solution of Azure Security Center (powered by Qualys).\",\r\n \"remediationDescription\": \"Review and remediate vulnerability findings that were discovered by the built-in vulnerability assessment solution of Azure Security Center (powered by Qualys).\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/82e20e14-edc5-4373-bfc4-f13121257c37\",\r\n \"name\": \"82e20e14-edc5-4373-bfc4-f13121257c37\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities on your SQL databases should be remediated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc\",\r\n \"description\": \"SQL Vulnerability Assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security stature.\",\r\n \"remediationDescription\": \"To resolve SQL vulnerabilities: 1. In your SQL database, go to 'Advanced Data Security' and click 'Vulnerability Assessment'. 2. Review the set of Failed security checks found by the scan, which are sorted from high to low risk. 3. Click on each vulnerability to view its details and explicit remediation instructions and scripts. 4. Either remediate the vulnerability using the provided script, or set the result as an acceptable Baseline for the check so that it will be considered passing in subsequent scans.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessmentMetadata/45fb078b-a96e-4d0b-90cb-f3ed8a5530c0\",\r\n \"name\": \"45fb078b-a96e-4d0b-90cb-f3ed8a5530c0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Testing the cmdlet\",\r\n \"assessmentType\": \"CustomerManaged\",\r\n \"description\": \"Testing that creating a new metadata is working\",\r\n \"categories\": [\r\n \"Unknown\"\r\n ],\r\n \"severity\": \"High\"\r\n }\r\n }\r\n ]\r\n}",
+ "ResponseBody": "{\r\n \"value\": [\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4fb67663-9ab9-475d-b026-8c544cced439\",\r\n \"name\": \"4fb67663-9ab9-475d-b026-8c544cced439\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Install endpoint protection solution on Linux virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9\",\r\n \"description\": \"\",\r\n \"remediationDescription\": \"\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0396b18c-41aa-489c-affd-4ee5d1714a59\",\r\n \"name\": \"0396b18c-41aa-489c-affd-4ee5d1714a59\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Secure Boot should be enabled on your virtual machine\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0396b18c-41aa-489c-affd-4ee5d1714a59\",\r\n \"description\": \"Enabling Secure Boot on your virtual machine helps mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only signed code will be allowed to run on your VM or server.\",\r\n \"remediationDescription\": \"Enabling Secure Boot requires restarting your virtual machine: 1. Stop your VM when it is safe to do so. 2. Enable Secure Boot for the VM. 3. Restart the VM.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ElevationOfPrivilege\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f7010359-8d21-4598-a9f2-c3e81a17141e\",\r\n \"name\": \"f7010359-8d21-4598-a9f2-c3e81a17141e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"All advanced threat protection types should be enabled in SQL server advanced data security settings\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e756b945-1b1b-480b-8de8-9a0859d5f7ad\",\r\n \"description\": \"It is recommended to enable all advanced threat protection types on your SQL servers. Enabling all types protects against SQL injection, database vulnerabilities, and any other anomalous activities.\",\r\n \"remediationDescription\": \"To set advanced threat protection types to 'All' on SQL servers: 1. Select the SQL server. 2. Make sure that 'Advanced data security' is set to 'On'. 3. Under 'Advanced threat protection types', mark the check box for 'all'. 4. click OK. 5. Click Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ebe970fe-9c27-4dd7-a165-1e943d565e10\",\r\n \"name\": \"ebe970fe-9c27-4dd7-a165-1e943d565e10\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"All advanced threat protection types should be enabled in SQL managed instance advanced data security settings\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bda18df3-5e41-4709-add9-2554ce68c966\",\r\n \"description\": \"It is recommended to enable all advanced threat protection types on your SQL managed instances. Enabling all types protects against SQL injection, database vulnerabilities, and any other anomalous activities.\",\r\n \"remediationDescription\": \"To set advanced threat protection types to 'All' on a managed instance: 1. Select the SQL server. 2. Make sure that 'Advanced data security' is set to 'On'. 3. Under 'Advanced threat protection types', mark the check box for 'all'. 4. click OK. 5. Click Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/64b8637e-4e1d-76a9-0fc9-c1e487a97ed8\",\r\n \"name\": \"64b8637e-4e1d-76a9-0fc9-c1e487a97ed8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Remote debugging should be turned off for Web Applications\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/cb510bfd-1cba-4d9f-a230-cb0976f4bb71\",\r\n \"description\": \"Remote debugging requires inbound ports to be opened on a web application. Remote debugging is currently enabled. If you no longer need to use remote debugging, it should be turned off.\",\r\n \"remediationDescription\": \"To turn off remote debugging, we recommend the following steps: 1. Go to the app service applications settings page 2. In the remote debugging toggle select Off 3. Click Save\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/df4d1739-47f0-60c7-1706-3731fea6ab03\",\r\n \"name\": \"df4d1739-47f0-60c7-1706-3731fea6ab03\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CORS should not allow every resource to access your Web Applications\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/5744710e-cc2f-4ee8-8809-3b11e89f4bc9\",\r\n \"description\": \"Cross-Origin Resource Sharing (CORS) should not allow all domains to access your web application. Allow only required domains to interact with your web app.\",\r\n \"remediationDescription\": \"To allow only required domains to interact with your web app, we recommend the following steps:<br>1. Go to the app service CORS page<br>2. Remove the \\\"*\\\" defined and instead specify explicit origins that should be allowed to make cross-origin calls<br>3. Click Save\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1b351b29-41ca-6df5-946c-c190a56be5fe\",\r\n \"name\": \"1b351b29-41ca-6df5-946c-c190a56be5fe\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Web Application should only be accessible over HTTPS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d\",\r\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\",\r\n \"remediationDescription\": \"To redirect all HTTP traffic to HTTPS, we recommend the following steps:
\\n1. Go to the app service custom domains page
\\n2. In the HTTPS Only toggle select On\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/093c685b-56dd-13a3-8ed5-887a001837a2\",\r\n \"name\": \"093c685b-56dd-13a3-8ed5-887a001837a2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Remote debugging should be turned off for Function App\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/0e60b895-3786-45da-8377-9c6b4b6ac5f9\",\r\n \"description\": \"Remote debugging requires inbound ports to be opened on an function app. Remote debugging should be turned off.\",\r\n \"remediationDescription\": \"To turn off remote debugging, we recommend the following steps:<br>1. Go to the app service applications settings page<br>2. In the remote debugging toggle select Off<br>3. Click Save\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7b3d4796-9400-2904-692b-4a5ede7f0a1e\",\r\n \"name\": \"7b3d4796-9400-2904-692b-4a5ede7f0a1e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CORS should not allow every resource to access your Function App\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/0820b7b9-23aa-4725-a1ce-ae4558f718e5\",\r\n \"description\": \"Cross-Origin Resource Sharing (CORS) should not allow all domains to access your Function app. Allow only required domains to interact with your Function app.\",\r\n \"remediationDescription\": \"To allow only required domains to interact with your web app, we recommend the following steps:<br>1. Go to the app service CORS page<br>2. Remove the \\\"*\\\" defined and instead specify explicit origins that should be allowed to make cross-origin calls<br>3. Click Save\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/cb0acdc6-0846-fd48-debe-9905af151b6d\",\r\n \"name\": \"cb0acdc6-0846-fd48-debe-9905af151b6d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Function App should only be accessible over HTTPS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab\",\r\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\",\r\n \"remediationDescription\": \"To redirect all HTTP traffic to HTTPS, we recommend the following steps:
\\n1. Go to the app service custom domains page
\\n2. In the HTTPS Only toggle select On\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9172da4e-9571-6e33-2b5b-d742847f3be7\",\r\n \"name\": \"9172da4e-9571-6e33-2b5b-d742847f3be7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Remote debugging should be turned off for API App\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/e9c8d085-d9cc-4b17-9cdc-059f1f01f19e\",\r\n \"description\": \"Remote debugging requires inbound ports to be opened on an API app. Remote debugging should be turned off.\",\r\n \"remediationDescription\": \"To turn off remote debugging, we recommend the following steps:<br>1. Go to the app service applications settings page<br>2. In the remote debugging toggle select Off<br>3. Click Save\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e40df93c-7a7c-1b0a-c787-9987ceb98e54\",\r\n \"name\": \"e40df93c-7a7c-1b0a-c787-9987ceb98e54\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CORS should not allow every resource to access your API App\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/358c20a6-3f9e-4f0e-97ff-c6ce485e2aac\",\r\n \"description\": \"Cross-Origin Resource Sharing (CORS) should not allow all domains to access your API app. Allow only required domains to interact with your API app.\",\r\n \"remediationDescription\": \"To allow only required domains to interact with your web app, we recommend the following steps:<br>1. Go to the app service CORS page<br>2. Remove the �*� defined and instead specify explicit origins that should be allowed to make cross-origin calls<br>3. Click Save\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bf82a334-13b6-ca57-ea75-096fc2ffce50\",\r\n \"name\": \"bf82a334-13b6-ca57-ea75-096fc2ffce50\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"API App should only be accessible over HTTPS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b7ddfbdc-1260-477d-91fd-98bd9be789a6\",\r\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\",\r\n \"remediationDescription\": \"To redirect all HTTP traffic to HTTPS, we recommend the following steps:
\\n1. Go to the app service custom domains page
\\n2. In the HTTPS Only toggle select On\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d57a4221-a804-52ca-3dea-768284f06bb7\",\r\n \"name\": \"d57a4221-a804-52ca-3dea-768284f06bb7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Disk encryption should be applied on virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d\",\r\n \"description\": \"Encrypt your virtual machine disks using Azure Disk Encryption both for Windows and Linux virtual machines.
\\n Azure Disk Encryption (ADE) leverages the industry standard BitLocker feature of Windows and the DM-Crypt feature of Linux to
\\n provide OS and data disk encryption to help protect and safeguard your data and help meet your organizational security and
\\n compliance commitments in customer Azure key vault. When your compliance and security requirement requires you to encrypt
\\n the data end to end using your encryption keys, including encryption of the ephemeral (locally attached temporary) disk, use
\\n Azure disk encryption. Alternatively, by default, Managed Disks are encrypted at rest by default using Azure Storage Service
\\n Encryption where the encryption keys are Microsoft managed keys in Azure. If this meets your compliance and security requirements,
\\n you can leverage the default Managed disk encryption to meet your requirements.\",\r\n \"remediationDescription\": \"To enable disk encryption on your virtual machines, follow Encryption instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4ab6e3c5-74dd-8b35-9ab9-f61b30875b27\",\r\n \"name\": \"4ab6e3c5-74dd-8b35-9ab9-f61b30875b27\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"System updates should be installed on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60\",\r\n \"description\": \"Install missing system security and critical updates to secure your Windows and Linux virtual machines and computers\",\r\n \"remediationDescription\": \"1. Click an identified outstanding update. 2. In the Missing system updates pane, click the support link and follow the instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c0f5316d-5ac5-9218-b77a-b96e16ccfd66\",\r\n \"name\": \"c0f5316d-5ac5-9218-b77a-b96e16ccfd66\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Your machines should be restarted to apply system updates\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60\",\r\n \"description\": \"Restart your machines to apply the system updates and secure the machine from vulnerabilities.\",\r\n \"remediationDescription\": \"To restart the machine:
\\n1. Go to Virtual machines and click on your machine.
\\n2. Click 'Restart'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/181ac480-f7c4-544b-9865-11b8ffe87f47\",\r\n \"name\": \"181ac480-f7c4-544b-9865-11b8ffe87f47\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities in security configuration on your machines should be remediated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15\",\r\n \"description\": \"Remediate vulnerabilities in security configuration on your machines to protect them from attacks.\",\r\n \"remediationDescription\": \"1.\\tClick any of the configuration vulnerabilities. 2. In the Remediate security configurations pane, click View affected machines. 3. Click a machine from the list. 4. Customize the Kusto query as necessary and run the command.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3bcd234d-c9c7-c2a2-89e0-c01f419c1a8a\",\r\n \"name\": \"3bcd234d-c9c7-c2a2-89e0-c01f419c1a8a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Endpoint protection health issues should be resolved on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9\",\r\n \"description\": \"For full Security Center protection, resolve monitoring agent issues on your machines by following the instructions in the Troubleshooting guide.\",\r\n \"remediationDescription\": \"1. Click any of the health issues. 2. Select a workspace. 3. Customize the Kusto query as necessary and run the command.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/83f577bd-a1b6-b7e1-0891-12ca19d1e6df\",\r\n \"name\": \"83f577bd-a1b6-b7e1-0891-12ca19d1e6df\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Install endpoint protection solution on virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9\",\r\n \"description\": \"Install an endpoint protection solution on your virtual machines, to protect them from threats and vulnerabilities.\",\r\n \"remediationDescription\": \"1.\\tSelect one or more virtual machines, or use the filter to set criteria for which machines to select. 2. Click Install on [x] VMs.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/651967bf-044e-4bde-8376-3e08e0600105\",\r\n \"name\": \"651967bf-044e-4bde-8376-3e08e0600105\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Transparent Data Encryption on SQL databases should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a8bef009-a5c9-4d0f-90d7-6018734e8a16\",\r\n \"description\": \"Enable transparent data encryption to protect data-at-rest and meet compliance requirements\",\r\n \"remediationDescription\": \"To enable transparent data encryption on your SQL databases: 1. Select the SQL database. 2. Under Data encryption, select On. 3. Click Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/94208a8b-16e8-4e5b-abbd-4e81c9d02bee\",\r\n \"name\": \"94208a8b-16e8-4e5b-abbd-4e81c9d02bee\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Auditing on SQL server should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9\",\r\n \"description\": \"Enable auditing on your SQL Server to track database activities across all databases on the server and save them in an audit log.\",\r\n \"remediationDescription\": \"To enable SQL server auditing:
\\n1. Select the SQL server.
\\n2. Under Auditing, select On.
\\n3. Select Storage details and configure a storage account for the audit log.
\\n4. Click Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8bc390da-9eb6-938d-25ed-44a35d9bcc9d\",\r\n \"name\": \"8bc390da-9eb6-938d-25ed-44a35d9bcc9d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"OS version should be updated for your cloud service roles\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Update the operating system (OS) version for your cloud service roles to the most recent version available for your OS family.\",\r\n \"remediationDescription\": \"Update the OS version on your cloud service roles to make sure you have the most recent OS version. To do this, follow the instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/383cf3bc-fdf9-4a02-120a-3e7e36c6bfee\",\r\n \"name\": \"383cf3bc-fdf9-4a02-120a-3e7e36c6bfee\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Install endpoint protection solution on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Install an endpoint protection solution on your Windows and Linux machines, to protect them from threats and vulnerabilities.\",\r\n \"remediationDescription\": \"1. Select one or more machines, or use the filter to set criteria for which machines to select. 2. Click Install on [x] machines.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e7ee30c4-bac9-2966-54bd-2023a4282872\",\r\n \"name\": \"e7ee30c4-bac9-2966-54bd-2023a4282872\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Monitoring agent should be installed on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This action installs a monitoring agent on the selected virtual machines. Select a workspace for the agent to report to.\",\r\n \"remediationDescription\": \"1. For instructions on how to install the agent on Windows, click here 2. For instructions on how to install the agent on Linux, click here\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8e2b96ff-3de2-289b-b5c1-3b9921a3441e\",\r\n \"name\": \"8e2b96ff-3de2-289b-b5c1-3b9921a3441e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Monitoring agent health issues should be resolved on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Security Center uses the Microsoft Monitoring Agent (MMA) to collect security events from your Azure virtual machines. To make sure your virtual machines are successfully monitored,
\\n you need to enable data collection in Security Center and make sure the MMA agent is both installed on the virtual machines and properly collects security events to the configured workspace.
\\n In some cases, the MMA agent may fail to properly report security events, due to multiple reasons. In these cases, coverage may be partial - security events won�t be properly processed,
\\n and in turn threat detection for the affected VMs may fail to function.\",\r\n \"remediationDescription\": \"To resolve monitoring agent health issues and see the different resolution for each issue, please see the following instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d1db3318-01ff-16de-29eb-28b344515626\",\r\n \"name\": \"d1db3318-01ff-16de-29eb-28b344515626\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Install monitoring agent on your virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Security Center uses the Microsoft Monitoring Agent (MMA) to collect security events from your Azure virtual machines.<br> We recommend configuring auto-provisioning to ensure the MMA is deployed automatically.<br> If you choose not to use auto-provisioning, you�ll need to follow the remediation steps to manually deploy the MMA for all your VMs.<br> You�ll also need to follow that procedure if your VMs are used by an Azure managed service such as Azure Kubernetes Service or Azure Service Fabric.\",\r\n \"remediationDescription\": \"Installation of the monitoring agent and enabling data collection in Security Center can be done in several ways:\\n- Using Security Center�s automatic provisioning on your subscription(s).
This will automatically provision the monitoring agent on current and future-created virtual machines on your subscription(s). (Learn more)
\\nYou can enable automatic provisioning on multiple subscriptions by clicking on the Getting started menu item, and select 'Install agents'.
You can also enable it for specific subscriptions and customize additional settings by clicking on the 'Security policy' menu item,
select 'Edit settings' on a subscription and enable auto provisioning in the 'data collection' menu item. \\n- Install the Microsoft Monitoring agent on your Virtual machines as a VM extension or directly, by following these instructions.
\\n- Provision the Microsoft Monitoring agent with Azure Policies. The applicable policy definitions are:
�[Preview]: Deploy Log Analytics Agent for Windows VMs� and �[Preview]: Deploy Log Analytics Agent for Linux VMs. \\n
\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/151e82c5-5341-a74b-1eb0-bc38d2c84bb5\",\r\n \"name\": \"151e82c5-5341-a74b-1eb0-bc38d2c84bb5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"MFA should be enabled on accounts with read permissions on your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e3576e28-8b17-4677-84c3-db2990658d64\",\r\n \"description\": \"Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources.\",\r\n \"remediationDescription\": \"Before enabling MFA for the users, you may want to take this opportunity to delete any users listed that are no longer active users.
To enable MFA using conditional access you must have an Azure AD Premium license and have AD tenant admin permissions.
To enable MFA on user accounts: 1. Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription. The list of user accounts that require enabling MFA opens. 2. Click 'Continue'. The Azure AD Conditional Access page opens. 3. In the Conditional Access page, add the list of users to an existing policy. If there are no existing policies create a new policy following these instructions:
a. Click '+New policy'.
b. In the 'Name' text box, enter a policy name.
c. Assign 'User and groups':
i. Select 'Users and groups' > In the 'Include' tab, select 'Select users and groups' and select the 'Users and groups' check box.
ii. Select the users that are in the list of user accounts require enabling MFA. You can scroll back to the left to see the list.
iii. After selecting the users, at the bottom of the list, click 'Select'.
iv. Click 'Done'.
d. Assign 'Cloud apps'
i. Select 'Cloud apps' > In the 'Include' tab, select 'All cloud apps'. (Don't exclude any apps.)
ii. Click 'Done'.
e. Assign 'Access Controls'
i. Select 'Grant' and select 'Require multi-factor authentication'. (Don't select any other options.)
ii. Click 'Select'.
f. Enable Policy.
i. Click 'On' 4. Click 'Create'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/57e98606-6b1e-6193-0e3d-fe621387c16b\",\r\n \"name\": \"57e98606-6b1e-6193-0e3d-fe621387c16b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"MFA should be enabled on accounts with write permissions on your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9297c21d-2ed6-4474-b48f-163f75654ce3\",\r\n \"description\": \"Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources.\",\r\n \"remediationDescription\": \"Before enabling MFA for the users, you may want to take this opportunity to delete any users listed that are no longer active users.
To enable MFA using conditional access you must have an Azure AD Premium license and have AD tenant admin permissions.
To enable MFA on user accounts: 1. Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription. The list of user accounts that require enabling MFA opens. 2. Click 'Continue'. The Azure AD Conditional Access page opens. 3. In the Conditional Access page, add the list of users to an existing policy. If there are no existing policies create a new policy following these instructions:
a. Click '+New policy'.
b. In the 'Name' text box, enter a policy name.
c. Assign 'User and groups':
i. Select 'Users and groups' > In the 'Include' tab, select 'Select users and groups' and select the 'Users and groups' check box.
ii. Select the users that are in the list of user accounts require enabling MFA. You can scroll back to the left to see the list.
iii. After selecting the users, at the bottom of the list, click 'Select'.
iv. Click 'Done'.
d. Assign 'Cloud apps'
i. Select 'Cloud apps' > In the 'Include' tab, select 'All cloud apps'. (Don't exclude any apps.)
ii. Click 'Done'.
e. Assign 'Access Controls'
i. Select 'Grant' and select 'Require multi-factor authentication'. (Don't select any other options.)
ii. Click 'Select'.
f. Enable Policy.
i. Click 'On' 4. Click 'Create'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/94290b00-4d0c-d7b4-7cea-064a9554e681\",\r\n \"name\": \"94290b00-4d0c-d7b4-7cea-064a9554e681\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"MFA should be enabled on accounts with owner permissions on your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/aa633080-8b72-40c4-a2d7-d00c03e80bed\",\r\n \"description\": \"Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources.\",\r\n \"remediationDescription\": \"Before enabling MFA for the users, you may want to take this opportunity to delete any users listed that are no longer active users.
To enable MFA using conditional access you must have an Azure AD Premium license and have AD tenant admin permissions.
To enable MFA on user accounts: 1. Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription. The list of user accounts that require enabling MFA opens. 2. Click 'Continue'. The Azure AD Conditional Access page opens. 3. In the Conditional Access page, add the list of users to an existing policy. If there are no existing policies create a new policy following these instructions:
a. Click '+New policy'.
b. In the 'Name' text box, enter a policy name.
c. Assign 'User and groups':
i. Select 'Users and groups' > In the 'Include' tab, select 'Select users and groups' and select the 'Users and groups' check box.
ii. Select the users that are in the list of user accounts require enabling MFA. You can scroll back to the left to see the list.
iii. After selecting the users, at the bottom of the list, click 'Select'.
iv. Click 'Done'.
d. Assign 'Cloud apps'
i. Select 'Cloud apps' > In the 'Include' tab, select 'All cloud apps'. (Don't exclude any apps.)
ii. Click 'Done'.
e. Assign 'Access Controls'
i. Select 'Grant' and select 'Require multi-factor authentication'. (Don't select any other options.)
ii. Click 'Select'.
f. Enable Policy.
i. Click 'On' 4. Click 'Create'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a8c6a4ad-d51e-88fe-2979-d3ee3c864f8b\",\r\n \"name\": \"a8c6a4ad-d51e-88fe-2979-d3ee3c864f8b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"External accounts with read permissions should be removed from your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5f76cf89-fbf2-47fd-a3f4-b891fa780b60\",\r\n \"description\": \"Accounts with read permissions that have different domain names (external accounts), should be removed from your subscription. This prevents unmonitored access. These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"To remove external accounts:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The list of external user accounts that require access removal opens.
Click 'Continue'. The Access control (IAM) page opens.
In the Access control page: 1. Click the 'Role assignments' 2. Search and select the users that were in the list of user accounts that require removal. You can scroll back to the left to see the list. 3. Click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/04e7147b-0deb-9796-2e5c-0336343ceb3d\",\r\n \"name\": \"04e7147b-0deb-9796-2e5c-0336343ceb3d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"External accounts with write permissions should be removed from your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5c607a2e-c700-4744-8254-d77e7c9eb5e4\",\r\n \"description\": \"Accounts with write permissions that have different domain names (external accounts), should be removed from your subscription. This prevents unmonitored access. These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"To remove external accounts:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The list of external user accounts that require access removal opens.
Click 'Continue'. The Access control (IAM) page opens.
In the Access control page: 1. Click the 'Role assignments' 2. Search and select the users that were in the list of user accounts that require removal. You can scroll back to the left to see the list. 3. Click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c3b6ae71-f1f0-31b4-e6c1-d5951285d03d\",\r\n \"name\": \"c3b6ae71-f1f0-31b4-e6c1-d5951285d03d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"External accounts with owner permissions should be removed from your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f8456c1c-aa66-4dfb-861a-25d127b775c9\",\r\n \"description\": \"Accounts with owner permissions that have different domain names (external accounts), should be removed from your subscription. This prevents unmonitored access. These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"To remove external accounts:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The list of external user accounts that require access removal opens.
Click 'Continue'. The Access control (IAM) page opens.
In the Access control page: 1. Click the 'Role assignments' 2. Search and select the users that were in the list of user accounts that require removal. You can scroll back to the left to see the list. 3. Click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/00c6d40b-e990-6acf-d4f3-471e747a27c4\",\r\n \"name\": \"00c6d40b-e990-6acf-d4f3-471e747a27c4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Deprecated accounts should be removed from your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6b1cbf55-e8b6-442f-ba4c-7246b6381474\",\r\n \"description\": \"User accounts that have been blocked from signing in, should be removed from your subscriptions.
These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"To remove blocked user accounts:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The list of blocked user accounts opens.
Click �Continue�. The Access control (IAM) page opens.
In the Access control page:1. Click the 'Role assignments' tab. 2. Search and select the users that were in the list of blocked user accounts that require removal. You can scroll back to the left to see the list. 3. Click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e52064aa-6853-e252-a11e-dffc675689c2\",\r\n \"name\": \"e52064aa-6853-e252-a11e-dffc675689c2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Deprecated accounts with owner permissions should be removed from your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ebb62a0c-3560-49e1-89ed-27e074e9f8ad\",\r\n \"description\": \"User accounts that have been blocked from signing in, should be removed from your subscriptions.
These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"To remove blocked user accounts:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The list of blocked user accounts opens.
Click �Continue�. The Access control (IAM) page opens.
In the Access control page:1. Click the 'Role assignments' tab. 2. Search and select the users that were in the list of blocked user accounts that require removal. You can scroll back to the left to see the list. 3. Click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6f90a6d6-d4d6-0794-0ec1-98fa77878c2e\",\r\n \"name\": \"6f90a6d6-d4d6-0794-0ec1-98fa77878c2e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"A maximum of 3 owners should be designated for your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4f11b553-d42e-4e3a-89be-32ca364cad4c\",\r\n \"description\": \"It is recommended to designate up to {0} subscription owners in order to reduce the potential for breach by a compromised owner.\",\r\n \"remediationDescription\": \"To remove owner permissions from user accounts on your subscription:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The Access control (IAM) page opens. 1. Click the Role assignments tab and set the 'Role' filter to 'Owner'. 2. Select the owners you want to remove. 3. Click Remove.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2c79b4af-f830-b61e-92b9-63dfa30f16e4\",\r\n \"name\": \"2c79b4af-f830-b61e-92b9-63dfa30f16e4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"There should be more than one owner assigned to your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/09024ccc-0c5f-475e-9457-b7c0d9ed487b\",\r\n \"description\": \"Designate more than one subscription owner in order to have administrator access redundancy.\",\r\n \"remediationDescription\": \"To add another account with owner permissions to your subscription:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The Access control (IAM) page opens. 1. Click 'Add' to open the Add role assignment pane.
If you don't have permissions to assign roles, the Add role assignment option will be disabled 1. In the 'Role' drop-down list, select the Owner role. 2. In the Select list, select a user. 3. Click Save.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0677209d-e675-2c6f-e91a-54cef2878663\",\r\n \"name\": \"0677209d-e675-2c6f-e91a-54cef2878663\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities in container security configurations should be remediated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933\",\r\n \"description\": \"Remediate vulnerabilities in security configuration on machines with Docker installed to protect them from attacks.\",\r\n \"remediationDescription\": \"To Remediate vulnerabilities in the container security configurations:1. Review the list of failed rules.2. Fix each rule according to the specified instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1db4f204-cb5a-4c9c-9254-7556403ce51c\",\r\n \"name\": \"1db4f204-cb5a-4c9c-9254-7556403ce51c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerability assessment should be enabled on your SQL servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9\",\r\n \"description\": \"Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities.\",\r\n \"remediationDescription\": \"To enable vulnerability assessment on SQL servers: 1. Select the SQL server. 2. Make sure that 'Advanced data security' is set to 'On'. 3. Under 'Vulnerability assessment settings', set 'Periodic recurring scans' to 'On', and configure a storage account for storing vulnerability assessment scan results. 4. Click Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/400a6682-992c-4726-9549-629fbc3b988f\",\r\n \"name\": \"400a6682-992c-4726-9549-629fbc3b988f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Advanced data security should be enabled on your SQL servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9\",\r\n \"description\": \"Advanced data security (ADS) is a unified package that provides advanced SQL security capabilities. It discovers and classifies sensitive data, surfaces and mitigates potential database vulnerabilities, and detects anomalous activities that could indicate a threat to your database. ADS is charged at $15 per SQL server.\",\r\n \"remediationDescription\": \"To enable advanced data security on SQL servers: 1. Select the SQL server. 2. Under 'Advanced Data Security', select 'On'. 3. Under 'Vulnerability Assessment Settings', set 'Periodic recurring scans' to 'On', and configure a storage account for storing vulnerability assessment scan results. 4. Click Save.
Note: ADS is charged at $15 per SQL server.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f0553104-cfdb-65e6-759c-002812e38500\",\r\n \"name\": \"f0553104-cfdb-65e6-759c-002812e38500\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"An Azure Active Directory administrator should be provisioned for SQL servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9\",\r\n \"description\": \"Provision an Azure AD administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services.\",\r\n \"remediationDescription\": \"To provision an Azure AD administrator for SQL server, see Configure and manage Azure Active Directory authentication with SQL Database, Managed Instance, or SQL Data Warehouse\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/12018f4f-3d10-999b-e4c4-86ec25be08a1\",\r\n \"name\": \"12018f4f-3d10-999b-e4c4-86ec25be08a1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Virtual machines should be migrated to new Azure Resource Manager resources\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d\",\r\n \"description\": \"To benefit from new capabilities in Azure Resource Manager, you can migrate existing deployments from the Classic deployment model. Resource Manager enables security enhancements such as: stronger access control (RBAC), better auditing, ARM-based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management. Learn more\",\r\n \"remediationDescription\": \"To migrate virtual machines to new ARM resources : 1. Go to the Virtual machine 2. Click on Migrate to ARM and follow the instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/22e18b64-4576-41e6-8972-0eb28c9af0c8\",\r\n \"name\": \"22e18b64-4576-41e6-8972-0eb28c9af0c8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fb893a29-21bb-418c-a157-e99480ec364c\",\r\n \"description\": \"Upgrade your Kubernetes service cluster to a later Kubernetes version to protect against known vulnerabilities in your current Kubernetes version. Vulnerability CVE-2019-9946 has been patched in Kubernetes versions 1.11.9+, 1.12.7+, 1.13.5+, and 1.14.0+\",\r\n \"remediationDescription\": \"To upgrade a Kubernetes version using the Azure portal: 1. Go to Azure Kubernetes Services and click on the specific Kubernetes Service. 2. Under 'Upgrade' select the target Kubernetes version and save the change. Note:When you upgrade an AKS cluster, Kubernetes minor versions cannot be skipped. For example, upgrades between 1.10.x -> 1.11.x or 1.11.x -> 1.12.x are allowed, however 1.10.x -> 1.12.x is not. To upgrade from 1.10.x -> 1.12.x, first upgrade from 1.10.x -> 1.11.x, then upgrade from 1.11.x -> 1.12.x.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"ElevationOfPrivilege\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1a2b5b4c-f80d-46e7-ac81-b51a9fb363de\",\r\n \"name\": \"1a2b5b4c-f80d-46e7-ac81-b51a9fb363de\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Authorized IP ranges should be defined on Kubernetes Services\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e246bcf-5f6f-4f87-bc6f-775d4712c7ea\",\r\n \"description\": \"Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster.\",\r\n \"remediationDescription\": \"To configure authorized IP ranges, follow the steps described here Secure access to the API server using authorized IP address ranges in Azure Kubernetes Service (AKS).\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DenialOfService\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a3eee263-aa01-4b52-a7c0-0094578ef48f\",\r\n \"name\": \"a3eee263-aa01-4b52-a7c0-0094578ef48f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Pod Security Policies should be defined on Kubernetes Services\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3abeb944-26af-43ee-b83d-32aaf060fb94\",\r\n \"description\": \"Define Pod Security Policies to reduce the attack vector by removing unnecessary application privileges. It is recommended to configure Pod Security Policies to only allow pods to access the resources which they have permissions to access.\",\r\n \"remediationDescription\": \"To configure Pod Security Policies, follow the steps described here Secure your cluster using pod security policies in Azure Kubernetes Service (AKS).\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ElevationOfPrivilege\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b0fdc63a-38e7-4bab-a7c4-2c2665abbaa9\",\r\n \"name\": \"b0fdc63a-38e7-4bab-a7c4-2c2665abbaa9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Role-Based Access Control should be used on Kubernetes Services\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ac4a19c2-fa67-49b4-8ae5-0b2e78c49457\",\r\n \"description\": \"To provide granular filtering on the actions that users can perform, use Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service Clusters and configure relevant authorization policies. For more information, see Azure role-based access control.\",\r\n \"remediationDescription\": \"To Use Role-Based Access Control (RBAC) you must recreate your Kubernetes Service cluster and enable RBAC during the creation process. Creating a Kubernetes Service with RBAC enabled can be done via the portal as follows: 1. Go to Azure Kubernetes Services. 2. Click 'Add' and enter your cluster's configuration. 3. In the 'Authentication' tab, verify that the 'Enable RBAC' setting is set to 'Yes'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"ElevationOfPrivilege\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c6dad669-efd7-cd72-61c5-289935607791\",\r\n \"name\": \"c6dad669-efd7-cd72-61c5-289935607791\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Data Lake Analytics should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c95c74d9-38fe-4f0d-af86-0c7d626a315c\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Data Lake Analytics diagnostics: 1. Go to Data Lake Analytics and click on your subscription. 2. Click Diagnostic settings and then click Turn on diagnostics. 3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c42fc28d-1703-45fc-aaa5-39797f570513\",\r\n \"name\": \"c42fc28d-1703-45fc-aaa5-39797f570513\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerability assessment should be enabled on your SQL managed instances\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b7aa243-30e4-4c9e-bca8-d0d3022b634a\",\r\n \"description\": \"Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities.\",\r\n \"remediationDescription\": \"To enable vulnerability assessment on a managed instance: 1. Select the SQL managed instance. 2. Make sure that 'Advanced data security' is set to 'On'. 3. Under 'Vulnerability assessment settings', set 'Periodic recurring scans' to 'On', and configure a storage account for storing vulnerability assessment scan results. 4. Click Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ff6dbca8-d93c-49fc-92af-dc25da7faccd\",\r\n \"name\": \"ff6dbca8-d93c-49fc-92af-dc25da7faccd\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Advanced data security should be enabled on your managed instances\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9\",\r\n \"description\": \"Advanced data security (ADS) is a unified package that provides advanced SQL security capabilities. It discovers and classifies sensitive data, surfaces and mitigates potential database vulnerabilities, and detects anomalous activities that could indicate a threat to your database. ADS is charged at $15 per managed SQL server.\",\r\n \"remediationDescription\": \"To enable advanced data security on managed SQL servers: 1. Select the managed SQL server. 2. Under 'Advanced Data Security', select 'On'. 3. Under 'Vulnerability Assessment Settings', set 'Periodic recurring scans' to 'On', and configure a storage account for storing vulnerability assessment scan results. 4. Click Save.
Note: ADS is charged at $15 per managed SQL server.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/35b25be2-d08a-e340-45ed-f08a95d804fc\",\r\n \"name\": \"35b25be2-d08a-e340-45ed-f08a95d804fc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Only secure connections to your Redis Cache should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/22bee202-a82f-4305-9a2a-6d7f44d4dedb\",\r\n \"description\": \"Enable only connections via SSL to Redis Cache. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.\",\r\n \"remediationDescription\": \"To enable only SSL connections to your Redis Cache, we recommend the following steps: 1. Go to the Redis Caches, and select your redis cache. 2. Select 'Advanced settings'. 3. For 'Allow access only via SSL', click 'Yes' and then click 'Save'.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/77785808-ce86-4e40-b45f-19110a547397\",\r\n \"name\": \"77785808-ce86-4e40-b45f-19110a547397\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in IoT Hub should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/383856f8-de7f-44a2-81fc-e5135b5c2aa4\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable IoT Hub diagnostics: 1. Go to the Event Hub namespace. 2. Click Diagnostic settings and then click Turn on diagnostics. 3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/32771b45-220c-1a8b-584e-fdd5a2584a66\",\r\n \"name\": \"32771b45-220c-1a8b-584e-fdd5a2584a66\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Batch accounts should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/428256e6-1fac-4f48-a757-df34c2b3336d\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Batch diagnostics: 1. Go to Batch and click on your subscription. 2. Click Diagnostic settings and then click Turn on diagnostics. 3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f11b27f2-8c49-5bb4-eff5-e1e5384bf95e\",\r\n \"name\": \"f11b27f2-8c49-5bb4-eff5-e1e5384bf95e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Azure Stream Analytics should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f9be5368-9bf5-4b84-9e0a-7850da98bb46\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Stream Analytics diagnostics: 1. Go to Stream Analytics and click on your subscription. 2. Click Diagnostic settings and then click Turn on diagnostics. 3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f19ab7d9-5ff2-f8fd-ab3b-0bf95dcb6889\",\r\n \"name\": \"f19ab7d9-5ff2-f8fd-ab3b-0bf95dcb6889\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Service Bus should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f8d36e2f-389b-4ee4-898d-21aeb69a0f45\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Service Bus diagnostics: 1. Go to the Service Bus. 2. Click Diagnostic settings and then click Turn on diagnostics. 3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b12bc79e-4f12-44db-acda-571820191ddc\",\r\n \"name\": \"b12bc79e-4f12-44db-acda-571820191ddc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Automation account variables should be encrypted\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735\",\r\n \"description\": \"It is important to enable encryption of Automation account variable assets when storing sensitive data.\",\r\n \"remediationDescription\": \"To apply encryption of the Automation account variable assets, in the Azure CLI - run the following command: Set-AzAutomationVariable -AutomationAccountName '{AutomationAccountName}' -Encrypted $true -Name '{VariableName}' -ResourceGroupName '{ResourceGroupName}' -Value '{Value}'
Read more here\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ad5bbaeb-7632-5edf-f1c2-752075831ce8\",\r\n \"name\": \"ad5bbaeb-7632-5edf-f1c2-752075831ce8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Azure Data Lake Store should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/057ef27e-665e-4328-8ea3-04b3122bd9fb\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Data Lake Store diagnostics: 1. Go to Data Lake Store and click on your subscription. 2. Click Diagnostic settings and then click Turn on diagnostics. 3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/dea5192e-1bb3-101b-b70c-4646546f5e1e\",\r\n \"name\": \"dea5192e-1bb3-101b-b70c-4646546f5e1e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Search services should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b4330a05-a843-4bc8-bf9a-cacce50c67f4\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Search diagnostics: 1. Go to Search and click on your subscription. 2. Click Diagnostic settings and then click Turn on diagnostics. 3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/03afeb6f-7634-adb3-0a01-803b0b9cb611\",\r\n \"name\": \"03afeb6f-7634-adb3-0a01-803b0b9cb611\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Service Fabric clusters should only use Azure Active Directory for client authentication\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b54ed75b-3e1a-44ac-a333-05ba39b99ff0\",\r\n \"description\": \"Perform Client authentication only via Azure Active Directory in Service Fabric\",\r\n \"remediationDescription\": \"To enable client authentication using Azure Active Directory follow the instructions to Set up Azure Active Directory for client authentication.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7f04fc0c-4a3d-5c7e-ce19-666cb871b510\",\r\n \"name\": \"7f04fc0c-4a3d-5c7e-ce19-666cb871b510\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/617c02be-7f02-4efd-8836-3180d47b6c68\",\r\n \"description\": \"Service Fabric provides three levels of protection (None, Sign and EncryptAndSign) for node-to-node communication using a primary cluster certificate. Set the protection level to ensure that all node-to-node messages are encrypted and digitally signed.\",\r\n \"remediationDescription\": \"To set 'ClusterProtectionLevel' inside Service Fabric ARM template to 'EncryptAndSign': 1. Go to the Service fabric cluster. 2. Click on 'Custom fabric settings'. 3. Click 'Add new', set the 'Security' section and update the 'ClusterProtectionLevel' property to 'EncryptAndSign'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1597605a-0faf-5860-eb74-462ae2e9fc21\",\r\n \"name\": \"1597605a-0faf-5860-eb74-462ae2e9fc21\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Event Hub should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83a214f7-d01a-484b-91a9-ed54470c9a6a\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Event Hub diagnostics: 1. Go to the Event Hub namespace. 2. Click Diagnostic settings and then click Turn on diagnostics. 3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/91387f44-7e43-4ecc-55f0-46f5adee3dd5\",\r\n \"name\": \"91387f44-7e43-4ecc-55f0-46f5adee3dd5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Logic Apps should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34f95f76-5386-4de7-b824-0d8478470c9d\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Logic Apps diagnostics: 1. Go to Logic Apps and click on your subscription. 2. Click Diagnostic settings and then click Turn on diagnostics. 3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/961eb649-3ea9-f8c2-6595-88e9a3aeedeb\",\r\n \"name\": \"961eb649-3ea9-f8c2-6595-88e9a3aeedeb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Virtual Machine Scale Sets should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7c1b1214-f927-48bf-8882-84f0af6588b1\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Virtual Machines Scale Sets diagnostics follow the instructions\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606\",\r\n \"description\": \"To benefit from new capabilities in Azure Resource Manager, you can migrate existing deployments from the Classic deployment model. Resource Manager enables security enhancements such as: stronger access control (RBAC), better auditing, ARM-based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management. Learn more\",\r\n \"remediationDescription\": \"To migrate storage accounts to new ARM resources : 1. Go to the Storage Account 2. Click on Migrate to ARM and follow the instructions.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/88bbc99c-e5af-ddd7-6105-6150b2bfa519\",\r\n \"name\": \"88bbc99c-e5af-ddd7-6105-6150b2bfa519\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Key Vault should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Key Vault diagnostics: 1. Go to Key Vault and click on your subscription. 2. Click Diagnostic settings and then click Turn on diagnostics. 3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/45d313c3-3fca-5040-035f-d61928366d31\",\r\n \"name\": \"45d313c3-3fca-5040-035f-d61928366d31\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Access to storage accounts with firewall and virtual network configurations should be restricted\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c\",\r\n \"description\": \"Review the settings of network access in your storage account firewall settings. It is recommended to configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premise clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges.\",\r\n \"remediationDescription\": \"1. In your storage account, go to 'Firewalls and virtual networks'. 2. Under 'Allow access from', choose 'Selected networks'. 3. Configure the relevant virtual networks and IP ranges that should be allowed to access your storage account. 4. Configure \\\"Allow trusted Microsoft services to access your storage account\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": \"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Secure transfer to storage accounts should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9\",\r\n \"description\": \"Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.\",\r\n \"remediationDescription\": \"To enable secure transfer required: 1. In your storage account, go to the 'Configuration' page. 2. Enable 'Secure transfer required'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bd20bd91-aaf1-7f14-b6e4-866de2f43146\",\r\n \"name\": \"bd20bd91-aaf1-7f14-b6e4-866de2f43146\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"System updates on virtual machine scale sets should be installed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe\",\r\n \"description\": \"Install missing system security and critical updates to secure your Windows and Linux virtual machine scale sets.\",\r\n \"remediationDescription\": \"To install system updates: 1. Review the list of missing system updates. 2. Follow the steps to resolve the update, as described in the support link.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/45cfe080-ceb1-a91e-9743-71551ed24e94\",\r\n \"name\": \"45cfe080-ceb1-a91e-9743-71551ed24e94\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Monitoring agent should be installed on virtual machine scale sets\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/f3631911-7880-4edb-88bd-6411f5e3b6ec\",\r\n \"description\": \"Security Center uses the Microsoft Monitoring Agent (MMA) to collect security events from your Azure virtual machine scale sets.<br> You cannot configure auto-provisioning of the MMA for Azure virtual machine scale sets. To deploy the MMA on virtual machine scale sets (including those used by Azure managed services such as Azure Kubernetes Service and Azure Service Fabric), please follow the procedure in the remediation steps.\",\r\n \"remediationDescription\": \"To install monitoring agent : 1. Select or create a workspace. 2. Click on Install to install the agent on the scale set.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8941d121-f740-35f6-952c-6561d2b38d36\",\r\n \"name\": \"8941d121-f740-35f6-952c-6561d2b38d36\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities in security configuration on your virtual machine scale sets should be remediated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4\",\r\n \"description\": \"Remediate vulnerabilities in security configuration on your virtual machine scale sets to protect them from attacks.\",\r\n \"remediationDescription\": \"To remediate vulnerabilities in VM scale set security configurations: 1. Review the list of failed rules. 2. Fix each rule according to the instructions provided.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/21300918-b2e3-0346-785f-c77ff57d243b\",\r\n \"name\": \"21300918-b2e3-0346-785f-c77ff57d243b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Endpoint protection solution should be installed on virtual machine scale sets\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de\",\r\n \"description\": \"Install an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities.\",\r\n \"remediationDescription\": \"To install an endpoint protection solution: 1. Follow the instructions in How do I turn on antimalware in my virtual machine scale set\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e71020c2-860c-3235-cd39-04f3f8c936d2\",\r\n \"name\": \"e71020c2-860c-3235-cd39-04f3f8c936d2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Endpoint protection health failures should be remediated on virtual machine scale sets\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de\",\r\n \"description\": \"Remediate endpoint protection health failures on your virtual machine scale sets to protect them from threats and vulnerabilities.\",\r\n \"remediationDescription\": \"Resolve endpoint protection health issues on your VM scale sets to get full protection and coverage by Azure Security Center. To do this, follow the instructions in each of the possible endpoint protection health issues displayed on your virtual machine scale set.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6c99f570-2ce7-46bc-8175-cde013df43bc\",\r\n \"name\": \"6c99f570-2ce7-46bc-8175-cde013df43bc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Guest configuration extension should be installed on Windows virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/5fc23db3-dd4d-4c56-bcc7-43626243e601\",\r\n \"description\": \"Install the guest configuration agent to enable auditing settings inside a machine such as: - The configuration of the operating system
- Application configuration or presence
- Environment settings
Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'.
For more details, visit in-guest policies\",\r\n \"remediationDescription\": \"Quick fix remediation:
To remediate with a single click, in the Unhealthy resources tab (below), select the resources, and click 'Remediate'.
Read the remediation details in the confirmation box, and approve the remediation.
Note: It can take several minutes after remediation completes to see the resources in the ‘healthy resources’ tab.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/22489c48-27d1-4e40-9420-4303ad9cffef\",\r\n \"name\": \"22489c48-27d1-4e40-9420-4303ad9cffef\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Windows Defender Exploit Guard should be enabled on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/bed48b13-6647-468e-aa2f-1af1d3f4dd40\",\r\n \"description\": \"Windows Defender Exploit Guard leverages the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only).\",\r\n \"remediationDescription\": \"Enable controlled folder access: controlled folder access
The following attack surface rules should be enabled:
'be9ba2d9-53ea-4cdc-84e5-9b1eeee46550',
'b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4',
'9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2',
'd4f940ab-401b-4efc-aadc-ad5f3c50688a',
'd3e037e1-3eb8-44c8-a917-57927947596d',
'5beb7efe-fd9a-4556-801d-275e5ffc04cc',
'3b576869-a4ec-4529-8536-b80a7769e899',
'26190899-1602-49e8-8b27-eb1d0a1ce869',
'92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B',
'7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c',
'75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84'
For more information on visit:attack surface reduction\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ThreatResistance\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/27ac71b1-75c5-41c2-adc2-858f5db45b08\",\r\n \"name\": \"27ac71b1-75c5-41c2-adc2-858f5db45b08\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Log Analytics agent should be installed on your Windows-based Azure Arc machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/d69b1763-b96d-40b8-a2d9-ca31e9fd0d3e\",\r\n \"description\": \"Security Center uses the Log Analytics agent (also known as MMA) to collect security events from your Azure Arc machines. To deploy the agent on all your Azure Arc machines, follow the remediation steps.\",\r\n \"remediationDescription\": \"Security Center can deploy the agents to all your machines with quick fix: 1. From the Unhealthy resources tab, select the relevant machines, and select \\\"Remediate\\\". 2. Read the remediation details in the confirmation box, modify the parameters as necessary, and approve the remediation. Note: It can take several minutes after remediation completes until the resources move to the Healthy resources tab. Manual Remediation: 1. From Azure Arc machine's page, go to Extensions and select Add. 2. Follow the instructions to add the relevant extension. You can also use ARM template or Azure Policies to manage the extension deployment to Arc servers.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/720a3e77-0b9a-4fa9-98b6-ddf0fd7e32c1\",\r\n \"name\": \"720a3e77-0b9a-4fa9-98b6-ddf0fd7e32c1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Log Analytics agent should be installed on your Linux-based Azure Arc machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/842c54e8-c2f9-4d79-ae8d-38d8b8019373\",\r\n \"description\": \"Security Center uses the Log Analytics agent (also known as OMS) to collect security events from your Azure Arc machines. To deploy the agent on all your Azure Arc machines, follow the remediation steps.\",\r\n \"remediationDescription\": \"Security Center can deploy the agents to all your machines with quick fix: 1. From the Unhealthy resources tab, select the relevant machines, and select \\\"Remediate\\\". 2. Read the remediation details in the confirmation box, modify the parameters as necessary, and approve the remediation. Note: It can take several minutes after remediation completes until the resources move to the Healthy resources tab. Manual Remediation: 1. From Azure Arc machine's page, go to Extensions and select Add. 2. Follow the instructions to add the relevant extension. You can also use ARM template or Azure Policies to manage the extension deployment to Arc servers.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9d07b7e6-2986-4964-a76c-b2689604e212\",\r\n \"name\": \"9d07b7e6-2986-4964-a76c-b2689604e212\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Identical Authentication Credentials\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5468b9f3-f0dd-41e3-a383-f0f442f34bcf\",\r\n \"description\": \"Identical authentication credentials to the IoT Hub used by multiple devices. This could indicate an illegitimate device impersonating a legitimate device. It also exposes the risk of device impersonation by an attacker\",\r\n \"remediationDescription\": \"Review the devices in question and make sure they are all valid. Replace any duplicated credentials and make sure all device authentication credentials are unique.\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5a3d6cdd-8eb3-46d2-ba11-d24a0d47fe65\",\r\n \"name\": \"5a3d6cdd-8eb3-46d2-ba11-d24a0d47fe65\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Default IP Filter Policy should be Deny\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bde66085-0bff-4163-a200-2ff7c1175045\",\r\n \"description\": \"IP Filter Configuration should have rules defined for allowed traffic and should deny all other traffic by default\",\r\n \"remediationDescription\": \"Add a default rule at the end of the defined rules list to deny all inbound traffic. Make sure any rules defined above it only allow wanted traffic through.\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d8326952-60bb-40fb-b33f-51e662708a88\",\r\n \"name\": \"d8326952-60bb-40fb-b33f-51e662708a88\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IP Filter rule large IP range\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3f528984-4591-4989-b6bc-6d9f67f3de57\",\r\n \"description\": \"An Allow IP Filter rule's source IP range is too large. Overly permissive rules might expose your IoT hub to malicious intenders\",\r\n \"remediationDescription\": \"Review the rule in question and verify source IP range is as small as it needs to be for necessary traffic to go through.\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1a36f14a-8bd8-45f5-abe5-eef88d76ab5b\",\r\n \"name\": \"1a36f14a-8bd8-45f5-abe5-eef88d76ab5b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Open Ports On Device\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fa676ae0-e4c3-4803-8ce8-e85df20b57cd\",\r\n \"description\": \"A listening endpoint was found on the device\",\r\n \"remediationDescription\": \"Review the open ports on the device and make sure they belong to legitimate and necessary processes for the device to function correctly\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ba975338-f956-41e7-a9f2-7614832d382d\",\r\n \"name\": \"ba975338-f956-41e7-a9f2-7614832d382d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Permissive firewall rule in the input chain was found\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a782bbed-a876-4631-9bc5-7ace7d466dc8\",\r\n \"description\": \"A rule in the firewall has been found that contains a permissive pattern for a wide range of IP addresses or Ports\",\r\n \"remediationDescription\": \"Review the rules in the recommendation and verify only necessary addresses / ports are allowed in\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/beb62be3-5e78-49bd-ac5f-099250ef3c7c\",\r\n \"name\": \"beb62be3-5e78-49bd-ac5f-099250ef3c7c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Permissive firewall policy in one of the chains was found\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fce8d615-a5d2-431d-ba4d-2d9ae164224f\",\r\n \"description\": \"An allowed firewall policy was found in main firewall Chains (INPUT/OUTPUT). The policy should Deny all traffic by default define rules to allow necessary communication to/from the device\",\r\n \"remediationDescription\": \"Change firewall policy to Drop and add specific rules to permit access to legitimate connections to/from the device\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d5a8d84a-9ad0-42e2-80e0-d38e3d46028a\",\r\n \"name\": \"d5a8d84a-9ad0-42e2-80e0-d38e3d46028a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Permissive firewall rule in the output chain was found\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/75af18a4-86e2-40ab-a157-359d67bd9314\",\r\n \"description\": \"A rule in the firewall has been found that contains a permissive pattern for a wide range of IP addresses or ports\",\r\n \"remediationDescription\": \"Review the rules in the recommendation and verify only necessary addresses / ports are allowed out\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3a577f3e-2a57-4197-bc79-85007d5c8cd8\",\r\n \"name\": \"3a577f3e-2a57-4197-bc79-85007d5c8cd8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Install the Azure Security of Things Agent\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b122f8fc-72f9-4a24-87ec-b71bdfb5a890\",\r\n \"description\": \"Installing the Azure Security of Things agent on a device increases the security detections available for it\",\r\n \"remediationDescription\": \"Install the Azure Security of Things Security Agent\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5f65e47f-7a00-4bf3-acae-90ee441ee876\",\r\n \"name\": \"5f65e47f-7a00-4bf3-acae-90ee441ee876\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Operating system baseline validation failure\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a15d59b-fbfe-41c9-bdb1-d900cc77eb6e\",\r\n \"description\": \"Security related system configuration issues identified\",\r\n \"remediationDescription\": \"Review the failed rules and remediate the security configuration vulnerabilities identified on your devices\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a9a59ebb-5d6f-42f5-92a1-036fd0fd1879\",\r\n \"name\": \"a9a59ebb-5d6f-42f5-92a1-036fd0fd1879\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Agent sending underutilized messages\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a6cb74de-df4c-497f-9e87-f0ccd430de6c\",\r\n \"description\": \"IoT agent message size capacity is currently underutilized, causing an increase in the number of sent messages. Adjust message intervals for better utilization\",\r\n \"remediationDescription\": \"To avoid too many underutilized messages, consider enlarging the high/low priority send intervals\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2acc27c6-5fdb-405e-9080-cb66b850c8f5\",\r\n \"name\": \"2acc27c6-5fdb-405e-9080-cb66b850c8f5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - TLS cipher suite upgrade needed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f4912296-8654-4bf1-bb7b-a42bfa368af6\",\r\n \"description\": \"Unsecure TLS configurations detected. Immediate TLS cipher suite upgrade recommended\",\r\n \"remediationDescription\": \"Upgrade your TLS cipher suite to a secure configuration. See the Guide to TLS Standards Compliance for more information\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d74d2738-2485-4103-9919-69c7e63776ec\",\r\n \"name\": \"d74d2738-2485-4103-9919-69c7e63776ec\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Auditd process stopped sending events\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5502d409-6ab3-401d-a4ae-619cf2bbf68e\",\r\n \"description\": \"Security events originated from Auditd process are no longer received from this device\",\r\n \"remediationDescription\": \"Verify Auditd process is running on the device, restart process or device as needed\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2acd365d-e8b5-4094-bce4-244b7c51d67c\",\r\n \"name\": \"2acd365d-e8b5-4094-bce4-244b7c51d67c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Service principals should be used to protect your subscriptions instead of Management Certificates\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Security/assessmentMetadata/2acd365d-e8b5-4094-bce4-244b7c51d67c\",\r\n \"description\": \"Management certificates allow anyone who authenticates with them to manage the subscription(s) they are associated with. To manage subscriptions more securely, using service principals with Resource Manager is recommended to limit the blast radius in the case of a certificate compromise. It also automates resource management. \",\r\n \"remediationDescription\": \"To remove management certificates and replace with service principals:1. Follow the guidance here to create service principals with a certificate. 2. Select a subscription from the list of subscriptions below or navigate to the specific subscription. 3. Select In the Management Certificates under Settings , delete the existing management certificates you would like to replace with the service principals you created.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"name\": \"eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Subnets should be associated with a network security group\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e71308d3-144b-4262-b144-efdc3cc90517\",\r\n \"description\": \"Protect your subnet from potential threats by restricting access to it with a network security group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. When an NSG is associated with a subnet, the ACL rules apply to all the VM instances and integrated services in that subnet, but don't apply to internal traffic inside the subnet. To secure resources in the same subnet from one another, enable NSG directly on the resources as well.\",\r\n \"remediationDescription\": \"To enable network security groups on your virtual machines: 1. Select a VM to enable NSG on its NIC. 2. In the 'Networking' blade, click the Network Interface that is associated with the selected VM. 3. In the 'Network interface' blade, click the 'Network security group' menu item. 4. Click the 'Edit' button at the top of the blade. 5. Follow the steps and select an existing network security group to attach to this VM.
Click here to learn more.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"name\": \"e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure DDoS Protection Standard should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd\",\r\n \"description\": \"Security Center has discovered virtual networks with applications and firewalls unprotected by the DDoS protection service. These apps and firewalls have public IPs. Enable mitigation of network volumetric and protocol attacks.\",\r\n \"remediationDescription\": \"1. Select a virtual network to enable the DDoS protection service standard on. 2. Select the Standard option. 3. Click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"ThreatResistance\",\r\n \"DenialOfService\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/35f45c95-27cf-4e52-891f-8390d1de5828\",\r\n \"name\": \"35f45c95-27cf-4e52-891f-8390d1de5828\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Adaptive application controls for whitelisting safe applications should be enabled on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc\",\r\n \"description\": \"Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.\",\r\n \"remediationDescription\": \"To enable and configure adaptive application controls: 1. From the portal, open Security Center. 2. Select \\\"Adaptive application controls\\\" from Security Center’s sidebar. 3. To see the groups of machines that Security Center recommends protecting with adaptive application controls, select the \\\"Recommended\\\" tab and choose a group of machines to protect. 4. Create a new applications control policy according to the instructions in Security Center’s documentation: https://aka.ms/aac-newpolicy\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\",\r\n \"ThreatResistance\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1234abcd-1b53-4fd4-9835-2c2fa3935313\",\r\n \"name\": \"1234abcd-1b53-4fd4-9835-2c2fa3935313\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Whitelisting rules in your adaptive application control policy should be updated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/123a3936-f020-408a-ba0c-47873faf1534\",\r\n \"description\": \"Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to whitelist in adaptive application control policies.\",\r\n \"remediationDescription\": \"To update your whitelists of known-safe applications: 1. From the portal, open Security Center. 2. Select \\\"Adaptive application controls\\\" from Security Center’s sidebar. 3. To see the groups of machines for which Security Center recommends updating the policy, select the \\\"Recommended\\\" tab and choose the configured group of machines. 4. The current policy will be displayed together with the new rules that Security Center recommends adding.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\",\r\n \"ThreatResistance\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f9f0eed0-f143-47bf-b856-671ea2eeed62\",\r\n \"name\": \"f9f0eed0-f143-47bf-b856-671ea2eeed62\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Adaptive Network Hardening recommendations should be applied on internet facing virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6\",\r\n \"description\": \"Azure Security Center has analyzed the internet traffic communication patterns of the virtual machines listed below, and determined that the existing rules in the NSGs associated to them are overly permissive, resulting in an increased potential attack surface.
This typically occurs when this IP address doesn't communicate regularly with this resource. Alternatively, the IP address has been flagged as malicious by Security Center's threat intelligence sources. learn more\",\r\n \"remediationDescription\": \"To harden the Network Security Group traffic rules, enforce the recommended rules by following the steps below or manually edit the rules directly on the Network Security Group:
- Select a VM from the list below, or click \\\"Take action\\\" if you've arrived from a specific VM's recommendation blade.
- Click the \\\"Rules\\\" tab.
- If you want to modify a recommended rule's parameters:
- In the rule that you want to change, select the three dots and select \\\"Edit rule\\\". The \\\"Edit rule\\\" blade opens.
- Modify the parameters that you want to change and click \\\"Save\\\". The blade closes.
- If you want to create a new rule:
- Click \\\"Add rule\\\" (in the top left corner). The \\\"Edit rule\\\" blade opens.
- Fill in the parameters and click \\\"Add rule\\\". The pane closes and the new rule is listed in the Rules tab.
- Select the rules that you want to apply (including any rules that you edited or added) and click \\\"Enforce\\\".
\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/805651bc-6ecd-4c73-9b55-97a19d0582d0\",\r\n \"name\": \"805651bc-6ecd-4c73-9b55-97a19d0582d0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Management ports of virtual machines should be protected with just-in-time network access control\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c\",\r\n \"description\": \"N/A\",\r\n \"remediationDescription\": \"N/A\",\r\n \"categories\": [\r\n \"Compute\",\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/01b1ed4c-b733-4fee-b145-f23236e70cf3\",\r\n \"name\": \"01b1ed4c-b733-4fee-b145-f23236e70cf3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerability assessment solution should be installed on your virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/760a85ff-6162-42b3-8d70-698e268f648c\",\r\n \"description\": \"N/A\",\r\n \"remediationDescription\": \"N/A\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/71992a2a-d168-42e0-b10e-6b45fa2ecddb\",\r\n \"name\": \"71992a2a-d168-42e0-b10e-6b45fa2ecddb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities should be remediated by a Vulnerability Assessment solution\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/760a85ff-6162-42b3-8d70-698e268f648c\",\r\n \"description\": \"N/A\",\r\n \"remediationDescription\": \"N/A\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\",\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bc303248-3d14-44c2-96a0-55f5c326b5fe\",\r\n \"name\": \"bc303248-3d14-44c2-96a0-55f5c326b5fe\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Management ports should be closed on your virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/22730e10-96f6-4aac-ad84-9383d35b5917\",\r\n \"description\": \"Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.\",\r\n \"remediationDescription\": \"We recommend that you edit the inbound rules of some of your virtual machines, to restrict access to specific source ranges.
To restrict access to your virtual machines: 1. Select a VM to restrict access to. 2. In the 'Networking' blade, click on each of the rules that allow management ports (e.g. RDP-3389, WINRM-5985, SSH-22). 3. Either change the 'Action' property to 'Deny', or, improve the rule by applying a less permissive range of source IP ranges. 4. Click 'Save'.
Use Azure Security Center's Just-in-time (JIT) virtual machine (VM) access to lock down inbound traffic to your Azure VMs by demand. Click here to learn more.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ThreatResistance\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c3b51c94-588b-426b-a892-24696f9e54cc\",\r\n \"name\": \"c3b51c94-588b-426b-a892-24696f9e54cc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IP forwarding on your virtual machine should be disabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744\",\r\n \"description\": \"Azure Security Center has discovered that IP forwarding is enabled on some of your virtual machines. Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.\",\r\n \"remediationDescription\": \"We recommend you edit the IP configurations of the NICs belonging to some of your virtual machines.
To disable IP forwarding: 1. Select a VM from the list below, or click 'Take action' if you've arrived from a specific VM's recommendation blade. 2. In the 'Networking' blade, click on the NIC link ('Network Interface' in the top left). 3. In the 'IP configurations' blade, set the 'IP forwarding' field to 'Disabled'. 4. Click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3b20e985-f71f-483b-b078-f30d73936d43\",\r\n \"name\": \"3b20e985-f71f-483b-b078-f30d73936d43\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"All network ports should be restricted on NSG associated to your VM\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9daedab3-fb2d-461e-b861-71790eead4f6\",\r\n \"description\": \"Azure Security center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to easily target your resources.\",\r\n \"remediationDescription\": \"We recommend that you edit the inbound rules of some of your virtual machines, to restrict access to specific source ranges.
To restrict access to your virtual machines: 1. Select a VM to restrict access to. 2. In the 'Networking' blade, click the Network Security Group with overly permissive rules. 3. In the 'Network security group' blade, click on each of the rules that are overly permissive. 4. Improve the rule by applying less permissive source IP ranges. 5. Apply the suggested changes and click 'Save'.
If some or all of these virtual machines do not need to be accessed directly from the Internet, then you can also consider removing the public IP associated to them.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/483f12ed-ae23-447e-a2de-a67a10db4353\",\r\n \"name\": \"483f12ed-ae23-447e-a2de-a67a10db4353\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Internet-facing virtual machines should be protected with network security groups\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c\",\r\n \"description\": \"Protect your VM from potential threats by restricting access to it with a network security group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your VM from other instances, in or outside the same subnet.
Please note that to keep your machine as secured as possible, both the VM access to the Internet must be restricted, and an NSG should be enabled on the subnet.
VMs with 'High' severity are Internet-facing VMs.\",\r\n \"remediationDescription\": \"To enable Network Security Groups on your virtual machines: 1. Select a VM to enable NSG on its NIC. 2. In the 'Networking' blade, click the Network Interface that is associated with the selected VM. 3. In the 'Network interface' blade, click the 'Network security group' menu item. 4. Click the 'Edit' button at the top of the blade. 5. Follow the steps and select an existing network security group to attach to this VM.
Click here to learn more.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a9341235-9389-42f0-a0bf-9bfb57960d44\",\r\n \"name\": \"a9341235-9389-42f0-a0bf-9bfb57960d44\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Non-internet-facing virtual machines should be protected with network security groups\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6\",\r\n \"description\": \"Protect your non-internet-facing virtual machine from potential threats by restricting access to it with a network security group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your VM from other instances, whether or not they're on the same subnet.
Note that to keep your machine as secure as possible, the VM's access to the internet must be restricted and an NSG should be enabled on the subnet.\",\r\n \"remediationDescription\": \"To enable network security groups on your virtual machines: 1. Select a VM to enable an NSG on its NIC. 2. In the 'Networking' pane, select the Network Interface that is associated with the selected VM. 3. In the 'Network interface' pane, select the 'Network security group' menu item. 4. Select 'Edit' at the top of the pane. 5. Follow the steps and select an existing network security group to attach to this VM.
Learn more.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/550e890b-e652-4d22-8274-60b3bdb24c63\",\r\n \"name\": \"550e890b-e652-4d22-8274-60b3bdb24c63\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Enable the built-in vulnerability assessment solution on virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9\",\r\n \"description\": \"Install the Qualys extension (built-in to the Azure Security Center standard tier) to enable the industry-leading vulnerability assessment solution on your virtual machines.\",\r\n \"remediationDescription\": \"To remediate with a single click, in the Unhealthy resources tab (below), select the resources, and click 'Remediate'. Read the remediation details in the confirmation box, insert the relevant parameters if required and approve the remediation. Note: It can take several minutes after remediation completes to see the resources in the ‘healthy resources’\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/57f36d21-69e3-4b0f-a66c-18629d1b736d\",\r\n \"name\": \"57f36d21-69e3-4b0f-a66c-18629d1b736d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Adaptive Network Hardening recommendations should be applied on internal facing virtual machines (Preview)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/65f6008c-c7de-4146-b4f2-0f91aa80ebe0\",\r\n \"description\": \"Azure Security Center has analyzed the Internet traffic communication patterns of the virtual machines listed below, and determined that the existing rules in the NSGs associated to them are overly permissive, resulting in an increased potential attack surface. This could be due lack of traffic on the port/protocol tuples or specific IPs which have been flagged as malicious by Security Center's threat intelligence sources.\",\r\n \"remediationDescription\": \"Security Center recommends that you modify the rules of your virtual machines, to close ports which are not in use.
To close unused ports on your Virtual Machine with a Network Security Group
1. Select a Virtual Machine to display a list of its unused open ports
2. Open the Virtual Machine's Networking blade by clicking its name
3. Edit the Virtual Machine's inbound/outbound rules to block ports according to the list
4. Click Save\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/24d8af06-d441-40b4-a49c-311421aa9f58\",\r\n \"name\": \"24d8af06-d441-40b4-a49c-311421aa9f58\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Network traffic data collection agent should be installed on Windows virtual machines (Preview)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2f2ee1de-44aa-4762-b6bd-0893fc3f306d\",\r\n \"description\": \"Security Center uses the Microsoft Monitoring Dependency Agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats.\",\r\n \"remediationDescription\": \"To remediate with a single click, in the Unhealthy resources tab (below), select the resources, and click Remediate. Read the remediation details in the confirmation box, insert the relevant parameters if required and approve the remediation.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8c3e93d3-0276-4d06-b20a-9a9f3012742c\",\r\n \"name\": \"8c3e93d3-0276-4d06-b20a-9a9f3012742c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Network traffic data collection agent should be installed on Linux virtual machines (Preview)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/04c4380f-3fae-46e8-96c9-30193528f602\",\r\n \"description\": \"Security Center uses the Microsoft Monitoring Dependency Agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats.\",\r\n \"remediationDescription\": \"To remediate with a single click, in the Unhealthy resources tab (below), select the resources, and click Remediate. Read the remediation details in the confirmation box, insert the relevant parameters if required and approve the remediation.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b0df6f56-862d-4730-8597-38c0fd4ebd59\",\r\n \"name\": \"b0df6f56-862d-4730-8597-38c0fd4ebd59\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Sensitive data in your SQL databases should be classified\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/cc9835f2-9f6b-4cc8-ab4a-f8ef615eb349\",\r\n \"description\": \"Azure SQL DB Data discovery & classification provides capabilities for discovering, classifying, labeling, and protecting the sensitive data in your databases. Once your data is classified, you can use Azure SQL DB auditing to audit access and monitor the sensitive data. Azure SQL DB also enables Advanced Threat Protection features which creates intelligent alerts based on changes in the access patterns to the sensitive data.\",\r\n \"remediationDescription\": \"To remediate this recommendation: 1. In your SQL database, go to 'Advanced Data Security' and click 'Data Discovery and Classification'. 2. Review the recommended classifications. 3. Apply the relevant recommendations and dismiss the ones that are not applicable.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fe02b3b7-a722-d4d6-6731-6493776203a6\",\r\n \"name\": \"fe02b3b7-a722-d4d6-6731-6493776203a6\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities on your SQL databases should be remediated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc\",\r\n \"description\": \"SQL Vulnerability Assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security stature.\",\r\n \"remediationDescription\": \"To resolve SQL vulnerabilities: 1. In your SQL database, go to 'Advanced Data Security' and click 'Vulnerability Assessment'. 2. Review the set of Failed security checks found by the scan, which are sorted from high to low risk. 3. Click on each vulnerability to view its details and explicit remediation instructions and scripts. 4. Either remediate the vulnerability using the provided script, or set the result as an acceptable Baseline for the check so that it will be considered passing in subsequent scans.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f97aa83c-9b63-4f9a-99f6-b22c4398f936\",\r\n \"name\": \"f97aa83c-9b63-4f9a-99f6-b22c4398f936\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities on your SQL databases in VMs should be remediated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d\",\r\n \"description\": \"SQL Vulnerability Assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security stature.\",\r\n \"remediationDescription\": \"To resolve SQL vulnerabilities: 1. In your SQL database, go to 'Advanced Data Security' and click 'Vulnerability Assessment'. 2. Review the set of Failed security checks found by the scan, which are sorted from high to low risk. 3. Click on each vulnerability to view its details and explicit remediation instructions and scripts. 4. Either remediate the vulnerability using the provided script, or set the result as an acceptable Baseline for the check so that it will be considered passing in subsequent scans.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/dbd0cb49-b563-45e7-9724-889e799fa648\",\r\n \"name\": \"dbd0cb49-b563-45e7-9724-889e799fa648\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities in Azure Container Registry images should be remediated (powered by Qualys)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bf49982c-9e3e-4fc4-bc20-67afecd23512\",\r\n \"description\": \"Container image vulnerability assessment scans your registry for security vulnerabilities on each pushed container image and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks.\",\r\n \"remediationDescription\": \"To resolve container image vulnerabilities: 1. Navigate to the relevant resource under the 'Unhealthy' section and select the container image you are looking to remediate. 2. Review the set of failed security checks found by the scan, which are sorted from high to low risk. 3. Click on each vulnerability to view its details and explicit remediation instructions and scripts. 4. Remediate the vulnerability using the provided instructions described in the 'Remediation' field. 5. Upload the new remediated image to your registry. Review scan results for the new image to verify the vulnerability no longer exist. 6. Delete the old image with the vulnerability from you registry.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1195afff-c881-495e-9bc5-1486211ae03f\",\r\n \"name\": \"1195afff-c881-495e-9bc5-1486211ae03f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Remediate vulnerabilities found on your virtual machines (powered by Qualys)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9\",\r\n \"description\": \"Monitors for vulnerability findings on your virtual machines as were discovered by the built-in vulnerability assessment solution of Azure Security Center (powered by Qualys).\",\r\n \"remediationDescription\": \"Review and remediate vulnerability findings that were discovered by the built-in vulnerability assessment solution of Azure Security Center (powered by Qualys).\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/82e20e14-edc5-4373-bfc4-f13121257c37\",\r\n \"name\": \"82e20e14-edc5-4373-bfc4-f13121257c37\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities on your SQL databases should be remediated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc\",\r\n \"description\": \"SQL Vulnerability Assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security stature.\",\r\n \"remediationDescription\": \"To resolve SQL vulnerabilities: 1. In your SQL database, go to 'Advanced Data Security' and click 'Vulnerability Assessment'. 2. Review the set of Failed security checks found by the scan, which are sorted from high to low risk. 3. Click on each vulnerability to view its details and explicit remediation instructions and scripts. 4. Either remediate the vulnerability using the provided script, or set the result as an acceptable Baseline for the check so that it will be considered passing in subsequent scans.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessmentMetadata/45fb078b-a96e-4d0b-90cb-f3ed8a5530c0\",\r\n \"name\": \"45fb078b-a96e-4d0b-90cb-f3ed8a5530c0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Testing the cmdlet\",\r\n \"assessmentType\": \"CustomerManaged\",\r\n \"description\": \"Testing that creating a new metadata is working\",\r\n \"categories\": [\r\n \"Unknown\"\r\n ],\r\n \"severity\": \"High\"\r\n }\r\n }\r\n ]\r\n}",
"StatusCode": 200
},
{
@@ -177,7 +177,7 @@
"-1"
]
},
- "ResponseBody": "{\r\n \"value\": [\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4fb67663-9ab9-475d-b026-8c544cced439\",\r\n \"name\": \"4fb67663-9ab9-475d-b026-8c544cced439\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Install endpoint protection solution on Linux virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9\",\r\n \"description\": \"\",\r\n \"remediationDescription\": \"\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0396b18c-41aa-489c-affd-4ee5d1714a59\",\r\n \"name\": \"0396b18c-41aa-489c-affd-4ee5d1714a59\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Secure Boot should be enabled on your virtual machine\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0396b18c-41aa-489c-affd-4ee5d1714a59\",\r\n \"description\": \"Enabling Secure Boot on your virtual machine helps mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only signed code will be allowed to run on your VM or server.\",\r\n \"remediationDescription\": \"Enabling Secure Boot requires restarting your virtual machine: 1. Stop your VM when it is safe to do so. 2. Enable Secure Boot for the VM. 3. Restart the VM.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ElevationOfPrivilege\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f7010359-8d21-4598-a9f2-c3e81a17141e\",\r\n \"name\": \"f7010359-8d21-4598-a9f2-c3e81a17141e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"All advanced threat protection types should be enabled in SQL server advanced data security settings\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e756b945-1b1b-480b-8de8-9a0859d5f7ad\",\r\n \"description\": \"It is recommended to enable all advanced threat protection types on your SQL servers. Enabling all types protects against SQL injection, database vulnerabilities, and any other anomalous activities.\",\r\n \"remediationDescription\": \"To set advanced threat protection types to 'All' on SQL servers: 1. Select the SQL server. 2. Make sure that 'Advanced data security' is set to 'On'. 3. Under 'Advanced threat protection types', mark the check box for 'all'. 4. click OK. 5. Click Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ebe970fe-9c27-4dd7-a165-1e943d565e10\",\r\n \"name\": \"ebe970fe-9c27-4dd7-a165-1e943d565e10\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"All advanced threat protection types should be enabled in SQL managed instance advanced data security settings\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bda18df3-5e41-4709-add9-2554ce68c966\",\r\n \"description\": \"It is recommended to enable all advanced threat protection types on your SQL managed instances. Enabling all types protects against SQL injection, database vulnerabilities, and any other anomalous activities.\",\r\n \"remediationDescription\": \"To set advanced threat protection types to 'All' on a managed instance: 1. Select the SQL server. 2. Make sure that 'Advanced data security' is set to 'On'. 3. Under 'Advanced threat protection types', mark the check box for 'all'. 4. click OK. 5. Click Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/64b8637e-4e1d-76a9-0fc9-c1e487a97ed8\",\r\n \"name\": \"64b8637e-4e1d-76a9-0fc9-c1e487a97ed8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Remote debugging should be turned off for Web Applications\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/cb510bfd-1cba-4d9f-a230-cb0976f4bb71\",\r\n \"description\": \"Remote debugging requires inbound ports to be opened on a web application. Remote debugging is currently enabled. If you no longer need to use remote debugging, it should be turned off.\",\r\n \"remediationDescription\": \"To turn off remote debugging, we recommend the following steps: 1. Go to the app service applications settings page 2. In the remote debugging toggle select Off 3. Click Save\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/df4d1739-47f0-60c7-1706-3731fea6ab03\",\r\n \"name\": \"df4d1739-47f0-60c7-1706-3731fea6ab03\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CORS should not allow every resource to access your Web Applications\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/5744710e-cc2f-4ee8-8809-3b11e89f4bc9\",\r\n \"description\": \"Cross-Origin Resource Sharing (CORS) should not allow all domains to access your web application. Allow only required domains to interact with your web app.\",\r\n \"remediationDescription\": \"To allow only required domains to interact with your web app, we recommend the following steps:<br>1. Go to the app service CORS page<br>2. Remove the \\\"*\\\" defined and instead specify explicit origins that should be allowed to make cross-origin calls<br>3. Click Save\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1b351b29-41ca-6df5-946c-c190a56be5fe\",\r\n \"name\": \"1b351b29-41ca-6df5-946c-c190a56be5fe\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Web Application should only be accessible over HTTPS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d\",\r\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\",\r\n \"remediationDescription\": \"To redirect all HTTP traffic to HTTPS, we recommend the following steps:
\\n1. Go to the app service custom domains page
\\n2. In the HTTPS Only toggle select On\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/093c685b-56dd-13a3-8ed5-887a001837a2\",\r\n \"name\": \"093c685b-56dd-13a3-8ed5-887a001837a2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Remote debugging should be turned off for Function App\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/0e60b895-3786-45da-8377-9c6b4b6ac5f9\",\r\n \"description\": \"Remote debugging requires inbound ports to be opened on an function app. Remote debugging should be turned off.\",\r\n \"remediationDescription\": \"To turn off remote debugging, we recommend the following steps:<br>1. Go to the app service applications settings page<br>2. In the remote debugging toggle select Off<br>3. Click Save\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7b3d4796-9400-2904-692b-4a5ede7f0a1e\",\r\n \"name\": \"7b3d4796-9400-2904-692b-4a5ede7f0a1e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CORS should not allow every resource to access your Function App\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/0820b7b9-23aa-4725-a1ce-ae4558f718e5\",\r\n \"description\": \"Cross-Origin Resource Sharing (CORS) should not allow all domains to access your Function app. Allow only required domains to interact with your Function app.\",\r\n \"remediationDescription\": \"To allow only required domains to interact with your web app, we recommend the following steps:<br>1. Go to the app service CORS page<br>2. Remove the \\\"*\\\" defined and instead specify explicit origins that should be allowed to make cross-origin calls<br>3. Click Save\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/cb0acdc6-0846-fd48-debe-9905af151b6d\",\r\n \"name\": \"cb0acdc6-0846-fd48-debe-9905af151b6d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Function App should only be accessible over HTTPS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab\",\r\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\",\r\n \"remediationDescription\": \"To redirect all HTTP traffic to HTTPS, we recommend the following steps:
\\n1. Go to the app service custom domains page
\\n2. In the HTTPS Only toggle select On\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9172da4e-9571-6e33-2b5b-d742847f3be7\",\r\n \"name\": \"9172da4e-9571-6e33-2b5b-d742847f3be7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Remote debugging should be turned off for API App\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/e9c8d085-d9cc-4b17-9cdc-059f1f01f19e\",\r\n \"description\": \"Remote debugging requires inbound ports to be opened on an API app. Remote debugging should be turned off.\",\r\n \"remediationDescription\": \"To turn off remote debugging, we recommend the following steps:<br>1. Go to the app service applications settings page<br>2. In the remote debugging toggle select Off<br>3. Click Save\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e40df93c-7a7c-1b0a-c787-9987ceb98e54\",\r\n \"name\": \"e40df93c-7a7c-1b0a-c787-9987ceb98e54\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CORS should not allow every resource to access your API App\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/358c20a6-3f9e-4f0e-97ff-c6ce485e2aac\",\r\n \"description\": \"Cross-Origin Resource Sharing (CORS) should not allow all domains to access your API app. Allow only required domains to interact with your API app.\",\r\n \"remediationDescription\": \"To allow only required domains to interact with your web app, we recommend the following steps:<br>1. Go to the app service CORS page<br>2. Remove the �*� defined and instead specify explicit origins that should be allowed to make cross-origin calls<br>3. Click Save\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bf82a334-13b6-ca57-ea75-096fc2ffce50\",\r\n \"name\": \"bf82a334-13b6-ca57-ea75-096fc2ffce50\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"API App should only be accessible over HTTPS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b7ddfbdc-1260-477d-91fd-98bd9be789a6\",\r\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\",\r\n \"remediationDescription\": \"To redirect all HTTP traffic to HTTPS, we recommend the following steps:
\\n1. Go to the app service custom domains page
\\n2. In the HTTPS Only toggle select On\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d57a4221-a804-52ca-3dea-768284f06bb7\",\r\n \"name\": \"d57a4221-a804-52ca-3dea-768284f06bb7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Disk encryption should be applied on virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d\",\r\n \"description\": \"Encrypt your virtual machine disks using Azure Disk Encryption both for Windows and Linux virtual machines.
\\n Azure Disk Encryption (ADE) leverages the industry standard BitLocker feature of Windows and the DM-Crypt feature of Linux to
\\n provide OS and data disk encryption to help protect and safeguard your data and help meet your organizational security and
\\n compliance commitments in customer Azure key vault. When your compliance and security requirement requires you to encrypt
\\n the data end to end using your encryption keys, including encryption of the ephemeral (locally attached temporary) disk, use
\\n Azure disk encryption. Alternatively, by default, Managed Disks are encrypted at rest by default using Azure Storage Service
\\n Encryption where the encryption keys are Microsoft managed keys in Azure. If this meets your compliance and security requirements,
\\n you can leverage the default Managed disk encryption to meet your requirements.\",\r\n \"remediationDescription\": \"To enable disk encryption on your virtual machines, follow Encryption instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4ab6e3c5-74dd-8b35-9ab9-f61b30875b27\",\r\n \"name\": \"4ab6e3c5-74dd-8b35-9ab9-f61b30875b27\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"System updates should be installed on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60\",\r\n \"description\": \"Install missing system security and critical updates to secure your Windows and Linux virtual machines and computers\",\r\n \"remediationDescription\": \"1. Click an identified outstanding update. 2. In the Missing system updates pane, click the support link and follow the instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c0f5316d-5ac5-9218-b77a-b96e16ccfd66\",\r\n \"name\": \"c0f5316d-5ac5-9218-b77a-b96e16ccfd66\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Your machines should be restarted to apply system updates\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60\",\r\n \"description\": \"Restart your machines to apply the system updates and secure the machine from vulnerabilities.\",\r\n \"remediationDescription\": \"To restart the machine:
\\n1. Go to Virtual machines and click on your machine.
\\n2. Click 'Restart'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/181ac480-f7c4-544b-9865-11b8ffe87f47\",\r\n \"name\": \"181ac480-f7c4-544b-9865-11b8ffe87f47\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities in security configuration on your machines should be remediated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15\",\r\n \"description\": \"Remediate vulnerabilities in security configuration on your machines to protect them from attacks.\",\r\n \"remediationDescription\": \"1.\\tClick any of the configuration vulnerabilities. 2. In the Remediate security configurations pane, click View affected machines. 3. Click a machine from the list. 4. Customize the Kusto query as necessary and run the command.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3bcd234d-c9c7-c2a2-89e0-c01f419c1a8a\",\r\n \"name\": \"3bcd234d-c9c7-c2a2-89e0-c01f419c1a8a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Endpoint protection health issues should be resolved on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9\",\r\n \"description\": \"For full Security Center protection, resolve monitoring agent issues on your machines by following the instructions in the Troubleshooting guide.\",\r\n \"remediationDescription\": \"1. Click any of the health issues. 2. Select a workspace. 3. Customize the Kusto query as necessary and run the command.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/83f577bd-a1b6-b7e1-0891-12ca19d1e6df\",\r\n \"name\": \"83f577bd-a1b6-b7e1-0891-12ca19d1e6df\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Install endpoint protection solution on virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9\",\r\n \"description\": \"Install an endpoint protection solution on your virtual machines, to protect them from threats and vulnerabilities.\",\r\n \"remediationDescription\": \"1.\\tSelect one or more virtual machines, or use the filter to set criteria for which machines to select. 2. Click Install on [x] VMs.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/651967bf-044e-4bde-8376-3e08e0600105\",\r\n \"name\": \"651967bf-044e-4bde-8376-3e08e0600105\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Transparent Data Encryption on SQL databases should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a8bef009-a5c9-4d0f-90d7-6018734e8a16\",\r\n \"description\": \"Enable transparent data encryption to protect data-at-rest and meet compliance requirements\",\r\n \"remediationDescription\": \"To enable transparent data encryption on your SQL databases: 1. Select the SQL database. 2. Under Data encryption, select On. 3. Click Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/94208a8b-16e8-4e5b-abbd-4e81c9d02bee\",\r\n \"name\": \"94208a8b-16e8-4e5b-abbd-4e81c9d02bee\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Auditing on SQL server should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9\",\r\n \"description\": \"Enable auditing on your SQL Server to track database activities across all databases on the server and save them in an audit log.\",\r\n \"remediationDescription\": \"To enable SQL server auditing:
\\n1. Select the SQL server.
\\n2. Under Auditing, select On.
\\n3. Select Storage details and configure a storage account for the audit log.
\\n4. Click Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8bc390da-9eb6-938d-25ed-44a35d9bcc9d\",\r\n \"name\": \"8bc390da-9eb6-938d-25ed-44a35d9bcc9d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"OS version should be updated for your cloud service roles\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Update the operating system (OS) version for your cloud service roles to the most recent version available for your OS family.\",\r\n \"remediationDescription\": \"Update the OS version on your cloud service roles to make sure you have the most recent OS version. To do this, follow the instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/383cf3bc-fdf9-4a02-120a-3e7e36c6bfee\",\r\n \"name\": \"383cf3bc-fdf9-4a02-120a-3e7e36c6bfee\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Install endpoint protection solution on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Install an endpoint protection solution on your Windows and Linux machines, to protect them from threats and vulnerabilities.\",\r\n \"remediationDescription\": \"1. Select one or more machines, or use the filter to set criteria for which machines to select. 2. Click Install on [x] machines.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e7ee30c4-bac9-2966-54bd-2023a4282872\",\r\n \"name\": \"e7ee30c4-bac9-2966-54bd-2023a4282872\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Monitoring agent should be installed on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This action installs a monitoring agent on the selected virtual machines. Select a workspace for the agent to report to.\",\r\n \"remediationDescription\": \"1. For instructions on how to install the agent on Windows, click here 2. For instructions on how to install the agent on Linux, click here\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8e2b96ff-3de2-289b-b5c1-3b9921a3441e\",\r\n \"name\": \"8e2b96ff-3de2-289b-b5c1-3b9921a3441e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Monitoring agent health issues should be resolved on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Security Center uses the Microsoft Monitoring Agent (MMA) to collect security events from your Azure virtual machines. To make sure your virtual machines are successfully monitored,
\\n you need to enable data collection in Security Center and make sure the MMA agent is both installed on the virtual machines and properly collects security events to the configured workspace.
\\n In some cases, the MMA agent may fail to properly report security events, due to multiple reasons. In these cases, coverage may be partial - security events won�t be properly processed,
\\n and in turn threat detection for the affected VMs may fail to function.\",\r\n \"remediationDescription\": \"To resolve monitoring agent health issues and see the different resolution for each issue, please see the following instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d1db3318-01ff-16de-29eb-28b344515626\",\r\n \"name\": \"d1db3318-01ff-16de-29eb-28b344515626\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Install monitoring agent on your virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Security Center uses the Microsoft Monitoring Agent (MMA) to collect security events from your Azure virtual machines.<br> We recommend configuring auto-provisioning to ensure the MMA is deployed automatically.<br> If you choose not to use auto-provisioning, you�ll need to follow the remediation steps to manually deploy the MMA for all your VMs.<br> You�ll also need to follow that procedure if your VMs are used by an Azure managed service such as Azure Kubernetes Service or Azure Service Fabric.\",\r\n \"remediationDescription\": \"Installation of the monitoring agent and enabling data collection in Security Center can be done in several ways:\\n- Using Security Center�s automatic provisioning on your subscription(s).
This will automatically provision the monitoring agent on current and future-created virtual machines on your subscription(s). (Learn more)
\\nYou can enable automatic provisioning on multiple subscriptions by clicking on the Getting started menu item, and select 'Install agents'.
You can also enable it for specific subscriptions and customize additional settings by clicking on the 'Security policy' menu item,
select 'Edit settings' on a subscription and enable auto provisioning in the 'data collection' menu item. \\n- Install the Microsoft Monitoring agent on your Virtual machines as a VM extension or directly, by following these instructions.
\\n- Provision the Microsoft Monitoring agent with Azure Policies. The applicable policy definitions are:
�[Preview]: Deploy Log Analytics Agent for Windows VMs� and �[Preview]: Deploy Log Analytics Agent for Linux VMs. \\n
\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/151e82c5-5341-a74b-1eb0-bc38d2c84bb5\",\r\n \"name\": \"151e82c5-5341-a74b-1eb0-bc38d2c84bb5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"MFA should be enabled on accounts with read permissions on your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e3576e28-8b17-4677-84c3-db2990658d64\",\r\n \"description\": \"Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources.\",\r\n \"remediationDescription\": \"Before enabling MFA for the users, you may want to take this opportunity to delete any users listed that are no longer active users.
To enable MFA using conditional access you must have an Azure AD Premium license and have AD tenant admin permissions.
To enable MFA on user accounts: 1. Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription. The list of user accounts that require enabling MFA opens. 2. Click 'Continue'. The Azure AD Conditional Access page opens. 3. In the Conditional Access page, add the list of users to an existing policy. If there are no existing policies create a new policy following these instructions:
a. Click '+New policy'.
b. In the 'Name' text box, enter a policy name.
c. Assign 'User and groups':
i. Select 'Users and groups' > In the 'Include' tab, select 'Select users and groups' and select the 'Users and groups' check box.
ii. Select the users that are in the list of user accounts require enabling MFA. You can scroll back to the left to see the list.
iii. After selecting the users, at the bottom of the list, click 'Select'.
iv. Click 'Done'.
d. Assign 'Cloud apps'
i. Select 'Cloud apps' > In the 'Include' tab, select 'All cloud apps'. (Don't exclude any apps.)
ii. Click 'Done'.
e. Assign 'Access Controls'
i. Select 'Grant' and select 'Require multi-factor authentication'. (Don't select any other options.)
ii. Click 'Select'.
f. Enable Policy.
i. Click 'On' 4. Click 'Create'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/57e98606-6b1e-6193-0e3d-fe621387c16b\",\r\n \"name\": \"57e98606-6b1e-6193-0e3d-fe621387c16b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"MFA should be enabled on accounts with write permissions on your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9297c21d-2ed6-4474-b48f-163f75654ce3\",\r\n \"description\": \"Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources.\",\r\n \"remediationDescription\": \"Before enabling MFA for the users, you may want to take this opportunity to delete any users listed that are no longer active users.
To enable MFA using conditional access you must have an Azure AD Premium license and have AD tenant admin permissions.
To enable MFA on user accounts: 1. Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription. The list of user accounts that require enabling MFA opens. 2. Click 'Continue'. The Azure AD Conditional Access page opens. 3. In the Conditional Access page, add the list of users to an existing policy. If there are no existing policies create a new policy following these instructions:
a. Click '+New policy'.
b. In the 'Name' text box, enter a policy name.
c. Assign 'User and groups':
i. Select 'Users and groups' > In the 'Include' tab, select 'Select users and groups' and select the 'Users and groups' check box.
ii. Select the users that are in the list of user accounts require enabling MFA. You can scroll back to the left to see the list.
iii. After selecting the users, at the bottom of the list, click 'Select'.
iv. Click 'Done'.
d. Assign 'Cloud apps'
i. Select 'Cloud apps' > In the 'Include' tab, select 'All cloud apps'. (Don't exclude any apps.)
ii. Click 'Done'.
e. Assign 'Access Controls'
i. Select 'Grant' and select 'Require multi-factor authentication'. (Don't select any other options.)
ii. Click 'Select'.
f. Enable Policy.
i. Click 'On' 4. Click 'Create'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/94290b00-4d0c-d7b4-7cea-064a9554e681\",\r\n \"name\": \"94290b00-4d0c-d7b4-7cea-064a9554e681\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"MFA should be enabled on accounts with owner permissions on your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/aa633080-8b72-40c4-a2d7-d00c03e80bed\",\r\n \"description\": \"Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources.\",\r\n \"remediationDescription\": \"Before enabling MFA for the users, you may want to take this opportunity to delete any users listed that are no longer active users.
To enable MFA using conditional access you must have an Azure AD Premium license and have AD tenant admin permissions.
To enable MFA on user accounts: 1. Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription. The list of user accounts that require enabling MFA opens. 2. Click 'Continue'. The Azure AD Conditional Access page opens. 3. In the Conditional Access page, add the list of users to an existing policy. If there are no existing policies create a new policy following these instructions:
a. Click '+New policy'.
b. In the 'Name' text box, enter a policy name.
c. Assign 'User and groups':
i. Select 'Users and groups' > In the 'Include' tab, select 'Select users and groups' and select the 'Users and groups' check box.
ii. Select the users that are in the list of user accounts require enabling MFA. You can scroll back to the left to see the list.
iii. After selecting the users, at the bottom of the list, click 'Select'.
iv. Click 'Done'.
d. Assign 'Cloud apps'
i. Select 'Cloud apps' > In the 'Include' tab, select 'All cloud apps'. (Don't exclude any apps.)
ii. Click 'Done'.
e. Assign 'Access Controls'
i. Select 'Grant' and select 'Require multi-factor authentication'. (Don't select any other options.)
ii. Click 'Select'.
f. Enable Policy.
i. Click 'On' 4. Click 'Create'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a8c6a4ad-d51e-88fe-2979-d3ee3c864f8b\",\r\n \"name\": \"a8c6a4ad-d51e-88fe-2979-d3ee3c864f8b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"External accounts with read permissions should be removed from your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5f76cf89-fbf2-47fd-a3f4-b891fa780b60\",\r\n \"description\": \"Accounts with read permissions that have different domain names (external accounts), should be removed from your subscription. This prevents unmonitored access. These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"To remove external accounts:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The list of external user accounts that require access removal opens.
Click 'Continue'. The Access control (IAM) page opens.
In the Access control page: 1. Click the 'Role assignments' 2. Search and select the users that were in the list of user accounts that require removal. You can scroll back to the left to see the list. 3. Click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/04e7147b-0deb-9796-2e5c-0336343ceb3d\",\r\n \"name\": \"04e7147b-0deb-9796-2e5c-0336343ceb3d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"External accounts with write permissions should be removed from your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5c607a2e-c700-4744-8254-d77e7c9eb5e4\",\r\n \"description\": \"Accounts with write permissions that have different domain names (external accounts), should be removed from your subscription. This prevents unmonitored access. These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"To remove external accounts:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The list of external user accounts that require access removal opens.
Click 'Continue'. The Access control (IAM) page opens.
In the Access control page: 1. Click the 'Role assignments' 2. Search and select the users that were in the list of user accounts that require removal. You can scroll back to the left to see the list. 3. Click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c3b6ae71-f1f0-31b4-e6c1-d5951285d03d\",\r\n \"name\": \"c3b6ae71-f1f0-31b4-e6c1-d5951285d03d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"External accounts with owner permissions should be removed from your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f8456c1c-aa66-4dfb-861a-25d127b775c9\",\r\n \"description\": \"Accounts with owner permissions that have different domain names (external accounts), should be removed from your subscription. This prevents unmonitored access. These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"To remove external accounts:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The list of external user accounts that require access removal opens.
Click 'Continue'. The Access control (IAM) page opens.
In the Access control page: 1. Click the 'Role assignments' 2. Search and select the users that were in the list of user accounts that require removal. You can scroll back to the left to see the list. 3. Click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/00c6d40b-e990-6acf-d4f3-471e747a27c4\",\r\n \"name\": \"00c6d40b-e990-6acf-d4f3-471e747a27c4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Deprecated accounts should be removed from your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6b1cbf55-e8b6-442f-ba4c-7246b6381474\",\r\n \"description\": \"User accounts that have been blocked from signing in, should be removed from your subscriptions.
These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"To remove blocked user accounts:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The list of blocked user accounts opens.
Click �Continue�. The Access control (IAM) page opens.
In the Access control page:1. Click the 'Role assignments' tab. 2. Search and select the users that were in the list of blocked user accounts that require removal. You can scroll back to the left to see the list. 3. Click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e52064aa-6853-e252-a11e-dffc675689c2\",\r\n \"name\": \"e52064aa-6853-e252-a11e-dffc675689c2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Deprecated accounts with owner permissions should be removed from your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ebb62a0c-3560-49e1-89ed-27e074e9f8ad\",\r\n \"description\": \"User accounts that have been blocked from signing in, should be removed from your subscriptions.
These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"To remove blocked user accounts:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The list of blocked user accounts opens.
Click �Continue�. The Access control (IAM) page opens.
In the Access control page:1. Click the 'Role assignments' tab. 2. Search and select the users that were in the list of blocked user accounts that require removal. You can scroll back to the left to see the list. 3. Click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6f90a6d6-d4d6-0794-0ec1-98fa77878c2e\",\r\n \"name\": \"6f90a6d6-d4d6-0794-0ec1-98fa77878c2e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"A maximum of 3 owners should be designated for your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4f11b553-d42e-4e3a-89be-32ca364cad4c\",\r\n \"description\": \"It is recommended to designate up to {0} subscription owners in order to reduce the potential for breach by a compromised owner.\",\r\n \"remediationDescription\": \"To remove owner permissions from user accounts on your subscription:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The Access control (IAM) page opens. 1. Click the Role assignments tab and set the 'Role' filter to 'Owner'. 2. Select the owners you want to remove. 3. Click Remove.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2c79b4af-f830-b61e-92b9-63dfa30f16e4\",\r\n \"name\": \"2c79b4af-f830-b61e-92b9-63dfa30f16e4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"There should be more than one owner assigned to your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/09024ccc-0c5f-475e-9457-b7c0d9ed487b\",\r\n \"description\": \"Designate more than one subscription owner in order to have administrator access redundancy.\",\r\n \"remediationDescription\": \"To add another account with owner permissions to your subscription:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The Access control (IAM) page opens. 1. Click 'Add' to open the Add role assignment pane.
If you don't have permissions to assign roles, the Add role assignment option will be disabled 1. In the 'Role' drop-down list, select the Owner role. 2. In the Select list, select a user. 3. Click Save.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0677209d-e675-2c6f-e91a-54cef2878663\",\r\n \"name\": \"0677209d-e675-2c6f-e91a-54cef2878663\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities in container security configurations should be remediated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933\",\r\n \"description\": \"Remediate vulnerabilities in security configuration on machines with Docker installed to protect them from attacks.\",\r\n \"remediationDescription\": \"To Remediate vulnerabilities in the container security configurations:1. Review the list of failed rules.2. Fix each rule according to the specified instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1db4f204-cb5a-4c9c-9254-7556403ce51c\",\r\n \"name\": \"1db4f204-cb5a-4c9c-9254-7556403ce51c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerability assessment should be enabled on your SQL servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9\",\r\n \"description\": \"Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities.\",\r\n \"remediationDescription\": \"To enable vulnerability assessment on SQL servers: 1. Select the SQL server. 2. Make sure that 'Advanced data security' is set to 'On'. 3. Under 'Vulnerability assessment settings', set 'Periodic recurring scans' to 'On', and configure a storage account for storing vulnerability assessment scan results. 4. Click Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/400a6682-992c-4726-9549-629fbc3b988f\",\r\n \"name\": \"400a6682-992c-4726-9549-629fbc3b988f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Advanced data security should be enabled on your SQL servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9\",\r\n \"description\": \"Advanced data security (ADS) is a unified package that provides advanced SQL security capabilities. It discovers and classifies sensitive data, surfaces and mitigates potential database vulnerabilities, and detects anomalous activities that could indicate a threat to your database. ADS is charged at $15 per SQL server.\",\r\n \"remediationDescription\": \"To enable advanced data security on SQL servers: 1. Select the SQL server. 2. Under 'Advanced Data Security', select 'On'. 3. Under 'Vulnerability Assessment Settings', set 'Periodic recurring scans' to 'On', and configure a storage account for storing vulnerability assessment scan results. 4. Click Save.
Note: ADS is charged at $15 per SQL server.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f0553104-cfdb-65e6-759c-002812e38500\",\r\n \"name\": \"f0553104-cfdb-65e6-759c-002812e38500\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"An Azure Active Directory administrator should be provisioned for SQL servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9\",\r\n \"description\": \"Provision an Azure AD administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services.\",\r\n \"remediationDescription\": \"To provision an Azure AD administrator for SQL server, see Configure and manage Azure Active Directory authentication with SQL Database, Managed Instance, or SQL Data Warehouse\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/12018f4f-3d10-999b-e4c4-86ec25be08a1\",\r\n \"name\": \"12018f4f-3d10-999b-e4c4-86ec25be08a1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Virtual machines should be migrated to new Azure Resource Manager resources\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d\",\r\n \"description\": \"To benefit from new capabilities in Azure Resource Manager, you can migrate existing deployments from the Classic deployment model. Resource Manager enables security enhancements such as: stronger access control (RBAC), better auditing, ARM-based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management. Learn more\",\r\n \"remediationDescription\": \"To migrate virtual machines to new ARM resources : 1. Go to the Virtual machine 2. Click on Migrate to ARM and follow the instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/22e18b64-4576-41e6-8972-0eb28c9af0c8\",\r\n \"name\": \"22e18b64-4576-41e6-8972-0eb28c9af0c8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fb893a29-21bb-418c-a157-e99480ec364c\",\r\n \"description\": \"Upgrade your Kubernetes service cluster to a later Kubernetes version to protect against known vulnerabilities in your current Kubernetes version. Vulnerability CVE-2019-9946 has been patched in Kubernetes versions 1.11.9+, 1.12.7+, 1.13.5+, and 1.14.0+\",\r\n \"remediationDescription\": \"To upgrade a Kubernetes version using the Azure portal: 1. Go to Azure Kubernetes Services and click on the specific Kubernetes Service. 2. Under 'Upgrade' select the target Kubernetes version and save the change. Note:When you upgrade an AKS cluster, Kubernetes minor versions cannot be skipped. For example, upgrades between 1.10.x -> 1.11.x or 1.11.x -> 1.12.x are allowed, however 1.10.x -> 1.12.x is not. To upgrade from 1.10.x -> 1.12.x, first upgrade from 1.10.x -> 1.11.x, then upgrade from 1.11.x -> 1.12.x.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"ElevationOfPrivilege\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1a2b5b4c-f80d-46e7-ac81-b51a9fb363de\",\r\n \"name\": \"1a2b5b4c-f80d-46e7-ac81-b51a9fb363de\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Authorized IP ranges should be defined on Kubernetes Services\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e246bcf-5f6f-4f87-bc6f-775d4712c7ea\",\r\n \"description\": \"Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster.\",\r\n \"remediationDescription\": \"To configure authorized IP ranges, follow the steps described here Secure access to the API server using authorized IP address ranges in Azure Kubernetes Service (AKS).\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DenialOfService\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a3eee263-aa01-4b52-a7c0-0094578ef48f\",\r\n \"name\": \"a3eee263-aa01-4b52-a7c0-0094578ef48f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Pod Security Policies should be defined on Kubernetes Services\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3abeb944-26af-43ee-b83d-32aaf060fb94\",\r\n \"description\": \"Define Pod Security Policies to reduce the attack vector by removing unnecessary application privileges. It is recommended to configure Pod Security Policies to only allow pods to access the resources which they have permissions to access.\",\r\n \"remediationDescription\": \"To configure Pod Security Policies, follow the steps described here Secure your cluster using pod security policies in Azure Kubernetes Service (AKS).\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ElevationOfPrivilege\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b0fdc63a-38e7-4bab-a7c4-2c2665abbaa9\",\r\n \"name\": \"b0fdc63a-38e7-4bab-a7c4-2c2665abbaa9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Role-Based Access Control should be used on Kubernetes Services\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ac4a19c2-fa67-49b4-8ae5-0b2e78c49457\",\r\n \"description\": \"To provide granular filtering on the actions that users can perform, use Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service Clusters and configure relevant authorization policies. For more information, see Azure role-based access control.\",\r\n \"remediationDescription\": \"To Use Role-Based Access Control (RBAC) you must recreate your Kubernetes Service cluster and enable RBAC during the creation process. Creating a Kubernetes Service with RBAC enabled can be done via the portal as follows: 1. Go to Azure Kubernetes Services. 2. Click 'Add' and enter your cluster's configuration. 3. In the 'Authentication' tab, verify that the 'Enable RBAC' setting is set to 'Yes'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"ElevationOfPrivilege\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c6dad669-efd7-cd72-61c5-289935607791\",\r\n \"name\": \"c6dad669-efd7-cd72-61c5-289935607791\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Data Lake Analytics should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c95c74d9-38fe-4f0d-af86-0c7d626a315c\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Data Lake Analytics diagnostics: 1. Go to Data Lake Analytics and click on your subscription. 2. Click Diagnostic settings and then click Turn on diagnostics. 3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c42fc28d-1703-45fc-aaa5-39797f570513\",\r\n \"name\": \"c42fc28d-1703-45fc-aaa5-39797f570513\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerability assessment should be enabled on your SQL managed instances\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b7aa243-30e4-4c9e-bca8-d0d3022b634a\",\r\n \"description\": \"Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities.\",\r\n \"remediationDescription\": \"To enable vulnerability assessment on a managed instance: 1. Select the SQL managed instance. 2. Make sure that 'Advanced data security' is set to 'On'. 3. Under 'Vulnerability assessment settings', set 'Periodic recurring scans' to 'On', and configure a storage account for storing vulnerability assessment scan results. 4. Click Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ff6dbca8-d93c-49fc-92af-dc25da7faccd\",\r\n \"name\": \"ff6dbca8-d93c-49fc-92af-dc25da7faccd\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Advanced data security should be enabled on your managed instances\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9\",\r\n \"description\": \"Advanced data security (ADS) is a unified package that provides advanced SQL security capabilities. It discovers and classifies sensitive data, surfaces and mitigates potential database vulnerabilities, and detects anomalous activities that could indicate a threat to your database. ADS is charged at $15 per managed SQL server.\",\r\n \"remediationDescription\": \"To enable advanced data security on managed SQL servers: 1. Select the managed SQL server. 2. Under 'Advanced Data Security', select 'On'. 3. Under 'Vulnerability Assessment Settings', set 'Periodic recurring scans' to 'On', and configure a storage account for storing vulnerability assessment scan results. 4. Click Save.
Note: ADS is charged at $15 per managed SQL server.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/35b25be2-d08a-e340-45ed-f08a95d804fc\",\r\n \"name\": \"35b25be2-d08a-e340-45ed-f08a95d804fc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Only secure connections to your Redis Cache should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/22bee202-a82f-4305-9a2a-6d7f44d4dedb\",\r\n \"description\": \"Enable only connections via SSL to Redis Cache. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.\",\r\n \"remediationDescription\": \"To enable only SSL connections to your Redis Cache, we recommend the following steps: 1. Go to the Redis Caches, and select your redis cache. 2. Select 'Advanced settings'. 3. For 'Allow access only via SSL', click 'Yes' and then click 'Save'.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/77785808-ce86-4e40-b45f-19110a547397\",\r\n \"name\": \"77785808-ce86-4e40-b45f-19110a547397\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in IoT Hub should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/383856f8-de7f-44a2-81fc-e5135b5c2aa4\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable IoT Hub diagnostics: 1. Go to the Event Hub namespace. 2. Click Diagnostic settings and then click Turn on diagnostics. 3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/32771b45-220c-1a8b-584e-fdd5a2584a66\",\r\n \"name\": \"32771b45-220c-1a8b-584e-fdd5a2584a66\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Batch accounts should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/428256e6-1fac-4f48-a757-df34c2b3336d\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Batch diagnostics: 1. Go to Batch and click on your subscription. 2. Click Diagnostic settings and then click Turn on diagnostics. 3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f11b27f2-8c49-5bb4-eff5-e1e5384bf95e\",\r\n \"name\": \"f11b27f2-8c49-5bb4-eff5-e1e5384bf95e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Azure Stream Analytics should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f9be5368-9bf5-4b84-9e0a-7850da98bb46\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Stream Analytics diagnostics: 1. Go to Stream Analytics and click on your subscription. 2. Click Diagnostic settings and then click Turn on diagnostics. 3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f19ab7d9-5ff2-f8fd-ab3b-0bf95dcb6889\",\r\n \"name\": \"f19ab7d9-5ff2-f8fd-ab3b-0bf95dcb6889\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Service Bus should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f8d36e2f-389b-4ee4-898d-21aeb69a0f45\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Service Bus diagnostics: 1. Go to the Service Bus. 2. Click Diagnostic settings and then click Turn on diagnostics. 3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b12bc79e-4f12-44db-acda-571820191ddc\",\r\n \"name\": \"b12bc79e-4f12-44db-acda-571820191ddc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Automation account variables should be encrypted\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735\",\r\n \"description\": \"It is important to enable encryption of Automation account variable assets when storing sensitive data.\",\r\n \"remediationDescription\": \"To apply encryption of the Automation account variable assets, in the Azure CLI - run the following command: Set-AzAutomationVariable -AutomationAccountName '{AutomationAccountName}' -Encrypted $true -Name '{VariableName}' -ResourceGroupName '{ResourceGroupName}' -Value '{Value}'
Read more here\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ad5bbaeb-7632-5edf-f1c2-752075831ce8\",\r\n \"name\": \"ad5bbaeb-7632-5edf-f1c2-752075831ce8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Azure Data Lake Store should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/057ef27e-665e-4328-8ea3-04b3122bd9fb\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Data Lake Store diagnostics: 1. Go to Data Lake Store and click on your subscription. 2. Click Diagnostic settings and then click Turn on diagnostics. 3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/dea5192e-1bb3-101b-b70c-4646546f5e1e\",\r\n \"name\": \"dea5192e-1bb3-101b-b70c-4646546f5e1e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Search services should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b4330a05-a843-4bc8-bf9a-cacce50c67f4\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Search diagnostics: 1. Go to Search and click on your subscription. 2. Click Diagnostic settings and then click Turn on diagnostics. 3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/03afeb6f-7634-adb3-0a01-803b0b9cb611\",\r\n \"name\": \"03afeb6f-7634-adb3-0a01-803b0b9cb611\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Service Fabric clusters should only use Azure Active Directory for client authentication\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b54ed75b-3e1a-44ac-a333-05ba39b99ff0\",\r\n \"description\": \"Perform Client authentication only via Azure Active Directory in Service Fabric\",\r\n \"remediationDescription\": \"To enable client authentication using Azure Active Directory follow the instructions to Set up Azure Active Directory for client authentication.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7f04fc0c-4a3d-5c7e-ce19-666cb871b510\",\r\n \"name\": \"7f04fc0c-4a3d-5c7e-ce19-666cb871b510\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/617c02be-7f02-4efd-8836-3180d47b6c68\",\r\n \"description\": \"Service Fabric provides three levels of protection (None, Sign and EncryptAndSign) for node-to-node communication using a primary cluster certificate. Set the protection level to ensure that all node-to-node messages are encrypted and digitally signed.\",\r\n \"remediationDescription\": \"To set 'ClusterProtectionLevel' inside Service Fabric ARM template to 'EncryptAndSign': 1. Go to the Service fabric cluster. 2. Click on 'Custom fabric settings'. 3. Click 'Add new', set the 'Security' section and update the 'ClusterProtectionLevel' property to 'EncryptAndSign'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1597605a-0faf-5860-eb74-462ae2e9fc21\",\r\n \"name\": \"1597605a-0faf-5860-eb74-462ae2e9fc21\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Event Hub should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83a214f7-d01a-484b-91a9-ed54470c9a6a\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Event Hub diagnostics: 1. Go to the Event Hub namespace. 2. Click Diagnostic settings and then click Turn on diagnostics. 3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/91387f44-7e43-4ecc-55f0-46f5adee3dd5\",\r\n \"name\": \"91387f44-7e43-4ecc-55f0-46f5adee3dd5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Logic Apps should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34f95f76-5386-4de7-b824-0d8478470c9d\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Logic Apps diagnostics: 1. Go to Logic Apps and click on your subscription. 2. Click Diagnostic settings and then click Turn on diagnostics. 3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/961eb649-3ea9-f8c2-6595-88e9a3aeedeb\",\r\n \"name\": \"961eb649-3ea9-f8c2-6595-88e9a3aeedeb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Virtual Machine Scale Sets should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7c1b1214-f927-48bf-8882-84f0af6588b1\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Virtual Machines Scale Sets diagnostics follow the instructions\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606\",\r\n \"description\": \"To benefit from new capabilities in Azure Resource Manager, you can migrate existing deployments from the Classic deployment model. Resource Manager enables security enhancements such as: stronger access control (RBAC), better auditing, ARM-based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management. Learn more\",\r\n \"remediationDescription\": \"To migrate storage accounts to new ARM resources : 1. Go to the Storage Account 2. Click on Migrate to ARM and follow the instructions.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/88bbc99c-e5af-ddd7-6105-6150b2bfa519\",\r\n \"name\": \"88bbc99c-e5af-ddd7-6105-6150b2bfa519\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Key Vault should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Key Vault diagnostics: 1. Go to Key Vault and click on your subscription. 2. Click Diagnostic settings and then click Turn on diagnostics. 3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/45d313c3-3fca-5040-035f-d61928366d31\",\r\n \"name\": \"45d313c3-3fca-5040-035f-d61928366d31\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Access to storage accounts with firewall and virtual network configurations should be restricted\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c\",\r\n \"description\": \"Review the settings of network access in your storage account firewall settings. It is recommended to configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premise clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges.\",\r\n \"remediationDescription\": \"1. In your storage account, go to 'Firewalls and virtual networks'. 2. Under 'Allow access from', choose 'Selected networks'. 3. Configure the relevant virtual networks and IP ranges that should be allowed to access your storage account. 4. Configure \\\"Allow trusted Microsoft services to access your storage account\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": \"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Secure transfer to storage accounts should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9\",\r\n \"description\": \"Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.\",\r\n \"remediationDescription\": \"To enable secure transfer required: 1. In your storage account, go to the 'Configuration' page. 2. Enable 'Secure transfer required'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bd20bd91-aaf1-7f14-b6e4-866de2f43146\",\r\n \"name\": \"bd20bd91-aaf1-7f14-b6e4-866de2f43146\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"System updates on virtual machine scale sets should be installed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe\",\r\n \"description\": \"Install missing system security and critical updates to secure your Windows and Linux virtual machine scale sets.\",\r\n \"remediationDescription\": \"To install system updates: 1. Review the list of missing system updates. 2. Follow the steps to resolve the update, as described in the support link.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/45cfe080-ceb1-a91e-9743-71551ed24e94\",\r\n \"name\": \"45cfe080-ceb1-a91e-9743-71551ed24e94\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Monitoring agent should be installed on virtual machine scale sets\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/f3631911-7880-4edb-88bd-6411f5e3b6ec\",\r\n \"description\": \"Security Center uses the Microsoft Monitoring Agent (MMA) to collect security events from your Azure virtual machine scale sets.<br> You cannot configure auto-provisioning of the MMA for Azure virtual machine scale sets. To deploy the MMA on virtual machine scale sets (including those used by Azure managed services such as Azure Kubernetes Service and Azure Service Fabric), please follow the procedure in the remediation steps.\",\r\n \"remediationDescription\": \"To install monitoring agent : 1. Select or create a workspace. 2. Click on Install to install the agent on the scale set.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8941d121-f740-35f6-952c-6561d2b38d36\",\r\n \"name\": \"8941d121-f740-35f6-952c-6561d2b38d36\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities in security configuration on your virtual machine scale sets should be remediated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4\",\r\n \"description\": \"Remediate vulnerabilities in security configuration on your virtual machine scale sets to protect them from attacks.\",\r\n \"remediationDescription\": \"To remediate vulnerabilities in VM scale set security configurations: 1. Review the list of failed rules. 2. Fix each rule according to the instructions provided.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/21300918-b2e3-0346-785f-c77ff57d243b\",\r\n \"name\": \"21300918-b2e3-0346-785f-c77ff57d243b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Endpoint protection solution should be installed on virtual machine scale sets\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de\",\r\n \"description\": \"Install an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities.\",\r\n \"remediationDescription\": \"To install an endpoint protection solution: 1. Follow the instructions in How do I turn on antimalware in my virtual machine scale set\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e71020c2-860c-3235-cd39-04f3f8c936d2\",\r\n \"name\": \"e71020c2-860c-3235-cd39-04f3f8c936d2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Endpoint protection health failures should be remediated on virtual machine scale sets\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de\",\r\n \"description\": \"Remediate endpoint protection health failures on your virtual machine scale sets to protect them from threats and vulnerabilities.\",\r\n \"remediationDescription\": \"Resolve endpoint protection health issues on your VM scale sets to get full protection and coverage by Azure Security Center. To do this, follow the instructions in each of the possible endpoint protection health issues displayed on your virtual machine scale set.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6c99f570-2ce7-46bc-8175-cde013df43bc\",\r\n \"name\": \"6c99f570-2ce7-46bc-8175-cde013df43bc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Guest configuration extension should be installed on Windows virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/5fc23db3-dd4d-4c56-bcc7-43626243e601\",\r\n \"description\": \"Install the guest configuration agent to enable auditing settings inside a machine such as: - The configuration of the operating system
- Application configuration or presence
- Environment settings
Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'.
For more details, visit in-guest policies\",\r\n \"remediationDescription\": \"Quick fix remediation:
To remediate with a single click, in the Unhealthy resources tab (below), select the resources, and click 'Remediate'.
Read the remediation details in the confirmation box, and approve the remediation.
Note: It can take several minutes after remediation completes to see the resources in the ‘healthy resources’ tab.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/22489c48-27d1-4e40-9420-4303ad9cffef\",\r\n \"name\": \"22489c48-27d1-4e40-9420-4303ad9cffef\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Windows Defender Exploit Guard should be enabled on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/bed48b13-6647-468e-aa2f-1af1d3f4dd40\",\r\n \"description\": \"Windows Defender Exploit Guard leverages the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only).\",\r\n \"remediationDescription\": \"Enable controlled folder access: controlled folder access
The following attack surface rules should be enabled:
'be9ba2d9-53ea-4cdc-84e5-9b1eeee46550',
'b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4',
'9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2',
'd4f940ab-401b-4efc-aadc-ad5f3c50688a',
'd3e037e1-3eb8-44c8-a917-57927947596d',
'5beb7efe-fd9a-4556-801d-275e5ffc04cc',
'3b576869-a4ec-4529-8536-b80a7769e899',
'26190899-1602-49e8-8b27-eb1d0a1ce869',
'92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B',
'7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c',
'75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84'
For more information on visit:attack surface reduction\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ThreatResistance\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/27ac71b1-75c5-41c2-adc2-858f5db45b08\",\r\n \"name\": \"27ac71b1-75c5-41c2-adc2-858f5db45b08\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Log Analytics agent should be installed on your Windows-based Azure Arc machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/d69b1763-b96d-40b8-a2d9-ca31e9fd0d3e\",\r\n \"description\": \"Security Center uses the Log Analytics agent (also known as MMA) to collect security events from your Azure Arc machines. To deploy the agent on all your Azure Arc machines, follow the remediation steps.\",\r\n \"remediationDescription\": \"Security Center can deploy the agents to all your machines with quick fix: 1. From the Unhealthy resources tab, select the relevant machines, and select \\\"Remediate\\\". 2. Read the remediation details in the confirmation box, modify the parameters as necessary, and approve the remediation. Note: It can take several minutes after remediation completes until the resources move to the Healthy resources tab. Manual Remediation: 1. From Azure Arc machine's page, go to Extensions and select Add. 2. Follow the instructions to add the relevant extension. You can also use ARM template or Azure Policies to manage the extension deployment to Arc servers.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/720a3e77-0b9a-4fa9-98b6-ddf0fd7e32c1\",\r\n \"name\": \"720a3e77-0b9a-4fa9-98b6-ddf0fd7e32c1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Log Analytics agent should be installed on your Linux-based Azure Arc machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/842c54e8-c2f9-4d79-ae8d-38d8b8019373\",\r\n \"description\": \"Security Center uses the Log Analytics agent (also known as OMS) to collect security events from your Azure Arc machines. To deploy the agent on all your Azure Arc machines, follow the remediation steps.\",\r\n \"remediationDescription\": \"Security Center can deploy the agents to all your machines with quick fix: 1. From the Unhealthy resources tab, select the relevant machines, and select \\\"Remediate\\\". 2. Read the remediation details in the confirmation box, modify the parameters as necessary, and approve the remediation. Note: It can take several minutes after remediation completes until the resources move to the Healthy resources tab. Manual Remediation: 1. From Azure Arc machine's page, go to Extensions and select Add. 2. Follow the instructions to add the relevant extension. You can also use ARM template or Azure Policies to manage the extension deployment to Arc servers.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9d07b7e6-2986-4964-a76c-b2689604e212\",\r\n \"name\": \"9d07b7e6-2986-4964-a76c-b2689604e212\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Identical Authentication Credentials\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5468b9f3-f0dd-41e3-a383-f0f442f34bcf\",\r\n \"description\": \"Identical authentication credentials to the IoT Hub used by multiple devices. This could indicate an illegitimate device impersonating a legitimate device. It also exposes the risk of device impersonation by an attacker\",\r\n \"remediationDescription\": \"Review the devices in question and make sure they are all valid. Replace any duplicated credentials and make sure all device authentication credentials are unique.\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5a3d6cdd-8eb3-46d2-ba11-d24a0d47fe65\",\r\n \"name\": \"5a3d6cdd-8eb3-46d2-ba11-d24a0d47fe65\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Default IP Filter Policy should be Deny\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bde66085-0bff-4163-a200-2ff7c1175045\",\r\n \"description\": \"IP Filter Configuration should have rules defined for allowed traffic and should deny all other traffic by default\",\r\n \"remediationDescription\": \"Add a default rule at the end of the defined rules list to deny all inbound traffic. Make sure any rules defined above it only allow wanted traffic through.\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d8326952-60bb-40fb-b33f-51e662708a88\",\r\n \"name\": \"d8326952-60bb-40fb-b33f-51e662708a88\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IP Filter rule large IP range\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3f528984-4591-4989-b6bc-6d9f67f3de57\",\r\n \"description\": \"An Allow IP Filter rule's source IP range is too large. Overly permissive rules might expose your IoT hub to malicious intenders\",\r\n \"remediationDescription\": \"Review the rule in question and verify source IP range is as small as it needs to be for necessary traffic to go through.\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1a36f14a-8bd8-45f5-abe5-eef88d76ab5b\",\r\n \"name\": \"1a36f14a-8bd8-45f5-abe5-eef88d76ab5b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Open Ports On Device\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fa676ae0-e4c3-4803-8ce8-e85df20b57cd\",\r\n \"description\": \"A listening endpoint was found on the device\",\r\n \"remediationDescription\": \"Review the open ports on the device and make sure they belong to legitimate and necessary processes for the device to function correctly\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ba975338-f956-41e7-a9f2-7614832d382d\",\r\n \"name\": \"ba975338-f956-41e7-a9f2-7614832d382d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Permissive firewall rule in the input chain was found\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a782bbed-a876-4631-9bc5-7ace7d466dc8\",\r\n \"description\": \"A rule in the firewall has been found that contains a permissive pattern for a wide range of IP addresses or Ports\",\r\n \"remediationDescription\": \"Review the rules in the recommendation and verify only necessary addresses / ports are allowed in\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/beb62be3-5e78-49bd-ac5f-099250ef3c7c\",\r\n \"name\": \"beb62be3-5e78-49bd-ac5f-099250ef3c7c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Permissive firewall policy in one of the chains was found\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fce8d615-a5d2-431d-ba4d-2d9ae164224f\",\r\n \"description\": \"An allowed firewall policy was found in main firewall Chains (INPUT/OUTPUT). The policy should Deny all traffic by default define rules to allow necessary communication to/from the device\",\r\n \"remediationDescription\": \"Change firewall policy to Drop and add specific rules to permit access to legitimate connections to/from the device\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d5a8d84a-9ad0-42e2-80e0-d38e3d46028a\",\r\n \"name\": \"d5a8d84a-9ad0-42e2-80e0-d38e3d46028a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Permissive firewall rule in the output chain was found\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/75af18a4-86e2-40ab-a157-359d67bd9314\",\r\n \"description\": \"A rule in the firewall has been found that contains a permissive pattern for a wide range of IP addresses or ports\",\r\n \"remediationDescription\": \"Review the rules in the recommendation and verify only necessary addresses / ports are allowed out\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3a577f3e-2a57-4197-bc79-85007d5c8cd8\",\r\n \"name\": \"3a577f3e-2a57-4197-bc79-85007d5c8cd8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Install the Azure Security of Things Agent\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b122f8fc-72f9-4a24-87ec-b71bdfb5a890\",\r\n \"description\": \"Installing the Azure Security of Things agent on a device increases the security detections available for it\",\r\n \"remediationDescription\": \"Install the Azure Security of Things Security Agent\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5f65e47f-7a00-4bf3-acae-90ee441ee876\",\r\n \"name\": \"5f65e47f-7a00-4bf3-acae-90ee441ee876\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Operating system baseline validation failure\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a15d59b-fbfe-41c9-bdb1-d900cc77eb6e\",\r\n \"description\": \"Security related system configuration issues identified\",\r\n \"remediationDescription\": \"Review the failed rules and remediate the security configuration vulnerabilities identified on your devices\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a9a59ebb-5d6f-42f5-92a1-036fd0fd1879\",\r\n \"name\": \"a9a59ebb-5d6f-42f5-92a1-036fd0fd1879\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Agent sending underutilized messages\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a6cb74de-df4c-497f-9e87-f0ccd430de6c\",\r\n \"description\": \"IoT agent message size capacity is currently underutilized, causing an increase in the number of sent messages. Adjust message intervals for better utilization\",\r\n \"remediationDescription\": \"To avoid too many underutilized messages, consider enlarging the high/low priority send intervals\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2acc27c6-5fdb-405e-9080-cb66b850c8f5\",\r\n \"name\": \"2acc27c6-5fdb-405e-9080-cb66b850c8f5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - TLS cipher suite upgrade needed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f4912296-8654-4bf1-bb7b-a42bfa368af6\",\r\n \"description\": \"Unsecure TLS configurations detected. Immediate TLS cipher suite upgrade recommended\",\r\n \"remediationDescription\": \"Upgrade your TLS cipher suite to a secure configuration. See the Guide to TLS Standards Compliance for more information\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d74d2738-2485-4103-9919-69c7e63776ec\",\r\n \"name\": \"d74d2738-2485-4103-9919-69c7e63776ec\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Auditd process stopped sending events\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5502d409-6ab3-401d-a4ae-619cf2bbf68e\",\r\n \"description\": \"Security events originated from Auditd process are no longer received from this device\",\r\n \"remediationDescription\": \"Verify Auditd process is running on the device, restart process or device as needed\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2acd365d-e8b5-4094-bce4-244b7c51d67c\",\r\n \"name\": \"2acd365d-e8b5-4094-bce4-244b7c51d67c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Service principals should be used to protect your subscriptions instead of Management Certificates\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Security/assessmentMetadata/2acd365d-e8b5-4094-bce4-244b7c51d67c\",\r\n \"description\": \"Management certificates allow anyone who authenticates with them to manage the subscription(s) they are associated with. To manage subscriptions more securely, using service principals with Resource Manager is recommended to limit the blast radius in the case of a certificate compromise. It also automates resource management. \",\r\n \"remediationDescription\": \"To remove management certificates and replace with service principals:1. Follow the guidance here to create service principals with a certificate. 2. Select a subscription from the list of subscriptions below or navigate to the specific subscription. 3. Select In the Management Certificates under Settings , delete the existing management certificates you would like to replace with the service principals you created.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"name\": \"eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Subnets should be associated with a network security group\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e71308d3-144b-4262-b144-efdc3cc90517\",\r\n \"description\": \"Protect your subnet from potential threats by restricting access to it with a network security group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. When an NSG is associated with a subnet, the ACL rules apply to all the VM instances and integrated services in that subnet, but don't apply to internal traffic inside the subnet. To secure resources in the same subnet from one another, enable NSG directly on the resources as well.\",\r\n \"remediationDescription\": \"To enable network security groups on your virtual machines: 1. Select a VM to enable NSG on its NIC. 2. In the 'Networking' blade, click the Network Interface that is associated with the selected VM. 3. In the 'Network interface' blade, click the 'Network security group' menu item. 4. Click the 'Edit' button at the top of the blade. 5. Follow the steps and select an existing network security group to attach to this VM.
Click here to learn more.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"name\": \"e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure DDoS Protection Standard should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd\",\r\n \"description\": \"Security Center has discovered virtual networks with applications and firewalls unprotected by the DDoS protection service. These apps and firewalls have public IPs. Enable mitigation of network volumetric and protocol attacks.\",\r\n \"remediationDescription\": \"1. Select a virtual network to enable the DDoS protection service standard on. 2. Select the Standard option. 3. Click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"ThreatResistance\",\r\n \"DenialOfService\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/35f45c95-27cf-4e52-891f-8390d1de5828\",\r\n \"name\": \"35f45c95-27cf-4e52-891f-8390d1de5828\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Adaptive application controls for whitelisting safe applications should be enabled on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc\",\r\n \"description\": \"Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.\",\r\n \"remediationDescription\": \"To enable and configure adaptive application controls: 1. From the portal, open Security Center. 2. Select \\\"Adaptive application controls\\\" from Security Center’s sidebar. 3. To see the groups of machines that Security Center recommends protecting with adaptive application controls, select the \\\"Recommended\\\" tab and choose a group of machines to protect. 4. Create a new applications control policy according to the instructions in Security Center’s documentation: https://aka.ms/aac-newpolicy\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\",\r\n \"ThreatResistance\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1234abcd-1b53-4fd4-9835-2c2fa3935313\",\r\n \"name\": \"1234abcd-1b53-4fd4-9835-2c2fa3935313\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Whitelisting rules in your adaptive application control policy should be updated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/123a3936-f020-408a-ba0c-47873faf1534\",\r\n \"description\": \"Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to whitelist in adaptive application control policies.\",\r\n \"remediationDescription\": \"To update your whitelists of known-safe applications: 1. From the portal, open Security Center. 2. Select \\\"Adaptive application controls\\\" from Security Center’s sidebar. 3. To see the groups of machines for which Security Center recommends updating the policy, select the \\\"Recommended\\\" tab and choose the configured group of machines. 4. The current policy will be displayed together with the new rules that Security Center recommends adding.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\",\r\n \"ThreatResistance\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f9f0eed0-f143-47bf-b856-671ea2eeed62\",\r\n \"name\": \"f9f0eed0-f143-47bf-b856-671ea2eeed62\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Adaptive Network Hardening recommendations should be applied on internet facing virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6\",\r\n \"description\": \"Azure Security Center has analyzed the internet traffic communication patterns of the virtual machines listed below, and determined that the existing rules in the NSGs associated to them are overly permissive, resulting in an increased potential attack surface.
This typically occurs when this IP address doesn't communicate regularly with this resource. Alternatively, the IP address has been flagged as malicious by Security Center's threat intelligence sources. learn more\",\r\n \"remediationDescription\": \"To harden the Network Security Group traffic rules, enforce the recommended rules by following the steps below or manually edit the rules directly on the Network Security Group:
- Select a VM from the list below, or click \\\"Take action\\\" if you've arrived from a specific VM's recommendation blade.
- Click the \\\"Rules\\\" tab.
- If you want to modify a recommended rule's parameters:
- In the rule that you want to change, select the three dots and select \\\"Edit rule\\\". The \\\"Edit rule\\\" blade opens.
- Modify the parameters that you want to change and click \\\"Save\\\". The blade closes.
- If you want to create a new rule:
- Click \\\"Add rule\\\" (in the top left corner). The \\\"Edit rule\\\" blade opens.
- Fill in the parameters and click \\\"Add rule\\\". The pane closes and the new rule is listed in the Rules tab.
- Select the rules that you want to apply (including any rules that you edited or added) and click \\\"Enforce\\\".
\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/805651bc-6ecd-4c73-9b55-97a19d0582d0\",\r\n \"name\": \"805651bc-6ecd-4c73-9b55-97a19d0582d0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Management ports of virtual machines should be protected with just-in-time network access control\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c\",\r\n \"description\": \"N/A\",\r\n \"remediationDescription\": \"N/A\",\r\n \"categories\": [\r\n \"Compute\",\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/01b1ed4c-b733-4fee-b145-f23236e70cf3\",\r\n \"name\": \"01b1ed4c-b733-4fee-b145-f23236e70cf3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerability assessment solution should be installed on your virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/760a85ff-6162-42b3-8d70-698e268f648c\",\r\n \"description\": \"N/A\",\r\n \"remediationDescription\": \"N/A\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/71992a2a-d168-42e0-b10e-6b45fa2ecddb\",\r\n \"name\": \"71992a2a-d168-42e0-b10e-6b45fa2ecddb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities should be remediated by a Vulnerability Assessment solution\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/760a85ff-6162-42b3-8d70-698e268f648c\",\r\n \"description\": \"N/A\",\r\n \"remediationDescription\": \"N/A\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\",\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bc303248-3d14-44c2-96a0-55f5c326b5fe\",\r\n \"name\": \"bc303248-3d14-44c2-96a0-55f5c326b5fe\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Management ports should be closed on your virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/22730e10-96f6-4aac-ad84-9383d35b5917\",\r\n \"description\": \"Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.\",\r\n \"remediationDescription\": \"We recommend that you edit the inbound rules of some of your virtual machines, to restrict access to specific source ranges.
To restrict access to your virtual machines: 1. Select a VM to restrict access to. 2. In the 'Networking' blade, click on each of the rules that allow management ports (e.g. RDP-3389, WINRM-5985, SSH-22). 3. Either change the 'Action' property to 'Deny', or, improve the rule by applying a less permissive range of source IP ranges. 4. Click 'Save'.
Use Azure Security Center's Just-in-time (JIT) virtual machine (VM) access to lock down inbound traffic to your Azure VMs by demand. Click here to learn more.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ThreatResistance\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c3b51c94-588b-426b-a892-24696f9e54cc\",\r\n \"name\": \"c3b51c94-588b-426b-a892-24696f9e54cc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IP forwarding on your virtual machine should be disabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744\",\r\n \"description\": \"Azure Security Center has discovered that IP forwarding is enabled on some of your virtual machines. Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.\",\r\n \"remediationDescription\": \"We recommend you edit the IP configurations of the NICs belonging to some of your virtual machines.
To disable IP forwarding: 1. Select a VM from the list below, or click 'Take action' if you've arrived from a specific VM's recommendation blade. 2. In the 'Networking' blade, click on the NIC link ('Network Interface' in the top left). 3. In the 'IP configurations' blade, set the 'IP forwarding' field to 'Disabled'. 4. Click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3b20e985-f71f-483b-b078-f30d73936d43\",\r\n \"name\": \"3b20e985-f71f-483b-b078-f30d73936d43\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"All network ports should be restricted on NSG associated to your VM\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9daedab3-fb2d-461e-b861-71790eead4f6\",\r\n \"description\": \"Azure Security center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to easily target your resources.\",\r\n \"remediationDescription\": \"We recommend that you edit the inbound rules of some of your virtual machines, to restrict access to specific source ranges.
To restrict access to your virtual machines: 1. Select a VM to restrict access to. 2. In the 'Networking' blade, click the Network Security Group with overly permissive rules. 3. In the 'Network security group' blade, click on each of the rules that are overly permissive. 4. Improve the rule by applying less permissive source IP ranges. 5. Apply the suggested changes and click 'Save'.
If some or all of these virtual machines do not need to be accessed directly from the Internet, then you can also consider removing the public IP associated to them.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/483f12ed-ae23-447e-a2de-a67a10db4353\",\r\n \"name\": \"483f12ed-ae23-447e-a2de-a67a10db4353\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Internet-facing virtual machines should be protected with network security groups\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c\",\r\n \"description\": \"Protect your VM from potential threats by restricting access to it with a network security group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your VM from other instances, in or outside the same subnet.
Please note that to keep your machine as secured as possible, both the VM access to the Internet must be restricted, and an NSG should be enabled on the subnet.
VMs with 'High' severity are Internet-facing VMs.\",\r\n \"remediationDescription\": \"To enable Network Security Groups on your virtual machines: 1. Select a VM to enable NSG on its NIC. 2. In the 'Networking' blade, click the Network Interface that is associated with the selected VM. 3. In the 'Network interface' blade, click the 'Network security group' menu item. 4. Click the 'Edit' button at the top of the blade. 5. Follow the steps and select an existing network security group to attach to this VM.
Click here to learn more.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a9341235-9389-42f0-a0bf-9bfb57960d44\",\r\n \"name\": \"a9341235-9389-42f0-a0bf-9bfb57960d44\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Non-internet-facing virtual machines should be protected with network security groups\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6\",\r\n \"description\": \"Protect your non-internet-facing virtual machine from potential threats by restricting access to it with a network security group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your VM from other instances, whether or not they're on the same subnet.
Note that to keep your machine as secure as possible, the VM's access to the internet must be restricted and an NSG should be enabled on the subnet.\",\r\n \"remediationDescription\": \"To enable network security groups on your virtual machines: 1. Select a VM to enable an NSG on its NIC. 2. In the 'Networking' pane, select the Network Interface that is associated with the selected VM. 3. In the 'Network interface' pane, select the 'Network security group' menu item. 4. Select 'Edit' at the top of the pane. 5. Follow the steps and select an existing network security group to attach to this VM.
Learn more.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/550e890b-e652-4d22-8274-60b3bdb24c63\",\r\n \"name\": \"550e890b-e652-4d22-8274-60b3bdb24c63\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Enable the built-in vulnerability assessment solution on virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9\",\r\n \"description\": \"Install the Qualys extension (built-in to the Azure Security Center standard tier) to enable the industry-leading vulnerability assessment solution on your virtual machines.\",\r\n \"remediationDescription\": \"To remediate with a single click, in the Unhealthy resources tab (below), select the resources, and click 'Remediate'. Read the remediation details in the confirmation box, insert the relevant parameters if required and approve the remediation. Note: It can take several minutes after remediation completes to see the resources in the ‘healthy resources’\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/57f36d21-69e3-4b0f-a66c-18629d1b736d\",\r\n \"name\": \"57f36d21-69e3-4b0f-a66c-18629d1b736d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Adaptive Network Hardening recommendations should be applied on internal facing virtual machines (Preview)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/65f6008c-c7de-4146-b4f2-0f91aa80ebe0\",\r\n \"description\": \"Azure Security Center has analyzed the Internet traffic communication patterns of the virtual machines listed below, and determined that the existing rules in the NSGs associated to them are overly permissive, resulting in an increased potential attack surface. This could be due lack of traffic on the port/protocol tuples or specific IPs which have been flagged as malicious by Security Center's threat intelligence sources.\",\r\n \"remediationDescription\": \"Security Center recommends that you modify the rules of your virtual machines, to close ports which are not in use.
To close unused ports on your Virtual Machine with a Network Security Group
1. Select a Virtual Machine to display a list of its unused open ports
2. Open the Virtual Machine's Networking blade by clicking its name
3. Edit the Virtual Machine's inbound/outbound rules to block ports according to the list
4. Click Save\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/24d8af06-d441-40b4-a49c-311421aa9f58\",\r\n \"name\": \"24d8af06-d441-40b4-a49c-311421aa9f58\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Network traffic data collection agent should be installed on Windows virtual machines (Preview)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2f2ee1de-44aa-4762-b6bd-0893fc3f306d\",\r\n \"description\": \"Security Center uses the Microsoft Monitoring Dependency Agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats.\",\r\n \"remediationDescription\": \"To remediate with a single click, in the Unhealthy resources tab (below), select the resources, and click Remediate. Read the remediation details in the confirmation box, insert the relevant parameters if required and approve the remediation.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8c3e93d3-0276-4d06-b20a-9a9f3012742c\",\r\n \"name\": \"8c3e93d3-0276-4d06-b20a-9a9f3012742c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Network traffic data collection agent should be installed on Linux virtual machines (Preview)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/04c4380f-3fae-46e8-96c9-30193528f602\",\r\n \"description\": \"Security Center uses the Microsoft Monitoring Dependency Agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats.\",\r\n \"remediationDescription\": \"To remediate with a single click, in the Unhealthy resources tab (below), select the resources, and click Remediate. Read the remediation details in the confirmation box, insert the relevant parameters if required and approve the remediation.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b0df6f56-862d-4730-8597-38c0fd4ebd59\",\r\n \"name\": \"b0df6f56-862d-4730-8597-38c0fd4ebd59\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Sensitive data in your SQL databases should be classified\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/cc9835f2-9f6b-4cc8-ab4a-f8ef615eb349\",\r\n \"description\": \"Azure SQL DB Data discovery & classification provides capabilities for discovering, classifying, labeling, and protecting the sensitive data in your databases. Once your data is classified, you can use Azure SQL DB auditing to audit access and monitor the sensitive data. Azure SQL DB also enables Advanced Threat Protection features which creates intelligent alerts based on changes in the access patterns to the sensitive data.\",\r\n \"remediationDescription\": \"To remediate this recommendation: 1. In your SQL database, go to 'Advanced Data Security' and click 'Data Discovery and Classification'. 2. Review the recommended classifications. 3. Apply the relevant recommendations and dismiss the ones that are not applicable.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fe02b3b7-a722-d4d6-6731-6493776203a6\",\r\n \"name\": \"fe02b3b7-a722-d4d6-6731-6493776203a6\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities on your SQL databases should be remediated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc\",\r\n \"description\": \"SQL Vulnerability Assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security stature.\",\r\n \"remediationDescription\": \"To resolve SQL vulnerabilities: 1. In your SQL database, go to 'Advanced Data Security' and click 'Vulnerability Assessment'. 2. Review the set of Failed security checks found by the scan, which are sorted from high to low risk. 3. Click on each vulnerability to view its details and explicit remediation instructions and scripts. 4. Either remediate the vulnerability using the provided script, or set the result as an acceptable Baseline for the check so that it will be considered passing in subsequent scans.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f97aa83c-9b63-4f9a-99f6-b22c4398f936\",\r\n \"name\": \"f97aa83c-9b63-4f9a-99f6-b22c4398f936\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities on your SQL databases in VMs should be remediated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d\",\r\n \"description\": \"SQL Vulnerability Assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security stature.\",\r\n \"remediationDescription\": \"To resolve SQL vulnerabilities: 1. In your SQL database, go to 'Advanced Data Security' and click 'Vulnerability Assessment'. 2. Review the set of Failed security checks found by the scan, which are sorted from high to low risk. 3. Click on each vulnerability to view its details and explicit remediation instructions and scripts. 4. Either remediate the vulnerability using the provided script, or set the result as an acceptable Baseline for the check so that it will be considered passing in subsequent scans.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/dbd0cb49-b563-45e7-9724-889e799fa648\",\r\n \"name\": \"dbd0cb49-b563-45e7-9724-889e799fa648\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities in Azure Container Registry images should be remediated (powered by Qualys)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bf49982c-9e3e-4fc4-bc20-67afecd23512\",\r\n \"description\": \"Container image vulnerability assessment scans your registry for security vulnerabilities on each pushed container image and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks.\",\r\n \"remediationDescription\": \"To resolve container image vulnerabilities: 1. Navigate to the relevant resource under the 'Unhealthy' section and select the container image you are looking to remediate. 2. Review the set of failed security checks found by the scan, which are sorted from high to low risk. 3. Click on each vulnerability to view its details and explicit remediation instructions and scripts. 4. Remediate the vulnerability using the provided instructions described in the 'Remediation' field. 5. Upload the new remediated image to your registry. Review scan results for the new image to verify the vulnerability no longer exist. 6. Delete the old image with the vulnerability from you registry.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1195afff-c881-495e-9bc5-1486211ae03f\",\r\n \"name\": \"1195afff-c881-495e-9bc5-1486211ae03f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Remediate vulnerabilities found on your virtual machines (powered by Qualys)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9\",\r\n \"description\": \"Monitors for vulnerability findings on your virtual machines as were discovered by the built-in vulnerability assessment solution of Azure Security Center (powered by Qualys).\",\r\n \"remediationDescription\": \"Review and remediate vulnerability findings that were discovered by the built-in vulnerability assessment solution of Azure Security Center (powered by Qualys).\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/82e20e14-edc5-4373-bfc4-f13121257c37\",\r\n \"name\": \"82e20e14-edc5-4373-bfc4-f13121257c37\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities on your SQL databases should be remediated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc\",\r\n \"description\": \"SQL Vulnerability Assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security stature.\",\r\n \"remediationDescription\": \"To resolve SQL vulnerabilities: 1. In your SQL database, go to 'Advanced Data Security' and click 'Vulnerability Assessment'. 2. Review the set of Failed security checks found by the scan, which are sorted from high to low risk. 3. Click on each vulnerability to view its details and explicit remediation instructions and scripts. 4. Either remediate the vulnerability using the provided script, or set the result as an acceptable Baseline for the check so that it will be considered passing in subsequent scans.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n }\r\n ]\r\n}",
+ "ResponseBody": "{\r\n \"value\": [\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4fb67663-9ab9-475d-b026-8c544cced439\",\r\n \"name\": \"4fb67663-9ab9-475d-b026-8c544cced439\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Install endpoint protection solution on Linux virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9\",\r\n \"description\": \"\",\r\n \"remediationDescription\": \"\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0396b18c-41aa-489c-affd-4ee5d1714a59\",\r\n \"name\": \"0396b18c-41aa-489c-affd-4ee5d1714a59\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Secure Boot should be enabled on your virtual machine\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0396b18c-41aa-489c-affd-4ee5d1714a59\",\r\n \"description\": \"Enabling Secure Boot on your virtual machine helps mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only signed code will be allowed to run on your VM or server.\",\r\n \"remediationDescription\": \"Enabling Secure Boot requires restarting your virtual machine: 1. Stop your VM when it is safe to do so. 2. Enable Secure Boot for the VM. 3. Restart the VM.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ElevationOfPrivilege\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f7010359-8d21-4598-a9f2-c3e81a17141e\",\r\n \"name\": \"f7010359-8d21-4598-a9f2-c3e81a17141e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"All advanced threat protection types should be enabled in SQL server advanced data security settings\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e756b945-1b1b-480b-8de8-9a0859d5f7ad\",\r\n \"description\": \"It is recommended to enable all advanced threat protection types on your SQL servers. Enabling all types protects against SQL injection, database vulnerabilities, and any other anomalous activities.\",\r\n \"remediationDescription\": \"To set advanced threat protection types to 'All' on SQL servers: 1. Select the SQL server. 2. Make sure that 'Advanced data security' is set to 'On'. 3. Under 'Advanced threat protection types', mark the check box for 'all'. 4. click OK. 5. Click Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ebe970fe-9c27-4dd7-a165-1e943d565e10\",\r\n \"name\": \"ebe970fe-9c27-4dd7-a165-1e943d565e10\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"All advanced threat protection types should be enabled in SQL managed instance advanced data security settings\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bda18df3-5e41-4709-add9-2554ce68c966\",\r\n \"description\": \"It is recommended to enable all advanced threat protection types on your SQL managed instances. Enabling all types protects against SQL injection, database vulnerabilities, and any other anomalous activities.\",\r\n \"remediationDescription\": \"To set advanced threat protection types to 'All' on a managed instance: 1. Select the SQL server. 2. Make sure that 'Advanced data security' is set to 'On'. 3. Under 'Advanced threat protection types', mark the check box for 'all'. 4. click OK. 5. Click Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/64b8637e-4e1d-76a9-0fc9-c1e487a97ed8\",\r\n \"name\": \"64b8637e-4e1d-76a9-0fc9-c1e487a97ed8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Remote debugging should be turned off for Web Applications\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/cb510bfd-1cba-4d9f-a230-cb0976f4bb71\",\r\n \"description\": \"Remote debugging requires inbound ports to be opened on a web application. Remote debugging is currently enabled. If you no longer need to use remote debugging, it should be turned off.\",\r\n \"remediationDescription\": \"To turn off remote debugging, we recommend the following steps: 1. Go to the app service applications settings page 2. In the remote debugging toggle select Off 3. Click Save\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/df4d1739-47f0-60c7-1706-3731fea6ab03\",\r\n \"name\": \"df4d1739-47f0-60c7-1706-3731fea6ab03\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CORS should not allow every resource to access your Web Applications\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/5744710e-cc2f-4ee8-8809-3b11e89f4bc9\",\r\n \"description\": \"Cross-Origin Resource Sharing (CORS) should not allow all domains to access your web application. Allow only required domains to interact with your web app.\",\r\n \"remediationDescription\": \"To allow only required domains to interact with your web app, we recommend the following steps:<br>1. Go to the app service CORS page<br>2. Remove the \\\"*\\\" defined and instead specify explicit origins that should be allowed to make cross-origin calls<br>3. Click Save\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1b351b29-41ca-6df5-946c-c190a56be5fe\",\r\n \"name\": \"1b351b29-41ca-6df5-946c-c190a56be5fe\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Web Application should only be accessible over HTTPS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d\",\r\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\",\r\n \"remediationDescription\": \"To redirect all HTTP traffic to HTTPS, we recommend the following steps:
\\n1. Go to the app service custom domains page
\\n2. In the HTTPS Only toggle select On\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/093c685b-56dd-13a3-8ed5-887a001837a2\",\r\n \"name\": \"093c685b-56dd-13a3-8ed5-887a001837a2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Remote debugging should be turned off for Function App\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/0e60b895-3786-45da-8377-9c6b4b6ac5f9\",\r\n \"description\": \"Remote debugging requires inbound ports to be opened on an function app. Remote debugging should be turned off.\",\r\n \"remediationDescription\": \"To turn off remote debugging, we recommend the following steps:<br>1. Go to the app service applications settings page<br>2. In the remote debugging toggle select Off<br>3. Click Save\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7b3d4796-9400-2904-692b-4a5ede7f0a1e\",\r\n \"name\": \"7b3d4796-9400-2904-692b-4a5ede7f0a1e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CORS should not allow every resource to access your Function App\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/0820b7b9-23aa-4725-a1ce-ae4558f718e5\",\r\n \"description\": \"Cross-Origin Resource Sharing (CORS) should not allow all domains to access your Function app. Allow only required domains to interact with your Function app.\",\r\n \"remediationDescription\": \"To allow only required domains to interact with your web app, we recommend the following steps:<br>1. Go to the app service CORS page<br>2. Remove the \\\"*\\\" defined and instead specify explicit origins that should be allowed to make cross-origin calls<br>3. Click Save\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/cb0acdc6-0846-fd48-debe-9905af151b6d\",\r\n \"name\": \"cb0acdc6-0846-fd48-debe-9905af151b6d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Function App should only be accessible over HTTPS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab\",\r\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\",\r\n \"remediationDescription\": \"To redirect all HTTP traffic to HTTPS, we recommend the following steps:
\\n1. Go to the app service custom domains page
\\n2. In the HTTPS Only toggle select On\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9172da4e-9571-6e33-2b5b-d742847f3be7\",\r\n \"name\": \"9172da4e-9571-6e33-2b5b-d742847f3be7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Remote debugging should be turned off for API App\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/e9c8d085-d9cc-4b17-9cdc-059f1f01f19e\",\r\n \"description\": \"Remote debugging requires inbound ports to be opened on an API app. Remote debugging should be turned off.\",\r\n \"remediationDescription\": \"To turn off remote debugging, we recommend the following steps:<br>1. Go to the app service applications settings page<br>2. In the remote debugging toggle select Off<br>3. Click Save\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e40df93c-7a7c-1b0a-c787-9987ceb98e54\",\r\n \"name\": \"e40df93c-7a7c-1b0a-c787-9987ceb98e54\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CORS should not allow every resource to access your API App\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/358c20a6-3f9e-4f0e-97ff-c6ce485e2aac\",\r\n \"description\": \"Cross-Origin Resource Sharing (CORS) should not allow all domains to access your API app. Allow only required domains to interact with your API app.\",\r\n \"remediationDescription\": \"To allow only required domains to interact with your web app, we recommend the following steps:<br>1. Go to the app service CORS page<br>2. Remove the �*� defined and instead specify explicit origins that should be allowed to make cross-origin calls<br>3. Click Save\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bf82a334-13b6-ca57-ea75-096fc2ffce50\",\r\n \"name\": \"bf82a334-13b6-ca57-ea75-096fc2ffce50\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"API App should only be accessible over HTTPS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b7ddfbdc-1260-477d-91fd-98bd9be789a6\",\r\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\",\r\n \"remediationDescription\": \"To redirect all HTTP traffic to HTTPS, we recommend the following steps:
\\n1. Go to the app service custom domains page
\\n2. In the HTTPS Only toggle select On\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d57a4221-a804-52ca-3dea-768284f06bb7\",\r\n \"name\": \"d57a4221-a804-52ca-3dea-768284f06bb7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Disk encryption should be applied on virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d\",\r\n \"description\": \"Encrypt your virtual machine disks using Azure Disk Encryption both for Windows and Linux virtual machines.
\\n Azure Disk Encryption (ADE) leverages the industry standard BitLocker feature of Windows and the DM-Crypt feature of Linux to
\\n provide OS and data disk encryption to help protect and safeguard your data and help meet your organizational security and
\\n compliance commitments in customer Azure key vault. When your compliance and security requirement requires you to encrypt
\\n the data end to end using your encryption keys, including encryption of the ephemeral (locally attached temporary) disk, use
\\n Azure disk encryption. Alternatively, by default, Managed Disks are encrypted at rest by default using Azure Storage Service
\\n Encryption where the encryption keys are Microsoft managed keys in Azure. If this meets your compliance and security requirements,
\\n you can leverage the default Managed disk encryption to meet your requirements.\",\r\n \"remediationDescription\": \"To enable disk encryption on your virtual machines, follow Encryption instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4ab6e3c5-74dd-8b35-9ab9-f61b30875b27\",\r\n \"name\": \"4ab6e3c5-74dd-8b35-9ab9-f61b30875b27\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"System updates should be installed on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60\",\r\n \"description\": \"Install missing system security and critical updates to secure your Windows and Linux virtual machines and computers\",\r\n \"remediationDescription\": \"1. Click an identified outstanding update. 2. In the Missing system updates pane, click the support link and follow the instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c0f5316d-5ac5-9218-b77a-b96e16ccfd66\",\r\n \"name\": \"c0f5316d-5ac5-9218-b77a-b96e16ccfd66\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Your machines should be restarted to apply system updates\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60\",\r\n \"description\": \"Restart your machines to apply the system updates and secure the machine from vulnerabilities.\",\r\n \"remediationDescription\": \"To restart the machine:
\\n1. Go to Virtual machines and click on your machine.
\\n2. Click 'Restart'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/181ac480-f7c4-544b-9865-11b8ffe87f47\",\r\n \"name\": \"181ac480-f7c4-544b-9865-11b8ffe87f47\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities in security configuration on your machines should be remediated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15\",\r\n \"description\": \"Remediate vulnerabilities in security configuration on your machines to protect them from attacks.\",\r\n \"remediationDescription\": \"1.\\tClick any of the configuration vulnerabilities. 2. In the Remediate security configurations pane, click View affected machines. 3. Click a machine from the list. 4. Customize the Kusto query as necessary and run the command.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3bcd234d-c9c7-c2a2-89e0-c01f419c1a8a\",\r\n \"name\": \"3bcd234d-c9c7-c2a2-89e0-c01f419c1a8a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Endpoint protection health issues should be resolved on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9\",\r\n \"description\": \"For full Security Center protection, resolve monitoring agent issues on your machines by following the instructions in the Troubleshooting guide.\",\r\n \"remediationDescription\": \"1. Click any of the health issues. 2. Select a workspace. 3. Customize the Kusto query as necessary and run the command.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/83f577bd-a1b6-b7e1-0891-12ca19d1e6df\",\r\n \"name\": \"83f577bd-a1b6-b7e1-0891-12ca19d1e6df\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Install endpoint protection solution on virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9\",\r\n \"description\": \"Install an endpoint protection solution on your virtual machines, to protect them from threats and vulnerabilities.\",\r\n \"remediationDescription\": \"1.\\tSelect one or more virtual machines, or use the filter to set criteria for which machines to select. 2. Click Install on [x] VMs.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/651967bf-044e-4bde-8376-3e08e0600105\",\r\n \"name\": \"651967bf-044e-4bde-8376-3e08e0600105\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Transparent Data Encryption on SQL databases should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a8bef009-a5c9-4d0f-90d7-6018734e8a16\",\r\n \"description\": \"Enable transparent data encryption to protect data-at-rest and meet compliance requirements\",\r\n \"remediationDescription\": \"To enable transparent data encryption on your SQL databases: 1. Select the SQL database. 2. Under Data encryption, select On. 3. Click Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/94208a8b-16e8-4e5b-abbd-4e81c9d02bee\",\r\n \"name\": \"94208a8b-16e8-4e5b-abbd-4e81c9d02bee\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Auditing on SQL server should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9\",\r\n \"description\": \"Enable auditing on your SQL Server to track database activities across all databases on the server and save them in an audit log.\",\r\n \"remediationDescription\": \"To enable SQL server auditing:
\\n1. Select the SQL server.
\\n2. Under Auditing, select On.
\\n3. Select Storage details and configure a storage account for the audit log.
\\n4. Click Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8bc390da-9eb6-938d-25ed-44a35d9bcc9d\",\r\n \"name\": \"8bc390da-9eb6-938d-25ed-44a35d9bcc9d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"OS version should be updated for your cloud service roles\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Update the operating system (OS) version for your cloud service roles to the most recent version available for your OS family.\",\r\n \"remediationDescription\": \"Update the OS version on your cloud service roles to make sure you have the most recent OS version. To do this, follow the instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/383cf3bc-fdf9-4a02-120a-3e7e36c6bfee\",\r\n \"name\": \"383cf3bc-fdf9-4a02-120a-3e7e36c6bfee\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Install endpoint protection solution on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Install an endpoint protection solution on your Windows and Linux machines, to protect them from threats and vulnerabilities.\",\r\n \"remediationDescription\": \"1. Select one or more machines, or use the filter to set criteria for which machines to select. 2. Click Install on [x] machines.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e7ee30c4-bac9-2966-54bd-2023a4282872\",\r\n \"name\": \"e7ee30c4-bac9-2966-54bd-2023a4282872\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Monitoring agent should be installed on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This action installs a monitoring agent on the selected virtual machines. Select a workspace for the agent to report to.\",\r\n \"remediationDescription\": \"1. For instructions on how to install the agent on Windows, click here 2. For instructions on how to install the agent on Linux, click here\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8e2b96ff-3de2-289b-b5c1-3b9921a3441e\",\r\n \"name\": \"8e2b96ff-3de2-289b-b5c1-3b9921a3441e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Monitoring agent health issues should be resolved on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Security Center uses the Microsoft Monitoring Agent (MMA) to collect security events from your Azure virtual machines. To make sure your virtual machines are successfully monitored,
\\n you need to enable data collection in Security Center and make sure the MMA agent is both installed on the virtual machines and properly collects security events to the configured workspace.
\\n In some cases, the MMA agent may fail to properly report security events, due to multiple reasons. In these cases, coverage may be partial - security events won�t be properly processed,
\\n and in turn threat detection for the affected VMs may fail to function.\",\r\n \"remediationDescription\": \"To resolve monitoring agent health issues and see the different resolution for each issue, please see the following instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d1db3318-01ff-16de-29eb-28b344515626\",\r\n \"name\": \"d1db3318-01ff-16de-29eb-28b344515626\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Install monitoring agent on your virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Security Center uses the Microsoft Monitoring Agent (MMA) to collect security events from your Azure virtual machines.<br> We recommend configuring auto-provisioning to ensure the MMA is deployed automatically.<br> If you choose not to use auto-provisioning, you�ll need to follow the remediation steps to manually deploy the MMA for all your VMs.<br> You�ll also need to follow that procedure if your VMs are used by an Azure managed service such as Azure Kubernetes Service or Azure Service Fabric.\",\r\n \"remediationDescription\": \"Installation of the monitoring agent and enabling data collection in Security Center can be done in several ways:\\n- Using Security Center�s automatic provisioning on your subscription(s).
This will automatically provision the monitoring agent on current and future-created virtual machines on your subscription(s). (Learn more)
\\nYou can enable automatic provisioning on multiple subscriptions by clicking on the Getting started menu item, and select 'Install agents'.
You can also enable it for specific subscriptions and customize additional settings by clicking on the 'Security policy' menu item,
select 'Edit settings' on a subscription and enable auto provisioning in the 'data collection' menu item. \\n- Install the Microsoft Monitoring agent on your Virtual machines as a VM extension or directly, by following these instructions.
\\n- Provision the Microsoft Monitoring agent with Azure Policies. The applicable policy definitions are:
�[Preview]: Deploy Log Analytics Agent for Windows VMs� and �[Preview]: Deploy Log Analytics Agent for Linux VMs. \\n
\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/151e82c5-5341-a74b-1eb0-bc38d2c84bb5\",\r\n \"name\": \"151e82c5-5341-a74b-1eb0-bc38d2c84bb5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"MFA should be enabled on accounts with read permissions on your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e3576e28-8b17-4677-84c3-db2990658d64\",\r\n \"description\": \"Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources.\",\r\n \"remediationDescription\": \"Before enabling MFA for the users, you may want to take this opportunity to delete any users listed that are no longer active users.
To enable MFA using conditional access you must have an Azure AD Premium license and have AD tenant admin permissions.
To enable MFA on user accounts: 1. Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription. The list of user accounts that require enabling MFA opens. 2. Click 'Continue'. The Azure AD Conditional Access page opens. 3. In the Conditional Access page, add the list of users to an existing policy. If there are no existing policies create a new policy following these instructions:
a. Click '+New policy'.
b. In the 'Name' text box, enter a policy name.
c. Assign 'User and groups':
i. Select 'Users and groups' > In the 'Include' tab, select 'Select users and groups' and select the 'Users and groups' check box.
ii. Select the users that are in the list of user accounts require enabling MFA. You can scroll back to the left to see the list.
iii. After selecting the users, at the bottom of the list, click 'Select'.
iv. Click 'Done'.
d. Assign 'Cloud apps'
i. Select 'Cloud apps' > In the 'Include' tab, select 'All cloud apps'. (Don't exclude any apps.)
ii. Click 'Done'.
e. Assign 'Access Controls'
i. Select 'Grant' and select 'Require multi-factor authentication'. (Don't select any other options.)
ii. Click 'Select'.
f. Enable Policy.
i. Click 'On' 4. Click 'Create'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/57e98606-6b1e-6193-0e3d-fe621387c16b\",\r\n \"name\": \"57e98606-6b1e-6193-0e3d-fe621387c16b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"MFA should be enabled on accounts with write permissions on your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9297c21d-2ed6-4474-b48f-163f75654ce3\",\r\n \"description\": \"Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources.\",\r\n \"remediationDescription\": \"Before enabling MFA for the users, you may want to take this opportunity to delete any users listed that are no longer active users.
To enable MFA using conditional access you must have an Azure AD Premium license and have AD tenant admin permissions.
To enable MFA on user accounts: 1. Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription. The list of user accounts that require enabling MFA opens. 2. Click 'Continue'. The Azure AD Conditional Access page opens. 3. In the Conditional Access page, add the list of users to an existing policy. If there are no existing policies create a new policy following these instructions:
a. Click '+New policy'.
b. In the 'Name' text box, enter a policy name.
c. Assign 'User and groups':
i. Select 'Users and groups' > In the 'Include' tab, select 'Select users and groups' and select the 'Users and groups' check box.
ii. Select the users that are in the list of user accounts require enabling MFA. You can scroll back to the left to see the list.
iii. After selecting the users, at the bottom of the list, click 'Select'.
iv. Click 'Done'.
d. Assign 'Cloud apps'
i. Select 'Cloud apps' > In the 'Include' tab, select 'All cloud apps'. (Don't exclude any apps.)
ii. Click 'Done'.
e. Assign 'Access Controls'
i. Select 'Grant' and select 'Require multi-factor authentication'. (Don't select any other options.)
ii. Click 'Select'.
f. Enable Policy.
i. Click 'On' 4. Click 'Create'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/94290b00-4d0c-d7b4-7cea-064a9554e681\",\r\n \"name\": \"94290b00-4d0c-d7b4-7cea-064a9554e681\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"MFA should be enabled on accounts with owner permissions on your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/aa633080-8b72-40c4-a2d7-d00c03e80bed\",\r\n \"description\": \"Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources.\",\r\n \"remediationDescription\": \"Before enabling MFA for the users, you may want to take this opportunity to delete any users listed that are no longer active users.
To enable MFA using conditional access you must have an Azure AD Premium license and have AD tenant admin permissions.
To enable MFA on user accounts: 1. Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription. The list of user accounts that require enabling MFA opens. 2. Click 'Continue'. The Azure AD Conditional Access page opens. 3. In the Conditional Access page, add the list of users to an existing policy. If there are no existing policies create a new policy following these instructions:
a. Click '+New policy'.
b. In the 'Name' text box, enter a policy name.
c. Assign 'User and groups':
i. Select 'Users and groups' > In the 'Include' tab, select 'Select users and groups' and select the 'Users and groups' check box.
ii. Select the users that are in the list of user accounts require enabling MFA. You can scroll back to the left to see the list.
iii. After selecting the users, at the bottom of the list, click 'Select'.
iv. Click 'Done'.
d. Assign 'Cloud apps'
i. Select 'Cloud apps' > In the 'Include' tab, select 'All cloud apps'. (Don't exclude any apps.)
ii. Click 'Done'.
e. Assign 'Access Controls'
i. Select 'Grant' and select 'Require multi-factor authentication'. (Don't select any other options.)
ii. Click 'Select'.
f. Enable Policy.
i. Click 'On' 4. Click 'Create'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a8c6a4ad-d51e-88fe-2979-d3ee3c864f8b\",\r\n \"name\": \"a8c6a4ad-d51e-88fe-2979-d3ee3c864f8b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"External accounts with read permissions should be removed from your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5f76cf89-fbf2-47fd-a3f4-b891fa780b60\",\r\n \"description\": \"Accounts with read permissions that have different domain names (external accounts), should be removed from your subscription. This prevents unmonitored access. These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"To remove external accounts:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The list of external user accounts that require access removal opens.
Click 'Continue'. The Access control (IAM) page opens.
In the Access control page: 1. Click the 'Role assignments' 2. Search and select the users that were in the list of user accounts that require removal. You can scroll back to the left to see the list. 3. Click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/04e7147b-0deb-9796-2e5c-0336343ceb3d\",\r\n \"name\": \"04e7147b-0deb-9796-2e5c-0336343ceb3d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"External accounts with write permissions should be removed from your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5c607a2e-c700-4744-8254-d77e7c9eb5e4\",\r\n \"description\": \"Accounts with write permissions that have different domain names (external accounts), should be removed from your subscription. This prevents unmonitored access. These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"To remove external accounts:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The list of external user accounts that require access removal opens.
Click 'Continue'. The Access control (IAM) page opens.
In the Access control page: 1. Click the 'Role assignments' 2. Search and select the users that were in the list of user accounts that require removal. You can scroll back to the left to see the list. 3. Click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c3b6ae71-f1f0-31b4-e6c1-d5951285d03d\",\r\n \"name\": \"c3b6ae71-f1f0-31b4-e6c1-d5951285d03d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"External accounts with owner permissions should be removed from your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f8456c1c-aa66-4dfb-861a-25d127b775c9\",\r\n \"description\": \"Accounts with owner permissions that have different domain names (external accounts), should be removed from your subscription. This prevents unmonitored access. These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"To remove external accounts:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The list of external user accounts that require access removal opens.
Click 'Continue'. The Access control (IAM) page opens.
In the Access control page: 1. Click the 'Role assignments' 2. Search and select the users that were in the list of user accounts that require removal. You can scroll back to the left to see the list. 3. Click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/00c6d40b-e990-6acf-d4f3-471e747a27c4\",\r\n \"name\": \"00c6d40b-e990-6acf-d4f3-471e747a27c4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Deprecated accounts should be removed from your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6b1cbf55-e8b6-442f-ba4c-7246b6381474\",\r\n \"description\": \"User accounts that have been blocked from signing in, should be removed from your subscriptions.
These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"To remove blocked user accounts:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The list of blocked user accounts opens.
Click �Continue�. The Access control (IAM) page opens.
In the Access control page:1. Click the 'Role assignments' tab. 2. Search and select the users that were in the list of blocked user accounts that require removal. You can scroll back to the left to see the list. 3. Click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e52064aa-6853-e252-a11e-dffc675689c2\",\r\n \"name\": \"e52064aa-6853-e252-a11e-dffc675689c2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Deprecated accounts with owner permissions should be removed from your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ebb62a0c-3560-49e1-89ed-27e074e9f8ad\",\r\n \"description\": \"User accounts that have been blocked from signing in, should be removed from your subscriptions.
These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"To remove blocked user accounts:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The list of blocked user accounts opens.
Click �Continue�. The Access control (IAM) page opens.
In the Access control page:1. Click the 'Role assignments' tab. 2. Search and select the users that were in the list of blocked user accounts that require removal. You can scroll back to the left to see the list. 3. Click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6f90a6d6-d4d6-0794-0ec1-98fa77878c2e\",\r\n \"name\": \"6f90a6d6-d4d6-0794-0ec1-98fa77878c2e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"A maximum of 3 owners should be designated for your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4f11b553-d42e-4e3a-89be-32ca364cad4c\",\r\n \"description\": \"It is recommended to designate up to {0} subscription owners in order to reduce the potential for breach by a compromised owner.\",\r\n \"remediationDescription\": \"To remove owner permissions from user accounts on your subscription:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The Access control (IAM) page opens. 1. Click the Role assignments tab and set the 'Role' filter to 'Owner'. 2. Select the owners you want to remove. 3. Click Remove.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2c79b4af-f830-b61e-92b9-63dfa30f16e4\",\r\n \"name\": \"2c79b4af-f830-b61e-92b9-63dfa30f16e4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"There should be more than one owner assigned to your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/09024ccc-0c5f-475e-9457-b7c0d9ed487b\",\r\n \"description\": \"Designate more than one subscription owner in order to have administrator access redundancy.\",\r\n \"remediationDescription\": \"To add another account with owner permissions to your subscription:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The Access control (IAM) page opens. 1. Click 'Add' to open the Add role assignment pane.
If you don't have permissions to assign roles, the Add role assignment option will be disabled 1. In the 'Role' drop-down list, select the Owner role. 2. In the Select list, select a user. 3. Click Save.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0677209d-e675-2c6f-e91a-54cef2878663\",\r\n \"name\": \"0677209d-e675-2c6f-e91a-54cef2878663\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities in container security configurations should be remediated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933\",\r\n \"description\": \"Remediate vulnerabilities in security configuration on machines with Docker installed to protect them from attacks.\",\r\n \"remediationDescription\": \"To Remediate vulnerabilities in the container security configurations:1. Review the list of failed rules.2. Fix each rule according to the specified instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1db4f204-cb5a-4c9c-9254-7556403ce51c\",\r\n \"name\": \"1db4f204-cb5a-4c9c-9254-7556403ce51c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerability assessment should be enabled on your SQL servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9\",\r\n \"description\": \"Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities.\",\r\n \"remediationDescription\": \"To enable vulnerability assessment on SQL servers: 1. Select the SQL server. 2. Make sure that 'Advanced data security' is set to 'On'. 3. Under 'Vulnerability assessment settings', set 'Periodic recurring scans' to 'On', and configure a storage account for storing vulnerability assessment scan results. 4. Click Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/400a6682-992c-4726-9549-629fbc3b988f\",\r\n \"name\": \"400a6682-992c-4726-9549-629fbc3b988f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Advanced data security should be enabled on your SQL servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9\",\r\n \"description\": \"Advanced data security (ADS) is a unified package that provides advanced SQL security capabilities. It discovers and classifies sensitive data, surfaces and mitigates potential database vulnerabilities, and detects anomalous activities that could indicate a threat to your database. ADS is charged at $15 per SQL server.\",\r\n \"remediationDescription\": \"To enable advanced data security on SQL servers: 1. Select the SQL server. 2. Under 'Advanced Data Security', select 'On'. 3. Under 'Vulnerability Assessment Settings', set 'Periodic recurring scans' to 'On', and configure a storage account for storing vulnerability assessment scan results. 4. Click Save.
Note: ADS is charged at $15 per SQL server.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f0553104-cfdb-65e6-759c-002812e38500\",\r\n \"name\": \"f0553104-cfdb-65e6-759c-002812e38500\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"An Azure Active Directory administrator should be provisioned for SQL servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9\",\r\n \"description\": \"Provision an Azure AD administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services.\",\r\n \"remediationDescription\": \"To provision an Azure AD administrator for SQL server, see Configure and manage Azure Active Directory authentication with SQL Database, Managed Instance, or SQL Data Warehouse\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/12018f4f-3d10-999b-e4c4-86ec25be08a1\",\r\n \"name\": \"12018f4f-3d10-999b-e4c4-86ec25be08a1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Virtual machines should be migrated to new Azure Resource Manager resources\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d\",\r\n \"description\": \"To benefit from new capabilities in Azure Resource Manager, you can migrate existing deployments from the Classic deployment model. Resource Manager enables security enhancements such as: stronger access control (RBAC), better auditing, ARM-based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management. Learn more\",\r\n \"remediationDescription\": \"To migrate virtual machines to new ARM resources : 1. Go to the Virtual machine 2. Click on Migrate to ARM and follow the instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/22e18b64-4576-41e6-8972-0eb28c9af0c8\",\r\n \"name\": \"22e18b64-4576-41e6-8972-0eb28c9af0c8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fb893a29-21bb-418c-a157-e99480ec364c\",\r\n \"description\": \"Upgrade your Kubernetes service cluster to a later Kubernetes version to protect against known vulnerabilities in your current Kubernetes version. Vulnerability CVE-2019-9946 has been patched in Kubernetes versions 1.11.9+, 1.12.7+, 1.13.5+, and 1.14.0+\",\r\n \"remediationDescription\": \"To upgrade a Kubernetes version using the Azure portal: 1. Go to Azure Kubernetes Services and click on the specific Kubernetes Service. 2. Under 'Upgrade' select the target Kubernetes version and save the change. Note:When you upgrade an AKS cluster, Kubernetes minor versions cannot be skipped. For example, upgrades between 1.10.x -> 1.11.x or 1.11.x -> 1.12.x are allowed, however 1.10.x -> 1.12.x is not. To upgrade from 1.10.x -> 1.12.x, first upgrade from 1.10.x -> 1.11.x, then upgrade from 1.11.x -> 1.12.x.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"ElevationOfPrivilege\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1a2b5b4c-f80d-46e7-ac81-b51a9fb363de\",\r\n \"name\": \"1a2b5b4c-f80d-46e7-ac81-b51a9fb363de\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Authorized IP ranges should be defined on Kubernetes Services\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e246bcf-5f6f-4f87-bc6f-775d4712c7ea\",\r\n \"description\": \"Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster.\",\r\n \"remediationDescription\": \"To configure authorized IP ranges, follow the steps described here Secure access to the API server using authorized IP address ranges in Azure Kubernetes Service (AKS).\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DenialOfService\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a3eee263-aa01-4b52-a7c0-0094578ef48f\",\r\n \"name\": \"a3eee263-aa01-4b52-a7c0-0094578ef48f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Pod Security Policies should be defined on Kubernetes Services\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3abeb944-26af-43ee-b83d-32aaf060fb94\",\r\n \"description\": \"Define Pod Security Policies to reduce the attack vector by removing unnecessary application privileges. It is recommended to configure Pod Security Policies to only allow pods to access the resources which they have permissions to access.\",\r\n \"remediationDescription\": \"To configure Pod Security Policies, follow the steps described here Secure your cluster using pod security policies in Azure Kubernetes Service (AKS).\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ElevationOfPrivilege\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b0fdc63a-38e7-4bab-a7c4-2c2665abbaa9\",\r\n \"name\": \"b0fdc63a-38e7-4bab-a7c4-2c2665abbaa9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Role-Based Access Control should be used on Kubernetes Services\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ac4a19c2-fa67-49b4-8ae5-0b2e78c49457\",\r\n \"description\": \"To provide granular filtering on the actions that users can perform, use Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service Clusters and configure relevant authorization policies. For more information, see Azure role-based access control.\",\r\n \"remediationDescription\": \"To Use Role-Based Access Control (RBAC) you must recreate your Kubernetes Service cluster and enable RBAC during the creation process. Creating a Kubernetes Service with RBAC enabled can be done via the portal as follows: 1. Go to Azure Kubernetes Services. 2. Click 'Add' and enter your cluster's configuration. 3. In the 'Authentication' tab, verify that the 'Enable RBAC' setting is set to 'Yes'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"ElevationOfPrivilege\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c6dad669-efd7-cd72-61c5-289935607791\",\r\n \"name\": \"c6dad669-efd7-cd72-61c5-289935607791\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Data Lake Analytics should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c95c74d9-38fe-4f0d-af86-0c7d626a315c\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Data Lake Analytics diagnostics: 1. Go to Data Lake Analytics and click on your subscription. 2. Click Diagnostic settings and then click Turn on diagnostics. 3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c42fc28d-1703-45fc-aaa5-39797f570513\",\r\n \"name\": \"c42fc28d-1703-45fc-aaa5-39797f570513\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerability assessment should be enabled on your SQL managed instances\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b7aa243-30e4-4c9e-bca8-d0d3022b634a\",\r\n \"description\": \"Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities.\",\r\n \"remediationDescription\": \"To enable vulnerability assessment on a managed instance: 1. Select the SQL managed instance. 2. Make sure that 'Advanced data security' is set to 'On'. 3. Under 'Vulnerability assessment settings', set 'Periodic recurring scans' to 'On', and configure a storage account for storing vulnerability assessment scan results. 4. Click Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ff6dbca8-d93c-49fc-92af-dc25da7faccd\",\r\n \"name\": \"ff6dbca8-d93c-49fc-92af-dc25da7faccd\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Advanced data security should be enabled on your managed instances\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9\",\r\n \"description\": \"Advanced data security (ADS) is a unified package that provides advanced SQL security capabilities. It discovers and classifies sensitive data, surfaces and mitigates potential database vulnerabilities, and detects anomalous activities that could indicate a threat to your database. ADS is charged at $15 per managed SQL server.\",\r\n \"remediationDescription\": \"To enable advanced data security on managed SQL servers: 1. Select the managed SQL server. 2. Under 'Advanced Data Security', select 'On'. 3. Under 'Vulnerability Assessment Settings', set 'Periodic recurring scans' to 'On', and configure a storage account for storing vulnerability assessment scan results. 4. Click Save.
Note: ADS is charged at $15 per managed SQL server.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/35b25be2-d08a-e340-45ed-f08a95d804fc\",\r\n \"name\": \"35b25be2-d08a-e340-45ed-f08a95d804fc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Only secure connections to your Redis Cache should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/22bee202-a82f-4305-9a2a-6d7f44d4dedb\",\r\n \"description\": \"Enable only connections via SSL to Redis Cache. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.\",\r\n \"remediationDescription\": \"To enable only SSL connections to your Redis Cache, we recommend the following steps: 1. Go to the Redis Caches, and select your redis cache. 2. Select 'Advanced settings'. 3. For 'Allow access only via SSL', click 'Yes' and then click 'Save'.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/77785808-ce86-4e40-b45f-19110a547397\",\r\n \"name\": \"77785808-ce86-4e40-b45f-19110a547397\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in IoT Hub should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/383856f8-de7f-44a2-81fc-e5135b5c2aa4\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable IoT Hub diagnostics: 1. Go to the Event Hub namespace. 2. Click Diagnostic settings and then click Turn on diagnostics. 3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/32771b45-220c-1a8b-584e-fdd5a2584a66\",\r\n \"name\": \"32771b45-220c-1a8b-584e-fdd5a2584a66\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Batch accounts should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/428256e6-1fac-4f48-a757-df34c2b3336d\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Batch diagnostics: 1. Go to Batch and click on your subscription. 2. Click Diagnostic settings and then click Turn on diagnostics. 3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f11b27f2-8c49-5bb4-eff5-e1e5384bf95e\",\r\n \"name\": \"f11b27f2-8c49-5bb4-eff5-e1e5384bf95e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Azure Stream Analytics should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f9be5368-9bf5-4b84-9e0a-7850da98bb46\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Stream Analytics diagnostics: 1. Go to Stream Analytics and click on your subscription. 2. Click Diagnostic settings and then click Turn on diagnostics. 3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f19ab7d9-5ff2-f8fd-ab3b-0bf95dcb6889\",\r\n \"name\": \"f19ab7d9-5ff2-f8fd-ab3b-0bf95dcb6889\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Service Bus should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f8d36e2f-389b-4ee4-898d-21aeb69a0f45\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Service Bus diagnostics: 1. Go to the Service Bus. 2. Click Diagnostic settings and then click Turn on diagnostics. 3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b12bc79e-4f12-44db-acda-571820191ddc\",\r\n \"name\": \"b12bc79e-4f12-44db-acda-571820191ddc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Automation account variables should be encrypted\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735\",\r\n \"description\": \"It is important to enable encryption of Automation account variable assets when storing sensitive data.\",\r\n \"remediationDescription\": \"To apply encryption of the Automation account variable assets, in the Azure CLI - run the following command: Set-AzAutomationVariable -AutomationAccountName '{AutomationAccountName}' -Encrypted $true -Name '{VariableName}' -ResourceGroupName '{ResourceGroupName}' -Value '{Value}'
Read more here\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ad5bbaeb-7632-5edf-f1c2-752075831ce8\",\r\n \"name\": \"ad5bbaeb-7632-5edf-f1c2-752075831ce8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Azure Data Lake Store should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/057ef27e-665e-4328-8ea3-04b3122bd9fb\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Data Lake Store diagnostics: 1. Go to Data Lake Store and click on your subscription. 2. Click Diagnostic settings and then click Turn on diagnostics. 3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/dea5192e-1bb3-101b-b70c-4646546f5e1e\",\r\n \"name\": \"dea5192e-1bb3-101b-b70c-4646546f5e1e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Search services should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b4330a05-a843-4bc8-bf9a-cacce50c67f4\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Search diagnostics: 1. Go to Search and click on your subscription. 2. Click Diagnostic settings and then click Turn on diagnostics. 3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/03afeb6f-7634-adb3-0a01-803b0b9cb611\",\r\n \"name\": \"03afeb6f-7634-adb3-0a01-803b0b9cb611\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Service Fabric clusters should only use Azure Active Directory for client authentication\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b54ed75b-3e1a-44ac-a333-05ba39b99ff0\",\r\n \"description\": \"Perform Client authentication only via Azure Active Directory in Service Fabric\",\r\n \"remediationDescription\": \"To enable client authentication using Azure Active Directory follow the instructions to Set up Azure Active Directory for client authentication.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7f04fc0c-4a3d-5c7e-ce19-666cb871b510\",\r\n \"name\": \"7f04fc0c-4a3d-5c7e-ce19-666cb871b510\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/617c02be-7f02-4efd-8836-3180d47b6c68\",\r\n \"description\": \"Service Fabric provides three levels of protection (None, Sign and EncryptAndSign) for node-to-node communication using a primary cluster certificate. Set the protection level to ensure that all node-to-node messages are encrypted and digitally signed.\",\r\n \"remediationDescription\": \"To set 'ClusterProtectionLevel' inside Service Fabric ARM template to 'EncryptAndSign': 1. Go to the Service fabric cluster. 2. Click on 'Custom fabric settings'. 3. Click 'Add new', set the 'Security' section and update the 'ClusterProtectionLevel' property to 'EncryptAndSign'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1597605a-0faf-5860-eb74-462ae2e9fc21\",\r\n \"name\": \"1597605a-0faf-5860-eb74-462ae2e9fc21\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Event Hub should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83a214f7-d01a-484b-91a9-ed54470c9a6a\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Event Hub diagnostics: 1. Go to the Event Hub namespace. 2. Click Diagnostic settings and then click Turn on diagnostics. 3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/91387f44-7e43-4ecc-55f0-46f5adee3dd5\",\r\n \"name\": \"91387f44-7e43-4ecc-55f0-46f5adee3dd5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Logic Apps should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34f95f76-5386-4de7-b824-0d8478470c9d\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Logic Apps diagnostics: 1. Go to Logic Apps and click on your subscription. 2. Click Diagnostic settings and then click Turn on diagnostics. 3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/961eb649-3ea9-f8c2-6595-88e9a3aeedeb\",\r\n \"name\": \"961eb649-3ea9-f8c2-6595-88e9a3aeedeb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Virtual Machine Scale Sets should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7c1b1214-f927-48bf-8882-84f0af6588b1\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Virtual Machines Scale Sets diagnostics follow the instructions\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606\",\r\n \"description\": \"To benefit from new capabilities in Azure Resource Manager, you can migrate existing deployments from the Classic deployment model. Resource Manager enables security enhancements such as: stronger access control (RBAC), better auditing, ARM-based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management. Learn more\",\r\n \"remediationDescription\": \"To migrate storage accounts to new ARM resources : 1. Go to the Storage Account 2. Click on Migrate to ARM and follow the instructions.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/88bbc99c-e5af-ddd7-6105-6150b2bfa519\",\r\n \"name\": \"88bbc99c-e5af-ddd7-6105-6150b2bfa519\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Key Vault should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Key Vault diagnostics: 1. Go to Key Vault and click on your subscription. 2. Click Diagnostic settings and then click Turn on diagnostics. 3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/45d313c3-3fca-5040-035f-d61928366d31\",\r\n \"name\": \"45d313c3-3fca-5040-035f-d61928366d31\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Access to storage accounts with firewall and virtual network configurations should be restricted\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c\",\r\n \"description\": \"Review the settings of network access in your storage account firewall settings. It is recommended to configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premise clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges.\",\r\n \"remediationDescription\": \"1. In your storage account, go to 'Firewalls and virtual networks'. 2. Under 'Allow access from', choose 'Selected networks'. 3. Configure the relevant virtual networks and IP ranges that should be allowed to access your storage account. 4. Configure \\\"Allow trusted Microsoft services to access your storage account\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": \"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Secure transfer to storage accounts should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9\",\r\n \"description\": \"Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.\",\r\n \"remediationDescription\": \"To enable secure transfer required: 1. In your storage account, go to the 'Configuration' page. 2. Enable 'Secure transfer required'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bd20bd91-aaf1-7f14-b6e4-866de2f43146\",\r\n \"name\": \"bd20bd91-aaf1-7f14-b6e4-866de2f43146\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"System updates on virtual machine scale sets should be installed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe\",\r\n \"description\": \"Install missing system security and critical updates to secure your Windows and Linux virtual machine scale sets.\",\r\n \"remediationDescription\": \"To install system updates: 1. Review the list of missing system updates. 2. Follow the steps to resolve the update, as described in the support link.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/45cfe080-ceb1-a91e-9743-71551ed24e94\",\r\n \"name\": \"45cfe080-ceb1-a91e-9743-71551ed24e94\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Monitoring agent should be installed on virtual machine scale sets\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/f3631911-7880-4edb-88bd-6411f5e3b6ec\",\r\n \"description\": \"Security Center uses the Microsoft Monitoring Agent (MMA) to collect security events from your Azure virtual machine scale sets.<br> You cannot configure auto-provisioning of the MMA for Azure virtual machine scale sets. To deploy the MMA on virtual machine scale sets (including those used by Azure managed services such as Azure Kubernetes Service and Azure Service Fabric), please follow the procedure in the remediation steps.\",\r\n \"remediationDescription\": \"To install monitoring agent : 1. Select or create a workspace. 2. Click on Install to install the agent on the scale set.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8941d121-f740-35f6-952c-6561d2b38d36\",\r\n \"name\": \"8941d121-f740-35f6-952c-6561d2b38d36\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities in security configuration on your virtual machine scale sets should be remediated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4\",\r\n \"description\": \"Remediate vulnerabilities in security configuration on your virtual machine scale sets to protect them from attacks.\",\r\n \"remediationDescription\": \"To remediate vulnerabilities in VM scale set security configurations: 1. Review the list of failed rules. 2. Fix each rule according to the instructions provided.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/21300918-b2e3-0346-785f-c77ff57d243b\",\r\n \"name\": \"21300918-b2e3-0346-785f-c77ff57d243b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Endpoint protection solution should be installed on virtual machine scale sets\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de\",\r\n \"description\": \"Install an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities.\",\r\n \"remediationDescription\": \"To install an endpoint protection solution: 1. Follow the instructions in How do I turn on antimalware in my virtual machine scale set\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e71020c2-860c-3235-cd39-04f3f8c936d2\",\r\n \"name\": \"e71020c2-860c-3235-cd39-04f3f8c936d2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Endpoint protection health failures should be remediated on virtual machine scale sets\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de\",\r\n \"description\": \"Remediate endpoint protection health failures on your virtual machine scale sets to protect them from threats and vulnerabilities.\",\r\n \"remediationDescription\": \"Resolve endpoint protection health issues on your VM scale sets to get full protection and coverage by Azure Security Center. To do this, follow the instructions in each of the possible endpoint protection health issues displayed on your virtual machine scale set.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6c99f570-2ce7-46bc-8175-cde013df43bc\",\r\n \"name\": \"6c99f570-2ce7-46bc-8175-cde013df43bc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Guest configuration extension should be installed on Windows virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/5fc23db3-dd4d-4c56-bcc7-43626243e601\",\r\n \"description\": \"Install the guest configuration agent to enable auditing settings inside a machine such as: - The configuration of the operating system
- Application configuration or presence
- Environment settings
Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'.
For more details, visit in-guest policies\",\r\n \"remediationDescription\": \"Quick fix remediation:
To remediate with a single click, in the Unhealthy resources tab (below), select the resources, and click 'Remediate'.
Read the remediation details in the confirmation box, and approve the remediation.
Note: It can take several minutes after remediation completes to see the resources in the ‘healthy resources’ tab.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/22489c48-27d1-4e40-9420-4303ad9cffef\",\r\n \"name\": \"22489c48-27d1-4e40-9420-4303ad9cffef\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Windows Defender Exploit Guard should be enabled on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/bed48b13-6647-468e-aa2f-1af1d3f4dd40\",\r\n \"description\": \"Windows Defender Exploit Guard leverages the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only).\",\r\n \"remediationDescription\": \"Enable controlled folder access: controlled folder access
The following attack surface rules should be enabled:
'be9ba2d9-53ea-4cdc-84e5-9b1eeee46550',
'b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4',
'9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2',
'd4f940ab-401b-4efc-aadc-ad5f3c50688a',
'd3e037e1-3eb8-44c8-a917-57927947596d',
'5beb7efe-fd9a-4556-801d-275e5ffc04cc',
'3b576869-a4ec-4529-8536-b80a7769e899',
'26190899-1602-49e8-8b27-eb1d0a1ce869',
'92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B',
'7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c',
'75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84'
For more information on visit:attack surface reduction\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ThreatResistance\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/27ac71b1-75c5-41c2-adc2-858f5db45b08\",\r\n \"name\": \"27ac71b1-75c5-41c2-adc2-858f5db45b08\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Log Analytics agent should be installed on your Windows-based Azure Arc machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/d69b1763-b96d-40b8-a2d9-ca31e9fd0d3e\",\r\n \"description\": \"Security Center uses the Log Analytics agent (also known as MMA) to collect security events from your Azure Arc machines. To deploy the agent on all your Azure Arc machines, follow the remediation steps.\",\r\n \"remediationDescription\": \"Security Center can deploy the agents to all your machines with quick fix: 1. From the Unhealthy resources tab, select the relevant machines, and select \\\"Remediate\\\". 2. Read the remediation details in the confirmation box, modify the parameters as necessary, and approve the remediation. Note: It can take several minutes after remediation completes until the resources move to the Healthy resources tab. Manual Remediation: 1. From Azure Arc machine's page, go to Extensions and select Add. 2. Follow the instructions to add the relevant extension. You can also use ARM template or Azure Policies to manage the extension deployment to Arc servers.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/720a3e77-0b9a-4fa9-98b6-ddf0fd7e32c1\",\r\n \"name\": \"720a3e77-0b9a-4fa9-98b6-ddf0fd7e32c1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Log Analytics agent should be installed on your Linux-based Azure Arc machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/842c54e8-c2f9-4d79-ae8d-38d8b8019373\",\r\n \"description\": \"Security Center uses the Log Analytics agent (also known as OMS) to collect security events from your Azure Arc machines. To deploy the agent on all your Azure Arc machines, follow the remediation steps.\",\r\n \"remediationDescription\": \"Security Center can deploy the agents to all your machines with quick fix: 1. From the Unhealthy resources tab, select the relevant machines, and select \\\"Remediate\\\". 2. Read the remediation details in the confirmation box, modify the parameters as necessary, and approve the remediation. Note: It can take several minutes after remediation completes until the resources move to the Healthy resources tab. Manual Remediation: 1. From Azure Arc machine's page, go to Extensions and select Add. 2. Follow the instructions to add the relevant extension. You can also use ARM template or Azure Policies to manage the extension deployment to Arc servers.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9d07b7e6-2986-4964-a76c-b2689604e212\",\r\n \"name\": \"9d07b7e6-2986-4964-a76c-b2689604e212\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Identical Authentication Credentials\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5468b9f3-f0dd-41e3-a383-f0f442f34bcf\",\r\n \"description\": \"Identical authentication credentials to the IoT Hub used by multiple devices. This could indicate an illegitimate device impersonating a legitimate device. It also exposes the risk of device impersonation by an attacker\",\r\n \"remediationDescription\": \"Review the devices in question and make sure they are all valid. Replace any duplicated credentials and make sure all device authentication credentials are unique.\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5a3d6cdd-8eb3-46d2-ba11-d24a0d47fe65\",\r\n \"name\": \"5a3d6cdd-8eb3-46d2-ba11-d24a0d47fe65\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Default IP Filter Policy should be Deny\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bde66085-0bff-4163-a200-2ff7c1175045\",\r\n \"description\": \"IP Filter Configuration should have rules defined for allowed traffic and should deny all other traffic by default\",\r\n \"remediationDescription\": \"Add a default rule at the end of the defined rules list to deny all inbound traffic. Make sure any rules defined above it only allow wanted traffic through.\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d8326952-60bb-40fb-b33f-51e662708a88\",\r\n \"name\": \"d8326952-60bb-40fb-b33f-51e662708a88\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IP Filter rule large IP range\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3f528984-4591-4989-b6bc-6d9f67f3de57\",\r\n \"description\": \"An Allow IP Filter rule's source IP range is too large. Overly permissive rules might expose your IoT hub to malicious intenders\",\r\n \"remediationDescription\": \"Review the rule in question and verify source IP range is as small as it needs to be for necessary traffic to go through.\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1a36f14a-8bd8-45f5-abe5-eef88d76ab5b\",\r\n \"name\": \"1a36f14a-8bd8-45f5-abe5-eef88d76ab5b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Open Ports On Device\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fa676ae0-e4c3-4803-8ce8-e85df20b57cd\",\r\n \"description\": \"A listening endpoint was found on the device\",\r\n \"remediationDescription\": \"Review the open ports on the device and make sure they belong to legitimate and necessary processes for the device to function correctly\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ba975338-f956-41e7-a9f2-7614832d382d\",\r\n \"name\": \"ba975338-f956-41e7-a9f2-7614832d382d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Permissive firewall rule in the input chain was found\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a782bbed-a876-4631-9bc5-7ace7d466dc8\",\r\n \"description\": \"A rule in the firewall has been found that contains a permissive pattern for a wide range of IP addresses or Ports\",\r\n \"remediationDescription\": \"Review the rules in the recommendation and verify only necessary addresses / ports are allowed in\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/beb62be3-5e78-49bd-ac5f-099250ef3c7c\",\r\n \"name\": \"beb62be3-5e78-49bd-ac5f-099250ef3c7c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Permissive firewall policy in one of the chains was found\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fce8d615-a5d2-431d-ba4d-2d9ae164224f\",\r\n \"description\": \"An allowed firewall policy was found in main firewall Chains (INPUT/OUTPUT). The policy should Deny all traffic by default define rules to allow necessary communication to/from the device\",\r\n \"remediationDescription\": \"Change firewall policy to Drop and add specific rules to permit access to legitimate connections to/from the device\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d5a8d84a-9ad0-42e2-80e0-d38e3d46028a\",\r\n \"name\": \"d5a8d84a-9ad0-42e2-80e0-d38e3d46028a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Permissive firewall rule in the output chain was found\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/75af18a4-86e2-40ab-a157-359d67bd9314\",\r\n \"description\": \"A rule in the firewall has been found that contains a permissive pattern for a wide range of IP addresses or ports\",\r\n \"remediationDescription\": \"Review the rules in the recommendation and verify only necessary addresses / ports are allowed out\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3a577f3e-2a57-4197-bc79-85007d5c8cd8\",\r\n \"name\": \"3a577f3e-2a57-4197-bc79-85007d5c8cd8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Install the Azure Security of Things Agent\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b122f8fc-72f9-4a24-87ec-b71bdfb5a890\",\r\n \"description\": \"Installing the Azure Security of Things agent on a device increases the security detections available for it\",\r\n \"remediationDescription\": \"Install the Azure Security of Things Security Agent\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5f65e47f-7a00-4bf3-acae-90ee441ee876\",\r\n \"name\": \"5f65e47f-7a00-4bf3-acae-90ee441ee876\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Operating system baseline validation failure\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a15d59b-fbfe-41c9-bdb1-d900cc77eb6e\",\r\n \"description\": \"Security related system configuration issues identified\",\r\n \"remediationDescription\": \"Review the failed rules and remediate the security configuration vulnerabilities identified on your devices\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a9a59ebb-5d6f-42f5-92a1-036fd0fd1879\",\r\n \"name\": \"a9a59ebb-5d6f-42f5-92a1-036fd0fd1879\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Agent sending underutilized messages\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a6cb74de-df4c-497f-9e87-f0ccd430de6c\",\r\n \"description\": \"IoT agent message size capacity is currently underutilized, causing an increase in the number of sent messages. Adjust message intervals for better utilization\",\r\n \"remediationDescription\": \"To avoid too many underutilized messages, consider enlarging the high/low priority send intervals\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2acc27c6-5fdb-405e-9080-cb66b850c8f5\",\r\n \"name\": \"2acc27c6-5fdb-405e-9080-cb66b850c8f5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - TLS cipher suite upgrade needed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f4912296-8654-4bf1-bb7b-a42bfa368af6\",\r\n \"description\": \"Unsecure TLS configurations detected. Immediate TLS cipher suite upgrade recommended\",\r\n \"remediationDescription\": \"Upgrade your TLS cipher suite to a secure configuration. See the Guide to TLS Standards Compliance for more information\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d74d2738-2485-4103-9919-69c7e63776ec\",\r\n \"name\": \"d74d2738-2485-4103-9919-69c7e63776ec\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Auditd process stopped sending events\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5502d409-6ab3-401d-a4ae-619cf2bbf68e\",\r\n \"description\": \"Security events originated from Auditd process are no longer received from this device\",\r\n \"remediationDescription\": \"Verify Auditd process is running on the device, restart process or device as needed\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2acd365d-e8b5-4094-bce4-244b7c51d67c\",\r\n \"name\": \"2acd365d-e8b5-4094-bce4-244b7c51d67c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Service principals should be used to protect your subscriptions instead of Management Certificates\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Security/assessmentMetadata/2acd365d-e8b5-4094-bce4-244b7c51d67c\",\r\n \"description\": \"Management certificates allow anyone who authenticates with them to manage the subscription(s) they are associated with. To manage subscriptions more securely, using service principals with Resource Manager is recommended to limit the blast radius in the case of a certificate compromise. It also automates resource management. \",\r\n \"remediationDescription\": \"To remove management certificates and replace with service principals:1. Follow the guidance here to create service principals with a certificate. 2. Select a subscription from the list of subscriptions below or navigate to the specific subscription. 3. Select In the Management Certificates under Settings , delete the existing management certificates you would like to replace with the service principals you created.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"name\": \"eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Subnets should be associated with a network security group\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e71308d3-144b-4262-b144-efdc3cc90517\",\r\n \"description\": \"Protect your subnet from potential threats by restricting access to it with a network security group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. When an NSG is associated with a subnet, the ACL rules apply to all the VM instances and integrated services in that subnet, but don't apply to internal traffic inside the subnet. To secure resources in the same subnet from one another, enable NSG directly on the resources as well.\",\r\n \"remediationDescription\": \"To enable network security groups on your virtual machines: 1. Select a VM to enable NSG on its NIC. 2. In the 'Networking' blade, click the Network Interface that is associated with the selected VM. 3. In the 'Network interface' blade, click the 'Network security group' menu item. 4. Click the 'Edit' button at the top of the blade. 5. Follow the steps and select an existing network security group to attach to this VM.
Click here to learn more.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"name\": \"e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure DDoS Protection Standard should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd\",\r\n \"description\": \"Security Center has discovered virtual networks with applications and firewalls unprotected by the DDoS protection service. These apps and firewalls have public IPs. Enable mitigation of network volumetric and protocol attacks.\",\r\n \"remediationDescription\": \"1. Select a virtual network to enable the DDoS protection service standard on. 2. Select the Standard option. 3. Click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"ThreatResistance\",\r\n \"DenialOfService\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/35f45c95-27cf-4e52-891f-8390d1de5828\",\r\n \"name\": \"35f45c95-27cf-4e52-891f-8390d1de5828\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Adaptive application controls for whitelisting safe applications should be enabled on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc\",\r\n \"description\": \"Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.\",\r\n \"remediationDescription\": \"To enable and configure adaptive application controls: 1. From the portal, open Security Center. 2. Select \\\"Adaptive application controls\\\" from Security Center’s sidebar. 3. To see the groups of machines that Security Center recommends protecting with adaptive application controls, select the \\\"Recommended\\\" tab and choose a group of machines to protect. 4. Create a new applications control policy according to the instructions in Security Center’s documentation: https://aka.ms/aac-newpolicy\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\",\r\n \"ThreatResistance\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1234abcd-1b53-4fd4-9835-2c2fa3935313\",\r\n \"name\": \"1234abcd-1b53-4fd4-9835-2c2fa3935313\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Whitelisting rules in your adaptive application control policy should be updated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/123a3936-f020-408a-ba0c-47873faf1534\",\r\n \"description\": \"Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to whitelist in adaptive application control policies.\",\r\n \"remediationDescription\": \"To update your whitelists of known-safe applications: 1. From the portal, open Security Center. 2. Select \\\"Adaptive application controls\\\" from Security Center’s sidebar. 3. To see the groups of machines for which Security Center recommends updating the policy, select the \\\"Recommended\\\" tab and choose the configured group of machines. 4. The current policy will be displayed together with the new rules that Security Center recommends adding.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\",\r\n \"ThreatResistance\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f9f0eed0-f143-47bf-b856-671ea2eeed62\",\r\n \"name\": \"f9f0eed0-f143-47bf-b856-671ea2eeed62\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Adaptive Network Hardening recommendations should be applied on internet facing virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6\",\r\n \"description\": \"Azure Security Center has analyzed the internet traffic communication patterns of the virtual machines listed below, and determined that the existing rules in the NSGs associated to them are overly permissive, resulting in an increased potential attack surface.
This typically occurs when this IP address doesn't communicate regularly with this resource. Alternatively, the IP address has been flagged as malicious by Security Center's threat intelligence sources. learn more\",\r\n \"remediationDescription\": \"To harden the Network Security Group traffic rules, enforce the recommended rules by following the steps below or manually edit the rules directly on the Network Security Group:
- Select a VM from the list below, or click \\\"Take action\\\" if you've arrived from a specific VM's recommendation blade.
- Click the \\\"Rules\\\" tab.
- If you want to modify a recommended rule's parameters:
- In the rule that you want to change, select the three dots and select \\\"Edit rule\\\". The \\\"Edit rule\\\" blade opens.
- Modify the parameters that you want to change and click \\\"Save\\\". The blade closes.
- If you want to create a new rule:
- Click \\\"Add rule\\\" (in the top left corner). The \\\"Edit rule\\\" blade opens.
- Fill in the parameters and click \\\"Add rule\\\". The pane closes and the new rule is listed in the Rules tab.
- Select the rules that you want to apply (including any rules that you edited or added) and click \\\"Enforce\\\".
\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/805651bc-6ecd-4c73-9b55-97a19d0582d0\",\r\n \"name\": \"805651bc-6ecd-4c73-9b55-97a19d0582d0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Management ports of virtual machines should be protected with just-in-time network access control\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c\",\r\n \"description\": \"N/A\",\r\n \"remediationDescription\": \"N/A\",\r\n \"categories\": [\r\n \"Compute\",\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/01b1ed4c-b733-4fee-b145-f23236e70cf3\",\r\n \"name\": \"01b1ed4c-b733-4fee-b145-f23236e70cf3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerability assessment solution should be installed on your virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/760a85ff-6162-42b3-8d70-698e268f648c\",\r\n \"description\": \"N/A\",\r\n \"remediationDescription\": \"N/A\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/71992a2a-d168-42e0-b10e-6b45fa2ecddb\",\r\n \"name\": \"71992a2a-d168-42e0-b10e-6b45fa2ecddb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities should be remediated by a Vulnerability Assessment solution\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/760a85ff-6162-42b3-8d70-698e268f648c\",\r\n \"description\": \"N/A\",\r\n \"remediationDescription\": \"N/A\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\",\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bc303248-3d14-44c2-96a0-55f5c326b5fe\",\r\n \"name\": \"bc303248-3d14-44c2-96a0-55f5c326b5fe\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Management ports should be closed on your virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/22730e10-96f6-4aac-ad84-9383d35b5917\",\r\n \"description\": \"Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.\",\r\n \"remediationDescription\": \"We recommend that you edit the inbound rules of some of your virtual machines, to restrict access to specific source ranges.
To restrict access to your virtual machines: 1. Select a VM to restrict access to. 2. In the 'Networking' blade, click on each of the rules that allow management ports (e.g. RDP-3389, WINRM-5985, SSH-22). 3. Either change the 'Action' property to 'Deny', or, improve the rule by applying a less permissive range of source IP ranges. 4. Click 'Save'.
Use Azure Security Center's Just-in-time (JIT) virtual machine (VM) access to lock down inbound traffic to your Azure VMs by demand. Click here to learn more.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ThreatResistance\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c3b51c94-588b-426b-a892-24696f9e54cc\",\r\n \"name\": \"c3b51c94-588b-426b-a892-24696f9e54cc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IP forwarding on your virtual machine should be disabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744\",\r\n \"description\": \"Azure Security Center has discovered that IP forwarding is enabled on some of your virtual machines. Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.\",\r\n \"remediationDescription\": \"We recommend you edit the IP configurations of the NICs belonging to some of your virtual machines.
To disable IP forwarding: 1. Select a VM from the list below, or click 'Take action' if you've arrived from a specific VM's recommendation blade. 2. In the 'Networking' blade, click on the NIC link ('Network Interface' in the top left). 3. In the 'IP configurations' blade, set the 'IP forwarding' field to 'Disabled'. 4. Click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3b20e985-f71f-483b-b078-f30d73936d43\",\r\n \"name\": \"3b20e985-f71f-483b-b078-f30d73936d43\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"All network ports should be restricted on NSG associated to your VM\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9daedab3-fb2d-461e-b861-71790eead4f6\",\r\n \"description\": \"Azure Security center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to easily target your resources.\",\r\n \"remediationDescription\": \"We recommend that you edit the inbound rules of some of your virtual machines, to restrict access to specific source ranges.
To restrict access to your virtual machines: 1. Select a VM to restrict access to. 2. In the 'Networking' blade, click the Network Security Group with overly permissive rules. 3. In the 'Network security group' blade, click on each of the rules that are overly permissive. 4. Improve the rule by applying less permissive source IP ranges. 5. Apply the suggested changes and click 'Save'.
If some or all of these virtual machines do not need to be accessed directly from the Internet, then you can also consider removing the public IP associated to them.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/483f12ed-ae23-447e-a2de-a67a10db4353\",\r\n \"name\": \"483f12ed-ae23-447e-a2de-a67a10db4353\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Internet-facing virtual machines should be protected with network security groups\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c\",\r\n \"description\": \"Protect your VM from potential threats by restricting access to it with a network security group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your VM from other instances, in or outside the same subnet.
Please note that to keep your machine as secured as possible, both the VM access to the Internet must be restricted, and an NSG should be enabled on the subnet.
VMs with 'High' severity are Internet-facing VMs.\",\r\n \"remediationDescription\": \"To enable Network Security Groups on your virtual machines: 1. Select a VM to enable NSG on its NIC. 2. In the 'Networking' blade, click the Network Interface that is associated with the selected VM. 3. In the 'Network interface' blade, click the 'Network security group' menu item. 4. Click the 'Edit' button at the top of the blade. 5. Follow the steps and select an existing network security group to attach to this VM.
Click here to learn more.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a9341235-9389-42f0-a0bf-9bfb57960d44\",\r\n \"name\": \"a9341235-9389-42f0-a0bf-9bfb57960d44\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Non-internet-facing virtual machines should be protected with network security groups\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6\",\r\n \"description\": \"Protect your non-internet-facing virtual machine from potential threats by restricting access to it with a network security group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your VM from other instances, whether or not they're on the same subnet.
Note that to keep your machine as secure as possible, the VM's access to the internet must be restricted and an NSG should be enabled on the subnet.\",\r\n \"remediationDescription\": \"To enable network security groups on your virtual machines: 1. Select a VM to enable an NSG on its NIC. 2. In the 'Networking' pane, select the Network Interface that is associated with the selected VM. 3. In the 'Network interface' pane, select the 'Network security group' menu item. 4. Select 'Edit' at the top of the pane. 5. Follow the steps and select an existing network security group to attach to this VM.
Learn more.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/550e890b-e652-4d22-8274-60b3bdb24c63\",\r\n \"name\": \"550e890b-e652-4d22-8274-60b3bdb24c63\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Enable the built-in vulnerability assessment solution on virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9\",\r\n \"description\": \"Install the Qualys extension (built-in to the Azure Security Center standard tier) to enable the industry-leading vulnerability assessment solution on your virtual machines.\",\r\n \"remediationDescription\": \"To remediate with a single click, in the Unhealthy resources tab (below), select the resources, and click 'Remediate'. Read the remediation details in the confirmation box, insert the relevant parameters if required and approve the remediation. Note: It can take several minutes after remediation completes to see the resources in the ‘healthy resources’\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/57f36d21-69e3-4b0f-a66c-18629d1b736d\",\r\n \"name\": \"57f36d21-69e3-4b0f-a66c-18629d1b736d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Adaptive Network Hardening recommendations should be applied on internal facing virtual machines (Preview)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/65f6008c-c7de-4146-b4f2-0f91aa80ebe0\",\r\n \"description\": \"Azure Security Center has analyzed the Internet traffic communication patterns of the virtual machines listed below, and determined that the existing rules in the NSGs associated to them are overly permissive, resulting in an increased potential attack surface. This could be due lack of traffic on the port/protocol tuples or specific IPs which have been flagged as malicious by Security Center's threat intelligence sources.\",\r\n \"remediationDescription\": \"Security Center recommends that you modify the rules of your virtual machines, to close ports which are not in use.
To close unused ports on your Virtual Machine with a Network Security Group
1. Select a Virtual Machine to display a list of its unused open ports
2. Open the Virtual Machine's Networking blade by clicking its name
3. Edit the Virtual Machine's inbound/outbound rules to block ports according to the list
4. Click Save\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/24d8af06-d441-40b4-a49c-311421aa9f58\",\r\n \"name\": \"24d8af06-d441-40b4-a49c-311421aa9f58\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Network traffic data collection agent should be installed on Windows virtual machines (Preview)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2f2ee1de-44aa-4762-b6bd-0893fc3f306d\",\r\n \"description\": \"Security Center uses the Microsoft Monitoring Dependency Agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats.\",\r\n \"remediationDescription\": \"To remediate with a single click, in the Unhealthy resources tab (below), select the resources, and click Remediate. Read the remediation details in the confirmation box, insert the relevant parameters if required and approve the remediation.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8c3e93d3-0276-4d06-b20a-9a9f3012742c\",\r\n \"name\": \"8c3e93d3-0276-4d06-b20a-9a9f3012742c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Network traffic data collection agent should be installed on Linux virtual machines (Preview)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/04c4380f-3fae-46e8-96c9-30193528f602\",\r\n \"description\": \"Security Center uses the Microsoft Monitoring Dependency Agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats.\",\r\n \"remediationDescription\": \"To remediate with a single click, in the Unhealthy resources tab (below), select the resources, and click Remediate. Read the remediation details in the confirmation box, insert the relevant parameters if required and approve the remediation.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b0df6f56-862d-4730-8597-38c0fd4ebd59\",\r\n \"name\": \"b0df6f56-862d-4730-8597-38c0fd4ebd59\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Sensitive data in your SQL databases should be classified\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/cc9835f2-9f6b-4cc8-ab4a-f8ef615eb349\",\r\n \"description\": \"Azure SQL DB Data discovery & classification provides capabilities for discovering, classifying, labeling, and protecting the sensitive data in your databases. Once your data is classified, you can use Azure SQL DB auditing to audit access and monitor the sensitive data. Azure SQL DB also enables Advanced Threat Protection features which creates intelligent alerts based on changes in the access patterns to the sensitive data.\",\r\n \"remediationDescription\": \"To remediate this recommendation: 1. In your SQL database, go to 'Advanced Data Security' and click 'Data Discovery and Classification'. 2. Review the recommended classifications. 3. Apply the relevant recommendations and dismiss the ones that are not applicable.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fe02b3b7-a722-d4d6-6731-6493776203a6\",\r\n \"name\": \"fe02b3b7-a722-d4d6-6731-6493776203a6\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities on your SQL databases should be remediated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc\",\r\n \"description\": \"SQL Vulnerability Assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security stature.\",\r\n \"remediationDescription\": \"To resolve SQL vulnerabilities: 1. In your SQL database, go to 'Advanced Data Security' and click 'Vulnerability Assessment'. 2. Review the set of Failed security checks found by the scan, which are sorted from high to low risk. 3. Click on each vulnerability to view its details and explicit remediation instructions and scripts. 4. Either remediate the vulnerability using the provided script, or set the result as an acceptable Baseline for the check so that it will be considered passing in subsequent scans.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f97aa83c-9b63-4f9a-99f6-b22c4398f936\",\r\n \"name\": \"f97aa83c-9b63-4f9a-99f6-b22c4398f936\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities on your SQL databases in VMs should be remediated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d\",\r\n \"description\": \"SQL Vulnerability Assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security stature.\",\r\n \"remediationDescription\": \"To resolve SQL vulnerabilities: 1. In your SQL database, go to 'Advanced Data Security' and click 'Vulnerability Assessment'. 2. Review the set of Failed security checks found by the scan, which are sorted from high to low risk. 3. Click on each vulnerability to view its details and explicit remediation instructions and scripts. 4. Either remediate the vulnerability using the provided script, or set the result as an acceptable Baseline for the check so that it will be considered passing in subsequent scans.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/dbd0cb49-b563-45e7-9724-889e799fa648\",\r\n \"name\": \"dbd0cb49-b563-45e7-9724-889e799fa648\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities in Azure Container Registry images should be remediated (powered by Qualys)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bf49982c-9e3e-4fc4-bc20-67afecd23512\",\r\n \"description\": \"Container image vulnerability assessment scans your registry for security vulnerabilities on each pushed container image and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks.\",\r\n \"remediationDescription\": \"To resolve container image vulnerabilities: 1. Navigate to the relevant resource under the 'Unhealthy' section and select the container image you are looking to remediate. 2. Review the set of failed security checks found by the scan, which are sorted from high to low risk. 3. Click on each vulnerability to view its details and explicit remediation instructions and scripts. 4. Remediate the vulnerability using the provided instructions described in the 'Remediation' field. 5. Upload the new remediated image to your registry. Review scan results for the new image to verify the vulnerability no longer exist. 6. Delete the old image with the vulnerability from you registry.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1195afff-c881-495e-9bc5-1486211ae03f\",\r\n \"name\": \"1195afff-c881-495e-9bc5-1486211ae03f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Remediate vulnerabilities found on your virtual machines (powered by Qualys)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9\",\r\n \"description\": \"Monitors for vulnerability findings on your virtual machines as were discovered by the built-in vulnerability assessment solution of Azure Security Center (powered by Qualys).\",\r\n \"remediationDescription\": \"Review and remediate vulnerability findings that were discovered by the built-in vulnerability assessment solution of Azure Security Center (powered by Qualys).\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/82e20e14-edc5-4373-bfc4-f13121257c37\",\r\n \"name\": \"82e20e14-edc5-4373-bfc4-f13121257c37\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities on your SQL databases should be remediated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc\",\r\n \"description\": \"SQL Vulnerability Assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security stature.\",\r\n \"remediationDescription\": \"To resolve SQL vulnerabilities: 1. In your SQL database, go to 'Advanced Data Security' and click 'Vulnerability Assessment'. 2. Review the set of Failed security checks found by the scan, which are sorted from high to low risk. 3. Click on each vulnerability to view its details and explicit remediation instructions and scripts. 4. Either remediate the vulnerability using the provided script, or set the result as an acceptable Baseline for the check so that it will be considered passing in subsequent scans.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n }\r\n ]\r\n}",
"StatusCode": 200
},
{
diff --git a/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecurityAssessmentMetadataTests/GetAllAssessmentMetadata.json b/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecurityAssessmentMetadataTests/GetAllAssessmentMetadata.json
index 61264a71df9c..38f8f940f22a 100644
--- a/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecurityAssessmentMetadataTests/GetAllAssessmentMetadata.json
+++ b/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecurityAssessmentMetadataTests/GetAllAssessmentMetadata.json
@@ -57,7 +57,7 @@
"-1"
]
},
- "ResponseBody": "{\r\n \"value\": [\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4fb67663-9ab9-475d-b026-8c544cced439\",\r\n \"name\": \"4fb67663-9ab9-475d-b026-8c544cced439\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Install endpoint protection solution on Linux virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9\",\r\n \"description\": \"\",\r\n \"remediationDescription\": \"\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0396b18c-41aa-489c-affd-4ee5d1714a59\",\r\n \"name\": \"0396b18c-41aa-489c-affd-4ee5d1714a59\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Secure Boot should be enabled on your virtual machine\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0396b18c-41aa-489c-affd-4ee5d1714a59\",\r\n \"description\": \"Enabling Secure Boot on your virtual machine helps mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only signed code will be allowed to run on your VM or server.\",\r\n \"remediationDescription\": \"Enabling Secure Boot requires restarting your virtual machine: 1. Stop your VM when it is safe to do so. 2. Enable Secure Boot for the VM. 3. Restart the VM.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ElevationOfPrivilege\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f7010359-8d21-4598-a9f2-c3e81a17141e\",\r\n \"name\": \"f7010359-8d21-4598-a9f2-c3e81a17141e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"All advanced threat protection types should be enabled in SQL server advanced data security settings\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e756b945-1b1b-480b-8de8-9a0859d5f7ad\",\r\n \"description\": \"It is recommended to enable all advanced threat protection types on your SQL servers. Enabling all types protects against SQL injection, database vulnerabilities, and any other anomalous activities.\",\r\n \"remediationDescription\": \"To set advanced threat protection types to 'All' on SQL servers: 1. Select the SQL server. 2. Make sure that 'Advanced data security' is set to 'On'. 3. Under 'Advanced threat protection types', mark the check box for 'all'. 4. click OK. 5. Click Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ebe970fe-9c27-4dd7-a165-1e943d565e10\",\r\n \"name\": \"ebe970fe-9c27-4dd7-a165-1e943d565e10\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"All advanced threat protection types should be enabled in SQL managed instance advanced data security settings\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bda18df3-5e41-4709-add9-2554ce68c966\",\r\n \"description\": \"It is recommended to enable all advanced threat protection types on your SQL managed instances. Enabling all types protects against SQL injection, database vulnerabilities, and any other anomalous activities.\",\r\n \"remediationDescription\": \"To set advanced threat protection types to 'All' on a managed instance: 1. Select the SQL server. 2. Make sure that 'Advanced data security' is set to 'On'. 3. Under 'Advanced threat protection types', mark the check box for 'all'. 4. click OK. 5. Click Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/64b8637e-4e1d-76a9-0fc9-c1e487a97ed8\",\r\n \"name\": \"64b8637e-4e1d-76a9-0fc9-c1e487a97ed8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Remote debugging should be turned off for Web Applications\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/cb510bfd-1cba-4d9f-a230-cb0976f4bb71\",\r\n \"description\": \"Remote debugging requires inbound ports to be opened on a web application. Remote debugging is currently enabled. If you no longer need to use remote debugging, it should be turned off.\",\r\n \"remediationDescription\": \"To turn off remote debugging, we recommend the following steps: 1. Go to the app service applications settings page 2. In the remote debugging toggle select Off 3. Click Save\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/df4d1739-47f0-60c7-1706-3731fea6ab03\",\r\n \"name\": \"df4d1739-47f0-60c7-1706-3731fea6ab03\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CORS should not allow every resource to access your Web Applications\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/5744710e-cc2f-4ee8-8809-3b11e89f4bc9\",\r\n \"description\": \"Cross-Origin Resource Sharing (CORS) should not allow all domains to access your web application. Allow only required domains to interact with your web app.\",\r\n \"remediationDescription\": \"To allow only required domains to interact with your web app, we recommend the following steps:<br>1. Go to the app service CORS page<br>2. Remove the \\\"*\\\" defined and instead specify explicit origins that should be allowed to make cross-origin calls<br>3. Click Save\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1b351b29-41ca-6df5-946c-c190a56be5fe\",\r\n \"name\": \"1b351b29-41ca-6df5-946c-c190a56be5fe\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Web Application should only be accessible over HTTPS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d\",\r\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\",\r\n \"remediationDescription\": \"To redirect all HTTP traffic to HTTPS, we recommend the following steps:
\\n1. Go to the app service custom domains page
\\n2. In the HTTPS Only toggle select On\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/093c685b-56dd-13a3-8ed5-887a001837a2\",\r\n \"name\": \"093c685b-56dd-13a3-8ed5-887a001837a2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Remote debugging should be turned off for Function App\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/0e60b895-3786-45da-8377-9c6b4b6ac5f9\",\r\n \"description\": \"Remote debugging requires inbound ports to be opened on an function app. Remote debugging should be turned off.\",\r\n \"remediationDescription\": \"To turn off remote debugging, we recommend the following steps:<br>1. Go to the app service applications settings page<br>2. In the remote debugging toggle select Off<br>3. Click Save\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7b3d4796-9400-2904-692b-4a5ede7f0a1e\",\r\n \"name\": \"7b3d4796-9400-2904-692b-4a5ede7f0a1e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CORS should not allow every resource to access your Function App\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/0820b7b9-23aa-4725-a1ce-ae4558f718e5\",\r\n \"description\": \"Cross-Origin Resource Sharing (CORS) should not allow all domains to access your Function app. Allow only required domains to interact with your Function app.\",\r\n \"remediationDescription\": \"To allow only required domains to interact with your web app, we recommend the following steps:<br>1. Go to the app service CORS page<br>2. Remove the \\\"*\\\" defined and instead specify explicit origins that should be allowed to make cross-origin calls<br>3. Click Save\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/cb0acdc6-0846-fd48-debe-9905af151b6d\",\r\n \"name\": \"cb0acdc6-0846-fd48-debe-9905af151b6d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Function App should only be accessible over HTTPS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab\",\r\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\",\r\n \"remediationDescription\": \"To redirect all HTTP traffic to HTTPS, we recommend the following steps:
\\n1. Go to the app service custom domains page
\\n2. In the HTTPS Only toggle select On\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9172da4e-9571-6e33-2b5b-d742847f3be7\",\r\n \"name\": \"9172da4e-9571-6e33-2b5b-d742847f3be7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Remote debugging should be turned off for API App\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/e9c8d085-d9cc-4b17-9cdc-059f1f01f19e\",\r\n \"description\": \"Remote debugging requires inbound ports to be opened on an API app. Remote debugging should be turned off.\",\r\n \"remediationDescription\": \"To turn off remote debugging, we recommend the following steps:<br>1. Go to the app service applications settings page<br>2. In the remote debugging toggle select Off<br>3. Click Save\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e40df93c-7a7c-1b0a-c787-9987ceb98e54\",\r\n \"name\": \"e40df93c-7a7c-1b0a-c787-9987ceb98e54\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CORS should not allow every resource to access your API App\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/358c20a6-3f9e-4f0e-97ff-c6ce485e2aac\",\r\n \"description\": \"Cross-Origin Resource Sharing (CORS) should not allow all domains to access your API app. Allow only required domains to interact with your API app.\",\r\n \"remediationDescription\": \"To allow only required domains to interact with your web app, we recommend the following steps:<br>1. Go to the app service CORS page<br>2. Remove the �*� defined and instead specify explicit origins that should be allowed to make cross-origin calls<br>3. Click Save\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bf82a334-13b6-ca57-ea75-096fc2ffce50\",\r\n \"name\": \"bf82a334-13b6-ca57-ea75-096fc2ffce50\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"API App should only be accessible over HTTPS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b7ddfbdc-1260-477d-91fd-98bd9be789a6\",\r\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\",\r\n \"remediationDescription\": \"To redirect all HTTP traffic to HTTPS, we recommend the following steps:
\\n1. Go to the app service custom domains page
\\n2. In the HTTPS Only toggle select On\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d57a4221-a804-52ca-3dea-768284f06bb7\",\r\n \"name\": \"d57a4221-a804-52ca-3dea-768284f06bb7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Disk encryption should be applied on virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d\",\r\n \"description\": \"Encrypt your virtual machine disks using Azure Disk Encryption both for Windows and Linux virtual machines.
\\n Azure Disk Encryption (ADE) leverages the industry standard BitLocker feature of Windows and the DM-Crypt feature of Linux to
\\n provide OS and data disk encryption to help protect and safeguard your data and help meet your organizational security and
\\n compliance commitments in customer Azure key vault. When your compliance and security requirement requires you to encrypt
\\n the data end to end using your encryption keys, including encryption of the ephemeral (locally attached temporary) disk, use
\\n Azure disk encryption. Alternatively, by default, Managed Disks are encrypted at rest by default using Azure Storage Service
\\n Encryption where the encryption keys are Microsoft managed keys in Azure. If this meets your compliance and security requirements,
\\n you can leverage the default Managed disk encryption to meet your requirements.\",\r\n \"remediationDescription\": \"To enable disk encryption on your virtual machines, follow Encryption instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4ab6e3c5-74dd-8b35-9ab9-f61b30875b27\",\r\n \"name\": \"4ab6e3c5-74dd-8b35-9ab9-f61b30875b27\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"System updates should be installed on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60\",\r\n \"description\": \"Install missing system security and critical updates to secure your Windows and Linux virtual machines and computers\",\r\n \"remediationDescription\": \"1. Click an identified outstanding update. 2. In the Missing system updates pane, click the support link and follow the instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c0f5316d-5ac5-9218-b77a-b96e16ccfd66\",\r\n \"name\": \"c0f5316d-5ac5-9218-b77a-b96e16ccfd66\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Your machines should be restarted to apply system updates\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60\",\r\n \"description\": \"Restart your machines to apply the system updates and secure the machine from vulnerabilities.\",\r\n \"remediationDescription\": \"To restart the machine:
\\n1. Go to Virtual machines and click on your machine.
\\n2. Click 'Restart'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/181ac480-f7c4-544b-9865-11b8ffe87f47\",\r\n \"name\": \"181ac480-f7c4-544b-9865-11b8ffe87f47\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities in security configuration on your machines should be remediated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15\",\r\n \"description\": \"Remediate vulnerabilities in security configuration on your machines to protect them from attacks.\",\r\n \"remediationDescription\": \"1.\\tClick any of the configuration vulnerabilities. 2. In the Remediate security configurations pane, click View affected machines. 3. Click a machine from the list. 4. Customize the Kusto query as necessary and run the command.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3bcd234d-c9c7-c2a2-89e0-c01f419c1a8a\",\r\n \"name\": \"3bcd234d-c9c7-c2a2-89e0-c01f419c1a8a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Endpoint protection health issues should be resolved on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9\",\r\n \"description\": \"For full Security Center protection, resolve monitoring agent issues on your machines by following the instructions in the Troubleshooting guide.\",\r\n \"remediationDescription\": \"1. Click any of the health issues. 2. Select a workspace. 3. Customize the Kusto query as necessary and run the command.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/83f577bd-a1b6-b7e1-0891-12ca19d1e6df\",\r\n \"name\": \"83f577bd-a1b6-b7e1-0891-12ca19d1e6df\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Install endpoint protection solution on virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9\",\r\n \"description\": \"Install an endpoint protection solution on your virtual machines, to protect them from threats and vulnerabilities.\",\r\n \"remediationDescription\": \"1.\\tSelect one or more virtual machines, or use the filter to set criteria for which machines to select. 2. Click Install on [x] VMs.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/651967bf-044e-4bde-8376-3e08e0600105\",\r\n \"name\": \"651967bf-044e-4bde-8376-3e08e0600105\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Transparent Data Encryption on SQL databases should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a8bef009-a5c9-4d0f-90d7-6018734e8a16\",\r\n \"description\": \"Enable transparent data encryption to protect data-at-rest and meet compliance requirements\",\r\n \"remediationDescription\": \"To enable transparent data encryption on your SQL databases: 1. Select the SQL database. 2. Under Data encryption, select On. 3. Click Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/94208a8b-16e8-4e5b-abbd-4e81c9d02bee\",\r\n \"name\": \"94208a8b-16e8-4e5b-abbd-4e81c9d02bee\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Auditing on SQL server should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9\",\r\n \"description\": \"Enable auditing on your SQL Server to track database activities across all databases on the server and save them in an audit log.\",\r\n \"remediationDescription\": \"To enable SQL server auditing:
\\n1. Select the SQL server.
\\n2. Under Auditing, select On.
\\n3. Select Storage details and configure a storage account for the audit log.
\\n4. Click Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8bc390da-9eb6-938d-25ed-44a35d9bcc9d\",\r\n \"name\": \"8bc390da-9eb6-938d-25ed-44a35d9bcc9d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"OS version should be updated for your cloud service roles\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Update the operating system (OS) version for your cloud service roles to the most recent version available for your OS family.\",\r\n \"remediationDescription\": \"Update the OS version on your cloud service roles to make sure you have the most recent OS version. To do this, follow the instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/383cf3bc-fdf9-4a02-120a-3e7e36c6bfee\",\r\n \"name\": \"383cf3bc-fdf9-4a02-120a-3e7e36c6bfee\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Install endpoint protection solution on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Install an endpoint protection solution on your Windows and Linux machines, to protect them from threats and vulnerabilities.\",\r\n \"remediationDescription\": \"1. Select one or more machines, or use the filter to set criteria for which machines to select. 2. Click Install on [x] machines.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e7ee30c4-bac9-2966-54bd-2023a4282872\",\r\n \"name\": \"e7ee30c4-bac9-2966-54bd-2023a4282872\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Monitoring agent should be installed on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This action installs a monitoring agent on the selected virtual machines. Select a workspace for the agent to report to.\",\r\n \"remediationDescription\": \"1. For instructions on how to install the agent on Windows, click here 2. For instructions on how to install the agent on Linux, click here\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8e2b96ff-3de2-289b-b5c1-3b9921a3441e\",\r\n \"name\": \"8e2b96ff-3de2-289b-b5c1-3b9921a3441e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Monitoring agent health issues should be resolved on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Security Center uses the Microsoft Monitoring Agent (MMA) to collect security events from your Azure virtual machines. To make sure your virtual machines are successfully monitored,
\\n you need to enable data collection in Security Center and make sure the MMA agent is both installed on the virtual machines and properly collects security events to the configured workspace.
\\n In some cases, the MMA agent may fail to properly report security events, due to multiple reasons. In these cases, coverage may be partial - security events won�t be properly processed,
\\n and in turn threat detection for the affected VMs may fail to function.\",\r\n \"remediationDescription\": \"To resolve monitoring agent health issues and see the different resolution for each issue, please see the following instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d1db3318-01ff-16de-29eb-28b344515626\",\r\n \"name\": \"d1db3318-01ff-16de-29eb-28b344515626\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Install monitoring agent on your virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Security Center uses the Microsoft Monitoring Agent (MMA) to collect security events from your Azure virtual machines.<br> We recommend configuring auto-provisioning to ensure the MMA is deployed automatically.<br> If you choose not to use auto-provisioning, you�ll need to follow the remediation steps to manually deploy the MMA for all your VMs.<br> You�ll also need to follow that procedure if your VMs are used by an Azure managed service such as Azure Kubernetes Service or Azure Service Fabric.\",\r\n \"remediationDescription\": \"Installation of the monitoring agent and enabling data collection in Security Center can be done in several ways:\\n- Using Security Center�s automatic provisioning on your subscription(s).
This will automatically provision the monitoring agent on current and future-created virtual machines on your subscription(s). (Learn more)
\\nYou can enable automatic provisioning on multiple subscriptions by clicking on the Getting started menu item, and select 'Install agents'.
You can also enable it for specific subscriptions and customize additional settings by clicking on the 'Security policy' menu item,
select 'Edit settings' on a subscription and enable auto provisioning in the 'data collection' menu item. \\n- Install the Microsoft Monitoring agent on your Virtual machines as a VM extension or directly, by following these instructions.
\\n- Provision the Microsoft Monitoring agent with Azure Policies. The applicable policy definitions are:
�[Preview]: Deploy Log Analytics Agent for Windows VMs� and �[Preview]: Deploy Log Analytics Agent for Linux VMs. \\n
\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/151e82c5-5341-a74b-1eb0-bc38d2c84bb5\",\r\n \"name\": \"151e82c5-5341-a74b-1eb0-bc38d2c84bb5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"MFA should be enabled on accounts with read permissions on your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e3576e28-8b17-4677-84c3-db2990658d64\",\r\n \"description\": \"Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources.\",\r\n \"remediationDescription\": \"Before enabling MFA for the users, you may want to take this opportunity to delete any users listed that are no longer active users.
To enable MFA using conditional access you must have an Azure AD Premium license and have AD tenant admin permissions.
To enable MFA on user accounts: 1. Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription. The list of user accounts that require enabling MFA opens. 2. Click 'Continue'. The Azure AD Conditional Access page opens. 3. In the Conditional Access page, add the list of users to an existing policy. If there are no existing policies create a new policy following these instructions:
a. Click '+New policy'.
b. In the 'Name' text box, enter a policy name.
c. Assign 'User and groups':
i. Select 'Users and groups' > In the 'Include' tab, select 'Select users and groups' and select the 'Users and groups' check box.
ii. Select the users that are in the list of user accounts require enabling MFA. You can scroll back to the left to see the list.
iii. After selecting the users, at the bottom of the list, click 'Select'.
iv. Click 'Done'.
d. Assign 'Cloud apps'
i. Select 'Cloud apps' > In the 'Include' tab, select 'All cloud apps'. (Don't exclude any apps.)
ii. Click 'Done'.
e. Assign 'Access Controls'
i. Select 'Grant' and select 'Require multi-factor authentication'. (Don't select any other options.)
ii. Click 'Select'.
f. Enable Policy.
i. Click 'On' 4. Click 'Create'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/57e98606-6b1e-6193-0e3d-fe621387c16b\",\r\n \"name\": \"57e98606-6b1e-6193-0e3d-fe621387c16b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"MFA should be enabled on accounts with write permissions on your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9297c21d-2ed6-4474-b48f-163f75654ce3\",\r\n \"description\": \"Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources.\",\r\n \"remediationDescription\": \"Before enabling MFA for the users, you may want to take this opportunity to delete any users listed that are no longer active users.
To enable MFA using conditional access you must have an Azure AD Premium license and have AD tenant admin permissions.
To enable MFA on user accounts: 1. Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription. The list of user accounts that require enabling MFA opens. 2. Click 'Continue'. The Azure AD Conditional Access page opens. 3. In the Conditional Access page, add the list of users to an existing policy. If there are no existing policies create a new policy following these instructions:
a. Click '+New policy'.
b. In the 'Name' text box, enter a policy name.
c. Assign 'User and groups':
i. Select 'Users and groups' > In the 'Include' tab, select 'Select users and groups' and select the 'Users and groups' check box.
ii. Select the users that are in the list of user accounts require enabling MFA. You can scroll back to the left to see the list.
iii. After selecting the users, at the bottom of the list, click 'Select'.
iv. Click 'Done'.
d. Assign 'Cloud apps'
i. Select 'Cloud apps' > In the 'Include' tab, select 'All cloud apps'. (Don't exclude any apps.)
ii. Click 'Done'.
e. Assign 'Access Controls'
i. Select 'Grant' and select 'Require multi-factor authentication'. (Don't select any other options.)
ii. Click 'Select'.
f. Enable Policy.
i. Click 'On' 4. Click 'Create'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/94290b00-4d0c-d7b4-7cea-064a9554e681\",\r\n \"name\": \"94290b00-4d0c-d7b4-7cea-064a9554e681\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"MFA should be enabled on accounts with owner permissions on your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/aa633080-8b72-40c4-a2d7-d00c03e80bed\",\r\n \"description\": \"Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources.\",\r\n \"remediationDescription\": \"Before enabling MFA for the users, you may want to take this opportunity to delete any users listed that are no longer active users.
To enable MFA using conditional access you must have an Azure AD Premium license and have AD tenant admin permissions.
To enable MFA on user accounts: 1. Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription. The list of user accounts that require enabling MFA opens. 2. Click 'Continue'. The Azure AD Conditional Access page opens. 3. In the Conditional Access page, add the list of users to an existing policy. If there are no existing policies create a new policy following these instructions:
a. Click '+New policy'.
b. In the 'Name' text box, enter a policy name.
c. Assign 'User and groups':
i. Select 'Users and groups' > In the 'Include' tab, select 'Select users and groups' and select the 'Users and groups' check box.
ii. Select the users that are in the list of user accounts require enabling MFA. You can scroll back to the left to see the list.
iii. After selecting the users, at the bottom of the list, click 'Select'.
iv. Click 'Done'.
d. Assign 'Cloud apps'
i. Select 'Cloud apps' > In the 'Include' tab, select 'All cloud apps'. (Don't exclude any apps.)
ii. Click 'Done'.
e. Assign 'Access Controls'
i. Select 'Grant' and select 'Require multi-factor authentication'. (Don't select any other options.)
ii. Click 'Select'.
f. Enable Policy.
i. Click 'On' 4. Click 'Create'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a8c6a4ad-d51e-88fe-2979-d3ee3c864f8b\",\r\n \"name\": \"a8c6a4ad-d51e-88fe-2979-d3ee3c864f8b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"External accounts with read permissions should be removed from your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5f76cf89-fbf2-47fd-a3f4-b891fa780b60\",\r\n \"description\": \"Accounts with read permissions that have different domain names (external accounts), should be removed from your subscription. This prevents unmonitored access. These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"To remove external accounts:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The list of external user accounts that require access removal opens.
Click 'Continue'. The Access control (IAM) page opens.
In the Access control page: 1. Click the 'Role assignments' 2. Search and select the users that were in the list of user accounts that require removal. You can scroll back to the left to see the list. 3. Click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/04e7147b-0deb-9796-2e5c-0336343ceb3d\",\r\n \"name\": \"04e7147b-0deb-9796-2e5c-0336343ceb3d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"External accounts with write permissions should be removed from your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5c607a2e-c700-4744-8254-d77e7c9eb5e4\",\r\n \"description\": \"Accounts with write permissions that have different domain names (external accounts), should be removed from your subscription. This prevents unmonitored access. These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"To remove external accounts:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The list of external user accounts that require access removal opens.
Click 'Continue'. The Access control (IAM) page opens.
In the Access control page: 1. Click the 'Role assignments' 2. Search and select the users that were in the list of user accounts that require removal. You can scroll back to the left to see the list. 3. Click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c3b6ae71-f1f0-31b4-e6c1-d5951285d03d\",\r\n \"name\": \"c3b6ae71-f1f0-31b4-e6c1-d5951285d03d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"External accounts with owner permissions should be removed from your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f8456c1c-aa66-4dfb-861a-25d127b775c9\",\r\n \"description\": \"Accounts with owner permissions that have different domain names (external accounts), should be removed from your subscription. This prevents unmonitored access. These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"To remove external accounts:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The list of external user accounts that require access removal opens.
Click 'Continue'. The Access control (IAM) page opens.
In the Access control page: 1. Click the 'Role assignments' 2. Search and select the users that were in the list of user accounts that require removal. You can scroll back to the left to see the list. 3. Click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/00c6d40b-e990-6acf-d4f3-471e747a27c4\",\r\n \"name\": \"00c6d40b-e990-6acf-d4f3-471e747a27c4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Deprecated accounts should be removed from your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6b1cbf55-e8b6-442f-ba4c-7246b6381474\",\r\n \"description\": \"User accounts that have been blocked from signing in, should be removed from your subscriptions.
These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"To remove blocked user accounts:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The list of blocked user accounts opens.
Click �Continue�. The Access control (IAM) page opens.
In the Access control page:1. Click the 'Role assignments' tab. 2. Search and select the users that were in the list of blocked user accounts that require removal. You can scroll back to the left to see the list. 3. Click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e52064aa-6853-e252-a11e-dffc675689c2\",\r\n \"name\": \"e52064aa-6853-e252-a11e-dffc675689c2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Deprecated accounts with owner permissions should be removed from your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ebb62a0c-3560-49e1-89ed-27e074e9f8ad\",\r\n \"description\": \"User accounts that have been blocked from signing in, should be removed from your subscriptions.
These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"To remove blocked user accounts:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The list of blocked user accounts opens.
Click �Continue�. The Access control (IAM) page opens.
In the Access control page:1. Click the 'Role assignments' tab. 2. Search and select the users that were in the list of blocked user accounts that require removal. You can scroll back to the left to see the list. 3. Click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6f90a6d6-d4d6-0794-0ec1-98fa77878c2e\",\r\n \"name\": \"6f90a6d6-d4d6-0794-0ec1-98fa77878c2e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"A maximum of 3 owners should be designated for your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4f11b553-d42e-4e3a-89be-32ca364cad4c\",\r\n \"description\": \"It is recommended to designate up to {0} subscription owners in order to reduce the potential for breach by a compromised owner.\",\r\n \"remediationDescription\": \"To remove owner permissions from user accounts on your subscription:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The Access control (IAM) page opens. 1. Click the Role assignments tab and set the 'Role' filter to 'Owner'. 2. Select the owners you want to remove. 3. Click Remove.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2c79b4af-f830-b61e-92b9-63dfa30f16e4\",\r\n \"name\": \"2c79b4af-f830-b61e-92b9-63dfa30f16e4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"There should be more than one owner assigned to your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/09024ccc-0c5f-475e-9457-b7c0d9ed487b\",\r\n \"description\": \"Designate more than one subscription owner in order to have administrator access redundancy.\",\r\n \"remediationDescription\": \"To add another account with owner permissions to your subscription:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The Access control (IAM) page opens. 1. Click 'Add' to open the Add role assignment pane.
If you don't have permissions to assign roles, the Add role assignment option will be disabled 1. In the 'Role' drop-down list, select the Owner role. 2. In the Select list, select a user. 3. Click Save.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0677209d-e675-2c6f-e91a-54cef2878663\",\r\n \"name\": \"0677209d-e675-2c6f-e91a-54cef2878663\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities in container security configurations should be remediated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933\",\r\n \"description\": \"Remediate vulnerabilities in security configuration on machines with Docker installed to protect them from attacks.\",\r\n \"remediationDescription\": \"To Remediate vulnerabilities in the container security configurations:1. Review the list of failed rules.2. Fix each rule according to the specified instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1db4f204-cb5a-4c9c-9254-7556403ce51c\",\r\n \"name\": \"1db4f204-cb5a-4c9c-9254-7556403ce51c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerability assessment should be enabled on your SQL servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9\",\r\n \"description\": \"Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities.\",\r\n \"remediationDescription\": \"To enable vulnerability assessment on SQL servers: 1. Select the SQL server. 2. Make sure that 'Advanced data security' is set to 'On'. 3. Under 'Vulnerability assessment settings', set 'Periodic recurring scans' to 'On', and configure a storage account for storing vulnerability assessment scan results. 4. Click Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/400a6682-992c-4726-9549-629fbc3b988f\",\r\n \"name\": \"400a6682-992c-4726-9549-629fbc3b988f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Advanced data security should be enabled on your SQL servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9\",\r\n \"description\": \"Advanced data security (ADS) is a unified package that provides advanced SQL security capabilities. It discovers and classifies sensitive data, surfaces and mitigates potential database vulnerabilities, and detects anomalous activities that could indicate a threat to your database. ADS is charged at $15 per SQL server.\",\r\n \"remediationDescription\": \"To enable advanced data security on SQL servers: 1. Select the SQL server. 2. Under 'Advanced Data Security', select 'On'. 3. Under 'Vulnerability Assessment Settings', set 'Periodic recurring scans' to 'On', and configure a storage account for storing vulnerability assessment scan results. 4. Click Save.
Note: ADS is charged at $15 per SQL server.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f0553104-cfdb-65e6-759c-002812e38500\",\r\n \"name\": \"f0553104-cfdb-65e6-759c-002812e38500\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"An Azure Active Directory administrator should be provisioned for SQL servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9\",\r\n \"description\": \"Provision an Azure AD administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services.\",\r\n \"remediationDescription\": \"To provision an Azure AD administrator for SQL server, see Configure and manage Azure Active Directory authentication with SQL Database, Managed Instance, or SQL Data Warehouse\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/12018f4f-3d10-999b-e4c4-86ec25be08a1\",\r\n \"name\": \"12018f4f-3d10-999b-e4c4-86ec25be08a1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Virtual machines should be migrated to new Azure Resource Manager resources\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d\",\r\n \"description\": \"To benefit from new capabilities in Azure Resource Manager, you can migrate existing deployments from the Classic deployment model. Resource Manager enables security enhancements such as: stronger access control (RBAC), better auditing, ARM-based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management. Learn more\",\r\n \"remediationDescription\": \"To migrate virtual machines to new ARM resources : 1. Go to the Virtual machine 2. Click on Migrate to ARM and follow the instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/22e18b64-4576-41e6-8972-0eb28c9af0c8\",\r\n \"name\": \"22e18b64-4576-41e6-8972-0eb28c9af0c8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fb893a29-21bb-418c-a157-e99480ec364c\",\r\n \"description\": \"Upgrade your Kubernetes service cluster to a later Kubernetes version to protect against known vulnerabilities in your current Kubernetes version. Vulnerability CVE-2019-9946 has been patched in Kubernetes versions 1.11.9+, 1.12.7+, 1.13.5+, and 1.14.0+\",\r\n \"remediationDescription\": \"To upgrade a Kubernetes version using the Azure portal: 1. Go to Azure Kubernetes Services and click on the specific Kubernetes Service. 2. Under 'Upgrade' select the target Kubernetes version and save the change. Note:When you upgrade an AKS cluster, Kubernetes minor versions cannot be skipped. For example, upgrades between 1.10.x -> 1.11.x or 1.11.x -> 1.12.x are allowed, however 1.10.x -> 1.12.x is not. To upgrade from 1.10.x -> 1.12.x, first upgrade from 1.10.x -> 1.11.x, then upgrade from 1.11.x -> 1.12.x.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"ElevationOfPrivilege\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1a2b5b4c-f80d-46e7-ac81-b51a9fb363de\",\r\n \"name\": \"1a2b5b4c-f80d-46e7-ac81-b51a9fb363de\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Authorized IP ranges should be defined on Kubernetes Services\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e246bcf-5f6f-4f87-bc6f-775d4712c7ea\",\r\n \"description\": \"Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster.\",\r\n \"remediationDescription\": \"To configure authorized IP ranges, follow the steps described here Secure access to the API server using authorized IP address ranges in Azure Kubernetes Service (AKS).\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DenialOfService\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a3eee263-aa01-4b52-a7c0-0094578ef48f\",\r\n \"name\": \"a3eee263-aa01-4b52-a7c0-0094578ef48f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Pod Security Policies should be defined on Kubernetes Services\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3abeb944-26af-43ee-b83d-32aaf060fb94\",\r\n \"description\": \"Define Pod Security Policies to reduce the attack vector by removing unnecessary application privileges. It is recommended to configure Pod Security Policies to only allow pods to access the resources which they have permissions to access.\",\r\n \"remediationDescription\": \"To configure Pod Security Policies, follow the steps described here Secure your cluster using pod security policies in Azure Kubernetes Service (AKS).\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ElevationOfPrivilege\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b0fdc63a-38e7-4bab-a7c4-2c2665abbaa9\",\r\n \"name\": \"b0fdc63a-38e7-4bab-a7c4-2c2665abbaa9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Role-Based Access Control should be used on Kubernetes Services\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ac4a19c2-fa67-49b4-8ae5-0b2e78c49457\",\r\n \"description\": \"To provide granular filtering on the actions that users can perform, use Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service Clusters and configure relevant authorization policies. For more information, see Azure role-based access control.\",\r\n \"remediationDescription\": \"To Use Role-Based Access Control (RBAC) you must recreate your Kubernetes Service cluster and enable RBAC during the creation process. Creating a Kubernetes Service with RBAC enabled can be done via the portal as follows: 1. Go to Azure Kubernetes Services. 2. Click 'Add' and enter your cluster's configuration. 3. In the 'Authentication' tab, verify that the 'Enable RBAC' setting is set to 'Yes'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"ElevationOfPrivilege\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c6dad669-efd7-cd72-61c5-289935607791\",\r\n \"name\": \"c6dad669-efd7-cd72-61c5-289935607791\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Data Lake Analytics should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c95c74d9-38fe-4f0d-af86-0c7d626a315c\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Data Lake Analytics diagnostics: 1. Go to Data Lake Analytics and click on your subscription. 2. Click Diagnostic settings and then click Turn on diagnostics. 3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c42fc28d-1703-45fc-aaa5-39797f570513\",\r\n \"name\": \"c42fc28d-1703-45fc-aaa5-39797f570513\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerability assessment should be enabled on your SQL managed instances\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b7aa243-30e4-4c9e-bca8-d0d3022b634a\",\r\n \"description\": \"Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities.\",\r\n \"remediationDescription\": \"To enable vulnerability assessment on a managed instance: 1. Select the SQL managed instance. 2. Make sure that 'Advanced data security' is set to 'On'. 3. Under 'Vulnerability assessment settings', set 'Periodic recurring scans' to 'On', and configure a storage account for storing vulnerability assessment scan results. 4. Click Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ff6dbca8-d93c-49fc-92af-dc25da7faccd\",\r\n \"name\": \"ff6dbca8-d93c-49fc-92af-dc25da7faccd\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Advanced data security should be enabled on your managed instances\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9\",\r\n \"description\": \"Advanced data security (ADS) is a unified package that provides advanced SQL security capabilities. It discovers and classifies sensitive data, surfaces and mitigates potential database vulnerabilities, and detects anomalous activities that could indicate a threat to your database. ADS is charged at $15 per managed SQL server.\",\r\n \"remediationDescription\": \"To enable advanced data security on managed SQL servers: 1. Select the managed SQL server. 2. Under 'Advanced Data Security', select 'On'. 3. Under 'Vulnerability Assessment Settings', set 'Periodic recurring scans' to 'On', and configure a storage account for storing vulnerability assessment scan results. 4. Click Save.
Note: ADS is charged at $15 per managed SQL server.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/35b25be2-d08a-e340-45ed-f08a95d804fc\",\r\n \"name\": \"35b25be2-d08a-e340-45ed-f08a95d804fc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Only secure connections to your Redis Cache should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/22bee202-a82f-4305-9a2a-6d7f44d4dedb\",\r\n \"description\": \"Enable only connections via SSL to Redis Cache. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.\",\r\n \"remediationDescription\": \"To enable only SSL connections to your Redis Cache, we recommend the following steps: 1. Go to the Redis Caches, and select your redis cache. 2. Select 'Advanced settings'. 3. For 'Allow access only via SSL', click 'Yes' and then click 'Save'.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/77785808-ce86-4e40-b45f-19110a547397\",\r\n \"name\": \"77785808-ce86-4e40-b45f-19110a547397\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in IoT Hub should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/383856f8-de7f-44a2-81fc-e5135b5c2aa4\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable IoT Hub diagnostics: 1. Go to the Event Hub namespace. 2. Click Diagnostic settings and then click Turn on diagnostics. 3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/32771b45-220c-1a8b-584e-fdd5a2584a66\",\r\n \"name\": \"32771b45-220c-1a8b-584e-fdd5a2584a66\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Batch accounts should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/428256e6-1fac-4f48-a757-df34c2b3336d\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Batch diagnostics: 1. Go to Batch and click on your subscription. 2. Click Diagnostic settings and then click Turn on diagnostics. 3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f11b27f2-8c49-5bb4-eff5-e1e5384bf95e\",\r\n \"name\": \"f11b27f2-8c49-5bb4-eff5-e1e5384bf95e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Azure Stream Analytics should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f9be5368-9bf5-4b84-9e0a-7850da98bb46\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Stream Analytics diagnostics: 1. Go to Stream Analytics and click on your subscription. 2. Click Diagnostic settings and then click Turn on diagnostics. 3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f19ab7d9-5ff2-f8fd-ab3b-0bf95dcb6889\",\r\n \"name\": \"f19ab7d9-5ff2-f8fd-ab3b-0bf95dcb6889\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Service Bus should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f8d36e2f-389b-4ee4-898d-21aeb69a0f45\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Service Bus diagnostics: 1. Go to the Service Bus. 2. Click Diagnostic settings and then click Turn on diagnostics. 3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b12bc79e-4f12-44db-acda-571820191ddc\",\r\n \"name\": \"b12bc79e-4f12-44db-acda-571820191ddc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Automation account variables should be encrypted\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735\",\r\n \"description\": \"It is important to enable encryption of Automation account variable assets when storing sensitive data.\",\r\n \"remediationDescription\": \"To apply encryption of the Automation account variable assets, in the Azure CLI - run the following command: Set-AzAutomationVariable -AutomationAccountName '{AutomationAccountName}' -Encrypted $true -Name '{VariableName}' -ResourceGroupName '{ResourceGroupName}' -Value '{Value}'
Read more here\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ad5bbaeb-7632-5edf-f1c2-752075831ce8\",\r\n \"name\": \"ad5bbaeb-7632-5edf-f1c2-752075831ce8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Azure Data Lake Store should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/057ef27e-665e-4328-8ea3-04b3122bd9fb\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Data Lake Store diagnostics: 1. Go to Data Lake Store and click on your subscription. 2. Click Diagnostic settings and then click Turn on diagnostics. 3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/dea5192e-1bb3-101b-b70c-4646546f5e1e\",\r\n \"name\": \"dea5192e-1bb3-101b-b70c-4646546f5e1e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Search services should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b4330a05-a843-4bc8-bf9a-cacce50c67f4\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Search diagnostics: 1. Go to Search and click on your subscription. 2. Click Diagnostic settings and then click Turn on diagnostics. 3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/03afeb6f-7634-adb3-0a01-803b0b9cb611\",\r\n \"name\": \"03afeb6f-7634-adb3-0a01-803b0b9cb611\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Service Fabric clusters should only use Azure Active Directory for client authentication\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b54ed75b-3e1a-44ac-a333-05ba39b99ff0\",\r\n \"description\": \"Perform Client authentication only via Azure Active Directory in Service Fabric\",\r\n \"remediationDescription\": \"To enable client authentication using Azure Active Directory follow the instructions to Set up Azure Active Directory for client authentication.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7f04fc0c-4a3d-5c7e-ce19-666cb871b510\",\r\n \"name\": \"7f04fc0c-4a3d-5c7e-ce19-666cb871b510\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/617c02be-7f02-4efd-8836-3180d47b6c68\",\r\n \"description\": \"Service Fabric provides three levels of protection (None, Sign and EncryptAndSign) for node-to-node communication using a primary cluster certificate. Set the protection level to ensure that all node-to-node messages are encrypted and digitally signed.\",\r\n \"remediationDescription\": \"To set 'ClusterProtectionLevel' inside Service Fabric ARM template to 'EncryptAndSign': 1. Go to the Service fabric cluster. 2. Click on 'Custom fabric settings'. 3. Click 'Add new', set the 'Security' section and update the 'ClusterProtectionLevel' property to 'EncryptAndSign'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1597605a-0faf-5860-eb74-462ae2e9fc21\",\r\n \"name\": \"1597605a-0faf-5860-eb74-462ae2e9fc21\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Event Hub should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83a214f7-d01a-484b-91a9-ed54470c9a6a\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Event Hub diagnostics: 1. Go to the Event Hub namespace. 2. Click Diagnostic settings and then click Turn on diagnostics. 3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/91387f44-7e43-4ecc-55f0-46f5adee3dd5\",\r\n \"name\": \"91387f44-7e43-4ecc-55f0-46f5adee3dd5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Logic Apps should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34f95f76-5386-4de7-b824-0d8478470c9d\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Logic Apps diagnostics: 1. Go to Logic Apps and click on your subscription. 2. Click Diagnostic settings and then click Turn on diagnostics. 3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/961eb649-3ea9-f8c2-6595-88e9a3aeedeb\",\r\n \"name\": \"961eb649-3ea9-f8c2-6595-88e9a3aeedeb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Virtual Machine Scale Sets should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7c1b1214-f927-48bf-8882-84f0af6588b1\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Virtual Machines Scale Sets diagnostics follow the instructions\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606\",\r\n \"description\": \"To benefit from new capabilities in Azure Resource Manager, you can migrate existing deployments from the Classic deployment model. Resource Manager enables security enhancements such as: stronger access control (RBAC), better auditing, ARM-based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management. Learn more\",\r\n \"remediationDescription\": \"To migrate storage accounts to new ARM resources : 1. Go to the Storage Account 2. Click on Migrate to ARM and follow the instructions.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/88bbc99c-e5af-ddd7-6105-6150b2bfa519\",\r\n \"name\": \"88bbc99c-e5af-ddd7-6105-6150b2bfa519\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Key Vault should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Key Vault diagnostics: 1. Go to Key Vault and click on your subscription. 2. Click Diagnostic settings and then click Turn on diagnostics. 3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/45d313c3-3fca-5040-035f-d61928366d31\",\r\n \"name\": \"45d313c3-3fca-5040-035f-d61928366d31\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Access to storage accounts with firewall and virtual network configurations should be restricted\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c\",\r\n \"description\": \"Review the settings of network access in your storage account firewall settings. It is recommended to configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premise clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges.\",\r\n \"remediationDescription\": \"1. In your storage account, go to 'Firewalls and virtual networks'. 2. Under 'Allow access from', choose 'Selected networks'. 3. Configure the relevant virtual networks and IP ranges that should be allowed to access your storage account. 4. Configure \\\"Allow trusted Microsoft services to access your storage account\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": \"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Secure transfer to storage accounts should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9\",\r\n \"description\": \"Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.\",\r\n \"remediationDescription\": \"To enable secure transfer required: 1. In your storage account, go to the 'Configuration' page. 2. Enable 'Secure transfer required'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bd20bd91-aaf1-7f14-b6e4-866de2f43146\",\r\n \"name\": \"bd20bd91-aaf1-7f14-b6e4-866de2f43146\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"System updates on virtual machine scale sets should be installed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe\",\r\n \"description\": \"Install missing system security and critical updates to secure your Windows and Linux virtual machine scale sets.\",\r\n \"remediationDescription\": \"To install system updates: 1. Review the list of missing system updates. 2. Follow the steps to resolve the update, as described in the support link.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/45cfe080-ceb1-a91e-9743-71551ed24e94\",\r\n \"name\": \"45cfe080-ceb1-a91e-9743-71551ed24e94\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Monitoring agent should be installed on virtual machine scale sets\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/f3631911-7880-4edb-88bd-6411f5e3b6ec\",\r\n \"description\": \"Security Center uses the Microsoft Monitoring Agent (MMA) to collect security events from your Azure virtual machine scale sets.<br> You cannot configure auto-provisioning of the MMA for Azure virtual machine scale sets. To deploy the MMA on virtual machine scale sets (including those used by Azure managed services such as Azure Kubernetes Service and Azure Service Fabric), please follow the procedure in the remediation steps.\",\r\n \"remediationDescription\": \"To install monitoring agent : 1. Select or create a workspace. 2. Click on Install to install the agent on the scale set.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8941d121-f740-35f6-952c-6561d2b38d36\",\r\n \"name\": \"8941d121-f740-35f6-952c-6561d2b38d36\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities in security configuration on your virtual machine scale sets should be remediated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4\",\r\n \"description\": \"Remediate vulnerabilities in security configuration on your virtual machine scale sets to protect them from attacks.\",\r\n \"remediationDescription\": \"To remediate vulnerabilities in VM scale set security configurations: 1. Review the list of failed rules. 2. Fix each rule according to the instructions provided.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/21300918-b2e3-0346-785f-c77ff57d243b\",\r\n \"name\": \"21300918-b2e3-0346-785f-c77ff57d243b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Endpoint protection solution should be installed on virtual machine scale sets\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de\",\r\n \"description\": \"Install an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities.\",\r\n \"remediationDescription\": \"To install an endpoint protection solution: 1. Follow the instructions in How do I turn on antimalware in my virtual machine scale set\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e71020c2-860c-3235-cd39-04f3f8c936d2\",\r\n \"name\": \"e71020c2-860c-3235-cd39-04f3f8c936d2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Endpoint protection health failures should be remediated on virtual machine scale sets\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de\",\r\n \"description\": \"Remediate endpoint protection health failures on your virtual machine scale sets to protect them from threats and vulnerabilities.\",\r\n \"remediationDescription\": \"Resolve endpoint protection health issues on your VM scale sets to get full protection and coverage by Azure Security Center. To do this, follow the instructions in each of the possible endpoint protection health issues displayed on your virtual machine scale set.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6c99f570-2ce7-46bc-8175-cde013df43bc\",\r\n \"name\": \"6c99f570-2ce7-46bc-8175-cde013df43bc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Guest configuration extension should be installed on Windows virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/5fc23db3-dd4d-4c56-bcc7-43626243e601\",\r\n \"description\": \"Install the guest configuration agent to enable auditing settings inside a machine such as: - The configuration of the operating system
- Application configuration or presence
- Environment settings
Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'.
For more details, visit in-guest policies\",\r\n \"remediationDescription\": \"Quick fix remediation:
To remediate with a single click, in the Unhealthy resources tab (below), select the resources, and click 'Remediate'.
Read the remediation details in the confirmation box, and approve the remediation.
Note: It can take several minutes after remediation completes to see the resources in the ‘healthy resources’ tab.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/22489c48-27d1-4e40-9420-4303ad9cffef\",\r\n \"name\": \"22489c48-27d1-4e40-9420-4303ad9cffef\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Windows Defender Exploit Guard should be enabled on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/bed48b13-6647-468e-aa2f-1af1d3f4dd40\",\r\n \"description\": \"Windows Defender Exploit Guard leverages the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only).\",\r\n \"remediationDescription\": \"Enable controlled folder access: controlled folder access
The following attack surface rules should be enabled:
'be9ba2d9-53ea-4cdc-84e5-9b1eeee46550',
'b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4',
'9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2',
'd4f940ab-401b-4efc-aadc-ad5f3c50688a',
'd3e037e1-3eb8-44c8-a917-57927947596d',
'5beb7efe-fd9a-4556-801d-275e5ffc04cc',
'3b576869-a4ec-4529-8536-b80a7769e899',
'26190899-1602-49e8-8b27-eb1d0a1ce869',
'92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B',
'7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c',
'75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84'
For more information on visit:attack surface reduction\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ThreatResistance\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/27ac71b1-75c5-41c2-adc2-858f5db45b08\",\r\n \"name\": \"27ac71b1-75c5-41c2-adc2-858f5db45b08\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Log Analytics agent should be installed on your Windows-based Azure Arc machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/d69b1763-b96d-40b8-a2d9-ca31e9fd0d3e\",\r\n \"description\": \"Security Center uses the Log Analytics agent (also known as MMA) to collect security events from your Azure Arc machines. To deploy the agent on all your Azure Arc machines, follow the remediation steps.\",\r\n \"remediationDescription\": \"Security Center can deploy the agents to all your machines with quick fix: 1. From the Unhealthy resources tab, select the relevant machines, and select \\\"Remediate\\\". 2. Read the remediation details in the confirmation box, modify the parameters as necessary, and approve the remediation. Note: It can take several minutes after remediation completes until the resources move to the Healthy resources tab. Manual Remediation: 1. From Azure Arc machine's page, go to Extensions and select Add. 2. Follow the instructions to add the relevant extension. You can also use ARM template or Azure Policies to manage the extension deployment to Arc servers.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/720a3e77-0b9a-4fa9-98b6-ddf0fd7e32c1\",\r\n \"name\": \"720a3e77-0b9a-4fa9-98b6-ddf0fd7e32c1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Log Analytics agent should be installed on your Linux-based Azure Arc machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/842c54e8-c2f9-4d79-ae8d-38d8b8019373\",\r\n \"description\": \"Security Center uses the Log Analytics agent (also known as OMS) to collect security events from your Azure Arc machines. To deploy the agent on all your Azure Arc machines, follow the remediation steps.\",\r\n \"remediationDescription\": \"Security Center can deploy the agents to all your machines with quick fix: 1. From the Unhealthy resources tab, select the relevant machines, and select \\\"Remediate\\\". 2. Read the remediation details in the confirmation box, modify the parameters as necessary, and approve the remediation. Note: It can take several minutes after remediation completes until the resources move to the Healthy resources tab. Manual Remediation: 1. From Azure Arc machine's page, go to Extensions and select Add. 2. Follow the instructions to add the relevant extension. You can also use ARM template or Azure Policies to manage the extension deployment to Arc servers.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9d07b7e6-2986-4964-a76c-b2689604e212\",\r\n \"name\": \"9d07b7e6-2986-4964-a76c-b2689604e212\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Identical Authentication Credentials\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5468b9f3-f0dd-41e3-a383-f0f442f34bcf\",\r\n \"description\": \"Identical authentication credentials to the IoT Hub used by multiple devices. This could indicate an illegitimate device impersonating a legitimate device. It also exposes the risk of device impersonation by an attacker\",\r\n \"remediationDescription\": \"Review the devices in question and make sure they are all valid. Replace any duplicated credentials and make sure all device authentication credentials are unique.\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5a3d6cdd-8eb3-46d2-ba11-d24a0d47fe65\",\r\n \"name\": \"5a3d6cdd-8eb3-46d2-ba11-d24a0d47fe65\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Default IP Filter Policy should be Deny\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bde66085-0bff-4163-a200-2ff7c1175045\",\r\n \"description\": \"IP Filter Configuration should have rules defined for allowed traffic and should deny all other traffic by default\",\r\n \"remediationDescription\": \"Add a default rule at the end of the defined rules list to deny all inbound traffic. Make sure any rules defined above it only allow wanted traffic through.\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d8326952-60bb-40fb-b33f-51e662708a88\",\r\n \"name\": \"d8326952-60bb-40fb-b33f-51e662708a88\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IP Filter rule large IP range\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3f528984-4591-4989-b6bc-6d9f67f3de57\",\r\n \"description\": \"An Allow IP Filter rule's source IP range is too large. Overly permissive rules might expose your IoT hub to malicious intenders\",\r\n \"remediationDescription\": \"Review the rule in question and verify source IP range is as small as it needs to be for necessary traffic to go through.\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1a36f14a-8bd8-45f5-abe5-eef88d76ab5b\",\r\n \"name\": \"1a36f14a-8bd8-45f5-abe5-eef88d76ab5b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Open Ports On Device\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fa676ae0-e4c3-4803-8ce8-e85df20b57cd\",\r\n \"description\": \"A listening endpoint was found on the device\",\r\n \"remediationDescription\": \"Review the open ports on the device and make sure they belong to legitimate and necessary processes for the device to function correctly\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ba975338-f956-41e7-a9f2-7614832d382d\",\r\n \"name\": \"ba975338-f956-41e7-a9f2-7614832d382d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Permissive firewall rule in the input chain was found\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a782bbed-a876-4631-9bc5-7ace7d466dc8\",\r\n \"description\": \"A rule in the firewall has been found that contains a permissive pattern for a wide range of IP addresses or Ports\",\r\n \"remediationDescription\": \"Review the rules in the recommendation and verify only necessary addresses / ports are allowed in\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/beb62be3-5e78-49bd-ac5f-099250ef3c7c\",\r\n \"name\": \"beb62be3-5e78-49bd-ac5f-099250ef3c7c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Permissive firewall policy in one of the chains was found\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fce8d615-a5d2-431d-ba4d-2d9ae164224f\",\r\n \"description\": \"An allowed firewall policy was found in main firewall Chains (INPUT/OUTPUT). The policy should Deny all traffic by default define rules to allow necessary communication to/from the device\",\r\n \"remediationDescription\": \"Change firewall policy to Drop and add specific rules to permit access to legitimate connections to/from the device\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d5a8d84a-9ad0-42e2-80e0-d38e3d46028a\",\r\n \"name\": \"d5a8d84a-9ad0-42e2-80e0-d38e3d46028a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Permissive firewall rule in the output chain was found\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/75af18a4-86e2-40ab-a157-359d67bd9314\",\r\n \"description\": \"A rule in the firewall has been found that contains a permissive pattern for a wide range of IP addresses or ports\",\r\n \"remediationDescription\": \"Review the rules in the recommendation and verify only necessary addresses / ports are allowed out\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3a577f3e-2a57-4197-bc79-85007d5c8cd8\",\r\n \"name\": \"3a577f3e-2a57-4197-bc79-85007d5c8cd8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Install the Azure Security of Things Agent\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b122f8fc-72f9-4a24-87ec-b71bdfb5a890\",\r\n \"description\": \"Installing the Azure Security of Things agent on a device increases the security detections available for it\",\r\n \"remediationDescription\": \"Install the Azure Security of Things Security Agent\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5f65e47f-7a00-4bf3-acae-90ee441ee876\",\r\n \"name\": \"5f65e47f-7a00-4bf3-acae-90ee441ee876\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Operating system baseline validation failure\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a15d59b-fbfe-41c9-bdb1-d900cc77eb6e\",\r\n \"description\": \"Security related system configuration issues identified\",\r\n \"remediationDescription\": \"Review the failed rules and remediate the security configuration vulnerabilities identified on your devices\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a9a59ebb-5d6f-42f5-92a1-036fd0fd1879\",\r\n \"name\": \"a9a59ebb-5d6f-42f5-92a1-036fd0fd1879\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Agent sending underutilized messages\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a6cb74de-df4c-497f-9e87-f0ccd430de6c\",\r\n \"description\": \"IoT agent message size capacity is currently underutilized, causing an increase in the number of sent messages. Adjust message intervals for better utilization\",\r\n \"remediationDescription\": \"To avoid too many underutilized messages, consider enlarging the high/low priority send intervals\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2acc27c6-5fdb-405e-9080-cb66b850c8f5\",\r\n \"name\": \"2acc27c6-5fdb-405e-9080-cb66b850c8f5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - TLS cipher suite upgrade needed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f4912296-8654-4bf1-bb7b-a42bfa368af6\",\r\n \"description\": \"Unsecure TLS configurations detected. Immediate TLS cipher suite upgrade recommended\",\r\n \"remediationDescription\": \"Upgrade your TLS cipher suite to a secure configuration. See the Guide to TLS Standards Compliance for more information\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d74d2738-2485-4103-9919-69c7e63776ec\",\r\n \"name\": \"d74d2738-2485-4103-9919-69c7e63776ec\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Auditd process stopped sending events\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5502d409-6ab3-401d-a4ae-619cf2bbf68e\",\r\n \"description\": \"Security events originated from Auditd process are no longer received from this device\",\r\n \"remediationDescription\": \"Verify Auditd process is running on the device, restart process or device as needed\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2acd365d-e8b5-4094-bce4-244b7c51d67c\",\r\n \"name\": \"2acd365d-e8b5-4094-bce4-244b7c51d67c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Service principals should be used to protect your subscriptions instead of Management Certificates\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Security/assessmentMetadata/2acd365d-e8b5-4094-bce4-244b7c51d67c\",\r\n \"description\": \"Management certificates allow anyone who authenticates with them to manage the subscription(s) they are associated with. To manage subscriptions more securely, using service principals with Resource Manager is recommended to limit the blast radius in the case of a certificate compromise. It also automates resource management. \",\r\n \"remediationDescription\": \"To remove management certificates and replace with service principals:1. Follow the guidance here to create service principals with a certificate. 2. Select a subscription from the list of subscriptions below or navigate to the specific subscription. 3. Select In the Management Certificates under Settings , delete the existing management certificates you would like to replace with the service principals you created.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"name\": \"eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Subnets should be associated with a network security group\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e71308d3-144b-4262-b144-efdc3cc90517\",\r\n \"description\": \"Protect your subnet from potential threats by restricting access to it with a network security group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. When an NSG is associated with a subnet, the ACL rules apply to all the VM instances and integrated services in that subnet, but don't apply to internal traffic inside the subnet. To secure resources in the same subnet from one another, enable NSG directly on the resources as well.\",\r\n \"remediationDescription\": \"To enable network security groups on your virtual machines: 1. Select a VM to enable NSG on its NIC. 2. In the 'Networking' blade, click the Network Interface that is associated with the selected VM. 3. In the 'Network interface' blade, click the 'Network security group' menu item. 4. Click the 'Edit' button at the top of the blade. 5. Follow the steps and select an existing network security group to attach to this VM.
Click here to learn more.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"name\": \"e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure DDoS Protection Standard should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd\",\r\n \"description\": \"Security Center has discovered virtual networks with applications and firewalls unprotected by the DDoS protection service. These apps and firewalls have public IPs. Enable mitigation of network volumetric and protocol attacks.\",\r\n \"remediationDescription\": \"1. Select a virtual network to enable the DDoS protection service standard on. 2. Select the Standard option. 3. Click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"ThreatResistance\",\r\n \"DenialOfService\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/35f45c95-27cf-4e52-891f-8390d1de5828\",\r\n \"name\": \"35f45c95-27cf-4e52-891f-8390d1de5828\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Adaptive application controls for whitelisting safe applications should be enabled on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc\",\r\n \"description\": \"Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.\",\r\n \"remediationDescription\": \"To enable and configure adaptive application controls: 1. From the portal, open Security Center. 2. Select \\\"Adaptive application controls\\\" from Security Center’s sidebar. 3. To see the groups of machines that Security Center recommends protecting with adaptive application controls, select the \\\"Recommended\\\" tab and choose a group of machines to protect. 4. Create a new applications control policy according to the instructions in Security Center’s documentation: https://aka.ms/aac-newpolicy\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\",\r\n \"ThreatResistance\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1234abcd-1b53-4fd4-9835-2c2fa3935313\",\r\n \"name\": \"1234abcd-1b53-4fd4-9835-2c2fa3935313\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Whitelisting rules in your adaptive application control policy should be updated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/123a3936-f020-408a-ba0c-47873faf1534\",\r\n \"description\": \"Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to whitelist in adaptive application control policies.\",\r\n \"remediationDescription\": \"To update your whitelists of known-safe applications: 1. From the portal, open Security Center. 2. Select \\\"Adaptive application controls\\\" from Security Center’s sidebar. 3. To see the groups of machines for which Security Center recommends updating the policy, select the \\\"Recommended\\\" tab and choose the configured group of machines. 4. The current policy will be displayed together with the new rules that Security Center recommends adding.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\",\r\n \"ThreatResistance\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f9f0eed0-f143-47bf-b856-671ea2eeed62\",\r\n \"name\": \"f9f0eed0-f143-47bf-b856-671ea2eeed62\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Adaptive Network Hardening recommendations should be applied on internet facing virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6\",\r\n \"description\": \"Azure Security Center has analyzed the internet traffic communication patterns of the virtual machines listed below, and determined that the existing rules in the NSGs associated to them are overly permissive, resulting in an increased potential attack surface.
This typically occurs when this IP address doesn't communicate regularly with this resource. Alternatively, the IP address has been flagged as malicious by Security Center's threat intelligence sources. learn more\",\r\n \"remediationDescription\": \"To harden the Network Security Group traffic rules, enforce the recommended rules by following the steps below or manually edit the rules directly on the Network Security Group:
- Select a VM from the list below, or click \\\"Take action\\\" if you've arrived from a specific VM's recommendation blade.
- Click the \\\"Rules\\\" tab.
- If you want to modify a recommended rule's parameters:
- In the rule that you want to change, select the three dots and select \\\"Edit rule\\\". The \\\"Edit rule\\\" blade opens.
- Modify the parameters that you want to change and click \\\"Save\\\". The blade closes.
- If you want to create a new rule:
- Click \\\"Add rule\\\" (in the top left corner). The \\\"Edit rule\\\" blade opens.
- Fill in the parameters and click \\\"Add rule\\\". The pane closes and the new rule is listed in the Rules tab.
- Select the rules that you want to apply (including any rules that you edited or added) and click \\\"Enforce\\\".
\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/805651bc-6ecd-4c73-9b55-97a19d0582d0\",\r\n \"name\": \"805651bc-6ecd-4c73-9b55-97a19d0582d0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Management ports of virtual machines should be protected with just-in-time network access control\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c\",\r\n \"description\": \"N/A\",\r\n \"remediationDescription\": \"N/A\",\r\n \"categories\": [\r\n \"Compute\",\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/01b1ed4c-b733-4fee-b145-f23236e70cf3\",\r\n \"name\": \"01b1ed4c-b733-4fee-b145-f23236e70cf3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerability assessment solution should be installed on your virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/760a85ff-6162-42b3-8d70-698e268f648c\",\r\n \"description\": \"N/A\",\r\n \"remediationDescription\": \"N/A\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/71992a2a-d168-42e0-b10e-6b45fa2ecddb\",\r\n \"name\": \"71992a2a-d168-42e0-b10e-6b45fa2ecddb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities should be remediated by a Vulnerability Assessment solution\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/760a85ff-6162-42b3-8d70-698e268f648c\",\r\n \"description\": \"N/A\",\r\n \"remediationDescription\": \"N/A\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\",\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bc303248-3d14-44c2-96a0-55f5c326b5fe\",\r\n \"name\": \"bc303248-3d14-44c2-96a0-55f5c326b5fe\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Management ports should be closed on your virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/22730e10-96f6-4aac-ad84-9383d35b5917\",\r\n \"description\": \"Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.\",\r\n \"remediationDescription\": \"We recommend that you edit the inbound rules of some of your virtual machines, to restrict access to specific source ranges.
To restrict access to your virtual machines: 1. Select a VM to restrict access to. 2. In the 'Networking' blade, click on each of the rules that allow management ports (e.g. RDP-3389, WINRM-5985, SSH-22). 3. Either change the 'Action' property to 'Deny', or, improve the rule by applying a less permissive range of source IP ranges. 4. Click 'Save'.
Use Azure Security Center's Just-in-time (JIT) virtual machine (VM) access to lock down inbound traffic to your Azure VMs by demand. Click here to learn more.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ThreatResistance\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c3b51c94-588b-426b-a892-24696f9e54cc\",\r\n \"name\": \"c3b51c94-588b-426b-a892-24696f9e54cc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IP forwarding on your virtual machine should be disabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744\",\r\n \"description\": \"Azure Security Center has discovered that IP forwarding is enabled on some of your virtual machines. Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.\",\r\n \"remediationDescription\": \"We recommend you edit the IP configurations of the NICs belonging to some of your virtual machines.
To disable IP forwarding: 1. Select a VM from the list below, or click 'Take action' if you've arrived from a specific VM's recommendation blade. 2. In the 'Networking' blade, click on the NIC link ('Network Interface' in the top left). 3. In the 'IP configurations' blade, set the 'IP forwarding' field to 'Disabled'. 4. Click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3b20e985-f71f-483b-b078-f30d73936d43\",\r\n \"name\": \"3b20e985-f71f-483b-b078-f30d73936d43\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"All network ports should be restricted on NSG associated to your VM\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9daedab3-fb2d-461e-b861-71790eead4f6\",\r\n \"description\": \"Azure Security center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to easily target your resources.\",\r\n \"remediationDescription\": \"We recommend that you edit the inbound rules of some of your virtual machines, to restrict access to specific source ranges.
To restrict access to your virtual machines: 1. Select a VM to restrict access to. 2. In the 'Networking' blade, click the Network Security Group with overly permissive rules. 3. In the 'Network security group' blade, click on each of the rules that are overly permissive. 4. Improve the rule by applying less permissive source IP ranges. 5. Apply the suggested changes and click 'Save'.
If some or all of these virtual machines do not need to be accessed directly from the Internet, then you can also consider removing the public IP associated to them.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/483f12ed-ae23-447e-a2de-a67a10db4353\",\r\n \"name\": \"483f12ed-ae23-447e-a2de-a67a10db4353\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Internet-facing virtual machines should be protected with network security groups\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c\",\r\n \"description\": \"Protect your VM from potential threats by restricting access to it with a network security group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your VM from other instances, in or outside the same subnet.
Please note that to keep your machine as secured as possible, both the VM access to the Internet must be restricted, and an NSG should be enabled on the subnet.
VMs with 'High' severity are Internet-facing VMs.\",\r\n \"remediationDescription\": \"To enable Network Security Groups on your virtual machines: 1. Select a VM to enable NSG on its NIC. 2. In the 'Networking' blade, click the Network Interface that is associated with the selected VM. 3. In the 'Network interface' blade, click the 'Network security group' menu item. 4. Click the 'Edit' button at the top of the blade. 5. Follow the steps and select an existing network security group to attach to this VM.
Click here to learn more.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a9341235-9389-42f0-a0bf-9bfb57960d44\",\r\n \"name\": \"a9341235-9389-42f0-a0bf-9bfb57960d44\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Non-internet-facing virtual machines should be protected with network security groups\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6\",\r\n \"description\": \"Protect your non-internet-facing virtual machine from potential threats by restricting access to it with a network security group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your VM from other instances, whether or not they're on the same subnet.
Note that to keep your machine as secure as possible, the VM's access to the internet must be restricted and an NSG should be enabled on the subnet.\",\r\n \"remediationDescription\": \"To enable network security groups on your virtual machines: 1. Select a VM to enable an NSG on its NIC. 2. In the 'Networking' pane, select the Network Interface that is associated with the selected VM. 3. In the 'Network interface' pane, select the 'Network security group' menu item. 4. Select 'Edit' at the top of the pane. 5. Follow the steps and select an existing network security group to attach to this VM.
Learn more.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/550e890b-e652-4d22-8274-60b3bdb24c63\",\r\n \"name\": \"550e890b-e652-4d22-8274-60b3bdb24c63\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Enable the built-in vulnerability assessment solution on virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9\",\r\n \"description\": \"Install the Qualys extension (built-in to the Azure Security Center standard tier) to enable the industry-leading vulnerability assessment solution on your virtual machines.\",\r\n \"remediationDescription\": \"To remediate with a single click, in the Unhealthy resources tab (below), select the resources, and click 'Remediate'. Read the remediation details in the confirmation box, insert the relevant parameters if required and approve the remediation. Note: It can take several minutes after remediation completes to see the resources in the ‘healthy resources’\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/57f36d21-69e3-4b0f-a66c-18629d1b736d\",\r\n \"name\": \"57f36d21-69e3-4b0f-a66c-18629d1b736d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Adaptive Network Hardening recommendations should be applied on internal facing virtual machines (Preview)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/65f6008c-c7de-4146-b4f2-0f91aa80ebe0\",\r\n \"description\": \"Azure Security Center has analyzed the Internet traffic communication patterns of the virtual machines listed below, and determined that the existing rules in the NSGs associated to them are overly permissive, resulting in an increased potential attack surface. This could be due lack of traffic on the port/protocol tuples or specific IPs which have been flagged as malicious by Security Center's threat intelligence sources.\",\r\n \"remediationDescription\": \"Security Center recommends that you modify the rules of your virtual machines, to close ports which are not in use.
To close unused ports on your Virtual Machine with a Network Security Group
1. Select a Virtual Machine to display a list of its unused open ports
2. Open the Virtual Machine's Networking blade by clicking its name
3. Edit the Virtual Machine's inbound/outbound rules to block ports according to the list
4. Click Save\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/24d8af06-d441-40b4-a49c-311421aa9f58\",\r\n \"name\": \"24d8af06-d441-40b4-a49c-311421aa9f58\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Network traffic data collection agent should be installed on Windows virtual machines (Preview)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2f2ee1de-44aa-4762-b6bd-0893fc3f306d\",\r\n \"description\": \"Security Center uses the Microsoft Monitoring Dependency Agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats.\",\r\n \"remediationDescription\": \"To remediate with a single click, in the Unhealthy resources tab (below), select the resources, and click Remediate. Read the remediation details in the confirmation box, insert the relevant parameters if required and approve the remediation.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8c3e93d3-0276-4d06-b20a-9a9f3012742c\",\r\n \"name\": \"8c3e93d3-0276-4d06-b20a-9a9f3012742c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Network traffic data collection agent should be installed on Linux virtual machines (Preview)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/04c4380f-3fae-46e8-96c9-30193528f602\",\r\n \"description\": \"Security Center uses the Microsoft Monitoring Dependency Agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats.\",\r\n \"remediationDescription\": \"To remediate with a single click, in the Unhealthy resources tab (below), select the resources, and click Remediate. Read the remediation details in the confirmation box, insert the relevant parameters if required and approve the remediation.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b0df6f56-862d-4730-8597-38c0fd4ebd59\",\r\n \"name\": \"b0df6f56-862d-4730-8597-38c0fd4ebd59\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Sensitive data in your SQL databases should be classified\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/cc9835f2-9f6b-4cc8-ab4a-f8ef615eb349\",\r\n \"description\": \"Azure SQL DB Data discovery & classification provides capabilities for discovering, classifying, labeling, and protecting the sensitive data in your databases. Once your data is classified, you can use Azure SQL DB auditing to audit access and monitor the sensitive data. Azure SQL DB also enables Advanced Threat Protection features which creates intelligent alerts based on changes in the access patterns to the sensitive data.\",\r\n \"remediationDescription\": \"To remediate this recommendation: 1. In your SQL database, go to 'Advanced Data Security' and click 'Data Discovery and Classification'. 2. Review the recommended classifications. 3. Apply the relevant recommendations and dismiss the ones that are not applicable.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fe02b3b7-a722-d4d6-6731-6493776203a6\",\r\n \"name\": \"fe02b3b7-a722-d4d6-6731-6493776203a6\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities on your SQL databases should be remediated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc\",\r\n \"description\": \"SQL Vulnerability Assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security stature.\",\r\n \"remediationDescription\": \"To resolve SQL vulnerabilities: 1. In your SQL database, go to 'Advanced Data Security' and click 'Vulnerability Assessment'. 2. Review the set of Failed security checks found by the scan, which are sorted from high to low risk. 3. Click on each vulnerability to view its details and explicit remediation instructions and scripts. 4. Either remediate the vulnerability using the provided script, or set the result as an acceptable Baseline for the check so that it will be considered passing in subsequent scans.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f97aa83c-9b63-4f9a-99f6-b22c4398f936\",\r\n \"name\": \"f97aa83c-9b63-4f9a-99f6-b22c4398f936\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities on your SQL databases in VMs should be remediated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d\",\r\n \"description\": \"SQL Vulnerability Assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security stature.\",\r\n \"remediationDescription\": \"To resolve SQL vulnerabilities: 1. In your SQL database, go to 'Advanced Data Security' and click 'Vulnerability Assessment'. 2. Review the set of Failed security checks found by the scan, which are sorted from high to low risk. 3. Click on each vulnerability to view its details and explicit remediation instructions and scripts. 4. Either remediate the vulnerability using the provided script, or set the result as an acceptable Baseline for the check so that it will be considered passing in subsequent scans.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/dbd0cb49-b563-45e7-9724-889e799fa648\",\r\n \"name\": \"dbd0cb49-b563-45e7-9724-889e799fa648\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities in Azure Container Registry images should be remediated (powered by Qualys)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bf49982c-9e3e-4fc4-bc20-67afecd23512\",\r\n \"description\": \"Container image vulnerability assessment scans your registry for security vulnerabilities on each pushed container image and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks.\",\r\n \"remediationDescription\": \"To resolve container image vulnerabilities: 1. Navigate to the relevant resource under the 'Unhealthy' section and select the container image you are looking to remediate. 2. Review the set of failed security checks found by the scan, which are sorted from high to low risk. 3. Click on each vulnerability to view its details and explicit remediation instructions and scripts. 4. Remediate the vulnerability using the provided instructions described in the 'Remediation' field. 5. Upload the new remediated image to your registry. Review scan results for the new image to verify the vulnerability no longer exist. 6. Delete the old image with the vulnerability from you registry.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1195afff-c881-495e-9bc5-1486211ae03f\",\r\n \"name\": \"1195afff-c881-495e-9bc5-1486211ae03f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Remediate vulnerabilities found on your virtual machines (powered by Qualys)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9\",\r\n \"description\": \"Monitors for vulnerability findings on your virtual machines as were discovered by the built-in vulnerability assessment solution of Azure Security Center (powered by Qualys).\",\r\n \"remediationDescription\": \"Review and remediate vulnerability findings that were discovered by the built-in vulnerability assessment solution of Azure Security Center (powered by Qualys).\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/82e20e14-edc5-4373-bfc4-f13121257c37\",\r\n \"name\": \"82e20e14-edc5-4373-bfc4-f13121257c37\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities on your SQL databases should be remediated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc\",\r\n \"description\": \"SQL Vulnerability Assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security stature.\",\r\n \"remediationDescription\": \"To resolve SQL vulnerabilities: 1. In your SQL database, go to 'Advanced Data Security' and click 'Vulnerability Assessment'. 2. Review the set of Failed security checks found by the scan, which are sorted from high to low risk. 3. Click on each vulnerability to view its details and explicit remediation instructions and scripts. 4. Either remediate the vulnerability using the provided script, or set the result as an acceptable Baseline for the check so that it will be considered passing in subsequent scans.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n }\r\n ]\r\n}",
+ "ResponseBody": "{\r\n \"value\": [\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4fb67663-9ab9-475d-b026-8c544cced439\",\r\n \"name\": \"4fb67663-9ab9-475d-b026-8c544cced439\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Install endpoint protection solution on Linux virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9\",\r\n \"description\": \"\",\r\n \"remediationDescription\": \"\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0396b18c-41aa-489c-affd-4ee5d1714a59\",\r\n \"name\": \"0396b18c-41aa-489c-affd-4ee5d1714a59\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Secure Boot should be enabled on your virtual machine\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0396b18c-41aa-489c-affd-4ee5d1714a59\",\r\n \"description\": \"Enabling Secure Boot on your virtual machine helps mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only signed code will be allowed to run on your VM or server.\",\r\n \"remediationDescription\": \"Enabling Secure Boot requires restarting your virtual machine: 1. Stop your VM when it is safe to do so. 2. Enable Secure Boot for the VM. 3. Restart the VM.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ElevationOfPrivilege\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f7010359-8d21-4598-a9f2-c3e81a17141e\",\r\n \"name\": \"f7010359-8d21-4598-a9f2-c3e81a17141e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"All advanced threat protection types should be enabled in SQL server advanced data security settings\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e756b945-1b1b-480b-8de8-9a0859d5f7ad\",\r\n \"description\": \"It is recommended to enable all advanced threat protection types on your SQL servers. Enabling all types protects against SQL injection, database vulnerabilities, and any other anomalous activities.\",\r\n \"remediationDescription\": \"To set advanced threat protection types to 'All' on SQL servers: 1. Select the SQL server. 2. Make sure that 'Advanced data security' is set to 'On'. 3. Under 'Advanced threat protection types', mark the check box for 'all'. 4. click OK. 5. Click Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ebe970fe-9c27-4dd7-a165-1e943d565e10\",\r\n \"name\": \"ebe970fe-9c27-4dd7-a165-1e943d565e10\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"All advanced threat protection types should be enabled in SQL managed instance advanced data security settings\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bda18df3-5e41-4709-add9-2554ce68c966\",\r\n \"description\": \"It is recommended to enable all advanced threat protection types on your SQL managed instances. Enabling all types protects against SQL injection, database vulnerabilities, and any other anomalous activities.\",\r\n \"remediationDescription\": \"To set advanced threat protection types to 'All' on a managed instance: 1. Select the SQL server. 2. Make sure that 'Advanced data security' is set to 'On'. 3. Under 'Advanced threat protection types', mark the check box for 'all'. 4. click OK. 5. Click Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/64b8637e-4e1d-76a9-0fc9-c1e487a97ed8\",\r\n \"name\": \"64b8637e-4e1d-76a9-0fc9-c1e487a97ed8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Remote debugging should be turned off for Web Applications\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/cb510bfd-1cba-4d9f-a230-cb0976f4bb71\",\r\n \"description\": \"Remote debugging requires inbound ports to be opened on a web application. Remote debugging is currently enabled. If you no longer need to use remote debugging, it should be turned off.\",\r\n \"remediationDescription\": \"To turn off remote debugging, we recommend the following steps: 1. Go to the app service applications settings page 2. In the remote debugging toggle select Off 3. Click Save\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/df4d1739-47f0-60c7-1706-3731fea6ab03\",\r\n \"name\": \"df4d1739-47f0-60c7-1706-3731fea6ab03\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CORS should not allow every resource to access your Web Applications\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/5744710e-cc2f-4ee8-8809-3b11e89f4bc9\",\r\n \"description\": \"Cross-Origin Resource Sharing (CORS) should not allow all domains to access your web application. Allow only required domains to interact with your web app.\",\r\n \"remediationDescription\": \"To allow only required domains to interact with your web app, we recommend the following steps:<br>1. Go to the app service CORS page<br>2. Remove the \\\"*\\\" defined and instead specify explicit origins that should be allowed to make cross-origin calls<br>3. Click Save\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1b351b29-41ca-6df5-946c-c190a56be5fe\",\r\n \"name\": \"1b351b29-41ca-6df5-946c-c190a56be5fe\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Web Application should only be accessible over HTTPS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d\",\r\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\",\r\n \"remediationDescription\": \"To redirect all HTTP traffic to HTTPS, we recommend the following steps:
\\n1. Go to the app service custom domains page
\\n2. In the HTTPS Only toggle select On\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/093c685b-56dd-13a3-8ed5-887a001837a2\",\r\n \"name\": \"093c685b-56dd-13a3-8ed5-887a001837a2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Remote debugging should be turned off for Function App\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/0e60b895-3786-45da-8377-9c6b4b6ac5f9\",\r\n \"description\": \"Remote debugging requires inbound ports to be opened on an function app. Remote debugging should be turned off.\",\r\n \"remediationDescription\": \"To turn off remote debugging, we recommend the following steps:<br>1. Go to the app service applications settings page<br>2. In the remote debugging toggle select Off<br>3. Click Save\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7b3d4796-9400-2904-692b-4a5ede7f0a1e\",\r\n \"name\": \"7b3d4796-9400-2904-692b-4a5ede7f0a1e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CORS should not allow every resource to access your Function App\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/0820b7b9-23aa-4725-a1ce-ae4558f718e5\",\r\n \"description\": \"Cross-Origin Resource Sharing (CORS) should not allow all domains to access your Function app. Allow only required domains to interact with your Function app.\",\r\n \"remediationDescription\": \"To allow only required domains to interact with your web app, we recommend the following steps:<br>1. Go to the app service CORS page<br>2. Remove the \\\"*\\\" defined and instead specify explicit origins that should be allowed to make cross-origin calls<br>3. Click Save\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/cb0acdc6-0846-fd48-debe-9905af151b6d\",\r\n \"name\": \"cb0acdc6-0846-fd48-debe-9905af151b6d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Function App should only be accessible over HTTPS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab\",\r\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\",\r\n \"remediationDescription\": \"To redirect all HTTP traffic to HTTPS, we recommend the following steps:
\\n1. Go to the app service custom domains page
\\n2. In the HTTPS Only toggle select On\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9172da4e-9571-6e33-2b5b-d742847f3be7\",\r\n \"name\": \"9172da4e-9571-6e33-2b5b-d742847f3be7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Remote debugging should be turned off for API App\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/e9c8d085-d9cc-4b17-9cdc-059f1f01f19e\",\r\n \"description\": \"Remote debugging requires inbound ports to be opened on an API app. Remote debugging should be turned off.\",\r\n \"remediationDescription\": \"To turn off remote debugging, we recommend the following steps:<br>1. Go to the app service applications settings page<br>2. In the remote debugging toggle select Off<br>3. Click Save\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e40df93c-7a7c-1b0a-c787-9987ceb98e54\",\r\n \"name\": \"e40df93c-7a7c-1b0a-c787-9987ceb98e54\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CORS should not allow every resource to access your API App\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/358c20a6-3f9e-4f0e-97ff-c6ce485e2aac\",\r\n \"description\": \"Cross-Origin Resource Sharing (CORS) should not allow all domains to access your API app. Allow only required domains to interact with your API app.\",\r\n \"remediationDescription\": \"To allow only required domains to interact with your web app, we recommend the following steps:<br>1. Go to the app service CORS page<br>2. Remove the �*� defined and instead specify explicit origins that should be allowed to make cross-origin calls<br>3. Click Save\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bf82a334-13b6-ca57-ea75-096fc2ffce50\",\r\n \"name\": \"bf82a334-13b6-ca57-ea75-096fc2ffce50\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"API App should only be accessible over HTTPS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b7ddfbdc-1260-477d-91fd-98bd9be789a6\",\r\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\",\r\n \"remediationDescription\": \"To redirect all HTTP traffic to HTTPS, we recommend the following steps:
\\n1. Go to the app service custom domains page
\\n2. In the HTTPS Only toggle select On\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d57a4221-a804-52ca-3dea-768284f06bb7\",\r\n \"name\": \"d57a4221-a804-52ca-3dea-768284f06bb7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Disk encryption should be applied on virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d\",\r\n \"description\": \"Encrypt your virtual machine disks using Azure Disk Encryption both for Windows and Linux virtual machines.
\\n Azure Disk Encryption (ADE) leverages the industry standard BitLocker feature of Windows and the DM-Crypt feature of Linux to
\\n provide OS and data disk encryption to help protect and safeguard your data and help meet your organizational security and
\\n compliance commitments in customer Azure key vault. When your compliance and security requirement requires you to encrypt
\\n the data end to end using your encryption keys, including encryption of the ephemeral (locally attached temporary) disk, use
\\n Azure disk encryption. Alternatively, by default, Managed Disks are encrypted at rest by default using Azure Storage Service
\\n Encryption where the encryption keys are Microsoft managed keys in Azure. If this meets your compliance and security requirements,
\\n you can leverage the default Managed disk encryption to meet your requirements.\",\r\n \"remediationDescription\": \"To enable disk encryption on your virtual machines, follow Encryption instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4ab6e3c5-74dd-8b35-9ab9-f61b30875b27\",\r\n \"name\": \"4ab6e3c5-74dd-8b35-9ab9-f61b30875b27\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"System updates should be installed on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60\",\r\n \"description\": \"Install missing system security and critical updates to secure your Windows and Linux virtual machines and computers\",\r\n \"remediationDescription\": \"1. Click an identified outstanding update. 2. In the Missing system updates pane, click the support link and follow the instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c0f5316d-5ac5-9218-b77a-b96e16ccfd66\",\r\n \"name\": \"c0f5316d-5ac5-9218-b77a-b96e16ccfd66\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Your machines should be restarted to apply system updates\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60\",\r\n \"description\": \"Restart your machines to apply the system updates and secure the machine from vulnerabilities.\",\r\n \"remediationDescription\": \"To restart the machine:
\\n1. Go to Virtual machines and click on your machine.
\\n2. Click 'Restart'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/181ac480-f7c4-544b-9865-11b8ffe87f47\",\r\n \"name\": \"181ac480-f7c4-544b-9865-11b8ffe87f47\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities in security configuration on your machines should be remediated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15\",\r\n \"description\": \"Remediate vulnerabilities in security configuration on your machines to protect them from attacks.\",\r\n \"remediationDescription\": \"1.\\tClick any of the configuration vulnerabilities. 2. In the Remediate security configurations pane, click View affected machines. 3. Click a machine from the list. 4. Customize the Kusto query as necessary and run the command.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3bcd234d-c9c7-c2a2-89e0-c01f419c1a8a\",\r\n \"name\": \"3bcd234d-c9c7-c2a2-89e0-c01f419c1a8a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Endpoint protection health issues should be resolved on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9\",\r\n \"description\": \"For full Security Center protection, resolve monitoring agent issues on your machines by following the instructions in the Troubleshooting guide.\",\r\n \"remediationDescription\": \"1. Click any of the health issues. 2. Select a workspace. 3. Customize the Kusto query as necessary and run the command.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/83f577bd-a1b6-b7e1-0891-12ca19d1e6df\",\r\n \"name\": \"83f577bd-a1b6-b7e1-0891-12ca19d1e6df\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Install endpoint protection solution on virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9\",\r\n \"description\": \"Install an endpoint protection solution on your virtual machines, to protect them from threats and vulnerabilities.\",\r\n \"remediationDescription\": \"1.\\tSelect one or more virtual machines, or use the filter to set criteria for which machines to select. 2. Click Install on [x] VMs.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/651967bf-044e-4bde-8376-3e08e0600105\",\r\n \"name\": \"651967bf-044e-4bde-8376-3e08e0600105\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Transparent Data Encryption on SQL databases should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a8bef009-a5c9-4d0f-90d7-6018734e8a16\",\r\n \"description\": \"Enable transparent data encryption to protect data-at-rest and meet compliance requirements\",\r\n \"remediationDescription\": \"To enable transparent data encryption on your SQL databases: 1. Select the SQL database. 2. Under Data encryption, select On. 3. Click Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/94208a8b-16e8-4e5b-abbd-4e81c9d02bee\",\r\n \"name\": \"94208a8b-16e8-4e5b-abbd-4e81c9d02bee\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Auditing on SQL server should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9\",\r\n \"description\": \"Enable auditing on your SQL Server to track database activities across all databases on the server and save them in an audit log.\",\r\n \"remediationDescription\": \"To enable SQL server auditing:
\\n1. Select the SQL server.
\\n2. Under Auditing, select On.
\\n3. Select Storage details and configure a storage account for the audit log.
\\n4. Click Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8bc390da-9eb6-938d-25ed-44a35d9bcc9d\",\r\n \"name\": \"8bc390da-9eb6-938d-25ed-44a35d9bcc9d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"OS version should be updated for your cloud service roles\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Update the operating system (OS) version for your cloud service roles to the most recent version available for your OS family.\",\r\n \"remediationDescription\": \"Update the OS version on your cloud service roles to make sure you have the most recent OS version. To do this, follow the instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/383cf3bc-fdf9-4a02-120a-3e7e36c6bfee\",\r\n \"name\": \"383cf3bc-fdf9-4a02-120a-3e7e36c6bfee\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Install endpoint protection solution on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Install an endpoint protection solution on your Windows and Linux machines, to protect them from threats and vulnerabilities.\",\r\n \"remediationDescription\": \"1. Select one or more machines, or use the filter to set criteria for which machines to select. 2. Click Install on [x] machines.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e7ee30c4-bac9-2966-54bd-2023a4282872\",\r\n \"name\": \"e7ee30c4-bac9-2966-54bd-2023a4282872\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Monitoring agent should be installed on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This action installs a monitoring agent on the selected virtual machines. Select a workspace for the agent to report to.\",\r\n \"remediationDescription\": \"1. For instructions on how to install the agent on Windows, click here 2. For instructions on how to install the agent on Linux, click here\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8e2b96ff-3de2-289b-b5c1-3b9921a3441e\",\r\n \"name\": \"8e2b96ff-3de2-289b-b5c1-3b9921a3441e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Monitoring agent health issues should be resolved on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Security Center uses the Microsoft Monitoring Agent (MMA) to collect security events from your Azure virtual machines. To make sure your virtual machines are successfully monitored,
\\n you need to enable data collection in Security Center and make sure the MMA agent is both installed on the virtual machines and properly collects security events to the configured workspace.
\\n In some cases, the MMA agent may fail to properly report security events, due to multiple reasons. In these cases, coverage may be partial - security events won�t be properly processed,
\\n and in turn threat detection for the affected VMs may fail to function.\",\r\n \"remediationDescription\": \"To resolve monitoring agent health issues and see the different resolution for each issue, please see the following instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d1db3318-01ff-16de-29eb-28b344515626\",\r\n \"name\": \"d1db3318-01ff-16de-29eb-28b344515626\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Install monitoring agent on your virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Security Center uses the Microsoft Monitoring Agent (MMA) to collect security events from your Azure virtual machines.<br> We recommend configuring auto-provisioning to ensure the MMA is deployed automatically.<br> If you choose not to use auto-provisioning, you�ll need to follow the remediation steps to manually deploy the MMA for all your VMs.<br> You�ll also need to follow that procedure if your VMs are used by an Azure managed service such as Azure Kubernetes Service or Azure Service Fabric.\",\r\n \"remediationDescription\": \"Installation of the monitoring agent and enabling data collection in Security Center can be done in several ways:\\n- Using Security Center�s automatic provisioning on your subscription(s).
This will automatically provision the monitoring agent on current and future-created virtual machines on your subscription(s). (Learn more)
\\nYou can enable automatic provisioning on multiple subscriptions by clicking on the Getting started menu item, and select 'Install agents'.
You can also enable it for specific subscriptions and customize additional settings by clicking on the 'Security policy' menu item,
select 'Edit settings' on a subscription and enable auto provisioning in the 'data collection' menu item. \\n- Install the Microsoft Monitoring agent on your Virtual machines as a VM extension or directly, by following these instructions.
\\n- Provision the Microsoft Monitoring agent with Azure Policies. The applicable policy definitions are:
�[Preview]: Deploy Log Analytics Agent for Windows VMs� and �[Preview]: Deploy Log Analytics Agent for Linux VMs. \\n
\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/151e82c5-5341-a74b-1eb0-bc38d2c84bb5\",\r\n \"name\": \"151e82c5-5341-a74b-1eb0-bc38d2c84bb5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"MFA should be enabled on accounts with read permissions on your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e3576e28-8b17-4677-84c3-db2990658d64\",\r\n \"description\": \"Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources.\",\r\n \"remediationDescription\": \"Before enabling MFA for the users, you may want to take this opportunity to delete any users listed that are no longer active users.
To enable MFA using conditional access you must have an Azure AD Premium license and have AD tenant admin permissions.
To enable MFA on user accounts: 1. Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription. The list of user accounts that require enabling MFA opens. 2. Click 'Continue'. The Azure AD Conditional Access page opens. 3. In the Conditional Access page, add the list of users to an existing policy. If there are no existing policies create a new policy following these instructions:
a. Click '+New policy'.
b. In the 'Name' text box, enter a policy name.
c. Assign 'User and groups':
i. Select 'Users and groups' > In the 'Include' tab, select 'Select users and groups' and select the 'Users and groups' check box.
ii. Select the users that are in the list of user accounts require enabling MFA. You can scroll back to the left to see the list.
iii. After selecting the users, at the bottom of the list, click 'Select'.
iv. Click 'Done'.
d. Assign 'Cloud apps'
i. Select 'Cloud apps' > In the 'Include' tab, select 'All cloud apps'. (Don't exclude any apps.)
ii. Click 'Done'.
e. Assign 'Access Controls'
i. Select 'Grant' and select 'Require multi-factor authentication'. (Don't select any other options.)
ii. Click 'Select'.
f. Enable Policy.
i. Click 'On' 4. Click 'Create'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/57e98606-6b1e-6193-0e3d-fe621387c16b\",\r\n \"name\": \"57e98606-6b1e-6193-0e3d-fe621387c16b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"MFA should be enabled on accounts with write permissions on your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9297c21d-2ed6-4474-b48f-163f75654ce3\",\r\n \"description\": \"Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources.\",\r\n \"remediationDescription\": \"Before enabling MFA for the users, you may want to take this opportunity to delete any users listed that are no longer active users.
To enable MFA using conditional access you must have an Azure AD Premium license and have AD tenant admin permissions.
To enable MFA on user accounts: 1. Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription. The list of user accounts that require enabling MFA opens. 2. Click 'Continue'. The Azure AD Conditional Access page opens. 3. In the Conditional Access page, add the list of users to an existing policy. If there are no existing policies create a new policy following these instructions:
a. Click '+New policy'.
b. In the 'Name' text box, enter a policy name.
c. Assign 'User and groups':
i. Select 'Users and groups' > In the 'Include' tab, select 'Select users and groups' and select the 'Users and groups' check box.
ii. Select the users that are in the list of user accounts require enabling MFA. You can scroll back to the left to see the list.
iii. After selecting the users, at the bottom of the list, click 'Select'.
iv. Click 'Done'.
d. Assign 'Cloud apps'
i. Select 'Cloud apps' > In the 'Include' tab, select 'All cloud apps'. (Don't exclude any apps.)
ii. Click 'Done'.
e. Assign 'Access Controls'
i. Select 'Grant' and select 'Require multi-factor authentication'. (Don't select any other options.)
ii. Click 'Select'.
f. Enable Policy.
i. Click 'On' 4. Click 'Create'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/94290b00-4d0c-d7b4-7cea-064a9554e681\",\r\n \"name\": \"94290b00-4d0c-d7b4-7cea-064a9554e681\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"MFA should be enabled on accounts with owner permissions on your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/aa633080-8b72-40c4-a2d7-d00c03e80bed\",\r\n \"description\": \"Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources.\",\r\n \"remediationDescription\": \"Before enabling MFA for the users, you may want to take this opportunity to delete any users listed that are no longer active users.
To enable MFA using conditional access you must have an Azure AD Premium license and have AD tenant admin permissions.
To enable MFA on user accounts: 1. Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription. The list of user accounts that require enabling MFA opens. 2. Click 'Continue'. The Azure AD Conditional Access page opens. 3. In the Conditional Access page, add the list of users to an existing policy. If there are no existing policies create a new policy following these instructions:
a. Click '+New policy'.
b. In the 'Name' text box, enter a policy name.
c. Assign 'User and groups':
i. Select 'Users and groups' > In the 'Include' tab, select 'Select users and groups' and select the 'Users and groups' check box.
ii. Select the users that are in the list of user accounts require enabling MFA. You can scroll back to the left to see the list.
iii. After selecting the users, at the bottom of the list, click 'Select'.
iv. Click 'Done'.
d. Assign 'Cloud apps'
i. Select 'Cloud apps' > In the 'Include' tab, select 'All cloud apps'. (Don't exclude any apps.)
ii. Click 'Done'.
e. Assign 'Access Controls'
i. Select 'Grant' and select 'Require multi-factor authentication'. (Don't select any other options.)
ii. Click 'Select'.
f. Enable Policy.
i. Click 'On' 4. Click 'Create'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a8c6a4ad-d51e-88fe-2979-d3ee3c864f8b\",\r\n \"name\": \"a8c6a4ad-d51e-88fe-2979-d3ee3c864f8b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"External accounts with read permissions should be removed from your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5f76cf89-fbf2-47fd-a3f4-b891fa780b60\",\r\n \"description\": \"Accounts with read permissions that have different domain names (external accounts), should be removed from your subscription. This prevents unmonitored access. These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"To remove external accounts:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The list of external user accounts that require access removal opens.
Click 'Continue'. The Access control (IAM) page opens.
In the Access control page: 1. Click the 'Role assignments' 2. Search and select the users that were in the list of user accounts that require removal. You can scroll back to the left to see the list. 3. Click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/04e7147b-0deb-9796-2e5c-0336343ceb3d\",\r\n \"name\": \"04e7147b-0deb-9796-2e5c-0336343ceb3d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"External accounts with write permissions should be removed from your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5c607a2e-c700-4744-8254-d77e7c9eb5e4\",\r\n \"description\": \"Accounts with write permissions that have different domain names (external accounts), should be removed from your subscription. This prevents unmonitored access. These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"To remove external accounts:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The list of external user accounts that require access removal opens.
Click 'Continue'. The Access control (IAM) page opens.
In the Access control page: 1. Click the 'Role assignments' 2. Search and select the users that were in the list of user accounts that require removal. You can scroll back to the left to see the list. 3. Click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c3b6ae71-f1f0-31b4-e6c1-d5951285d03d\",\r\n \"name\": \"c3b6ae71-f1f0-31b4-e6c1-d5951285d03d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"External accounts with owner permissions should be removed from your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f8456c1c-aa66-4dfb-861a-25d127b775c9\",\r\n \"description\": \"Accounts with owner permissions that have different domain names (external accounts), should be removed from your subscription. This prevents unmonitored access. These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"To remove external accounts:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The list of external user accounts that require access removal opens.
Click 'Continue'. The Access control (IAM) page opens.
In the Access control page: 1. Click the 'Role assignments' 2. Search and select the users that were in the list of user accounts that require removal. You can scroll back to the left to see the list. 3. Click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/00c6d40b-e990-6acf-d4f3-471e747a27c4\",\r\n \"name\": \"00c6d40b-e990-6acf-d4f3-471e747a27c4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Deprecated accounts should be removed from your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6b1cbf55-e8b6-442f-ba4c-7246b6381474\",\r\n \"description\": \"User accounts that have been blocked from signing in, should be removed from your subscriptions.
These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"To remove blocked user accounts:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The list of blocked user accounts opens.
Click �Continue�. The Access control (IAM) page opens.
In the Access control page:1. Click the 'Role assignments' tab. 2. Search and select the users that were in the list of blocked user accounts that require removal. You can scroll back to the left to see the list. 3. Click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e52064aa-6853-e252-a11e-dffc675689c2\",\r\n \"name\": \"e52064aa-6853-e252-a11e-dffc675689c2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Deprecated accounts with owner permissions should be removed from your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ebb62a0c-3560-49e1-89ed-27e074e9f8ad\",\r\n \"description\": \"User accounts that have been blocked from signing in, should be removed from your subscriptions.
These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"To remove blocked user accounts:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The list of blocked user accounts opens.
Click �Continue�. The Access control (IAM) page opens.
In the Access control page:1. Click the 'Role assignments' tab. 2. Search and select the users that were in the list of blocked user accounts that require removal. You can scroll back to the left to see the list. 3. Click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6f90a6d6-d4d6-0794-0ec1-98fa77878c2e\",\r\n \"name\": \"6f90a6d6-d4d6-0794-0ec1-98fa77878c2e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"A maximum of 3 owners should be designated for your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4f11b553-d42e-4e3a-89be-32ca364cad4c\",\r\n \"description\": \"It is recommended to designate up to {0} subscription owners in order to reduce the potential for breach by a compromised owner.\",\r\n \"remediationDescription\": \"To remove owner permissions from user accounts on your subscription:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The Access control (IAM) page opens. 1. Click the Role assignments tab and set the 'Role' filter to 'Owner'. 2. Select the owners you want to remove. 3. Click Remove.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2c79b4af-f830-b61e-92b9-63dfa30f16e4\",\r\n \"name\": \"2c79b4af-f830-b61e-92b9-63dfa30f16e4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"There should be more than one owner assigned to your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/09024ccc-0c5f-475e-9457-b7c0d9ed487b\",\r\n \"description\": \"Designate more than one subscription owner in order to have administrator access redundancy.\",\r\n \"remediationDescription\": \"To add another account with owner permissions to your subscription:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The Access control (IAM) page opens. 1. Click 'Add' to open the Add role assignment pane.
If you don't have permissions to assign roles, the Add role assignment option will be disabled 1. In the 'Role' drop-down list, select the Owner role. 2. In the Select list, select a user. 3. Click Save.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0677209d-e675-2c6f-e91a-54cef2878663\",\r\n \"name\": \"0677209d-e675-2c6f-e91a-54cef2878663\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities in container security configurations should be remediated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933\",\r\n \"description\": \"Remediate vulnerabilities in security configuration on machines with Docker installed to protect them from attacks.\",\r\n \"remediationDescription\": \"To Remediate vulnerabilities in the container security configurations:1. Review the list of failed rules.2. Fix each rule according to the specified instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1db4f204-cb5a-4c9c-9254-7556403ce51c\",\r\n \"name\": \"1db4f204-cb5a-4c9c-9254-7556403ce51c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerability assessment should be enabled on your SQL servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9\",\r\n \"description\": \"Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities.\",\r\n \"remediationDescription\": \"To enable vulnerability assessment on SQL servers: 1. Select the SQL server. 2. Make sure that 'Advanced data security' is set to 'On'. 3. Under 'Vulnerability assessment settings', set 'Periodic recurring scans' to 'On', and configure a storage account for storing vulnerability assessment scan results. 4. Click Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/400a6682-992c-4726-9549-629fbc3b988f\",\r\n \"name\": \"400a6682-992c-4726-9549-629fbc3b988f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Advanced data security should be enabled on your SQL servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9\",\r\n \"description\": \"Advanced data security (ADS) is a unified package that provides advanced SQL security capabilities. It discovers and classifies sensitive data, surfaces and mitigates potential database vulnerabilities, and detects anomalous activities that could indicate a threat to your database. ADS is charged at $15 per SQL server.\",\r\n \"remediationDescription\": \"To enable advanced data security on SQL servers: 1. Select the SQL server. 2. Under 'Advanced Data Security', select 'On'. 3. Under 'Vulnerability Assessment Settings', set 'Periodic recurring scans' to 'On', and configure a storage account for storing vulnerability assessment scan results. 4. Click Save.
Note: ADS is charged at $15 per SQL server.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f0553104-cfdb-65e6-759c-002812e38500\",\r\n \"name\": \"f0553104-cfdb-65e6-759c-002812e38500\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"An Azure Active Directory administrator should be provisioned for SQL servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9\",\r\n \"description\": \"Provision an Azure AD administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services.\",\r\n \"remediationDescription\": \"To provision an Azure AD administrator for SQL server, see Configure and manage Azure Active Directory authentication with SQL Database, Managed Instance, or SQL Data Warehouse\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/12018f4f-3d10-999b-e4c4-86ec25be08a1\",\r\n \"name\": \"12018f4f-3d10-999b-e4c4-86ec25be08a1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Virtual machines should be migrated to new Azure Resource Manager resources\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d\",\r\n \"description\": \"To benefit from new capabilities in Azure Resource Manager, you can migrate existing deployments from the Classic deployment model. Resource Manager enables security enhancements such as: stronger access control (RBAC), better auditing, ARM-based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management. Learn more\",\r\n \"remediationDescription\": \"To migrate virtual machines to new ARM resources : 1. Go to the Virtual machine 2. Click on Migrate to ARM and follow the instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/22e18b64-4576-41e6-8972-0eb28c9af0c8\",\r\n \"name\": \"22e18b64-4576-41e6-8972-0eb28c9af0c8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fb893a29-21bb-418c-a157-e99480ec364c\",\r\n \"description\": \"Upgrade your Kubernetes service cluster to a later Kubernetes version to protect against known vulnerabilities in your current Kubernetes version. Vulnerability CVE-2019-9946 has been patched in Kubernetes versions 1.11.9+, 1.12.7+, 1.13.5+, and 1.14.0+\",\r\n \"remediationDescription\": \"To upgrade a Kubernetes version using the Azure portal: 1. Go to Azure Kubernetes Services and click on the specific Kubernetes Service. 2. Under 'Upgrade' select the target Kubernetes version and save the change. Note:When you upgrade an AKS cluster, Kubernetes minor versions cannot be skipped. For example, upgrades between 1.10.x -> 1.11.x or 1.11.x -> 1.12.x are allowed, however 1.10.x -> 1.12.x is not. To upgrade from 1.10.x -> 1.12.x, first upgrade from 1.10.x -> 1.11.x, then upgrade from 1.11.x -> 1.12.x.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"ElevationOfPrivilege\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1a2b5b4c-f80d-46e7-ac81-b51a9fb363de\",\r\n \"name\": \"1a2b5b4c-f80d-46e7-ac81-b51a9fb363de\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Authorized IP ranges should be defined on Kubernetes Services\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e246bcf-5f6f-4f87-bc6f-775d4712c7ea\",\r\n \"description\": \"Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster.\",\r\n \"remediationDescription\": \"To configure authorized IP ranges, follow the steps described here Secure access to the API server using authorized IP address ranges in Azure Kubernetes Service (AKS).\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DenialOfService\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a3eee263-aa01-4b52-a7c0-0094578ef48f\",\r\n \"name\": \"a3eee263-aa01-4b52-a7c0-0094578ef48f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Pod Security Policies should be defined on Kubernetes Services\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3abeb944-26af-43ee-b83d-32aaf060fb94\",\r\n \"description\": \"Define Pod Security Policies to reduce the attack vector by removing unnecessary application privileges. It is recommended to configure Pod Security Policies to only allow pods to access the resources which they have permissions to access.\",\r\n \"remediationDescription\": \"To configure Pod Security Policies, follow the steps described here Secure your cluster using pod security policies in Azure Kubernetes Service (AKS).\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ElevationOfPrivilege\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b0fdc63a-38e7-4bab-a7c4-2c2665abbaa9\",\r\n \"name\": \"b0fdc63a-38e7-4bab-a7c4-2c2665abbaa9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Role-Based Access Control should be used on Kubernetes Services\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ac4a19c2-fa67-49b4-8ae5-0b2e78c49457\",\r\n \"description\": \"To provide granular filtering on the actions that users can perform, use Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service Clusters and configure relevant authorization policies. For more information, see Azure role-based access control.\",\r\n \"remediationDescription\": \"To Use Role-Based Access Control (RBAC) you must recreate your Kubernetes Service cluster and enable RBAC during the creation process. Creating a Kubernetes Service with RBAC enabled can be done via the portal as follows: 1. Go to Azure Kubernetes Services. 2. Click 'Add' and enter your cluster's configuration. 3. In the 'Authentication' tab, verify that the 'Enable RBAC' setting is set to 'Yes'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"ElevationOfPrivilege\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c6dad669-efd7-cd72-61c5-289935607791\",\r\n \"name\": \"c6dad669-efd7-cd72-61c5-289935607791\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Data Lake Analytics should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c95c74d9-38fe-4f0d-af86-0c7d626a315c\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Data Lake Analytics diagnostics: 1. Go to Data Lake Analytics and click on your subscription. 2. Click Diagnostic settings and then click Turn on diagnostics. 3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c42fc28d-1703-45fc-aaa5-39797f570513\",\r\n \"name\": \"c42fc28d-1703-45fc-aaa5-39797f570513\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerability assessment should be enabled on your SQL managed instances\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b7aa243-30e4-4c9e-bca8-d0d3022b634a\",\r\n \"description\": \"Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities.\",\r\n \"remediationDescription\": \"To enable vulnerability assessment on a managed instance: 1. Select the SQL managed instance. 2. Make sure that 'Advanced data security' is set to 'On'. 3. Under 'Vulnerability assessment settings', set 'Periodic recurring scans' to 'On', and configure a storage account for storing vulnerability assessment scan results. 4. Click Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ff6dbca8-d93c-49fc-92af-dc25da7faccd\",\r\n \"name\": \"ff6dbca8-d93c-49fc-92af-dc25da7faccd\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Advanced data security should be enabled on your managed instances\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9\",\r\n \"description\": \"Advanced data security (ADS) is a unified package that provides advanced SQL security capabilities. It discovers and classifies sensitive data, surfaces and mitigates potential database vulnerabilities, and detects anomalous activities that could indicate a threat to your database. ADS is charged at $15 per managed SQL server.\",\r\n \"remediationDescription\": \"To enable advanced data security on managed SQL servers: 1. Select the managed SQL server. 2. Under 'Advanced Data Security', select 'On'. 3. Under 'Vulnerability Assessment Settings', set 'Periodic recurring scans' to 'On', and configure a storage account for storing vulnerability assessment scan results. 4. Click Save.
Note: ADS is charged at $15 per managed SQL server.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/35b25be2-d08a-e340-45ed-f08a95d804fc\",\r\n \"name\": \"35b25be2-d08a-e340-45ed-f08a95d804fc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Only secure connections to your Redis Cache should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/22bee202-a82f-4305-9a2a-6d7f44d4dedb\",\r\n \"description\": \"Enable only connections via SSL to Redis Cache. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.\",\r\n \"remediationDescription\": \"To enable only SSL connections to your Redis Cache, we recommend the following steps: 1. Go to the Redis Caches, and select your redis cache. 2. Select 'Advanced settings'. 3. For 'Allow access only via SSL', click 'Yes' and then click 'Save'.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/77785808-ce86-4e40-b45f-19110a547397\",\r\n \"name\": \"77785808-ce86-4e40-b45f-19110a547397\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in IoT Hub should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/383856f8-de7f-44a2-81fc-e5135b5c2aa4\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable IoT Hub diagnostics: 1. Go to the Event Hub namespace. 2. Click Diagnostic settings and then click Turn on diagnostics. 3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/32771b45-220c-1a8b-584e-fdd5a2584a66\",\r\n \"name\": \"32771b45-220c-1a8b-584e-fdd5a2584a66\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Batch accounts should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/428256e6-1fac-4f48-a757-df34c2b3336d\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Batch diagnostics: 1. Go to Batch and click on your subscription. 2. Click Diagnostic settings and then click Turn on diagnostics. 3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f11b27f2-8c49-5bb4-eff5-e1e5384bf95e\",\r\n \"name\": \"f11b27f2-8c49-5bb4-eff5-e1e5384bf95e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Azure Stream Analytics should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f9be5368-9bf5-4b84-9e0a-7850da98bb46\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Stream Analytics diagnostics: 1. Go to Stream Analytics and click on your subscription. 2. Click Diagnostic settings and then click Turn on diagnostics. 3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f19ab7d9-5ff2-f8fd-ab3b-0bf95dcb6889\",\r\n \"name\": \"f19ab7d9-5ff2-f8fd-ab3b-0bf95dcb6889\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Service Bus should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f8d36e2f-389b-4ee4-898d-21aeb69a0f45\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Service Bus diagnostics: 1. Go to the Service Bus. 2. Click Diagnostic settings and then click Turn on diagnostics. 3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b12bc79e-4f12-44db-acda-571820191ddc\",\r\n \"name\": \"b12bc79e-4f12-44db-acda-571820191ddc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Automation account variables should be encrypted\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735\",\r\n \"description\": \"It is important to enable encryption of Automation account variable assets when storing sensitive data.\",\r\n \"remediationDescription\": \"To apply encryption of the Automation account variable assets, in the Azure CLI - run the following command: Set-AzAutomationVariable -AutomationAccountName '{AutomationAccountName}' -Encrypted $true -Name '{VariableName}' -ResourceGroupName '{ResourceGroupName}' -Value '{Value}'
Read more here\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ad5bbaeb-7632-5edf-f1c2-752075831ce8\",\r\n \"name\": \"ad5bbaeb-7632-5edf-f1c2-752075831ce8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Azure Data Lake Store should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/057ef27e-665e-4328-8ea3-04b3122bd9fb\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Data Lake Store diagnostics: 1. Go to Data Lake Store and click on your subscription. 2. Click Diagnostic settings and then click Turn on diagnostics. 3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/dea5192e-1bb3-101b-b70c-4646546f5e1e\",\r\n \"name\": \"dea5192e-1bb3-101b-b70c-4646546f5e1e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Search services should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b4330a05-a843-4bc8-bf9a-cacce50c67f4\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Search diagnostics: 1. Go to Search and click on your subscription. 2. Click Diagnostic settings and then click Turn on diagnostics. 3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/03afeb6f-7634-adb3-0a01-803b0b9cb611\",\r\n \"name\": \"03afeb6f-7634-adb3-0a01-803b0b9cb611\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Service Fabric clusters should only use Azure Active Directory for client authentication\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b54ed75b-3e1a-44ac-a333-05ba39b99ff0\",\r\n \"description\": \"Perform Client authentication only via Azure Active Directory in Service Fabric\",\r\n \"remediationDescription\": \"To enable client authentication using Azure Active Directory follow the instructions to Set up Azure Active Directory for client authentication.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7f04fc0c-4a3d-5c7e-ce19-666cb871b510\",\r\n \"name\": \"7f04fc0c-4a3d-5c7e-ce19-666cb871b510\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/617c02be-7f02-4efd-8836-3180d47b6c68\",\r\n \"description\": \"Service Fabric provides three levels of protection (None, Sign and EncryptAndSign) for node-to-node communication using a primary cluster certificate. Set the protection level to ensure that all node-to-node messages are encrypted and digitally signed.\",\r\n \"remediationDescription\": \"To set 'ClusterProtectionLevel' inside Service Fabric ARM template to 'EncryptAndSign': 1. Go to the Service fabric cluster. 2. Click on 'Custom fabric settings'. 3. Click 'Add new', set the 'Security' section and update the 'ClusterProtectionLevel' property to 'EncryptAndSign'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1597605a-0faf-5860-eb74-462ae2e9fc21\",\r\n \"name\": \"1597605a-0faf-5860-eb74-462ae2e9fc21\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Event Hub should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83a214f7-d01a-484b-91a9-ed54470c9a6a\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Event Hub diagnostics: 1. Go to the Event Hub namespace. 2. Click Diagnostic settings and then click Turn on diagnostics. 3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/91387f44-7e43-4ecc-55f0-46f5adee3dd5\",\r\n \"name\": \"91387f44-7e43-4ecc-55f0-46f5adee3dd5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Logic Apps should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34f95f76-5386-4de7-b824-0d8478470c9d\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Logic Apps diagnostics: 1. Go to Logic Apps and click on your subscription. 2. Click Diagnostic settings and then click Turn on diagnostics. 3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/961eb649-3ea9-f8c2-6595-88e9a3aeedeb\",\r\n \"name\": \"961eb649-3ea9-f8c2-6595-88e9a3aeedeb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Virtual Machine Scale Sets should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7c1b1214-f927-48bf-8882-84f0af6588b1\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Virtual Machines Scale Sets diagnostics follow the instructions\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606\",\r\n \"description\": \"To benefit from new capabilities in Azure Resource Manager, you can migrate existing deployments from the Classic deployment model. Resource Manager enables security enhancements such as: stronger access control (RBAC), better auditing, ARM-based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management. Learn more\",\r\n \"remediationDescription\": \"To migrate storage accounts to new ARM resources : 1. Go to the Storage Account 2. Click on Migrate to ARM and follow the instructions.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/88bbc99c-e5af-ddd7-6105-6150b2bfa519\",\r\n \"name\": \"88bbc99c-e5af-ddd7-6105-6150b2bfa519\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Key Vault should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Key Vault diagnostics: 1. Go to Key Vault and click on your subscription. 2. Click Diagnostic settings and then click Turn on diagnostics. 3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/45d313c3-3fca-5040-035f-d61928366d31\",\r\n \"name\": \"45d313c3-3fca-5040-035f-d61928366d31\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Access to storage accounts with firewall and virtual network configurations should be restricted\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c\",\r\n \"description\": \"Review the settings of network access in your storage account firewall settings. It is recommended to configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premise clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges.\",\r\n \"remediationDescription\": \"1. In your storage account, go to 'Firewalls and virtual networks'. 2. Under 'Allow access from', choose 'Selected networks'. 3. Configure the relevant virtual networks and IP ranges that should be allowed to access your storage account. 4. Configure \\\"Allow trusted Microsoft services to access your storage account\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": \"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Secure transfer to storage accounts should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9\",\r\n \"description\": \"Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.\",\r\n \"remediationDescription\": \"To enable secure transfer required: 1. In your storage account, go to the 'Configuration' page. 2. Enable 'Secure transfer required'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bd20bd91-aaf1-7f14-b6e4-866de2f43146\",\r\n \"name\": \"bd20bd91-aaf1-7f14-b6e4-866de2f43146\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"System updates on virtual machine scale sets should be installed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe\",\r\n \"description\": \"Install missing system security and critical updates to secure your Windows and Linux virtual machine scale sets.\",\r\n \"remediationDescription\": \"To install system updates: 1. Review the list of missing system updates. 2. Follow the steps to resolve the update, as described in the support link.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/45cfe080-ceb1-a91e-9743-71551ed24e94\",\r\n \"name\": \"45cfe080-ceb1-a91e-9743-71551ed24e94\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Monitoring agent should be installed on virtual machine scale sets\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/f3631911-7880-4edb-88bd-6411f5e3b6ec\",\r\n \"description\": \"Security Center uses the Microsoft Monitoring Agent (MMA) to collect security events from your Azure virtual machine scale sets.<br> You cannot configure auto-provisioning of the MMA for Azure virtual machine scale sets. To deploy the MMA on virtual machine scale sets (including those used by Azure managed services such as Azure Kubernetes Service and Azure Service Fabric), please follow the procedure in the remediation steps.\",\r\n \"remediationDescription\": \"To install monitoring agent : 1. Select or create a workspace. 2. Click on Install to install the agent on the scale set.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8941d121-f740-35f6-952c-6561d2b38d36\",\r\n \"name\": \"8941d121-f740-35f6-952c-6561d2b38d36\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities in security configuration on your virtual machine scale sets should be remediated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4\",\r\n \"description\": \"Remediate vulnerabilities in security configuration on your virtual machine scale sets to protect them from attacks.\",\r\n \"remediationDescription\": \"To remediate vulnerabilities in VM scale set security configurations: 1. Review the list of failed rules. 2. Fix each rule according to the instructions provided.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/21300918-b2e3-0346-785f-c77ff57d243b\",\r\n \"name\": \"21300918-b2e3-0346-785f-c77ff57d243b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Endpoint protection solution should be installed on virtual machine scale sets\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de\",\r\n \"description\": \"Install an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities.\",\r\n \"remediationDescription\": \"To install an endpoint protection solution: 1. Follow the instructions in How do I turn on antimalware in my virtual machine scale set\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e71020c2-860c-3235-cd39-04f3f8c936d2\",\r\n \"name\": \"e71020c2-860c-3235-cd39-04f3f8c936d2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Endpoint protection health failures should be remediated on virtual machine scale sets\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de\",\r\n \"description\": \"Remediate endpoint protection health failures on your virtual machine scale sets to protect them from threats and vulnerabilities.\",\r\n \"remediationDescription\": \"Resolve endpoint protection health issues on your VM scale sets to get full protection and coverage by Azure Security Center. To do this, follow the instructions in each of the possible endpoint protection health issues displayed on your virtual machine scale set.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6c99f570-2ce7-46bc-8175-cde013df43bc\",\r\n \"name\": \"6c99f570-2ce7-46bc-8175-cde013df43bc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Guest configuration extension should be installed on Windows virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/5fc23db3-dd4d-4c56-bcc7-43626243e601\",\r\n \"description\": \"Install the guest configuration agent to enable auditing settings inside a machine such as: - The configuration of the operating system
- Application configuration or presence
- Environment settings
Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'.
For more details, visit in-guest policies\",\r\n \"remediationDescription\": \"Quick fix remediation:
To remediate with a single click, in the Unhealthy resources tab (below), select the resources, and click 'Remediate'.
Read the remediation details in the confirmation box, and approve the remediation.
Note: It can take several minutes after remediation completes to see the resources in the ‘healthy resources’ tab.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/22489c48-27d1-4e40-9420-4303ad9cffef\",\r\n \"name\": \"22489c48-27d1-4e40-9420-4303ad9cffef\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Windows Defender Exploit Guard should be enabled on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/bed48b13-6647-468e-aa2f-1af1d3f4dd40\",\r\n \"description\": \"Windows Defender Exploit Guard leverages the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only).\",\r\n \"remediationDescription\": \"Enable controlled folder access: controlled folder access
The following attack surface rules should be enabled:
'be9ba2d9-53ea-4cdc-84e5-9b1eeee46550',
'b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4',
'9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2',
'd4f940ab-401b-4efc-aadc-ad5f3c50688a',
'd3e037e1-3eb8-44c8-a917-57927947596d',
'5beb7efe-fd9a-4556-801d-275e5ffc04cc',
'3b576869-a4ec-4529-8536-b80a7769e899',
'26190899-1602-49e8-8b27-eb1d0a1ce869',
'92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B',
'7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c',
'75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84'
For more information on visit:attack surface reduction\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ThreatResistance\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/27ac71b1-75c5-41c2-adc2-858f5db45b08\",\r\n \"name\": \"27ac71b1-75c5-41c2-adc2-858f5db45b08\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Log Analytics agent should be installed on your Windows-based Azure Arc machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/d69b1763-b96d-40b8-a2d9-ca31e9fd0d3e\",\r\n \"description\": \"Security Center uses the Log Analytics agent (also known as MMA) to collect security events from your Azure Arc machines. To deploy the agent on all your Azure Arc machines, follow the remediation steps.\",\r\n \"remediationDescription\": \"Security Center can deploy the agents to all your machines with quick fix: 1. From the Unhealthy resources tab, select the relevant machines, and select \\\"Remediate\\\". 2. Read the remediation details in the confirmation box, modify the parameters as necessary, and approve the remediation. Note: It can take several minutes after remediation completes until the resources move to the Healthy resources tab. Manual Remediation: 1. From Azure Arc machine's page, go to Extensions and select Add. 2. Follow the instructions to add the relevant extension. You can also use ARM template or Azure Policies to manage the extension deployment to Arc servers.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/720a3e77-0b9a-4fa9-98b6-ddf0fd7e32c1\",\r\n \"name\": \"720a3e77-0b9a-4fa9-98b6-ddf0fd7e32c1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Log Analytics agent should be installed on your Linux-based Azure Arc machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/842c54e8-c2f9-4d79-ae8d-38d8b8019373\",\r\n \"description\": \"Security Center uses the Log Analytics agent (also known as OMS) to collect security events from your Azure Arc machines. To deploy the agent on all your Azure Arc machines, follow the remediation steps.\",\r\n \"remediationDescription\": \"Security Center can deploy the agents to all your machines with quick fix: 1. From the Unhealthy resources tab, select the relevant machines, and select \\\"Remediate\\\". 2. Read the remediation details in the confirmation box, modify the parameters as necessary, and approve the remediation. Note: It can take several minutes after remediation completes until the resources move to the Healthy resources tab. Manual Remediation: 1. From Azure Arc machine's page, go to Extensions and select Add. 2. Follow the instructions to add the relevant extension. You can also use ARM template or Azure Policies to manage the extension deployment to Arc servers.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9d07b7e6-2986-4964-a76c-b2689604e212\",\r\n \"name\": \"9d07b7e6-2986-4964-a76c-b2689604e212\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Identical Authentication Credentials\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5468b9f3-f0dd-41e3-a383-f0f442f34bcf\",\r\n \"description\": \"Identical authentication credentials to the IoT Hub used by multiple devices. This could indicate an illegitimate device impersonating a legitimate device. It also exposes the risk of device impersonation by an attacker\",\r\n \"remediationDescription\": \"Review the devices in question and make sure they are all valid. Replace any duplicated credentials and make sure all device authentication credentials are unique.\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5a3d6cdd-8eb3-46d2-ba11-d24a0d47fe65\",\r\n \"name\": \"5a3d6cdd-8eb3-46d2-ba11-d24a0d47fe65\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Default IP Filter Policy should be Deny\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bde66085-0bff-4163-a200-2ff7c1175045\",\r\n \"description\": \"IP Filter Configuration should have rules defined for allowed traffic and should deny all other traffic by default\",\r\n \"remediationDescription\": \"Add a default rule at the end of the defined rules list to deny all inbound traffic. Make sure any rules defined above it only allow wanted traffic through.\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d8326952-60bb-40fb-b33f-51e662708a88\",\r\n \"name\": \"d8326952-60bb-40fb-b33f-51e662708a88\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IP Filter rule large IP range\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3f528984-4591-4989-b6bc-6d9f67f3de57\",\r\n \"description\": \"An Allow IP Filter rule's source IP range is too large. Overly permissive rules might expose your IoT hub to malicious intenders\",\r\n \"remediationDescription\": \"Review the rule in question and verify source IP range is as small as it needs to be for necessary traffic to go through.\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1a36f14a-8bd8-45f5-abe5-eef88d76ab5b\",\r\n \"name\": \"1a36f14a-8bd8-45f5-abe5-eef88d76ab5b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Open Ports On Device\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fa676ae0-e4c3-4803-8ce8-e85df20b57cd\",\r\n \"description\": \"A listening endpoint was found on the device\",\r\n \"remediationDescription\": \"Review the open ports on the device and make sure they belong to legitimate and necessary processes for the device to function correctly\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ba975338-f956-41e7-a9f2-7614832d382d\",\r\n \"name\": \"ba975338-f956-41e7-a9f2-7614832d382d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Permissive firewall rule in the input chain was found\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a782bbed-a876-4631-9bc5-7ace7d466dc8\",\r\n \"description\": \"A rule in the firewall has been found that contains a permissive pattern for a wide range of IP addresses or Ports\",\r\n \"remediationDescription\": \"Review the rules in the recommendation and verify only necessary addresses / ports are allowed in\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/beb62be3-5e78-49bd-ac5f-099250ef3c7c\",\r\n \"name\": \"beb62be3-5e78-49bd-ac5f-099250ef3c7c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Permissive firewall policy in one of the chains was found\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fce8d615-a5d2-431d-ba4d-2d9ae164224f\",\r\n \"description\": \"An allowed firewall policy was found in main firewall Chains (INPUT/OUTPUT). The policy should Deny all traffic by default define rules to allow necessary communication to/from the device\",\r\n \"remediationDescription\": \"Change firewall policy to Drop and add specific rules to permit access to legitimate connections to/from the device\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d5a8d84a-9ad0-42e2-80e0-d38e3d46028a\",\r\n \"name\": \"d5a8d84a-9ad0-42e2-80e0-d38e3d46028a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Permissive firewall rule in the output chain was found\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/75af18a4-86e2-40ab-a157-359d67bd9314\",\r\n \"description\": \"A rule in the firewall has been found that contains a permissive pattern for a wide range of IP addresses or ports\",\r\n \"remediationDescription\": \"Review the rules in the recommendation and verify only necessary addresses / ports are allowed out\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3a577f3e-2a57-4197-bc79-85007d5c8cd8\",\r\n \"name\": \"3a577f3e-2a57-4197-bc79-85007d5c8cd8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Install the Azure Security of Things Agent\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b122f8fc-72f9-4a24-87ec-b71bdfb5a890\",\r\n \"description\": \"Installing the Azure Security of Things agent on a device increases the security detections available for it\",\r\n \"remediationDescription\": \"Install the Azure Security of Things Security Agent\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5f65e47f-7a00-4bf3-acae-90ee441ee876\",\r\n \"name\": \"5f65e47f-7a00-4bf3-acae-90ee441ee876\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Operating system baseline validation failure\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a15d59b-fbfe-41c9-bdb1-d900cc77eb6e\",\r\n \"description\": \"Security related system configuration issues identified\",\r\n \"remediationDescription\": \"Review the failed rules and remediate the security configuration vulnerabilities identified on your devices\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a9a59ebb-5d6f-42f5-92a1-036fd0fd1879\",\r\n \"name\": \"a9a59ebb-5d6f-42f5-92a1-036fd0fd1879\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Agent sending underutilized messages\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a6cb74de-df4c-497f-9e87-f0ccd430de6c\",\r\n \"description\": \"IoT agent message size capacity is currently underutilized, causing an increase in the number of sent messages. Adjust message intervals for better utilization\",\r\n \"remediationDescription\": \"To avoid too many underutilized messages, consider enlarging the high/low priority send intervals\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2acc27c6-5fdb-405e-9080-cb66b850c8f5\",\r\n \"name\": \"2acc27c6-5fdb-405e-9080-cb66b850c8f5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - TLS cipher suite upgrade needed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f4912296-8654-4bf1-bb7b-a42bfa368af6\",\r\n \"description\": \"Unsecure TLS configurations detected. Immediate TLS cipher suite upgrade recommended\",\r\n \"remediationDescription\": \"Upgrade your TLS cipher suite to a secure configuration. See the Guide to TLS Standards Compliance for more information\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d74d2738-2485-4103-9919-69c7e63776ec\",\r\n \"name\": \"d74d2738-2485-4103-9919-69c7e63776ec\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Auditd process stopped sending events\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5502d409-6ab3-401d-a4ae-619cf2bbf68e\",\r\n \"description\": \"Security events originated from Auditd process are no longer received from this device\",\r\n \"remediationDescription\": \"Verify Auditd process is running on the device, restart process or device as needed\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2acd365d-e8b5-4094-bce4-244b7c51d67c\",\r\n \"name\": \"2acd365d-e8b5-4094-bce4-244b7c51d67c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Service principals should be used to protect your subscriptions instead of Management Certificates\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Security/assessmentMetadata/2acd365d-e8b5-4094-bce4-244b7c51d67c\",\r\n \"description\": \"Management certificates allow anyone who authenticates with them to manage the subscription(s) they are associated with. To manage subscriptions more securely, using service principals with Resource Manager is recommended to limit the blast radius in the case of a certificate compromise. It also automates resource management. \",\r\n \"remediationDescription\": \"To remove management certificates and replace with service principals:1. Follow the guidance here to create service principals with a certificate. 2. Select a subscription from the list of subscriptions below or navigate to the specific subscription. 3. Select In the Management Certificates under Settings , delete the existing management certificates you would like to replace with the service principals you created.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"name\": \"eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Subnets should be associated with a network security group\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e71308d3-144b-4262-b144-efdc3cc90517\",\r\n \"description\": \"Protect your subnet from potential threats by restricting access to it with a network security group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. When an NSG is associated with a subnet, the ACL rules apply to all the VM instances and integrated services in that subnet, but don't apply to internal traffic inside the subnet. To secure resources in the same subnet from one another, enable NSG directly on the resources as well.\",\r\n \"remediationDescription\": \"To enable network security groups on your virtual machines: 1. Select a VM to enable NSG on its NIC. 2. In the 'Networking' blade, click the Network Interface that is associated with the selected VM. 3. In the 'Network interface' blade, click the 'Network security group' menu item. 4. Click the 'Edit' button at the top of the blade. 5. Follow the steps and select an existing network security group to attach to this VM.
Click here to learn more.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"name\": \"e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure DDoS Protection Standard should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd\",\r\n \"description\": \"Security Center has discovered virtual networks with applications and firewalls unprotected by the DDoS protection service. These apps and firewalls have public IPs. Enable mitigation of network volumetric and protocol attacks.\",\r\n \"remediationDescription\": \"1. Select a virtual network to enable the DDoS protection service standard on. 2. Select the Standard option. 3. Click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"ThreatResistance\",\r\n \"DenialOfService\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/35f45c95-27cf-4e52-891f-8390d1de5828\",\r\n \"name\": \"35f45c95-27cf-4e52-891f-8390d1de5828\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Adaptive application controls for whitelisting safe applications should be enabled on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc\",\r\n \"description\": \"Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.\",\r\n \"remediationDescription\": \"To enable and configure adaptive application controls: 1. From the portal, open Security Center. 2. Select \\\"Adaptive application controls\\\" from Security Center’s sidebar. 3. To see the groups of machines that Security Center recommends protecting with adaptive application controls, select the \\\"Recommended\\\" tab and choose a group of machines to protect. 4. Create a new applications control policy according to the instructions in Security Center’s documentation: https://aka.ms/aac-newpolicy\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\",\r\n \"ThreatResistance\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1234abcd-1b53-4fd4-9835-2c2fa3935313\",\r\n \"name\": \"1234abcd-1b53-4fd4-9835-2c2fa3935313\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Whitelisting rules in your adaptive application control policy should be updated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/123a3936-f020-408a-ba0c-47873faf1534\",\r\n \"description\": \"Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to whitelist in adaptive application control policies.\",\r\n \"remediationDescription\": \"To update your whitelists of known-safe applications: 1. From the portal, open Security Center. 2. Select \\\"Adaptive application controls\\\" from Security Center’s sidebar. 3. To see the groups of machines for which Security Center recommends updating the policy, select the \\\"Recommended\\\" tab and choose the configured group of machines. 4. The current policy will be displayed together with the new rules that Security Center recommends adding.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\",\r\n \"ThreatResistance\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f9f0eed0-f143-47bf-b856-671ea2eeed62\",\r\n \"name\": \"f9f0eed0-f143-47bf-b856-671ea2eeed62\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Adaptive Network Hardening recommendations should be applied on internet facing virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6\",\r\n \"description\": \"Azure Security Center has analyzed the internet traffic communication patterns of the virtual machines listed below, and determined that the existing rules in the NSGs associated to them are overly permissive, resulting in an increased potential attack surface.
This typically occurs when this IP address doesn't communicate regularly with this resource. Alternatively, the IP address has been flagged as malicious by Security Center's threat intelligence sources. learn more\",\r\n \"remediationDescription\": \"To harden the Network Security Group traffic rules, enforce the recommended rules by following the steps below or manually edit the rules directly on the Network Security Group:
- Select a VM from the list below, or click \\\"Take action\\\" if you've arrived from a specific VM's recommendation blade.
- Click the \\\"Rules\\\" tab.
- If you want to modify a recommended rule's parameters:
- In the rule that you want to change, select the three dots and select \\\"Edit rule\\\". The \\\"Edit rule\\\" blade opens.
- Modify the parameters that you want to change and click \\\"Save\\\". The blade closes.
- If you want to create a new rule:
- Click \\\"Add rule\\\" (in the top left corner). The \\\"Edit rule\\\" blade opens.
- Fill in the parameters and click \\\"Add rule\\\". The pane closes and the new rule is listed in the Rules tab.
- Select the rules that you want to apply (including any rules that you edited or added) and click \\\"Enforce\\\".
\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/805651bc-6ecd-4c73-9b55-97a19d0582d0\",\r\n \"name\": \"805651bc-6ecd-4c73-9b55-97a19d0582d0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Management ports of virtual machines should be protected with just-in-time network access control\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c\",\r\n \"description\": \"N/A\",\r\n \"remediationDescription\": \"N/A\",\r\n \"categories\": [\r\n \"Compute\",\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/01b1ed4c-b733-4fee-b145-f23236e70cf3\",\r\n \"name\": \"01b1ed4c-b733-4fee-b145-f23236e70cf3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerability assessment solution should be installed on your virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/760a85ff-6162-42b3-8d70-698e268f648c\",\r\n \"description\": \"N/A\",\r\n \"remediationDescription\": \"N/A\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/71992a2a-d168-42e0-b10e-6b45fa2ecddb\",\r\n \"name\": \"71992a2a-d168-42e0-b10e-6b45fa2ecddb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities should be remediated by a Vulnerability Assessment solution\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/760a85ff-6162-42b3-8d70-698e268f648c\",\r\n \"description\": \"N/A\",\r\n \"remediationDescription\": \"N/A\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\",\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bc303248-3d14-44c2-96a0-55f5c326b5fe\",\r\n \"name\": \"bc303248-3d14-44c2-96a0-55f5c326b5fe\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Management ports should be closed on your virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/22730e10-96f6-4aac-ad84-9383d35b5917\",\r\n \"description\": \"Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.\",\r\n \"remediationDescription\": \"We recommend that you edit the inbound rules of some of your virtual machines, to restrict access to specific source ranges.
To restrict access to your virtual machines: 1. Select a VM to restrict access to. 2. In the 'Networking' blade, click on each of the rules that allow management ports (e.g. RDP-3389, WINRM-5985, SSH-22). 3. Either change the 'Action' property to 'Deny', or, improve the rule by applying a less permissive range of source IP ranges. 4. Click 'Save'.
Use Azure Security Center's Just-in-time (JIT) virtual machine (VM) access to lock down inbound traffic to your Azure VMs by demand. Click here to learn more.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ThreatResistance\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c3b51c94-588b-426b-a892-24696f9e54cc\",\r\n \"name\": \"c3b51c94-588b-426b-a892-24696f9e54cc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IP forwarding on your virtual machine should be disabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744\",\r\n \"description\": \"Azure Security Center has discovered that IP forwarding is enabled on some of your virtual machines. Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.\",\r\n \"remediationDescription\": \"We recommend you edit the IP configurations of the NICs belonging to some of your virtual machines.
To disable IP forwarding: 1. Select a VM from the list below, or click 'Take action' if you've arrived from a specific VM's recommendation blade. 2. In the 'Networking' blade, click on the NIC link ('Network Interface' in the top left). 3. In the 'IP configurations' blade, set the 'IP forwarding' field to 'Disabled'. 4. Click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3b20e985-f71f-483b-b078-f30d73936d43\",\r\n \"name\": \"3b20e985-f71f-483b-b078-f30d73936d43\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"All network ports should be restricted on NSG associated to your VM\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9daedab3-fb2d-461e-b861-71790eead4f6\",\r\n \"description\": \"Azure Security center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to easily target your resources.\",\r\n \"remediationDescription\": \"We recommend that you edit the inbound rules of some of your virtual machines, to restrict access to specific source ranges.
To restrict access to your virtual machines: 1. Select a VM to restrict access to. 2. In the 'Networking' blade, click the Network Security Group with overly permissive rules. 3. In the 'Network security group' blade, click on each of the rules that are overly permissive. 4. Improve the rule by applying less permissive source IP ranges. 5. Apply the suggested changes and click 'Save'.
If some or all of these virtual machines do not need to be accessed directly from the Internet, then you can also consider removing the public IP associated to them.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/483f12ed-ae23-447e-a2de-a67a10db4353\",\r\n \"name\": \"483f12ed-ae23-447e-a2de-a67a10db4353\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Internet-facing virtual machines should be protected with network security groups\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c\",\r\n \"description\": \"Protect your VM from potential threats by restricting access to it with a network security group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your VM from other instances, in or outside the same subnet.
Please note that to keep your machine as secured as possible, both the VM access to the Internet must be restricted, and an NSG should be enabled on the subnet.
VMs with 'High' severity are Internet-facing VMs.\",\r\n \"remediationDescription\": \"To enable Network Security Groups on your virtual machines: 1. Select a VM to enable NSG on its NIC. 2. In the 'Networking' blade, click the Network Interface that is associated with the selected VM. 3. In the 'Network interface' blade, click the 'Network security group' menu item. 4. Click the 'Edit' button at the top of the blade. 5. Follow the steps and select an existing network security group to attach to this VM.
Click here to learn more.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a9341235-9389-42f0-a0bf-9bfb57960d44\",\r\n \"name\": \"a9341235-9389-42f0-a0bf-9bfb57960d44\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Non-internet-facing virtual machines should be protected with network security groups\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6\",\r\n \"description\": \"Protect your non-internet-facing virtual machine from potential threats by restricting access to it with a network security group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your VM from other instances, whether or not they're on the same subnet.
Note that to keep your machine as secure as possible, the VM's access to the internet must be restricted and an NSG should be enabled on the subnet.\",\r\n \"remediationDescription\": \"To enable network security groups on your virtual machines: 1. Select a VM to enable an NSG on its NIC. 2. In the 'Networking' pane, select the Network Interface that is associated with the selected VM. 3. In the 'Network interface' pane, select the 'Network security group' menu item. 4. Select 'Edit' at the top of the pane. 5. Follow the steps and select an existing network security group to attach to this VM.
Learn more.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/550e890b-e652-4d22-8274-60b3bdb24c63\",\r\n \"name\": \"550e890b-e652-4d22-8274-60b3bdb24c63\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Enable the built-in vulnerability assessment solution on virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9\",\r\n \"description\": \"Install the Qualys extension (built-in to the Azure Security Center standard tier) to enable the industry-leading vulnerability assessment solution on your virtual machines.\",\r\n \"remediationDescription\": \"To remediate with a single click, in the Unhealthy resources tab (below), select the resources, and click 'Remediate'. Read the remediation details in the confirmation box, insert the relevant parameters if required and approve the remediation. Note: It can take several minutes after remediation completes to see the resources in the ‘healthy resources’\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/57f36d21-69e3-4b0f-a66c-18629d1b736d\",\r\n \"name\": \"57f36d21-69e3-4b0f-a66c-18629d1b736d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Adaptive Network Hardening recommendations should be applied on internal facing virtual machines (Preview)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/65f6008c-c7de-4146-b4f2-0f91aa80ebe0\",\r\n \"description\": \"Azure Security Center has analyzed the Internet traffic communication patterns of the virtual machines listed below, and determined that the existing rules in the NSGs associated to them are overly permissive, resulting in an increased potential attack surface. This could be due lack of traffic on the port/protocol tuples or specific IPs which have been flagged as malicious by Security Center's threat intelligence sources.\",\r\n \"remediationDescription\": \"Security Center recommends that you modify the rules of your virtual machines, to close ports which are not in use.
To close unused ports on your Virtual Machine with a Network Security Group
1. Select a Virtual Machine to display a list of its unused open ports
2. Open the Virtual Machine's Networking blade by clicking its name
3. Edit the Virtual Machine's inbound/outbound rules to block ports according to the list
4. Click Save\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/24d8af06-d441-40b4-a49c-311421aa9f58\",\r\n \"name\": \"24d8af06-d441-40b4-a49c-311421aa9f58\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Network traffic data collection agent should be installed on Windows virtual machines (Preview)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2f2ee1de-44aa-4762-b6bd-0893fc3f306d\",\r\n \"description\": \"Security Center uses the Microsoft Monitoring Dependency Agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats.\",\r\n \"remediationDescription\": \"To remediate with a single click, in the Unhealthy resources tab (below), select the resources, and click Remediate. Read the remediation details in the confirmation box, insert the relevant parameters if required and approve the remediation.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8c3e93d3-0276-4d06-b20a-9a9f3012742c\",\r\n \"name\": \"8c3e93d3-0276-4d06-b20a-9a9f3012742c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Network traffic data collection agent should be installed on Linux virtual machines (Preview)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/04c4380f-3fae-46e8-96c9-30193528f602\",\r\n \"description\": \"Security Center uses the Microsoft Monitoring Dependency Agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats.\",\r\n \"remediationDescription\": \"To remediate with a single click, in the Unhealthy resources tab (below), select the resources, and click Remediate. Read the remediation details in the confirmation box, insert the relevant parameters if required and approve the remediation.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b0df6f56-862d-4730-8597-38c0fd4ebd59\",\r\n \"name\": \"b0df6f56-862d-4730-8597-38c0fd4ebd59\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Sensitive data in your SQL databases should be classified\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/cc9835f2-9f6b-4cc8-ab4a-f8ef615eb349\",\r\n \"description\": \"Azure SQL DB Data discovery & classification provides capabilities for discovering, classifying, labeling, and protecting the sensitive data in your databases. Once your data is classified, you can use Azure SQL DB auditing to audit access and monitor the sensitive data. Azure SQL DB also enables Advanced Threat Protection features which creates intelligent alerts based on changes in the access patterns to the sensitive data.\",\r\n \"remediationDescription\": \"To remediate this recommendation: 1. In your SQL database, go to 'Advanced Data Security' and click 'Data Discovery and Classification'. 2. Review the recommended classifications. 3. Apply the relevant recommendations and dismiss the ones that are not applicable.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fe02b3b7-a722-d4d6-6731-6493776203a6\",\r\n \"name\": \"fe02b3b7-a722-d4d6-6731-6493776203a6\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities on your SQL databases should be remediated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc\",\r\n \"description\": \"SQL Vulnerability Assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security stature.\",\r\n \"remediationDescription\": \"To resolve SQL vulnerabilities: 1. In your SQL database, go to 'Advanced Data Security' and click 'Vulnerability Assessment'. 2. Review the set of Failed security checks found by the scan, which are sorted from high to low risk. 3. Click on each vulnerability to view its details and explicit remediation instructions and scripts. 4. Either remediate the vulnerability using the provided script, or set the result as an acceptable Baseline for the check so that it will be considered passing in subsequent scans.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f97aa83c-9b63-4f9a-99f6-b22c4398f936\",\r\n \"name\": \"f97aa83c-9b63-4f9a-99f6-b22c4398f936\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities on your SQL databases in VMs should be remediated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d\",\r\n \"description\": \"SQL Vulnerability Assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security stature.\",\r\n \"remediationDescription\": \"To resolve SQL vulnerabilities: 1. In your SQL database, go to 'Advanced Data Security' and click 'Vulnerability Assessment'. 2. Review the set of Failed security checks found by the scan, which are sorted from high to low risk. 3. Click on each vulnerability to view its details and explicit remediation instructions and scripts. 4. Either remediate the vulnerability using the provided script, or set the result as an acceptable Baseline for the check so that it will be considered passing in subsequent scans.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/dbd0cb49-b563-45e7-9724-889e799fa648\",\r\n \"name\": \"dbd0cb49-b563-45e7-9724-889e799fa648\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities in Azure Container Registry images should be remediated (powered by Qualys)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bf49982c-9e3e-4fc4-bc20-67afecd23512\",\r\n \"description\": \"Container image vulnerability assessment scans your registry for security vulnerabilities on each pushed container image and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks.\",\r\n \"remediationDescription\": \"To resolve container image vulnerabilities: 1. Navigate to the relevant resource under the 'Unhealthy' section and select the container image you are looking to remediate. 2. Review the set of failed security checks found by the scan, which are sorted from high to low risk. 3. Click on each vulnerability to view its details and explicit remediation instructions and scripts. 4. Remediate the vulnerability using the provided instructions described in the 'Remediation' field. 5. Upload the new remediated image to your registry. Review scan results for the new image to verify the vulnerability no longer exist. 6. Delete the old image with the vulnerability from you registry.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1195afff-c881-495e-9bc5-1486211ae03f\",\r\n \"name\": \"1195afff-c881-495e-9bc5-1486211ae03f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Remediate vulnerabilities found on your virtual machines (powered by Qualys)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9\",\r\n \"description\": \"Monitors for vulnerability findings on your virtual machines as were discovered by the built-in vulnerability assessment solution of Azure Security Center (powered by Qualys).\",\r\n \"remediationDescription\": \"Review and remediate vulnerability findings that were discovered by the built-in vulnerability assessment solution of Azure Security Center (powered by Qualys).\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/82e20e14-edc5-4373-bfc4-f13121257c37\",\r\n \"name\": \"82e20e14-edc5-4373-bfc4-f13121257c37\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities on your SQL databases should be remediated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc\",\r\n \"description\": \"SQL Vulnerability Assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security stature.\",\r\n \"remediationDescription\": \"To resolve SQL vulnerabilities: 1. In your SQL database, go to 'Advanced Data Security' and click 'Vulnerability Assessment'. 2. Review the set of Failed security checks found by the scan, which are sorted from high to low risk. 3. Click on each vulnerability to view its details and explicit remediation instructions and scripts. 4. Either remediate the vulnerability using the provided script, or set the result as an acceptable Baseline for the check so that it will be considered passing in subsequent scans.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n }\r\n ]\r\n}",
"StatusCode": 200
}
],
diff --git a/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecurityAssessmentTests/CreateAndDeleteAssessment.json b/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecurityAssessmentTests/CreateAndDeleteAssessment.json
index 9f35acc75d85..6eb3a71fba96 100644
--- a/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecurityAssessmentTests/CreateAndDeleteAssessment.json
+++ b/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecurityAssessmentTests/CreateAndDeleteAssessment.json
@@ -57,7 +57,7 @@
"-1"
]
},
- "ResponseBody": "{\r\n \"value\": [\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4fb67663-9ab9-475d-b026-8c544cced439\",\r\n \"name\": \"4fb67663-9ab9-475d-b026-8c544cced439\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Endpoint protection should be installed on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9\",\r\n \"description\": \"To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.
Learn more about how Endpoint Protection for machines is evaluated.\",\r\n \"remediationDescription\": \"To remediate missing endpoint protection:
1. Confirm that your solution is on the list of tools supported by Security Center.
2. Install the supported endpoint protection solution or enable an existing tool.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0396b18c-41aa-489c-affd-4ee5d1714a59\",\r\n \"name\": \"0396b18c-41aa-489c-affd-4ee5d1714a59\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Secure Boot should be enabled on your virtual machine\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Enabling Secure Boot on your virtual machine helps mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only signed code will be allowed to run on your VM or server.\",\r\n \"remediationDescription\": \"Enabling Secure Boot requires restarting your virtual machine:
1. Stop your VM when it is safe to do so.
2. Enable Secure Boot for the VM.
3. Restart the VM.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ElevationOfPrivilege\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f7010359-8d21-4598-a9f2-c3e81a17141e\",\r\n \"name\": \"f7010359-8d21-4598-a9f2-c3e81a17141e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"All advanced threat protection types should be enabled in SQL server advanced data security settings\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e756b945-1b1b-480b-8de8-9a0859d5f7ad\",\r\n \"description\": \"It is recommended to enable all advanced threat protection types on your SQL servers. Enabling all types protects against SQL injection, database vulnerabilities, and any other anomalous activities.\",\r\n \"remediationDescription\": \"To set advanced threat protection types to 'All' on SQL servers:
1. Select the SQL server.
2. Make sure that 'Advanced data security' is set to 'On'.
3. Under 'Advanced threat protection types', mark the check box for 'all'.
4. click OK.
5. Click Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ebe970fe-9c27-4dd7-a165-1e943d565e10\",\r\n \"name\": \"ebe970fe-9c27-4dd7-a165-1e943d565e10\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"All advanced threat protection types should be enabled in SQL managed instance advanced data security settings\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bda18df3-5e41-4709-add9-2554ce68c966\",\r\n \"description\": \"It is recommended to enable all advanced threat protection types on your SQL managed instances. Enabling all types protects against SQL injection, database vulnerabilities, and any other anomalous activities.\",\r\n \"remediationDescription\": \"To set advanced threat protection types to 'All' on a managed instance:
1. Select the SQL server.
2. Make sure that 'Advanced data security' is set to 'On'.
3. Under 'Advanced threat protection types', mark the check box for 'all'.
4. click OK.
5. Click Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/64b8637e-4e1d-76a9-0fc9-c1e487a97ed8\",\r\n \"name\": \"64b8637e-4e1d-76a9-0fc9-c1e487a97ed8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Remote debugging should be turned off for Web Applications\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/cb510bfd-1cba-4d9f-a230-cb0976f4bb71\",\r\n \"description\": \"Remote debugging requires inbound ports to be opened on a web application. Remote debugging is currently enabled. If you no longer need to use remote debugging, it should be turned off.\",\r\n \"remediationDescription\": \"To turn off remote debugging, we recommend the following steps:
1. Go to the app service applications settings page
2. In the remote debugging toggle select Off
3. Click Save\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/df4d1739-47f0-60c7-1706-3731fea6ab03\",\r\n \"name\": \"df4d1739-47f0-60c7-1706-3731fea6ab03\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CORS should not allow every resource to access your Web Applications\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/5744710e-cc2f-4ee8-8809-3b11e89f4bc9\",\r\n \"description\": \"Cross-Origin Resource Sharing (CORS) should not allow all domains to access your web application. Allow only required domains to interact with your web app.\",\r\n \"remediationDescription\": \"To allow only required domains to interact with your web app, we recommend the following steps:
1. Go to the app service CORS page
2. Remove the \\\"*\\\" defined and instead specify explicit origins that should be allowed to make cross-origin calls
3. Click Save\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1b351b29-41ca-6df5-946c-c190a56be5fe\",\r\n \"name\": \"1b351b29-41ca-6df5-946c-c190a56be5fe\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Web Application should only be accessible over HTTPS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d\",\r\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\",\r\n \"remediationDescription\": \"To redirect all HTTP traffic to HTTPS, we recommend the following steps:
1. Go to the app service custom domains page
2. In the HTTPS Only toggle select On\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/093c685b-56dd-13a3-8ed5-887a001837a2\",\r\n \"name\": \"093c685b-56dd-13a3-8ed5-887a001837a2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Remote debugging should be turned off for Function App\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/0e60b895-3786-45da-8377-9c6b4b6ac5f9\",\r\n \"description\": \"Remote debugging requires inbound ports to be opened on an function app. Remote debugging should be turned off.\",\r\n \"remediationDescription\": \"To turn off remote debugging, we recommend the following steps:
1. Go to the app service applications settings page
2. In the remote debugging toggle select Off
3. Click Save\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7b3d4796-9400-2904-692b-4a5ede7f0a1e\",\r\n \"name\": \"7b3d4796-9400-2904-692b-4a5ede7f0a1e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CORS should not allow every resource to access your Function App\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/0820b7b9-23aa-4725-a1ce-ae4558f718e5\",\r\n \"description\": \"Cross-Origin Resource Sharing (CORS) should not allow all domains to access your Function app. Allow only required domains to interact with your Function app.\",\r\n \"remediationDescription\": \"To allow only required domains to interact with your web app, we recommend the following steps:
1. Go to the app service CORS page
2. Remove the \\\"*\\\" defined and instead specify explicit origins that should be allowed to make cross-origin calls
3. Click Save\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/cb0acdc6-0846-fd48-debe-9905af151b6d\",\r\n \"name\": \"cb0acdc6-0846-fd48-debe-9905af151b6d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Function App should only be accessible over HTTPS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab\",\r\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\",\r\n \"remediationDescription\": \"To redirect all HTTP traffic to HTTPS, we recommend the following steps:
1. Go to the app service custom domains page
2. In the HTTPS Only toggle select On\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9172da4e-9571-6e33-2b5b-d742847f3be7\",\r\n \"name\": \"9172da4e-9571-6e33-2b5b-d742847f3be7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Remote debugging should be turned off for API App\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/e9c8d085-d9cc-4b17-9cdc-059f1f01f19e\",\r\n \"description\": \"Remote debugging requires inbound ports to be opened on an API app. Remote debugging should be turned off.\",\r\n \"remediationDescription\": \"To turn off remote debugging, we recommend the following steps:
1. Go to the app service applications settings page
2. In the remote debugging toggle select Off
3. Click Save\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e40df93c-7a7c-1b0a-c787-9987ceb98e54\",\r\n \"name\": \"e40df93c-7a7c-1b0a-c787-9987ceb98e54\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CORS should not allow every resource to access your API App\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/358c20a6-3f9e-4f0e-97ff-c6ce485e2aac\",\r\n \"description\": \"Cross-Origin Resource Sharing (CORS) should not allow all domains to access your API app. Allow only required domains to interact with your API app.\",\r\n \"remediationDescription\": \"To allow only required domains to interact with your web app, we recommend the following steps:
1. Go to the app service CORS page
2. Remove the \\\"*\\\" defined and instead specify explicit origins that should be allowed to make cross-origin calls
3. Click Save\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bf82a334-13b6-ca57-ea75-096fc2ffce50\",\r\n \"name\": \"bf82a334-13b6-ca57-ea75-096fc2ffce50\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"API App should only be accessible over HTTPS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b7ddfbdc-1260-477d-91fd-98bd9be789a6\",\r\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\",\r\n \"remediationDescription\": \"To redirect all HTTP traffic to HTTPS, we recommend the following steps:
1. Go to the app service custom domains page
2. In the HTTPS Only toggle select On\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d57a4221-a804-52ca-3dea-768284f06bb7\",\r\n \"name\": \"d57a4221-a804-52ca-3dea-768284f06bb7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Disk encryption should be applied on virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d\",\r\n \"description\": \"Encrypt your virtual machine disks using Azure Disk Encryption both for Windows and Linux virtual machines.
\\n Azure Disk Encryption (ADE) leverages the industry standard BitLocker feature of Windows and the DM-Crypt feature of Linux to
\\n provide OS and data disk encryption to help protect and safeguard your data and help meet your organizational security and
\\n compliance commitments in customer Azure key vault. When your compliance and security requirement requires you to encrypt
\\n the data end to end using your encryption keys, including encryption of the ephemeral (locally attached temporary) disk, use
\\n Azure disk encryption. Alternatively, by default, Managed Disks are encrypted at rest by default using Azure Storage Service
\\n Encryption where the encryption keys are Microsoft managed keys in Azure. If this meets your compliance and security requirements,
\\n you can leverage the default Managed disk encryption to meet your requirements.\",\r\n \"remediationDescription\": \"To enable disk encryption on your virtual machines, follow Encryption instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c0f5316d-5ac5-9218-b77a-b96e16ccfd66\",\r\n \"name\": \"c0f5316d-5ac5-9218-b77a-b96e16ccfd66\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Your machines should be restarted to apply system updates\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60\",\r\n \"description\": \"Restart your machines to apply the system updates and secure the machine from vulnerabilities.\",\r\n \"remediationDescription\": \"To restart the machine:
1. Go to Virtual machines and click on your machine.
2. Click 'Restart'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/181ac480-f7c4-544b-9865-11b8ffe87f47\",\r\n \"name\": \"181ac480-f7c4-544b-9865-11b8ffe87f47\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities in security configuration on your machines should be remediated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15\",\r\n \"description\": \"Remediate vulnerabilities in security configuration on your machines to protect them from attacks.\",\r\n \"remediationDescription\": \"1.\\tClick any of the configuration vulnerabilities. 2. In the Remediate security configurations pane, click View affected machines. 3. Click a machine from the list. 4. Customize the Kusto query as necessary and run the command.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3bcd234d-c9c7-c2a2-89e0-c01f419c1a8a\",\r\n \"name\": \"3bcd234d-c9c7-c2a2-89e0-c01f419c1a8a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Endpoint protection health issues should be resolved on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9\",\r\n \"description\": \"For full Security Center protection, resolve monitoring agent issues on your machines by following the instructions in the Troubleshooting guide.\",\r\n \"remediationDescription\": \"1. Click any of the health issues. 2. Select a workspace. 3. Customize the Kusto query as necessary and run the command.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/83f577bd-a1b6-b7e1-0891-12ca19d1e6df\",\r\n \"name\": \"83f577bd-a1b6-b7e1-0891-12ca19d1e6df\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Install endpoint protection solution on virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9\",\r\n \"description\": \"Install an endpoint protection solution on your virtual machines, to protect them from threats and vulnerabilities.\",\r\n \"remediationDescription\": \"1.\\tSelect one or more virtual machines, or use the filter to set criteria for which machines to select. 2. Click Install on [x] VMs.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/651967bf-044e-4bde-8376-3e08e0600105\",\r\n \"name\": \"651967bf-044e-4bde-8376-3e08e0600105\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Transparent Data Encryption on SQL databases should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/17k78e20-9358-41c9-923c-fb736d382a12\",\r\n \"description\": \"Enable transparent data encryption to protect data-at-rest and meet compliance requirements\",\r\n \"remediationDescription\": \"To enable transparent data encryption on your SQL databases:
1. Select the SQL database.
2. Under Data encryption, select On.
3. Click Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/94208a8b-16e8-4e5b-abbd-4e81c9d02bee\",\r\n \"name\": \"94208a8b-16e8-4e5b-abbd-4e81c9d02bee\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Auditing on SQL server should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9\",\r\n \"description\": \"Enable auditing on your SQL Server to track database activities across all databases on the server and save them in an audit log.\",\r\n \"remediationDescription\": \"To enable SQL server auditing:
1. Select the SQL server.
2. Under Auditing, select On.
3. Select Storage details and configure a storage account for the audit log.
4. Click Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8bc390da-9eb6-938d-25ed-44a35d9bcc9d\",\r\n \"name\": \"8bc390da-9eb6-938d-25ed-44a35d9bcc9d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"OS version should be updated for your cloud service roles\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5a913c68-0590-402c-a531-e57e19379da3\",\r\n \"description\": \"Update the operating system (OS) version for your cloud service roles to the most recent version available for your OS family.\",\r\n \"remediationDescription\": \"Update the OS version on your cloud service roles to make sure you have the most recent OS version. To do this, follow the instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/383cf3bc-fdf9-4a02-120a-3e7e36c6bfee\",\r\n \"name\": \"383cf3bc-fdf9-4a02-120a-3e7e36c6bfee\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Install endpoint protection solution on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Install an endpoint protection solution on your Windows and Linux machines, to protect them from threats and vulnerabilities.\",\r\n \"remediationDescription\": \"1. Select one or more machines, or use the filter to set criteria for which machines to select. 2. Click Install on [x] machines.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e7ee30c4-bac9-2966-54bd-2023a4282872\",\r\n \"name\": \"e7ee30c4-bac9-2966-54bd-2023a4282872\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Monitoring agent should be installed on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This action installs a monitoring agent on the selected virtual machines. Select a workspace for the agent to report to.\",\r\n \"remediationDescription\": \"1. For instructions on how to install the agent on Windows, click here 2. For instructions on how to install the agent on Linux, click here\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8e2b96ff-3de2-289b-b5c1-3b9921a3441e\",\r\n \"name\": \"8e2b96ff-3de2-289b-b5c1-3b9921a3441e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Log Analytics agent health issues should be resolved on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d62cfe2b-3ab0-4d41-980d-76803b58ca65\",\r\n \"description\": \"Security Center uses the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA). To make sure your virtual machines are successfully monitored, you need to make sure the agent is both installed on the virtual machines and properly collects security events to the configured workspace.\",\r\n \"remediationDescription\": \"To resolve Log Analytics agent health issues and see the different resolution for each issue, please see the following instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d1db3318-01ff-16de-29eb-28b344515626\",\r\n \"name\": \"d1db3318-01ff-16de-29eb-28b344515626\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Log Analytics agent should be installed on your virtual machine\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499\",\r\n \"description\": \"Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats. Data is collected using the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA), which reads various security-related configurations and event logs from the machine and copies the data to your Log Analytics workspace for analysis. This agent is also is required if your VMs are used by an Azure managed service such as Azure Kubernetes Service or Azure Service Fabric. We recommend configuring auto-provisioning to automatically deploy the agent. If you choose not to use auto-provisioning, manually deploy the agent to your VMs using the instructions in the remediation steps.\",\r\n \"remediationDescription\": \"For multiple ways to install and configure your Log Analytics agent please see the following instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/151e82c5-5341-a74b-1eb0-bc38d2c84bb5\",\r\n \"name\": \"151e82c5-5341-a74b-1eb0-bc38d2c84bb5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"MFA should be enabled on accounts with read permissions on your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e3576e28-8b17-4677-84c3-db2990658d64\",\r\n \"description\": \"Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources.\",\r\n \"remediationDescription\": \"To enable MFA using conditional access you must have an Azure AD Premium license and have AD tenant admin permissions.
1. Select the relevant subscription or click 'Take action' if it's available. The list of user accounts without MFA appears.
2. Click 'Continue'. The Azure AD Conditional Access page appears.
3. In the Conditional Access page, add the list of users to a policy (create a policy if one doesn't exist).
4. For your conditional access policy, ensure the following:
a. In the 'Access controls' section, multi-factor authentication is granted.
b. In the 'Cloud Apps or actions' section's 'Include' tab, check that Microsoft Azure Management (App Id :797f4846-ba00-4fd7-ba43-dac1f8f63013) or 'All apps' is selected. In the 'Exclude' tab, check that it is not excluded.
To enable MFA security defaults in Azure Active Directory (included in Azure AD free):
1. Sign in to the Azure AD - Properties page as a security administrator, Conditional Access administrator, or global administrator.
2. From the bottom of the page, select Manage security defaults.
3. Set Enable security defaults to Yes.
4. Select Save.
Note: It can take up to 12 hours for the change to be reflected in Security Center.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/57e98606-6b1e-6193-0e3d-fe621387c16b\",\r\n \"name\": \"57e98606-6b1e-6193-0e3d-fe621387c16b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"MFA should be enabled on accounts with write permissions on your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9297c21d-2ed6-4474-b48f-163f75654ce3\",\r\n \"description\": \"Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources.\",\r\n \"remediationDescription\": \"To enable MFA using conditional access you must have an Azure AD Premium license and have AD tenant admin permissions.
1. Select the relevant subscription or click 'Take action' if it's available. The list of user accounts without MFA appears.
2. Click 'Continue'. The Azure AD Conditional Access page appears.
3. In the Conditional Access page, add the list of users to a policy (create a policy if one doesn't exist).
4. For your conditional access policy, ensure the following:
a. In the 'Access controls' section, multi-factor authentication is granted.
b. In the 'Cloud Apps or actions' section's 'Include' tab, check that Microsoft Azure Management (App Id :797f4846-ba00-4fd7-ba43-dac1f8f63013) or 'All apps' is selected. In the 'Exclude' tab, check that it is not excluded.
To enable MFA security defaults in Azure Active Directory (included in Azure AD free):
1. Sign in to the Azure AD - Properties page as a security administrator, Conditional Access administrator, or global administrator.
2. From the bottom of the page, select Manage security defaults.
3. Set Enable security defaults to Yes.
4. Select Save.
Note: It can take up to 12 hours for the change to be reflected in Security Center.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/94290b00-4d0c-d7b4-7cea-064a9554e681\",\r\n \"name\": \"94290b00-4d0c-d7b4-7cea-064a9554e681\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"MFA should be enabled on accounts with owner permissions on your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/aa633080-8b72-40c4-a2d7-d00c03e80bed\",\r\n \"description\": \"Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources.\",\r\n \"remediationDescription\": \"To enable MFA using conditional access you must have an Azure AD Premium license and have AD tenant admin permissions.
1. Select the relevant subscription or click 'Take action' if it's available. The list of user accounts without MFA appears.
2. Click 'Continue'. The Azure AD Conditional Access page appears.
3. In the Conditional Access page, add the list of users to a policy (create a policy if one doesn't exist).
4. For your conditional access policy, ensure the following:
a. In the 'Access controls' section, multi-factor authentication is granted.
b. In the 'Cloud Apps or actions' section's 'Include' tab, check that Microsoft Azure Management (App Id :797f4846-ba00-4fd7-ba43-dac1f8f63013) or 'All apps' is selected. In the 'Exclude' tab, check that it is not excluded.
To enable MFA security defaults in Azure Active Directory (included in Azure AD free):
1. Sign in to the Azure AD - Properties page as a security administrator, Conditional Access administrator, or global administrator.
2. From the bottom of the page, select Manage security defaults.
3. Set Enable security defaults to Yes.
4. Select Save.
Note: It can take up to 12 hours for the change to be reflected in Security Center.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a8c6a4ad-d51e-88fe-2979-d3ee3c864f8b\",\r\n \"name\": \"a8c6a4ad-d51e-88fe-2979-d3ee3c864f8b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"External accounts with read permissions should be removed from your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5f76cf89-fbf2-47fd-a3f4-b891fa780b60\",\r\n \"description\": \"Accounts with read permissions that have different domain names (external accounts), should be removed from your subscription. This prevents unmonitored access. These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"To remove external accounts:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The list of external user accounts that require access removal opens.
Click 'Continue'. The Access control (IAM) page opens.
In the Access control page:
1. Click the 'Role assignments'
2. Search and select the users that were in the list of user accounts that require removal. You can scroll back to the left to see the list.
3. Click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/04e7147b-0deb-9796-2e5c-0336343ceb3d\",\r\n \"name\": \"04e7147b-0deb-9796-2e5c-0336343ceb3d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"External accounts with write permissions should be removed from your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5c607a2e-c700-4744-8254-d77e7c9eb5e4\",\r\n \"description\": \"Accounts with write permissions that have different domain names (external accounts), should be removed from your subscription. This prevents unmonitored access. These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"To remove external accounts:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The list of external user accounts that require access removal opens.
Click 'Continue'. The Access control (IAM) page opens.
In the Access control page:
1. Click the 'Role assignments'
2. Search and select the users that were in the list of user accounts that require removal. You can scroll back to the left to see the list.
3. Click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c3b6ae71-f1f0-31b4-e6c1-d5951285d03d\",\r\n \"name\": \"c3b6ae71-f1f0-31b4-e6c1-d5951285d03d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"External accounts with owner permissions should be removed from your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f8456c1c-aa66-4dfb-861a-25d127b775c9\",\r\n \"description\": \"Accounts with owner permissions that have different domain names (external accounts), should be removed from your subscription. This prevents unmonitored access. These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"To remove external accounts:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The list of external user accounts that require access removal opens.
Click 'Continue'. The Access control (IAM) page opens.
In the Access control page:
1. Click the 'Role assignments'
2. Search and select the users that were in the list of user accounts that require removal. You can scroll back to the left to see the list.
3. Click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/00c6d40b-e990-6acf-d4f3-471e747a27c4\",\r\n \"name\": \"00c6d40b-e990-6acf-d4f3-471e747a27c4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Deprecated accounts should be removed from your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6b1cbf55-e8b6-442f-ba4c-7246b6381474\",\r\n \"description\": \"User accounts that have been blocked from signing in, should be removed from your subscriptions.
These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"To remove blocked user accounts:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The list of blocked user accounts opens.
Click 'Continue'. The Access control (IAM) page opens.
In the Access control page:
1. Click the 'Role assignments' tab.
2. Search and select the users that were in the list of blocked user accounts that require removal. You can scroll back to the left to see the list.
3. Click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e52064aa-6853-e252-a11e-dffc675689c2\",\r\n \"name\": \"e52064aa-6853-e252-a11e-dffc675689c2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Deprecated accounts with owner permissions should be removed from your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ebb62a0c-3560-49e1-89ed-27e074e9f8ad\",\r\n \"description\": \"User accounts that have been blocked from signing in, should be removed from your subscriptions.
These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"To remove blocked user accounts:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The list of blocked user accounts opens.
Click 'Continue'. The Access control (IAM) page opens.
In the Access control page:
1. Click the 'Role assignments' tab.
2. Search and select the users that were in the list of blocked user accounts that require removal. You can scroll back to the left to see the list.
3. Click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6f90a6d6-d4d6-0794-0ec1-98fa77878c2e\",\r\n \"name\": \"6f90a6d6-d4d6-0794-0ec1-98fa77878c2e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"A maximum of 3 owners should be designated for your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4f11b553-d42e-4e3a-89be-32ca364cad4c\",\r\n \"description\": \"It is recommended to designate up to {0} subscription owners in order to reduce the potential for breach by a compromised owner.\",\r\n \"remediationDescription\": \"To remove owner permissions from user accounts on your subscription:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The Access control (IAM) page opens.
1. Click the Role assignments tab and set the 'Role' filter to 'Owner'.
2. Select the owners you want to remove.
3. Click Remove.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2c79b4af-f830-b61e-92b9-63dfa30f16e4\",\r\n \"name\": \"2c79b4af-f830-b61e-92b9-63dfa30f16e4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"There should be more than one owner assigned to your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/09024ccc-0c5f-475e-9457-b7c0d9ed487b\",\r\n \"description\": \"Designate more than one subscription owner in order to have administrator access redundancy.\",\r\n \"remediationDescription\": \"To add another account with owner permissions to your subscription:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The Access control (IAM) page opens.
1. Click 'Add' to open the Add role assignment pane.
If you don't have permissions to assign roles, the Add role assignment option will be disabled
1. In the 'Role' drop-down list, select the Owner role.
2. In the Select list, select a user.
3. Click Save.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0677209d-e675-2c6f-e91a-54cef2878663\",\r\n \"name\": \"0677209d-e675-2c6f-e91a-54cef2878663\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities in container security configurations should be remediated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933\",\r\n \"description\": \"Remediate vulnerabilities in security configuration on machines with Docker installed to protect them from attacks.\",\r\n \"remediationDescription\": \"To remediate vulnerabilities in the container security configurations:
1. Review the list of failed rules.
2. Fix each rule according to the specified instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1db4f204-cb5a-4c9c-9254-7556403ce51c\",\r\n \"name\": \"1db4f204-cb5a-4c9c-9254-7556403ce51c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerability assessment should be enabled on your SQL servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9\",\r\n \"description\": \"Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities.\",\r\n \"remediationDescription\": \"To enable vulnerability assessment on SQL servers:
1. Select the SQL server.
2. Make sure that 'Advanced data security' is set to 'On'.
3. Under 'Vulnerability assessment settings', set 'Periodic recurring scans' to 'On', and configure a storage account for storing vulnerability assessment scan results.
4. Click Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/400a6682-992c-4726-9549-629fbc3b988f\",\r\n \"name\": \"400a6682-992c-4726-9549-629fbc3b988f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Defender for SQL should be enabled on your SQL servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9\",\r\n \"description\": \"Azure Defender for SQL is a unified package that provides advanced SQL security capabilities. It surfaces and mitigates potential database vulnerabilities, and detects anomalous activities that could indicate a threat to your database. Azure Defender for SQL is billed as shown on the pricing page.\",\r\n \"remediationDescription\": \"To enable Azure Defender for SQL on SQL servers: 1. Select the SQL server. 2. Under 'Security Center', set Azure Defender for SQL to 'On'. 3. Under 'Vulnerability Assessment Settings', configure a storage account for storing vulnerability assessment scan results and set 'Periodic recurring scans' to 'On'. 4. Click Save.
Note: Azure Defender for SQL is billed as shown on the pricing page\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f0553104-cfdb-65e6-759c-002812e38500\",\r\n \"name\": \"f0553104-cfdb-65e6-759c-002812e38500\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"An Azure Active Directory administrator should be provisioned for SQL servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9\",\r\n \"description\": \"Provision an Azure AD administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services.\",\r\n \"remediationDescription\": \"To provision an Azure AD administrator for SQL server, see Configure and manage Azure Active Directory authentication with SQL Database, Managed Instance, or SQL Data Warehouse\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/12018f4f-3d10-999b-e4c4-86ec25be08a1\",\r\n \"name\": \"12018f4f-3d10-999b-e4c4-86ec25be08a1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Virtual machines should be migrated to new Azure Resource Manager resources\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d\",\r\n \"description\": \"Virtual Machines (classic) was deprecated and these VMs should be migrated to Azure Resource Manager.
Because Azure Resource Manager now has full IaaS capabilities and other advancements, we deprecated the management of IaaS virtual machines (VMs) through Azure Service Manager (ASM) on February 28, 2020. This functionality will be fully retired on March 1, 2023.
Available resources and information about this tool & migration:
1. Overview of Virtual machines (classic) deprecation, step by step process for migration & available microsoft resources.
2. Details about Migrate to ARM migration tool.
3. Migrate to ARM migration tool using Power shell.\",\r\n \"remediationDescription\": \"To migrate virtual machines to new ARM resources:
1. Go to the Virtual machines (classic) Portal Blade.
2. Click on Migrate to ARM.
3. Click on Validate. If validate failed, use the suggested methods in the error messages or Migration Overview document to fix the errors.
4. Click on Prepare. If prepare failed, use the suggested methods in the error messages or Migration Overview document to fix the errors.
5. (Optional) Click on Abort to rollback migration.
6. Click on Commit. Commit finalizes the migration and cannot be rolled back.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/22e18b64-4576-41e6-8972-0eb28c9af0c8\",\r\n \"name\": \"22e18b64-4576-41e6-8972-0eb28c9af0c8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fb893a29-21bb-418c-a157-e99480ec364c\",\r\n \"description\": \"Upgrade your Kubernetes service cluster to a later Kubernetes version to protect against known vulnerabilities in your current Kubernetes version. Vulnerability CVE-2019-9946 has been patched in Kubernetes versions 1.11.9+, 1.12.7+, 1.13.5+, and 1.14.0+\",\r\n \"remediationDescription\": \"To upgrade a Kubernetes version using the Azure portal:
1. Go to Azure Kubernetes Services and click on the specific Kubernetes Service.
2. Under 'Upgrade' select the target Kubernetes version and save the change. Note:When you upgrade an AKS cluster, Kubernetes minor versions cannot be skipped. For example, upgrades between 1.10.x -> 1.11.x or 1.11.x -> 1.12.x are allowed, however 1.10.x -> 1.12.x is not. To upgrade from 1.10.x -> 1.12.x, first upgrade from 1.10.x -> 1.11.x, then upgrade from 1.11.x -> 1.12.x.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"ElevationOfPrivilege\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1a2b5b4c-f80d-46e7-ac81-b51a9fb363de\",\r\n \"name\": \"1a2b5b4c-f80d-46e7-ac81-b51a9fb363de\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Authorized IP ranges should be defined on Kubernetes Services\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e246bcf-5f6f-4f87-bc6f-775d4712c7ea\",\r\n \"description\": \"Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster.\",\r\n \"remediationDescription\": \"To configure authorized IP ranges, follow the steps described here Secure access to the API server using authorized IP address ranges in Azure Kubernetes Service (AKS). If you are using Basic load balancer, you need to first migrate to Standard to use authorized IP ranges.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DenialOfService\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a3eee263-aa01-4b52-a7c0-0094578ef48f\",\r\n \"name\": \"a3eee263-aa01-4b52-a7c0-0094578ef48f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Pod Security Policies should be defined on Kubernetes Services (Deprecated)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3abeb944-26af-43ee-b83d-32aaf060fb94\",\r\n \"description\": \"(Deprecated) Define Pod Security Policies to reduce the attack vector by removing unnecessary application privileges. It is recommended to configure Pod Security Policies to only allow pods to access the resources which they have permissions to access.\",\r\n \"remediationDescription\": \"To configure Pod Security Policies, follow the steps described here Secure your cluster using pod security policies in Azure Kubernetes Service (AKS).\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ElevationOfPrivilege\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b0fdc63a-38e7-4bab-a7c4-2c2665abbaa9\",\r\n \"name\": \"b0fdc63a-38e7-4bab-a7c4-2c2665abbaa9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Role-Based Access Control should be used on Kubernetes Services\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ac4a19c2-fa67-49b4-8ae5-0b2e78c49457\",\r\n \"description\": \"To provide granular filtering on the actions that users can perform, use Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service Clusters and configure relevant authorization policies. For more information, see Azure role-based access control.\",\r\n \"remediationDescription\": \"To Use Role-Based Access Control (RBAC) you must recreate your Kubernetes Service cluster and enable RBAC during the creation process. Creating a Kubernetes Service with RBAC enabled can be done via the portal as follows:
1. Go to Azure Kubernetes Services.
2. Click 'Add' and enter your cluster's configuration.
3. In the 'Authentication' tab, verify that the 'Enable RBAC' setting is set to 'Yes'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"ElevationOfPrivilege\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c6dad669-efd7-cd72-61c5-289935607791\",\r\n \"name\": \"c6dad669-efd7-cd72-61c5-289935607791\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Data Lake Analytics should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c95c74d9-38fe-4f0d-af86-0c7d626a315c\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Data Lake Analytics diagnostics:
1. Go to Data Lake Analytics and click on your subscription.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c42fc28d-1703-45fc-aaa5-39797f570513\",\r\n \"name\": \"c42fc28d-1703-45fc-aaa5-39797f570513\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerability assessment should be enabled on your SQL managed instances\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b7aa243-30e4-4c9e-bca8-d0d3022b634a\",\r\n \"description\": \"Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities.\",\r\n \"remediationDescription\": \"To enable vulnerability assessment on a managed instance:
1. Select the SQL managed instance.
2. Make sure that 'Advanced data security' is set to 'On'.
3. Under 'Vulnerability assessment settings', set 'Periodic recurring scans' to 'On', and configure a storage account for storing vulnerability assessment scan results.
4. Click Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ff6dbca8-d93c-49fc-92af-dc25da7faccd\",\r\n \"name\": \"ff6dbca8-d93c-49fc-92af-dc25da7faccd\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Defender for SQL should be enabled on your managed instances\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9\",\r\n \"description\": \"Azure Defender for SQL is a unified package that provides advanced SQL security capabilities. It surfaces and mitigates potential database vulnerabilities, and detects anomalous activities that could indicate a threat to your database. Azure Defender for SQL is billed as shown on the pricing page.\",\r\n \"remediationDescription\": \"To enable Azure Defender for SQL on managed SQL servers: 1. Select the managed SQL server. 2. Under 'Security Center', set Azure Defender for SQL to 'On'. 3. Under 'Vulnerability Assessment Settings', configure a storage account for storing vulnerability assessment scan results and set 'Periodic recurring scans' to 'On'. 4. Click Save.
Note: Azure Defender for SQL is billed as shown on the pricing page.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/35b25be2-d08a-e340-45ed-f08a95d804fc\",\r\n \"name\": \"35b25be2-d08a-e340-45ed-f08a95d804fc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Only secure connections to your Redis Cache should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/22bee202-a82f-4305-9a2a-6d7f44d4dedb\",\r\n \"description\": \"Enable only connections via SSL to Redis Cache. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.\",\r\n \"remediationDescription\": \"To enable only SSL connections to your Redis Cache, we recommend the following steps:
1. Go to the Redis Caches, and select your redis cache.
2. Select 'Advanced settings'.
3. For 'Allow access only via SSL', click 'Yes' and then click 'Save'.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/77785808-ce86-4e40-b45f-19110a547397\",\r\n \"name\": \"77785808-ce86-4e40-b45f-19110a547397\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in IoT Hub should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/383856f8-de7f-44a2-81fc-e5135b5c2aa4\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable IoT Hub diagnostics:
1. Go to the Event Hub namespace.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/32771b45-220c-1a8b-584e-fdd5a2584a66\",\r\n \"name\": \"32771b45-220c-1a8b-584e-fdd5a2584a66\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Batch accounts should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/428256e6-1fac-4f48-a757-df34c2b3336d\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Batch diagnostics:
1. Go to Batch and click on your subscription.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f11b27f2-8c49-5bb4-eff5-e1e5384bf95e\",\r\n \"name\": \"f11b27f2-8c49-5bb4-eff5-e1e5384bf95e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Azure Stream Analytics should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f9be5368-9bf5-4b84-9e0a-7850da98bb46\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Stream Analytics diagnostics:
1. Go to Stream Analytics and click on your subscription.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f19ab7d9-5ff2-f8fd-ab3b-0bf95dcb6889\",\r\n \"name\": \"f19ab7d9-5ff2-f8fd-ab3b-0bf95dcb6889\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Service Bus should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f8d36e2f-389b-4ee4-898d-21aeb69a0f45\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Service Bus diagnostics:
1. Go to the Service Bus.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b12bc79e-4f12-44db-acda-571820191ddc\",\r\n \"name\": \"b12bc79e-4f12-44db-acda-571820191ddc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Automation account variables should be encrypted\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735\",\r\n \"description\": \"It is important to enable encryption of Automation account variable assets when storing sensitive data.\",\r\n \"remediationDescription\": \"You should encrypt Automation Account Variables that store sensitive data. This step can only be taken at creation time.
If you have Automation Account Variables storing sensitive data that are not already encrypted, then you will need to delete them and recreate them as encrypted variables.
To apply encryption of the Automation account variable assets, in the Azure CLI - run the following command: Set-AzAutomationVariable -AutomationAccountName '{AutomationAccountName}' -Encrypted $true -Name '{VariableName}' -ResourceGroupName '{ResourceGroupName}' -Value '{Value}'
Read more here\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ad5bbaeb-7632-5edf-f1c2-752075831ce8\",\r\n \"name\": \"ad5bbaeb-7632-5edf-f1c2-752075831ce8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Azure Data Lake Store should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/057ef27e-665e-4328-8ea3-04b3122bd9fb\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Data Lake Store diagnostics:
1. Go to Data Lake Store and click on your subscription.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/dea5192e-1bb3-101b-b70c-4646546f5e1e\",\r\n \"name\": \"dea5192e-1bb3-101b-b70c-4646546f5e1e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Search services should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b4330a05-a843-4bc8-bf9a-cacce50c67f4\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Search diagnostics:
1. Go to Search and click on your subscription.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/03afeb6f-7634-adb3-0a01-803b0b9cb611\",\r\n \"name\": \"03afeb6f-7634-adb3-0a01-803b0b9cb611\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Service Fabric clusters should only use Azure Active Directory for client authentication\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b54ed75b-3e1a-44ac-a333-05ba39b99ff0\",\r\n \"description\": \"Perform Client authentication only via Azure Active Directory in Service Fabric\",\r\n \"remediationDescription\": \"To enable client authentication using Azure Active Directory follow the instructions to Set up Azure Active Directory for client authentication.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7f04fc0c-4a3d-5c7e-ce19-666cb871b510\",\r\n \"name\": \"7f04fc0c-4a3d-5c7e-ce19-666cb871b510\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/617c02be-7f02-4efd-8836-3180d47b6c68\",\r\n \"description\": \"Service Fabric provides three levels of protection (None, Sign and EncryptAndSign) for node-to-node communication using a primary cluster certificate. Set the protection level to ensure that all node-to-node messages are encrypted and digitally signed.\",\r\n \"remediationDescription\": \"To set 'ClusterProtectionLevel' inside Service Fabric ARM template to 'EncryptAndSign':
1. Go to the Service fabric cluster.
2. Click on 'Custom fabric settings'.
3. Click 'Add new', set the 'Security' section and update the 'ClusterProtectionLevel' property to 'EncryptAndSign'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1597605a-0faf-5860-eb74-462ae2e9fc21\",\r\n \"name\": \"1597605a-0faf-5860-eb74-462ae2e9fc21\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Event Hub should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83a214f7-d01a-484b-91a9-ed54470c9a6a\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Event Hub diagnostics:
1. Go to the Event Hub namespace.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/91387f44-7e43-4ecc-55f0-46f5adee3dd5\",\r\n \"name\": \"91387f44-7e43-4ecc-55f0-46f5adee3dd5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Logic Apps should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34f95f76-5386-4de7-b824-0d8478470c9d\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Logic Apps diagnostics:
1. Go to Logic Apps and click on your subscription.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/961eb649-3ea9-f8c2-6595-88e9a3aeedeb\",\r\n \"name\": \"961eb649-3ea9-f8c2-6595-88e9a3aeedeb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Virtual Machine Scale Sets should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7c1b1214-f927-48bf-8882-84f0af6588b1\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Virtual Machines Scale Sets diagnostics follow the instructions\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606\",\r\n \"description\": \"To benefit from new capabilities in Azure Resource Manager, you can migrate existing deployments from the Classic deployment model. Resource Manager enables security enhancements such as: stronger access control (RBAC), better auditing, ARM-based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management. Learn more\",\r\n \"remediationDescription\": \"To migrate storage accounts to new ARM resources :
1. Go to the Storage Account
2. Click on Migrate to ARM and follow the instructions.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/88bbc99c-e5af-ddd7-6105-6150b2bfa519\",\r\n \"name\": \"88bbc99c-e5af-ddd7-6105-6150b2bfa519\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Key Vault should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Key Vault diagnostics:
1. Go to Key Vault and click on your subscription.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/45d313c3-3fca-5040-035f-d61928366d31\",\r\n \"name\": \"45d313c3-3fca-5040-035f-d61928366d31\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Access to storage accounts with firewall and virtual network configurations should be restricted\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c\",\r\n \"description\": \"Review the settings of network access in your storage account firewall settings. It is recommended to configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premise clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges.\",\r\n \"remediationDescription\": \"
1. In your storage account, go to 'Firewalls and virtual networks'.
2. Under 'Allow access from', choose 'Selected networks'.
3. Configure the relevant virtual networks and IP ranges that should be allowed to access your storage account.
4. Configure \\\"Allow trusted Microsoft services to access your storage account\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": \"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Secure transfer to storage accounts should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9\",\r\n \"description\": \"Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.\",\r\n \"remediationDescription\": \"To enable secure transfer required:
1. In your storage account, go to the 'Configuration' page.
2. Enable 'Secure transfer required'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bd20bd91-aaf1-7f14-b6e4-866de2f43146\",\r\n \"name\": \"bd20bd91-aaf1-7f14-b6e4-866de2f43146\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"System updates on virtual machine scale sets should be installed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe\",\r\n \"description\": \"Install missing system security and critical updates to secure your Windows and Linux virtual machine scale sets.\",\r\n \"remediationDescription\": \"To install system updates:
1. Review the list of missing system updates.
2. Follow the steps to resolve the update, as described in the support link.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/45cfe080-ceb1-a91e-9743-71551ed24e94\",\r\n \"name\": \"45cfe080-ceb1-a91e-9743-71551ed24e94\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Log Analytics agent should be installed on your virtual machine scale sets\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a3a6ea0c-e018-4933-9ef0-5aaa1501449b\",\r\n \"description\": \"Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats. Data is collected using the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA), which reads various security-related configurations and event logs from the machine and copies the data to your workspace for analysis. You’ll also need to follow that procedure if your VMs are used by an Azure managed service such as Azure Kubernetes Service or Azure Service Fabric. You cannot configure auto-provisioning of the agent for Azure virtual machine scale sets. To deploy the agent on virtual machine scale sets (including those used by Azure managed services such as Azure Kubernetes Service and Azure Service Fabric), follow the procedure in the remediation steps.\",\r\n \"remediationDescription\": \"For information on how to add the Log analytics agent as an extension to your virtual machine scale set please see the following instructions. For information on how to deploy the log analytics agent at scale on virtual machine scale set using Azure Policy please see the following instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8941d121-f740-35f6-952c-6561d2b38d36\",\r\n \"name\": \"8941d121-f740-35f6-952c-6561d2b38d36\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities in security configuration on your virtual machine scale sets should be remediated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4\",\r\n \"description\": \"Remediate vulnerabilities in security configuration on your virtual machine scale sets to protect them from attacks.\",\r\n \"remediationDescription\": \"To remediate vulnerabilities in VM scale set security configurations:
1. Review the list of failed rules.
2. Fix each rule according to the instructions provided.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/21300918-b2e3-0346-785f-c77ff57d243b\",\r\n \"name\": \"21300918-b2e3-0346-785f-c77ff57d243b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Endpoint protection solution should be installed on virtual machine scale sets\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de\",\r\n \"description\": \"Install an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities.\",\r\n \"remediationDescription\": \"To install an endpoint protection solution:
1. Follow the instructions in How do I turn on antimalware in my virtual machine scale set\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e71020c2-860c-3235-cd39-04f3f8c936d2\",\r\n \"name\": \"e71020c2-860c-3235-cd39-04f3f8c936d2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Endpoint protection health failures should be remediated on virtual machine scale sets\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de\",\r\n \"description\": \"Remediate endpoint protection health failures on your virtual machine scale sets to protect them from threats and vulnerabilities.\",\r\n \"remediationDescription\": \"Resolve endpoint protection health issues on your VM scale sets to get full protection and coverage by Azure Security Center. To do this, follow the instructions in each of the possible endpoint protection health issues displayed on your virtual machine scale set.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6c99f570-2ce7-46bc-8175-cde013df43bc\",\r\n \"name\": \"6c99f570-2ce7-46bc-8175-cde013df43bc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Guest configuration extension should be installed on Windows virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/5fc23db3-dd4d-4c56-bcc7-43626243e601\",\r\n \"description\": \"Install the guest configuration agent to enable auditing settings inside a machine such as: - The configuration of the operating system
- Application configuration or presence
- Environment settings
Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'.
For more details, visit in-guest policies\",\r\n \"remediationDescription\": \"Quick fix remediation:
To remediate with a single click, in the Unhealthy resources tab (below), select the resources, and click 'Remediate'.
Read the remediation details in the confirmation box, and approve the remediation.
Note: It can take several minutes after remediation completes to see the resources in the 'healthy resources' tab.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/22489c48-27d1-4e40-9420-4303ad9cffef\",\r\n \"name\": \"22489c48-27d1-4e40-9420-4303ad9cffef\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Windows Defender Exploit Guard should be enabled on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/bed48b13-6647-468e-aa2f-1af1d3f4dd40\",\r\n \"description\": \"Windows Defender Exploit Guard leverages the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only).\",\r\n \"remediationDescription\": \"Enable controlled folder access: controlled folder access
The following attack surface rules should be enabled:
'be9ba2d9-53ea-4cdc-84e5-9b1eeee46550',
'b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4',
'9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2',
'd4f940ab-401b-4efc-aadc-ad5f3c50688a',
'd3e037e1-3eb8-44c8-a917-57927947596d',
'5beb7efe-fd9a-4556-801d-275e5ffc04cc',
'3b576869-a4ec-4529-8536-b80a7769e899',
'26190899-1602-49e8-8b27-eb1d0a1ce869',
'92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B',
'7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c',
'75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84'
For more information on visit:Learn more\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ThreatResistance\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/27ac71b1-75c5-41c2-adc2-858f5db45b08\",\r\n \"name\": \"27ac71b1-75c5-41c2-adc2-858f5db45b08\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Log Analytics agent should be installed on your Windows-based Azure Arc machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/d69b1763-b96d-40b8-a2d9-ca31e9fd0d3e\",\r\n \"description\": \"Security Center uses the Log Analytics agent (also known as MMA) to collect security events from your Azure Arc machines. To deploy the agent on all your Azure Arc machines, follow the remediation steps.\",\r\n \"remediationDescription\": \"To install the monitoring agent on your Arc machine:
1. From the Azure Arc machine's page, go to Extensions and select Add.
2. Follow the instructions to add the relevant extension.
You can also use ARM template or Azure Policies to manage the extension deployment to Arc servers. Learn more about Log Analytics agent for Windows.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/720a3e77-0b9a-4fa9-98b6-ddf0fd7e32c1\",\r\n \"name\": \"720a3e77-0b9a-4fa9-98b6-ddf0fd7e32c1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Log Analytics agent should be installed on your Linux-based Azure Arc machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/842c54e8-c2f9-4d79-ae8d-38d8b8019373\",\r\n \"description\": \"Security Center uses the Log Analytics agent (also known as OMS) to collect security events from your Azure Arc machines. To deploy the agent on all your Azure Arc machines, follow the remediation steps.\",\r\n \"remediationDescription\": \"To install the monitoring agent on your Arc machine:
1. From the Azure Arc machine's page, go to Extensions and select Add.
2. Follow the instructions to add the relevant extension.
You can also use ARM template or Azure Policies to manage the extension deployment to Arc servers. Learn more about Log Analytics agent for Linux.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fc84abc0-eee6-4758-8372-a7681965ca44\",\r\n \"name\": \"fc84abc0-eee6-4758-8372-a7681965ca44\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Validity period of certificates stored in Azure Key Vault should not exceed 12 months\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a075868-4c26-42ef-914c-5bc007359560\",\r\n \"description\": \"Ensure your certificates do not have a validity period that exceeds 12 months.\",\r\n \"remediationDescription\": \"To remediate you must create a new version of the certificate. Ensure that your application or service will be able to get a new version of the certificate before proceeding. Select a key vault from the list below. The list of certificates with a validity period that exceeds 12 months will appear. From the Azure Portal, open Azure Key Vault and select the vault with the certificate that needs to be replaced. Select the relevant certificate and the certificate details page opens. 1. On the certificate details page, select \\\"+ New Version\\\". The \\\"Create a Certificate\\\" pane opens. 2. Change the \\\"Validity period (in months)\\\" field to 12 or less. 3. Select \\\"Create\\\". 4. Ensure that you have set up auto-renewal, or have a process to renew your certificate prior to expiration.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"name\": \"51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Storage account public access should be disallowed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751\",\r\n \"description\": \"Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data, but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.\",\r\n \"remediationDescription\": \"To prevent public access to containers and blobs in your storage account:
1. In the Azure portal, navigate to your storage account.
2. From the settings menu, select \\\"Configuration\\\".
3. Set \\\"Allow Blob public access\\\" to \\\"Disabled\\\".
Learn more about public access
Note: It might take several minutes after remediation completes until the resource appears in the 'healthy resources' tab.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f2f595ec-5dc6-68b4-82ef-b63563e9c610\",\r\n \"name\": \"f2f595ec-5dc6-68b4-82ef-b63563e9c610\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Backup should be enabled for virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/013e242c-8828-4970-87b3-ab247555486d\",\r\n \"description\": \"Protect the data on your Azure virtual machines with Azure Backup.
Azure Backup is an Azure-native, cost-effective, data protection solution.
It creates recovery points that are stored in geo-redundant recovery vaults.
When you restore from a recovery point, you can restore the whole VM or specific files.\",\r\n \"remediationDescription\": \"1. To enable Azure Backup for an individual virtual machine, navigate to the virtual machine on the Azure portal and select 'Backup' from the menu.
In the screen that appears, you can then choose to backup the machine to a new or existing Recovery Services vault in the same location and subscription.
Learn more at https://aka.ms/AzureVMBackupDoc 2. To enable Azure Backup for virtual machines at scale, you can assign the policy 'Configure backup on VMs of a location to an existing central Vault in the same location' to a given scope.
This policy can be assigned to one subscription-location pair at a time.
Learn more at http://aka.ms/AzureBackupVMGovernance\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/23aa9cbe-c2fb-6a2f-6c97-885a6d48c4d1\",\r\n \"name\": \"23aa9cbe-c2fb-6a2f-6c97-885a6d48c4d1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Managed identity should be used in your function app\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0da106f2-4ca3-48e8-bc85-c638fe6aea8f\",\r\n \"description\": \"For enhanced authentication security, use a managed identity.
On Azure, managed identities eliminate the need for developers to have to manage credentials by providing an identity for the Azure resource in Azure AD and using it to obtain Azure Active Directory (Azure AD) tokens.\",\r\n \"remediationDescription\": \"To create a managed identity for your function app:
1. Go to the App Service for your API app 2. Navigate to Platform features 3. Select Identity 4. Use System assigned or User assigned identity following the steps described in this doc: https://aka.ms/managed-identity\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2ce368b5-7882-89fd-6645-885b071a2409\",\r\n \"name\": \"2ce368b5-7882-89fd-6645-885b071a2409\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Geo-redundant backup should be enabled for Azure Database for MariaDB\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0ec47710-77ff-4a3d-9181-6aa50af424d0\",\r\n \"description\": \"Azure Database for MariaDB allows you to choose the redundancy option for your database server.
It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery options in case of a region failure.
Configuring geo-redundant storage for backup is only allowed when creating a server.\",\r\n \"remediationDescription\": \"To configure your Azure Database for MariaDB server with geo-redundant backup during server creation, select the “Geo-Redundant” option for the server in the Compute + Storage configuration.
For more information, see: https://go.microsoft.com/fwlink/?linkid=2086853\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4a3d7cd3-f17c-637a-1ffc-614a01dd03cf\",\r\n \"name\": \"4a3d7cd3-f17c-637a-1ffc-614a01dd03cf\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Managed identity should be used in your web app\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2b9ad585-36bc-4615-b300-fd4435808332\",\r\n \"description\": \"For enhanced authentication security, use a managed identity.
On Azure, managed identities eliminate the need for developers to have to manage credentials by providing an identity for the Azure resource in Azure AD and using it to obtain Azure Active Directory (Azure AD) tokens.\",\r\n \"remediationDescription\": \"To create a managed identity for your web app:
1. Go to the App Service for your API app 2. Scroll to the Settings group in the left navigation 3. Select Identity 4. Use System assigned or User assigned identity following the steps described in this doc: https://aka.ms/managed-identity\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/95592ab0-ddc8-660d-67f3-6df1fadfe7ec\",\r\n \"name\": \"95592ab0-ddc8-660d-67f3-6df1fadfe7ec\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Geo-redundant backup should be enabled for Azure Database for PostgreSQL\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/48af4db5-9b8b-401c-8e74-076be876a430\",\r\n \"description\": \"Azure Database for PostgreSQL allows you to choose the redundancy option for your database server.
It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery options in case of a region failure.
Configuring geo-redundant storage for backup is only allowed when creating a server.\",\r\n \"remediationDescription\": \"To configure your Azure Database for PostgreSQL server with geo-redundant backup during server creation, select the “Geo-Redundant” option for the server in the Compute + Storage configuration.
For more information, see: https://go.microsoft.com/fwlink/?linkid=867615\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ca4e6a5a-3a9a-bad3-798a-d420a1d9bd6d\",\r\n \"name\": \"ca4e6a5a-3a9a-bad3-798a-d420a1d9bd6d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Web apps should request an SSL certificate for all incoming requests\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5bb220d9-2698-4ee4-8404-b9c30c9df609\",\r\n \"description\": \"Client certificates allow for the app to request a certificate for incoming requests.
Only clients that have a valid certificate will be able to reach the app.\",\r\n \"remediationDescription\": \"To set Client Certificates for your Web App:
1. Navigate to Azure App Service 2. Select Configuration 3. Go to the General Settings tab 4. Set Incoming Client Certificates to Require.
For more information, visit here: https://aka.ms/auth-tls\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8ad68a2f-c6b1-97b5-41b5-174359a33688\",\r\n \"name\": \"8ad68a2f-c6b1-97b5-41b5-174359a33688\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Geo-redundant backup should be enabled for Azure Database for MySQL\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/82339799-d096-41ae-8538-b108becf0970\",\r\n \"description\": \"Azure Database for MySQL allows you to choose the redundancy option for your database server.
It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery options in case of a region failure.
Configuring geo-redundant storage for backup is only allowed when creating a server.\",\r\n \"remediationDescription\": \"To configure your Azure Database for MySQL server with geo-redundant backup during server creation, select the “Geo-Redundant” option for the server in the Compute + Storage configuration.
For more information, see: https://go.microsoft.com/fwlink/?linkid=867608\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5a659d57-117d-bb18-65f6-54e51da1bb9b\",\r\n \"name\": \"5a659d57-117d-bb18-65f6-54e51da1bb9b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"TLS should be updated to the latest version for your API app\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e\",\r\n \"description\": \"Upgrade to the latest TLS version\",\r\n \"remediationDescription\": \"To update your API app to the latest TLS version:
1. Navigate to Azure App Service 2. Select TLS/SSL settings 3. Under the Protocol Settings section, choose the latest Minimum TLS Version.
For more information on managing TLS/SSL settings, visit here: https://aka.ms/add-tls\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/40394a2c-60fb-7cc5-1944-065772e94f05\",\r\n \"name\": \"40394a2c-60fb-7cc5-1944-065772e94f05\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs should be enabled in App Service\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b607c5de-e7d9-4eee-9e5c-83f1bcee4fa0\",\r\n \"description\": \"Audit enabling of diagnostic logs on the app.
This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised\",\r\n \"remediationDescription\": \"To enable App Service diagnostics:
1. Navigate to Azure App Service and select App Service logs 2. In Application logging, select File System 3. Specify the retention period for the logs 4. If using Azure monitor select Diagnostic settings and click Add diagnostic setting 5. Select one or more catagories of logs to collect 6. Select one of the options to store the diagnostics logs and follow the instructions.
For more information, visit https://aka.ms/enable-logs\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/cc6d1865-7617-3cb2-cf7d-4cfc01ece1df\",\r\n \"name\": \"cc6d1865-7617-3cb2-cf7d-4cfc01ece1df\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Managed identity should be used in your API app\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c4d441f8-f9d9-4a9e-9cef-e82117cb3eef\",\r\n \"description\": \"For enhanced authentication security, use a managed identity.
On Azure, managed identities eliminate the need for developers to have to manage credentials by providing an identity for the Azure resource in Azure AD and using it to obtain Azure Active Directory (Azure AD) tokens.\",\r\n \"remediationDescription\": \"To create a managed identity for your API app:
1. Go to the App Service for your API app 2. Scroll to the Settings group in the left navigation 3. Select Identity 4. Use System assigned or User assigned identity following the steps described in this doc: https://aka.ms/managed-identity\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1fde2073-a488-17e9-9534-5a3b23379b4b\",\r\n \"name\": \"1fde2073-a488-17e9-9534-5a3b23379b4b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Enforce SSL connection should be enabled for PostgreSQL database servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d158790f-bfb0-486c-8631-2dc6b4e8e6af\",\r\n \"description\": \"Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL).
Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application.
This configuration enforces that SSL is always enabled for accessing your database server.\",\r\n \"remediationDescription\": \"To enforce the use of SSL-based encrypted connections for all traffic to your Azure Database for PostgreSQL:
1. Select your Azure Database for PostgreSQL. 2. In Connection Security, set Enforce SSL connection to 'Enabled'.
For more information, see: https://go.microsoft.com/fwlink/?linkid=848213\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1f6d29f6-4edb-ea39-042b-de8f123ddd39\",\r\n \"name\": \"1f6d29f6-4edb-ea39-042b-de8f123ddd39\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Enforce SSL connection should be enabled for MySQL database servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e802a67a-daf5-4436-9ea6-f6d821dd0c5d\",\r\n \"description\": \"Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL).
Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application.
This configuration enforces that SSL is always enabled for accessing your database server.\",\r\n \"remediationDescription\": \"To enforce the use of SSL-based encrypted connections for all traffic to your Azure Database for MySQL:
1. Select your Azure Database for MySQL. 2. In Connection Security, set Enforce SSL connection to 'Enabled'.
For more information, see: https://go.microsoft.com/fwlink/?linkid=848211\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2a54c352-7ca4-4bae-ad46-47ecd9595bd2\",\r\n \"name\": \"2a54c352-7ca4-4bae-ad46-47ecd9595bd2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"TLS should be updated to the latest version for your web app\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b\",\r\n \"description\": \"Upgrade to the latest TLS version\",\r\n \"remediationDescription\": \"To update your web app to the latest TLS version:
1. Navigate to Azure App Service 2. Select TLS/SSL settings 3. Under the Protocol Settings section, choose the latest Minimum TLS Version.
For more information on managing TLS/SSL settings, visit here: https://aka.ms/add-tls\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/15be5f3c-e0a4-c0fa-fbff-8e50339b4b22\",\r\n \"name\": \"15be5f3c-e0a4-c0fa-fbff-8e50339b4b22\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"TLS should be updated to the latest version for your function app\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193\",\r\n \"description\": \"Upgrade to the latest TLS version\",\r\n \"remediationDescription\": \"To update your function app to the latest TLS version:
1. Navigate to Azure App Service 2. Select TLS/SSL settings 3. Under the Protocol Settings section, choose the latest Minimum TLS Version.
For more information on managing TLS/SSL settings, visit here: https://aka.ms/add-tls\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6b86d069-b3c3-b4d7-47c7-e73ddf786a63\",\r\n \"name\": \"6b86d069-b3c3-b4d7-47c7-e73ddf786a63\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"PHP should be updated to the latest version for your API app\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1bc1795e-d44a-4d48-9b3b-6fff0fd5f9ba\",\r\n \"description\": \"Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality.
Using the latest PHP version for API apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version.\",\r\n \"remediationDescription\": \"To set the PHP version for your API app, follow the instructions to show and set the version using the Azure CLI outlined in this document: https://aka.ms/configure-php\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7b2a234d-614b-562f-ac85-91b419688b59\",\r\n \"name\": \"7b2a234d-614b-562f-ac85-91b419688b59\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"PHP should be updated to the latest version for your web app\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7261b898-8a84-4db8-9e04-18527132abb3\",\r\n \"description\": \"Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality.
Using the latest PHP version for web apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version.\",\r\n \"remediationDescription\": \"To set the PHP version for your web app, follow the instructions to show and set the version using the Azure CLI outlined in this document: https://aka.ms/configure-php\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/39c63596-aa92-1b90-ee7c-628bee592cc0\",\r\n \"name\": \"39c63596-aa92-1b90-ee7c-628bee592cc0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Java should be updated to the latest version for your web app\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/496223c3-ad65-4ecd-878a-bae78737e9ed\",\r\n \"description\": \"Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality.
Using the latest Java version for web apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version.\",\r\n \"remediationDescription\": \"To set the latest Java version for your web app:
1. Navigate to Azure App Service 2. Go to Configuration 3. Select the latest Java version in the JVM drop down.
For more information, visit here: https://aka.ms/configure-java\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f0fd27eb-25aa-4335-0ba2-0720cccda9a4\",\r\n \"name\": \"f0fd27eb-25aa-4335-0ba2-0720cccda9a4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Java should be updated to the latest version for your function app\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc\",\r\n \"description\": \"Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality.
Using the latest Java version for function apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version.\",\r\n \"remediationDescription\": \"To set the latest Java version for your function app:
1. Navigate to Azure App Service 2. Go to Configuration 3. Select the latest Java version in the JVM drop down.
For more information, visit here: https://aka.ms/configure-java\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/08a3b009-0178-ee60-e357-e7ee5aea59c7\",\r\n \"name\": \"08a3b009-0178-ee60-e357-e7ee5aea59c7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Java should be updated to the latest version for your API app\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/88999f4c-376a-45c8-bcb3-4058f713cf39\",\r\n \"description\": \"Periodically, newer versions are released for Java either due to security flaws or to include additional functionality.
Using the latest Python version for API apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version.\",\r\n \"remediationDescription\": \"To set the latest Java version for your API app:
1. Navigate to Azure App Service 2. Go to Configuration 3. Select the latest Java version in the JVM drop down.
For more information, visit here: https://aka.ms/configure-java\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e8407fab-bf38-b0a4-79c1-068bbf82eca1\",\r\n \"name\": \"e8407fab-bf38-b0a4-79c1-068bbf82eca1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Python should be updated to the latest version for your web app\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7008174a-fd10-4ef0-817e-fc820a951d73\",\r\n \"description\": \"Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality.
Using the latest Python version for web apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version.\",\r\n \"remediationDescription\": \"To set the Python version for your web app, follow the instructions to show and set the version using the Azure CLI outlined in this document: https://aka.ms/configure-python\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/96327a68-4aec-5e76-8f0e-d4670bc5a3a7\",\r\n \"name\": \"96327a68-4aec-5e76-8f0e-d4670bc5a3a7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Python should be updated to the latest version for your function app\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7238174a-fd10-4ef0-817e-fc820a951d73\",\r\n \"description\": \"Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality.
Using the latest Python version for function apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version.\",\r\n \"remediationDescription\": \"To set the Python version for your function app, follow the instructions to show and set the version using the Azure CLI outlined in this document: https://aka.ms/configure-python\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c2c90d64-38e2-e984-1457-7f4a98168c72\",\r\n \"name\": \"c2c90d64-38e2-e984-1457-7f4a98168c72\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Python should be updated to the latest version for your API app\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/74c3584d-afae-46f7-a20a-6f8adba71a16\",\r\n \"description\": \"Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality.
Using the latest Python version for API apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version.\",\r\n \"remediationDescription\": \"To set the Python version for your API app, follow the instructions to show and set the version using the Azure CLI outlined in this document: https://aka.ms/configure-python\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c5b83aed-f53d-5201-8ffb-1f9938de410a\",\r\n \"name\": \"c5b83aed-f53d-5201-8ffb-1f9938de410a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Private endpoint should be enabled for PostgreSQL servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0564d078-92f5-4f97-8398-b9f58a51f70b\",\r\n \"description\": \"Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for PostgreSQL.
Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure.\",\r\n \"remediationDescription\": \"To configure Private Link for Azure Database for PostgreSQL:
1. Navigate to your Azure Database for PostgreSQL. 2. Select Private Endpoint Connections in the left-hand pane 3. Click on \\\"+Private Endpoint\\\" and follow the instructions provided https://docs.microsoft.com/azure/postgresql/howto-configure-privatelink-portal.
For more information, see: https://aka.ms/pgprivatelink\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ca9b93fe-6f1f-676c-2f31-d20f88fdbe56\",\r\n \"name\": \"ca9b93fe-6f1f-676c-2f31-d20f88fdbe56\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Private endpoint should be enabled for MariaDB servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a1302fb-a631-4106-9753-f3d494733990\",\r\n \"description\": \"Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MariaDB.
Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure.\",\r\n \"remediationDescription\": \"To configure Private Link for Azure Database for MariaDB:
1. Navigate to your Azure Database for MariaDB. 2. Select Private Endpoint Connections in the left-hand pane 3. Click on \\\"+Private Endpoint\\\" and follow the instructions provided https://docs.microsoft.com/azure/mariadb/howto-configure-privatelink-portal.
For more information, see: https://aka.ms/mariadbprivatelink\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/cec4922b-1eb3-cb74-660b-ffad9b9ac642\",\r\n \"name\": \"cec4922b-1eb3-cb74-660b-ffad9b9ac642\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Private endpoint should be enabled for MySQL servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7595c971-233d-4bcf-bd18-596129188c49\",\r\n \"description\": \"Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MySQL.
Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure.\",\r\n \"remediationDescription\": \"To configure Private Link for Azure Database for MySQL:
1. Navigate to your Azure Database for MySQL. 2. Select Private Endpoint Connections in the left-hand pane 3. Click on \\\"+Private Endpoint\\\" and follow the instructions provided https://docs.microsoft.com/azure/mysql/howto-configure-privatelink-portal.
For more information, see: https://aka.ms/mysqlprivatelink\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/620671b8-6661-273a-38ac-4574967750ec\",\r\n \"name\": \"620671b8-6661-273a-38ac-4574967750ec\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Audit retention for SQL servers should be set to at least 90 days\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/89099bee-89e0-4b26-a5f4-165451757743\",\r\n \"description\": \"Audit SQL servers configured with an auditing retention period of less than 90 days.\",\r\n \"remediationDescription\": \"To configure auditing retention on your Azure SQL server or Azure Synapse server:
1.From the Azure portal, select the Azure SQL Server or Azure Synapse resource. 2.From the menu, select Auditing. 3.Select Storage details. 4.To set a new retention period of 90 days or higher, manually enter a value or move the slider for Retention (Days). 5.Select OK.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/972a6579-f38f-c0b9-1b4b-a5bbeba3ab5b\",\r\n \"name\": \"972a6579-f38f-c0b9-1b4b-a5bbeba3ab5b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"FTPS should be required in your function App\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/399b2637-a50f-4f95-96f8-3a145476eb15\",\r\n \"description\": \"Enable FTPS enforcement for enhanced security\",\r\n \"remediationDescription\": \"To ensure enforcement of FTPS only for your function app:
1. Go to the App Service for your API app 2. Select Configuration, and go to the General Settings tab 3. In FTP state, select FTPS only.
For more information, visit here: https://aka.ms/deploy-ftp\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/19beaa2a-a126-b4dd-6d35-617f6cc83fca\",\r\n \"name\": \"19beaa2a-a126-b4dd-6d35-617f6cc83fca\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"FTPS should be required in your web App\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4d24b6d4-5e53-4a4f-a7f4-618fa573ee4b\",\r\n \"description\": \"Enable FTPS enforcement for enhanced security\",\r\n \"remediationDescription\": \"To ensure enforcement of FTPS only for your web app:
1. Go to the App Service for your API app 2. Select Configuration, and go to the General Settings tab 3. In FTP state, select FTPS only.
For more information, visit here: https://aka.ms/deploy-ftp\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/67fc622b-4ce6-8c52-08ae-9f830036b757\",\r\n \"name\": \"67fc622b-4ce6-8c52-08ae-9f830036b757\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"FTPS should be required in your API App\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9a1b8c48-453a-4044-86c3-d8bfd823e4f5\",\r\n \"description\": \"Enable FTPS enforcement for enhanced security\",\r\n \"remediationDescription\": \"To ensure enforcement of FTPS only for your API app:
1. Go to the App Service for your API app 2. Select Configuration, and go to the General Settings tab 3. In FTP state, select FTPS only.
For more information, visit here: https://aka.ms/deploy-ftp\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9d07b7e6-2986-4964-a76c-b2689604e212\",\r\n \"name\": \"9d07b7e6-2986-4964-a76c-b2689604e212\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Identical Authentication Credentials\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Identical authentication credentials to the IoT Hub used by multiple devices. This could indicate an illegitimate device impersonating a legitimate device. It also exposes the risk of device impersonation by an attacker\",\r\n \"remediationDescription\": \"Review the devices in question and make sure they are all valid. Replace any duplicated credentials and make sure all device authentication credentials are unique.\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5a3d6cdd-8eb3-46d2-ba11-d24a0d47fe65\",\r\n \"name\": \"5a3d6cdd-8eb3-46d2-ba11-d24a0d47fe65\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Default IP Filter Policy should be Deny\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"IP Filter Configuration should have rules defined for allowed traffic and should deny all other traffic by default\",\r\n \"remediationDescription\": \"Add a default rule at the end of the defined rules list to deny all inbound traffic. Make sure any rules defined above it only allow wanted traffic through.\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d8326952-60bb-40fb-b33f-51e662708a88\",\r\n \"name\": \"d8326952-60bb-40fb-b33f-51e662708a88\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IP Filter rule large IP range\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"An Allow IP Filter rule's source IP range is too large. Overly permissive rules might expose your IoT hub to malicious intenders\",\r\n \"remediationDescription\": \"Review the rule in question and verify source IP range is as small as it needs to be for necessary traffic to go through.\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1a36f14a-8bd8-45f5-abe5-eef88d76ab5b\",\r\n \"name\": \"1a36f14a-8bd8-45f5-abe5-eef88d76ab5b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Open Ports On Device\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"A listening endpoint was found on the device\",\r\n \"remediationDescription\": \"Review the open ports on the device and make sure they belong to legitimate and necessary processes for the device to function correctly\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ba975338-f956-41e7-a9f2-7614832d382d\",\r\n \"name\": \"ba975338-f956-41e7-a9f2-7614832d382d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Permissive firewall rule in the input chain was found\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"A rule in the firewall has been found that contains a permissive pattern for a wide range of IP addresses or Ports\",\r\n \"remediationDescription\": \"Review the rules in the recommendation and verify only necessary addresses / ports are allowed in\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/beb62be3-5e78-49bd-ac5f-099250ef3c7c\",\r\n \"name\": \"beb62be3-5e78-49bd-ac5f-099250ef3c7c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Permissive firewall policy in one of the chains was found\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"An allowed firewall policy was found in main firewall Chains (INPUT/OUTPUT). The policy should Deny all traffic by default define rules to allow necessary communication to/from the device\",\r\n \"remediationDescription\": \"Change firewall policy to Drop and add specific rules to permit access to legitimate connections to/from the device\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d5a8d84a-9ad0-42e2-80e0-d38e3d46028a\",\r\n \"name\": \"d5a8d84a-9ad0-42e2-80e0-d38e3d46028a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Permissive firewall rule in the output chain was found\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"A rule in the firewall has been found that contains a permissive pattern for a wide range of IP addresses or ports\",\r\n \"remediationDescription\": \"Review the rules in the recommendation and verify only necessary addresses / ports are allowed out\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5f65e47f-7a00-4bf3-acae-90ee441ee876\",\r\n \"name\": \"5f65e47f-7a00-4bf3-acae-90ee441ee876\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Operating system baseline validation failure\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Security related system configuration issues identified\",\r\n \"remediationDescription\": \"Review the failed rules and remediate the security configuration vulnerabilities identified on your devices\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a9a59ebb-5d6f-42f5-92a1-036fd0fd1879\",\r\n \"name\": \"a9a59ebb-5d6f-42f5-92a1-036fd0fd1879\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Agent sending underutilized messages\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"IoT agent message size capacity is currently underutilized, causing an increase in the number of sent messages. Adjust message intervals for better utilization\",\r\n \"remediationDescription\": \"To avoid too many underutilized messages, consider enlarging the high/low priority send intervals\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2acc27c6-5fdb-405e-9080-cb66b850c8f5\",\r\n \"name\": \"2acc27c6-5fdb-405e-9080-cb66b850c8f5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - TLS cipher suite upgrade needed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Unsecure TLS configurations detected. Immediate TLS cipher suite upgrade recommended\",\r\n \"remediationDescription\": \"Upgrade your TLS cipher suite to a secure configuration. See the Guide to TLS Standards Compliance for more information\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d74d2738-2485-4103-9919-69c7e63776ec\",\r\n \"name\": \"d74d2738-2485-4103-9919-69c7e63776ec\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Auditd process stopped sending events\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Security events originated from Auditd process are no longer received from this device\",\r\n \"remediationDescription\": \"Verify Auditd process is running on the device, restart process or device as needed\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2acd365d-e8b5-4094-bce4-244b7c51d67c\",\r\n \"name\": \"2acd365d-e8b5-4094-bce4-244b7c51d67c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Service principals should be used to protect your subscriptions instead of Management Certificates\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6646a0bd-e110-40ca-bb97-84fcee63c414\",\r\n \"description\": \"Management certificates allow anyone who authenticates with them to manage the subscription(s) they are associated with. To manage subscriptions more securely, using service principals with Resource Manager is recommended to limit the blast radius in the case of a certificate compromise. It also automates resource management. \",\r\n \"remediationDescription\": \"To remove management certificates and replace with service principals:
1. Follow the guidance here to create service principals with a certificate.
2. Select a subscription from the list of subscriptions below or navigate to the specific subscription.
3. You need to have co-admin access in order to complete this step. Select In the Management Certificates under Settings , delete the existing management certificates you would like to replace with the service principals you created.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/506a4392-1923-487e-b8d7-8a6aee123ad4\",\r\n \"name\": \"506a4392-1923-487e-b8d7-8a6aee123ad4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Application Load Balancer should be configured to redirect all HTTP requests to HTTPS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if redirection from HTTP to HTTPS is configured on all HTTP listeners of Application Load Balancers.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4fe7c40f-0e00-4561-a3db-9fb9a1445f8c\",\r\n \"name\": \"4fe7c40f-0e00-4561-a3db-9fb9a1445f8c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 buckets should require requests to use Secure Socket Layer\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"S3 buckets should have policies enabled that require all requests to accept only transmission of data over HTTPS in the S3 resource policy.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b26b4bb8-864b-44b7-9dbe-6ebc42784893\",\r\n \"name\": \"b26b4bb8-864b-44b7-9dbe-6ebc42784893\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 buckets should have server-side encryption enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if your Amazon S3 buckets have Amazon S3 default encryption configured or if the S3 bucket policy explicitly denies put-object requests without an encryption on server side\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c1769ad9-3c3a-4455-8d86-4d02dc2580f7\",\r\n \"name\": \"c1769ad9-3c3a-4455-8d86-4d02dc2580f7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"AWS Config should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if AWS Config is enabled for the current account and region. The AWS Config service manages configuration of supported AWS resources in your account and sends log files to you. Security Hub recommends AWS Config should be enabled in all regions.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bae62237-b51c-4b17-8a35-da91de00f768\",\r\n \"name\": \"bae62237-b51c-4b17-8a35-da91de00f768\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Hardware MFA should be enabled for the root user\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks whether your AWS account is enabled to use multi-factor authentication (MFA) hardware device to sign in with root credentials. MFA adds a layer of protection on top of a user name and password for accessing cardholder data environment. \",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9e06bec8-97f4-4b02-90d4-fa98ebab2079\",\r\n \"name\": \"9e06bec8-97f4-4b02-90d4-fa98ebab2079\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"MFA should be enabled for all IAM users\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if the AWS Identity and Access Management users have multi-factor authentication (MFA) enabled\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b78b295a-8bdb-431f-ab49-c599a219d1c1\",\r\n \"name\": \"b78b295a-8bdb-431f-ab49-c599a219d1c1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Virtual MFA should be enabled for the root user\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if users of your AWS account require a multi-factor authentication (MFA) device to sign in with root credentials.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5ca086b6-9bd4-4c07-b787-464f296ebb20\",\r\n \"name\": \"5ca086b6-9bd4-4c07-b787-464f296ebb20\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 buckets should prohibit public write access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks whether your S3 buckets enable public write access by checking the bucket policy, the Block Public Access settings, and the bucket access control list (ACL). Make sure that access to the bucket is restricted to authorized principals only.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7a15b790-008b-4501-85fe-2515a5bc2bd0\",\r\n \"name\": \"7a15b790-008b-4501-85fe-2515a5bc2bd0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 buckets should prohibit public read access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks whether your S3 buckets enable public read access by checking the bucket policy, the Block Public Access settings, and the bucket access control list (ACL).Make sure that access to the bucket is restricted to authorized principals only.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7526daaf-6485-41a7-93b3-257ef2903035\",\r\n \"name\": \"7526daaf-6485-41a7-93b3-257ef2903035\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM user credentials should be disabled if not used within a pre-defined number days\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if your AWS Identity and Access Management (IAM) users have inactive credentials that have not been used within a specified number of days, default is 90 days.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d7887c9e-34c3-4c5a-a214-8022007e41f9\",\r\n \"name\": \"d7887c9e-34c3-4c5a-a214-8022007e41f9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Password policies for IAM users should have strong configurations\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if the account password policy for IAM users uses the following configurations: Require at least one uppercase character in password (Default = true), Require at least one lowercase character in password (Default = true), Require at least one number in password (Default = true), Password minimum length (Default = 7 or longer), Number of passwords before allowing reuse (Default = 4), Number of days before password expiration (Default = 90).\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d8ae9e00-250a-4a8d-a295-5e40f2e13824\",\r\n \"name\": \"d8ae9e00-250a-4a8d-a295-5e40f2e13824\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM root user access key should not exist\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if the root user access key is available.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7b1ddbf7-6600-41a9-a23e-e7efb8668c01\",\r\n \"name\": \"7b1ddbf7-6600-41a9-a23e-e7efb8668c01\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM users should not have IAM policies attached\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks that none of your IAM users have attached policies, they must inherit permissions from IAM groups or roles.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c60f9b4d-853d-41d3-a516-f4dc505dd92c\",\r\n \"name\": \"c60f9b4d-853d-41d3-a516-f4dc505dd92c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM policies should not allow full \\\"*\\\" administrative privileges\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if the AWS Identity and Access Management (IAM) policies default version (also known as customer managed policies) do not have administrator access with a statement that has \\\"Effect\\\": \\\"Allow\\\" with \\\"Action\\\": \\\"*\\\" over \\\"Resource\\\": \\\"*\\\". It does not check inline and AWS Managed Policies, only for the Customer Managed Policies that you created.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a05b1517-27e4-402f-b5d7-3995cb4ffb1f\",\r\n \"name\": \"a05b1517-27e4-402f-b5d7-3995cb4ffb1f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Customer master key (CMK) rotation should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if key rotation is enabled for each customer master key (CMK). It doesn't check CMKs that have imported key material.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b8b4cd2e-d8ef-43fb-a09a-f8faad403309\",\r\n \"name\": \"b8b4cd2e-d8ef-43fb-a09a-f8faad403309\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Lambda functions should prohibit public access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if the Lambda resource has a Lambda function policy attached that prohibits public access\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e73c08d7-bf33-428c-9a35-047b93826c85\",\r\n \"name\": \"e73c08d7-bf33-428c-9a35-047b93826c85\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS snapshots should prohibit public access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if Amazon Relational Database Service (Amazon RDS) snapshots are public\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ce67af84-5a51-47e7-85e5-fe8cfa5b6237\",\r\n \"name\": \"ce67af84-5a51-47e7-85e5-fe8cfa5b6237\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS DB Instances should prohibit public access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if RDS instances are publicly accessible by checking the publiclyAccessible field in the instance configuration item.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d2f140fd-4b82-4e49-a312-a1aaea2d4b37\",\r\n \"name\": \"d2f140fd-4b82-4e49-a312-a1aaea2d4b37\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Redshift clusters should prohibit public access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if Redshift clusters are publicly accessible by checking the publiclyAccessible field in the cluster configuration item\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/529ab31c-7a8e-40f9-a004-91ac1d455fb1\",\r\n \"name\": \"529ab31c-7a8e-40f9-a004-91ac1d455fb1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CodeBuild GitHub or Bitbucket source repository URLs should use OAuth\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if the GitHub or Bitbucket source repository URL includes personal access tokens or user name and password.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8be46b23-a5fd-4ac6-8ec6-018b35b5afb5\",\r\n \"name\": \"8be46b23-a5fd-4ac6-8ec6-018b35b5afb5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Database Migration Service replication instances should not be public\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if AWS Database Migration Service replication instances are public by checking the field value of PubliclyAccessible.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b1dadb19-4295-4acb-a592-6b024008e686\",\r\n \"name\": \"b1dadb19-4295-4acb-a592-6b024008e686\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EBS snapshots should not be publicly restorable\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if Amazon Elastic Block Store snapshots aren't publicly restorable.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3a660f6d-c102-4fe5-be7b-82500b9ae065\",\r\n \"name\": \"3a660f6d-c102-4fe5-be7b-82500b9ae065\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 Block Public Access setting should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"S3 buckets should block public access, this checks if the following public access block settings are configured from an account level: ignorePublicAcls: True, blockPublicPolicy: True, blockPublicAcls: True, restrictPublicBuckets: True.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/93facfdb-6299-4c07-b650-bc43bc3bc18d\",\r\n \"name\": \"93facfdb-6299-4c07-b650-bc43bc3bc18d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"VPC default security group should prohibit inbound and outbound traffic\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks that the default security group of a VPC doesn't allow inbound or outbound traffic\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/390db523-709f-466d-8757-b0b54ea6a7bd\",\r\n \"name\": \"390db523-709f-466d-8757-b0b54ea6a7bd\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Security groups should not allow ingress from 0.0.0.0/0 to port 22\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. Restricting connectivity to remote console services, such as SSH, could help reduce a server's exposure to risk.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/86f26232-2132-4707-99ff-4e70ee16c3ab\",\r\n \"name\": \"86f26232-2132-4707-99ff-4e70ee16c3ab\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Unused EC2 security groups should be removed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks that security groups are attached to Amazon EC2 instances or to an ENI and are surfaces unused security groups.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/099e9ded-7834-43ad-be02-30114c800211\",\r\n \"name\": \"099e9ded-7834-43ad-be02-30114c800211\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon Elasticsearch domains should be in a VPC\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if Amazon Elasticsearch Service domains are in a VPC.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/40ba0792-0cf7-48e3-a629-d3871dc4b7c0\",\r\n \"name\": \"40ba0792-0cf7-48e3-a629-d3871dc4b7c0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Lambda functions should be in a VPC\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if all Lambda function are in a VPC\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5ce523c5-3508-40ef-98d3-ef440253ba6b\",\r\n \"name\": \"5ce523c5-3508-40ef-98d3-ef440253ba6b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CodeBuild project environment variables should not contain clear text credentials\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if a CodeBuild project includes environment variables AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ec43ef1b-935b-4b17-9273-e28fbb94a1c2\",\r\n \"name\": \"ec43ef1b-935b-4b17-9273-e28fbb94a1c2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Unused EC2 EIPs should be removed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"An accurate asset inventory of EIPs should be maintained by checking if Elastic IP addresses that are allocated to a VPC are attached to EC2 instances or in-use elastic network interfaces (ENIs)\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/023c4652-db6a-4f38-ae25-fe2c9a091459\",\r\n \"name\": \"023c4652-db6a-4f38-ae25-fe2c9a091459\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon SageMaker notebook instances should not have direct internet access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if direct internet access is disabled for an Amazon SageMaker notebook instance by checking the DirectInternetAccess field is set to disabled for an Amazon SageMaker notebook instance.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0650d086-6677-4776-9bb0-10aad0a7c6dd\",\r\n \"name\": \"0650d086-6677-4776-9bb0-10aad0a7c6dd\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudTrail logs should be encrypted at rest using AWS KMS CMKs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if AWS CloudTrail is configured to use the server side encryption (SSE) AWS Key Management Service (AWS KMS) customer master key (CMK) encryption.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f631914d-ed27-4d43-98ce-58aecc12eccf\",\r\n \"name\": \"f631914d-ed27-4d43-98ce-58aecc12eccf\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon Elasticsearch domains should have encryption at rest enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if Amazon Elasticsearch Service (Amazon ES) domains have encryption at rest configured.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/336631d3-ba44-4268-8abd-665d3950d775\",\r\n \"name\": \"336631d3-ba44-4268-8abd-665d3950d775\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"A log metric filter and alarm should exist for usage of the \\\"root\\\" user\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks the following metric filters : That the log group name is configured for use with multi-region CloudTrail activated, that there is at least one Event Selector for a Trail with IncludeManagementEvents configured to true and ReadWriteType configured to All, and that there is at least one subscriber active to an SNS topic associated to the alarm.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5db7555b-559c-4fe0-a2e1-d0aee04360e9\",\r\n \"name\": \"5db7555b-559c-4fe0-a2e1-d0aee04360e9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"VPC flow logging should be enabled in all VPCs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks whether Amazon Virtual Private Cloud flow logs are found and enabled for Amazon VPC(s) for packet rejects. VPC Flow Logs enable you to capture information about the IP address traffic to and from network interfaces in your VPC, and can help detect anomalous traffic.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4dd331be-aa29-4753-9f09-9fc2edf05bf2\",\r\n \"name\": \"4dd331be-aa29-4753-9f09-9fc2edf05bf2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudTrail trails should be integrated with Amazon CloudWatch Logs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if AWS CloudTrail trails are set to send logs to Amazon CloudWatch Logs\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6cf046b0-9a14-44ec-b35b-171982c78e9b\",\r\n \"name\": \"6cf046b0-9a14-44ec-b35b-171982c78e9b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudTrail should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if AWS CloudTrail is enabled in your AWS account\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/21eaabc0-9210-45fd-b7fc-0c9b255a0c16\",\r\n \"name\": \"21eaabc0-9210-45fd-b7fc-0c9b255a0c16\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudTrail log file validation should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if CloudTrail log file validation is enabled\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/75c358f9-f644-41d1-9a07-af69f5ee0e2f\",\r\n \"name\": \"75c358f9-f644-41d1-9a07-af69f5ee0e2f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EC2 instances managed by Systems Manager should have a patch compliance status of COMPLIANT after a patch installation\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks only EC2 instances managed by AWS Systems Manager, if after patch installation on the instances they are compliant . AWS Systems Manager is an AWS service that can be used control and view your AWS resources. Systems Manager scans the managed EC2 instances in order to maintain security and compliance, by reporting or taking action on a policy violation that is discovered. \",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6a9bbcb5-81a9-4164-8d17-03b255107dad\",\r\n \"name\": \"6a9bbcb5-81a9-4164-8d17-03b255107dad\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EC2 instances should be managed by AWS Systems Manager\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if AWS Systems Manager is configured to manage your EC2 instances. AWS Systems Manager is an AWS service that can be used control and view your AWS resources. Systems Manager scans the managed EC2 instances in order to maintain security and compliance, by reporting or taking action on a policy violation that is discovered. \",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/32b4b856-848d-4ce2-bec7-1a9be69bce6a\",\r\n \"name\": \"32b4b856-848d-4ce2-bec7-1a9be69bce6a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EC2 instances managed by Systems Manager should have an association compliance status of COMPLIANT\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if the status of the AWS Systems Manager association compliance is COMPLIANT or NON_COMPLIANT after the association has been executed on an instance\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5010098e-7bef-467c-baed-209d8a5afac4\",\r\n \"name\": \"5010098e-7bef-467c-baed-209d8a5afac4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 buckets should have cross-region replication enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if S3 buckets have cross-region replication enabled.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/94d42d13-40a6-47df-b16e-be141aae83c3\",\r\n \"name\": \"94d42d13-40a6-47df-b16e-be141aae83c3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Auto scaling groups associated with a load balancer should use health checks\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if your Auto Scaling groups that are associated with a load balancer are using Elastic Load Balancing health checks\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d5c82980-3fce-4c37-9ad3-9c69a1c59d8f\",\r\n \"name\": \"d5c82980-3fce-4c37-9ad3-9c69a1c59d8f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"GuardDuty should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if Amazon GuardDuty is enabled in your AWS account and region. Amazon GuardDuty is a continuous security monitoring service that can identify unexpected and potentially unauthorized and malicious activity within your AWS environment \",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bc85a7ee-7f43-47ab-8736-4faaec9346b5\",\r\n \"name\": \"bc85a7ee-7f43-47ab-8736-4faaec9346b5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"SSM agent should be installed on your AWS EC2 instances\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Systems Manager is an AWS service that can be used to control and view your AWS infrastructure. The AWS Systems Manager Agent (SSM Agent) is a software that can be installed and configured on a machine and makes it possible for Systems Manager to update and configure these resources. Security Center leverages the SSM Agent for automatic installation of Azure Arc, that enables greater parity for AWS instances to Azure VMs.\",\r\n \"remediationDescription\": \"First, Make sure EC2 instances are managed by Systems Manager: 1.Open AWS System Manager.
2. Choose Quick setup
3. keep the default options on the configuration screen.
4. Choose Set up Systems Manager.
For directions on installing and configuring the SSM Agent on Windows instances visit this page For directions on installing and configuring the SSM Agent on Linux instances visit this page \",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a7c8fa46-526d-4bf6-b8b3-17fa01310fd8\",\r\n \"name\": \"a7c8fa46-526d-4bf6-b8b3-17fa01310fd8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"AWS Security Hub should be enabled in every region in your AWS accounts\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS Security Hub is a regional service and customer must enable Security Hub in each region to view findings in that region. You should continuously monitor all regions across all of your AWS accounts for unauthorized behavior or misconfigurations, including regions you don’t use heavily.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit AWS security hub documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/20f6c761-4dd7-4f27-9e37-6db8471486ef\",\r\n \"name\": \"20f6c761-4dd7-4f27-9e37-6db8471486ef\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"AWS Security Hub should be enabled for all AWS member accounts\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS Security Hub provides you with a comprehensive view of your security state within AWS and your compliance with security standards and best practices. Integrating it into Security Center enables a comprehensive view across multiple cloud environments. any AWS member account related to an onboarded account should have Security Hub enabled as well.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit AWS security hub documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/726cde3e-02f8-4041-8935-727f2be19ba7\",\r\n \"name\": \"726cde3e-02f8-4041-8935-727f2be19ba7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that corporate login credentials are used\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Make sure to log in using the credentials of a fully-managed corporate account and not a personal account.\",\r\n \"remediationDescription\": \"Browse to GCP IAM & Admin. Select the checkbox next to non-corporate users, and then click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4a946e22-47e8-443d-8761-b25620b4a1e1\",\r\n \"name\": \"4a946e22-47e8-443d-8761-b25620b4a1e1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that multi-factor authentication is enabled for all non-service accounts\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Multi-Factor Authentication (MFA) must be enabled for all Google Cloud Platform accounts, excluding service accounts.\",\r\n \"remediationDescription\": \"Browse to GCP Security Settings and set up multi-factor authentication for all non-service accounts within the project.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0ad39832-f031-4fdd-885e-c6cce85ac77c\",\r\n \"name\": \"0ad39832-f031-4fdd-885e-c6cce85ac77c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Service Account has no Admin privileges\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that all service accounts are not configured with administrative roles.\",\r\n \"remediationDescription\": \"Browse to GCP IAM & Admin. Select Members and make sure that there aren't any 'User-Managed user created service account' accounts with one of the following roles: admin, editor, or owner.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/90191798-da1b-40dd-aa9c-1c0eafb1ba87\",\r\n \"name\": \"90191798-da1b-40dd-aa9c-1c0eafb1ba87\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that the 'Service Account User' and 'Service Account Token Creator' roles are not granted to users at a project level. Instead, grant these roles to users in the context of specific service accounts.\",\r\n \"remediationDescription\": \"Browse to GCP IAM & Admin. In the filter table field, enter 'Role: Service Account User' and click 'Delete' (bin icon) for every user listed. Similarly, filter using 'Role: Service Account Token Creator' and delete every user listed.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ddced3c8-a5e2-4dc4-b0fe-1331c77fc9c4\",\r\n \"name\": \"ddced3c8-a5e2-4dc4-b0fe-1331c77fc9c4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure user-managed/external keys for service accounts are rotated every 90 days or less\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that all service account keys are rotated every 90 days or less.\",\r\n \"remediationDescription\": \"Browse to APIs Credentials. Under 'Service Account Keys', for every External (user-managed) service account where the creation date is 90 days or more, delete the service account key and create a new one instead.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f493084a-d3c4-4886-8cf2-3c815aeef901\",\r\n \"name\": \"f493084a-d3c4-4886-8cf2-3c815aeef901\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Separation of duties is enforced while assigning service account related roles to users\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that there is a separation of duties. Also, make sure that users are not assigned with both 'Service Account Admin' and other 'Service Account User' roles.\",\r\n \"remediationDescription\": \"Browse to GCP IAM & Admin. Edit members with both 'Service Account Admin' and 'Service Account User', delete one of the roles, and then click 'Save'. \",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3053474d-4fab-4603-8d18-2a6dfd09f782\",\r\n \"name\": \"3053474d-4fab-4603-8d18-2a6dfd09f782\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure KMS encryption keys are rotated within a period of 90 days\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that Cloud KMS encryption keys are rotated every 90 days or less.\",\r\n \"remediationDescription\": \"Browse to GCP Security Kms. For every key ring, for every key in the key ring, do the following: Select 'Right side pop up the blade' > 'Edit rotation period' > 'Select a new rotation period' and specify a period of less than 90 days, and then specify a 'Starting on' date.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3ff38dcd-92e2-4b67-8765-35bb0174a4c7\",\r\n \"name\": \"3ff38dcd-92e2-4b67-8765-35bb0174a4c7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Separation of duties is enforced while assigning KMS related roles to users\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that there is a separation of duties and that there are no users assigned with both the 'Cloud KMS Admin' role and any of the following roles: 'Cloud KMS CryptoKey', 'Cloud KMS Encrypter/Decrypter', 'Cloud KMS CryptoKey Encrypter' or 'Cloud KMS CryptoKey Decrypterer'.\",\r\n \"remediationDescription\": \"Browse to GCP IAM & Admin. For the member that is listed at the recommendation, click 'Edit'. For the 'Cloud KMS Admin' role, click 'Delete', and then Click 'Save'. \",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/52f83ea2-6871-45c3-8b26-13566e966638\",\r\n \"name\": \"52f83ea2-6871-45c3-8b26-13566e966638\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure API keys are not created for a project\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that all API keys are not used within the scope of projects. The standard authentication flow should be implemented, since the use of API keys presents many security risks.\",\r\n \"remediationDescription\": \"Browse to APIs Credentials. Under 'API Keys', delete the relevant API Keys. These API keys should be replaced by a standard authentication flow as described In the Authentication overview [GCP docs authentication]\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/76e8881d-f18e-4e1b-b01d-376d0260e066\",\r\n \"name\": \"76e8881d-f18e-4e1b-b01d-376d0260e066\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure API keys are restricted to use by only specified Hosts and Apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that API keys are restricted, and used only by trusted hosts, HTTP referrers, or applications.\",\r\n \"remediationDescription\": \"Browse to APIs Credentials. Under 'API Keys', select 'API Key Name'. Under 'Key restrictions', set application restriction to HTTP referrers, IP Addresses, Android Apps, or iOS Apps, and then click 'Save'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0eaf40a8-5673-4b33-8457-a31d85882233\",\r\n \"name\": \"0eaf40a8-5673-4b33-8457-a31d85882233\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure API keys are restricted to only APIs that application needs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that API keys are restricted to only access API endpoints that are essential to the calling application.\",\r\n \"remediationDescription\": \"Browse to APIs Credentials. Under 'API Keys', select 'API Key Name'. For every API key, make sure that the 'Key restrictions' parameter 'API restrictions' is not set to 'None'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5a235918-41a2-4bd0-8ab0-00a596e9d6a8\",\r\n \"name\": \"5a235918-41a2-4bd0-8ab0-00a596e9d6a8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure API keys are rotated every 90 days\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that API keys are rotated every 90 days or less.\",\r\n \"remediationDescription\": \"Browse to APIs Credentials. Under 'API Keys'. Select 'API Key Name'. Click 'REGENERATE KEY' to rotate the API key, and then click 'Save'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f61e15f3-4bcf-4d2e-8f06-32237cabe0a0\",\r\n \"name\": \"f61e15f3-4bcf-4d2e-8f06-32237cabe0a0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud Audit Logging is configured properly across all services and all users from a project\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that Cloud Audit Logging is configured to track read and write activities across all supported services and for all users. Configured this way, all administrative activities, or attempts to access user data, will be tracked.\",\r\n \"remediationDescription\": \"Browse to GCP IAM & Admin Audit. On the 'Audit Log' page, select the 'Log type' tab. Select 'Admin read', 'Data read', and 'Data write', and then click 'Save'. Make sure there are no exemptions.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/cdb3af55-2abf-476b-aac7-5cfec366a4dd\",\r\n \"name\": \"cdb3af55-2abf-476b-aac7-5cfec366a4dd\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that sinks are configured for all log entries\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that all resource have a log sink configured, exporting copies of all the log entries to a centralized location such as a SIEM.\",\r\n \"remediationDescription\": \"Browse to GCP Logs viewer. Switch to the 'Advanced' filter bar, clear any text from the filter field, and then click 'Submit Filter'. Click 'Create Sink', fill out the required details, and then click 'Create Sink'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bc26b0d4-a1d7-4665-9d44-efc205ae73f0\",\r\n \"name\": \"bc26b0d4-a1d7-4665-9d44-efc205ae73f0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure log metric filter and alerts exist for project ownership assignments/changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure log metric filters and alerts are configured to monitor project ownership assignment/change actions.\",\r\n \"remediationDescription\": \"STEP A - Create a Log metric: Browse to GCP Logs metrics. Click 'Create Metric', switch to the 'Advanced' filter bar, and run the following query: (protoPayload.serviceName=\\\"cloudresourcemanager.googleapis.com\\\") AND (ProjectOwnership OR projectOwnerInvitee) OR (protoPayload.serviceData.policyDelta.bindingDeltas.action=\\\"REMOVE\\\" AND protoPayload.serviceData.policyDelta.bindingDeltas.role=\\\"roles/owner\\\") OR (protoPayload.serviceData.policyDelta.bindingDeltas.action=\\\"ADD\\\" AND protoPayload.serviceData.policyDelta.bindingDeltas.role=\\\"roles/owner\\\". In the 'Metric Editor' menu, provide a name for the field, set 'Units' to 1 and Type to 'Counter', then click 'Create Metric'. STEP B - Create Alert on Metrics: To create an alert policy, browse to GCP Logs metrics. Click 'Create alert from Metric', click 'Create alert from Metric', add Alert Triggers, and then click 'Save'. Configure the alert's notification channels, give it a name, and then click 'Save'. Finally, edit the alert policy and update the 'Target Aggregation' option to 'Count'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3812e247-34f2-4f06-a312-89a8fe51fa37\",\r\n \"name\": \"3812e247-34f2-4f06-a312-89a8fe51fa37\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for Audit Configuration changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure log metric filter and alerts are configured for Audit Configuration changes. Audit logging data is required for security analysis. Tracking the log metric filters and alerts is important to ensure that all activities in the projects are being audited as planned.\",\r\n \"remediationDescription\": \"STEP A - Create a Log metric: Browser to GCP Logs metrics. Click 'Create Metric', switch to the 'Advanced' filter bar, clear the text, and run the following query: protoPayload.methodName=\\\"SetIamPolicy\\\" AND protoPayload.serviceData.policyDelta.auditConfigDeltas:*. In the 'Metric Editor' menu, provide a name for the field, set 'Units' to 1 and 'Type to 'Counter', then click 'Create Metric'. STEP B - Create Alert on Metrics: To create an alert policy, browse to GCP Logs metrics. Click 'Create alert from Metric', click 'Create alert from Metric', add Alert Triggers, and then click 'Save'. Configure the alert's notification channels, give it a name, and then click 'Save'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f0f8405a-5ecc-4314-808e-083e030d6163\",\r\n \"name\": \"f0f8405a-5ecc-4314-808e-083e030d6163\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for Custom Role changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that log metric filter and alerts are configured for Custom Role changes. Monitoring role creation, update, or deletion may help to identify over-privileged or misused roles. \",\r\n \"remediationDescription\": \"STEP A - Create a Log metric: Browser to GCP Logs metrics. Click 'Create Metric', switch to the 'Advanced' filter bar, clear the text, and run the following query: resource.type=\\\"iam_role\\\" AND protoPayload.methodName = \\\"google.iam.admin.v1.CreateRole\\\" OR protoPayload.methodName=\\\"google.iam.admin.v1.DeleteRole\\\" OR protoPayload.methodName=\\\"google.iam.admin.v1.UpdateRole\\\". In the 'Metric Editor' menu, provide a name for the field, set 'Units' to 1 and 'Type to 'Counter', then click 'Create Metric'. STEP B - Create Alert on Metrics: To create an alert policy, browse to GCP Logs metrics. Click 'Create alert from Metric', click 'Create alert from Metric', add Alert Triggers, and then click 'Save'. Configure the alert's notification channels, give it a name, and then click 'Save'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c23e0eec-eee4-4632-b1c2-6c884c3c963b\",\r\n \"name\": \"c23e0eec-eee4-4632-b1c2-6c884c3c963b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for VPC Network Firewall rule changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that log metric filter and alerts are configured for Virtual Private Cloud (VPC) Network Firewall rule changes. Firewall create or update rule events indicate network access changes, which may indicate suspicious activity.\",\r\n \"remediationDescription\": \"STEP A - Create a Log metric: Browser to GCP Logs metrics. Click 'Create Metric', switch to the 'Advanced' filter bar, clear the text, and run the following query: resource.type=\\\"gce_firewall_rule\\\" AND jsonPayload.event_subtype=\\\"compute.firewalls.patch\\\" OR jsonPayload.event_subtype=\\\"compute.firewalls.insert\\\". In the 'Metric Editor' menu, fill the name field, set Units to 1, and the Type to Counter. Click on 'Create Metric'. STEP B - Create Alert on Metrics: To create an alert policy, browse to https://console.cloud.google.com/logs/metrics. Click 'Create alert from Metric', click 'Create alert from Metric', add Alert Triggers, and then click 'Save'. Configure the alert's notification channels, give it a name, and then click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7ce5a01f-e94b-438a-8b72-fa02c076f11a\",\r\n \"name\": \"7ce5a01f-e94b-438a-8b72-fa02c076f11a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for VPC network route changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that the log metric filter and alerts are configured for Virtual Private Cloud (VPC) network route changes. Monitoring network route changes to route tables may indicate of a suspicious activity.\",\r\n \"remediationDescription\": \"STEP A - Create a Log metric: Browser to GCP Logs metrics. Click 'Create Metric', switch to the 'Advanced' filter bar, clear the text, and run the following query: resource.type=\\\"gce_route\\\" AND jsonPayload.event_subtype=\\\"compute.routes.delete\\\" OR jsonPayload.event_subtype=\\\"compute.routes.insert\\\". In the 'Metric Editor' menu, fill the name field, set Units to 1, and the Type to Counter. Click on 'Creat Metric'. STEP B - Create Alert on Metrics: To create an alert policy, browse to GCP Logs metrics. Click 'Create alert from Metric', click 'Create alert from Metric', add Alert Triggers, and then click 'Save'. Configure the alert's notification channels, give it a name, and then click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0b86a67f-bde5-4c91-b10c-4102033b8692\",\r\n \"name\": \"0b86a67f-bde5-4c91-b10c-4102033b8692\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for VPC network changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that the log metric filter and alerts are configured for Virtual Private Cloud (VPC) network changes. Monitoring network changes to the VPC is important to make sure it is not compromised.\",\r\n \"remediationDescription\": \"STEP A - Create a Log metric: Browser to GCP Logs metrics. Click 'Create Metric', switch to the 'Advanced' filter bar, clear the text, and run the following query: resource.type=gce_network AND jsonPayload.event_subtype=\\\"compute.networks.insert\\\" OR jsonPayload.event_subtype=\\\"compute.networks.patch\\\" OR jsonPayload.event_subtype=\\\"compute.networks.delete\\\" OR jsonPayload.event_subtype=\\\"compute.networks.removePeering\\\" OR jsonPayload.event_subtype=\\\"compute.networks.addPeering\\\". In the 'Metric Editor' menu, fill the name field, set Units to 1, and the Type to Counter. Click on 'Create Metric'. STEP B - Create Alert on Metrics: To create an alert policy, browse to GCP Logs metrics. Click 'Create alert from Metric', click 'Create alert from Metric', add 'Alert Triggers', and then click 'Save'. Configure the alert's notification channels, give it a name, and then click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/46e4e0ed-106d-405e-b1a9-ca34c8f7d31f\",\r\n \"name\": \"46e4e0ed-106d-405e-b1a9-ca34c8f7d31f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for Cloud Storage IAM permission changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"\\\"Ensure that the log metric filter and alerts are configured for Cloud Storage IAM permission changes. Monitoring changes to a storage bucket permissions can help identify malicious attempts to access a sensitive storage buckets and objects inside buckets.\",\r\n \"remediationDescription\": \"STEP A - Create a Log metric: Browser to GCP Logs metrics. Click 'Create Metric', switch to the 'Advanced' filter bar, clear the text, and run the following query: resource.type=gcs_bucket AND protoPayload.methodName=\\\"storage.setIamPermissions\\\". In the 'Metric Editor' menu, fill the name field, set Units to 1, and the Type to Counter. Click on 'Create Metric'. STEP B - Create Alert on Metrics: To create an alert policy, browse to GCP Logs metrics. Click 'Create alert from Metric', click 'Create alert from Metric', add Alert Triggers, and then click 'Save'. Configure the alert's notification channels, give it a name, and then click 'Save'.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b1294b0d-9b2e-4e1b-9f67-77a75fb10a65\",\r\n \"name\": \"b1294b0d-9b2e-4e1b-9f67-77a75fb10a65\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for SQL instance configuration changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that the log metric filter and alerts are configured for SQL instance configuration changes. Monitoring changes to an SQL instance can help identify malicious attempts to access a sensitive data stored in an SQL instance. \",\r\n \"remediationDescription\": \"STEP A - Create a Log metric: Browser to GCP Logs metrics. Click 'Create Metric', switch to the 'Advanced' filter bar, clear the text, and run the following query: protoPayload.methodName=\\\"cloudsql.instances.update\\\". In the 'Metric Editor' menu, fill the name field, set Units to 1, and the Type to Counter. Click on 'Create Metric'. STEP B - Create Alert on Metrics: To create an alert policy, browse to GCP Logs metrics. Click 'Create alert from Metric', click 'Create alert from Metric', add Alert Triggers, and then click 'Save'. Configure the alert's notification channels, give it a name, and then click 'Save'.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ece6ec5d-a862-4e22-a8db-271661216018\",\r\n \"name\": \"ece6ec5d-a862-4e22-a8db-271661216018\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the default network does not exist in a project\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that projects do not have a default network. A default predefined network generates multiple unsecure firewall rules that are not audit logged, cannot be configured to enable firewall rule logging, and do not allow the use of a Cloud VPN or VPC Network Peering with the default network.\",\r\n \"remediationDescription\": \"Browse to GCP Networks List. Select the 'default' network. On the network detail page, click 'edit', and then click 'Delete VPC network'. If required, you can to create a new network with custom firewall rules to replace the 'default' network.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3af5de46-fda8-4b6e-90f1-6565187d7c48\",\r\n \"name\": \"3af5de46-fda8-4b6e-90f1-6565187d7c48\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure legacy networks do not exist for a project\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that all projects do not have a legacy network. Legacy networks may have an impact for high network traffic projects and pose a single point of contention or failure.\",\r\n \"remediationDescription\": \"Create a non-legacy network and then delete the legacy networks using the following command: 'gcloud compute networks delete my-legacy-network'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e40b679a-f44e-4366-87dd-7693e16a2128\",\r\n \"name\": \"e40b679a-f44e-4366-87dd-7693e16a2128\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that DNSSEC is enabled for Cloud DNS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that Domain Name System Security Extensions (DNSSEC) is enabled for Cloud DNS zones. DNSSEC helps mitigate the risk of a DNS hijacking and man-in-the-middle attacks, by preventing attackers from issuing fake DNS responses that may misdirect browsers to malicious websites.\",\r\n \"remediationDescription\": \"Browse to GCP DNS zones. For each zone of type 'Public', set DNSSEC to 'On'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/049f1551-438b-444e-8904-a3c3afbcb43e\",\r\n \"name\": \"049f1551-438b-444e-8904-a3c3afbcb43e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that RSASHA1 is not used for the key-signing key in Cloud DNS DNSSEC\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that RSA-SHA1 is not used as the key-signing key in Domain Name System Security Extensions (DNSSEC).\",\r\n \"remediationDescription\": \"To change the settings for a managed zone where RSA-SHA1 has been enabled: Turn off DNSSEC, modify they settings, and then turn on DNSSEC again. Finally, update the key-signing for the reported managed DNS Zone.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/cc637123-c11e-40ee-adf8-93c0876481f4\",\r\n \"name\": \"cc637123-c11e-40ee-adf8-93c0876481f4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that RSASHA1 is not used for the zone-signing key in Cloud DNS DNSSEC\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that RSA-SHA1 is not used as the zone-signing key in Domain Name System Security Extensions (DNSSEC).\",\r\n \"remediationDescription\": \"To change the settings for a managed zone where RSA-SHA1 has been enabled: Turn off DNSSEC, modify they settings, and then turn on DNSSEC again. Finally, update the zone-signing for the reported managed DNS Zone.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0327f9da-f758-4d69-8903-55448b8cf70e\",\r\n \"name\": \"0327f9da-f758-4d69-8903-55448b8cf70e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that SSH access is restricted from the internet\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that SSH access is restricted from the internet because it can be used as initial access to the network. Prevent inbound traffic via SSH (port 22) from the internet using the generic IP address (0.0.0.0/0).\",\r\n \"remediationDescription\": \"Browser to GCP Networks List. Select 'Firewall Rules', edit the relevant rule, under 'Source IP ranges' replace the value with a specific IP address, and then click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/684307e9-62a8-4f2a-887a-4b90de5e4b98\",\r\n \"name\": \"684307e9-62a8-4f2a-887a-4b90de5e4b98\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that RDP access is restricted from the Internet\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that RDP access is restricted from the internet, as is may be used for initial access to the network. Prevent inbound traffic via RDP (port 3389) from the internet using the generic IP address (0.0.0.0/0). \",\r\n \"remediationDescription\": \"Browser to GCP Networks List. Select 'Firewall Rules', edit the relevant rule, under 'Source IP ranges' replace the value with a specific IP address, and then click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3d55e4b1-ecdb-4eaf-9e3f-b00a764182bd\",\r\n \"name\": \"3d55e4b1-ecdb-4eaf-9e3f-b00a764182bd\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that all VPC Flow Logs are enabled, for every subnet in a VPC Network.\",\r\n \"remediationDescription\": \"Browse to GCP Networks List. Select the relevant subnet, click 'Edit', set 'Flow Logs' to 'On', and then click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c28a89d9-7cf4-439b-a8c4-ad4e769f68ee\",\r\n \"name\": \"c28a89d9-7cf4-439b-a8c4-ad4e769f68ee\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure no HTTPS or SSL proxy load balancers permit SSL policies with weak cipher suites\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that there are no HTTPS or SSL Proxy Load Balancers that use weak SSL policies with TLS or 1.1.\",\r\n \"remediationDescription\": \"Browser to GCP SSL Policies. Select the relevant policy, click 'Edit', set 'Minimum TLS version' to 'TLS 1.2', set 'Profile' to 'Modern' or 'Restricted', and then click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/233da9cd-11bf-463a-8aa7-4c81b9e788d1\",\r\n \"name\": \"233da9cd-11bf-463a-8aa7-4c81b9e788d1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that instances are not configured to use the default service account with full access to all Cloud APIs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that all instances are not configured to use the default service account with full access to all Google Cloud APIs.\",\r\n \"remediationDescription\": \"Browse to GCP Compute instances. Select the relevant VM instance, stop the instance if it is currently started, and then click 'Edit'. Under 'Service Account', select 'Compute Engine default service account', make sure that 'Allow full access to all Cloud APIs' is not selected, click 'Save' and then 'Start'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1ff4501b-2109-4ef6-ba9d-e824a96d63d0\",\r\n \"name\": \"1ff4501b-2109-4ef6-ba9d-e824a96d63d0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure \\\"Block Project-wide SSH keys\\\" is enabled for VM instances\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that no project-wide SSH keys are used for VM instances, as they enable login to all instances in the project.\",\r\n \"remediationDescription\": \"Browse to GCP Compute instances. Select the impacted instance, click 'Edit', under 'SSH Keys', select 'Block project-wide SSH keys', and then click 'Save'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fa924a53-0837-4296-9bf7-18ce7dd68593\",\r\n \"name\": \"fa924a53-0837-4296-9bf7-18ce7dd68593\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure oslogin is enabled for a Project\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that OS login is enabled for all projects, as this pairs the SSH keys in use with IAM users. \",\r\n \"remediationDescription\": \"Browse to GCP Compute metadata. Click 'Edit', add metadata key for 'enable-oslogin' with value 'TRUE', and then click 'Save'. For every instances that overrides the project setting, browse to GCP Compute instances. Select the relevant instance name, click 'Edit', under 'custom metadata', remove 'enable-oslogin' keys with the value 'FALSE', and then click 'Save'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c4131c22-1ecc-4beb-9961-d90108bd975f\",\r\n \"name\": \"c4131c22-1ecc-4beb-9961-d90108bd975f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure 'Enable connecting to serial ports' is not enabled for VM Instance\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that 'Enable connecting to serial ports' is not enabled for all VM Instance. When the interactive serial console is enabled for an instance, clients can connect to the instance from any IP address using the proper username and SSH key.\",\r\n \"remediationDescription\": \"Browse to GCP Compute instances. Select the relevant instance, under 'Remote access', make sure that 'Enable connecting to serial ports' is not selected.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3b1713ec-feb3-4b32-b5b0-251acff0a84a\",\r\n \"name\": \"3b1713ec-feb3-4b32-b5b0-251acff0a84a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that IP forwarding is not enabled on Instances\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"To prevent data loss, forwarding of data packets should not be enabled on instances.\",\r\n \"remediationDescription\": \"Browse to GCP Compute instances. Select the relevant instance, under 'Network interfaces', make sure that 'IP forwarding' is set to 'Off' for every network interface.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6be98232-0100-474a-b33d-ba9c1a747f70\",\r\n \"name\": \"6be98232-0100-474a-b33d-ba9c1a747f70\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure VM disks for critical VMs are encrypted with Customer-Supplied Encryption Keys (CSEK)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By default, all data at rest is encrypted by Google Compute Engine. Make sure that VM disks are encrypted using Customer-Supplied Encryption Keys (CSEK) enabling you to control and manage the encryption keys yourself.\",\r\n \"remediationDescription\": \"Browse to GCP Compute disks. Select the relevant disk and make sure that the 'Encryption type' is set to 'Customer supplied'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9e1789cd-7b61-42db-ba12-7268283ba466\",\r\n \"name\": \"9e1789cd-7b61-42db-ba12-7268283ba466\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure Compute instances are launched with Shielded VM enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"To protect against advanced threats, a Compute Engine instance using a public image and must be launched with a Shielded VM. It is also important to verify that the boot loader and firmware on the VMs are signed and untampered.\",\r\n \"remediationDescription\": \"Browse to GCP Compute instances. Select the relevant instance, under 'Shielded VM', make sure that 'Turn on vTPM' and 'Turn on Integrity Monitoring' are enabled.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0bdcd23c-4ff2-4077-aa14-eb6950bfbdd8\",\r\n \"name\": \"0bdcd23c-4ff2-4077-aa14-eb6950bfbdd8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Compute instances do not have public IP addresses\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Compute instances must not be configured with public IP addresses.\",\r\n \"remediationDescription\": \"Browse to GCP Firewalls List. Edit each firewall rule in the list, under 'Source IP ranges', modify the IP address values to restrict access from public IP addresses, like 0.0.0.0/0.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/79b4eb34-c06e-49bf-883d-5352a21a962f\",\r\n \"name\": \"79b4eb34-c06e-49bf-883d-5352a21a962f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud Storage bucket is not anonymously or publicly accessible\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that an IAM policy on Cloud Storage buckets does not allow anonymous or public access so sensitive data.\",\r\n \"remediationDescription\": \"To restrict access to Cloud Storage Buckets: Browse to GCP Storage browser. Select the relevant bucket, select 'Permissions', and then under 'Role(s)', remove all Cloud IAM permissions that were granted to 'allUsers' and 'allAuthenticatedUsers'. To restrict access from public addresses: browse to GCP Firewalls List.. Edit each firewall rule in the list, under 'Source IP ranges', modify the IP adress values to restrict access from public IP addresses, like 0.0.0.0/0.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a2bb3a1b-4a09-4cf7-9e79-c438687e2c2f\",\r\n \"name\": \"a2bb3a1b-4a09-4cf7-9e79-c438687e2c2f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud Storage buckets have uniform bucket-level access enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"For simple and unified resource access, ensure that Cloud Storage buckets have uniform bucket-level access enabled.\",\r\n \"remediationDescription\": \"Browse to GCP Storage browser. Edit the relevant bucket, under 'Access Control', select 'Uniform', and then click 'Save'.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a3ebc80a-847b-46d5-a37d-8dca5e6947df\",\r\n \"name\": \"a3ebc80a-847b-46d5-a37d-8dca5e6947df\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the Cloud SQL database instance requires all incoming connections to use SSL\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that the Cloud SQL Database instance requires all incoming connections to always use SSL encryption.\",\r\n \"remediationDescription\": \"Browse to GCP Sql instances, select the relevant instance and under 'Connections', select 'Allow only SSL connections'.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1f386f4e-449e-41e8-b829-a2fe01086ae1\",\r\n \"name\": \"1f386f4e-449e-41e8-b829-a2fe01086ae1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud SQL database instances are not open to the world\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Cloud SQL instances must be configured to only accept connections from trustworthy networks and/or IP addresses and restrict all other access. \",\r\n \"remediationDescription\": \"Browse to GCP Firewalls List. Edit each firewall rule in the list, under 'Source IP ranges', modify the IP address values to restrict access from public IP addresses, like 0.0.0.0/0.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2f6c8a5a-9407-467c-8082-0ad4ab915d77\",\r\n \"name\": \"2f6c8a5a-9407-467c-8082-0ad4ab915d77\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud SQL database instances do not have public IPs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Cloud SQL instances must be configured to use private IP addresses, and not public IP addresses.\",\r\n \"remediationDescription\": \"Browse to GCP Firewalls List. Edit each firewall rule in the list, under 'Source IP ranges', modify the IP address values to restrict access from public IP addresses, like 0.0.0.0/0.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/664c6a0b-5cd2-4140-aaff-a94241c07afd\",\r\n \"name\": \"664c6a0b-5cd2-4140-aaff-a94241c07afd\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud SQL database instances are configured with automated backups\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Cloud SQL database instances must be configured with automated backups.\",\r\n \"remediationDescription\": \"Browse to GCP Sql instances. Select the relevant instance, and under 'Backups', make sure that 'Automated backups' is set to 'Enabled' and that the 'Backup time' is set.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5723400d-5b2a-45f1-99ee-837986866318\",\r\n \"name\": \"5723400d-5b2a-45f1-99ee-837986866318\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that BigQuery datasets are not anonymously or publicly accessible\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"To ensure that sensitive data is not compromised, IAM policies on BigQuery datasets must not allow anonymous or public access.\",\r\n \"remediationDescription\": \"Browse to GCP Firewalls List. Edit each firewall rule in the list, under 'Source IP ranges', modify the IP address values to restrict access from public IP addresses, like 0.0.0.0/0.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/582c14e9-48c1-4b25-ab93-91bdeaf9120c\",\r\n \"name\": \"582c14e9-48c1-4b25-ab93-91bdeaf9120c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Avoid the use of the \\\"root\\\" account\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"The \\\"root\\\" account is the most privileged account and has unrestricted access to all resources in the AWS account. It is highly recommended to avoid use of this account.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1f24d55a-df0f-4772-9090-4629c2d6bfff\",\r\n \"name\": \"1f24d55a-df0f-4772-9090-4629c2d6bfff\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Multi-Factor Authentication (MFA) should be enabled on all accounts that have a console password.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8a10942a-02ca-483f-81ae-2260ea7808cc\",\r\n \"name\": \"8a10942a-02ca-483f-81ae-2260ea7808cc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure credentials unused for 90 days or greater are disabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS resources can be accessed by using different types of credentials by AWS IAm users. Credentials such as passwords or access keys that haven't been used in 90 days or more should be deactivated or removed.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9b8eac17-6b11-4b94-9bb4-18c81aee7123\",\r\n \"name\": \"9b8eac17-6b11-4b94-9bb4-18c81aee7123\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure access keys are rotated every 90 days or less\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Access keys consist of an access key ID and secret access key. they are used to sign programmatic requests made to AWS. Access keys should be regularly rotated to reduce chance of access key used that is associated with a compromised or terminated account and ensure that data can't be accessed with an old key that might have been lost, cracked, or stolen.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/554ba13c-d7d4-4530-88ce-94cf11a670ce\",\r\n \"name\": \"554ba13c-d7d4-4530-88ce-94cf11a670ce\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy requires at least one uppercase letter\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Password policy should require at least one uppercase letter to enforce password complexity requirements . \",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/66a1d478-4d24-42d4-8eca-dcdab6532a18\",\r\n \"name\": \"66a1d478-4d24-42d4-8eca-dcdab6532a18\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy requires at least one lowercase letter\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Password policy should require at least one lowercase letter to enforce password complexity requirements . \",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b396f112-a462-4813-a93f-80bc90041e4d\",\r\n \"name\": \"b396f112-a462-4813-a93f-80bc90041e4d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy requires at least one symbol\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Password policy should require at least one symbol to enforce password complexity requirements . \",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5425052d-cc0d-4424-af71-050311f99634\",\r\n \"name\": \"5425052d-cc0d-4424-af71-050311f99634\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy requires at least one number\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Password policy should require at least one number to enforce password complexity requirements . \",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/09cb7d54-db05-4d31-97f3-9bbfe1dff610\",\r\n \"name\": \"09cb7d54-db05-4d31-97f3-9bbfe1dff610\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy requires minimum password length of 14 or greater\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Password policy should require a length of 14 or greater to enforce password complexity requirements.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/01fb1ad4-303b-4789-abf2-c024c4a76523\",\r\n \"name\": \"01fb1ad4-303b-4789-abf2-c024c4a76523\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy prevents password reuse\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"IAM password policy should prevent the reuse of passwords to prevent reuse of given password by the same user.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0de072b9-6515-4985-842e-0318047bb85b\",\r\n \"name\": \"0de072b9-6515-4985-842e-0318047bb85b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy expires passwords within 90 days or less\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"IAM password policies should require passwords to expire after 90 days or less.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8c3f474a-234e-442f-92b3-2a45e37f7eee\",\r\n \"name\": \"8c3f474a-234e-442f-92b3-2a45e37f7eee\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure no root account access key exists\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"The root account is the most privileged user in an AWS account. AWS Access Keys provide programmatic access to an AWS account. All access keys associated with the root account should be removed.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8e3d9ac0-a248-4276-a437-304c6cd1443b\",\r\n \"name\": \"8e3d9ac0-a248-4276-a437-304c6cd1443b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure MFA is enabled for the \\\"root\\\" account\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"MFA should be enabled for a root account to increase console security. When a user signs in to an AWS website, they will be prompted for their user name, password as well as for an authentication code\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8d7a6128-c8f2-43df-b422-7877346f9ddb\",\r\n \"name\": \"8d7a6128-c8f2-43df-b422-7877346f9ddb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure hardware MFA is enabled for the \\\"root\\\" account\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"MFA should be enabled for a root account to increase console security. When a user signs in to an AWS website, they will be prompted for their user name, password as well as for an authentication code. The account should be protected with a hardware MFA\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c55461af-4923-4fbb-b270-40d5e5f4c0ff\",\r\n \"name\": \"c55461af-4923-4fbb-b270-40d5e5f4c0ff\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM policies are attached only to groups or roles\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By default, IAM users, groups, and roles don't have access to AWS resources. IAM policies are used to grant privileges to users, groups, or roles. IAM policies should be applied directly to groups and roles but not users\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bbdc4999-1462-4d46-853b-2f8c6ca1c682\",\r\n \"name\": \"bbdc4999-1462-4d46-853b-2f8c6ca1c682\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a support role has been created to manage incidents with AWS Support\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS provides a support center that can be used for incident notification and response, as well as technical support and customer services. IAM Role should be created to allow authorized users to manage incidents with AWS Support.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9e1f12d0-cb3d-4e1c-a468-6bc3d934c99d\",\r\n \"name\": \"9e1f12d0-cb3d-4e1c-a468-6bc3d934c99d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM policies that allow full \\\"*:*\\\" administrative privileges are not created\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"IAM policies are the way in which privileges are granted to users, groups, or roles. Granting only the permissions needed to perform a task should be done instead of allowing full administrative privileges.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/22438e3c-73c8-40af-a083-10c980c63aa2\",\r\n \"name\": \"22438e3c-73c8-40af-a083-10c980c63aa2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure CloudTrail is enabled in all regions\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. CloudTrail should be enabled to allow security analysis, resource change tracking, and compliance auditing.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fd5d38f6-340e-4bd2-88f2-e1314c3c07a9\",\r\n \"name\": \"fd5d38f6-340e-4bd2-88f2-e1314c3c07a9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure CloudTrail log file validation is enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"A digitally signed digest file is created by CloudTrail log file validation, containing a hash of each log that CloudTrail writes to S3. These digest files can be used to determine whether a log file was changed, deleted, or unchanged after CloudTrail delivered the log. \",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0384d5b7-5def-4130-b7b5-db7da7e63276\",\r\n \"name\": \"0384d5b7-5def-4130-b7b5-db7da7e63276\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure the S3 bucket CloudTrail logs to is not publicly accessible\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Enabling public access to CloudTrail log content could assist an adversary in identifying weaknesses in the affected account's use or configuration.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5720f1a6-6061-4768-9c0d-2000a6041744\",\r\n \"name\": \"5720f1a6-6061-4768-9c0d-2000a6041744\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure CloudTrail trails are integrated with Amazon CloudWatch Logs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS CloudTrail is a web service that records AWS API calls made in a given AWS account. In addition to capturing CloudTrail logs within a specified S3 bucket for long term analysis, sending these logs to CloudWatch should be done to enable realtime analysis. \",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/dbfc99e3-e648-4c3b-bd32-995e6268430d\",\r\n \"name\": \"dbfc99e3-e648-4c3b-bd32-995e6268430d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure AWS Config is enabled in all regions\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS Config is a web service that performs configuration management of supported AWS resources within your account and delivers log files to you that can be used for security analysis, resource change tracking, and compliance auditing and should be enabled across all regions.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/30c69b23-a9a2-4729-aca6-f21adacfff66\",\r\n \"name\": \"30c69b23-a9a2-4729-aca6-f21adacfff66\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"S3 Bucket Access Logging generates a log that contains access records for each request made to your S3 bucket and could be used for security analysis, resource change tracking, and compliance auditing.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c01fab9f-bde1-4ba5-9d35-7de51f31c2d3\",\r\n \"name\": \"c01fab9f-bde1-4ba5-9d35-7de51f31c2d3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure CloudTrail logs are encrypted at rest using AWS KMS CMKs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"CloudTrail logs should be configured to leverage server side encryption (SSE) and KMS customer created master keys (CMK) to further protect CloudTrail logs.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/23b514bd-2afc-4a3e-8d3d-f4327118eee9\",\r\n \"name\": \"23b514bd-2afc-4a3e-8d3d-f4327118eee9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure rotation for customer created CMKs is enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS Key Management Service (KMS) enables customers to rotate the backing key, a key material stored within the KMS which is tied to the key ID of the Customer Created customer master key (CMK). The backing key is used to perform cryptographic operations such as encryption and decryption.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a9ac48d8-8dd7-42b9-9752-b1fa70ea5dd9\",\r\n \"name\": \"a9ac48d8-8dd7-42b9-9752-b1fa70ea5dd9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure VPC flow logging is enabled in all VPCs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"VPC Flow Logs enables you to gather information about the IP traffic going to and from network interfaces in your VPC. After a flow log has been created, you can view and retrieve its data in Amazon CloudWatch Logs. VPC Flow Logs should be enabled for packet \\\"Rejects\\\" for VPCs.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/00261067-76a8-4ebb-b5fc-becc81067bee\",\r\n \"name\": \"00261067-76a8-4ebb-b5fc-becc81067bee\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for unauthorized API calls\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By directing CloudTrail Logs to CloudWatch Logs real-time monitoring of API calls can be achieved. Metric filter and alarm should be established for unauthorized API calls.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/83ca4867-58c1-45d6-b6b6-dbf226512891\",\r\n \"name\": \"83ca4867-58c1-45d6-b6b6-dbf226512891\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for AWS Management Console sign-in without MFA\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By directing CloudTrail Logs to CloudWatch Logs real-time monitoring of API calls can be achieved. Metric filter and alarm should be established for console logins that are not protected by multi-factor authentication (MFA).\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a269cbdb-86e8-431c-9ff2-f0ea491174d8\",\r\n \"name\": \"a269cbdb-86e8-431c-9ff2-f0ea491174d8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for usage of \\\"root\\\" account\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By directing CloudTrail Logs to CloudWatch Logs real-time monitoring of API calls can be achieved. Metric filter and alarm should be established for root account login attempts.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5ea59e47-093b-446f-9765-5b0ec4c9da61\",\r\n \"name\": \"5ea59e47-093b-446f-9765-5b0ec4c9da61\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for IAM policy changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By directing CloudTrail Logs to CloudWatch Logs real-time monitoring of API calls can be achieved. Metric filter and alarm should be established for changes made to Identity and Access Management (IAM) policies\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/011397ca-1366-4bcc-b85a-7a5e3df2e80b\",\r\n \"name\": \"011397ca-1366-4bcc-b85a-7a5e3df2e80b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for CloudTrail configuration changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By directing CloudTrail Logs to CloudWatch Logs real-time monitoring of API calls can be achieved. Metric filter and alarm should be established for changes made to CloudTrail's configurations\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c62371bc-f6a7-4915-b5b5-14288682cf79\",\r\n \"name\": \"c62371bc-f6a7-4915-b5b5-14288682cf79\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for AWS Management Console authentication failures\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By directing CloudTrail Logs to CloudWatch Logs real-time monitoring of API calls can be achieved. Metric filter and alarm should be established for failed console authentication attempts.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/293ba336-7312-42fc-a59d-836e4e678b17\",\r\n \"name\": \"293ba336-7312-42fc-a59d-836e4e678b17\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By directing CloudTrail Logs to CloudWatch Logs real-time monitoring of API calls can be achieved. Metric filter and alarm should be established for customer created CMKs which have changed state to disabled or scheduled deletion.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0b547a38-2c0d-47e1-b9a2-a59fccc140db\",\r\n \"name\": \"0b547a38-2c0d-47e1-b9a2-a59fccc140db\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for S3 bucket policy changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By directing CloudTrail Logs to CloudWatch Logs real-time monitoring of API calls can be achieved. Metric filter and alarm should be established for changes to S3 bucket policies.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7d0ad86f-f43b-4889-b2f7-09d91bd1407b\",\r\n \"name\": \"7d0ad86f-f43b-4889-b2f7-09d91bd1407b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for AWS Config configuration changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By directing CloudTrail Logs to CloudWatch Logs real-time monitoring of API calls can be achieved. Metric filter and alarm should be established for changes to AWS Config configuration settings\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b20558b6-de31-480c-8aa0-e920d62b9764\",\r\n \"name\": \"b20558b6-de31-480c-8aa0-e920d62b9764\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for security group changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By directing CloudTrail Logs to CloudWatch Logs real-time monitoring of API calls can be achieved. Metric filter and alarm should be established for changes to Security Groups.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/022efc2d-5119-480b-a203-e151b6b2645c\",\r\n \"name\": \"022efc2d-5119-480b-a203-e151b6b2645c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By directing CloudTrail Logs to CloudWatch Logs real-time monitoring of API calls can be achieved. Metric filter and alarm should be established for changes made to NACLs\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3ee7608e-f0e7-4c26-8921-5ae46c4e99df\",\r\n \"name\": \"3ee7608e-f0e7-4c26-8921-5ae46c4e99df\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for changes to network gateways\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By directing CloudTrail Logs to CloudWatch Logs real-time monitoring of API calls can be achieved. Metric filter and alarm should be established for changes to network gateways.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/33765629-073d-49eb-bab4-64bdf8ac90da\",\r\n \"name\": \"33765629-073d-49eb-bab4-64bdf8ac90da\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for route table changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By directing CloudTrail Logs to CloudWatch Logs real-time monitoring of API calls can be achieved. Metric filter and alarm should be established for changes to route tables.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9c054f50-823f-45ab-839e-9df4eb7c2f11\",\r\n \"name\": \"9c054f50-823f-45ab-839e-9df4eb7c2f11\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for VPC changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By directing CloudTrail Logs to CloudWatch Logs real-time monitoring of API calls can be achieved. Metric filter and alarm should be established for changes made to VPCs.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b3473ed6-78c0-40d5-b5f0-674e98924952\",\r\n \"name\": \"b3473ed6-78c0-40d5-b5f0-674e98924952\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure no security groups allow ingress from 0.0.0.0/0 to port 22\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. Restricting connectivity to remote console services, such as SSH, could help reduce a server's exposure to risk.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9dd55566-33b9-4c07-a959-14794ce02355\",\r\n \"name\": \"9dd55566-33b9-4c07-a959-14794ce02355\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. Restricting connectivity to remote console services, such as RDP, could help reduce a server's exposure to risk.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ad0b04b9-eaf9-49f8-b85e-724f9520e760\",\r\n \"name\": \"ad0b04b9-eaf9-49f8-b85e-724f9520e760\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure the default security group of every VPC restricts all traffic\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"When an instance is launched and no security group is specified, the instance is automatically assign to a default security group. A default security group should restrict all traffic\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"name\": \"eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Subnets should be associated with a network security group\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e71308d3-144b-4262-b144-efdc3cc90517\",\r\n \"description\": \"Protect your subnet from potential threats by restricting access to it with a network security group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. When an NSG is associated with a subnet, the ACL rules apply to all the VM instances and integrated services in that subnet, but don't apply to internal traffic inside the subnet. To secure resources in the same subnet from one another, enable NSG directly on the resources as well.\",\r\n \"remediationDescription\": \"To enable Network Security Groups on your subnets:
1. Select a subnet to enable NSG on.
2. Click the 'Network security group' section.
3. Follow the steps and select an existing network security group to attach to this specific subnet.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"name\": \"e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure DDoS Protection Standard should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd\",\r\n \"description\": \"Security Center has discovered virtual networks with Application Gateway resources unprotected by the DDoS protection service. These resources contain public IPs. Enable mitigation of network volumetric and protocol attacks.\",\r\n \"remediationDescription\": \"
1. Select a virtual network to enable the DDoS protection service standard on.
2. Select the Standard option.
3. Click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"ThreatResistance\",\r\n \"DenialOfService\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/35f45c95-27cf-4e52-891f-8390d1de5828\",\r\n \"name\": \"35f45c95-27cf-4e52-891f-8390d1de5828\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Adaptive application controls for defining safe applications should be enabled on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc\",\r\n \"description\": \"Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.\",\r\n \"remediationDescription\": \"To enable and configure adaptive application controls:
1. From the portal, open Security Center.
2. Select \\\"Adaptive application controls\\\" from Security Center's sidebar.
3. To see the groups of machines that Security Center recommends protecting with adaptive application controls, select the \\\"Recommended\\\" tab and choose a group of machines to protect.
4. Create a new applications control policy according to the instructions in Security Center's documentation: https://aka.ms/aac-newpolicy\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\",\r\n \"ThreatResistance\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1234abcd-1b53-4fd4-9835-2c2fa3935313\",\r\n \"name\": \"1234abcd-1b53-4fd4-9835-2c2fa3935313\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Allowlist rules in your adaptive application control policy should be updated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/123a3936-f020-408a-ba0c-47873faf1534\",\r\n \"description\": \"Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.\",\r\n \"remediationDescription\": \"To update your list of known-safe applications:
1. From the portal, open Security Center.
2. Select \\\"Adaptive application controls\\\" from Security Center's sidebar.
3. To see the groups of machines for which Security Center recommends updating the policy, select the \\\"Recommended\\\" tab and choose the configured group of machines.
4. The current policy will be displayed together with the new rules that Security Center recommends adding.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\",\r\n \"ThreatResistance\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f9f0eed0-f143-47bf-b856-671ea2eeed62\",\r\n \"name\": \"f9f0eed0-f143-47bf-b856-671ea2eeed62\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Adaptive network hardening recommendations should be applied on internet facing virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6\",\r\n \"description\": \"Azure Security Center has analyzed the internet traffic communication patterns of the virtual machines listed below, and determined that the existing rules in the NSGs associated to them are overly permissive, resulting in an increased potential attack surface.
This typically occurs when this IP address doesn't communicate regularly with this resource. Alternatively, the IP address has been flagged as malicious by Security Center's threat intelligence sources. learn more\",\r\n \"remediationDescription\": \"To harden the Network Security Group traffic rules, enforce the recommended rules by following the steps below or manually edit the rules directly on the Network Security Group:
- Select a VM from the list below, or click \\\"Take action\\\" if you've arrived from a specific VM's recommendation blade.
- Click the \\\"Rules\\\" tab.
- If you want to modify a recommended rule's parameters:
- In the rule that you want to change, select the three dots and select \\\"Edit rule\\\". The \\\"Edit rule\\\" blade opens.
- Modify the parameters that you want to change and click \\\"Save\\\". The blade closes.
- If you want to create a new rule:
- Click \\\"Add rule\\\" (in the top left corner). The \\\"Edit rule\\\" blade opens.
- Fill in the parameters and click \\\"Add rule\\\". The blade closes and the new rule is listed in the Rules tab.
- Select the rules that you want to apply (including any rules that you edited or added) and click \\\"Enforce\\\".
\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/805651bc-6ecd-4c73-9b55-97a19d0582d0\",\r\n \"name\": \"805651bc-6ecd-4c73-9b55-97a19d0582d0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Management ports of virtual machines should be protected with just-in-time network access control\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c\",\r\n \"description\": \"Azure Security Center has identified some overly-permissive inbound rules for management ports in your Network Security Group. Enable just-in-time access control to protect your VM from internet-based brute-force attacks. Learn more.\",\r\n \"remediationDescription\": \"To enable just-in-time VM access:
- Select one or more VMs from the list below and click \\\"Remediate\\\", or click \\\"Take action\\\" if you've arrived from a recommendation for a specific VM.
- On the \\\"JIT VM access configuration\\\" page, define the ports for which the just-in-time VM access will be applicable.
- To add additional ports, click the \\\"Add\\\" button on the top left, or click an existing port and edit it.
- On the \\\"Add port configuration\\\" blade, enter the required parameters.
- Click \\\"Save\\\".
\",\r\n \"categories\": [\r\n \"Compute\",\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/01b1ed4c-b733-4fee-b145-f23236e70cf3\",\r\n \"name\": \"01b1ed4c-b733-4fee-b145-f23236e70cf3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerability assessment solution should be installed on your virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/760a85ff-6162-42b3-8d70-698e268f648c\",\r\n \"description\": \"Install a vulnerability assessment solution on your virtual machines\",\r\n \"remediationDescription\": \"N/A\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/71992a2a-d168-42e0-b10e-6b45fa2ecddb\",\r\n \"name\": \"71992a2a-d168-42e0-b10e-6b45fa2ecddb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities should be remediated by a Vulnerability Assessment solution\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/760a85ff-6162-42b3-8d70-698e268f648c\",\r\n \"description\": \"Virtual machines for which a vulnerability assessment 3rd party solution is deployed are being continuously assessed against application and OS vulnerabilities. Whenever such vulnerabilities are found, these are available for more information as part of the recommendation.\",\r\n \"remediationDescription\": \"N/A\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\",\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bc303248-3d14-44c2-96a0-55f5c326b5fe\",\r\n \"name\": \"bc303248-3d14-44c2-96a0-55f5c326b5fe\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Management ports should be closed on your virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/22730e10-96f6-4aac-ad84-9383d35b5917\",\r\n \"description\": \"Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.\",\r\n \"remediationDescription\": \"We recommend that you edit the inbound rules of some of your virtual machines, to restrict access to specific source ranges.
To restrict access to your virtual machines:
1. Select a VM to restrict access to.
2. In the 'Networking' blade, click on each of the rules that allow management ports (e.g. RDP-3389, WINRM-5985, SSH-22).
3. Either change the 'Action' property to 'Deny', or, improve the rule by applying a less permissive range of source IP ranges.
4. Click 'Save'.
Use Azure Security Center's Just-in-time (JIT) virtual machine (VM) access to lock down inbound traffic to your Azure VMs by demand. Click here to learn more.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ThreatResistance\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c3b51c94-588b-426b-a892-24696f9e54cc\",\r\n \"name\": \"c3b51c94-588b-426b-a892-24696f9e54cc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IP forwarding on your virtual machine should be disabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744\",\r\n \"description\": \"Azure Security Center has discovered that IP forwarding is enabled on some of your virtual machines. Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.\",\r\n \"remediationDescription\": \"We recommend you edit the IP configurations of the NICs belonging to some of your virtual machines.
To disable IP forwarding:
1. Select a VM from the list below, or click 'Take action' if you've arrived from a specific VM's recommendation blade.
2. In the 'Networking' blade, click on the NIC link ('Network Interface' in the top left).
3. In the 'IP configurations' blade, set the 'IP forwarding' field to 'Disabled'.
4. Click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3b20e985-f71f-483b-b078-f30d73936d43\",\r\n \"name\": \"3b20e985-f71f-483b-b078-f30d73936d43\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"All network ports should be restricted on network security groups associated to your virtual machine\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9daedab3-fb2d-461e-b861-71790eead4f6\",\r\n \"description\": \"Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.\",\r\n \"remediationDescription\": \"We recommend that you edit the inbound rules of some of your virtual machines, to restrict access to specific source ranges.
To restrict access to your virtual machines:
1. Select a VM to restrict access to.
2. In the 'Networking' blade, click the Network Security Group with overly permissive rules.
3. In the 'Network security group' blade, click on each of the rules that are overly permissive.
4. Improve the rule by applying less permissive source IP ranges.
5. Apply the suggested changes and click 'Save'.
If some or all of these virtual machines do not need to be accessed directly from the Internet, then you can also consider removing the public IP associated to them.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/483f12ed-ae23-447e-a2de-a67a10db4353\",\r\n \"name\": \"483f12ed-ae23-447e-a2de-a67a10db4353\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Internet-facing virtual machines should be protected with network security groups\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c\",\r\n \"description\": \"Protect your VM from potential threats by restricting access to it with a network security group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your VM from other instances, in or outside the same subnet.
Please note that to keep your machine as secured as possible, both the VM access to the Internet must be restricted, and an NSG should be enabled on the subnet.
VMs with 'High' severity are Internet-facing VMs.\",\r\n \"remediationDescription\": \"To protect a virtual machine with a Network Security Group:
1. Select a VM from the list below, or click \\\"Take action\\\" if you've arrived from a recommendation for a specific VM.
2. Assign the relevant NSG to the NIC or subnet for the VM you're protecting:
a. To assign the NSG to the VM's subnet (recommended):
i. In the Networking page, select the 'Virtual network/subnet'.
ii. Open the \\\"Subnets\\\" menu.
iii. Select the subnet where your VM is deployed.
iv. Select the Network Security Group to assign to the subnet and click \\\"Save\\\".
b. To assign the NSG to the NIC:
i. In the Networking page, select the network interface that's associated with the selected VM.
ii. In the Network interfaces page, select the 'Network security group' menu item.
iii. Click 'Edit' at the top of the page.
iv. Follow the on-screen instructions and select the Network Security Group to assign to this NIC.
Click here to learn more.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a9341235-9389-42f0-a0bf-9bfb57960d44\",\r\n \"name\": \"a9341235-9389-42f0-a0bf-9bfb57960d44\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Non-internet-facing virtual machines should be protected with network security groups\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6\",\r\n \"description\": \"Protect your non-internet-facing virtual machine from potential threats by restricting access to it with a network security group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your VM from other instances, whether or not they're on the same subnet.
Note that to keep your machine as secure as possible, the VM's access to the internet must be restricted and an NSG should be enabled on the subnet.\",\r\n \"remediationDescription\": \"To protect a virtual machine with a network security group:
1. Select a VM from the list below, or click \\\"Take action\\\" if you've arrived from a recommendation for a specific VM.
2. Assign the relevant NSG to the NIC or subnet for the VM you're protecting:
a. To assign the NSG to the VM's subnet (recommended):
i. In the Networking page, select the 'Virtual network/subnet'.
ii. Open the \\\"Subnets\\\" menu.
iii. Select the subnet where your VM is deployed.
iv. Select the network security group to assign to the subnet and select \\\"Save\\\".
b. To assign the NSG to the NIC:
i. In the Networking page, select the network interface that's associated with the selected VM.
ii. In the Network interfaces page, select the 'Network security group' menu item.
iii. Select 'Edit' at the top of the page.
iv. Follow the on-screen instructions and select the network security group to assign to this NIC.
Learn more.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/550e890b-e652-4d22-8274-60b3bdb24c63\",\r\n \"name\": \"550e890b-e652-4d22-8274-60b3bdb24c63\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Enable the built-in vulnerability assessment solution on virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9\",\r\n \"description\": \"Install the Qualys extension (built-in to the Azure Security Center standard tier) to enable the industry-leading vulnerability assessment solution on your virtual machines.\",\r\n \"remediationDescription\": \"To remediate with a single click, in the Unhealthy resources tab (below), select the resources, and click 'Remediate'. Read the remediation details in the confirmation box, insert the relevant parameters if required and approve the remediation. Note: It can take several minutes after remediation completes to see the resources in the ‘healthy resources’\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ffff0522-1e88-47fc-8382-2a80ba848f5d\",\r\n \"name\": \"ffff0522-1e88-47fc-8382-2a80ba848f5d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"A vulnerability assessment solution should be enabled on your virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9\",\r\n \"description\": \"Install the extension to enable a vulnerability assessment solution on your virtual machines.\",\r\n \"remediationDescription\": \"To remediate with a single click, in the Unhealthy resources tab (below), select the resources, and click 'Remediate'. Read the remediation details in the confirmation box, insert the relevant parameters if required and approve the remediation. Note: It can take several hours after remediation completes to see the resources in the ‘healthy resources’\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/57f36d21-69e3-4b0f-a66c-18629d1b736d\",\r\n \"name\": \"57f36d21-69e3-4b0f-a66c-18629d1b736d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Adaptive Network Hardening recommendations should be applied on internal facing virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Azure Security Center has analyzed the Internet traffic communication patterns of the virtual machines listed below, and determined that the existing rules in the NSGs associated to them are overly permissive, resulting in an increased potential attack surface. This could be due lack of traffic on the port/protocol tuples or specific IPs which have been flagged as malicious by Security Center's threat intelligence sources.\",\r\n \"remediationDescription\": \"Security Center recommends that you modify the rules of your virtual machines, to close ports which are not in use.
To close unused ports on your Virtual Machine with a Network Security Group
1. Select a Virtual Machine to display a list of its unused open ports
2. Open the Virtual Machine's Networking blade by clicking its name
3. Edit the Virtual Machine's inbound/outbound rules to block ports according to the list
4. Click Save\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/24d8af06-d441-40b4-a49c-311421aa9f58\",\r\n \"name\": \"24d8af06-d441-40b4-a49c-311421aa9f58\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Network traffic data collection agent should be installed on Windows virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2f2ee1de-44aa-4762-b6bd-0893fc3f306d\",\r\n \"description\": \"Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats.\",\r\n \"remediationDescription\": \"Installation of the dependency agent and enabling data collection in Security Center can be done in several ways:
- Using Security Center automatic provisioning on your subscription(s).
- This will automatically provision the Microsoft Monitoring Dependency Agent on current and future-created virtual machines on your subscription(s). Learn more
- You can also enable it for specific subscriptions and customize additional settings by clicking on the 'Pricing & settings' menu item
- click on a subscription and enable auto provisioning in the 'data collection' menu item.
- Install the Microsoft Monitoring Dependency agent on your Virtual machines as a VM extension or directly, by following these instructions:
- Provision the Microsoft Monitoring Dependency agent with Azure Policies. The applicable policy definitions are:
- '[Preview]: Deploy Microsoft Monitoring Dependency Agent for Windows VMs.'
\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8c3e93d3-0276-4d06-b20a-9a9f3012742c\",\r\n \"name\": \"8c3e93d3-0276-4d06-b20a-9a9f3012742c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Network traffic data collection agent should be installed on Linux virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/04c4380f-3fae-46e8-96c9-30193528f602\",\r\n \"description\": \"Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats.\",\r\n \"remediationDescription\": \"Installation of the dependency agent and enabling data collection in Security Center can be done in several ways:
- Using Security Center automatic provisioning on your subscription(s).
- This will automatically provision the Microsoft Monitoring Dependency Agent on current and future-created virtual machines on your subscription(s). Learn more
- You can also enable it for specific subscriptions and customize additional settings by clicking on the 'Pricing & settings' menu item
- click on a subscription and enable auto provisioning in the 'data collection' menu item.
- Install the Microsoft Monitoring Dependency agent on your Virtual machines as a VM extension or directly, by following these instructions:
- Provision the Microsoft Monitoring Dependency agent with Azure Policies. The applicable policy definitions are:
- '[Preview]: Deploy Microsoft Monitoring Dependency Agent for Linux VMs.'
\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f67fb4ed-d481-44d7-91e5-efadf504f74a\",\r\n \"name\": \"f67fb4ed-d481-44d7-91e5-efadf504f74a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Virtual networks should be protected by Azure Firewall\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fc5e4038-4584-4632-8c85-c0448d374b2c\",\r\n \"description\": \"Some of your virtual networks aren't protected with a firewall. Use Azure Firewall to restricting access to your virtual networks and prevent potential threats. To learn more about Azure Firewall,
Click here\",\r\n \"remediationDescription\": \"To protect your virtual networks with Azure Firewall:
1. From the list below, select a network. Or select Take action if you've arrived here from a specific virtual network page.
2. Follow the Azure Firewall deployment instructions. Make sure to configure all default routes properly.
Important: Azure Firewall is billed separately from Azure Security Center. Learn more about Azure Firewall pricing.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b1af52e4-e968-4e2b-b6d0-6736c9651f0a\",\r\n \"name\": \"b1af52e4-e968-4e2b-b6d0-6736c9651f0a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Defender for Key Vault should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/0e6763cc-5078-4e64-889d-ff4d9a839047\",\r\n \"description\": \"Azure Security Center includes Azure Defender for Key Vault, providing an additional layer of security intelligence.
Azure Defender for Key Vault detects unusual and potentially harmful attempts to access or exploit Key Vault accounts.
Important: Remediating this recommendation will result in charges for protecting your key vaults. If you don't have any key vaults in this subscription, no charges will be incurred.
If you create any key vaults on this subscription in the future, they will automatically be protected and charges will begin at that time.
Learn more about Azure Defender for Key Vault.\",\r\n \"remediationDescription\": \"To enable Azure Defender on all Azure Key Vault vaults in a subscription:
1. Open Security Center's Pricing & settings page.
2. Select the subscription on which you want to enable Azure Defender.
3. Under \\\"Select Azure Defender plan by resource type\\\", set \\\"Key Vault\\\" to \\\"On\\\".\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/58d72d9d-0310-4792-9a3b-6dd111093cdb\",\r\n \"name\": \"58d72d9d-0310-4792-9a3b-6dd111093cdb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Defender for Azure SQL Database servers should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/7fe3b40f-802b-4cdd-8bd4-fd799c948cc2\",\r\n \"description\": \"Azure Defender for SQL is a unified package that provides advanced SQL security capabilities.
It includes functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate a threat to your database, and discovering and classifying sensitive data.
Important: Remediating this recommendation will result in charges for protecting your Azure SQL Database servers. If you don't have any Azure SQL Database servers in this subscription, no charges will be incurred.
If you create any Azure SQL Database servers on this subscription in the future, they will automatically be protected and charges will begin at that time.
Learn more about Azure Defender for Azure SQL Database servers.\",\r\n \"remediationDescription\": \"To enable Azure Defender on all Azure SQL Database servers in a subscription:
1. Open Security Center's Pricing & settings page.
2. Select the subscription on which you want to enable Azure Defender.
3. Under \\\"Select Azure Defender plan by resource type\\\", set \\\"Azure SQL Database servers\\\" to \\\"On\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6ac66a74-761f-4a59-928a-d373eea3f028\",\r\n \"name\": \"6ac66a74-761f-4a59-928a-d373eea3f028\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Defender for SQL servers on machines should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/6581d072-105e-4418-827f-bd446d56421b\",\r\n \"description\": \"Azure Defender for SQL is a unified package that provides advanced SQL security capabilities.
It includes functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate a threat to your database, and discovering and classifying sensitive data.
Important: Remediating this recommendation will result in charges for protecting your SQL servers on machines. If you don't have any SQL servers on machines in this subscription, no charges will be incurred.
If you create any SQL servers on machines on this subscription in the future, they will automatically be protected and charges will begin at that time.
Learn more about Azure Defender for SQL servers on machines.\",\r\n \"remediationDescription\": \"To enable Azure Defender on all SQL servers on machines in a subscription:
1. Open Security Center's Pricing & settings page.
2. Select the subscription on which you want to enable Azure Defender.
3. Under \\\"Select Azure Defender plan by resource type\\\", set \\\"SQL servers on machines\\\" to \\\"On\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1be22853-8ed1-4005-9907-ddad64cb1417\",\r\n \"name\": \"1be22853-8ed1-4005-9907-ddad64cb1417\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Defender for Storage should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/308fbb08-4ab8-4e67-9b29-592e93fb94fa\",\r\n \"description\": \"Azure Defender for storage detects unusual and potentially harmful attempts to access or exploit storage accounts.
Important: Remediating this recommendation will result in charges for protecting your Azure Storage accounts. If you don't have any Azure Storage accounts in this subscription, no charges will be incurred.
If you create any Azure Storage accounts on this subscription in the future, they will automatically be protected and charges will begin at that time.
Learn more about Azure Defender for Storage\",\r\n \"remediationDescription\": \"To enable Azure Defender on all Azure Storage accounts in a subscription:
1. Open Security Center's Pricing & settings page.
2. Select the subscription on which you want to enable Azure Defender.
3. Under \\\"Select pricing tier by resource type\\\", set \\\"Storage\\\" to \\\"Enabled\\\"\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0876ef51-fee7-449d-ba1e-f2662c7e43c6\",\r\n \"name\": \"0876ef51-fee7-449d-ba1e-f2662c7e43c6\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Defender for App Service should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/2913021d-f2fd-4f3d-b958-22354e2bdbcb\",\r\n \"description\": \"Azure Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks.
Azure Defender for App Service can discover attacks on your applications and identify emerging attacks.
Important: Remediating this recommendation will result in charges for protecting your App Service plans. If you don't have any App Service plans in this subscription, no charges will be incurred.
If you create any App Service plans on this subscription in the future, they will automatically be protected and charges will begin at that time.
Learn more about Azure Defender for App Service.\",\r\n \"remediationDescription\": \"To enable Azure Defender on all App Service plans in a subscription:
1. Open Security Center's Pricing & settings page.
2. Select the subscription on which you want to enable Azure Defender.
3. Under \\\"Select Azure Defender plan by resource type\\\", set \\\"App Service\\\" to \\\"On\\\".\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/53572822-d3fc-4363-bfb9-248645841612\",\r\n \"name\": \"53572822-d3fc-4363-bfb9-248645841612\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Defender for container registries should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/c25d9a16-bc35-4e15-a7e5-9db606bf9ed4\",\r\n \"description\": \"To build secure containerized workloads, ensure the images that they're based on are free of known vulnerabilities.
Azure Defender for container registries scans your registry for security vulnerabilities on each pushed container image and exposes detailed findings per image.
To improve your containers' security posture and protect them from attacks, enable Azure Defender for container registries.
Important: Remediating this recommendation will result in charges for protecting your container registries. If you don't have any container registries in this subscription, no charges will be incurred.
If you create any container registries on this subscription in the future, they will automatically be protected and charges will begin at that time.
Learn more about Azure Defender for container registries.\",\r\n \"remediationDescription\": \"To enable Azure Defender on all container registries in a subscription:
1. Open Security Center's Pricing & settings page.
2. Select the subscription on which you want to enable Azure Defender.
3. Under \\\"Select Azure Defender plan by resource type\\\", set \\\"Container Registries\\\" to \\\"On\\\".\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/86ea1a79-29d3-4eac-a9f4-3541ace4e718\",\r\n \"name\": \"86ea1a79-29d3-4eac-a9f4-3541ace4e718\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Defender for Kubernetes should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/523b5cd1-3e23-492f-a539-13118b6d1e3a\",\r\n \"description\": \"Azure Defender for Kubernetes provides real-time threat protection for your containerized environments and generates alerts for suspicious activities.
You can use this information to quickly remediate security issues and improve the security of your containers.
Important: Remediating this recommendation will result in charges for protecting your Kubernetes clusters. If you don't have any Kubernetes clusters in this subscription, no charges will be incurred.
If you create any Kubernetes clusters on this subscription in the future, they will automatically be protected and charges will begin at that time.
Learn more about Azure Defender for Kubernetes.\",\r\n \"remediationDescription\": \"To enable Azure Defender on all Kubernetes clusters in a subscription:
1. Open Security Center's Pricing & settings page.
2. Select the subscription on which you want to enable Azure Defender.
3. Under \\\"Select Azure Defender plan by resource type\\\", set \\\"Kubernetes\\\" to \\\"On\\\".\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"MaliciousInsider\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\",\r\n \"DenialOfService\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/56a6e81f-7413-4f72-9a1b-aaeeaa87c872\",\r\n \"name\": \"56a6e81f-7413-4f72-9a1b-aaeeaa87c872\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Defender for servers should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/4da35fc9-c9e7-4960-aec9-797fe7d9051d\",\r\n \"description\": \"Azure Defender for servers provides real-time threat protection for your server workloads and generates hardening recommendations as well as alerts about suspicious activities.
You can use this information to quickly remediate security issues and improve the security of your servers.
Important: Remediating this recommendation will result in charges for protecting your servers. If you don't have any servers in this subscription, no charges will be incurred.
If you create any servers on this subscription in the future, they will automatically be protected and charges will begin at that time.
Learn more about Azure Defender for servers.\",\r\n \"remediationDescription\": \"To enable Azure Defender on all servers in a subscription:
1. Open Security Center's Pricing & settings page.
2. Select the subscription on which you want to enable Azure Defender.
3. Under \\\"Select Azure Defender plan by resource type\\\", set \\\"Servers\\\" to \\\"On\\\".\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b0df6f56-862d-4730-8597-38c0fd4ebd59\",\r\n \"name\": \"b0df6f56-862d-4730-8597-38c0fd4ebd59\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Sensitive data in your SQL databases should be classified\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/cc9835f2-9f6b-4cc8-ab4a-f8ef615eb349\",\r\n \"description\": \"Azure SQL DB Data discovery & classification provides capabilities for discovering, classifying, labeling, and protecting the sensitive data in your databases. Once your data is classified, you can use Azure SQL DB auditing to audit access and monitor the sensitive data. Azure SQL DB also enables Advanced Threat Protection features which creates intelligent alerts based on changes in the access patterns to the sensitive data.\",\r\n \"remediationDescription\": \"To remediate this recommendation:
1. In your SQL database, go to 'Advanced Data Security' and click 'Data Discovery and Classification'.
2. Review the recommended classifications.
3. Apply the relevant recommendations and dismiss the ones that are not applicable.
4. Please note that the updated health status for the database will not be reflected immediately and can take up to a week to refresh. You can make this happen faster by triggering a database Vulnerability Assessment scan: in your SQL database go to 'Advanced Data Security', click 'Vulnerability Assessment' and click 'Scan'. The health status of the database will be updated within 1 day from scan completion.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f97aa83c-9b63-4f9a-99f6-b22c4398f936\",\r\n \"name\": \"f97aa83c-9b63-4f9a-99f6-b22c4398f936\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerability assessment findings on your SQL servers on machines should be remediated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"SQL Vulnerability Assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.\",\r\n \"remediationDescription\": \"To resolve SQL vulnerabilities:
1. In your SQL database, go to 'Advanced Data Security' and click 'Vulnerability Assessment'.
2. Review the set of Failed security checks found by the scan, which are sorted from high to low risk.
3. Click on each vulnerability to view its details and explicit remediation instructions and scripts.
4. Either remediate the vulnerability using the provided script, or set the result as an acceptable Baseline for the check so that it will be considered passing in subsequent scans.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/dbd0cb49-b563-45e7-9724-889e799fa648\",\r\n \"name\": \"dbd0cb49-b563-45e7-9724-889e799fa648\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities in Azure Container Registry images should be remediated (powered by Qualys)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5f0f936f-2f01-4bf5-b6be-d423792fa562\",\r\n \"description\": \"Container image vulnerability assessment scans your registry for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks.\",\r\n \"remediationDescription\": \"To resolve container image vulnerabilities:
1. Navigate to the relevant resource under the 'Unhealthy' section and select the container image you are looking to remediate.
2. Review the set of failed security checks found by the scan, which are sorted from high to low risk.
3. Click on each vulnerability to view its details and explicit remediation instructions and scripts.
4. Remediate the vulnerability using the provided instructions described in the 'Remediation' field.
5. Upload the new remediated image to your registry. Review scan results for the new image to verify the vulnerability no longer exists.
6. Delete the old image with the vulnerability from your registry.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1195afff-c881-495e-9bc5-1486211ae03f\",\r\n \"name\": \"1195afff-c881-495e-9bc5-1486211ae03f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities in your virtual machines should be remediated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9\",\r\n \"description\": \"Monitors for vulnerability findings on your virtual machines as were discovered by the built-in vulnerability assessment solution of Azure Security Center (powered by Qualys).\",\r\n \"remediationDescription\": \"Review and remediate vulnerabilities discovered by a vulnerability assessment solution.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/82e20e14-edc5-4373-bfc4-f13121257c37\",\r\n \"name\": \"82e20e14-edc5-4373-bfc4-f13121257c37\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerability assessment findings on your SQL databases should be remediated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc\",\r\n \"description\": \"SQL Vulnerability Assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.\",\r\n \"remediationDescription\": \"To resolve SQL vulnerabilities:
1. In your SQL database, go to 'Advanced Data Security' and click 'Vulnerability Assessment'.
2. Review the set of Failed security checks found by the scan, which are sorted from high to low risk.
3. Click on each vulnerability to view its details and explicit remediation instructions and scripts.
4. Either remediate the vulnerability using the provided script, or set the result as an acceptable Baseline for the check so that it will be considered passing in subsequent scans.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4ab6e3c5-74dd-8b35-9ab9-f61b30875b27\",\r\n \"name\": \"4ab6e3c5-74dd-8b35-9ab9-f61b30875b27\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"System updates should be installed on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60\",\r\n \"description\": \"Install missing system security and critical updates to secure your Windows and Linux virtual machines and computers\",\r\n \"remediationDescription\": \"
1. Click an identified outstanding update.
2. In the Missing system updates pane, click the support link (when exists) and follow the instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/37a3689a-818e-4a0e-82ac-b1392b9bb000\",\r\n \"name\": \"37a3689a-818e-4a0e-82ac-b1392b9bb000\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Endpoint protection health issues should be resolved on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9\",\r\n \"description\": \"Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/en-us/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions- Endpoint protection assessment is documented here - https://docs.microsoft.com/en-us/azure/security-center/security-center-endpoint-protection\",\r\n \"remediationDescription\": \"
1. Confirm that your solution is on the list of tools supported by Security Center.
2. For a list of possible health issues with your solution and advice on how to resolve the health issues, consult this page of the Security Center documentation\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/08e628db-e2ed-4793-bc91-d13e684401c3\",\r\n \"name\": \"08e628db-e2ed-4793-bc91-d13e684401c3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Policy Add-on for Kubernetes should be installed and enabled on your clusters\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a15ec92-a229-4763-bb14-0ea34a568f8d\",\r\n \"description\": \"Azure Policy Add-on for Kubernetes extends Gatekeeper v3, an admission controller webhook for Open Policy Agent (OPA), to apply at-scale enforcements and safeguards on your clusters in a centralized, consistent manner.Security Center requires the Add-on to audit and enforce security capabilities and compliance inside your clusters. Learn more.
Requires Kubernetes v1.14.0 or later.
\",\r\n \"remediationDescription\": \"To configure the Azure Policy Add-on for use with your Azure Kubernetes Service cluster, follow the instructions in Install Azure Policy Add-on for AKS.
\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/405c9ae6-49f9-46c4-8873-a86690f27818\",\r\n \"name\": \"405c9ae6-49f9-46c4-8873-a86690f27818\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Container CPU and memory limits should be enforced\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e345eecc-fa47-480f-9e88-67dcc122b164\",\r\n \"description\": \"Enforcing CPU and memory limits prevents resource exhaustion attacks (a form of denial of service attack).We recommend setting limits for containers to ensure the runtime prevents the container from using more than the configured resource limit.
\",\r\n \"remediationDescription\": \"From the 'Unhealthy resources' tab, select the cluster. Security Center lists the pods without CPU and memory limits. To control a pod's limits, set quotas at the container level. Each container of a pod can specify one or both of the following:- spec.containers[].resources.limits.cpu
- spec.containers[].resources.limits.memory
After making your changes, redeploy the pod with the new limits.
Note: Although requests and limits can only be specified on individual containers, it is convenient to talk about pod resource limits. A Pod resource limit is the sum of the resource limits for all the containers in the pod. Learn more.
\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"threats\": [\r\n \"DenialOfService\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5d90913f-a1c5-4429-ad54-2c6c17fb3c73\",\r\n \"name\": \"5d90913f-a1c5-4429-ad54-2c6c17fb3c73\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Privileged containers should be avoided\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/95edb821-ddaf-4404-9732-666045e056b4\",\r\n \"description\": \"To prevent unrestricted host access, avoid privileged containers whenever possible.Privileged containers have all of the root capabilities of a host machine. They can be used as entry points for attacks and to spread malicious code or malware to compromised applications, hosts and networks.
\",\r\n \"remediationDescription\": \"From the 'Unhealthy resources' tab, select the cluster. Security Center lists the pods running privileged containers.For these pods, set the privileged flag to 'false' on the security context of the container's spec. After making your changes, redeploy the pod with the updated spec.
\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"threats\": [\r\n \"ElevationOfPrivilege\",\r\n \"DataExfiltration\",\r\n \"ThreatResistance\",\r\n \"DenialOfService\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8d244d29-fa00-4332-b935-c3a51d525417\",\r\n \"name\": \"8d244d29-fa00-4332-b935-c3a51d525417\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Container images should be deployed from trusted registries only\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/febd0533-8e55-448f-b837-bd0e06f16469\",\r\n \"description\": \"Images running on your Kubernetes cluster should come from known and monitored container image registries. Trusted registries reduce your cluster's exposure risk by limiting the potential for the introduction of unknown vulnerabilities, security issues and malicious images.\",\r\n \"remediationDescription\": \"- Ensure a regex, defining your organization private registries is configured, via the security policy parameters.
- From the 'Unhealthy resources' tab, select the cluster. Security Center lists the pods running images from untrusted registries. If you see a pod running an unfamiliar image, remove it and report the incident to your security admin. Otherwise, move all images to a trusted private registry and redeploy the pods with the updated registry.
\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5f88450f-9546-4b78-a181-a2d9162bb441\",\r\n \"name\": \"5f88450f-9546-4b78-a181-a2d9162bb441\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Containers should listen on allowed ports only\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/440b515e-a580-421e-abeb-b159a61ddcbc\",\r\n \"description\": \"To reduce the attack surface of your Kubernetes cluster, restrict access to the cluster by limiting containers access to the configured ports.\",\r\n \"remediationDescription\": \"- Ensure a list of ports on which your containers are allowed to listen, is configured, via the security policy parameters.
- From the 'Unhealthy resources' tab, select the cluster. Security Centers lists the pods running containers which listen on ports outside the configured list.
- Limit the containers' ports. After making your changes, redeploy the pods with the updated ports.
\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"threats\": [\r\n \"ThreatResistance\",\r\n \"DenialOfService\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/add45209-73f6-4fa5-a5a5-74a451b07fbe\",\r\n \"name\": \"add45209-73f6-4fa5-a5a5-74a451b07fbe\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Services should listen on allowed ports only\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/233a2a17-77ca-4fb1-9b6b-69223d272a44\",\r\n \"description\": \"To reduce the attack surface of your Kubernetes cluster, restrict access to the cluster by limiting services access to the configured ports.\",\r\n \"remediationDescription\": \"- Ensure a list of ports on which your services are allowed to listen, is configured, via the security policy parameters.
- From the 'Unhealthy resources' tab, select the cluster. Security Center lists the services which listen on ports outside the configured list.
- Limit the services' ports. After making your changes, redeploy the services with the updated ports.
\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"threats\": [\r\n \"ThreatResistance\",\r\n \"DenialOfService\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/11c95609-3553-430d-b788-fd41cde8b2db\",\r\n \"name\": \"11c95609-3553-430d-b788-fd41cde8b2db\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Least privileged Linux capabilities should be enforced for containers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c26596ff-4d70-4e6a-9a30-c2506bd2f80c\",\r\n \"description\": \"To reduce attack surface of your container, restrict Linux capabilities and grant specific privileges to containers without granting all the privileges of the root user. We recommend dropping all capabilities, then adding those that are required\",\r\n \"remediationDescription\": \"
1. Make sure lists of dropped capabilities and allowed capabilities are configured, via the security policy parameters.
2. From the Unhealthy resources tab, select the cluster. Security Center lists the running containers with capabilities outside the configured list.
3. Limit the containers' Linux capabilities. To add or remove Linux capabilities for a container, include a capabilities section in the securityContext section of the container manifest with the relevant capabilities set e.g. Drop: ALL ; add: ['NET_ADMIN', 'SYS_TIME'].
4. After making your changes, redeploy the pod with the updated capabilities.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"threats\": [\r\n \"ElevationOfPrivilege\",\r\n \"DataExfiltration\",\r\n \"ThreatResistance\",\r\n \"DenialOfService\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/27d6f0e9-b4d5-468b-ae7e-03d5473fd864\",\r\n \"name\": \"27d6f0e9-b4d5-468b-ae7e-03d5473fd864\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Immutable (read-only) root filesystem should be enforced for containers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/df49d893-a74c-421d-bc95-c663042e5b80\",\r\n \"description\": \"Containers should run with a read only root file system in your Kubernetes cluster. Immutable filesystem protects containers from changes at run-time with malicious binaries being added to PATH.\",\r\n \"remediationDescription\": \"
1. From the Unhealthy resources tab, select the cluster. Security Center lists the pods running containers without read only root file system.
2. For these pods, set the readOnlyRootFilesystem flag to 'true' on the security context of the container's spec.
3. After making your changes, redeploy the pod with the updated spec.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f0debc84-981c-4a0d-924d-aa4bd7d55fef\",\r\n \"name\": \"f0debc84-981c-4a0d-924d-aa4bd7d55fef\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Usage of pod HostPath volume mounts should be restricted to a known list to restrict node access from compromised containers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/098fc59e-46c7-4d99-9b16-64990e543d75\",\r\n \"description\": \"We recommend limiting pod HostPath volume mounts in your Kubernetes cluster to the configured allowed host paths. In case of compromise, the container node access from the containers should be restricted\",\r\n \"remediationDescription\": \"
1. Ensure a list of allowed host paths is configured, via the security policy parameters.
2. From the Unhealthy resources tab, select the cluster. Security Center lists the pods running pods with hostPath volume violating the configured list.
3. Update hostPath and redeploy the pod with the updated spec.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9b795646-9130-41a4-90b7-df9eae2437c8\",\r\n \"name\": \"9b795646-9130-41a4-90b7-df9eae2437c8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Running containers as root user should be avoided\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f06ddb64-5fa3-4b77-b166-acb36f7f6042\",\r\n \"description\": \"Containers should run as a non-root users in your Kubernetes cluster. Running a process as the root user inside a container runs it as root on the host. In case of compromise, an attacker has root in the container, and any mis-configurations become easier to exploit.\",\r\n \"remediationDescription\": \"
1. From the Unhealthy resources tab, select the cluster. Security Center lists the pods running containers missing the 'MustRunAsNonRoot' rule.
2. For these pods, add rule: 'MustRunAsNonRoot' in a runAsUser section of the container's spec.
3. After making your changes, redeploy the pod with the updated rule. \",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ebc68898-5c0f-4353-a426-4a5f1e737b12\",\r\n \"name\": \"ebc68898-5c0f-4353-a426-4a5f1e737b12\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Usage of host networking and ports should be restricted\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/82985f06-dc18-4a48-bc1c-b9f4f0098cfe\",\r\n \"description\": \"Restrict pod access to the host network and the allowable host port range in a Kubernetes cluster. Pods created with the hostNetwork attribute enabled will share the node’s network space. To avoid compromised container from sniffing network traffic, we recommend not putting your pods on the host network. If you need to expose a container port on the node’s network, and using a Kubernetes Service node port does not meet your needs, another possibility is to specify a hostPort for the container in the pod spec.\",\r\n \"remediationDescription\": \"
1. Ensure the following are all configured in the security policy parameters: allow host network usage, and min and max host ports.
2. From the Unhealthy resources tab, select the cluster. Security Center lists the pods running containers with host networking violating the configured list.
3. Validate the host networking using the hostNetwork and hostPort attributes (when applicable) of the container's spec.
4. After making your changes, redeploy the pod with the updated spec.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/802c0637-5a8c-4c98-abd7-7c96d89d6010\",\r\n \"name\": \"802c0637-5a8c-4c98-abd7-7c96d89d6010\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Containers sharing sensitive host namespaces should be avoided\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8\",\r\n \"description\": \"To protect against privilege escalation outside the container, avoid pod access to sensitive host namespaces (host process ID and host IPC) in a Kubernetes cluster.\",\r\n \"remediationDescription\": \"
1. From the Unhealthy resources tab, select the cluster. Security Center lists the pods sharing host process ID or host IPC.
2. Set the host process ID and host IPC to 'false' on the pod's spec.
3. After making your changes, redeploy the pod with the updated spec.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/43dc2a2e-ce69-4d42-923e-ab7d136f2cfe\",\r\n \"name\": \"43dc2a2e-ce69-4d42-923e-ab7d136f2cfe\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Container with privilege escalation should be avoided\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1c6e92c9-99f0-4e55-9cf2-0c234dc48f99\",\r\n \"description\": \"Containers shouldn't run with privilege escalation to root in your Kubernetes cluster.<br>The AllowPrivilegeEscalation attribute controls whether a process can gain more privileges than its parent process.\",\r\n \"remediationDescription\": \"
1. From the Unhealthy resources tab, select the cluster. Security Center lists the pods running containers with privilege escalation to root in your Kubernetes cluster.
2. For these pods, set the AllowPrivilegeEscalation flag to 'false' on the security context of the container's spec.
3. After making your changes, redeploy the pod with the updated spec.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/86f91051-9d6a-47c3-a07f-bd14cb214b45\",\r\n \"name\": \"86f91051-9d6a-47c3-a07f-bd14cb214b45\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Overriding or disabling of containers AppArmor profile should be restricted\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/511f5417-5d12-434d-ab2e-816901e72a5e\",\r\n \"description\": \"Containers running on your Kubernetes cluster should be limited to allowed AppArmor profiles only.<br>AppArmor (Application Armor) is a Linux security module that protects an operating system and its applications from security threats. To use it, a system administrator associates an AppArmor security profile with each program.\",\r\n \"remediationDescription\": \"
1. Ensure a list of AppArmor profiles containers are allowed to use is configured, via the security policy parameters.
2. From the Unhealthy resources tab, select the cluster. Security Center lists the running pods with AppArmor profile violating the configured list.
3. Update AppArmor annotation in the Pod's metadata and redeploy the pod with the updated spec.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\"\r\n }\r\n }\r\n ]\r\n}",
+ "ResponseBody": "{\r\n \"value\": [\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4fb67663-9ab9-475d-b026-8c544cced439\",\r\n \"name\": \"4fb67663-9ab9-475d-b026-8c544cced439\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Endpoint protection should be installed on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9\",\r\n \"description\": \"To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.
Learn more about how Endpoint Protection for machines is evaluated.\",\r\n \"remediationDescription\": \"To remediate missing endpoint protection:
1. Confirm that your solution is on the list of tools supported by Security Center.
2. Install the supported endpoint protection solution or enable an existing tool.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0396b18c-41aa-489c-affd-4ee5d1714a59\",\r\n \"name\": \"0396b18c-41aa-489c-affd-4ee5d1714a59\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Secure Boot should be enabled on your virtual machine\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Enabling Secure Boot on your virtual machine helps mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only signed code will be allowed to run on your VM or server.\",\r\n \"remediationDescription\": \"Enabling Secure Boot requires restarting your virtual machine:
1. Stop your VM when it is safe to do so.
2. Enable Secure Boot for the VM.
3. Restart the VM.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ElevationOfPrivilege\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f7010359-8d21-4598-a9f2-c3e81a17141e\",\r\n \"name\": \"f7010359-8d21-4598-a9f2-c3e81a17141e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"All advanced threat protection types should be enabled in SQL server advanced data security settings\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e756b945-1b1b-480b-8de8-9a0859d5f7ad\",\r\n \"description\": \"It is recommended to enable all advanced threat protection types on your SQL servers. Enabling all types protects against SQL injection, database vulnerabilities, and any other anomalous activities.\",\r\n \"remediationDescription\": \"To set advanced threat protection types to 'All' on SQL servers:
1. Select the SQL server.
2. Make sure that 'Advanced data security' is set to 'On'.
3. Under 'Advanced threat protection types', mark the check box for 'all'.
4. click OK.
5. Click Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ebe970fe-9c27-4dd7-a165-1e943d565e10\",\r\n \"name\": \"ebe970fe-9c27-4dd7-a165-1e943d565e10\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"All advanced threat protection types should be enabled in SQL managed instance advanced data security settings\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bda18df3-5e41-4709-add9-2554ce68c966\",\r\n \"description\": \"It is recommended to enable all advanced threat protection types on your SQL managed instances. Enabling all types protects against SQL injection, database vulnerabilities, and any other anomalous activities.\",\r\n \"remediationDescription\": \"To set advanced threat protection types to 'All' on a managed instance:
1. Select the SQL server.
2. Make sure that 'Advanced data security' is set to 'On'.
3. Under 'Advanced threat protection types', mark the check box for 'all'.
4. click OK.
5. Click Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/64b8637e-4e1d-76a9-0fc9-c1e487a97ed8\",\r\n \"name\": \"64b8637e-4e1d-76a9-0fc9-c1e487a97ed8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Remote debugging should be turned off for Web Applications\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/cb510bfd-1cba-4d9f-a230-cb0976f4bb71\",\r\n \"description\": \"Remote debugging requires inbound ports to be opened on a web application. Remote debugging is currently enabled. If you no longer need to use remote debugging, it should be turned off.\",\r\n \"remediationDescription\": \"To turn off remote debugging, we recommend the following steps:
1. Go to the app service applications settings page
2. In the remote debugging toggle select Off
3. Click Save\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/df4d1739-47f0-60c7-1706-3731fea6ab03\",\r\n \"name\": \"df4d1739-47f0-60c7-1706-3731fea6ab03\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CORS should not allow every resource to access your Web Applications\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/5744710e-cc2f-4ee8-8809-3b11e89f4bc9\",\r\n \"description\": \"Cross-Origin Resource Sharing (CORS) should not allow all domains to access your web application. Allow only required domains to interact with your web app.\",\r\n \"remediationDescription\": \"To allow only required domains to interact with your web app, we recommend the following steps:
1. Go to the app service CORS page
2. Remove the \\\"*\\\" defined and instead specify explicit origins that should be allowed to make cross-origin calls
3. Click Save\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1b351b29-41ca-6df5-946c-c190a56be5fe\",\r\n \"name\": \"1b351b29-41ca-6df5-946c-c190a56be5fe\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Web Application should only be accessible over HTTPS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d\",\r\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\",\r\n \"remediationDescription\": \"To redirect all HTTP traffic to HTTPS, we recommend the following steps:
1. Go to the app service custom domains page
2. In the HTTPS Only toggle select On\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/093c685b-56dd-13a3-8ed5-887a001837a2\",\r\n \"name\": \"093c685b-56dd-13a3-8ed5-887a001837a2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Remote debugging should be turned off for Function App\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/0e60b895-3786-45da-8377-9c6b4b6ac5f9\",\r\n \"description\": \"Remote debugging requires inbound ports to be opened on an function app. Remote debugging should be turned off.\",\r\n \"remediationDescription\": \"To turn off remote debugging, we recommend the following steps:
1. Go to the app service applications settings page
2. In the remote debugging toggle select Off
3. Click Save\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7b3d4796-9400-2904-692b-4a5ede7f0a1e\",\r\n \"name\": \"7b3d4796-9400-2904-692b-4a5ede7f0a1e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CORS should not allow every resource to access your Function App\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/0820b7b9-23aa-4725-a1ce-ae4558f718e5\",\r\n \"description\": \"Cross-Origin Resource Sharing (CORS) should not allow all domains to access your Function app. Allow only required domains to interact with your Function app.\",\r\n \"remediationDescription\": \"To allow only required domains to interact with your web app, we recommend the following steps:
1. Go to the app service CORS page
2. Remove the \\\"*\\\" defined and instead specify explicit origins that should be allowed to make cross-origin calls
3. Click Save\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/cb0acdc6-0846-fd48-debe-9905af151b6d\",\r\n \"name\": \"cb0acdc6-0846-fd48-debe-9905af151b6d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Function App should only be accessible over HTTPS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab\",\r\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\",\r\n \"remediationDescription\": \"To redirect all HTTP traffic to HTTPS, we recommend the following steps:
1. Go to the app service custom domains page
2. In the HTTPS Only toggle select On\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9172da4e-9571-6e33-2b5b-d742847f3be7\",\r\n \"name\": \"9172da4e-9571-6e33-2b5b-d742847f3be7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Remote debugging should be turned off for API App\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/e9c8d085-d9cc-4b17-9cdc-059f1f01f19e\",\r\n \"description\": \"Remote debugging requires inbound ports to be opened on an API app. Remote debugging should be turned off.\",\r\n \"remediationDescription\": \"To turn off remote debugging, we recommend the following steps:
1. Go to the app service applications settings page
2. In the remote debugging toggle select Off
3. Click Save\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e40df93c-7a7c-1b0a-c787-9987ceb98e54\",\r\n \"name\": \"e40df93c-7a7c-1b0a-c787-9987ceb98e54\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CORS should not allow every resource to access your API App\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/358c20a6-3f9e-4f0e-97ff-c6ce485e2aac\",\r\n \"description\": \"Cross-Origin Resource Sharing (CORS) should not allow all domains to access your API app. Allow only required domains to interact with your API app.\",\r\n \"remediationDescription\": \"To allow only required domains to interact with your web app, we recommend the following steps:
1. Go to the app service CORS page
2. Remove the \\\"*\\\" defined and instead specify explicit origins that should be allowed to make cross-origin calls
3. Click Save\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bf82a334-13b6-ca57-ea75-096fc2ffce50\",\r\n \"name\": \"bf82a334-13b6-ca57-ea75-096fc2ffce50\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"API App should only be accessible over HTTPS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b7ddfbdc-1260-477d-91fd-98bd9be789a6\",\r\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\",\r\n \"remediationDescription\": \"To redirect all HTTP traffic to HTTPS, we recommend the following steps:
1. Go to the app service custom domains page
2. In the HTTPS Only toggle select On\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d57a4221-a804-52ca-3dea-768284f06bb7\",\r\n \"name\": \"d57a4221-a804-52ca-3dea-768284f06bb7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Disk encryption should be applied on virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d\",\r\n \"description\": \"Encrypt your virtual machine disks using Azure Disk Encryption both for Windows and Linux virtual machines.
\\n Azure Disk Encryption (ADE) leverages the industry standard BitLocker feature of Windows and the DM-Crypt feature of Linux to
\\n provide OS and data disk encryption to help protect and safeguard your data and help meet your organizational security and
\\n compliance commitments in customer Azure key vault. When your compliance and security requirement requires you to encrypt
\\n the data end to end using your encryption keys, including encryption of the ephemeral (locally attached temporary) disk, use
\\n Azure disk encryption. Alternatively, by default, Managed Disks are encrypted at rest by default using Azure Storage Service
\\n Encryption where the encryption keys are Microsoft managed keys in Azure. If this meets your compliance and security requirements,
\\n you can leverage the default Managed disk encryption to meet your requirements.\",\r\n \"remediationDescription\": \"To enable disk encryption on your virtual machines, follow Encryption instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c0f5316d-5ac5-9218-b77a-b96e16ccfd66\",\r\n \"name\": \"c0f5316d-5ac5-9218-b77a-b96e16ccfd66\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Your machines should be restarted to apply system updates\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60\",\r\n \"description\": \"Restart your machines to apply the system updates and secure the machine from vulnerabilities.\",\r\n \"remediationDescription\": \"To restart the machine:
1. Go to Virtual machines and click on your machine.
2. Click 'Restart'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/181ac480-f7c4-544b-9865-11b8ffe87f47\",\r\n \"name\": \"181ac480-f7c4-544b-9865-11b8ffe87f47\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities in security configuration on your machines should be remediated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15\",\r\n \"description\": \"Remediate vulnerabilities in security configuration on your machines to protect them from attacks.\",\r\n \"remediationDescription\": \"1.\\tClick any of the configuration vulnerabilities. 2. In the Remediate security configurations pane, click View affected machines. 3. Click a machine from the list. 4. Customize the Kusto query as necessary and run the command.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3bcd234d-c9c7-c2a2-89e0-c01f419c1a8a\",\r\n \"name\": \"3bcd234d-c9c7-c2a2-89e0-c01f419c1a8a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Endpoint protection health issues should be resolved on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9\",\r\n \"description\": \"For full Security Center protection, resolve monitoring agent issues on your machines by following the instructions in the Troubleshooting guide.\",\r\n \"remediationDescription\": \"1. Click any of the health issues. 2. Select a workspace. 3. Customize the Kusto query as necessary and run the command.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/83f577bd-a1b6-b7e1-0891-12ca19d1e6df\",\r\n \"name\": \"83f577bd-a1b6-b7e1-0891-12ca19d1e6df\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Install endpoint protection solution on virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9\",\r\n \"description\": \"Install an endpoint protection solution on your virtual machines, to protect them from threats and vulnerabilities.\",\r\n \"remediationDescription\": \"1.\\tSelect one or more virtual machines, or use the filter to set criteria for which machines to select. 2. Click Install on [x] VMs.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/651967bf-044e-4bde-8376-3e08e0600105\",\r\n \"name\": \"651967bf-044e-4bde-8376-3e08e0600105\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Transparent Data Encryption on SQL databases should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/17k78e20-9358-41c9-923c-fb736d382a12\",\r\n \"description\": \"Enable transparent data encryption to protect data-at-rest and meet compliance requirements\",\r\n \"remediationDescription\": \"To enable transparent data encryption on your SQL databases:
1. Select the SQL database.
2. Under Data encryption, select On.
3. Click Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/94208a8b-16e8-4e5b-abbd-4e81c9d02bee\",\r\n \"name\": \"94208a8b-16e8-4e5b-abbd-4e81c9d02bee\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Auditing on SQL server should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9\",\r\n \"description\": \"Enable auditing on your SQL Server to track database activities across all databases on the server and save them in an audit log.\",\r\n \"remediationDescription\": \"To enable SQL server auditing:
1. Select the SQL server.
2. Under Auditing, select On.
3. Select Storage details and configure a storage account for the audit log.
4. Click Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8bc390da-9eb6-938d-25ed-44a35d9bcc9d\",\r\n \"name\": \"8bc390da-9eb6-938d-25ed-44a35d9bcc9d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"OS version should be updated for your cloud service roles\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5a913c68-0590-402c-a531-e57e19379da3\",\r\n \"description\": \"Update the operating system (OS) version for your cloud service roles to the most recent version available for your OS family.\",\r\n \"remediationDescription\": \"Update the OS version on your cloud service roles to make sure you have the most recent OS version. To do this, follow the instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/383cf3bc-fdf9-4a02-120a-3e7e36c6bfee\",\r\n \"name\": \"383cf3bc-fdf9-4a02-120a-3e7e36c6bfee\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Install endpoint protection solution on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Install an endpoint protection solution on your Windows and Linux machines, to protect them from threats and vulnerabilities.\",\r\n \"remediationDescription\": \"1. Select one or more machines, or use the filter to set criteria for which machines to select. 2. Click Install on [x] machines.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e7ee30c4-bac9-2966-54bd-2023a4282872\",\r\n \"name\": \"e7ee30c4-bac9-2966-54bd-2023a4282872\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Monitoring agent should be installed on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This action installs a monitoring agent on the selected virtual machines. Select a workspace for the agent to report to.\",\r\n \"remediationDescription\": \"1. For instructions on how to install the agent on Windows, click here 2. For instructions on how to install the agent on Linux, click here\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8e2b96ff-3de2-289b-b5c1-3b9921a3441e\",\r\n \"name\": \"8e2b96ff-3de2-289b-b5c1-3b9921a3441e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Log Analytics agent health issues should be resolved on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d62cfe2b-3ab0-4d41-980d-76803b58ca65\",\r\n \"description\": \"Security Center uses the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA). To make sure your virtual machines are successfully monitored, you need to make sure the agent is both installed on the virtual machines and properly collects security events to the configured workspace.\",\r\n \"remediationDescription\": \"To resolve Log Analytics agent health issues and see the different resolution for each issue, please see the following instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d1db3318-01ff-16de-29eb-28b344515626\",\r\n \"name\": \"d1db3318-01ff-16de-29eb-28b344515626\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Log Analytics agent should be installed on your virtual machine\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499\",\r\n \"description\": \"Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats. Data is collected using the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA), which reads various security-related configurations and event logs from the machine and copies the data to your Log Analytics workspace for analysis. This agent is also is required if your VMs are used by an Azure managed service such as Azure Kubernetes Service or Azure Service Fabric. We recommend configuring auto-provisioning to automatically deploy the agent. If you choose not to use auto-provisioning, manually deploy the agent to your VMs using the instructions in the remediation steps.\",\r\n \"remediationDescription\": \"For multiple ways to install and configure your Log Analytics agent please see the following instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/151e82c5-5341-a74b-1eb0-bc38d2c84bb5\",\r\n \"name\": \"151e82c5-5341-a74b-1eb0-bc38d2c84bb5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"MFA should be enabled on accounts with read permissions on your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e3576e28-8b17-4677-84c3-db2990658d64\",\r\n \"description\": \"Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources.\",\r\n \"remediationDescription\": \"To enable MFA using conditional access you must have an Azure AD Premium license and have AD tenant admin permissions.
1. Select the relevant subscription or click 'Take action' if it's available. The list of user accounts without MFA appears.
2. Click 'Continue'. The Azure AD Conditional Access page appears.
3. In the Conditional Access page, add the list of users to a policy (create a policy if one doesn't exist).
4. For your conditional access policy, ensure the following:
a. In the 'Access controls' section, multi-factor authentication is granted.
b. In the 'Cloud Apps or actions' section's 'Include' tab, check that Microsoft Azure Management (App Id :797f4846-ba00-4fd7-ba43-dac1f8f63013) or 'All apps' is selected. In the 'Exclude' tab, check that it is not excluded.
To enable MFA security defaults in Azure Active Directory (included in Azure AD free):
1. Sign in to the Azure AD - Properties page as a security administrator, Conditional Access administrator, or global administrator.
2. From the bottom of the page, select Manage security defaults.
3. Set Enable security defaults to Yes.
4. Select Save.
Note: It can take up to 12 hours for the change to be reflected in Security Center.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/57e98606-6b1e-6193-0e3d-fe621387c16b\",\r\n \"name\": \"57e98606-6b1e-6193-0e3d-fe621387c16b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"MFA should be enabled on accounts with write permissions on your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9297c21d-2ed6-4474-b48f-163f75654ce3\",\r\n \"description\": \"Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources.\",\r\n \"remediationDescription\": \"To enable MFA using conditional access you must have an Azure AD Premium license and have AD tenant admin permissions.
1. Select the relevant subscription or click 'Take action' if it's available. The list of user accounts without MFA appears.
2. Click 'Continue'. The Azure AD Conditional Access page appears.
3. In the Conditional Access page, add the list of users to a policy (create a policy if one doesn't exist).
4. For your conditional access policy, ensure the following:
a. In the 'Access controls' section, multi-factor authentication is granted.
b. In the 'Cloud Apps or actions' section's 'Include' tab, check that Microsoft Azure Management (App Id :797f4846-ba00-4fd7-ba43-dac1f8f63013) or 'All apps' is selected. In the 'Exclude' tab, check that it is not excluded.
To enable MFA security defaults in Azure Active Directory (included in Azure AD free):
1. Sign in to the Azure AD - Properties page as a security administrator, Conditional Access administrator, or global administrator.
2. From the bottom of the page, select Manage security defaults.
3. Set Enable security defaults to Yes.
4. Select Save.
Note: It can take up to 12 hours for the change to be reflected in Security Center.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/94290b00-4d0c-d7b4-7cea-064a9554e681\",\r\n \"name\": \"94290b00-4d0c-d7b4-7cea-064a9554e681\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"MFA should be enabled on accounts with owner permissions on your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/aa633080-8b72-40c4-a2d7-d00c03e80bed\",\r\n \"description\": \"Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources.\",\r\n \"remediationDescription\": \"To enable MFA using conditional access you must have an Azure AD Premium license and have AD tenant admin permissions.
1. Select the relevant subscription or click 'Take action' if it's available. The list of user accounts without MFA appears.
2. Click 'Continue'. The Azure AD Conditional Access page appears.
3. In the Conditional Access page, add the list of users to a policy (create a policy if one doesn't exist).
4. For your conditional access policy, ensure the following:
a. In the 'Access controls' section, multi-factor authentication is granted.
b. In the 'Cloud Apps or actions' section's 'Include' tab, check that Microsoft Azure Management (App Id :797f4846-ba00-4fd7-ba43-dac1f8f63013) or 'All apps' is selected. In the 'Exclude' tab, check that it is not excluded.
To enable MFA security defaults in Azure Active Directory (included in Azure AD free):
1. Sign in to the Azure AD - Properties page as a security administrator, Conditional Access administrator, or global administrator.
2. From the bottom of the page, select Manage security defaults.
3. Set Enable security defaults to Yes.
4. Select Save.
Note: It can take up to 12 hours for the change to be reflected in Security Center.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a8c6a4ad-d51e-88fe-2979-d3ee3c864f8b\",\r\n \"name\": \"a8c6a4ad-d51e-88fe-2979-d3ee3c864f8b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"External accounts with read permissions should be removed from your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5f76cf89-fbf2-47fd-a3f4-b891fa780b60\",\r\n \"description\": \"Accounts with read permissions that have different domain names (external accounts), should be removed from your subscription. This prevents unmonitored access. These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"To remove external accounts:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The list of external user accounts that require access removal opens.
Click 'Continue'. The Access control (IAM) page opens.
In the Access control page:
1. Click the 'Role assignments'
2. Search and select the users that were in the list of user accounts that require removal. You can scroll back to the left to see the list.
3. Click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/04e7147b-0deb-9796-2e5c-0336343ceb3d\",\r\n \"name\": \"04e7147b-0deb-9796-2e5c-0336343ceb3d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"External accounts with write permissions should be removed from your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5c607a2e-c700-4744-8254-d77e7c9eb5e4\",\r\n \"description\": \"Accounts with write permissions that have different domain names (external accounts), should be removed from your subscription. This prevents unmonitored access. These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"To remove external accounts:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The list of external user accounts that require access removal opens.
Click 'Continue'. The Access control (IAM) page opens.
In the Access control page:
1. Click the 'Role assignments'
2. Search and select the users that were in the list of user accounts that require removal. You can scroll back to the left to see the list.
3. Click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c3b6ae71-f1f0-31b4-e6c1-d5951285d03d\",\r\n \"name\": \"c3b6ae71-f1f0-31b4-e6c1-d5951285d03d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"External accounts with owner permissions should be removed from your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f8456c1c-aa66-4dfb-861a-25d127b775c9\",\r\n \"description\": \"Accounts with owner permissions that have different domain names (external accounts), should be removed from your subscription. This prevents unmonitored access. These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"To remove external accounts:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The list of external user accounts that require access removal opens.
Click 'Continue'. The Access control (IAM) page opens.
In the Access control page:
1. Click the 'Role assignments'
2. Search and select the users that were in the list of user accounts that require removal. You can scroll back to the left to see the list.
3. Click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/00c6d40b-e990-6acf-d4f3-471e747a27c4\",\r\n \"name\": \"00c6d40b-e990-6acf-d4f3-471e747a27c4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Deprecated accounts should be removed from your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6b1cbf55-e8b6-442f-ba4c-7246b6381474\",\r\n \"description\": \"User accounts that have been blocked from signing in, should be removed from your subscriptions.
These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"To remove blocked user accounts:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The list of blocked user accounts opens.
Click 'Continue'. The Access control (IAM) page opens.
In the Access control page:
1. Click the 'Role assignments' tab.
2. Search and select the users that were in the list of blocked user accounts that require removal. You can scroll back to the left to see the list.
3. Click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e52064aa-6853-e252-a11e-dffc675689c2\",\r\n \"name\": \"e52064aa-6853-e252-a11e-dffc675689c2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Deprecated accounts with owner permissions should be removed from your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ebb62a0c-3560-49e1-89ed-27e074e9f8ad\",\r\n \"description\": \"User accounts that have been blocked from signing in, should be removed from your subscriptions.
These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"To remove blocked user accounts:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The list of blocked user accounts opens.
Click 'Continue'. The Access control (IAM) page opens.
In the Access control page:
1. Click the 'Role assignments' tab.
2. Search and select the users that were in the list of blocked user accounts that require removal. You can scroll back to the left to see the list.
3. Click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6f90a6d6-d4d6-0794-0ec1-98fa77878c2e\",\r\n \"name\": \"6f90a6d6-d4d6-0794-0ec1-98fa77878c2e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"A maximum of 3 owners should be designated for your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4f11b553-d42e-4e3a-89be-32ca364cad4c\",\r\n \"description\": \"It is recommended to designate up to {0} subscription owners in order to reduce the potential for breach by a compromised owner.\",\r\n \"remediationDescription\": \"To remove owner permissions from user accounts on your subscription:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The Access control (IAM) page opens.
1. Click the Role assignments tab and set the 'Role' filter to 'Owner'.
2. Select the owners you want to remove.
3. Click Remove.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2c79b4af-f830-b61e-92b9-63dfa30f16e4\",\r\n \"name\": \"2c79b4af-f830-b61e-92b9-63dfa30f16e4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"There should be more than one owner assigned to your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/09024ccc-0c5f-475e-9457-b7c0d9ed487b\",\r\n \"description\": \"Designate more than one subscription owner in order to have administrator access redundancy.\",\r\n \"remediationDescription\": \"To add another account with owner permissions to your subscription:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The Access control (IAM) page opens.
1. Click 'Add' to open the Add role assignment pane.
If you don't have permissions to assign roles, the Add role assignment option will be disabled
1. In the 'Role' drop-down list, select the Owner role.
2. In the Select list, select a user.
3. Click Save.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0677209d-e675-2c6f-e91a-54cef2878663\",\r\n \"name\": \"0677209d-e675-2c6f-e91a-54cef2878663\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities in container security configurations should be remediated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933\",\r\n \"description\": \"Remediate vulnerabilities in security configuration on machines with Docker installed to protect them from attacks.\",\r\n \"remediationDescription\": \"To remediate vulnerabilities in the container security configurations:
1. Review the list of failed rules.
2. Fix each rule according to the specified instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1db4f204-cb5a-4c9c-9254-7556403ce51c\",\r\n \"name\": \"1db4f204-cb5a-4c9c-9254-7556403ce51c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerability assessment should be enabled on your SQL servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9\",\r\n \"description\": \"Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities.\",\r\n \"remediationDescription\": \"To enable vulnerability assessment on SQL servers:
1. Select the SQL server.
2. Make sure that 'Advanced data security' is set to 'On'.
3. Under 'Vulnerability assessment settings', set 'Periodic recurring scans' to 'On', and configure a storage account for storing vulnerability assessment scan results.
4. Click Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/400a6682-992c-4726-9549-629fbc3b988f\",\r\n \"name\": \"400a6682-992c-4726-9549-629fbc3b988f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Defender for SQL should be enabled on your SQL servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9\",\r\n \"description\": \"Azure Defender for SQL is a unified package that provides advanced SQL security capabilities. It surfaces and mitigates potential database vulnerabilities, and detects anomalous activities that could indicate a threat to your database. Azure Defender for SQL is billed as shown on the pricing page.\",\r\n \"remediationDescription\": \"To enable Azure Defender for SQL on SQL servers: 1. Select the SQL server. 2. Under 'Security Center', set Azure Defender for SQL to 'On'. 3. Under 'Vulnerability Assessment Settings', configure a storage account for storing vulnerability assessment scan results and set 'Periodic recurring scans' to 'On'. 4. Click Save.
Note: Azure Defender for SQL is billed as shown on the pricing page\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f0553104-cfdb-65e6-759c-002812e38500\",\r\n \"name\": \"f0553104-cfdb-65e6-759c-002812e38500\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"An Azure Active Directory administrator should be provisioned for SQL servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9\",\r\n \"description\": \"Provision an Azure AD administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services.\",\r\n \"remediationDescription\": \"To provision an Azure AD administrator for SQL server, see Configure and manage Azure Active Directory authentication with SQL Database, Managed Instance, or SQL Data Warehouse\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/12018f4f-3d10-999b-e4c4-86ec25be08a1\",\r\n \"name\": \"12018f4f-3d10-999b-e4c4-86ec25be08a1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Virtual machines should be migrated to new Azure Resource Manager resources\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d\",\r\n \"description\": \"Virtual Machines (classic) was deprecated and these VMs should be migrated to Azure Resource Manager.
Because Azure Resource Manager now has full IaaS capabilities and other advancements, we deprecated the management of IaaS virtual machines (VMs) through Azure Service Manager (ASM) on February 28, 2020. This functionality will be fully retired on March 1, 2023.
Available resources and information about this tool & migration:
1. Overview of Virtual machines (classic) deprecation, step by step process for migration & available microsoft resources.
2. Details about Migrate to ARM migration tool.
3. Migrate to ARM migration tool using Power shell.\",\r\n \"remediationDescription\": \"To migrate virtual machines to new ARM resources:
1. Go to the Virtual machines (classic) Portal Blade.
2. Click on Migrate to ARM.
3. Click on Validate. If validate failed, use the suggested methods in the error messages or Migration Overview document to fix the errors.
4. Click on Prepare. If prepare failed, use the suggested methods in the error messages or Migration Overview document to fix the errors.
5. (Optional) Click on Abort to rollback migration.
6. Click on Commit. Commit finalizes the migration and cannot be rolled back.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/22e18b64-4576-41e6-8972-0eb28c9af0c8\",\r\n \"name\": \"22e18b64-4576-41e6-8972-0eb28c9af0c8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fb893a29-21bb-418c-a157-e99480ec364c\",\r\n \"description\": \"Upgrade your Kubernetes service cluster to a later Kubernetes version to protect against known vulnerabilities in your current Kubernetes version. Vulnerability CVE-2019-9946 has been patched in Kubernetes versions 1.11.9+, 1.12.7+, 1.13.5+, and 1.14.0+\",\r\n \"remediationDescription\": \"To upgrade a Kubernetes version using the Azure portal:
1. Go to Azure Kubernetes Services and click on the specific Kubernetes Service.
2. Under 'Upgrade' select the target Kubernetes version and save the change. Note:When you upgrade an AKS cluster, Kubernetes minor versions cannot be skipped. For example, upgrades between 1.10.x -> 1.11.x or 1.11.x -> 1.12.x are allowed, however 1.10.x -> 1.12.x is not. To upgrade from 1.10.x -> 1.12.x, first upgrade from 1.10.x -> 1.11.x, then upgrade from 1.11.x -> 1.12.x.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"ElevationOfPrivilege\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1a2b5b4c-f80d-46e7-ac81-b51a9fb363de\",\r\n \"name\": \"1a2b5b4c-f80d-46e7-ac81-b51a9fb363de\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Authorized IP ranges should be defined on Kubernetes Services\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e246bcf-5f6f-4f87-bc6f-775d4712c7ea\",\r\n \"description\": \"Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster.\",\r\n \"remediationDescription\": \"To configure authorized IP ranges, follow the steps described here Secure access to the API server using authorized IP address ranges in Azure Kubernetes Service (AKS). If you are using Basic load balancer, you need to first migrate to Standard to use authorized IP ranges.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DenialOfService\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a3eee263-aa01-4b52-a7c0-0094578ef48f\",\r\n \"name\": \"a3eee263-aa01-4b52-a7c0-0094578ef48f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Pod Security Policies should be defined on Kubernetes Services (Deprecated)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3abeb944-26af-43ee-b83d-32aaf060fb94\",\r\n \"description\": \"(Deprecated) Define Pod Security Policies to reduce the attack vector by removing unnecessary application privileges. It is recommended to configure Pod Security Policies to only allow pods to access the resources which they have permissions to access.\",\r\n \"remediationDescription\": \"To configure Pod Security Policies, follow the steps described here Secure your cluster using pod security policies in Azure Kubernetes Service (AKS).\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ElevationOfPrivilege\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b0fdc63a-38e7-4bab-a7c4-2c2665abbaa9\",\r\n \"name\": \"b0fdc63a-38e7-4bab-a7c4-2c2665abbaa9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Role-Based Access Control should be used on Kubernetes Services\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ac4a19c2-fa67-49b4-8ae5-0b2e78c49457\",\r\n \"description\": \"To provide granular filtering on the actions that users can perform, use Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service Clusters and configure relevant authorization policies. For more information, see Azure role-based access control.\",\r\n \"remediationDescription\": \"To Use Role-Based Access Control (RBAC) you must recreate your Kubernetes Service cluster and enable RBAC during the creation process. Creating a Kubernetes Service with RBAC enabled can be done via the portal as follows:
1. Go to Azure Kubernetes Services.
2. Click 'Add' and enter your cluster's configuration.
3. In the 'Authentication' tab, verify that the 'Enable RBAC' setting is set to 'Yes'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"ElevationOfPrivilege\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c6dad669-efd7-cd72-61c5-289935607791\",\r\n \"name\": \"c6dad669-efd7-cd72-61c5-289935607791\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Data Lake Analytics should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c95c74d9-38fe-4f0d-af86-0c7d626a315c\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Data Lake Analytics diagnostics:
1. Go to Data Lake Analytics and click on your subscription.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c42fc28d-1703-45fc-aaa5-39797f570513\",\r\n \"name\": \"c42fc28d-1703-45fc-aaa5-39797f570513\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerability assessment should be enabled on your SQL managed instances\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b7aa243-30e4-4c9e-bca8-d0d3022b634a\",\r\n \"description\": \"Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities.\",\r\n \"remediationDescription\": \"To enable vulnerability assessment on a managed instance:
1. Select the SQL managed instance.
2. Make sure that 'Advanced data security' is set to 'On'.
3. Under 'Vulnerability assessment settings', set 'Periodic recurring scans' to 'On', and configure a storage account for storing vulnerability assessment scan results.
4. Click Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ff6dbca8-d93c-49fc-92af-dc25da7faccd\",\r\n \"name\": \"ff6dbca8-d93c-49fc-92af-dc25da7faccd\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Defender for SQL should be enabled on your managed instances\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9\",\r\n \"description\": \"Azure Defender for SQL is a unified package that provides advanced SQL security capabilities. It surfaces and mitigates potential database vulnerabilities, and detects anomalous activities that could indicate a threat to your database. Azure Defender for SQL is billed as shown on the pricing page.\",\r\n \"remediationDescription\": \"To enable Azure Defender for SQL on managed SQL servers: 1. Select the managed SQL server. 2. Under 'Security Center', set Azure Defender for SQL to 'On'. 3. Under 'Vulnerability Assessment Settings', configure a storage account for storing vulnerability assessment scan results and set 'Periodic recurring scans' to 'On'. 4. Click Save.
Note: Azure Defender for SQL is billed as shown on the pricing page.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/35b25be2-d08a-e340-45ed-f08a95d804fc\",\r\n \"name\": \"35b25be2-d08a-e340-45ed-f08a95d804fc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Only secure connections to your Redis Cache should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/22bee202-a82f-4305-9a2a-6d7f44d4dedb\",\r\n \"description\": \"Enable only connections via SSL to Redis Cache. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.\",\r\n \"remediationDescription\": \"To enable only SSL connections to your Redis Cache, we recommend the following steps:
1. Go to the Redis Caches, and select your redis cache.
2. Select 'Advanced settings'.
3. For 'Allow access only via SSL', click 'Yes' and then click 'Save'.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/77785808-ce86-4e40-b45f-19110a547397\",\r\n \"name\": \"77785808-ce86-4e40-b45f-19110a547397\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in IoT Hub should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/383856f8-de7f-44a2-81fc-e5135b5c2aa4\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable IoT Hub diagnostics:
1. Go to the Event Hub namespace.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/32771b45-220c-1a8b-584e-fdd5a2584a66\",\r\n \"name\": \"32771b45-220c-1a8b-584e-fdd5a2584a66\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Batch accounts should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/428256e6-1fac-4f48-a757-df34c2b3336d\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Batch diagnostics:
1. Go to Batch and click on your subscription.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f11b27f2-8c49-5bb4-eff5-e1e5384bf95e\",\r\n \"name\": \"f11b27f2-8c49-5bb4-eff5-e1e5384bf95e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Azure Stream Analytics should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f9be5368-9bf5-4b84-9e0a-7850da98bb46\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Stream Analytics diagnostics:
1. Go to Stream Analytics and click on your subscription.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f19ab7d9-5ff2-f8fd-ab3b-0bf95dcb6889\",\r\n \"name\": \"f19ab7d9-5ff2-f8fd-ab3b-0bf95dcb6889\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Service Bus should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f8d36e2f-389b-4ee4-898d-21aeb69a0f45\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Service Bus diagnostics:
1. Go to the Service Bus.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b12bc79e-4f12-44db-acda-571820191ddc\",\r\n \"name\": \"b12bc79e-4f12-44db-acda-571820191ddc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Automation account variables should be encrypted\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735\",\r\n \"description\": \"It is important to enable encryption of Automation account variable assets when storing sensitive data.\",\r\n \"remediationDescription\": \"You should encrypt Automation Account Variables that store sensitive data. This step can only be taken at creation time.
If you have Automation Account Variables storing sensitive data that are not already encrypted, then you will need to delete them and recreate them as encrypted variables.
To apply encryption of the Automation account variable assets, in the Azure CLI - run the following command: Set-AzAutomationVariable -AutomationAccountName '{AutomationAccountName}' -Encrypted $true -Name '{VariableName}' -ResourceGroupName '{ResourceGroupName}' -Value '{Value}'
Read more here\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ad5bbaeb-7632-5edf-f1c2-752075831ce8\",\r\n \"name\": \"ad5bbaeb-7632-5edf-f1c2-752075831ce8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Azure Data Lake Store should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/057ef27e-665e-4328-8ea3-04b3122bd9fb\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Data Lake Store diagnostics:
1. Go to Data Lake Store and click on your subscription.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/dea5192e-1bb3-101b-b70c-4646546f5e1e\",\r\n \"name\": \"dea5192e-1bb3-101b-b70c-4646546f5e1e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Search services should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b4330a05-a843-4bc8-bf9a-cacce50c67f4\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Search diagnostics:
1. Go to Search and click on your subscription.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/03afeb6f-7634-adb3-0a01-803b0b9cb611\",\r\n \"name\": \"03afeb6f-7634-adb3-0a01-803b0b9cb611\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Service Fabric clusters should only use Azure Active Directory for client authentication\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b54ed75b-3e1a-44ac-a333-05ba39b99ff0\",\r\n \"description\": \"Perform Client authentication only via Azure Active Directory in Service Fabric\",\r\n \"remediationDescription\": \"To enable client authentication using Azure Active Directory follow the instructions to Set up Azure Active Directory for client authentication.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7f04fc0c-4a3d-5c7e-ce19-666cb871b510\",\r\n \"name\": \"7f04fc0c-4a3d-5c7e-ce19-666cb871b510\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/617c02be-7f02-4efd-8836-3180d47b6c68\",\r\n \"description\": \"Service Fabric provides three levels of protection (None, Sign and EncryptAndSign) for node-to-node communication using a primary cluster certificate. Set the protection level to ensure that all node-to-node messages are encrypted and digitally signed.\",\r\n \"remediationDescription\": \"To set 'ClusterProtectionLevel' inside Service Fabric ARM template to 'EncryptAndSign':
1. Go to the Service fabric cluster.
2. Click on 'Custom fabric settings'.
3. Click 'Add new', set the 'Security' section and update the 'ClusterProtectionLevel' property to 'EncryptAndSign'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1597605a-0faf-5860-eb74-462ae2e9fc21\",\r\n \"name\": \"1597605a-0faf-5860-eb74-462ae2e9fc21\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Event Hub should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83a214f7-d01a-484b-91a9-ed54470c9a6a\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Event Hub diagnostics:
1. Go to the Event Hub namespace.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/91387f44-7e43-4ecc-55f0-46f5adee3dd5\",\r\n \"name\": \"91387f44-7e43-4ecc-55f0-46f5adee3dd5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Logic Apps should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34f95f76-5386-4de7-b824-0d8478470c9d\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Logic Apps diagnostics:
1. Go to Logic Apps and click on your subscription.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/961eb649-3ea9-f8c2-6595-88e9a3aeedeb\",\r\n \"name\": \"961eb649-3ea9-f8c2-6595-88e9a3aeedeb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Virtual Machine Scale Sets should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7c1b1214-f927-48bf-8882-84f0af6588b1\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Virtual Machines Scale Sets diagnostics follow the instructions\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606\",\r\n \"description\": \"To benefit from new capabilities in Azure Resource Manager, you can migrate existing deployments from the Classic deployment model. Resource Manager enables security enhancements such as: stronger access control (RBAC), better auditing, ARM-based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management. Learn more\",\r\n \"remediationDescription\": \"To migrate storage accounts to new ARM resources :
1. Go to the Storage Account
2. Click on Migrate to ARM and follow the instructions.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/88bbc99c-e5af-ddd7-6105-6150b2bfa519\",\r\n \"name\": \"88bbc99c-e5af-ddd7-6105-6150b2bfa519\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Key Vault should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Key Vault diagnostics:
1. Go to Key Vault and click on your subscription.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/45d313c3-3fca-5040-035f-d61928366d31\",\r\n \"name\": \"45d313c3-3fca-5040-035f-d61928366d31\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Access to storage accounts with firewall and virtual network configurations should be restricted\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c\",\r\n \"description\": \"Review the settings of network access in your storage account firewall settings. It is recommended to configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premise clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges.\",\r\n \"remediationDescription\": \"
1. In your storage account, go to 'Firewalls and virtual networks'.
2. Under 'Allow access from', choose 'Selected networks'.
3. Configure the relevant virtual networks and IP ranges that should be allowed to access your storage account.
4. Configure \\\"Allow trusted Microsoft services to access your storage account\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": \"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Secure transfer to storage accounts should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9\",\r\n \"description\": \"Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.\",\r\n \"remediationDescription\": \"To enable secure transfer required:
1. In your storage account, go to the 'Configuration' page.
2. Enable 'Secure transfer required'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bd20bd91-aaf1-7f14-b6e4-866de2f43146\",\r\n \"name\": \"bd20bd91-aaf1-7f14-b6e4-866de2f43146\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"System updates on virtual machine scale sets should be installed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe\",\r\n \"description\": \"Install missing system security and critical updates to secure your Windows and Linux virtual machine scale sets.\",\r\n \"remediationDescription\": \"To install system updates:
1. Review the list of missing system updates.
2. Follow the steps to resolve the update, as described in the support link.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/45cfe080-ceb1-a91e-9743-71551ed24e94\",\r\n \"name\": \"45cfe080-ceb1-a91e-9743-71551ed24e94\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Log Analytics agent should be installed on your virtual machine scale sets\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a3a6ea0c-e018-4933-9ef0-5aaa1501449b\",\r\n \"description\": \"Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats. Data is collected using the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA), which reads various security-related configurations and event logs from the machine and copies the data to your workspace for analysis. You’ll also need to follow that procedure if your VMs are used by an Azure managed service such as Azure Kubernetes Service or Azure Service Fabric. You cannot configure auto-provisioning of the agent for Azure virtual machine scale sets. To deploy the agent on virtual machine scale sets (including those used by Azure managed services such as Azure Kubernetes Service and Azure Service Fabric), follow the procedure in the remediation steps.\",\r\n \"remediationDescription\": \"For information on how to add the Log analytics agent as an extension to your virtual machine scale set please see the following instructions. For information on how to deploy the log analytics agent at scale on virtual machine scale set using Azure Policy please see the following instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8941d121-f740-35f6-952c-6561d2b38d36\",\r\n \"name\": \"8941d121-f740-35f6-952c-6561d2b38d36\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities in security configuration on your virtual machine scale sets should be remediated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4\",\r\n \"description\": \"Remediate vulnerabilities in security configuration on your virtual machine scale sets to protect them from attacks.\",\r\n \"remediationDescription\": \"To remediate vulnerabilities in VM scale set security configurations:
1. Review the list of failed rules.
2. Fix each rule according to the instructions provided.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/21300918-b2e3-0346-785f-c77ff57d243b\",\r\n \"name\": \"21300918-b2e3-0346-785f-c77ff57d243b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Endpoint protection solution should be installed on virtual machine scale sets\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de\",\r\n \"description\": \"Install an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities.\",\r\n \"remediationDescription\": \"To install an endpoint protection solution:
1. Follow the instructions in How do I turn on antimalware in my virtual machine scale set\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e71020c2-860c-3235-cd39-04f3f8c936d2\",\r\n \"name\": \"e71020c2-860c-3235-cd39-04f3f8c936d2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Endpoint protection health failures should be remediated on virtual machine scale sets\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de\",\r\n \"description\": \"Remediate endpoint protection health failures on your virtual machine scale sets to protect them from threats and vulnerabilities.\",\r\n \"remediationDescription\": \"Resolve endpoint protection health issues on your VM scale sets to get full protection and coverage by Azure Security Center. To do this, follow the instructions in each of the possible endpoint protection health issues displayed on your virtual machine scale set.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6c99f570-2ce7-46bc-8175-cde013df43bc\",\r\n \"name\": \"6c99f570-2ce7-46bc-8175-cde013df43bc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Guest configuration extension should be installed on Windows virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/5fc23db3-dd4d-4c56-bcc7-43626243e601\",\r\n \"description\": \"Install the guest configuration agent to enable auditing settings inside a machine such as: - The configuration of the operating system
- Application configuration or presence
- Environment settings
Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'.
For more details, visit in-guest policies\",\r\n \"remediationDescription\": \"Quick fix remediation:
To remediate with a single click, in the Unhealthy resources tab (below), select the resources, and click 'Remediate'.
Read the remediation details in the confirmation box, and approve the remediation.
Note: It can take several minutes after remediation completes to see the resources in the 'healthy resources' tab.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/22489c48-27d1-4e40-9420-4303ad9cffef\",\r\n \"name\": \"22489c48-27d1-4e40-9420-4303ad9cffef\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Windows Defender Exploit Guard should be enabled on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/bed48b13-6647-468e-aa2f-1af1d3f4dd40\",\r\n \"description\": \"Windows Defender Exploit Guard leverages the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only).\",\r\n \"remediationDescription\": \"Enable controlled folder access: controlled folder access
The following attack surface rules should be enabled:
'be9ba2d9-53ea-4cdc-84e5-9b1eeee46550',
'b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4',
'9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2',
'd4f940ab-401b-4efc-aadc-ad5f3c50688a',
'd3e037e1-3eb8-44c8-a917-57927947596d',
'5beb7efe-fd9a-4556-801d-275e5ffc04cc',
'3b576869-a4ec-4529-8536-b80a7769e899',
'26190899-1602-49e8-8b27-eb1d0a1ce869',
'92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B',
'7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c',
'75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84'
For more information on visit:Learn more\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ThreatResistance\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/27ac71b1-75c5-41c2-adc2-858f5db45b08\",\r\n \"name\": \"27ac71b1-75c5-41c2-adc2-858f5db45b08\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Log Analytics agent should be installed on your Windows-based Azure Arc machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/d69b1763-b96d-40b8-a2d9-ca31e9fd0d3e\",\r\n \"description\": \"Security Center uses the Log Analytics agent (also known as MMA) to collect security events from your Azure Arc machines. To deploy the agent on all your Azure Arc machines, follow the remediation steps.\",\r\n \"remediationDescription\": \"To install the monitoring agent on your Arc machine:
1. From the Azure Arc machine's page, go to Extensions and select Add.
2. Follow the instructions to add the relevant extension.
You can also use ARM template or Azure Policies to manage the extension deployment to Arc servers. Learn more about Log Analytics agent for Windows.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/720a3e77-0b9a-4fa9-98b6-ddf0fd7e32c1\",\r\n \"name\": \"720a3e77-0b9a-4fa9-98b6-ddf0fd7e32c1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Log Analytics agent should be installed on your Linux-based Azure Arc machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/842c54e8-c2f9-4d79-ae8d-38d8b8019373\",\r\n \"description\": \"Security Center uses the Log Analytics agent (also known as OMS) to collect security events from your Azure Arc machines. To deploy the agent on all your Azure Arc machines, follow the remediation steps.\",\r\n \"remediationDescription\": \"To install the monitoring agent on your Arc machine:
1. From the Azure Arc machine's page, go to Extensions and select Add.
2. Follow the instructions to add the relevant extension.
You can also use ARM template or Azure Policies to manage the extension deployment to Arc servers. Learn more about Log Analytics agent for Linux.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fc84abc0-eee6-4758-8372-a7681965ca44\",\r\n \"name\": \"fc84abc0-eee6-4758-8372-a7681965ca44\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Validity period of certificates stored in Azure Key Vault should not exceed 12 months\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a075868-4c26-42ef-914c-5bc007359560\",\r\n \"description\": \"Ensure your certificates do not have a validity period that exceeds 12 months.\",\r\n \"remediationDescription\": \"To remediate you must create a new version of the certificate. Ensure that your application or service will be able to get a new version of the certificate before proceeding. Select a key vault from the list below. The list of certificates with a validity period that exceeds 12 months will appear. From the Azure Portal, open Azure Key Vault and select the vault with the certificate that needs to be replaced. Select the relevant certificate and the certificate details page opens. 1. On the certificate details page, select \\\"+ New Version\\\". The \\\"Create a Certificate\\\" pane opens. 2. Change the \\\"Validity period (in months)\\\" field to 12 or less. 3. Select \\\"Create\\\". 4. Ensure that you have set up auto-renewal, or have a process to renew your certificate prior to expiration.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"name\": \"51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Storage account public access should be disallowed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751\",\r\n \"description\": \"Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data, but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.\",\r\n \"remediationDescription\": \"To prevent public access to containers and blobs in your storage account:
1. In the Azure portal, navigate to your storage account.
2. From the settings menu, select \\\"Configuration\\\".
3. Set \\\"Allow Blob public access\\\" to \\\"Disabled\\\".
Learn more about public access
Note: It might take several minutes after remediation completes until the resource appears in the 'healthy resources' tab.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f2f595ec-5dc6-68b4-82ef-b63563e9c610\",\r\n \"name\": \"f2f595ec-5dc6-68b4-82ef-b63563e9c610\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Backup should be enabled for virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/013e242c-8828-4970-87b3-ab247555486d\",\r\n \"description\": \"Protect the data on your Azure virtual machines with Azure Backup.
Azure Backup is an Azure-native, cost-effective, data protection solution.
It creates recovery points that are stored in geo-redundant recovery vaults.
When you restore from a recovery point, you can restore the whole VM or specific files.\",\r\n \"remediationDescription\": \"1. To enable Azure Backup for an individual virtual machine, navigate to the virtual machine on the Azure portal and select 'Backup' from the menu.
In the screen that appears, you can then choose to backup the machine to a new or existing Recovery Services vault in the same location and subscription.
Learn more at https://aka.ms/AzureVMBackupDoc 2. To enable Azure Backup for virtual machines at scale, you can assign the policy 'Configure backup on VMs of a location to an existing central Vault in the same location' to a given scope.
This policy can be assigned to one subscription-location pair at a time.
Learn more at http://aka.ms/AzureBackupVMGovernance\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/23aa9cbe-c2fb-6a2f-6c97-885a6d48c4d1\",\r\n \"name\": \"23aa9cbe-c2fb-6a2f-6c97-885a6d48c4d1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Managed identity should be used in your function app\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0da106f2-4ca3-48e8-bc85-c638fe6aea8f\",\r\n \"description\": \"For enhanced authentication security, use a managed identity.
On Azure, managed identities eliminate the need for developers to have to manage credentials by providing an identity for the Azure resource in Azure AD and using it to obtain Azure Active Directory (Azure AD) tokens.\",\r\n \"remediationDescription\": \"To create a managed identity for your function app:
1. Go to the App Service for your API app 2. Navigate to Platform features 3. Select Identity 4. Use System assigned or User assigned identity following the steps described in this doc: https://aka.ms/managed-identity\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2ce368b5-7882-89fd-6645-885b071a2409\",\r\n \"name\": \"2ce368b5-7882-89fd-6645-885b071a2409\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Geo-redundant backup should be enabled for Azure Database for MariaDB\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0ec47710-77ff-4a3d-9181-6aa50af424d0\",\r\n \"description\": \"Azure Database for MariaDB allows you to choose the redundancy option for your database server.
It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery options in case of a region failure.
Configuring geo-redundant storage for backup is only allowed when creating a server.\",\r\n \"remediationDescription\": \"To configure your Azure Database for MariaDB server with geo-redundant backup during server creation, select the “Geo-Redundant” option for the server in the Compute + Storage configuration.
For more information, see: https://go.microsoft.com/fwlink/?linkid=2086853\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4a3d7cd3-f17c-637a-1ffc-614a01dd03cf\",\r\n \"name\": \"4a3d7cd3-f17c-637a-1ffc-614a01dd03cf\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Managed identity should be used in your web app\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2b9ad585-36bc-4615-b300-fd4435808332\",\r\n \"description\": \"For enhanced authentication security, use a managed identity.
On Azure, managed identities eliminate the need for developers to have to manage credentials by providing an identity for the Azure resource in Azure AD and using it to obtain Azure Active Directory (Azure AD) tokens.\",\r\n \"remediationDescription\": \"To create a managed identity for your web app:
1. Go to the App Service for your API app 2. Scroll to the Settings group in the left navigation 3. Select Identity 4. Use System assigned or User assigned identity following the steps described in this doc: https://aka.ms/managed-identity\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/95592ab0-ddc8-660d-67f3-6df1fadfe7ec\",\r\n \"name\": \"95592ab0-ddc8-660d-67f3-6df1fadfe7ec\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Geo-redundant backup should be enabled for Azure Database for PostgreSQL\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/48af4db5-9b8b-401c-8e74-076be876a430\",\r\n \"description\": \"Azure Database for PostgreSQL allows you to choose the redundancy option for your database server.
It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery options in case of a region failure.
Configuring geo-redundant storage for backup is only allowed when creating a server.\",\r\n \"remediationDescription\": \"To configure your Azure Database for PostgreSQL server with geo-redundant backup during server creation, select the “Geo-Redundant” option for the server in the Compute + Storage configuration.
For more information, see: https://go.microsoft.com/fwlink/?linkid=867615\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ca4e6a5a-3a9a-bad3-798a-d420a1d9bd6d\",\r\n \"name\": \"ca4e6a5a-3a9a-bad3-798a-d420a1d9bd6d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Web apps should request an SSL certificate for all incoming requests\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5bb220d9-2698-4ee4-8404-b9c30c9df609\",\r\n \"description\": \"Client certificates allow for the app to request a certificate for incoming requests.
Only clients that have a valid certificate will be able to reach the app.\",\r\n \"remediationDescription\": \"To set Client Certificates for your Web App:
1. Navigate to Azure App Service 2. Select Configuration 3. Go to the General Settings tab 4. Set Incoming Client Certificates to Require.
For more information, visit here: https://aka.ms/auth-tls\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8ad68a2f-c6b1-97b5-41b5-174359a33688\",\r\n \"name\": \"8ad68a2f-c6b1-97b5-41b5-174359a33688\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Geo-redundant backup should be enabled for Azure Database for MySQL\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/82339799-d096-41ae-8538-b108becf0970\",\r\n \"description\": \"Azure Database for MySQL allows you to choose the redundancy option for your database server.
It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery options in case of a region failure.
Configuring geo-redundant storage for backup is only allowed when creating a server.\",\r\n \"remediationDescription\": \"To configure your Azure Database for MySQL server with geo-redundant backup during server creation, select the “Geo-Redundant” option for the server in the Compute + Storage configuration.
For more information, see: https://go.microsoft.com/fwlink/?linkid=867608\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5a659d57-117d-bb18-65f6-54e51da1bb9b\",\r\n \"name\": \"5a659d57-117d-bb18-65f6-54e51da1bb9b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"TLS should be updated to the latest version for your API app\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e\",\r\n \"description\": \"Upgrade to the latest TLS version\",\r\n \"remediationDescription\": \"To update your API app to the latest TLS version:
1. Navigate to Azure App Service 2. Select TLS/SSL settings 3. Under the Protocol Settings section, choose the latest Minimum TLS Version.
For more information on managing TLS/SSL settings, visit here: https://aka.ms/add-tls\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/40394a2c-60fb-7cc5-1944-065772e94f05\",\r\n \"name\": \"40394a2c-60fb-7cc5-1944-065772e94f05\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs should be enabled in App Service\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b607c5de-e7d9-4eee-9e5c-83f1bcee4fa0\",\r\n \"description\": \"Audit enabling of diagnostic logs on the app.
This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised\",\r\n \"remediationDescription\": \"To enable App Service diagnostics:
1. Navigate to Azure App Service and select App Service logs 2. In Application logging, select File System 3. Specify the retention period for the logs 4. If using Azure monitor select Diagnostic settings and click Add diagnostic setting 5. Select one or more catagories of logs to collect 6. Select one of the options to store the diagnostics logs and follow the instructions.
For more information, visit https://aka.ms/enable-logs\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/cc6d1865-7617-3cb2-cf7d-4cfc01ece1df\",\r\n \"name\": \"cc6d1865-7617-3cb2-cf7d-4cfc01ece1df\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Managed identity should be used in your API app\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c4d441f8-f9d9-4a9e-9cef-e82117cb3eef\",\r\n \"description\": \"For enhanced authentication security, use a managed identity.
On Azure, managed identities eliminate the need for developers to have to manage credentials by providing an identity for the Azure resource in Azure AD and using it to obtain Azure Active Directory (Azure AD) tokens.\",\r\n \"remediationDescription\": \"To create a managed identity for your API app:
1. Go to the App Service for your API app 2. Scroll to the Settings group in the left navigation 3. Select Identity 4. Use System assigned or User assigned identity following the steps described in this doc: https://aka.ms/managed-identity\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1fde2073-a488-17e9-9534-5a3b23379b4b\",\r\n \"name\": \"1fde2073-a488-17e9-9534-5a3b23379b4b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Enforce SSL connection should be enabled for PostgreSQL database servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d158790f-bfb0-486c-8631-2dc6b4e8e6af\",\r\n \"description\": \"Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL).
Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application.
This configuration enforces that SSL is always enabled for accessing your database server.\",\r\n \"remediationDescription\": \"To enforce the use of SSL-based encrypted connections for all traffic to your Azure Database for PostgreSQL:
1. Select your Azure Database for PostgreSQL. 2. In Connection Security, set Enforce SSL connection to 'Enabled'.
For more information, see: https://go.microsoft.com/fwlink/?linkid=848213\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1f6d29f6-4edb-ea39-042b-de8f123ddd39\",\r\n \"name\": \"1f6d29f6-4edb-ea39-042b-de8f123ddd39\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Enforce SSL connection should be enabled for MySQL database servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e802a67a-daf5-4436-9ea6-f6d821dd0c5d\",\r\n \"description\": \"Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL).
Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application.
This configuration enforces that SSL is always enabled for accessing your database server.\",\r\n \"remediationDescription\": \"To enforce the use of SSL-based encrypted connections for all traffic to your Azure Database for MySQL:
1. Select your Azure Database for MySQL. 2. In Connection Security, set Enforce SSL connection to 'Enabled'.
For more information, see: https://go.microsoft.com/fwlink/?linkid=848211\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2a54c352-7ca4-4bae-ad46-47ecd9595bd2\",\r\n \"name\": \"2a54c352-7ca4-4bae-ad46-47ecd9595bd2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"TLS should be updated to the latest version for your web app\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b\",\r\n \"description\": \"Upgrade to the latest TLS version\",\r\n \"remediationDescription\": \"To update your web app to the latest TLS version:
1. Navigate to Azure App Service 2. Select TLS/SSL settings 3. Under the Protocol Settings section, choose the latest Minimum TLS Version.
For more information on managing TLS/SSL settings, visit here: https://aka.ms/add-tls\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/15be5f3c-e0a4-c0fa-fbff-8e50339b4b22\",\r\n \"name\": \"15be5f3c-e0a4-c0fa-fbff-8e50339b4b22\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"TLS should be updated to the latest version for your function app\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193\",\r\n \"description\": \"Upgrade to the latest TLS version\",\r\n \"remediationDescription\": \"To update your function app to the latest TLS version:
1. Navigate to Azure App Service 2. Select TLS/SSL settings 3. Under the Protocol Settings section, choose the latest Minimum TLS Version.
For more information on managing TLS/SSL settings, visit here: https://aka.ms/add-tls\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6b86d069-b3c3-b4d7-47c7-e73ddf786a63\",\r\n \"name\": \"6b86d069-b3c3-b4d7-47c7-e73ddf786a63\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"PHP should be updated to the latest version for your API app\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1bc1795e-d44a-4d48-9b3b-6fff0fd5f9ba\",\r\n \"description\": \"Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality.
Using the latest PHP version for API apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version.\",\r\n \"remediationDescription\": \"To set the PHP version for your API app, follow the instructions to show and set the version using the Azure CLI outlined in this document: https://aka.ms/configure-php\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7b2a234d-614b-562f-ac85-91b419688b59\",\r\n \"name\": \"7b2a234d-614b-562f-ac85-91b419688b59\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"PHP should be updated to the latest version for your web app\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7261b898-8a84-4db8-9e04-18527132abb3\",\r\n \"description\": \"Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality.
Using the latest PHP version for web apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version.\",\r\n \"remediationDescription\": \"To set the PHP version for your web app, follow the instructions to show and set the version using the Azure CLI outlined in this document: https://aka.ms/configure-php\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/39c63596-aa92-1b90-ee7c-628bee592cc0\",\r\n \"name\": \"39c63596-aa92-1b90-ee7c-628bee592cc0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Java should be updated to the latest version for your web app\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/496223c3-ad65-4ecd-878a-bae78737e9ed\",\r\n \"description\": \"Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality.
Using the latest Java version for web apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version.\",\r\n \"remediationDescription\": \"To set the latest Java version for your web app:
1. Navigate to Azure App Service 2. Go to Configuration 3. Select the latest Java version in the JVM drop down.
For more information, visit here: https://aka.ms/configure-java\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f0fd27eb-25aa-4335-0ba2-0720cccda9a4\",\r\n \"name\": \"f0fd27eb-25aa-4335-0ba2-0720cccda9a4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Java should be updated to the latest version for your function app\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc\",\r\n \"description\": \"Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality.
Using the latest Java version for function apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version.\",\r\n \"remediationDescription\": \"To set the latest Java version for your function app:
1. Navigate to Azure App Service 2. Go to Configuration 3. Select the latest Java version in the JVM drop down.
For more information, visit here: https://aka.ms/configure-java\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/08a3b009-0178-ee60-e357-e7ee5aea59c7\",\r\n \"name\": \"08a3b009-0178-ee60-e357-e7ee5aea59c7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Java should be updated to the latest version for your API app\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/88999f4c-376a-45c8-bcb3-4058f713cf39\",\r\n \"description\": \"Periodically, newer versions are released for Java either due to security flaws or to include additional functionality.
Using the latest Python version for API apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version.\",\r\n \"remediationDescription\": \"To set the latest Java version for your API app:
1. Navigate to Azure App Service 2. Go to Configuration 3. Select the latest Java version in the JVM drop down.
For more information, visit here: https://aka.ms/configure-java\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e8407fab-bf38-b0a4-79c1-068bbf82eca1\",\r\n \"name\": \"e8407fab-bf38-b0a4-79c1-068bbf82eca1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Python should be updated to the latest version for your web app\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7008174a-fd10-4ef0-817e-fc820a951d73\",\r\n \"description\": \"Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality.
Using the latest Python version for web apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version.\",\r\n \"remediationDescription\": \"To set the Python version for your web app, follow the instructions to show and set the version using the Azure CLI outlined in this document: https://aka.ms/configure-python\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/96327a68-4aec-5e76-8f0e-d4670bc5a3a7\",\r\n \"name\": \"96327a68-4aec-5e76-8f0e-d4670bc5a3a7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Python should be updated to the latest version for your function app\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7238174a-fd10-4ef0-817e-fc820a951d73\",\r\n \"description\": \"Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality.
Using the latest Python version for function apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version.\",\r\n \"remediationDescription\": \"To set the Python version for your function app, follow the instructions to show and set the version using the Azure CLI outlined in this document: https://aka.ms/configure-python\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c2c90d64-38e2-e984-1457-7f4a98168c72\",\r\n \"name\": \"c2c90d64-38e2-e984-1457-7f4a98168c72\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Python should be updated to the latest version for your API app\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/74c3584d-afae-46f7-a20a-6f8adba71a16\",\r\n \"description\": \"Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality.
Using the latest Python version for API apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version.\",\r\n \"remediationDescription\": \"To set the Python version for your API app, follow the instructions to show and set the version using the Azure CLI outlined in this document: https://aka.ms/configure-python\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c5b83aed-f53d-5201-8ffb-1f9938de410a\",\r\n \"name\": \"c5b83aed-f53d-5201-8ffb-1f9938de410a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Private endpoint should be enabled for PostgreSQL servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0564d078-92f5-4f97-8398-b9f58a51f70b\",\r\n \"description\": \"Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for PostgreSQL.
Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure.\",\r\n \"remediationDescription\": \"To configure Private Link for Azure Database for PostgreSQL:
1. Navigate to your Azure Database for PostgreSQL. 2. Select Private Endpoint Connections in the left-hand pane 3. Click on \\\"+Private Endpoint\\\" and follow the instructions provided https://docs.microsoft.com/azure/postgresql/howto-configure-privatelink-portal.
For more information, see: https://aka.ms/pgprivatelink\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ca9b93fe-6f1f-676c-2f31-d20f88fdbe56\",\r\n \"name\": \"ca9b93fe-6f1f-676c-2f31-d20f88fdbe56\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Private endpoint should be enabled for MariaDB servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a1302fb-a631-4106-9753-f3d494733990\",\r\n \"description\": \"Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MariaDB.
Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure.\",\r\n \"remediationDescription\": \"To configure Private Link for Azure Database for MariaDB:
1. Navigate to your Azure Database for MariaDB. 2. Select Private Endpoint Connections in the left-hand pane 3. Click on \\\"+Private Endpoint\\\" and follow the instructions provided https://docs.microsoft.com/azure/mariadb/howto-configure-privatelink-portal.
For more information, see: https://aka.ms/mariadbprivatelink\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/cec4922b-1eb3-cb74-660b-ffad9b9ac642\",\r\n \"name\": \"cec4922b-1eb3-cb74-660b-ffad9b9ac642\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Private endpoint should be enabled for MySQL servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7595c971-233d-4bcf-bd18-596129188c49\",\r\n \"description\": \"Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MySQL.
Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure.\",\r\n \"remediationDescription\": \"To configure Private Link for Azure Database for MySQL:
1. Navigate to your Azure Database for MySQL. 2. Select Private Endpoint Connections in the left-hand pane 3. Click on \\\"+Private Endpoint\\\" and follow the instructions provided https://docs.microsoft.com/azure/mysql/howto-configure-privatelink-portal.
For more information, see: https://aka.ms/mysqlprivatelink\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/620671b8-6661-273a-38ac-4574967750ec\",\r\n \"name\": \"620671b8-6661-273a-38ac-4574967750ec\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Audit retention for SQL servers should be set to at least 90 days\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/89099bee-89e0-4b26-a5f4-165451757743\",\r\n \"description\": \"Audit SQL servers configured with an auditing retention period of less than 90 days.\",\r\n \"remediationDescription\": \"To configure auditing retention on your Azure SQL server or Azure Synapse server:
1.From the Azure portal, select the Azure SQL Server or Azure Synapse resource. 2.From the menu, select Auditing. 3.Select Storage details. 4.To set a new retention period of 90 days or higher, manually enter a value or move the slider for Retention (Days). 5.Select OK.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/972a6579-f38f-c0b9-1b4b-a5bbeba3ab5b\",\r\n \"name\": \"972a6579-f38f-c0b9-1b4b-a5bbeba3ab5b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"FTPS should be required in your function App\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/399b2637-a50f-4f95-96f8-3a145476eb15\",\r\n \"description\": \"Enable FTPS enforcement for enhanced security\",\r\n \"remediationDescription\": \"To ensure enforcement of FTPS only for your function app:
1. Go to the App Service for your API app 2. Select Configuration, and go to the General Settings tab 3. In FTP state, select FTPS only.
For more information, visit here: https://aka.ms/deploy-ftp\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/19beaa2a-a126-b4dd-6d35-617f6cc83fca\",\r\n \"name\": \"19beaa2a-a126-b4dd-6d35-617f6cc83fca\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"FTPS should be required in your web App\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4d24b6d4-5e53-4a4f-a7f4-618fa573ee4b\",\r\n \"description\": \"Enable FTPS enforcement for enhanced security\",\r\n \"remediationDescription\": \"To ensure enforcement of FTPS only for your web app:
1. Go to the App Service for your API app 2. Select Configuration, and go to the General Settings tab 3. In FTP state, select FTPS only.
For more information, visit here: https://aka.ms/deploy-ftp\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/67fc622b-4ce6-8c52-08ae-9f830036b757\",\r\n \"name\": \"67fc622b-4ce6-8c52-08ae-9f830036b757\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"FTPS should be required in your API App\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9a1b8c48-453a-4044-86c3-d8bfd823e4f5\",\r\n \"description\": \"Enable FTPS enforcement for enhanced security\",\r\n \"remediationDescription\": \"To ensure enforcement of FTPS only for your API app:
1. Go to the App Service for your API app 2. Select Configuration, and go to the General Settings tab 3. In FTP state, select FTPS only.
For more information, visit here: https://aka.ms/deploy-ftp\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9d07b7e6-2986-4964-a76c-b2689604e212\",\r\n \"name\": \"9d07b7e6-2986-4964-a76c-b2689604e212\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Identical Authentication Credentials\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Identical authentication credentials to the IoT Hub used by multiple devices. This could indicate an illegitimate device impersonating a legitimate device. It also exposes the risk of device impersonation by an attacker\",\r\n \"remediationDescription\": \"Review the devices in question and make sure they are all valid. Replace any duplicated credentials and make sure all device authentication credentials are unique.\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5a3d6cdd-8eb3-46d2-ba11-d24a0d47fe65\",\r\n \"name\": \"5a3d6cdd-8eb3-46d2-ba11-d24a0d47fe65\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Default IP Filter Policy should be Deny\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"IP Filter Configuration should have rules defined for allowed traffic and should deny all other traffic by default\",\r\n \"remediationDescription\": \"Add a default rule at the end of the defined rules list to deny all inbound traffic. Make sure any rules defined above it only allow wanted traffic through.\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d8326952-60bb-40fb-b33f-51e662708a88\",\r\n \"name\": \"d8326952-60bb-40fb-b33f-51e662708a88\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IP Filter rule large IP range\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"An Allow IP Filter rule's source IP range is too large. Overly permissive rules might expose your IoT hub to malicious intenders\",\r\n \"remediationDescription\": \"Review the rule in question and verify source IP range is as small as it needs to be for necessary traffic to go through.\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1a36f14a-8bd8-45f5-abe5-eef88d76ab5b\",\r\n \"name\": \"1a36f14a-8bd8-45f5-abe5-eef88d76ab5b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Open Ports On Device\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"A listening endpoint was found on the device\",\r\n \"remediationDescription\": \"Review the open ports on the device and make sure they belong to legitimate and necessary processes for the device to function correctly\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ba975338-f956-41e7-a9f2-7614832d382d\",\r\n \"name\": \"ba975338-f956-41e7-a9f2-7614832d382d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Permissive firewall rule in the input chain was found\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"A rule in the firewall has been found that contains a permissive pattern for a wide range of IP addresses or Ports\",\r\n \"remediationDescription\": \"Review the rules in the recommendation and verify only necessary addresses / ports are allowed in\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/beb62be3-5e78-49bd-ac5f-099250ef3c7c\",\r\n \"name\": \"beb62be3-5e78-49bd-ac5f-099250ef3c7c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Permissive firewall policy in one of the chains was found\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"An allowed firewall policy was found in main firewall Chains (INPUT/OUTPUT). The policy should Deny all traffic by default define rules to allow necessary communication to/from the device\",\r\n \"remediationDescription\": \"Change firewall policy to Drop and add specific rules to permit access to legitimate connections to/from the device\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d5a8d84a-9ad0-42e2-80e0-d38e3d46028a\",\r\n \"name\": \"d5a8d84a-9ad0-42e2-80e0-d38e3d46028a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Permissive firewall rule in the output chain was found\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"A rule in the firewall has been found that contains a permissive pattern for a wide range of IP addresses or ports\",\r\n \"remediationDescription\": \"Review the rules in the recommendation and verify only necessary addresses / ports are allowed out\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5f65e47f-7a00-4bf3-acae-90ee441ee876\",\r\n \"name\": \"5f65e47f-7a00-4bf3-acae-90ee441ee876\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Operating system baseline validation failure\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Security related system configuration issues identified\",\r\n \"remediationDescription\": \"Review the failed rules and remediate the security configuration vulnerabilities identified on your devices\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a9a59ebb-5d6f-42f5-92a1-036fd0fd1879\",\r\n \"name\": \"a9a59ebb-5d6f-42f5-92a1-036fd0fd1879\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Agent sending underutilized messages\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"IoT agent message size capacity is currently underutilized, causing an increase in the number of sent messages. Adjust message intervals for better utilization\",\r\n \"remediationDescription\": \"To avoid too many underutilized messages, consider enlarging the high/low priority send intervals\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2acc27c6-5fdb-405e-9080-cb66b850c8f5\",\r\n \"name\": \"2acc27c6-5fdb-405e-9080-cb66b850c8f5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - TLS cipher suite upgrade needed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Unsecure TLS configurations detected. Immediate TLS cipher suite upgrade recommended\",\r\n \"remediationDescription\": \"Upgrade your TLS cipher suite to a secure configuration. See the Guide to TLS Standards Compliance for more information\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d74d2738-2485-4103-9919-69c7e63776ec\",\r\n \"name\": \"d74d2738-2485-4103-9919-69c7e63776ec\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Auditd process stopped sending events\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Security events originated from Auditd process are no longer received from this device\",\r\n \"remediationDescription\": \"Verify Auditd process is running on the device, restart process or device as needed\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2acd365d-e8b5-4094-bce4-244b7c51d67c\",\r\n \"name\": \"2acd365d-e8b5-4094-bce4-244b7c51d67c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Service principals should be used to protect your subscriptions instead of Management Certificates\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6646a0bd-e110-40ca-bb97-84fcee63c414\",\r\n \"description\": \"Management certificates allow anyone who authenticates with them to manage the subscription(s) they are associated with. To manage subscriptions more securely, using service principals with Resource Manager is recommended to limit the blast radius in the case of a certificate compromise. It also automates resource management. \",\r\n \"remediationDescription\": \"To remove management certificates and replace with service principals:
1. Follow the guidance here to create service principals with a certificate.
2. Select a subscription from the list of subscriptions below or navigate to the specific subscription.
3. You need to have co-admin access in order to complete this step. Select In the Management Certificates under Settings , delete the existing management certificates you would like to replace with the service principals you created.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/506a4392-1923-487e-b8d7-8a6aee123ad4\",\r\n \"name\": \"506a4392-1923-487e-b8d7-8a6aee123ad4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Application Load Balancer should be configured to redirect all HTTP requests to HTTPS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if redirection from HTTP to HTTPS is configured on all HTTP listeners of Application Load Balancers.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4fe7c40f-0e00-4561-a3db-9fb9a1445f8c\",\r\n \"name\": \"4fe7c40f-0e00-4561-a3db-9fb9a1445f8c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 buckets should require requests to use Secure Socket Layer\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"S3 buckets should have policies enabled that require all requests to accept only transmission of data over HTTPS in the S3 resource policy.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b26b4bb8-864b-44b7-9dbe-6ebc42784893\",\r\n \"name\": \"b26b4bb8-864b-44b7-9dbe-6ebc42784893\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 buckets should have server-side encryption enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if your Amazon S3 buckets have Amazon S3 default encryption configured or if the S3 bucket policy explicitly denies put-object requests without an encryption on server side\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c1769ad9-3c3a-4455-8d86-4d02dc2580f7\",\r\n \"name\": \"c1769ad9-3c3a-4455-8d86-4d02dc2580f7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"AWS Config should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if AWS Config is enabled for the current account and region. The AWS Config service manages configuration of supported AWS resources in your account and sends log files to you. Security Hub recommends AWS Config should be enabled in all regions.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bae62237-b51c-4b17-8a35-da91de00f768\",\r\n \"name\": \"bae62237-b51c-4b17-8a35-da91de00f768\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Hardware MFA should be enabled for the root user\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks whether your AWS account is enabled to use multi-factor authentication (MFA) hardware device to sign in with root credentials. MFA adds a layer of protection on top of a user name and password for accessing cardholder data environment. \",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9e06bec8-97f4-4b02-90d4-fa98ebab2079\",\r\n \"name\": \"9e06bec8-97f4-4b02-90d4-fa98ebab2079\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"MFA should be enabled for all IAM users\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if the AWS Identity and Access Management users have multi-factor authentication (MFA) enabled\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b78b295a-8bdb-431f-ab49-c599a219d1c1\",\r\n \"name\": \"b78b295a-8bdb-431f-ab49-c599a219d1c1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Virtual MFA should be enabled for the root user\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if users of your AWS account require a multi-factor authentication (MFA) device to sign in with root credentials.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5ca086b6-9bd4-4c07-b787-464f296ebb20\",\r\n \"name\": \"5ca086b6-9bd4-4c07-b787-464f296ebb20\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 buckets should prohibit public write access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks whether your S3 buckets enable public write access by checking the bucket policy, the Block Public Access settings, and the bucket access control list (ACL). Make sure that access to the bucket is restricted to authorized principals only.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7a15b790-008b-4501-85fe-2515a5bc2bd0\",\r\n \"name\": \"7a15b790-008b-4501-85fe-2515a5bc2bd0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 buckets should prohibit public read access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks whether your S3 buckets enable public read access by checking the bucket policy, the Block Public Access settings, and the bucket access control list (ACL).Make sure that access to the bucket is restricted to authorized principals only.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7526daaf-6485-41a7-93b3-257ef2903035\",\r\n \"name\": \"7526daaf-6485-41a7-93b3-257ef2903035\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM user credentials should be disabled if not used within a pre-defined number days\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if your AWS Identity and Access Management (IAM) users have inactive credentials that have not been used within a specified number of days, default is 90 days.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d7887c9e-34c3-4c5a-a214-8022007e41f9\",\r\n \"name\": \"d7887c9e-34c3-4c5a-a214-8022007e41f9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Password policies for IAM users should have strong configurations\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if the account password policy for IAM users uses the following configurations: Require at least one uppercase character in password (Default = true), Require at least one lowercase character in password (Default = true), Require at least one number in password (Default = true), Password minimum length (Default = 7 or longer), Number of passwords before allowing reuse (Default = 4), Number of days before password expiration (Default = 90).\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d8ae9e00-250a-4a8d-a295-5e40f2e13824\",\r\n \"name\": \"d8ae9e00-250a-4a8d-a295-5e40f2e13824\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM root user access key should not exist\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if the root user access key is available.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7b1ddbf7-6600-41a9-a23e-e7efb8668c01\",\r\n \"name\": \"7b1ddbf7-6600-41a9-a23e-e7efb8668c01\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM users should not have IAM policies attached\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks that none of your IAM users have attached policies, they must inherit permissions from IAM groups or roles.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c60f9b4d-853d-41d3-a516-f4dc505dd92c\",\r\n \"name\": \"c60f9b4d-853d-41d3-a516-f4dc505dd92c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM policies should not allow full \\\"*\\\" administrative privileges\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if the AWS Identity and Access Management (IAM) policies default version (also known as customer managed policies) do not have administrator access with a statement that has \\\"Effect\\\": \\\"Allow\\\" with \\\"Action\\\": \\\"*\\\" over \\\"Resource\\\": \\\"*\\\". It does not check inline and AWS Managed Policies, only for the Customer Managed Policies that you created.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a05b1517-27e4-402f-b5d7-3995cb4ffb1f\",\r\n \"name\": \"a05b1517-27e4-402f-b5d7-3995cb4ffb1f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Customer master key (CMK) rotation should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if key rotation is enabled for each customer master key (CMK). It doesn't check CMKs that have imported key material.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b8b4cd2e-d8ef-43fb-a09a-f8faad403309\",\r\n \"name\": \"b8b4cd2e-d8ef-43fb-a09a-f8faad403309\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Lambda functions should prohibit public access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if the Lambda resource has a Lambda function policy attached that prohibits public access\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e73c08d7-bf33-428c-9a35-047b93826c85\",\r\n \"name\": \"e73c08d7-bf33-428c-9a35-047b93826c85\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS snapshots should prohibit public access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if Amazon Relational Database Service (Amazon RDS) snapshots are public\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ce67af84-5a51-47e7-85e5-fe8cfa5b6237\",\r\n \"name\": \"ce67af84-5a51-47e7-85e5-fe8cfa5b6237\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS DB Instances should prohibit public access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if RDS instances are publicly accessible by checking the publiclyAccessible field in the instance configuration item.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d2f140fd-4b82-4e49-a312-a1aaea2d4b37\",\r\n \"name\": \"d2f140fd-4b82-4e49-a312-a1aaea2d4b37\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Redshift clusters should prohibit public access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if Redshift clusters are publicly accessible by checking the publiclyAccessible field in the cluster configuration item\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/529ab31c-7a8e-40f9-a004-91ac1d455fb1\",\r\n \"name\": \"529ab31c-7a8e-40f9-a004-91ac1d455fb1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CodeBuild GitHub or Bitbucket source repository URLs should use OAuth\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if the GitHub or Bitbucket source repository URL includes personal access tokens or user name and password.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8be46b23-a5fd-4ac6-8ec6-018b35b5afb5\",\r\n \"name\": \"8be46b23-a5fd-4ac6-8ec6-018b35b5afb5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Database Migration Service replication instances should not be public\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if AWS Database Migration Service replication instances are public by checking the field value of PubliclyAccessible.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b1dadb19-4295-4acb-a592-6b024008e686\",\r\n \"name\": \"b1dadb19-4295-4acb-a592-6b024008e686\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EBS snapshots should not be publicly restorable\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if Amazon Elastic Block Store snapshots aren't publicly restorable.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3a660f6d-c102-4fe5-be7b-82500b9ae065\",\r\n \"name\": \"3a660f6d-c102-4fe5-be7b-82500b9ae065\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 Block Public Access setting should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"S3 buckets should block public access, this checks if the following public access block settings are configured from an account level: ignorePublicAcls: True, blockPublicPolicy: True, blockPublicAcls: True, restrictPublicBuckets: True.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/93facfdb-6299-4c07-b650-bc43bc3bc18d\",\r\n \"name\": \"93facfdb-6299-4c07-b650-bc43bc3bc18d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"VPC default security group should prohibit inbound and outbound traffic\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks that the default security group of a VPC doesn't allow inbound or outbound traffic\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/390db523-709f-466d-8757-b0b54ea6a7bd\",\r\n \"name\": \"390db523-709f-466d-8757-b0b54ea6a7bd\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Security groups should not allow ingress from 0.0.0.0/0 to port 22\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. Restricting connectivity to remote console services, such as SSH, could help reduce a server's exposure to risk.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/86f26232-2132-4707-99ff-4e70ee16c3ab\",\r\n \"name\": \"86f26232-2132-4707-99ff-4e70ee16c3ab\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Unused EC2 security groups should be removed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks that security groups are attached to Amazon EC2 instances or to an ENI and are surfaces unused security groups.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/099e9ded-7834-43ad-be02-30114c800211\",\r\n \"name\": \"099e9ded-7834-43ad-be02-30114c800211\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon Elasticsearch domains should be in a VPC\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if Amazon Elasticsearch Service domains are in a VPC.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/40ba0792-0cf7-48e3-a629-d3871dc4b7c0\",\r\n \"name\": \"40ba0792-0cf7-48e3-a629-d3871dc4b7c0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Lambda functions should be in a VPC\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if all Lambda function are in a VPC\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5ce523c5-3508-40ef-98d3-ef440253ba6b\",\r\n \"name\": \"5ce523c5-3508-40ef-98d3-ef440253ba6b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CodeBuild project environment variables should not contain clear text credentials\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if a CodeBuild project includes environment variables AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ec43ef1b-935b-4b17-9273-e28fbb94a1c2\",\r\n \"name\": \"ec43ef1b-935b-4b17-9273-e28fbb94a1c2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Unused EC2 EIPs should be removed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"An accurate asset inventory of EIPs should be maintained by checking if Elastic IP addresses that are allocated to a VPC are attached to EC2 instances or in-use elastic network interfaces (ENIs)\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/023c4652-db6a-4f38-ae25-fe2c9a091459\",\r\n \"name\": \"023c4652-db6a-4f38-ae25-fe2c9a091459\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon SageMaker notebook instances should not have direct internet access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if direct internet access is disabled for an Amazon SageMaker notebook instance by checking the DirectInternetAccess field is set to disabled for an Amazon SageMaker notebook instance.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0650d086-6677-4776-9bb0-10aad0a7c6dd\",\r\n \"name\": \"0650d086-6677-4776-9bb0-10aad0a7c6dd\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudTrail logs should be encrypted at rest using AWS KMS CMKs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if AWS CloudTrail is configured to use the server side encryption (SSE) AWS Key Management Service (AWS KMS) customer master key (CMK) encryption.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f631914d-ed27-4d43-98ce-58aecc12eccf\",\r\n \"name\": \"f631914d-ed27-4d43-98ce-58aecc12eccf\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon Elasticsearch domains should have encryption at rest enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if Amazon Elasticsearch Service (Amazon ES) domains have encryption at rest configured.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/336631d3-ba44-4268-8abd-665d3950d775\",\r\n \"name\": \"336631d3-ba44-4268-8abd-665d3950d775\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"A log metric filter and alarm should exist for usage of the \\\"root\\\" user\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks the following metric filters : That the log group name is configured for use with multi-region CloudTrail activated, that there is at least one Event Selector for a Trail with IncludeManagementEvents configured to true and ReadWriteType configured to All, and that there is at least one subscriber active to an SNS topic associated to the alarm.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5db7555b-559c-4fe0-a2e1-d0aee04360e9\",\r\n \"name\": \"5db7555b-559c-4fe0-a2e1-d0aee04360e9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"VPC flow logging should be enabled in all VPCs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks whether Amazon Virtual Private Cloud flow logs are found and enabled for Amazon VPC(s) for packet rejects. VPC Flow Logs enable you to capture information about the IP address traffic to and from network interfaces in your VPC, and can help detect anomalous traffic.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4dd331be-aa29-4753-9f09-9fc2edf05bf2\",\r\n \"name\": \"4dd331be-aa29-4753-9f09-9fc2edf05bf2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudTrail trails should be integrated with Amazon CloudWatch Logs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if AWS CloudTrail trails are set to send logs to Amazon CloudWatch Logs\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6cf046b0-9a14-44ec-b35b-171982c78e9b\",\r\n \"name\": \"6cf046b0-9a14-44ec-b35b-171982c78e9b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudTrail should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if AWS CloudTrail is enabled in your AWS account\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/21eaabc0-9210-45fd-b7fc-0c9b255a0c16\",\r\n \"name\": \"21eaabc0-9210-45fd-b7fc-0c9b255a0c16\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudTrail log file validation should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if CloudTrail log file validation is enabled\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/75c358f9-f644-41d1-9a07-af69f5ee0e2f\",\r\n \"name\": \"75c358f9-f644-41d1-9a07-af69f5ee0e2f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EC2 instances managed by Systems Manager should have a patch compliance status of COMPLIANT after a patch installation\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks only EC2 instances managed by AWS Systems Manager, if after patch installation on the instances they are compliant . AWS Systems Manager is an AWS service that can be used control and view your AWS resources. Systems Manager scans the managed EC2 instances in order to maintain security and compliance, by reporting or taking action on a policy violation that is discovered. \",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6a9bbcb5-81a9-4164-8d17-03b255107dad\",\r\n \"name\": \"6a9bbcb5-81a9-4164-8d17-03b255107dad\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EC2 instances should be managed by AWS Systems Manager\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if AWS Systems Manager is configured to manage your EC2 instances. AWS Systems Manager is an AWS service that can be used control and view your AWS resources. Systems Manager scans the managed EC2 instances in order to maintain security and compliance, by reporting or taking action on a policy violation that is discovered. \",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/32b4b856-848d-4ce2-bec7-1a9be69bce6a\",\r\n \"name\": \"32b4b856-848d-4ce2-bec7-1a9be69bce6a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EC2 instances managed by Systems Manager should have an association compliance status of COMPLIANT\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if the status of the AWS Systems Manager association compliance is COMPLIANT or NON_COMPLIANT after the association has been executed on an instance\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5010098e-7bef-467c-baed-209d8a5afac4\",\r\n \"name\": \"5010098e-7bef-467c-baed-209d8a5afac4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 buckets should have cross-region replication enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if S3 buckets have cross-region replication enabled.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/94d42d13-40a6-47df-b16e-be141aae83c3\",\r\n \"name\": \"94d42d13-40a6-47df-b16e-be141aae83c3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Auto scaling groups associated with a load balancer should use health checks\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if your Auto Scaling groups that are associated with a load balancer are using Elastic Load Balancing health checks\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d5c82980-3fce-4c37-9ad3-9c69a1c59d8f\",\r\n \"name\": \"d5c82980-3fce-4c37-9ad3-9c69a1c59d8f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"GuardDuty should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if Amazon GuardDuty is enabled in your AWS account and region. Amazon GuardDuty is a continuous security monitoring service that can identify unexpected and potentially unauthorized and malicious activity within your AWS environment \",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bc85a7ee-7f43-47ab-8736-4faaec9346b5\",\r\n \"name\": \"bc85a7ee-7f43-47ab-8736-4faaec9346b5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"SSM agent should be installed on your AWS EC2 instances\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Systems Manager is an AWS service that can be used to control and view your AWS infrastructure. The AWS Systems Manager Agent (SSM Agent) is a software that can be installed and configured on a machine and makes it possible for Systems Manager to update and configure these resources. Security Center leverages the SSM Agent for automatic installation of Azure Arc, that enables greater parity for AWS instances to Azure VMs.\",\r\n \"remediationDescription\": \"First, Make sure EC2 instances are managed by Systems Manager: 1.Open AWS System Manager.
2. Choose Quick setup
3. keep the default options on the configuration screen.
4. Choose Set up Systems Manager.
For directions on installing and configuring the SSM Agent on Windows instances visit this page For directions on installing and configuring the SSM Agent on Linux instances visit this page \",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a7c8fa46-526d-4bf6-b8b3-17fa01310fd8\",\r\n \"name\": \"a7c8fa46-526d-4bf6-b8b3-17fa01310fd8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"AWS Security Hub should be enabled in every region in your AWS accounts\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS Security Hub is a regional service and customer must enable Security Hub in each region to view findings in that region. You should continuously monitor all regions across all of your AWS accounts for unauthorized behavior or misconfigurations, including regions you don’t use heavily.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit AWS security hub documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/20f6c761-4dd7-4f27-9e37-6db8471486ef\",\r\n \"name\": \"20f6c761-4dd7-4f27-9e37-6db8471486ef\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"AWS Security Hub should be enabled for all AWS member accounts\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS Security Hub provides you with a comprehensive view of your security state within AWS and your compliance with security standards and best practices. Integrating it into Security Center enables a comprehensive view across multiple cloud environments. any AWS member account related to an onboarded account should have Security Hub enabled as well.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit AWS security hub documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/726cde3e-02f8-4041-8935-727f2be19ba7\",\r\n \"name\": \"726cde3e-02f8-4041-8935-727f2be19ba7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that corporate login credentials are used\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Make sure to log in using the credentials of a fully-managed corporate account and not a personal account.\",\r\n \"remediationDescription\": \"Browse to GCP IAM & Admin. Select the checkbox next to non-corporate users, and then click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4a946e22-47e8-443d-8761-b25620b4a1e1\",\r\n \"name\": \"4a946e22-47e8-443d-8761-b25620b4a1e1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that multi-factor authentication is enabled for all non-service accounts\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Multi-Factor Authentication (MFA) must be enabled for all Google Cloud Platform accounts, excluding service accounts.\",\r\n \"remediationDescription\": \"Browse to GCP Security Settings and set up multi-factor authentication for all non-service accounts within the project.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0ad39832-f031-4fdd-885e-c6cce85ac77c\",\r\n \"name\": \"0ad39832-f031-4fdd-885e-c6cce85ac77c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Service Account has no Admin privileges\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that all service accounts are not configured with administrative roles.\",\r\n \"remediationDescription\": \"Browse to GCP IAM & Admin. Select Members and make sure that there aren't any 'User-Managed user created service account' accounts with one of the following roles: admin, editor, or owner.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/90191798-da1b-40dd-aa9c-1c0eafb1ba87\",\r\n \"name\": \"90191798-da1b-40dd-aa9c-1c0eafb1ba87\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that the 'Service Account User' and 'Service Account Token Creator' roles are not granted to users at a project level. Instead, grant these roles to users in the context of specific service accounts.\",\r\n \"remediationDescription\": \"Browse to GCP IAM & Admin. In the filter table field, enter 'Role: Service Account User' and click 'Delete' (bin icon) for every user listed. Similarly, filter using 'Role: Service Account Token Creator' and delete every user listed.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ddced3c8-a5e2-4dc4-b0fe-1331c77fc9c4\",\r\n \"name\": \"ddced3c8-a5e2-4dc4-b0fe-1331c77fc9c4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure user-managed/external keys for service accounts are rotated every 90 days or less\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that all service account keys are rotated every 90 days or less.\",\r\n \"remediationDescription\": \"Browse to APIs Credentials. Under 'Service Account Keys', for every External (user-managed) service account where the creation date is 90 days or more, delete the service account key and create a new one instead.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f493084a-d3c4-4886-8cf2-3c815aeef901\",\r\n \"name\": \"f493084a-d3c4-4886-8cf2-3c815aeef901\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Separation of duties is enforced while assigning service account related roles to users\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that there is a separation of duties. Also, make sure that users are not assigned with both 'Service Account Admin' and other 'Service Account User' roles.\",\r\n \"remediationDescription\": \"Browse to GCP IAM & Admin. Edit members with both 'Service Account Admin' and 'Service Account User', delete one of the roles, and then click 'Save'. \",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3053474d-4fab-4603-8d18-2a6dfd09f782\",\r\n \"name\": \"3053474d-4fab-4603-8d18-2a6dfd09f782\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure KMS encryption keys are rotated within a period of 90 days\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that Cloud KMS encryption keys are rotated every 90 days or less.\",\r\n \"remediationDescription\": \"Browse to GCP Security Kms. For every key ring, for every key in the key ring, do the following: Select 'Right side pop up the blade' > 'Edit rotation period' > 'Select a new rotation period' and specify a period of less than 90 days, and then specify a 'Starting on' date.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3ff38dcd-92e2-4b67-8765-35bb0174a4c7\",\r\n \"name\": \"3ff38dcd-92e2-4b67-8765-35bb0174a4c7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Separation of duties is enforced while assigning KMS related roles to users\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that there is a separation of duties and that there are no users assigned with both the 'Cloud KMS Admin' role and any of the following roles: 'Cloud KMS CryptoKey', 'Cloud KMS Encrypter/Decrypter', 'Cloud KMS CryptoKey Encrypter' or 'Cloud KMS CryptoKey Decrypterer'.\",\r\n \"remediationDescription\": \"Browse to GCP IAM & Admin. For the member that is listed at the recommendation, click 'Edit'. For the 'Cloud KMS Admin' role, click 'Delete', and then Click 'Save'. \",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/52f83ea2-6871-45c3-8b26-13566e966638\",\r\n \"name\": \"52f83ea2-6871-45c3-8b26-13566e966638\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure API keys are not created for a project\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that all API keys are not used within the scope of projects. The standard authentication flow should be implemented, since the use of API keys presents many security risks.\",\r\n \"remediationDescription\": \"Browse to APIs Credentials. Under 'API Keys', delete the relevant API Keys. These API keys should be replaced by a standard authentication flow as described In the Authentication overview [GCP docs authentication]\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/76e8881d-f18e-4e1b-b01d-376d0260e066\",\r\n \"name\": \"76e8881d-f18e-4e1b-b01d-376d0260e066\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure API keys are restricted to use by only specified Hosts and Apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that API keys are restricted, and used only by trusted hosts, HTTP referrers, or applications.\",\r\n \"remediationDescription\": \"Browse to APIs Credentials. Under 'API Keys', select 'API Key Name'. Under 'Key restrictions', set application restriction to HTTP referrers, IP Addresses, Android Apps, or iOS Apps, and then click 'Save'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0eaf40a8-5673-4b33-8457-a31d85882233\",\r\n \"name\": \"0eaf40a8-5673-4b33-8457-a31d85882233\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure API keys are restricted to only APIs that application needs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that API keys are restricted to only access API endpoints that are essential to the calling application.\",\r\n \"remediationDescription\": \"Browse to APIs Credentials. Under 'API Keys', select 'API Key Name'. For every API key, make sure that the 'Key restrictions' parameter 'API restrictions' is not set to 'None'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5a235918-41a2-4bd0-8ab0-00a596e9d6a8\",\r\n \"name\": \"5a235918-41a2-4bd0-8ab0-00a596e9d6a8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure API keys are rotated every 90 days\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that API keys are rotated every 90 days or less.\",\r\n \"remediationDescription\": \"Browse to APIs Credentials. Under 'API Keys'. Select 'API Key Name'. Click 'REGENERATE KEY' to rotate the API key, and then click 'Save'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f61e15f3-4bcf-4d2e-8f06-32237cabe0a0\",\r\n \"name\": \"f61e15f3-4bcf-4d2e-8f06-32237cabe0a0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud Audit Logging is configured properly across all services and all users from a project\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that Cloud Audit Logging is configured to track read and write activities across all supported services and for all users. Configured this way, all administrative activities, or attempts to access user data, will be tracked.\",\r\n \"remediationDescription\": \"Browse to GCP IAM & Admin Audit. On the 'Audit Log' page, select the 'Log type' tab. Select 'Admin read', 'Data read', and 'Data write', and then click 'Save'. Make sure there are no exemptions.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/cdb3af55-2abf-476b-aac7-5cfec366a4dd\",\r\n \"name\": \"cdb3af55-2abf-476b-aac7-5cfec366a4dd\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that sinks are configured for all log entries\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that all resource have a log sink configured, exporting copies of all the log entries to a centralized location such as a SIEM.\",\r\n \"remediationDescription\": \"Browse to GCP Logs viewer. Switch to the 'Advanced' filter bar, clear any text from the filter field, and then click 'Submit Filter'. Click 'Create Sink', fill out the required details, and then click 'Create Sink'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bc26b0d4-a1d7-4665-9d44-efc205ae73f0\",\r\n \"name\": \"bc26b0d4-a1d7-4665-9d44-efc205ae73f0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure log metric filter and alerts exist for project ownership assignments/changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure log metric filters and alerts are configured to monitor project ownership assignment/change actions.\",\r\n \"remediationDescription\": \"STEP A - Create a Log metric: Browse to GCP Logs metrics. Click 'Create Metric', switch to the 'Advanced' filter bar, and run the following query: (protoPayload.serviceName=\\\"cloudresourcemanager.googleapis.com\\\") AND (ProjectOwnership OR projectOwnerInvitee) OR (protoPayload.serviceData.policyDelta.bindingDeltas.action=\\\"REMOVE\\\" AND protoPayload.serviceData.policyDelta.bindingDeltas.role=\\\"roles/owner\\\") OR (protoPayload.serviceData.policyDelta.bindingDeltas.action=\\\"ADD\\\" AND protoPayload.serviceData.policyDelta.bindingDeltas.role=\\\"roles/owner\\\". In the 'Metric Editor' menu, provide a name for the field, set 'Units' to 1 and Type to 'Counter', then click 'Create Metric'. STEP B - Create Alert on Metrics: To create an alert policy, browse to GCP Logs metrics. Click 'Create alert from Metric', click 'Create alert from Metric', add Alert Triggers, and then click 'Save'. Configure the alert's notification channels, give it a name, and then click 'Save'. Finally, edit the alert policy and update the 'Target Aggregation' option to 'Count'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3812e247-34f2-4f06-a312-89a8fe51fa37\",\r\n \"name\": \"3812e247-34f2-4f06-a312-89a8fe51fa37\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for Audit Configuration changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure log metric filter and alerts are configured for Audit Configuration changes. Audit logging data is required for security analysis. Tracking the log metric filters and alerts is important to ensure that all activities in the projects are being audited as planned.\",\r\n \"remediationDescription\": \"STEP A - Create a Log metric: Browser to GCP Logs metrics. Click 'Create Metric', switch to the 'Advanced' filter bar, clear the text, and run the following query: protoPayload.methodName=\\\"SetIamPolicy\\\" AND protoPayload.serviceData.policyDelta.auditConfigDeltas:*. In the 'Metric Editor' menu, provide a name for the field, set 'Units' to 1 and 'Type to 'Counter', then click 'Create Metric'. STEP B - Create Alert on Metrics: To create an alert policy, browse to GCP Logs metrics. Click 'Create alert from Metric', click 'Create alert from Metric', add Alert Triggers, and then click 'Save'. Configure the alert's notification channels, give it a name, and then click 'Save'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f0f8405a-5ecc-4314-808e-083e030d6163\",\r\n \"name\": \"f0f8405a-5ecc-4314-808e-083e030d6163\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for Custom Role changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that log metric filter and alerts are configured for Custom Role changes. Monitoring role creation, update, or deletion may help to identify over-privileged or misused roles. \",\r\n \"remediationDescription\": \"STEP A - Create a Log metric: Browser to GCP Logs metrics. Click 'Create Metric', switch to the 'Advanced' filter bar, clear the text, and run the following query: resource.type=\\\"iam_role\\\" AND protoPayload.methodName = \\\"google.iam.admin.v1.CreateRole\\\" OR protoPayload.methodName=\\\"google.iam.admin.v1.DeleteRole\\\" OR protoPayload.methodName=\\\"google.iam.admin.v1.UpdateRole\\\". In the 'Metric Editor' menu, provide a name for the field, set 'Units' to 1 and 'Type to 'Counter', then click 'Create Metric'. STEP B - Create Alert on Metrics: To create an alert policy, browse to GCP Logs metrics. Click 'Create alert from Metric', click 'Create alert from Metric', add Alert Triggers, and then click 'Save'. Configure the alert's notification channels, give it a name, and then click 'Save'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c23e0eec-eee4-4632-b1c2-6c884c3c963b\",\r\n \"name\": \"c23e0eec-eee4-4632-b1c2-6c884c3c963b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for VPC Network Firewall rule changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that log metric filter and alerts are configured for Virtual Private Cloud (VPC) Network Firewall rule changes. Firewall create or update rule events indicate network access changes, which may indicate suspicious activity.\",\r\n \"remediationDescription\": \"STEP A - Create a Log metric: Browser to GCP Logs metrics. Click 'Create Metric', switch to the 'Advanced' filter bar, clear the text, and run the following query: resource.type=\\\"gce_firewall_rule\\\" AND jsonPayload.event_subtype=\\\"compute.firewalls.patch\\\" OR jsonPayload.event_subtype=\\\"compute.firewalls.insert\\\". In the 'Metric Editor' menu, fill the name field, set Units to 1, and the Type to Counter. Click on 'Create Metric'. STEP B - Create Alert on Metrics: To create an alert policy, browse to https://console.cloud.google.com/logs/metrics. Click 'Create alert from Metric', click 'Create alert from Metric', add Alert Triggers, and then click 'Save'. Configure the alert's notification channels, give it a name, and then click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7ce5a01f-e94b-438a-8b72-fa02c076f11a\",\r\n \"name\": \"7ce5a01f-e94b-438a-8b72-fa02c076f11a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for VPC network route changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that the log metric filter and alerts are configured for Virtual Private Cloud (VPC) network route changes. Monitoring network route changes to route tables may indicate of a suspicious activity.\",\r\n \"remediationDescription\": \"STEP A - Create a Log metric: Browser to GCP Logs metrics. Click 'Create Metric', switch to the 'Advanced' filter bar, clear the text, and run the following query: resource.type=\\\"gce_route\\\" AND jsonPayload.event_subtype=\\\"compute.routes.delete\\\" OR jsonPayload.event_subtype=\\\"compute.routes.insert\\\". In the 'Metric Editor' menu, fill the name field, set Units to 1, and the Type to Counter. Click on 'Creat Metric'. STEP B - Create Alert on Metrics: To create an alert policy, browse to GCP Logs metrics. Click 'Create alert from Metric', click 'Create alert from Metric', add Alert Triggers, and then click 'Save'. Configure the alert's notification channels, give it a name, and then click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0b86a67f-bde5-4c91-b10c-4102033b8692\",\r\n \"name\": \"0b86a67f-bde5-4c91-b10c-4102033b8692\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for VPC network changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that the log metric filter and alerts are configured for Virtual Private Cloud (VPC) network changes. Monitoring network changes to the VPC is important to make sure it is not compromised.\",\r\n \"remediationDescription\": \"STEP A - Create a Log metric: Browser to GCP Logs metrics. Click 'Create Metric', switch to the 'Advanced' filter bar, clear the text, and run the following query: resource.type=gce_network AND jsonPayload.event_subtype=\\\"compute.networks.insert\\\" OR jsonPayload.event_subtype=\\\"compute.networks.patch\\\" OR jsonPayload.event_subtype=\\\"compute.networks.delete\\\" OR jsonPayload.event_subtype=\\\"compute.networks.removePeering\\\" OR jsonPayload.event_subtype=\\\"compute.networks.addPeering\\\". In the 'Metric Editor' menu, fill the name field, set Units to 1, and the Type to Counter. Click on 'Create Metric'. STEP B - Create Alert on Metrics: To create an alert policy, browse to GCP Logs metrics. Click 'Create alert from Metric', click 'Create alert from Metric', add 'Alert Triggers', and then click 'Save'. Configure the alert's notification channels, give it a name, and then click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/46e4e0ed-106d-405e-b1a9-ca34c8f7d31f\",\r\n \"name\": \"46e4e0ed-106d-405e-b1a9-ca34c8f7d31f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for Cloud Storage IAM permission changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"\\\"Ensure that the log metric filter and alerts are configured for Cloud Storage IAM permission changes. Monitoring changes to a storage bucket permissions can help identify malicious attempts to access a sensitive storage buckets and objects inside buckets.\",\r\n \"remediationDescription\": \"STEP A - Create a Log metric: Browser to GCP Logs metrics. Click 'Create Metric', switch to the 'Advanced' filter bar, clear the text, and run the following query: resource.type=gcs_bucket AND protoPayload.methodName=\\\"storage.setIamPermissions\\\". In the 'Metric Editor' menu, fill the name field, set Units to 1, and the Type to Counter. Click on 'Create Metric'. STEP B - Create Alert on Metrics: To create an alert policy, browse to GCP Logs metrics. Click 'Create alert from Metric', click 'Create alert from Metric', add Alert Triggers, and then click 'Save'. Configure the alert's notification channels, give it a name, and then click 'Save'.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b1294b0d-9b2e-4e1b-9f67-77a75fb10a65\",\r\n \"name\": \"b1294b0d-9b2e-4e1b-9f67-77a75fb10a65\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for SQL instance configuration changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that the log metric filter and alerts are configured for SQL instance configuration changes. Monitoring changes to an SQL instance can help identify malicious attempts to access a sensitive data stored in an SQL instance. \",\r\n \"remediationDescription\": \"STEP A - Create a Log metric: Browser to GCP Logs metrics. Click 'Create Metric', switch to the 'Advanced' filter bar, clear the text, and run the following query: protoPayload.methodName=\\\"cloudsql.instances.update\\\". In the 'Metric Editor' menu, fill the name field, set Units to 1, and the Type to Counter. Click on 'Create Metric'. STEP B - Create Alert on Metrics: To create an alert policy, browse to GCP Logs metrics. Click 'Create alert from Metric', click 'Create alert from Metric', add Alert Triggers, and then click 'Save'. Configure the alert's notification channels, give it a name, and then click 'Save'.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ece6ec5d-a862-4e22-a8db-271661216018\",\r\n \"name\": \"ece6ec5d-a862-4e22-a8db-271661216018\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the default network does not exist in a project\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that projects do not have a default network. A default predefined network generates multiple unsecure firewall rules that are not audit logged, cannot be configured to enable firewall rule logging, and do not allow the use of a Cloud VPN or VPC Network Peering with the default network.\",\r\n \"remediationDescription\": \"Browse to GCP Networks List. Select the 'default' network. On the network detail page, click 'edit', and then click 'Delete VPC network'. If required, you can to create a new network with custom firewall rules to replace the 'default' network.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3af5de46-fda8-4b6e-90f1-6565187d7c48\",\r\n \"name\": \"3af5de46-fda8-4b6e-90f1-6565187d7c48\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure legacy networks do not exist for a project\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that all projects do not have a legacy network. Legacy networks may have an impact for high network traffic projects and pose a single point of contention or failure.\",\r\n \"remediationDescription\": \"Create a non-legacy network and then delete the legacy networks using the following command: 'gcloud compute networks delete my-legacy-network'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e40b679a-f44e-4366-87dd-7693e16a2128\",\r\n \"name\": \"e40b679a-f44e-4366-87dd-7693e16a2128\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that DNSSEC is enabled for Cloud DNS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that Domain Name System Security Extensions (DNSSEC) is enabled for Cloud DNS zones. DNSSEC helps mitigate the risk of a DNS hijacking and man-in-the-middle attacks, by preventing attackers from issuing fake DNS responses that may misdirect browsers to malicious websites.\",\r\n \"remediationDescription\": \"Browse to GCP DNS zones. For each zone of type 'Public', set DNSSEC to 'On'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/049f1551-438b-444e-8904-a3c3afbcb43e\",\r\n \"name\": \"049f1551-438b-444e-8904-a3c3afbcb43e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that RSASHA1 is not used for the key-signing key in Cloud DNS DNSSEC\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that RSA-SHA1 is not used as the key-signing key in Domain Name System Security Extensions (DNSSEC).\",\r\n \"remediationDescription\": \"To change the settings for a managed zone where RSA-SHA1 has been enabled: Turn off DNSSEC, modify they settings, and then turn on DNSSEC again. Finally, update the key-signing for the reported managed DNS Zone.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/cc637123-c11e-40ee-adf8-93c0876481f4\",\r\n \"name\": \"cc637123-c11e-40ee-adf8-93c0876481f4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that RSASHA1 is not used for the zone-signing key in Cloud DNS DNSSEC\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that RSA-SHA1 is not used as the zone-signing key in Domain Name System Security Extensions (DNSSEC).\",\r\n \"remediationDescription\": \"To change the settings for a managed zone where RSA-SHA1 has been enabled: Turn off DNSSEC, modify they settings, and then turn on DNSSEC again. Finally, update the zone-signing for the reported managed DNS Zone.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0327f9da-f758-4d69-8903-55448b8cf70e\",\r\n \"name\": \"0327f9da-f758-4d69-8903-55448b8cf70e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that SSH access is restricted from the internet\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that SSH access is restricted from the internet because it can be used as initial access to the network. Prevent inbound traffic via SSH (port 22) from the internet using the generic IP address (0.0.0.0/0).\",\r\n \"remediationDescription\": \"Browser to GCP Networks List. Select 'Firewall Rules', edit the relevant rule, under 'Source IP ranges' replace the value with a specific IP address, and then click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/684307e9-62a8-4f2a-887a-4b90de5e4b98\",\r\n \"name\": \"684307e9-62a8-4f2a-887a-4b90de5e4b98\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that RDP access is restricted from the Internet\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that RDP access is restricted from the internet, as is may be used for initial access to the network. Prevent inbound traffic via RDP (port 3389) from the internet using the generic IP address (0.0.0.0/0). \",\r\n \"remediationDescription\": \"Browser to GCP Networks List. Select 'Firewall Rules', edit the relevant rule, under 'Source IP ranges' replace the value with a specific IP address, and then click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3d55e4b1-ecdb-4eaf-9e3f-b00a764182bd\",\r\n \"name\": \"3d55e4b1-ecdb-4eaf-9e3f-b00a764182bd\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that all VPC Flow Logs are enabled, for every subnet in a VPC Network.\",\r\n \"remediationDescription\": \"Browse to GCP Networks List. Select the relevant subnet, click 'Edit', set 'Flow Logs' to 'On', and then click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c28a89d9-7cf4-439b-a8c4-ad4e769f68ee\",\r\n \"name\": \"c28a89d9-7cf4-439b-a8c4-ad4e769f68ee\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure no HTTPS or SSL proxy load balancers permit SSL policies with weak cipher suites\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that there are no HTTPS or SSL Proxy Load Balancers that use weak SSL policies with TLS or 1.1.\",\r\n \"remediationDescription\": \"Browser to GCP SSL Policies. Select the relevant policy, click 'Edit', set 'Minimum TLS version' to 'TLS 1.2', set 'Profile' to 'Modern' or 'Restricted', and then click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/233da9cd-11bf-463a-8aa7-4c81b9e788d1\",\r\n \"name\": \"233da9cd-11bf-463a-8aa7-4c81b9e788d1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that instances are not configured to use the default service account with full access to all Cloud APIs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that all instances are not configured to use the default service account with full access to all Google Cloud APIs.\",\r\n \"remediationDescription\": \"Browse to GCP Compute instances. Select the relevant VM instance, stop the instance if it is currently started, and then click 'Edit'. Under 'Service Account', select 'Compute Engine default service account', make sure that 'Allow full access to all Cloud APIs' is not selected, click 'Save' and then 'Start'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1ff4501b-2109-4ef6-ba9d-e824a96d63d0\",\r\n \"name\": \"1ff4501b-2109-4ef6-ba9d-e824a96d63d0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure \\\"Block Project-wide SSH keys\\\" is enabled for VM instances\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that no project-wide SSH keys are used for VM instances, as they enable login to all instances in the project.\",\r\n \"remediationDescription\": \"Browse to GCP Compute instances. Select the impacted instance, click 'Edit', under 'SSH Keys', select 'Block project-wide SSH keys', and then click 'Save'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fa924a53-0837-4296-9bf7-18ce7dd68593\",\r\n \"name\": \"fa924a53-0837-4296-9bf7-18ce7dd68593\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure oslogin is enabled for a Project\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that OS login is enabled for all projects, as this pairs the SSH keys in use with IAM users. \",\r\n \"remediationDescription\": \"Browse to GCP Compute metadata. Click 'Edit', add metadata key for 'enable-oslogin' with value 'TRUE', and then click 'Save'. For every instances that overrides the project setting, browse to GCP Compute instances. Select the relevant instance name, click 'Edit', under 'custom metadata', remove 'enable-oslogin' keys with the value 'FALSE', and then click 'Save'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c4131c22-1ecc-4beb-9961-d90108bd975f\",\r\n \"name\": \"c4131c22-1ecc-4beb-9961-d90108bd975f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure 'Enable connecting to serial ports' is not enabled for VM Instance\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that 'Enable connecting to serial ports' is not enabled for all VM Instance. When the interactive serial console is enabled for an instance, clients can connect to the instance from any IP address using the proper username and SSH key.\",\r\n \"remediationDescription\": \"Browse to GCP Compute instances. Select the relevant instance, under 'Remote access', make sure that 'Enable connecting to serial ports' is not selected.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3b1713ec-feb3-4b32-b5b0-251acff0a84a\",\r\n \"name\": \"3b1713ec-feb3-4b32-b5b0-251acff0a84a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that IP forwarding is not enabled on Instances\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"To prevent data loss, forwarding of data packets should not be enabled on instances.\",\r\n \"remediationDescription\": \"Browse to GCP Compute instances. Select the relevant instance, under 'Network interfaces', make sure that 'IP forwarding' is set to 'Off' for every network interface.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6be98232-0100-474a-b33d-ba9c1a747f70\",\r\n \"name\": \"6be98232-0100-474a-b33d-ba9c1a747f70\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure VM disks for critical VMs are encrypted with Customer-Supplied Encryption Keys (CSEK)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By default, all data at rest is encrypted by Google Compute Engine. Make sure that VM disks are encrypted using Customer-Supplied Encryption Keys (CSEK) enabling you to control and manage the encryption keys yourself.\",\r\n \"remediationDescription\": \"Browse to GCP Compute disks. Select the relevant disk and make sure that the 'Encryption type' is set to 'Customer supplied'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9e1789cd-7b61-42db-ba12-7268283ba466\",\r\n \"name\": \"9e1789cd-7b61-42db-ba12-7268283ba466\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure Compute instances are launched with Shielded VM enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"To protect against advanced threats, a Compute Engine instance using a public image and must be launched with a Shielded VM. It is also important to verify that the boot loader and firmware on the VMs are signed and untampered.\",\r\n \"remediationDescription\": \"Browse to GCP Compute instances. Select the relevant instance, under 'Shielded VM', make sure that 'Turn on vTPM' and 'Turn on Integrity Monitoring' are enabled.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0bdcd23c-4ff2-4077-aa14-eb6950bfbdd8\",\r\n \"name\": \"0bdcd23c-4ff2-4077-aa14-eb6950bfbdd8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Compute instances do not have public IP addresses\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Compute instances must not be configured with public IP addresses.\",\r\n \"remediationDescription\": \"Browse to GCP Firewalls List. Edit each firewall rule in the list, under 'Source IP ranges', modify the IP address values to restrict access from public IP addresses, like 0.0.0.0/0.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/79b4eb34-c06e-49bf-883d-5352a21a962f\",\r\n \"name\": \"79b4eb34-c06e-49bf-883d-5352a21a962f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud Storage bucket is not anonymously or publicly accessible\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that an IAM policy on Cloud Storage buckets does not allow anonymous or public access so sensitive data.\",\r\n \"remediationDescription\": \"To restrict access to Cloud Storage Buckets: Browse to GCP Storage browser. Select the relevant bucket, select 'Permissions', and then under 'Role(s)', remove all Cloud IAM permissions that were granted to 'allUsers' and 'allAuthenticatedUsers'. To restrict access from public addresses: browse to GCP Firewalls List.. Edit each firewall rule in the list, under 'Source IP ranges', modify the IP adress values to restrict access from public IP addresses, like 0.0.0.0/0.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a2bb3a1b-4a09-4cf7-9e79-c438687e2c2f\",\r\n \"name\": \"a2bb3a1b-4a09-4cf7-9e79-c438687e2c2f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud Storage buckets have uniform bucket-level access enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"For simple and unified resource access, ensure that Cloud Storage buckets have uniform bucket-level access enabled.\",\r\n \"remediationDescription\": \"Browse to GCP Storage browser. Edit the relevant bucket, under 'Access Control', select 'Uniform', and then click 'Save'.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a3ebc80a-847b-46d5-a37d-8dca5e6947df\",\r\n \"name\": \"a3ebc80a-847b-46d5-a37d-8dca5e6947df\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the Cloud SQL database instance requires all incoming connections to use SSL\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that the Cloud SQL Database instance requires all incoming connections to always use SSL encryption.\",\r\n \"remediationDescription\": \"Browse to GCP Sql instances, select the relevant instance and under 'Connections', select 'Allow only SSL connections'.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1f386f4e-449e-41e8-b829-a2fe01086ae1\",\r\n \"name\": \"1f386f4e-449e-41e8-b829-a2fe01086ae1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud SQL database instances are not open to the world\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Cloud SQL instances must be configured to only accept connections from trustworthy networks and/or IP addresses and restrict all other access. \",\r\n \"remediationDescription\": \"Browse to GCP Firewalls List. Edit each firewall rule in the list, under 'Source IP ranges', modify the IP address values to restrict access from public IP addresses, like 0.0.0.0/0.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2f6c8a5a-9407-467c-8082-0ad4ab915d77\",\r\n \"name\": \"2f6c8a5a-9407-467c-8082-0ad4ab915d77\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud SQL database instances do not have public IPs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Cloud SQL instances must be configured to use private IP addresses, and not public IP addresses.\",\r\n \"remediationDescription\": \"Browse to GCP Firewalls List. Edit each firewall rule in the list, under 'Source IP ranges', modify the IP address values to restrict access from public IP addresses, like 0.0.0.0/0.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/664c6a0b-5cd2-4140-aaff-a94241c07afd\",\r\n \"name\": \"664c6a0b-5cd2-4140-aaff-a94241c07afd\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud SQL database instances are configured with automated backups\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Cloud SQL database instances must be configured with automated backups.\",\r\n \"remediationDescription\": \"Browse to GCP Sql instances. Select the relevant instance, and under 'Backups', make sure that 'Automated backups' is set to 'Enabled' and that the 'Backup time' is set.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5723400d-5b2a-45f1-99ee-837986866318\",\r\n \"name\": \"5723400d-5b2a-45f1-99ee-837986866318\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that BigQuery datasets are not anonymously or publicly accessible\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"To ensure that sensitive data is not compromised, IAM policies on BigQuery datasets must not allow anonymous or public access.\",\r\n \"remediationDescription\": \"Browse to GCP Firewalls List. Edit each firewall rule in the list, under 'Source IP ranges', modify the IP address values to restrict access from public IP addresses, like 0.0.0.0/0.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/582c14e9-48c1-4b25-ab93-91bdeaf9120c\",\r\n \"name\": \"582c14e9-48c1-4b25-ab93-91bdeaf9120c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Avoid the use of the \\\"root\\\" account\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"The \\\"root\\\" account is the most privileged account and has unrestricted access to all resources in the AWS account. It is highly recommended to avoid use of this account.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1f24d55a-df0f-4772-9090-4629c2d6bfff\",\r\n \"name\": \"1f24d55a-df0f-4772-9090-4629c2d6bfff\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Multi-Factor Authentication (MFA) should be enabled on all accounts that have a console password.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8a10942a-02ca-483f-81ae-2260ea7808cc\",\r\n \"name\": \"8a10942a-02ca-483f-81ae-2260ea7808cc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure credentials unused for 90 days or greater are disabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS resources can be accessed by using different types of credentials by AWS IAm users. Credentials such as passwords or access keys that haven't been used in 90 days or more should be deactivated or removed.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9b8eac17-6b11-4b94-9bb4-18c81aee7123\",\r\n \"name\": \"9b8eac17-6b11-4b94-9bb4-18c81aee7123\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure access keys are rotated every 90 days or less\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Access keys consist of an access key ID and secret access key. they are used to sign programmatic requests made to AWS. Access keys should be regularly rotated to reduce chance of access key used that is associated with a compromised or terminated account and ensure that data can't be accessed with an old key that might have been lost, cracked, or stolen.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/554ba13c-d7d4-4530-88ce-94cf11a670ce\",\r\n \"name\": \"554ba13c-d7d4-4530-88ce-94cf11a670ce\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy requires at least one uppercase letter\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Password policy should require at least one uppercase letter to enforce password complexity requirements . \",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/66a1d478-4d24-42d4-8eca-dcdab6532a18\",\r\n \"name\": \"66a1d478-4d24-42d4-8eca-dcdab6532a18\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy requires at least one lowercase letter\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Password policy should require at least one lowercase letter to enforce password complexity requirements . \",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b396f112-a462-4813-a93f-80bc90041e4d\",\r\n \"name\": \"b396f112-a462-4813-a93f-80bc90041e4d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy requires at least one symbol\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Password policy should require at least one symbol to enforce password complexity requirements . \",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5425052d-cc0d-4424-af71-050311f99634\",\r\n \"name\": \"5425052d-cc0d-4424-af71-050311f99634\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy requires at least one number\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Password policy should require at least one number to enforce password complexity requirements . \",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/09cb7d54-db05-4d31-97f3-9bbfe1dff610\",\r\n \"name\": \"09cb7d54-db05-4d31-97f3-9bbfe1dff610\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy requires minimum password length of 14 or greater\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Password policy should require a length of 14 or greater to enforce password complexity requirements.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/01fb1ad4-303b-4789-abf2-c024c4a76523\",\r\n \"name\": \"01fb1ad4-303b-4789-abf2-c024c4a76523\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy prevents password reuse\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"IAM password policy should prevent the reuse of passwords to prevent reuse of given password by the same user.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0de072b9-6515-4985-842e-0318047bb85b\",\r\n \"name\": \"0de072b9-6515-4985-842e-0318047bb85b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy expires passwords within 90 days or less\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"IAM password policies should require passwords to expire after 90 days or less.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8c3f474a-234e-442f-92b3-2a45e37f7eee\",\r\n \"name\": \"8c3f474a-234e-442f-92b3-2a45e37f7eee\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure no root account access key exists\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"The root account is the most privileged user in an AWS account. AWS Access Keys provide programmatic access to an AWS account. All access keys associated with the root account should be removed.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8e3d9ac0-a248-4276-a437-304c6cd1443b\",\r\n \"name\": \"8e3d9ac0-a248-4276-a437-304c6cd1443b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure MFA is enabled for the \\\"root\\\" account\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"MFA should be enabled for a root account to increase console security. When a user signs in to an AWS website, they will be prompted for their user name, password as well as for an authentication code\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8d7a6128-c8f2-43df-b422-7877346f9ddb\",\r\n \"name\": \"8d7a6128-c8f2-43df-b422-7877346f9ddb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure hardware MFA is enabled for the \\\"root\\\" account\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"MFA should be enabled for a root account to increase console security. When a user signs in to an AWS website, they will be prompted for their user name, password as well as for an authentication code. The account should be protected with a hardware MFA\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c55461af-4923-4fbb-b270-40d5e5f4c0ff\",\r\n \"name\": \"c55461af-4923-4fbb-b270-40d5e5f4c0ff\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM policies are attached only to groups or roles\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By default, IAM users, groups, and roles don't have access to AWS resources. IAM policies are used to grant privileges to users, groups, or roles. IAM policies should be applied directly to groups and roles but not users\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bbdc4999-1462-4d46-853b-2f8c6ca1c682\",\r\n \"name\": \"bbdc4999-1462-4d46-853b-2f8c6ca1c682\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a support role has been created to manage incidents with AWS Support\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS provides a support center that can be used for incident notification and response, as well as technical support and customer services. IAM Role should be created to allow authorized users to manage incidents with AWS Support.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9e1f12d0-cb3d-4e1c-a468-6bc3d934c99d\",\r\n \"name\": \"9e1f12d0-cb3d-4e1c-a468-6bc3d934c99d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM policies that allow full \\\"*:*\\\" administrative privileges are not created\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"IAM policies are the way in which privileges are granted to users, groups, or roles. Granting only the permissions needed to perform a task should be done instead of allowing full administrative privileges.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/22438e3c-73c8-40af-a083-10c980c63aa2\",\r\n \"name\": \"22438e3c-73c8-40af-a083-10c980c63aa2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure CloudTrail is enabled in all regions\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. CloudTrail should be enabled to allow security analysis, resource change tracking, and compliance auditing.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fd5d38f6-340e-4bd2-88f2-e1314c3c07a9\",\r\n \"name\": \"fd5d38f6-340e-4bd2-88f2-e1314c3c07a9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure CloudTrail log file validation is enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"A digitally signed digest file is created by CloudTrail log file validation, containing a hash of each log that CloudTrail writes to S3. These digest files can be used to determine whether a log file was changed, deleted, or unchanged after CloudTrail delivered the log. \",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0384d5b7-5def-4130-b7b5-db7da7e63276\",\r\n \"name\": \"0384d5b7-5def-4130-b7b5-db7da7e63276\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure the S3 bucket CloudTrail logs to is not publicly accessible\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Enabling public access to CloudTrail log content could assist an adversary in identifying weaknesses in the affected account's use or configuration.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5720f1a6-6061-4768-9c0d-2000a6041744\",\r\n \"name\": \"5720f1a6-6061-4768-9c0d-2000a6041744\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure CloudTrail trails are integrated with Amazon CloudWatch Logs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS CloudTrail is a web service that records AWS API calls made in a given AWS account. In addition to capturing CloudTrail logs within a specified S3 bucket for long term analysis, sending these logs to CloudWatch should be done to enable realtime analysis. \",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/dbfc99e3-e648-4c3b-bd32-995e6268430d\",\r\n \"name\": \"dbfc99e3-e648-4c3b-bd32-995e6268430d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure AWS Config is enabled in all regions\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS Config is a web service that performs configuration management of supported AWS resources within your account and delivers log files to you that can be used for security analysis, resource change tracking, and compliance auditing and should be enabled across all regions.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/30c69b23-a9a2-4729-aca6-f21adacfff66\",\r\n \"name\": \"30c69b23-a9a2-4729-aca6-f21adacfff66\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"S3 Bucket Access Logging generates a log that contains access records for each request made to your S3 bucket and could be used for security analysis, resource change tracking, and compliance auditing.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c01fab9f-bde1-4ba5-9d35-7de51f31c2d3\",\r\n \"name\": \"c01fab9f-bde1-4ba5-9d35-7de51f31c2d3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure CloudTrail logs are encrypted at rest using AWS KMS CMKs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"CloudTrail logs should be configured to leverage server side encryption (SSE) and KMS customer created master keys (CMK) to further protect CloudTrail logs.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/23b514bd-2afc-4a3e-8d3d-f4327118eee9\",\r\n \"name\": \"23b514bd-2afc-4a3e-8d3d-f4327118eee9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure rotation for customer created CMKs is enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS Key Management Service (KMS) enables customers to rotate the backing key, a key material stored within the KMS which is tied to the key ID of the Customer Created customer master key (CMK). The backing key is used to perform cryptographic operations such as encryption and decryption.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a9ac48d8-8dd7-42b9-9752-b1fa70ea5dd9\",\r\n \"name\": \"a9ac48d8-8dd7-42b9-9752-b1fa70ea5dd9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure VPC flow logging is enabled in all VPCs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"VPC Flow Logs enables you to gather information about the IP traffic going to and from network interfaces in your VPC. After a flow log has been created, you can view and retrieve its data in Amazon CloudWatch Logs. VPC Flow Logs should be enabled for packet \\\"Rejects\\\" for VPCs.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/00261067-76a8-4ebb-b5fc-becc81067bee\",\r\n \"name\": \"00261067-76a8-4ebb-b5fc-becc81067bee\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for unauthorized API calls\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By directing CloudTrail Logs to CloudWatch Logs real-time monitoring of API calls can be achieved. Metric filter and alarm should be established for unauthorized API calls.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/83ca4867-58c1-45d6-b6b6-dbf226512891\",\r\n \"name\": \"83ca4867-58c1-45d6-b6b6-dbf226512891\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for AWS Management Console sign-in without MFA\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By directing CloudTrail Logs to CloudWatch Logs real-time monitoring of API calls can be achieved. Metric filter and alarm should be established for console logins that are not protected by multi-factor authentication (MFA).\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a269cbdb-86e8-431c-9ff2-f0ea491174d8\",\r\n \"name\": \"a269cbdb-86e8-431c-9ff2-f0ea491174d8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for usage of \\\"root\\\" account\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By directing CloudTrail Logs to CloudWatch Logs real-time monitoring of API calls can be achieved. Metric filter and alarm should be established for root account login attempts.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5ea59e47-093b-446f-9765-5b0ec4c9da61\",\r\n \"name\": \"5ea59e47-093b-446f-9765-5b0ec4c9da61\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for IAM policy changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By directing CloudTrail Logs to CloudWatch Logs real-time monitoring of API calls can be achieved. Metric filter and alarm should be established for changes made to Identity and Access Management (IAM) policies\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/011397ca-1366-4bcc-b85a-7a5e3df2e80b\",\r\n \"name\": \"011397ca-1366-4bcc-b85a-7a5e3df2e80b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for CloudTrail configuration changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By directing CloudTrail Logs to CloudWatch Logs real-time monitoring of API calls can be achieved. Metric filter and alarm should be established for changes made to CloudTrail's configurations\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c62371bc-f6a7-4915-b5b5-14288682cf79\",\r\n \"name\": \"c62371bc-f6a7-4915-b5b5-14288682cf79\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for AWS Management Console authentication failures\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By directing CloudTrail Logs to CloudWatch Logs real-time monitoring of API calls can be achieved. Metric filter and alarm should be established for failed console authentication attempts.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/293ba336-7312-42fc-a59d-836e4e678b17\",\r\n \"name\": \"293ba336-7312-42fc-a59d-836e4e678b17\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By directing CloudTrail Logs to CloudWatch Logs real-time monitoring of API calls can be achieved. Metric filter and alarm should be established for customer created CMKs which have changed state to disabled or scheduled deletion.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0b547a38-2c0d-47e1-b9a2-a59fccc140db\",\r\n \"name\": \"0b547a38-2c0d-47e1-b9a2-a59fccc140db\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for S3 bucket policy changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By directing CloudTrail Logs to CloudWatch Logs real-time monitoring of API calls can be achieved. Metric filter and alarm should be established for changes to S3 bucket policies.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7d0ad86f-f43b-4889-b2f7-09d91bd1407b\",\r\n \"name\": \"7d0ad86f-f43b-4889-b2f7-09d91bd1407b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for AWS Config configuration changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By directing CloudTrail Logs to CloudWatch Logs real-time monitoring of API calls can be achieved. Metric filter and alarm should be established for changes to AWS Config configuration settings\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b20558b6-de31-480c-8aa0-e920d62b9764\",\r\n \"name\": \"b20558b6-de31-480c-8aa0-e920d62b9764\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for security group changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By directing CloudTrail Logs to CloudWatch Logs real-time monitoring of API calls can be achieved. Metric filter and alarm should be established for changes to Security Groups.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/022efc2d-5119-480b-a203-e151b6b2645c\",\r\n \"name\": \"022efc2d-5119-480b-a203-e151b6b2645c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By directing CloudTrail Logs to CloudWatch Logs real-time monitoring of API calls can be achieved. Metric filter and alarm should be established for changes made to NACLs\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3ee7608e-f0e7-4c26-8921-5ae46c4e99df\",\r\n \"name\": \"3ee7608e-f0e7-4c26-8921-5ae46c4e99df\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for changes to network gateways\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By directing CloudTrail Logs to CloudWatch Logs real-time monitoring of API calls can be achieved. Metric filter and alarm should be established for changes to network gateways.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/33765629-073d-49eb-bab4-64bdf8ac90da\",\r\n \"name\": \"33765629-073d-49eb-bab4-64bdf8ac90da\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for route table changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By directing CloudTrail Logs to CloudWatch Logs real-time monitoring of API calls can be achieved. Metric filter and alarm should be established for changes to route tables.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9c054f50-823f-45ab-839e-9df4eb7c2f11\",\r\n \"name\": \"9c054f50-823f-45ab-839e-9df4eb7c2f11\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for VPC changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By directing CloudTrail Logs to CloudWatch Logs real-time monitoring of API calls can be achieved. Metric filter and alarm should be established for changes made to VPCs.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b3473ed6-78c0-40d5-b5f0-674e98924952\",\r\n \"name\": \"b3473ed6-78c0-40d5-b5f0-674e98924952\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure no security groups allow ingress from 0.0.0.0/0 to port 22\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. Restricting connectivity to remote console services, such as SSH, could help reduce a server's exposure to risk.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9dd55566-33b9-4c07-a959-14794ce02355\",\r\n \"name\": \"9dd55566-33b9-4c07-a959-14794ce02355\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. Restricting connectivity to remote console services, such as RDP, could help reduce a server's exposure to risk.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ad0b04b9-eaf9-49f8-b85e-724f9520e760\",\r\n \"name\": \"ad0b04b9-eaf9-49f8-b85e-724f9520e760\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure the default security group of every VPC restricts all traffic\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"When an instance is launched and no security group is specified, the instance is automatically assign to a default security group. A default security group should restrict all traffic\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"name\": \"eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Subnets should be associated with a network security group\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e71308d3-144b-4262-b144-efdc3cc90517\",\r\n \"description\": \"Protect your subnet from potential threats by restricting access to it with a network security group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. When an NSG is associated with a subnet, the ACL rules apply to all the VM instances and integrated services in that subnet, but don't apply to internal traffic inside the subnet. To secure resources in the same subnet from one another, enable NSG directly on the resources as well.\",\r\n \"remediationDescription\": \"To enable Network Security Groups on your subnets:
1. Select a subnet to enable NSG on.
2. Click the 'Network security group' section.
3. Follow the steps and select an existing network security group to attach to this specific subnet.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"name\": \"e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure DDoS Protection Standard should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd\",\r\n \"description\": \"Security Center has discovered virtual networks with Application Gateway resources unprotected by the DDoS protection service. These resources contain public IPs. Enable mitigation of network volumetric and protocol attacks.\",\r\n \"remediationDescription\": \"
1. Select a virtual network to enable the DDoS protection service standard on.
2. Select the Standard option.
3. Click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"ThreatResistance\",\r\n \"DenialOfService\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/35f45c95-27cf-4e52-891f-8390d1de5828\",\r\n \"name\": \"35f45c95-27cf-4e52-891f-8390d1de5828\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Adaptive application controls for defining safe applications should be enabled on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc\",\r\n \"description\": \"Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.\",\r\n \"remediationDescription\": \"To enable and configure adaptive application controls:
1. From the portal, open Security Center.
2. Select \\\"Adaptive application controls\\\" from Security Center's sidebar.
3. To see the groups of machines that Security Center recommends protecting with adaptive application controls, select the \\\"Recommended\\\" tab and choose a group of machines to protect.
4. Create a new applications control policy according to the instructions in Security Center's documentation: https://aka.ms/aac-newpolicy\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\",\r\n \"ThreatResistance\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1234abcd-1b53-4fd4-9835-2c2fa3935313\",\r\n \"name\": \"1234abcd-1b53-4fd4-9835-2c2fa3935313\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Allowlist rules in your adaptive application control policy should be updated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/123a3936-f020-408a-ba0c-47873faf1534\",\r\n \"description\": \"Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.\",\r\n \"remediationDescription\": \"To update your list of known-safe applications:
1. From the portal, open Security Center.
2. Select \\\"Adaptive application controls\\\" from Security Center's sidebar.
3. To see the groups of machines for which Security Center recommends updating the policy, select the \\\"Recommended\\\" tab and choose the configured group of machines.
4. The current policy will be displayed together with the new rules that Security Center recommends adding.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\",\r\n \"ThreatResistance\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f9f0eed0-f143-47bf-b856-671ea2eeed62\",\r\n \"name\": \"f9f0eed0-f143-47bf-b856-671ea2eeed62\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Adaptive network hardening recommendations should be applied on internet facing virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6\",\r\n \"description\": \"Azure Security Center has analyzed the internet traffic communication patterns of the virtual machines listed below, and determined that the existing rules in the NSGs associated to them are overly permissive, resulting in an increased potential attack surface.
This typically occurs when this IP address doesn't communicate regularly with this resource. Alternatively, the IP address has been flagged as malicious by Security Center's threat intelligence sources. learn more\",\r\n \"remediationDescription\": \"To harden the Network Security Group traffic rules, enforce the recommended rules by following the steps below or manually edit the rules directly on the Network Security Group:
- Select a VM from the list below, or click \\\"Take action\\\" if you've arrived from a specific VM's recommendation blade.
- Click the \\\"Rules\\\" tab.
- If you want to modify a recommended rule's parameters:
- In the rule that you want to change, select the three dots and select \\\"Edit rule\\\". The \\\"Edit rule\\\" blade opens.
- Modify the parameters that you want to change and click \\\"Save\\\". The blade closes.
- If you want to create a new rule:
- Click \\\"Add rule\\\" (in the top left corner). The \\\"Edit rule\\\" blade opens.
- Fill in the parameters and click \\\"Add rule\\\". The blade closes and the new rule is listed in the Rules tab.
- Select the rules that you want to apply (including any rules that you edited or added) and click \\\"Enforce\\\".
\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/805651bc-6ecd-4c73-9b55-97a19d0582d0\",\r\n \"name\": \"805651bc-6ecd-4c73-9b55-97a19d0582d0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Management ports of virtual machines should be protected with just-in-time network access control\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c\",\r\n \"description\": \"Azure Security Center has identified some overly-permissive inbound rules for management ports in your Network Security Group. Enable just-in-time access control to protect your VM from internet-based brute-force attacks. Learn more.\",\r\n \"remediationDescription\": \"To enable just-in-time VM access:
- Select one or more VMs from the list below and click \\\"Remediate\\\", or click \\\"Take action\\\" if you've arrived from a recommendation for a specific VM.
- On the \\\"JIT VM access configuration\\\" page, define the ports for which the just-in-time VM access will be applicable.
- To add additional ports, click the \\\"Add\\\" button on the top left, or click an existing port and edit it.
- On the \\\"Add port configuration\\\" blade, enter the required parameters.
- Click \\\"Save\\\".
\",\r\n \"categories\": [\r\n \"Compute\",\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/01b1ed4c-b733-4fee-b145-f23236e70cf3\",\r\n \"name\": \"01b1ed4c-b733-4fee-b145-f23236e70cf3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerability assessment solution should be installed on your virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/760a85ff-6162-42b3-8d70-698e268f648c\",\r\n \"description\": \"Install a vulnerability assessment solution on your virtual machines\",\r\n \"remediationDescription\": \"N/A\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/71992a2a-d168-42e0-b10e-6b45fa2ecddb\",\r\n \"name\": \"71992a2a-d168-42e0-b10e-6b45fa2ecddb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities should be remediated by a Vulnerability Assessment solution\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/760a85ff-6162-42b3-8d70-698e268f648c\",\r\n \"description\": \"Virtual machines for which a vulnerability assessment 3rd party solution is deployed are being continuously assessed against application and OS vulnerabilities. Whenever such vulnerabilities are found, these are available for more information as part of the recommendation.\",\r\n \"remediationDescription\": \"N/A\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\",\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bc303248-3d14-44c2-96a0-55f5c326b5fe\",\r\n \"name\": \"bc303248-3d14-44c2-96a0-55f5c326b5fe\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Management ports should be closed on your virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/22730e10-96f6-4aac-ad84-9383d35b5917\",\r\n \"description\": \"Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.\",\r\n \"remediationDescription\": \"We recommend that you edit the inbound rules of some of your virtual machines, to restrict access to specific source ranges.
To restrict access to your virtual machines:
1. Select a VM to restrict access to.
2. In the 'Networking' blade, click on each of the rules that allow management ports (e.g. RDP-3389, WINRM-5985, SSH-22).
3. Either change the 'Action' property to 'Deny', or, improve the rule by applying a less permissive range of source IP ranges.
4. Click 'Save'.
Use Azure Security Center's Just-in-time (JIT) virtual machine (VM) access to lock down inbound traffic to your Azure VMs by demand. Click here to learn more.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ThreatResistance\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c3b51c94-588b-426b-a892-24696f9e54cc\",\r\n \"name\": \"c3b51c94-588b-426b-a892-24696f9e54cc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IP forwarding on your virtual machine should be disabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744\",\r\n \"description\": \"Azure Security Center has discovered that IP forwarding is enabled on some of your virtual machines. Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.\",\r\n \"remediationDescription\": \"We recommend you edit the IP configurations of the NICs belonging to some of your virtual machines.
To disable IP forwarding:
1. Select a VM from the list below, or click 'Take action' if you've arrived from a specific VM's recommendation blade.
2. In the 'Networking' blade, click on the NIC link ('Network Interface' in the top left).
3. In the 'IP configurations' blade, set the 'IP forwarding' field to 'Disabled'.
4. Click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3b20e985-f71f-483b-b078-f30d73936d43\",\r\n \"name\": \"3b20e985-f71f-483b-b078-f30d73936d43\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"All network ports should be restricted on network security groups associated to your virtual machine\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9daedab3-fb2d-461e-b861-71790eead4f6\",\r\n \"description\": \"Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.\",\r\n \"remediationDescription\": \"We recommend that you edit the inbound rules of some of your virtual machines, to restrict access to specific source ranges.
To restrict access to your virtual machines:
1. Select a VM to restrict access to.
2. In the 'Networking' blade, click the Network Security Group with overly permissive rules.
3. In the 'Network security group' blade, click on each of the rules that are overly permissive.
4. Improve the rule by applying less permissive source IP ranges.
5. Apply the suggested changes and click 'Save'.
If some or all of these virtual machines do not need to be accessed directly from the Internet, then you can also consider removing the public IP associated to them.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/483f12ed-ae23-447e-a2de-a67a10db4353\",\r\n \"name\": \"483f12ed-ae23-447e-a2de-a67a10db4353\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Internet-facing virtual machines should be protected with network security groups\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c\",\r\n \"description\": \"Protect your VM from potential threats by restricting access to it with a network security group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your VM from other instances, in or outside the same subnet.
Please note that to keep your machine as secured as possible, both the VM access to the Internet must be restricted, and an NSG should be enabled on the subnet.
VMs with 'High' severity are Internet-facing VMs.\",\r\n \"remediationDescription\": \"To protect a virtual machine with a Network Security Group:
1. Select a VM from the list below, or click \\\"Take action\\\" if you've arrived from a recommendation for a specific VM.
2. Assign the relevant NSG to the NIC or subnet for the VM you're protecting:
a. To assign the NSG to the VM's subnet (recommended):
i. In the Networking page, select the 'Virtual network/subnet'.
ii. Open the \\\"Subnets\\\" menu.
iii. Select the subnet where your VM is deployed.
iv. Select the Network Security Group to assign to the subnet and click \\\"Save\\\".
b. To assign the NSG to the NIC:
i. In the Networking page, select the network interface that's associated with the selected VM.
ii. In the Network interfaces page, select the 'Network security group' menu item.
iii. Click 'Edit' at the top of the page.
iv. Follow the on-screen instructions and select the Network Security Group to assign to this NIC.
Click here to learn more.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a9341235-9389-42f0-a0bf-9bfb57960d44\",\r\n \"name\": \"a9341235-9389-42f0-a0bf-9bfb57960d44\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Non-internet-facing virtual machines should be protected with network security groups\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6\",\r\n \"description\": \"Protect your non-internet-facing virtual machine from potential threats by restricting access to it with a network security group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your VM from other instances, whether or not they're on the same subnet.
Note that to keep your machine as secure as possible, the VM's access to the internet must be restricted and an NSG should be enabled on the subnet.\",\r\n \"remediationDescription\": \"To protect a virtual machine with a network security group:
1. Select a VM from the list below, or click \\\"Take action\\\" if you've arrived from a recommendation for a specific VM.
2. Assign the relevant NSG to the NIC or subnet for the VM you're protecting:
a. To assign the NSG to the VM's subnet (recommended):
i. In the Networking page, select the 'Virtual network/subnet'.
ii. Open the \\\"Subnets\\\" menu.
iii. Select the subnet where your VM is deployed.
iv. Select the network security group to assign to the subnet and select \\\"Save\\\".
b. To assign the NSG to the NIC:
i. In the Networking page, select the network interface that's associated with the selected VM.
ii. In the Network interfaces page, select the 'Network security group' menu item.
iii. Select 'Edit' at the top of the page.
iv. Follow the on-screen instructions and select the network security group to assign to this NIC.
Learn more.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/550e890b-e652-4d22-8274-60b3bdb24c63\",\r\n \"name\": \"550e890b-e652-4d22-8274-60b3bdb24c63\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Enable the built-in vulnerability assessment solution on virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9\",\r\n \"description\": \"Install the Qualys extension (built-in to the Azure Security Center standard tier) to enable the industry-leading vulnerability assessment solution on your virtual machines.\",\r\n \"remediationDescription\": \"To remediate with a single click, in the Unhealthy resources tab (below), select the resources, and click 'Remediate'. Read the remediation details in the confirmation box, insert the relevant parameters if required and approve the remediation. Note: It can take several minutes after remediation completes to see the resources in the ‘healthy resources’\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ffff0522-1e88-47fc-8382-2a80ba848f5d\",\r\n \"name\": \"ffff0522-1e88-47fc-8382-2a80ba848f5d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"A vulnerability assessment solution should be enabled on your virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9\",\r\n \"description\": \"Install the extension to enable a vulnerability assessment solution on your virtual machines.\",\r\n \"remediationDescription\": \"To remediate with a single click, in the Unhealthy resources tab (below), select the resources, and click 'Remediate'. Read the remediation details in the confirmation box, insert the relevant parameters if required and approve the remediation. Note: It can take several hours after remediation completes to see the resources in the ‘healthy resources’\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/57f36d21-69e3-4b0f-a66c-18629d1b736d\",\r\n \"name\": \"57f36d21-69e3-4b0f-a66c-18629d1b736d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Adaptive Network Hardening recommendations should be applied on internal facing virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Azure Security Center has analyzed the Internet traffic communication patterns of the virtual machines listed below, and determined that the existing rules in the NSGs associated to them are overly permissive, resulting in an increased potential attack surface. This could be due lack of traffic on the port/protocol tuples or specific IPs which have been flagged as malicious by Security Center's threat intelligence sources.\",\r\n \"remediationDescription\": \"Security Center recommends that you modify the rules of your virtual machines, to close ports which are not in use.
To close unused ports on your Virtual Machine with a Network Security Group
1. Select a Virtual Machine to display a list of its unused open ports
2. Open the Virtual Machine's Networking blade by clicking its name
3. Edit the Virtual Machine's inbound/outbound rules to block ports according to the list
4. Click Save\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/24d8af06-d441-40b4-a49c-311421aa9f58\",\r\n \"name\": \"24d8af06-d441-40b4-a49c-311421aa9f58\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Network traffic data collection agent should be installed on Windows virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2f2ee1de-44aa-4762-b6bd-0893fc3f306d\",\r\n \"description\": \"Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats.\",\r\n \"remediationDescription\": \"Installation of the dependency agent and enabling data collection in Security Center can be done in several ways:
- Using Security Center automatic provisioning on your subscription(s).
- This will automatically provision the Microsoft Monitoring Dependency Agent on current and future-created virtual machines on your subscription(s). Learn more
- You can also enable it for specific subscriptions and customize additional settings by clicking on the 'Pricing & settings' menu item
- click on a subscription and enable auto provisioning in the 'data collection' menu item.
- Install the Microsoft Monitoring Dependency agent on your Virtual machines as a VM extension or directly, by following these instructions:
- Provision the Microsoft Monitoring Dependency agent with Azure Policies. The applicable policy definitions are:
- '[Preview]: Deploy Microsoft Monitoring Dependency Agent for Windows VMs.'
\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8c3e93d3-0276-4d06-b20a-9a9f3012742c\",\r\n \"name\": \"8c3e93d3-0276-4d06-b20a-9a9f3012742c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Network traffic data collection agent should be installed on Linux virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/04c4380f-3fae-46e8-96c9-30193528f602\",\r\n \"description\": \"Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats.\",\r\n \"remediationDescription\": \"Installation of the dependency agent and enabling data collection in Security Center can be done in several ways:
- Using Security Center automatic provisioning on your subscription(s).
- This will automatically provision the Microsoft Monitoring Dependency Agent on current and future-created virtual machines on your subscription(s). Learn more
- You can also enable it for specific subscriptions and customize additional settings by clicking on the 'Pricing & settings' menu item
- click on a subscription and enable auto provisioning in the 'data collection' menu item.
- Install the Microsoft Monitoring Dependency agent on your Virtual machines as a VM extension or directly, by following these instructions:
- Provision the Microsoft Monitoring Dependency agent with Azure Policies. The applicable policy definitions are:
- '[Preview]: Deploy Microsoft Monitoring Dependency Agent for Linux VMs.'
\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f67fb4ed-d481-44d7-91e5-efadf504f74a\",\r\n \"name\": \"f67fb4ed-d481-44d7-91e5-efadf504f74a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Virtual networks should be protected by Azure Firewall\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fc5e4038-4584-4632-8c85-c0448d374b2c\",\r\n \"description\": \"Some of your virtual networks aren't protected with a firewall. Use Azure Firewall to restricting access to your virtual networks and prevent potential threats. To learn more about Azure Firewall,
Click here\",\r\n \"remediationDescription\": \"To protect your virtual networks with Azure Firewall:
1. From the list below, select a network. Or select Take action if you've arrived here from a specific virtual network page.
2. Follow the Azure Firewall deployment instructions. Make sure to configure all default routes properly.
Important: Azure Firewall is billed separately from Azure Security Center. Learn more about Azure Firewall pricing.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b1af52e4-e968-4e2b-b6d0-6736c9651f0a\",\r\n \"name\": \"b1af52e4-e968-4e2b-b6d0-6736c9651f0a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Defender for Key Vault should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/0e6763cc-5078-4e64-889d-ff4d9a839047\",\r\n \"description\": \"Azure Security Center includes Azure Defender for Key Vault, providing an additional layer of security intelligence.
Azure Defender for Key Vault detects unusual and potentially harmful attempts to access or exploit Key Vault accounts.
Important: Remediating this recommendation will result in charges for protecting your key vaults. If you don't have any key vaults in this subscription, no charges will be incurred.
If you create any key vaults on this subscription in the future, they will automatically be protected and charges will begin at that time.
Learn more about Azure Defender for Key Vault.\",\r\n \"remediationDescription\": \"To enable Azure Defender on all Azure Key Vault vaults in a subscription:
1. Open Security Center's Pricing & settings page.
2. Select the subscription on which you want to enable Azure Defender.
3. Under \\\"Select Azure Defender plan by resource type\\\", set \\\"Key Vault\\\" to \\\"On\\\".\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/58d72d9d-0310-4792-9a3b-6dd111093cdb\",\r\n \"name\": \"58d72d9d-0310-4792-9a3b-6dd111093cdb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Defender for Azure SQL Database servers should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/7fe3b40f-802b-4cdd-8bd4-fd799c948cc2\",\r\n \"description\": \"Azure Defender for SQL is a unified package that provides advanced SQL security capabilities.
It includes functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate a threat to your database, and discovering and classifying sensitive data.
Important: Remediating this recommendation will result in charges for protecting your Azure SQL Database servers. If you don't have any Azure SQL Database servers in this subscription, no charges will be incurred.
If you create any Azure SQL Database servers on this subscription in the future, they will automatically be protected and charges will begin at that time.
Learn more about Azure Defender for Azure SQL Database servers.\",\r\n \"remediationDescription\": \"To enable Azure Defender on all Azure SQL Database servers in a subscription:
1. Open Security Center's Pricing & settings page.
2. Select the subscription on which you want to enable Azure Defender.
3. Under \\\"Select Azure Defender plan by resource type\\\", set \\\"Azure SQL Database servers\\\" to \\\"On\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6ac66a74-761f-4a59-928a-d373eea3f028\",\r\n \"name\": \"6ac66a74-761f-4a59-928a-d373eea3f028\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Defender for SQL servers on machines should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/6581d072-105e-4418-827f-bd446d56421b\",\r\n \"description\": \"Azure Defender for SQL is a unified package that provides advanced SQL security capabilities.
It includes functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate a threat to your database, and discovering and classifying sensitive data.
Important: Remediating this recommendation will result in charges for protecting your SQL servers on machines. If you don't have any SQL servers on machines in this subscription, no charges will be incurred.
If you create any SQL servers on machines on this subscription in the future, they will automatically be protected and charges will begin at that time.
Learn more about Azure Defender for SQL servers on machines.\",\r\n \"remediationDescription\": \"To enable Azure Defender on all SQL servers on machines in a subscription:
1. Open Security Center's Pricing & settings page.
2. Select the subscription on which you want to enable Azure Defender.
3. Under \\\"Select Azure Defender plan by resource type\\\", set \\\"SQL servers on machines\\\" to \\\"On\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1be22853-8ed1-4005-9907-ddad64cb1417\",\r\n \"name\": \"1be22853-8ed1-4005-9907-ddad64cb1417\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Defender for Storage should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/308fbb08-4ab8-4e67-9b29-592e93fb94fa\",\r\n \"description\": \"Azure Defender for storage detects unusual and potentially harmful attempts to access or exploit storage accounts.
Important: Remediating this recommendation will result in charges for protecting your Azure Storage accounts. If you don't have any Azure Storage accounts in this subscription, no charges will be incurred.
If you create any Azure Storage accounts on this subscription in the future, they will automatically be protected and charges will begin at that time.
Learn more about Azure Defender for Storage\",\r\n \"remediationDescription\": \"To enable Azure Defender on all Azure Storage accounts in a subscription:
1. Open Security Center's Pricing & settings page.
2. Select the subscription on which you want to enable Azure Defender.
3. Under \\\"Select pricing tier by resource type\\\", set \\\"Storage\\\" to \\\"Enabled\\\"\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0876ef51-fee7-449d-ba1e-f2662c7e43c6\",\r\n \"name\": \"0876ef51-fee7-449d-ba1e-f2662c7e43c6\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Defender for App Service should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/2913021d-f2fd-4f3d-b958-22354e2bdbcb\",\r\n \"description\": \"Azure Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks.
Azure Defender for App Service can discover attacks on your applications and identify emerging attacks.
Important: Remediating this recommendation will result in charges for protecting your App Service plans. If you don't have any App Service plans in this subscription, no charges will be incurred.
If you create any App Service plans on this subscription in the future, they will automatically be protected and charges will begin at that time.
Learn more about Azure Defender for App Service.\",\r\n \"remediationDescription\": \"To enable Azure Defender on all App Service plans in a subscription:
1. Open Security Center's Pricing & settings page.
2. Select the subscription on which you want to enable Azure Defender.
3. Under \\\"Select Azure Defender plan by resource type\\\", set \\\"App Service\\\" to \\\"On\\\".\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/53572822-d3fc-4363-bfb9-248645841612\",\r\n \"name\": \"53572822-d3fc-4363-bfb9-248645841612\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Defender for container registries should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/c25d9a16-bc35-4e15-a7e5-9db606bf9ed4\",\r\n \"description\": \"To build secure containerized workloads, ensure the images that they're based on are free of known vulnerabilities.
Azure Defender for container registries scans your registry for security vulnerabilities on each pushed container image and exposes detailed findings per image.
To improve your containers' security posture and protect them from attacks, enable Azure Defender for container registries.
Important: Remediating this recommendation will result in charges for protecting your container registries. If you don't have any container registries in this subscription, no charges will be incurred.
If you create any container registries on this subscription in the future, they will automatically be protected and charges will begin at that time.
Learn more about Azure Defender for container registries.\",\r\n \"remediationDescription\": \"To enable Azure Defender on all container registries in a subscription:
1. Open Security Center's Pricing & settings page.
2. Select the subscription on which you want to enable Azure Defender.
3. Under \\\"Select Azure Defender plan by resource type\\\", set \\\"Container Registries\\\" to \\\"On\\\".\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/86ea1a79-29d3-4eac-a9f4-3541ace4e718\",\r\n \"name\": \"86ea1a79-29d3-4eac-a9f4-3541ace4e718\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Defender for Kubernetes should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/523b5cd1-3e23-492f-a539-13118b6d1e3a\",\r\n \"description\": \"Azure Defender for Kubernetes provides real-time threat protection for your containerized environments and generates alerts for suspicious activities.
You can use this information to quickly remediate security issues and improve the security of your containers.
Important: Remediating this recommendation will result in charges for protecting your Kubernetes clusters. If you don't have any Kubernetes clusters in this subscription, no charges will be incurred.
If you create any Kubernetes clusters on this subscription in the future, they will automatically be protected and charges will begin at that time.
Learn more about Azure Defender for Kubernetes.\",\r\n \"remediationDescription\": \"To enable Azure Defender on all Kubernetes clusters in a subscription:
1. Open Security Center's Pricing & settings page.
2. Select the subscription on which you want to enable Azure Defender.
3. Under \\\"Select Azure Defender plan by resource type\\\", set \\\"Kubernetes\\\" to \\\"On\\\".\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"MaliciousInsider\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\",\r\n \"DenialOfService\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/56a6e81f-7413-4f72-9a1b-aaeeaa87c872\",\r\n \"name\": \"56a6e81f-7413-4f72-9a1b-aaeeaa87c872\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Defender for servers should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/4da35fc9-c9e7-4960-aec9-797fe7d9051d\",\r\n \"description\": \"Azure Defender for servers provides real-time threat protection for your server workloads and generates hardening recommendations as well as alerts about suspicious activities.
You can use this information to quickly remediate security issues and improve the security of your servers.
Important: Remediating this recommendation will result in charges for protecting your servers. If you don't have any servers in this subscription, no charges will be incurred.
If you create any servers on this subscription in the future, they will automatically be protected and charges will begin at that time.
Learn more about Azure Defender for servers.\",\r\n \"remediationDescription\": \"To enable Azure Defender on all servers in a subscription:
1. Open Security Center's Pricing & settings page.
2. Select the subscription on which you want to enable Azure Defender.
3. Under \\\"Select Azure Defender plan by resource type\\\", set \\\"Servers\\\" to \\\"On\\\".\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b0df6f56-862d-4730-8597-38c0fd4ebd59\",\r\n \"name\": \"b0df6f56-862d-4730-8597-38c0fd4ebd59\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Sensitive data in your SQL databases should be classified\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/cc9835f2-9f6b-4cc8-ab4a-f8ef615eb349\",\r\n \"description\": \"Azure SQL DB Data discovery & classification provides capabilities for discovering, classifying, labeling, and protecting the sensitive data in your databases. Once your data is classified, you can use Azure SQL DB auditing to audit access and monitor the sensitive data. Azure SQL DB also enables Advanced Threat Protection features which creates intelligent alerts based on changes in the access patterns to the sensitive data.\",\r\n \"remediationDescription\": \"To remediate this recommendation:
1. In your SQL database, go to 'Advanced Data Security' and click 'Data Discovery and Classification'.
2. Review the recommended classifications.
3. Apply the relevant recommendations and dismiss the ones that are not applicable.
4. Please note that the updated health status for the database will not be reflected immediately and can take up to a week to refresh. You can make this happen faster by triggering a database Vulnerability Assessment scan: in your SQL database go to 'Advanced Data Security', click 'Vulnerability Assessment' and click 'Scan'. The health status of the database will be updated within 1 day from scan completion.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f97aa83c-9b63-4f9a-99f6-b22c4398f936\",\r\n \"name\": \"f97aa83c-9b63-4f9a-99f6-b22c4398f936\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerability assessment findings on your SQL servers on machines should be remediated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"SQL Vulnerability Assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.\",\r\n \"remediationDescription\": \"To resolve SQL vulnerabilities:
1. In your SQL database, go to 'Advanced Data Security' and click 'Vulnerability Assessment'.
2. Review the set of Failed security checks found by the scan, which are sorted from high to low risk.
3. Click on each vulnerability to view its details and explicit remediation instructions and scripts.
4. Either remediate the vulnerability using the provided script, or set the result as an acceptable Baseline for the check so that it will be considered passing in subsequent scans.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/dbd0cb49-b563-45e7-9724-889e799fa648\",\r\n \"name\": \"dbd0cb49-b563-45e7-9724-889e799fa648\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities in Azure Container Registry images should be remediated (powered by Qualys)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5f0f936f-2f01-4bf5-b6be-d423792fa562\",\r\n \"description\": \"Container image vulnerability assessment scans your registry for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks.\",\r\n \"remediationDescription\": \"To resolve container image vulnerabilities:
1. Navigate to the relevant resource under the 'Unhealthy' section and select the container image you are looking to remediate.
2. Review the set of failed security checks found by the scan, which are sorted from high to low risk.
3. Click on each vulnerability to view its details and explicit remediation instructions and scripts.
4. Remediate the vulnerability using the provided instructions described in the 'Remediation' field.
5. Upload the new remediated image to your registry. Review scan results for the new image to verify the vulnerability no longer exists.
6. Delete the old image with the vulnerability from your registry.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1195afff-c881-495e-9bc5-1486211ae03f\",\r\n \"name\": \"1195afff-c881-495e-9bc5-1486211ae03f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities in your virtual machines should be remediated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9\",\r\n \"description\": \"Monitors for vulnerability findings on your virtual machines as were discovered by the built-in vulnerability assessment solution of Azure Security Center (powered by Qualys).\",\r\n \"remediationDescription\": \"Review and remediate vulnerabilities discovered by a vulnerability assessment solution.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/82e20e14-edc5-4373-bfc4-f13121257c37\",\r\n \"name\": \"82e20e14-edc5-4373-bfc4-f13121257c37\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerability assessment findings on your SQL databases should be remediated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc\",\r\n \"description\": \"SQL Vulnerability Assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.\",\r\n \"remediationDescription\": \"To resolve SQL vulnerabilities:
1. In your SQL database, go to 'Advanced Data Security' and click 'Vulnerability Assessment'.
2. Review the set of Failed security checks found by the scan, which are sorted from high to low risk.
3. Click on each vulnerability to view its details and explicit remediation instructions and scripts.
4. Either remediate the vulnerability using the provided script, or set the result as an acceptable Baseline for the check so that it will be considered passing in subsequent scans.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4ab6e3c5-74dd-8b35-9ab9-f61b30875b27\",\r\n \"name\": \"4ab6e3c5-74dd-8b35-9ab9-f61b30875b27\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"System updates should be installed on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60\",\r\n \"description\": \"Install missing system security and critical updates to secure your Windows and Linux virtual machines and computers\",\r\n \"remediationDescription\": \"
1. Click an identified outstanding update.
2. In the Missing system updates pane, click the support link (when exists) and follow the instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/37a3689a-818e-4a0e-82ac-b1392b9bb000\",\r\n \"name\": \"37a3689a-818e-4a0e-82ac-b1392b9bb000\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Endpoint protection health issues should be resolved on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9\",\r\n \"description\": \"Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/en-us/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions- Endpoint protection assessment is documented here - https://docs.microsoft.com/en-us/azure/security-center/security-center-endpoint-protection\",\r\n \"remediationDescription\": \"
1. Confirm that your solution is on the list of tools supported by Security Center.
2. For a list of possible health issues with your solution and advice on how to resolve the health issues, consult this page of the Security Center documentation\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/08e628db-e2ed-4793-bc91-d13e684401c3\",\r\n \"name\": \"08e628db-e2ed-4793-bc91-d13e684401c3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Policy Add-on for Kubernetes should be installed and enabled on your clusters\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a15ec92-a229-4763-bb14-0ea34a568f8d\",\r\n \"description\": \"Azure Policy Add-on for Kubernetes extends Gatekeeper v3, an admission controller webhook for Open Policy Agent (OPA), to apply at-scale enforcements and safeguards on your clusters in a centralized, consistent manner.Security Center requires the Add-on to audit and enforce security capabilities and compliance inside your clusters. Learn more.
Requires Kubernetes v1.14.0 or later.
\",\r\n \"remediationDescription\": \"To configure the Azure Policy Add-on for use with your Azure Kubernetes Service cluster, follow the instructions in Install Azure Policy Add-on for AKS.
\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/405c9ae6-49f9-46c4-8873-a86690f27818\",\r\n \"name\": \"405c9ae6-49f9-46c4-8873-a86690f27818\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Container CPU and memory limits should be enforced\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e345eecc-fa47-480f-9e88-67dcc122b164\",\r\n \"description\": \"Enforcing CPU and memory limits prevents resource exhaustion attacks (a form of denial of service attack).We recommend setting limits for containers to ensure the runtime prevents the container from using more than the configured resource limit.
\",\r\n \"remediationDescription\": \"From the 'Unhealthy resources' tab, select the cluster. Security Center lists the pods without CPU and memory limits. To control a pod's limits, set quotas at the container level. Each container of a pod can specify one or both of the following:- spec.containers[].resources.limits.cpu
- spec.containers[].resources.limits.memory
After making your changes, redeploy the pod with the new limits.
Note: Although requests and limits can only be specified on individual containers, it is convenient to talk about pod resource limits. A Pod resource limit is the sum of the resource limits for all the containers in the pod. Learn more.
\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"threats\": [\r\n \"DenialOfService\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5d90913f-a1c5-4429-ad54-2c6c17fb3c73\",\r\n \"name\": \"5d90913f-a1c5-4429-ad54-2c6c17fb3c73\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Privileged containers should be avoided\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/95edb821-ddaf-4404-9732-666045e056b4\",\r\n \"description\": \"To prevent unrestricted host access, avoid privileged containers whenever possible.Privileged containers have all of the root capabilities of a host machine. They can be used as entry points for attacks and to spread malicious code or malware to compromised applications, hosts and networks.
\",\r\n \"remediationDescription\": \"From the 'Unhealthy resources' tab, select the cluster. Security Center lists the pods running privileged containers.For these pods, set the privileged flag to 'false' on the security context of the container's spec. After making your changes, redeploy the pod with the updated spec.
\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"threats\": [\r\n \"ElevationOfPrivilege\",\r\n \"DataExfiltration\",\r\n \"ThreatResistance\",\r\n \"DenialOfService\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8d244d29-fa00-4332-b935-c3a51d525417\",\r\n \"name\": \"8d244d29-fa00-4332-b935-c3a51d525417\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Container images should be deployed from trusted registries only\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/febd0533-8e55-448f-b837-bd0e06f16469\",\r\n \"description\": \"Images running on your Kubernetes cluster should come from known and monitored container image registries. Trusted registries reduce your cluster's exposure risk by limiting the potential for the introduction of unknown vulnerabilities, security issues and malicious images.\",\r\n \"remediationDescription\": \"- Ensure a regex, defining your organization private registries is configured, via the security policy parameters.
- From the 'Unhealthy resources' tab, select the cluster. Security Center lists the pods running images from untrusted registries. If you see a pod running an unfamiliar image, remove it and report the incident to your security admin. Otherwise, move all images to a trusted private registry and redeploy the pods with the updated registry.
\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5f88450f-9546-4b78-a181-a2d9162bb441\",\r\n \"name\": \"5f88450f-9546-4b78-a181-a2d9162bb441\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Containers should listen on allowed ports only\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/440b515e-a580-421e-abeb-b159a61ddcbc\",\r\n \"description\": \"To reduce the attack surface of your Kubernetes cluster, restrict access to the cluster by limiting containers access to the configured ports.\",\r\n \"remediationDescription\": \"- Ensure a list of ports on which your containers are allowed to listen, is configured, via the security policy parameters.
- From the 'Unhealthy resources' tab, select the cluster. Security Centers lists the pods running containers which listen on ports outside the configured list.
- Limit the containers' ports. After making your changes, redeploy the pods with the updated ports.
\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"threats\": [\r\n \"ThreatResistance\",\r\n \"DenialOfService\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/add45209-73f6-4fa5-a5a5-74a451b07fbe\",\r\n \"name\": \"add45209-73f6-4fa5-a5a5-74a451b07fbe\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Services should listen on allowed ports only\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/233a2a17-77ca-4fb1-9b6b-69223d272a44\",\r\n \"description\": \"To reduce the attack surface of your Kubernetes cluster, restrict access to the cluster by limiting services access to the configured ports.\",\r\n \"remediationDescription\": \"- Ensure a list of ports on which your services are allowed to listen, is configured, via the security policy parameters.
- From the 'Unhealthy resources' tab, select the cluster. Security Center lists the services which listen on ports outside the configured list.
- Limit the services' ports. After making your changes, redeploy the services with the updated ports.
\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"threats\": [\r\n \"ThreatResistance\",\r\n \"DenialOfService\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/11c95609-3553-430d-b788-fd41cde8b2db\",\r\n \"name\": \"11c95609-3553-430d-b788-fd41cde8b2db\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Least privileged Linux capabilities should be enforced for containers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c26596ff-4d70-4e6a-9a30-c2506bd2f80c\",\r\n \"description\": \"To reduce attack surface of your container, restrict Linux capabilities and grant specific privileges to containers without granting all the privileges of the root user. We recommend dropping all capabilities, then adding those that are required\",\r\n \"remediationDescription\": \"
1. Make sure lists of dropped capabilities and allowed capabilities are configured, via the security policy parameters.
2. From the Unhealthy resources tab, select the cluster. Security Center lists the running containers with capabilities outside the configured list.
3. Limit the containers' Linux capabilities. To add or remove Linux capabilities for a container, include a capabilities section in the securityContext section of the container manifest with the relevant capabilities set e.g. Drop: ALL ; add: ['NET_ADMIN', 'SYS_TIME'].
4. After making your changes, redeploy the pod with the updated capabilities.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"threats\": [\r\n \"ElevationOfPrivilege\",\r\n \"DataExfiltration\",\r\n \"ThreatResistance\",\r\n \"DenialOfService\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/27d6f0e9-b4d5-468b-ae7e-03d5473fd864\",\r\n \"name\": \"27d6f0e9-b4d5-468b-ae7e-03d5473fd864\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Immutable (read-only) root filesystem should be enforced for containers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/df49d893-a74c-421d-bc95-c663042e5b80\",\r\n \"description\": \"Containers should run with a read only root file system in your Kubernetes cluster. Immutable filesystem protects containers from changes at run-time with malicious binaries being added to PATH.\",\r\n \"remediationDescription\": \"
1. From the Unhealthy resources tab, select the cluster. Security Center lists the pods running containers without read only root file system.
2. For these pods, set the readOnlyRootFilesystem flag to 'true' on the security context of the container's spec.
3. After making your changes, redeploy the pod with the updated spec.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f0debc84-981c-4a0d-924d-aa4bd7d55fef\",\r\n \"name\": \"f0debc84-981c-4a0d-924d-aa4bd7d55fef\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Usage of pod HostPath volume mounts should be restricted to a known list to restrict node access from compromised containers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/098fc59e-46c7-4d99-9b16-64990e543d75\",\r\n \"description\": \"We recommend limiting pod HostPath volume mounts in your Kubernetes cluster to the configured allowed host paths. In case of compromise, the container node access from the containers should be restricted\",\r\n \"remediationDescription\": \"
1. Ensure a list of allowed host paths is configured, via the security policy parameters.
2. From the Unhealthy resources tab, select the cluster. Security Center lists the pods running pods with hostPath volume violating the configured list.
3. Update hostPath and redeploy the pod with the updated spec.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9b795646-9130-41a4-90b7-df9eae2437c8\",\r\n \"name\": \"9b795646-9130-41a4-90b7-df9eae2437c8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Running containers as root user should be avoided\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f06ddb64-5fa3-4b77-b166-acb36f7f6042\",\r\n \"description\": \"Containers should run as a non-root users in your Kubernetes cluster. Running a process as the root user inside a container runs it as root on the host. In case of compromise, an attacker has root in the container, and any mis-configurations become easier to exploit.\",\r\n \"remediationDescription\": \"
1. From the Unhealthy resources tab, select the cluster. Security Center lists the pods running containers missing the 'MustRunAsNonRoot' rule.
2. For these pods, add rule: 'MustRunAsNonRoot' in a runAsUser section of the container's spec.
3. After making your changes, redeploy the pod with the updated rule. \",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ebc68898-5c0f-4353-a426-4a5f1e737b12\",\r\n \"name\": \"ebc68898-5c0f-4353-a426-4a5f1e737b12\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Usage of host networking and ports should be restricted\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/82985f06-dc18-4a48-bc1c-b9f4f0098cfe\",\r\n \"description\": \"Restrict pod access to the host network and the allowable host port range in a Kubernetes cluster. Pods created with the hostNetwork attribute enabled will share the node’s network space. To avoid compromised container from sniffing network traffic, we recommend not putting your pods on the host network. If you need to expose a container port on the node’s network, and using a Kubernetes Service node port does not meet your needs, another possibility is to specify a hostPort for the container in the pod spec.\",\r\n \"remediationDescription\": \"
1. Ensure the following are all configured in the security policy parameters: allow host network usage, and min and max host ports.
2. From the Unhealthy resources tab, select the cluster. Security Center lists the pods running containers with host networking violating the configured list.
3. Validate the host networking using the hostNetwork and hostPort attributes (when applicable) of the container's spec.
4. After making your changes, redeploy the pod with the updated spec.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/802c0637-5a8c-4c98-abd7-7c96d89d6010\",\r\n \"name\": \"802c0637-5a8c-4c98-abd7-7c96d89d6010\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Containers sharing sensitive host namespaces should be avoided\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8\",\r\n \"description\": \"To protect against privilege escalation outside the container, avoid pod access to sensitive host namespaces (host process ID and host IPC) in a Kubernetes cluster.\",\r\n \"remediationDescription\": \"
1. From the Unhealthy resources tab, select the cluster. Security Center lists the pods sharing host process ID or host IPC.
2. Set the host process ID and host IPC to 'false' on the pod's spec.
3. After making your changes, redeploy the pod with the updated spec.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/43dc2a2e-ce69-4d42-923e-ab7d136f2cfe\",\r\n \"name\": \"43dc2a2e-ce69-4d42-923e-ab7d136f2cfe\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Container with privilege escalation should be avoided\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1c6e92c9-99f0-4e55-9cf2-0c234dc48f99\",\r\n \"description\": \"Containers shouldn't run with privilege escalation to root in your Kubernetes cluster.<br>The AllowPrivilegeEscalation attribute controls whether a process can gain more privileges than its parent process.\",\r\n \"remediationDescription\": \"
1. From the Unhealthy resources tab, select the cluster. Security Center lists the pods running containers with privilege escalation to root in your Kubernetes cluster.
2. For these pods, set the AllowPrivilegeEscalation flag to 'false' on the security context of the container's spec.
3. After making your changes, redeploy the pod with the updated spec.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/86f91051-9d6a-47c3-a07f-bd14cb214b45\",\r\n \"name\": \"86f91051-9d6a-47c3-a07f-bd14cb214b45\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Overriding or disabling of containers AppArmor profile should be restricted\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/511f5417-5d12-434d-ab2e-816901e72a5e\",\r\n \"description\": \"Containers running on your Kubernetes cluster should be limited to allowed AppArmor profiles only.<br>AppArmor (Application Armor) is a Linux security module that protects an operating system and its applications from security threats. To use it, a system administrator associates an AppArmor security profile with each program.\",\r\n \"remediationDescription\": \"
1. Ensure a list of AppArmor profiles containers are allowed to use is configured, via the security policy parameters.
2. From the Unhealthy resources tab, select the cluster. Security Center lists the running pods with AppArmor profile violating the configured list.
3. Update AppArmor annotation in the Pod's metadata and redeploy the pod with the updated spec.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\"\r\n }\r\n }\r\n ]\r\n}",
"StatusCode": 200
},
{
@@ -117,7 +117,7 @@
"-1"
]
},
- "ResponseBody": "{\r\n \"value\": [\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4fb67663-9ab9-475d-b026-8c544cced439\",\r\n \"name\": \"4fb67663-9ab9-475d-b026-8c544cced439\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Endpoint protection should be installed on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9\",\r\n \"description\": \"To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.
Learn more about how Endpoint Protection for machines is evaluated.\",\r\n \"remediationDescription\": \"To remediate missing endpoint protection:
1. Confirm that your solution is on the list of tools supported by Security Center.
2. Install the supported endpoint protection solution or enable an existing tool.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0396b18c-41aa-489c-affd-4ee5d1714a59\",\r\n \"name\": \"0396b18c-41aa-489c-affd-4ee5d1714a59\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Secure Boot should be enabled on your virtual machine\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Enabling Secure Boot on your virtual machine helps mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only signed code will be allowed to run on your VM or server.\",\r\n \"remediationDescription\": \"Enabling Secure Boot requires restarting your virtual machine:
1. Stop your VM when it is safe to do so.
2. Enable Secure Boot for the VM.
3. Restart the VM.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ElevationOfPrivilege\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f7010359-8d21-4598-a9f2-c3e81a17141e\",\r\n \"name\": \"f7010359-8d21-4598-a9f2-c3e81a17141e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"All advanced threat protection types should be enabled in SQL server advanced data security settings\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e756b945-1b1b-480b-8de8-9a0859d5f7ad\",\r\n \"description\": \"It is recommended to enable all advanced threat protection types on your SQL servers. Enabling all types protects against SQL injection, database vulnerabilities, and any other anomalous activities.\",\r\n \"remediationDescription\": \"To set advanced threat protection types to 'All' on SQL servers:
1. Select the SQL server.
2. Make sure that 'Advanced data security' is set to 'On'.
3. Under 'Advanced threat protection types', mark the check box for 'all'.
4. click OK.
5. Click Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ebe970fe-9c27-4dd7-a165-1e943d565e10\",\r\n \"name\": \"ebe970fe-9c27-4dd7-a165-1e943d565e10\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"All advanced threat protection types should be enabled in SQL managed instance advanced data security settings\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bda18df3-5e41-4709-add9-2554ce68c966\",\r\n \"description\": \"It is recommended to enable all advanced threat protection types on your SQL managed instances. Enabling all types protects against SQL injection, database vulnerabilities, and any other anomalous activities.\",\r\n \"remediationDescription\": \"To set advanced threat protection types to 'All' on a managed instance:
1. Select the SQL server.
2. Make sure that 'Advanced data security' is set to 'On'.
3. Under 'Advanced threat protection types', mark the check box for 'all'.
4. click OK.
5. Click Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/64b8637e-4e1d-76a9-0fc9-c1e487a97ed8\",\r\n \"name\": \"64b8637e-4e1d-76a9-0fc9-c1e487a97ed8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Remote debugging should be turned off for Web Applications\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/cb510bfd-1cba-4d9f-a230-cb0976f4bb71\",\r\n \"description\": \"Remote debugging requires inbound ports to be opened on a web application. Remote debugging is currently enabled. If you no longer need to use remote debugging, it should be turned off.\",\r\n \"remediationDescription\": \"To turn off remote debugging, we recommend the following steps:
1. Go to the app service applications settings page
2. In the remote debugging toggle select Off
3. Click Save\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/df4d1739-47f0-60c7-1706-3731fea6ab03\",\r\n \"name\": \"df4d1739-47f0-60c7-1706-3731fea6ab03\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CORS should not allow every resource to access your Web Applications\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/5744710e-cc2f-4ee8-8809-3b11e89f4bc9\",\r\n \"description\": \"Cross-Origin Resource Sharing (CORS) should not allow all domains to access your web application. Allow only required domains to interact with your web app.\",\r\n \"remediationDescription\": \"To allow only required domains to interact with your web app, we recommend the following steps:
1. Go to the app service CORS page
2. Remove the \\\"*\\\" defined and instead specify explicit origins that should be allowed to make cross-origin calls
3. Click Save\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1b351b29-41ca-6df5-946c-c190a56be5fe\",\r\n \"name\": \"1b351b29-41ca-6df5-946c-c190a56be5fe\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Web Application should only be accessible over HTTPS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d\",\r\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\",\r\n \"remediationDescription\": \"To redirect all HTTP traffic to HTTPS, we recommend the following steps:
1. Go to the app service custom domains page
2. In the HTTPS Only toggle select On\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/093c685b-56dd-13a3-8ed5-887a001837a2\",\r\n \"name\": \"093c685b-56dd-13a3-8ed5-887a001837a2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Remote debugging should be turned off for Function App\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/0e60b895-3786-45da-8377-9c6b4b6ac5f9\",\r\n \"description\": \"Remote debugging requires inbound ports to be opened on an function app. Remote debugging should be turned off.\",\r\n \"remediationDescription\": \"To turn off remote debugging, we recommend the following steps:
1. Go to the app service applications settings page
2. In the remote debugging toggle select Off
3. Click Save\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7b3d4796-9400-2904-692b-4a5ede7f0a1e\",\r\n \"name\": \"7b3d4796-9400-2904-692b-4a5ede7f0a1e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CORS should not allow every resource to access your Function App\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/0820b7b9-23aa-4725-a1ce-ae4558f718e5\",\r\n \"description\": \"Cross-Origin Resource Sharing (CORS) should not allow all domains to access your Function app. Allow only required domains to interact with your Function app.\",\r\n \"remediationDescription\": \"To allow only required domains to interact with your web app, we recommend the following steps:
1. Go to the app service CORS page
2. Remove the \\\"*\\\" defined and instead specify explicit origins that should be allowed to make cross-origin calls
3. Click Save\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/cb0acdc6-0846-fd48-debe-9905af151b6d\",\r\n \"name\": \"cb0acdc6-0846-fd48-debe-9905af151b6d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Function App should only be accessible over HTTPS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab\",\r\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\",\r\n \"remediationDescription\": \"To redirect all HTTP traffic to HTTPS, we recommend the following steps:
1. Go to the app service custom domains page
2. In the HTTPS Only toggle select On\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9172da4e-9571-6e33-2b5b-d742847f3be7\",\r\n \"name\": \"9172da4e-9571-6e33-2b5b-d742847f3be7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Remote debugging should be turned off for API App\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/e9c8d085-d9cc-4b17-9cdc-059f1f01f19e\",\r\n \"description\": \"Remote debugging requires inbound ports to be opened on an API app. Remote debugging should be turned off.\",\r\n \"remediationDescription\": \"To turn off remote debugging, we recommend the following steps:
1. Go to the app service applications settings page
2. In the remote debugging toggle select Off
3. Click Save\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e40df93c-7a7c-1b0a-c787-9987ceb98e54\",\r\n \"name\": \"e40df93c-7a7c-1b0a-c787-9987ceb98e54\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CORS should not allow every resource to access your API App\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/358c20a6-3f9e-4f0e-97ff-c6ce485e2aac\",\r\n \"description\": \"Cross-Origin Resource Sharing (CORS) should not allow all domains to access your API app. Allow only required domains to interact with your API app.\",\r\n \"remediationDescription\": \"To allow only required domains to interact with your web app, we recommend the following steps:
1. Go to the app service CORS page
2. Remove the \\\"*\\\" defined and instead specify explicit origins that should be allowed to make cross-origin calls
3. Click Save\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bf82a334-13b6-ca57-ea75-096fc2ffce50\",\r\n \"name\": \"bf82a334-13b6-ca57-ea75-096fc2ffce50\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"API App should only be accessible over HTTPS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b7ddfbdc-1260-477d-91fd-98bd9be789a6\",\r\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\",\r\n \"remediationDescription\": \"To redirect all HTTP traffic to HTTPS, we recommend the following steps:
1. Go to the app service custom domains page
2. In the HTTPS Only toggle select On\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d57a4221-a804-52ca-3dea-768284f06bb7\",\r\n \"name\": \"d57a4221-a804-52ca-3dea-768284f06bb7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Disk encryption should be applied on virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d\",\r\n \"description\": \"Encrypt your virtual machine disks using Azure Disk Encryption both for Windows and Linux virtual machines.
\\n Azure Disk Encryption (ADE) leverages the industry standard BitLocker feature of Windows and the DM-Crypt feature of Linux to
\\n provide OS and data disk encryption to help protect and safeguard your data and help meet your organizational security and
\\n compliance commitments in customer Azure key vault. When your compliance and security requirement requires you to encrypt
\\n the data end to end using your encryption keys, including encryption of the ephemeral (locally attached temporary) disk, use
\\n Azure disk encryption. Alternatively, by default, Managed Disks are encrypted at rest by default using Azure Storage Service
\\n Encryption where the encryption keys are Microsoft managed keys in Azure. If this meets your compliance and security requirements,
\\n you can leverage the default Managed disk encryption to meet your requirements.\",\r\n \"remediationDescription\": \"To enable disk encryption on your virtual machines, follow Encryption instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c0f5316d-5ac5-9218-b77a-b96e16ccfd66\",\r\n \"name\": \"c0f5316d-5ac5-9218-b77a-b96e16ccfd66\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Your machines should be restarted to apply system updates\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60\",\r\n \"description\": \"Restart your machines to apply the system updates and secure the machine from vulnerabilities.\",\r\n \"remediationDescription\": \"To restart the machine:
1. Go to Virtual machines and click on your machine.
2. Click 'Restart'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/181ac480-f7c4-544b-9865-11b8ffe87f47\",\r\n \"name\": \"181ac480-f7c4-544b-9865-11b8ffe87f47\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities in security configuration on your machines should be remediated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15\",\r\n \"description\": \"Remediate vulnerabilities in security configuration on your machines to protect them from attacks.\",\r\n \"remediationDescription\": \"1.\\tClick any of the configuration vulnerabilities. 2. In the Remediate security configurations pane, click View affected machines. 3. Click a machine from the list. 4. Customize the Kusto query as necessary and run the command.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3bcd234d-c9c7-c2a2-89e0-c01f419c1a8a\",\r\n \"name\": \"3bcd234d-c9c7-c2a2-89e0-c01f419c1a8a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Endpoint protection health issues should be resolved on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9\",\r\n \"description\": \"For full Security Center protection, resolve monitoring agent issues on your machines by following the instructions in the Troubleshooting guide.\",\r\n \"remediationDescription\": \"1. Click any of the health issues. 2. Select a workspace. 3. Customize the Kusto query as necessary and run the command.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/83f577bd-a1b6-b7e1-0891-12ca19d1e6df\",\r\n \"name\": \"83f577bd-a1b6-b7e1-0891-12ca19d1e6df\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Install endpoint protection solution on virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9\",\r\n \"description\": \"Install an endpoint protection solution on your virtual machines, to protect them from threats and vulnerabilities.\",\r\n \"remediationDescription\": \"1.\\tSelect one or more virtual machines, or use the filter to set criteria for which machines to select. 2. Click Install on [x] VMs.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/651967bf-044e-4bde-8376-3e08e0600105\",\r\n \"name\": \"651967bf-044e-4bde-8376-3e08e0600105\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Transparent Data Encryption on SQL databases should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/17k78e20-9358-41c9-923c-fb736d382a12\",\r\n \"description\": \"Enable transparent data encryption to protect data-at-rest and meet compliance requirements\",\r\n \"remediationDescription\": \"To enable transparent data encryption on your SQL databases:
1. Select the SQL database.
2. Under Data encryption, select On.
3. Click Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/94208a8b-16e8-4e5b-abbd-4e81c9d02bee\",\r\n \"name\": \"94208a8b-16e8-4e5b-abbd-4e81c9d02bee\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Auditing on SQL server should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9\",\r\n \"description\": \"Enable auditing on your SQL Server to track database activities across all databases on the server and save them in an audit log.\",\r\n \"remediationDescription\": \"To enable SQL server auditing:
1. Select the SQL server.
2. Under Auditing, select On.
3. Select Storage details and configure a storage account for the audit log.
4. Click Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8bc390da-9eb6-938d-25ed-44a35d9bcc9d\",\r\n \"name\": \"8bc390da-9eb6-938d-25ed-44a35d9bcc9d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"OS version should be updated for your cloud service roles\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5a913c68-0590-402c-a531-e57e19379da3\",\r\n \"description\": \"Update the operating system (OS) version for your cloud service roles to the most recent version available for your OS family.\",\r\n \"remediationDescription\": \"Update the OS version on your cloud service roles to make sure you have the most recent OS version. To do this, follow the instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/383cf3bc-fdf9-4a02-120a-3e7e36c6bfee\",\r\n \"name\": \"383cf3bc-fdf9-4a02-120a-3e7e36c6bfee\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Install endpoint protection solution on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Install an endpoint protection solution on your Windows and Linux machines, to protect them from threats and vulnerabilities.\",\r\n \"remediationDescription\": \"1. Select one or more machines, or use the filter to set criteria for which machines to select. 2. Click Install on [x] machines.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e7ee30c4-bac9-2966-54bd-2023a4282872\",\r\n \"name\": \"e7ee30c4-bac9-2966-54bd-2023a4282872\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Monitoring agent should be installed on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This action installs a monitoring agent on the selected virtual machines. Select a workspace for the agent to report to.\",\r\n \"remediationDescription\": \"1. For instructions on how to install the agent on Windows, click here 2. For instructions on how to install the agent on Linux, click here\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8e2b96ff-3de2-289b-b5c1-3b9921a3441e\",\r\n \"name\": \"8e2b96ff-3de2-289b-b5c1-3b9921a3441e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Log Analytics agent health issues should be resolved on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d62cfe2b-3ab0-4d41-980d-76803b58ca65\",\r\n \"description\": \"Security Center uses the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA). To make sure your virtual machines are successfully monitored, you need to make sure the agent is both installed on the virtual machines and properly collects security events to the configured workspace.\",\r\n \"remediationDescription\": \"To resolve Log Analytics agent health issues and see the different resolution for each issue, please see the following instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d1db3318-01ff-16de-29eb-28b344515626\",\r\n \"name\": \"d1db3318-01ff-16de-29eb-28b344515626\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Log Analytics agent should be installed on your virtual machine\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499\",\r\n \"description\": \"Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats. Data is collected using the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA), which reads various security-related configurations and event logs from the machine and copies the data to your Log Analytics workspace for analysis. This agent is also is required if your VMs are used by an Azure managed service such as Azure Kubernetes Service or Azure Service Fabric. We recommend configuring auto-provisioning to automatically deploy the agent. If you choose not to use auto-provisioning, manually deploy the agent to your VMs using the instructions in the remediation steps.\",\r\n \"remediationDescription\": \"For multiple ways to install and configure your Log Analytics agent please see the following instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/151e82c5-5341-a74b-1eb0-bc38d2c84bb5\",\r\n \"name\": \"151e82c5-5341-a74b-1eb0-bc38d2c84bb5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"MFA should be enabled on accounts with read permissions on your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e3576e28-8b17-4677-84c3-db2990658d64\",\r\n \"description\": \"Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources.\",\r\n \"remediationDescription\": \"To enable MFA using conditional access you must have an Azure AD Premium license and have AD tenant admin permissions.
1. Select the relevant subscription or click 'Take action' if it's available. The list of user accounts without MFA appears.
2. Click 'Continue'. The Azure AD Conditional Access page appears.
3. In the Conditional Access page, add the list of users to a policy (create a policy if one doesn't exist).
4. For your conditional access policy, ensure the following:
a. In the 'Access controls' section, multi-factor authentication is granted.
b. In the 'Cloud Apps or actions' section's 'Include' tab, check that Microsoft Azure Management (App Id :797f4846-ba00-4fd7-ba43-dac1f8f63013) or 'All apps' is selected. In the 'Exclude' tab, check that it is not excluded.
To enable MFA security defaults in Azure Active Directory (included in Azure AD free):
1. Sign in to the Azure AD - Properties page as a security administrator, Conditional Access administrator, or global administrator.
2. From the bottom of the page, select Manage security defaults.
3. Set Enable security defaults to Yes.
4. Select Save.
Note: It can take up to 12 hours for the change to be reflected in Security Center.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/57e98606-6b1e-6193-0e3d-fe621387c16b\",\r\n \"name\": \"57e98606-6b1e-6193-0e3d-fe621387c16b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"MFA should be enabled on accounts with write permissions on your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9297c21d-2ed6-4474-b48f-163f75654ce3\",\r\n \"description\": \"Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources.\",\r\n \"remediationDescription\": \"To enable MFA using conditional access you must have an Azure AD Premium license and have AD tenant admin permissions.
1. Select the relevant subscription or click 'Take action' if it's available. The list of user accounts without MFA appears.
2. Click 'Continue'. The Azure AD Conditional Access page appears.
3. In the Conditional Access page, add the list of users to a policy (create a policy if one doesn't exist).
4. For your conditional access policy, ensure the following:
a. In the 'Access controls' section, multi-factor authentication is granted.
b. In the 'Cloud Apps or actions' section's 'Include' tab, check that Microsoft Azure Management (App Id :797f4846-ba00-4fd7-ba43-dac1f8f63013) or 'All apps' is selected. In the 'Exclude' tab, check that it is not excluded.
To enable MFA security defaults in Azure Active Directory (included in Azure AD free):
1. Sign in to the Azure AD - Properties page as a security administrator, Conditional Access administrator, or global administrator.
2. From the bottom of the page, select Manage security defaults.
3. Set Enable security defaults to Yes.
4. Select Save.
Note: It can take up to 12 hours for the change to be reflected in Security Center.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/94290b00-4d0c-d7b4-7cea-064a9554e681\",\r\n \"name\": \"94290b00-4d0c-d7b4-7cea-064a9554e681\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"MFA should be enabled on accounts with owner permissions on your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/aa633080-8b72-40c4-a2d7-d00c03e80bed\",\r\n \"description\": \"Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources.\",\r\n \"remediationDescription\": \"To enable MFA using conditional access you must have an Azure AD Premium license and have AD tenant admin permissions.
1. Select the relevant subscription or click 'Take action' if it's available. The list of user accounts without MFA appears.
2. Click 'Continue'. The Azure AD Conditional Access page appears.
3. In the Conditional Access page, add the list of users to a policy (create a policy if one doesn't exist).
4. For your conditional access policy, ensure the following:
a. In the 'Access controls' section, multi-factor authentication is granted.
b. In the 'Cloud Apps or actions' section's 'Include' tab, check that Microsoft Azure Management (App Id :797f4846-ba00-4fd7-ba43-dac1f8f63013) or 'All apps' is selected. In the 'Exclude' tab, check that it is not excluded.
To enable MFA security defaults in Azure Active Directory (included in Azure AD free):
1. Sign in to the Azure AD - Properties page as a security administrator, Conditional Access administrator, or global administrator.
2. From the bottom of the page, select Manage security defaults.
3. Set Enable security defaults to Yes.
4. Select Save.
Note: It can take up to 12 hours for the change to be reflected in Security Center.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a8c6a4ad-d51e-88fe-2979-d3ee3c864f8b\",\r\n \"name\": \"a8c6a4ad-d51e-88fe-2979-d3ee3c864f8b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"External accounts with read permissions should be removed from your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5f76cf89-fbf2-47fd-a3f4-b891fa780b60\",\r\n \"description\": \"Accounts with read permissions that have different domain names (external accounts), should be removed from your subscription. This prevents unmonitored access. These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"To remove external accounts:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The list of external user accounts that require access removal opens.
Click 'Continue'. The Access control (IAM) page opens.
In the Access control page:
1. Click the 'Role assignments'
2. Search and select the users that were in the list of user accounts that require removal. You can scroll back to the left to see the list.
3. Click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/04e7147b-0deb-9796-2e5c-0336343ceb3d\",\r\n \"name\": \"04e7147b-0deb-9796-2e5c-0336343ceb3d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"External accounts with write permissions should be removed from your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5c607a2e-c700-4744-8254-d77e7c9eb5e4\",\r\n \"description\": \"Accounts with write permissions that have different domain names (external accounts), should be removed from your subscription. This prevents unmonitored access. These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"To remove external accounts:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The list of external user accounts that require access removal opens.
Click 'Continue'. The Access control (IAM) page opens.
In the Access control page:
1. Click the 'Role assignments'
2. Search and select the users that were in the list of user accounts that require removal. You can scroll back to the left to see the list.
3. Click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c3b6ae71-f1f0-31b4-e6c1-d5951285d03d\",\r\n \"name\": \"c3b6ae71-f1f0-31b4-e6c1-d5951285d03d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"External accounts with owner permissions should be removed from your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f8456c1c-aa66-4dfb-861a-25d127b775c9\",\r\n \"description\": \"Accounts with owner permissions that have different domain names (external accounts), should be removed from your subscription. This prevents unmonitored access. These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"To remove external accounts:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The list of external user accounts that require access removal opens.
Click 'Continue'. The Access control (IAM) page opens.
In the Access control page:
1. Click the 'Role assignments'
2. Search and select the users that were in the list of user accounts that require removal. You can scroll back to the left to see the list.
3. Click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/00c6d40b-e990-6acf-d4f3-471e747a27c4\",\r\n \"name\": \"00c6d40b-e990-6acf-d4f3-471e747a27c4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Deprecated accounts should be removed from your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6b1cbf55-e8b6-442f-ba4c-7246b6381474\",\r\n \"description\": \"User accounts that have been blocked from signing in, should be removed from your subscriptions.
These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"To remove blocked user accounts:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The list of blocked user accounts opens.
Click 'Continue'. The Access control (IAM) page opens.
In the Access control page:
1. Click the 'Role assignments' tab.
2. Search and select the users that were in the list of blocked user accounts that require removal. You can scroll back to the left to see the list.
3. Click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e52064aa-6853-e252-a11e-dffc675689c2\",\r\n \"name\": \"e52064aa-6853-e252-a11e-dffc675689c2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Deprecated accounts with owner permissions should be removed from your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ebb62a0c-3560-49e1-89ed-27e074e9f8ad\",\r\n \"description\": \"User accounts that have been blocked from signing in, should be removed from your subscriptions.
These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"To remove blocked user accounts:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The list of blocked user accounts opens.
Click 'Continue'. The Access control (IAM) page opens.
In the Access control page:
1. Click the 'Role assignments' tab.
2. Search and select the users that were in the list of blocked user accounts that require removal. You can scroll back to the left to see the list.
3. Click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6f90a6d6-d4d6-0794-0ec1-98fa77878c2e\",\r\n \"name\": \"6f90a6d6-d4d6-0794-0ec1-98fa77878c2e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"A maximum of 3 owners should be designated for your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4f11b553-d42e-4e3a-89be-32ca364cad4c\",\r\n \"description\": \"It is recommended to designate up to {0} subscription owners in order to reduce the potential for breach by a compromised owner.\",\r\n \"remediationDescription\": \"To remove owner permissions from user accounts on your subscription:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The Access control (IAM) page opens.
1. Click the Role assignments tab and set the 'Role' filter to 'Owner'.
2. Select the owners you want to remove.
3. Click Remove.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2c79b4af-f830-b61e-92b9-63dfa30f16e4\",\r\n \"name\": \"2c79b4af-f830-b61e-92b9-63dfa30f16e4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"There should be more than one owner assigned to your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/09024ccc-0c5f-475e-9457-b7c0d9ed487b\",\r\n \"description\": \"Designate more than one subscription owner in order to have administrator access redundancy.\",\r\n \"remediationDescription\": \"To add another account with owner permissions to your subscription:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The Access control (IAM) page opens.
1. Click 'Add' to open the Add role assignment pane.
If you don't have permissions to assign roles, the Add role assignment option will be disabled
1. In the 'Role' drop-down list, select the Owner role.
2. In the Select list, select a user.
3. Click Save.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0677209d-e675-2c6f-e91a-54cef2878663\",\r\n \"name\": \"0677209d-e675-2c6f-e91a-54cef2878663\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities in container security configurations should be remediated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933\",\r\n \"description\": \"Remediate vulnerabilities in security configuration on machines with Docker installed to protect them from attacks.\",\r\n \"remediationDescription\": \"To remediate vulnerabilities in the container security configurations:
1. Review the list of failed rules.
2. Fix each rule according to the specified instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1db4f204-cb5a-4c9c-9254-7556403ce51c\",\r\n \"name\": \"1db4f204-cb5a-4c9c-9254-7556403ce51c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerability assessment should be enabled on your SQL servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9\",\r\n \"description\": \"Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities.\",\r\n \"remediationDescription\": \"To enable vulnerability assessment on SQL servers:
1. Select the SQL server.
2. Make sure that 'Advanced data security' is set to 'On'.
3. Under 'Vulnerability assessment settings', set 'Periodic recurring scans' to 'On', and configure a storage account for storing vulnerability assessment scan results.
4. Click Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/400a6682-992c-4726-9549-629fbc3b988f\",\r\n \"name\": \"400a6682-992c-4726-9549-629fbc3b988f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Defender for SQL should be enabled on your SQL servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9\",\r\n \"description\": \"Azure Defender for SQL is a unified package that provides advanced SQL security capabilities. It surfaces and mitigates potential database vulnerabilities, and detects anomalous activities that could indicate a threat to your database. Azure Defender for SQL is billed as shown on the pricing page.\",\r\n \"remediationDescription\": \"To enable Azure Defender for SQL on SQL servers: 1. Select the SQL server. 2. Under 'Security Center', set Azure Defender for SQL to 'On'. 3. Under 'Vulnerability Assessment Settings', configure a storage account for storing vulnerability assessment scan results and set 'Periodic recurring scans' to 'On'. 4. Click Save.
Note: Azure Defender for SQL is billed as shown on the pricing page\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f0553104-cfdb-65e6-759c-002812e38500\",\r\n \"name\": \"f0553104-cfdb-65e6-759c-002812e38500\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"An Azure Active Directory administrator should be provisioned for SQL servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9\",\r\n \"description\": \"Provision an Azure AD administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services.\",\r\n \"remediationDescription\": \"To provision an Azure AD administrator for SQL server, see Configure and manage Azure Active Directory authentication with SQL Database, Managed Instance, or SQL Data Warehouse\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/12018f4f-3d10-999b-e4c4-86ec25be08a1\",\r\n \"name\": \"12018f4f-3d10-999b-e4c4-86ec25be08a1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Virtual machines should be migrated to new Azure Resource Manager resources\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d\",\r\n \"description\": \"Virtual Machines (classic) was deprecated and these VMs should be migrated to Azure Resource Manager.
Because Azure Resource Manager now has full IaaS capabilities and other advancements, we deprecated the management of IaaS virtual machines (VMs) through Azure Service Manager (ASM) on February 28, 2020. This functionality will be fully retired on March 1, 2023.
Available resources and information about this tool & migration:
1. Overview of Virtual machines (classic) deprecation, step by step process for migration & available microsoft resources.
2. Details about Migrate to ARM migration tool.
3. Migrate to ARM migration tool using Power shell.\",\r\n \"remediationDescription\": \"To migrate virtual machines to new ARM resources:
1. Go to the Virtual machines (classic) Portal Blade.
2. Click on Migrate to ARM.
3. Click on Validate. If validate failed, use the suggested methods in the error messages or Migration Overview document to fix the errors.
4. Click on Prepare. If prepare failed, use the suggested methods in the error messages or Migration Overview document to fix the errors.
5. (Optional) Click on Abort to rollback migration.
6. Click on Commit. Commit finalizes the migration and cannot be rolled back.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/22e18b64-4576-41e6-8972-0eb28c9af0c8\",\r\n \"name\": \"22e18b64-4576-41e6-8972-0eb28c9af0c8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fb893a29-21bb-418c-a157-e99480ec364c\",\r\n \"description\": \"Upgrade your Kubernetes service cluster to a later Kubernetes version to protect against known vulnerabilities in your current Kubernetes version. Vulnerability CVE-2019-9946 has been patched in Kubernetes versions 1.11.9+, 1.12.7+, 1.13.5+, and 1.14.0+\",\r\n \"remediationDescription\": \"To upgrade a Kubernetes version using the Azure portal:
1. Go to Azure Kubernetes Services and click on the specific Kubernetes Service.
2. Under 'Upgrade' select the target Kubernetes version and save the change. Note:When you upgrade an AKS cluster, Kubernetes minor versions cannot be skipped. For example, upgrades between 1.10.x -> 1.11.x or 1.11.x -> 1.12.x are allowed, however 1.10.x -> 1.12.x is not. To upgrade from 1.10.x -> 1.12.x, first upgrade from 1.10.x -> 1.11.x, then upgrade from 1.11.x -> 1.12.x.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"ElevationOfPrivilege\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1a2b5b4c-f80d-46e7-ac81-b51a9fb363de\",\r\n \"name\": \"1a2b5b4c-f80d-46e7-ac81-b51a9fb363de\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Authorized IP ranges should be defined on Kubernetes Services\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e246bcf-5f6f-4f87-bc6f-775d4712c7ea\",\r\n \"description\": \"Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster.\",\r\n \"remediationDescription\": \"To configure authorized IP ranges, follow the steps described here Secure access to the API server using authorized IP address ranges in Azure Kubernetes Service (AKS). If you are using Basic load balancer, you need to first migrate to Standard to use authorized IP ranges.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DenialOfService\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a3eee263-aa01-4b52-a7c0-0094578ef48f\",\r\n \"name\": \"a3eee263-aa01-4b52-a7c0-0094578ef48f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Pod Security Policies should be defined on Kubernetes Services (Deprecated)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3abeb944-26af-43ee-b83d-32aaf060fb94\",\r\n \"description\": \"(Deprecated) Define Pod Security Policies to reduce the attack vector by removing unnecessary application privileges. It is recommended to configure Pod Security Policies to only allow pods to access the resources which they have permissions to access.\",\r\n \"remediationDescription\": \"To configure Pod Security Policies, follow the steps described here Secure your cluster using pod security policies in Azure Kubernetes Service (AKS).\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ElevationOfPrivilege\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b0fdc63a-38e7-4bab-a7c4-2c2665abbaa9\",\r\n \"name\": \"b0fdc63a-38e7-4bab-a7c4-2c2665abbaa9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Role-Based Access Control should be used on Kubernetes Services\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ac4a19c2-fa67-49b4-8ae5-0b2e78c49457\",\r\n \"description\": \"To provide granular filtering on the actions that users can perform, use Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service Clusters and configure relevant authorization policies. For more information, see Azure role-based access control.\",\r\n \"remediationDescription\": \"To Use Role-Based Access Control (RBAC) you must recreate your Kubernetes Service cluster and enable RBAC during the creation process. Creating a Kubernetes Service with RBAC enabled can be done via the portal as follows:
1. Go to Azure Kubernetes Services.
2. Click 'Add' and enter your cluster's configuration.
3. In the 'Authentication' tab, verify that the 'Enable RBAC' setting is set to 'Yes'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"ElevationOfPrivilege\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c6dad669-efd7-cd72-61c5-289935607791\",\r\n \"name\": \"c6dad669-efd7-cd72-61c5-289935607791\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Data Lake Analytics should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c95c74d9-38fe-4f0d-af86-0c7d626a315c\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Data Lake Analytics diagnostics:
1. Go to Data Lake Analytics and click on your subscription.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c42fc28d-1703-45fc-aaa5-39797f570513\",\r\n \"name\": \"c42fc28d-1703-45fc-aaa5-39797f570513\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerability assessment should be enabled on your SQL managed instances\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b7aa243-30e4-4c9e-bca8-d0d3022b634a\",\r\n \"description\": \"Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities.\",\r\n \"remediationDescription\": \"To enable vulnerability assessment on a managed instance:
1. Select the SQL managed instance.
2. Make sure that 'Advanced data security' is set to 'On'.
3. Under 'Vulnerability assessment settings', set 'Periodic recurring scans' to 'On', and configure a storage account for storing vulnerability assessment scan results.
4. Click Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ff6dbca8-d93c-49fc-92af-dc25da7faccd\",\r\n \"name\": \"ff6dbca8-d93c-49fc-92af-dc25da7faccd\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Defender for SQL should be enabled on your managed instances\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9\",\r\n \"description\": \"Azure Defender for SQL is a unified package that provides advanced SQL security capabilities. It surfaces and mitigates potential database vulnerabilities, and detects anomalous activities that could indicate a threat to your database. Azure Defender for SQL is billed as shown on the pricing page.\",\r\n \"remediationDescription\": \"To enable Azure Defender for SQL on managed SQL servers: 1. Select the managed SQL server. 2. Under 'Security Center', set Azure Defender for SQL to 'On'. 3. Under 'Vulnerability Assessment Settings', configure a storage account for storing vulnerability assessment scan results and set 'Periodic recurring scans' to 'On'. 4. Click Save.
Note: Azure Defender for SQL is billed as shown on the pricing page.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/35b25be2-d08a-e340-45ed-f08a95d804fc\",\r\n \"name\": \"35b25be2-d08a-e340-45ed-f08a95d804fc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Only secure connections to your Redis Cache should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/22bee202-a82f-4305-9a2a-6d7f44d4dedb\",\r\n \"description\": \"Enable only connections via SSL to Redis Cache. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.\",\r\n \"remediationDescription\": \"To enable only SSL connections to your Redis Cache, we recommend the following steps:
1. Go to the Redis Caches, and select your redis cache.
2. Select 'Advanced settings'.
3. For 'Allow access only via SSL', click 'Yes' and then click 'Save'.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/77785808-ce86-4e40-b45f-19110a547397\",\r\n \"name\": \"77785808-ce86-4e40-b45f-19110a547397\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in IoT Hub should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/383856f8-de7f-44a2-81fc-e5135b5c2aa4\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable IoT Hub diagnostics:
1. Go to the Event Hub namespace.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/32771b45-220c-1a8b-584e-fdd5a2584a66\",\r\n \"name\": \"32771b45-220c-1a8b-584e-fdd5a2584a66\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Batch accounts should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/428256e6-1fac-4f48-a757-df34c2b3336d\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Batch diagnostics:
1. Go to Batch and click on your subscription.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f11b27f2-8c49-5bb4-eff5-e1e5384bf95e\",\r\n \"name\": \"f11b27f2-8c49-5bb4-eff5-e1e5384bf95e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Azure Stream Analytics should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f9be5368-9bf5-4b84-9e0a-7850da98bb46\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Stream Analytics diagnostics:
1. Go to Stream Analytics and click on your subscription.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f19ab7d9-5ff2-f8fd-ab3b-0bf95dcb6889\",\r\n \"name\": \"f19ab7d9-5ff2-f8fd-ab3b-0bf95dcb6889\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Service Bus should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f8d36e2f-389b-4ee4-898d-21aeb69a0f45\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Service Bus diagnostics:
1. Go to the Service Bus.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b12bc79e-4f12-44db-acda-571820191ddc\",\r\n \"name\": \"b12bc79e-4f12-44db-acda-571820191ddc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Automation account variables should be encrypted\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735\",\r\n \"description\": \"It is important to enable encryption of Automation account variable assets when storing sensitive data.\",\r\n \"remediationDescription\": \"You should encrypt Automation Account Variables that store sensitive data. This step can only be taken at creation time.
If you have Automation Account Variables storing sensitive data that are not already encrypted, then you will need to delete them and recreate them as encrypted variables.
To apply encryption of the Automation account variable assets, in the Azure CLI - run the following command: Set-AzAutomationVariable -AutomationAccountName '{AutomationAccountName}' -Encrypted $true -Name '{VariableName}' -ResourceGroupName '{ResourceGroupName}' -Value '{Value}'
Read more here\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ad5bbaeb-7632-5edf-f1c2-752075831ce8\",\r\n \"name\": \"ad5bbaeb-7632-5edf-f1c2-752075831ce8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Azure Data Lake Store should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/057ef27e-665e-4328-8ea3-04b3122bd9fb\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Data Lake Store diagnostics:
1. Go to Data Lake Store and click on your subscription.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/dea5192e-1bb3-101b-b70c-4646546f5e1e\",\r\n \"name\": \"dea5192e-1bb3-101b-b70c-4646546f5e1e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Search services should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b4330a05-a843-4bc8-bf9a-cacce50c67f4\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Search diagnostics:
1. Go to Search and click on your subscription.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/03afeb6f-7634-adb3-0a01-803b0b9cb611\",\r\n \"name\": \"03afeb6f-7634-adb3-0a01-803b0b9cb611\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Service Fabric clusters should only use Azure Active Directory for client authentication\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b54ed75b-3e1a-44ac-a333-05ba39b99ff0\",\r\n \"description\": \"Perform Client authentication only via Azure Active Directory in Service Fabric\",\r\n \"remediationDescription\": \"To enable client authentication using Azure Active Directory follow the instructions to Set up Azure Active Directory for client authentication.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7f04fc0c-4a3d-5c7e-ce19-666cb871b510\",\r\n \"name\": \"7f04fc0c-4a3d-5c7e-ce19-666cb871b510\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/617c02be-7f02-4efd-8836-3180d47b6c68\",\r\n \"description\": \"Service Fabric provides three levels of protection (None, Sign and EncryptAndSign) for node-to-node communication using a primary cluster certificate. Set the protection level to ensure that all node-to-node messages are encrypted and digitally signed.\",\r\n \"remediationDescription\": \"To set 'ClusterProtectionLevel' inside Service Fabric ARM template to 'EncryptAndSign':
1. Go to the Service fabric cluster.
2. Click on 'Custom fabric settings'.
3. Click 'Add new', set the 'Security' section and update the 'ClusterProtectionLevel' property to 'EncryptAndSign'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1597605a-0faf-5860-eb74-462ae2e9fc21\",\r\n \"name\": \"1597605a-0faf-5860-eb74-462ae2e9fc21\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Event Hub should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83a214f7-d01a-484b-91a9-ed54470c9a6a\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Event Hub diagnostics:
1. Go to the Event Hub namespace.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/91387f44-7e43-4ecc-55f0-46f5adee3dd5\",\r\n \"name\": \"91387f44-7e43-4ecc-55f0-46f5adee3dd5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Logic Apps should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34f95f76-5386-4de7-b824-0d8478470c9d\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Logic Apps diagnostics:
1. Go to Logic Apps and click on your subscription.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/961eb649-3ea9-f8c2-6595-88e9a3aeedeb\",\r\n \"name\": \"961eb649-3ea9-f8c2-6595-88e9a3aeedeb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Virtual Machine Scale Sets should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7c1b1214-f927-48bf-8882-84f0af6588b1\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Virtual Machines Scale Sets diagnostics follow the instructions\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606\",\r\n \"description\": \"To benefit from new capabilities in Azure Resource Manager, you can migrate existing deployments from the Classic deployment model. Resource Manager enables security enhancements such as: stronger access control (RBAC), better auditing, ARM-based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management. Learn more\",\r\n \"remediationDescription\": \"To migrate storage accounts to new ARM resources :
1. Go to the Storage Account
2. Click on Migrate to ARM and follow the instructions.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/88bbc99c-e5af-ddd7-6105-6150b2bfa519\",\r\n \"name\": \"88bbc99c-e5af-ddd7-6105-6150b2bfa519\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Key Vault should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Key Vault diagnostics:
1. Go to Key Vault and click on your subscription.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/45d313c3-3fca-5040-035f-d61928366d31\",\r\n \"name\": \"45d313c3-3fca-5040-035f-d61928366d31\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Access to storage accounts with firewall and virtual network configurations should be restricted\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c\",\r\n \"description\": \"Review the settings of network access in your storage account firewall settings. It is recommended to configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premise clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges.\",\r\n \"remediationDescription\": \"
1. In your storage account, go to 'Firewalls and virtual networks'.
2. Under 'Allow access from', choose 'Selected networks'.
3. Configure the relevant virtual networks and IP ranges that should be allowed to access your storage account.
4. Configure \\\"Allow trusted Microsoft services to access your storage account\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": \"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Secure transfer to storage accounts should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9\",\r\n \"description\": \"Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.\",\r\n \"remediationDescription\": \"To enable secure transfer required:
1. In your storage account, go to the 'Configuration' page.
2. Enable 'Secure transfer required'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bd20bd91-aaf1-7f14-b6e4-866de2f43146\",\r\n \"name\": \"bd20bd91-aaf1-7f14-b6e4-866de2f43146\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"System updates on virtual machine scale sets should be installed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe\",\r\n \"description\": \"Install missing system security and critical updates to secure your Windows and Linux virtual machine scale sets.\",\r\n \"remediationDescription\": \"To install system updates:
1. Review the list of missing system updates.
2. Follow the steps to resolve the update, as described in the support link.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/45cfe080-ceb1-a91e-9743-71551ed24e94\",\r\n \"name\": \"45cfe080-ceb1-a91e-9743-71551ed24e94\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Log Analytics agent should be installed on your virtual machine scale sets\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a3a6ea0c-e018-4933-9ef0-5aaa1501449b\",\r\n \"description\": \"Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats. Data is collected using the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA), which reads various security-related configurations and event logs from the machine and copies the data to your workspace for analysis. You’ll also need to follow that procedure if your VMs are used by an Azure managed service such as Azure Kubernetes Service or Azure Service Fabric. You cannot configure auto-provisioning of the agent for Azure virtual machine scale sets. To deploy the agent on virtual machine scale sets (including those used by Azure managed services such as Azure Kubernetes Service and Azure Service Fabric), follow the procedure in the remediation steps.\",\r\n \"remediationDescription\": \"For information on how to add the Log analytics agent as an extension to your virtual machine scale set please see the following instructions. For information on how to deploy the log analytics agent at scale on virtual machine scale set using Azure Policy please see the following instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8941d121-f740-35f6-952c-6561d2b38d36\",\r\n \"name\": \"8941d121-f740-35f6-952c-6561d2b38d36\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities in security configuration on your virtual machine scale sets should be remediated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4\",\r\n \"description\": \"Remediate vulnerabilities in security configuration on your virtual machine scale sets to protect them from attacks.\",\r\n \"remediationDescription\": \"To remediate vulnerabilities in VM scale set security configurations:
1. Review the list of failed rules.
2. Fix each rule according to the instructions provided.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/21300918-b2e3-0346-785f-c77ff57d243b\",\r\n \"name\": \"21300918-b2e3-0346-785f-c77ff57d243b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Endpoint protection solution should be installed on virtual machine scale sets\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de\",\r\n \"description\": \"Install an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities.\",\r\n \"remediationDescription\": \"To install an endpoint protection solution:
1. Follow the instructions in How do I turn on antimalware in my virtual machine scale set\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e71020c2-860c-3235-cd39-04f3f8c936d2\",\r\n \"name\": \"e71020c2-860c-3235-cd39-04f3f8c936d2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Endpoint protection health failures should be remediated on virtual machine scale sets\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de\",\r\n \"description\": \"Remediate endpoint protection health failures on your virtual machine scale sets to protect them from threats and vulnerabilities.\",\r\n \"remediationDescription\": \"Resolve endpoint protection health issues on your VM scale sets to get full protection and coverage by Azure Security Center. To do this, follow the instructions in each of the possible endpoint protection health issues displayed on your virtual machine scale set.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6c99f570-2ce7-46bc-8175-cde013df43bc\",\r\n \"name\": \"6c99f570-2ce7-46bc-8175-cde013df43bc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Guest configuration extension should be installed on Windows virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/5fc23db3-dd4d-4c56-bcc7-43626243e601\",\r\n \"description\": \"Install the guest configuration agent to enable auditing settings inside a machine such as: - The configuration of the operating system
- Application configuration or presence
- Environment settings
Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'.
For more details, visit in-guest policies\",\r\n \"remediationDescription\": \"Quick fix remediation:
To remediate with a single click, in the Unhealthy resources tab (below), select the resources, and click 'Remediate'.
Read the remediation details in the confirmation box, and approve the remediation.
Note: It can take several minutes after remediation completes to see the resources in the 'healthy resources' tab.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/22489c48-27d1-4e40-9420-4303ad9cffef\",\r\n \"name\": \"22489c48-27d1-4e40-9420-4303ad9cffef\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Windows Defender Exploit Guard should be enabled on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/bed48b13-6647-468e-aa2f-1af1d3f4dd40\",\r\n \"description\": \"Windows Defender Exploit Guard leverages the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only).\",\r\n \"remediationDescription\": \"Enable controlled folder access: controlled folder access
The following attack surface rules should be enabled:
'be9ba2d9-53ea-4cdc-84e5-9b1eeee46550',
'b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4',
'9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2',
'd4f940ab-401b-4efc-aadc-ad5f3c50688a',
'd3e037e1-3eb8-44c8-a917-57927947596d',
'5beb7efe-fd9a-4556-801d-275e5ffc04cc',
'3b576869-a4ec-4529-8536-b80a7769e899',
'26190899-1602-49e8-8b27-eb1d0a1ce869',
'92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B',
'7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c',
'75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84'
For more information on visit:Learn more\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ThreatResistance\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/27ac71b1-75c5-41c2-adc2-858f5db45b08\",\r\n \"name\": \"27ac71b1-75c5-41c2-adc2-858f5db45b08\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Log Analytics agent should be installed on your Windows-based Azure Arc machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/d69b1763-b96d-40b8-a2d9-ca31e9fd0d3e\",\r\n \"description\": \"Security Center uses the Log Analytics agent (also known as MMA) to collect security events from your Azure Arc machines. To deploy the agent on all your Azure Arc machines, follow the remediation steps.\",\r\n \"remediationDescription\": \"To install the monitoring agent on your Arc machine:
1. From the Azure Arc machine's page, go to Extensions and select Add.
2. Follow the instructions to add the relevant extension.
You can also use ARM template or Azure Policies to manage the extension deployment to Arc servers. Learn more about Log Analytics agent for Windows.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/720a3e77-0b9a-4fa9-98b6-ddf0fd7e32c1\",\r\n \"name\": \"720a3e77-0b9a-4fa9-98b6-ddf0fd7e32c1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Log Analytics agent should be installed on your Linux-based Azure Arc machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/842c54e8-c2f9-4d79-ae8d-38d8b8019373\",\r\n \"description\": \"Security Center uses the Log Analytics agent (also known as OMS) to collect security events from your Azure Arc machines. To deploy the agent on all your Azure Arc machines, follow the remediation steps.\",\r\n \"remediationDescription\": \"To install the monitoring agent on your Arc machine:
1. From the Azure Arc machine's page, go to Extensions and select Add.
2. Follow the instructions to add the relevant extension.
You can also use ARM template or Azure Policies to manage the extension deployment to Arc servers. Learn more about Log Analytics agent for Linux.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fc84abc0-eee6-4758-8372-a7681965ca44\",\r\n \"name\": \"fc84abc0-eee6-4758-8372-a7681965ca44\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Validity period of certificates stored in Azure Key Vault should not exceed 12 months\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a075868-4c26-42ef-914c-5bc007359560\",\r\n \"description\": \"Ensure your certificates do not have a validity period that exceeds 12 months.\",\r\n \"remediationDescription\": \"To remediate you must create a new version of the certificate. Ensure that your application or service will be able to get a new version of the certificate before proceeding. Select a key vault from the list below. The list of certificates with a validity period that exceeds 12 months will appear. From the Azure Portal, open Azure Key Vault and select the vault with the certificate that needs to be replaced. Select the relevant certificate and the certificate details page opens. 1. On the certificate details page, select \\\"+ New Version\\\". The \\\"Create a Certificate\\\" pane opens. 2. Change the \\\"Validity period (in months)\\\" field to 12 or less. 3. Select \\\"Create\\\". 4. Ensure that you have set up auto-renewal, or have a process to renew your certificate prior to expiration.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"name\": \"51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Storage account public access should be disallowed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751\",\r\n \"description\": \"Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data, but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.\",\r\n \"remediationDescription\": \"To prevent public access to containers and blobs in your storage account:
1. In the Azure portal, navigate to your storage account.
2. From the settings menu, select \\\"Configuration\\\".
3. Set \\\"Allow Blob public access\\\" to \\\"Disabled\\\".
Learn more about public access
Note: It might take several minutes after remediation completes until the resource appears in the 'healthy resources' tab.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f2f595ec-5dc6-68b4-82ef-b63563e9c610\",\r\n \"name\": \"f2f595ec-5dc6-68b4-82ef-b63563e9c610\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Backup should be enabled for virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/013e242c-8828-4970-87b3-ab247555486d\",\r\n \"description\": \"Protect the data on your Azure virtual machines with Azure Backup.
Azure Backup is an Azure-native, cost-effective, data protection solution.
It creates recovery points that are stored in geo-redundant recovery vaults.
When you restore from a recovery point, you can restore the whole VM or specific files.\",\r\n \"remediationDescription\": \"1. To enable Azure Backup for an individual virtual machine, navigate to the virtual machine on the Azure portal and select 'Backup' from the menu.
In the screen that appears, you can then choose to backup the machine to a new or existing Recovery Services vault in the same location and subscription.
Learn more at https://aka.ms/AzureVMBackupDoc 2. To enable Azure Backup for virtual machines at scale, you can assign the policy 'Configure backup on VMs of a location to an existing central Vault in the same location' to a given scope.
This policy can be assigned to one subscription-location pair at a time.
Learn more at http://aka.ms/AzureBackupVMGovernance\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/23aa9cbe-c2fb-6a2f-6c97-885a6d48c4d1\",\r\n \"name\": \"23aa9cbe-c2fb-6a2f-6c97-885a6d48c4d1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Managed identity should be used in your function app\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0da106f2-4ca3-48e8-bc85-c638fe6aea8f\",\r\n \"description\": \"For enhanced authentication security, use a managed identity.
On Azure, managed identities eliminate the need for developers to have to manage credentials by providing an identity for the Azure resource in Azure AD and using it to obtain Azure Active Directory (Azure AD) tokens.\",\r\n \"remediationDescription\": \"To create a managed identity for your function app:
1. Go to the App Service for your API app 2. Navigate to Platform features 3. Select Identity 4. Use System assigned or User assigned identity following the steps described in this doc: https://aka.ms/managed-identity\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2ce368b5-7882-89fd-6645-885b071a2409\",\r\n \"name\": \"2ce368b5-7882-89fd-6645-885b071a2409\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Geo-redundant backup should be enabled for Azure Database for MariaDB\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0ec47710-77ff-4a3d-9181-6aa50af424d0\",\r\n \"description\": \"Azure Database for MariaDB allows you to choose the redundancy option for your database server.
It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery options in case of a region failure.
Configuring geo-redundant storage for backup is only allowed when creating a server.\",\r\n \"remediationDescription\": \"To configure your Azure Database for MariaDB server with geo-redundant backup during server creation, select the “Geo-Redundant” option for the server in the Compute + Storage configuration.
For more information, see: https://go.microsoft.com/fwlink/?linkid=2086853\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4a3d7cd3-f17c-637a-1ffc-614a01dd03cf\",\r\n \"name\": \"4a3d7cd3-f17c-637a-1ffc-614a01dd03cf\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Managed identity should be used in your web app\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2b9ad585-36bc-4615-b300-fd4435808332\",\r\n \"description\": \"For enhanced authentication security, use a managed identity.
On Azure, managed identities eliminate the need for developers to have to manage credentials by providing an identity for the Azure resource in Azure AD and using it to obtain Azure Active Directory (Azure AD) tokens.\",\r\n \"remediationDescription\": \"To create a managed identity for your web app:
1. Go to the App Service for your API app 2. Scroll to the Settings group in the left navigation 3. Select Identity 4. Use System assigned or User assigned identity following the steps described in this doc: https://aka.ms/managed-identity\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/95592ab0-ddc8-660d-67f3-6df1fadfe7ec\",\r\n \"name\": \"95592ab0-ddc8-660d-67f3-6df1fadfe7ec\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Geo-redundant backup should be enabled for Azure Database for PostgreSQL\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/48af4db5-9b8b-401c-8e74-076be876a430\",\r\n \"description\": \"Azure Database for PostgreSQL allows you to choose the redundancy option for your database server.
It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery options in case of a region failure.
Configuring geo-redundant storage for backup is only allowed when creating a server.\",\r\n \"remediationDescription\": \"To configure your Azure Database for PostgreSQL server with geo-redundant backup during server creation, select the “Geo-Redundant” option for the server in the Compute + Storage configuration.
For more information, see: https://go.microsoft.com/fwlink/?linkid=867615\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ca4e6a5a-3a9a-bad3-798a-d420a1d9bd6d\",\r\n \"name\": \"ca4e6a5a-3a9a-bad3-798a-d420a1d9bd6d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Web apps should request an SSL certificate for all incoming requests\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5bb220d9-2698-4ee4-8404-b9c30c9df609\",\r\n \"description\": \"Client certificates allow for the app to request a certificate for incoming requests.
Only clients that have a valid certificate will be able to reach the app.\",\r\n \"remediationDescription\": \"To set Client Certificates for your Web App:
1. Navigate to Azure App Service 2. Select Configuration 3. Go to the General Settings tab 4. Set Incoming Client Certificates to Require.
For more information, visit here: https://aka.ms/auth-tls\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8ad68a2f-c6b1-97b5-41b5-174359a33688\",\r\n \"name\": \"8ad68a2f-c6b1-97b5-41b5-174359a33688\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Geo-redundant backup should be enabled for Azure Database for MySQL\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/82339799-d096-41ae-8538-b108becf0970\",\r\n \"description\": \"Azure Database for MySQL allows you to choose the redundancy option for your database server.
It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery options in case of a region failure.
Configuring geo-redundant storage for backup is only allowed when creating a server.\",\r\n \"remediationDescription\": \"To configure your Azure Database for MySQL server with geo-redundant backup during server creation, select the “Geo-Redundant” option for the server in the Compute + Storage configuration.
For more information, see: https://go.microsoft.com/fwlink/?linkid=867608\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5a659d57-117d-bb18-65f6-54e51da1bb9b\",\r\n \"name\": \"5a659d57-117d-bb18-65f6-54e51da1bb9b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"TLS should be updated to the latest version for your API app\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e\",\r\n \"description\": \"Upgrade to the latest TLS version\",\r\n \"remediationDescription\": \"To update your API app to the latest TLS version:
1. Navigate to Azure App Service 2. Select TLS/SSL settings 3. Under the Protocol Settings section, choose the latest Minimum TLS Version.
For more information on managing TLS/SSL settings, visit here: https://aka.ms/add-tls\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/40394a2c-60fb-7cc5-1944-065772e94f05\",\r\n \"name\": \"40394a2c-60fb-7cc5-1944-065772e94f05\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs should be enabled in App Service\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b607c5de-e7d9-4eee-9e5c-83f1bcee4fa0\",\r\n \"description\": \"Audit enabling of diagnostic logs on the app.
This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised\",\r\n \"remediationDescription\": \"To enable App Service diagnostics:
1. Navigate to Azure App Service and select App Service logs 2. In Application logging, select File System 3. Specify the retention period for the logs 4. If using Azure monitor select Diagnostic settings and click Add diagnostic setting 5. Select one or more catagories of logs to collect 6. Select one of the options to store the diagnostics logs and follow the instructions.
For more information, visit https://aka.ms/enable-logs\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/cc6d1865-7617-3cb2-cf7d-4cfc01ece1df\",\r\n \"name\": \"cc6d1865-7617-3cb2-cf7d-4cfc01ece1df\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Managed identity should be used in your API app\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c4d441f8-f9d9-4a9e-9cef-e82117cb3eef\",\r\n \"description\": \"For enhanced authentication security, use a managed identity.
On Azure, managed identities eliminate the need for developers to have to manage credentials by providing an identity for the Azure resource in Azure AD and using it to obtain Azure Active Directory (Azure AD) tokens.\",\r\n \"remediationDescription\": \"To create a managed identity for your API app:
1. Go to the App Service for your API app 2. Scroll to the Settings group in the left navigation 3. Select Identity 4. Use System assigned or User assigned identity following the steps described in this doc: https://aka.ms/managed-identity\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1fde2073-a488-17e9-9534-5a3b23379b4b\",\r\n \"name\": \"1fde2073-a488-17e9-9534-5a3b23379b4b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Enforce SSL connection should be enabled for PostgreSQL database servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d158790f-bfb0-486c-8631-2dc6b4e8e6af\",\r\n \"description\": \"Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL).
Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application.
This configuration enforces that SSL is always enabled for accessing your database server.\",\r\n \"remediationDescription\": \"To enforce the use of SSL-based encrypted connections for all traffic to your Azure Database for PostgreSQL:
1. Select your Azure Database for PostgreSQL. 2. In Connection Security, set Enforce SSL connection to 'Enabled'.
For more information, see: https://go.microsoft.com/fwlink/?linkid=848213\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1f6d29f6-4edb-ea39-042b-de8f123ddd39\",\r\n \"name\": \"1f6d29f6-4edb-ea39-042b-de8f123ddd39\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Enforce SSL connection should be enabled for MySQL database servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e802a67a-daf5-4436-9ea6-f6d821dd0c5d\",\r\n \"description\": \"Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL).
Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application.
This configuration enforces that SSL is always enabled for accessing your database server.\",\r\n \"remediationDescription\": \"To enforce the use of SSL-based encrypted connections for all traffic to your Azure Database for MySQL:
1. Select your Azure Database for MySQL. 2. In Connection Security, set Enforce SSL connection to 'Enabled'.
For more information, see: https://go.microsoft.com/fwlink/?linkid=848211\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2a54c352-7ca4-4bae-ad46-47ecd9595bd2\",\r\n \"name\": \"2a54c352-7ca4-4bae-ad46-47ecd9595bd2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"TLS should be updated to the latest version for your web app\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b\",\r\n \"description\": \"Upgrade to the latest TLS version\",\r\n \"remediationDescription\": \"To update your web app to the latest TLS version:
1. Navigate to Azure App Service 2. Select TLS/SSL settings 3. Under the Protocol Settings section, choose the latest Minimum TLS Version.
For more information on managing TLS/SSL settings, visit here: https://aka.ms/add-tls\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/15be5f3c-e0a4-c0fa-fbff-8e50339b4b22\",\r\n \"name\": \"15be5f3c-e0a4-c0fa-fbff-8e50339b4b22\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"TLS should be updated to the latest version for your function app\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193\",\r\n \"description\": \"Upgrade to the latest TLS version\",\r\n \"remediationDescription\": \"To update your function app to the latest TLS version:
1. Navigate to Azure App Service 2. Select TLS/SSL settings 3. Under the Protocol Settings section, choose the latest Minimum TLS Version.
For more information on managing TLS/SSL settings, visit here: https://aka.ms/add-tls\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6b86d069-b3c3-b4d7-47c7-e73ddf786a63\",\r\n \"name\": \"6b86d069-b3c3-b4d7-47c7-e73ddf786a63\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"PHP should be updated to the latest version for your API app\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1bc1795e-d44a-4d48-9b3b-6fff0fd5f9ba\",\r\n \"description\": \"Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality.
Using the latest PHP version for API apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version.\",\r\n \"remediationDescription\": \"To set the PHP version for your API app, follow the instructions to show and set the version using the Azure CLI outlined in this document: https://aka.ms/configure-php\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7b2a234d-614b-562f-ac85-91b419688b59\",\r\n \"name\": \"7b2a234d-614b-562f-ac85-91b419688b59\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"PHP should be updated to the latest version for your web app\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7261b898-8a84-4db8-9e04-18527132abb3\",\r\n \"description\": \"Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality.
Using the latest PHP version for web apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version.\",\r\n \"remediationDescription\": \"To set the PHP version for your web app, follow the instructions to show and set the version using the Azure CLI outlined in this document: https://aka.ms/configure-php\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/39c63596-aa92-1b90-ee7c-628bee592cc0\",\r\n \"name\": \"39c63596-aa92-1b90-ee7c-628bee592cc0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Java should be updated to the latest version for your web app\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/496223c3-ad65-4ecd-878a-bae78737e9ed\",\r\n \"description\": \"Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality.
Using the latest Java version for web apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version.\",\r\n \"remediationDescription\": \"To set the latest Java version for your web app:
1. Navigate to Azure App Service 2. Go to Configuration 3. Select the latest Java version in the JVM drop down.
For more information, visit here: https://aka.ms/configure-java\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f0fd27eb-25aa-4335-0ba2-0720cccda9a4\",\r\n \"name\": \"f0fd27eb-25aa-4335-0ba2-0720cccda9a4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Java should be updated to the latest version for your function app\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc\",\r\n \"description\": \"Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality.
Using the latest Java version for function apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version.\",\r\n \"remediationDescription\": \"To set the latest Java version for your function app:
1. Navigate to Azure App Service 2. Go to Configuration 3. Select the latest Java version in the JVM drop down.
For more information, visit here: https://aka.ms/configure-java\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/08a3b009-0178-ee60-e357-e7ee5aea59c7\",\r\n \"name\": \"08a3b009-0178-ee60-e357-e7ee5aea59c7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Java should be updated to the latest version for your API app\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/88999f4c-376a-45c8-bcb3-4058f713cf39\",\r\n \"description\": \"Periodically, newer versions are released for Java either due to security flaws or to include additional functionality.
Using the latest Python version for API apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version.\",\r\n \"remediationDescription\": \"To set the latest Java version for your API app:
1. Navigate to Azure App Service 2. Go to Configuration 3. Select the latest Java version in the JVM drop down.
For more information, visit here: https://aka.ms/configure-java\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e8407fab-bf38-b0a4-79c1-068bbf82eca1\",\r\n \"name\": \"e8407fab-bf38-b0a4-79c1-068bbf82eca1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Python should be updated to the latest version for your web app\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7008174a-fd10-4ef0-817e-fc820a951d73\",\r\n \"description\": \"Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality.
Using the latest Python version for web apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version.\",\r\n \"remediationDescription\": \"To set the Python version for your web app, follow the instructions to show and set the version using the Azure CLI outlined in this document: https://aka.ms/configure-python\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/96327a68-4aec-5e76-8f0e-d4670bc5a3a7\",\r\n \"name\": \"96327a68-4aec-5e76-8f0e-d4670bc5a3a7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Python should be updated to the latest version for your function app\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7238174a-fd10-4ef0-817e-fc820a951d73\",\r\n \"description\": \"Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality.
Using the latest Python version for function apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version.\",\r\n \"remediationDescription\": \"To set the Python version for your function app, follow the instructions to show and set the version using the Azure CLI outlined in this document: https://aka.ms/configure-python\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c2c90d64-38e2-e984-1457-7f4a98168c72\",\r\n \"name\": \"c2c90d64-38e2-e984-1457-7f4a98168c72\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Python should be updated to the latest version for your API app\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/74c3584d-afae-46f7-a20a-6f8adba71a16\",\r\n \"description\": \"Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality.
Using the latest Python version for API apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version.\",\r\n \"remediationDescription\": \"To set the Python version for your API app, follow the instructions to show and set the version using the Azure CLI outlined in this document: https://aka.ms/configure-python\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c5b83aed-f53d-5201-8ffb-1f9938de410a\",\r\n \"name\": \"c5b83aed-f53d-5201-8ffb-1f9938de410a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Private endpoint should be enabled for PostgreSQL servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0564d078-92f5-4f97-8398-b9f58a51f70b\",\r\n \"description\": \"Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for PostgreSQL.
Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure.\",\r\n \"remediationDescription\": \"To configure Private Link for Azure Database for PostgreSQL:
1. Navigate to your Azure Database for PostgreSQL. 2. Select Private Endpoint Connections in the left-hand pane 3. Click on \\\"+Private Endpoint\\\" and follow the instructions provided https://docs.microsoft.com/azure/postgresql/howto-configure-privatelink-portal.
For more information, see: https://aka.ms/pgprivatelink\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ca9b93fe-6f1f-676c-2f31-d20f88fdbe56\",\r\n \"name\": \"ca9b93fe-6f1f-676c-2f31-d20f88fdbe56\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Private endpoint should be enabled for MariaDB servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a1302fb-a631-4106-9753-f3d494733990\",\r\n \"description\": \"Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MariaDB.
Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure.\",\r\n \"remediationDescription\": \"To configure Private Link for Azure Database for MariaDB:
1. Navigate to your Azure Database for MariaDB. 2. Select Private Endpoint Connections in the left-hand pane 3. Click on \\\"+Private Endpoint\\\" and follow the instructions provided https://docs.microsoft.com/azure/mariadb/howto-configure-privatelink-portal.
For more information, see: https://aka.ms/mariadbprivatelink\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/cec4922b-1eb3-cb74-660b-ffad9b9ac642\",\r\n \"name\": \"cec4922b-1eb3-cb74-660b-ffad9b9ac642\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Private endpoint should be enabled for MySQL servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7595c971-233d-4bcf-bd18-596129188c49\",\r\n \"description\": \"Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MySQL.
Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure.\",\r\n \"remediationDescription\": \"To configure Private Link for Azure Database for MySQL:
1. Navigate to your Azure Database for MySQL. 2. Select Private Endpoint Connections in the left-hand pane 3. Click on \\\"+Private Endpoint\\\" and follow the instructions provided https://docs.microsoft.com/azure/mysql/howto-configure-privatelink-portal.
For more information, see: https://aka.ms/mysqlprivatelink\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/620671b8-6661-273a-38ac-4574967750ec\",\r\n \"name\": \"620671b8-6661-273a-38ac-4574967750ec\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Audit retention for SQL servers should be set to at least 90 days\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/89099bee-89e0-4b26-a5f4-165451757743\",\r\n \"description\": \"Audit SQL servers configured with an auditing retention period of less than 90 days.\",\r\n \"remediationDescription\": \"To configure auditing retention on your Azure SQL server or Azure Synapse server:
1.From the Azure portal, select the Azure SQL Server or Azure Synapse resource. 2.From the menu, select Auditing. 3.Select Storage details. 4.To set a new retention period of 90 days or higher, manually enter a value or move the slider for Retention (Days). 5.Select OK.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/972a6579-f38f-c0b9-1b4b-a5bbeba3ab5b\",\r\n \"name\": \"972a6579-f38f-c0b9-1b4b-a5bbeba3ab5b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"FTPS should be required in your function App\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/399b2637-a50f-4f95-96f8-3a145476eb15\",\r\n \"description\": \"Enable FTPS enforcement for enhanced security\",\r\n \"remediationDescription\": \"To ensure enforcement of FTPS only for your function app:
1. Go to the App Service for your API app 2. Select Configuration, and go to the General Settings tab 3. In FTP state, select FTPS only.
For more information, visit here: https://aka.ms/deploy-ftp\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/19beaa2a-a126-b4dd-6d35-617f6cc83fca\",\r\n \"name\": \"19beaa2a-a126-b4dd-6d35-617f6cc83fca\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"FTPS should be required in your web App\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4d24b6d4-5e53-4a4f-a7f4-618fa573ee4b\",\r\n \"description\": \"Enable FTPS enforcement for enhanced security\",\r\n \"remediationDescription\": \"To ensure enforcement of FTPS only for your web app:
1. Go to the App Service for your API app 2. Select Configuration, and go to the General Settings tab 3. In FTP state, select FTPS only.
For more information, visit here: https://aka.ms/deploy-ftp\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/67fc622b-4ce6-8c52-08ae-9f830036b757\",\r\n \"name\": \"67fc622b-4ce6-8c52-08ae-9f830036b757\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"FTPS should be required in your API App\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9a1b8c48-453a-4044-86c3-d8bfd823e4f5\",\r\n \"description\": \"Enable FTPS enforcement for enhanced security\",\r\n \"remediationDescription\": \"To ensure enforcement of FTPS only for your API app:
1. Go to the App Service for your API app 2. Select Configuration, and go to the General Settings tab 3. In FTP state, select FTPS only.
For more information, visit here: https://aka.ms/deploy-ftp\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9d07b7e6-2986-4964-a76c-b2689604e212\",\r\n \"name\": \"9d07b7e6-2986-4964-a76c-b2689604e212\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Identical Authentication Credentials\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Identical authentication credentials to the IoT Hub used by multiple devices. This could indicate an illegitimate device impersonating a legitimate device. It also exposes the risk of device impersonation by an attacker\",\r\n \"remediationDescription\": \"Review the devices in question and make sure they are all valid. Replace any duplicated credentials and make sure all device authentication credentials are unique.\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5a3d6cdd-8eb3-46d2-ba11-d24a0d47fe65\",\r\n \"name\": \"5a3d6cdd-8eb3-46d2-ba11-d24a0d47fe65\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Default IP Filter Policy should be Deny\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"IP Filter Configuration should have rules defined for allowed traffic and should deny all other traffic by default\",\r\n \"remediationDescription\": \"Add a default rule at the end of the defined rules list to deny all inbound traffic. Make sure any rules defined above it only allow wanted traffic through.\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d8326952-60bb-40fb-b33f-51e662708a88\",\r\n \"name\": \"d8326952-60bb-40fb-b33f-51e662708a88\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IP Filter rule large IP range\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"An Allow IP Filter rule's source IP range is too large. Overly permissive rules might expose your IoT hub to malicious intenders\",\r\n \"remediationDescription\": \"Review the rule in question and verify source IP range is as small as it needs to be for necessary traffic to go through.\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1a36f14a-8bd8-45f5-abe5-eef88d76ab5b\",\r\n \"name\": \"1a36f14a-8bd8-45f5-abe5-eef88d76ab5b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Open Ports On Device\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"A listening endpoint was found on the device\",\r\n \"remediationDescription\": \"Review the open ports on the device and make sure they belong to legitimate and necessary processes for the device to function correctly\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ba975338-f956-41e7-a9f2-7614832d382d\",\r\n \"name\": \"ba975338-f956-41e7-a9f2-7614832d382d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Permissive firewall rule in the input chain was found\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"A rule in the firewall has been found that contains a permissive pattern for a wide range of IP addresses or Ports\",\r\n \"remediationDescription\": \"Review the rules in the recommendation and verify only necessary addresses / ports are allowed in\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/beb62be3-5e78-49bd-ac5f-099250ef3c7c\",\r\n \"name\": \"beb62be3-5e78-49bd-ac5f-099250ef3c7c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Permissive firewall policy in one of the chains was found\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"An allowed firewall policy was found in main firewall Chains (INPUT/OUTPUT). The policy should Deny all traffic by default define rules to allow necessary communication to/from the device\",\r\n \"remediationDescription\": \"Change firewall policy to Drop and add specific rules to permit access to legitimate connections to/from the device\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d5a8d84a-9ad0-42e2-80e0-d38e3d46028a\",\r\n \"name\": \"d5a8d84a-9ad0-42e2-80e0-d38e3d46028a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Permissive firewall rule in the output chain was found\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"A rule in the firewall has been found that contains a permissive pattern for a wide range of IP addresses or ports\",\r\n \"remediationDescription\": \"Review the rules in the recommendation and verify only necessary addresses / ports are allowed out\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5f65e47f-7a00-4bf3-acae-90ee441ee876\",\r\n \"name\": \"5f65e47f-7a00-4bf3-acae-90ee441ee876\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Operating system baseline validation failure\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Security related system configuration issues identified\",\r\n \"remediationDescription\": \"Review the failed rules and remediate the security configuration vulnerabilities identified on your devices\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a9a59ebb-5d6f-42f5-92a1-036fd0fd1879\",\r\n \"name\": \"a9a59ebb-5d6f-42f5-92a1-036fd0fd1879\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Agent sending underutilized messages\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"IoT agent message size capacity is currently underutilized, causing an increase in the number of sent messages. Adjust message intervals for better utilization\",\r\n \"remediationDescription\": \"To avoid too many underutilized messages, consider enlarging the high/low priority send intervals\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2acc27c6-5fdb-405e-9080-cb66b850c8f5\",\r\n \"name\": \"2acc27c6-5fdb-405e-9080-cb66b850c8f5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - TLS cipher suite upgrade needed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Unsecure TLS configurations detected. Immediate TLS cipher suite upgrade recommended\",\r\n \"remediationDescription\": \"Upgrade your TLS cipher suite to a secure configuration. See the Guide to TLS Standards Compliance for more information\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d74d2738-2485-4103-9919-69c7e63776ec\",\r\n \"name\": \"d74d2738-2485-4103-9919-69c7e63776ec\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Auditd process stopped sending events\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Security events originated from Auditd process are no longer received from this device\",\r\n \"remediationDescription\": \"Verify Auditd process is running on the device, restart process or device as needed\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2acd365d-e8b5-4094-bce4-244b7c51d67c\",\r\n \"name\": \"2acd365d-e8b5-4094-bce4-244b7c51d67c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Service principals should be used to protect your subscriptions instead of Management Certificates\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6646a0bd-e110-40ca-bb97-84fcee63c414\",\r\n \"description\": \"Management certificates allow anyone who authenticates with them to manage the subscription(s) they are associated with. To manage subscriptions more securely, using service principals with Resource Manager is recommended to limit the blast radius in the case of a certificate compromise. It also automates resource management. \",\r\n \"remediationDescription\": \"To remove management certificates and replace with service principals:
1. Follow the guidance here to create service principals with a certificate.
2. Select a subscription from the list of subscriptions below or navigate to the specific subscription.
3. You need to have co-admin access in order to complete this step. Select In the Management Certificates under Settings , delete the existing management certificates you would like to replace with the service principals you created.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/506a4392-1923-487e-b8d7-8a6aee123ad4\",\r\n \"name\": \"506a4392-1923-487e-b8d7-8a6aee123ad4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Application Load Balancer should be configured to redirect all HTTP requests to HTTPS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if redirection from HTTP to HTTPS is configured on all HTTP listeners of Application Load Balancers.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4fe7c40f-0e00-4561-a3db-9fb9a1445f8c\",\r\n \"name\": \"4fe7c40f-0e00-4561-a3db-9fb9a1445f8c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 buckets should require requests to use Secure Socket Layer\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"S3 buckets should have policies enabled that require all requests to accept only transmission of data over HTTPS in the S3 resource policy.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b26b4bb8-864b-44b7-9dbe-6ebc42784893\",\r\n \"name\": \"b26b4bb8-864b-44b7-9dbe-6ebc42784893\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 buckets should have server-side encryption enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if your Amazon S3 buckets have Amazon S3 default encryption configured or if the S3 bucket policy explicitly denies put-object requests without an encryption on server side\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c1769ad9-3c3a-4455-8d86-4d02dc2580f7\",\r\n \"name\": \"c1769ad9-3c3a-4455-8d86-4d02dc2580f7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"AWS Config should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if AWS Config is enabled for the current account and region. The AWS Config service manages configuration of supported AWS resources in your account and sends log files to you. Security Hub recommends AWS Config should be enabled in all regions.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bae62237-b51c-4b17-8a35-da91de00f768\",\r\n \"name\": \"bae62237-b51c-4b17-8a35-da91de00f768\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Hardware MFA should be enabled for the root user\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks whether your AWS account is enabled to use multi-factor authentication (MFA) hardware device to sign in with root credentials. MFA adds a layer of protection on top of a user name and password for accessing cardholder data environment. \",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9e06bec8-97f4-4b02-90d4-fa98ebab2079\",\r\n \"name\": \"9e06bec8-97f4-4b02-90d4-fa98ebab2079\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"MFA should be enabled for all IAM users\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if the AWS Identity and Access Management users have multi-factor authentication (MFA) enabled\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b78b295a-8bdb-431f-ab49-c599a219d1c1\",\r\n \"name\": \"b78b295a-8bdb-431f-ab49-c599a219d1c1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Virtual MFA should be enabled for the root user\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if users of your AWS account require a multi-factor authentication (MFA) device to sign in with root credentials.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5ca086b6-9bd4-4c07-b787-464f296ebb20\",\r\n \"name\": \"5ca086b6-9bd4-4c07-b787-464f296ebb20\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 buckets should prohibit public write access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks whether your S3 buckets enable public write access by checking the bucket policy, the Block Public Access settings, and the bucket access control list (ACL). Make sure that access to the bucket is restricted to authorized principals only.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7a15b790-008b-4501-85fe-2515a5bc2bd0\",\r\n \"name\": \"7a15b790-008b-4501-85fe-2515a5bc2bd0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 buckets should prohibit public read access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks whether your S3 buckets enable public read access by checking the bucket policy, the Block Public Access settings, and the bucket access control list (ACL).Make sure that access to the bucket is restricted to authorized principals only.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7526daaf-6485-41a7-93b3-257ef2903035\",\r\n \"name\": \"7526daaf-6485-41a7-93b3-257ef2903035\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM user credentials should be disabled if not used within a pre-defined number days\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if your AWS Identity and Access Management (IAM) users have inactive credentials that have not been used within a specified number of days, default is 90 days.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d7887c9e-34c3-4c5a-a214-8022007e41f9\",\r\n \"name\": \"d7887c9e-34c3-4c5a-a214-8022007e41f9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Password policies for IAM users should have strong configurations\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if the account password policy for IAM users uses the following configurations: Require at least one uppercase character in password (Default = true), Require at least one lowercase character in password (Default = true), Require at least one number in password (Default = true), Password minimum length (Default = 7 or longer), Number of passwords before allowing reuse (Default = 4), Number of days before password expiration (Default = 90).\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d8ae9e00-250a-4a8d-a295-5e40f2e13824\",\r\n \"name\": \"d8ae9e00-250a-4a8d-a295-5e40f2e13824\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM root user access key should not exist\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if the root user access key is available.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7b1ddbf7-6600-41a9-a23e-e7efb8668c01\",\r\n \"name\": \"7b1ddbf7-6600-41a9-a23e-e7efb8668c01\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM users should not have IAM policies attached\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks that none of your IAM users have attached policies, they must inherit permissions from IAM groups or roles.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c60f9b4d-853d-41d3-a516-f4dc505dd92c\",\r\n \"name\": \"c60f9b4d-853d-41d3-a516-f4dc505dd92c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM policies should not allow full \\\"*\\\" administrative privileges\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if the AWS Identity and Access Management (IAM) policies default version (also known as customer managed policies) do not have administrator access with a statement that has \\\"Effect\\\": \\\"Allow\\\" with \\\"Action\\\": \\\"*\\\" over \\\"Resource\\\": \\\"*\\\". It does not check inline and AWS Managed Policies, only for the Customer Managed Policies that you created.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a05b1517-27e4-402f-b5d7-3995cb4ffb1f\",\r\n \"name\": \"a05b1517-27e4-402f-b5d7-3995cb4ffb1f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Customer master key (CMK) rotation should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if key rotation is enabled for each customer master key (CMK). It doesn't check CMKs that have imported key material.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b8b4cd2e-d8ef-43fb-a09a-f8faad403309\",\r\n \"name\": \"b8b4cd2e-d8ef-43fb-a09a-f8faad403309\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Lambda functions should prohibit public access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if the Lambda resource has a Lambda function policy attached that prohibits public access\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e73c08d7-bf33-428c-9a35-047b93826c85\",\r\n \"name\": \"e73c08d7-bf33-428c-9a35-047b93826c85\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS snapshots should prohibit public access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if Amazon Relational Database Service (Amazon RDS) snapshots are public\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ce67af84-5a51-47e7-85e5-fe8cfa5b6237\",\r\n \"name\": \"ce67af84-5a51-47e7-85e5-fe8cfa5b6237\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS DB Instances should prohibit public access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if RDS instances are publicly accessible by checking the publiclyAccessible field in the instance configuration item.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d2f140fd-4b82-4e49-a312-a1aaea2d4b37\",\r\n \"name\": \"d2f140fd-4b82-4e49-a312-a1aaea2d4b37\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Redshift clusters should prohibit public access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if Redshift clusters are publicly accessible by checking the publiclyAccessible field in the cluster configuration item\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/529ab31c-7a8e-40f9-a004-91ac1d455fb1\",\r\n \"name\": \"529ab31c-7a8e-40f9-a004-91ac1d455fb1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CodeBuild GitHub or Bitbucket source repository URLs should use OAuth\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if the GitHub or Bitbucket source repository URL includes personal access tokens or user name and password.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8be46b23-a5fd-4ac6-8ec6-018b35b5afb5\",\r\n \"name\": \"8be46b23-a5fd-4ac6-8ec6-018b35b5afb5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Database Migration Service replication instances should not be public\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if AWS Database Migration Service replication instances are public by checking the field value of PubliclyAccessible.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b1dadb19-4295-4acb-a592-6b024008e686\",\r\n \"name\": \"b1dadb19-4295-4acb-a592-6b024008e686\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EBS snapshots should not be publicly restorable\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if Amazon Elastic Block Store snapshots aren't publicly restorable.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3a660f6d-c102-4fe5-be7b-82500b9ae065\",\r\n \"name\": \"3a660f6d-c102-4fe5-be7b-82500b9ae065\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 Block Public Access setting should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"S3 buckets should block public access, this checks if the following public access block settings are configured from an account level: ignorePublicAcls: True, blockPublicPolicy: True, blockPublicAcls: True, restrictPublicBuckets: True.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/93facfdb-6299-4c07-b650-bc43bc3bc18d\",\r\n \"name\": \"93facfdb-6299-4c07-b650-bc43bc3bc18d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"VPC default security group should prohibit inbound and outbound traffic\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks that the default security group of a VPC doesn't allow inbound or outbound traffic\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/390db523-709f-466d-8757-b0b54ea6a7bd\",\r\n \"name\": \"390db523-709f-466d-8757-b0b54ea6a7bd\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Security groups should not allow ingress from 0.0.0.0/0 to port 22\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. Restricting connectivity to remote console services, such as SSH, could help reduce a server's exposure to risk.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/86f26232-2132-4707-99ff-4e70ee16c3ab\",\r\n \"name\": \"86f26232-2132-4707-99ff-4e70ee16c3ab\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Unused EC2 security groups should be removed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks that security groups are attached to Amazon EC2 instances or to an ENI and are surfaces unused security groups.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/099e9ded-7834-43ad-be02-30114c800211\",\r\n \"name\": \"099e9ded-7834-43ad-be02-30114c800211\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon Elasticsearch domains should be in a VPC\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if Amazon Elasticsearch Service domains are in a VPC.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/40ba0792-0cf7-48e3-a629-d3871dc4b7c0\",\r\n \"name\": \"40ba0792-0cf7-48e3-a629-d3871dc4b7c0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Lambda functions should be in a VPC\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if all Lambda function are in a VPC\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5ce523c5-3508-40ef-98d3-ef440253ba6b\",\r\n \"name\": \"5ce523c5-3508-40ef-98d3-ef440253ba6b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CodeBuild project environment variables should not contain clear text credentials\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if a CodeBuild project includes environment variables AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ec43ef1b-935b-4b17-9273-e28fbb94a1c2\",\r\n \"name\": \"ec43ef1b-935b-4b17-9273-e28fbb94a1c2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Unused EC2 EIPs should be removed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"An accurate asset inventory of EIPs should be maintained by checking if Elastic IP addresses that are allocated to a VPC are attached to EC2 instances or in-use elastic network interfaces (ENIs)\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/023c4652-db6a-4f38-ae25-fe2c9a091459\",\r\n \"name\": \"023c4652-db6a-4f38-ae25-fe2c9a091459\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon SageMaker notebook instances should not have direct internet access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if direct internet access is disabled for an Amazon SageMaker notebook instance by checking the DirectInternetAccess field is set to disabled for an Amazon SageMaker notebook instance.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0650d086-6677-4776-9bb0-10aad0a7c6dd\",\r\n \"name\": \"0650d086-6677-4776-9bb0-10aad0a7c6dd\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudTrail logs should be encrypted at rest using AWS KMS CMKs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if AWS CloudTrail is configured to use the server side encryption (SSE) AWS Key Management Service (AWS KMS) customer master key (CMK) encryption.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f631914d-ed27-4d43-98ce-58aecc12eccf\",\r\n \"name\": \"f631914d-ed27-4d43-98ce-58aecc12eccf\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon Elasticsearch domains should have encryption at rest enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if Amazon Elasticsearch Service (Amazon ES) domains have encryption at rest configured.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/336631d3-ba44-4268-8abd-665d3950d775\",\r\n \"name\": \"336631d3-ba44-4268-8abd-665d3950d775\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"A log metric filter and alarm should exist for usage of the \\\"root\\\" user\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks the following metric filters : That the log group name is configured for use with multi-region CloudTrail activated, that there is at least one Event Selector for a Trail with IncludeManagementEvents configured to true and ReadWriteType configured to All, and that there is at least one subscriber active to an SNS topic associated to the alarm.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5db7555b-559c-4fe0-a2e1-d0aee04360e9\",\r\n \"name\": \"5db7555b-559c-4fe0-a2e1-d0aee04360e9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"VPC flow logging should be enabled in all VPCs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks whether Amazon Virtual Private Cloud flow logs are found and enabled for Amazon VPC(s) for packet rejects. VPC Flow Logs enable you to capture information about the IP address traffic to and from network interfaces in your VPC, and can help detect anomalous traffic.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4dd331be-aa29-4753-9f09-9fc2edf05bf2\",\r\n \"name\": \"4dd331be-aa29-4753-9f09-9fc2edf05bf2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudTrail trails should be integrated with Amazon CloudWatch Logs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if AWS CloudTrail trails are set to send logs to Amazon CloudWatch Logs\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6cf046b0-9a14-44ec-b35b-171982c78e9b\",\r\n \"name\": \"6cf046b0-9a14-44ec-b35b-171982c78e9b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudTrail should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if AWS CloudTrail is enabled in your AWS account\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/21eaabc0-9210-45fd-b7fc-0c9b255a0c16\",\r\n \"name\": \"21eaabc0-9210-45fd-b7fc-0c9b255a0c16\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudTrail log file validation should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if CloudTrail log file validation is enabled\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/75c358f9-f644-41d1-9a07-af69f5ee0e2f\",\r\n \"name\": \"75c358f9-f644-41d1-9a07-af69f5ee0e2f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EC2 instances managed by Systems Manager should have a patch compliance status of COMPLIANT after a patch installation\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks only EC2 instances managed by AWS Systems Manager, if after patch installation on the instances they are compliant . AWS Systems Manager is an AWS service that can be used control and view your AWS resources. Systems Manager scans the managed EC2 instances in order to maintain security and compliance, by reporting or taking action on a policy violation that is discovered. \",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6a9bbcb5-81a9-4164-8d17-03b255107dad\",\r\n \"name\": \"6a9bbcb5-81a9-4164-8d17-03b255107dad\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EC2 instances should be managed by AWS Systems Manager\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if AWS Systems Manager is configured to manage your EC2 instances. AWS Systems Manager is an AWS service that can be used control and view your AWS resources. Systems Manager scans the managed EC2 instances in order to maintain security and compliance, by reporting or taking action on a policy violation that is discovered. \",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/32b4b856-848d-4ce2-bec7-1a9be69bce6a\",\r\n \"name\": \"32b4b856-848d-4ce2-bec7-1a9be69bce6a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EC2 instances managed by Systems Manager should have an association compliance status of COMPLIANT\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if the status of the AWS Systems Manager association compliance is COMPLIANT or NON_COMPLIANT after the association has been executed on an instance\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5010098e-7bef-467c-baed-209d8a5afac4\",\r\n \"name\": \"5010098e-7bef-467c-baed-209d8a5afac4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 buckets should have cross-region replication enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if S3 buckets have cross-region replication enabled.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/94d42d13-40a6-47df-b16e-be141aae83c3\",\r\n \"name\": \"94d42d13-40a6-47df-b16e-be141aae83c3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Auto scaling groups associated with a load balancer should use health checks\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if your Auto Scaling groups that are associated with a load balancer are using Elastic Load Balancing health checks\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d5c82980-3fce-4c37-9ad3-9c69a1c59d8f\",\r\n \"name\": \"d5c82980-3fce-4c37-9ad3-9c69a1c59d8f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"GuardDuty should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if Amazon GuardDuty is enabled in your AWS account and region. Amazon GuardDuty is a continuous security monitoring service that can identify unexpected and potentially unauthorized and malicious activity within your AWS environment \",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bc85a7ee-7f43-47ab-8736-4faaec9346b5\",\r\n \"name\": \"bc85a7ee-7f43-47ab-8736-4faaec9346b5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"SSM agent should be installed on your AWS EC2 instances\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Systems Manager is an AWS service that can be used to control and view your AWS infrastructure. The AWS Systems Manager Agent (SSM Agent) is a software that can be installed and configured on a machine and makes it possible for Systems Manager to update and configure these resources. Security Center leverages the SSM Agent for automatic installation of Azure Arc, that enables greater parity for AWS instances to Azure VMs.\",\r\n \"remediationDescription\": \"First, Make sure EC2 instances are managed by Systems Manager: 1.Open AWS System Manager.
2. Choose Quick setup
3. keep the default options on the configuration screen.
4. Choose Set up Systems Manager.
For directions on installing and configuring the SSM Agent on Windows instances visit this page For directions on installing and configuring the SSM Agent on Linux instances visit this page \",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a7c8fa46-526d-4bf6-b8b3-17fa01310fd8\",\r\n \"name\": \"a7c8fa46-526d-4bf6-b8b3-17fa01310fd8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"AWS Security Hub should be enabled in every region in your AWS accounts\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS Security Hub is a regional service and customer must enable Security Hub in each region to view findings in that region. You should continuously monitor all regions across all of your AWS accounts for unauthorized behavior or misconfigurations, including regions you don’t use heavily.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit AWS security hub documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/20f6c761-4dd7-4f27-9e37-6db8471486ef\",\r\n \"name\": \"20f6c761-4dd7-4f27-9e37-6db8471486ef\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"AWS Security Hub should be enabled for all AWS member accounts\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS Security Hub provides you with a comprehensive view of your security state within AWS and your compliance with security standards and best practices. Integrating it into Security Center enables a comprehensive view across multiple cloud environments. any AWS member account related to an onboarded account should have Security Hub enabled as well.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit AWS security hub documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/726cde3e-02f8-4041-8935-727f2be19ba7\",\r\n \"name\": \"726cde3e-02f8-4041-8935-727f2be19ba7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that corporate login credentials are used\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Make sure to log in using the credentials of a fully-managed corporate account and not a personal account.\",\r\n \"remediationDescription\": \"Browse to GCP IAM & Admin. Select the checkbox next to non-corporate users, and then click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4a946e22-47e8-443d-8761-b25620b4a1e1\",\r\n \"name\": \"4a946e22-47e8-443d-8761-b25620b4a1e1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that multi-factor authentication is enabled for all non-service accounts\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Multi-Factor Authentication (MFA) must be enabled for all Google Cloud Platform accounts, excluding service accounts.\",\r\n \"remediationDescription\": \"Browse to GCP Security Settings and set up multi-factor authentication for all non-service accounts within the project.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0ad39832-f031-4fdd-885e-c6cce85ac77c\",\r\n \"name\": \"0ad39832-f031-4fdd-885e-c6cce85ac77c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Service Account has no Admin privileges\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that all service accounts are not configured with administrative roles.\",\r\n \"remediationDescription\": \"Browse to GCP IAM & Admin. Select Members and make sure that there aren't any 'User-Managed user created service account' accounts with one of the following roles: admin, editor, or owner.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/90191798-da1b-40dd-aa9c-1c0eafb1ba87\",\r\n \"name\": \"90191798-da1b-40dd-aa9c-1c0eafb1ba87\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that the 'Service Account User' and 'Service Account Token Creator' roles are not granted to users at a project level. Instead, grant these roles to users in the context of specific service accounts.\",\r\n \"remediationDescription\": \"Browse to GCP IAM & Admin. In the filter table field, enter 'Role: Service Account User' and click 'Delete' (bin icon) for every user listed. Similarly, filter using 'Role: Service Account Token Creator' and delete every user listed.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ddced3c8-a5e2-4dc4-b0fe-1331c77fc9c4\",\r\n \"name\": \"ddced3c8-a5e2-4dc4-b0fe-1331c77fc9c4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure user-managed/external keys for service accounts are rotated every 90 days or less\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that all service account keys are rotated every 90 days or less.\",\r\n \"remediationDescription\": \"Browse to APIs Credentials. Under 'Service Account Keys', for every External (user-managed) service account where the creation date is 90 days or more, delete the service account key and create a new one instead.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f493084a-d3c4-4886-8cf2-3c815aeef901\",\r\n \"name\": \"f493084a-d3c4-4886-8cf2-3c815aeef901\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Separation of duties is enforced while assigning service account related roles to users\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that there is a separation of duties. Also, make sure that users are not assigned with both 'Service Account Admin' and other 'Service Account User' roles.\",\r\n \"remediationDescription\": \"Browse to GCP IAM & Admin. Edit members with both 'Service Account Admin' and 'Service Account User', delete one of the roles, and then click 'Save'. \",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3053474d-4fab-4603-8d18-2a6dfd09f782\",\r\n \"name\": \"3053474d-4fab-4603-8d18-2a6dfd09f782\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure KMS encryption keys are rotated within a period of 90 days\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that Cloud KMS encryption keys are rotated every 90 days or less.\",\r\n \"remediationDescription\": \"Browse to GCP Security Kms. For every key ring, for every key in the key ring, do the following: Select 'Right side pop up the blade' > 'Edit rotation period' > 'Select a new rotation period' and specify a period of less than 90 days, and then specify a 'Starting on' date.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3ff38dcd-92e2-4b67-8765-35bb0174a4c7\",\r\n \"name\": \"3ff38dcd-92e2-4b67-8765-35bb0174a4c7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Separation of duties is enforced while assigning KMS related roles to users\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that there is a separation of duties and that there are no users assigned with both the 'Cloud KMS Admin' role and any of the following roles: 'Cloud KMS CryptoKey', 'Cloud KMS Encrypter/Decrypter', 'Cloud KMS CryptoKey Encrypter' or 'Cloud KMS CryptoKey Decrypterer'.\",\r\n \"remediationDescription\": \"Browse to GCP IAM & Admin. For the member that is listed at the recommendation, click 'Edit'. For the 'Cloud KMS Admin' role, click 'Delete', and then Click 'Save'. \",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/52f83ea2-6871-45c3-8b26-13566e966638\",\r\n \"name\": \"52f83ea2-6871-45c3-8b26-13566e966638\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure API keys are not created for a project\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that all API keys are not used within the scope of projects. The standard authentication flow should be implemented, since the use of API keys presents many security risks.\",\r\n \"remediationDescription\": \"Browse to APIs Credentials. Under 'API Keys', delete the relevant API Keys. These API keys should be replaced by a standard authentication flow as described In the Authentication overview [GCP docs authentication]\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/76e8881d-f18e-4e1b-b01d-376d0260e066\",\r\n \"name\": \"76e8881d-f18e-4e1b-b01d-376d0260e066\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure API keys are restricted to use by only specified Hosts and Apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that API keys are restricted, and used only by trusted hosts, HTTP referrers, or applications.\",\r\n \"remediationDescription\": \"Browse to APIs Credentials. Under 'API Keys', select 'API Key Name'. Under 'Key restrictions', set application restriction to HTTP referrers, IP Addresses, Android Apps, or iOS Apps, and then click 'Save'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0eaf40a8-5673-4b33-8457-a31d85882233\",\r\n \"name\": \"0eaf40a8-5673-4b33-8457-a31d85882233\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure API keys are restricted to only APIs that application needs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that API keys are restricted to only access API endpoints that are essential to the calling application.\",\r\n \"remediationDescription\": \"Browse to APIs Credentials. Under 'API Keys', select 'API Key Name'. For every API key, make sure that the 'Key restrictions' parameter 'API restrictions' is not set to 'None'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5a235918-41a2-4bd0-8ab0-00a596e9d6a8\",\r\n \"name\": \"5a235918-41a2-4bd0-8ab0-00a596e9d6a8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure API keys are rotated every 90 days\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that API keys are rotated every 90 days or less.\",\r\n \"remediationDescription\": \"Browse to APIs Credentials. Under 'API Keys'. Select 'API Key Name'. Click 'REGENERATE KEY' to rotate the API key, and then click 'Save'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f61e15f3-4bcf-4d2e-8f06-32237cabe0a0\",\r\n \"name\": \"f61e15f3-4bcf-4d2e-8f06-32237cabe0a0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud Audit Logging is configured properly across all services and all users from a project\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that Cloud Audit Logging is configured to track read and write activities across all supported services and for all users. Configured this way, all administrative activities, or attempts to access user data, will be tracked.\",\r\n \"remediationDescription\": \"Browse to GCP IAM & Admin Audit. On the 'Audit Log' page, select the 'Log type' tab. Select 'Admin read', 'Data read', and 'Data write', and then click 'Save'. Make sure there are no exemptions.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/cdb3af55-2abf-476b-aac7-5cfec366a4dd\",\r\n \"name\": \"cdb3af55-2abf-476b-aac7-5cfec366a4dd\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that sinks are configured for all log entries\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that all resource have a log sink configured, exporting copies of all the log entries to a centralized location such as a SIEM.\",\r\n \"remediationDescription\": \"Browse to GCP Logs viewer. Switch to the 'Advanced' filter bar, clear any text from the filter field, and then click 'Submit Filter'. Click 'Create Sink', fill out the required details, and then click 'Create Sink'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bc26b0d4-a1d7-4665-9d44-efc205ae73f0\",\r\n \"name\": \"bc26b0d4-a1d7-4665-9d44-efc205ae73f0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure log metric filter and alerts exist for project ownership assignments/changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure log metric filters and alerts are configured to monitor project ownership assignment/change actions.\",\r\n \"remediationDescription\": \"STEP A - Create a Log metric: Browse to GCP Logs metrics. Click 'Create Metric', switch to the 'Advanced' filter bar, and run the following query: (protoPayload.serviceName=\\\"cloudresourcemanager.googleapis.com\\\") AND (ProjectOwnership OR projectOwnerInvitee) OR (protoPayload.serviceData.policyDelta.bindingDeltas.action=\\\"REMOVE\\\" AND protoPayload.serviceData.policyDelta.bindingDeltas.role=\\\"roles/owner\\\") OR (protoPayload.serviceData.policyDelta.bindingDeltas.action=\\\"ADD\\\" AND protoPayload.serviceData.policyDelta.bindingDeltas.role=\\\"roles/owner\\\". In the 'Metric Editor' menu, provide a name for the field, set 'Units' to 1 and Type to 'Counter', then click 'Create Metric'. STEP B - Create Alert on Metrics: To create an alert policy, browse to GCP Logs metrics. Click 'Create alert from Metric', click 'Create alert from Metric', add Alert Triggers, and then click 'Save'. Configure the alert's notification channels, give it a name, and then click 'Save'. Finally, edit the alert policy and update the 'Target Aggregation' option to 'Count'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3812e247-34f2-4f06-a312-89a8fe51fa37\",\r\n \"name\": \"3812e247-34f2-4f06-a312-89a8fe51fa37\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for Audit Configuration changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure log metric filter and alerts are configured for Audit Configuration changes. Audit logging data is required for security analysis. Tracking the log metric filters and alerts is important to ensure that all activities in the projects are being audited as planned.\",\r\n \"remediationDescription\": \"STEP A - Create a Log metric: Browser to GCP Logs metrics. Click 'Create Metric', switch to the 'Advanced' filter bar, clear the text, and run the following query: protoPayload.methodName=\\\"SetIamPolicy\\\" AND protoPayload.serviceData.policyDelta.auditConfigDeltas:*. In the 'Metric Editor' menu, provide a name for the field, set 'Units' to 1 and 'Type to 'Counter', then click 'Create Metric'. STEP B - Create Alert on Metrics: To create an alert policy, browse to GCP Logs metrics. Click 'Create alert from Metric', click 'Create alert from Metric', add Alert Triggers, and then click 'Save'. Configure the alert's notification channels, give it a name, and then click 'Save'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f0f8405a-5ecc-4314-808e-083e030d6163\",\r\n \"name\": \"f0f8405a-5ecc-4314-808e-083e030d6163\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for Custom Role changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that log metric filter and alerts are configured for Custom Role changes. Monitoring role creation, update, or deletion may help to identify over-privileged or misused roles. \",\r\n \"remediationDescription\": \"STEP A - Create a Log metric: Browser to GCP Logs metrics. Click 'Create Metric', switch to the 'Advanced' filter bar, clear the text, and run the following query: resource.type=\\\"iam_role\\\" AND protoPayload.methodName = \\\"google.iam.admin.v1.CreateRole\\\" OR protoPayload.methodName=\\\"google.iam.admin.v1.DeleteRole\\\" OR protoPayload.methodName=\\\"google.iam.admin.v1.UpdateRole\\\". In the 'Metric Editor' menu, provide a name for the field, set 'Units' to 1 and 'Type to 'Counter', then click 'Create Metric'. STEP B - Create Alert on Metrics: To create an alert policy, browse to GCP Logs metrics. Click 'Create alert from Metric', click 'Create alert from Metric', add Alert Triggers, and then click 'Save'. Configure the alert's notification channels, give it a name, and then click 'Save'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c23e0eec-eee4-4632-b1c2-6c884c3c963b\",\r\n \"name\": \"c23e0eec-eee4-4632-b1c2-6c884c3c963b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for VPC Network Firewall rule changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that log metric filter and alerts are configured for Virtual Private Cloud (VPC) Network Firewall rule changes. Firewall create or update rule events indicate network access changes, which may indicate suspicious activity.\",\r\n \"remediationDescription\": \"STEP A - Create a Log metric: Browser to GCP Logs metrics. Click 'Create Metric', switch to the 'Advanced' filter bar, clear the text, and run the following query: resource.type=\\\"gce_firewall_rule\\\" AND jsonPayload.event_subtype=\\\"compute.firewalls.patch\\\" OR jsonPayload.event_subtype=\\\"compute.firewalls.insert\\\". In the 'Metric Editor' menu, fill the name field, set Units to 1, and the Type to Counter. Click on 'Create Metric'. STEP B - Create Alert on Metrics: To create an alert policy, browse to https://console.cloud.google.com/logs/metrics. Click 'Create alert from Metric', click 'Create alert from Metric', add Alert Triggers, and then click 'Save'. Configure the alert's notification channels, give it a name, and then click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7ce5a01f-e94b-438a-8b72-fa02c076f11a\",\r\n \"name\": \"7ce5a01f-e94b-438a-8b72-fa02c076f11a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for VPC network route changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that the log metric filter and alerts are configured for Virtual Private Cloud (VPC) network route changes. Monitoring network route changes to route tables may indicate of a suspicious activity.\",\r\n \"remediationDescription\": \"STEP A - Create a Log metric: Browser to GCP Logs metrics. Click 'Create Metric', switch to the 'Advanced' filter bar, clear the text, and run the following query: resource.type=\\\"gce_route\\\" AND jsonPayload.event_subtype=\\\"compute.routes.delete\\\" OR jsonPayload.event_subtype=\\\"compute.routes.insert\\\". In the 'Metric Editor' menu, fill the name field, set Units to 1, and the Type to Counter. Click on 'Creat Metric'. STEP B - Create Alert on Metrics: To create an alert policy, browse to GCP Logs metrics. Click 'Create alert from Metric', click 'Create alert from Metric', add Alert Triggers, and then click 'Save'. Configure the alert's notification channels, give it a name, and then click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0b86a67f-bde5-4c91-b10c-4102033b8692\",\r\n \"name\": \"0b86a67f-bde5-4c91-b10c-4102033b8692\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for VPC network changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that the log metric filter and alerts are configured for Virtual Private Cloud (VPC) network changes. Monitoring network changes to the VPC is important to make sure it is not compromised.\",\r\n \"remediationDescription\": \"STEP A - Create a Log metric: Browser to GCP Logs metrics. Click 'Create Metric', switch to the 'Advanced' filter bar, clear the text, and run the following query: resource.type=gce_network AND jsonPayload.event_subtype=\\\"compute.networks.insert\\\" OR jsonPayload.event_subtype=\\\"compute.networks.patch\\\" OR jsonPayload.event_subtype=\\\"compute.networks.delete\\\" OR jsonPayload.event_subtype=\\\"compute.networks.removePeering\\\" OR jsonPayload.event_subtype=\\\"compute.networks.addPeering\\\". In the 'Metric Editor' menu, fill the name field, set Units to 1, and the Type to Counter. Click on 'Create Metric'. STEP B - Create Alert on Metrics: To create an alert policy, browse to GCP Logs metrics. Click 'Create alert from Metric', click 'Create alert from Metric', add 'Alert Triggers', and then click 'Save'. Configure the alert's notification channels, give it a name, and then click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/46e4e0ed-106d-405e-b1a9-ca34c8f7d31f\",\r\n \"name\": \"46e4e0ed-106d-405e-b1a9-ca34c8f7d31f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for Cloud Storage IAM permission changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"\\\"Ensure that the log metric filter and alerts are configured for Cloud Storage IAM permission changes. Monitoring changes to a storage bucket permissions can help identify malicious attempts to access a sensitive storage buckets and objects inside buckets.\",\r\n \"remediationDescription\": \"STEP A - Create a Log metric: Browser to GCP Logs metrics. Click 'Create Metric', switch to the 'Advanced' filter bar, clear the text, and run the following query: resource.type=gcs_bucket AND protoPayload.methodName=\\\"storage.setIamPermissions\\\". In the 'Metric Editor' menu, fill the name field, set Units to 1, and the Type to Counter. Click on 'Create Metric'. STEP B - Create Alert on Metrics: To create an alert policy, browse to GCP Logs metrics. Click 'Create alert from Metric', click 'Create alert from Metric', add Alert Triggers, and then click 'Save'. Configure the alert's notification channels, give it a name, and then click 'Save'.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b1294b0d-9b2e-4e1b-9f67-77a75fb10a65\",\r\n \"name\": \"b1294b0d-9b2e-4e1b-9f67-77a75fb10a65\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for SQL instance configuration changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that the log metric filter and alerts are configured for SQL instance configuration changes. Monitoring changes to an SQL instance can help identify malicious attempts to access a sensitive data stored in an SQL instance. \",\r\n \"remediationDescription\": \"STEP A - Create a Log metric: Browser to GCP Logs metrics. Click 'Create Metric', switch to the 'Advanced' filter bar, clear the text, and run the following query: protoPayload.methodName=\\\"cloudsql.instances.update\\\". In the 'Metric Editor' menu, fill the name field, set Units to 1, and the Type to Counter. Click on 'Create Metric'. STEP B - Create Alert on Metrics: To create an alert policy, browse to GCP Logs metrics. Click 'Create alert from Metric', click 'Create alert from Metric', add Alert Triggers, and then click 'Save'. Configure the alert's notification channels, give it a name, and then click 'Save'.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ece6ec5d-a862-4e22-a8db-271661216018\",\r\n \"name\": \"ece6ec5d-a862-4e22-a8db-271661216018\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the default network does not exist in a project\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that projects do not have a default network. A default predefined network generates multiple unsecure firewall rules that are not audit logged, cannot be configured to enable firewall rule logging, and do not allow the use of a Cloud VPN or VPC Network Peering with the default network.\",\r\n \"remediationDescription\": \"Browse to GCP Networks List. Select the 'default' network. On the network detail page, click 'edit', and then click 'Delete VPC network'. If required, you can to create a new network with custom firewall rules to replace the 'default' network.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3af5de46-fda8-4b6e-90f1-6565187d7c48\",\r\n \"name\": \"3af5de46-fda8-4b6e-90f1-6565187d7c48\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure legacy networks do not exist for a project\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that all projects do not have a legacy network. Legacy networks may have an impact for high network traffic projects and pose a single point of contention or failure.\",\r\n \"remediationDescription\": \"Create a non-legacy network and then delete the legacy networks using the following command: 'gcloud compute networks delete my-legacy-network'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e40b679a-f44e-4366-87dd-7693e16a2128\",\r\n \"name\": \"e40b679a-f44e-4366-87dd-7693e16a2128\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that DNSSEC is enabled for Cloud DNS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that Domain Name System Security Extensions (DNSSEC) is enabled for Cloud DNS zones. DNSSEC helps mitigate the risk of a DNS hijacking and man-in-the-middle attacks, by preventing attackers from issuing fake DNS responses that may misdirect browsers to malicious websites.\",\r\n \"remediationDescription\": \"Browse to GCP DNS zones. For each zone of type 'Public', set DNSSEC to 'On'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/049f1551-438b-444e-8904-a3c3afbcb43e\",\r\n \"name\": \"049f1551-438b-444e-8904-a3c3afbcb43e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that RSASHA1 is not used for the key-signing key in Cloud DNS DNSSEC\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that RSA-SHA1 is not used as the key-signing key in Domain Name System Security Extensions (DNSSEC).\",\r\n \"remediationDescription\": \"To change the settings for a managed zone where RSA-SHA1 has been enabled: Turn off DNSSEC, modify they settings, and then turn on DNSSEC again. Finally, update the key-signing for the reported managed DNS Zone.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/cc637123-c11e-40ee-adf8-93c0876481f4\",\r\n \"name\": \"cc637123-c11e-40ee-adf8-93c0876481f4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that RSASHA1 is not used for the zone-signing key in Cloud DNS DNSSEC\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that RSA-SHA1 is not used as the zone-signing key in Domain Name System Security Extensions (DNSSEC).\",\r\n \"remediationDescription\": \"To change the settings for a managed zone where RSA-SHA1 has been enabled: Turn off DNSSEC, modify they settings, and then turn on DNSSEC again. Finally, update the zone-signing for the reported managed DNS Zone.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0327f9da-f758-4d69-8903-55448b8cf70e\",\r\n \"name\": \"0327f9da-f758-4d69-8903-55448b8cf70e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that SSH access is restricted from the internet\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that SSH access is restricted from the internet because it can be used as initial access to the network. Prevent inbound traffic via SSH (port 22) from the internet using the generic IP address (0.0.0.0/0).\",\r\n \"remediationDescription\": \"Browser to GCP Networks List. Select 'Firewall Rules', edit the relevant rule, under 'Source IP ranges' replace the value with a specific IP address, and then click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/684307e9-62a8-4f2a-887a-4b90de5e4b98\",\r\n \"name\": \"684307e9-62a8-4f2a-887a-4b90de5e4b98\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that RDP access is restricted from the Internet\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that RDP access is restricted from the internet, as is may be used for initial access to the network. Prevent inbound traffic via RDP (port 3389) from the internet using the generic IP address (0.0.0.0/0). \",\r\n \"remediationDescription\": \"Browser to GCP Networks List. Select 'Firewall Rules', edit the relevant rule, under 'Source IP ranges' replace the value with a specific IP address, and then click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3d55e4b1-ecdb-4eaf-9e3f-b00a764182bd\",\r\n \"name\": \"3d55e4b1-ecdb-4eaf-9e3f-b00a764182bd\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that all VPC Flow Logs are enabled, for every subnet in a VPC Network.\",\r\n \"remediationDescription\": \"Browse to GCP Networks List. Select the relevant subnet, click 'Edit', set 'Flow Logs' to 'On', and then click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c28a89d9-7cf4-439b-a8c4-ad4e769f68ee\",\r\n \"name\": \"c28a89d9-7cf4-439b-a8c4-ad4e769f68ee\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure no HTTPS or SSL proxy load balancers permit SSL policies with weak cipher suites\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that there are no HTTPS or SSL Proxy Load Balancers that use weak SSL policies with TLS or 1.1.\",\r\n \"remediationDescription\": \"Browser to GCP SSL Policies. Select the relevant policy, click 'Edit', set 'Minimum TLS version' to 'TLS 1.2', set 'Profile' to 'Modern' or 'Restricted', and then click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/233da9cd-11bf-463a-8aa7-4c81b9e788d1\",\r\n \"name\": \"233da9cd-11bf-463a-8aa7-4c81b9e788d1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that instances are not configured to use the default service account with full access to all Cloud APIs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that all instances are not configured to use the default service account with full access to all Google Cloud APIs.\",\r\n \"remediationDescription\": \"Browse to GCP Compute instances. Select the relevant VM instance, stop the instance if it is currently started, and then click 'Edit'. Under 'Service Account', select 'Compute Engine default service account', make sure that 'Allow full access to all Cloud APIs' is not selected, click 'Save' and then 'Start'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1ff4501b-2109-4ef6-ba9d-e824a96d63d0\",\r\n \"name\": \"1ff4501b-2109-4ef6-ba9d-e824a96d63d0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure \\\"Block Project-wide SSH keys\\\" is enabled for VM instances\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that no project-wide SSH keys are used for VM instances, as they enable login to all instances in the project.\",\r\n \"remediationDescription\": \"Browse to GCP Compute instances. Select the impacted instance, click 'Edit', under 'SSH Keys', select 'Block project-wide SSH keys', and then click 'Save'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fa924a53-0837-4296-9bf7-18ce7dd68593\",\r\n \"name\": \"fa924a53-0837-4296-9bf7-18ce7dd68593\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure oslogin is enabled for a Project\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that OS login is enabled for all projects, as this pairs the SSH keys in use with IAM users. \",\r\n \"remediationDescription\": \"Browse to GCP Compute metadata. Click 'Edit', add metadata key for 'enable-oslogin' with value 'TRUE', and then click 'Save'. For every instances that overrides the project setting, browse to GCP Compute instances. Select the relevant instance name, click 'Edit', under 'custom metadata', remove 'enable-oslogin' keys with the value 'FALSE', and then click 'Save'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c4131c22-1ecc-4beb-9961-d90108bd975f\",\r\n \"name\": \"c4131c22-1ecc-4beb-9961-d90108bd975f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure 'Enable connecting to serial ports' is not enabled for VM Instance\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that 'Enable connecting to serial ports' is not enabled for all VM Instance. When the interactive serial console is enabled for an instance, clients can connect to the instance from any IP address using the proper username and SSH key.\",\r\n \"remediationDescription\": \"Browse to GCP Compute instances. Select the relevant instance, under 'Remote access', make sure that 'Enable connecting to serial ports' is not selected.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3b1713ec-feb3-4b32-b5b0-251acff0a84a\",\r\n \"name\": \"3b1713ec-feb3-4b32-b5b0-251acff0a84a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that IP forwarding is not enabled on Instances\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"To prevent data loss, forwarding of data packets should not be enabled on instances.\",\r\n \"remediationDescription\": \"Browse to GCP Compute instances. Select the relevant instance, under 'Network interfaces', make sure that 'IP forwarding' is set to 'Off' for every network interface.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6be98232-0100-474a-b33d-ba9c1a747f70\",\r\n \"name\": \"6be98232-0100-474a-b33d-ba9c1a747f70\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure VM disks for critical VMs are encrypted with Customer-Supplied Encryption Keys (CSEK)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By default, all data at rest is encrypted by Google Compute Engine. Make sure that VM disks are encrypted using Customer-Supplied Encryption Keys (CSEK) enabling you to control and manage the encryption keys yourself.\",\r\n \"remediationDescription\": \"Browse to GCP Compute disks. Select the relevant disk and make sure that the 'Encryption type' is set to 'Customer supplied'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9e1789cd-7b61-42db-ba12-7268283ba466\",\r\n \"name\": \"9e1789cd-7b61-42db-ba12-7268283ba466\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure Compute instances are launched with Shielded VM enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"To protect against advanced threats, a Compute Engine instance using a public image and must be launched with a Shielded VM. It is also important to verify that the boot loader and firmware on the VMs are signed and untampered.\",\r\n \"remediationDescription\": \"Browse to GCP Compute instances. Select the relevant instance, under 'Shielded VM', make sure that 'Turn on vTPM' and 'Turn on Integrity Monitoring' are enabled.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0bdcd23c-4ff2-4077-aa14-eb6950bfbdd8\",\r\n \"name\": \"0bdcd23c-4ff2-4077-aa14-eb6950bfbdd8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Compute instances do not have public IP addresses\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Compute instances must not be configured with public IP addresses.\",\r\n \"remediationDescription\": \"Browse to GCP Firewalls List. Edit each firewall rule in the list, under 'Source IP ranges', modify the IP address values to restrict access from public IP addresses, like 0.0.0.0/0.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/79b4eb34-c06e-49bf-883d-5352a21a962f\",\r\n \"name\": \"79b4eb34-c06e-49bf-883d-5352a21a962f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud Storage bucket is not anonymously or publicly accessible\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that an IAM policy on Cloud Storage buckets does not allow anonymous or public access so sensitive data.\",\r\n \"remediationDescription\": \"To restrict access to Cloud Storage Buckets: Browse to GCP Storage browser. Select the relevant bucket, select 'Permissions', and then under 'Role(s)', remove all Cloud IAM permissions that were granted to 'allUsers' and 'allAuthenticatedUsers'. To restrict access from public addresses: browse to GCP Firewalls List.. Edit each firewall rule in the list, under 'Source IP ranges', modify the IP adress values to restrict access from public IP addresses, like 0.0.0.0/0.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a2bb3a1b-4a09-4cf7-9e79-c438687e2c2f\",\r\n \"name\": \"a2bb3a1b-4a09-4cf7-9e79-c438687e2c2f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud Storage buckets have uniform bucket-level access enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"For simple and unified resource access, ensure that Cloud Storage buckets have uniform bucket-level access enabled.\",\r\n \"remediationDescription\": \"Browse to GCP Storage browser. Edit the relevant bucket, under 'Access Control', select 'Uniform', and then click 'Save'.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a3ebc80a-847b-46d5-a37d-8dca5e6947df\",\r\n \"name\": \"a3ebc80a-847b-46d5-a37d-8dca5e6947df\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the Cloud SQL database instance requires all incoming connections to use SSL\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that the Cloud SQL Database instance requires all incoming connections to always use SSL encryption.\",\r\n \"remediationDescription\": \"Browse to GCP Sql instances, select the relevant instance and under 'Connections', select 'Allow only SSL connections'.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1f386f4e-449e-41e8-b829-a2fe01086ae1\",\r\n \"name\": \"1f386f4e-449e-41e8-b829-a2fe01086ae1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud SQL database instances are not open to the world\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Cloud SQL instances must be configured to only accept connections from trustworthy networks and/or IP addresses and restrict all other access. \",\r\n \"remediationDescription\": \"Browse to GCP Firewalls List. Edit each firewall rule in the list, under 'Source IP ranges', modify the IP address values to restrict access from public IP addresses, like 0.0.0.0/0.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2f6c8a5a-9407-467c-8082-0ad4ab915d77\",\r\n \"name\": \"2f6c8a5a-9407-467c-8082-0ad4ab915d77\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud SQL database instances do not have public IPs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Cloud SQL instances must be configured to use private IP addresses, and not public IP addresses.\",\r\n \"remediationDescription\": \"Browse to GCP Firewalls List. Edit each firewall rule in the list, under 'Source IP ranges', modify the IP address values to restrict access from public IP addresses, like 0.0.0.0/0.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/664c6a0b-5cd2-4140-aaff-a94241c07afd\",\r\n \"name\": \"664c6a0b-5cd2-4140-aaff-a94241c07afd\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud SQL database instances are configured with automated backups\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Cloud SQL database instances must be configured with automated backups.\",\r\n \"remediationDescription\": \"Browse to GCP Sql instances. Select the relevant instance, and under 'Backups', make sure that 'Automated backups' is set to 'Enabled' and that the 'Backup time' is set.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5723400d-5b2a-45f1-99ee-837986866318\",\r\n \"name\": \"5723400d-5b2a-45f1-99ee-837986866318\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that BigQuery datasets are not anonymously or publicly accessible\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"To ensure that sensitive data is not compromised, IAM policies on BigQuery datasets must not allow anonymous or public access.\",\r\n \"remediationDescription\": \"Browse to GCP Firewalls List. Edit each firewall rule in the list, under 'Source IP ranges', modify the IP address values to restrict access from public IP addresses, like 0.0.0.0/0.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/582c14e9-48c1-4b25-ab93-91bdeaf9120c\",\r\n \"name\": \"582c14e9-48c1-4b25-ab93-91bdeaf9120c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Avoid the use of the \\\"root\\\" account\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"The \\\"root\\\" account is the most privileged account and has unrestricted access to all resources in the AWS account. It is highly recommended to avoid use of this account.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1f24d55a-df0f-4772-9090-4629c2d6bfff\",\r\n \"name\": \"1f24d55a-df0f-4772-9090-4629c2d6bfff\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Multi-Factor Authentication (MFA) should be enabled on all accounts that have a console password.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8a10942a-02ca-483f-81ae-2260ea7808cc\",\r\n \"name\": \"8a10942a-02ca-483f-81ae-2260ea7808cc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure credentials unused for 90 days or greater are disabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS resources can be accessed by using different types of credentials by AWS IAm users. Credentials such as passwords or access keys that haven't been used in 90 days or more should be deactivated or removed.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9b8eac17-6b11-4b94-9bb4-18c81aee7123\",\r\n \"name\": \"9b8eac17-6b11-4b94-9bb4-18c81aee7123\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure access keys are rotated every 90 days or less\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Access keys consist of an access key ID and secret access key. they are used to sign programmatic requests made to AWS. Access keys should be regularly rotated to reduce chance of access key used that is associated with a compromised or terminated account and ensure that data can't be accessed with an old key that might have been lost, cracked, or stolen.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/554ba13c-d7d4-4530-88ce-94cf11a670ce\",\r\n \"name\": \"554ba13c-d7d4-4530-88ce-94cf11a670ce\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy requires at least one uppercase letter\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Password policy should require at least one uppercase letter to enforce password complexity requirements . \",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/66a1d478-4d24-42d4-8eca-dcdab6532a18\",\r\n \"name\": \"66a1d478-4d24-42d4-8eca-dcdab6532a18\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy requires at least one lowercase letter\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Password policy should require at least one lowercase letter to enforce password complexity requirements . \",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b396f112-a462-4813-a93f-80bc90041e4d\",\r\n \"name\": \"b396f112-a462-4813-a93f-80bc90041e4d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy requires at least one symbol\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Password policy should require at least one symbol to enforce password complexity requirements . \",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5425052d-cc0d-4424-af71-050311f99634\",\r\n \"name\": \"5425052d-cc0d-4424-af71-050311f99634\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy requires at least one number\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Password policy should require at least one number to enforce password complexity requirements . \",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/09cb7d54-db05-4d31-97f3-9bbfe1dff610\",\r\n \"name\": \"09cb7d54-db05-4d31-97f3-9bbfe1dff610\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy requires minimum password length of 14 or greater\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Password policy should require a length of 14 or greater to enforce password complexity requirements.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/01fb1ad4-303b-4789-abf2-c024c4a76523\",\r\n \"name\": \"01fb1ad4-303b-4789-abf2-c024c4a76523\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy prevents password reuse\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"IAM password policy should prevent the reuse of passwords to prevent reuse of given password by the same user.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0de072b9-6515-4985-842e-0318047bb85b\",\r\n \"name\": \"0de072b9-6515-4985-842e-0318047bb85b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy expires passwords within 90 days or less\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"IAM password policies should require passwords to expire after 90 days or less.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8c3f474a-234e-442f-92b3-2a45e37f7eee\",\r\n \"name\": \"8c3f474a-234e-442f-92b3-2a45e37f7eee\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure no root account access key exists\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"The root account is the most privileged user in an AWS account. AWS Access Keys provide programmatic access to an AWS account. All access keys associated with the root account should be removed.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8e3d9ac0-a248-4276-a437-304c6cd1443b\",\r\n \"name\": \"8e3d9ac0-a248-4276-a437-304c6cd1443b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure MFA is enabled for the \\\"root\\\" account\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"MFA should be enabled for a root account to increase console security. When a user signs in to an AWS website, they will be prompted for their user name, password as well as for an authentication code\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8d7a6128-c8f2-43df-b422-7877346f9ddb\",\r\n \"name\": \"8d7a6128-c8f2-43df-b422-7877346f9ddb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure hardware MFA is enabled for the \\\"root\\\" account\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"MFA should be enabled for a root account to increase console security. When a user signs in to an AWS website, they will be prompted for their user name, password as well as for an authentication code. The account should be protected with a hardware MFA\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c55461af-4923-4fbb-b270-40d5e5f4c0ff\",\r\n \"name\": \"c55461af-4923-4fbb-b270-40d5e5f4c0ff\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM policies are attached only to groups or roles\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By default, IAM users, groups, and roles don't have access to AWS resources. IAM policies are used to grant privileges to users, groups, or roles. IAM policies should be applied directly to groups and roles but not users\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bbdc4999-1462-4d46-853b-2f8c6ca1c682\",\r\n \"name\": \"bbdc4999-1462-4d46-853b-2f8c6ca1c682\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a support role has been created to manage incidents with AWS Support\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS provides a support center that can be used for incident notification and response, as well as technical support and customer services. IAM Role should be created to allow authorized users to manage incidents with AWS Support.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9e1f12d0-cb3d-4e1c-a468-6bc3d934c99d\",\r\n \"name\": \"9e1f12d0-cb3d-4e1c-a468-6bc3d934c99d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM policies that allow full \\\"*:*\\\" administrative privileges are not created\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"IAM policies are the way in which privileges are granted to users, groups, or roles. Granting only the permissions needed to perform a task should be done instead of allowing full administrative privileges.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/22438e3c-73c8-40af-a083-10c980c63aa2\",\r\n \"name\": \"22438e3c-73c8-40af-a083-10c980c63aa2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure CloudTrail is enabled in all regions\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. CloudTrail should be enabled to allow security analysis, resource change tracking, and compliance auditing.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fd5d38f6-340e-4bd2-88f2-e1314c3c07a9\",\r\n \"name\": \"fd5d38f6-340e-4bd2-88f2-e1314c3c07a9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure CloudTrail log file validation is enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"A digitally signed digest file is created by CloudTrail log file validation, containing a hash of each log that CloudTrail writes to S3. These digest files can be used to determine whether a log file was changed, deleted, or unchanged after CloudTrail delivered the log. \",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0384d5b7-5def-4130-b7b5-db7da7e63276\",\r\n \"name\": \"0384d5b7-5def-4130-b7b5-db7da7e63276\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure the S3 bucket CloudTrail logs to is not publicly accessible\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Enabling public access to CloudTrail log content could assist an adversary in identifying weaknesses in the affected account's use or configuration.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5720f1a6-6061-4768-9c0d-2000a6041744\",\r\n \"name\": \"5720f1a6-6061-4768-9c0d-2000a6041744\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure CloudTrail trails are integrated with Amazon CloudWatch Logs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS CloudTrail is a web service that records AWS API calls made in a given AWS account. In addition to capturing CloudTrail logs within a specified S3 bucket for long term analysis, sending these logs to CloudWatch should be done to enable realtime analysis. \",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/dbfc99e3-e648-4c3b-bd32-995e6268430d\",\r\n \"name\": \"dbfc99e3-e648-4c3b-bd32-995e6268430d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure AWS Config is enabled in all regions\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS Config is a web service that performs configuration management of supported AWS resources within your account and delivers log files to you that can be used for security analysis, resource change tracking, and compliance auditing and should be enabled across all regions.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/30c69b23-a9a2-4729-aca6-f21adacfff66\",\r\n \"name\": \"30c69b23-a9a2-4729-aca6-f21adacfff66\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"S3 Bucket Access Logging generates a log that contains access records for each request made to your S3 bucket and could be used for security analysis, resource change tracking, and compliance auditing.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c01fab9f-bde1-4ba5-9d35-7de51f31c2d3\",\r\n \"name\": \"c01fab9f-bde1-4ba5-9d35-7de51f31c2d3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure CloudTrail logs are encrypted at rest using AWS KMS CMKs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"CloudTrail logs should be configured to leverage server side encryption (SSE) and KMS customer created master keys (CMK) to further protect CloudTrail logs.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/23b514bd-2afc-4a3e-8d3d-f4327118eee9\",\r\n \"name\": \"23b514bd-2afc-4a3e-8d3d-f4327118eee9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure rotation for customer created CMKs is enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS Key Management Service (KMS) enables customers to rotate the backing key, a key material stored within the KMS which is tied to the key ID of the Customer Created customer master key (CMK). The backing key is used to perform cryptographic operations such as encryption and decryption.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a9ac48d8-8dd7-42b9-9752-b1fa70ea5dd9\",\r\n \"name\": \"a9ac48d8-8dd7-42b9-9752-b1fa70ea5dd9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure VPC flow logging is enabled in all VPCs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"VPC Flow Logs enables you to gather information about the IP traffic going to and from network interfaces in your VPC. After a flow log has been created, you can view and retrieve its data in Amazon CloudWatch Logs. VPC Flow Logs should be enabled for packet \\\"Rejects\\\" for VPCs.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/00261067-76a8-4ebb-b5fc-becc81067bee\",\r\n \"name\": \"00261067-76a8-4ebb-b5fc-becc81067bee\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for unauthorized API calls\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By directing CloudTrail Logs to CloudWatch Logs real-time monitoring of API calls can be achieved. Metric filter and alarm should be established for unauthorized API calls.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/83ca4867-58c1-45d6-b6b6-dbf226512891\",\r\n \"name\": \"83ca4867-58c1-45d6-b6b6-dbf226512891\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for AWS Management Console sign-in without MFA\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By directing CloudTrail Logs to CloudWatch Logs real-time monitoring of API calls can be achieved. Metric filter and alarm should be established for console logins that are not protected by multi-factor authentication (MFA).\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a269cbdb-86e8-431c-9ff2-f0ea491174d8\",\r\n \"name\": \"a269cbdb-86e8-431c-9ff2-f0ea491174d8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for usage of \\\"root\\\" account\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By directing CloudTrail Logs to CloudWatch Logs real-time monitoring of API calls can be achieved. Metric filter and alarm should be established for root account login attempts.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5ea59e47-093b-446f-9765-5b0ec4c9da61\",\r\n \"name\": \"5ea59e47-093b-446f-9765-5b0ec4c9da61\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for IAM policy changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By directing CloudTrail Logs to CloudWatch Logs real-time monitoring of API calls can be achieved. Metric filter and alarm should be established for changes made to Identity and Access Management (IAM) policies\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/011397ca-1366-4bcc-b85a-7a5e3df2e80b\",\r\n \"name\": \"011397ca-1366-4bcc-b85a-7a5e3df2e80b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for CloudTrail configuration changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By directing CloudTrail Logs to CloudWatch Logs real-time monitoring of API calls can be achieved. Metric filter and alarm should be established for changes made to CloudTrail's configurations\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c62371bc-f6a7-4915-b5b5-14288682cf79\",\r\n \"name\": \"c62371bc-f6a7-4915-b5b5-14288682cf79\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for AWS Management Console authentication failures\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By directing CloudTrail Logs to CloudWatch Logs real-time monitoring of API calls can be achieved. Metric filter and alarm should be established for failed console authentication attempts.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/293ba336-7312-42fc-a59d-836e4e678b17\",\r\n \"name\": \"293ba336-7312-42fc-a59d-836e4e678b17\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By directing CloudTrail Logs to CloudWatch Logs real-time monitoring of API calls can be achieved. Metric filter and alarm should be established for customer created CMKs which have changed state to disabled or scheduled deletion.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0b547a38-2c0d-47e1-b9a2-a59fccc140db\",\r\n \"name\": \"0b547a38-2c0d-47e1-b9a2-a59fccc140db\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for S3 bucket policy changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By directing CloudTrail Logs to CloudWatch Logs real-time monitoring of API calls can be achieved. Metric filter and alarm should be established for changes to S3 bucket policies.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7d0ad86f-f43b-4889-b2f7-09d91bd1407b\",\r\n \"name\": \"7d0ad86f-f43b-4889-b2f7-09d91bd1407b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for AWS Config configuration changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By directing CloudTrail Logs to CloudWatch Logs real-time monitoring of API calls can be achieved. Metric filter and alarm should be established for changes to AWS Config configuration settings\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b20558b6-de31-480c-8aa0-e920d62b9764\",\r\n \"name\": \"b20558b6-de31-480c-8aa0-e920d62b9764\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for security group changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By directing CloudTrail Logs to CloudWatch Logs real-time monitoring of API calls can be achieved. Metric filter and alarm should be established for changes to Security Groups.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/022efc2d-5119-480b-a203-e151b6b2645c\",\r\n \"name\": \"022efc2d-5119-480b-a203-e151b6b2645c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By directing CloudTrail Logs to CloudWatch Logs real-time monitoring of API calls can be achieved. Metric filter and alarm should be established for changes made to NACLs\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3ee7608e-f0e7-4c26-8921-5ae46c4e99df\",\r\n \"name\": \"3ee7608e-f0e7-4c26-8921-5ae46c4e99df\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for changes to network gateways\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By directing CloudTrail Logs to CloudWatch Logs real-time monitoring of API calls can be achieved. Metric filter and alarm should be established for changes to network gateways.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/33765629-073d-49eb-bab4-64bdf8ac90da\",\r\n \"name\": \"33765629-073d-49eb-bab4-64bdf8ac90da\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for route table changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By directing CloudTrail Logs to CloudWatch Logs real-time monitoring of API calls can be achieved. Metric filter and alarm should be established for changes to route tables.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9c054f50-823f-45ab-839e-9df4eb7c2f11\",\r\n \"name\": \"9c054f50-823f-45ab-839e-9df4eb7c2f11\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for VPC changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By directing CloudTrail Logs to CloudWatch Logs real-time monitoring of API calls can be achieved. Metric filter and alarm should be established for changes made to VPCs.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b3473ed6-78c0-40d5-b5f0-674e98924952\",\r\n \"name\": \"b3473ed6-78c0-40d5-b5f0-674e98924952\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure no security groups allow ingress from 0.0.0.0/0 to port 22\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. Restricting connectivity to remote console services, such as SSH, could help reduce a server's exposure to risk.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9dd55566-33b9-4c07-a959-14794ce02355\",\r\n \"name\": \"9dd55566-33b9-4c07-a959-14794ce02355\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. Restricting connectivity to remote console services, such as RDP, could help reduce a server's exposure to risk.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ad0b04b9-eaf9-49f8-b85e-724f9520e760\",\r\n \"name\": \"ad0b04b9-eaf9-49f8-b85e-724f9520e760\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure the default security group of every VPC restricts all traffic\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"When an instance is launched and no security group is specified, the instance is automatically assign to a default security group. A default security group should restrict all traffic\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"name\": \"eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Subnets should be associated with a network security group\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e71308d3-144b-4262-b144-efdc3cc90517\",\r\n \"description\": \"Protect your subnet from potential threats by restricting access to it with a network security group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. When an NSG is associated with a subnet, the ACL rules apply to all the VM instances and integrated services in that subnet, but don't apply to internal traffic inside the subnet. To secure resources in the same subnet from one another, enable NSG directly on the resources as well.\",\r\n \"remediationDescription\": \"To enable Network Security Groups on your subnets:
1. Select a subnet to enable NSG on.
2. Click the 'Network security group' section.
3. Follow the steps and select an existing network security group to attach to this specific subnet.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"name\": \"e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure DDoS Protection Standard should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd\",\r\n \"description\": \"Security Center has discovered virtual networks with Application Gateway resources unprotected by the DDoS protection service. These resources contain public IPs. Enable mitigation of network volumetric and protocol attacks.\",\r\n \"remediationDescription\": \"
1. Select a virtual network to enable the DDoS protection service standard on.
2. Select the Standard option.
3. Click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"ThreatResistance\",\r\n \"DenialOfService\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/35f45c95-27cf-4e52-891f-8390d1de5828\",\r\n \"name\": \"35f45c95-27cf-4e52-891f-8390d1de5828\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Adaptive application controls for defining safe applications should be enabled on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc\",\r\n \"description\": \"Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.\",\r\n \"remediationDescription\": \"To enable and configure adaptive application controls:
1. From the portal, open Security Center.
2. Select \\\"Adaptive application controls\\\" from Security Center's sidebar.
3. To see the groups of machines that Security Center recommends protecting with adaptive application controls, select the \\\"Recommended\\\" tab and choose a group of machines to protect.
4. Create a new applications control policy according to the instructions in Security Center's documentation: https://aka.ms/aac-newpolicy\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\",\r\n \"ThreatResistance\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1234abcd-1b53-4fd4-9835-2c2fa3935313\",\r\n \"name\": \"1234abcd-1b53-4fd4-9835-2c2fa3935313\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Allowlist rules in your adaptive application control policy should be updated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/123a3936-f020-408a-ba0c-47873faf1534\",\r\n \"description\": \"Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.\",\r\n \"remediationDescription\": \"To update your list of known-safe applications:
1. From the portal, open Security Center.
2. Select \\\"Adaptive application controls\\\" from Security Center's sidebar.
3. To see the groups of machines for which Security Center recommends updating the policy, select the \\\"Recommended\\\" tab and choose the configured group of machines.
4. The current policy will be displayed together with the new rules that Security Center recommends adding.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\",\r\n \"ThreatResistance\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f9f0eed0-f143-47bf-b856-671ea2eeed62\",\r\n \"name\": \"f9f0eed0-f143-47bf-b856-671ea2eeed62\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Adaptive network hardening recommendations should be applied on internet facing virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6\",\r\n \"description\": \"Azure Security Center has analyzed the internet traffic communication patterns of the virtual machines listed below, and determined that the existing rules in the NSGs associated to them are overly permissive, resulting in an increased potential attack surface.
This typically occurs when this IP address doesn't communicate regularly with this resource. Alternatively, the IP address has been flagged as malicious by Security Center's threat intelligence sources. learn more\",\r\n \"remediationDescription\": \"To harden the Network Security Group traffic rules, enforce the recommended rules by following the steps below or manually edit the rules directly on the Network Security Group:
- Select a VM from the list below, or click \\\"Take action\\\" if you've arrived from a specific VM's recommendation blade.
- Click the \\\"Rules\\\" tab.
- If you want to modify a recommended rule's parameters:
- In the rule that you want to change, select the three dots and select \\\"Edit rule\\\". The \\\"Edit rule\\\" blade opens.
- Modify the parameters that you want to change and click \\\"Save\\\". The blade closes.
- If you want to create a new rule:
- Click \\\"Add rule\\\" (in the top left corner). The \\\"Edit rule\\\" blade opens.
- Fill in the parameters and click \\\"Add rule\\\". The blade closes and the new rule is listed in the Rules tab.
- Select the rules that you want to apply (including any rules that you edited or added) and click \\\"Enforce\\\".
\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/805651bc-6ecd-4c73-9b55-97a19d0582d0\",\r\n \"name\": \"805651bc-6ecd-4c73-9b55-97a19d0582d0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Management ports of virtual machines should be protected with just-in-time network access control\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c\",\r\n \"description\": \"Azure Security Center has identified some overly-permissive inbound rules for management ports in your Network Security Group. Enable just-in-time access control to protect your VM from internet-based brute-force attacks. Learn more.\",\r\n \"remediationDescription\": \"To enable just-in-time VM access:
- Select one or more VMs from the list below and click \\\"Remediate\\\", or click \\\"Take action\\\" if you've arrived from a recommendation for a specific VM.
- On the \\\"JIT VM access configuration\\\" page, define the ports for which the just-in-time VM access will be applicable.
- To add additional ports, click the \\\"Add\\\" button on the top left, or click an existing port and edit it.
- On the \\\"Add port configuration\\\" blade, enter the required parameters.
- Click \\\"Save\\\".
\",\r\n \"categories\": [\r\n \"Compute\",\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/01b1ed4c-b733-4fee-b145-f23236e70cf3\",\r\n \"name\": \"01b1ed4c-b733-4fee-b145-f23236e70cf3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerability assessment solution should be installed on your virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/760a85ff-6162-42b3-8d70-698e268f648c\",\r\n \"description\": \"Install a vulnerability assessment solution on your virtual machines\",\r\n \"remediationDescription\": \"N/A\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/71992a2a-d168-42e0-b10e-6b45fa2ecddb\",\r\n \"name\": \"71992a2a-d168-42e0-b10e-6b45fa2ecddb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities should be remediated by a Vulnerability Assessment solution\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/760a85ff-6162-42b3-8d70-698e268f648c\",\r\n \"description\": \"Virtual machines for which a vulnerability assessment 3rd party solution is deployed are being continuously assessed against application and OS vulnerabilities. Whenever such vulnerabilities are found, these are available for more information as part of the recommendation.\",\r\n \"remediationDescription\": \"N/A\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\",\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bc303248-3d14-44c2-96a0-55f5c326b5fe\",\r\n \"name\": \"bc303248-3d14-44c2-96a0-55f5c326b5fe\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Management ports should be closed on your virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/22730e10-96f6-4aac-ad84-9383d35b5917\",\r\n \"description\": \"Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.\",\r\n \"remediationDescription\": \"We recommend that you edit the inbound rules of some of your virtual machines, to restrict access to specific source ranges.
To restrict access to your virtual machines:
1. Select a VM to restrict access to.
2. In the 'Networking' blade, click on each of the rules that allow management ports (e.g. RDP-3389, WINRM-5985, SSH-22).
3. Either change the 'Action' property to 'Deny', or, improve the rule by applying a less permissive range of source IP ranges.
4. Click 'Save'.
Use Azure Security Center's Just-in-time (JIT) virtual machine (VM) access to lock down inbound traffic to your Azure VMs by demand. Click here to learn more.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ThreatResistance\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c3b51c94-588b-426b-a892-24696f9e54cc\",\r\n \"name\": \"c3b51c94-588b-426b-a892-24696f9e54cc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IP forwarding on your virtual machine should be disabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744\",\r\n \"description\": \"Azure Security Center has discovered that IP forwarding is enabled on some of your virtual machines. Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.\",\r\n \"remediationDescription\": \"We recommend you edit the IP configurations of the NICs belonging to some of your virtual machines.
To disable IP forwarding:
1. Select a VM from the list below, or click 'Take action' if you've arrived from a specific VM's recommendation blade.
2. In the 'Networking' blade, click on the NIC link ('Network Interface' in the top left).
3. In the 'IP configurations' blade, set the 'IP forwarding' field to 'Disabled'.
4. Click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3b20e985-f71f-483b-b078-f30d73936d43\",\r\n \"name\": \"3b20e985-f71f-483b-b078-f30d73936d43\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"All network ports should be restricted on network security groups associated to your virtual machine\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9daedab3-fb2d-461e-b861-71790eead4f6\",\r\n \"description\": \"Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.\",\r\n \"remediationDescription\": \"We recommend that you edit the inbound rules of some of your virtual machines, to restrict access to specific source ranges.
To restrict access to your virtual machines:
1. Select a VM to restrict access to.
2. In the 'Networking' blade, click the Network Security Group with overly permissive rules.
3. In the 'Network security group' blade, click on each of the rules that are overly permissive.
4. Improve the rule by applying less permissive source IP ranges.
5. Apply the suggested changes and click 'Save'.
If some or all of these virtual machines do not need to be accessed directly from the Internet, then you can also consider removing the public IP associated to them.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/483f12ed-ae23-447e-a2de-a67a10db4353\",\r\n \"name\": \"483f12ed-ae23-447e-a2de-a67a10db4353\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Internet-facing virtual machines should be protected with network security groups\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c\",\r\n \"description\": \"Protect your VM from potential threats by restricting access to it with a network security group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your VM from other instances, in or outside the same subnet.
Please note that to keep your machine as secured as possible, both the VM access to the Internet must be restricted, and an NSG should be enabled on the subnet.
VMs with 'High' severity are Internet-facing VMs.\",\r\n \"remediationDescription\": \"To protect a virtual machine with a Network Security Group:
1. Select a VM from the list below, or click \\\"Take action\\\" if you've arrived from a recommendation for a specific VM.
2. Assign the relevant NSG to the NIC or subnet for the VM you're protecting:
a. To assign the NSG to the VM's subnet (recommended):
i. In the Networking page, select the 'Virtual network/subnet'.
ii. Open the \\\"Subnets\\\" menu.
iii. Select the subnet where your VM is deployed.
iv. Select the Network Security Group to assign to the subnet and click \\\"Save\\\".
b. To assign the NSG to the NIC:
i. In the Networking page, select the network interface that's associated with the selected VM.
ii. In the Network interfaces page, select the 'Network security group' menu item.
iii. Click 'Edit' at the top of the page.
iv. Follow the on-screen instructions and select the Network Security Group to assign to this NIC.
Click here to learn more.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a9341235-9389-42f0-a0bf-9bfb57960d44\",\r\n \"name\": \"a9341235-9389-42f0-a0bf-9bfb57960d44\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Non-internet-facing virtual machines should be protected with network security groups\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6\",\r\n \"description\": \"Protect your non-internet-facing virtual machine from potential threats by restricting access to it with a network security group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your VM from other instances, whether or not they're on the same subnet.
Note that to keep your machine as secure as possible, the VM's access to the internet must be restricted and an NSG should be enabled on the subnet.\",\r\n \"remediationDescription\": \"To protect a virtual machine with a network security group:
1. Select a VM from the list below, or click \\\"Take action\\\" if you've arrived from a recommendation for a specific VM.
2. Assign the relevant NSG to the NIC or subnet for the VM you're protecting:
a. To assign the NSG to the VM's subnet (recommended):
i. In the Networking page, select the 'Virtual network/subnet'.
ii. Open the \\\"Subnets\\\" menu.
iii. Select the subnet where your VM is deployed.
iv. Select the network security group to assign to the subnet and select \\\"Save\\\".
b. To assign the NSG to the NIC:
i. In the Networking page, select the network interface that's associated with the selected VM.
ii. In the Network interfaces page, select the 'Network security group' menu item.
iii. Select 'Edit' at the top of the page.
iv. Follow the on-screen instructions and select the network security group to assign to this NIC.
Learn more.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/550e890b-e652-4d22-8274-60b3bdb24c63\",\r\n \"name\": \"550e890b-e652-4d22-8274-60b3bdb24c63\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Enable the built-in vulnerability assessment solution on virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9\",\r\n \"description\": \"Install the Qualys extension (built-in to the Azure Security Center standard tier) to enable the industry-leading vulnerability assessment solution on your virtual machines.\",\r\n \"remediationDescription\": \"To remediate with a single click, in the Unhealthy resources tab (below), select the resources, and click 'Remediate'. Read the remediation details in the confirmation box, insert the relevant parameters if required and approve the remediation. Note: It can take several minutes after remediation completes to see the resources in the ‘healthy resources’\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ffff0522-1e88-47fc-8382-2a80ba848f5d\",\r\n \"name\": \"ffff0522-1e88-47fc-8382-2a80ba848f5d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"A vulnerability assessment solution should be enabled on your virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9\",\r\n \"description\": \"Install the extension to enable a vulnerability assessment solution on your virtual machines.\",\r\n \"remediationDescription\": \"To remediate with a single click, in the Unhealthy resources tab (below), select the resources, and click 'Remediate'. Read the remediation details in the confirmation box, insert the relevant parameters if required and approve the remediation. Note: It can take several hours after remediation completes to see the resources in the ‘healthy resources’\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/57f36d21-69e3-4b0f-a66c-18629d1b736d\",\r\n \"name\": \"57f36d21-69e3-4b0f-a66c-18629d1b736d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Adaptive Network Hardening recommendations should be applied on internal facing virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Azure Security Center has analyzed the Internet traffic communication patterns of the virtual machines listed below, and determined that the existing rules in the NSGs associated to them are overly permissive, resulting in an increased potential attack surface. This could be due lack of traffic on the port/protocol tuples or specific IPs which have been flagged as malicious by Security Center's threat intelligence sources.\",\r\n \"remediationDescription\": \"Security Center recommends that you modify the rules of your virtual machines, to close ports which are not in use.
To close unused ports on your Virtual Machine with a Network Security Group
1. Select a Virtual Machine to display a list of its unused open ports
2. Open the Virtual Machine's Networking blade by clicking its name
3. Edit the Virtual Machine's inbound/outbound rules to block ports according to the list
4. Click Save\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/24d8af06-d441-40b4-a49c-311421aa9f58\",\r\n \"name\": \"24d8af06-d441-40b4-a49c-311421aa9f58\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Network traffic data collection agent should be installed on Windows virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2f2ee1de-44aa-4762-b6bd-0893fc3f306d\",\r\n \"description\": \"Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats.\",\r\n \"remediationDescription\": \"Installation of the dependency agent and enabling data collection in Security Center can be done in several ways:
- Using Security Center automatic provisioning on your subscription(s).
- This will automatically provision the Microsoft Monitoring Dependency Agent on current and future-created virtual machines on your subscription(s). Learn more
- You can also enable it for specific subscriptions and customize additional settings by clicking on the 'Pricing & settings' menu item
- click on a subscription and enable auto provisioning in the 'data collection' menu item.
- Install the Microsoft Monitoring Dependency agent on your Virtual machines as a VM extension or directly, by following these instructions:
- Provision the Microsoft Monitoring Dependency agent with Azure Policies. The applicable policy definitions are:
- '[Preview]: Deploy Microsoft Monitoring Dependency Agent for Windows VMs.'
\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8c3e93d3-0276-4d06-b20a-9a9f3012742c\",\r\n \"name\": \"8c3e93d3-0276-4d06-b20a-9a9f3012742c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Network traffic data collection agent should be installed on Linux virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/04c4380f-3fae-46e8-96c9-30193528f602\",\r\n \"description\": \"Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats.\",\r\n \"remediationDescription\": \"Installation of the dependency agent and enabling data collection in Security Center can be done in several ways:
- Using Security Center automatic provisioning on your subscription(s).
- This will automatically provision the Microsoft Monitoring Dependency Agent on current and future-created virtual machines on your subscription(s). Learn more
- You can also enable it for specific subscriptions and customize additional settings by clicking on the 'Pricing & settings' menu item
- click on a subscription and enable auto provisioning in the 'data collection' menu item.
- Install the Microsoft Monitoring Dependency agent on your Virtual machines as a VM extension or directly, by following these instructions:
- Provision the Microsoft Monitoring Dependency agent with Azure Policies. The applicable policy definitions are:
- '[Preview]: Deploy Microsoft Monitoring Dependency Agent for Linux VMs.'
\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f67fb4ed-d481-44d7-91e5-efadf504f74a\",\r\n \"name\": \"f67fb4ed-d481-44d7-91e5-efadf504f74a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Virtual networks should be protected by Azure Firewall\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fc5e4038-4584-4632-8c85-c0448d374b2c\",\r\n \"description\": \"Some of your virtual networks aren't protected with a firewall. Use Azure Firewall to restricting access to your virtual networks and prevent potential threats. To learn more about Azure Firewall,
Click here\",\r\n \"remediationDescription\": \"To protect your virtual networks with Azure Firewall:
1. From the list below, select a network. Or select Take action if you've arrived here from a specific virtual network page.
2. Follow the Azure Firewall deployment instructions. Make sure to configure all default routes properly.
Important: Azure Firewall is billed separately from Azure Security Center. Learn more about Azure Firewall pricing.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b1af52e4-e968-4e2b-b6d0-6736c9651f0a\",\r\n \"name\": \"b1af52e4-e968-4e2b-b6d0-6736c9651f0a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Defender for Key Vault should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/0e6763cc-5078-4e64-889d-ff4d9a839047\",\r\n \"description\": \"Azure Security Center includes Azure Defender for Key Vault, providing an additional layer of security intelligence.
Azure Defender for Key Vault detects unusual and potentially harmful attempts to access or exploit Key Vault accounts.
Important: Remediating this recommendation will result in charges for protecting your key vaults. If you don't have any key vaults in this subscription, no charges will be incurred.
If you create any key vaults on this subscription in the future, they will automatically be protected and charges will begin at that time.
Learn more about Azure Defender for Key Vault.\",\r\n \"remediationDescription\": \"To enable Azure Defender on all Azure Key Vault vaults in a subscription:
1. Open Security Center's Pricing & settings page.
2. Select the subscription on which you want to enable Azure Defender.
3. Under \\\"Select Azure Defender plan by resource type\\\", set \\\"Key Vault\\\" to \\\"On\\\".\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/58d72d9d-0310-4792-9a3b-6dd111093cdb\",\r\n \"name\": \"58d72d9d-0310-4792-9a3b-6dd111093cdb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Defender for Azure SQL Database servers should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/7fe3b40f-802b-4cdd-8bd4-fd799c948cc2\",\r\n \"description\": \"Azure Defender for SQL is a unified package that provides advanced SQL security capabilities.
It includes functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate a threat to your database, and discovering and classifying sensitive data.
Important: Remediating this recommendation will result in charges for protecting your Azure SQL Database servers. If you don't have any Azure SQL Database servers in this subscription, no charges will be incurred.
If you create any Azure SQL Database servers on this subscription in the future, they will automatically be protected and charges will begin at that time.
Learn more about Azure Defender for Azure SQL Database servers.\",\r\n \"remediationDescription\": \"To enable Azure Defender on all Azure SQL Database servers in a subscription:
1. Open Security Center's Pricing & settings page.
2. Select the subscription on which you want to enable Azure Defender.
3. Under \\\"Select Azure Defender plan by resource type\\\", set \\\"Azure SQL Database servers\\\" to \\\"On\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6ac66a74-761f-4a59-928a-d373eea3f028\",\r\n \"name\": \"6ac66a74-761f-4a59-928a-d373eea3f028\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Defender for SQL servers on machines should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/6581d072-105e-4418-827f-bd446d56421b\",\r\n \"description\": \"Azure Defender for SQL is a unified package that provides advanced SQL security capabilities.
It includes functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate a threat to your database, and discovering and classifying sensitive data.
Important: Remediating this recommendation will result in charges for protecting your SQL servers on machines. If you don't have any SQL servers on machines in this subscription, no charges will be incurred.
If you create any SQL servers on machines on this subscription in the future, they will automatically be protected and charges will begin at that time.
Learn more about Azure Defender for SQL servers on machines.\",\r\n \"remediationDescription\": \"To enable Azure Defender on all SQL servers on machines in a subscription:
1. Open Security Center's Pricing & settings page.
2. Select the subscription on which you want to enable Azure Defender.
3. Under \\\"Select Azure Defender plan by resource type\\\", set \\\"SQL servers on machines\\\" to \\\"On\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1be22853-8ed1-4005-9907-ddad64cb1417\",\r\n \"name\": \"1be22853-8ed1-4005-9907-ddad64cb1417\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Defender for Storage should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/308fbb08-4ab8-4e67-9b29-592e93fb94fa\",\r\n \"description\": \"Azure Defender for storage detects unusual and potentially harmful attempts to access or exploit storage accounts.
Important: Remediating this recommendation will result in charges for protecting your Azure Storage accounts. If you don't have any Azure Storage accounts in this subscription, no charges will be incurred.
If you create any Azure Storage accounts on this subscription in the future, they will automatically be protected and charges will begin at that time.
Learn more about Azure Defender for Storage\",\r\n \"remediationDescription\": \"To enable Azure Defender on all Azure Storage accounts in a subscription:
1. Open Security Center's Pricing & settings page.
2. Select the subscription on which you want to enable Azure Defender.
3. Under \\\"Select pricing tier by resource type\\\", set \\\"Storage\\\" to \\\"Enabled\\\"\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0876ef51-fee7-449d-ba1e-f2662c7e43c6\",\r\n \"name\": \"0876ef51-fee7-449d-ba1e-f2662c7e43c6\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Defender for App Service should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/2913021d-f2fd-4f3d-b958-22354e2bdbcb\",\r\n \"description\": \"Azure Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks.
Azure Defender for App Service can discover attacks on your applications and identify emerging attacks.
Important: Remediating this recommendation will result in charges for protecting your App Service plans. If you don't have any App Service plans in this subscription, no charges will be incurred.
If you create any App Service plans on this subscription in the future, they will automatically be protected and charges will begin at that time.
Learn more about Azure Defender for App Service.\",\r\n \"remediationDescription\": \"To enable Azure Defender on all App Service plans in a subscription:
1. Open Security Center's Pricing & settings page.
2. Select the subscription on which you want to enable Azure Defender.
3. Under \\\"Select Azure Defender plan by resource type\\\", set \\\"App Service\\\" to \\\"On\\\".\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/53572822-d3fc-4363-bfb9-248645841612\",\r\n \"name\": \"53572822-d3fc-4363-bfb9-248645841612\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Defender for container registries should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/c25d9a16-bc35-4e15-a7e5-9db606bf9ed4\",\r\n \"description\": \"To build secure containerized workloads, ensure the images that they're based on are free of known vulnerabilities.
Azure Defender for container registries scans your registry for security vulnerabilities on each pushed container image and exposes detailed findings per image.
To improve your containers' security posture and protect them from attacks, enable Azure Defender for container registries.
Important: Remediating this recommendation will result in charges for protecting your container registries. If you don't have any container registries in this subscription, no charges will be incurred.
If you create any container registries on this subscription in the future, they will automatically be protected and charges will begin at that time.
Learn more about Azure Defender for container registries.\",\r\n \"remediationDescription\": \"To enable Azure Defender on all container registries in a subscription:
1. Open Security Center's Pricing & settings page.
2. Select the subscription on which you want to enable Azure Defender.
3. Under \\\"Select Azure Defender plan by resource type\\\", set \\\"Container Registries\\\" to \\\"On\\\".\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/86ea1a79-29d3-4eac-a9f4-3541ace4e718\",\r\n \"name\": \"86ea1a79-29d3-4eac-a9f4-3541ace4e718\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Defender for Kubernetes should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/523b5cd1-3e23-492f-a539-13118b6d1e3a\",\r\n \"description\": \"Azure Defender for Kubernetes provides real-time threat protection for your containerized environments and generates alerts for suspicious activities.
You can use this information to quickly remediate security issues and improve the security of your containers.
Important: Remediating this recommendation will result in charges for protecting your Kubernetes clusters. If you don't have any Kubernetes clusters in this subscription, no charges will be incurred.
If you create any Kubernetes clusters on this subscription in the future, they will automatically be protected and charges will begin at that time.
Learn more about Azure Defender for Kubernetes.\",\r\n \"remediationDescription\": \"To enable Azure Defender on all Kubernetes clusters in a subscription:
1. Open Security Center's Pricing & settings page.
2. Select the subscription on which you want to enable Azure Defender.
3. Under \\\"Select Azure Defender plan by resource type\\\", set \\\"Kubernetes\\\" to \\\"On\\\".\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"MaliciousInsider\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\",\r\n \"DenialOfService\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/56a6e81f-7413-4f72-9a1b-aaeeaa87c872\",\r\n \"name\": \"56a6e81f-7413-4f72-9a1b-aaeeaa87c872\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Defender for servers should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/4da35fc9-c9e7-4960-aec9-797fe7d9051d\",\r\n \"description\": \"Azure Defender for servers provides real-time threat protection for your server workloads and generates hardening recommendations as well as alerts about suspicious activities.
You can use this information to quickly remediate security issues and improve the security of your servers.
Important: Remediating this recommendation will result in charges for protecting your servers. If you don't have any servers in this subscription, no charges will be incurred.
If you create any servers on this subscription in the future, they will automatically be protected and charges will begin at that time.
Learn more about Azure Defender for servers.\",\r\n \"remediationDescription\": \"To enable Azure Defender on all servers in a subscription:
1. Open Security Center's Pricing & settings page.
2. Select the subscription on which you want to enable Azure Defender.
3. Under \\\"Select Azure Defender plan by resource type\\\", set \\\"Servers\\\" to \\\"On\\\".\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b0df6f56-862d-4730-8597-38c0fd4ebd59\",\r\n \"name\": \"b0df6f56-862d-4730-8597-38c0fd4ebd59\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Sensitive data in your SQL databases should be classified\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/cc9835f2-9f6b-4cc8-ab4a-f8ef615eb349\",\r\n \"description\": \"Azure SQL DB Data discovery & classification provides capabilities for discovering, classifying, labeling, and protecting the sensitive data in your databases. Once your data is classified, you can use Azure SQL DB auditing to audit access and monitor the sensitive data. Azure SQL DB also enables Advanced Threat Protection features which creates intelligent alerts based on changes in the access patterns to the sensitive data.\",\r\n \"remediationDescription\": \"To remediate this recommendation:
1. In your SQL database, go to 'Advanced Data Security' and click 'Data Discovery and Classification'.
2. Review the recommended classifications.
3. Apply the relevant recommendations and dismiss the ones that are not applicable.
4. Please note that the updated health status for the database will not be reflected immediately and can take up to a week to refresh. You can make this happen faster by triggering a database Vulnerability Assessment scan: in your SQL database go to 'Advanced Data Security', click 'Vulnerability Assessment' and click 'Scan'. The health status of the database will be updated within 1 day from scan completion.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f97aa83c-9b63-4f9a-99f6-b22c4398f936\",\r\n \"name\": \"f97aa83c-9b63-4f9a-99f6-b22c4398f936\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerability assessment findings on your SQL servers on machines should be remediated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"SQL Vulnerability Assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.\",\r\n \"remediationDescription\": \"To resolve SQL vulnerabilities:
1. In your SQL database, go to 'Advanced Data Security' and click 'Vulnerability Assessment'.
2. Review the set of Failed security checks found by the scan, which are sorted from high to low risk.
3. Click on each vulnerability to view its details and explicit remediation instructions and scripts.
4. Either remediate the vulnerability using the provided script, or set the result as an acceptable Baseline for the check so that it will be considered passing in subsequent scans.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/dbd0cb49-b563-45e7-9724-889e799fa648\",\r\n \"name\": \"dbd0cb49-b563-45e7-9724-889e799fa648\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities in Azure Container Registry images should be remediated (powered by Qualys)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5f0f936f-2f01-4bf5-b6be-d423792fa562\",\r\n \"description\": \"Container image vulnerability assessment scans your registry for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks.\",\r\n \"remediationDescription\": \"To resolve container image vulnerabilities:
1. Navigate to the relevant resource under the 'Unhealthy' section and select the container image you are looking to remediate.
2. Review the set of failed security checks found by the scan, which are sorted from high to low risk.
3. Click on each vulnerability to view its details and explicit remediation instructions and scripts.
4. Remediate the vulnerability using the provided instructions described in the 'Remediation' field.
5. Upload the new remediated image to your registry. Review scan results for the new image to verify the vulnerability no longer exists.
6. Delete the old image with the vulnerability from your registry.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1195afff-c881-495e-9bc5-1486211ae03f\",\r\n \"name\": \"1195afff-c881-495e-9bc5-1486211ae03f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities in your virtual machines should be remediated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9\",\r\n \"description\": \"Monitors for vulnerability findings on your virtual machines as were discovered by the built-in vulnerability assessment solution of Azure Security Center (powered by Qualys).\",\r\n \"remediationDescription\": \"Review and remediate vulnerabilities discovered by a vulnerability assessment solution.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/82e20e14-edc5-4373-bfc4-f13121257c37\",\r\n \"name\": \"82e20e14-edc5-4373-bfc4-f13121257c37\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerability assessment findings on your SQL databases should be remediated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc\",\r\n \"description\": \"SQL Vulnerability Assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.\",\r\n \"remediationDescription\": \"To resolve SQL vulnerabilities:
1. In your SQL database, go to 'Advanced Data Security' and click 'Vulnerability Assessment'.
2. Review the set of Failed security checks found by the scan, which are sorted from high to low risk.
3. Click on each vulnerability to view its details and explicit remediation instructions and scripts.
4. Either remediate the vulnerability using the provided script, or set the result as an acceptable Baseline for the check so that it will be considered passing in subsequent scans.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4ab6e3c5-74dd-8b35-9ab9-f61b30875b27\",\r\n \"name\": \"4ab6e3c5-74dd-8b35-9ab9-f61b30875b27\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"System updates should be installed on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60\",\r\n \"description\": \"Install missing system security and critical updates to secure your Windows and Linux virtual machines and computers\",\r\n \"remediationDescription\": \"
1. Click an identified outstanding update.
2. In the Missing system updates pane, click the support link (when exists) and follow the instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/37a3689a-818e-4a0e-82ac-b1392b9bb000\",\r\n \"name\": \"37a3689a-818e-4a0e-82ac-b1392b9bb000\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Endpoint protection health issues should be resolved on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9\",\r\n \"description\": \"Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/en-us/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions- Endpoint protection assessment is documented here - https://docs.microsoft.com/en-us/azure/security-center/security-center-endpoint-protection\",\r\n \"remediationDescription\": \"
1. Confirm that your solution is on the list of tools supported by Security Center.
2. For a list of possible health issues with your solution and advice on how to resolve the health issues, consult this page of the Security Center documentation\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/08e628db-e2ed-4793-bc91-d13e684401c3\",\r\n \"name\": \"08e628db-e2ed-4793-bc91-d13e684401c3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Policy Add-on for Kubernetes should be installed and enabled on your clusters\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a15ec92-a229-4763-bb14-0ea34a568f8d\",\r\n \"description\": \"Azure Policy Add-on for Kubernetes extends Gatekeeper v3, an admission controller webhook for Open Policy Agent (OPA), to apply at-scale enforcements and safeguards on your clusters in a centralized, consistent manner.Security Center requires the Add-on to audit and enforce security capabilities and compliance inside your clusters. Learn more.
Requires Kubernetes v1.14.0 or later.
\",\r\n \"remediationDescription\": \"To configure the Azure Policy Add-on for use with your Azure Kubernetes Service cluster, follow the instructions in Install Azure Policy Add-on for AKS.
\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/405c9ae6-49f9-46c4-8873-a86690f27818\",\r\n \"name\": \"405c9ae6-49f9-46c4-8873-a86690f27818\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Container CPU and memory limits should be enforced\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e345eecc-fa47-480f-9e88-67dcc122b164\",\r\n \"description\": \"Enforcing CPU and memory limits prevents resource exhaustion attacks (a form of denial of service attack).We recommend setting limits for containers to ensure the runtime prevents the container from using more than the configured resource limit.
\",\r\n \"remediationDescription\": \"From the 'Unhealthy resources' tab, select the cluster. Security Center lists the pods without CPU and memory limits. To control a pod's limits, set quotas at the container level. Each container of a pod can specify one or both of the following:- spec.containers[].resources.limits.cpu
- spec.containers[].resources.limits.memory
After making your changes, redeploy the pod with the new limits.
Note: Although requests and limits can only be specified on individual containers, it is convenient to talk about pod resource limits. A Pod resource limit is the sum of the resource limits for all the containers in the pod. Learn more.
\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"threats\": [\r\n \"DenialOfService\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5d90913f-a1c5-4429-ad54-2c6c17fb3c73\",\r\n \"name\": \"5d90913f-a1c5-4429-ad54-2c6c17fb3c73\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Privileged containers should be avoided\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/95edb821-ddaf-4404-9732-666045e056b4\",\r\n \"description\": \"To prevent unrestricted host access, avoid privileged containers whenever possible.Privileged containers have all of the root capabilities of a host machine. They can be used as entry points for attacks and to spread malicious code or malware to compromised applications, hosts and networks.
\",\r\n \"remediationDescription\": \"From the 'Unhealthy resources' tab, select the cluster. Security Center lists the pods running privileged containers.For these pods, set the privileged flag to 'false' on the security context of the container's spec. After making your changes, redeploy the pod with the updated spec.
\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"threats\": [\r\n \"ElevationOfPrivilege\",\r\n \"DataExfiltration\",\r\n \"ThreatResistance\",\r\n \"DenialOfService\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8d244d29-fa00-4332-b935-c3a51d525417\",\r\n \"name\": \"8d244d29-fa00-4332-b935-c3a51d525417\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Container images should be deployed from trusted registries only\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/febd0533-8e55-448f-b837-bd0e06f16469\",\r\n \"description\": \"Images running on your Kubernetes cluster should come from known and monitored container image registries. Trusted registries reduce your cluster's exposure risk by limiting the potential for the introduction of unknown vulnerabilities, security issues and malicious images.\",\r\n \"remediationDescription\": \"- Ensure a regex, defining your organization private registries is configured, via the security policy parameters.
- From the 'Unhealthy resources' tab, select the cluster. Security Center lists the pods running images from untrusted registries. If you see a pod running an unfamiliar image, remove it and report the incident to your security admin. Otherwise, move all images to a trusted private registry and redeploy the pods with the updated registry.
\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5f88450f-9546-4b78-a181-a2d9162bb441\",\r\n \"name\": \"5f88450f-9546-4b78-a181-a2d9162bb441\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Containers should listen on allowed ports only\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/440b515e-a580-421e-abeb-b159a61ddcbc\",\r\n \"description\": \"To reduce the attack surface of your Kubernetes cluster, restrict access to the cluster by limiting containers access to the configured ports.\",\r\n \"remediationDescription\": \"- Ensure a list of ports on which your containers are allowed to listen, is configured, via the security policy parameters.
- From the 'Unhealthy resources' tab, select the cluster. Security Centers lists the pods running containers which listen on ports outside the configured list.
- Limit the containers' ports. After making your changes, redeploy the pods with the updated ports.
\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"threats\": [\r\n \"ThreatResistance\",\r\n \"DenialOfService\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/add45209-73f6-4fa5-a5a5-74a451b07fbe\",\r\n \"name\": \"add45209-73f6-4fa5-a5a5-74a451b07fbe\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Services should listen on allowed ports only\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/233a2a17-77ca-4fb1-9b6b-69223d272a44\",\r\n \"description\": \"To reduce the attack surface of your Kubernetes cluster, restrict access to the cluster by limiting services access to the configured ports.\",\r\n \"remediationDescription\": \"- Ensure a list of ports on which your services are allowed to listen, is configured, via the security policy parameters.
- From the 'Unhealthy resources' tab, select the cluster. Security Center lists the services which listen on ports outside the configured list.
- Limit the services' ports. After making your changes, redeploy the services with the updated ports.
\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"threats\": [\r\n \"ThreatResistance\",\r\n \"DenialOfService\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/11c95609-3553-430d-b788-fd41cde8b2db\",\r\n \"name\": \"11c95609-3553-430d-b788-fd41cde8b2db\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Least privileged Linux capabilities should be enforced for containers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c26596ff-4d70-4e6a-9a30-c2506bd2f80c\",\r\n \"description\": \"To reduce attack surface of your container, restrict Linux capabilities and grant specific privileges to containers without granting all the privileges of the root user. We recommend dropping all capabilities, then adding those that are required\",\r\n \"remediationDescription\": \"
1. Make sure lists of dropped capabilities and allowed capabilities are configured, via the security policy parameters.
2. From the Unhealthy resources tab, select the cluster. Security Center lists the running containers with capabilities outside the configured list.
3. Limit the containers' Linux capabilities. To add or remove Linux capabilities for a container, include a capabilities section in the securityContext section of the container manifest with the relevant capabilities set e.g. Drop: ALL ; add: ['NET_ADMIN', 'SYS_TIME'].
4. After making your changes, redeploy the pod with the updated capabilities.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"threats\": [\r\n \"ElevationOfPrivilege\",\r\n \"DataExfiltration\",\r\n \"ThreatResistance\",\r\n \"DenialOfService\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/27d6f0e9-b4d5-468b-ae7e-03d5473fd864\",\r\n \"name\": \"27d6f0e9-b4d5-468b-ae7e-03d5473fd864\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Immutable (read-only) root filesystem should be enforced for containers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/df49d893-a74c-421d-bc95-c663042e5b80\",\r\n \"description\": \"Containers should run with a read only root file system in your Kubernetes cluster. Immutable filesystem protects containers from changes at run-time with malicious binaries being added to PATH.\",\r\n \"remediationDescription\": \"
1. From the Unhealthy resources tab, select the cluster. Security Center lists the pods running containers without read only root file system.
2. For these pods, set the readOnlyRootFilesystem flag to 'true' on the security context of the container's spec.
3. After making your changes, redeploy the pod with the updated spec.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f0debc84-981c-4a0d-924d-aa4bd7d55fef\",\r\n \"name\": \"f0debc84-981c-4a0d-924d-aa4bd7d55fef\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Usage of pod HostPath volume mounts should be restricted to a known list to restrict node access from compromised containers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/098fc59e-46c7-4d99-9b16-64990e543d75\",\r\n \"description\": \"We recommend limiting pod HostPath volume mounts in your Kubernetes cluster to the configured allowed host paths. In case of compromise, the container node access from the containers should be restricted\",\r\n \"remediationDescription\": \"
1. Ensure a list of allowed host paths is configured, via the security policy parameters.
2. From the Unhealthy resources tab, select the cluster. Security Center lists the pods running pods with hostPath volume violating the configured list.
3. Update hostPath and redeploy the pod with the updated spec.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9b795646-9130-41a4-90b7-df9eae2437c8\",\r\n \"name\": \"9b795646-9130-41a4-90b7-df9eae2437c8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Running containers as root user should be avoided\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f06ddb64-5fa3-4b77-b166-acb36f7f6042\",\r\n \"description\": \"Containers should run as a non-root users in your Kubernetes cluster. Running a process as the root user inside a container runs it as root on the host. In case of compromise, an attacker has root in the container, and any mis-configurations become easier to exploit.\",\r\n \"remediationDescription\": \"
1. From the Unhealthy resources tab, select the cluster. Security Center lists the pods running containers missing the 'MustRunAsNonRoot' rule.
2. For these pods, add rule: 'MustRunAsNonRoot' in a runAsUser section of the container's spec.
3. After making your changes, redeploy the pod with the updated rule. \",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ebc68898-5c0f-4353-a426-4a5f1e737b12\",\r\n \"name\": \"ebc68898-5c0f-4353-a426-4a5f1e737b12\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Usage of host networking and ports should be restricted\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/82985f06-dc18-4a48-bc1c-b9f4f0098cfe\",\r\n \"description\": \"Restrict pod access to the host network and the allowable host port range in a Kubernetes cluster. Pods created with the hostNetwork attribute enabled will share the node’s network space. To avoid compromised container from sniffing network traffic, we recommend not putting your pods on the host network. If you need to expose a container port on the node’s network, and using a Kubernetes Service node port does not meet your needs, another possibility is to specify a hostPort for the container in the pod spec.\",\r\n \"remediationDescription\": \"
1. Ensure the following are all configured in the security policy parameters: allow host network usage, and min and max host ports.
2. From the Unhealthy resources tab, select the cluster. Security Center lists the pods running containers with host networking violating the configured list.
3. Validate the host networking using the hostNetwork and hostPort attributes (when applicable) of the container's spec.
4. After making your changes, redeploy the pod with the updated spec.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/802c0637-5a8c-4c98-abd7-7c96d89d6010\",\r\n \"name\": \"802c0637-5a8c-4c98-abd7-7c96d89d6010\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Containers sharing sensitive host namespaces should be avoided\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8\",\r\n \"description\": \"To protect against privilege escalation outside the container, avoid pod access to sensitive host namespaces (host process ID and host IPC) in a Kubernetes cluster.\",\r\n \"remediationDescription\": \"
1. From the Unhealthy resources tab, select the cluster. Security Center lists the pods sharing host process ID or host IPC.
2. Set the host process ID and host IPC to 'false' on the pod's spec.
3. After making your changes, redeploy the pod with the updated spec.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/43dc2a2e-ce69-4d42-923e-ab7d136f2cfe\",\r\n \"name\": \"43dc2a2e-ce69-4d42-923e-ab7d136f2cfe\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Container with privilege escalation should be avoided\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1c6e92c9-99f0-4e55-9cf2-0c234dc48f99\",\r\n \"description\": \"Containers shouldn't run with privilege escalation to root in your Kubernetes cluster.<br>The AllowPrivilegeEscalation attribute controls whether a process can gain more privileges than its parent process.\",\r\n \"remediationDescription\": \"
1. From the Unhealthy resources tab, select the cluster. Security Center lists the pods running containers with privilege escalation to root in your Kubernetes cluster.
2. For these pods, set the AllowPrivilegeEscalation flag to 'false' on the security context of the container's spec.
3. After making your changes, redeploy the pod with the updated spec.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/86f91051-9d6a-47c3-a07f-bd14cb214b45\",\r\n \"name\": \"86f91051-9d6a-47c3-a07f-bd14cb214b45\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Overriding or disabling of containers AppArmor profile should be restricted\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/511f5417-5d12-434d-ab2e-816901e72a5e\",\r\n \"description\": \"Containers running on your Kubernetes cluster should be limited to allowed AppArmor profiles only.<br>AppArmor (Application Armor) is a Linux security module that protects an operating system and its applications from security threats. To use it, a system administrator associates an AppArmor security profile with each program.\",\r\n \"remediationDescription\": \"
1. Ensure a list of AppArmor profiles containers are allowed to use is configured, via the security policy parameters.
2. From the Unhealthy resources tab, select the cluster. Security Center lists the running pods with AppArmor profile violating the configured list.
3. Update AppArmor annotation in the Pod's metadata and redeploy the pod with the updated spec.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessmentMetadata/0338728b-bc5c-41d6-ab83-29cf28652680\",\r\n \"name\": \"0338728b-bc5c-41d6-ab83-29cf28652680\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Testing the cmdlet\",\r\n \"assessmentType\": \"CustomerManaged\",\r\n \"description\": \"Testing that creating a new metadata is working\",\r\n \"categories\": [\r\n \"Unknown\"\r\n ],\r\n \"severity\": \"High\"\r\n }\r\n }\r\n ]\r\n}",
+ "ResponseBody": "{\r\n \"value\": [\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4fb67663-9ab9-475d-b026-8c544cced439\",\r\n \"name\": \"4fb67663-9ab9-475d-b026-8c544cced439\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Endpoint protection should be installed on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9\",\r\n \"description\": \"To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.
Learn more about how Endpoint Protection for machines is evaluated.\",\r\n \"remediationDescription\": \"To remediate missing endpoint protection:
1. Confirm that your solution is on the list of tools supported by Security Center.
2. Install the supported endpoint protection solution or enable an existing tool.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0396b18c-41aa-489c-affd-4ee5d1714a59\",\r\n \"name\": \"0396b18c-41aa-489c-affd-4ee5d1714a59\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Secure Boot should be enabled on your virtual machine\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Enabling Secure Boot on your virtual machine helps mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only signed code will be allowed to run on your VM or server.\",\r\n \"remediationDescription\": \"Enabling Secure Boot requires restarting your virtual machine:
1. Stop your VM when it is safe to do so.
2. Enable Secure Boot for the VM.
3. Restart the VM.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ElevationOfPrivilege\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f7010359-8d21-4598-a9f2-c3e81a17141e\",\r\n \"name\": \"f7010359-8d21-4598-a9f2-c3e81a17141e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"All advanced threat protection types should be enabled in SQL server advanced data security settings\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e756b945-1b1b-480b-8de8-9a0859d5f7ad\",\r\n \"description\": \"It is recommended to enable all advanced threat protection types on your SQL servers. Enabling all types protects against SQL injection, database vulnerabilities, and any other anomalous activities.\",\r\n \"remediationDescription\": \"To set advanced threat protection types to 'All' on SQL servers:
1. Select the SQL server.
2. Make sure that 'Advanced data security' is set to 'On'.
3. Under 'Advanced threat protection types', mark the check box for 'all'.
4. click OK.
5. Click Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ebe970fe-9c27-4dd7-a165-1e943d565e10\",\r\n \"name\": \"ebe970fe-9c27-4dd7-a165-1e943d565e10\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"All advanced threat protection types should be enabled in SQL managed instance advanced data security settings\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bda18df3-5e41-4709-add9-2554ce68c966\",\r\n \"description\": \"It is recommended to enable all advanced threat protection types on your SQL managed instances. Enabling all types protects against SQL injection, database vulnerabilities, and any other anomalous activities.\",\r\n \"remediationDescription\": \"To set advanced threat protection types to 'All' on a managed instance:
1. Select the SQL server.
2. Make sure that 'Advanced data security' is set to 'On'.
3. Under 'Advanced threat protection types', mark the check box for 'all'.
4. click OK.
5. Click Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/64b8637e-4e1d-76a9-0fc9-c1e487a97ed8\",\r\n \"name\": \"64b8637e-4e1d-76a9-0fc9-c1e487a97ed8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Remote debugging should be turned off for Web Applications\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/cb510bfd-1cba-4d9f-a230-cb0976f4bb71\",\r\n \"description\": \"Remote debugging requires inbound ports to be opened on a web application. Remote debugging is currently enabled. If you no longer need to use remote debugging, it should be turned off.\",\r\n \"remediationDescription\": \"To turn off remote debugging, we recommend the following steps:
1. Go to the app service applications settings page
2. In the remote debugging toggle select Off
3. Click Save\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/df4d1739-47f0-60c7-1706-3731fea6ab03\",\r\n \"name\": \"df4d1739-47f0-60c7-1706-3731fea6ab03\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CORS should not allow every resource to access your Web Applications\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/5744710e-cc2f-4ee8-8809-3b11e89f4bc9\",\r\n \"description\": \"Cross-Origin Resource Sharing (CORS) should not allow all domains to access your web application. Allow only required domains to interact with your web app.\",\r\n \"remediationDescription\": \"To allow only required domains to interact with your web app, we recommend the following steps:
1. Go to the app service CORS page
2. Remove the \\\"*\\\" defined and instead specify explicit origins that should be allowed to make cross-origin calls
3. Click Save\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1b351b29-41ca-6df5-946c-c190a56be5fe\",\r\n \"name\": \"1b351b29-41ca-6df5-946c-c190a56be5fe\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Web Application should only be accessible over HTTPS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d\",\r\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\",\r\n \"remediationDescription\": \"To redirect all HTTP traffic to HTTPS, we recommend the following steps:
1. Go to the app service custom domains page
2. In the HTTPS Only toggle select On\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/093c685b-56dd-13a3-8ed5-887a001837a2\",\r\n \"name\": \"093c685b-56dd-13a3-8ed5-887a001837a2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Remote debugging should be turned off for Function App\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/0e60b895-3786-45da-8377-9c6b4b6ac5f9\",\r\n \"description\": \"Remote debugging requires inbound ports to be opened on an function app. Remote debugging should be turned off.\",\r\n \"remediationDescription\": \"To turn off remote debugging, we recommend the following steps:
1. Go to the app service applications settings page
2. In the remote debugging toggle select Off
3. Click Save\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7b3d4796-9400-2904-692b-4a5ede7f0a1e\",\r\n \"name\": \"7b3d4796-9400-2904-692b-4a5ede7f0a1e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CORS should not allow every resource to access your Function App\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/0820b7b9-23aa-4725-a1ce-ae4558f718e5\",\r\n \"description\": \"Cross-Origin Resource Sharing (CORS) should not allow all domains to access your Function app. Allow only required domains to interact with your Function app.\",\r\n \"remediationDescription\": \"To allow only required domains to interact with your web app, we recommend the following steps:
1. Go to the app service CORS page
2. Remove the \\\"*\\\" defined and instead specify explicit origins that should be allowed to make cross-origin calls
3. Click Save\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/cb0acdc6-0846-fd48-debe-9905af151b6d\",\r\n \"name\": \"cb0acdc6-0846-fd48-debe-9905af151b6d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Function App should only be accessible over HTTPS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab\",\r\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\",\r\n \"remediationDescription\": \"To redirect all HTTP traffic to HTTPS, we recommend the following steps:
1. Go to the app service custom domains page
2. In the HTTPS Only toggle select On\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9172da4e-9571-6e33-2b5b-d742847f3be7\",\r\n \"name\": \"9172da4e-9571-6e33-2b5b-d742847f3be7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Remote debugging should be turned off for API App\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/e9c8d085-d9cc-4b17-9cdc-059f1f01f19e\",\r\n \"description\": \"Remote debugging requires inbound ports to be opened on an API app. Remote debugging should be turned off.\",\r\n \"remediationDescription\": \"To turn off remote debugging, we recommend the following steps:
1. Go to the app service applications settings page
2. In the remote debugging toggle select Off
3. Click Save\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e40df93c-7a7c-1b0a-c787-9987ceb98e54\",\r\n \"name\": \"e40df93c-7a7c-1b0a-c787-9987ceb98e54\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CORS should not allow every resource to access your API App\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/358c20a6-3f9e-4f0e-97ff-c6ce485e2aac\",\r\n \"description\": \"Cross-Origin Resource Sharing (CORS) should not allow all domains to access your API app. Allow only required domains to interact with your API app.\",\r\n \"remediationDescription\": \"To allow only required domains to interact with your web app, we recommend the following steps:
1. Go to the app service CORS page
2. Remove the \\\"*\\\" defined and instead specify explicit origins that should be allowed to make cross-origin calls
3. Click Save\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bf82a334-13b6-ca57-ea75-096fc2ffce50\",\r\n \"name\": \"bf82a334-13b6-ca57-ea75-096fc2ffce50\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"API App should only be accessible over HTTPS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b7ddfbdc-1260-477d-91fd-98bd9be789a6\",\r\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\",\r\n \"remediationDescription\": \"To redirect all HTTP traffic to HTTPS, we recommend the following steps:
1. Go to the app service custom domains page
2. In the HTTPS Only toggle select On\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d57a4221-a804-52ca-3dea-768284f06bb7\",\r\n \"name\": \"d57a4221-a804-52ca-3dea-768284f06bb7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Disk encryption should be applied on virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d\",\r\n \"description\": \"Encrypt your virtual machine disks using Azure Disk Encryption both for Windows and Linux virtual machines.
\\n Azure Disk Encryption (ADE) leverages the industry standard BitLocker feature of Windows and the DM-Crypt feature of Linux to
\\n provide OS and data disk encryption to help protect and safeguard your data and help meet your organizational security and
\\n compliance commitments in customer Azure key vault. When your compliance and security requirement requires you to encrypt
\\n the data end to end using your encryption keys, including encryption of the ephemeral (locally attached temporary) disk, use
\\n Azure disk encryption. Alternatively, by default, Managed Disks are encrypted at rest by default using Azure Storage Service
\\n Encryption where the encryption keys are Microsoft managed keys in Azure. If this meets your compliance and security requirements,
\\n you can leverage the default Managed disk encryption to meet your requirements.\",\r\n \"remediationDescription\": \"To enable disk encryption on your virtual machines, follow Encryption instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c0f5316d-5ac5-9218-b77a-b96e16ccfd66\",\r\n \"name\": \"c0f5316d-5ac5-9218-b77a-b96e16ccfd66\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Your machines should be restarted to apply system updates\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60\",\r\n \"description\": \"Restart your machines to apply the system updates and secure the machine from vulnerabilities.\",\r\n \"remediationDescription\": \"To restart the machine:
1. Go to Virtual machines and click on your machine.
2. Click 'Restart'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/181ac480-f7c4-544b-9865-11b8ffe87f47\",\r\n \"name\": \"181ac480-f7c4-544b-9865-11b8ffe87f47\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities in security configuration on your machines should be remediated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15\",\r\n \"description\": \"Remediate vulnerabilities in security configuration on your machines to protect them from attacks.\",\r\n \"remediationDescription\": \"1.\\tClick any of the configuration vulnerabilities. 2. In the Remediate security configurations pane, click View affected machines. 3. Click a machine from the list. 4. Customize the Kusto query as necessary and run the command.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3bcd234d-c9c7-c2a2-89e0-c01f419c1a8a\",\r\n \"name\": \"3bcd234d-c9c7-c2a2-89e0-c01f419c1a8a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Endpoint protection health issues should be resolved on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9\",\r\n \"description\": \"For full Security Center protection, resolve monitoring agent issues on your machines by following the instructions in the Troubleshooting guide.\",\r\n \"remediationDescription\": \"1. Click any of the health issues. 2. Select a workspace. 3. Customize the Kusto query as necessary and run the command.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/83f577bd-a1b6-b7e1-0891-12ca19d1e6df\",\r\n \"name\": \"83f577bd-a1b6-b7e1-0891-12ca19d1e6df\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Install endpoint protection solution on virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9\",\r\n \"description\": \"Install an endpoint protection solution on your virtual machines, to protect them from threats and vulnerabilities.\",\r\n \"remediationDescription\": \"1.\\tSelect one or more virtual machines, or use the filter to set criteria for which machines to select. 2. Click Install on [x] VMs.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/651967bf-044e-4bde-8376-3e08e0600105\",\r\n \"name\": \"651967bf-044e-4bde-8376-3e08e0600105\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Transparent Data Encryption on SQL databases should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/17k78e20-9358-41c9-923c-fb736d382a12\",\r\n \"description\": \"Enable transparent data encryption to protect data-at-rest and meet compliance requirements\",\r\n \"remediationDescription\": \"To enable transparent data encryption on your SQL databases:
1. Select the SQL database.
2. Under Data encryption, select On.
3. Click Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/94208a8b-16e8-4e5b-abbd-4e81c9d02bee\",\r\n \"name\": \"94208a8b-16e8-4e5b-abbd-4e81c9d02bee\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Auditing on SQL server should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9\",\r\n \"description\": \"Enable auditing on your SQL Server to track database activities across all databases on the server and save them in an audit log.\",\r\n \"remediationDescription\": \"To enable SQL server auditing:
1. Select the SQL server.
2. Under Auditing, select On.
3. Select Storage details and configure a storage account for the audit log.
4. Click Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8bc390da-9eb6-938d-25ed-44a35d9bcc9d\",\r\n \"name\": \"8bc390da-9eb6-938d-25ed-44a35d9bcc9d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"OS version should be updated for your cloud service roles\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5a913c68-0590-402c-a531-e57e19379da3\",\r\n \"description\": \"Update the operating system (OS) version for your cloud service roles to the most recent version available for your OS family.\",\r\n \"remediationDescription\": \"Update the OS version on your cloud service roles to make sure you have the most recent OS version. To do this, follow the instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/383cf3bc-fdf9-4a02-120a-3e7e36c6bfee\",\r\n \"name\": \"383cf3bc-fdf9-4a02-120a-3e7e36c6bfee\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Install endpoint protection solution on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Install an endpoint protection solution on your Windows and Linux machines, to protect them from threats and vulnerabilities.\",\r\n \"remediationDescription\": \"1. Select one or more machines, or use the filter to set criteria for which machines to select. 2. Click Install on [x] machines.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e7ee30c4-bac9-2966-54bd-2023a4282872\",\r\n \"name\": \"e7ee30c4-bac9-2966-54bd-2023a4282872\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Monitoring agent should be installed on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This action installs a monitoring agent on the selected virtual machines. Select a workspace for the agent to report to.\",\r\n \"remediationDescription\": \"1. For instructions on how to install the agent on Windows, click here 2. For instructions on how to install the agent on Linux, click here\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8e2b96ff-3de2-289b-b5c1-3b9921a3441e\",\r\n \"name\": \"8e2b96ff-3de2-289b-b5c1-3b9921a3441e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Log Analytics agent health issues should be resolved on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d62cfe2b-3ab0-4d41-980d-76803b58ca65\",\r\n \"description\": \"Security Center uses the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA). To make sure your virtual machines are successfully monitored, you need to make sure the agent is both installed on the virtual machines and properly collects security events to the configured workspace.\",\r\n \"remediationDescription\": \"To resolve Log Analytics agent health issues and see the different resolution for each issue, please see the following instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d1db3318-01ff-16de-29eb-28b344515626\",\r\n \"name\": \"d1db3318-01ff-16de-29eb-28b344515626\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Log Analytics agent should be installed on your virtual machine\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499\",\r\n \"description\": \"Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats. Data is collected using the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA), which reads various security-related configurations and event logs from the machine and copies the data to your Log Analytics workspace for analysis. This agent is also is required if your VMs are used by an Azure managed service such as Azure Kubernetes Service or Azure Service Fabric. We recommend configuring auto-provisioning to automatically deploy the agent. If you choose not to use auto-provisioning, manually deploy the agent to your VMs using the instructions in the remediation steps.\",\r\n \"remediationDescription\": \"For multiple ways to install and configure your Log Analytics agent please see the following instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/151e82c5-5341-a74b-1eb0-bc38d2c84bb5\",\r\n \"name\": \"151e82c5-5341-a74b-1eb0-bc38d2c84bb5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"MFA should be enabled on accounts with read permissions on your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e3576e28-8b17-4677-84c3-db2990658d64\",\r\n \"description\": \"Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources.\",\r\n \"remediationDescription\": \"To enable MFA using conditional access you must have an Azure AD Premium license and have AD tenant admin permissions.
1. Select the relevant subscription or click 'Take action' if it's available. The list of user accounts without MFA appears.
2. Click 'Continue'. The Azure AD Conditional Access page appears.
3. In the Conditional Access page, add the list of users to a policy (create a policy if one doesn't exist).
4. For your conditional access policy, ensure the following:
a. In the 'Access controls' section, multi-factor authentication is granted.
b. In the 'Cloud Apps or actions' section's 'Include' tab, check that Microsoft Azure Management (App Id :797f4846-ba00-4fd7-ba43-dac1f8f63013) or 'All apps' is selected. In the 'Exclude' tab, check that it is not excluded.
To enable MFA security defaults in Azure Active Directory (included in Azure AD free):
1. Sign in to the Azure AD - Properties page as a security administrator, Conditional Access administrator, or global administrator.
2. From the bottom of the page, select Manage security defaults.
3. Set Enable security defaults to Yes.
4. Select Save.
Note: It can take up to 12 hours for the change to be reflected in Security Center.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/57e98606-6b1e-6193-0e3d-fe621387c16b\",\r\n \"name\": \"57e98606-6b1e-6193-0e3d-fe621387c16b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"MFA should be enabled on accounts with write permissions on your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9297c21d-2ed6-4474-b48f-163f75654ce3\",\r\n \"description\": \"Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources.\",\r\n \"remediationDescription\": \"To enable MFA using conditional access you must have an Azure AD Premium license and have AD tenant admin permissions.
1. Select the relevant subscription or click 'Take action' if it's available. The list of user accounts without MFA appears.
2. Click 'Continue'. The Azure AD Conditional Access page appears.
3. In the Conditional Access page, add the list of users to a policy (create a policy if one doesn't exist).
4. For your conditional access policy, ensure the following:
a. In the 'Access controls' section, multi-factor authentication is granted.
b. In the 'Cloud Apps or actions' section's 'Include' tab, check that Microsoft Azure Management (App Id :797f4846-ba00-4fd7-ba43-dac1f8f63013) or 'All apps' is selected. In the 'Exclude' tab, check that it is not excluded.
To enable MFA security defaults in Azure Active Directory (included in Azure AD free):
1. Sign in to the Azure AD - Properties page as a security administrator, Conditional Access administrator, or global administrator.
2. From the bottom of the page, select Manage security defaults.
3. Set Enable security defaults to Yes.
4. Select Save.
Note: It can take up to 12 hours for the change to be reflected in Security Center.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/94290b00-4d0c-d7b4-7cea-064a9554e681\",\r\n \"name\": \"94290b00-4d0c-d7b4-7cea-064a9554e681\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"MFA should be enabled on accounts with owner permissions on your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/aa633080-8b72-40c4-a2d7-d00c03e80bed\",\r\n \"description\": \"Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources.\",\r\n \"remediationDescription\": \"To enable MFA using conditional access you must have an Azure AD Premium license and have AD tenant admin permissions.
1. Select the relevant subscription or click 'Take action' if it's available. The list of user accounts without MFA appears.
2. Click 'Continue'. The Azure AD Conditional Access page appears.
3. In the Conditional Access page, add the list of users to a policy (create a policy if one doesn't exist).
4. For your conditional access policy, ensure the following:
a. In the 'Access controls' section, multi-factor authentication is granted.
b. In the 'Cloud Apps or actions' section's 'Include' tab, check that Microsoft Azure Management (App Id :797f4846-ba00-4fd7-ba43-dac1f8f63013) or 'All apps' is selected. In the 'Exclude' tab, check that it is not excluded.
To enable MFA security defaults in Azure Active Directory (included in Azure AD free):
1. Sign in to the Azure AD - Properties page as a security administrator, Conditional Access administrator, or global administrator.
2. From the bottom of the page, select Manage security defaults.
3. Set Enable security defaults to Yes.
4. Select Save.
Note: It can take up to 12 hours for the change to be reflected in Security Center.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a8c6a4ad-d51e-88fe-2979-d3ee3c864f8b\",\r\n \"name\": \"a8c6a4ad-d51e-88fe-2979-d3ee3c864f8b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"External accounts with read permissions should be removed from your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5f76cf89-fbf2-47fd-a3f4-b891fa780b60\",\r\n \"description\": \"Accounts with read permissions that have different domain names (external accounts), should be removed from your subscription. This prevents unmonitored access. These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"To remove external accounts:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The list of external user accounts that require access removal opens.
Click 'Continue'. The Access control (IAM) page opens.
In the Access control page:
1. Click the 'Role assignments'
2. Search and select the users that were in the list of user accounts that require removal. You can scroll back to the left to see the list.
3. Click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/04e7147b-0deb-9796-2e5c-0336343ceb3d\",\r\n \"name\": \"04e7147b-0deb-9796-2e5c-0336343ceb3d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"External accounts with write permissions should be removed from your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5c607a2e-c700-4744-8254-d77e7c9eb5e4\",\r\n \"description\": \"Accounts with write permissions that have different domain names (external accounts), should be removed from your subscription. This prevents unmonitored access. These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"To remove external accounts:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The list of external user accounts that require access removal opens.
Click 'Continue'. The Access control (IAM) page opens.
In the Access control page:
1. Click the 'Role assignments'
2. Search and select the users that were in the list of user accounts that require removal. You can scroll back to the left to see the list.
3. Click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c3b6ae71-f1f0-31b4-e6c1-d5951285d03d\",\r\n \"name\": \"c3b6ae71-f1f0-31b4-e6c1-d5951285d03d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"External accounts with owner permissions should be removed from your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f8456c1c-aa66-4dfb-861a-25d127b775c9\",\r\n \"description\": \"Accounts with owner permissions that have different domain names (external accounts), should be removed from your subscription. This prevents unmonitored access. These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"To remove external accounts:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The list of external user accounts that require access removal opens.
Click 'Continue'. The Access control (IAM) page opens.
In the Access control page:
1. Click the 'Role assignments'
2. Search and select the users that were in the list of user accounts that require removal. You can scroll back to the left to see the list.
3. Click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/00c6d40b-e990-6acf-d4f3-471e747a27c4\",\r\n \"name\": \"00c6d40b-e990-6acf-d4f3-471e747a27c4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Deprecated accounts should be removed from your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6b1cbf55-e8b6-442f-ba4c-7246b6381474\",\r\n \"description\": \"User accounts that have been blocked from signing in, should be removed from your subscriptions.
These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"To remove blocked user accounts:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The list of blocked user accounts opens.
Click 'Continue'. The Access control (IAM) page opens.
In the Access control page:
1. Click the 'Role assignments' tab.
2. Search and select the users that were in the list of blocked user accounts that require removal. You can scroll back to the left to see the list.
3. Click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e52064aa-6853-e252-a11e-dffc675689c2\",\r\n \"name\": \"e52064aa-6853-e252-a11e-dffc675689c2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Deprecated accounts with owner permissions should be removed from your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ebb62a0c-3560-49e1-89ed-27e074e9f8ad\",\r\n \"description\": \"User accounts that have been blocked from signing in, should be removed from your subscriptions.
These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"To remove blocked user accounts:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The list of blocked user accounts opens.
Click 'Continue'. The Access control (IAM) page opens.
In the Access control page:
1. Click the 'Role assignments' tab.
2. Search and select the users that were in the list of blocked user accounts that require removal. You can scroll back to the left to see the list.
3. Click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6f90a6d6-d4d6-0794-0ec1-98fa77878c2e\",\r\n \"name\": \"6f90a6d6-d4d6-0794-0ec1-98fa77878c2e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"A maximum of 3 owners should be designated for your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4f11b553-d42e-4e3a-89be-32ca364cad4c\",\r\n \"description\": \"It is recommended to designate up to {0} subscription owners in order to reduce the potential for breach by a compromised owner.\",\r\n \"remediationDescription\": \"To remove owner permissions from user accounts on your subscription:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The Access control (IAM) page opens.
1. Click the Role assignments tab and set the 'Role' filter to 'Owner'.
2. Select the owners you want to remove.
3. Click Remove.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2c79b4af-f830-b61e-92b9-63dfa30f16e4\",\r\n \"name\": \"2c79b4af-f830-b61e-92b9-63dfa30f16e4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"There should be more than one owner assigned to your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/09024ccc-0c5f-475e-9457-b7c0d9ed487b\",\r\n \"description\": \"Designate more than one subscription owner in order to have administrator access redundancy.\",\r\n \"remediationDescription\": \"To add another account with owner permissions to your subscription:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The Access control (IAM) page opens.
1. Click 'Add' to open the Add role assignment pane.
If you don't have permissions to assign roles, the Add role assignment option will be disabled
1. In the 'Role' drop-down list, select the Owner role.
2. In the Select list, select a user.
3. Click Save.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0677209d-e675-2c6f-e91a-54cef2878663\",\r\n \"name\": \"0677209d-e675-2c6f-e91a-54cef2878663\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities in container security configurations should be remediated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933\",\r\n \"description\": \"Remediate vulnerabilities in security configuration on machines with Docker installed to protect them from attacks.\",\r\n \"remediationDescription\": \"To remediate vulnerabilities in the container security configurations:
1. Review the list of failed rules.
2. Fix each rule according to the specified instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1db4f204-cb5a-4c9c-9254-7556403ce51c\",\r\n \"name\": \"1db4f204-cb5a-4c9c-9254-7556403ce51c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerability assessment should be enabled on your SQL servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9\",\r\n \"description\": \"Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities.\",\r\n \"remediationDescription\": \"To enable vulnerability assessment on SQL servers:
1. Select the SQL server.
2. Make sure that 'Advanced data security' is set to 'On'.
3. Under 'Vulnerability assessment settings', set 'Periodic recurring scans' to 'On', and configure a storage account for storing vulnerability assessment scan results.
4. Click Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/400a6682-992c-4726-9549-629fbc3b988f\",\r\n \"name\": \"400a6682-992c-4726-9549-629fbc3b988f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Defender for SQL should be enabled on your SQL servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9\",\r\n \"description\": \"Azure Defender for SQL is a unified package that provides advanced SQL security capabilities. It surfaces and mitigates potential database vulnerabilities, and detects anomalous activities that could indicate a threat to your database. Azure Defender for SQL is billed as shown on the pricing page.\",\r\n \"remediationDescription\": \"To enable Azure Defender for SQL on SQL servers: 1. Select the SQL server. 2. Under 'Security Center', set Azure Defender for SQL to 'On'. 3. Under 'Vulnerability Assessment Settings', configure a storage account for storing vulnerability assessment scan results and set 'Periodic recurring scans' to 'On'. 4. Click Save.
Note: Azure Defender for SQL is billed as shown on the pricing page\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f0553104-cfdb-65e6-759c-002812e38500\",\r\n \"name\": \"f0553104-cfdb-65e6-759c-002812e38500\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"An Azure Active Directory administrator should be provisioned for SQL servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9\",\r\n \"description\": \"Provision an Azure AD administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services.\",\r\n \"remediationDescription\": \"To provision an Azure AD administrator for SQL server, see Configure and manage Azure Active Directory authentication with SQL Database, Managed Instance, or SQL Data Warehouse\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/12018f4f-3d10-999b-e4c4-86ec25be08a1\",\r\n \"name\": \"12018f4f-3d10-999b-e4c4-86ec25be08a1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Virtual machines should be migrated to new Azure Resource Manager resources\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d\",\r\n \"description\": \"Virtual Machines (classic) was deprecated and these VMs should be migrated to Azure Resource Manager.
Because Azure Resource Manager now has full IaaS capabilities and other advancements, we deprecated the management of IaaS virtual machines (VMs) through Azure Service Manager (ASM) on February 28, 2020. This functionality will be fully retired on March 1, 2023.
Available resources and information about this tool & migration:
1. Overview of Virtual machines (classic) deprecation, step by step process for migration & available microsoft resources.
2. Details about Migrate to ARM migration tool.
3. Migrate to ARM migration tool using Power shell.\",\r\n \"remediationDescription\": \"To migrate virtual machines to new ARM resources:
1. Go to the Virtual machines (classic) Portal Blade.
2. Click on Migrate to ARM.
3. Click on Validate. If validate failed, use the suggested methods in the error messages or Migration Overview document to fix the errors.
4. Click on Prepare. If prepare failed, use the suggested methods in the error messages or Migration Overview document to fix the errors.
5. (Optional) Click on Abort to rollback migration.
6. Click on Commit. Commit finalizes the migration and cannot be rolled back.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/22e18b64-4576-41e6-8972-0eb28c9af0c8\",\r\n \"name\": \"22e18b64-4576-41e6-8972-0eb28c9af0c8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fb893a29-21bb-418c-a157-e99480ec364c\",\r\n \"description\": \"Upgrade your Kubernetes service cluster to a later Kubernetes version to protect against known vulnerabilities in your current Kubernetes version. Vulnerability CVE-2019-9946 has been patched in Kubernetes versions 1.11.9+, 1.12.7+, 1.13.5+, and 1.14.0+\",\r\n \"remediationDescription\": \"To upgrade a Kubernetes version using the Azure portal:
1. Go to Azure Kubernetes Services and click on the specific Kubernetes Service.
2. Under 'Upgrade' select the target Kubernetes version and save the change. Note:When you upgrade an AKS cluster, Kubernetes minor versions cannot be skipped. For example, upgrades between 1.10.x -> 1.11.x or 1.11.x -> 1.12.x are allowed, however 1.10.x -> 1.12.x is not. To upgrade from 1.10.x -> 1.12.x, first upgrade from 1.10.x -> 1.11.x, then upgrade from 1.11.x -> 1.12.x.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"ElevationOfPrivilege\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1a2b5b4c-f80d-46e7-ac81-b51a9fb363de\",\r\n \"name\": \"1a2b5b4c-f80d-46e7-ac81-b51a9fb363de\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Authorized IP ranges should be defined on Kubernetes Services\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e246bcf-5f6f-4f87-bc6f-775d4712c7ea\",\r\n \"description\": \"Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster.\",\r\n \"remediationDescription\": \"To configure authorized IP ranges, follow the steps described here Secure access to the API server using authorized IP address ranges in Azure Kubernetes Service (AKS). If you are using Basic load balancer, you need to first migrate to Standard to use authorized IP ranges.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DenialOfService\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a3eee263-aa01-4b52-a7c0-0094578ef48f\",\r\n \"name\": \"a3eee263-aa01-4b52-a7c0-0094578ef48f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Pod Security Policies should be defined on Kubernetes Services (Deprecated)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3abeb944-26af-43ee-b83d-32aaf060fb94\",\r\n \"description\": \"(Deprecated) Define Pod Security Policies to reduce the attack vector by removing unnecessary application privileges. It is recommended to configure Pod Security Policies to only allow pods to access the resources which they have permissions to access.\",\r\n \"remediationDescription\": \"To configure Pod Security Policies, follow the steps described here Secure your cluster using pod security policies in Azure Kubernetes Service (AKS).\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ElevationOfPrivilege\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b0fdc63a-38e7-4bab-a7c4-2c2665abbaa9\",\r\n \"name\": \"b0fdc63a-38e7-4bab-a7c4-2c2665abbaa9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Role-Based Access Control should be used on Kubernetes Services\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ac4a19c2-fa67-49b4-8ae5-0b2e78c49457\",\r\n \"description\": \"To provide granular filtering on the actions that users can perform, use Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service Clusters and configure relevant authorization policies. For more information, see Azure role-based access control.\",\r\n \"remediationDescription\": \"To Use Role-Based Access Control (RBAC) you must recreate your Kubernetes Service cluster and enable RBAC during the creation process. Creating a Kubernetes Service with RBAC enabled can be done via the portal as follows:
1. Go to Azure Kubernetes Services.
2. Click 'Add' and enter your cluster's configuration.
3. In the 'Authentication' tab, verify that the 'Enable RBAC' setting is set to 'Yes'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"ElevationOfPrivilege\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c6dad669-efd7-cd72-61c5-289935607791\",\r\n \"name\": \"c6dad669-efd7-cd72-61c5-289935607791\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Data Lake Analytics should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c95c74d9-38fe-4f0d-af86-0c7d626a315c\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Data Lake Analytics diagnostics:
1. Go to Data Lake Analytics and click on your subscription.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c42fc28d-1703-45fc-aaa5-39797f570513\",\r\n \"name\": \"c42fc28d-1703-45fc-aaa5-39797f570513\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerability assessment should be enabled on your SQL managed instances\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b7aa243-30e4-4c9e-bca8-d0d3022b634a\",\r\n \"description\": \"Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities.\",\r\n \"remediationDescription\": \"To enable vulnerability assessment on a managed instance:
1. Select the SQL managed instance.
2. Make sure that 'Advanced data security' is set to 'On'.
3. Under 'Vulnerability assessment settings', set 'Periodic recurring scans' to 'On', and configure a storage account for storing vulnerability assessment scan results.
4. Click Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ff6dbca8-d93c-49fc-92af-dc25da7faccd\",\r\n \"name\": \"ff6dbca8-d93c-49fc-92af-dc25da7faccd\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Defender for SQL should be enabled on your managed instances\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9\",\r\n \"description\": \"Azure Defender for SQL is a unified package that provides advanced SQL security capabilities. It surfaces and mitigates potential database vulnerabilities, and detects anomalous activities that could indicate a threat to your database. Azure Defender for SQL is billed as shown on the pricing page.\",\r\n \"remediationDescription\": \"To enable Azure Defender for SQL on managed SQL servers: 1. Select the managed SQL server. 2. Under 'Security Center', set Azure Defender for SQL to 'On'. 3. Under 'Vulnerability Assessment Settings', configure a storage account for storing vulnerability assessment scan results and set 'Periodic recurring scans' to 'On'. 4. Click Save.
Note: Azure Defender for SQL is billed as shown on the pricing page.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/35b25be2-d08a-e340-45ed-f08a95d804fc\",\r\n \"name\": \"35b25be2-d08a-e340-45ed-f08a95d804fc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Only secure connections to your Redis Cache should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/22bee202-a82f-4305-9a2a-6d7f44d4dedb\",\r\n \"description\": \"Enable only connections via SSL to Redis Cache. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.\",\r\n \"remediationDescription\": \"To enable only SSL connections to your Redis Cache, we recommend the following steps:
1. Go to the Redis Caches, and select your redis cache.
2. Select 'Advanced settings'.
3. For 'Allow access only via SSL', click 'Yes' and then click 'Save'.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/77785808-ce86-4e40-b45f-19110a547397\",\r\n \"name\": \"77785808-ce86-4e40-b45f-19110a547397\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in IoT Hub should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/383856f8-de7f-44a2-81fc-e5135b5c2aa4\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable IoT Hub diagnostics:
1. Go to the Event Hub namespace.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/32771b45-220c-1a8b-584e-fdd5a2584a66\",\r\n \"name\": \"32771b45-220c-1a8b-584e-fdd5a2584a66\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Batch accounts should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/428256e6-1fac-4f48-a757-df34c2b3336d\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Batch diagnostics:
1. Go to Batch and click on your subscription.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f11b27f2-8c49-5bb4-eff5-e1e5384bf95e\",\r\n \"name\": \"f11b27f2-8c49-5bb4-eff5-e1e5384bf95e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Azure Stream Analytics should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f9be5368-9bf5-4b84-9e0a-7850da98bb46\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Stream Analytics diagnostics:
1. Go to Stream Analytics and click on your subscription.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f19ab7d9-5ff2-f8fd-ab3b-0bf95dcb6889\",\r\n \"name\": \"f19ab7d9-5ff2-f8fd-ab3b-0bf95dcb6889\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Service Bus should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f8d36e2f-389b-4ee4-898d-21aeb69a0f45\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Service Bus diagnostics:
1. Go to the Service Bus.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b12bc79e-4f12-44db-acda-571820191ddc\",\r\n \"name\": \"b12bc79e-4f12-44db-acda-571820191ddc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Automation account variables should be encrypted\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735\",\r\n \"description\": \"It is important to enable encryption of Automation account variable assets when storing sensitive data.\",\r\n \"remediationDescription\": \"You should encrypt Automation Account Variables that store sensitive data. This step can only be taken at creation time.
If you have Automation Account Variables storing sensitive data that are not already encrypted, then you will need to delete them and recreate them as encrypted variables.
To apply encryption of the Automation account variable assets, in the Azure CLI - run the following command: Set-AzAutomationVariable -AutomationAccountName '{AutomationAccountName}' -Encrypted $true -Name '{VariableName}' -ResourceGroupName '{ResourceGroupName}' -Value '{Value}'
Read more here\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ad5bbaeb-7632-5edf-f1c2-752075831ce8\",\r\n \"name\": \"ad5bbaeb-7632-5edf-f1c2-752075831ce8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Azure Data Lake Store should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/057ef27e-665e-4328-8ea3-04b3122bd9fb\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Data Lake Store diagnostics:
1. Go to Data Lake Store and click on your subscription.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/dea5192e-1bb3-101b-b70c-4646546f5e1e\",\r\n \"name\": \"dea5192e-1bb3-101b-b70c-4646546f5e1e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Search services should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b4330a05-a843-4bc8-bf9a-cacce50c67f4\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Search diagnostics:
1. Go to Search and click on your subscription.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/03afeb6f-7634-adb3-0a01-803b0b9cb611\",\r\n \"name\": \"03afeb6f-7634-adb3-0a01-803b0b9cb611\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Service Fabric clusters should only use Azure Active Directory for client authentication\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b54ed75b-3e1a-44ac-a333-05ba39b99ff0\",\r\n \"description\": \"Perform Client authentication only via Azure Active Directory in Service Fabric\",\r\n \"remediationDescription\": \"To enable client authentication using Azure Active Directory follow the instructions to Set up Azure Active Directory for client authentication.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7f04fc0c-4a3d-5c7e-ce19-666cb871b510\",\r\n \"name\": \"7f04fc0c-4a3d-5c7e-ce19-666cb871b510\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/617c02be-7f02-4efd-8836-3180d47b6c68\",\r\n \"description\": \"Service Fabric provides three levels of protection (None, Sign and EncryptAndSign) for node-to-node communication using a primary cluster certificate. Set the protection level to ensure that all node-to-node messages are encrypted and digitally signed.\",\r\n \"remediationDescription\": \"To set 'ClusterProtectionLevel' inside Service Fabric ARM template to 'EncryptAndSign':
1. Go to the Service fabric cluster.
2. Click on 'Custom fabric settings'.
3. Click 'Add new', set the 'Security' section and update the 'ClusterProtectionLevel' property to 'EncryptAndSign'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1597605a-0faf-5860-eb74-462ae2e9fc21\",\r\n \"name\": \"1597605a-0faf-5860-eb74-462ae2e9fc21\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Event Hub should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83a214f7-d01a-484b-91a9-ed54470c9a6a\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Event Hub diagnostics:
1. Go to the Event Hub namespace.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/91387f44-7e43-4ecc-55f0-46f5adee3dd5\",\r\n \"name\": \"91387f44-7e43-4ecc-55f0-46f5adee3dd5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Logic Apps should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34f95f76-5386-4de7-b824-0d8478470c9d\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Logic Apps diagnostics:
1. Go to Logic Apps and click on your subscription.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/961eb649-3ea9-f8c2-6595-88e9a3aeedeb\",\r\n \"name\": \"961eb649-3ea9-f8c2-6595-88e9a3aeedeb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Virtual Machine Scale Sets should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7c1b1214-f927-48bf-8882-84f0af6588b1\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Virtual Machines Scale Sets diagnostics follow the instructions\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606\",\r\n \"description\": \"To benefit from new capabilities in Azure Resource Manager, you can migrate existing deployments from the Classic deployment model. Resource Manager enables security enhancements such as: stronger access control (RBAC), better auditing, ARM-based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management. Learn more\",\r\n \"remediationDescription\": \"To migrate storage accounts to new ARM resources :
1. Go to the Storage Account
2. Click on Migrate to ARM and follow the instructions.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/88bbc99c-e5af-ddd7-6105-6150b2bfa519\",\r\n \"name\": \"88bbc99c-e5af-ddd7-6105-6150b2bfa519\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Key Vault should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Key Vault diagnostics:
1. Go to Key Vault and click on your subscription.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/45d313c3-3fca-5040-035f-d61928366d31\",\r\n \"name\": \"45d313c3-3fca-5040-035f-d61928366d31\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Access to storage accounts with firewall and virtual network configurations should be restricted\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c\",\r\n \"description\": \"Review the settings of network access in your storage account firewall settings. It is recommended to configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premise clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges.\",\r\n \"remediationDescription\": \"
1. In your storage account, go to 'Firewalls and virtual networks'.
2. Under 'Allow access from', choose 'Selected networks'.
3. Configure the relevant virtual networks and IP ranges that should be allowed to access your storage account.
4. Configure \\\"Allow trusted Microsoft services to access your storage account\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": \"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Secure transfer to storage accounts should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9\",\r\n \"description\": \"Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.\",\r\n \"remediationDescription\": \"To enable secure transfer required:
1. In your storage account, go to the 'Configuration' page.
2. Enable 'Secure transfer required'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bd20bd91-aaf1-7f14-b6e4-866de2f43146\",\r\n \"name\": \"bd20bd91-aaf1-7f14-b6e4-866de2f43146\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"System updates on virtual machine scale sets should be installed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe\",\r\n \"description\": \"Install missing system security and critical updates to secure your Windows and Linux virtual machine scale sets.\",\r\n \"remediationDescription\": \"To install system updates:
1. Review the list of missing system updates.
2. Follow the steps to resolve the update, as described in the support link.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/45cfe080-ceb1-a91e-9743-71551ed24e94\",\r\n \"name\": \"45cfe080-ceb1-a91e-9743-71551ed24e94\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Log Analytics agent should be installed on your virtual machine scale sets\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a3a6ea0c-e018-4933-9ef0-5aaa1501449b\",\r\n \"description\": \"Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats. Data is collected using the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA), which reads various security-related configurations and event logs from the machine and copies the data to your workspace for analysis. You’ll also need to follow that procedure if your VMs are used by an Azure managed service such as Azure Kubernetes Service or Azure Service Fabric. You cannot configure auto-provisioning of the agent for Azure virtual machine scale sets. To deploy the agent on virtual machine scale sets (including those used by Azure managed services such as Azure Kubernetes Service and Azure Service Fabric), follow the procedure in the remediation steps.\",\r\n \"remediationDescription\": \"For information on how to add the Log analytics agent as an extension to your virtual machine scale set please see the following instructions. For information on how to deploy the log analytics agent at scale on virtual machine scale set using Azure Policy please see the following instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8941d121-f740-35f6-952c-6561d2b38d36\",\r\n \"name\": \"8941d121-f740-35f6-952c-6561d2b38d36\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities in security configuration on your virtual machine scale sets should be remediated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4\",\r\n \"description\": \"Remediate vulnerabilities in security configuration on your virtual machine scale sets to protect them from attacks.\",\r\n \"remediationDescription\": \"To remediate vulnerabilities in VM scale set security configurations:
1. Review the list of failed rules.
2. Fix each rule according to the instructions provided.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/21300918-b2e3-0346-785f-c77ff57d243b\",\r\n \"name\": \"21300918-b2e3-0346-785f-c77ff57d243b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Endpoint protection solution should be installed on virtual machine scale sets\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de\",\r\n \"description\": \"Install an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities.\",\r\n \"remediationDescription\": \"To install an endpoint protection solution:
1. Follow the instructions in How do I turn on antimalware in my virtual machine scale set\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e71020c2-860c-3235-cd39-04f3f8c936d2\",\r\n \"name\": \"e71020c2-860c-3235-cd39-04f3f8c936d2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Endpoint protection health failures should be remediated on virtual machine scale sets\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de\",\r\n \"description\": \"Remediate endpoint protection health failures on your virtual machine scale sets to protect them from threats and vulnerabilities.\",\r\n \"remediationDescription\": \"Resolve endpoint protection health issues on your VM scale sets to get full protection and coverage by Azure Security Center. To do this, follow the instructions in each of the possible endpoint protection health issues displayed on your virtual machine scale set.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6c99f570-2ce7-46bc-8175-cde013df43bc\",\r\n \"name\": \"6c99f570-2ce7-46bc-8175-cde013df43bc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Guest configuration extension should be installed on Windows virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/5fc23db3-dd4d-4c56-bcc7-43626243e601\",\r\n \"description\": \"Install the guest configuration agent to enable auditing settings inside a machine such as: - The configuration of the operating system
- Application configuration or presence
- Environment settings
Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'.
For more details, visit in-guest policies\",\r\n \"remediationDescription\": \"Quick fix remediation:
To remediate with a single click, in the Unhealthy resources tab (below), select the resources, and click 'Remediate'.
Read the remediation details in the confirmation box, and approve the remediation.
Note: It can take several minutes after remediation completes to see the resources in the 'healthy resources' tab.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/22489c48-27d1-4e40-9420-4303ad9cffef\",\r\n \"name\": \"22489c48-27d1-4e40-9420-4303ad9cffef\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Windows Defender Exploit Guard should be enabled on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/bed48b13-6647-468e-aa2f-1af1d3f4dd40\",\r\n \"description\": \"Windows Defender Exploit Guard leverages the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only).\",\r\n \"remediationDescription\": \"Enable controlled folder access: controlled folder access
The following attack surface rules should be enabled:
'be9ba2d9-53ea-4cdc-84e5-9b1eeee46550',
'b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4',
'9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2',
'd4f940ab-401b-4efc-aadc-ad5f3c50688a',
'd3e037e1-3eb8-44c8-a917-57927947596d',
'5beb7efe-fd9a-4556-801d-275e5ffc04cc',
'3b576869-a4ec-4529-8536-b80a7769e899',
'26190899-1602-49e8-8b27-eb1d0a1ce869',
'92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B',
'7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c',
'75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84'
For more information on visit:Learn more\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ThreatResistance\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/27ac71b1-75c5-41c2-adc2-858f5db45b08\",\r\n \"name\": \"27ac71b1-75c5-41c2-adc2-858f5db45b08\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Log Analytics agent should be installed on your Windows-based Azure Arc machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/d69b1763-b96d-40b8-a2d9-ca31e9fd0d3e\",\r\n \"description\": \"Security Center uses the Log Analytics agent (also known as MMA) to collect security events from your Azure Arc machines. To deploy the agent on all your Azure Arc machines, follow the remediation steps.\",\r\n \"remediationDescription\": \"To install the monitoring agent on your Arc machine:
1. From the Azure Arc machine's page, go to Extensions and select Add.
2. Follow the instructions to add the relevant extension.
You can also use ARM template or Azure Policies to manage the extension deployment to Arc servers. Learn more about Log Analytics agent for Windows.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/720a3e77-0b9a-4fa9-98b6-ddf0fd7e32c1\",\r\n \"name\": \"720a3e77-0b9a-4fa9-98b6-ddf0fd7e32c1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Log Analytics agent should be installed on your Linux-based Azure Arc machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/842c54e8-c2f9-4d79-ae8d-38d8b8019373\",\r\n \"description\": \"Security Center uses the Log Analytics agent (also known as OMS) to collect security events from your Azure Arc machines. To deploy the agent on all your Azure Arc machines, follow the remediation steps.\",\r\n \"remediationDescription\": \"To install the monitoring agent on your Arc machine:
1. From the Azure Arc machine's page, go to Extensions and select Add.
2. Follow the instructions to add the relevant extension.
You can also use ARM template or Azure Policies to manage the extension deployment to Arc servers. Learn more about Log Analytics agent for Linux.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fc84abc0-eee6-4758-8372-a7681965ca44\",\r\n \"name\": \"fc84abc0-eee6-4758-8372-a7681965ca44\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Validity period of certificates stored in Azure Key Vault should not exceed 12 months\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a075868-4c26-42ef-914c-5bc007359560\",\r\n \"description\": \"Ensure your certificates do not have a validity period that exceeds 12 months.\",\r\n \"remediationDescription\": \"To remediate you must create a new version of the certificate. Ensure that your application or service will be able to get a new version of the certificate before proceeding. Select a key vault from the list below. The list of certificates with a validity period that exceeds 12 months will appear. From the Azure Portal, open Azure Key Vault and select the vault with the certificate that needs to be replaced. Select the relevant certificate and the certificate details page opens. 1. On the certificate details page, select \\\"+ New Version\\\". The \\\"Create a Certificate\\\" pane opens. 2. Change the \\\"Validity period (in months)\\\" field to 12 or less. 3. Select \\\"Create\\\". 4. Ensure that you have set up auto-renewal, or have a process to renew your certificate prior to expiration.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"name\": \"51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Storage account public access should be disallowed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751\",\r\n \"description\": \"Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data, but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.\",\r\n \"remediationDescription\": \"To prevent public access to containers and blobs in your storage account:
1. In the Azure portal, navigate to your storage account.
2. From the settings menu, select \\\"Configuration\\\".
3. Set \\\"Allow Blob public access\\\" to \\\"Disabled\\\".
Learn more about public access
Note: It might take several minutes after remediation completes until the resource appears in the 'healthy resources' tab.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f2f595ec-5dc6-68b4-82ef-b63563e9c610\",\r\n \"name\": \"f2f595ec-5dc6-68b4-82ef-b63563e9c610\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Backup should be enabled for virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/013e242c-8828-4970-87b3-ab247555486d\",\r\n \"description\": \"Protect the data on your Azure virtual machines with Azure Backup.
Azure Backup is an Azure-native, cost-effective, data protection solution.
It creates recovery points that are stored in geo-redundant recovery vaults.
When you restore from a recovery point, you can restore the whole VM or specific files.\",\r\n \"remediationDescription\": \"1. To enable Azure Backup for an individual virtual machine, navigate to the virtual machine on the Azure portal and select 'Backup' from the menu.
In the screen that appears, you can then choose to backup the machine to a new or existing Recovery Services vault in the same location and subscription.
Learn more at https://aka.ms/AzureVMBackupDoc 2. To enable Azure Backup for virtual machines at scale, you can assign the policy 'Configure backup on VMs of a location to an existing central Vault in the same location' to a given scope.
This policy can be assigned to one subscription-location pair at a time.
Learn more at http://aka.ms/AzureBackupVMGovernance\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/23aa9cbe-c2fb-6a2f-6c97-885a6d48c4d1\",\r\n \"name\": \"23aa9cbe-c2fb-6a2f-6c97-885a6d48c4d1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Managed identity should be used in your function app\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0da106f2-4ca3-48e8-bc85-c638fe6aea8f\",\r\n \"description\": \"For enhanced authentication security, use a managed identity.
On Azure, managed identities eliminate the need for developers to have to manage credentials by providing an identity for the Azure resource in Azure AD and using it to obtain Azure Active Directory (Azure AD) tokens.\",\r\n \"remediationDescription\": \"To create a managed identity for your function app:
1. Go to the App Service for your API app 2. Navigate to Platform features 3. Select Identity 4. Use System assigned or User assigned identity following the steps described in this doc: https://aka.ms/managed-identity\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2ce368b5-7882-89fd-6645-885b071a2409\",\r\n \"name\": \"2ce368b5-7882-89fd-6645-885b071a2409\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Geo-redundant backup should be enabled for Azure Database for MariaDB\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0ec47710-77ff-4a3d-9181-6aa50af424d0\",\r\n \"description\": \"Azure Database for MariaDB allows you to choose the redundancy option for your database server.
It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery options in case of a region failure.
Configuring geo-redundant storage for backup is only allowed when creating a server.\",\r\n \"remediationDescription\": \"To configure your Azure Database for MariaDB server with geo-redundant backup during server creation, select the “Geo-Redundant” option for the server in the Compute + Storage configuration.
For more information, see: https://go.microsoft.com/fwlink/?linkid=2086853\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4a3d7cd3-f17c-637a-1ffc-614a01dd03cf\",\r\n \"name\": \"4a3d7cd3-f17c-637a-1ffc-614a01dd03cf\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Managed identity should be used in your web app\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2b9ad585-36bc-4615-b300-fd4435808332\",\r\n \"description\": \"For enhanced authentication security, use a managed identity.
On Azure, managed identities eliminate the need for developers to have to manage credentials by providing an identity for the Azure resource in Azure AD and using it to obtain Azure Active Directory (Azure AD) tokens.\",\r\n \"remediationDescription\": \"To create a managed identity for your web app:
1. Go to the App Service for your API app 2. Scroll to the Settings group in the left navigation 3. Select Identity 4. Use System assigned or User assigned identity following the steps described in this doc: https://aka.ms/managed-identity\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/95592ab0-ddc8-660d-67f3-6df1fadfe7ec\",\r\n \"name\": \"95592ab0-ddc8-660d-67f3-6df1fadfe7ec\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Geo-redundant backup should be enabled for Azure Database for PostgreSQL\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/48af4db5-9b8b-401c-8e74-076be876a430\",\r\n \"description\": \"Azure Database for PostgreSQL allows you to choose the redundancy option for your database server.
It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery options in case of a region failure.
Configuring geo-redundant storage for backup is only allowed when creating a server.\",\r\n \"remediationDescription\": \"To configure your Azure Database for PostgreSQL server with geo-redundant backup during server creation, select the “Geo-Redundant” option for the server in the Compute + Storage configuration.
For more information, see: https://go.microsoft.com/fwlink/?linkid=867615\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ca4e6a5a-3a9a-bad3-798a-d420a1d9bd6d\",\r\n \"name\": \"ca4e6a5a-3a9a-bad3-798a-d420a1d9bd6d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Web apps should request an SSL certificate for all incoming requests\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5bb220d9-2698-4ee4-8404-b9c30c9df609\",\r\n \"description\": \"Client certificates allow for the app to request a certificate for incoming requests.
Only clients that have a valid certificate will be able to reach the app.\",\r\n \"remediationDescription\": \"To set Client Certificates for your Web App:
1. Navigate to Azure App Service 2. Select Configuration 3. Go to the General Settings tab 4. Set Incoming Client Certificates to Require.
For more information, visit here: https://aka.ms/auth-tls\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8ad68a2f-c6b1-97b5-41b5-174359a33688\",\r\n \"name\": \"8ad68a2f-c6b1-97b5-41b5-174359a33688\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Geo-redundant backup should be enabled for Azure Database for MySQL\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/82339799-d096-41ae-8538-b108becf0970\",\r\n \"description\": \"Azure Database for MySQL allows you to choose the redundancy option for your database server.
It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery options in case of a region failure.
Configuring geo-redundant storage for backup is only allowed when creating a server.\",\r\n \"remediationDescription\": \"To configure your Azure Database for MySQL server with geo-redundant backup during server creation, select the “Geo-Redundant” option for the server in the Compute + Storage configuration.
For more information, see: https://go.microsoft.com/fwlink/?linkid=867608\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5a659d57-117d-bb18-65f6-54e51da1bb9b\",\r\n \"name\": \"5a659d57-117d-bb18-65f6-54e51da1bb9b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"TLS should be updated to the latest version for your API app\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e\",\r\n \"description\": \"Upgrade to the latest TLS version\",\r\n \"remediationDescription\": \"To update your API app to the latest TLS version:
1. Navigate to Azure App Service 2. Select TLS/SSL settings 3. Under the Protocol Settings section, choose the latest Minimum TLS Version.
For more information on managing TLS/SSL settings, visit here: https://aka.ms/add-tls\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/40394a2c-60fb-7cc5-1944-065772e94f05\",\r\n \"name\": \"40394a2c-60fb-7cc5-1944-065772e94f05\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs should be enabled in App Service\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b607c5de-e7d9-4eee-9e5c-83f1bcee4fa0\",\r\n \"description\": \"Audit enabling of diagnostic logs on the app.
This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised\",\r\n \"remediationDescription\": \"To enable App Service diagnostics:
1. Navigate to Azure App Service and select App Service logs 2. In Application logging, select File System 3. Specify the retention period for the logs 4. If using Azure monitor select Diagnostic settings and click Add diagnostic setting 5. Select one or more catagories of logs to collect 6. Select one of the options to store the diagnostics logs and follow the instructions.
For more information, visit https://aka.ms/enable-logs\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/cc6d1865-7617-3cb2-cf7d-4cfc01ece1df\",\r\n \"name\": \"cc6d1865-7617-3cb2-cf7d-4cfc01ece1df\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Managed identity should be used in your API app\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c4d441f8-f9d9-4a9e-9cef-e82117cb3eef\",\r\n \"description\": \"For enhanced authentication security, use a managed identity.
On Azure, managed identities eliminate the need for developers to have to manage credentials by providing an identity for the Azure resource in Azure AD and using it to obtain Azure Active Directory (Azure AD) tokens.\",\r\n \"remediationDescription\": \"To create a managed identity for your API app:
1. Go to the App Service for your API app 2. Scroll to the Settings group in the left navigation 3. Select Identity 4. Use System assigned or User assigned identity following the steps described in this doc: https://aka.ms/managed-identity\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1fde2073-a488-17e9-9534-5a3b23379b4b\",\r\n \"name\": \"1fde2073-a488-17e9-9534-5a3b23379b4b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Enforce SSL connection should be enabled for PostgreSQL database servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d158790f-bfb0-486c-8631-2dc6b4e8e6af\",\r\n \"description\": \"Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL).
Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application.
This configuration enforces that SSL is always enabled for accessing your database server.\",\r\n \"remediationDescription\": \"To enforce the use of SSL-based encrypted connections for all traffic to your Azure Database for PostgreSQL:
1. Select your Azure Database for PostgreSQL. 2. In Connection Security, set Enforce SSL connection to 'Enabled'.
For more information, see: https://go.microsoft.com/fwlink/?linkid=848213\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1f6d29f6-4edb-ea39-042b-de8f123ddd39\",\r\n \"name\": \"1f6d29f6-4edb-ea39-042b-de8f123ddd39\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Enforce SSL connection should be enabled for MySQL database servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e802a67a-daf5-4436-9ea6-f6d821dd0c5d\",\r\n \"description\": \"Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL).
Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application.
This configuration enforces that SSL is always enabled for accessing your database server.\",\r\n \"remediationDescription\": \"To enforce the use of SSL-based encrypted connections for all traffic to your Azure Database for MySQL:
1. Select your Azure Database for MySQL. 2. In Connection Security, set Enforce SSL connection to 'Enabled'.
For more information, see: https://go.microsoft.com/fwlink/?linkid=848211\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2a54c352-7ca4-4bae-ad46-47ecd9595bd2\",\r\n \"name\": \"2a54c352-7ca4-4bae-ad46-47ecd9595bd2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"TLS should be updated to the latest version for your web app\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b\",\r\n \"description\": \"Upgrade to the latest TLS version\",\r\n \"remediationDescription\": \"To update your web app to the latest TLS version:
1. Navigate to Azure App Service 2. Select TLS/SSL settings 3. Under the Protocol Settings section, choose the latest Minimum TLS Version.
For more information on managing TLS/SSL settings, visit here: https://aka.ms/add-tls\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/15be5f3c-e0a4-c0fa-fbff-8e50339b4b22\",\r\n \"name\": \"15be5f3c-e0a4-c0fa-fbff-8e50339b4b22\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"TLS should be updated to the latest version for your function app\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193\",\r\n \"description\": \"Upgrade to the latest TLS version\",\r\n \"remediationDescription\": \"To update your function app to the latest TLS version:
1. Navigate to Azure App Service 2. Select TLS/SSL settings 3. Under the Protocol Settings section, choose the latest Minimum TLS Version.
For more information on managing TLS/SSL settings, visit here: https://aka.ms/add-tls\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6b86d069-b3c3-b4d7-47c7-e73ddf786a63\",\r\n \"name\": \"6b86d069-b3c3-b4d7-47c7-e73ddf786a63\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"PHP should be updated to the latest version for your API app\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1bc1795e-d44a-4d48-9b3b-6fff0fd5f9ba\",\r\n \"description\": \"Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality.
Using the latest PHP version for API apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version.\",\r\n \"remediationDescription\": \"To set the PHP version for your API app, follow the instructions to show and set the version using the Azure CLI outlined in this document: https://aka.ms/configure-php\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7b2a234d-614b-562f-ac85-91b419688b59\",\r\n \"name\": \"7b2a234d-614b-562f-ac85-91b419688b59\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"PHP should be updated to the latest version for your web app\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7261b898-8a84-4db8-9e04-18527132abb3\",\r\n \"description\": \"Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality.
Using the latest PHP version for web apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version.\",\r\n \"remediationDescription\": \"To set the PHP version for your web app, follow the instructions to show and set the version using the Azure CLI outlined in this document: https://aka.ms/configure-php\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/39c63596-aa92-1b90-ee7c-628bee592cc0\",\r\n \"name\": \"39c63596-aa92-1b90-ee7c-628bee592cc0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Java should be updated to the latest version for your web app\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/496223c3-ad65-4ecd-878a-bae78737e9ed\",\r\n \"description\": \"Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality.
Using the latest Java version for web apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version.\",\r\n \"remediationDescription\": \"To set the latest Java version for your web app:
1. Navigate to Azure App Service 2. Go to Configuration 3. Select the latest Java version in the JVM drop down.
For more information, visit here: https://aka.ms/configure-java\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f0fd27eb-25aa-4335-0ba2-0720cccda9a4\",\r\n \"name\": \"f0fd27eb-25aa-4335-0ba2-0720cccda9a4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Java should be updated to the latest version for your function app\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc\",\r\n \"description\": \"Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality.
Using the latest Java version for function apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version.\",\r\n \"remediationDescription\": \"To set the latest Java version for your function app:
1. Navigate to Azure App Service 2. Go to Configuration 3. Select the latest Java version in the JVM drop down.
For more information, visit here: https://aka.ms/configure-java\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/08a3b009-0178-ee60-e357-e7ee5aea59c7\",\r\n \"name\": \"08a3b009-0178-ee60-e357-e7ee5aea59c7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Java should be updated to the latest version for your API app\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/88999f4c-376a-45c8-bcb3-4058f713cf39\",\r\n \"description\": \"Periodically, newer versions are released for Java either due to security flaws or to include additional functionality.
Using the latest Python version for API apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version.\",\r\n \"remediationDescription\": \"To set the latest Java version for your API app:
1. Navigate to Azure App Service 2. Go to Configuration 3. Select the latest Java version in the JVM drop down.
For more information, visit here: https://aka.ms/configure-java\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e8407fab-bf38-b0a4-79c1-068bbf82eca1\",\r\n \"name\": \"e8407fab-bf38-b0a4-79c1-068bbf82eca1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Python should be updated to the latest version for your web app\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7008174a-fd10-4ef0-817e-fc820a951d73\",\r\n \"description\": \"Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality.
Using the latest Python version for web apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version.\",\r\n \"remediationDescription\": \"To set the Python version for your web app, follow the instructions to show and set the version using the Azure CLI outlined in this document: https://aka.ms/configure-python\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/96327a68-4aec-5e76-8f0e-d4670bc5a3a7\",\r\n \"name\": \"96327a68-4aec-5e76-8f0e-d4670bc5a3a7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Python should be updated to the latest version for your function app\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7238174a-fd10-4ef0-817e-fc820a951d73\",\r\n \"description\": \"Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality.
Using the latest Python version for function apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version.\",\r\n \"remediationDescription\": \"To set the Python version for your function app, follow the instructions to show and set the version using the Azure CLI outlined in this document: https://aka.ms/configure-python\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c2c90d64-38e2-e984-1457-7f4a98168c72\",\r\n \"name\": \"c2c90d64-38e2-e984-1457-7f4a98168c72\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Python should be updated to the latest version for your API app\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/74c3584d-afae-46f7-a20a-6f8adba71a16\",\r\n \"description\": \"Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality.
Using the latest Python version for API apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version.\",\r\n \"remediationDescription\": \"To set the Python version for your API app, follow the instructions to show and set the version using the Azure CLI outlined in this document: https://aka.ms/configure-python\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c5b83aed-f53d-5201-8ffb-1f9938de410a\",\r\n \"name\": \"c5b83aed-f53d-5201-8ffb-1f9938de410a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Private endpoint should be enabled for PostgreSQL servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0564d078-92f5-4f97-8398-b9f58a51f70b\",\r\n \"description\": \"Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for PostgreSQL.
Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure.\",\r\n \"remediationDescription\": \"To configure Private Link for Azure Database for PostgreSQL:
1. Navigate to your Azure Database for PostgreSQL. 2. Select Private Endpoint Connections in the left-hand pane 3. Click on \\\"+Private Endpoint\\\" and follow the instructions provided https://docs.microsoft.com/azure/postgresql/howto-configure-privatelink-portal.
For more information, see: https://aka.ms/pgprivatelink\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ca9b93fe-6f1f-676c-2f31-d20f88fdbe56\",\r\n \"name\": \"ca9b93fe-6f1f-676c-2f31-d20f88fdbe56\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Private endpoint should be enabled for MariaDB servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a1302fb-a631-4106-9753-f3d494733990\",\r\n \"description\": \"Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MariaDB.
Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure.\",\r\n \"remediationDescription\": \"To configure Private Link for Azure Database for MariaDB:
1. Navigate to your Azure Database for MariaDB. 2. Select Private Endpoint Connections in the left-hand pane 3. Click on \\\"+Private Endpoint\\\" and follow the instructions provided https://docs.microsoft.com/azure/mariadb/howto-configure-privatelink-portal.
For more information, see: https://aka.ms/mariadbprivatelink\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/cec4922b-1eb3-cb74-660b-ffad9b9ac642\",\r\n \"name\": \"cec4922b-1eb3-cb74-660b-ffad9b9ac642\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Private endpoint should be enabled for MySQL servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7595c971-233d-4bcf-bd18-596129188c49\",\r\n \"description\": \"Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MySQL.
Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure.\",\r\n \"remediationDescription\": \"To configure Private Link for Azure Database for MySQL:
1. Navigate to your Azure Database for MySQL. 2. Select Private Endpoint Connections in the left-hand pane 3. Click on \\\"+Private Endpoint\\\" and follow the instructions provided https://docs.microsoft.com/azure/mysql/howto-configure-privatelink-portal.
For more information, see: https://aka.ms/mysqlprivatelink\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/620671b8-6661-273a-38ac-4574967750ec\",\r\n \"name\": \"620671b8-6661-273a-38ac-4574967750ec\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Audit retention for SQL servers should be set to at least 90 days\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/89099bee-89e0-4b26-a5f4-165451757743\",\r\n \"description\": \"Audit SQL servers configured with an auditing retention period of less than 90 days.\",\r\n \"remediationDescription\": \"To configure auditing retention on your Azure SQL server or Azure Synapse server:
1.From the Azure portal, select the Azure SQL Server or Azure Synapse resource. 2.From the menu, select Auditing. 3.Select Storage details. 4.To set a new retention period of 90 days or higher, manually enter a value or move the slider for Retention (Days). 5.Select OK.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/972a6579-f38f-c0b9-1b4b-a5bbeba3ab5b\",\r\n \"name\": \"972a6579-f38f-c0b9-1b4b-a5bbeba3ab5b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"FTPS should be required in your function App\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/399b2637-a50f-4f95-96f8-3a145476eb15\",\r\n \"description\": \"Enable FTPS enforcement for enhanced security\",\r\n \"remediationDescription\": \"To ensure enforcement of FTPS only for your function app:
1. Go to the App Service for your API app 2. Select Configuration, and go to the General Settings tab 3. In FTP state, select FTPS only.
For more information, visit here: https://aka.ms/deploy-ftp\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/19beaa2a-a126-b4dd-6d35-617f6cc83fca\",\r\n \"name\": \"19beaa2a-a126-b4dd-6d35-617f6cc83fca\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"FTPS should be required in your web App\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4d24b6d4-5e53-4a4f-a7f4-618fa573ee4b\",\r\n \"description\": \"Enable FTPS enforcement for enhanced security\",\r\n \"remediationDescription\": \"To ensure enforcement of FTPS only for your web app:
1. Go to the App Service for your API app 2. Select Configuration, and go to the General Settings tab 3. In FTP state, select FTPS only.
For more information, visit here: https://aka.ms/deploy-ftp\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/67fc622b-4ce6-8c52-08ae-9f830036b757\",\r\n \"name\": \"67fc622b-4ce6-8c52-08ae-9f830036b757\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"FTPS should be required in your API App\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9a1b8c48-453a-4044-86c3-d8bfd823e4f5\",\r\n \"description\": \"Enable FTPS enforcement for enhanced security\",\r\n \"remediationDescription\": \"To ensure enforcement of FTPS only for your API app:
1. Go to the App Service for your API app 2. Select Configuration, and go to the General Settings tab 3. In FTP state, select FTPS only.
For more information, visit here: https://aka.ms/deploy-ftp\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9d07b7e6-2986-4964-a76c-b2689604e212\",\r\n \"name\": \"9d07b7e6-2986-4964-a76c-b2689604e212\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Identical Authentication Credentials\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Identical authentication credentials to the IoT Hub used by multiple devices. This could indicate an illegitimate device impersonating a legitimate device. It also exposes the risk of device impersonation by an attacker\",\r\n \"remediationDescription\": \"Review the devices in question and make sure they are all valid. Replace any duplicated credentials and make sure all device authentication credentials are unique.\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5a3d6cdd-8eb3-46d2-ba11-d24a0d47fe65\",\r\n \"name\": \"5a3d6cdd-8eb3-46d2-ba11-d24a0d47fe65\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Default IP Filter Policy should be Deny\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"IP Filter Configuration should have rules defined for allowed traffic and should deny all other traffic by default\",\r\n \"remediationDescription\": \"Add a default rule at the end of the defined rules list to deny all inbound traffic. Make sure any rules defined above it only allow wanted traffic through.\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d8326952-60bb-40fb-b33f-51e662708a88\",\r\n \"name\": \"d8326952-60bb-40fb-b33f-51e662708a88\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IP Filter rule large IP range\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"An Allow IP Filter rule's source IP range is too large. Overly permissive rules might expose your IoT hub to malicious intenders\",\r\n \"remediationDescription\": \"Review the rule in question and verify source IP range is as small as it needs to be for necessary traffic to go through.\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1a36f14a-8bd8-45f5-abe5-eef88d76ab5b\",\r\n \"name\": \"1a36f14a-8bd8-45f5-abe5-eef88d76ab5b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Open Ports On Device\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"A listening endpoint was found on the device\",\r\n \"remediationDescription\": \"Review the open ports on the device and make sure they belong to legitimate and necessary processes for the device to function correctly\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ba975338-f956-41e7-a9f2-7614832d382d\",\r\n \"name\": \"ba975338-f956-41e7-a9f2-7614832d382d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Permissive firewall rule in the input chain was found\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"A rule in the firewall has been found that contains a permissive pattern for a wide range of IP addresses or Ports\",\r\n \"remediationDescription\": \"Review the rules in the recommendation and verify only necessary addresses / ports are allowed in\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/beb62be3-5e78-49bd-ac5f-099250ef3c7c\",\r\n \"name\": \"beb62be3-5e78-49bd-ac5f-099250ef3c7c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Permissive firewall policy in one of the chains was found\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"An allowed firewall policy was found in main firewall Chains (INPUT/OUTPUT). The policy should Deny all traffic by default define rules to allow necessary communication to/from the device\",\r\n \"remediationDescription\": \"Change firewall policy to Drop and add specific rules to permit access to legitimate connections to/from the device\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d5a8d84a-9ad0-42e2-80e0-d38e3d46028a\",\r\n \"name\": \"d5a8d84a-9ad0-42e2-80e0-d38e3d46028a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Permissive firewall rule in the output chain was found\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"A rule in the firewall has been found that contains a permissive pattern for a wide range of IP addresses or ports\",\r\n \"remediationDescription\": \"Review the rules in the recommendation and verify only necessary addresses / ports are allowed out\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5f65e47f-7a00-4bf3-acae-90ee441ee876\",\r\n \"name\": \"5f65e47f-7a00-4bf3-acae-90ee441ee876\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Operating system baseline validation failure\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Security related system configuration issues identified\",\r\n \"remediationDescription\": \"Review the failed rules and remediate the security configuration vulnerabilities identified on your devices\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a9a59ebb-5d6f-42f5-92a1-036fd0fd1879\",\r\n \"name\": \"a9a59ebb-5d6f-42f5-92a1-036fd0fd1879\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Agent sending underutilized messages\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"IoT agent message size capacity is currently underutilized, causing an increase in the number of sent messages. Adjust message intervals for better utilization\",\r\n \"remediationDescription\": \"To avoid too many underutilized messages, consider enlarging the high/low priority send intervals\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2acc27c6-5fdb-405e-9080-cb66b850c8f5\",\r\n \"name\": \"2acc27c6-5fdb-405e-9080-cb66b850c8f5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - TLS cipher suite upgrade needed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Unsecure TLS configurations detected. Immediate TLS cipher suite upgrade recommended\",\r\n \"remediationDescription\": \"Upgrade your TLS cipher suite to a secure configuration. See the Guide to TLS Standards Compliance for more information\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d74d2738-2485-4103-9919-69c7e63776ec\",\r\n \"name\": \"d74d2738-2485-4103-9919-69c7e63776ec\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Auditd process stopped sending events\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Security events originated from Auditd process are no longer received from this device\",\r\n \"remediationDescription\": \"Verify Auditd process is running on the device, restart process or device as needed\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2acd365d-e8b5-4094-bce4-244b7c51d67c\",\r\n \"name\": \"2acd365d-e8b5-4094-bce4-244b7c51d67c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Service principals should be used to protect your subscriptions instead of Management Certificates\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6646a0bd-e110-40ca-bb97-84fcee63c414\",\r\n \"description\": \"Management certificates allow anyone who authenticates with them to manage the subscription(s) they are associated with. To manage subscriptions more securely, using service principals with Resource Manager is recommended to limit the blast radius in the case of a certificate compromise. It also automates resource management. \",\r\n \"remediationDescription\": \"To remove management certificates and replace with service principals:
1. Follow the guidance here to create service principals with a certificate.
2. Select a subscription from the list of subscriptions below or navigate to the specific subscription.
3. You need to have co-admin access in order to complete this step. Select In the Management Certificates under Settings , delete the existing management certificates you would like to replace with the service principals you created.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/506a4392-1923-487e-b8d7-8a6aee123ad4\",\r\n \"name\": \"506a4392-1923-487e-b8d7-8a6aee123ad4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Application Load Balancer should be configured to redirect all HTTP requests to HTTPS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if redirection from HTTP to HTTPS is configured on all HTTP listeners of Application Load Balancers.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4fe7c40f-0e00-4561-a3db-9fb9a1445f8c\",\r\n \"name\": \"4fe7c40f-0e00-4561-a3db-9fb9a1445f8c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 buckets should require requests to use Secure Socket Layer\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"S3 buckets should have policies enabled that require all requests to accept only transmission of data over HTTPS in the S3 resource policy.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b26b4bb8-864b-44b7-9dbe-6ebc42784893\",\r\n \"name\": \"b26b4bb8-864b-44b7-9dbe-6ebc42784893\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 buckets should have server-side encryption enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if your Amazon S3 buckets have Amazon S3 default encryption configured or if the S3 bucket policy explicitly denies put-object requests without an encryption on server side\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c1769ad9-3c3a-4455-8d86-4d02dc2580f7\",\r\n \"name\": \"c1769ad9-3c3a-4455-8d86-4d02dc2580f7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"AWS Config should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if AWS Config is enabled for the current account and region. The AWS Config service manages configuration of supported AWS resources in your account and sends log files to you. Security Hub recommends AWS Config should be enabled in all regions.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bae62237-b51c-4b17-8a35-da91de00f768\",\r\n \"name\": \"bae62237-b51c-4b17-8a35-da91de00f768\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Hardware MFA should be enabled for the root user\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks whether your AWS account is enabled to use multi-factor authentication (MFA) hardware device to sign in with root credentials. MFA adds a layer of protection on top of a user name and password for accessing cardholder data environment. \",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9e06bec8-97f4-4b02-90d4-fa98ebab2079\",\r\n \"name\": \"9e06bec8-97f4-4b02-90d4-fa98ebab2079\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"MFA should be enabled for all IAM users\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if the AWS Identity and Access Management users have multi-factor authentication (MFA) enabled\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b78b295a-8bdb-431f-ab49-c599a219d1c1\",\r\n \"name\": \"b78b295a-8bdb-431f-ab49-c599a219d1c1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Virtual MFA should be enabled for the root user\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if users of your AWS account require a multi-factor authentication (MFA) device to sign in with root credentials.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5ca086b6-9bd4-4c07-b787-464f296ebb20\",\r\n \"name\": \"5ca086b6-9bd4-4c07-b787-464f296ebb20\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 buckets should prohibit public write access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks whether your S3 buckets enable public write access by checking the bucket policy, the Block Public Access settings, and the bucket access control list (ACL). Make sure that access to the bucket is restricted to authorized principals only.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7a15b790-008b-4501-85fe-2515a5bc2bd0\",\r\n \"name\": \"7a15b790-008b-4501-85fe-2515a5bc2bd0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 buckets should prohibit public read access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks whether your S3 buckets enable public read access by checking the bucket policy, the Block Public Access settings, and the bucket access control list (ACL).Make sure that access to the bucket is restricted to authorized principals only.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7526daaf-6485-41a7-93b3-257ef2903035\",\r\n \"name\": \"7526daaf-6485-41a7-93b3-257ef2903035\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM user credentials should be disabled if not used within a pre-defined number days\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if your AWS Identity and Access Management (IAM) users have inactive credentials that have not been used within a specified number of days, default is 90 days.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d7887c9e-34c3-4c5a-a214-8022007e41f9\",\r\n \"name\": \"d7887c9e-34c3-4c5a-a214-8022007e41f9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Password policies for IAM users should have strong configurations\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if the account password policy for IAM users uses the following configurations: Require at least one uppercase character in password (Default = true), Require at least one lowercase character in password (Default = true), Require at least one number in password (Default = true), Password minimum length (Default = 7 or longer), Number of passwords before allowing reuse (Default = 4), Number of days before password expiration (Default = 90).\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d8ae9e00-250a-4a8d-a295-5e40f2e13824\",\r\n \"name\": \"d8ae9e00-250a-4a8d-a295-5e40f2e13824\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM root user access key should not exist\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if the root user access key is available.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7b1ddbf7-6600-41a9-a23e-e7efb8668c01\",\r\n \"name\": \"7b1ddbf7-6600-41a9-a23e-e7efb8668c01\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM users should not have IAM policies attached\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks that none of your IAM users have attached policies, they must inherit permissions from IAM groups or roles.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c60f9b4d-853d-41d3-a516-f4dc505dd92c\",\r\n \"name\": \"c60f9b4d-853d-41d3-a516-f4dc505dd92c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM policies should not allow full \\\"*\\\" administrative privileges\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if the AWS Identity and Access Management (IAM) policies default version (also known as customer managed policies) do not have administrator access with a statement that has \\\"Effect\\\": \\\"Allow\\\" with \\\"Action\\\": \\\"*\\\" over \\\"Resource\\\": \\\"*\\\". It does not check inline and AWS Managed Policies, only for the Customer Managed Policies that you created.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a05b1517-27e4-402f-b5d7-3995cb4ffb1f\",\r\n \"name\": \"a05b1517-27e4-402f-b5d7-3995cb4ffb1f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Customer master key (CMK) rotation should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if key rotation is enabled for each customer master key (CMK). It doesn't check CMKs that have imported key material.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b8b4cd2e-d8ef-43fb-a09a-f8faad403309\",\r\n \"name\": \"b8b4cd2e-d8ef-43fb-a09a-f8faad403309\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Lambda functions should prohibit public access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if the Lambda resource has a Lambda function policy attached that prohibits public access\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e73c08d7-bf33-428c-9a35-047b93826c85\",\r\n \"name\": \"e73c08d7-bf33-428c-9a35-047b93826c85\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS snapshots should prohibit public access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if Amazon Relational Database Service (Amazon RDS) snapshots are public\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ce67af84-5a51-47e7-85e5-fe8cfa5b6237\",\r\n \"name\": \"ce67af84-5a51-47e7-85e5-fe8cfa5b6237\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS DB Instances should prohibit public access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if RDS instances are publicly accessible by checking the publiclyAccessible field in the instance configuration item.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d2f140fd-4b82-4e49-a312-a1aaea2d4b37\",\r\n \"name\": \"d2f140fd-4b82-4e49-a312-a1aaea2d4b37\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Redshift clusters should prohibit public access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if Redshift clusters are publicly accessible by checking the publiclyAccessible field in the cluster configuration item\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/529ab31c-7a8e-40f9-a004-91ac1d455fb1\",\r\n \"name\": \"529ab31c-7a8e-40f9-a004-91ac1d455fb1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CodeBuild GitHub or Bitbucket source repository URLs should use OAuth\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if the GitHub or Bitbucket source repository URL includes personal access tokens or user name and password.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8be46b23-a5fd-4ac6-8ec6-018b35b5afb5\",\r\n \"name\": \"8be46b23-a5fd-4ac6-8ec6-018b35b5afb5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Database Migration Service replication instances should not be public\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if AWS Database Migration Service replication instances are public by checking the field value of PubliclyAccessible.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b1dadb19-4295-4acb-a592-6b024008e686\",\r\n \"name\": \"b1dadb19-4295-4acb-a592-6b024008e686\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EBS snapshots should not be publicly restorable\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if Amazon Elastic Block Store snapshots aren't publicly restorable.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3a660f6d-c102-4fe5-be7b-82500b9ae065\",\r\n \"name\": \"3a660f6d-c102-4fe5-be7b-82500b9ae065\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 Block Public Access setting should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"S3 buckets should block public access, this checks if the following public access block settings are configured from an account level: ignorePublicAcls: True, blockPublicPolicy: True, blockPublicAcls: True, restrictPublicBuckets: True.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/93facfdb-6299-4c07-b650-bc43bc3bc18d\",\r\n \"name\": \"93facfdb-6299-4c07-b650-bc43bc3bc18d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"VPC default security group should prohibit inbound and outbound traffic\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks that the default security group of a VPC doesn't allow inbound or outbound traffic\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/390db523-709f-466d-8757-b0b54ea6a7bd\",\r\n \"name\": \"390db523-709f-466d-8757-b0b54ea6a7bd\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Security groups should not allow ingress from 0.0.0.0/0 to port 22\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. Restricting connectivity to remote console services, such as SSH, could help reduce a server's exposure to risk.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/86f26232-2132-4707-99ff-4e70ee16c3ab\",\r\n \"name\": \"86f26232-2132-4707-99ff-4e70ee16c3ab\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Unused EC2 security groups should be removed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks that security groups are attached to Amazon EC2 instances or to an ENI and are surfaces unused security groups.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/099e9ded-7834-43ad-be02-30114c800211\",\r\n \"name\": \"099e9ded-7834-43ad-be02-30114c800211\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon Elasticsearch domains should be in a VPC\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if Amazon Elasticsearch Service domains are in a VPC.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/40ba0792-0cf7-48e3-a629-d3871dc4b7c0\",\r\n \"name\": \"40ba0792-0cf7-48e3-a629-d3871dc4b7c0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Lambda functions should be in a VPC\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if all Lambda function are in a VPC\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5ce523c5-3508-40ef-98d3-ef440253ba6b\",\r\n \"name\": \"5ce523c5-3508-40ef-98d3-ef440253ba6b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CodeBuild project environment variables should not contain clear text credentials\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if a CodeBuild project includes environment variables AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ec43ef1b-935b-4b17-9273-e28fbb94a1c2\",\r\n \"name\": \"ec43ef1b-935b-4b17-9273-e28fbb94a1c2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Unused EC2 EIPs should be removed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"An accurate asset inventory of EIPs should be maintained by checking if Elastic IP addresses that are allocated to a VPC are attached to EC2 instances or in-use elastic network interfaces (ENIs)\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/023c4652-db6a-4f38-ae25-fe2c9a091459\",\r\n \"name\": \"023c4652-db6a-4f38-ae25-fe2c9a091459\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon SageMaker notebook instances should not have direct internet access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if direct internet access is disabled for an Amazon SageMaker notebook instance by checking the DirectInternetAccess field is set to disabled for an Amazon SageMaker notebook instance.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0650d086-6677-4776-9bb0-10aad0a7c6dd\",\r\n \"name\": \"0650d086-6677-4776-9bb0-10aad0a7c6dd\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudTrail logs should be encrypted at rest using AWS KMS CMKs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if AWS CloudTrail is configured to use the server side encryption (SSE) AWS Key Management Service (AWS KMS) customer master key (CMK) encryption.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f631914d-ed27-4d43-98ce-58aecc12eccf\",\r\n \"name\": \"f631914d-ed27-4d43-98ce-58aecc12eccf\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon Elasticsearch domains should have encryption at rest enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if Amazon Elasticsearch Service (Amazon ES) domains have encryption at rest configured.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/336631d3-ba44-4268-8abd-665d3950d775\",\r\n \"name\": \"336631d3-ba44-4268-8abd-665d3950d775\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"A log metric filter and alarm should exist for usage of the \\\"root\\\" user\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks the following metric filters : That the log group name is configured for use with multi-region CloudTrail activated, that there is at least one Event Selector for a Trail with IncludeManagementEvents configured to true and ReadWriteType configured to All, and that there is at least one subscriber active to an SNS topic associated to the alarm.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5db7555b-559c-4fe0-a2e1-d0aee04360e9\",\r\n \"name\": \"5db7555b-559c-4fe0-a2e1-d0aee04360e9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"VPC flow logging should be enabled in all VPCs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks whether Amazon Virtual Private Cloud flow logs are found and enabled for Amazon VPC(s) for packet rejects. VPC Flow Logs enable you to capture information about the IP address traffic to and from network interfaces in your VPC, and can help detect anomalous traffic.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4dd331be-aa29-4753-9f09-9fc2edf05bf2\",\r\n \"name\": \"4dd331be-aa29-4753-9f09-9fc2edf05bf2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudTrail trails should be integrated with Amazon CloudWatch Logs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if AWS CloudTrail trails are set to send logs to Amazon CloudWatch Logs\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6cf046b0-9a14-44ec-b35b-171982c78e9b\",\r\n \"name\": \"6cf046b0-9a14-44ec-b35b-171982c78e9b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudTrail should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if AWS CloudTrail is enabled in your AWS account\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/21eaabc0-9210-45fd-b7fc-0c9b255a0c16\",\r\n \"name\": \"21eaabc0-9210-45fd-b7fc-0c9b255a0c16\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudTrail log file validation should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if CloudTrail log file validation is enabled\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/75c358f9-f644-41d1-9a07-af69f5ee0e2f\",\r\n \"name\": \"75c358f9-f644-41d1-9a07-af69f5ee0e2f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EC2 instances managed by Systems Manager should have a patch compliance status of COMPLIANT after a patch installation\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks only EC2 instances managed by AWS Systems Manager, if after patch installation on the instances they are compliant . AWS Systems Manager is an AWS service that can be used control and view your AWS resources. Systems Manager scans the managed EC2 instances in order to maintain security and compliance, by reporting or taking action on a policy violation that is discovered. \",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6a9bbcb5-81a9-4164-8d17-03b255107dad\",\r\n \"name\": \"6a9bbcb5-81a9-4164-8d17-03b255107dad\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EC2 instances should be managed by AWS Systems Manager\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if AWS Systems Manager is configured to manage your EC2 instances. AWS Systems Manager is an AWS service that can be used control and view your AWS resources. Systems Manager scans the managed EC2 instances in order to maintain security and compliance, by reporting or taking action on a policy violation that is discovered. \",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/32b4b856-848d-4ce2-bec7-1a9be69bce6a\",\r\n \"name\": \"32b4b856-848d-4ce2-bec7-1a9be69bce6a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EC2 instances managed by Systems Manager should have an association compliance status of COMPLIANT\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if the status of the AWS Systems Manager association compliance is COMPLIANT or NON_COMPLIANT after the association has been executed on an instance\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5010098e-7bef-467c-baed-209d8a5afac4\",\r\n \"name\": \"5010098e-7bef-467c-baed-209d8a5afac4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 buckets should have cross-region replication enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if S3 buckets have cross-region replication enabled.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/94d42d13-40a6-47df-b16e-be141aae83c3\",\r\n \"name\": \"94d42d13-40a6-47df-b16e-be141aae83c3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Auto scaling groups associated with a load balancer should use health checks\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if your Auto Scaling groups that are associated with a load balancer are using Elastic Load Balancing health checks\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d5c82980-3fce-4c37-9ad3-9c69a1c59d8f\",\r\n \"name\": \"d5c82980-3fce-4c37-9ad3-9c69a1c59d8f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"GuardDuty should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if Amazon GuardDuty is enabled in your AWS account and region. Amazon GuardDuty is a continuous security monitoring service that can identify unexpected and potentially unauthorized and malicious activity within your AWS environment \",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bc85a7ee-7f43-47ab-8736-4faaec9346b5\",\r\n \"name\": \"bc85a7ee-7f43-47ab-8736-4faaec9346b5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"SSM agent should be installed on your AWS EC2 instances\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Systems Manager is an AWS service that can be used to control and view your AWS infrastructure. The AWS Systems Manager Agent (SSM Agent) is a software that can be installed and configured on a machine and makes it possible for Systems Manager to update and configure these resources. Security Center leverages the SSM Agent for automatic installation of Azure Arc, that enables greater parity for AWS instances to Azure VMs.\",\r\n \"remediationDescription\": \"First, Make sure EC2 instances are managed by Systems Manager: 1.Open AWS System Manager.
2. Choose Quick setup
3. keep the default options on the configuration screen.
4. Choose Set up Systems Manager.
For directions on installing and configuring the SSM Agent on Windows instances visit this page For directions on installing and configuring the SSM Agent on Linux instances visit this page \",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a7c8fa46-526d-4bf6-b8b3-17fa01310fd8\",\r\n \"name\": \"a7c8fa46-526d-4bf6-b8b3-17fa01310fd8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"AWS Security Hub should be enabled in every region in your AWS accounts\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS Security Hub is a regional service and customer must enable Security Hub in each region to view findings in that region. You should continuously monitor all regions across all of your AWS accounts for unauthorized behavior or misconfigurations, including regions you don’t use heavily.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit AWS security hub documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/20f6c761-4dd7-4f27-9e37-6db8471486ef\",\r\n \"name\": \"20f6c761-4dd7-4f27-9e37-6db8471486ef\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"AWS Security Hub should be enabled for all AWS member accounts\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS Security Hub provides you with a comprehensive view of your security state within AWS and your compliance with security standards and best practices. Integrating it into Security Center enables a comprehensive view across multiple cloud environments. any AWS member account related to an onboarded account should have Security Hub enabled as well.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit AWS security hub documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/726cde3e-02f8-4041-8935-727f2be19ba7\",\r\n \"name\": \"726cde3e-02f8-4041-8935-727f2be19ba7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that corporate login credentials are used\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Make sure to log in using the credentials of a fully-managed corporate account and not a personal account.\",\r\n \"remediationDescription\": \"Browse to GCP IAM & Admin. Select the checkbox next to non-corporate users, and then click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4a946e22-47e8-443d-8761-b25620b4a1e1\",\r\n \"name\": \"4a946e22-47e8-443d-8761-b25620b4a1e1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that multi-factor authentication is enabled for all non-service accounts\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Multi-Factor Authentication (MFA) must be enabled for all Google Cloud Platform accounts, excluding service accounts.\",\r\n \"remediationDescription\": \"Browse to GCP Security Settings and set up multi-factor authentication for all non-service accounts within the project.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0ad39832-f031-4fdd-885e-c6cce85ac77c\",\r\n \"name\": \"0ad39832-f031-4fdd-885e-c6cce85ac77c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Service Account has no Admin privileges\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that all service accounts are not configured with administrative roles.\",\r\n \"remediationDescription\": \"Browse to GCP IAM & Admin. Select Members and make sure that there aren't any 'User-Managed user created service account' accounts with one of the following roles: admin, editor, or owner.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/90191798-da1b-40dd-aa9c-1c0eafb1ba87\",\r\n \"name\": \"90191798-da1b-40dd-aa9c-1c0eafb1ba87\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that the 'Service Account User' and 'Service Account Token Creator' roles are not granted to users at a project level. Instead, grant these roles to users in the context of specific service accounts.\",\r\n \"remediationDescription\": \"Browse to GCP IAM & Admin. In the filter table field, enter 'Role: Service Account User' and click 'Delete' (bin icon) for every user listed. Similarly, filter using 'Role: Service Account Token Creator' and delete every user listed.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ddced3c8-a5e2-4dc4-b0fe-1331c77fc9c4\",\r\n \"name\": \"ddced3c8-a5e2-4dc4-b0fe-1331c77fc9c4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure user-managed/external keys for service accounts are rotated every 90 days or less\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that all service account keys are rotated every 90 days or less.\",\r\n \"remediationDescription\": \"Browse to APIs Credentials. Under 'Service Account Keys', for every External (user-managed) service account where the creation date is 90 days or more, delete the service account key and create a new one instead.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f493084a-d3c4-4886-8cf2-3c815aeef901\",\r\n \"name\": \"f493084a-d3c4-4886-8cf2-3c815aeef901\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Separation of duties is enforced while assigning service account related roles to users\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that there is a separation of duties. Also, make sure that users are not assigned with both 'Service Account Admin' and other 'Service Account User' roles.\",\r\n \"remediationDescription\": \"Browse to GCP IAM & Admin. Edit members with both 'Service Account Admin' and 'Service Account User', delete one of the roles, and then click 'Save'. \",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3053474d-4fab-4603-8d18-2a6dfd09f782\",\r\n \"name\": \"3053474d-4fab-4603-8d18-2a6dfd09f782\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure KMS encryption keys are rotated within a period of 90 days\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that Cloud KMS encryption keys are rotated every 90 days or less.\",\r\n \"remediationDescription\": \"Browse to GCP Security Kms. For every key ring, for every key in the key ring, do the following: Select 'Right side pop up the blade' > 'Edit rotation period' > 'Select a new rotation period' and specify a period of less than 90 days, and then specify a 'Starting on' date.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3ff38dcd-92e2-4b67-8765-35bb0174a4c7\",\r\n \"name\": \"3ff38dcd-92e2-4b67-8765-35bb0174a4c7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Separation of duties is enforced while assigning KMS related roles to users\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that there is a separation of duties and that there are no users assigned with both the 'Cloud KMS Admin' role and any of the following roles: 'Cloud KMS CryptoKey', 'Cloud KMS Encrypter/Decrypter', 'Cloud KMS CryptoKey Encrypter' or 'Cloud KMS CryptoKey Decrypterer'.\",\r\n \"remediationDescription\": \"Browse to GCP IAM & Admin. For the member that is listed at the recommendation, click 'Edit'. For the 'Cloud KMS Admin' role, click 'Delete', and then Click 'Save'. \",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/52f83ea2-6871-45c3-8b26-13566e966638\",\r\n \"name\": \"52f83ea2-6871-45c3-8b26-13566e966638\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure API keys are not created for a project\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that all API keys are not used within the scope of projects. The standard authentication flow should be implemented, since the use of API keys presents many security risks.\",\r\n \"remediationDescription\": \"Browse to APIs Credentials. Under 'API Keys', delete the relevant API Keys. These API keys should be replaced by a standard authentication flow as described In the Authentication overview [GCP docs authentication]\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/76e8881d-f18e-4e1b-b01d-376d0260e066\",\r\n \"name\": \"76e8881d-f18e-4e1b-b01d-376d0260e066\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure API keys are restricted to use by only specified Hosts and Apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that API keys are restricted, and used only by trusted hosts, HTTP referrers, or applications.\",\r\n \"remediationDescription\": \"Browse to APIs Credentials. Under 'API Keys', select 'API Key Name'. Under 'Key restrictions', set application restriction to HTTP referrers, IP Addresses, Android Apps, or iOS Apps, and then click 'Save'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0eaf40a8-5673-4b33-8457-a31d85882233\",\r\n \"name\": \"0eaf40a8-5673-4b33-8457-a31d85882233\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure API keys are restricted to only APIs that application needs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that API keys are restricted to only access API endpoints that are essential to the calling application.\",\r\n \"remediationDescription\": \"Browse to APIs Credentials. Under 'API Keys', select 'API Key Name'. For every API key, make sure that the 'Key restrictions' parameter 'API restrictions' is not set to 'None'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5a235918-41a2-4bd0-8ab0-00a596e9d6a8\",\r\n \"name\": \"5a235918-41a2-4bd0-8ab0-00a596e9d6a8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure API keys are rotated every 90 days\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that API keys are rotated every 90 days or less.\",\r\n \"remediationDescription\": \"Browse to APIs Credentials. Under 'API Keys'. Select 'API Key Name'. Click 'REGENERATE KEY' to rotate the API key, and then click 'Save'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f61e15f3-4bcf-4d2e-8f06-32237cabe0a0\",\r\n \"name\": \"f61e15f3-4bcf-4d2e-8f06-32237cabe0a0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud Audit Logging is configured properly across all services and all users from a project\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that Cloud Audit Logging is configured to track read and write activities across all supported services and for all users. Configured this way, all administrative activities, or attempts to access user data, will be tracked.\",\r\n \"remediationDescription\": \"Browse to GCP IAM & Admin Audit. On the 'Audit Log' page, select the 'Log type' tab. Select 'Admin read', 'Data read', and 'Data write', and then click 'Save'. Make sure there are no exemptions.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/cdb3af55-2abf-476b-aac7-5cfec366a4dd\",\r\n \"name\": \"cdb3af55-2abf-476b-aac7-5cfec366a4dd\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that sinks are configured for all log entries\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that all resource have a log sink configured, exporting copies of all the log entries to a centralized location such as a SIEM.\",\r\n \"remediationDescription\": \"Browse to GCP Logs viewer. Switch to the 'Advanced' filter bar, clear any text from the filter field, and then click 'Submit Filter'. Click 'Create Sink', fill out the required details, and then click 'Create Sink'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bc26b0d4-a1d7-4665-9d44-efc205ae73f0\",\r\n \"name\": \"bc26b0d4-a1d7-4665-9d44-efc205ae73f0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure log metric filter and alerts exist for project ownership assignments/changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure log metric filters and alerts are configured to monitor project ownership assignment/change actions.\",\r\n \"remediationDescription\": \"STEP A - Create a Log metric: Browse to GCP Logs metrics. Click 'Create Metric', switch to the 'Advanced' filter bar, and run the following query: (protoPayload.serviceName=\\\"cloudresourcemanager.googleapis.com\\\") AND (ProjectOwnership OR projectOwnerInvitee) OR (protoPayload.serviceData.policyDelta.bindingDeltas.action=\\\"REMOVE\\\" AND protoPayload.serviceData.policyDelta.bindingDeltas.role=\\\"roles/owner\\\") OR (protoPayload.serviceData.policyDelta.bindingDeltas.action=\\\"ADD\\\" AND protoPayload.serviceData.policyDelta.bindingDeltas.role=\\\"roles/owner\\\". In the 'Metric Editor' menu, provide a name for the field, set 'Units' to 1 and Type to 'Counter', then click 'Create Metric'. STEP B - Create Alert on Metrics: To create an alert policy, browse to GCP Logs metrics. Click 'Create alert from Metric', click 'Create alert from Metric', add Alert Triggers, and then click 'Save'. Configure the alert's notification channels, give it a name, and then click 'Save'. Finally, edit the alert policy and update the 'Target Aggregation' option to 'Count'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3812e247-34f2-4f06-a312-89a8fe51fa37\",\r\n \"name\": \"3812e247-34f2-4f06-a312-89a8fe51fa37\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for Audit Configuration changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure log metric filter and alerts are configured for Audit Configuration changes. Audit logging data is required for security analysis. Tracking the log metric filters and alerts is important to ensure that all activities in the projects are being audited as planned.\",\r\n \"remediationDescription\": \"STEP A - Create a Log metric: Browser to GCP Logs metrics. Click 'Create Metric', switch to the 'Advanced' filter bar, clear the text, and run the following query: protoPayload.methodName=\\\"SetIamPolicy\\\" AND protoPayload.serviceData.policyDelta.auditConfigDeltas:*. In the 'Metric Editor' menu, provide a name for the field, set 'Units' to 1 and 'Type to 'Counter', then click 'Create Metric'. STEP B - Create Alert on Metrics: To create an alert policy, browse to GCP Logs metrics. Click 'Create alert from Metric', click 'Create alert from Metric', add Alert Triggers, and then click 'Save'. Configure the alert's notification channels, give it a name, and then click 'Save'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f0f8405a-5ecc-4314-808e-083e030d6163\",\r\n \"name\": \"f0f8405a-5ecc-4314-808e-083e030d6163\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for Custom Role changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that log metric filter and alerts are configured for Custom Role changes. Monitoring role creation, update, or deletion may help to identify over-privileged or misused roles. \",\r\n \"remediationDescription\": \"STEP A - Create a Log metric: Browser to GCP Logs metrics. Click 'Create Metric', switch to the 'Advanced' filter bar, clear the text, and run the following query: resource.type=\\\"iam_role\\\" AND protoPayload.methodName = \\\"google.iam.admin.v1.CreateRole\\\" OR protoPayload.methodName=\\\"google.iam.admin.v1.DeleteRole\\\" OR protoPayload.methodName=\\\"google.iam.admin.v1.UpdateRole\\\". In the 'Metric Editor' menu, provide a name for the field, set 'Units' to 1 and 'Type to 'Counter', then click 'Create Metric'. STEP B - Create Alert on Metrics: To create an alert policy, browse to GCP Logs metrics. Click 'Create alert from Metric', click 'Create alert from Metric', add Alert Triggers, and then click 'Save'. Configure the alert's notification channels, give it a name, and then click 'Save'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c23e0eec-eee4-4632-b1c2-6c884c3c963b\",\r\n \"name\": \"c23e0eec-eee4-4632-b1c2-6c884c3c963b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for VPC Network Firewall rule changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that log metric filter and alerts are configured for Virtual Private Cloud (VPC) Network Firewall rule changes. Firewall create or update rule events indicate network access changes, which may indicate suspicious activity.\",\r\n \"remediationDescription\": \"STEP A - Create a Log metric: Browser to GCP Logs metrics. Click 'Create Metric', switch to the 'Advanced' filter bar, clear the text, and run the following query: resource.type=\\\"gce_firewall_rule\\\" AND jsonPayload.event_subtype=\\\"compute.firewalls.patch\\\" OR jsonPayload.event_subtype=\\\"compute.firewalls.insert\\\". In the 'Metric Editor' menu, fill the name field, set Units to 1, and the Type to Counter. Click on 'Create Metric'. STEP B - Create Alert on Metrics: To create an alert policy, browse to https://console.cloud.google.com/logs/metrics. Click 'Create alert from Metric', click 'Create alert from Metric', add Alert Triggers, and then click 'Save'. Configure the alert's notification channels, give it a name, and then click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7ce5a01f-e94b-438a-8b72-fa02c076f11a\",\r\n \"name\": \"7ce5a01f-e94b-438a-8b72-fa02c076f11a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for VPC network route changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that the log metric filter and alerts are configured for Virtual Private Cloud (VPC) network route changes. Monitoring network route changes to route tables may indicate of a suspicious activity.\",\r\n \"remediationDescription\": \"STEP A - Create a Log metric: Browser to GCP Logs metrics. Click 'Create Metric', switch to the 'Advanced' filter bar, clear the text, and run the following query: resource.type=\\\"gce_route\\\" AND jsonPayload.event_subtype=\\\"compute.routes.delete\\\" OR jsonPayload.event_subtype=\\\"compute.routes.insert\\\". In the 'Metric Editor' menu, fill the name field, set Units to 1, and the Type to Counter. Click on 'Creat Metric'. STEP B - Create Alert on Metrics: To create an alert policy, browse to GCP Logs metrics. Click 'Create alert from Metric', click 'Create alert from Metric', add Alert Triggers, and then click 'Save'. Configure the alert's notification channels, give it a name, and then click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0b86a67f-bde5-4c91-b10c-4102033b8692\",\r\n \"name\": \"0b86a67f-bde5-4c91-b10c-4102033b8692\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for VPC network changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that the log metric filter and alerts are configured for Virtual Private Cloud (VPC) network changes. Monitoring network changes to the VPC is important to make sure it is not compromised.\",\r\n \"remediationDescription\": \"STEP A - Create a Log metric: Browser to GCP Logs metrics. Click 'Create Metric', switch to the 'Advanced' filter bar, clear the text, and run the following query: resource.type=gce_network AND jsonPayload.event_subtype=\\\"compute.networks.insert\\\" OR jsonPayload.event_subtype=\\\"compute.networks.patch\\\" OR jsonPayload.event_subtype=\\\"compute.networks.delete\\\" OR jsonPayload.event_subtype=\\\"compute.networks.removePeering\\\" OR jsonPayload.event_subtype=\\\"compute.networks.addPeering\\\". In the 'Metric Editor' menu, fill the name field, set Units to 1, and the Type to Counter. Click on 'Create Metric'. STEP B - Create Alert on Metrics: To create an alert policy, browse to GCP Logs metrics. Click 'Create alert from Metric', click 'Create alert from Metric', add 'Alert Triggers', and then click 'Save'. Configure the alert's notification channels, give it a name, and then click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/46e4e0ed-106d-405e-b1a9-ca34c8f7d31f\",\r\n \"name\": \"46e4e0ed-106d-405e-b1a9-ca34c8f7d31f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for Cloud Storage IAM permission changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"\\\"Ensure that the log metric filter and alerts are configured for Cloud Storage IAM permission changes. Monitoring changes to a storage bucket permissions can help identify malicious attempts to access a sensitive storage buckets and objects inside buckets.\",\r\n \"remediationDescription\": \"STEP A - Create a Log metric: Browser to GCP Logs metrics. Click 'Create Metric', switch to the 'Advanced' filter bar, clear the text, and run the following query: resource.type=gcs_bucket AND protoPayload.methodName=\\\"storage.setIamPermissions\\\". In the 'Metric Editor' menu, fill the name field, set Units to 1, and the Type to Counter. Click on 'Create Metric'. STEP B - Create Alert on Metrics: To create an alert policy, browse to GCP Logs metrics. Click 'Create alert from Metric', click 'Create alert from Metric', add Alert Triggers, and then click 'Save'. Configure the alert's notification channels, give it a name, and then click 'Save'.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b1294b0d-9b2e-4e1b-9f67-77a75fb10a65\",\r\n \"name\": \"b1294b0d-9b2e-4e1b-9f67-77a75fb10a65\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for SQL instance configuration changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that the log metric filter and alerts are configured for SQL instance configuration changes. Monitoring changes to an SQL instance can help identify malicious attempts to access a sensitive data stored in an SQL instance. \",\r\n \"remediationDescription\": \"STEP A - Create a Log metric: Browser to GCP Logs metrics. Click 'Create Metric', switch to the 'Advanced' filter bar, clear the text, and run the following query: protoPayload.methodName=\\\"cloudsql.instances.update\\\". In the 'Metric Editor' menu, fill the name field, set Units to 1, and the Type to Counter. Click on 'Create Metric'. STEP B - Create Alert on Metrics: To create an alert policy, browse to GCP Logs metrics. Click 'Create alert from Metric', click 'Create alert from Metric', add Alert Triggers, and then click 'Save'. Configure the alert's notification channels, give it a name, and then click 'Save'.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ece6ec5d-a862-4e22-a8db-271661216018\",\r\n \"name\": \"ece6ec5d-a862-4e22-a8db-271661216018\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the default network does not exist in a project\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that projects do not have a default network. A default predefined network generates multiple unsecure firewall rules that are not audit logged, cannot be configured to enable firewall rule logging, and do not allow the use of a Cloud VPN or VPC Network Peering with the default network.\",\r\n \"remediationDescription\": \"Browse to GCP Networks List. Select the 'default' network. On the network detail page, click 'edit', and then click 'Delete VPC network'. If required, you can to create a new network with custom firewall rules to replace the 'default' network.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3af5de46-fda8-4b6e-90f1-6565187d7c48\",\r\n \"name\": \"3af5de46-fda8-4b6e-90f1-6565187d7c48\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure legacy networks do not exist for a project\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that all projects do not have a legacy network. Legacy networks may have an impact for high network traffic projects and pose a single point of contention or failure.\",\r\n \"remediationDescription\": \"Create a non-legacy network and then delete the legacy networks using the following command: 'gcloud compute networks delete my-legacy-network'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e40b679a-f44e-4366-87dd-7693e16a2128\",\r\n \"name\": \"e40b679a-f44e-4366-87dd-7693e16a2128\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that DNSSEC is enabled for Cloud DNS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that Domain Name System Security Extensions (DNSSEC) is enabled for Cloud DNS zones. DNSSEC helps mitigate the risk of a DNS hijacking and man-in-the-middle attacks, by preventing attackers from issuing fake DNS responses that may misdirect browsers to malicious websites.\",\r\n \"remediationDescription\": \"Browse to GCP DNS zones. For each zone of type 'Public', set DNSSEC to 'On'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/049f1551-438b-444e-8904-a3c3afbcb43e\",\r\n \"name\": \"049f1551-438b-444e-8904-a3c3afbcb43e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that RSASHA1 is not used for the key-signing key in Cloud DNS DNSSEC\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that RSA-SHA1 is not used as the key-signing key in Domain Name System Security Extensions (DNSSEC).\",\r\n \"remediationDescription\": \"To change the settings for a managed zone where RSA-SHA1 has been enabled: Turn off DNSSEC, modify they settings, and then turn on DNSSEC again. Finally, update the key-signing for the reported managed DNS Zone.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/cc637123-c11e-40ee-adf8-93c0876481f4\",\r\n \"name\": \"cc637123-c11e-40ee-adf8-93c0876481f4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that RSASHA1 is not used for the zone-signing key in Cloud DNS DNSSEC\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that RSA-SHA1 is not used as the zone-signing key in Domain Name System Security Extensions (DNSSEC).\",\r\n \"remediationDescription\": \"To change the settings for a managed zone where RSA-SHA1 has been enabled: Turn off DNSSEC, modify they settings, and then turn on DNSSEC again. Finally, update the zone-signing for the reported managed DNS Zone.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0327f9da-f758-4d69-8903-55448b8cf70e\",\r\n \"name\": \"0327f9da-f758-4d69-8903-55448b8cf70e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that SSH access is restricted from the internet\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that SSH access is restricted from the internet because it can be used as initial access to the network. Prevent inbound traffic via SSH (port 22) from the internet using the generic IP address (0.0.0.0/0).\",\r\n \"remediationDescription\": \"Browser to GCP Networks List. Select 'Firewall Rules', edit the relevant rule, under 'Source IP ranges' replace the value with a specific IP address, and then click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/684307e9-62a8-4f2a-887a-4b90de5e4b98\",\r\n \"name\": \"684307e9-62a8-4f2a-887a-4b90de5e4b98\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that RDP access is restricted from the Internet\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that RDP access is restricted from the internet, as is may be used for initial access to the network. Prevent inbound traffic via RDP (port 3389) from the internet using the generic IP address (0.0.0.0/0). \",\r\n \"remediationDescription\": \"Browser to GCP Networks List. Select 'Firewall Rules', edit the relevant rule, under 'Source IP ranges' replace the value with a specific IP address, and then click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3d55e4b1-ecdb-4eaf-9e3f-b00a764182bd\",\r\n \"name\": \"3d55e4b1-ecdb-4eaf-9e3f-b00a764182bd\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that all VPC Flow Logs are enabled, for every subnet in a VPC Network.\",\r\n \"remediationDescription\": \"Browse to GCP Networks List. Select the relevant subnet, click 'Edit', set 'Flow Logs' to 'On', and then click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c28a89d9-7cf4-439b-a8c4-ad4e769f68ee\",\r\n \"name\": \"c28a89d9-7cf4-439b-a8c4-ad4e769f68ee\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure no HTTPS or SSL proxy load balancers permit SSL policies with weak cipher suites\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that there are no HTTPS or SSL Proxy Load Balancers that use weak SSL policies with TLS or 1.1.\",\r\n \"remediationDescription\": \"Browser to GCP SSL Policies. Select the relevant policy, click 'Edit', set 'Minimum TLS version' to 'TLS 1.2', set 'Profile' to 'Modern' or 'Restricted', and then click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/233da9cd-11bf-463a-8aa7-4c81b9e788d1\",\r\n \"name\": \"233da9cd-11bf-463a-8aa7-4c81b9e788d1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that instances are not configured to use the default service account with full access to all Cloud APIs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that all instances are not configured to use the default service account with full access to all Google Cloud APIs.\",\r\n \"remediationDescription\": \"Browse to GCP Compute instances. Select the relevant VM instance, stop the instance if it is currently started, and then click 'Edit'. Under 'Service Account', select 'Compute Engine default service account', make sure that 'Allow full access to all Cloud APIs' is not selected, click 'Save' and then 'Start'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1ff4501b-2109-4ef6-ba9d-e824a96d63d0\",\r\n \"name\": \"1ff4501b-2109-4ef6-ba9d-e824a96d63d0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure \\\"Block Project-wide SSH keys\\\" is enabled for VM instances\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that no project-wide SSH keys are used for VM instances, as they enable login to all instances in the project.\",\r\n \"remediationDescription\": \"Browse to GCP Compute instances. Select the impacted instance, click 'Edit', under 'SSH Keys', select 'Block project-wide SSH keys', and then click 'Save'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fa924a53-0837-4296-9bf7-18ce7dd68593\",\r\n \"name\": \"fa924a53-0837-4296-9bf7-18ce7dd68593\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure oslogin is enabled for a Project\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that OS login is enabled for all projects, as this pairs the SSH keys in use with IAM users. \",\r\n \"remediationDescription\": \"Browse to GCP Compute metadata. Click 'Edit', add metadata key for 'enable-oslogin' with value 'TRUE', and then click 'Save'. For every instances that overrides the project setting, browse to GCP Compute instances. Select the relevant instance name, click 'Edit', under 'custom metadata', remove 'enable-oslogin' keys with the value 'FALSE', and then click 'Save'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c4131c22-1ecc-4beb-9961-d90108bd975f\",\r\n \"name\": \"c4131c22-1ecc-4beb-9961-d90108bd975f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure 'Enable connecting to serial ports' is not enabled for VM Instance\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that 'Enable connecting to serial ports' is not enabled for all VM Instance. When the interactive serial console is enabled for an instance, clients can connect to the instance from any IP address using the proper username and SSH key.\",\r\n \"remediationDescription\": \"Browse to GCP Compute instances. Select the relevant instance, under 'Remote access', make sure that 'Enable connecting to serial ports' is not selected.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3b1713ec-feb3-4b32-b5b0-251acff0a84a\",\r\n \"name\": \"3b1713ec-feb3-4b32-b5b0-251acff0a84a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that IP forwarding is not enabled on Instances\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"To prevent data loss, forwarding of data packets should not be enabled on instances.\",\r\n \"remediationDescription\": \"Browse to GCP Compute instances. Select the relevant instance, under 'Network interfaces', make sure that 'IP forwarding' is set to 'Off' for every network interface.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6be98232-0100-474a-b33d-ba9c1a747f70\",\r\n \"name\": \"6be98232-0100-474a-b33d-ba9c1a747f70\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure VM disks for critical VMs are encrypted with Customer-Supplied Encryption Keys (CSEK)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By default, all data at rest is encrypted by Google Compute Engine. Make sure that VM disks are encrypted using Customer-Supplied Encryption Keys (CSEK) enabling you to control and manage the encryption keys yourself.\",\r\n \"remediationDescription\": \"Browse to GCP Compute disks. Select the relevant disk and make sure that the 'Encryption type' is set to 'Customer supplied'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9e1789cd-7b61-42db-ba12-7268283ba466\",\r\n \"name\": \"9e1789cd-7b61-42db-ba12-7268283ba466\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure Compute instances are launched with Shielded VM enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"To protect against advanced threats, a Compute Engine instance using a public image and must be launched with a Shielded VM. It is also important to verify that the boot loader and firmware on the VMs are signed and untampered.\",\r\n \"remediationDescription\": \"Browse to GCP Compute instances. Select the relevant instance, under 'Shielded VM', make sure that 'Turn on vTPM' and 'Turn on Integrity Monitoring' are enabled.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0bdcd23c-4ff2-4077-aa14-eb6950bfbdd8\",\r\n \"name\": \"0bdcd23c-4ff2-4077-aa14-eb6950bfbdd8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Compute instances do not have public IP addresses\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Compute instances must not be configured with public IP addresses.\",\r\n \"remediationDescription\": \"Browse to GCP Firewalls List. Edit each firewall rule in the list, under 'Source IP ranges', modify the IP address values to restrict access from public IP addresses, like 0.0.0.0/0.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/79b4eb34-c06e-49bf-883d-5352a21a962f\",\r\n \"name\": \"79b4eb34-c06e-49bf-883d-5352a21a962f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud Storage bucket is not anonymously or publicly accessible\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that an IAM policy on Cloud Storage buckets does not allow anonymous or public access so sensitive data.\",\r\n \"remediationDescription\": \"To restrict access to Cloud Storage Buckets: Browse to GCP Storage browser. Select the relevant bucket, select 'Permissions', and then under 'Role(s)', remove all Cloud IAM permissions that were granted to 'allUsers' and 'allAuthenticatedUsers'. To restrict access from public addresses: browse to GCP Firewalls List.. Edit each firewall rule in the list, under 'Source IP ranges', modify the IP adress values to restrict access from public IP addresses, like 0.0.0.0/0.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a2bb3a1b-4a09-4cf7-9e79-c438687e2c2f\",\r\n \"name\": \"a2bb3a1b-4a09-4cf7-9e79-c438687e2c2f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud Storage buckets have uniform bucket-level access enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"For simple and unified resource access, ensure that Cloud Storage buckets have uniform bucket-level access enabled.\",\r\n \"remediationDescription\": \"Browse to GCP Storage browser. Edit the relevant bucket, under 'Access Control', select 'Uniform', and then click 'Save'.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a3ebc80a-847b-46d5-a37d-8dca5e6947df\",\r\n \"name\": \"a3ebc80a-847b-46d5-a37d-8dca5e6947df\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the Cloud SQL database instance requires all incoming connections to use SSL\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that the Cloud SQL Database instance requires all incoming connections to always use SSL encryption.\",\r\n \"remediationDescription\": \"Browse to GCP Sql instances, select the relevant instance and under 'Connections', select 'Allow only SSL connections'.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1f386f4e-449e-41e8-b829-a2fe01086ae1\",\r\n \"name\": \"1f386f4e-449e-41e8-b829-a2fe01086ae1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud SQL database instances are not open to the world\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Cloud SQL instances must be configured to only accept connections from trustworthy networks and/or IP addresses and restrict all other access. \",\r\n \"remediationDescription\": \"Browse to GCP Firewalls List. Edit each firewall rule in the list, under 'Source IP ranges', modify the IP address values to restrict access from public IP addresses, like 0.0.0.0/0.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2f6c8a5a-9407-467c-8082-0ad4ab915d77\",\r\n \"name\": \"2f6c8a5a-9407-467c-8082-0ad4ab915d77\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud SQL database instances do not have public IPs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Cloud SQL instances must be configured to use private IP addresses, and not public IP addresses.\",\r\n \"remediationDescription\": \"Browse to GCP Firewalls List. Edit each firewall rule in the list, under 'Source IP ranges', modify the IP address values to restrict access from public IP addresses, like 0.0.0.0/0.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/664c6a0b-5cd2-4140-aaff-a94241c07afd\",\r\n \"name\": \"664c6a0b-5cd2-4140-aaff-a94241c07afd\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud SQL database instances are configured with automated backups\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Cloud SQL database instances must be configured with automated backups.\",\r\n \"remediationDescription\": \"Browse to GCP Sql instances. Select the relevant instance, and under 'Backups', make sure that 'Automated backups' is set to 'Enabled' and that the 'Backup time' is set.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5723400d-5b2a-45f1-99ee-837986866318\",\r\n \"name\": \"5723400d-5b2a-45f1-99ee-837986866318\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that BigQuery datasets are not anonymously or publicly accessible\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"To ensure that sensitive data is not compromised, IAM policies on BigQuery datasets must not allow anonymous or public access.\",\r\n \"remediationDescription\": \"Browse to GCP Firewalls List. Edit each firewall rule in the list, under 'Source IP ranges', modify the IP address values to restrict access from public IP addresses, like 0.0.0.0/0.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/582c14e9-48c1-4b25-ab93-91bdeaf9120c\",\r\n \"name\": \"582c14e9-48c1-4b25-ab93-91bdeaf9120c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Avoid the use of the \\\"root\\\" account\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"The \\\"root\\\" account is the most privileged account and has unrestricted access to all resources in the AWS account. It is highly recommended to avoid use of this account.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1f24d55a-df0f-4772-9090-4629c2d6bfff\",\r\n \"name\": \"1f24d55a-df0f-4772-9090-4629c2d6bfff\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Multi-Factor Authentication (MFA) should be enabled on all accounts that have a console password.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8a10942a-02ca-483f-81ae-2260ea7808cc\",\r\n \"name\": \"8a10942a-02ca-483f-81ae-2260ea7808cc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure credentials unused for 90 days or greater are disabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS resources can be accessed by using different types of credentials by AWS IAm users. Credentials such as passwords or access keys that haven't been used in 90 days or more should be deactivated or removed.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9b8eac17-6b11-4b94-9bb4-18c81aee7123\",\r\n \"name\": \"9b8eac17-6b11-4b94-9bb4-18c81aee7123\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure access keys are rotated every 90 days or less\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Access keys consist of an access key ID and secret access key. they are used to sign programmatic requests made to AWS. Access keys should be regularly rotated to reduce chance of access key used that is associated with a compromised or terminated account and ensure that data can't be accessed with an old key that might have been lost, cracked, or stolen.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/554ba13c-d7d4-4530-88ce-94cf11a670ce\",\r\n \"name\": \"554ba13c-d7d4-4530-88ce-94cf11a670ce\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy requires at least one uppercase letter\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Password policy should require at least one uppercase letter to enforce password complexity requirements . \",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/66a1d478-4d24-42d4-8eca-dcdab6532a18\",\r\n \"name\": \"66a1d478-4d24-42d4-8eca-dcdab6532a18\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy requires at least one lowercase letter\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Password policy should require at least one lowercase letter to enforce password complexity requirements . \",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b396f112-a462-4813-a93f-80bc90041e4d\",\r\n \"name\": \"b396f112-a462-4813-a93f-80bc90041e4d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy requires at least one symbol\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Password policy should require at least one symbol to enforce password complexity requirements . \",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5425052d-cc0d-4424-af71-050311f99634\",\r\n \"name\": \"5425052d-cc0d-4424-af71-050311f99634\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy requires at least one number\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Password policy should require at least one number to enforce password complexity requirements . \",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/09cb7d54-db05-4d31-97f3-9bbfe1dff610\",\r\n \"name\": \"09cb7d54-db05-4d31-97f3-9bbfe1dff610\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy requires minimum password length of 14 or greater\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Password policy should require a length of 14 or greater to enforce password complexity requirements.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/01fb1ad4-303b-4789-abf2-c024c4a76523\",\r\n \"name\": \"01fb1ad4-303b-4789-abf2-c024c4a76523\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy prevents password reuse\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"IAM password policy should prevent the reuse of passwords to prevent reuse of given password by the same user.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0de072b9-6515-4985-842e-0318047bb85b\",\r\n \"name\": \"0de072b9-6515-4985-842e-0318047bb85b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy expires passwords within 90 days or less\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"IAM password policies should require passwords to expire after 90 days or less.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8c3f474a-234e-442f-92b3-2a45e37f7eee\",\r\n \"name\": \"8c3f474a-234e-442f-92b3-2a45e37f7eee\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure no root account access key exists\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"The root account is the most privileged user in an AWS account. AWS Access Keys provide programmatic access to an AWS account. All access keys associated with the root account should be removed.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8e3d9ac0-a248-4276-a437-304c6cd1443b\",\r\n \"name\": \"8e3d9ac0-a248-4276-a437-304c6cd1443b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure MFA is enabled for the \\\"root\\\" account\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"MFA should be enabled for a root account to increase console security. When a user signs in to an AWS website, they will be prompted for their user name, password as well as for an authentication code\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8d7a6128-c8f2-43df-b422-7877346f9ddb\",\r\n \"name\": \"8d7a6128-c8f2-43df-b422-7877346f9ddb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure hardware MFA is enabled for the \\\"root\\\" account\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"MFA should be enabled for a root account to increase console security. When a user signs in to an AWS website, they will be prompted for their user name, password as well as for an authentication code. The account should be protected with a hardware MFA\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c55461af-4923-4fbb-b270-40d5e5f4c0ff\",\r\n \"name\": \"c55461af-4923-4fbb-b270-40d5e5f4c0ff\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM policies are attached only to groups or roles\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By default, IAM users, groups, and roles don't have access to AWS resources. IAM policies are used to grant privileges to users, groups, or roles. IAM policies should be applied directly to groups and roles but not users\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bbdc4999-1462-4d46-853b-2f8c6ca1c682\",\r\n \"name\": \"bbdc4999-1462-4d46-853b-2f8c6ca1c682\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a support role has been created to manage incidents with AWS Support\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS provides a support center that can be used for incident notification and response, as well as technical support and customer services. IAM Role should be created to allow authorized users to manage incidents with AWS Support.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9e1f12d0-cb3d-4e1c-a468-6bc3d934c99d\",\r\n \"name\": \"9e1f12d0-cb3d-4e1c-a468-6bc3d934c99d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM policies that allow full \\\"*:*\\\" administrative privileges are not created\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"IAM policies are the way in which privileges are granted to users, groups, or roles. Granting only the permissions needed to perform a task should be done instead of allowing full administrative privileges.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/22438e3c-73c8-40af-a083-10c980c63aa2\",\r\n \"name\": \"22438e3c-73c8-40af-a083-10c980c63aa2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure CloudTrail is enabled in all regions\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. CloudTrail should be enabled to allow security analysis, resource change tracking, and compliance auditing.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fd5d38f6-340e-4bd2-88f2-e1314c3c07a9\",\r\n \"name\": \"fd5d38f6-340e-4bd2-88f2-e1314c3c07a9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure CloudTrail log file validation is enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"A digitally signed digest file is created by CloudTrail log file validation, containing a hash of each log that CloudTrail writes to S3. These digest files can be used to determine whether a log file was changed, deleted, or unchanged after CloudTrail delivered the log. \",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0384d5b7-5def-4130-b7b5-db7da7e63276\",\r\n \"name\": \"0384d5b7-5def-4130-b7b5-db7da7e63276\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure the S3 bucket CloudTrail logs to is not publicly accessible\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Enabling public access to CloudTrail log content could assist an adversary in identifying weaknesses in the affected account's use or configuration.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5720f1a6-6061-4768-9c0d-2000a6041744\",\r\n \"name\": \"5720f1a6-6061-4768-9c0d-2000a6041744\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure CloudTrail trails are integrated with Amazon CloudWatch Logs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS CloudTrail is a web service that records AWS API calls made in a given AWS account. In addition to capturing CloudTrail logs within a specified S3 bucket for long term analysis, sending these logs to CloudWatch should be done to enable realtime analysis. \",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/dbfc99e3-e648-4c3b-bd32-995e6268430d\",\r\n \"name\": \"dbfc99e3-e648-4c3b-bd32-995e6268430d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure AWS Config is enabled in all regions\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS Config is a web service that performs configuration management of supported AWS resources within your account and delivers log files to you that can be used for security analysis, resource change tracking, and compliance auditing and should be enabled across all regions.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/30c69b23-a9a2-4729-aca6-f21adacfff66\",\r\n \"name\": \"30c69b23-a9a2-4729-aca6-f21adacfff66\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"S3 Bucket Access Logging generates a log that contains access records for each request made to your S3 bucket and could be used for security analysis, resource change tracking, and compliance auditing.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c01fab9f-bde1-4ba5-9d35-7de51f31c2d3\",\r\n \"name\": \"c01fab9f-bde1-4ba5-9d35-7de51f31c2d3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure CloudTrail logs are encrypted at rest using AWS KMS CMKs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"CloudTrail logs should be configured to leverage server side encryption (SSE) and KMS customer created master keys (CMK) to further protect CloudTrail logs.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/23b514bd-2afc-4a3e-8d3d-f4327118eee9\",\r\n \"name\": \"23b514bd-2afc-4a3e-8d3d-f4327118eee9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure rotation for customer created CMKs is enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS Key Management Service (KMS) enables customers to rotate the backing key, a key material stored within the KMS which is tied to the key ID of the Customer Created customer master key (CMK). The backing key is used to perform cryptographic operations such as encryption and decryption.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a9ac48d8-8dd7-42b9-9752-b1fa70ea5dd9\",\r\n \"name\": \"a9ac48d8-8dd7-42b9-9752-b1fa70ea5dd9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure VPC flow logging is enabled in all VPCs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"VPC Flow Logs enables you to gather information about the IP traffic going to and from network interfaces in your VPC. After a flow log has been created, you can view and retrieve its data in Amazon CloudWatch Logs. VPC Flow Logs should be enabled for packet \\\"Rejects\\\" for VPCs.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/00261067-76a8-4ebb-b5fc-becc81067bee\",\r\n \"name\": \"00261067-76a8-4ebb-b5fc-becc81067bee\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for unauthorized API calls\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By directing CloudTrail Logs to CloudWatch Logs real-time monitoring of API calls can be achieved. Metric filter and alarm should be established for unauthorized API calls.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/83ca4867-58c1-45d6-b6b6-dbf226512891\",\r\n \"name\": \"83ca4867-58c1-45d6-b6b6-dbf226512891\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for AWS Management Console sign-in without MFA\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By directing CloudTrail Logs to CloudWatch Logs real-time monitoring of API calls can be achieved. Metric filter and alarm should be established for console logins that are not protected by multi-factor authentication (MFA).\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a269cbdb-86e8-431c-9ff2-f0ea491174d8\",\r\n \"name\": \"a269cbdb-86e8-431c-9ff2-f0ea491174d8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for usage of \\\"root\\\" account\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By directing CloudTrail Logs to CloudWatch Logs real-time monitoring of API calls can be achieved. Metric filter and alarm should be established for root account login attempts.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5ea59e47-093b-446f-9765-5b0ec4c9da61\",\r\n \"name\": \"5ea59e47-093b-446f-9765-5b0ec4c9da61\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for IAM policy changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By directing CloudTrail Logs to CloudWatch Logs real-time monitoring of API calls can be achieved. Metric filter and alarm should be established for changes made to Identity and Access Management (IAM) policies\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/011397ca-1366-4bcc-b85a-7a5e3df2e80b\",\r\n \"name\": \"011397ca-1366-4bcc-b85a-7a5e3df2e80b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for CloudTrail configuration changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By directing CloudTrail Logs to CloudWatch Logs real-time monitoring of API calls can be achieved. Metric filter and alarm should be established for changes made to CloudTrail's configurations\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c62371bc-f6a7-4915-b5b5-14288682cf79\",\r\n \"name\": \"c62371bc-f6a7-4915-b5b5-14288682cf79\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for AWS Management Console authentication failures\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By directing CloudTrail Logs to CloudWatch Logs real-time monitoring of API calls can be achieved. Metric filter and alarm should be established for failed console authentication attempts.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/293ba336-7312-42fc-a59d-836e4e678b17\",\r\n \"name\": \"293ba336-7312-42fc-a59d-836e4e678b17\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By directing CloudTrail Logs to CloudWatch Logs real-time monitoring of API calls can be achieved. Metric filter and alarm should be established for customer created CMKs which have changed state to disabled or scheduled deletion.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0b547a38-2c0d-47e1-b9a2-a59fccc140db\",\r\n \"name\": \"0b547a38-2c0d-47e1-b9a2-a59fccc140db\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for S3 bucket policy changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By directing CloudTrail Logs to CloudWatch Logs real-time monitoring of API calls can be achieved. Metric filter and alarm should be established for changes to S3 bucket policies.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7d0ad86f-f43b-4889-b2f7-09d91bd1407b\",\r\n \"name\": \"7d0ad86f-f43b-4889-b2f7-09d91bd1407b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for AWS Config configuration changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By directing CloudTrail Logs to CloudWatch Logs real-time monitoring of API calls can be achieved. Metric filter and alarm should be established for changes to AWS Config configuration settings\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b20558b6-de31-480c-8aa0-e920d62b9764\",\r\n \"name\": \"b20558b6-de31-480c-8aa0-e920d62b9764\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for security group changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By directing CloudTrail Logs to CloudWatch Logs real-time monitoring of API calls can be achieved. Metric filter and alarm should be established for changes to Security Groups.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/022efc2d-5119-480b-a203-e151b6b2645c\",\r\n \"name\": \"022efc2d-5119-480b-a203-e151b6b2645c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By directing CloudTrail Logs to CloudWatch Logs real-time monitoring of API calls can be achieved. Metric filter and alarm should be established for changes made to NACLs\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3ee7608e-f0e7-4c26-8921-5ae46c4e99df\",\r\n \"name\": \"3ee7608e-f0e7-4c26-8921-5ae46c4e99df\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for changes to network gateways\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By directing CloudTrail Logs to CloudWatch Logs real-time monitoring of API calls can be achieved. Metric filter and alarm should be established for changes to network gateways.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/33765629-073d-49eb-bab4-64bdf8ac90da\",\r\n \"name\": \"33765629-073d-49eb-bab4-64bdf8ac90da\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for route table changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By directing CloudTrail Logs to CloudWatch Logs real-time monitoring of API calls can be achieved. Metric filter and alarm should be established for changes to route tables.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9c054f50-823f-45ab-839e-9df4eb7c2f11\",\r\n \"name\": \"9c054f50-823f-45ab-839e-9df4eb7c2f11\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for VPC changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By directing CloudTrail Logs to CloudWatch Logs real-time monitoring of API calls can be achieved. Metric filter and alarm should be established for changes made to VPCs.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b3473ed6-78c0-40d5-b5f0-674e98924952\",\r\n \"name\": \"b3473ed6-78c0-40d5-b5f0-674e98924952\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure no security groups allow ingress from 0.0.0.0/0 to port 22\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. Restricting connectivity to remote console services, such as SSH, could help reduce a server's exposure to risk.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9dd55566-33b9-4c07-a959-14794ce02355\",\r\n \"name\": \"9dd55566-33b9-4c07-a959-14794ce02355\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. Restricting connectivity to remote console services, such as RDP, could help reduce a server's exposure to risk.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ad0b04b9-eaf9-49f8-b85e-724f9520e760\",\r\n \"name\": \"ad0b04b9-eaf9-49f8-b85e-724f9520e760\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure the default security group of every VPC restricts all traffic\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"When an instance is launched and no security group is specified, the instance is automatically assign to a default security group. A default security group should restrict all traffic\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"name\": \"eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Subnets should be associated with a network security group\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e71308d3-144b-4262-b144-efdc3cc90517\",\r\n \"description\": \"Protect your subnet from potential threats by restricting access to it with a network security group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. When an NSG is associated with a subnet, the ACL rules apply to all the VM instances and integrated services in that subnet, but don't apply to internal traffic inside the subnet. To secure resources in the same subnet from one another, enable NSG directly on the resources as well.\",\r\n \"remediationDescription\": \"To enable Network Security Groups on your subnets:
1. Select a subnet to enable NSG on.
2. Click the 'Network security group' section.
3. Follow the steps and select an existing network security group to attach to this specific subnet.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"name\": \"e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure DDoS Protection Standard should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd\",\r\n \"description\": \"Security Center has discovered virtual networks with Application Gateway resources unprotected by the DDoS protection service. These resources contain public IPs. Enable mitigation of network volumetric and protocol attacks.\",\r\n \"remediationDescription\": \"
1. Select a virtual network to enable the DDoS protection service standard on.
2. Select the Standard option.
3. Click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"ThreatResistance\",\r\n \"DenialOfService\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/35f45c95-27cf-4e52-891f-8390d1de5828\",\r\n \"name\": \"35f45c95-27cf-4e52-891f-8390d1de5828\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Adaptive application controls for defining safe applications should be enabled on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc\",\r\n \"description\": \"Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.\",\r\n \"remediationDescription\": \"To enable and configure adaptive application controls:
1. From the portal, open Security Center.
2. Select \\\"Adaptive application controls\\\" from Security Center's sidebar.
3. To see the groups of machines that Security Center recommends protecting with adaptive application controls, select the \\\"Recommended\\\" tab and choose a group of machines to protect.
4. Create a new applications control policy according to the instructions in Security Center's documentation: https://aka.ms/aac-newpolicy\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\",\r\n \"ThreatResistance\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1234abcd-1b53-4fd4-9835-2c2fa3935313\",\r\n \"name\": \"1234abcd-1b53-4fd4-9835-2c2fa3935313\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Allowlist rules in your adaptive application control policy should be updated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/123a3936-f020-408a-ba0c-47873faf1534\",\r\n \"description\": \"Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.\",\r\n \"remediationDescription\": \"To update your list of known-safe applications:
1. From the portal, open Security Center.
2. Select \\\"Adaptive application controls\\\" from Security Center's sidebar.
3. To see the groups of machines for which Security Center recommends updating the policy, select the \\\"Recommended\\\" tab and choose the configured group of machines.
4. The current policy will be displayed together with the new rules that Security Center recommends adding.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\",\r\n \"ThreatResistance\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f9f0eed0-f143-47bf-b856-671ea2eeed62\",\r\n \"name\": \"f9f0eed0-f143-47bf-b856-671ea2eeed62\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Adaptive network hardening recommendations should be applied on internet facing virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6\",\r\n \"description\": \"Azure Security Center has analyzed the internet traffic communication patterns of the virtual machines listed below, and determined that the existing rules in the NSGs associated to them are overly permissive, resulting in an increased potential attack surface.
This typically occurs when this IP address doesn't communicate regularly with this resource. Alternatively, the IP address has been flagged as malicious by Security Center's threat intelligence sources. learn more\",\r\n \"remediationDescription\": \"To harden the Network Security Group traffic rules, enforce the recommended rules by following the steps below or manually edit the rules directly on the Network Security Group:
- Select a VM from the list below, or click \\\"Take action\\\" if you've arrived from a specific VM's recommendation blade.
- Click the \\\"Rules\\\" tab.
- If you want to modify a recommended rule's parameters:
- In the rule that you want to change, select the three dots and select \\\"Edit rule\\\". The \\\"Edit rule\\\" blade opens.
- Modify the parameters that you want to change and click \\\"Save\\\". The blade closes.
- If you want to create a new rule:
- Click \\\"Add rule\\\" (in the top left corner). The \\\"Edit rule\\\" blade opens.
- Fill in the parameters and click \\\"Add rule\\\". The blade closes and the new rule is listed in the Rules tab.
- Select the rules that you want to apply (including any rules that you edited or added) and click \\\"Enforce\\\".
\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/805651bc-6ecd-4c73-9b55-97a19d0582d0\",\r\n \"name\": \"805651bc-6ecd-4c73-9b55-97a19d0582d0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Management ports of virtual machines should be protected with just-in-time network access control\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c\",\r\n \"description\": \"Azure Security Center has identified some overly-permissive inbound rules for management ports in your Network Security Group. Enable just-in-time access control to protect your VM from internet-based brute-force attacks. Learn more.\",\r\n \"remediationDescription\": \"To enable just-in-time VM access:
- Select one or more VMs from the list below and click \\\"Remediate\\\", or click \\\"Take action\\\" if you've arrived from a recommendation for a specific VM.
- On the \\\"JIT VM access configuration\\\" page, define the ports for which the just-in-time VM access will be applicable.
- To add additional ports, click the \\\"Add\\\" button on the top left, or click an existing port and edit it.
- On the \\\"Add port configuration\\\" blade, enter the required parameters.
- Click \\\"Save\\\".
\",\r\n \"categories\": [\r\n \"Compute\",\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/01b1ed4c-b733-4fee-b145-f23236e70cf3\",\r\n \"name\": \"01b1ed4c-b733-4fee-b145-f23236e70cf3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerability assessment solution should be installed on your virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/760a85ff-6162-42b3-8d70-698e268f648c\",\r\n \"description\": \"Install a vulnerability assessment solution on your virtual machines\",\r\n \"remediationDescription\": \"N/A\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/71992a2a-d168-42e0-b10e-6b45fa2ecddb\",\r\n \"name\": \"71992a2a-d168-42e0-b10e-6b45fa2ecddb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities should be remediated by a Vulnerability Assessment solution\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/760a85ff-6162-42b3-8d70-698e268f648c\",\r\n \"description\": \"Virtual machines for which a vulnerability assessment 3rd party solution is deployed are being continuously assessed against application and OS vulnerabilities. Whenever such vulnerabilities are found, these are available for more information as part of the recommendation.\",\r\n \"remediationDescription\": \"N/A\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\",\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bc303248-3d14-44c2-96a0-55f5c326b5fe\",\r\n \"name\": \"bc303248-3d14-44c2-96a0-55f5c326b5fe\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Management ports should be closed on your virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/22730e10-96f6-4aac-ad84-9383d35b5917\",\r\n \"description\": \"Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.\",\r\n \"remediationDescription\": \"We recommend that you edit the inbound rules of some of your virtual machines, to restrict access to specific source ranges.
To restrict access to your virtual machines:
1. Select a VM to restrict access to.
2. In the 'Networking' blade, click on each of the rules that allow management ports (e.g. RDP-3389, WINRM-5985, SSH-22).
3. Either change the 'Action' property to 'Deny', or, improve the rule by applying a less permissive range of source IP ranges.
4. Click 'Save'.
Use Azure Security Center's Just-in-time (JIT) virtual machine (VM) access to lock down inbound traffic to your Azure VMs by demand. Click here to learn more.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ThreatResistance\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c3b51c94-588b-426b-a892-24696f9e54cc\",\r\n \"name\": \"c3b51c94-588b-426b-a892-24696f9e54cc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IP forwarding on your virtual machine should be disabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744\",\r\n \"description\": \"Azure Security Center has discovered that IP forwarding is enabled on some of your virtual machines. Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.\",\r\n \"remediationDescription\": \"We recommend you edit the IP configurations of the NICs belonging to some of your virtual machines.
To disable IP forwarding:
1. Select a VM from the list below, or click 'Take action' if you've arrived from a specific VM's recommendation blade.
2. In the 'Networking' blade, click on the NIC link ('Network Interface' in the top left).
3. In the 'IP configurations' blade, set the 'IP forwarding' field to 'Disabled'.
4. Click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3b20e985-f71f-483b-b078-f30d73936d43\",\r\n \"name\": \"3b20e985-f71f-483b-b078-f30d73936d43\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"All network ports should be restricted on network security groups associated to your virtual machine\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9daedab3-fb2d-461e-b861-71790eead4f6\",\r\n \"description\": \"Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.\",\r\n \"remediationDescription\": \"We recommend that you edit the inbound rules of some of your virtual machines, to restrict access to specific source ranges.
To restrict access to your virtual machines:
1. Select a VM to restrict access to.
2. In the 'Networking' blade, click the Network Security Group with overly permissive rules.
3. In the 'Network security group' blade, click on each of the rules that are overly permissive.
4. Improve the rule by applying less permissive source IP ranges.
5. Apply the suggested changes and click 'Save'.
If some or all of these virtual machines do not need to be accessed directly from the Internet, then you can also consider removing the public IP associated to them.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/483f12ed-ae23-447e-a2de-a67a10db4353\",\r\n \"name\": \"483f12ed-ae23-447e-a2de-a67a10db4353\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Internet-facing virtual machines should be protected with network security groups\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c\",\r\n \"description\": \"Protect your VM from potential threats by restricting access to it with a network security group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your VM from other instances, in or outside the same subnet.
Please note that to keep your machine as secured as possible, both the VM access to the Internet must be restricted, and an NSG should be enabled on the subnet.
VMs with 'High' severity are Internet-facing VMs.\",\r\n \"remediationDescription\": \"To protect a virtual machine with a Network Security Group:
1. Select a VM from the list below, or click \\\"Take action\\\" if you've arrived from a recommendation for a specific VM.
2. Assign the relevant NSG to the NIC or subnet for the VM you're protecting:
a. To assign the NSG to the VM's subnet (recommended):
i. In the Networking page, select the 'Virtual network/subnet'.
ii. Open the \\\"Subnets\\\" menu.
iii. Select the subnet where your VM is deployed.
iv. Select the Network Security Group to assign to the subnet and click \\\"Save\\\".
b. To assign the NSG to the NIC:
i. In the Networking page, select the network interface that's associated with the selected VM.
ii. In the Network interfaces page, select the 'Network security group' menu item.
iii. Click 'Edit' at the top of the page.
iv. Follow the on-screen instructions and select the Network Security Group to assign to this NIC.
Click here to learn more.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a9341235-9389-42f0-a0bf-9bfb57960d44\",\r\n \"name\": \"a9341235-9389-42f0-a0bf-9bfb57960d44\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Non-internet-facing virtual machines should be protected with network security groups\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6\",\r\n \"description\": \"Protect your non-internet-facing virtual machine from potential threats by restricting access to it with a network security group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your VM from other instances, whether or not they're on the same subnet.
Note that to keep your machine as secure as possible, the VM's access to the internet must be restricted and an NSG should be enabled on the subnet.\",\r\n \"remediationDescription\": \"To protect a virtual machine with a network security group:
1. Select a VM from the list below, or click \\\"Take action\\\" if you've arrived from a recommendation for a specific VM.
2. Assign the relevant NSG to the NIC or subnet for the VM you're protecting:
a. To assign the NSG to the VM's subnet (recommended):
i. In the Networking page, select the 'Virtual network/subnet'.
ii. Open the \\\"Subnets\\\" menu.
iii. Select the subnet where your VM is deployed.
iv. Select the network security group to assign to the subnet and select \\\"Save\\\".
b. To assign the NSG to the NIC:
i. In the Networking page, select the network interface that's associated with the selected VM.
ii. In the Network interfaces page, select the 'Network security group' menu item.
iii. Select 'Edit' at the top of the page.
iv. Follow the on-screen instructions and select the network security group to assign to this NIC.
Learn more.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/550e890b-e652-4d22-8274-60b3bdb24c63\",\r\n \"name\": \"550e890b-e652-4d22-8274-60b3bdb24c63\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Enable the built-in vulnerability assessment solution on virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9\",\r\n \"description\": \"Install the Qualys extension (built-in to the Azure Security Center standard tier) to enable the industry-leading vulnerability assessment solution on your virtual machines.\",\r\n \"remediationDescription\": \"To remediate with a single click, in the Unhealthy resources tab (below), select the resources, and click 'Remediate'. Read the remediation details in the confirmation box, insert the relevant parameters if required and approve the remediation. Note: It can take several minutes after remediation completes to see the resources in the ‘healthy resources’\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ffff0522-1e88-47fc-8382-2a80ba848f5d\",\r\n \"name\": \"ffff0522-1e88-47fc-8382-2a80ba848f5d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"A vulnerability assessment solution should be enabled on your virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9\",\r\n \"description\": \"Install the extension to enable a vulnerability assessment solution on your virtual machines.\",\r\n \"remediationDescription\": \"To remediate with a single click, in the Unhealthy resources tab (below), select the resources, and click 'Remediate'. Read the remediation details in the confirmation box, insert the relevant parameters if required and approve the remediation. Note: It can take several hours after remediation completes to see the resources in the ‘healthy resources’\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/57f36d21-69e3-4b0f-a66c-18629d1b736d\",\r\n \"name\": \"57f36d21-69e3-4b0f-a66c-18629d1b736d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Adaptive Network Hardening recommendations should be applied on internal facing virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Azure Security Center has analyzed the Internet traffic communication patterns of the virtual machines listed below, and determined that the existing rules in the NSGs associated to them are overly permissive, resulting in an increased potential attack surface. This could be due lack of traffic on the port/protocol tuples or specific IPs which have been flagged as malicious by Security Center's threat intelligence sources.\",\r\n \"remediationDescription\": \"Security Center recommends that you modify the rules of your virtual machines, to close ports which are not in use.
To close unused ports on your Virtual Machine with a Network Security Group
1. Select a Virtual Machine to display a list of its unused open ports
2. Open the Virtual Machine's Networking blade by clicking its name
3. Edit the Virtual Machine's inbound/outbound rules to block ports according to the list
4. Click Save\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/24d8af06-d441-40b4-a49c-311421aa9f58\",\r\n \"name\": \"24d8af06-d441-40b4-a49c-311421aa9f58\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Network traffic data collection agent should be installed on Windows virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2f2ee1de-44aa-4762-b6bd-0893fc3f306d\",\r\n \"description\": \"Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats.\",\r\n \"remediationDescription\": \"Installation of the dependency agent and enabling data collection in Security Center can be done in several ways:
- Using Security Center automatic provisioning on your subscription(s).
- This will automatically provision the Microsoft Monitoring Dependency Agent on current and future-created virtual machines on your subscription(s). Learn more
- You can also enable it for specific subscriptions and customize additional settings by clicking on the 'Pricing & settings' menu item
- click on a subscription and enable auto provisioning in the 'data collection' menu item.
- Install the Microsoft Monitoring Dependency agent on your Virtual machines as a VM extension or directly, by following these instructions:
- Provision the Microsoft Monitoring Dependency agent with Azure Policies. The applicable policy definitions are:
- '[Preview]: Deploy Microsoft Monitoring Dependency Agent for Windows VMs.'
\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8c3e93d3-0276-4d06-b20a-9a9f3012742c\",\r\n \"name\": \"8c3e93d3-0276-4d06-b20a-9a9f3012742c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Network traffic data collection agent should be installed on Linux virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/04c4380f-3fae-46e8-96c9-30193528f602\",\r\n \"description\": \"Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats.\",\r\n \"remediationDescription\": \"Installation of the dependency agent and enabling data collection in Security Center can be done in several ways:
- Using Security Center automatic provisioning on your subscription(s).
- This will automatically provision the Microsoft Monitoring Dependency Agent on current and future-created virtual machines on your subscription(s). Learn more
- You can also enable it for specific subscriptions and customize additional settings by clicking on the 'Pricing & settings' menu item
- click on a subscription and enable auto provisioning in the 'data collection' menu item.
- Install the Microsoft Monitoring Dependency agent on your Virtual machines as a VM extension or directly, by following these instructions:
- Provision the Microsoft Monitoring Dependency agent with Azure Policies. The applicable policy definitions are:
- '[Preview]: Deploy Microsoft Monitoring Dependency Agent for Linux VMs.'
\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f67fb4ed-d481-44d7-91e5-efadf504f74a\",\r\n \"name\": \"f67fb4ed-d481-44d7-91e5-efadf504f74a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Virtual networks should be protected by Azure Firewall\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fc5e4038-4584-4632-8c85-c0448d374b2c\",\r\n \"description\": \"Some of your virtual networks aren't protected with a firewall. Use Azure Firewall to restricting access to your virtual networks and prevent potential threats. To learn more about Azure Firewall,
Click here\",\r\n \"remediationDescription\": \"To protect your virtual networks with Azure Firewall:
1. From the list below, select a network. Or select Take action if you've arrived here from a specific virtual network page.
2. Follow the Azure Firewall deployment instructions. Make sure to configure all default routes properly.
Important: Azure Firewall is billed separately from Azure Security Center. Learn more about Azure Firewall pricing.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b1af52e4-e968-4e2b-b6d0-6736c9651f0a\",\r\n \"name\": \"b1af52e4-e968-4e2b-b6d0-6736c9651f0a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Defender for Key Vault should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/0e6763cc-5078-4e64-889d-ff4d9a839047\",\r\n \"description\": \"Azure Security Center includes Azure Defender for Key Vault, providing an additional layer of security intelligence.
Azure Defender for Key Vault detects unusual and potentially harmful attempts to access or exploit Key Vault accounts.
Important: Remediating this recommendation will result in charges for protecting your key vaults. If you don't have any key vaults in this subscription, no charges will be incurred.
If you create any key vaults on this subscription in the future, they will automatically be protected and charges will begin at that time.
Learn more about Azure Defender for Key Vault.\",\r\n \"remediationDescription\": \"To enable Azure Defender on all Azure Key Vault vaults in a subscription:
1. Open Security Center's Pricing & settings page.
2. Select the subscription on which you want to enable Azure Defender.
3. Under \\\"Select Azure Defender plan by resource type\\\", set \\\"Key Vault\\\" to \\\"On\\\".\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/58d72d9d-0310-4792-9a3b-6dd111093cdb\",\r\n \"name\": \"58d72d9d-0310-4792-9a3b-6dd111093cdb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Defender for Azure SQL Database servers should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/7fe3b40f-802b-4cdd-8bd4-fd799c948cc2\",\r\n \"description\": \"Azure Defender for SQL is a unified package that provides advanced SQL security capabilities.
It includes functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate a threat to your database, and discovering and classifying sensitive data.
Important: Remediating this recommendation will result in charges for protecting your Azure SQL Database servers. If you don't have any Azure SQL Database servers in this subscription, no charges will be incurred.
If you create any Azure SQL Database servers on this subscription in the future, they will automatically be protected and charges will begin at that time.
Learn more about Azure Defender for Azure SQL Database servers.\",\r\n \"remediationDescription\": \"To enable Azure Defender on all Azure SQL Database servers in a subscription:
1. Open Security Center's Pricing & settings page.
2. Select the subscription on which you want to enable Azure Defender.
3. Under \\\"Select Azure Defender plan by resource type\\\", set \\\"Azure SQL Database servers\\\" to \\\"On\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6ac66a74-761f-4a59-928a-d373eea3f028\",\r\n \"name\": \"6ac66a74-761f-4a59-928a-d373eea3f028\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Defender for SQL servers on machines should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/6581d072-105e-4418-827f-bd446d56421b\",\r\n \"description\": \"Azure Defender for SQL is a unified package that provides advanced SQL security capabilities.
It includes functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate a threat to your database, and discovering and classifying sensitive data.
Important: Remediating this recommendation will result in charges for protecting your SQL servers on machines. If you don't have any SQL servers on machines in this subscription, no charges will be incurred.
If you create any SQL servers on machines on this subscription in the future, they will automatically be protected and charges will begin at that time.
Learn more about Azure Defender for SQL servers on machines.\",\r\n \"remediationDescription\": \"To enable Azure Defender on all SQL servers on machines in a subscription:
1. Open Security Center's Pricing & settings page.
2. Select the subscription on which you want to enable Azure Defender.
3. Under \\\"Select Azure Defender plan by resource type\\\", set \\\"SQL servers on machines\\\" to \\\"On\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1be22853-8ed1-4005-9907-ddad64cb1417\",\r\n \"name\": \"1be22853-8ed1-4005-9907-ddad64cb1417\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Defender for Storage should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/308fbb08-4ab8-4e67-9b29-592e93fb94fa\",\r\n \"description\": \"Azure Defender for storage detects unusual and potentially harmful attempts to access or exploit storage accounts.
Important: Remediating this recommendation will result in charges for protecting your Azure Storage accounts. If you don't have any Azure Storage accounts in this subscription, no charges will be incurred.
If you create any Azure Storage accounts on this subscription in the future, they will automatically be protected and charges will begin at that time.
Learn more about Azure Defender for Storage\",\r\n \"remediationDescription\": \"To enable Azure Defender on all Azure Storage accounts in a subscription:
1. Open Security Center's Pricing & settings page.
2. Select the subscription on which you want to enable Azure Defender.
3. Under \\\"Select pricing tier by resource type\\\", set \\\"Storage\\\" to \\\"Enabled\\\"\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0876ef51-fee7-449d-ba1e-f2662c7e43c6\",\r\n \"name\": \"0876ef51-fee7-449d-ba1e-f2662c7e43c6\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Defender for App Service should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/2913021d-f2fd-4f3d-b958-22354e2bdbcb\",\r\n \"description\": \"Azure Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks.
Azure Defender for App Service can discover attacks on your applications and identify emerging attacks.
Important: Remediating this recommendation will result in charges for protecting your App Service plans. If you don't have any App Service plans in this subscription, no charges will be incurred.
If you create any App Service plans on this subscription in the future, they will automatically be protected and charges will begin at that time.
Learn more about Azure Defender for App Service.\",\r\n \"remediationDescription\": \"To enable Azure Defender on all App Service plans in a subscription:
1. Open Security Center's Pricing & settings page.
2. Select the subscription on which you want to enable Azure Defender.
3. Under \\\"Select Azure Defender plan by resource type\\\", set \\\"App Service\\\" to \\\"On\\\".\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/53572822-d3fc-4363-bfb9-248645841612\",\r\n \"name\": \"53572822-d3fc-4363-bfb9-248645841612\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Defender for container registries should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/c25d9a16-bc35-4e15-a7e5-9db606bf9ed4\",\r\n \"description\": \"To build secure containerized workloads, ensure the images that they're based on are free of known vulnerabilities.
Azure Defender for container registries scans your registry for security vulnerabilities on each pushed container image and exposes detailed findings per image.
To improve your containers' security posture and protect them from attacks, enable Azure Defender for container registries.
Important: Remediating this recommendation will result in charges for protecting your container registries. If you don't have any container registries in this subscription, no charges will be incurred.
If you create any container registries on this subscription in the future, they will automatically be protected and charges will begin at that time.
Learn more about Azure Defender for container registries.\",\r\n \"remediationDescription\": \"To enable Azure Defender on all container registries in a subscription:
1. Open Security Center's Pricing & settings page.
2. Select the subscription on which you want to enable Azure Defender.
3. Under \\\"Select Azure Defender plan by resource type\\\", set \\\"Container Registries\\\" to \\\"On\\\".\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/86ea1a79-29d3-4eac-a9f4-3541ace4e718\",\r\n \"name\": \"86ea1a79-29d3-4eac-a9f4-3541ace4e718\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Defender for Kubernetes should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/523b5cd1-3e23-492f-a539-13118b6d1e3a\",\r\n \"description\": \"Azure Defender for Kubernetes provides real-time threat protection for your containerized environments and generates alerts for suspicious activities.
You can use this information to quickly remediate security issues and improve the security of your containers.
Important: Remediating this recommendation will result in charges for protecting your Kubernetes clusters. If you don't have any Kubernetes clusters in this subscription, no charges will be incurred.
If you create any Kubernetes clusters on this subscription in the future, they will automatically be protected and charges will begin at that time.
Learn more about Azure Defender for Kubernetes.\",\r\n \"remediationDescription\": \"To enable Azure Defender on all Kubernetes clusters in a subscription:
1. Open Security Center's Pricing & settings page.
2. Select the subscription on which you want to enable Azure Defender.
3. Under \\\"Select Azure Defender plan by resource type\\\", set \\\"Kubernetes\\\" to \\\"On\\\".\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"MaliciousInsider\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\",\r\n \"DenialOfService\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/56a6e81f-7413-4f72-9a1b-aaeeaa87c872\",\r\n \"name\": \"56a6e81f-7413-4f72-9a1b-aaeeaa87c872\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Defender for servers should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/4da35fc9-c9e7-4960-aec9-797fe7d9051d\",\r\n \"description\": \"Azure Defender for servers provides real-time threat protection for your server workloads and generates hardening recommendations as well as alerts about suspicious activities.
You can use this information to quickly remediate security issues and improve the security of your servers.
Important: Remediating this recommendation will result in charges for protecting your servers. If you don't have any servers in this subscription, no charges will be incurred.
If you create any servers on this subscription in the future, they will automatically be protected and charges will begin at that time.
Learn more about Azure Defender for servers.\",\r\n \"remediationDescription\": \"To enable Azure Defender on all servers in a subscription:
1. Open Security Center's Pricing & settings page.
2. Select the subscription on which you want to enable Azure Defender.
3. Under \\\"Select Azure Defender plan by resource type\\\", set \\\"Servers\\\" to \\\"On\\\".\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b0df6f56-862d-4730-8597-38c0fd4ebd59\",\r\n \"name\": \"b0df6f56-862d-4730-8597-38c0fd4ebd59\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Sensitive data in your SQL databases should be classified\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/cc9835f2-9f6b-4cc8-ab4a-f8ef615eb349\",\r\n \"description\": \"Azure SQL DB Data discovery & classification provides capabilities for discovering, classifying, labeling, and protecting the sensitive data in your databases. Once your data is classified, you can use Azure SQL DB auditing to audit access and monitor the sensitive data. Azure SQL DB also enables Advanced Threat Protection features which creates intelligent alerts based on changes in the access patterns to the sensitive data.\",\r\n \"remediationDescription\": \"To remediate this recommendation:
1. In your SQL database, go to 'Advanced Data Security' and click 'Data Discovery and Classification'.
2. Review the recommended classifications.
3. Apply the relevant recommendations and dismiss the ones that are not applicable.
4. Please note that the updated health status for the database will not be reflected immediately and can take up to a week to refresh. You can make this happen faster by triggering a database Vulnerability Assessment scan: in your SQL database go to 'Advanced Data Security', click 'Vulnerability Assessment' and click 'Scan'. The health status of the database will be updated within 1 day from scan completion.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f97aa83c-9b63-4f9a-99f6-b22c4398f936\",\r\n \"name\": \"f97aa83c-9b63-4f9a-99f6-b22c4398f936\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerability assessment findings on your SQL servers on machines should be remediated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"SQL Vulnerability Assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.\",\r\n \"remediationDescription\": \"To resolve SQL vulnerabilities:
1. In your SQL database, go to 'Advanced Data Security' and click 'Vulnerability Assessment'.
2. Review the set of Failed security checks found by the scan, which are sorted from high to low risk.
3. Click on each vulnerability to view its details and explicit remediation instructions and scripts.
4. Either remediate the vulnerability using the provided script, or set the result as an acceptable Baseline for the check so that it will be considered passing in subsequent scans.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/dbd0cb49-b563-45e7-9724-889e799fa648\",\r\n \"name\": \"dbd0cb49-b563-45e7-9724-889e799fa648\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities in Azure Container Registry images should be remediated (powered by Qualys)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5f0f936f-2f01-4bf5-b6be-d423792fa562\",\r\n \"description\": \"Container image vulnerability assessment scans your registry for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks.\",\r\n \"remediationDescription\": \"To resolve container image vulnerabilities:
1. Navigate to the relevant resource under the 'Unhealthy' section and select the container image you are looking to remediate.
2. Review the set of failed security checks found by the scan, which are sorted from high to low risk.
3. Click on each vulnerability to view its details and explicit remediation instructions and scripts.
4. Remediate the vulnerability using the provided instructions described in the 'Remediation' field.
5. Upload the new remediated image to your registry. Review scan results for the new image to verify the vulnerability no longer exists.
6. Delete the old image with the vulnerability from your registry.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1195afff-c881-495e-9bc5-1486211ae03f\",\r\n \"name\": \"1195afff-c881-495e-9bc5-1486211ae03f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities in your virtual machines should be remediated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9\",\r\n \"description\": \"Monitors for vulnerability findings on your virtual machines as were discovered by the built-in vulnerability assessment solution of Azure Security Center (powered by Qualys).\",\r\n \"remediationDescription\": \"Review and remediate vulnerabilities discovered by a vulnerability assessment solution.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/82e20e14-edc5-4373-bfc4-f13121257c37\",\r\n \"name\": \"82e20e14-edc5-4373-bfc4-f13121257c37\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerability assessment findings on your SQL databases should be remediated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc\",\r\n \"description\": \"SQL Vulnerability Assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.\",\r\n \"remediationDescription\": \"To resolve SQL vulnerabilities:
1. In your SQL database, go to 'Advanced Data Security' and click 'Vulnerability Assessment'.
2. Review the set of Failed security checks found by the scan, which are sorted from high to low risk.
3. Click on each vulnerability to view its details and explicit remediation instructions and scripts.
4. Either remediate the vulnerability using the provided script, or set the result as an acceptable Baseline for the check so that it will be considered passing in subsequent scans.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4ab6e3c5-74dd-8b35-9ab9-f61b30875b27\",\r\n \"name\": \"4ab6e3c5-74dd-8b35-9ab9-f61b30875b27\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"System updates should be installed on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60\",\r\n \"description\": \"Install missing system security and critical updates to secure your Windows and Linux virtual machines and computers\",\r\n \"remediationDescription\": \"
1. Click an identified outstanding update.
2. In the Missing system updates pane, click the support link (when exists) and follow the instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/37a3689a-818e-4a0e-82ac-b1392b9bb000\",\r\n \"name\": \"37a3689a-818e-4a0e-82ac-b1392b9bb000\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Endpoint protection health issues should be resolved on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9\",\r\n \"description\": \"Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/en-us/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions- Endpoint protection assessment is documented here - https://docs.microsoft.com/en-us/azure/security-center/security-center-endpoint-protection\",\r\n \"remediationDescription\": \"
1. Confirm that your solution is on the list of tools supported by Security Center.
2. For a list of possible health issues with your solution and advice on how to resolve the health issues, consult this page of the Security Center documentation\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/08e628db-e2ed-4793-bc91-d13e684401c3\",\r\n \"name\": \"08e628db-e2ed-4793-bc91-d13e684401c3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Policy Add-on for Kubernetes should be installed and enabled on your clusters\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a15ec92-a229-4763-bb14-0ea34a568f8d\",\r\n \"description\": \"Azure Policy Add-on for Kubernetes extends Gatekeeper v3, an admission controller webhook for Open Policy Agent (OPA), to apply at-scale enforcements and safeguards on your clusters in a centralized, consistent manner.Security Center requires the Add-on to audit and enforce security capabilities and compliance inside your clusters. Learn more.
Requires Kubernetes v1.14.0 or later.
\",\r\n \"remediationDescription\": \"To configure the Azure Policy Add-on for use with your Azure Kubernetes Service cluster, follow the instructions in Install Azure Policy Add-on for AKS.
\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/405c9ae6-49f9-46c4-8873-a86690f27818\",\r\n \"name\": \"405c9ae6-49f9-46c4-8873-a86690f27818\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Container CPU and memory limits should be enforced\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e345eecc-fa47-480f-9e88-67dcc122b164\",\r\n \"description\": \"Enforcing CPU and memory limits prevents resource exhaustion attacks (a form of denial of service attack).We recommend setting limits for containers to ensure the runtime prevents the container from using more than the configured resource limit.
\",\r\n \"remediationDescription\": \"From the 'Unhealthy resources' tab, select the cluster. Security Center lists the pods without CPU and memory limits. To control a pod's limits, set quotas at the container level. Each container of a pod can specify one or both of the following:- spec.containers[].resources.limits.cpu
- spec.containers[].resources.limits.memory
After making your changes, redeploy the pod with the new limits.
Note: Although requests and limits can only be specified on individual containers, it is convenient to talk about pod resource limits. A Pod resource limit is the sum of the resource limits for all the containers in the pod. Learn more.
\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"threats\": [\r\n \"DenialOfService\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5d90913f-a1c5-4429-ad54-2c6c17fb3c73\",\r\n \"name\": \"5d90913f-a1c5-4429-ad54-2c6c17fb3c73\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Privileged containers should be avoided\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/95edb821-ddaf-4404-9732-666045e056b4\",\r\n \"description\": \"To prevent unrestricted host access, avoid privileged containers whenever possible.Privileged containers have all of the root capabilities of a host machine. They can be used as entry points for attacks and to spread malicious code or malware to compromised applications, hosts and networks.
\",\r\n \"remediationDescription\": \"From the 'Unhealthy resources' tab, select the cluster. Security Center lists the pods running privileged containers.For these pods, set the privileged flag to 'false' on the security context of the container's spec. After making your changes, redeploy the pod with the updated spec.
\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"threats\": [\r\n \"ElevationOfPrivilege\",\r\n \"DataExfiltration\",\r\n \"ThreatResistance\",\r\n \"DenialOfService\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8d244d29-fa00-4332-b935-c3a51d525417\",\r\n \"name\": \"8d244d29-fa00-4332-b935-c3a51d525417\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Container images should be deployed from trusted registries only\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/febd0533-8e55-448f-b837-bd0e06f16469\",\r\n \"description\": \"Images running on your Kubernetes cluster should come from known and monitored container image registries. Trusted registries reduce your cluster's exposure risk by limiting the potential for the introduction of unknown vulnerabilities, security issues and malicious images.\",\r\n \"remediationDescription\": \"- Ensure a regex, defining your organization private registries is configured, via the security policy parameters.
- From the 'Unhealthy resources' tab, select the cluster. Security Center lists the pods running images from untrusted registries. If you see a pod running an unfamiliar image, remove it and report the incident to your security admin. Otherwise, move all images to a trusted private registry and redeploy the pods with the updated registry.
\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5f88450f-9546-4b78-a181-a2d9162bb441\",\r\n \"name\": \"5f88450f-9546-4b78-a181-a2d9162bb441\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Containers should listen on allowed ports only\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/440b515e-a580-421e-abeb-b159a61ddcbc\",\r\n \"description\": \"To reduce the attack surface of your Kubernetes cluster, restrict access to the cluster by limiting containers access to the configured ports.\",\r\n \"remediationDescription\": \"- Ensure a list of ports on which your containers are allowed to listen, is configured, via the security policy parameters.
- From the 'Unhealthy resources' tab, select the cluster. Security Centers lists the pods running containers which listen on ports outside the configured list.
- Limit the containers' ports. After making your changes, redeploy the pods with the updated ports.
\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"threats\": [\r\n \"ThreatResistance\",\r\n \"DenialOfService\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/add45209-73f6-4fa5-a5a5-74a451b07fbe\",\r\n \"name\": \"add45209-73f6-4fa5-a5a5-74a451b07fbe\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Services should listen on allowed ports only\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/233a2a17-77ca-4fb1-9b6b-69223d272a44\",\r\n \"description\": \"To reduce the attack surface of your Kubernetes cluster, restrict access to the cluster by limiting services access to the configured ports.\",\r\n \"remediationDescription\": \"- Ensure a list of ports on which your services are allowed to listen, is configured, via the security policy parameters.
- From the 'Unhealthy resources' tab, select the cluster. Security Center lists the services which listen on ports outside the configured list.
- Limit the services' ports. After making your changes, redeploy the services with the updated ports.
\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"threats\": [\r\n \"ThreatResistance\",\r\n \"DenialOfService\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/11c95609-3553-430d-b788-fd41cde8b2db\",\r\n \"name\": \"11c95609-3553-430d-b788-fd41cde8b2db\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Least privileged Linux capabilities should be enforced for containers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c26596ff-4d70-4e6a-9a30-c2506bd2f80c\",\r\n \"description\": \"To reduce attack surface of your container, restrict Linux capabilities and grant specific privileges to containers without granting all the privileges of the root user. We recommend dropping all capabilities, then adding those that are required\",\r\n \"remediationDescription\": \"
1. Make sure lists of dropped capabilities and allowed capabilities are configured, via the security policy parameters.
2. From the Unhealthy resources tab, select the cluster. Security Center lists the running containers with capabilities outside the configured list.
3. Limit the containers' Linux capabilities. To add or remove Linux capabilities for a container, include a capabilities section in the securityContext section of the container manifest with the relevant capabilities set e.g. Drop: ALL ; add: ['NET_ADMIN', 'SYS_TIME'].
4. After making your changes, redeploy the pod with the updated capabilities.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"threats\": [\r\n \"ElevationOfPrivilege\",\r\n \"DataExfiltration\",\r\n \"ThreatResistance\",\r\n \"DenialOfService\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/27d6f0e9-b4d5-468b-ae7e-03d5473fd864\",\r\n \"name\": \"27d6f0e9-b4d5-468b-ae7e-03d5473fd864\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Immutable (read-only) root filesystem should be enforced for containers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/df49d893-a74c-421d-bc95-c663042e5b80\",\r\n \"description\": \"Containers should run with a read only root file system in your Kubernetes cluster. Immutable filesystem protects containers from changes at run-time with malicious binaries being added to PATH.\",\r\n \"remediationDescription\": \"
1. From the Unhealthy resources tab, select the cluster. Security Center lists the pods running containers without read only root file system.
2. For these pods, set the readOnlyRootFilesystem flag to 'true' on the security context of the container's spec.
3. After making your changes, redeploy the pod with the updated spec.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f0debc84-981c-4a0d-924d-aa4bd7d55fef\",\r\n \"name\": \"f0debc84-981c-4a0d-924d-aa4bd7d55fef\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Usage of pod HostPath volume mounts should be restricted to a known list to restrict node access from compromised containers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/098fc59e-46c7-4d99-9b16-64990e543d75\",\r\n \"description\": \"We recommend limiting pod HostPath volume mounts in your Kubernetes cluster to the configured allowed host paths. In case of compromise, the container node access from the containers should be restricted\",\r\n \"remediationDescription\": \"
1. Ensure a list of allowed host paths is configured, via the security policy parameters.
2. From the Unhealthy resources tab, select the cluster. Security Center lists the pods running pods with hostPath volume violating the configured list.
3. Update hostPath and redeploy the pod with the updated spec.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9b795646-9130-41a4-90b7-df9eae2437c8\",\r\n \"name\": \"9b795646-9130-41a4-90b7-df9eae2437c8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Running containers as root user should be avoided\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f06ddb64-5fa3-4b77-b166-acb36f7f6042\",\r\n \"description\": \"Containers should run as a non-root users in your Kubernetes cluster. Running a process as the root user inside a container runs it as root on the host. In case of compromise, an attacker has root in the container, and any mis-configurations become easier to exploit.\",\r\n \"remediationDescription\": \"
1. From the Unhealthy resources tab, select the cluster. Security Center lists the pods running containers missing the 'MustRunAsNonRoot' rule.
2. For these pods, add rule: 'MustRunAsNonRoot' in a runAsUser section of the container's spec.
3. After making your changes, redeploy the pod with the updated rule. \",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ebc68898-5c0f-4353-a426-4a5f1e737b12\",\r\n \"name\": \"ebc68898-5c0f-4353-a426-4a5f1e737b12\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Usage of host networking and ports should be restricted\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/82985f06-dc18-4a48-bc1c-b9f4f0098cfe\",\r\n \"description\": \"Restrict pod access to the host network and the allowable host port range in a Kubernetes cluster. Pods created with the hostNetwork attribute enabled will share the node’s network space. To avoid compromised container from sniffing network traffic, we recommend not putting your pods on the host network. If you need to expose a container port on the node’s network, and using a Kubernetes Service node port does not meet your needs, another possibility is to specify a hostPort for the container in the pod spec.\",\r\n \"remediationDescription\": \"
1. Ensure the following are all configured in the security policy parameters: allow host network usage, and min and max host ports.
2. From the Unhealthy resources tab, select the cluster. Security Center lists the pods running containers with host networking violating the configured list.
3. Validate the host networking using the hostNetwork and hostPort attributes (when applicable) of the container's spec.
4. After making your changes, redeploy the pod with the updated spec.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/802c0637-5a8c-4c98-abd7-7c96d89d6010\",\r\n \"name\": \"802c0637-5a8c-4c98-abd7-7c96d89d6010\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Containers sharing sensitive host namespaces should be avoided\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8\",\r\n \"description\": \"To protect against privilege escalation outside the container, avoid pod access to sensitive host namespaces (host process ID and host IPC) in a Kubernetes cluster.\",\r\n \"remediationDescription\": \"
1. From the Unhealthy resources tab, select the cluster. Security Center lists the pods sharing host process ID or host IPC.
2. Set the host process ID and host IPC to 'false' on the pod's spec.
3. After making your changes, redeploy the pod with the updated spec.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/43dc2a2e-ce69-4d42-923e-ab7d136f2cfe\",\r\n \"name\": \"43dc2a2e-ce69-4d42-923e-ab7d136f2cfe\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Container with privilege escalation should be avoided\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1c6e92c9-99f0-4e55-9cf2-0c234dc48f99\",\r\n \"description\": \"Containers shouldn't run with privilege escalation to root in your Kubernetes cluster.<br>The AllowPrivilegeEscalation attribute controls whether a process can gain more privileges than its parent process.\",\r\n \"remediationDescription\": \"
1. From the Unhealthy resources tab, select the cluster. Security Center lists the pods running containers with privilege escalation to root in your Kubernetes cluster.
2. For these pods, set the AllowPrivilegeEscalation flag to 'false' on the security context of the container's spec.
3. After making your changes, redeploy the pod with the updated spec.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/86f91051-9d6a-47c3-a07f-bd14cb214b45\",\r\n \"name\": \"86f91051-9d6a-47c3-a07f-bd14cb214b45\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Overriding or disabling of containers AppArmor profile should be restricted\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/511f5417-5d12-434d-ab2e-816901e72a5e\",\r\n \"description\": \"Containers running on your Kubernetes cluster should be limited to allowed AppArmor profiles only.<br>AppArmor (Application Armor) is a Linux security module that protects an operating system and its applications from security threats. To use it, a system administrator associates an AppArmor security profile with each program.\",\r\n \"remediationDescription\": \"
1. Ensure a list of AppArmor profiles containers are allowed to use is configured, via the security policy parameters.
2. From the Unhealthy resources tab, select the cluster. Security Center lists the running pods with AppArmor profile violating the configured list.
3. Update AppArmor annotation in the Pod's metadata and redeploy the pod with the updated spec.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessmentMetadata/0338728b-bc5c-41d6-ab83-29cf28652680\",\r\n \"name\": \"0338728b-bc5c-41d6-ab83-29cf28652680\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Testing the cmdlet\",\r\n \"assessmentType\": \"CustomerManaged\",\r\n \"description\": \"Testing that creating a new metadata is working\",\r\n \"categories\": [\r\n \"Unknown\"\r\n ],\r\n \"severity\": \"High\"\r\n }\r\n }\r\n ]\r\n}",
"StatusCode": 200
},
{
@@ -177,7 +177,7 @@
"-1"
]
},
- "ResponseBody": "{\r\n \"value\": [\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4fb67663-9ab9-475d-b026-8c544cced439\",\r\n \"name\": \"4fb67663-9ab9-475d-b026-8c544cced439\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Endpoint protection should be installed on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9\",\r\n \"description\": \"To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.
Learn more about how Endpoint Protection for machines is evaluated.\",\r\n \"remediationDescription\": \"To remediate missing endpoint protection:
1. Confirm that your solution is on the list of tools supported by Security Center.
2. Install the supported endpoint protection solution or enable an existing tool.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0396b18c-41aa-489c-affd-4ee5d1714a59\",\r\n \"name\": \"0396b18c-41aa-489c-affd-4ee5d1714a59\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Secure Boot should be enabled on your virtual machine\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Enabling Secure Boot on your virtual machine helps mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only signed code will be allowed to run on your VM or server.\",\r\n \"remediationDescription\": \"Enabling Secure Boot requires restarting your virtual machine:
1. Stop your VM when it is safe to do so.
2. Enable Secure Boot for the VM.
3. Restart the VM.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ElevationOfPrivilege\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f7010359-8d21-4598-a9f2-c3e81a17141e\",\r\n \"name\": \"f7010359-8d21-4598-a9f2-c3e81a17141e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"All advanced threat protection types should be enabled in SQL server advanced data security settings\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e756b945-1b1b-480b-8de8-9a0859d5f7ad\",\r\n \"description\": \"It is recommended to enable all advanced threat protection types on your SQL servers. Enabling all types protects against SQL injection, database vulnerabilities, and any other anomalous activities.\",\r\n \"remediationDescription\": \"To set advanced threat protection types to 'All' on SQL servers:
1. Select the SQL server.
2. Make sure that 'Advanced data security' is set to 'On'.
3. Under 'Advanced threat protection types', mark the check box for 'all'.
4. click OK.
5. Click Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ebe970fe-9c27-4dd7-a165-1e943d565e10\",\r\n \"name\": \"ebe970fe-9c27-4dd7-a165-1e943d565e10\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"All advanced threat protection types should be enabled in SQL managed instance advanced data security settings\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bda18df3-5e41-4709-add9-2554ce68c966\",\r\n \"description\": \"It is recommended to enable all advanced threat protection types on your SQL managed instances. Enabling all types protects against SQL injection, database vulnerabilities, and any other anomalous activities.\",\r\n \"remediationDescription\": \"To set advanced threat protection types to 'All' on a managed instance:
1. Select the SQL server.
2. Make sure that 'Advanced data security' is set to 'On'.
3. Under 'Advanced threat protection types', mark the check box for 'all'.
4. click OK.
5. Click Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/64b8637e-4e1d-76a9-0fc9-c1e487a97ed8\",\r\n \"name\": \"64b8637e-4e1d-76a9-0fc9-c1e487a97ed8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Remote debugging should be turned off for Web Applications\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/cb510bfd-1cba-4d9f-a230-cb0976f4bb71\",\r\n \"description\": \"Remote debugging requires inbound ports to be opened on a web application. Remote debugging is currently enabled. If you no longer need to use remote debugging, it should be turned off.\",\r\n \"remediationDescription\": \"To turn off remote debugging, we recommend the following steps:
1. Go to the app service applications settings page
2. In the remote debugging toggle select Off
3. Click Save\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/df4d1739-47f0-60c7-1706-3731fea6ab03\",\r\n \"name\": \"df4d1739-47f0-60c7-1706-3731fea6ab03\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CORS should not allow every resource to access your Web Applications\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/5744710e-cc2f-4ee8-8809-3b11e89f4bc9\",\r\n \"description\": \"Cross-Origin Resource Sharing (CORS) should not allow all domains to access your web application. Allow only required domains to interact with your web app.\",\r\n \"remediationDescription\": \"To allow only required domains to interact with your web app, we recommend the following steps:
1. Go to the app service CORS page
2. Remove the \\\"*\\\" defined and instead specify explicit origins that should be allowed to make cross-origin calls
3. Click Save\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1b351b29-41ca-6df5-946c-c190a56be5fe\",\r\n \"name\": \"1b351b29-41ca-6df5-946c-c190a56be5fe\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Web Application should only be accessible over HTTPS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d\",\r\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\",\r\n \"remediationDescription\": \"To redirect all HTTP traffic to HTTPS, we recommend the following steps:
1. Go to the app service custom domains page
2. In the HTTPS Only toggle select On\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/093c685b-56dd-13a3-8ed5-887a001837a2\",\r\n \"name\": \"093c685b-56dd-13a3-8ed5-887a001837a2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Remote debugging should be turned off for Function App\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/0e60b895-3786-45da-8377-9c6b4b6ac5f9\",\r\n \"description\": \"Remote debugging requires inbound ports to be opened on an function app. Remote debugging should be turned off.\",\r\n \"remediationDescription\": \"To turn off remote debugging, we recommend the following steps:
1. Go to the app service applications settings page
2. In the remote debugging toggle select Off
3. Click Save\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7b3d4796-9400-2904-692b-4a5ede7f0a1e\",\r\n \"name\": \"7b3d4796-9400-2904-692b-4a5ede7f0a1e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CORS should not allow every resource to access your Function App\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/0820b7b9-23aa-4725-a1ce-ae4558f718e5\",\r\n \"description\": \"Cross-Origin Resource Sharing (CORS) should not allow all domains to access your Function app. Allow only required domains to interact with your Function app.\",\r\n \"remediationDescription\": \"To allow only required domains to interact with your web app, we recommend the following steps:
1. Go to the app service CORS page
2. Remove the \\\"*\\\" defined and instead specify explicit origins that should be allowed to make cross-origin calls
3. Click Save\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/cb0acdc6-0846-fd48-debe-9905af151b6d\",\r\n \"name\": \"cb0acdc6-0846-fd48-debe-9905af151b6d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Function App should only be accessible over HTTPS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab\",\r\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\",\r\n \"remediationDescription\": \"To redirect all HTTP traffic to HTTPS, we recommend the following steps:
1. Go to the app service custom domains page
2. In the HTTPS Only toggle select On\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9172da4e-9571-6e33-2b5b-d742847f3be7\",\r\n \"name\": \"9172da4e-9571-6e33-2b5b-d742847f3be7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Remote debugging should be turned off for API App\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/e9c8d085-d9cc-4b17-9cdc-059f1f01f19e\",\r\n \"description\": \"Remote debugging requires inbound ports to be opened on an API app. Remote debugging should be turned off.\",\r\n \"remediationDescription\": \"To turn off remote debugging, we recommend the following steps:
1. Go to the app service applications settings page
2. In the remote debugging toggle select Off
3. Click Save\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e40df93c-7a7c-1b0a-c787-9987ceb98e54\",\r\n \"name\": \"e40df93c-7a7c-1b0a-c787-9987ceb98e54\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CORS should not allow every resource to access your API App\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/358c20a6-3f9e-4f0e-97ff-c6ce485e2aac\",\r\n \"description\": \"Cross-Origin Resource Sharing (CORS) should not allow all domains to access your API app. Allow only required domains to interact with your API app.\",\r\n \"remediationDescription\": \"To allow only required domains to interact with your web app, we recommend the following steps:
1. Go to the app service CORS page
2. Remove the \\\"*\\\" defined and instead specify explicit origins that should be allowed to make cross-origin calls
3. Click Save\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bf82a334-13b6-ca57-ea75-096fc2ffce50\",\r\n \"name\": \"bf82a334-13b6-ca57-ea75-096fc2ffce50\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"API App should only be accessible over HTTPS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b7ddfbdc-1260-477d-91fd-98bd9be789a6\",\r\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\",\r\n \"remediationDescription\": \"To redirect all HTTP traffic to HTTPS, we recommend the following steps:
1. Go to the app service custom domains page
2. In the HTTPS Only toggle select On\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d57a4221-a804-52ca-3dea-768284f06bb7\",\r\n \"name\": \"d57a4221-a804-52ca-3dea-768284f06bb7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Disk encryption should be applied on virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d\",\r\n \"description\": \"Encrypt your virtual machine disks using Azure Disk Encryption both for Windows and Linux virtual machines.
\\n Azure Disk Encryption (ADE) leverages the industry standard BitLocker feature of Windows and the DM-Crypt feature of Linux to
\\n provide OS and data disk encryption to help protect and safeguard your data and help meet your organizational security and
\\n compliance commitments in customer Azure key vault. When your compliance and security requirement requires you to encrypt
\\n the data end to end using your encryption keys, including encryption of the ephemeral (locally attached temporary) disk, use
\\n Azure disk encryption. Alternatively, by default, Managed Disks are encrypted at rest by default using Azure Storage Service
\\n Encryption where the encryption keys are Microsoft managed keys in Azure. If this meets your compliance and security requirements,
\\n you can leverage the default Managed disk encryption to meet your requirements.\",\r\n \"remediationDescription\": \"To enable disk encryption on your virtual machines, follow Encryption instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c0f5316d-5ac5-9218-b77a-b96e16ccfd66\",\r\n \"name\": \"c0f5316d-5ac5-9218-b77a-b96e16ccfd66\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Your machines should be restarted to apply system updates\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60\",\r\n \"description\": \"Restart your machines to apply the system updates and secure the machine from vulnerabilities.\",\r\n \"remediationDescription\": \"To restart the machine:
1. Go to Virtual machines and click on your machine.
2. Click 'Restart'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/181ac480-f7c4-544b-9865-11b8ffe87f47\",\r\n \"name\": \"181ac480-f7c4-544b-9865-11b8ffe87f47\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities in security configuration on your machines should be remediated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15\",\r\n \"description\": \"Remediate vulnerabilities in security configuration on your machines to protect them from attacks.\",\r\n \"remediationDescription\": \"1.\\tClick any of the configuration vulnerabilities. 2. In the Remediate security configurations pane, click View affected machines. 3. Click a machine from the list. 4. Customize the Kusto query as necessary and run the command.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3bcd234d-c9c7-c2a2-89e0-c01f419c1a8a\",\r\n \"name\": \"3bcd234d-c9c7-c2a2-89e0-c01f419c1a8a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Endpoint protection health issues should be resolved on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9\",\r\n \"description\": \"For full Security Center protection, resolve monitoring agent issues on your machines by following the instructions in the Troubleshooting guide.\",\r\n \"remediationDescription\": \"1. Click any of the health issues. 2. Select a workspace. 3. Customize the Kusto query as necessary and run the command.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/83f577bd-a1b6-b7e1-0891-12ca19d1e6df\",\r\n \"name\": \"83f577bd-a1b6-b7e1-0891-12ca19d1e6df\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Install endpoint protection solution on virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9\",\r\n \"description\": \"Install an endpoint protection solution on your virtual machines, to protect them from threats and vulnerabilities.\",\r\n \"remediationDescription\": \"1.\\tSelect one or more virtual machines, or use the filter to set criteria for which machines to select. 2. Click Install on [x] VMs.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/651967bf-044e-4bde-8376-3e08e0600105\",\r\n \"name\": \"651967bf-044e-4bde-8376-3e08e0600105\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Transparent Data Encryption on SQL databases should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/17k78e20-9358-41c9-923c-fb736d382a12\",\r\n \"description\": \"Enable transparent data encryption to protect data-at-rest and meet compliance requirements\",\r\n \"remediationDescription\": \"To enable transparent data encryption on your SQL databases:
1. Select the SQL database.
2. Under Data encryption, select On.
3. Click Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/94208a8b-16e8-4e5b-abbd-4e81c9d02bee\",\r\n \"name\": \"94208a8b-16e8-4e5b-abbd-4e81c9d02bee\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Auditing on SQL server should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9\",\r\n \"description\": \"Enable auditing on your SQL Server to track database activities across all databases on the server and save them in an audit log.\",\r\n \"remediationDescription\": \"To enable SQL server auditing:
1. Select the SQL server.
2. Under Auditing, select On.
3. Select Storage details and configure a storage account for the audit log.
4. Click Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8bc390da-9eb6-938d-25ed-44a35d9bcc9d\",\r\n \"name\": \"8bc390da-9eb6-938d-25ed-44a35d9bcc9d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"OS version should be updated for your cloud service roles\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5a913c68-0590-402c-a531-e57e19379da3\",\r\n \"description\": \"Update the operating system (OS) version for your cloud service roles to the most recent version available for your OS family.\",\r\n \"remediationDescription\": \"Update the OS version on your cloud service roles to make sure you have the most recent OS version. To do this, follow the instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/383cf3bc-fdf9-4a02-120a-3e7e36c6bfee\",\r\n \"name\": \"383cf3bc-fdf9-4a02-120a-3e7e36c6bfee\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Install endpoint protection solution on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Install an endpoint protection solution on your Windows and Linux machines, to protect them from threats and vulnerabilities.\",\r\n \"remediationDescription\": \"1. Select one or more machines, or use the filter to set criteria for which machines to select. 2. Click Install on [x] machines.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e7ee30c4-bac9-2966-54bd-2023a4282872\",\r\n \"name\": \"e7ee30c4-bac9-2966-54bd-2023a4282872\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Monitoring agent should be installed on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This action installs a monitoring agent on the selected virtual machines. Select a workspace for the agent to report to.\",\r\n \"remediationDescription\": \"1. For instructions on how to install the agent on Windows, click here 2. For instructions on how to install the agent on Linux, click here\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8e2b96ff-3de2-289b-b5c1-3b9921a3441e\",\r\n \"name\": \"8e2b96ff-3de2-289b-b5c1-3b9921a3441e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Log Analytics agent health issues should be resolved on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d62cfe2b-3ab0-4d41-980d-76803b58ca65\",\r\n \"description\": \"Security Center uses the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA). To make sure your virtual machines are successfully monitored, you need to make sure the agent is both installed on the virtual machines and properly collects security events to the configured workspace.\",\r\n \"remediationDescription\": \"To resolve Log Analytics agent health issues and see the different resolution for each issue, please see the following instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d1db3318-01ff-16de-29eb-28b344515626\",\r\n \"name\": \"d1db3318-01ff-16de-29eb-28b344515626\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Log Analytics agent should be installed on your virtual machine\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499\",\r\n \"description\": \"Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats. Data is collected using the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA), which reads various security-related configurations and event logs from the machine and copies the data to your Log Analytics workspace for analysis. This agent is also is required if your VMs are used by an Azure managed service such as Azure Kubernetes Service or Azure Service Fabric. We recommend configuring auto-provisioning to automatically deploy the agent. If you choose not to use auto-provisioning, manually deploy the agent to your VMs using the instructions in the remediation steps.\",\r\n \"remediationDescription\": \"For multiple ways to install and configure your Log Analytics agent please see the following instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/151e82c5-5341-a74b-1eb0-bc38d2c84bb5\",\r\n \"name\": \"151e82c5-5341-a74b-1eb0-bc38d2c84bb5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"MFA should be enabled on accounts with read permissions on your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e3576e28-8b17-4677-84c3-db2990658d64\",\r\n \"description\": \"Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources.\",\r\n \"remediationDescription\": \"To enable MFA using conditional access you must have an Azure AD Premium license and have AD tenant admin permissions.
1. Select the relevant subscription or click 'Take action' if it's available. The list of user accounts without MFA appears.
2. Click 'Continue'. The Azure AD Conditional Access page appears.
3. In the Conditional Access page, add the list of users to a policy (create a policy if one doesn't exist).
4. For your conditional access policy, ensure the following:
a. In the 'Access controls' section, multi-factor authentication is granted.
b. In the 'Cloud Apps or actions' section's 'Include' tab, check that Microsoft Azure Management (App Id :797f4846-ba00-4fd7-ba43-dac1f8f63013) or 'All apps' is selected. In the 'Exclude' tab, check that it is not excluded.
To enable MFA security defaults in Azure Active Directory (included in Azure AD free):
1. Sign in to the Azure AD - Properties page as a security administrator, Conditional Access administrator, or global administrator.
2. From the bottom of the page, select Manage security defaults.
3. Set Enable security defaults to Yes.
4. Select Save.
Note: It can take up to 12 hours for the change to be reflected in Security Center.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/57e98606-6b1e-6193-0e3d-fe621387c16b\",\r\n \"name\": \"57e98606-6b1e-6193-0e3d-fe621387c16b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"MFA should be enabled on accounts with write permissions on your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9297c21d-2ed6-4474-b48f-163f75654ce3\",\r\n \"description\": \"Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources.\",\r\n \"remediationDescription\": \"To enable MFA using conditional access you must have an Azure AD Premium license and have AD tenant admin permissions.
1. Select the relevant subscription or click 'Take action' if it's available. The list of user accounts without MFA appears.
2. Click 'Continue'. The Azure AD Conditional Access page appears.
3. In the Conditional Access page, add the list of users to a policy (create a policy if one doesn't exist).
4. For your conditional access policy, ensure the following:
a. In the 'Access controls' section, multi-factor authentication is granted.
b. In the 'Cloud Apps or actions' section's 'Include' tab, check that Microsoft Azure Management (App Id :797f4846-ba00-4fd7-ba43-dac1f8f63013) or 'All apps' is selected. In the 'Exclude' tab, check that it is not excluded.
To enable MFA security defaults in Azure Active Directory (included in Azure AD free):
1. Sign in to the Azure AD - Properties page as a security administrator, Conditional Access administrator, or global administrator.
2. From the bottom of the page, select Manage security defaults.
3. Set Enable security defaults to Yes.
4. Select Save.
Note: It can take up to 12 hours for the change to be reflected in Security Center.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/94290b00-4d0c-d7b4-7cea-064a9554e681\",\r\n \"name\": \"94290b00-4d0c-d7b4-7cea-064a9554e681\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"MFA should be enabled on accounts with owner permissions on your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/aa633080-8b72-40c4-a2d7-d00c03e80bed\",\r\n \"description\": \"Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources.\",\r\n \"remediationDescription\": \"To enable MFA using conditional access you must have an Azure AD Premium license and have AD tenant admin permissions.
1. Select the relevant subscription or click 'Take action' if it's available. The list of user accounts without MFA appears.
2. Click 'Continue'. The Azure AD Conditional Access page appears.
3. In the Conditional Access page, add the list of users to a policy (create a policy if one doesn't exist).
4. For your conditional access policy, ensure the following:
a. In the 'Access controls' section, multi-factor authentication is granted.
b. In the 'Cloud Apps or actions' section's 'Include' tab, check that Microsoft Azure Management (App Id :797f4846-ba00-4fd7-ba43-dac1f8f63013) or 'All apps' is selected. In the 'Exclude' tab, check that it is not excluded.
To enable MFA security defaults in Azure Active Directory (included in Azure AD free):
1. Sign in to the Azure AD - Properties page as a security administrator, Conditional Access administrator, or global administrator.
2. From the bottom of the page, select Manage security defaults.
3. Set Enable security defaults to Yes.
4. Select Save.
Note: It can take up to 12 hours for the change to be reflected in Security Center.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a8c6a4ad-d51e-88fe-2979-d3ee3c864f8b\",\r\n \"name\": \"a8c6a4ad-d51e-88fe-2979-d3ee3c864f8b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"External accounts with read permissions should be removed from your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5f76cf89-fbf2-47fd-a3f4-b891fa780b60\",\r\n \"description\": \"Accounts with read permissions that have different domain names (external accounts), should be removed from your subscription. This prevents unmonitored access. These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"To remove external accounts:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The list of external user accounts that require access removal opens.
Click 'Continue'. The Access control (IAM) page opens.
In the Access control page:
1. Click the 'Role assignments'
2. Search and select the users that were in the list of user accounts that require removal. You can scroll back to the left to see the list.
3. Click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/04e7147b-0deb-9796-2e5c-0336343ceb3d\",\r\n \"name\": \"04e7147b-0deb-9796-2e5c-0336343ceb3d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"External accounts with write permissions should be removed from your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5c607a2e-c700-4744-8254-d77e7c9eb5e4\",\r\n \"description\": \"Accounts with write permissions that have different domain names (external accounts), should be removed from your subscription. This prevents unmonitored access. These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"To remove external accounts:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The list of external user accounts that require access removal opens.
Click 'Continue'. The Access control (IAM) page opens.
In the Access control page:
1. Click the 'Role assignments'
2. Search and select the users that were in the list of user accounts that require removal. You can scroll back to the left to see the list.
3. Click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c3b6ae71-f1f0-31b4-e6c1-d5951285d03d\",\r\n \"name\": \"c3b6ae71-f1f0-31b4-e6c1-d5951285d03d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"External accounts with owner permissions should be removed from your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f8456c1c-aa66-4dfb-861a-25d127b775c9\",\r\n \"description\": \"Accounts with owner permissions that have different domain names (external accounts), should be removed from your subscription. This prevents unmonitored access. These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"To remove external accounts:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The list of external user accounts that require access removal opens.
Click 'Continue'. The Access control (IAM) page opens.
In the Access control page:
1. Click the 'Role assignments'
2. Search and select the users that were in the list of user accounts that require removal. You can scroll back to the left to see the list.
3. Click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/00c6d40b-e990-6acf-d4f3-471e747a27c4\",\r\n \"name\": \"00c6d40b-e990-6acf-d4f3-471e747a27c4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Deprecated accounts should be removed from your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6b1cbf55-e8b6-442f-ba4c-7246b6381474\",\r\n \"description\": \"User accounts that have been blocked from signing in, should be removed from your subscriptions.
These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"To remove blocked user accounts:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The list of blocked user accounts opens.
Click 'Continue'. The Access control (IAM) page opens.
In the Access control page:
1. Click the 'Role assignments' tab.
2. Search and select the users that were in the list of blocked user accounts that require removal. You can scroll back to the left to see the list.
3. Click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e52064aa-6853-e252-a11e-dffc675689c2\",\r\n \"name\": \"e52064aa-6853-e252-a11e-dffc675689c2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Deprecated accounts with owner permissions should be removed from your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ebb62a0c-3560-49e1-89ed-27e074e9f8ad\",\r\n \"description\": \"User accounts that have been blocked from signing in, should be removed from your subscriptions.
These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"To remove blocked user accounts:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The list of blocked user accounts opens.
Click 'Continue'. The Access control (IAM) page opens.
In the Access control page:
1. Click the 'Role assignments' tab.
2. Search and select the users that were in the list of blocked user accounts that require removal. You can scroll back to the left to see the list.
3. Click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6f90a6d6-d4d6-0794-0ec1-98fa77878c2e\",\r\n \"name\": \"6f90a6d6-d4d6-0794-0ec1-98fa77878c2e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"A maximum of 3 owners should be designated for your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4f11b553-d42e-4e3a-89be-32ca364cad4c\",\r\n \"description\": \"It is recommended to designate up to {0} subscription owners in order to reduce the potential for breach by a compromised owner.\",\r\n \"remediationDescription\": \"To remove owner permissions from user accounts on your subscription:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The Access control (IAM) page opens.
1. Click the Role assignments tab and set the 'Role' filter to 'Owner'.
2. Select the owners you want to remove.
3. Click Remove.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2c79b4af-f830-b61e-92b9-63dfa30f16e4\",\r\n \"name\": \"2c79b4af-f830-b61e-92b9-63dfa30f16e4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"There should be more than one owner assigned to your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/09024ccc-0c5f-475e-9457-b7c0d9ed487b\",\r\n \"description\": \"Designate more than one subscription owner in order to have administrator access redundancy.\",\r\n \"remediationDescription\": \"To add another account with owner permissions to your subscription:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The Access control (IAM) page opens.
1. Click 'Add' to open the Add role assignment pane.
If you don't have permissions to assign roles, the Add role assignment option will be disabled
1. In the 'Role' drop-down list, select the Owner role.
2. In the Select list, select a user.
3. Click Save.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0677209d-e675-2c6f-e91a-54cef2878663\",\r\n \"name\": \"0677209d-e675-2c6f-e91a-54cef2878663\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities in container security configurations should be remediated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933\",\r\n \"description\": \"Remediate vulnerabilities in security configuration on machines with Docker installed to protect them from attacks.\",\r\n \"remediationDescription\": \"To remediate vulnerabilities in the container security configurations:
1. Review the list of failed rules.
2. Fix each rule according to the specified instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1db4f204-cb5a-4c9c-9254-7556403ce51c\",\r\n \"name\": \"1db4f204-cb5a-4c9c-9254-7556403ce51c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerability assessment should be enabled on your SQL servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9\",\r\n \"description\": \"Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities.\",\r\n \"remediationDescription\": \"To enable vulnerability assessment on SQL servers:
1. Select the SQL server.
2. Make sure that 'Advanced data security' is set to 'On'.
3. Under 'Vulnerability assessment settings', set 'Periodic recurring scans' to 'On', and configure a storage account for storing vulnerability assessment scan results.
4. Click Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/400a6682-992c-4726-9549-629fbc3b988f\",\r\n \"name\": \"400a6682-992c-4726-9549-629fbc3b988f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Defender for SQL should be enabled on your SQL servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9\",\r\n \"description\": \"Azure Defender for SQL is a unified package that provides advanced SQL security capabilities. It surfaces and mitigates potential database vulnerabilities, and detects anomalous activities that could indicate a threat to your database. Azure Defender for SQL is billed as shown on the pricing page.\",\r\n \"remediationDescription\": \"To enable Azure Defender for SQL on SQL servers: 1. Select the SQL server. 2. Under 'Security Center', set Azure Defender for SQL to 'On'. 3. Under 'Vulnerability Assessment Settings', configure a storage account for storing vulnerability assessment scan results and set 'Periodic recurring scans' to 'On'. 4. Click Save.
Note: Azure Defender for SQL is billed as shown on the pricing page\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f0553104-cfdb-65e6-759c-002812e38500\",\r\n \"name\": \"f0553104-cfdb-65e6-759c-002812e38500\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"An Azure Active Directory administrator should be provisioned for SQL servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9\",\r\n \"description\": \"Provision an Azure AD administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services.\",\r\n \"remediationDescription\": \"To provision an Azure AD administrator for SQL server, see Configure and manage Azure Active Directory authentication with SQL Database, Managed Instance, or SQL Data Warehouse\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/12018f4f-3d10-999b-e4c4-86ec25be08a1\",\r\n \"name\": \"12018f4f-3d10-999b-e4c4-86ec25be08a1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Virtual machines should be migrated to new Azure Resource Manager resources\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d\",\r\n \"description\": \"Virtual Machines (classic) was deprecated and these VMs should be migrated to Azure Resource Manager.
Because Azure Resource Manager now has full IaaS capabilities and other advancements, we deprecated the management of IaaS virtual machines (VMs) through Azure Service Manager (ASM) on February 28, 2020. This functionality will be fully retired on March 1, 2023.
Available resources and information about this tool & migration:
1. Overview of Virtual machines (classic) deprecation, step by step process for migration & available microsoft resources.
2. Details about Migrate to ARM migration tool.
3. Migrate to ARM migration tool using Power shell.\",\r\n \"remediationDescription\": \"To migrate virtual machines to new ARM resources:
1. Go to the Virtual machines (classic) Portal Blade.
2. Click on Migrate to ARM.
3. Click on Validate. If validate failed, use the suggested methods in the error messages or Migration Overview document to fix the errors.
4. Click on Prepare. If prepare failed, use the suggested methods in the error messages or Migration Overview document to fix the errors.
5. (Optional) Click on Abort to rollback migration.
6. Click on Commit. Commit finalizes the migration and cannot be rolled back.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/22e18b64-4576-41e6-8972-0eb28c9af0c8\",\r\n \"name\": \"22e18b64-4576-41e6-8972-0eb28c9af0c8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fb893a29-21bb-418c-a157-e99480ec364c\",\r\n \"description\": \"Upgrade your Kubernetes service cluster to a later Kubernetes version to protect against known vulnerabilities in your current Kubernetes version. Vulnerability CVE-2019-9946 has been patched in Kubernetes versions 1.11.9+, 1.12.7+, 1.13.5+, and 1.14.0+\",\r\n \"remediationDescription\": \"To upgrade a Kubernetes version using the Azure portal:
1. Go to Azure Kubernetes Services and click on the specific Kubernetes Service.
2. Under 'Upgrade' select the target Kubernetes version and save the change. Note:When you upgrade an AKS cluster, Kubernetes minor versions cannot be skipped. For example, upgrades between 1.10.x -> 1.11.x or 1.11.x -> 1.12.x are allowed, however 1.10.x -> 1.12.x is not. To upgrade from 1.10.x -> 1.12.x, first upgrade from 1.10.x -> 1.11.x, then upgrade from 1.11.x -> 1.12.x.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"ElevationOfPrivilege\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1a2b5b4c-f80d-46e7-ac81-b51a9fb363de\",\r\n \"name\": \"1a2b5b4c-f80d-46e7-ac81-b51a9fb363de\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Authorized IP ranges should be defined on Kubernetes Services\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e246bcf-5f6f-4f87-bc6f-775d4712c7ea\",\r\n \"description\": \"Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster.\",\r\n \"remediationDescription\": \"To configure authorized IP ranges, follow the steps described here Secure access to the API server using authorized IP address ranges in Azure Kubernetes Service (AKS). If you are using Basic load balancer, you need to first migrate to Standard to use authorized IP ranges.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DenialOfService\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a3eee263-aa01-4b52-a7c0-0094578ef48f\",\r\n \"name\": \"a3eee263-aa01-4b52-a7c0-0094578ef48f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Pod Security Policies should be defined on Kubernetes Services (Deprecated)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3abeb944-26af-43ee-b83d-32aaf060fb94\",\r\n \"description\": \"(Deprecated) Define Pod Security Policies to reduce the attack vector by removing unnecessary application privileges. It is recommended to configure Pod Security Policies to only allow pods to access the resources which they have permissions to access.\",\r\n \"remediationDescription\": \"To configure Pod Security Policies, follow the steps described here Secure your cluster using pod security policies in Azure Kubernetes Service (AKS).\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ElevationOfPrivilege\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b0fdc63a-38e7-4bab-a7c4-2c2665abbaa9\",\r\n \"name\": \"b0fdc63a-38e7-4bab-a7c4-2c2665abbaa9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Role-Based Access Control should be used on Kubernetes Services\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ac4a19c2-fa67-49b4-8ae5-0b2e78c49457\",\r\n \"description\": \"To provide granular filtering on the actions that users can perform, use Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service Clusters and configure relevant authorization policies. For more information, see Azure role-based access control.\",\r\n \"remediationDescription\": \"To Use Role-Based Access Control (RBAC) you must recreate your Kubernetes Service cluster and enable RBAC during the creation process. Creating a Kubernetes Service with RBAC enabled can be done via the portal as follows:
1. Go to Azure Kubernetes Services.
2. Click 'Add' and enter your cluster's configuration.
3. In the 'Authentication' tab, verify that the 'Enable RBAC' setting is set to 'Yes'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"ElevationOfPrivilege\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c6dad669-efd7-cd72-61c5-289935607791\",\r\n \"name\": \"c6dad669-efd7-cd72-61c5-289935607791\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Data Lake Analytics should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c95c74d9-38fe-4f0d-af86-0c7d626a315c\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Data Lake Analytics diagnostics:
1. Go to Data Lake Analytics and click on your subscription.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c42fc28d-1703-45fc-aaa5-39797f570513\",\r\n \"name\": \"c42fc28d-1703-45fc-aaa5-39797f570513\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerability assessment should be enabled on your SQL managed instances\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b7aa243-30e4-4c9e-bca8-d0d3022b634a\",\r\n \"description\": \"Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities.\",\r\n \"remediationDescription\": \"To enable vulnerability assessment on a managed instance:
1. Select the SQL managed instance.
2. Make sure that 'Advanced data security' is set to 'On'.
3. Under 'Vulnerability assessment settings', set 'Periodic recurring scans' to 'On', and configure a storage account for storing vulnerability assessment scan results.
4. Click Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ff6dbca8-d93c-49fc-92af-dc25da7faccd\",\r\n \"name\": \"ff6dbca8-d93c-49fc-92af-dc25da7faccd\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Defender for SQL should be enabled on your managed instances\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9\",\r\n \"description\": \"Azure Defender for SQL is a unified package that provides advanced SQL security capabilities. It surfaces and mitigates potential database vulnerabilities, and detects anomalous activities that could indicate a threat to your database. Azure Defender for SQL is billed as shown on the pricing page.\",\r\n \"remediationDescription\": \"To enable Azure Defender for SQL on managed SQL servers: 1. Select the managed SQL server. 2. Under 'Security Center', set Azure Defender for SQL to 'On'. 3. Under 'Vulnerability Assessment Settings', configure a storage account for storing vulnerability assessment scan results and set 'Periodic recurring scans' to 'On'. 4. Click Save.
Note: Azure Defender for SQL is billed as shown on the pricing page.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/35b25be2-d08a-e340-45ed-f08a95d804fc\",\r\n \"name\": \"35b25be2-d08a-e340-45ed-f08a95d804fc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Only secure connections to your Redis Cache should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/22bee202-a82f-4305-9a2a-6d7f44d4dedb\",\r\n \"description\": \"Enable only connections via SSL to Redis Cache. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.\",\r\n \"remediationDescription\": \"To enable only SSL connections to your Redis Cache, we recommend the following steps:
1. Go to the Redis Caches, and select your redis cache.
2. Select 'Advanced settings'.
3. For 'Allow access only via SSL', click 'Yes' and then click 'Save'.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/77785808-ce86-4e40-b45f-19110a547397\",\r\n \"name\": \"77785808-ce86-4e40-b45f-19110a547397\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in IoT Hub should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/383856f8-de7f-44a2-81fc-e5135b5c2aa4\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable IoT Hub diagnostics:
1. Go to the Event Hub namespace.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/32771b45-220c-1a8b-584e-fdd5a2584a66\",\r\n \"name\": \"32771b45-220c-1a8b-584e-fdd5a2584a66\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Batch accounts should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/428256e6-1fac-4f48-a757-df34c2b3336d\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Batch diagnostics:
1. Go to Batch and click on your subscription.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f11b27f2-8c49-5bb4-eff5-e1e5384bf95e\",\r\n \"name\": \"f11b27f2-8c49-5bb4-eff5-e1e5384bf95e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Azure Stream Analytics should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f9be5368-9bf5-4b84-9e0a-7850da98bb46\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Stream Analytics diagnostics:
1. Go to Stream Analytics and click on your subscription.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f19ab7d9-5ff2-f8fd-ab3b-0bf95dcb6889\",\r\n \"name\": \"f19ab7d9-5ff2-f8fd-ab3b-0bf95dcb6889\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Service Bus should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f8d36e2f-389b-4ee4-898d-21aeb69a0f45\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Service Bus diagnostics:
1. Go to the Service Bus.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b12bc79e-4f12-44db-acda-571820191ddc\",\r\n \"name\": \"b12bc79e-4f12-44db-acda-571820191ddc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Automation account variables should be encrypted\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735\",\r\n \"description\": \"It is important to enable encryption of Automation account variable assets when storing sensitive data.\",\r\n \"remediationDescription\": \"You should encrypt Automation Account Variables that store sensitive data. This step can only be taken at creation time.
If you have Automation Account Variables storing sensitive data that are not already encrypted, then you will need to delete them and recreate them as encrypted variables.
To apply encryption of the Automation account variable assets, in the Azure CLI - run the following command: Set-AzAutomationVariable -AutomationAccountName '{AutomationAccountName}' -Encrypted $true -Name '{VariableName}' -ResourceGroupName '{ResourceGroupName}' -Value '{Value}'
Read more here\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ad5bbaeb-7632-5edf-f1c2-752075831ce8\",\r\n \"name\": \"ad5bbaeb-7632-5edf-f1c2-752075831ce8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Azure Data Lake Store should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/057ef27e-665e-4328-8ea3-04b3122bd9fb\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Data Lake Store diagnostics:
1. Go to Data Lake Store and click on your subscription.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/dea5192e-1bb3-101b-b70c-4646546f5e1e\",\r\n \"name\": \"dea5192e-1bb3-101b-b70c-4646546f5e1e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Search services should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b4330a05-a843-4bc8-bf9a-cacce50c67f4\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Search diagnostics:
1. Go to Search and click on your subscription.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/03afeb6f-7634-adb3-0a01-803b0b9cb611\",\r\n \"name\": \"03afeb6f-7634-adb3-0a01-803b0b9cb611\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Service Fabric clusters should only use Azure Active Directory for client authentication\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b54ed75b-3e1a-44ac-a333-05ba39b99ff0\",\r\n \"description\": \"Perform Client authentication only via Azure Active Directory in Service Fabric\",\r\n \"remediationDescription\": \"To enable client authentication using Azure Active Directory follow the instructions to Set up Azure Active Directory for client authentication.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7f04fc0c-4a3d-5c7e-ce19-666cb871b510\",\r\n \"name\": \"7f04fc0c-4a3d-5c7e-ce19-666cb871b510\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/617c02be-7f02-4efd-8836-3180d47b6c68\",\r\n \"description\": \"Service Fabric provides three levels of protection (None, Sign and EncryptAndSign) for node-to-node communication using a primary cluster certificate. Set the protection level to ensure that all node-to-node messages are encrypted and digitally signed.\",\r\n \"remediationDescription\": \"To set 'ClusterProtectionLevel' inside Service Fabric ARM template to 'EncryptAndSign':
1. Go to the Service fabric cluster.
2. Click on 'Custom fabric settings'.
3. Click 'Add new', set the 'Security' section and update the 'ClusterProtectionLevel' property to 'EncryptAndSign'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1597605a-0faf-5860-eb74-462ae2e9fc21\",\r\n \"name\": \"1597605a-0faf-5860-eb74-462ae2e9fc21\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Event Hub should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83a214f7-d01a-484b-91a9-ed54470c9a6a\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Event Hub diagnostics:
1. Go to the Event Hub namespace.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/91387f44-7e43-4ecc-55f0-46f5adee3dd5\",\r\n \"name\": \"91387f44-7e43-4ecc-55f0-46f5adee3dd5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Logic Apps should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34f95f76-5386-4de7-b824-0d8478470c9d\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Logic Apps diagnostics:
1. Go to Logic Apps and click on your subscription.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/961eb649-3ea9-f8c2-6595-88e9a3aeedeb\",\r\n \"name\": \"961eb649-3ea9-f8c2-6595-88e9a3aeedeb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Virtual Machine Scale Sets should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7c1b1214-f927-48bf-8882-84f0af6588b1\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Virtual Machines Scale Sets diagnostics follow the instructions\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606\",\r\n \"description\": \"To benefit from new capabilities in Azure Resource Manager, you can migrate existing deployments from the Classic deployment model. Resource Manager enables security enhancements such as: stronger access control (RBAC), better auditing, ARM-based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management. Learn more\",\r\n \"remediationDescription\": \"To migrate storage accounts to new ARM resources :
1. Go to the Storage Account
2. Click on Migrate to ARM and follow the instructions.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/88bbc99c-e5af-ddd7-6105-6150b2bfa519\",\r\n \"name\": \"88bbc99c-e5af-ddd7-6105-6150b2bfa519\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Key Vault should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Key Vault diagnostics:
1. Go to Key Vault and click on your subscription.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/45d313c3-3fca-5040-035f-d61928366d31\",\r\n \"name\": \"45d313c3-3fca-5040-035f-d61928366d31\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Access to storage accounts with firewall and virtual network configurations should be restricted\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c\",\r\n \"description\": \"Review the settings of network access in your storage account firewall settings. It is recommended to configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premise clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges.\",\r\n \"remediationDescription\": \"
1. In your storage account, go to 'Firewalls and virtual networks'.
2. Under 'Allow access from', choose 'Selected networks'.
3. Configure the relevant virtual networks and IP ranges that should be allowed to access your storage account.
4. Configure \\\"Allow trusted Microsoft services to access your storage account\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": \"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Secure transfer to storage accounts should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9\",\r\n \"description\": \"Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.\",\r\n \"remediationDescription\": \"To enable secure transfer required:
1. In your storage account, go to the 'Configuration' page.
2. Enable 'Secure transfer required'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bd20bd91-aaf1-7f14-b6e4-866de2f43146\",\r\n \"name\": \"bd20bd91-aaf1-7f14-b6e4-866de2f43146\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"System updates on virtual machine scale sets should be installed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe\",\r\n \"description\": \"Install missing system security and critical updates to secure your Windows and Linux virtual machine scale sets.\",\r\n \"remediationDescription\": \"To install system updates:
1. Review the list of missing system updates.
2. Follow the steps to resolve the update, as described in the support link.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/45cfe080-ceb1-a91e-9743-71551ed24e94\",\r\n \"name\": \"45cfe080-ceb1-a91e-9743-71551ed24e94\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Log Analytics agent should be installed on your virtual machine scale sets\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a3a6ea0c-e018-4933-9ef0-5aaa1501449b\",\r\n \"description\": \"Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats. Data is collected using the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA), which reads various security-related configurations and event logs from the machine and copies the data to your workspace for analysis. You’ll also need to follow that procedure if your VMs are used by an Azure managed service such as Azure Kubernetes Service or Azure Service Fabric. You cannot configure auto-provisioning of the agent for Azure virtual machine scale sets. To deploy the agent on virtual machine scale sets (including those used by Azure managed services such as Azure Kubernetes Service and Azure Service Fabric), follow the procedure in the remediation steps.\",\r\n \"remediationDescription\": \"For information on how to add the Log analytics agent as an extension to your virtual machine scale set please see the following instructions. For information on how to deploy the log analytics agent at scale on virtual machine scale set using Azure Policy please see the following instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8941d121-f740-35f6-952c-6561d2b38d36\",\r\n \"name\": \"8941d121-f740-35f6-952c-6561d2b38d36\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities in security configuration on your virtual machine scale sets should be remediated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4\",\r\n \"description\": \"Remediate vulnerabilities in security configuration on your virtual machine scale sets to protect them from attacks.\",\r\n \"remediationDescription\": \"To remediate vulnerabilities in VM scale set security configurations:
1. Review the list of failed rules.
2. Fix each rule according to the instructions provided.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/21300918-b2e3-0346-785f-c77ff57d243b\",\r\n \"name\": \"21300918-b2e3-0346-785f-c77ff57d243b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Endpoint protection solution should be installed on virtual machine scale sets\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de\",\r\n \"description\": \"Install an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities.\",\r\n \"remediationDescription\": \"To install an endpoint protection solution:
1. Follow the instructions in How do I turn on antimalware in my virtual machine scale set\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e71020c2-860c-3235-cd39-04f3f8c936d2\",\r\n \"name\": \"e71020c2-860c-3235-cd39-04f3f8c936d2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Endpoint protection health failures should be remediated on virtual machine scale sets\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de\",\r\n \"description\": \"Remediate endpoint protection health failures on your virtual machine scale sets to protect them from threats and vulnerabilities.\",\r\n \"remediationDescription\": \"Resolve endpoint protection health issues on your VM scale sets to get full protection and coverage by Azure Security Center. To do this, follow the instructions in each of the possible endpoint protection health issues displayed on your virtual machine scale set.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6c99f570-2ce7-46bc-8175-cde013df43bc\",\r\n \"name\": \"6c99f570-2ce7-46bc-8175-cde013df43bc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Guest configuration extension should be installed on Windows virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/5fc23db3-dd4d-4c56-bcc7-43626243e601\",\r\n \"description\": \"Install the guest configuration agent to enable auditing settings inside a machine such as: - The configuration of the operating system
- Application configuration or presence
- Environment settings
Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'.
For more details, visit in-guest policies\",\r\n \"remediationDescription\": \"Quick fix remediation:
To remediate with a single click, in the Unhealthy resources tab (below), select the resources, and click 'Remediate'.
Read the remediation details in the confirmation box, and approve the remediation.
Note: It can take several minutes after remediation completes to see the resources in the 'healthy resources' tab.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/22489c48-27d1-4e40-9420-4303ad9cffef\",\r\n \"name\": \"22489c48-27d1-4e40-9420-4303ad9cffef\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Windows Defender Exploit Guard should be enabled on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/bed48b13-6647-468e-aa2f-1af1d3f4dd40\",\r\n \"description\": \"Windows Defender Exploit Guard leverages the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only).\",\r\n \"remediationDescription\": \"Enable controlled folder access: controlled folder access
The following attack surface rules should be enabled:
'be9ba2d9-53ea-4cdc-84e5-9b1eeee46550',
'b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4',
'9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2',
'd4f940ab-401b-4efc-aadc-ad5f3c50688a',
'd3e037e1-3eb8-44c8-a917-57927947596d',
'5beb7efe-fd9a-4556-801d-275e5ffc04cc',
'3b576869-a4ec-4529-8536-b80a7769e899',
'26190899-1602-49e8-8b27-eb1d0a1ce869',
'92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B',
'7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c',
'75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84'
For more information on visit:Learn more\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ThreatResistance\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/27ac71b1-75c5-41c2-adc2-858f5db45b08\",\r\n \"name\": \"27ac71b1-75c5-41c2-adc2-858f5db45b08\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Log Analytics agent should be installed on your Windows-based Azure Arc machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/d69b1763-b96d-40b8-a2d9-ca31e9fd0d3e\",\r\n \"description\": \"Security Center uses the Log Analytics agent (also known as MMA) to collect security events from your Azure Arc machines. To deploy the agent on all your Azure Arc machines, follow the remediation steps.\",\r\n \"remediationDescription\": \"To install the monitoring agent on your Arc machine:
1. From the Azure Arc machine's page, go to Extensions and select Add.
2. Follow the instructions to add the relevant extension.
You can also use ARM template or Azure Policies to manage the extension deployment to Arc servers. Learn more about Log Analytics agent for Windows.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/720a3e77-0b9a-4fa9-98b6-ddf0fd7e32c1\",\r\n \"name\": \"720a3e77-0b9a-4fa9-98b6-ddf0fd7e32c1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Log Analytics agent should be installed on your Linux-based Azure Arc machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/842c54e8-c2f9-4d79-ae8d-38d8b8019373\",\r\n \"description\": \"Security Center uses the Log Analytics agent (also known as OMS) to collect security events from your Azure Arc machines. To deploy the agent on all your Azure Arc machines, follow the remediation steps.\",\r\n \"remediationDescription\": \"To install the monitoring agent on your Arc machine:
1. From the Azure Arc machine's page, go to Extensions and select Add.
2. Follow the instructions to add the relevant extension.
You can also use ARM template or Azure Policies to manage the extension deployment to Arc servers. Learn more about Log Analytics agent for Linux.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fc84abc0-eee6-4758-8372-a7681965ca44\",\r\n \"name\": \"fc84abc0-eee6-4758-8372-a7681965ca44\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Validity period of certificates stored in Azure Key Vault should not exceed 12 months\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a075868-4c26-42ef-914c-5bc007359560\",\r\n \"description\": \"Ensure your certificates do not have a validity period that exceeds 12 months.\",\r\n \"remediationDescription\": \"To remediate you must create a new version of the certificate. Ensure that your application or service will be able to get a new version of the certificate before proceeding. Select a key vault from the list below. The list of certificates with a validity period that exceeds 12 months will appear. From the Azure Portal, open Azure Key Vault and select the vault with the certificate that needs to be replaced. Select the relevant certificate and the certificate details page opens. 1. On the certificate details page, select \\\"+ New Version\\\". The \\\"Create a Certificate\\\" pane opens. 2. Change the \\\"Validity period (in months)\\\" field to 12 or less. 3. Select \\\"Create\\\". 4. Ensure that you have set up auto-renewal, or have a process to renew your certificate prior to expiration.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"name\": \"51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Storage account public access should be disallowed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751\",\r\n \"description\": \"Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data, but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.\",\r\n \"remediationDescription\": \"To prevent public access to containers and blobs in your storage account:
1. In the Azure portal, navigate to your storage account.
2. From the settings menu, select \\\"Configuration\\\".
3. Set \\\"Allow Blob public access\\\" to \\\"Disabled\\\".
Learn more about public access
Note: It might take several minutes after remediation completes until the resource appears in the 'healthy resources' tab.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f2f595ec-5dc6-68b4-82ef-b63563e9c610\",\r\n \"name\": \"f2f595ec-5dc6-68b4-82ef-b63563e9c610\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Backup should be enabled for virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/013e242c-8828-4970-87b3-ab247555486d\",\r\n \"description\": \"Protect the data on your Azure virtual machines with Azure Backup.
Azure Backup is an Azure-native, cost-effective, data protection solution.
It creates recovery points that are stored in geo-redundant recovery vaults.
When you restore from a recovery point, you can restore the whole VM or specific files.\",\r\n \"remediationDescription\": \"1. To enable Azure Backup for an individual virtual machine, navigate to the virtual machine on the Azure portal and select 'Backup' from the menu.
In the screen that appears, you can then choose to backup the machine to a new or existing Recovery Services vault in the same location and subscription.
Learn more at https://aka.ms/AzureVMBackupDoc 2. To enable Azure Backup for virtual machines at scale, you can assign the policy 'Configure backup on VMs of a location to an existing central Vault in the same location' to a given scope.
This policy can be assigned to one subscription-location pair at a time.
Learn more at http://aka.ms/AzureBackupVMGovernance\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/23aa9cbe-c2fb-6a2f-6c97-885a6d48c4d1\",\r\n \"name\": \"23aa9cbe-c2fb-6a2f-6c97-885a6d48c4d1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Managed identity should be used in your function app\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0da106f2-4ca3-48e8-bc85-c638fe6aea8f\",\r\n \"description\": \"For enhanced authentication security, use a managed identity.
On Azure, managed identities eliminate the need for developers to have to manage credentials by providing an identity for the Azure resource in Azure AD and using it to obtain Azure Active Directory (Azure AD) tokens.\",\r\n \"remediationDescription\": \"To create a managed identity for your function app:
1. Go to the App Service for your API app 2. Navigate to Platform features 3. Select Identity 4. Use System assigned or User assigned identity following the steps described in this doc: https://aka.ms/managed-identity\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2ce368b5-7882-89fd-6645-885b071a2409\",\r\n \"name\": \"2ce368b5-7882-89fd-6645-885b071a2409\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Geo-redundant backup should be enabled for Azure Database for MariaDB\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0ec47710-77ff-4a3d-9181-6aa50af424d0\",\r\n \"description\": \"Azure Database for MariaDB allows you to choose the redundancy option for your database server.
It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery options in case of a region failure.
Configuring geo-redundant storage for backup is only allowed when creating a server.\",\r\n \"remediationDescription\": \"To configure your Azure Database for MariaDB server with geo-redundant backup during server creation, select the “Geo-Redundant” option for the server in the Compute + Storage configuration.
For more information, see: https://go.microsoft.com/fwlink/?linkid=2086853\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4a3d7cd3-f17c-637a-1ffc-614a01dd03cf\",\r\n \"name\": \"4a3d7cd3-f17c-637a-1ffc-614a01dd03cf\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Managed identity should be used in your web app\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2b9ad585-36bc-4615-b300-fd4435808332\",\r\n \"description\": \"For enhanced authentication security, use a managed identity.
On Azure, managed identities eliminate the need for developers to have to manage credentials by providing an identity for the Azure resource in Azure AD and using it to obtain Azure Active Directory (Azure AD) tokens.\",\r\n \"remediationDescription\": \"To create a managed identity for your web app:
1. Go to the App Service for your API app 2. Scroll to the Settings group in the left navigation 3. Select Identity 4. Use System assigned or User assigned identity following the steps described in this doc: https://aka.ms/managed-identity\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/95592ab0-ddc8-660d-67f3-6df1fadfe7ec\",\r\n \"name\": \"95592ab0-ddc8-660d-67f3-6df1fadfe7ec\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Geo-redundant backup should be enabled for Azure Database for PostgreSQL\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/48af4db5-9b8b-401c-8e74-076be876a430\",\r\n \"description\": \"Azure Database for PostgreSQL allows you to choose the redundancy option for your database server.
It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery options in case of a region failure.
Configuring geo-redundant storage for backup is only allowed when creating a server.\",\r\n \"remediationDescription\": \"To configure your Azure Database for PostgreSQL server with geo-redundant backup during server creation, select the “Geo-Redundant” option for the server in the Compute + Storage configuration.
For more information, see: https://go.microsoft.com/fwlink/?linkid=867615\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ca4e6a5a-3a9a-bad3-798a-d420a1d9bd6d\",\r\n \"name\": \"ca4e6a5a-3a9a-bad3-798a-d420a1d9bd6d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Web apps should request an SSL certificate for all incoming requests\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5bb220d9-2698-4ee4-8404-b9c30c9df609\",\r\n \"description\": \"Client certificates allow for the app to request a certificate for incoming requests.
Only clients that have a valid certificate will be able to reach the app.\",\r\n \"remediationDescription\": \"To set Client Certificates for your Web App:
1. Navigate to Azure App Service 2. Select Configuration 3. Go to the General Settings tab 4. Set Incoming Client Certificates to Require.
For more information, visit here: https://aka.ms/auth-tls\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8ad68a2f-c6b1-97b5-41b5-174359a33688\",\r\n \"name\": \"8ad68a2f-c6b1-97b5-41b5-174359a33688\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Geo-redundant backup should be enabled for Azure Database for MySQL\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/82339799-d096-41ae-8538-b108becf0970\",\r\n \"description\": \"Azure Database for MySQL allows you to choose the redundancy option for your database server.
It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery options in case of a region failure.
Configuring geo-redundant storage for backup is only allowed when creating a server.\",\r\n \"remediationDescription\": \"To configure your Azure Database for MySQL server with geo-redundant backup during server creation, select the “Geo-Redundant” option for the server in the Compute + Storage configuration.
For more information, see: https://go.microsoft.com/fwlink/?linkid=867608\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5a659d57-117d-bb18-65f6-54e51da1bb9b\",\r\n \"name\": \"5a659d57-117d-bb18-65f6-54e51da1bb9b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"TLS should be updated to the latest version for your API app\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e\",\r\n \"description\": \"Upgrade to the latest TLS version\",\r\n \"remediationDescription\": \"To update your API app to the latest TLS version:
1. Navigate to Azure App Service 2. Select TLS/SSL settings 3. Under the Protocol Settings section, choose the latest Minimum TLS Version.
For more information on managing TLS/SSL settings, visit here: https://aka.ms/add-tls\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/40394a2c-60fb-7cc5-1944-065772e94f05\",\r\n \"name\": \"40394a2c-60fb-7cc5-1944-065772e94f05\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs should be enabled in App Service\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b607c5de-e7d9-4eee-9e5c-83f1bcee4fa0\",\r\n \"description\": \"Audit enabling of diagnostic logs on the app.
This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised\",\r\n \"remediationDescription\": \"To enable App Service diagnostics:
1. Navigate to Azure App Service and select App Service logs 2. In Application logging, select File System 3. Specify the retention period for the logs 4. If using Azure monitor select Diagnostic settings and click Add diagnostic setting 5. Select one or more catagories of logs to collect 6. Select one of the options to store the diagnostics logs and follow the instructions.
For more information, visit https://aka.ms/enable-logs\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/cc6d1865-7617-3cb2-cf7d-4cfc01ece1df\",\r\n \"name\": \"cc6d1865-7617-3cb2-cf7d-4cfc01ece1df\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Managed identity should be used in your API app\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c4d441f8-f9d9-4a9e-9cef-e82117cb3eef\",\r\n \"description\": \"For enhanced authentication security, use a managed identity.
On Azure, managed identities eliminate the need for developers to have to manage credentials by providing an identity for the Azure resource in Azure AD and using it to obtain Azure Active Directory (Azure AD) tokens.\",\r\n \"remediationDescription\": \"To create a managed identity for your API app:
1. Go to the App Service for your API app 2. Scroll to the Settings group in the left navigation 3. Select Identity 4. Use System assigned or User assigned identity following the steps described in this doc: https://aka.ms/managed-identity\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1fde2073-a488-17e9-9534-5a3b23379b4b\",\r\n \"name\": \"1fde2073-a488-17e9-9534-5a3b23379b4b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Enforce SSL connection should be enabled for PostgreSQL database servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d158790f-bfb0-486c-8631-2dc6b4e8e6af\",\r\n \"description\": \"Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL).
Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application.
This configuration enforces that SSL is always enabled for accessing your database server.\",\r\n \"remediationDescription\": \"To enforce the use of SSL-based encrypted connections for all traffic to your Azure Database for PostgreSQL:
1. Select your Azure Database for PostgreSQL. 2. In Connection Security, set Enforce SSL connection to 'Enabled'.
For more information, see: https://go.microsoft.com/fwlink/?linkid=848213\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1f6d29f6-4edb-ea39-042b-de8f123ddd39\",\r\n \"name\": \"1f6d29f6-4edb-ea39-042b-de8f123ddd39\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Enforce SSL connection should be enabled for MySQL database servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e802a67a-daf5-4436-9ea6-f6d821dd0c5d\",\r\n \"description\": \"Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL).
Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application.
This configuration enforces that SSL is always enabled for accessing your database server.\",\r\n \"remediationDescription\": \"To enforce the use of SSL-based encrypted connections for all traffic to your Azure Database for MySQL:
1. Select your Azure Database for MySQL. 2. In Connection Security, set Enforce SSL connection to 'Enabled'.
For more information, see: https://go.microsoft.com/fwlink/?linkid=848211\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2a54c352-7ca4-4bae-ad46-47ecd9595bd2\",\r\n \"name\": \"2a54c352-7ca4-4bae-ad46-47ecd9595bd2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"TLS should be updated to the latest version for your web app\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b\",\r\n \"description\": \"Upgrade to the latest TLS version\",\r\n \"remediationDescription\": \"To update your web app to the latest TLS version:
1. Navigate to Azure App Service 2. Select TLS/SSL settings 3. Under the Protocol Settings section, choose the latest Minimum TLS Version.
For more information on managing TLS/SSL settings, visit here: https://aka.ms/add-tls\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/15be5f3c-e0a4-c0fa-fbff-8e50339b4b22\",\r\n \"name\": \"15be5f3c-e0a4-c0fa-fbff-8e50339b4b22\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"TLS should be updated to the latest version for your function app\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193\",\r\n \"description\": \"Upgrade to the latest TLS version\",\r\n \"remediationDescription\": \"To update your function app to the latest TLS version:
1. Navigate to Azure App Service 2. Select TLS/SSL settings 3. Under the Protocol Settings section, choose the latest Minimum TLS Version.
For more information on managing TLS/SSL settings, visit here: https://aka.ms/add-tls\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6b86d069-b3c3-b4d7-47c7-e73ddf786a63\",\r\n \"name\": \"6b86d069-b3c3-b4d7-47c7-e73ddf786a63\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"PHP should be updated to the latest version for your API app\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1bc1795e-d44a-4d48-9b3b-6fff0fd5f9ba\",\r\n \"description\": \"Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality.
Using the latest PHP version for API apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version.\",\r\n \"remediationDescription\": \"To set the PHP version for your API app, follow the instructions to show and set the version using the Azure CLI outlined in this document: https://aka.ms/configure-php\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7b2a234d-614b-562f-ac85-91b419688b59\",\r\n \"name\": \"7b2a234d-614b-562f-ac85-91b419688b59\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"PHP should be updated to the latest version for your web app\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7261b898-8a84-4db8-9e04-18527132abb3\",\r\n \"description\": \"Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality.
Using the latest PHP version for web apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version.\",\r\n \"remediationDescription\": \"To set the PHP version for your web app, follow the instructions to show and set the version using the Azure CLI outlined in this document: https://aka.ms/configure-php\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/39c63596-aa92-1b90-ee7c-628bee592cc0\",\r\n \"name\": \"39c63596-aa92-1b90-ee7c-628bee592cc0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Java should be updated to the latest version for your web app\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/496223c3-ad65-4ecd-878a-bae78737e9ed\",\r\n \"description\": \"Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality.
Using the latest Java version for web apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version.\",\r\n \"remediationDescription\": \"To set the latest Java version for your web app:
1. Navigate to Azure App Service 2. Go to Configuration 3. Select the latest Java version in the JVM drop down.
For more information, visit here: https://aka.ms/configure-java\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f0fd27eb-25aa-4335-0ba2-0720cccda9a4\",\r\n \"name\": \"f0fd27eb-25aa-4335-0ba2-0720cccda9a4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Java should be updated to the latest version for your function app\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc\",\r\n \"description\": \"Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality.
Using the latest Java version for function apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version.\",\r\n \"remediationDescription\": \"To set the latest Java version for your function app:
1. Navigate to Azure App Service 2. Go to Configuration 3. Select the latest Java version in the JVM drop down.
For more information, visit here: https://aka.ms/configure-java\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/08a3b009-0178-ee60-e357-e7ee5aea59c7\",\r\n \"name\": \"08a3b009-0178-ee60-e357-e7ee5aea59c7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Java should be updated to the latest version for your API app\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/88999f4c-376a-45c8-bcb3-4058f713cf39\",\r\n \"description\": \"Periodically, newer versions are released for Java either due to security flaws or to include additional functionality.
Using the latest Python version for API apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version.\",\r\n \"remediationDescription\": \"To set the latest Java version for your API app:
1. Navigate to Azure App Service 2. Go to Configuration 3. Select the latest Java version in the JVM drop down.
For more information, visit here: https://aka.ms/configure-java\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e8407fab-bf38-b0a4-79c1-068bbf82eca1\",\r\n \"name\": \"e8407fab-bf38-b0a4-79c1-068bbf82eca1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Python should be updated to the latest version for your web app\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7008174a-fd10-4ef0-817e-fc820a951d73\",\r\n \"description\": \"Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality.
Using the latest Python version for web apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version.\",\r\n \"remediationDescription\": \"To set the Python version for your web app, follow the instructions to show and set the version using the Azure CLI outlined in this document: https://aka.ms/configure-python\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/96327a68-4aec-5e76-8f0e-d4670bc5a3a7\",\r\n \"name\": \"96327a68-4aec-5e76-8f0e-d4670bc5a3a7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Python should be updated to the latest version for your function app\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7238174a-fd10-4ef0-817e-fc820a951d73\",\r\n \"description\": \"Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality.
Using the latest Python version for function apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version.\",\r\n \"remediationDescription\": \"To set the Python version for your function app, follow the instructions to show and set the version using the Azure CLI outlined in this document: https://aka.ms/configure-python\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c2c90d64-38e2-e984-1457-7f4a98168c72\",\r\n \"name\": \"c2c90d64-38e2-e984-1457-7f4a98168c72\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Python should be updated to the latest version for your API app\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/74c3584d-afae-46f7-a20a-6f8adba71a16\",\r\n \"description\": \"Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality.
Using the latest Python version for API apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version.\",\r\n \"remediationDescription\": \"To set the Python version for your API app, follow the instructions to show and set the version using the Azure CLI outlined in this document: https://aka.ms/configure-python\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c5b83aed-f53d-5201-8ffb-1f9938de410a\",\r\n \"name\": \"c5b83aed-f53d-5201-8ffb-1f9938de410a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Private endpoint should be enabled for PostgreSQL servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0564d078-92f5-4f97-8398-b9f58a51f70b\",\r\n \"description\": \"Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for PostgreSQL.
Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure.\",\r\n \"remediationDescription\": \"To configure Private Link for Azure Database for PostgreSQL:
1. Navigate to your Azure Database for PostgreSQL. 2. Select Private Endpoint Connections in the left-hand pane 3. Click on \\\"+Private Endpoint\\\" and follow the instructions provided https://docs.microsoft.com/azure/postgresql/howto-configure-privatelink-portal.
For more information, see: https://aka.ms/pgprivatelink\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ca9b93fe-6f1f-676c-2f31-d20f88fdbe56\",\r\n \"name\": \"ca9b93fe-6f1f-676c-2f31-d20f88fdbe56\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Private endpoint should be enabled for MariaDB servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a1302fb-a631-4106-9753-f3d494733990\",\r\n \"description\": \"Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MariaDB.
Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure.\",\r\n \"remediationDescription\": \"To configure Private Link for Azure Database for MariaDB:
1. Navigate to your Azure Database for MariaDB. 2. Select Private Endpoint Connections in the left-hand pane 3. Click on \\\"+Private Endpoint\\\" and follow the instructions provided https://docs.microsoft.com/azure/mariadb/howto-configure-privatelink-portal.
For more information, see: https://aka.ms/mariadbprivatelink\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/cec4922b-1eb3-cb74-660b-ffad9b9ac642\",\r\n \"name\": \"cec4922b-1eb3-cb74-660b-ffad9b9ac642\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Private endpoint should be enabled for MySQL servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7595c971-233d-4bcf-bd18-596129188c49\",\r\n \"description\": \"Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MySQL.
Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure.\",\r\n \"remediationDescription\": \"To configure Private Link for Azure Database for MySQL:
1. Navigate to your Azure Database for MySQL. 2. Select Private Endpoint Connections in the left-hand pane 3. Click on \\\"+Private Endpoint\\\" and follow the instructions provided https://docs.microsoft.com/azure/mysql/howto-configure-privatelink-portal.
For more information, see: https://aka.ms/mysqlprivatelink\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/620671b8-6661-273a-38ac-4574967750ec\",\r\n \"name\": \"620671b8-6661-273a-38ac-4574967750ec\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Audit retention for SQL servers should be set to at least 90 days\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/89099bee-89e0-4b26-a5f4-165451757743\",\r\n \"description\": \"Audit SQL servers configured with an auditing retention period of less than 90 days.\",\r\n \"remediationDescription\": \"To configure auditing retention on your Azure SQL server or Azure Synapse server:
1.From the Azure portal, select the Azure SQL Server or Azure Synapse resource. 2.From the menu, select Auditing. 3.Select Storage details. 4.To set a new retention period of 90 days or higher, manually enter a value or move the slider for Retention (Days). 5.Select OK.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/972a6579-f38f-c0b9-1b4b-a5bbeba3ab5b\",\r\n \"name\": \"972a6579-f38f-c0b9-1b4b-a5bbeba3ab5b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"FTPS should be required in your function App\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/399b2637-a50f-4f95-96f8-3a145476eb15\",\r\n \"description\": \"Enable FTPS enforcement for enhanced security\",\r\n \"remediationDescription\": \"To ensure enforcement of FTPS only for your function app:
1. Go to the App Service for your API app 2. Select Configuration, and go to the General Settings tab 3. In FTP state, select FTPS only.
For more information, visit here: https://aka.ms/deploy-ftp\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/19beaa2a-a126-b4dd-6d35-617f6cc83fca\",\r\n \"name\": \"19beaa2a-a126-b4dd-6d35-617f6cc83fca\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"FTPS should be required in your web App\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4d24b6d4-5e53-4a4f-a7f4-618fa573ee4b\",\r\n \"description\": \"Enable FTPS enforcement for enhanced security\",\r\n \"remediationDescription\": \"To ensure enforcement of FTPS only for your web app:
1. Go to the App Service for your API app 2. Select Configuration, and go to the General Settings tab 3. In FTP state, select FTPS only.
For more information, visit here: https://aka.ms/deploy-ftp\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/67fc622b-4ce6-8c52-08ae-9f830036b757\",\r\n \"name\": \"67fc622b-4ce6-8c52-08ae-9f830036b757\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"FTPS should be required in your API App\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9a1b8c48-453a-4044-86c3-d8bfd823e4f5\",\r\n \"description\": \"Enable FTPS enforcement for enhanced security\",\r\n \"remediationDescription\": \"To ensure enforcement of FTPS only for your API app:
1. Go to the App Service for your API app 2. Select Configuration, and go to the General Settings tab 3. In FTP state, select FTPS only.
For more information, visit here: https://aka.ms/deploy-ftp\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9d07b7e6-2986-4964-a76c-b2689604e212\",\r\n \"name\": \"9d07b7e6-2986-4964-a76c-b2689604e212\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Identical Authentication Credentials\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Identical authentication credentials to the IoT Hub used by multiple devices. This could indicate an illegitimate device impersonating a legitimate device. It also exposes the risk of device impersonation by an attacker\",\r\n \"remediationDescription\": \"Review the devices in question and make sure they are all valid. Replace any duplicated credentials and make sure all device authentication credentials are unique.\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5a3d6cdd-8eb3-46d2-ba11-d24a0d47fe65\",\r\n \"name\": \"5a3d6cdd-8eb3-46d2-ba11-d24a0d47fe65\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Default IP Filter Policy should be Deny\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"IP Filter Configuration should have rules defined for allowed traffic and should deny all other traffic by default\",\r\n \"remediationDescription\": \"Add a default rule at the end of the defined rules list to deny all inbound traffic. Make sure any rules defined above it only allow wanted traffic through.\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d8326952-60bb-40fb-b33f-51e662708a88\",\r\n \"name\": \"d8326952-60bb-40fb-b33f-51e662708a88\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IP Filter rule large IP range\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"An Allow IP Filter rule's source IP range is too large. Overly permissive rules might expose your IoT hub to malicious intenders\",\r\n \"remediationDescription\": \"Review the rule in question and verify source IP range is as small as it needs to be for necessary traffic to go through.\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1a36f14a-8bd8-45f5-abe5-eef88d76ab5b\",\r\n \"name\": \"1a36f14a-8bd8-45f5-abe5-eef88d76ab5b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Open Ports On Device\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"A listening endpoint was found on the device\",\r\n \"remediationDescription\": \"Review the open ports on the device and make sure they belong to legitimate and necessary processes for the device to function correctly\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ba975338-f956-41e7-a9f2-7614832d382d\",\r\n \"name\": \"ba975338-f956-41e7-a9f2-7614832d382d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Permissive firewall rule in the input chain was found\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"A rule in the firewall has been found that contains a permissive pattern for a wide range of IP addresses or Ports\",\r\n \"remediationDescription\": \"Review the rules in the recommendation and verify only necessary addresses / ports are allowed in\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/beb62be3-5e78-49bd-ac5f-099250ef3c7c\",\r\n \"name\": \"beb62be3-5e78-49bd-ac5f-099250ef3c7c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Permissive firewall policy in one of the chains was found\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"An allowed firewall policy was found in main firewall Chains (INPUT/OUTPUT). The policy should Deny all traffic by default define rules to allow necessary communication to/from the device\",\r\n \"remediationDescription\": \"Change firewall policy to Drop and add specific rules to permit access to legitimate connections to/from the device\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d5a8d84a-9ad0-42e2-80e0-d38e3d46028a\",\r\n \"name\": \"d5a8d84a-9ad0-42e2-80e0-d38e3d46028a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Permissive firewall rule in the output chain was found\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"A rule in the firewall has been found that contains a permissive pattern for a wide range of IP addresses or ports\",\r\n \"remediationDescription\": \"Review the rules in the recommendation and verify only necessary addresses / ports are allowed out\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5f65e47f-7a00-4bf3-acae-90ee441ee876\",\r\n \"name\": \"5f65e47f-7a00-4bf3-acae-90ee441ee876\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Operating system baseline validation failure\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Security related system configuration issues identified\",\r\n \"remediationDescription\": \"Review the failed rules and remediate the security configuration vulnerabilities identified on your devices\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a9a59ebb-5d6f-42f5-92a1-036fd0fd1879\",\r\n \"name\": \"a9a59ebb-5d6f-42f5-92a1-036fd0fd1879\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Agent sending underutilized messages\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"IoT agent message size capacity is currently underutilized, causing an increase in the number of sent messages. Adjust message intervals for better utilization\",\r\n \"remediationDescription\": \"To avoid too many underutilized messages, consider enlarging the high/low priority send intervals\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2acc27c6-5fdb-405e-9080-cb66b850c8f5\",\r\n \"name\": \"2acc27c6-5fdb-405e-9080-cb66b850c8f5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - TLS cipher suite upgrade needed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Unsecure TLS configurations detected. Immediate TLS cipher suite upgrade recommended\",\r\n \"remediationDescription\": \"Upgrade your TLS cipher suite to a secure configuration. See the Guide to TLS Standards Compliance for more information\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d74d2738-2485-4103-9919-69c7e63776ec\",\r\n \"name\": \"d74d2738-2485-4103-9919-69c7e63776ec\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Auditd process stopped sending events\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Security events originated from Auditd process are no longer received from this device\",\r\n \"remediationDescription\": \"Verify Auditd process is running on the device, restart process or device as needed\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2acd365d-e8b5-4094-bce4-244b7c51d67c\",\r\n \"name\": \"2acd365d-e8b5-4094-bce4-244b7c51d67c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Service principals should be used to protect your subscriptions instead of Management Certificates\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6646a0bd-e110-40ca-bb97-84fcee63c414\",\r\n \"description\": \"Management certificates allow anyone who authenticates with them to manage the subscription(s) they are associated with. To manage subscriptions more securely, using service principals with Resource Manager is recommended to limit the blast radius in the case of a certificate compromise. It also automates resource management. \",\r\n \"remediationDescription\": \"To remove management certificates and replace with service principals:
1. Follow the guidance here to create service principals with a certificate.
2. Select a subscription from the list of subscriptions below or navigate to the specific subscription.
3. You need to have co-admin access in order to complete this step. Select In the Management Certificates under Settings , delete the existing management certificates you would like to replace with the service principals you created.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/506a4392-1923-487e-b8d7-8a6aee123ad4\",\r\n \"name\": \"506a4392-1923-487e-b8d7-8a6aee123ad4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Application Load Balancer should be configured to redirect all HTTP requests to HTTPS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if redirection from HTTP to HTTPS is configured on all HTTP listeners of Application Load Balancers.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4fe7c40f-0e00-4561-a3db-9fb9a1445f8c\",\r\n \"name\": \"4fe7c40f-0e00-4561-a3db-9fb9a1445f8c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 buckets should require requests to use Secure Socket Layer\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"S3 buckets should have policies enabled that require all requests to accept only transmission of data over HTTPS in the S3 resource policy.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b26b4bb8-864b-44b7-9dbe-6ebc42784893\",\r\n \"name\": \"b26b4bb8-864b-44b7-9dbe-6ebc42784893\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 buckets should have server-side encryption enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if your Amazon S3 buckets have Amazon S3 default encryption configured or if the S3 bucket policy explicitly denies put-object requests without an encryption on server side\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c1769ad9-3c3a-4455-8d86-4d02dc2580f7\",\r\n \"name\": \"c1769ad9-3c3a-4455-8d86-4d02dc2580f7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"AWS Config should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if AWS Config is enabled for the current account and region. The AWS Config service manages configuration of supported AWS resources in your account and sends log files to you. Security Hub recommends AWS Config should be enabled in all regions.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bae62237-b51c-4b17-8a35-da91de00f768\",\r\n \"name\": \"bae62237-b51c-4b17-8a35-da91de00f768\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Hardware MFA should be enabled for the root user\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks whether your AWS account is enabled to use multi-factor authentication (MFA) hardware device to sign in with root credentials. MFA adds a layer of protection on top of a user name and password for accessing cardholder data environment. \",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9e06bec8-97f4-4b02-90d4-fa98ebab2079\",\r\n \"name\": \"9e06bec8-97f4-4b02-90d4-fa98ebab2079\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"MFA should be enabled for all IAM users\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if the AWS Identity and Access Management users have multi-factor authentication (MFA) enabled\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b78b295a-8bdb-431f-ab49-c599a219d1c1\",\r\n \"name\": \"b78b295a-8bdb-431f-ab49-c599a219d1c1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Virtual MFA should be enabled for the root user\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if users of your AWS account require a multi-factor authentication (MFA) device to sign in with root credentials.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5ca086b6-9bd4-4c07-b787-464f296ebb20\",\r\n \"name\": \"5ca086b6-9bd4-4c07-b787-464f296ebb20\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 buckets should prohibit public write access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks whether your S3 buckets enable public write access by checking the bucket policy, the Block Public Access settings, and the bucket access control list (ACL). Make sure that access to the bucket is restricted to authorized principals only.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7a15b790-008b-4501-85fe-2515a5bc2bd0\",\r\n \"name\": \"7a15b790-008b-4501-85fe-2515a5bc2bd0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 buckets should prohibit public read access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks whether your S3 buckets enable public read access by checking the bucket policy, the Block Public Access settings, and the bucket access control list (ACL).Make sure that access to the bucket is restricted to authorized principals only.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7526daaf-6485-41a7-93b3-257ef2903035\",\r\n \"name\": \"7526daaf-6485-41a7-93b3-257ef2903035\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM user credentials should be disabled if not used within a pre-defined number days\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if your AWS Identity and Access Management (IAM) users have inactive credentials that have not been used within a specified number of days, default is 90 days.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d7887c9e-34c3-4c5a-a214-8022007e41f9\",\r\n \"name\": \"d7887c9e-34c3-4c5a-a214-8022007e41f9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Password policies for IAM users should have strong configurations\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if the account password policy for IAM users uses the following configurations: Require at least one uppercase character in password (Default = true), Require at least one lowercase character in password (Default = true), Require at least one number in password (Default = true), Password minimum length (Default = 7 or longer), Number of passwords before allowing reuse (Default = 4), Number of days before password expiration (Default = 90).\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d8ae9e00-250a-4a8d-a295-5e40f2e13824\",\r\n \"name\": \"d8ae9e00-250a-4a8d-a295-5e40f2e13824\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM root user access key should not exist\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if the root user access key is available.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7b1ddbf7-6600-41a9-a23e-e7efb8668c01\",\r\n \"name\": \"7b1ddbf7-6600-41a9-a23e-e7efb8668c01\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM users should not have IAM policies attached\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks that none of your IAM users have attached policies, they must inherit permissions from IAM groups or roles.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c60f9b4d-853d-41d3-a516-f4dc505dd92c\",\r\n \"name\": \"c60f9b4d-853d-41d3-a516-f4dc505dd92c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM policies should not allow full \\\"*\\\" administrative privileges\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if the AWS Identity and Access Management (IAM) policies default version (also known as customer managed policies) do not have administrator access with a statement that has \\\"Effect\\\": \\\"Allow\\\" with \\\"Action\\\": \\\"*\\\" over \\\"Resource\\\": \\\"*\\\". It does not check inline and AWS Managed Policies, only for the Customer Managed Policies that you created.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a05b1517-27e4-402f-b5d7-3995cb4ffb1f\",\r\n \"name\": \"a05b1517-27e4-402f-b5d7-3995cb4ffb1f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Customer master key (CMK) rotation should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if key rotation is enabled for each customer master key (CMK). It doesn't check CMKs that have imported key material.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b8b4cd2e-d8ef-43fb-a09a-f8faad403309\",\r\n \"name\": \"b8b4cd2e-d8ef-43fb-a09a-f8faad403309\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Lambda functions should prohibit public access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if the Lambda resource has a Lambda function policy attached that prohibits public access\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e73c08d7-bf33-428c-9a35-047b93826c85\",\r\n \"name\": \"e73c08d7-bf33-428c-9a35-047b93826c85\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS snapshots should prohibit public access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if Amazon Relational Database Service (Amazon RDS) snapshots are public\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ce67af84-5a51-47e7-85e5-fe8cfa5b6237\",\r\n \"name\": \"ce67af84-5a51-47e7-85e5-fe8cfa5b6237\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS DB Instances should prohibit public access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if RDS instances are publicly accessible by checking the publiclyAccessible field in the instance configuration item.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d2f140fd-4b82-4e49-a312-a1aaea2d4b37\",\r\n \"name\": \"d2f140fd-4b82-4e49-a312-a1aaea2d4b37\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Redshift clusters should prohibit public access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if Redshift clusters are publicly accessible by checking the publiclyAccessible field in the cluster configuration item\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/529ab31c-7a8e-40f9-a004-91ac1d455fb1\",\r\n \"name\": \"529ab31c-7a8e-40f9-a004-91ac1d455fb1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CodeBuild GitHub or Bitbucket source repository URLs should use OAuth\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if the GitHub or Bitbucket source repository URL includes personal access tokens or user name and password.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8be46b23-a5fd-4ac6-8ec6-018b35b5afb5\",\r\n \"name\": \"8be46b23-a5fd-4ac6-8ec6-018b35b5afb5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Database Migration Service replication instances should not be public\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if AWS Database Migration Service replication instances are public by checking the field value of PubliclyAccessible.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b1dadb19-4295-4acb-a592-6b024008e686\",\r\n \"name\": \"b1dadb19-4295-4acb-a592-6b024008e686\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EBS snapshots should not be publicly restorable\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if Amazon Elastic Block Store snapshots aren't publicly restorable.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3a660f6d-c102-4fe5-be7b-82500b9ae065\",\r\n \"name\": \"3a660f6d-c102-4fe5-be7b-82500b9ae065\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 Block Public Access setting should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"S3 buckets should block public access, this checks if the following public access block settings are configured from an account level: ignorePublicAcls: True, blockPublicPolicy: True, blockPublicAcls: True, restrictPublicBuckets: True.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/93facfdb-6299-4c07-b650-bc43bc3bc18d\",\r\n \"name\": \"93facfdb-6299-4c07-b650-bc43bc3bc18d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"VPC default security group should prohibit inbound and outbound traffic\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks that the default security group of a VPC doesn't allow inbound or outbound traffic\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/390db523-709f-466d-8757-b0b54ea6a7bd\",\r\n \"name\": \"390db523-709f-466d-8757-b0b54ea6a7bd\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Security groups should not allow ingress from 0.0.0.0/0 to port 22\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. Restricting connectivity to remote console services, such as SSH, could help reduce a server's exposure to risk.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/86f26232-2132-4707-99ff-4e70ee16c3ab\",\r\n \"name\": \"86f26232-2132-4707-99ff-4e70ee16c3ab\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Unused EC2 security groups should be removed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks that security groups are attached to Amazon EC2 instances or to an ENI and are surfaces unused security groups.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/099e9ded-7834-43ad-be02-30114c800211\",\r\n \"name\": \"099e9ded-7834-43ad-be02-30114c800211\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon Elasticsearch domains should be in a VPC\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if Amazon Elasticsearch Service domains are in a VPC.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/40ba0792-0cf7-48e3-a629-d3871dc4b7c0\",\r\n \"name\": \"40ba0792-0cf7-48e3-a629-d3871dc4b7c0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Lambda functions should be in a VPC\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if all Lambda function are in a VPC\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5ce523c5-3508-40ef-98d3-ef440253ba6b\",\r\n \"name\": \"5ce523c5-3508-40ef-98d3-ef440253ba6b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CodeBuild project environment variables should not contain clear text credentials\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if a CodeBuild project includes environment variables AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ec43ef1b-935b-4b17-9273-e28fbb94a1c2\",\r\n \"name\": \"ec43ef1b-935b-4b17-9273-e28fbb94a1c2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Unused EC2 EIPs should be removed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"An accurate asset inventory of EIPs should be maintained by checking if Elastic IP addresses that are allocated to a VPC are attached to EC2 instances or in-use elastic network interfaces (ENIs)\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/023c4652-db6a-4f38-ae25-fe2c9a091459\",\r\n \"name\": \"023c4652-db6a-4f38-ae25-fe2c9a091459\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon SageMaker notebook instances should not have direct internet access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if direct internet access is disabled for an Amazon SageMaker notebook instance by checking the DirectInternetAccess field is set to disabled for an Amazon SageMaker notebook instance.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0650d086-6677-4776-9bb0-10aad0a7c6dd\",\r\n \"name\": \"0650d086-6677-4776-9bb0-10aad0a7c6dd\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudTrail logs should be encrypted at rest using AWS KMS CMKs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if AWS CloudTrail is configured to use the server side encryption (SSE) AWS Key Management Service (AWS KMS) customer master key (CMK) encryption.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f631914d-ed27-4d43-98ce-58aecc12eccf\",\r\n \"name\": \"f631914d-ed27-4d43-98ce-58aecc12eccf\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon Elasticsearch domains should have encryption at rest enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if Amazon Elasticsearch Service (Amazon ES) domains have encryption at rest configured.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/336631d3-ba44-4268-8abd-665d3950d775\",\r\n \"name\": \"336631d3-ba44-4268-8abd-665d3950d775\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"A log metric filter and alarm should exist for usage of the \\\"root\\\" user\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks the following metric filters : That the log group name is configured for use with multi-region CloudTrail activated, that there is at least one Event Selector for a Trail with IncludeManagementEvents configured to true and ReadWriteType configured to All, and that there is at least one subscriber active to an SNS topic associated to the alarm.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5db7555b-559c-4fe0-a2e1-d0aee04360e9\",\r\n \"name\": \"5db7555b-559c-4fe0-a2e1-d0aee04360e9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"VPC flow logging should be enabled in all VPCs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks whether Amazon Virtual Private Cloud flow logs are found and enabled for Amazon VPC(s) for packet rejects. VPC Flow Logs enable you to capture information about the IP address traffic to and from network interfaces in your VPC, and can help detect anomalous traffic.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4dd331be-aa29-4753-9f09-9fc2edf05bf2\",\r\n \"name\": \"4dd331be-aa29-4753-9f09-9fc2edf05bf2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudTrail trails should be integrated with Amazon CloudWatch Logs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if AWS CloudTrail trails are set to send logs to Amazon CloudWatch Logs\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6cf046b0-9a14-44ec-b35b-171982c78e9b\",\r\n \"name\": \"6cf046b0-9a14-44ec-b35b-171982c78e9b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudTrail should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if AWS CloudTrail is enabled in your AWS account\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/21eaabc0-9210-45fd-b7fc-0c9b255a0c16\",\r\n \"name\": \"21eaabc0-9210-45fd-b7fc-0c9b255a0c16\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudTrail log file validation should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if CloudTrail log file validation is enabled\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/75c358f9-f644-41d1-9a07-af69f5ee0e2f\",\r\n \"name\": \"75c358f9-f644-41d1-9a07-af69f5ee0e2f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EC2 instances managed by Systems Manager should have a patch compliance status of COMPLIANT after a patch installation\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks only EC2 instances managed by AWS Systems Manager, if after patch installation on the instances they are compliant . AWS Systems Manager is an AWS service that can be used control and view your AWS resources. Systems Manager scans the managed EC2 instances in order to maintain security and compliance, by reporting or taking action on a policy violation that is discovered. \",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6a9bbcb5-81a9-4164-8d17-03b255107dad\",\r\n \"name\": \"6a9bbcb5-81a9-4164-8d17-03b255107dad\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EC2 instances should be managed by AWS Systems Manager\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if AWS Systems Manager is configured to manage your EC2 instances. AWS Systems Manager is an AWS service that can be used control and view your AWS resources. Systems Manager scans the managed EC2 instances in order to maintain security and compliance, by reporting or taking action on a policy violation that is discovered. \",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/32b4b856-848d-4ce2-bec7-1a9be69bce6a\",\r\n \"name\": \"32b4b856-848d-4ce2-bec7-1a9be69bce6a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EC2 instances managed by Systems Manager should have an association compliance status of COMPLIANT\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if the status of the AWS Systems Manager association compliance is COMPLIANT or NON_COMPLIANT after the association has been executed on an instance\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5010098e-7bef-467c-baed-209d8a5afac4\",\r\n \"name\": \"5010098e-7bef-467c-baed-209d8a5afac4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 buckets should have cross-region replication enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if S3 buckets have cross-region replication enabled.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/94d42d13-40a6-47df-b16e-be141aae83c3\",\r\n \"name\": \"94d42d13-40a6-47df-b16e-be141aae83c3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Auto scaling groups associated with a load balancer should use health checks\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if your Auto Scaling groups that are associated with a load balancer are using Elastic Load Balancing health checks\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d5c82980-3fce-4c37-9ad3-9c69a1c59d8f\",\r\n \"name\": \"d5c82980-3fce-4c37-9ad3-9c69a1c59d8f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"GuardDuty should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if Amazon GuardDuty is enabled in your AWS account and region. Amazon GuardDuty is a continuous security monitoring service that can identify unexpected and potentially unauthorized and malicious activity within your AWS environment \",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bc85a7ee-7f43-47ab-8736-4faaec9346b5\",\r\n \"name\": \"bc85a7ee-7f43-47ab-8736-4faaec9346b5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"SSM agent should be installed on your AWS EC2 instances\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Systems Manager is an AWS service that can be used to control and view your AWS infrastructure. The AWS Systems Manager Agent (SSM Agent) is a software that can be installed and configured on a machine and makes it possible for Systems Manager to update and configure these resources. Security Center leverages the SSM Agent for automatic installation of Azure Arc, that enables greater parity for AWS instances to Azure VMs.\",\r\n \"remediationDescription\": \"First, Make sure EC2 instances are managed by Systems Manager: 1.Open AWS System Manager.
2. Choose Quick setup
3. keep the default options on the configuration screen.
4. Choose Set up Systems Manager.
For directions on installing and configuring the SSM Agent on Windows instances visit this page For directions on installing and configuring the SSM Agent on Linux instances visit this page \",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a7c8fa46-526d-4bf6-b8b3-17fa01310fd8\",\r\n \"name\": \"a7c8fa46-526d-4bf6-b8b3-17fa01310fd8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"AWS Security Hub should be enabled in every region in your AWS accounts\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS Security Hub is a regional service and customer must enable Security Hub in each region to view findings in that region. You should continuously monitor all regions across all of your AWS accounts for unauthorized behavior or misconfigurations, including regions you don’t use heavily.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit AWS security hub documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/20f6c761-4dd7-4f27-9e37-6db8471486ef\",\r\n \"name\": \"20f6c761-4dd7-4f27-9e37-6db8471486ef\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"AWS Security Hub should be enabled for all AWS member accounts\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS Security Hub provides you with a comprehensive view of your security state within AWS and your compliance with security standards and best practices. Integrating it into Security Center enables a comprehensive view across multiple cloud environments. any AWS member account related to an onboarded account should have Security Hub enabled as well.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit AWS security hub documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/726cde3e-02f8-4041-8935-727f2be19ba7\",\r\n \"name\": \"726cde3e-02f8-4041-8935-727f2be19ba7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that corporate login credentials are used\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Make sure to log in using the credentials of a fully-managed corporate account and not a personal account.\",\r\n \"remediationDescription\": \"Browse to GCP IAM & Admin. Select the checkbox next to non-corporate users, and then click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4a946e22-47e8-443d-8761-b25620b4a1e1\",\r\n \"name\": \"4a946e22-47e8-443d-8761-b25620b4a1e1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that multi-factor authentication is enabled for all non-service accounts\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Multi-Factor Authentication (MFA) must be enabled for all Google Cloud Platform accounts, excluding service accounts.\",\r\n \"remediationDescription\": \"Browse to GCP Security Settings and set up multi-factor authentication for all non-service accounts within the project.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0ad39832-f031-4fdd-885e-c6cce85ac77c\",\r\n \"name\": \"0ad39832-f031-4fdd-885e-c6cce85ac77c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Service Account has no Admin privileges\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that all service accounts are not configured with administrative roles.\",\r\n \"remediationDescription\": \"Browse to GCP IAM & Admin. Select Members and make sure that there aren't any 'User-Managed user created service account' accounts with one of the following roles: admin, editor, or owner.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/90191798-da1b-40dd-aa9c-1c0eafb1ba87\",\r\n \"name\": \"90191798-da1b-40dd-aa9c-1c0eafb1ba87\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that the 'Service Account User' and 'Service Account Token Creator' roles are not granted to users at a project level. Instead, grant these roles to users in the context of specific service accounts.\",\r\n \"remediationDescription\": \"Browse to GCP IAM & Admin. In the filter table field, enter 'Role: Service Account User' and click 'Delete' (bin icon) for every user listed. Similarly, filter using 'Role: Service Account Token Creator' and delete every user listed.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ddced3c8-a5e2-4dc4-b0fe-1331c77fc9c4\",\r\n \"name\": \"ddced3c8-a5e2-4dc4-b0fe-1331c77fc9c4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure user-managed/external keys for service accounts are rotated every 90 days or less\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that all service account keys are rotated every 90 days or less.\",\r\n \"remediationDescription\": \"Browse to APIs Credentials. Under 'Service Account Keys', for every External (user-managed) service account where the creation date is 90 days or more, delete the service account key and create a new one instead.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f493084a-d3c4-4886-8cf2-3c815aeef901\",\r\n \"name\": \"f493084a-d3c4-4886-8cf2-3c815aeef901\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Separation of duties is enforced while assigning service account related roles to users\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that there is a separation of duties. Also, make sure that users are not assigned with both 'Service Account Admin' and other 'Service Account User' roles.\",\r\n \"remediationDescription\": \"Browse to GCP IAM & Admin. Edit members with both 'Service Account Admin' and 'Service Account User', delete one of the roles, and then click 'Save'. \",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3053474d-4fab-4603-8d18-2a6dfd09f782\",\r\n \"name\": \"3053474d-4fab-4603-8d18-2a6dfd09f782\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure KMS encryption keys are rotated within a period of 90 days\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that Cloud KMS encryption keys are rotated every 90 days or less.\",\r\n \"remediationDescription\": \"Browse to GCP Security Kms. For every key ring, for every key in the key ring, do the following: Select 'Right side pop up the blade' > 'Edit rotation period' > 'Select a new rotation period' and specify a period of less than 90 days, and then specify a 'Starting on' date.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3ff38dcd-92e2-4b67-8765-35bb0174a4c7\",\r\n \"name\": \"3ff38dcd-92e2-4b67-8765-35bb0174a4c7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Separation of duties is enforced while assigning KMS related roles to users\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that there is a separation of duties and that there are no users assigned with both the 'Cloud KMS Admin' role and any of the following roles: 'Cloud KMS CryptoKey', 'Cloud KMS Encrypter/Decrypter', 'Cloud KMS CryptoKey Encrypter' or 'Cloud KMS CryptoKey Decrypterer'.\",\r\n \"remediationDescription\": \"Browse to GCP IAM & Admin. For the member that is listed at the recommendation, click 'Edit'. For the 'Cloud KMS Admin' role, click 'Delete', and then Click 'Save'. \",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/52f83ea2-6871-45c3-8b26-13566e966638\",\r\n \"name\": \"52f83ea2-6871-45c3-8b26-13566e966638\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure API keys are not created for a project\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that all API keys are not used within the scope of projects. The standard authentication flow should be implemented, since the use of API keys presents many security risks.\",\r\n \"remediationDescription\": \"Browse to APIs Credentials. Under 'API Keys', delete the relevant API Keys. These API keys should be replaced by a standard authentication flow as described In the Authentication overview [GCP docs authentication]\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/76e8881d-f18e-4e1b-b01d-376d0260e066\",\r\n \"name\": \"76e8881d-f18e-4e1b-b01d-376d0260e066\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure API keys are restricted to use by only specified Hosts and Apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that API keys are restricted, and used only by trusted hosts, HTTP referrers, or applications.\",\r\n \"remediationDescription\": \"Browse to APIs Credentials. Under 'API Keys', select 'API Key Name'. Under 'Key restrictions', set application restriction to HTTP referrers, IP Addresses, Android Apps, or iOS Apps, and then click 'Save'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0eaf40a8-5673-4b33-8457-a31d85882233\",\r\n \"name\": \"0eaf40a8-5673-4b33-8457-a31d85882233\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure API keys are restricted to only APIs that application needs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that API keys are restricted to only access API endpoints that are essential to the calling application.\",\r\n \"remediationDescription\": \"Browse to APIs Credentials. Under 'API Keys', select 'API Key Name'. For every API key, make sure that the 'Key restrictions' parameter 'API restrictions' is not set to 'None'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5a235918-41a2-4bd0-8ab0-00a596e9d6a8\",\r\n \"name\": \"5a235918-41a2-4bd0-8ab0-00a596e9d6a8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure API keys are rotated every 90 days\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that API keys are rotated every 90 days or less.\",\r\n \"remediationDescription\": \"Browse to APIs Credentials. Under 'API Keys'. Select 'API Key Name'. Click 'REGENERATE KEY' to rotate the API key, and then click 'Save'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f61e15f3-4bcf-4d2e-8f06-32237cabe0a0\",\r\n \"name\": \"f61e15f3-4bcf-4d2e-8f06-32237cabe0a0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud Audit Logging is configured properly across all services and all users from a project\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that Cloud Audit Logging is configured to track read and write activities across all supported services and for all users. Configured this way, all administrative activities, or attempts to access user data, will be tracked.\",\r\n \"remediationDescription\": \"Browse to GCP IAM & Admin Audit. On the 'Audit Log' page, select the 'Log type' tab. Select 'Admin read', 'Data read', and 'Data write', and then click 'Save'. Make sure there are no exemptions.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/cdb3af55-2abf-476b-aac7-5cfec366a4dd\",\r\n \"name\": \"cdb3af55-2abf-476b-aac7-5cfec366a4dd\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that sinks are configured for all log entries\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that all resource have a log sink configured, exporting copies of all the log entries to a centralized location such as a SIEM.\",\r\n \"remediationDescription\": \"Browse to GCP Logs viewer. Switch to the 'Advanced' filter bar, clear any text from the filter field, and then click 'Submit Filter'. Click 'Create Sink', fill out the required details, and then click 'Create Sink'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bc26b0d4-a1d7-4665-9d44-efc205ae73f0\",\r\n \"name\": \"bc26b0d4-a1d7-4665-9d44-efc205ae73f0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure log metric filter and alerts exist for project ownership assignments/changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure log metric filters and alerts are configured to monitor project ownership assignment/change actions.\",\r\n \"remediationDescription\": \"STEP A - Create a Log metric: Browse to GCP Logs metrics. Click 'Create Metric', switch to the 'Advanced' filter bar, and run the following query: (protoPayload.serviceName=\\\"cloudresourcemanager.googleapis.com\\\") AND (ProjectOwnership OR projectOwnerInvitee) OR (protoPayload.serviceData.policyDelta.bindingDeltas.action=\\\"REMOVE\\\" AND protoPayload.serviceData.policyDelta.bindingDeltas.role=\\\"roles/owner\\\") OR (protoPayload.serviceData.policyDelta.bindingDeltas.action=\\\"ADD\\\" AND protoPayload.serviceData.policyDelta.bindingDeltas.role=\\\"roles/owner\\\". In the 'Metric Editor' menu, provide a name for the field, set 'Units' to 1 and Type to 'Counter', then click 'Create Metric'. STEP B - Create Alert on Metrics: To create an alert policy, browse to GCP Logs metrics. Click 'Create alert from Metric', click 'Create alert from Metric', add Alert Triggers, and then click 'Save'. Configure the alert's notification channels, give it a name, and then click 'Save'. Finally, edit the alert policy and update the 'Target Aggregation' option to 'Count'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3812e247-34f2-4f06-a312-89a8fe51fa37\",\r\n \"name\": \"3812e247-34f2-4f06-a312-89a8fe51fa37\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for Audit Configuration changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure log metric filter and alerts are configured for Audit Configuration changes. Audit logging data is required for security analysis. Tracking the log metric filters and alerts is important to ensure that all activities in the projects are being audited as planned.\",\r\n \"remediationDescription\": \"STEP A - Create a Log metric: Browser to GCP Logs metrics. Click 'Create Metric', switch to the 'Advanced' filter bar, clear the text, and run the following query: protoPayload.methodName=\\\"SetIamPolicy\\\" AND protoPayload.serviceData.policyDelta.auditConfigDeltas:*. In the 'Metric Editor' menu, provide a name for the field, set 'Units' to 1 and 'Type to 'Counter', then click 'Create Metric'. STEP B - Create Alert on Metrics: To create an alert policy, browse to GCP Logs metrics. Click 'Create alert from Metric', click 'Create alert from Metric', add Alert Triggers, and then click 'Save'. Configure the alert's notification channels, give it a name, and then click 'Save'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f0f8405a-5ecc-4314-808e-083e030d6163\",\r\n \"name\": \"f0f8405a-5ecc-4314-808e-083e030d6163\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for Custom Role changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that log metric filter and alerts are configured for Custom Role changes. Monitoring role creation, update, or deletion may help to identify over-privileged or misused roles. \",\r\n \"remediationDescription\": \"STEP A - Create a Log metric: Browser to GCP Logs metrics. Click 'Create Metric', switch to the 'Advanced' filter bar, clear the text, and run the following query: resource.type=\\\"iam_role\\\" AND protoPayload.methodName = \\\"google.iam.admin.v1.CreateRole\\\" OR protoPayload.methodName=\\\"google.iam.admin.v1.DeleteRole\\\" OR protoPayload.methodName=\\\"google.iam.admin.v1.UpdateRole\\\". In the 'Metric Editor' menu, provide a name for the field, set 'Units' to 1 and 'Type to 'Counter', then click 'Create Metric'. STEP B - Create Alert on Metrics: To create an alert policy, browse to GCP Logs metrics. Click 'Create alert from Metric', click 'Create alert from Metric', add Alert Triggers, and then click 'Save'. Configure the alert's notification channels, give it a name, and then click 'Save'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c23e0eec-eee4-4632-b1c2-6c884c3c963b\",\r\n \"name\": \"c23e0eec-eee4-4632-b1c2-6c884c3c963b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for VPC Network Firewall rule changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that log metric filter and alerts are configured for Virtual Private Cloud (VPC) Network Firewall rule changes. Firewall create or update rule events indicate network access changes, which may indicate suspicious activity.\",\r\n \"remediationDescription\": \"STEP A - Create a Log metric: Browser to GCP Logs metrics. Click 'Create Metric', switch to the 'Advanced' filter bar, clear the text, and run the following query: resource.type=\\\"gce_firewall_rule\\\" AND jsonPayload.event_subtype=\\\"compute.firewalls.patch\\\" OR jsonPayload.event_subtype=\\\"compute.firewalls.insert\\\". In the 'Metric Editor' menu, fill the name field, set Units to 1, and the Type to Counter. Click on 'Create Metric'. STEP B - Create Alert on Metrics: To create an alert policy, browse to https://console.cloud.google.com/logs/metrics. Click 'Create alert from Metric', click 'Create alert from Metric', add Alert Triggers, and then click 'Save'. Configure the alert's notification channels, give it a name, and then click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7ce5a01f-e94b-438a-8b72-fa02c076f11a\",\r\n \"name\": \"7ce5a01f-e94b-438a-8b72-fa02c076f11a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for VPC network route changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that the log metric filter and alerts are configured for Virtual Private Cloud (VPC) network route changes. Monitoring network route changes to route tables may indicate of a suspicious activity.\",\r\n \"remediationDescription\": \"STEP A - Create a Log metric: Browser to GCP Logs metrics. Click 'Create Metric', switch to the 'Advanced' filter bar, clear the text, and run the following query: resource.type=\\\"gce_route\\\" AND jsonPayload.event_subtype=\\\"compute.routes.delete\\\" OR jsonPayload.event_subtype=\\\"compute.routes.insert\\\". In the 'Metric Editor' menu, fill the name field, set Units to 1, and the Type to Counter. Click on 'Creat Metric'. STEP B - Create Alert on Metrics: To create an alert policy, browse to GCP Logs metrics. Click 'Create alert from Metric', click 'Create alert from Metric', add Alert Triggers, and then click 'Save'. Configure the alert's notification channels, give it a name, and then click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0b86a67f-bde5-4c91-b10c-4102033b8692\",\r\n \"name\": \"0b86a67f-bde5-4c91-b10c-4102033b8692\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for VPC network changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that the log metric filter and alerts are configured for Virtual Private Cloud (VPC) network changes. Monitoring network changes to the VPC is important to make sure it is not compromised.\",\r\n \"remediationDescription\": \"STEP A - Create a Log metric: Browser to GCP Logs metrics. Click 'Create Metric', switch to the 'Advanced' filter bar, clear the text, and run the following query: resource.type=gce_network AND jsonPayload.event_subtype=\\\"compute.networks.insert\\\" OR jsonPayload.event_subtype=\\\"compute.networks.patch\\\" OR jsonPayload.event_subtype=\\\"compute.networks.delete\\\" OR jsonPayload.event_subtype=\\\"compute.networks.removePeering\\\" OR jsonPayload.event_subtype=\\\"compute.networks.addPeering\\\". In the 'Metric Editor' menu, fill the name field, set Units to 1, and the Type to Counter. Click on 'Create Metric'. STEP B - Create Alert on Metrics: To create an alert policy, browse to GCP Logs metrics. Click 'Create alert from Metric', click 'Create alert from Metric', add 'Alert Triggers', and then click 'Save'. Configure the alert's notification channels, give it a name, and then click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/46e4e0ed-106d-405e-b1a9-ca34c8f7d31f\",\r\n \"name\": \"46e4e0ed-106d-405e-b1a9-ca34c8f7d31f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for Cloud Storage IAM permission changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"\\\"Ensure that the log metric filter and alerts are configured for Cloud Storage IAM permission changes. Monitoring changes to a storage bucket permissions can help identify malicious attempts to access a sensitive storage buckets and objects inside buckets.\",\r\n \"remediationDescription\": \"STEP A - Create a Log metric: Browser to GCP Logs metrics. Click 'Create Metric', switch to the 'Advanced' filter bar, clear the text, and run the following query: resource.type=gcs_bucket AND protoPayload.methodName=\\\"storage.setIamPermissions\\\". In the 'Metric Editor' menu, fill the name field, set Units to 1, and the Type to Counter. Click on 'Create Metric'. STEP B - Create Alert on Metrics: To create an alert policy, browse to GCP Logs metrics. Click 'Create alert from Metric', click 'Create alert from Metric', add Alert Triggers, and then click 'Save'. Configure the alert's notification channels, give it a name, and then click 'Save'.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b1294b0d-9b2e-4e1b-9f67-77a75fb10a65\",\r\n \"name\": \"b1294b0d-9b2e-4e1b-9f67-77a75fb10a65\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for SQL instance configuration changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that the log metric filter and alerts are configured for SQL instance configuration changes. Monitoring changes to an SQL instance can help identify malicious attempts to access a sensitive data stored in an SQL instance. \",\r\n \"remediationDescription\": \"STEP A - Create a Log metric: Browser to GCP Logs metrics. Click 'Create Metric', switch to the 'Advanced' filter bar, clear the text, and run the following query: protoPayload.methodName=\\\"cloudsql.instances.update\\\". In the 'Metric Editor' menu, fill the name field, set Units to 1, and the Type to Counter. Click on 'Create Metric'. STEP B - Create Alert on Metrics: To create an alert policy, browse to GCP Logs metrics. Click 'Create alert from Metric', click 'Create alert from Metric', add Alert Triggers, and then click 'Save'. Configure the alert's notification channels, give it a name, and then click 'Save'.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ece6ec5d-a862-4e22-a8db-271661216018\",\r\n \"name\": \"ece6ec5d-a862-4e22-a8db-271661216018\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the default network does not exist in a project\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that projects do not have a default network. A default predefined network generates multiple unsecure firewall rules that are not audit logged, cannot be configured to enable firewall rule logging, and do not allow the use of a Cloud VPN or VPC Network Peering with the default network.\",\r\n \"remediationDescription\": \"Browse to GCP Networks List. Select the 'default' network. On the network detail page, click 'edit', and then click 'Delete VPC network'. If required, you can to create a new network with custom firewall rules to replace the 'default' network.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3af5de46-fda8-4b6e-90f1-6565187d7c48\",\r\n \"name\": \"3af5de46-fda8-4b6e-90f1-6565187d7c48\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure legacy networks do not exist for a project\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that all projects do not have a legacy network. Legacy networks may have an impact for high network traffic projects and pose a single point of contention or failure.\",\r\n \"remediationDescription\": \"Create a non-legacy network and then delete the legacy networks using the following command: 'gcloud compute networks delete my-legacy-network'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e40b679a-f44e-4366-87dd-7693e16a2128\",\r\n \"name\": \"e40b679a-f44e-4366-87dd-7693e16a2128\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that DNSSEC is enabled for Cloud DNS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that Domain Name System Security Extensions (DNSSEC) is enabled for Cloud DNS zones. DNSSEC helps mitigate the risk of a DNS hijacking and man-in-the-middle attacks, by preventing attackers from issuing fake DNS responses that may misdirect browsers to malicious websites.\",\r\n \"remediationDescription\": \"Browse to GCP DNS zones. For each zone of type 'Public', set DNSSEC to 'On'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/049f1551-438b-444e-8904-a3c3afbcb43e\",\r\n \"name\": \"049f1551-438b-444e-8904-a3c3afbcb43e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that RSASHA1 is not used for the key-signing key in Cloud DNS DNSSEC\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that RSA-SHA1 is not used as the key-signing key in Domain Name System Security Extensions (DNSSEC).\",\r\n \"remediationDescription\": \"To change the settings for a managed zone where RSA-SHA1 has been enabled: Turn off DNSSEC, modify they settings, and then turn on DNSSEC again. Finally, update the key-signing for the reported managed DNS Zone.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/cc637123-c11e-40ee-adf8-93c0876481f4\",\r\n \"name\": \"cc637123-c11e-40ee-adf8-93c0876481f4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that RSASHA1 is not used for the zone-signing key in Cloud DNS DNSSEC\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that RSA-SHA1 is not used as the zone-signing key in Domain Name System Security Extensions (DNSSEC).\",\r\n \"remediationDescription\": \"To change the settings for a managed zone where RSA-SHA1 has been enabled: Turn off DNSSEC, modify they settings, and then turn on DNSSEC again. Finally, update the zone-signing for the reported managed DNS Zone.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0327f9da-f758-4d69-8903-55448b8cf70e\",\r\n \"name\": \"0327f9da-f758-4d69-8903-55448b8cf70e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that SSH access is restricted from the internet\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that SSH access is restricted from the internet because it can be used as initial access to the network. Prevent inbound traffic via SSH (port 22) from the internet using the generic IP address (0.0.0.0/0).\",\r\n \"remediationDescription\": \"Browser to GCP Networks List. Select 'Firewall Rules', edit the relevant rule, under 'Source IP ranges' replace the value with a specific IP address, and then click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/684307e9-62a8-4f2a-887a-4b90de5e4b98\",\r\n \"name\": \"684307e9-62a8-4f2a-887a-4b90de5e4b98\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that RDP access is restricted from the Internet\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that RDP access is restricted from the internet, as is may be used for initial access to the network. Prevent inbound traffic via RDP (port 3389) from the internet using the generic IP address (0.0.0.0/0). \",\r\n \"remediationDescription\": \"Browser to GCP Networks List. Select 'Firewall Rules', edit the relevant rule, under 'Source IP ranges' replace the value with a specific IP address, and then click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3d55e4b1-ecdb-4eaf-9e3f-b00a764182bd\",\r\n \"name\": \"3d55e4b1-ecdb-4eaf-9e3f-b00a764182bd\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that all VPC Flow Logs are enabled, for every subnet in a VPC Network.\",\r\n \"remediationDescription\": \"Browse to GCP Networks List. Select the relevant subnet, click 'Edit', set 'Flow Logs' to 'On', and then click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c28a89d9-7cf4-439b-a8c4-ad4e769f68ee\",\r\n \"name\": \"c28a89d9-7cf4-439b-a8c4-ad4e769f68ee\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure no HTTPS or SSL proxy load balancers permit SSL policies with weak cipher suites\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that there are no HTTPS or SSL Proxy Load Balancers that use weak SSL policies with TLS or 1.1.\",\r\n \"remediationDescription\": \"Browser to GCP SSL Policies. Select the relevant policy, click 'Edit', set 'Minimum TLS version' to 'TLS 1.2', set 'Profile' to 'Modern' or 'Restricted', and then click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/233da9cd-11bf-463a-8aa7-4c81b9e788d1\",\r\n \"name\": \"233da9cd-11bf-463a-8aa7-4c81b9e788d1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that instances are not configured to use the default service account with full access to all Cloud APIs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that all instances are not configured to use the default service account with full access to all Google Cloud APIs.\",\r\n \"remediationDescription\": \"Browse to GCP Compute instances. Select the relevant VM instance, stop the instance if it is currently started, and then click 'Edit'. Under 'Service Account', select 'Compute Engine default service account', make sure that 'Allow full access to all Cloud APIs' is not selected, click 'Save' and then 'Start'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1ff4501b-2109-4ef6-ba9d-e824a96d63d0\",\r\n \"name\": \"1ff4501b-2109-4ef6-ba9d-e824a96d63d0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure \\\"Block Project-wide SSH keys\\\" is enabled for VM instances\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that no project-wide SSH keys are used for VM instances, as they enable login to all instances in the project.\",\r\n \"remediationDescription\": \"Browse to GCP Compute instances. Select the impacted instance, click 'Edit', under 'SSH Keys', select 'Block project-wide SSH keys', and then click 'Save'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fa924a53-0837-4296-9bf7-18ce7dd68593\",\r\n \"name\": \"fa924a53-0837-4296-9bf7-18ce7dd68593\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure oslogin is enabled for a Project\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that OS login is enabled for all projects, as this pairs the SSH keys in use with IAM users. \",\r\n \"remediationDescription\": \"Browse to GCP Compute metadata. Click 'Edit', add metadata key for 'enable-oslogin' with value 'TRUE', and then click 'Save'. For every instances that overrides the project setting, browse to GCP Compute instances. Select the relevant instance name, click 'Edit', under 'custom metadata', remove 'enable-oslogin' keys with the value 'FALSE', and then click 'Save'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c4131c22-1ecc-4beb-9961-d90108bd975f\",\r\n \"name\": \"c4131c22-1ecc-4beb-9961-d90108bd975f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure 'Enable connecting to serial ports' is not enabled for VM Instance\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that 'Enable connecting to serial ports' is not enabled for all VM Instance. When the interactive serial console is enabled for an instance, clients can connect to the instance from any IP address using the proper username and SSH key.\",\r\n \"remediationDescription\": \"Browse to GCP Compute instances. Select the relevant instance, under 'Remote access', make sure that 'Enable connecting to serial ports' is not selected.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3b1713ec-feb3-4b32-b5b0-251acff0a84a\",\r\n \"name\": \"3b1713ec-feb3-4b32-b5b0-251acff0a84a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that IP forwarding is not enabled on Instances\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"To prevent data loss, forwarding of data packets should not be enabled on instances.\",\r\n \"remediationDescription\": \"Browse to GCP Compute instances. Select the relevant instance, under 'Network interfaces', make sure that 'IP forwarding' is set to 'Off' for every network interface.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6be98232-0100-474a-b33d-ba9c1a747f70\",\r\n \"name\": \"6be98232-0100-474a-b33d-ba9c1a747f70\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure VM disks for critical VMs are encrypted with Customer-Supplied Encryption Keys (CSEK)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By default, all data at rest is encrypted by Google Compute Engine. Make sure that VM disks are encrypted using Customer-Supplied Encryption Keys (CSEK) enabling you to control and manage the encryption keys yourself.\",\r\n \"remediationDescription\": \"Browse to GCP Compute disks. Select the relevant disk and make sure that the 'Encryption type' is set to 'Customer supplied'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9e1789cd-7b61-42db-ba12-7268283ba466\",\r\n \"name\": \"9e1789cd-7b61-42db-ba12-7268283ba466\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure Compute instances are launched with Shielded VM enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"To protect against advanced threats, a Compute Engine instance using a public image and must be launched with a Shielded VM. It is also important to verify that the boot loader and firmware on the VMs are signed and untampered.\",\r\n \"remediationDescription\": \"Browse to GCP Compute instances. Select the relevant instance, under 'Shielded VM', make sure that 'Turn on vTPM' and 'Turn on Integrity Monitoring' are enabled.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0bdcd23c-4ff2-4077-aa14-eb6950bfbdd8\",\r\n \"name\": \"0bdcd23c-4ff2-4077-aa14-eb6950bfbdd8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Compute instances do not have public IP addresses\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Compute instances must not be configured with public IP addresses.\",\r\n \"remediationDescription\": \"Browse to GCP Firewalls List. Edit each firewall rule in the list, under 'Source IP ranges', modify the IP address values to restrict access from public IP addresses, like 0.0.0.0/0.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/79b4eb34-c06e-49bf-883d-5352a21a962f\",\r\n \"name\": \"79b4eb34-c06e-49bf-883d-5352a21a962f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud Storage bucket is not anonymously or publicly accessible\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that an IAM policy on Cloud Storage buckets does not allow anonymous or public access so sensitive data.\",\r\n \"remediationDescription\": \"To restrict access to Cloud Storage Buckets: Browse to GCP Storage browser. Select the relevant bucket, select 'Permissions', and then under 'Role(s)', remove all Cloud IAM permissions that were granted to 'allUsers' and 'allAuthenticatedUsers'. To restrict access from public addresses: browse to GCP Firewalls List.. Edit each firewall rule in the list, under 'Source IP ranges', modify the IP adress values to restrict access from public IP addresses, like 0.0.0.0/0.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a2bb3a1b-4a09-4cf7-9e79-c438687e2c2f\",\r\n \"name\": \"a2bb3a1b-4a09-4cf7-9e79-c438687e2c2f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud Storage buckets have uniform bucket-level access enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"For simple and unified resource access, ensure that Cloud Storage buckets have uniform bucket-level access enabled.\",\r\n \"remediationDescription\": \"Browse to GCP Storage browser. Edit the relevant bucket, under 'Access Control', select 'Uniform', and then click 'Save'.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a3ebc80a-847b-46d5-a37d-8dca5e6947df\",\r\n \"name\": \"a3ebc80a-847b-46d5-a37d-8dca5e6947df\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the Cloud SQL database instance requires all incoming connections to use SSL\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that the Cloud SQL Database instance requires all incoming connections to always use SSL encryption.\",\r\n \"remediationDescription\": \"Browse to GCP Sql instances, select the relevant instance and under 'Connections', select 'Allow only SSL connections'.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1f386f4e-449e-41e8-b829-a2fe01086ae1\",\r\n \"name\": \"1f386f4e-449e-41e8-b829-a2fe01086ae1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud SQL database instances are not open to the world\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Cloud SQL instances must be configured to only accept connections from trustworthy networks and/or IP addresses and restrict all other access. \",\r\n \"remediationDescription\": \"Browse to GCP Firewalls List. Edit each firewall rule in the list, under 'Source IP ranges', modify the IP address values to restrict access from public IP addresses, like 0.0.0.0/0.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2f6c8a5a-9407-467c-8082-0ad4ab915d77\",\r\n \"name\": \"2f6c8a5a-9407-467c-8082-0ad4ab915d77\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud SQL database instances do not have public IPs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Cloud SQL instances must be configured to use private IP addresses, and not public IP addresses.\",\r\n \"remediationDescription\": \"Browse to GCP Firewalls List. Edit each firewall rule in the list, under 'Source IP ranges', modify the IP address values to restrict access from public IP addresses, like 0.0.0.0/0.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/664c6a0b-5cd2-4140-aaff-a94241c07afd\",\r\n \"name\": \"664c6a0b-5cd2-4140-aaff-a94241c07afd\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud SQL database instances are configured with automated backups\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Cloud SQL database instances must be configured with automated backups.\",\r\n \"remediationDescription\": \"Browse to GCP Sql instances. Select the relevant instance, and under 'Backups', make sure that 'Automated backups' is set to 'Enabled' and that the 'Backup time' is set.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5723400d-5b2a-45f1-99ee-837986866318\",\r\n \"name\": \"5723400d-5b2a-45f1-99ee-837986866318\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that BigQuery datasets are not anonymously or publicly accessible\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"To ensure that sensitive data is not compromised, IAM policies on BigQuery datasets must not allow anonymous or public access.\",\r\n \"remediationDescription\": \"Browse to GCP Firewalls List. Edit each firewall rule in the list, under 'Source IP ranges', modify the IP address values to restrict access from public IP addresses, like 0.0.0.0/0.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/582c14e9-48c1-4b25-ab93-91bdeaf9120c\",\r\n \"name\": \"582c14e9-48c1-4b25-ab93-91bdeaf9120c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Avoid the use of the \\\"root\\\" account\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"The \\\"root\\\" account is the most privileged account and has unrestricted access to all resources in the AWS account. It is highly recommended to avoid use of this account.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1f24d55a-df0f-4772-9090-4629c2d6bfff\",\r\n \"name\": \"1f24d55a-df0f-4772-9090-4629c2d6bfff\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Multi-Factor Authentication (MFA) should be enabled on all accounts that have a console password.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8a10942a-02ca-483f-81ae-2260ea7808cc\",\r\n \"name\": \"8a10942a-02ca-483f-81ae-2260ea7808cc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure credentials unused for 90 days or greater are disabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS resources can be accessed by using different types of credentials by AWS IAm users. Credentials such as passwords or access keys that haven't been used in 90 days or more should be deactivated or removed.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9b8eac17-6b11-4b94-9bb4-18c81aee7123\",\r\n \"name\": \"9b8eac17-6b11-4b94-9bb4-18c81aee7123\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure access keys are rotated every 90 days or less\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Access keys consist of an access key ID and secret access key. they are used to sign programmatic requests made to AWS. Access keys should be regularly rotated to reduce chance of access key used that is associated with a compromised or terminated account and ensure that data can't be accessed with an old key that might have been lost, cracked, or stolen.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/554ba13c-d7d4-4530-88ce-94cf11a670ce\",\r\n \"name\": \"554ba13c-d7d4-4530-88ce-94cf11a670ce\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy requires at least one uppercase letter\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Password policy should require at least one uppercase letter to enforce password complexity requirements . \",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/66a1d478-4d24-42d4-8eca-dcdab6532a18\",\r\n \"name\": \"66a1d478-4d24-42d4-8eca-dcdab6532a18\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy requires at least one lowercase letter\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Password policy should require at least one lowercase letter to enforce password complexity requirements . \",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b396f112-a462-4813-a93f-80bc90041e4d\",\r\n \"name\": \"b396f112-a462-4813-a93f-80bc90041e4d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy requires at least one symbol\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Password policy should require at least one symbol to enforce password complexity requirements . \",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5425052d-cc0d-4424-af71-050311f99634\",\r\n \"name\": \"5425052d-cc0d-4424-af71-050311f99634\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy requires at least one number\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Password policy should require at least one number to enforce password complexity requirements . \",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/09cb7d54-db05-4d31-97f3-9bbfe1dff610\",\r\n \"name\": \"09cb7d54-db05-4d31-97f3-9bbfe1dff610\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy requires minimum password length of 14 or greater\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Password policy should require a length of 14 or greater to enforce password complexity requirements.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/01fb1ad4-303b-4789-abf2-c024c4a76523\",\r\n \"name\": \"01fb1ad4-303b-4789-abf2-c024c4a76523\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy prevents password reuse\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"IAM password policy should prevent the reuse of passwords to prevent reuse of given password by the same user.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0de072b9-6515-4985-842e-0318047bb85b\",\r\n \"name\": \"0de072b9-6515-4985-842e-0318047bb85b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy expires passwords within 90 days or less\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"IAM password policies should require passwords to expire after 90 days or less.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8c3f474a-234e-442f-92b3-2a45e37f7eee\",\r\n \"name\": \"8c3f474a-234e-442f-92b3-2a45e37f7eee\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure no root account access key exists\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"The root account is the most privileged user in an AWS account. AWS Access Keys provide programmatic access to an AWS account. All access keys associated with the root account should be removed.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8e3d9ac0-a248-4276-a437-304c6cd1443b\",\r\n \"name\": \"8e3d9ac0-a248-4276-a437-304c6cd1443b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure MFA is enabled for the \\\"root\\\" account\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"MFA should be enabled for a root account to increase console security. When a user signs in to an AWS website, they will be prompted for their user name, password as well as for an authentication code\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8d7a6128-c8f2-43df-b422-7877346f9ddb\",\r\n \"name\": \"8d7a6128-c8f2-43df-b422-7877346f9ddb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure hardware MFA is enabled for the \\\"root\\\" account\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"MFA should be enabled for a root account to increase console security. When a user signs in to an AWS website, they will be prompted for their user name, password as well as for an authentication code. The account should be protected with a hardware MFA\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c55461af-4923-4fbb-b270-40d5e5f4c0ff\",\r\n \"name\": \"c55461af-4923-4fbb-b270-40d5e5f4c0ff\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM policies are attached only to groups or roles\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By default, IAM users, groups, and roles don't have access to AWS resources. IAM policies are used to grant privileges to users, groups, or roles. IAM policies should be applied directly to groups and roles but not users\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bbdc4999-1462-4d46-853b-2f8c6ca1c682\",\r\n \"name\": \"bbdc4999-1462-4d46-853b-2f8c6ca1c682\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a support role has been created to manage incidents with AWS Support\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS provides a support center that can be used for incident notification and response, as well as technical support and customer services. IAM Role should be created to allow authorized users to manage incidents with AWS Support.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9e1f12d0-cb3d-4e1c-a468-6bc3d934c99d\",\r\n \"name\": \"9e1f12d0-cb3d-4e1c-a468-6bc3d934c99d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM policies that allow full \\\"*:*\\\" administrative privileges are not created\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"IAM policies are the way in which privileges are granted to users, groups, or roles. Granting only the permissions needed to perform a task should be done instead of allowing full administrative privileges.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/22438e3c-73c8-40af-a083-10c980c63aa2\",\r\n \"name\": \"22438e3c-73c8-40af-a083-10c980c63aa2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure CloudTrail is enabled in all regions\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. CloudTrail should be enabled to allow security analysis, resource change tracking, and compliance auditing.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fd5d38f6-340e-4bd2-88f2-e1314c3c07a9\",\r\n \"name\": \"fd5d38f6-340e-4bd2-88f2-e1314c3c07a9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure CloudTrail log file validation is enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"A digitally signed digest file is created by CloudTrail log file validation, containing a hash of each log that CloudTrail writes to S3. These digest files can be used to determine whether a log file was changed, deleted, or unchanged after CloudTrail delivered the log. \",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0384d5b7-5def-4130-b7b5-db7da7e63276\",\r\n \"name\": \"0384d5b7-5def-4130-b7b5-db7da7e63276\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure the S3 bucket CloudTrail logs to is not publicly accessible\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Enabling public access to CloudTrail log content could assist an adversary in identifying weaknesses in the affected account's use or configuration.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5720f1a6-6061-4768-9c0d-2000a6041744\",\r\n \"name\": \"5720f1a6-6061-4768-9c0d-2000a6041744\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure CloudTrail trails are integrated with Amazon CloudWatch Logs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS CloudTrail is a web service that records AWS API calls made in a given AWS account. In addition to capturing CloudTrail logs within a specified S3 bucket for long term analysis, sending these logs to CloudWatch should be done to enable realtime analysis. \",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/dbfc99e3-e648-4c3b-bd32-995e6268430d\",\r\n \"name\": \"dbfc99e3-e648-4c3b-bd32-995e6268430d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure AWS Config is enabled in all regions\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS Config is a web service that performs configuration management of supported AWS resources within your account and delivers log files to you that can be used for security analysis, resource change tracking, and compliance auditing and should be enabled across all regions.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/30c69b23-a9a2-4729-aca6-f21adacfff66\",\r\n \"name\": \"30c69b23-a9a2-4729-aca6-f21adacfff66\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"S3 Bucket Access Logging generates a log that contains access records for each request made to your S3 bucket and could be used for security analysis, resource change tracking, and compliance auditing.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c01fab9f-bde1-4ba5-9d35-7de51f31c2d3\",\r\n \"name\": \"c01fab9f-bde1-4ba5-9d35-7de51f31c2d3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure CloudTrail logs are encrypted at rest using AWS KMS CMKs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"CloudTrail logs should be configured to leverage server side encryption (SSE) and KMS customer created master keys (CMK) to further protect CloudTrail logs.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/23b514bd-2afc-4a3e-8d3d-f4327118eee9\",\r\n \"name\": \"23b514bd-2afc-4a3e-8d3d-f4327118eee9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure rotation for customer created CMKs is enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS Key Management Service (KMS) enables customers to rotate the backing key, a key material stored within the KMS which is tied to the key ID of the Customer Created customer master key (CMK). The backing key is used to perform cryptographic operations such as encryption and decryption.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a9ac48d8-8dd7-42b9-9752-b1fa70ea5dd9\",\r\n \"name\": \"a9ac48d8-8dd7-42b9-9752-b1fa70ea5dd9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure VPC flow logging is enabled in all VPCs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"VPC Flow Logs enables you to gather information about the IP traffic going to and from network interfaces in your VPC. After a flow log has been created, you can view and retrieve its data in Amazon CloudWatch Logs. VPC Flow Logs should be enabled for packet \\\"Rejects\\\" for VPCs.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/00261067-76a8-4ebb-b5fc-becc81067bee\",\r\n \"name\": \"00261067-76a8-4ebb-b5fc-becc81067bee\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for unauthorized API calls\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By directing CloudTrail Logs to CloudWatch Logs real-time monitoring of API calls can be achieved. Metric filter and alarm should be established for unauthorized API calls.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/83ca4867-58c1-45d6-b6b6-dbf226512891\",\r\n \"name\": \"83ca4867-58c1-45d6-b6b6-dbf226512891\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for AWS Management Console sign-in without MFA\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By directing CloudTrail Logs to CloudWatch Logs real-time monitoring of API calls can be achieved. Metric filter and alarm should be established for console logins that are not protected by multi-factor authentication (MFA).\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a269cbdb-86e8-431c-9ff2-f0ea491174d8\",\r\n \"name\": \"a269cbdb-86e8-431c-9ff2-f0ea491174d8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for usage of \\\"root\\\" account\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By directing CloudTrail Logs to CloudWatch Logs real-time monitoring of API calls can be achieved. Metric filter and alarm should be established for root account login attempts.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5ea59e47-093b-446f-9765-5b0ec4c9da61\",\r\n \"name\": \"5ea59e47-093b-446f-9765-5b0ec4c9da61\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for IAM policy changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By directing CloudTrail Logs to CloudWatch Logs real-time monitoring of API calls can be achieved. Metric filter and alarm should be established for changes made to Identity and Access Management (IAM) policies\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/011397ca-1366-4bcc-b85a-7a5e3df2e80b\",\r\n \"name\": \"011397ca-1366-4bcc-b85a-7a5e3df2e80b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for CloudTrail configuration changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By directing CloudTrail Logs to CloudWatch Logs real-time monitoring of API calls can be achieved. Metric filter and alarm should be established for changes made to CloudTrail's configurations\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c62371bc-f6a7-4915-b5b5-14288682cf79\",\r\n \"name\": \"c62371bc-f6a7-4915-b5b5-14288682cf79\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for AWS Management Console authentication failures\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By directing CloudTrail Logs to CloudWatch Logs real-time monitoring of API calls can be achieved. Metric filter and alarm should be established for failed console authentication attempts.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/293ba336-7312-42fc-a59d-836e4e678b17\",\r\n \"name\": \"293ba336-7312-42fc-a59d-836e4e678b17\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By directing CloudTrail Logs to CloudWatch Logs real-time monitoring of API calls can be achieved. Metric filter and alarm should be established for customer created CMKs which have changed state to disabled or scheduled deletion.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0b547a38-2c0d-47e1-b9a2-a59fccc140db\",\r\n \"name\": \"0b547a38-2c0d-47e1-b9a2-a59fccc140db\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for S3 bucket policy changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By directing CloudTrail Logs to CloudWatch Logs real-time monitoring of API calls can be achieved. Metric filter and alarm should be established for changes to S3 bucket policies.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7d0ad86f-f43b-4889-b2f7-09d91bd1407b\",\r\n \"name\": \"7d0ad86f-f43b-4889-b2f7-09d91bd1407b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for AWS Config configuration changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By directing CloudTrail Logs to CloudWatch Logs real-time monitoring of API calls can be achieved. Metric filter and alarm should be established for changes to AWS Config configuration settings\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b20558b6-de31-480c-8aa0-e920d62b9764\",\r\n \"name\": \"b20558b6-de31-480c-8aa0-e920d62b9764\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for security group changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By directing CloudTrail Logs to CloudWatch Logs real-time monitoring of API calls can be achieved. Metric filter and alarm should be established for changes to Security Groups.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/022efc2d-5119-480b-a203-e151b6b2645c\",\r\n \"name\": \"022efc2d-5119-480b-a203-e151b6b2645c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By directing CloudTrail Logs to CloudWatch Logs real-time monitoring of API calls can be achieved. Metric filter and alarm should be established for changes made to NACLs\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3ee7608e-f0e7-4c26-8921-5ae46c4e99df\",\r\n \"name\": \"3ee7608e-f0e7-4c26-8921-5ae46c4e99df\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for changes to network gateways\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By directing CloudTrail Logs to CloudWatch Logs real-time monitoring of API calls can be achieved. Metric filter and alarm should be established for changes to network gateways.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/33765629-073d-49eb-bab4-64bdf8ac90da\",\r\n \"name\": \"33765629-073d-49eb-bab4-64bdf8ac90da\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for route table changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By directing CloudTrail Logs to CloudWatch Logs real-time monitoring of API calls can be achieved. Metric filter and alarm should be established for changes to route tables.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9c054f50-823f-45ab-839e-9df4eb7c2f11\",\r\n \"name\": \"9c054f50-823f-45ab-839e-9df4eb7c2f11\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for VPC changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By directing CloudTrail Logs to CloudWatch Logs real-time monitoring of API calls can be achieved. Metric filter and alarm should be established for changes made to VPCs.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b3473ed6-78c0-40d5-b5f0-674e98924952\",\r\n \"name\": \"b3473ed6-78c0-40d5-b5f0-674e98924952\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure no security groups allow ingress from 0.0.0.0/0 to port 22\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. Restricting connectivity to remote console services, such as SSH, could help reduce a server's exposure to risk.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9dd55566-33b9-4c07-a959-14794ce02355\",\r\n \"name\": \"9dd55566-33b9-4c07-a959-14794ce02355\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. Restricting connectivity to remote console services, such as RDP, could help reduce a server's exposure to risk.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ad0b04b9-eaf9-49f8-b85e-724f9520e760\",\r\n \"name\": \"ad0b04b9-eaf9-49f8-b85e-724f9520e760\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure the default security group of every VPC restricts all traffic\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"When an instance is launched and no security group is specified, the instance is automatically assign to a default security group. A default security group should restrict all traffic\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"name\": \"eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Subnets should be associated with a network security group\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e71308d3-144b-4262-b144-efdc3cc90517\",\r\n \"description\": \"Protect your subnet from potential threats by restricting access to it with a network security group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. When an NSG is associated with a subnet, the ACL rules apply to all the VM instances and integrated services in that subnet, but don't apply to internal traffic inside the subnet. To secure resources in the same subnet from one another, enable NSG directly on the resources as well.\",\r\n \"remediationDescription\": \"To enable Network Security Groups on your subnets:
1. Select a subnet to enable NSG on.
2. Click the 'Network security group' section.
3. Follow the steps and select an existing network security group to attach to this specific subnet.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"name\": \"e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure DDoS Protection Standard should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd\",\r\n \"description\": \"Security Center has discovered virtual networks with Application Gateway resources unprotected by the DDoS protection service. These resources contain public IPs. Enable mitigation of network volumetric and protocol attacks.\",\r\n \"remediationDescription\": \"
1. Select a virtual network to enable the DDoS protection service standard on.
2. Select the Standard option.
3. Click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"ThreatResistance\",\r\n \"DenialOfService\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/35f45c95-27cf-4e52-891f-8390d1de5828\",\r\n \"name\": \"35f45c95-27cf-4e52-891f-8390d1de5828\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Adaptive application controls for defining safe applications should be enabled on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc\",\r\n \"description\": \"Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.\",\r\n \"remediationDescription\": \"To enable and configure adaptive application controls:
1. From the portal, open Security Center.
2. Select \\\"Adaptive application controls\\\" from Security Center's sidebar.
3. To see the groups of machines that Security Center recommends protecting with adaptive application controls, select the \\\"Recommended\\\" tab and choose a group of machines to protect.
4. Create a new applications control policy according to the instructions in Security Center's documentation: https://aka.ms/aac-newpolicy\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\",\r\n \"ThreatResistance\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1234abcd-1b53-4fd4-9835-2c2fa3935313\",\r\n \"name\": \"1234abcd-1b53-4fd4-9835-2c2fa3935313\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Allowlist rules in your adaptive application control policy should be updated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/123a3936-f020-408a-ba0c-47873faf1534\",\r\n \"description\": \"Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.\",\r\n \"remediationDescription\": \"To update your list of known-safe applications:
1. From the portal, open Security Center.
2. Select \\\"Adaptive application controls\\\" from Security Center's sidebar.
3. To see the groups of machines for which Security Center recommends updating the policy, select the \\\"Recommended\\\" tab and choose the configured group of machines.
4. The current policy will be displayed together with the new rules that Security Center recommends adding.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\",\r\n \"ThreatResistance\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f9f0eed0-f143-47bf-b856-671ea2eeed62\",\r\n \"name\": \"f9f0eed0-f143-47bf-b856-671ea2eeed62\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Adaptive network hardening recommendations should be applied on internet facing virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6\",\r\n \"description\": \"Azure Security Center has analyzed the internet traffic communication patterns of the virtual machines listed below, and determined that the existing rules in the NSGs associated to them are overly permissive, resulting in an increased potential attack surface.
This typically occurs when this IP address doesn't communicate regularly with this resource. Alternatively, the IP address has been flagged as malicious by Security Center's threat intelligence sources. learn more\",\r\n \"remediationDescription\": \"To harden the Network Security Group traffic rules, enforce the recommended rules by following the steps below or manually edit the rules directly on the Network Security Group:
- Select a VM from the list below, or click \\\"Take action\\\" if you've arrived from a specific VM's recommendation blade.
- Click the \\\"Rules\\\" tab.
- If you want to modify a recommended rule's parameters:
- In the rule that you want to change, select the three dots and select \\\"Edit rule\\\". The \\\"Edit rule\\\" blade opens.
- Modify the parameters that you want to change and click \\\"Save\\\". The blade closes.
- If you want to create a new rule:
- Click \\\"Add rule\\\" (in the top left corner). The \\\"Edit rule\\\" blade opens.
- Fill in the parameters and click \\\"Add rule\\\". The blade closes and the new rule is listed in the Rules tab.
- Select the rules that you want to apply (including any rules that you edited or added) and click \\\"Enforce\\\".
\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/805651bc-6ecd-4c73-9b55-97a19d0582d0\",\r\n \"name\": \"805651bc-6ecd-4c73-9b55-97a19d0582d0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Management ports of virtual machines should be protected with just-in-time network access control\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c\",\r\n \"description\": \"Azure Security Center has identified some overly-permissive inbound rules for management ports in your Network Security Group. Enable just-in-time access control to protect your VM from internet-based brute-force attacks. Learn more.\",\r\n \"remediationDescription\": \"To enable just-in-time VM access:
- Select one or more VMs from the list below and click \\\"Remediate\\\", or click \\\"Take action\\\" if you've arrived from a recommendation for a specific VM.
- On the \\\"JIT VM access configuration\\\" page, define the ports for which the just-in-time VM access will be applicable.
- To add additional ports, click the \\\"Add\\\" button on the top left, or click an existing port and edit it.
- On the \\\"Add port configuration\\\" blade, enter the required parameters.
- Click \\\"Save\\\".
\",\r\n \"categories\": [\r\n \"Compute\",\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/01b1ed4c-b733-4fee-b145-f23236e70cf3\",\r\n \"name\": \"01b1ed4c-b733-4fee-b145-f23236e70cf3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerability assessment solution should be installed on your virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/760a85ff-6162-42b3-8d70-698e268f648c\",\r\n \"description\": \"Install a vulnerability assessment solution on your virtual machines\",\r\n \"remediationDescription\": \"N/A\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/71992a2a-d168-42e0-b10e-6b45fa2ecddb\",\r\n \"name\": \"71992a2a-d168-42e0-b10e-6b45fa2ecddb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities should be remediated by a Vulnerability Assessment solution\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/760a85ff-6162-42b3-8d70-698e268f648c\",\r\n \"description\": \"Virtual machines for which a vulnerability assessment 3rd party solution is deployed are being continuously assessed against application and OS vulnerabilities. Whenever such vulnerabilities are found, these are available for more information as part of the recommendation.\",\r\n \"remediationDescription\": \"N/A\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\",\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bc303248-3d14-44c2-96a0-55f5c326b5fe\",\r\n \"name\": \"bc303248-3d14-44c2-96a0-55f5c326b5fe\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Management ports should be closed on your virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/22730e10-96f6-4aac-ad84-9383d35b5917\",\r\n \"description\": \"Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.\",\r\n \"remediationDescription\": \"We recommend that you edit the inbound rules of some of your virtual machines, to restrict access to specific source ranges.
To restrict access to your virtual machines:
1. Select a VM to restrict access to.
2. In the 'Networking' blade, click on each of the rules that allow management ports (e.g. RDP-3389, WINRM-5985, SSH-22).
3. Either change the 'Action' property to 'Deny', or, improve the rule by applying a less permissive range of source IP ranges.
4. Click 'Save'.
Use Azure Security Center's Just-in-time (JIT) virtual machine (VM) access to lock down inbound traffic to your Azure VMs by demand. Click here to learn more.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ThreatResistance\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c3b51c94-588b-426b-a892-24696f9e54cc\",\r\n \"name\": \"c3b51c94-588b-426b-a892-24696f9e54cc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IP forwarding on your virtual machine should be disabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744\",\r\n \"description\": \"Azure Security Center has discovered that IP forwarding is enabled on some of your virtual machines. Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.\",\r\n \"remediationDescription\": \"We recommend you edit the IP configurations of the NICs belonging to some of your virtual machines.
To disable IP forwarding:
1. Select a VM from the list below, or click 'Take action' if you've arrived from a specific VM's recommendation blade.
2. In the 'Networking' blade, click on the NIC link ('Network Interface' in the top left).
3. In the 'IP configurations' blade, set the 'IP forwarding' field to 'Disabled'.
4. Click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3b20e985-f71f-483b-b078-f30d73936d43\",\r\n \"name\": \"3b20e985-f71f-483b-b078-f30d73936d43\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"All network ports should be restricted on network security groups associated to your virtual machine\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9daedab3-fb2d-461e-b861-71790eead4f6\",\r\n \"description\": \"Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.\",\r\n \"remediationDescription\": \"We recommend that you edit the inbound rules of some of your virtual machines, to restrict access to specific source ranges.
To restrict access to your virtual machines:
1. Select a VM to restrict access to.
2. In the 'Networking' blade, click the Network Security Group with overly permissive rules.
3. In the 'Network security group' blade, click on each of the rules that are overly permissive.
4. Improve the rule by applying less permissive source IP ranges.
5. Apply the suggested changes and click 'Save'.
If some or all of these virtual machines do not need to be accessed directly from the Internet, then you can also consider removing the public IP associated to them.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/483f12ed-ae23-447e-a2de-a67a10db4353\",\r\n \"name\": \"483f12ed-ae23-447e-a2de-a67a10db4353\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Internet-facing virtual machines should be protected with network security groups\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c\",\r\n \"description\": \"Protect your VM from potential threats by restricting access to it with a network security group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your VM from other instances, in or outside the same subnet.
Please note that to keep your machine as secured as possible, both the VM access to the Internet must be restricted, and an NSG should be enabled on the subnet.
VMs with 'High' severity are Internet-facing VMs.\",\r\n \"remediationDescription\": \"To protect a virtual machine with a Network Security Group:
1. Select a VM from the list below, or click \\\"Take action\\\" if you've arrived from a recommendation for a specific VM.
2. Assign the relevant NSG to the NIC or subnet for the VM you're protecting:
a. To assign the NSG to the VM's subnet (recommended):
i. In the Networking page, select the 'Virtual network/subnet'.
ii. Open the \\\"Subnets\\\" menu.
iii. Select the subnet where your VM is deployed.
iv. Select the Network Security Group to assign to the subnet and click \\\"Save\\\".
b. To assign the NSG to the NIC:
i. In the Networking page, select the network interface that's associated with the selected VM.
ii. In the Network interfaces page, select the 'Network security group' menu item.
iii. Click 'Edit' at the top of the page.
iv. Follow the on-screen instructions and select the Network Security Group to assign to this NIC.
Click here to learn more.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a9341235-9389-42f0-a0bf-9bfb57960d44\",\r\n \"name\": \"a9341235-9389-42f0-a0bf-9bfb57960d44\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Non-internet-facing virtual machines should be protected with network security groups\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6\",\r\n \"description\": \"Protect your non-internet-facing virtual machine from potential threats by restricting access to it with a network security group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your VM from other instances, whether or not they're on the same subnet.
Note that to keep your machine as secure as possible, the VM's access to the internet must be restricted and an NSG should be enabled on the subnet.\",\r\n \"remediationDescription\": \"To protect a virtual machine with a network security group:
1. Select a VM from the list below, or click \\\"Take action\\\" if you've arrived from a recommendation for a specific VM.
2. Assign the relevant NSG to the NIC or subnet for the VM you're protecting:
a. To assign the NSG to the VM's subnet (recommended):
i. In the Networking page, select the 'Virtual network/subnet'.
ii. Open the \\\"Subnets\\\" menu.
iii. Select the subnet where your VM is deployed.
iv. Select the network security group to assign to the subnet and select \\\"Save\\\".
b. To assign the NSG to the NIC:
i. In the Networking page, select the network interface that's associated with the selected VM.
ii. In the Network interfaces page, select the 'Network security group' menu item.
iii. Select 'Edit' at the top of the page.
iv. Follow the on-screen instructions and select the network security group to assign to this NIC.
Learn more.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/550e890b-e652-4d22-8274-60b3bdb24c63\",\r\n \"name\": \"550e890b-e652-4d22-8274-60b3bdb24c63\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Enable the built-in vulnerability assessment solution on virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9\",\r\n \"description\": \"Install the Qualys extension (built-in to the Azure Security Center standard tier) to enable the industry-leading vulnerability assessment solution on your virtual machines.\",\r\n \"remediationDescription\": \"To remediate with a single click, in the Unhealthy resources tab (below), select the resources, and click 'Remediate'. Read the remediation details in the confirmation box, insert the relevant parameters if required and approve the remediation. Note: It can take several minutes after remediation completes to see the resources in the ‘healthy resources’\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ffff0522-1e88-47fc-8382-2a80ba848f5d\",\r\n \"name\": \"ffff0522-1e88-47fc-8382-2a80ba848f5d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"A vulnerability assessment solution should be enabled on your virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9\",\r\n \"description\": \"Install the extension to enable a vulnerability assessment solution on your virtual machines.\",\r\n \"remediationDescription\": \"To remediate with a single click, in the Unhealthy resources tab (below), select the resources, and click 'Remediate'. Read the remediation details in the confirmation box, insert the relevant parameters if required and approve the remediation. Note: It can take several hours after remediation completes to see the resources in the ‘healthy resources’\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/57f36d21-69e3-4b0f-a66c-18629d1b736d\",\r\n \"name\": \"57f36d21-69e3-4b0f-a66c-18629d1b736d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Adaptive Network Hardening recommendations should be applied on internal facing virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Azure Security Center has analyzed the Internet traffic communication patterns of the virtual machines listed below, and determined that the existing rules in the NSGs associated to them are overly permissive, resulting in an increased potential attack surface. This could be due lack of traffic on the port/protocol tuples or specific IPs which have been flagged as malicious by Security Center's threat intelligence sources.\",\r\n \"remediationDescription\": \"Security Center recommends that you modify the rules of your virtual machines, to close ports which are not in use.
To close unused ports on your Virtual Machine with a Network Security Group
1. Select a Virtual Machine to display a list of its unused open ports
2. Open the Virtual Machine's Networking blade by clicking its name
3. Edit the Virtual Machine's inbound/outbound rules to block ports according to the list
4. Click Save\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/24d8af06-d441-40b4-a49c-311421aa9f58\",\r\n \"name\": \"24d8af06-d441-40b4-a49c-311421aa9f58\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Network traffic data collection agent should be installed on Windows virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2f2ee1de-44aa-4762-b6bd-0893fc3f306d\",\r\n \"description\": \"Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats.\",\r\n \"remediationDescription\": \"Installation of the dependency agent and enabling data collection in Security Center can be done in several ways:
- Using Security Center automatic provisioning on your subscription(s).
- This will automatically provision the Microsoft Monitoring Dependency Agent on current and future-created virtual machines on your subscription(s). Learn more
- You can also enable it for specific subscriptions and customize additional settings by clicking on the 'Pricing & settings' menu item
- click on a subscription and enable auto provisioning in the 'data collection' menu item.
- Install the Microsoft Monitoring Dependency agent on your Virtual machines as a VM extension or directly, by following these instructions:
- Provision the Microsoft Monitoring Dependency agent with Azure Policies. The applicable policy definitions are:
- '[Preview]: Deploy Microsoft Monitoring Dependency Agent for Windows VMs.'
\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8c3e93d3-0276-4d06-b20a-9a9f3012742c\",\r\n \"name\": \"8c3e93d3-0276-4d06-b20a-9a9f3012742c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Network traffic data collection agent should be installed on Linux virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/04c4380f-3fae-46e8-96c9-30193528f602\",\r\n \"description\": \"Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats.\",\r\n \"remediationDescription\": \"Installation of the dependency agent and enabling data collection in Security Center can be done in several ways:
- Using Security Center automatic provisioning on your subscription(s).
- This will automatically provision the Microsoft Monitoring Dependency Agent on current and future-created virtual machines on your subscription(s). Learn more
- You can also enable it for specific subscriptions and customize additional settings by clicking on the 'Pricing & settings' menu item
- click on a subscription and enable auto provisioning in the 'data collection' menu item.
- Install the Microsoft Monitoring Dependency agent on your Virtual machines as a VM extension or directly, by following these instructions:
- Provision the Microsoft Monitoring Dependency agent with Azure Policies. The applicable policy definitions are:
- '[Preview]: Deploy Microsoft Monitoring Dependency Agent for Linux VMs.'
\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f67fb4ed-d481-44d7-91e5-efadf504f74a\",\r\n \"name\": \"f67fb4ed-d481-44d7-91e5-efadf504f74a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Virtual networks should be protected by Azure Firewall\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fc5e4038-4584-4632-8c85-c0448d374b2c\",\r\n \"description\": \"Some of your virtual networks aren't protected with a firewall. Use Azure Firewall to restricting access to your virtual networks and prevent potential threats. To learn more about Azure Firewall,
Click here\",\r\n \"remediationDescription\": \"To protect your virtual networks with Azure Firewall:
1. From the list below, select a network. Or select Take action if you've arrived here from a specific virtual network page.
2. Follow the Azure Firewall deployment instructions. Make sure to configure all default routes properly.
Important: Azure Firewall is billed separately from Azure Security Center. Learn more about Azure Firewall pricing.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b1af52e4-e968-4e2b-b6d0-6736c9651f0a\",\r\n \"name\": \"b1af52e4-e968-4e2b-b6d0-6736c9651f0a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Defender for Key Vault should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/0e6763cc-5078-4e64-889d-ff4d9a839047\",\r\n \"description\": \"Azure Security Center includes Azure Defender for Key Vault, providing an additional layer of security intelligence.
Azure Defender for Key Vault detects unusual and potentially harmful attempts to access or exploit Key Vault accounts.
Important: Remediating this recommendation will result in charges for protecting your key vaults. If you don't have any key vaults in this subscription, no charges will be incurred.
If you create any key vaults on this subscription in the future, they will automatically be protected and charges will begin at that time.
Learn more about Azure Defender for Key Vault.\",\r\n \"remediationDescription\": \"To enable Azure Defender on all Azure Key Vault vaults in a subscription:
1. Open Security Center's Pricing & settings page.
2. Select the subscription on which you want to enable Azure Defender.
3. Under \\\"Select Azure Defender plan by resource type\\\", set \\\"Key Vault\\\" to \\\"On\\\".\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/58d72d9d-0310-4792-9a3b-6dd111093cdb\",\r\n \"name\": \"58d72d9d-0310-4792-9a3b-6dd111093cdb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Defender for Azure SQL Database servers should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/7fe3b40f-802b-4cdd-8bd4-fd799c948cc2\",\r\n \"description\": \"Azure Defender for SQL is a unified package that provides advanced SQL security capabilities.
It includes functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate a threat to your database, and discovering and classifying sensitive data.
Important: Remediating this recommendation will result in charges for protecting your Azure SQL Database servers. If you don't have any Azure SQL Database servers in this subscription, no charges will be incurred.
If you create any Azure SQL Database servers on this subscription in the future, they will automatically be protected and charges will begin at that time.
Learn more about Azure Defender for Azure SQL Database servers.\",\r\n \"remediationDescription\": \"To enable Azure Defender on all Azure SQL Database servers in a subscription:
1. Open Security Center's Pricing & settings page.
2. Select the subscription on which you want to enable Azure Defender.
3. Under \\\"Select Azure Defender plan by resource type\\\", set \\\"Azure SQL Database servers\\\" to \\\"On\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6ac66a74-761f-4a59-928a-d373eea3f028\",\r\n \"name\": \"6ac66a74-761f-4a59-928a-d373eea3f028\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Defender for SQL servers on machines should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/6581d072-105e-4418-827f-bd446d56421b\",\r\n \"description\": \"Azure Defender for SQL is a unified package that provides advanced SQL security capabilities.
It includes functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate a threat to your database, and discovering and classifying sensitive data.
Important: Remediating this recommendation will result in charges for protecting your SQL servers on machines. If you don't have any SQL servers on machines in this subscription, no charges will be incurred.
If you create any SQL servers on machines on this subscription in the future, they will automatically be protected and charges will begin at that time.
Learn more about Azure Defender for SQL servers on machines.\",\r\n \"remediationDescription\": \"To enable Azure Defender on all SQL servers on machines in a subscription:
1. Open Security Center's Pricing & settings page.
2. Select the subscription on which you want to enable Azure Defender.
3. Under \\\"Select Azure Defender plan by resource type\\\", set \\\"SQL servers on machines\\\" to \\\"On\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1be22853-8ed1-4005-9907-ddad64cb1417\",\r\n \"name\": \"1be22853-8ed1-4005-9907-ddad64cb1417\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Defender for Storage should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/308fbb08-4ab8-4e67-9b29-592e93fb94fa\",\r\n \"description\": \"Azure Defender for storage detects unusual and potentially harmful attempts to access or exploit storage accounts.
Important: Remediating this recommendation will result in charges for protecting your Azure Storage accounts. If you don't have any Azure Storage accounts in this subscription, no charges will be incurred.
If you create any Azure Storage accounts on this subscription in the future, they will automatically be protected and charges will begin at that time.
Learn more about Azure Defender for Storage\",\r\n \"remediationDescription\": \"To enable Azure Defender on all Azure Storage accounts in a subscription:
1. Open Security Center's Pricing & settings page.
2. Select the subscription on which you want to enable Azure Defender.
3. Under \\\"Select pricing tier by resource type\\\", set \\\"Storage\\\" to \\\"Enabled\\\"\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0876ef51-fee7-449d-ba1e-f2662c7e43c6\",\r\n \"name\": \"0876ef51-fee7-449d-ba1e-f2662c7e43c6\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Defender for App Service should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/2913021d-f2fd-4f3d-b958-22354e2bdbcb\",\r\n \"description\": \"Azure Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks.
Azure Defender for App Service can discover attacks on your applications and identify emerging attacks.
Important: Remediating this recommendation will result in charges for protecting your App Service plans. If you don't have any App Service plans in this subscription, no charges will be incurred.
If you create any App Service plans on this subscription in the future, they will automatically be protected and charges will begin at that time.
Learn more about Azure Defender for App Service.\",\r\n \"remediationDescription\": \"To enable Azure Defender on all App Service plans in a subscription:
1. Open Security Center's Pricing & settings page.
2. Select the subscription on which you want to enable Azure Defender.
3. Under \\\"Select Azure Defender plan by resource type\\\", set \\\"App Service\\\" to \\\"On\\\".\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/53572822-d3fc-4363-bfb9-248645841612\",\r\n \"name\": \"53572822-d3fc-4363-bfb9-248645841612\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Defender for container registries should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/c25d9a16-bc35-4e15-a7e5-9db606bf9ed4\",\r\n \"description\": \"To build secure containerized workloads, ensure the images that they're based on are free of known vulnerabilities.
Azure Defender for container registries scans your registry for security vulnerabilities on each pushed container image and exposes detailed findings per image.
To improve your containers' security posture and protect them from attacks, enable Azure Defender for container registries.
Important: Remediating this recommendation will result in charges for protecting your container registries. If you don't have any container registries in this subscription, no charges will be incurred.
If you create any container registries on this subscription in the future, they will automatically be protected and charges will begin at that time.
Learn more about Azure Defender for container registries.\",\r\n \"remediationDescription\": \"To enable Azure Defender on all container registries in a subscription:
1. Open Security Center's Pricing & settings page.
2. Select the subscription on which you want to enable Azure Defender.
3. Under \\\"Select Azure Defender plan by resource type\\\", set \\\"Container Registries\\\" to \\\"On\\\".\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/86ea1a79-29d3-4eac-a9f4-3541ace4e718\",\r\n \"name\": \"86ea1a79-29d3-4eac-a9f4-3541ace4e718\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Defender for Kubernetes should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/523b5cd1-3e23-492f-a539-13118b6d1e3a\",\r\n \"description\": \"Azure Defender for Kubernetes provides real-time threat protection for your containerized environments and generates alerts for suspicious activities.
You can use this information to quickly remediate security issues and improve the security of your containers.
Important: Remediating this recommendation will result in charges for protecting your Kubernetes clusters. If you don't have any Kubernetes clusters in this subscription, no charges will be incurred.
If you create any Kubernetes clusters on this subscription in the future, they will automatically be protected and charges will begin at that time.
Learn more about Azure Defender for Kubernetes.\",\r\n \"remediationDescription\": \"To enable Azure Defender on all Kubernetes clusters in a subscription:
1. Open Security Center's Pricing & settings page.
2. Select the subscription on which you want to enable Azure Defender.
3. Under \\\"Select Azure Defender plan by resource type\\\", set \\\"Kubernetes\\\" to \\\"On\\\".\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"MaliciousInsider\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\",\r\n \"DenialOfService\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/56a6e81f-7413-4f72-9a1b-aaeeaa87c872\",\r\n \"name\": \"56a6e81f-7413-4f72-9a1b-aaeeaa87c872\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Defender for servers should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/4da35fc9-c9e7-4960-aec9-797fe7d9051d\",\r\n \"description\": \"Azure Defender for servers provides real-time threat protection for your server workloads and generates hardening recommendations as well as alerts about suspicious activities.
You can use this information to quickly remediate security issues and improve the security of your servers.
Important: Remediating this recommendation will result in charges for protecting your servers. If you don't have any servers in this subscription, no charges will be incurred.
If you create any servers on this subscription in the future, they will automatically be protected and charges will begin at that time.
Learn more about Azure Defender for servers.\",\r\n \"remediationDescription\": \"To enable Azure Defender on all servers in a subscription:
1. Open Security Center's Pricing & settings page.
2. Select the subscription on which you want to enable Azure Defender.
3. Under \\\"Select Azure Defender plan by resource type\\\", set \\\"Servers\\\" to \\\"On\\\".\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b0df6f56-862d-4730-8597-38c0fd4ebd59\",\r\n \"name\": \"b0df6f56-862d-4730-8597-38c0fd4ebd59\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Sensitive data in your SQL databases should be classified\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/cc9835f2-9f6b-4cc8-ab4a-f8ef615eb349\",\r\n \"description\": \"Azure SQL DB Data discovery & classification provides capabilities for discovering, classifying, labeling, and protecting the sensitive data in your databases. Once your data is classified, you can use Azure SQL DB auditing to audit access and monitor the sensitive data. Azure SQL DB also enables Advanced Threat Protection features which creates intelligent alerts based on changes in the access patterns to the sensitive data.\",\r\n \"remediationDescription\": \"To remediate this recommendation:
1. In your SQL database, go to 'Advanced Data Security' and click 'Data Discovery and Classification'.
2. Review the recommended classifications.
3. Apply the relevant recommendations and dismiss the ones that are not applicable.
4. Please note that the updated health status for the database will not be reflected immediately and can take up to a week to refresh. You can make this happen faster by triggering a database Vulnerability Assessment scan: in your SQL database go to 'Advanced Data Security', click 'Vulnerability Assessment' and click 'Scan'. The health status of the database will be updated within 1 day from scan completion.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f97aa83c-9b63-4f9a-99f6-b22c4398f936\",\r\n \"name\": \"f97aa83c-9b63-4f9a-99f6-b22c4398f936\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerability assessment findings on your SQL servers on machines should be remediated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"SQL Vulnerability Assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.\",\r\n \"remediationDescription\": \"To resolve SQL vulnerabilities:
1. In your SQL database, go to 'Advanced Data Security' and click 'Vulnerability Assessment'.
2. Review the set of Failed security checks found by the scan, which are sorted from high to low risk.
3. Click on each vulnerability to view its details and explicit remediation instructions and scripts.
4. Either remediate the vulnerability using the provided script, or set the result as an acceptable Baseline for the check so that it will be considered passing in subsequent scans.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/dbd0cb49-b563-45e7-9724-889e799fa648\",\r\n \"name\": \"dbd0cb49-b563-45e7-9724-889e799fa648\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities in Azure Container Registry images should be remediated (powered by Qualys)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5f0f936f-2f01-4bf5-b6be-d423792fa562\",\r\n \"description\": \"Container image vulnerability assessment scans your registry for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks.\",\r\n \"remediationDescription\": \"To resolve container image vulnerabilities:
1. Navigate to the relevant resource under the 'Unhealthy' section and select the container image you are looking to remediate.
2. Review the set of failed security checks found by the scan, which are sorted from high to low risk.
3. Click on each vulnerability to view its details and explicit remediation instructions and scripts.
4. Remediate the vulnerability using the provided instructions described in the 'Remediation' field.
5. Upload the new remediated image to your registry. Review scan results for the new image to verify the vulnerability no longer exists.
6. Delete the old image with the vulnerability from your registry.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1195afff-c881-495e-9bc5-1486211ae03f\",\r\n \"name\": \"1195afff-c881-495e-9bc5-1486211ae03f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities in your virtual machines should be remediated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9\",\r\n \"description\": \"Monitors for vulnerability findings on your virtual machines as were discovered by the built-in vulnerability assessment solution of Azure Security Center (powered by Qualys).\",\r\n \"remediationDescription\": \"Review and remediate vulnerabilities discovered by a vulnerability assessment solution.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/82e20e14-edc5-4373-bfc4-f13121257c37\",\r\n \"name\": \"82e20e14-edc5-4373-bfc4-f13121257c37\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerability assessment findings on your SQL databases should be remediated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc\",\r\n \"description\": \"SQL Vulnerability Assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.\",\r\n \"remediationDescription\": \"To resolve SQL vulnerabilities:
1. In your SQL database, go to 'Advanced Data Security' and click 'Vulnerability Assessment'.
2. Review the set of Failed security checks found by the scan, which are sorted from high to low risk.
3. Click on each vulnerability to view its details and explicit remediation instructions and scripts.
4. Either remediate the vulnerability using the provided script, or set the result as an acceptable Baseline for the check so that it will be considered passing in subsequent scans.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4ab6e3c5-74dd-8b35-9ab9-f61b30875b27\",\r\n \"name\": \"4ab6e3c5-74dd-8b35-9ab9-f61b30875b27\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"System updates should be installed on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60\",\r\n \"description\": \"Install missing system security and critical updates to secure your Windows and Linux virtual machines and computers\",\r\n \"remediationDescription\": \"
1. Click an identified outstanding update.
2. In the Missing system updates pane, click the support link (when exists) and follow the instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/37a3689a-818e-4a0e-82ac-b1392b9bb000\",\r\n \"name\": \"37a3689a-818e-4a0e-82ac-b1392b9bb000\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Endpoint protection health issues should be resolved on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9\",\r\n \"description\": \"Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/en-us/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions- Endpoint protection assessment is documented here - https://docs.microsoft.com/en-us/azure/security-center/security-center-endpoint-protection\",\r\n \"remediationDescription\": \"
1. Confirm that your solution is on the list of tools supported by Security Center.
2. For a list of possible health issues with your solution and advice on how to resolve the health issues, consult this page of the Security Center documentation\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/08e628db-e2ed-4793-bc91-d13e684401c3\",\r\n \"name\": \"08e628db-e2ed-4793-bc91-d13e684401c3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Policy Add-on for Kubernetes should be installed and enabled on your clusters\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a15ec92-a229-4763-bb14-0ea34a568f8d\",\r\n \"description\": \"Azure Policy Add-on for Kubernetes extends Gatekeeper v3, an admission controller webhook for Open Policy Agent (OPA), to apply at-scale enforcements and safeguards on your clusters in a centralized, consistent manner.Security Center requires the Add-on to audit and enforce security capabilities and compliance inside your clusters. Learn more.
Requires Kubernetes v1.14.0 or later.
\",\r\n \"remediationDescription\": \"To configure the Azure Policy Add-on for use with your Azure Kubernetes Service cluster, follow the instructions in Install Azure Policy Add-on for AKS.
\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/405c9ae6-49f9-46c4-8873-a86690f27818\",\r\n \"name\": \"405c9ae6-49f9-46c4-8873-a86690f27818\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Container CPU and memory limits should be enforced\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e345eecc-fa47-480f-9e88-67dcc122b164\",\r\n \"description\": \"Enforcing CPU and memory limits prevents resource exhaustion attacks (a form of denial of service attack).We recommend setting limits for containers to ensure the runtime prevents the container from using more than the configured resource limit.
\",\r\n \"remediationDescription\": \"From the 'Unhealthy resources' tab, select the cluster. Security Center lists the pods without CPU and memory limits. To control a pod's limits, set quotas at the container level. Each container of a pod can specify one or both of the following:- spec.containers[].resources.limits.cpu
- spec.containers[].resources.limits.memory
After making your changes, redeploy the pod with the new limits.
Note: Although requests and limits can only be specified on individual containers, it is convenient to talk about pod resource limits. A Pod resource limit is the sum of the resource limits for all the containers in the pod. Learn more.
\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"threats\": [\r\n \"DenialOfService\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5d90913f-a1c5-4429-ad54-2c6c17fb3c73\",\r\n \"name\": \"5d90913f-a1c5-4429-ad54-2c6c17fb3c73\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Privileged containers should be avoided\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/95edb821-ddaf-4404-9732-666045e056b4\",\r\n \"description\": \"To prevent unrestricted host access, avoid privileged containers whenever possible.Privileged containers have all of the root capabilities of a host machine. They can be used as entry points for attacks and to spread malicious code or malware to compromised applications, hosts and networks.
\",\r\n \"remediationDescription\": \"From the 'Unhealthy resources' tab, select the cluster. Security Center lists the pods running privileged containers.For these pods, set the privileged flag to 'false' on the security context of the container's spec. After making your changes, redeploy the pod with the updated spec.
\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"threats\": [\r\n \"ElevationOfPrivilege\",\r\n \"DataExfiltration\",\r\n \"ThreatResistance\",\r\n \"DenialOfService\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8d244d29-fa00-4332-b935-c3a51d525417\",\r\n \"name\": \"8d244d29-fa00-4332-b935-c3a51d525417\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Container images should be deployed from trusted registries only\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/febd0533-8e55-448f-b837-bd0e06f16469\",\r\n \"description\": \"Images running on your Kubernetes cluster should come from known and monitored container image registries. Trusted registries reduce your cluster's exposure risk by limiting the potential for the introduction of unknown vulnerabilities, security issues and malicious images.\",\r\n \"remediationDescription\": \"- Ensure a regex, defining your organization private registries is configured, via the security policy parameters.
- From the 'Unhealthy resources' tab, select the cluster. Security Center lists the pods running images from untrusted registries. If you see a pod running an unfamiliar image, remove it and report the incident to your security admin. Otherwise, move all images to a trusted private registry and redeploy the pods with the updated registry.
\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5f88450f-9546-4b78-a181-a2d9162bb441\",\r\n \"name\": \"5f88450f-9546-4b78-a181-a2d9162bb441\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Containers should listen on allowed ports only\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/440b515e-a580-421e-abeb-b159a61ddcbc\",\r\n \"description\": \"To reduce the attack surface of your Kubernetes cluster, restrict access to the cluster by limiting containers access to the configured ports.\",\r\n \"remediationDescription\": \"- Ensure a list of ports on which your containers are allowed to listen, is configured, via the security policy parameters.
- From the 'Unhealthy resources' tab, select the cluster. Security Centers lists the pods running containers which listen on ports outside the configured list.
- Limit the containers' ports. After making your changes, redeploy the pods with the updated ports.
\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"threats\": [\r\n \"ThreatResistance\",\r\n \"DenialOfService\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/add45209-73f6-4fa5-a5a5-74a451b07fbe\",\r\n \"name\": \"add45209-73f6-4fa5-a5a5-74a451b07fbe\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Services should listen on allowed ports only\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/233a2a17-77ca-4fb1-9b6b-69223d272a44\",\r\n \"description\": \"To reduce the attack surface of your Kubernetes cluster, restrict access to the cluster by limiting services access to the configured ports.\",\r\n \"remediationDescription\": \"- Ensure a list of ports on which your services are allowed to listen, is configured, via the security policy parameters.
- From the 'Unhealthy resources' tab, select the cluster. Security Center lists the services which listen on ports outside the configured list.
- Limit the services' ports. After making your changes, redeploy the services with the updated ports.
\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"threats\": [\r\n \"ThreatResistance\",\r\n \"DenialOfService\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/11c95609-3553-430d-b788-fd41cde8b2db\",\r\n \"name\": \"11c95609-3553-430d-b788-fd41cde8b2db\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Least privileged Linux capabilities should be enforced for containers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c26596ff-4d70-4e6a-9a30-c2506bd2f80c\",\r\n \"description\": \"To reduce attack surface of your container, restrict Linux capabilities and grant specific privileges to containers without granting all the privileges of the root user. We recommend dropping all capabilities, then adding those that are required\",\r\n \"remediationDescription\": \"
1. Make sure lists of dropped capabilities and allowed capabilities are configured, via the security policy parameters.
2. From the Unhealthy resources tab, select the cluster. Security Center lists the running containers with capabilities outside the configured list.
3. Limit the containers' Linux capabilities. To add or remove Linux capabilities for a container, include a capabilities section in the securityContext section of the container manifest with the relevant capabilities set e.g. Drop: ALL ; add: ['NET_ADMIN', 'SYS_TIME'].
4. After making your changes, redeploy the pod with the updated capabilities.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"threats\": [\r\n \"ElevationOfPrivilege\",\r\n \"DataExfiltration\",\r\n \"ThreatResistance\",\r\n \"DenialOfService\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/27d6f0e9-b4d5-468b-ae7e-03d5473fd864\",\r\n \"name\": \"27d6f0e9-b4d5-468b-ae7e-03d5473fd864\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Immutable (read-only) root filesystem should be enforced for containers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/df49d893-a74c-421d-bc95-c663042e5b80\",\r\n \"description\": \"Containers should run with a read only root file system in your Kubernetes cluster. Immutable filesystem protects containers from changes at run-time with malicious binaries being added to PATH.\",\r\n \"remediationDescription\": \"
1. From the Unhealthy resources tab, select the cluster. Security Center lists the pods running containers without read only root file system.
2. For these pods, set the readOnlyRootFilesystem flag to 'true' on the security context of the container's spec.
3. After making your changes, redeploy the pod with the updated spec.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f0debc84-981c-4a0d-924d-aa4bd7d55fef\",\r\n \"name\": \"f0debc84-981c-4a0d-924d-aa4bd7d55fef\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Usage of pod HostPath volume mounts should be restricted to a known list to restrict node access from compromised containers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/098fc59e-46c7-4d99-9b16-64990e543d75\",\r\n \"description\": \"We recommend limiting pod HostPath volume mounts in your Kubernetes cluster to the configured allowed host paths. In case of compromise, the container node access from the containers should be restricted\",\r\n \"remediationDescription\": \"
1. Ensure a list of allowed host paths is configured, via the security policy parameters.
2. From the Unhealthy resources tab, select the cluster. Security Center lists the pods running pods with hostPath volume violating the configured list.
3. Update hostPath and redeploy the pod with the updated spec.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9b795646-9130-41a4-90b7-df9eae2437c8\",\r\n \"name\": \"9b795646-9130-41a4-90b7-df9eae2437c8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Running containers as root user should be avoided\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f06ddb64-5fa3-4b77-b166-acb36f7f6042\",\r\n \"description\": \"Containers should run as a non-root users in your Kubernetes cluster. Running a process as the root user inside a container runs it as root on the host. In case of compromise, an attacker has root in the container, and any mis-configurations become easier to exploit.\",\r\n \"remediationDescription\": \"
1. From the Unhealthy resources tab, select the cluster. Security Center lists the pods running containers missing the 'MustRunAsNonRoot' rule.
2. For these pods, add rule: 'MustRunAsNonRoot' in a runAsUser section of the container's spec.
3. After making your changes, redeploy the pod with the updated rule. \",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ebc68898-5c0f-4353-a426-4a5f1e737b12\",\r\n \"name\": \"ebc68898-5c0f-4353-a426-4a5f1e737b12\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Usage of host networking and ports should be restricted\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/82985f06-dc18-4a48-bc1c-b9f4f0098cfe\",\r\n \"description\": \"Restrict pod access to the host network and the allowable host port range in a Kubernetes cluster. Pods created with the hostNetwork attribute enabled will share the node’s network space. To avoid compromised container from sniffing network traffic, we recommend not putting your pods on the host network. If you need to expose a container port on the node’s network, and using a Kubernetes Service node port does not meet your needs, another possibility is to specify a hostPort for the container in the pod spec.\",\r\n \"remediationDescription\": \"
1. Ensure the following are all configured in the security policy parameters: allow host network usage, and min and max host ports.
2. From the Unhealthy resources tab, select the cluster. Security Center lists the pods running containers with host networking violating the configured list.
3. Validate the host networking using the hostNetwork and hostPort attributes (when applicable) of the container's spec.
4. After making your changes, redeploy the pod with the updated spec.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/802c0637-5a8c-4c98-abd7-7c96d89d6010\",\r\n \"name\": \"802c0637-5a8c-4c98-abd7-7c96d89d6010\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Containers sharing sensitive host namespaces should be avoided\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8\",\r\n \"description\": \"To protect against privilege escalation outside the container, avoid pod access to sensitive host namespaces (host process ID and host IPC) in a Kubernetes cluster.\",\r\n \"remediationDescription\": \"
1. From the Unhealthy resources tab, select the cluster. Security Center lists the pods sharing host process ID or host IPC.
2. Set the host process ID and host IPC to 'false' on the pod's spec.
3. After making your changes, redeploy the pod with the updated spec.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/43dc2a2e-ce69-4d42-923e-ab7d136f2cfe\",\r\n \"name\": \"43dc2a2e-ce69-4d42-923e-ab7d136f2cfe\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Container with privilege escalation should be avoided\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1c6e92c9-99f0-4e55-9cf2-0c234dc48f99\",\r\n \"description\": \"Containers shouldn't run with privilege escalation to root in your Kubernetes cluster.<br>The AllowPrivilegeEscalation attribute controls whether a process can gain more privileges than its parent process.\",\r\n \"remediationDescription\": \"
1. From the Unhealthy resources tab, select the cluster. Security Center lists the pods running containers with privilege escalation to root in your Kubernetes cluster.
2. For these pods, set the AllowPrivilegeEscalation flag to 'false' on the security context of the container's spec.
3. After making your changes, redeploy the pod with the updated spec.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/86f91051-9d6a-47c3-a07f-bd14cb214b45\",\r\n \"name\": \"86f91051-9d6a-47c3-a07f-bd14cb214b45\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Overriding or disabling of containers AppArmor profile should be restricted\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/511f5417-5d12-434d-ab2e-816901e72a5e\",\r\n \"description\": \"Containers running on your Kubernetes cluster should be limited to allowed AppArmor profiles only.<br>AppArmor (Application Armor) is a Linux security module that protects an operating system and its applications from security threats. To use it, a system administrator associates an AppArmor security profile with each program.\",\r\n \"remediationDescription\": \"
1. Ensure a list of AppArmor profiles containers are allowed to use is configured, via the security policy parameters.
2. From the Unhealthy resources tab, select the cluster. Security Center lists the running pods with AppArmor profile violating the configured list.
3. Update AppArmor annotation in the Pod's metadata and redeploy the pod with the updated spec.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\"\r\n }\r\n }\r\n ]\r\n}",
+ "ResponseBody": "{\r\n \"value\": [\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4fb67663-9ab9-475d-b026-8c544cced439\",\r\n \"name\": \"4fb67663-9ab9-475d-b026-8c544cced439\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Endpoint protection should be installed on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9\",\r\n \"description\": \"To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.
Learn more about how Endpoint Protection for machines is evaluated.\",\r\n \"remediationDescription\": \"To remediate missing endpoint protection:
1. Confirm that your solution is on the list of tools supported by Security Center.
2. Install the supported endpoint protection solution or enable an existing tool.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0396b18c-41aa-489c-affd-4ee5d1714a59\",\r\n \"name\": \"0396b18c-41aa-489c-affd-4ee5d1714a59\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Secure Boot should be enabled on your virtual machine\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Enabling Secure Boot on your virtual machine helps mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only signed code will be allowed to run on your VM or server.\",\r\n \"remediationDescription\": \"Enabling Secure Boot requires restarting your virtual machine:
1. Stop your VM when it is safe to do so.
2. Enable Secure Boot for the VM.
3. Restart the VM.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ElevationOfPrivilege\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f7010359-8d21-4598-a9f2-c3e81a17141e\",\r\n \"name\": \"f7010359-8d21-4598-a9f2-c3e81a17141e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"All advanced threat protection types should be enabled in SQL server advanced data security settings\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e756b945-1b1b-480b-8de8-9a0859d5f7ad\",\r\n \"description\": \"It is recommended to enable all advanced threat protection types on your SQL servers. Enabling all types protects against SQL injection, database vulnerabilities, and any other anomalous activities.\",\r\n \"remediationDescription\": \"To set advanced threat protection types to 'All' on SQL servers:
1. Select the SQL server.
2. Make sure that 'Advanced data security' is set to 'On'.
3. Under 'Advanced threat protection types', mark the check box for 'all'.
4. click OK.
5. Click Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ebe970fe-9c27-4dd7-a165-1e943d565e10\",\r\n \"name\": \"ebe970fe-9c27-4dd7-a165-1e943d565e10\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"All advanced threat protection types should be enabled in SQL managed instance advanced data security settings\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bda18df3-5e41-4709-add9-2554ce68c966\",\r\n \"description\": \"It is recommended to enable all advanced threat protection types on your SQL managed instances. Enabling all types protects against SQL injection, database vulnerabilities, and any other anomalous activities.\",\r\n \"remediationDescription\": \"To set advanced threat protection types to 'All' on a managed instance:
1. Select the SQL server.
2. Make sure that 'Advanced data security' is set to 'On'.
3. Under 'Advanced threat protection types', mark the check box for 'all'.
4. click OK.
5. Click Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/64b8637e-4e1d-76a9-0fc9-c1e487a97ed8\",\r\n \"name\": \"64b8637e-4e1d-76a9-0fc9-c1e487a97ed8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Remote debugging should be turned off for Web Applications\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/cb510bfd-1cba-4d9f-a230-cb0976f4bb71\",\r\n \"description\": \"Remote debugging requires inbound ports to be opened on a web application. Remote debugging is currently enabled. If you no longer need to use remote debugging, it should be turned off.\",\r\n \"remediationDescription\": \"To turn off remote debugging, we recommend the following steps:
1. Go to the app service applications settings page
2. In the remote debugging toggle select Off
3. Click Save\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/df4d1739-47f0-60c7-1706-3731fea6ab03\",\r\n \"name\": \"df4d1739-47f0-60c7-1706-3731fea6ab03\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CORS should not allow every resource to access your Web Applications\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/5744710e-cc2f-4ee8-8809-3b11e89f4bc9\",\r\n \"description\": \"Cross-Origin Resource Sharing (CORS) should not allow all domains to access your web application. Allow only required domains to interact with your web app.\",\r\n \"remediationDescription\": \"To allow only required domains to interact with your web app, we recommend the following steps:
1. Go to the app service CORS page
2. Remove the \\\"*\\\" defined and instead specify explicit origins that should be allowed to make cross-origin calls
3. Click Save\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1b351b29-41ca-6df5-946c-c190a56be5fe\",\r\n \"name\": \"1b351b29-41ca-6df5-946c-c190a56be5fe\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Web Application should only be accessible over HTTPS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d\",\r\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\",\r\n \"remediationDescription\": \"To redirect all HTTP traffic to HTTPS, we recommend the following steps:
1. Go to the app service custom domains page
2. In the HTTPS Only toggle select On\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/093c685b-56dd-13a3-8ed5-887a001837a2\",\r\n \"name\": \"093c685b-56dd-13a3-8ed5-887a001837a2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Remote debugging should be turned off for Function App\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/0e60b895-3786-45da-8377-9c6b4b6ac5f9\",\r\n \"description\": \"Remote debugging requires inbound ports to be opened on an function app. Remote debugging should be turned off.\",\r\n \"remediationDescription\": \"To turn off remote debugging, we recommend the following steps:
1. Go to the app service applications settings page
2. In the remote debugging toggle select Off
3. Click Save\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7b3d4796-9400-2904-692b-4a5ede7f0a1e\",\r\n \"name\": \"7b3d4796-9400-2904-692b-4a5ede7f0a1e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CORS should not allow every resource to access your Function App\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/0820b7b9-23aa-4725-a1ce-ae4558f718e5\",\r\n \"description\": \"Cross-Origin Resource Sharing (CORS) should not allow all domains to access your Function app. Allow only required domains to interact with your Function app.\",\r\n \"remediationDescription\": \"To allow only required domains to interact with your web app, we recommend the following steps:
1. Go to the app service CORS page
2. Remove the \\\"*\\\" defined and instead specify explicit origins that should be allowed to make cross-origin calls
3. Click Save\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/cb0acdc6-0846-fd48-debe-9905af151b6d\",\r\n \"name\": \"cb0acdc6-0846-fd48-debe-9905af151b6d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Function App should only be accessible over HTTPS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab\",\r\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\",\r\n \"remediationDescription\": \"To redirect all HTTP traffic to HTTPS, we recommend the following steps:
1. Go to the app service custom domains page
2. In the HTTPS Only toggle select On\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9172da4e-9571-6e33-2b5b-d742847f3be7\",\r\n \"name\": \"9172da4e-9571-6e33-2b5b-d742847f3be7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Remote debugging should be turned off for API App\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/e9c8d085-d9cc-4b17-9cdc-059f1f01f19e\",\r\n \"description\": \"Remote debugging requires inbound ports to be opened on an API app. Remote debugging should be turned off.\",\r\n \"remediationDescription\": \"To turn off remote debugging, we recommend the following steps:
1. Go to the app service applications settings page
2. In the remote debugging toggle select Off
3. Click Save\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e40df93c-7a7c-1b0a-c787-9987ceb98e54\",\r\n \"name\": \"e40df93c-7a7c-1b0a-c787-9987ceb98e54\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CORS should not allow every resource to access your API App\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/358c20a6-3f9e-4f0e-97ff-c6ce485e2aac\",\r\n \"description\": \"Cross-Origin Resource Sharing (CORS) should not allow all domains to access your API app. Allow only required domains to interact with your API app.\",\r\n \"remediationDescription\": \"To allow only required domains to interact with your web app, we recommend the following steps:
1. Go to the app service CORS page
2. Remove the \\\"*\\\" defined and instead specify explicit origins that should be allowed to make cross-origin calls
3. Click Save\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bf82a334-13b6-ca57-ea75-096fc2ffce50\",\r\n \"name\": \"bf82a334-13b6-ca57-ea75-096fc2ffce50\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"API App should only be accessible over HTTPS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b7ddfbdc-1260-477d-91fd-98bd9be789a6\",\r\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\",\r\n \"remediationDescription\": \"To redirect all HTTP traffic to HTTPS, we recommend the following steps:
1. Go to the app service custom domains page
2. In the HTTPS Only toggle select On\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d57a4221-a804-52ca-3dea-768284f06bb7\",\r\n \"name\": \"d57a4221-a804-52ca-3dea-768284f06bb7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Disk encryption should be applied on virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d\",\r\n \"description\": \"Encrypt your virtual machine disks using Azure Disk Encryption both for Windows and Linux virtual machines.
\\n Azure Disk Encryption (ADE) leverages the industry standard BitLocker feature of Windows and the DM-Crypt feature of Linux to
\\n provide OS and data disk encryption to help protect and safeguard your data and help meet your organizational security and
\\n compliance commitments in customer Azure key vault. When your compliance and security requirement requires you to encrypt
\\n the data end to end using your encryption keys, including encryption of the ephemeral (locally attached temporary) disk, use
\\n Azure disk encryption. Alternatively, by default, Managed Disks are encrypted at rest by default using Azure Storage Service
\\n Encryption where the encryption keys are Microsoft managed keys in Azure. If this meets your compliance and security requirements,
\\n you can leverage the default Managed disk encryption to meet your requirements.\",\r\n \"remediationDescription\": \"To enable disk encryption on your virtual machines, follow Encryption instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c0f5316d-5ac5-9218-b77a-b96e16ccfd66\",\r\n \"name\": \"c0f5316d-5ac5-9218-b77a-b96e16ccfd66\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Your machines should be restarted to apply system updates\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60\",\r\n \"description\": \"Restart your machines to apply the system updates and secure the machine from vulnerabilities.\",\r\n \"remediationDescription\": \"To restart the machine:
1. Go to Virtual machines and click on your machine.
2. Click 'Restart'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/181ac480-f7c4-544b-9865-11b8ffe87f47\",\r\n \"name\": \"181ac480-f7c4-544b-9865-11b8ffe87f47\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities in security configuration on your machines should be remediated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15\",\r\n \"description\": \"Remediate vulnerabilities in security configuration on your machines to protect them from attacks.\",\r\n \"remediationDescription\": \"1.\\tClick any of the configuration vulnerabilities. 2. In the Remediate security configurations pane, click View affected machines. 3. Click a machine from the list. 4. Customize the Kusto query as necessary and run the command.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3bcd234d-c9c7-c2a2-89e0-c01f419c1a8a\",\r\n \"name\": \"3bcd234d-c9c7-c2a2-89e0-c01f419c1a8a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Endpoint protection health issues should be resolved on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9\",\r\n \"description\": \"For full Security Center protection, resolve monitoring agent issues on your machines by following the instructions in the Troubleshooting guide.\",\r\n \"remediationDescription\": \"1. Click any of the health issues. 2. Select a workspace. 3. Customize the Kusto query as necessary and run the command.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/83f577bd-a1b6-b7e1-0891-12ca19d1e6df\",\r\n \"name\": \"83f577bd-a1b6-b7e1-0891-12ca19d1e6df\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Install endpoint protection solution on virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9\",\r\n \"description\": \"Install an endpoint protection solution on your virtual machines, to protect them from threats and vulnerabilities.\",\r\n \"remediationDescription\": \"1.\\tSelect one or more virtual machines, or use the filter to set criteria for which machines to select. 2. Click Install on [x] VMs.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/651967bf-044e-4bde-8376-3e08e0600105\",\r\n \"name\": \"651967bf-044e-4bde-8376-3e08e0600105\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Transparent Data Encryption on SQL databases should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/17k78e20-9358-41c9-923c-fb736d382a12\",\r\n \"description\": \"Enable transparent data encryption to protect data-at-rest and meet compliance requirements\",\r\n \"remediationDescription\": \"To enable transparent data encryption on your SQL databases:
1. Select the SQL database.
2. Under Data encryption, select On.
3. Click Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/94208a8b-16e8-4e5b-abbd-4e81c9d02bee\",\r\n \"name\": \"94208a8b-16e8-4e5b-abbd-4e81c9d02bee\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Auditing on SQL server should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9\",\r\n \"description\": \"Enable auditing on your SQL Server to track database activities across all databases on the server and save them in an audit log.\",\r\n \"remediationDescription\": \"To enable SQL server auditing:
1. Select the SQL server.
2. Under Auditing, select On.
3. Select Storage details and configure a storage account for the audit log.
4. Click Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8bc390da-9eb6-938d-25ed-44a35d9bcc9d\",\r\n \"name\": \"8bc390da-9eb6-938d-25ed-44a35d9bcc9d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"OS version should be updated for your cloud service roles\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5a913c68-0590-402c-a531-e57e19379da3\",\r\n \"description\": \"Update the operating system (OS) version for your cloud service roles to the most recent version available for your OS family.\",\r\n \"remediationDescription\": \"Update the OS version on your cloud service roles to make sure you have the most recent OS version. To do this, follow the instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/383cf3bc-fdf9-4a02-120a-3e7e36c6bfee\",\r\n \"name\": \"383cf3bc-fdf9-4a02-120a-3e7e36c6bfee\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Install endpoint protection solution on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Install an endpoint protection solution on your Windows and Linux machines, to protect them from threats and vulnerabilities.\",\r\n \"remediationDescription\": \"1. Select one or more machines, or use the filter to set criteria for which machines to select. 2. Click Install on [x] machines.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e7ee30c4-bac9-2966-54bd-2023a4282872\",\r\n \"name\": \"e7ee30c4-bac9-2966-54bd-2023a4282872\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Monitoring agent should be installed on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This action installs a monitoring agent on the selected virtual machines. Select a workspace for the agent to report to.\",\r\n \"remediationDescription\": \"1. For instructions on how to install the agent on Windows, click here 2. For instructions on how to install the agent on Linux, click here\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8e2b96ff-3de2-289b-b5c1-3b9921a3441e\",\r\n \"name\": \"8e2b96ff-3de2-289b-b5c1-3b9921a3441e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Log Analytics agent health issues should be resolved on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d62cfe2b-3ab0-4d41-980d-76803b58ca65\",\r\n \"description\": \"Security Center uses the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA). To make sure your virtual machines are successfully monitored, you need to make sure the agent is both installed on the virtual machines and properly collects security events to the configured workspace.\",\r\n \"remediationDescription\": \"To resolve Log Analytics agent health issues and see the different resolution for each issue, please see the following instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d1db3318-01ff-16de-29eb-28b344515626\",\r\n \"name\": \"d1db3318-01ff-16de-29eb-28b344515626\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Log Analytics agent should be installed on your virtual machine\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499\",\r\n \"description\": \"Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats. Data is collected using the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA), which reads various security-related configurations and event logs from the machine and copies the data to your Log Analytics workspace for analysis. This agent is also is required if your VMs are used by an Azure managed service such as Azure Kubernetes Service or Azure Service Fabric. We recommend configuring auto-provisioning to automatically deploy the agent. If you choose not to use auto-provisioning, manually deploy the agent to your VMs using the instructions in the remediation steps.\",\r\n \"remediationDescription\": \"For multiple ways to install and configure your Log Analytics agent please see the following instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/151e82c5-5341-a74b-1eb0-bc38d2c84bb5\",\r\n \"name\": \"151e82c5-5341-a74b-1eb0-bc38d2c84bb5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"MFA should be enabled on accounts with read permissions on your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e3576e28-8b17-4677-84c3-db2990658d64\",\r\n \"description\": \"Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources.\",\r\n \"remediationDescription\": \"To enable MFA using conditional access you must have an Azure AD Premium license and have AD tenant admin permissions.
1. Select the relevant subscription or click 'Take action' if it's available. The list of user accounts without MFA appears.
2. Click 'Continue'. The Azure AD Conditional Access page appears.
3. In the Conditional Access page, add the list of users to a policy (create a policy if one doesn't exist).
4. For your conditional access policy, ensure the following:
a. In the 'Access controls' section, multi-factor authentication is granted.
b. In the 'Cloud Apps or actions' section's 'Include' tab, check that Microsoft Azure Management (App Id :797f4846-ba00-4fd7-ba43-dac1f8f63013) or 'All apps' is selected. In the 'Exclude' tab, check that it is not excluded.
To enable MFA security defaults in Azure Active Directory (included in Azure AD free):
1. Sign in to the Azure AD - Properties page as a security administrator, Conditional Access administrator, or global administrator.
2. From the bottom of the page, select Manage security defaults.
3. Set Enable security defaults to Yes.
4. Select Save.
Note: It can take up to 12 hours for the change to be reflected in Security Center.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/57e98606-6b1e-6193-0e3d-fe621387c16b\",\r\n \"name\": \"57e98606-6b1e-6193-0e3d-fe621387c16b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"MFA should be enabled on accounts with write permissions on your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9297c21d-2ed6-4474-b48f-163f75654ce3\",\r\n \"description\": \"Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources.\",\r\n \"remediationDescription\": \"To enable MFA using conditional access you must have an Azure AD Premium license and have AD tenant admin permissions.
1. Select the relevant subscription or click 'Take action' if it's available. The list of user accounts without MFA appears.
2. Click 'Continue'. The Azure AD Conditional Access page appears.
3. In the Conditional Access page, add the list of users to a policy (create a policy if one doesn't exist).
4. For your conditional access policy, ensure the following:
a. In the 'Access controls' section, multi-factor authentication is granted.
b. In the 'Cloud Apps or actions' section's 'Include' tab, check that Microsoft Azure Management (App Id :797f4846-ba00-4fd7-ba43-dac1f8f63013) or 'All apps' is selected. In the 'Exclude' tab, check that it is not excluded.
To enable MFA security defaults in Azure Active Directory (included in Azure AD free):
1. Sign in to the Azure AD - Properties page as a security administrator, Conditional Access administrator, or global administrator.
2. From the bottom of the page, select Manage security defaults.
3. Set Enable security defaults to Yes.
4. Select Save.
Note: It can take up to 12 hours for the change to be reflected in Security Center.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/94290b00-4d0c-d7b4-7cea-064a9554e681\",\r\n \"name\": \"94290b00-4d0c-d7b4-7cea-064a9554e681\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"MFA should be enabled on accounts with owner permissions on your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/aa633080-8b72-40c4-a2d7-d00c03e80bed\",\r\n \"description\": \"Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources.\",\r\n \"remediationDescription\": \"To enable MFA using conditional access you must have an Azure AD Premium license and have AD tenant admin permissions.
1. Select the relevant subscription or click 'Take action' if it's available. The list of user accounts without MFA appears.
2. Click 'Continue'. The Azure AD Conditional Access page appears.
3. In the Conditional Access page, add the list of users to a policy (create a policy if one doesn't exist).
4. For your conditional access policy, ensure the following:
a. In the 'Access controls' section, multi-factor authentication is granted.
b. In the 'Cloud Apps or actions' section's 'Include' tab, check that Microsoft Azure Management (App Id :797f4846-ba00-4fd7-ba43-dac1f8f63013) or 'All apps' is selected. In the 'Exclude' tab, check that it is not excluded.
To enable MFA security defaults in Azure Active Directory (included in Azure AD free):
1. Sign in to the Azure AD - Properties page as a security administrator, Conditional Access administrator, or global administrator.
2. From the bottom of the page, select Manage security defaults.
3. Set Enable security defaults to Yes.
4. Select Save.
Note: It can take up to 12 hours for the change to be reflected in Security Center.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a8c6a4ad-d51e-88fe-2979-d3ee3c864f8b\",\r\n \"name\": \"a8c6a4ad-d51e-88fe-2979-d3ee3c864f8b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"External accounts with read permissions should be removed from your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5f76cf89-fbf2-47fd-a3f4-b891fa780b60\",\r\n \"description\": \"Accounts with read permissions that have different domain names (external accounts), should be removed from your subscription. This prevents unmonitored access. These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"To remove external accounts:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The list of external user accounts that require access removal opens.
Click 'Continue'. The Access control (IAM) page opens.
In the Access control page:
1. Click the 'Role assignments'
2. Search and select the users that were in the list of user accounts that require removal. You can scroll back to the left to see the list.
3. Click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/04e7147b-0deb-9796-2e5c-0336343ceb3d\",\r\n \"name\": \"04e7147b-0deb-9796-2e5c-0336343ceb3d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"External accounts with write permissions should be removed from your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5c607a2e-c700-4744-8254-d77e7c9eb5e4\",\r\n \"description\": \"Accounts with write permissions that have different domain names (external accounts), should be removed from your subscription. This prevents unmonitored access. These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"To remove external accounts:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The list of external user accounts that require access removal opens.
Click 'Continue'. The Access control (IAM) page opens.
In the Access control page:
1. Click the 'Role assignments'
2. Search and select the users that were in the list of user accounts that require removal. You can scroll back to the left to see the list.
3. Click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c3b6ae71-f1f0-31b4-e6c1-d5951285d03d\",\r\n \"name\": \"c3b6ae71-f1f0-31b4-e6c1-d5951285d03d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"External accounts with owner permissions should be removed from your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f8456c1c-aa66-4dfb-861a-25d127b775c9\",\r\n \"description\": \"Accounts with owner permissions that have different domain names (external accounts), should be removed from your subscription. This prevents unmonitored access. These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"To remove external accounts:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The list of external user accounts that require access removal opens.
Click 'Continue'. The Access control (IAM) page opens.
In the Access control page:
1. Click the 'Role assignments'
2. Search and select the users that were in the list of user accounts that require removal. You can scroll back to the left to see the list.
3. Click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/00c6d40b-e990-6acf-d4f3-471e747a27c4\",\r\n \"name\": \"00c6d40b-e990-6acf-d4f3-471e747a27c4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Deprecated accounts should be removed from your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6b1cbf55-e8b6-442f-ba4c-7246b6381474\",\r\n \"description\": \"User accounts that have been blocked from signing in, should be removed from your subscriptions.
These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"To remove blocked user accounts:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The list of blocked user accounts opens.
Click 'Continue'. The Access control (IAM) page opens.
In the Access control page:
1. Click the 'Role assignments' tab.
2. Search and select the users that were in the list of blocked user accounts that require removal. You can scroll back to the left to see the list.
3. Click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e52064aa-6853-e252-a11e-dffc675689c2\",\r\n \"name\": \"e52064aa-6853-e252-a11e-dffc675689c2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Deprecated accounts with owner permissions should be removed from your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ebb62a0c-3560-49e1-89ed-27e074e9f8ad\",\r\n \"description\": \"User accounts that have been blocked from signing in, should be removed from your subscriptions.
These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"To remove blocked user accounts:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The list of blocked user accounts opens.
Click 'Continue'. The Access control (IAM) page opens.
In the Access control page:
1. Click the 'Role assignments' tab.
2. Search and select the users that were in the list of blocked user accounts that require removal. You can scroll back to the left to see the list.
3. Click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6f90a6d6-d4d6-0794-0ec1-98fa77878c2e\",\r\n \"name\": \"6f90a6d6-d4d6-0794-0ec1-98fa77878c2e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"A maximum of 3 owners should be designated for your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4f11b553-d42e-4e3a-89be-32ca364cad4c\",\r\n \"description\": \"It is recommended to designate up to {0} subscription owners in order to reduce the potential for breach by a compromised owner.\",\r\n \"remediationDescription\": \"To remove owner permissions from user accounts on your subscription:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The Access control (IAM) page opens.
1. Click the Role assignments tab and set the 'Role' filter to 'Owner'.
2. Select the owners you want to remove.
3. Click Remove.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2c79b4af-f830-b61e-92b9-63dfa30f16e4\",\r\n \"name\": \"2c79b4af-f830-b61e-92b9-63dfa30f16e4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"There should be more than one owner assigned to your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/09024ccc-0c5f-475e-9457-b7c0d9ed487b\",\r\n \"description\": \"Designate more than one subscription owner in order to have administrator access redundancy.\",\r\n \"remediationDescription\": \"To add another account with owner permissions to your subscription:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The Access control (IAM) page opens.
1. Click 'Add' to open the Add role assignment pane.
If you don't have permissions to assign roles, the Add role assignment option will be disabled
1. In the 'Role' drop-down list, select the Owner role.
2. In the Select list, select a user.
3. Click Save.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0677209d-e675-2c6f-e91a-54cef2878663\",\r\n \"name\": \"0677209d-e675-2c6f-e91a-54cef2878663\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities in container security configurations should be remediated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933\",\r\n \"description\": \"Remediate vulnerabilities in security configuration on machines with Docker installed to protect them from attacks.\",\r\n \"remediationDescription\": \"To remediate vulnerabilities in the container security configurations:
1. Review the list of failed rules.
2. Fix each rule according to the specified instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1db4f204-cb5a-4c9c-9254-7556403ce51c\",\r\n \"name\": \"1db4f204-cb5a-4c9c-9254-7556403ce51c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerability assessment should be enabled on your SQL servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9\",\r\n \"description\": \"Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities.\",\r\n \"remediationDescription\": \"To enable vulnerability assessment on SQL servers:
1. Select the SQL server.
2. Make sure that 'Advanced data security' is set to 'On'.
3. Under 'Vulnerability assessment settings', set 'Periodic recurring scans' to 'On', and configure a storage account for storing vulnerability assessment scan results.
4. Click Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/400a6682-992c-4726-9549-629fbc3b988f\",\r\n \"name\": \"400a6682-992c-4726-9549-629fbc3b988f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Defender for SQL should be enabled on your SQL servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9\",\r\n \"description\": \"Azure Defender for SQL is a unified package that provides advanced SQL security capabilities. It surfaces and mitigates potential database vulnerabilities, and detects anomalous activities that could indicate a threat to your database. Azure Defender for SQL is billed as shown on the pricing page.\",\r\n \"remediationDescription\": \"To enable Azure Defender for SQL on SQL servers: 1. Select the SQL server. 2. Under 'Security Center', set Azure Defender for SQL to 'On'. 3. Under 'Vulnerability Assessment Settings', configure a storage account for storing vulnerability assessment scan results and set 'Periodic recurring scans' to 'On'. 4. Click Save.
Note: Azure Defender for SQL is billed as shown on the pricing page\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f0553104-cfdb-65e6-759c-002812e38500\",\r\n \"name\": \"f0553104-cfdb-65e6-759c-002812e38500\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"An Azure Active Directory administrator should be provisioned for SQL servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9\",\r\n \"description\": \"Provision an Azure AD administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services.\",\r\n \"remediationDescription\": \"To provision an Azure AD administrator for SQL server, see Configure and manage Azure Active Directory authentication with SQL Database, Managed Instance, or SQL Data Warehouse\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/12018f4f-3d10-999b-e4c4-86ec25be08a1\",\r\n \"name\": \"12018f4f-3d10-999b-e4c4-86ec25be08a1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Virtual machines should be migrated to new Azure Resource Manager resources\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d\",\r\n \"description\": \"Virtual Machines (classic) was deprecated and these VMs should be migrated to Azure Resource Manager.
Because Azure Resource Manager now has full IaaS capabilities and other advancements, we deprecated the management of IaaS virtual machines (VMs) through Azure Service Manager (ASM) on February 28, 2020. This functionality will be fully retired on March 1, 2023.
Available resources and information about this tool & migration:
1. Overview of Virtual machines (classic) deprecation, step by step process for migration & available microsoft resources.
2. Details about Migrate to ARM migration tool.
3. Migrate to ARM migration tool using Power shell.\",\r\n \"remediationDescription\": \"To migrate virtual machines to new ARM resources:
1. Go to the Virtual machines (classic) Portal Blade.
2. Click on Migrate to ARM.
3. Click on Validate. If validate failed, use the suggested methods in the error messages or Migration Overview document to fix the errors.
4. Click on Prepare. If prepare failed, use the suggested methods in the error messages or Migration Overview document to fix the errors.
5. (Optional) Click on Abort to rollback migration.
6. Click on Commit. Commit finalizes the migration and cannot be rolled back.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/22e18b64-4576-41e6-8972-0eb28c9af0c8\",\r\n \"name\": \"22e18b64-4576-41e6-8972-0eb28c9af0c8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fb893a29-21bb-418c-a157-e99480ec364c\",\r\n \"description\": \"Upgrade your Kubernetes service cluster to a later Kubernetes version to protect against known vulnerabilities in your current Kubernetes version. Vulnerability CVE-2019-9946 has been patched in Kubernetes versions 1.11.9+, 1.12.7+, 1.13.5+, and 1.14.0+\",\r\n \"remediationDescription\": \"To upgrade a Kubernetes version using the Azure portal:
1. Go to Azure Kubernetes Services and click on the specific Kubernetes Service.
2. Under 'Upgrade' select the target Kubernetes version and save the change. Note:When you upgrade an AKS cluster, Kubernetes minor versions cannot be skipped. For example, upgrades between 1.10.x -> 1.11.x or 1.11.x -> 1.12.x are allowed, however 1.10.x -> 1.12.x is not. To upgrade from 1.10.x -> 1.12.x, first upgrade from 1.10.x -> 1.11.x, then upgrade from 1.11.x -> 1.12.x.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"ElevationOfPrivilege\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1a2b5b4c-f80d-46e7-ac81-b51a9fb363de\",\r\n \"name\": \"1a2b5b4c-f80d-46e7-ac81-b51a9fb363de\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Authorized IP ranges should be defined on Kubernetes Services\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e246bcf-5f6f-4f87-bc6f-775d4712c7ea\",\r\n \"description\": \"Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster.\",\r\n \"remediationDescription\": \"To configure authorized IP ranges, follow the steps described here Secure access to the API server using authorized IP address ranges in Azure Kubernetes Service (AKS). If you are using Basic load balancer, you need to first migrate to Standard to use authorized IP ranges.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DenialOfService\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a3eee263-aa01-4b52-a7c0-0094578ef48f\",\r\n \"name\": \"a3eee263-aa01-4b52-a7c0-0094578ef48f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Pod Security Policies should be defined on Kubernetes Services (Deprecated)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3abeb944-26af-43ee-b83d-32aaf060fb94\",\r\n \"description\": \"(Deprecated) Define Pod Security Policies to reduce the attack vector by removing unnecessary application privileges. It is recommended to configure Pod Security Policies to only allow pods to access the resources which they have permissions to access.\",\r\n \"remediationDescription\": \"To configure Pod Security Policies, follow the steps described here Secure your cluster using pod security policies in Azure Kubernetes Service (AKS).\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ElevationOfPrivilege\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b0fdc63a-38e7-4bab-a7c4-2c2665abbaa9\",\r\n \"name\": \"b0fdc63a-38e7-4bab-a7c4-2c2665abbaa9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Role-Based Access Control should be used on Kubernetes Services\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ac4a19c2-fa67-49b4-8ae5-0b2e78c49457\",\r\n \"description\": \"To provide granular filtering on the actions that users can perform, use Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service Clusters and configure relevant authorization policies. For more information, see Azure role-based access control.\",\r\n \"remediationDescription\": \"To Use Role-Based Access Control (RBAC) you must recreate your Kubernetes Service cluster and enable RBAC during the creation process. Creating a Kubernetes Service with RBAC enabled can be done via the portal as follows:
1. Go to Azure Kubernetes Services.
2. Click 'Add' and enter your cluster's configuration.
3. In the 'Authentication' tab, verify that the 'Enable RBAC' setting is set to 'Yes'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"ElevationOfPrivilege\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c6dad669-efd7-cd72-61c5-289935607791\",\r\n \"name\": \"c6dad669-efd7-cd72-61c5-289935607791\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Data Lake Analytics should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c95c74d9-38fe-4f0d-af86-0c7d626a315c\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Data Lake Analytics diagnostics:
1. Go to Data Lake Analytics and click on your subscription.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c42fc28d-1703-45fc-aaa5-39797f570513\",\r\n \"name\": \"c42fc28d-1703-45fc-aaa5-39797f570513\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerability assessment should be enabled on your SQL managed instances\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b7aa243-30e4-4c9e-bca8-d0d3022b634a\",\r\n \"description\": \"Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities.\",\r\n \"remediationDescription\": \"To enable vulnerability assessment on a managed instance:
1. Select the SQL managed instance.
2. Make sure that 'Advanced data security' is set to 'On'.
3. Under 'Vulnerability assessment settings', set 'Periodic recurring scans' to 'On', and configure a storage account for storing vulnerability assessment scan results.
4. Click Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ff6dbca8-d93c-49fc-92af-dc25da7faccd\",\r\n \"name\": \"ff6dbca8-d93c-49fc-92af-dc25da7faccd\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Defender for SQL should be enabled on your managed instances\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9\",\r\n \"description\": \"Azure Defender for SQL is a unified package that provides advanced SQL security capabilities. It surfaces and mitigates potential database vulnerabilities, and detects anomalous activities that could indicate a threat to your database. Azure Defender for SQL is billed as shown on the pricing page.\",\r\n \"remediationDescription\": \"To enable Azure Defender for SQL on managed SQL servers: 1. Select the managed SQL server. 2. Under 'Security Center', set Azure Defender for SQL to 'On'. 3. Under 'Vulnerability Assessment Settings', configure a storage account for storing vulnerability assessment scan results and set 'Periodic recurring scans' to 'On'. 4. Click Save.
Note: Azure Defender for SQL is billed as shown on the pricing page.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/35b25be2-d08a-e340-45ed-f08a95d804fc\",\r\n \"name\": \"35b25be2-d08a-e340-45ed-f08a95d804fc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Only secure connections to your Redis Cache should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/22bee202-a82f-4305-9a2a-6d7f44d4dedb\",\r\n \"description\": \"Enable only connections via SSL to Redis Cache. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.\",\r\n \"remediationDescription\": \"To enable only SSL connections to your Redis Cache, we recommend the following steps:
1. Go to the Redis Caches, and select your redis cache.
2. Select 'Advanced settings'.
3. For 'Allow access only via SSL', click 'Yes' and then click 'Save'.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/77785808-ce86-4e40-b45f-19110a547397\",\r\n \"name\": \"77785808-ce86-4e40-b45f-19110a547397\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in IoT Hub should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/383856f8-de7f-44a2-81fc-e5135b5c2aa4\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable IoT Hub diagnostics:
1. Go to the Event Hub namespace.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/32771b45-220c-1a8b-584e-fdd5a2584a66\",\r\n \"name\": \"32771b45-220c-1a8b-584e-fdd5a2584a66\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Batch accounts should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/428256e6-1fac-4f48-a757-df34c2b3336d\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Batch diagnostics:
1. Go to Batch and click on your subscription.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f11b27f2-8c49-5bb4-eff5-e1e5384bf95e\",\r\n \"name\": \"f11b27f2-8c49-5bb4-eff5-e1e5384bf95e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Azure Stream Analytics should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f9be5368-9bf5-4b84-9e0a-7850da98bb46\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Stream Analytics diagnostics:
1. Go to Stream Analytics and click on your subscription.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f19ab7d9-5ff2-f8fd-ab3b-0bf95dcb6889\",\r\n \"name\": \"f19ab7d9-5ff2-f8fd-ab3b-0bf95dcb6889\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Service Bus should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f8d36e2f-389b-4ee4-898d-21aeb69a0f45\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Service Bus diagnostics:
1. Go to the Service Bus.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b12bc79e-4f12-44db-acda-571820191ddc\",\r\n \"name\": \"b12bc79e-4f12-44db-acda-571820191ddc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Automation account variables should be encrypted\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735\",\r\n \"description\": \"It is important to enable encryption of Automation account variable assets when storing sensitive data.\",\r\n \"remediationDescription\": \"You should encrypt Automation Account Variables that store sensitive data. This step can only be taken at creation time.
If you have Automation Account Variables storing sensitive data that are not already encrypted, then you will need to delete them and recreate them as encrypted variables.
To apply encryption of the Automation account variable assets, in the Azure CLI - run the following command: Set-AzAutomationVariable -AutomationAccountName '{AutomationAccountName}' -Encrypted $true -Name '{VariableName}' -ResourceGroupName '{ResourceGroupName}' -Value '{Value}'
Read more here\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ad5bbaeb-7632-5edf-f1c2-752075831ce8\",\r\n \"name\": \"ad5bbaeb-7632-5edf-f1c2-752075831ce8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Azure Data Lake Store should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/057ef27e-665e-4328-8ea3-04b3122bd9fb\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Data Lake Store diagnostics:
1. Go to Data Lake Store and click on your subscription.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/dea5192e-1bb3-101b-b70c-4646546f5e1e\",\r\n \"name\": \"dea5192e-1bb3-101b-b70c-4646546f5e1e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Search services should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b4330a05-a843-4bc8-bf9a-cacce50c67f4\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Search diagnostics:
1. Go to Search and click on your subscription.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/03afeb6f-7634-adb3-0a01-803b0b9cb611\",\r\n \"name\": \"03afeb6f-7634-adb3-0a01-803b0b9cb611\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Service Fabric clusters should only use Azure Active Directory for client authentication\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b54ed75b-3e1a-44ac-a333-05ba39b99ff0\",\r\n \"description\": \"Perform Client authentication only via Azure Active Directory in Service Fabric\",\r\n \"remediationDescription\": \"To enable client authentication using Azure Active Directory follow the instructions to Set up Azure Active Directory for client authentication.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7f04fc0c-4a3d-5c7e-ce19-666cb871b510\",\r\n \"name\": \"7f04fc0c-4a3d-5c7e-ce19-666cb871b510\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/617c02be-7f02-4efd-8836-3180d47b6c68\",\r\n \"description\": \"Service Fabric provides three levels of protection (None, Sign and EncryptAndSign) for node-to-node communication using a primary cluster certificate. Set the protection level to ensure that all node-to-node messages are encrypted and digitally signed.\",\r\n \"remediationDescription\": \"To set 'ClusterProtectionLevel' inside Service Fabric ARM template to 'EncryptAndSign':
1. Go to the Service fabric cluster.
2. Click on 'Custom fabric settings'.
3. Click 'Add new', set the 'Security' section and update the 'ClusterProtectionLevel' property to 'EncryptAndSign'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1597605a-0faf-5860-eb74-462ae2e9fc21\",\r\n \"name\": \"1597605a-0faf-5860-eb74-462ae2e9fc21\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Event Hub should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83a214f7-d01a-484b-91a9-ed54470c9a6a\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Event Hub diagnostics:
1. Go to the Event Hub namespace.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/91387f44-7e43-4ecc-55f0-46f5adee3dd5\",\r\n \"name\": \"91387f44-7e43-4ecc-55f0-46f5adee3dd5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Logic Apps should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34f95f76-5386-4de7-b824-0d8478470c9d\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Logic Apps diagnostics:
1. Go to Logic Apps and click on your subscription.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/961eb649-3ea9-f8c2-6595-88e9a3aeedeb\",\r\n \"name\": \"961eb649-3ea9-f8c2-6595-88e9a3aeedeb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Virtual Machine Scale Sets should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7c1b1214-f927-48bf-8882-84f0af6588b1\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Virtual Machines Scale Sets diagnostics follow the instructions\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606\",\r\n \"description\": \"To benefit from new capabilities in Azure Resource Manager, you can migrate existing deployments from the Classic deployment model. Resource Manager enables security enhancements such as: stronger access control (RBAC), better auditing, ARM-based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management. Learn more\",\r\n \"remediationDescription\": \"To migrate storage accounts to new ARM resources :
1. Go to the Storage Account
2. Click on Migrate to ARM and follow the instructions.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/88bbc99c-e5af-ddd7-6105-6150b2bfa519\",\r\n \"name\": \"88bbc99c-e5af-ddd7-6105-6150b2bfa519\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Key Vault should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Key Vault diagnostics:
1. Go to Key Vault and click on your subscription.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/45d313c3-3fca-5040-035f-d61928366d31\",\r\n \"name\": \"45d313c3-3fca-5040-035f-d61928366d31\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Access to storage accounts with firewall and virtual network configurations should be restricted\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c\",\r\n \"description\": \"Review the settings of network access in your storage account firewall settings. It is recommended to configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premise clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges.\",\r\n \"remediationDescription\": \"
1. In your storage account, go to 'Firewalls and virtual networks'.
2. Under 'Allow access from', choose 'Selected networks'.
3. Configure the relevant virtual networks and IP ranges that should be allowed to access your storage account.
4. Configure \\\"Allow trusted Microsoft services to access your storage account\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": \"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Secure transfer to storage accounts should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9\",\r\n \"description\": \"Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.\",\r\n \"remediationDescription\": \"To enable secure transfer required:
1. In your storage account, go to the 'Configuration' page.
2. Enable 'Secure transfer required'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bd20bd91-aaf1-7f14-b6e4-866de2f43146\",\r\n \"name\": \"bd20bd91-aaf1-7f14-b6e4-866de2f43146\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"System updates on virtual machine scale sets should be installed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe\",\r\n \"description\": \"Install missing system security and critical updates to secure your Windows and Linux virtual machine scale sets.\",\r\n \"remediationDescription\": \"To install system updates:
1. Review the list of missing system updates.
2. Follow the steps to resolve the update, as described in the support link.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/45cfe080-ceb1-a91e-9743-71551ed24e94\",\r\n \"name\": \"45cfe080-ceb1-a91e-9743-71551ed24e94\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Log Analytics agent should be installed on your virtual machine scale sets\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a3a6ea0c-e018-4933-9ef0-5aaa1501449b\",\r\n \"description\": \"Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats. Data is collected using the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA), which reads various security-related configurations and event logs from the machine and copies the data to your workspace for analysis. You’ll also need to follow that procedure if your VMs are used by an Azure managed service such as Azure Kubernetes Service or Azure Service Fabric. You cannot configure auto-provisioning of the agent for Azure virtual machine scale sets. To deploy the agent on virtual machine scale sets (including those used by Azure managed services such as Azure Kubernetes Service and Azure Service Fabric), follow the procedure in the remediation steps.\",\r\n \"remediationDescription\": \"For information on how to add the Log analytics agent as an extension to your virtual machine scale set please see the following instructions. For information on how to deploy the log analytics agent at scale on virtual machine scale set using Azure Policy please see the following instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8941d121-f740-35f6-952c-6561d2b38d36\",\r\n \"name\": \"8941d121-f740-35f6-952c-6561d2b38d36\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities in security configuration on your virtual machine scale sets should be remediated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4\",\r\n \"description\": \"Remediate vulnerabilities in security configuration on your virtual machine scale sets to protect them from attacks.\",\r\n \"remediationDescription\": \"To remediate vulnerabilities in VM scale set security configurations:
1. Review the list of failed rules.
2. Fix each rule according to the instructions provided.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/21300918-b2e3-0346-785f-c77ff57d243b\",\r\n \"name\": \"21300918-b2e3-0346-785f-c77ff57d243b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Endpoint protection solution should be installed on virtual machine scale sets\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de\",\r\n \"description\": \"Install an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities.\",\r\n \"remediationDescription\": \"To install an endpoint protection solution:
1. Follow the instructions in How do I turn on antimalware in my virtual machine scale set\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e71020c2-860c-3235-cd39-04f3f8c936d2\",\r\n \"name\": \"e71020c2-860c-3235-cd39-04f3f8c936d2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Endpoint protection health failures should be remediated on virtual machine scale sets\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de\",\r\n \"description\": \"Remediate endpoint protection health failures on your virtual machine scale sets to protect them from threats and vulnerabilities.\",\r\n \"remediationDescription\": \"Resolve endpoint protection health issues on your VM scale sets to get full protection and coverage by Azure Security Center. To do this, follow the instructions in each of the possible endpoint protection health issues displayed on your virtual machine scale set.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6c99f570-2ce7-46bc-8175-cde013df43bc\",\r\n \"name\": \"6c99f570-2ce7-46bc-8175-cde013df43bc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Guest configuration extension should be installed on Windows virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/5fc23db3-dd4d-4c56-bcc7-43626243e601\",\r\n \"description\": \"Install the guest configuration agent to enable auditing settings inside a machine such as: - The configuration of the operating system
- Application configuration or presence
- Environment settings
Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'.
For more details, visit in-guest policies\",\r\n \"remediationDescription\": \"Quick fix remediation:
To remediate with a single click, in the Unhealthy resources tab (below), select the resources, and click 'Remediate'.
Read the remediation details in the confirmation box, and approve the remediation.
Note: It can take several minutes after remediation completes to see the resources in the 'healthy resources' tab.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/22489c48-27d1-4e40-9420-4303ad9cffef\",\r\n \"name\": \"22489c48-27d1-4e40-9420-4303ad9cffef\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Windows Defender Exploit Guard should be enabled on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/bed48b13-6647-468e-aa2f-1af1d3f4dd40\",\r\n \"description\": \"Windows Defender Exploit Guard leverages the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only).\",\r\n \"remediationDescription\": \"Enable controlled folder access: controlled folder access
The following attack surface rules should be enabled:
'be9ba2d9-53ea-4cdc-84e5-9b1eeee46550',
'b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4',
'9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2',
'd4f940ab-401b-4efc-aadc-ad5f3c50688a',
'd3e037e1-3eb8-44c8-a917-57927947596d',
'5beb7efe-fd9a-4556-801d-275e5ffc04cc',
'3b576869-a4ec-4529-8536-b80a7769e899',
'26190899-1602-49e8-8b27-eb1d0a1ce869',
'92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B',
'7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c',
'75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84'
For more information on visit:Learn more\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ThreatResistance\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/27ac71b1-75c5-41c2-adc2-858f5db45b08\",\r\n \"name\": \"27ac71b1-75c5-41c2-adc2-858f5db45b08\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Log Analytics agent should be installed on your Windows-based Azure Arc machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/d69b1763-b96d-40b8-a2d9-ca31e9fd0d3e\",\r\n \"description\": \"Security Center uses the Log Analytics agent (also known as MMA) to collect security events from your Azure Arc machines. To deploy the agent on all your Azure Arc machines, follow the remediation steps.\",\r\n \"remediationDescription\": \"To install the monitoring agent on your Arc machine:
1. From the Azure Arc machine's page, go to Extensions and select Add.
2. Follow the instructions to add the relevant extension.
You can also use ARM template or Azure Policies to manage the extension deployment to Arc servers. Learn more about Log Analytics agent for Windows.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/720a3e77-0b9a-4fa9-98b6-ddf0fd7e32c1\",\r\n \"name\": \"720a3e77-0b9a-4fa9-98b6-ddf0fd7e32c1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Log Analytics agent should be installed on your Linux-based Azure Arc machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/842c54e8-c2f9-4d79-ae8d-38d8b8019373\",\r\n \"description\": \"Security Center uses the Log Analytics agent (also known as OMS) to collect security events from your Azure Arc machines. To deploy the agent on all your Azure Arc machines, follow the remediation steps.\",\r\n \"remediationDescription\": \"To install the monitoring agent on your Arc machine:
1. From the Azure Arc machine's page, go to Extensions and select Add.
2. Follow the instructions to add the relevant extension.
You can also use ARM template or Azure Policies to manage the extension deployment to Arc servers. Learn more about Log Analytics agent for Linux.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fc84abc0-eee6-4758-8372-a7681965ca44\",\r\n \"name\": \"fc84abc0-eee6-4758-8372-a7681965ca44\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Validity period of certificates stored in Azure Key Vault should not exceed 12 months\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a075868-4c26-42ef-914c-5bc007359560\",\r\n \"description\": \"Ensure your certificates do not have a validity period that exceeds 12 months.\",\r\n \"remediationDescription\": \"To remediate you must create a new version of the certificate. Ensure that your application or service will be able to get a new version of the certificate before proceeding. Select a key vault from the list below. The list of certificates with a validity period that exceeds 12 months will appear. From the Azure Portal, open Azure Key Vault and select the vault with the certificate that needs to be replaced. Select the relevant certificate and the certificate details page opens. 1. On the certificate details page, select \\\"+ New Version\\\". The \\\"Create a Certificate\\\" pane opens. 2. Change the \\\"Validity period (in months)\\\" field to 12 or less. 3. Select \\\"Create\\\". 4. Ensure that you have set up auto-renewal, or have a process to renew your certificate prior to expiration.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"name\": \"51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Storage account public access should be disallowed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751\",\r\n \"description\": \"Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data, but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.\",\r\n \"remediationDescription\": \"To prevent public access to containers and blobs in your storage account:
1. In the Azure portal, navigate to your storage account.
2. From the settings menu, select \\\"Configuration\\\".
3. Set \\\"Allow Blob public access\\\" to \\\"Disabled\\\".
Learn more about public access
Note: It might take several minutes after remediation completes until the resource appears in the 'healthy resources' tab.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f2f595ec-5dc6-68b4-82ef-b63563e9c610\",\r\n \"name\": \"f2f595ec-5dc6-68b4-82ef-b63563e9c610\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Backup should be enabled for virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/013e242c-8828-4970-87b3-ab247555486d\",\r\n \"description\": \"Protect the data on your Azure virtual machines with Azure Backup.
Azure Backup is an Azure-native, cost-effective, data protection solution.
It creates recovery points that are stored in geo-redundant recovery vaults.
When you restore from a recovery point, you can restore the whole VM or specific files.\",\r\n \"remediationDescription\": \"1. To enable Azure Backup for an individual virtual machine, navigate to the virtual machine on the Azure portal and select 'Backup' from the menu.
In the screen that appears, you can then choose to backup the machine to a new or existing Recovery Services vault in the same location and subscription.
Learn more at https://aka.ms/AzureVMBackupDoc 2. To enable Azure Backup for virtual machines at scale, you can assign the policy 'Configure backup on VMs of a location to an existing central Vault in the same location' to a given scope.
This policy can be assigned to one subscription-location pair at a time.
Learn more at http://aka.ms/AzureBackupVMGovernance\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/23aa9cbe-c2fb-6a2f-6c97-885a6d48c4d1\",\r\n \"name\": \"23aa9cbe-c2fb-6a2f-6c97-885a6d48c4d1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Managed identity should be used in your function app\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0da106f2-4ca3-48e8-bc85-c638fe6aea8f\",\r\n \"description\": \"For enhanced authentication security, use a managed identity.
On Azure, managed identities eliminate the need for developers to have to manage credentials by providing an identity for the Azure resource in Azure AD and using it to obtain Azure Active Directory (Azure AD) tokens.\",\r\n \"remediationDescription\": \"To create a managed identity for your function app:
1. Go to the App Service for your API app 2. Navigate to Platform features 3. Select Identity 4. Use System assigned or User assigned identity following the steps described in this doc: https://aka.ms/managed-identity\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2ce368b5-7882-89fd-6645-885b071a2409\",\r\n \"name\": \"2ce368b5-7882-89fd-6645-885b071a2409\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Geo-redundant backup should be enabled for Azure Database for MariaDB\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0ec47710-77ff-4a3d-9181-6aa50af424d0\",\r\n \"description\": \"Azure Database for MariaDB allows you to choose the redundancy option for your database server.
It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery options in case of a region failure.
Configuring geo-redundant storage for backup is only allowed when creating a server.\",\r\n \"remediationDescription\": \"To configure your Azure Database for MariaDB server with geo-redundant backup during server creation, select the “Geo-Redundant” option for the server in the Compute + Storage configuration.
For more information, see: https://go.microsoft.com/fwlink/?linkid=2086853\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4a3d7cd3-f17c-637a-1ffc-614a01dd03cf\",\r\n \"name\": \"4a3d7cd3-f17c-637a-1ffc-614a01dd03cf\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Managed identity should be used in your web app\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2b9ad585-36bc-4615-b300-fd4435808332\",\r\n \"description\": \"For enhanced authentication security, use a managed identity.
On Azure, managed identities eliminate the need for developers to have to manage credentials by providing an identity for the Azure resource in Azure AD and using it to obtain Azure Active Directory (Azure AD) tokens.\",\r\n \"remediationDescription\": \"To create a managed identity for your web app:
1. Go to the App Service for your API app 2. Scroll to the Settings group in the left navigation 3. Select Identity 4. Use System assigned or User assigned identity following the steps described in this doc: https://aka.ms/managed-identity\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/95592ab0-ddc8-660d-67f3-6df1fadfe7ec\",\r\n \"name\": \"95592ab0-ddc8-660d-67f3-6df1fadfe7ec\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Geo-redundant backup should be enabled for Azure Database for PostgreSQL\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/48af4db5-9b8b-401c-8e74-076be876a430\",\r\n \"description\": \"Azure Database for PostgreSQL allows you to choose the redundancy option for your database server.
It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery options in case of a region failure.
Configuring geo-redundant storage for backup is only allowed when creating a server.\",\r\n \"remediationDescription\": \"To configure your Azure Database for PostgreSQL server with geo-redundant backup during server creation, select the “Geo-Redundant” option for the server in the Compute + Storage configuration.
For more information, see: https://go.microsoft.com/fwlink/?linkid=867615\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ca4e6a5a-3a9a-bad3-798a-d420a1d9bd6d\",\r\n \"name\": \"ca4e6a5a-3a9a-bad3-798a-d420a1d9bd6d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Web apps should request an SSL certificate for all incoming requests\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5bb220d9-2698-4ee4-8404-b9c30c9df609\",\r\n \"description\": \"Client certificates allow for the app to request a certificate for incoming requests.
Only clients that have a valid certificate will be able to reach the app.\",\r\n \"remediationDescription\": \"To set Client Certificates for your Web App:
1. Navigate to Azure App Service 2. Select Configuration 3. Go to the General Settings tab 4. Set Incoming Client Certificates to Require.
For more information, visit here: https://aka.ms/auth-tls\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8ad68a2f-c6b1-97b5-41b5-174359a33688\",\r\n \"name\": \"8ad68a2f-c6b1-97b5-41b5-174359a33688\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Geo-redundant backup should be enabled for Azure Database for MySQL\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/82339799-d096-41ae-8538-b108becf0970\",\r\n \"description\": \"Azure Database for MySQL allows you to choose the redundancy option for your database server.
It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery options in case of a region failure.
Configuring geo-redundant storage for backup is only allowed when creating a server.\",\r\n \"remediationDescription\": \"To configure your Azure Database for MySQL server with geo-redundant backup during server creation, select the “Geo-Redundant” option for the server in the Compute + Storage configuration.
For more information, see: https://go.microsoft.com/fwlink/?linkid=867608\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5a659d57-117d-bb18-65f6-54e51da1bb9b\",\r\n \"name\": \"5a659d57-117d-bb18-65f6-54e51da1bb9b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"TLS should be updated to the latest version for your API app\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e\",\r\n \"description\": \"Upgrade to the latest TLS version\",\r\n \"remediationDescription\": \"To update your API app to the latest TLS version:
1. Navigate to Azure App Service 2. Select TLS/SSL settings 3. Under the Protocol Settings section, choose the latest Minimum TLS Version.
For more information on managing TLS/SSL settings, visit here: https://aka.ms/add-tls\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/40394a2c-60fb-7cc5-1944-065772e94f05\",\r\n \"name\": \"40394a2c-60fb-7cc5-1944-065772e94f05\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs should be enabled in App Service\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b607c5de-e7d9-4eee-9e5c-83f1bcee4fa0\",\r\n \"description\": \"Audit enabling of diagnostic logs on the app.
This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised\",\r\n \"remediationDescription\": \"To enable App Service diagnostics:
1. Navigate to Azure App Service and select App Service logs 2. In Application logging, select File System 3. Specify the retention period for the logs 4. If using Azure monitor select Diagnostic settings and click Add diagnostic setting 5. Select one or more catagories of logs to collect 6. Select one of the options to store the diagnostics logs and follow the instructions.
For more information, visit https://aka.ms/enable-logs\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/cc6d1865-7617-3cb2-cf7d-4cfc01ece1df\",\r\n \"name\": \"cc6d1865-7617-3cb2-cf7d-4cfc01ece1df\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Managed identity should be used in your API app\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c4d441f8-f9d9-4a9e-9cef-e82117cb3eef\",\r\n \"description\": \"For enhanced authentication security, use a managed identity.
On Azure, managed identities eliminate the need for developers to have to manage credentials by providing an identity for the Azure resource in Azure AD and using it to obtain Azure Active Directory (Azure AD) tokens.\",\r\n \"remediationDescription\": \"To create a managed identity for your API app:
1. Go to the App Service for your API app 2. Scroll to the Settings group in the left navigation 3. Select Identity 4. Use System assigned or User assigned identity following the steps described in this doc: https://aka.ms/managed-identity\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1fde2073-a488-17e9-9534-5a3b23379b4b\",\r\n \"name\": \"1fde2073-a488-17e9-9534-5a3b23379b4b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Enforce SSL connection should be enabled for PostgreSQL database servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d158790f-bfb0-486c-8631-2dc6b4e8e6af\",\r\n \"description\": \"Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL).
Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application.
This configuration enforces that SSL is always enabled for accessing your database server.\",\r\n \"remediationDescription\": \"To enforce the use of SSL-based encrypted connections for all traffic to your Azure Database for PostgreSQL:
1. Select your Azure Database for PostgreSQL. 2. In Connection Security, set Enforce SSL connection to 'Enabled'.
For more information, see: https://go.microsoft.com/fwlink/?linkid=848213\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1f6d29f6-4edb-ea39-042b-de8f123ddd39\",\r\n \"name\": \"1f6d29f6-4edb-ea39-042b-de8f123ddd39\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Enforce SSL connection should be enabled for MySQL database servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e802a67a-daf5-4436-9ea6-f6d821dd0c5d\",\r\n \"description\": \"Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL).
Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application.
This configuration enforces that SSL is always enabled for accessing your database server.\",\r\n \"remediationDescription\": \"To enforce the use of SSL-based encrypted connections for all traffic to your Azure Database for MySQL:
1. Select your Azure Database for MySQL. 2. In Connection Security, set Enforce SSL connection to 'Enabled'.
For more information, see: https://go.microsoft.com/fwlink/?linkid=848211\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2a54c352-7ca4-4bae-ad46-47ecd9595bd2\",\r\n \"name\": \"2a54c352-7ca4-4bae-ad46-47ecd9595bd2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"TLS should be updated to the latest version for your web app\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b\",\r\n \"description\": \"Upgrade to the latest TLS version\",\r\n \"remediationDescription\": \"To update your web app to the latest TLS version:
1. Navigate to Azure App Service 2. Select TLS/SSL settings 3. Under the Protocol Settings section, choose the latest Minimum TLS Version.
For more information on managing TLS/SSL settings, visit here: https://aka.ms/add-tls\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/15be5f3c-e0a4-c0fa-fbff-8e50339b4b22\",\r\n \"name\": \"15be5f3c-e0a4-c0fa-fbff-8e50339b4b22\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"TLS should be updated to the latest version for your function app\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193\",\r\n \"description\": \"Upgrade to the latest TLS version\",\r\n \"remediationDescription\": \"To update your function app to the latest TLS version:
1. Navigate to Azure App Service 2. Select TLS/SSL settings 3. Under the Protocol Settings section, choose the latest Minimum TLS Version.
For more information on managing TLS/SSL settings, visit here: https://aka.ms/add-tls\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6b86d069-b3c3-b4d7-47c7-e73ddf786a63\",\r\n \"name\": \"6b86d069-b3c3-b4d7-47c7-e73ddf786a63\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"PHP should be updated to the latest version for your API app\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1bc1795e-d44a-4d48-9b3b-6fff0fd5f9ba\",\r\n \"description\": \"Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality.
Using the latest PHP version for API apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version.\",\r\n \"remediationDescription\": \"To set the PHP version for your API app, follow the instructions to show and set the version using the Azure CLI outlined in this document: https://aka.ms/configure-php\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7b2a234d-614b-562f-ac85-91b419688b59\",\r\n \"name\": \"7b2a234d-614b-562f-ac85-91b419688b59\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"PHP should be updated to the latest version for your web app\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7261b898-8a84-4db8-9e04-18527132abb3\",\r\n \"description\": \"Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality.
Using the latest PHP version for web apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version.\",\r\n \"remediationDescription\": \"To set the PHP version for your web app, follow the instructions to show and set the version using the Azure CLI outlined in this document: https://aka.ms/configure-php\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/39c63596-aa92-1b90-ee7c-628bee592cc0\",\r\n \"name\": \"39c63596-aa92-1b90-ee7c-628bee592cc0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Java should be updated to the latest version for your web app\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/496223c3-ad65-4ecd-878a-bae78737e9ed\",\r\n \"description\": \"Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality.
Using the latest Java version for web apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version.\",\r\n \"remediationDescription\": \"To set the latest Java version for your web app:
1. Navigate to Azure App Service 2. Go to Configuration 3. Select the latest Java version in the JVM drop down.
For more information, visit here: https://aka.ms/configure-java\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f0fd27eb-25aa-4335-0ba2-0720cccda9a4\",\r\n \"name\": \"f0fd27eb-25aa-4335-0ba2-0720cccda9a4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Java should be updated to the latest version for your function app\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc\",\r\n \"description\": \"Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality.
Using the latest Java version for function apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version.\",\r\n \"remediationDescription\": \"To set the latest Java version for your function app:
1. Navigate to Azure App Service 2. Go to Configuration 3. Select the latest Java version in the JVM drop down.
For more information, visit here: https://aka.ms/configure-java\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/08a3b009-0178-ee60-e357-e7ee5aea59c7\",\r\n \"name\": \"08a3b009-0178-ee60-e357-e7ee5aea59c7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Java should be updated to the latest version for your API app\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/88999f4c-376a-45c8-bcb3-4058f713cf39\",\r\n \"description\": \"Periodically, newer versions are released for Java either due to security flaws or to include additional functionality.
Using the latest Python version for API apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version.\",\r\n \"remediationDescription\": \"To set the latest Java version for your API app:
1. Navigate to Azure App Service 2. Go to Configuration 3. Select the latest Java version in the JVM drop down.
For more information, visit here: https://aka.ms/configure-java\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e8407fab-bf38-b0a4-79c1-068bbf82eca1\",\r\n \"name\": \"e8407fab-bf38-b0a4-79c1-068bbf82eca1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Python should be updated to the latest version for your web app\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7008174a-fd10-4ef0-817e-fc820a951d73\",\r\n \"description\": \"Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality.
Using the latest Python version for web apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version.\",\r\n \"remediationDescription\": \"To set the Python version for your web app, follow the instructions to show and set the version using the Azure CLI outlined in this document: https://aka.ms/configure-python\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/96327a68-4aec-5e76-8f0e-d4670bc5a3a7\",\r\n \"name\": \"96327a68-4aec-5e76-8f0e-d4670bc5a3a7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Python should be updated to the latest version for your function app\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7238174a-fd10-4ef0-817e-fc820a951d73\",\r\n \"description\": \"Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality.
Using the latest Python version for function apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version.\",\r\n \"remediationDescription\": \"To set the Python version for your function app, follow the instructions to show and set the version using the Azure CLI outlined in this document: https://aka.ms/configure-python\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c2c90d64-38e2-e984-1457-7f4a98168c72\",\r\n \"name\": \"c2c90d64-38e2-e984-1457-7f4a98168c72\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Python should be updated to the latest version for your API app\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/74c3584d-afae-46f7-a20a-6f8adba71a16\",\r\n \"description\": \"Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality.
Using the latest Python version for API apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version.\",\r\n \"remediationDescription\": \"To set the Python version for your API app, follow the instructions to show and set the version using the Azure CLI outlined in this document: https://aka.ms/configure-python\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c5b83aed-f53d-5201-8ffb-1f9938de410a\",\r\n \"name\": \"c5b83aed-f53d-5201-8ffb-1f9938de410a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Private endpoint should be enabled for PostgreSQL servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0564d078-92f5-4f97-8398-b9f58a51f70b\",\r\n \"description\": \"Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for PostgreSQL.
Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure.\",\r\n \"remediationDescription\": \"To configure Private Link for Azure Database for PostgreSQL:
1. Navigate to your Azure Database for PostgreSQL. 2. Select Private Endpoint Connections in the left-hand pane 3. Click on \\\"+Private Endpoint\\\" and follow the instructions provided https://docs.microsoft.com/azure/postgresql/howto-configure-privatelink-portal.
For more information, see: https://aka.ms/pgprivatelink\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ca9b93fe-6f1f-676c-2f31-d20f88fdbe56\",\r\n \"name\": \"ca9b93fe-6f1f-676c-2f31-d20f88fdbe56\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Private endpoint should be enabled for MariaDB servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a1302fb-a631-4106-9753-f3d494733990\",\r\n \"description\": \"Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MariaDB.
Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure.\",\r\n \"remediationDescription\": \"To configure Private Link for Azure Database for MariaDB:
1. Navigate to your Azure Database for MariaDB. 2. Select Private Endpoint Connections in the left-hand pane 3. Click on \\\"+Private Endpoint\\\" and follow the instructions provided https://docs.microsoft.com/azure/mariadb/howto-configure-privatelink-portal.
For more information, see: https://aka.ms/mariadbprivatelink\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/cec4922b-1eb3-cb74-660b-ffad9b9ac642\",\r\n \"name\": \"cec4922b-1eb3-cb74-660b-ffad9b9ac642\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Private endpoint should be enabled for MySQL servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7595c971-233d-4bcf-bd18-596129188c49\",\r\n \"description\": \"Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MySQL.
Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure.\",\r\n \"remediationDescription\": \"To configure Private Link for Azure Database for MySQL:
1. Navigate to your Azure Database for MySQL. 2. Select Private Endpoint Connections in the left-hand pane 3. Click on \\\"+Private Endpoint\\\" and follow the instructions provided https://docs.microsoft.com/azure/mysql/howto-configure-privatelink-portal.
For more information, see: https://aka.ms/mysqlprivatelink\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/620671b8-6661-273a-38ac-4574967750ec\",\r\n \"name\": \"620671b8-6661-273a-38ac-4574967750ec\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Audit retention for SQL servers should be set to at least 90 days\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/89099bee-89e0-4b26-a5f4-165451757743\",\r\n \"description\": \"Audit SQL servers configured with an auditing retention period of less than 90 days.\",\r\n \"remediationDescription\": \"To configure auditing retention on your Azure SQL server or Azure Synapse server:
1.From the Azure portal, select the Azure SQL Server or Azure Synapse resource. 2.From the menu, select Auditing. 3.Select Storage details. 4.To set a new retention period of 90 days or higher, manually enter a value or move the slider for Retention (Days). 5.Select OK.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/972a6579-f38f-c0b9-1b4b-a5bbeba3ab5b\",\r\n \"name\": \"972a6579-f38f-c0b9-1b4b-a5bbeba3ab5b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"FTPS should be required in your function App\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/399b2637-a50f-4f95-96f8-3a145476eb15\",\r\n \"description\": \"Enable FTPS enforcement for enhanced security\",\r\n \"remediationDescription\": \"To ensure enforcement of FTPS only for your function app:
1. Go to the App Service for your API app 2. Select Configuration, and go to the General Settings tab 3. In FTP state, select FTPS only.
For more information, visit here: https://aka.ms/deploy-ftp\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/19beaa2a-a126-b4dd-6d35-617f6cc83fca\",\r\n \"name\": \"19beaa2a-a126-b4dd-6d35-617f6cc83fca\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"FTPS should be required in your web App\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4d24b6d4-5e53-4a4f-a7f4-618fa573ee4b\",\r\n \"description\": \"Enable FTPS enforcement for enhanced security\",\r\n \"remediationDescription\": \"To ensure enforcement of FTPS only for your web app:
1. Go to the App Service for your API app 2. Select Configuration, and go to the General Settings tab 3. In FTP state, select FTPS only.
For more information, visit here: https://aka.ms/deploy-ftp\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/67fc622b-4ce6-8c52-08ae-9f830036b757\",\r\n \"name\": \"67fc622b-4ce6-8c52-08ae-9f830036b757\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"FTPS should be required in your API App\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9a1b8c48-453a-4044-86c3-d8bfd823e4f5\",\r\n \"description\": \"Enable FTPS enforcement for enhanced security\",\r\n \"remediationDescription\": \"To ensure enforcement of FTPS only for your API app:
1. Go to the App Service for your API app 2. Select Configuration, and go to the General Settings tab 3. In FTP state, select FTPS only.
For more information, visit here: https://aka.ms/deploy-ftp\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9d07b7e6-2986-4964-a76c-b2689604e212\",\r\n \"name\": \"9d07b7e6-2986-4964-a76c-b2689604e212\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Identical Authentication Credentials\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Identical authentication credentials to the IoT Hub used by multiple devices. This could indicate an illegitimate device impersonating a legitimate device. It also exposes the risk of device impersonation by an attacker\",\r\n \"remediationDescription\": \"Review the devices in question and make sure they are all valid. Replace any duplicated credentials and make sure all device authentication credentials are unique.\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5a3d6cdd-8eb3-46d2-ba11-d24a0d47fe65\",\r\n \"name\": \"5a3d6cdd-8eb3-46d2-ba11-d24a0d47fe65\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Default IP Filter Policy should be Deny\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"IP Filter Configuration should have rules defined for allowed traffic and should deny all other traffic by default\",\r\n \"remediationDescription\": \"Add a default rule at the end of the defined rules list to deny all inbound traffic. Make sure any rules defined above it only allow wanted traffic through.\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d8326952-60bb-40fb-b33f-51e662708a88\",\r\n \"name\": \"d8326952-60bb-40fb-b33f-51e662708a88\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IP Filter rule large IP range\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"An Allow IP Filter rule's source IP range is too large. Overly permissive rules might expose your IoT hub to malicious intenders\",\r\n \"remediationDescription\": \"Review the rule in question and verify source IP range is as small as it needs to be for necessary traffic to go through.\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1a36f14a-8bd8-45f5-abe5-eef88d76ab5b\",\r\n \"name\": \"1a36f14a-8bd8-45f5-abe5-eef88d76ab5b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Open Ports On Device\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"A listening endpoint was found on the device\",\r\n \"remediationDescription\": \"Review the open ports on the device and make sure they belong to legitimate and necessary processes for the device to function correctly\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ba975338-f956-41e7-a9f2-7614832d382d\",\r\n \"name\": \"ba975338-f956-41e7-a9f2-7614832d382d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Permissive firewall rule in the input chain was found\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"A rule in the firewall has been found that contains a permissive pattern for a wide range of IP addresses or Ports\",\r\n \"remediationDescription\": \"Review the rules in the recommendation and verify only necessary addresses / ports are allowed in\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/beb62be3-5e78-49bd-ac5f-099250ef3c7c\",\r\n \"name\": \"beb62be3-5e78-49bd-ac5f-099250ef3c7c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Permissive firewall policy in one of the chains was found\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"An allowed firewall policy was found in main firewall Chains (INPUT/OUTPUT). The policy should Deny all traffic by default define rules to allow necessary communication to/from the device\",\r\n \"remediationDescription\": \"Change firewall policy to Drop and add specific rules to permit access to legitimate connections to/from the device\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d5a8d84a-9ad0-42e2-80e0-d38e3d46028a\",\r\n \"name\": \"d5a8d84a-9ad0-42e2-80e0-d38e3d46028a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Permissive firewall rule in the output chain was found\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"A rule in the firewall has been found that contains a permissive pattern for a wide range of IP addresses or ports\",\r\n \"remediationDescription\": \"Review the rules in the recommendation and verify only necessary addresses / ports are allowed out\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5f65e47f-7a00-4bf3-acae-90ee441ee876\",\r\n \"name\": \"5f65e47f-7a00-4bf3-acae-90ee441ee876\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Operating system baseline validation failure\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Security related system configuration issues identified\",\r\n \"remediationDescription\": \"Review the failed rules and remediate the security configuration vulnerabilities identified on your devices\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a9a59ebb-5d6f-42f5-92a1-036fd0fd1879\",\r\n \"name\": \"a9a59ebb-5d6f-42f5-92a1-036fd0fd1879\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Agent sending underutilized messages\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"IoT agent message size capacity is currently underutilized, causing an increase in the number of sent messages. Adjust message intervals for better utilization\",\r\n \"remediationDescription\": \"To avoid too many underutilized messages, consider enlarging the high/low priority send intervals\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2acc27c6-5fdb-405e-9080-cb66b850c8f5\",\r\n \"name\": \"2acc27c6-5fdb-405e-9080-cb66b850c8f5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - TLS cipher suite upgrade needed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Unsecure TLS configurations detected. Immediate TLS cipher suite upgrade recommended\",\r\n \"remediationDescription\": \"Upgrade your TLS cipher suite to a secure configuration. See the Guide to TLS Standards Compliance for more information\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d74d2738-2485-4103-9919-69c7e63776ec\",\r\n \"name\": \"d74d2738-2485-4103-9919-69c7e63776ec\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Auditd process stopped sending events\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Security events originated from Auditd process are no longer received from this device\",\r\n \"remediationDescription\": \"Verify Auditd process is running on the device, restart process or device as needed\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2acd365d-e8b5-4094-bce4-244b7c51d67c\",\r\n \"name\": \"2acd365d-e8b5-4094-bce4-244b7c51d67c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Service principals should be used to protect your subscriptions instead of Management Certificates\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6646a0bd-e110-40ca-bb97-84fcee63c414\",\r\n \"description\": \"Management certificates allow anyone who authenticates with them to manage the subscription(s) they are associated with. To manage subscriptions more securely, using service principals with Resource Manager is recommended to limit the blast radius in the case of a certificate compromise. It also automates resource management. \",\r\n \"remediationDescription\": \"To remove management certificates and replace with service principals:
1. Follow the guidance here to create service principals with a certificate.
2. Select a subscription from the list of subscriptions below or navigate to the specific subscription.
3. You need to have co-admin access in order to complete this step. Select In the Management Certificates under Settings , delete the existing management certificates you would like to replace with the service principals you created.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/506a4392-1923-487e-b8d7-8a6aee123ad4\",\r\n \"name\": \"506a4392-1923-487e-b8d7-8a6aee123ad4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Application Load Balancer should be configured to redirect all HTTP requests to HTTPS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if redirection from HTTP to HTTPS is configured on all HTTP listeners of Application Load Balancers.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4fe7c40f-0e00-4561-a3db-9fb9a1445f8c\",\r\n \"name\": \"4fe7c40f-0e00-4561-a3db-9fb9a1445f8c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 buckets should require requests to use Secure Socket Layer\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"S3 buckets should have policies enabled that require all requests to accept only transmission of data over HTTPS in the S3 resource policy.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b26b4bb8-864b-44b7-9dbe-6ebc42784893\",\r\n \"name\": \"b26b4bb8-864b-44b7-9dbe-6ebc42784893\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 buckets should have server-side encryption enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if your Amazon S3 buckets have Amazon S3 default encryption configured or if the S3 bucket policy explicitly denies put-object requests without an encryption on server side\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c1769ad9-3c3a-4455-8d86-4d02dc2580f7\",\r\n \"name\": \"c1769ad9-3c3a-4455-8d86-4d02dc2580f7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"AWS Config should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if AWS Config is enabled for the current account and region. The AWS Config service manages configuration of supported AWS resources in your account and sends log files to you. Security Hub recommends AWS Config should be enabled in all regions.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bae62237-b51c-4b17-8a35-da91de00f768\",\r\n \"name\": \"bae62237-b51c-4b17-8a35-da91de00f768\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Hardware MFA should be enabled for the root user\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks whether your AWS account is enabled to use multi-factor authentication (MFA) hardware device to sign in with root credentials. MFA adds a layer of protection on top of a user name and password for accessing cardholder data environment. \",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9e06bec8-97f4-4b02-90d4-fa98ebab2079\",\r\n \"name\": \"9e06bec8-97f4-4b02-90d4-fa98ebab2079\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"MFA should be enabled for all IAM users\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if the AWS Identity and Access Management users have multi-factor authentication (MFA) enabled\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b78b295a-8bdb-431f-ab49-c599a219d1c1\",\r\n \"name\": \"b78b295a-8bdb-431f-ab49-c599a219d1c1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Virtual MFA should be enabled for the root user\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if users of your AWS account require a multi-factor authentication (MFA) device to sign in with root credentials.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5ca086b6-9bd4-4c07-b787-464f296ebb20\",\r\n \"name\": \"5ca086b6-9bd4-4c07-b787-464f296ebb20\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 buckets should prohibit public write access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks whether your S3 buckets enable public write access by checking the bucket policy, the Block Public Access settings, and the bucket access control list (ACL). Make sure that access to the bucket is restricted to authorized principals only.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7a15b790-008b-4501-85fe-2515a5bc2bd0\",\r\n \"name\": \"7a15b790-008b-4501-85fe-2515a5bc2bd0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 buckets should prohibit public read access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks whether your S3 buckets enable public read access by checking the bucket policy, the Block Public Access settings, and the bucket access control list (ACL).Make sure that access to the bucket is restricted to authorized principals only.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7526daaf-6485-41a7-93b3-257ef2903035\",\r\n \"name\": \"7526daaf-6485-41a7-93b3-257ef2903035\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM user credentials should be disabled if not used within a pre-defined number days\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if your AWS Identity and Access Management (IAM) users have inactive credentials that have not been used within a specified number of days, default is 90 days.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d7887c9e-34c3-4c5a-a214-8022007e41f9\",\r\n \"name\": \"d7887c9e-34c3-4c5a-a214-8022007e41f9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Password policies for IAM users should have strong configurations\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if the account password policy for IAM users uses the following configurations: Require at least one uppercase character in password (Default = true), Require at least one lowercase character in password (Default = true), Require at least one number in password (Default = true), Password minimum length (Default = 7 or longer), Number of passwords before allowing reuse (Default = 4), Number of days before password expiration (Default = 90).\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d8ae9e00-250a-4a8d-a295-5e40f2e13824\",\r\n \"name\": \"d8ae9e00-250a-4a8d-a295-5e40f2e13824\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM root user access key should not exist\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if the root user access key is available.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7b1ddbf7-6600-41a9-a23e-e7efb8668c01\",\r\n \"name\": \"7b1ddbf7-6600-41a9-a23e-e7efb8668c01\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM users should not have IAM policies attached\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks that none of your IAM users have attached policies, they must inherit permissions from IAM groups or roles.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c60f9b4d-853d-41d3-a516-f4dc505dd92c\",\r\n \"name\": \"c60f9b4d-853d-41d3-a516-f4dc505dd92c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM policies should not allow full \\\"*\\\" administrative privileges\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if the AWS Identity and Access Management (IAM) policies default version (also known as customer managed policies) do not have administrator access with a statement that has \\\"Effect\\\": \\\"Allow\\\" with \\\"Action\\\": \\\"*\\\" over \\\"Resource\\\": \\\"*\\\". It does not check inline and AWS Managed Policies, only for the Customer Managed Policies that you created.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a05b1517-27e4-402f-b5d7-3995cb4ffb1f\",\r\n \"name\": \"a05b1517-27e4-402f-b5d7-3995cb4ffb1f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Customer master key (CMK) rotation should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if key rotation is enabled for each customer master key (CMK). It doesn't check CMKs that have imported key material.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b8b4cd2e-d8ef-43fb-a09a-f8faad403309\",\r\n \"name\": \"b8b4cd2e-d8ef-43fb-a09a-f8faad403309\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Lambda functions should prohibit public access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if the Lambda resource has a Lambda function policy attached that prohibits public access\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e73c08d7-bf33-428c-9a35-047b93826c85\",\r\n \"name\": \"e73c08d7-bf33-428c-9a35-047b93826c85\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS snapshots should prohibit public access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if Amazon Relational Database Service (Amazon RDS) snapshots are public\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ce67af84-5a51-47e7-85e5-fe8cfa5b6237\",\r\n \"name\": \"ce67af84-5a51-47e7-85e5-fe8cfa5b6237\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS DB Instances should prohibit public access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if RDS instances are publicly accessible by checking the publiclyAccessible field in the instance configuration item.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d2f140fd-4b82-4e49-a312-a1aaea2d4b37\",\r\n \"name\": \"d2f140fd-4b82-4e49-a312-a1aaea2d4b37\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Redshift clusters should prohibit public access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if Redshift clusters are publicly accessible by checking the publiclyAccessible field in the cluster configuration item\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/529ab31c-7a8e-40f9-a004-91ac1d455fb1\",\r\n \"name\": \"529ab31c-7a8e-40f9-a004-91ac1d455fb1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CodeBuild GitHub or Bitbucket source repository URLs should use OAuth\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if the GitHub or Bitbucket source repository URL includes personal access tokens or user name and password.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8be46b23-a5fd-4ac6-8ec6-018b35b5afb5\",\r\n \"name\": \"8be46b23-a5fd-4ac6-8ec6-018b35b5afb5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Database Migration Service replication instances should not be public\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if AWS Database Migration Service replication instances are public by checking the field value of PubliclyAccessible.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b1dadb19-4295-4acb-a592-6b024008e686\",\r\n \"name\": \"b1dadb19-4295-4acb-a592-6b024008e686\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EBS snapshots should not be publicly restorable\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if Amazon Elastic Block Store snapshots aren't publicly restorable.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3a660f6d-c102-4fe5-be7b-82500b9ae065\",\r\n \"name\": \"3a660f6d-c102-4fe5-be7b-82500b9ae065\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 Block Public Access setting should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"S3 buckets should block public access, this checks if the following public access block settings are configured from an account level: ignorePublicAcls: True, blockPublicPolicy: True, blockPublicAcls: True, restrictPublicBuckets: True.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/93facfdb-6299-4c07-b650-bc43bc3bc18d\",\r\n \"name\": \"93facfdb-6299-4c07-b650-bc43bc3bc18d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"VPC default security group should prohibit inbound and outbound traffic\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks that the default security group of a VPC doesn't allow inbound or outbound traffic\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/390db523-709f-466d-8757-b0b54ea6a7bd\",\r\n \"name\": \"390db523-709f-466d-8757-b0b54ea6a7bd\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Security groups should not allow ingress from 0.0.0.0/0 to port 22\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. Restricting connectivity to remote console services, such as SSH, could help reduce a server's exposure to risk.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/86f26232-2132-4707-99ff-4e70ee16c3ab\",\r\n \"name\": \"86f26232-2132-4707-99ff-4e70ee16c3ab\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Unused EC2 security groups should be removed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks that security groups are attached to Amazon EC2 instances or to an ENI and are surfaces unused security groups.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/099e9ded-7834-43ad-be02-30114c800211\",\r\n \"name\": \"099e9ded-7834-43ad-be02-30114c800211\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon Elasticsearch domains should be in a VPC\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if Amazon Elasticsearch Service domains are in a VPC.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/40ba0792-0cf7-48e3-a629-d3871dc4b7c0\",\r\n \"name\": \"40ba0792-0cf7-48e3-a629-d3871dc4b7c0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Lambda functions should be in a VPC\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if all Lambda function are in a VPC\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5ce523c5-3508-40ef-98d3-ef440253ba6b\",\r\n \"name\": \"5ce523c5-3508-40ef-98d3-ef440253ba6b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CodeBuild project environment variables should not contain clear text credentials\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if a CodeBuild project includes environment variables AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ec43ef1b-935b-4b17-9273-e28fbb94a1c2\",\r\n \"name\": \"ec43ef1b-935b-4b17-9273-e28fbb94a1c2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Unused EC2 EIPs should be removed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"An accurate asset inventory of EIPs should be maintained by checking if Elastic IP addresses that are allocated to a VPC are attached to EC2 instances or in-use elastic network interfaces (ENIs)\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/023c4652-db6a-4f38-ae25-fe2c9a091459\",\r\n \"name\": \"023c4652-db6a-4f38-ae25-fe2c9a091459\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon SageMaker notebook instances should not have direct internet access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if direct internet access is disabled for an Amazon SageMaker notebook instance by checking the DirectInternetAccess field is set to disabled for an Amazon SageMaker notebook instance.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0650d086-6677-4776-9bb0-10aad0a7c6dd\",\r\n \"name\": \"0650d086-6677-4776-9bb0-10aad0a7c6dd\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudTrail logs should be encrypted at rest using AWS KMS CMKs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if AWS CloudTrail is configured to use the server side encryption (SSE) AWS Key Management Service (AWS KMS) customer master key (CMK) encryption.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f631914d-ed27-4d43-98ce-58aecc12eccf\",\r\n \"name\": \"f631914d-ed27-4d43-98ce-58aecc12eccf\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon Elasticsearch domains should have encryption at rest enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if Amazon Elasticsearch Service (Amazon ES) domains have encryption at rest configured.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/336631d3-ba44-4268-8abd-665d3950d775\",\r\n \"name\": \"336631d3-ba44-4268-8abd-665d3950d775\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"A log metric filter and alarm should exist for usage of the \\\"root\\\" user\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks the following metric filters : That the log group name is configured for use with multi-region CloudTrail activated, that there is at least one Event Selector for a Trail with IncludeManagementEvents configured to true and ReadWriteType configured to All, and that there is at least one subscriber active to an SNS topic associated to the alarm.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5db7555b-559c-4fe0-a2e1-d0aee04360e9\",\r\n \"name\": \"5db7555b-559c-4fe0-a2e1-d0aee04360e9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"VPC flow logging should be enabled in all VPCs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks whether Amazon Virtual Private Cloud flow logs are found and enabled for Amazon VPC(s) for packet rejects. VPC Flow Logs enable you to capture information about the IP address traffic to and from network interfaces in your VPC, and can help detect anomalous traffic.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4dd331be-aa29-4753-9f09-9fc2edf05bf2\",\r\n \"name\": \"4dd331be-aa29-4753-9f09-9fc2edf05bf2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudTrail trails should be integrated with Amazon CloudWatch Logs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if AWS CloudTrail trails are set to send logs to Amazon CloudWatch Logs\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6cf046b0-9a14-44ec-b35b-171982c78e9b\",\r\n \"name\": \"6cf046b0-9a14-44ec-b35b-171982c78e9b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudTrail should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if AWS CloudTrail is enabled in your AWS account\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/21eaabc0-9210-45fd-b7fc-0c9b255a0c16\",\r\n \"name\": \"21eaabc0-9210-45fd-b7fc-0c9b255a0c16\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudTrail log file validation should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if CloudTrail log file validation is enabled\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/75c358f9-f644-41d1-9a07-af69f5ee0e2f\",\r\n \"name\": \"75c358f9-f644-41d1-9a07-af69f5ee0e2f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EC2 instances managed by Systems Manager should have a patch compliance status of COMPLIANT after a patch installation\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks only EC2 instances managed by AWS Systems Manager, if after patch installation on the instances they are compliant . AWS Systems Manager is an AWS service that can be used control and view your AWS resources. Systems Manager scans the managed EC2 instances in order to maintain security and compliance, by reporting or taking action on a policy violation that is discovered. \",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6a9bbcb5-81a9-4164-8d17-03b255107dad\",\r\n \"name\": \"6a9bbcb5-81a9-4164-8d17-03b255107dad\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EC2 instances should be managed by AWS Systems Manager\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if AWS Systems Manager is configured to manage your EC2 instances. AWS Systems Manager is an AWS service that can be used control and view your AWS resources. Systems Manager scans the managed EC2 instances in order to maintain security and compliance, by reporting or taking action on a policy violation that is discovered. \",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/32b4b856-848d-4ce2-bec7-1a9be69bce6a\",\r\n \"name\": \"32b4b856-848d-4ce2-bec7-1a9be69bce6a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EC2 instances managed by Systems Manager should have an association compliance status of COMPLIANT\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if the status of the AWS Systems Manager association compliance is COMPLIANT or NON_COMPLIANT after the association has been executed on an instance\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5010098e-7bef-467c-baed-209d8a5afac4\",\r\n \"name\": \"5010098e-7bef-467c-baed-209d8a5afac4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 buckets should have cross-region replication enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if S3 buckets have cross-region replication enabled.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/94d42d13-40a6-47df-b16e-be141aae83c3\",\r\n \"name\": \"94d42d13-40a6-47df-b16e-be141aae83c3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Auto scaling groups associated with a load balancer should use health checks\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if your Auto Scaling groups that are associated with a load balancer are using Elastic Load Balancing health checks\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d5c82980-3fce-4c37-9ad3-9c69a1c59d8f\",\r\n \"name\": \"d5c82980-3fce-4c37-9ad3-9c69a1c59d8f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"GuardDuty should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if Amazon GuardDuty is enabled in your AWS account and region. Amazon GuardDuty is a continuous security monitoring service that can identify unexpected and potentially unauthorized and malicious activity within your AWS environment \",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bc85a7ee-7f43-47ab-8736-4faaec9346b5\",\r\n \"name\": \"bc85a7ee-7f43-47ab-8736-4faaec9346b5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"SSM agent should be installed on your AWS EC2 instances\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Systems Manager is an AWS service that can be used to control and view your AWS infrastructure. The AWS Systems Manager Agent (SSM Agent) is a software that can be installed and configured on a machine and makes it possible for Systems Manager to update and configure these resources. Security Center leverages the SSM Agent for automatic installation of Azure Arc, that enables greater parity for AWS instances to Azure VMs.\",\r\n \"remediationDescription\": \"First, Make sure EC2 instances are managed by Systems Manager: 1.Open AWS System Manager.
2. Choose Quick setup
3. keep the default options on the configuration screen.
4. Choose Set up Systems Manager.
For directions on installing and configuring the SSM Agent on Windows instances visit this page For directions on installing and configuring the SSM Agent on Linux instances visit this page \",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a7c8fa46-526d-4bf6-b8b3-17fa01310fd8\",\r\n \"name\": \"a7c8fa46-526d-4bf6-b8b3-17fa01310fd8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"AWS Security Hub should be enabled in every region in your AWS accounts\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS Security Hub is a regional service and customer must enable Security Hub in each region to view findings in that region. You should continuously monitor all regions across all of your AWS accounts for unauthorized behavior or misconfigurations, including regions you don’t use heavily.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit AWS security hub documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/20f6c761-4dd7-4f27-9e37-6db8471486ef\",\r\n \"name\": \"20f6c761-4dd7-4f27-9e37-6db8471486ef\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"AWS Security Hub should be enabled for all AWS member accounts\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS Security Hub provides you with a comprehensive view of your security state within AWS and your compliance with security standards and best practices. Integrating it into Security Center enables a comprehensive view across multiple cloud environments. any AWS member account related to an onboarded account should have Security Hub enabled as well.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit AWS security hub documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/726cde3e-02f8-4041-8935-727f2be19ba7\",\r\n \"name\": \"726cde3e-02f8-4041-8935-727f2be19ba7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that corporate login credentials are used\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Make sure to log in using the credentials of a fully-managed corporate account and not a personal account.\",\r\n \"remediationDescription\": \"Browse to GCP IAM & Admin. Select the checkbox next to non-corporate users, and then click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4a946e22-47e8-443d-8761-b25620b4a1e1\",\r\n \"name\": \"4a946e22-47e8-443d-8761-b25620b4a1e1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that multi-factor authentication is enabled for all non-service accounts\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Multi-Factor Authentication (MFA) must be enabled for all Google Cloud Platform accounts, excluding service accounts.\",\r\n \"remediationDescription\": \"Browse to GCP Security Settings and set up multi-factor authentication for all non-service accounts within the project.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0ad39832-f031-4fdd-885e-c6cce85ac77c\",\r\n \"name\": \"0ad39832-f031-4fdd-885e-c6cce85ac77c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Service Account has no Admin privileges\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that all service accounts are not configured with administrative roles.\",\r\n \"remediationDescription\": \"Browse to GCP IAM & Admin. Select Members and make sure that there aren't any 'User-Managed user created service account' accounts with one of the following roles: admin, editor, or owner.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/90191798-da1b-40dd-aa9c-1c0eafb1ba87\",\r\n \"name\": \"90191798-da1b-40dd-aa9c-1c0eafb1ba87\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that the 'Service Account User' and 'Service Account Token Creator' roles are not granted to users at a project level. Instead, grant these roles to users in the context of specific service accounts.\",\r\n \"remediationDescription\": \"Browse to GCP IAM & Admin. In the filter table field, enter 'Role: Service Account User' and click 'Delete' (bin icon) for every user listed. Similarly, filter using 'Role: Service Account Token Creator' and delete every user listed.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ddced3c8-a5e2-4dc4-b0fe-1331c77fc9c4\",\r\n \"name\": \"ddced3c8-a5e2-4dc4-b0fe-1331c77fc9c4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure user-managed/external keys for service accounts are rotated every 90 days or less\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that all service account keys are rotated every 90 days or less.\",\r\n \"remediationDescription\": \"Browse to APIs Credentials. Under 'Service Account Keys', for every External (user-managed) service account where the creation date is 90 days or more, delete the service account key and create a new one instead.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f493084a-d3c4-4886-8cf2-3c815aeef901\",\r\n \"name\": \"f493084a-d3c4-4886-8cf2-3c815aeef901\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Separation of duties is enforced while assigning service account related roles to users\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that there is a separation of duties. Also, make sure that users are not assigned with both 'Service Account Admin' and other 'Service Account User' roles.\",\r\n \"remediationDescription\": \"Browse to GCP IAM & Admin. Edit members with both 'Service Account Admin' and 'Service Account User', delete one of the roles, and then click 'Save'. \",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3053474d-4fab-4603-8d18-2a6dfd09f782\",\r\n \"name\": \"3053474d-4fab-4603-8d18-2a6dfd09f782\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure KMS encryption keys are rotated within a period of 90 days\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that Cloud KMS encryption keys are rotated every 90 days or less.\",\r\n \"remediationDescription\": \"Browse to GCP Security Kms. For every key ring, for every key in the key ring, do the following: Select 'Right side pop up the blade' > 'Edit rotation period' > 'Select a new rotation period' and specify a period of less than 90 days, and then specify a 'Starting on' date.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3ff38dcd-92e2-4b67-8765-35bb0174a4c7\",\r\n \"name\": \"3ff38dcd-92e2-4b67-8765-35bb0174a4c7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Separation of duties is enforced while assigning KMS related roles to users\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that there is a separation of duties and that there are no users assigned with both the 'Cloud KMS Admin' role and any of the following roles: 'Cloud KMS CryptoKey', 'Cloud KMS Encrypter/Decrypter', 'Cloud KMS CryptoKey Encrypter' or 'Cloud KMS CryptoKey Decrypterer'.\",\r\n \"remediationDescription\": \"Browse to GCP IAM & Admin. For the member that is listed at the recommendation, click 'Edit'. For the 'Cloud KMS Admin' role, click 'Delete', and then Click 'Save'. \",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/52f83ea2-6871-45c3-8b26-13566e966638\",\r\n \"name\": \"52f83ea2-6871-45c3-8b26-13566e966638\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure API keys are not created for a project\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that all API keys are not used within the scope of projects. The standard authentication flow should be implemented, since the use of API keys presents many security risks.\",\r\n \"remediationDescription\": \"Browse to APIs Credentials. Under 'API Keys', delete the relevant API Keys. These API keys should be replaced by a standard authentication flow as described In the Authentication overview [GCP docs authentication]\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/76e8881d-f18e-4e1b-b01d-376d0260e066\",\r\n \"name\": \"76e8881d-f18e-4e1b-b01d-376d0260e066\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure API keys are restricted to use by only specified Hosts and Apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that API keys are restricted, and used only by trusted hosts, HTTP referrers, or applications.\",\r\n \"remediationDescription\": \"Browse to APIs Credentials. Under 'API Keys', select 'API Key Name'. Under 'Key restrictions', set application restriction to HTTP referrers, IP Addresses, Android Apps, or iOS Apps, and then click 'Save'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0eaf40a8-5673-4b33-8457-a31d85882233\",\r\n \"name\": \"0eaf40a8-5673-4b33-8457-a31d85882233\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure API keys are restricted to only APIs that application needs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that API keys are restricted to only access API endpoints that are essential to the calling application.\",\r\n \"remediationDescription\": \"Browse to APIs Credentials. Under 'API Keys', select 'API Key Name'. For every API key, make sure that the 'Key restrictions' parameter 'API restrictions' is not set to 'None'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5a235918-41a2-4bd0-8ab0-00a596e9d6a8\",\r\n \"name\": \"5a235918-41a2-4bd0-8ab0-00a596e9d6a8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure API keys are rotated every 90 days\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that API keys are rotated every 90 days or less.\",\r\n \"remediationDescription\": \"Browse to APIs Credentials. Under 'API Keys'. Select 'API Key Name'. Click 'REGENERATE KEY' to rotate the API key, and then click 'Save'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f61e15f3-4bcf-4d2e-8f06-32237cabe0a0\",\r\n \"name\": \"f61e15f3-4bcf-4d2e-8f06-32237cabe0a0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud Audit Logging is configured properly across all services and all users from a project\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that Cloud Audit Logging is configured to track read and write activities across all supported services and for all users. Configured this way, all administrative activities, or attempts to access user data, will be tracked.\",\r\n \"remediationDescription\": \"Browse to GCP IAM & Admin Audit. On the 'Audit Log' page, select the 'Log type' tab. Select 'Admin read', 'Data read', and 'Data write', and then click 'Save'. Make sure there are no exemptions.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/cdb3af55-2abf-476b-aac7-5cfec366a4dd\",\r\n \"name\": \"cdb3af55-2abf-476b-aac7-5cfec366a4dd\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that sinks are configured for all log entries\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that all resource have a log sink configured, exporting copies of all the log entries to a centralized location such as a SIEM.\",\r\n \"remediationDescription\": \"Browse to GCP Logs viewer. Switch to the 'Advanced' filter bar, clear any text from the filter field, and then click 'Submit Filter'. Click 'Create Sink', fill out the required details, and then click 'Create Sink'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bc26b0d4-a1d7-4665-9d44-efc205ae73f0\",\r\n \"name\": \"bc26b0d4-a1d7-4665-9d44-efc205ae73f0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure log metric filter and alerts exist for project ownership assignments/changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure log metric filters and alerts are configured to monitor project ownership assignment/change actions.\",\r\n \"remediationDescription\": \"STEP A - Create a Log metric: Browse to GCP Logs metrics. Click 'Create Metric', switch to the 'Advanced' filter bar, and run the following query: (protoPayload.serviceName=\\\"cloudresourcemanager.googleapis.com\\\") AND (ProjectOwnership OR projectOwnerInvitee) OR (protoPayload.serviceData.policyDelta.bindingDeltas.action=\\\"REMOVE\\\" AND protoPayload.serviceData.policyDelta.bindingDeltas.role=\\\"roles/owner\\\") OR (protoPayload.serviceData.policyDelta.bindingDeltas.action=\\\"ADD\\\" AND protoPayload.serviceData.policyDelta.bindingDeltas.role=\\\"roles/owner\\\". In the 'Metric Editor' menu, provide a name for the field, set 'Units' to 1 and Type to 'Counter', then click 'Create Metric'. STEP B - Create Alert on Metrics: To create an alert policy, browse to GCP Logs metrics. Click 'Create alert from Metric', click 'Create alert from Metric', add Alert Triggers, and then click 'Save'. Configure the alert's notification channels, give it a name, and then click 'Save'. Finally, edit the alert policy and update the 'Target Aggregation' option to 'Count'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3812e247-34f2-4f06-a312-89a8fe51fa37\",\r\n \"name\": \"3812e247-34f2-4f06-a312-89a8fe51fa37\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for Audit Configuration changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure log metric filter and alerts are configured for Audit Configuration changes. Audit logging data is required for security analysis. Tracking the log metric filters and alerts is important to ensure that all activities in the projects are being audited as planned.\",\r\n \"remediationDescription\": \"STEP A - Create a Log metric: Browser to GCP Logs metrics. Click 'Create Metric', switch to the 'Advanced' filter bar, clear the text, and run the following query: protoPayload.methodName=\\\"SetIamPolicy\\\" AND protoPayload.serviceData.policyDelta.auditConfigDeltas:*. In the 'Metric Editor' menu, provide a name for the field, set 'Units' to 1 and 'Type to 'Counter', then click 'Create Metric'. STEP B - Create Alert on Metrics: To create an alert policy, browse to GCP Logs metrics. Click 'Create alert from Metric', click 'Create alert from Metric', add Alert Triggers, and then click 'Save'. Configure the alert's notification channels, give it a name, and then click 'Save'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f0f8405a-5ecc-4314-808e-083e030d6163\",\r\n \"name\": \"f0f8405a-5ecc-4314-808e-083e030d6163\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for Custom Role changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that log metric filter and alerts are configured for Custom Role changes. Monitoring role creation, update, or deletion may help to identify over-privileged or misused roles. \",\r\n \"remediationDescription\": \"STEP A - Create a Log metric: Browser to GCP Logs metrics. Click 'Create Metric', switch to the 'Advanced' filter bar, clear the text, and run the following query: resource.type=\\\"iam_role\\\" AND protoPayload.methodName = \\\"google.iam.admin.v1.CreateRole\\\" OR protoPayload.methodName=\\\"google.iam.admin.v1.DeleteRole\\\" OR protoPayload.methodName=\\\"google.iam.admin.v1.UpdateRole\\\". In the 'Metric Editor' menu, provide a name for the field, set 'Units' to 1 and 'Type to 'Counter', then click 'Create Metric'. STEP B - Create Alert on Metrics: To create an alert policy, browse to GCP Logs metrics. Click 'Create alert from Metric', click 'Create alert from Metric', add Alert Triggers, and then click 'Save'. Configure the alert's notification channels, give it a name, and then click 'Save'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c23e0eec-eee4-4632-b1c2-6c884c3c963b\",\r\n \"name\": \"c23e0eec-eee4-4632-b1c2-6c884c3c963b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for VPC Network Firewall rule changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that log metric filter and alerts are configured for Virtual Private Cloud (VPC) Network Firewall rule changes. Firewall create or update rule events indicate network access changes, which may indicate suspicious activity.\",\r\n \"remediationDescription\": \"STEP A - Create a Log metric: Browser to GCP Logs metrics. Click 'Create Metric', switch to the 'Advanced' filter bar, clear the text, and run the following query: resource.type=\\\"gce_firewall_rule\\\" AND jsonPayload.event_subtype=\\\"compute.firewalls.patch\\\" OR jsonPayload.event_subtype=\\\"compute.firewalls.insert\\\". In the 'Metric Editor' menu, fill the name field, set Units to 1, and the Type to Counter. Click on 'Create Metric'. STEP B - Create Alert on Metrics: To create an alert policy, browse to https://console.cloud.google.com/logs/metrics. Click 'Create alert from Metric', click 'Create alert from Metric', add Alert Triggers, and then click 'Save'. Configure the alert's notification channels, give it a name, and then click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7ce5a01f-e94b-438a-8b72-fa02c076f11a\",\r\n \"name\": \"7ce5a01f-e94b-438a-8b72-fa02c076f11a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for VPC network route changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that the log metric filter and alerts are configured for Virtual Private Cloud (VPC) network route changes. Monitoring network route changes to route tables may indicate of a suspicious activity.\",\r\n \"remediationDescription\": \"STEP A - Create a Log metric: Browser to GCP Logs metrics. Click 'Create Metric', switch to the 'Advanced' filter bar, clear the text, and run the following query: resource.type=\\\"gce_route\\\" AND jsonPayload.event_subtype=\\\"compute.routes.delete\\\" OR jsonPayload.event_subtype=\\\"compute.routes.insert\\\". In the 'Metric Editor' menu, fill the name field, set Units to 1, and the Type to Counter. Click on 'Creat Metric'. STEP B - Create Alert on Metrics: To create an alert policy, browse to GCP Logs metrics. Click 'Create alert from Metric', click 'Create alert from Metric', add Alert Triggers, and then click 'Save'. Configure the alert's notification channels, give it a name, and then click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0b86a67f-bde5-4c91-b10c-4102033b8692\",\r\n \"name\": \"0b86a67f-bde5-4c91-b10c-4102033b8692\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for VPC network changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that the log metric filter and alerts are configured for Virtual Private Cloud (VPC) network changes. Monitoring network changes to the VPC is important to make sure it is not compromised.\",\r\n \"remediationDescription\": \"STEP A - Create a Log metric: Browser to GCP Logs metrics. Click 'Create Metric', switch to the 'Advanced' filter bar, clear the text, and run the following query: resource.type=gce_network AND jsonPayload.event_subtype=\\\"compute.networks.insert\\\" OR jsonPayload.event_subtype=\\\"compute.networks.patch\\\" OR jsonPayload.event_subtype=\\\"compute.networks.delete\\\" OR jsonPayload.event_subtype=\\\"compute.networks.removePeering\\\" OR jsonPayload.event_subtype=\\\"compute.networks.addPeering\\\". In the 'Metric Editor' menu, fill the name field, set Units to 1, and the Type to Counter. Click on 'Create Metric'. STEP B - Create Alert on Metrics: To create an alert policy, browse to GCP Logs metrics. Click 'Create alert from Metric', click 'Create alert from Metric', add 'Alert Triggers', and then click 'Save'. Configure the alert's notification channels, give it a name, and then click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/46e4e0ed-106d-405e-b1a9-ca34c8f7d31f\",\r\n \"name\": \"46e4e0ed-106d-405e-b1a9-ca34c8f7d31f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for Cloud Storage IAM permission changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"\\\"Ensure that the log metric filter and alerts are configured for Cloud Storage IAM permission changes. Monitoring changes to a storage bucket permissions can help identify malicious attempts to access a sensitive storage buckets and objects inside buckets.\",\r\n \"remediationDescription\": \"STEP A - Create a Log metric: Browser to GCP Logs metrics. Click 'Create Metric', switch to the 'Advanced' filter bar, clear the text, and run the following query: resource.type=gcs_bucket AND protoPayload.methodName=\\\"storage.setIamPermissions\\\". In the 'Metric Editor' menu, fill the name field, set Units to 1, and the Type to Counter. Click on 'Create Metric'. STEP B - Create Alert on Metrics: To create an alert policy, browse to GCP Logs metrics. Click 'Create alert from Metric', click 'Create alert from Metric', add Alert Triggers, and then click 'Save'. Configure the alert's notification channels, give it a name, and then click 'Save'.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b1294b0d-9b2e-4e1b-9f67-77a75fb10a65\",\r\n \"name\": \"b1294b0d-9b2e-4e1b-9f67-77a75fb10a65\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for SQL instance configuration changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that the log metric filter and alerts are configured for SQL instance configuration changes. Monitoring changes to an SQL instance can help identify malicious attempts to access a sensitive data stored in an SQL instance. \",\r\n \"remediationDescription\": \"STEP A - Create a Log metric: Browser to GCP Logs metrics. Click 'Create Metric', switch to the 'Advanced' filter bar, clear the text, and run the following query: protoPayload.methodName=\\\"cloudsql.instances.update\\\". In the 'Metric Editor' menu, fill the name field, set Units to 1, and the Type to Counter. Click on 'Create Metric'. STEP B - Create Alert on Metrics: To create an alert policy, browse to GCP Logs metrics. Click 'Create alert from Metric', click 'Create alert from Metric', add Alert Triggers, and then click 'Save'. Configure the alert's notification channels, give it a name, and then click 'Save'.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ece6ec5d-a862-4e22-a8db-271661216018\",\r\n \"name\": \"ece6ec5d-a862-4e22-a8db-271661216018\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the default network does not exist in a project\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that projects do not have a default network. A default predefined network generates multiple unsecure firewall rules that are not audit logged, cannot be configured to enable firewall rule logging, and do not allow the use of a Cloud VPN or VPC Network Peering with the default network.\",\r\n \"remediationDescription\": \"Browse to GCP Networks List. Select the 'default' network. On the network detail page, click 'edit', and then click 'Delete VPC network'. If required, you can to create a new network with custom firewall rules to replace the 'default' network.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3af5de46-fda8-4b6e-90f1-6565187d7c48\",\r\n \"name\": \"3af5de46-fda8-4b6e-90f1-6565187d7c48\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure legacy networks do not exist for a project\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that all projects do not have a legacy network. Legacy networks may have an impact for high network traffic projects and pose a single point of contention or failure.\",\r\n \"remediationDescription\": \"Create a non-legacy network and then delete the legacy networks using the following command: 'gcloud compute networks delete my-legacy-network'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e40b679a-f44e-4366-87dd-7693e16a2128\",\r\n \"name\": \"e40b679a-f44e-4366-87dd-7693e16a2128\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that DNSSEC is enabled for Cloud DNS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that Domain Name System Security Extensions (DNSSEC) is enabled for Cloud DNS zones. DNSSEC helps mitigate the risk of a DNS hijacking and man-in-the-middle attacks, by preventing attackers from issuing fake DNS responses that may misdirect browsers to malicious websites.\",\r\n \"remediationDescription\": \"Browse to GCP DNS zones. For each zone of type 'Public', set DNSSEC to 'On'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/049f1551-438b-444e-8904-a3c3afbcb43e\",\r\n \"name\": \"049f1551-438b-444e-8904-a3c3afbcb43e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that RSASHA1 is not used for the key-signing key in Cloud DNS DNSSEC\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that RSA-SHA1 is not used as the key-signing key in Domain Name System Security Extensions (DNSSEC).\",\r\n \"remediationDescription\": \"To change the settings for a managed zone where RSA-SHA1 has been enabled: Turn off DNSSEC, modify they settings, and then turn on DNSSEC again. Finally, update the key-signing for the reported managed DNS Zone.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/cc637123-c11e-40ee-adf8-93c0876481f4\",\r\n \"name\": \"cc637123-c11e-40ee-adf8-93c0876481f4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that RSASHA1 is not used for the zone-signing key in Cloud DNS DNSSEC\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that RSA-SHA1 is not used as the zone-signing key in Domain Name System Security Extensions (DNSSEC).\",\r\n \"remediationDescription\": \"To change the settings for a managed zone where RSA-SHA1 has been enabled: Turn off DNSSEC, modify they settings, and then turn on DNSSEC again. Finally, update the zone-signing for the reported managed DNS Zone.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0327f9da-f758-4d69-8903-55448b8cf70e\",\r\n \"name\": \"0327f9da-f758-4d69-8903-55448b8cf70e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that SSH access is restricted from the internet\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that SSH access is restricted from the internet because it can be used as initial access to the network. Prevent inbound traffic via SSH (port 22) from the internet using the generic IP address (0.0.0.0/0).\",\r\n \"remediationDescription\": \"Browser to GCP Networks List. Select 'Firewall Rules', edit the relevant rule, under 'Source IP ranges' replace the value with a specific IP address, and then click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/684307e9-62a8-4f2a-887a-4b90de5e4b98\",\r\n \"name\": \"684307e9-62a8-4f2a-887a-4b90de5e4b98\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that RDP access is restricted from the Internet\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that RDP access is restricted from the internet, as is may be used for initial access to the network. Prevent inbound traffic via RDP (port 3389) from the internet using the generic IP address (0.0.0.0/0). \",\r\n \"remediationDescription\": \"Browser to GCP Networks List. Select 'Firewall Rules', edit the relevant rule, under 'Source IP ranges' replace the value with a specific IP address, and then click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3d55e4b1-ecdb-4eaf-9e3f-b00a764182bd\",\r\n \"name\": \"3d55e4b1-ecdb-4eaf-9e3f-b00a764182bd\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that all VPC Flow Logs are enabled, for every subnet in a VPC Network.\",\r\n \"remediationDescription\": \"Browse to GCP Networks List. Select the relevant subnet, click 'Edit', set 'Flow Logs' to 'On', and then click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c28a89d9-7cf4-439b-a8c4-ad4e769f68ee\",\r\n \"name\": \"c28a89d9-7cf4-439b-a8c4-ad4e769f68ee\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure no HTTPS or SSL proxy load balancers permit SSL policies with weak cipher suites\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that there are no HTTPS or SSL Proxy Load Balancers that use weak SSL policies with TLS or 1.1.\",\r\n \"remediationDescription\": \"Browser to GCP SSL Policies. Select the relevant policy, click 'Edit', set 'Minimum TLS version' to 'TLS 1.2', set 'Profile' to 'Modern' or 'Restricted', and then click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/233da9cd-11bf-463a-8aa7-4c81b9e788d1\",\r\n \"name\": \"233da9cd-11bf-463a-8aa7-4c81b9e788d1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that instances are not configured to use the default service account with full access to all Cloud APIs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that all instances are not configured to use the default service account with full access to all Google Cloud APIs.\",\r\n \"remediationDescription\": \"Browse to GCP Compute instances. Select the relevant VM instance, stop the instance if it is currently started, and then click 'Edit'. Under 'Service Account', select 'Compute Engine default service account', make sure that 'Allow full access to all Cloud APIs' is not selected, click 'Save' and then 'Start'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1ff4501b-2109-4ef6-ba9d-e824a96d63d0\",\r\n \"name\": \"1ff4501b-2109-4ef6-ba9d-e824a96d63d0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure \\\"Block Project-wide SSH keys\\\" is enabled for VM instances\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that no project-wide SSH keys are used for VM instances, as they enable login to all instances in the project.\",\r\n \"remediationDescription\": \"Browse to GCP Compute instances. Select the impacted instance, click 'Edit', under 'SSH Keys', select 'Block project-wide SSH keys', and then click 'Save'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fa924a53-0837-4296-9bf7-18ce7dd68593\",\r\n \"name\": \"fa924a53-0837-4296-9bf7-18ce7dd68593\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure oslogin is enabled for a Project\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that OS login is enabled for all projects, as this pairs the SSH keys in use with IAM users. \",\r\n \"remediationDescription\": \"Browse to GCP Compute metadata. Click 'Edit', add metadata key for 'enable-oslogin' with value 'TRUE', and then click 'Save'. For every instances that overrides the project setting, browse to GCP Compute instances. Select the relevant instance name, click 'Edit', under 'custom metadata', remove 'enable-oslogin' keys with the value 'FALSE', and then click 'Save'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c4131c22-1ecc-4beb-9961-d90108bd975f\",\r\n \"name\": \"c4131c22-1ecc-4beb-9961-d90108bd975f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure 'Enable connecting to serial ports' is not enabled for VM Instance\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that 'Enable connecting to serial ports' is not enabled for all VM Instance. When the interactive serial console is enabled for an instance, clients can connect to the instance from any IP address using the proper username and SSH key.\",\r\n \"remediationDescription\": \"Browse to GCP Compute instances. Select the relevant instance, under 'Remote access', make sure that 'Enable connecting to serial ports' is not selected.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3b1713ec-feb3-4b32-b5b0-251acff0a84a\",\r\n \"name\": \"3b1713ec-feb3-4b32-b5b0-251acff0a84a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that IP forwarding is not enabled on Instances\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"To prevent data loss, forwarding of data packets should not be enabled on instances.\",\r\n \"remediationDescription\": \"Browse to GCP Compute instances. Select the relevant instance, under 'Network interfaces', make sure that 'IP forwarding' is set to 'Off' for every network interface.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6be98232-0100-474a-b33d-ba9c1a747f70\",\r\n \"name\": \"6be98232-0100-474a-b33d-ba9c1a747f70\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure VM disks for critical VMs are encrypted with Customer-Supplied Encryption Keys (CSEK)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By default, all data at rest is encrypted by Google Compute Engine. Make sure that VM disks are encrypted using Customer-Supplied Encryption Keys (CSEK) enabling you to control and manage the encryption keys yourself.\",\r\n \"remediationDescription\": \"Browse to GCP Compute disks. Select the relevant disk and make sure that the 'Encryption type' is set to 'Customer supplied'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9e1789cd-7b61-42db-ba12-7268283ba466\",\r\n \"name\": \"9e1789cd-7b61-42db-ba12-7268283ba466\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure Compute instances are launched with Shielded VM enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"To protect against advanced threats, a Compute Engine instance using a public image and must be launched with a Shielded VM. It is also important to verify that the boot loader and firmware on the VMs are signed and untampered.\",\r\n \"remediationDescription\": \"Browse to GCP Compute instances. Select the relevant instance, under 'Shielded VM', make sure that 'Turn on vTPM' and 'Turn on Integrity Monitoring' are enabled.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0bdcd23c-4ff2-4077-aa14-eb6950bfbdd8\",\r\n \"name\": \"0bdcd23c-4ff2-4077-aa14-eb6950bfbdd8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Compute instances do not have public IP addresses\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Compute instances must not be configured with public IP addresses.\",\r\n \"remediationDescription\": \"Browse to GCP Firewalls List. Edit each firewall rule in the list, under 'Source IP ranges', modify the IP address values to restrict access from public IP addresses, like 0.0.0.0/0.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/79b4eb34-c06e-49bf-883d-5352a21a962f\",\r\n \"name\": \"79b4eb34-c06e-49bf-883d-5352a21a962f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud Storage bucket is not anonymously or publicly accessible\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that an IAM policy on Cloud Storage buckets does not allow anonymous or public access so sensitive data.\",\r\n \"remediationDescription\": \"To restrict access to Cloud Storage Buckets: Browse to GCP Storage browser. Select the relevant bucket, select 'Permissions', and then under 'Role(s)', remove all Cloud IAM permissions that were granted to 'allUsers' and 'allAuthenticatedUsers'. To restrict access from public addresses: browse to GCP Firewalls List.. Edit each firewall rule in the list, under 'Source IP ranges', modify the IP adress values to restrict access from public IP addresses, like 0.0.0.0/0.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a2bb3a1b-4a09-4cf7-9e79-c438687e2c2f\",\r\n \"name\": \"a2bb3a1b-4a09-4cf7-9e79-c438687e2c2f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud Storage buckets have uniform bucket-level access enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"For simple and unified resource access, ensure that Cloud Storage buckets have uniform bucket-level access enabled.\",\r\n \"remediationDescription\": \"Browse to GCP Storage browser. Edit the relevant bucket, under 'Access Control', select 'Uniform', and then click 'Save'.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a3ebc80a-847b-46d5-a37d-8dca5e6947df\",\r\n \"name\": \"a3ebc80a-847b-46d5-a37d-8dca5e6947df\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the Cloud SQL database instance requires all incoming connections to use SSL\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that the Cloud SQL Database instance requires all incoming connections to always use SSL encryption.\",\r\n \"remediationDescription\": \"Browse to GCP Sql instances, select the relevant instance and under 'Connections', select 'Allow only SSL connections'.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1f386f4e-449e-41e8-b829-a2fe01086ae1\",\r\n \"name\": \"1f386f4e-449e-41e8-b829-a2fe01086ae1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud SQL database instances are not open to the world\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Cloud SQL instances must be configured to only accept connections from trustworthy networks and/or IP addresses and restrict all other access. \",\r\n \"remediationDescription\": \"Browse to GCP Firewalls List. Edit each firewall rule in the list, under 'Source IP ranges', modify the IP address values to restrict access from public IP addresses, like 0.0.0.0/0.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2f6c8a5a-9407-467c-8082-0ad4ab915d77\",\r\n \"name\": \"2f6c8a5a-9407-467c-8082-0ad4ab915d77\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud SQL database instances do not have public IPs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Cloud SQL instances must be configured to use private IP addresses, and not public IP addresses.\",\r\n \"remediationDescription\": \"Browse to GCP Firewalls List. Edit each firewall rule in the list, under 'Source IP ranges', modify the IP address values to restrict access from public IP addresses, like 0.0.0.0/0.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/664c6a0b-5cd2-4140-aaff-a94241c07afd\",\r\n \"name\": \"664c6a0b-5cd2-4140-aaff-a94241c07afd\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud SQL database instances are configured with automated backups\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Cloud SQL database instances must be configured with automated backups.\",\r\n \"remediationDescription\": \"Browse to GCP Sql instances. Select the relevant instance, and under 'Backups', make sure that 'Automated backups' is set to 'Enabled' and that the 'Backup time' is set.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5723400d-5b2a-45f1-99ee-837986866318\",\r\n \"name\": \"5723400d-5b2a-45f1-99ee-837986866318\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that BigQuery datasets are not anonymously or publicly accessible\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"To ensure that sensitive data is not compromised, IAM policies on BigQuery datasets must not allow anonymous or public access.\",\r\n \"remediationDescription\": \"Browse to GCP Firewalls List. Edit each firewall rule in the list, under 'Source IP ranges', modify the IP address values to restrict access from public IP addresses, like 0.0.0.0/0.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/582c14e9-48c1-4b25-ab93-91bdeaf9120c\",\r\n \"name\": \"582c14e9-48c1-4b25-ab93-91bdeaf9120c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Avoid the use of the \\\"root\\\" account\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"The \\\"root\\\" account is the most privileged account and has unrestricted access to all resources in the AWS account. It is highly recommended to avoid use of this account.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1f24d55a-df0f-4772-9090-4629c2d6bfff\",\r\n \"name\": \"1f24d55a-df0f-4772-9090-4629c2d6bfff\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Multi-Factor Authentication (MFA) should be enabled on all accounts that have a console password.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8a10942a-02ca-483f-81ae-2260ea7808cc\",\r\n \"name\": \"8a10942a-02ca-483f-81ae-2260ea7808cc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure credentials unused for 90 days or greater are disabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS resources can be accessed by using different types of credentials by AWS IAm users. Credentials such as passwords or access keys that haven't been used in 90 days or more should be deactivated or removed.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9b8eac17-6b11-4b94-9bb4-18c81aee7123\",\r\n \"name\": \"9b8eac17-6b11-4b94-9bb4-18c81aee7123\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure access keys are rotated every 90 days or less\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Access keys consist of an access key ID and secret access key. they are used to sign programmatic requests made to AWS. Access keys should be regularly rotated to reduce chance of access key used that is associated with a compromised or terminated account and ensure that data can't be accessed with an old key that might have been lost, cracked, or stolen.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/554ba13c-d7d4-4530-88ce-94cf11a670ce\",\r\n \"name\": \"554ba13c-d7d4-4530-88ce-94cf11a670ce\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy requires at least one uppercase letter\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Password policy should require at least one uppercase letter to enforce password complexity requirements . \",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/66a1d478-4d24-42d4-8eca-dcdab6532a18\",\r\n \"name\": \"66a1d478-4d24-42d4-8eca-dcdab6532a18\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy requires at least one lowercase letter\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Password policy should require at least one lowercase letter to enforce password complexity requirements . \",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b396f112-a462-4813-a93f-80bc90041e4d\",\r\n \"name\": \"b396f112-a462-4813-a93f-80bc90041e4d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy requires at least one symbol\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Password policy should require at least one symbol to enforce password complexity requirements . \",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5425052d-cc0d-4424-af71-050311f99634\",\r\n \"name\": \"5425052d-cc0d-4424-af71-050311f99634\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy requires at least one number\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Password policy should require at least one number to enforce password complexity requirements . \",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/09cb7d54-db05-4d31-97f3-9bbfe1dff610\",\r\n \"name\": \"09cb7d54-db05-4d31-97f3-9bbfe1dff610\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy requires minimum password length of 14 or greater\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Password policy should require a length of 14 or greater to enforce password complexity requirements.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/01fb1ad4-303b-4789-abf2-c024c4a76523\",\r\n \"name\": \"01fb1ad4-303b-4789-abf2-c024c4a76523\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy prevents password reuse\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"IAM password policy should prevent the reuse of passwords to prevent reuse of given password by the same user.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0de072b9-6515-4985-842e-0318047bb85b\",\r\n \"name\": \"0de072b9-6515-4985-842e-0318047bb85b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy expires passwords within 90 days or less\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"IAM password policies should require passwords to expire after 90 days or less.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8c3f474a-234e-442f-92b3-2a45e37f7eee\",\r\n \"name\": \"8c3f474a-234e-442f-92b3-2a45e37f7eee\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure no root account access key exists\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"The root account is the most privileged user in an AWS account. AWS Access Keys provide programmatic access to an AWS account. All access keys associated with the root account should be removed.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8e3d9ac0-a248-4276-a437-304c6cd1443b\",\r\n \"name\": \"8e3d9ac0-a248-4276-a437-304c6cd1443b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure MFA is enabled for the \\\"root\\\" account\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"MFA should be enabled for a root account to increase console security. When a user signs in to an AWS website, they will be prompted for their user name, password as well as for an authentication code\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8d7a6128-c8f2-43df-b422-7877346f9ddb\",\r\n \"name\": \"8d7a6128-c8f2-43df-b422-7877346f9ddb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure hardware MFA is enabled for the \\\"root\\\" account\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"MFA should be enabled for a root account to increase console security. When a user signs in to an AWS website, they will be prompted for their user name, password as well as for an authentication code. The account should be protected with a hardware MFA\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c55461af-4923-4fbb-b270-40d5e5f4c0ff\",\r\n \"name\": \"c55461af-4923-4fbb-b270-40d5e5f4c0ff\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM policies are attached only to groups or roles\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By default, IAM users, groups, and roles don't have access to AWS resources. IAM policies are used to grant privileges to users, groups, or roles. IAM policies should be applied directly to groups and roles but not users\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bbdc4999-1462-4d46-853b-2f8c6ca1c682\",\r\n \"name\": \"bbdc4999-1462-4d46-853b-2f8c6ca1c682\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a support role has been created to manage incidents with AWS Support\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS provides a support center that can be used for incident notification and response, as well as technical support and customer services. IAM Role should be created to allow authorized users to manage incidents with AWS Support.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9e1f12d0-cb3d-4e1c-a468-6bc3d934c99d\",\r\n \"name\": \"9e1f12d0-cb3d-4e1c-a468-6bc3d934c99d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM policies that allow full \\\"*:*\\\" administrative privileges are not created\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"IAM policies are the way in which privileges are granted to users, groups, or roles. Granting only the permissions needed to perform a task should be done instead of allowing full administrative privileges.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/22438e3c-73c8-40af-a083-10c980c63aa2\",\r\n \"name\": \"22438e3c-73c8-40af-a083-10c980c63aa2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure CloudTrail is enabled in all regions\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. CloudTrail should be enabled to allow security analysis, resource change tracking, and compliance auditing.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fd5d38f6-340e-4bd2-88f2-e1314c3c07a9\",\r\n \"name\": \"fd5d38f6-340e-4bd2-88f2-e1314c3c07a9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure CloudTrail log file validation is enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"A digitally signed digest file is created by CloudTrail log file validation, containing a hash of each log that CloudTrail writes to S3. These digest files can be used to determine whether a log file was changed, deleted, or unchanged after CloudTrail delivered the log. \",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0384d5b7-5def-4130-b7b5-db7da7e63276\",\r\n \"name\": \"0384d5b7-5def-4130-b7b5-db7da7e63276\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure the S3 bucket CloudTrail logs to is not publicly accessible\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Enabling public access to CloudTrail log content could assist an adversary in identifying weaknesses in the affected account's use or configuration.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5720f1a6-6061-4768-9c0d-2000a6041744\",\r\n \"name\": \"5720f1a6-6061-4768-9c0d-2000a6041744\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure CloudTrail trails are integrated with Amazon CloudWatch Logs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS CloudTrail is a web service that records AWS API calls made in a given AWS account. In addition to capturing CloudTrail logs within a specified S3 bucket for long term analysis, sending these logs to CloudWatch should be done to enable realtime analysis. \",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/dbfc99e3-e648-4c3b-bd32-995e6268430d\",\r\n \"name\": \"dbfc99e3-e648-4c3b-bd32-995e6268430d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure AWS Config is enabled in all regions\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS Config is a web service that performs configuration management of supported AWS resources within your account and delivers log files to you that can be used for security analysis, resource change tracking, and compliance auditing and should be enabled across all regions.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/30c69b23-a9a2-4729-aca6-f21adacfff66\",\r\n \"name\": \"30c69b23-a9a2-4729-aca6-f21adacfff66\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"S3 Bucket Access Logging generates a log that contains access records for each request made to your S3 bucket and could be used for security analysis, resource change tracking, and compliance auditing.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c01fab9f-bde1-4ba5-9d35-7de51f31c2d3\",\r\n \"name\": \"c01fab9f-bde1-4ba5-9d35-7de51f31c2d3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure CloudTrail logs are encrypted at rest using AWS KMS CMKs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"CloudTrail logs should be configured to leverage server side encryption (SSE) and KMS customer created master keys (CMK) to further protect CloudTrail logs.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/23b514bd-2afc-4a3e-8d3d-f4327118eee9\",\r\n \"name\": \"23b514bd-2afc-4a3e-8d3d-f4327118eee9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure rotation for customer created CMKs is enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS Key Management Service (KMS) enables customers to rotate the backing key, a key material stored within the KMS which is tied to the key ID of the Customer Created customer master key (CMK). The backing key is used to perform cryptographic operations such as encryption and decryption.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a9ac48d8-8dd7-42b9-9752-b1fa70ea5dd9\",\r\n \"name\": \"a9ac48d8-8dd7-42b9-9752-b1fa70ea5dd9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure VPC flow logging is enabled in all VPCs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"VPC Flow Logs enables you to gather information about the IP traffic going to and from network interfaces in your VPC. After a flow log has been created, you can view and retrieve its data in Amazon CloudWatch Logs. VPC Flow Logs should be enabled for packet \\\"Rejects\\\" for VPCs.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/00261067-76a8-4ebb-b5fc-becc81067bee\",\r\n \"name\": \"00261067-76a8-4ebb-b5fc-becc81067bee\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for unauthorized API calls\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By directing CloudTrail Logs to CloudWatch Logs real-time monitoring of API calls can be achieved. Metric filter and alarm should be established for unauthorized API calls.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/83ca4867-58c1-45d6-b6b6-dbf226512891\",\r\n \"name\": \"83ca4867-58c1-45d6-b6b6-dbf226512891\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for AWS Management Console sign-in without MFA\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By directing CloudTrail Logs to CloudWatch Logs real-time monitoring of API calls can be achieved. Metric filter and alarm should be established for console logins that are not protected by multi-factor authentication (MFA).\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a269cbdb-86e8-431c-9ff2-f0ea491174d8\",\r\n \"name\": \"a269cbdb-86e8-431c-9ff2-f0ea491174d8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for usage of \\\"root\\\" account\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By directing CloudTrail Logs to CloudWatch Logs real-time monitoring of API calls can be achieved. Metric filter and alarm should be established for root account login attempts.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5ea59e47-093b-446f-9765-5b0ec4c9da61\",\r\n \"name\": \"5ea59e47-093b-446f-9765-5b0ec4c9da61\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for IAM policy changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By directing CloudTrail Logs to CloudWatch Logs real-time monitoring of API calls can be achieved. Metric filter and alarm should be established for changes made to Identity and Access Management (IAM) policies\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/011397ca-1366-4bcc-b85a-7a5e3df2e80b\",\r\n \"name\": \"011397ca-1366-4bcc-b85a-7a5e3df2e80b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for CloudTrail configuration changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By directing CloudTrail Logs to CloudWatch Logs real-time monitoring of API calls can be achieved. Metric filter and alarm should be established for changes made to CloudTrail's configurations\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c62371bc-f6a7-4915-b5b5-14288682cf79\",\r\n \"name\": \"c62371bc-f6a7-4915-b5b5-14288682cf79\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for AWS Management Console authentication failures\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By directing CloudTrail Logs to CloudWatch Logs real-time monitoring of API calls can be achieved. Metric filter and alarm should be established for failed console authentication attempts.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/293ba336-7312-42fc-a59d-836e4e678b17\",\r\n \"name\": \"293ba336-7312-42fc-a59d-836e4e678b17\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By directing CloudTrail Logs to CloudWatch Logs real-time monitoring of API calls can be achieved. Metric filter and alarm should be established for customer created CMKs which have changed state to disabled or scheduled deletion.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0b547a38-2c0d-47e1-b9a2-a59fccc140db\",\r\n \"name\": \"0b547a38-2c0d-47e1-b9a2-a59fccc140db\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for S3 bucket policy changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By directing CloudTrail Logs to CloudWatch Logs real-time monitoring of API calls can be achieved. Metric filter and alarm should be established for changes to S3 bucket policies.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7d0ad86f-f43b-4889-b2f7-09d91bd1407b\",\r\n \"name\": \"7d0ad86f-f43b-4889-b2f7-09d91bd1407b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for AWS Config configuration changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By directing CloudTrail Logs to CloudWatch Logs real-time monitoring of API calls can be achieved. Metric filter and alarm should be established for changes to AWS Config configuration settings\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b20558b6-de31-480c-8aa0-e920d62b9764\",\r\n \"name\": \"b20558b6-de31-480c-8aa0-e920d62b9764\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for security group changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By directing CloudTrail Logs to CloudWatch Logs real-time monitoring of API calls can be achieved. Metric filter and alarm should be established for changes to Security Groups.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/022efc2d-5119-480b-a203-e151b6b2645c\",\r\n \"name\": \"022efc2d-5119-480b-a203-e151b6b2645c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By directing CloudTrail Logs to CloudWatch Logs real-time monitoring of API calls can be achieved. Metric filter and alarm should be established for changes made to NACLs\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3ee7608e-f0e7-4c26-8921-5ae46c4e99df\",\r\n \"name\": \"3ee7608e-f0e7-4c26-8921-5ae46c4e99df\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for changes to network gateways\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By directing CloudTrail Logs to CloudWatch Logs real-time monitoring of API calls can be achieved. Metric filter and alarm should be established for changes to network gateways.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/33765629-073d-49eb-bab4-64bdf8ac90da\",\r\n \"name\": \"33765629-073d-49eb-bab4-64bdf8ac90da\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for route table changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By directing CloudTrail Logs to CloudWatch Logs real-time monitoring of API calls can be achieved. Metric filter and alarm should be established for changes to route tables.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9c054f50-823f-45ab-839e-9df4eb7c2f11\",\r\n \"name\": \"9c054f50-823f-45ab-839e-9df4eb7c2f11\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for VPC changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By directing CloudTrail Logs to CloudWatch Logs real-time monitoring of API calls can be achieved. Metric filter and alarm should be established for changes made to VPCs.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b3473ed6-78c0-40d5-b5f0-674e98924952\",\r\n \"name\": \"b3473ed6-78c0-40d5-b5f0-674e98924952\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure no security groups allow ingress from 0.0.0.0/0 to port 22\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. Restricting connectivity to remote console services, such as SSH, could help reduce a server's exposure to risk.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9dd55566-33b9-4c07-a959-14794ce02355\",\r\n \"name\": \"9dd55566-33b9-4c07-a959-14794ce02355\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. Restricting connectivity to remote console services, such as RDP, could help reduce a server's exposure to risk.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ad0b04b9-eaf9-49f8-b85e-724f9520e760\",\r\n \"name\": \"ad0b04b9-eaf9-49f8-b85e-724f9520e760\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure the default security group of every VPC restricts all traffic\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"When an instance is launched and no security group is specified, the instance is automatically assign to a default security group. A default security group should restrict all traffic\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"name\": \"eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Subnets should be associated with a network security group\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e71308d3-144b-4262-b144-efdc3cc90517\",\r\n \"description\": \"Protect your subnet from potential threats by restricting access to it with a network security group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. When an NSG is associated with a subnet, the ACL rules apply to all the VM instances and integrated services in that subnet, but don't apply to internal traffic inside the subnet. To secure resources in the same subnet from one another, enable NSG directly on the resources as well.\",\r\n \"remediationDescription\": \"To enable Network Security Groups on your subnets:
1. Select a subnet to enable NSG on.
2. Click the 'Network security group' section.
3. Follow the steps and select an existing network security group to attach to this specific subnet.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"name\": \"e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure DDoS Protection Standard should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd\",\r\n \"description\": \"Security Center has discovered virtual networks with Application Gateway resources unprotected by the DDoS protection service. These resources contain public IPs. Enable mitigation of network volumetric and protocol attacks.\",\r\n \"remediationDescription\": \"
1. Select a virtual network to enable the DDoS protection service standard on.
2. Select the Standard option.
3. Click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"ThreatResistance\",\r\n \"DenialOfService\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/35f45c95-27cf-4e52-891f-8390d1de5828\",\r\n \"name\": \"35f45c95-27cf-4e52-891f-8390d1de5828\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Adaptive application controls for defining safe applications should be enabled on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc\",\r\n \"description\": \"Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.\",\r\n \"remediationDescription\": \"To enable and configure adaptive application controls:
1. From the portal, open Security Center.
2. Select \\\"Adaptive application controls\\\" from Security Center's sidebar.
3. To see the groups of machines that Security Center recommends protecting with adaptive application controls, select the \\\"Recommended\\\" tab and choose a group of machines to protect.
4. Create a new applications control policy according to the instructions in Security Center's documentation: https://aka.ms/aac-newpolicy\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\",\r\n \"ThreatResistance\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1234abcd-1b53-4fd4-9835-2c2fa3935313\",\r\n \"name\": \"1234abcd-1b53-4fd4-9835-2c2fa3935313\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Allowlist rules in your adaptive application control policy should be updated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/123a3936-f020-408a-ba0c-47873faf1534\",\r\n \"description\": \"Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.\",\r\n \"remediationDescription\": \"To update your list of known-safe applications:
1. From the portal, open Security Center.
2. Select \\\"Adaptive application controls\\\" from Security Center's sidebar.
3. To see the groups of machines for which Security Center recommends updating the policy, select the \\\"Recommended\\\" tab and choose the configured group of machines.
4. The current policy will be displayed together with the new rules that Security Center recommends adding.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\",\r\n \"ThreatResistance\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f9f0eed0-f143-47bf-b856-671ea2eeed62\",\r\n \"name\": \"f9f0eed0-f143-47bf-b856-671ea2eeed62\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Adaptive network hardening recommendations should be applied on internet facing virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6\",\r\n \"description\": \"Azure Security Center has analyzed the internet traffic communication patterns of the virtual machines listed below, and determined that the existing rules in the NSGs associated to them are overly permissive, resulting in an increased potential attack surface.
This typically occurs when this IP address doesn't communicate regularly with this resource. Alternatively, the IP address has been flagged as malicious by Security Center's threat intelligence sources. learn more\",\r\n \"remediationDescription\": \"To harden the Network Security Group traffic rules, enforce the recommended rules by following the steps below or manually edit the rules directly on the Network Security Group:
- Select a VM from the list below, or click \\\"Take action\\\" if you've arrived from a specific VM's recommendation blade.
- Click the \\\"Rules\\\" tab.
- If you want to modify a recommended rule's parameters:
- In the rule that you want to change, select the three dots and select \\\"Edit rule\\\". The \\\"Edit rule\\\" blade opens.
- Modify the parameters that you want to change and click \\\"Save\\\". The blade closes.
- If you want to create a new rule:
- Click \\\"Add rule\\\" (in the top left corner). The \\\"Edit rule\\\" blade opens.
- Fill in the parameters and click \\\"Add rule\\\". The blade closes and the new rule is listed in the Rules tab.
- Select the rules that you want to apply (including any rules that you edited or added) and click \\\"Enforce\\\".
\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/805651bc-6ecd-4c73-9b55-97a19d0582d0\",\r\n \"name\": \"805651bc-6ecd-4c73-9b55-97a19d0582d0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Management ports of virtual machines should be protected with just-in-time network access control\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c\",\r\n \"description\": \"Azure Security Center has identified some overly-permissive inbound rules for management ports in your Network Security Group. Enable just-in-time access control to protect your VM from internet-based brute-force attacks. Learn more.\",\r\n \"remediationDescription\": \"To enable just-in-time VM access:
- Select one or more VMs from the list below and click \\\"Remediate\\\", or click \\\"Take action\\\" if you've arrived from a recommendation for a specific VM.
- On the \\\"JIT VM access configuration\\\" page, define the ports for which the just-in-time VM access will be applicable.
- To add additional ports, click the \\\"Add\\\" button on the top left, or click an existing port and edit it.
- On the \\\"Add port configuration\\\" blade, enter the required parameters.
- Click \\\"Save\\\".
\",\r\n \"categories\": [\r\n \"Compute\",\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/01b1ed4c-b733-4fee-b145-f23236e70cf3\",\r\n \"name\": \"01b1ed4c-b733-4fee-b145-f23236e70cf3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerability assessment solution should be installed on your virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/760a85ff-6162-42b3-8d70-698e268f648c\",\r\n \"description\": \"Install a vulnerability assessment solution on your virtual machines\",\r\n \"remediationDescription\": \"N/A\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/71992a2a-d168-42e0-b10e-6b45fa2ecddb\",\r\n \"name\": \"71992a2a-d168-42e0-b10e-6b45fa2ecddb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities should be remediated by a Vulnerability Assessment solution\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/760a85ff-6162-42b3-8d70-698e268f648c\",\r\n \"description\": \"Virtual machines for which a vulnerability assessment 3rd party solution is deployed are being continuously assessed against application and OS vulnerabilities. Whenever such vulnerabilities are found, these are available for more information as part of the recommendation.\",\r\n \"remediationDescription\": \"N/A\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\",\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bc303248-3d14-44c2-96a0-55f5c326b5fe\",\r\n \"name\": \"bc303248-3d14-44c2-96a0-55f5c326b5fe\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Management ports should be closed on your virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/22730e10-96f6-4aac-ad84-9383d35b5917\",\r\n \"description\": \"Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.\",\r\n \"remediationDescription\": \"We recommend that you edit the inbound rules of some of your virtual machines, to restrict access to specific source ranges.
To restrict access to your virtual machines:
1. Select a VM to restrict access to.
2. In the 'Networking' blade, click on each of the rules that allow management ports (e.g. RDP-3389, WINRM-5985, SSH-22).
3. Either change the 'Action' property to 'Deny', or, improve the rule by applying a less permissive range of source IP ranges.
4. Click 'Save'.
Use Azure Security Center's Just-in-time (JIT) virtual machine (VM) access to lock down inbound traffic to your Azure VMs by demand. Click here to learn more.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ThreatResistance\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c3b51c94-588b-426b-a892-24696f9e54cc\",\r\n \"name\": \"c3b51c94-588b-426b-a892-24696f9e54cc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IP forwarding on your virtual machine should be disabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744\",\r\n \"description\": \"Azure Security Center has discovered that IP forwarding is enabled on some of your virtual machines. Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.\",\r\n \"remediationDescription\": \"We recommend you edit the IP configurations of the NICs belonging to some of your virtual machines.
To disable IP forwarding:
1. Select a VM from the list below, or click 'Take action' if you've arrived from a specific VM's recommendation blade.
2. In the 'Networking' blade, click on the NIC link ('Network Interface' in the top left).
3. In the 'IP configurations' blade, set the 'IP forwarding' field to 'Disabled'.
4. Click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3b20e985-f71f-483b-b078-f30d73936d43\",\r\n \"name\": \"3b20e985-f71f-483b-b078-f30d73936d43\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"All network ports should be restricted on network security groups associated to your virtual machine\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9daedab3-fb2d-461e-b861-71790eead4f6\",\r\n \"description\": \"Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.\",\r\n \"remediationDescription\": \"We recommend that you edit the inbound rules of some of your virtual machines, to restrict access to specific source ranges.
To restrict access to your virtual machines:
1. Select a VM to restrict access to.
2. In the 'Networking' blade, click the Network Security Group with overly permissive rules.
3. In the 'Network security group' blade, click on each of the rules that are overly permissive.
4. Improve the rule by applying less permissive source IP ranges.
5. Apply the suggested changes and click 'Save'.
If some or all of these virtual machines do not need to be accessed directly from the Internet, then you can also consider removing the public IP associated to them.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/483f12ed-ae23-447e-a2de-a67a10db4353\",\r\n \"name\": \"483f12ed-ae23-447e-a2de-a67a10db4353\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Internet-facing virtual machines should be protected with network security groups\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c\",\r\n \"description\": \"Protect your VM from potential threats by restricting access to it with a network security group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your VM from other instances, in or outside the same subnet.
Please note that to keep your machine as secured as possible, both the VM access to the Internet must be restricted, and an NSG should be enabled on the subnet.
VMs with 'High' severity are Internet-facing VMs.\",\r\n \"remediationDescription\": \"To protect a virtual machine with a Network Security Group:
1. Select a VM from the list below, or click \\\"Take action\\\" if you've arrived from a recommendation for a specific VM.
2. Assign the relevant NSG to the NIC or subnet for the VM you're protecting:
a. To assign the NSG to the VM's subnet (recommended):
i. In the Networking page, select the 'Virtual network/subnet'.
ii. Open the \\\"Subnets\\\" menu.
iii. Select the subnet where your VM is deployed.
iv. Select the Network Security Group to assign to the subnet and click \\\"Save\\\".
b. To assign the NSG to the NIC:
i. In the Networking page, select the network interface that's associated with the selected VM.
ii. In the Network interfaces page, select the 'Network security group' menu item.
iii. Click 'Edit' at the top of the page.
iv. Follow the on-screen instructions and select the Network Security Group to assign to this NIC.
Click here to learn more.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a9341235-9389-42f0-a0bf-9bfb57960d44\",\r\n \"name\": \"a9341235-9389-42f0-a0bf-9bfb57960d44\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Non-internet-facing virtual machines should be protected with network security groups\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6\",\r\n \"description\": \"Protect your non-internet-facing virtual machine from potential threats by restricting access to it with a network security group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your VM from other instances, whether or not they're on the same subnet.
Note that to keep your machine as secure as possible, the VM's access to the internet must be restricted and an NSG should be enabled on the subnet.\",\r\n \"remediationDescription\": \"To protect a virtual machine with a network security group:
1. Select a VM from the list below, or click \\\"Take action\\\" if you've arrived from a recommendation for a specific VM.
2. Assign the relevant NSG to the NIC or subnet for the VM you're protecting:
a. To assign the NSG to the VM's subnet (recommended):
i. In the Networking page, select the 'Virtual network/subnet'.
ii. Open the \\\"Subnets\\\" menu.
iii. Select the subnet where your VM is deployed.
iv. Select the network security group to assign to the subnet and select \\\"Save\\\".
b. To assign the NSG to the NIC:
i. In the Networking page, select the network interface that's associated with the selected VM.
ii. In the Network interfaces page, select the 'Network security group' menu item.
iii. Select 'Edit' at the top of the page.
iv. Follow the on-screen instructions and select the network security group to assign to this NIC.
Learn more.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/550e890b-e652-4d22-8274-60b3bdb24c63\",\r\n \"name\": \"550e890b-e652-4d22-8274-60b3bdb24c63\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Enable the built-in vulnerability assessment solution on virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9\",\r\n \"description\": \"Install the Qualys extension (built-in to the Azure Security Center standard tier) to enable the industry-leading vulnerability assessment solution on your virtual machines.\",\r\n \"remediationDescription\": \"To remediate with a single click, in the Unhealthy resources tab (below), select the resources, and click 'Remediate'. Read the remediation details in the confirmation box, insert the relevant parameters if required and approve the remediation. Note: It can take several minutes after remediation completes to see the resources in the ‘healthy resources’\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ffff0522-1e88-47fc-8382-2a80ba848f5d\",\r\n \"name\": \"ffff0522-1e88-47fc-8382-2a80ba848f5d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"A vulnerability assessment solution should be enabled on your virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9\",\r\n \"description\": \"Install the extension to enable a vulnerability assessment solution on your virtual machines.\",\r\n \"remediationDescription\": \"To remediate with a single click, in the Unhealthy resources tab (below), select the resources, and click 'Remediate'. Read the remediation details in the confirmation box, insert the relevant parameters if required and approve the remediation. Note: It can take several hours after remediation completes to see the resources in the ‘healthy resources’\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/57f36d21-69e3-4b0f-a66c-18629d1b736d\",\r\n \"name\": \"57f36d21-69e3-4b0f-a66c-18629d1b736d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Adaptive Network Hardening recommendations should be applied on internal facing virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Azure Security Center has analyzed the Internet traffic communication patterns of the virtual machines listed below, and determined that the existing rules in the NSGs associated to them are overly permissive, resulting in an increased potential attack surface. This could be due lack of traffic on the port/protocol tuples or specific IPs which have been flagged as malicious by Security Center's threat intelligence sources.\",\r\n \"remediationDescription\": \"Security Center recommends that you modify the rules of your virtual machines, to close ports which are not in use.
To close unused ports on your Virtual Machine with a Network Security Group
1. Select a Virtual Machine to display a list of its unused open ports
2. Open the Virtual Machine's Networking blade by clicking its name
3. Edit the Virtual Machine's inbound/outbound rules to block ports according to the list
4. Click Save\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/24d8af06-d441-40b4-a49c-311421aa9f58\",\r\n \"name\": \"24d8af06-d441-40b4-a49c-311421aa9f58\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Network traffic data collection agent should be installed on Windows virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2f2ee1de-44aa-4762-b6bd-0893fc3f306d\",\r\n \"description\": \"Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats.\",\r\n \"remediationDescription\": \"Installation of the dependency agent and enabling data collection in Security Center can be done in several ways:
- Using Security Center automatic provisioning on your subscription(s).
- This will automatically provision the Microsoft Monitoring Dependency Agent on current and future-created virtual machines on your subscription(s). Learn more
- You can also enable it for specific subscriptions and customize additional settings by clicking on the 'Pricing & settings' menu item
- click on a subscription and enable auto provisioning in the 'data collection' menu item.
- Install the Microsoft Monitoring Dependency agent on your Virtual machines as a VM extension or directly, by following these instructions:
- Provision the Microsoft Monitoring Dependency agent with Azure Policies. The applicable policy definitions are:
- '[Preview]: Deploy Microsoft Monitoring Dependency Agent for Windows VMs.'
\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8c3e93d3-0276-4d06-b20a-9a9f3012742c\",\r\n \"name\": \"8c3e93d3-0276-4d06-b20a-9a9f3012742c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Network traffic data collection agent should be installed on Linux virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/04c4380f-3fae-46e8-96c9-30193528f602\",\r\n \"description\": \"Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats.\",\r\n \"remediationDescription\": \"Installation of the dependency agent and enabling data collection in Security Center can be done in several ways:
- Using Security Center automatic provisioning on your subscription(s).
- This will automatically provision the Microsoft Monitoring Dependency Agent on current and future-created virtual machines on your subscription(s). Learn more
- You can also enable it for specific subscriptions and customize additional settings by clicking on the 'Pricing & settings' menu item
- click on a subscription and enable auto provisioning in the 'data collection' menu item.
- Install the Microsoft Monitoring Dependency agent on your Virtual machines as a VM extension or directly, by following these instructions:
- Provision the Microsoft Monitoring Dependency agent with Azure Policies. The applicable policy definitions are:
- '[Preview]: Deploy Microsoft Monitoring Dependency Agent for Linux VMs.'
\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f67fb4ed-d481-44d7-91e5-efadf504f74a\",\r\n \"name\": \"f67fb4ed-d481-44d7-91e5-efadf504f74a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Virtual networks should be protected by Azure Firewall\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fc5e4038-4584-4632-8c85-c0448d374b2c\",\r\n \"description\": \"Some of your virtual networks aren't protected with a firewall. Use Azure Firewall to restricting access to your virtual networks and prevent potential threats. To learn more about Azure Firewall,
Click here\",\r\n \"remediationDescription\": \"To protect your virtual networks with Azure Firewall:
1. From the list below, select a network. Or select Take action if you've arrived here from a specific virtual network page.
2. Follow the Azure Firewall deployment instructions. Make sure to configure all default routes properly.
Important: Azure Firewall is billed separately from Azure Security Center. Learn more about Azure Firewall pricing.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b1af52e4-e968-4e2b-b6d0-6736c9651f0a\",\r\n \"name\": \"b1af52e4-e968-4e2b-b6d0-6736c9651f0a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Defender for Key Vault should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/0e6763cc-5078-4e64-889d-ff4d9a839047\",\r\n \"description\": \"Azure Security Center includes Azure Defender for Key Vault, providing an additional layer of security intelligence.
Azure Defender for Key Vault detects unusual and potentially harmful attempts to access or exploit Key Vault accounts.
Important: Remediating this recommendation will result in charges for protecting your key vaults. If you don't have any key vaults in this subscription, no charges will be incurred.
If you create any key vaults on this subscription in the future, they will automatically be protected and charges will begin at that time.
Learn more about Azure Defender for Key Vault.\",\r\n \"remediationDescription\": \"To enable Azure Defender on all Azure Key Vault vaults in a subscription:
1. Open Security Center's Pricing & settings page.
2. Select the subscription on which you want to enable Azure Defender.
3. Under \\\"Select Azure Defender plan by resource type\\\", set \\\"Key Vault\\\" to \\\"On\\\".\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/58d72d9d-0310-4792-9a3b-6dd111093cdb\",\r\n \"name\": \"58d72d9d-0310-4792-9a3b-6dd111093cdb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Defender for Azure SQL Database servers should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/7fe3b40f-802b-4cdd-8bd4-fd799c948cc2\",\r\n \"description\": \"Azure Defender for SQL is a unified package that provides advanced SQL security capabilities.
It includes functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate a threat to your database, and discovering and classifying sensitive data.
Important: Remediating this recommendation will result in charges for protecting your Azure SQL Database servers. If you don't have any Azure SQL Database servers in this subscription, no charges will be incurred.
If you create any Azure SQL Database servers on this subscription in the future, they will automatically be protected and charges will begin at that time.
Learn more about Azure Defender for Azure SQL Database servers.\",\r\n \"remediationDescription\": \"To enable Azure Defender on all Azure SQL Database servers in a subscription:
1. Open Security Center's Pricing & settings page.
2. Select the subscription on which you want to enable Azure Defender.
3. Under \\\"Select Azure Defender plan by resource type\\\", set \\\"Azure SQL Database servers\\\" to \\\"On\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6ac66a74-761f-4a59-928a-d373eea3f028\",\r\n \"name\": \"6ac66a74-761f-4a59-928a-d373eea3f028\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Defender for SQL servers on machines should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/6581d072-105e-4418-827f-bd446d56421b\",\r\n \"description\": \"Azure Defender for SQL is a unified package that provides advanced SQL security capabilities.
It includes functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate a threat to your database, and discovering and classifying sensitive data.
Important: Remediating this recommendation will result in charges for protecting your SQL servers on machines. If you don't have any SQL servers on machines in this subscription, no charges will be incurred.
If you create any SQL servers on machines on this subscription in the future, they will automatically be protected and charges will begin at that time.
Learn more about Azure Defender for SQL servers on machines.\",\r\n \"remediationDescription\": \"To enable Azure Defender on all SQL servers on machines in a subscription:
1. Open Security Center's Pricing & settings page.
2. Select the subscription on which you want to enable Azure Defender.
3. Under \\\"Select Azure Defender plan by resource type\\\", set \\\"SQL servers on machines\\\" to \\\"On\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1be22853-8ed1-4005-9907-ddad64cb1417\",\r\n \"name\": \"1be22853-8ed1-4005-9907-ddad64cb1417\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Defender for Storage should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/308fbb08-4ab8-4e67-9b29-592e93fb94fa\",\r\n \"description\": \"Azure Defender for storage detects unusual and potentially harmful attempts to access or exploit storage accounts.
Important: Remediating this recommendation will result in charges for protecting your Azure Storage accounts. If you don't have any Azure Storage accounts in this subscription, no charges will be incurred.
If you create any Azure Storage accounts on this subscription in the future, they will automatically be protected and charges will begin at that time.
Learn more about Azure Defender for Storage\",\r\n \"remediationDescription\": \"To enable Azure Defender on all Azure Storage accounts in a subscription:
1. Open Security Center's Pricing & settings page.
2. Select the subscription on which you want to enable Azure Defender.
3. Under \\\"Select pricing tier by resource type\\\", set \\\"Storage\\\" to \\\"Enabled\\\"\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0876ef51-fee7-449d-ba1e-f2662c7e43c6\",\r\n \"name\": \"0876ef51-fee7-449d-ba1e-f2662c7e43c6\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Defender for App Service should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/2913021d-f2fd-4f3d-b958-22354e2bdbcb\",\r\n \"description\": \"Azure Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks.
Azure Defender for App Service can discover attacks on your applications and identify emerging attacks.
Important: Remediating this recommendation will result in charges for protecting your App Service plans. If you don't have any App Service plans in this subscription, no charges will be incurred.
If you create any App Service plans on this subscription in the future, they will automatically be protected and charges will begin at that time.
Learn more about Azure Defender for App Service.\",\r\n \"remediationDescription\": \"To enable Azure Defender on all App Service plans in a subscription:
1. Open Security Center's Pricing & settings page.
2. Select the subscription on which you want to enable Azure Defender.
3. Under \\\"Select Azure Defender plan by resource type\\\", set \\\"App Service\\\" to \\\"On\\\".\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/53572822-d3fc-4363-bfb9-248645841612\",\r\n \"name\": \"53572822-d3fc-4363-bfb9-248645841612\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Defender for container registries should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/c25d9a16-bc35-4e15-a7e5-9db606bf9ed4\",\r\n \"description\": \"To build secure containerized workloads, ensure the images that they're based on are free of known vulnerabilities.
Azure Defender for container registries scans your registry for security vulnerabilities on each pushed container image and exposes detailed findings per image.
To improve your containers' security posture and protect them from attacks, enable Azure Defender for container registries.
Important: Remediating this recommendation will result in charges for protecting your container registries. If you don't have any container registries in this subscription, no charges will be incurred.
If you create any container registries on this subscription in the future, they will automatically be protected and charges will begin at that time.
Learn more about Azure Defender for container registries.\",\r\n \"remediationDescription\": \"To enable Azure Defender on all container registries in a subscription:
1. Open Security Center's Pricing & settings page.
2. Select the subscription on which you want to enable Azure Defender.
3. Under \\\"Select Azure Defender plan by resource type\\\", set \\\"Container Registries\\\" to \\\"On\\\".\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/86ea1a79-29d3-4eac-a9f4-3541ace4e718\",\r\n \"name\": \"86ea1a79-29d3-4eac-a9f4-3541ace4e718\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Defender for Kubernetes should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/523b5cd1-3e23-492f-a539-13118b6d1e3a\",\r\n \"description\": \"Azure Defender for Kubernetes provides real-time threat protection for your containerized environments and generates alerts for suspicious activities.
You can use this information to quickly remediate security issues and improve the security of your containers.
Important: Remediating this recommendation will result in charges for protecting your Kubernetes clusters. If you don't have any Kubernetes clusters in this subscription, no charges will be incurred.
If you create any Kubernetes clusters on this subscription in the future, they will automatically be protected and charges will begin at that time.
Learn more about Azure Defender for Kubernetes.\",\r\n \"remediationDescription\": \"To enable Azure Defender on all Kubernetes clusters in a subscription:
1. Open Security Center's Pricing & settings page.
2. Select the subscription on which you want to enable Azure Defender.
3. Under \\\"Select Azure Defender plan by resource type\\\", set \\\"Kubernetes\\\" to \\\"On\\\".\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"MaliciousInsider\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\",\r\n \"DenialOfService\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/56a6e81f-7413-4f72-9a1b-aaeeaa87c872\",\r\n \"name\": \"56a6e81f-7413-4f72-9a1b-aaeeaa87c872\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Defender for servers should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/4da35fc9-c9e7-4960-aec9-797fe7d9051d\",\r\n \"description\": \"Azure Defender for servers provides real-time threat protection for your server workloads and generates hardening recommendations as well as alerts about suspicious activities.
You can use this information to quickly remediate security issues and improve the security of your servers.
Important: Remediating this recommendation will result in charges for protecting your servers. If you don't have any servers in this subscription, no charges will be incurred.
If you create any servers on this subscription in the future, they will automatically be protected and charges will begin at that time.
Learn more about Azure Defender for servers.\",\r\n \"remediationDescription\": \"To enable Azure Defender on all servers in a subscription:
1. Open Security Center's Pricing & settings page.
2. Select the subscription on which you want to enable Azure Defender.
3. Under \\\"Select Azure Defender plan by resource type\\\", set \\\"Servers\\\" to \\\"On\\\".\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b0df6f56-862d-4730-8597-38c0fd4ebd59\",\r\n \"name\": \"b0df6f56-862d-4730-8597-38c0fd4ebd59\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Sensitive data in your SQL databases should be classified\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/cc9835f2-9f6b-4cc8-ab4a-f8ef615eb349\",\r\n \"description\": \"Azure SQL DB Data discovery & classification provides capabilities for discovering, classifying, labeling, and protecting the sensitive data in your databases. Once your data is classified, you can use Azure SQL DB auditing to audit access and monitor the sensitive data. Azure SQL DB also enables Advanced Threat Protection features which creates intelligent alerts based on changes in the access patterns to the sensitive data.\",\r\n \"remediationDescription\": \"To remediate this recommendation:
1. In your SQL database, go to 'Advanced Data Security' and click 'Data Discovery and Classification'.
2. Review the recommended classifications.
3. Apply the relevant recommendations and dismiss the ones that are not applicable.
4. Please note that the updated health status for the database will not be reflected immediately and can take up to a week to refresh. You can make this happen faster by triggering a database Vulnerability Assessment scan: in your SQL database go to 'Advanced Data Security', click 'Vulnerability Assessment' and click 'Scan'. The health status of the database will be updated within 1 day from scan completion.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f97aa83c-9b63-4f9a-99f6-b22c4398f936\",\r\n \"name\": \"f97aa83c-9b63-4f9a-99f6-b22c4398f936\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerability assessment findings on your SQL servers on machines should be remediated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"SQL Vulnerability Assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.\",\r\n \"remediationDescription\": \"To resolve SQL vulnerabilities:
1. In your SQL database, go to 'Advanced Data Security' and click 'Vulnerability Assessment'.
2. Review the set of Failed security checks found by the scan, which are sorted from high to low risk.
3. Click on each vulnerability to view its details and explicit remediation instructions and scripts.
4. Either remediate the vulnerability using the provided script, or set the result as an acceptable Baseline for the check so that it will be considered passing in subsequent scans.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/dbd0cb49-b563-45e7-9724-889e799fa648\",\r\n \"name\": \"dbd0cb49-b563-45e7-9724-889e799fa648\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities in Azure Container Registry images should be remediated (powered by Qualys)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5f0f936f-2f01-4bf5-b6be-d423792fa562\",\r\n \"description\": \"Container image vulnerability assessment scans your registry for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks.\",\r\n \"remediationDescription\": \"To resolve container image vulnerabilities:
1. Navigate to the relevant resource under the 'Unhealthy' section and select the container image you are looking to remediate.
2. Review the set of failed security checks found by the scan, which are sorted from high to low risk.
3. Click on each vulnerability to view its details and explicit remediation instructions and scripts.
4. Remediate the vulnerability using the provided instructions described in the 'Remediation' field.
5. Upload the new remediated image to your registry. Review scan results for the new image to verify the vulnerability no longer exists.
6. Delete the old image with the vulnerability from your registry.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1195afff-c881-495e-9bc5-1486211ae03f\",\r\n \"name\": \"1195afff-c881-495e-9bc5-1486211ae03f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities in your virtual machines should be remediated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9\",\r\n \"description\": \"Monitors for vulnerability findings on your virtual machines as were discovered by the built-in vulnerability assessment solution of Azure Security Center (powered by Qualys).\",\r\n \"remediationDescription\": \"Review and remediate vulnerabilities discovered by a vulnerability assessment solution.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/82e20e14-edc5-4373-bfc4-f13121257c37\",\r\n \"name\": \"82e20e14-edc5-4373-bfc4-f13121257c37\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerability assessment findings on your SQL databases should be remediated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc\",\r\n \"description\": \"SQL Vulnerability Assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.\",\r\n \"remediationDescription\": \"To resolve SQL vulnerabilities:
1. In your SQL database, go to 'Advanced Data Security' and click 'Vulnerability Assessment'.
2. Review the set of Failed security checks found by the scan, which are sorted from high to low risk.
3. Click on each vulnerability to view its details and explicit remediation instructions and scripts.
4. Either remediate the vulnerability using the provided script, or set the result as an acceptable Baseline for the check so that it will be considered passing in subsequent scans.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4ab6e3c5-74dd-8b35-9ab9-f61b30875b27\",\r\n \"name\": \"4ab6e3c5-74dd-8b35-9ab9-f61b30875b27\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"System updates should be installed on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60\",\r\n \"description\": \"Install missing system security and critical updates to secure your Windows and Linux virtual machines and computers\",\r\n \"remediationDescription\": \"
1. Click an identified outstanding update.
2. In the Missing system updates pane, click the support link (when exists) and follow the instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/37a3689a-818e-4a0e-82ac-b1392b9bb000\",\r\n \"name\": \"37a3689a-818e-4a0e-82ac-b1392b9bb000\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Endpoint protection health issues should be resolved on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9\",\r\n \"description\": \"Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/en-us/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions- Endpoint protection assessment is documented here - https://docs.microsoft.com/en-us/azure/security-center/security-center-endpoint-protection\",\r\n \"remediationDescription\": \"
1. Confirm that your solution is on the list of tools supported by Security Center.
2. For a list of possible health issues with your solution and advice on how to resolve the health issues, consult this page of the Security Center documentation\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/08e628db-e2ed-4793-bc91-d13e684401c3\",\r\n \"name\": \"08e628db-e2ed-4793-bc91-d13e684401c3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Policy Add-on for Kubernetes should be installed and enabled on your clusters\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a15ec92-a229-4763-bb14-0ea34a568f8d\",\r\n \"description\": \"Azure Policy Add-on for Kubernetes extends Gatekeeper v3, an admission controller webhook for Open Policy Agent (OPA), to apply at-scale enforcements and safeguards on your clusters in a centralized, consistent manner.Security Center requires the Add-on to audit and enforce security capabilities and compliance inside your clusters. Learn more.
Requires Kubernetes v1.14.0 or later.
\",\r\n \"remediationDescription\": \"To configure the Azure Policy Add-on for use with your Azure Kubernetes Service cluster, follow the instructions in Install Azure Policy Add-on for AKS.
\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/405c9ae6-49f9-46c4-8873-a86690f27818\",\r\n \"name\": \"405c9ae6-49f9-46c4-8873-a86690f27818\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Container CPU and memory limits should be enforced\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e345eecc-fa47-480f-9e88-67dcc122b164\",\r\n \"description\": \"Enforcing CPU and memory limits prevents resource exhaustion attacks (a form of denial of service attack).We recommend setting limits for containers to ensure the runtime prevents the container from using more than the configured resource limit.
\",\r\n \"remediationDescription\": \"From the 'Unhealthy resources' tab, select the cluster. Security Center lists the pods without CPU and memory limits. To control a pod's limits, set quotas at the container level. Each container of a pod can specify one or both of the following:- spec.containers[].resources.limits.cpu
- spec.containers[].resources.limits.memory
After making your changes, redeploy the pod with the new limits.
Note: Although requests and limits can only be specified on individual containers, it is convenient to talk about pod resource limits. A Pod resource limit is the sum of the resource limits for all the containers in the pod. Learn more.
\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"threats\": [\r\n \"DenialOfService\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5d90913f-a1c5-4429-ad54-2c6c17fb3c73\",\r\n \"name\": \"5d90913f-a1c5-4429-ad54-2c6c17fb3c73\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Privileged containers should be avoided\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/95edb821-ddaf-4404-9732-666045e056b4\",\r\n \"description\": \"To prevent unrestricted host access, avoid privileged containers whenever possible.Privileged containers have all of the root capabilities of a host machine. They can be used as entry points for attacks and to spread malicious code or malware to compromised applications, hosts and networks.
\",\r\n \"remediationDescription\": \"From the 'Unhealthy resources' tab, select the cluster. Security Center lists the pods running privileged containers.For these pods, set the privileged flag to 'false' on the security context of the container's spec. After making your changes, redeploy the pod with the updated spec.
\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"threats\": [\r\n \"ElevationOfPrivilege\",\r\n \"DataExfiltration\",\r\n \"ThreatResistance\",\r\n \"DenialOfService\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8d244d29-fa00-4332-b935-c3a51d525417\",\r\n \"name\": \"8d244d29-fa00-4332-b935-c3a51d525417\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Container images should be deployed from trusted registries only\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/febd0533-8e55-448f-b837-bd0e06f16469\",\r\n \"description\": \"Images running on your Kubernetes cluster should come from known and monitored container image registries. Trusted registries reduce your cluster's exposure risk by limiting the potential for the introduction of unknown vulnerabilities, security issues and malicious images.\",\r\n \"remediationDescription\": \"- Ensure a regex, defining your organization private registries is configured, via the security policy parameters.
- From the 'Unhealthy resources' tab, select the cluster. Security Center lists the pods running images from untrusted registries. If you see a pod running an unfamiliar image, remove it and report the incident to your security admin. Otherwise, move all images to a trusted private registry and redeploy the pods with the updated registry.
\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5f88450f-9546-4b78-a181-a2d9162bb441\",\r\n \"name\": \"5f88450f-9546-4b78-a181-a2d9162bb441\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Containers should listen on allowed ports only\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/440b515e-a580-421e-abeb-b159a61ddcbc\",\r\n \"description\": \"To reduce the attack surface of your Kubernetes cluster, restrict access to the cluster by limiting containers access to the configured ports.\",\r\n \"remediationDescription\": \"- Ensure a list of ports on which your containers are allowed to listen, is configured, via the security policy parameters.
- From the 'Unhealthy resources' tab, select the cluster. Security Centers lists the pods running containers which listen on ports outside the configured list.
- Limit the containers' ports. After making your changes, redeploy the pods with the updated ports.
\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"threats\": [\r\n \"ThreatResistance\",\r\n \"DenialOfService\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/add45209-73f6-4fa5-a5a5-74a451b07fbe\",\r\n \"name\": \"add45209-73f6-4fa5-a5a5-74a451b07fbe\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Services should listen on allowed ports only\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/233a2a17-77ca-4fb1-9b6b-69223d272a44\",\r\n \"description\": \"To reduce the attack surface of your Kubernetes cluster, restrict access to the cluster by limiting services access to the configured ports.\",\r\n \"remediationDescription\": \"- Ensure a list of ports on which your services are allowed to listen, is configured, via the security policy parameters.
- From the 'Unhealthy resources' tab, select the cluster. Security Center lists the services which listen on ports outside the configured list.
- Limit the services' ports. After making your changes, redeploy the services with the updated ports.
\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"threats\": [\r\n \"ThreatResistance\",\r\n \"DenialOfService\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/11c95609-3553-430d-b788-fd41cde8b2db\",\r\n \"name\": \"11c95609-3553-430d-b788-fd41cde8b2db\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Least privileged Linux capabilities should be enforced for containers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c26596ff-4d70-4e6a-9a30-c2506bd2f80c\",\r\n \"description\": \"To reduce attack surface of your container, restrict Linux capabilities and grant specific privileges to containers without granting all the privileges of the root user. We recommend dropping all capabilities, then adding those that are required\",\r\n \"remediationDescription\": \"
1. Make sure lists of dropped capabilities and allowed capabilities are configured, via the security policy parameters.
2. From the Unhealthy resources tab, select the cluster. Security Center lists the running containers with capabilities outside the configured list.
3. Limit the containers' Linux capabilities. To add or remove Linux capabilities for a container, include a capabilities section in the securityContext section of the container manifest with the relevant capabilities set e.g. Drop: ALL ; add: ['NET_ADMIN', 'SYS_TIME'].
4. After making your changes, redeploy the pod with the updated capabilities.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"threats\": [\r\n \"ElevationOfPrivilege\",\r\n \"DataExfiltration\",\r\n \"ThreatResistance\",\r\n \"DenialOfService\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/27d6f0e9-b4d5-468b-ae7e-03d5473fd864\",\r\n \"name\": \"27d6f0e9-b4d5-468b-ae7e-03d5473fd864\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Immutable (read-only) root filesystem should be enforced for containers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/df49d893-a74c-421d-bc95-c663042e5b80\",\r\n \"description\": \"Containers should run with a read only root file system in your Kubernetes cluster. Immutable filesystem protects containers from changes at run-time with malicious binaries being added to PATH.\",\r\n \"remediationDescription\": \"
1. From the Unhealthy resources tab, select the cluster. Security Center lists the pods running containers without read only root file system.
2. For these pods, set the readOnlyRootFilesystem flag to 'true' on the security context of the container's spec.
3. After making your changes, redeploy the pod with the updated spec.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f0debc84-981c-4a0d-924d-aa4bd7d55fef\",\r\n \"name\": \"f0debc84-981c-4a0d-924d-aa4bd7d55fef\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Usage of pod HostPath volume mounts should be restricted to a known list to restrict node access from compromised containers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/098fc59e-46c7-4d99-9b16-64990e543d75\",\r\n \"description\": \"We recommend limiting pod HostPath volume mounts in your Kubernetes cluster to the configured allowed host paths. In case of compromise, the container node access from the containers should be restricted\",\r\n \"remediationDescription\": \"
1. Ensure a list of allowed host paths is configured, via the security policy parameters.
2. From the Unhealthy resources tab, select the cluster. Security Center lists the pods running pods with hostPath volume violating the configured list.
3. Update hostPath and redeploy the pod with the updated spec.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9b795646-9130-41a4-90b7-df9eae2437c8\",\r\n \"name\": \"9b795646-9130-41a4-90b7-df9eae2437c8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Running containers as root user should be avoided\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f06ddb64-5fa3-4b77-b166-acb36f7f6042\",\r\n \"description\": \"Containers should run as a non-root users in your Kubernetes cluster. Running a process as the root user inside a container runs it as root on the host. In case of compromise, an attacker has root in the container, and any mis-configurations become easier to exploit.\",\r\n \"remediationDescription\": \"
1. From the Unhealthy resources tab, select the cluster. Security Center lists the pods running containers missing the 'MustRunAsNonRoot' rule.
2. For these pods, add rule: 'MustRunAsNonRoot' in a runAsUser section of the container's spec.
3. After making your changes, redeploy the pod with the updated rule. \",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ebc68898-5c0f-4353-a426-4a5f1e737b12\",\r\n \"name\": \"ebc68898-5c0f-4353-a426-4a5f1e737b12\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Usage of host networking and ports should be restricted\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/82985f06-dc18-4a48-bc1c-b9f4f0098cfe\",\r\n \"description\": \"Restrict pod access to the host network and the allowable host port range in a Kubernetes cluster. Pods created with the hostNetwork attribute enabled will share the node’s network space. To avoid compromised container from sniffing network traffic, we recommend not putting your pods on the host network. If you need to expose a container port on the node’s network, and using a Kubernetes Service node port does not meet your needs, another possibility is to specify a hostPort for the container in the pod spec.\",\r\n \"remediationDescription\": \"
1. Ensure the following are all configured in the security policy parameters: allow host network usage, and min and max host ports.
2. From the Unhealthy resources tab, select the cluster. Security Center lists the pods running containers with host networking violating the configured list.
3. Validate the host networking using the hostNetwork and hostPort attributes (when applicable) of the container's spec.
4. After making your changes, redeploy the pod with the updated spec.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/802c0637-5a8c-4c98-abd7-7c96d89d6010\",\r\n \"name\": \"802c0637-5a8c-4c98-abd7-7c96d89d6010\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Containers sharing sensitive host namespaces should be avoided\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8\",\r\n \"description\": \"To protect against privilege escalation outside the container, avoid pod access to sensitive host namespaces (host process ID and host IPC) in a Kubernetes cluster.\",\r\n \"remediationDescription\": \"
1. From the Unhealthy resources tab, select the cluster. Security Center lists the pods sharing host process ID or host IPC.
2. Set the host process ID and host IPC to 'false' on the pod's spec.
3. After making your changes, redeploy the pod with the updated spec.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/43dc2a2e-ce69-4d42-923e-ab7d136f2cfe\",\r\n \"name\": \"43dc2a2e-ce69-4d42-923e-ab7d136f2cfe\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Container with privilege escalation should be avoided\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1c6e92c9-99f0-4e55-9cf2-0c234dc48f99\",\r\n \"description\": \"Containers shouldn't run with privilege escalation to root in your Kubernetes cluster.<br>The AllowPrivilegeEscalation attribute controls whether a process can gain more privileges than its parent process.\",\r\n \"remediationDescription\": \"
1. From the Unhealthy resources tab, select the cluster. Security Center lists the pods running containers with privilege escalation to root in your Kubernetes cluster.
2. For these pods, set the AllowPrivilegeEscalation flag to 'false' on the security context of the container's spec.
3. After making your changes, redeploy the pod with the updated spec.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/86f91051-9d6a-47c3-a07f-bd14cb214b45\",\r\n \"name\": \"86f91051-9d6a-47c3-a07f-bd14cb214b45\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Overriding or disabling of containers AppArmor profile should be restricted\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/511f5417-5d12-434d-ab2e-816901e72a5e\",\r\n \"description\": \"Containers running on your Kubernetes cluster should be limited to allowed AppArmor profiles only.<br>AppArmor (Application Armor) is a Linux security module that protects an operating system and its applications from security threats. To use it, a system administrator associates an AppArmor security profile with each program.\",\r\n \"remediationDescription\": \"
1. Ensure a list of AppArmor profiles containers are allowed to use is configured, via the security policy parameters.
2. From the Unhealthy resources tab, select the cluster. Security Center lists the running pods with AppArmor profile violating the configured list.
3. Update AppArmor annotation in the Pod's metadata and redeploy the pod with the updated spec.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\"\r\n }\r\n }\r\n ]\r\n}",
"StatusCode": 200
},
{