High Alerts for Azure
Access to App Services Should Be Restricted
Access to Storage Accounts with Firewall and Virtual Network Configurations Should be Restricted
Adaptive Application Controls for Defining Safe Applications Should be Enabled on your Machines
Adaptive Network Hardening Recommendations Should Be Applied on Internet Facing Virtual Machines
All Network Ports Should Be Restricted on Network Security Groups Associated to Your Virtual Machine
Allowlist Rules in your Adaptive Application Control Policy Should be Updated
An Azure Active Directory Administrator Should Be Provisioned for SQL Servers
Authentication to Linux Machines Should Require SSH Keys
Automation Account Variables Should be Encrypted
Azure Arc Enabled Kubernetes Clusters Should Have Azure Defender’s Extension Installed
Azure DDoS Protection Standard Should Be Enabled
Azure Defender for XYZ Should be Enabled
Azure Policy Add-on for Kubernetes Should be Installed and Enabled on Your Clusters
Container Images Should be Deployed from Trusted Registries Only
Container Registries Should Not Allow Unrestricted Network Access
Container Registries Should Use Private Link
Deprecated Accounts Should Be Removed From Your Subscription
Deprecated Accounts With Owner Permissions Should Be Removed From Your Subscription
Diagnostic Logs in XYZ Should be Enabled
Email Notification for High Severity Alerts Should Be Enabled
Email Notification to Subscription Owner for High Severity Alerts Should be Enabled
Endpoint Protection Health Failures/Issues Should be Resolved on your Machines
Enforce SSL Connection Should Be Enabled for MySQL Database Servers
Enforce SSL Connection Should be Enabled for PostgreSQL Database Servers
External Accounts With XYZ Permissions Should Be Removed From Your Subscription
File Integrity Monitoring Should be Enabled on Servers
Firewall Should be Enabled on Key Vault
FTPS Should be Required in your Web/Function/API App
Identical Authentication Credentials
Install endpoint protection solution on machines/virtual machines
Internet-Facing Virtual Machines Should Be Protected With Network Security Groups
IoT Devices - Auditd Process Stopped Sending Events
IoT Devices - Open Ports on Device
IoT Devices - Operating System Baseline Validation Failure
IoT Devices - Permissive Firewall Policy in One of the Chains Was Found
IoT Devices - Permissive Firewall Rule in the Input Chain Was Found
IoT Devices - Permissive Firewall Rule in the Output Chain Was Found
IoT Devices - TLS Cipher Suite Upgrade Needed
IP Filter Rule Large IP Range
Java Should Be Updated to the Latest Version for Your App
Key Vault Keys Should Have an Expiration Date
Key Vault Secrets Should Have an Expiration Date
Key Vaults Should Have Soft Delete Enabled
Kubernetes API Server Should Be Configured With Restricted Access
Kubernetes Clusters Should Be Accessible Only Over HTTPS
Kubernetes Clusters Should Disable Automounting API Credentials
Kubernetes Clusters Should Not Grant CAPSYSADMIN Security Capabilities
Least Privileged Linux Capabilities Should Be Enforced for Containers
Log Analytics Agent Should be Installed on XYZ
Managed Identity Should be Used in Your Web App/Function App
Management Ports of Virtual Machines Should be Protected with Just-In-Time Network Access Control
Management Ports Should Be Closed on Your Virtual Machines
MFA Should be Enabled on Accounts with Owner/Read/Write Permissions on your Subscription
Monitoring Agent Should Be Installed on Your Machines
Only Secure Connections to Your Redis Cache Should Be Enabled
Overriding or Disabling of Containers AppArmor Profile Should Be Restricted
Pod Security Policies Should be Defined on Kubernetes Services (Deprecated)
Pod Security Policies Should Be Defined to Reduce the Attack Vector by Removing Unnecessary Application Privileges
Private Endpoint Should be Configured for Key Vault
Privileged Containers Should be Avoided
Role-Based Access Control Should Be Used on Kubernetes Services
Running Containers as Root User Should be Avoided
Secure Transfer to Storage Accounts Should be Enabled
Service Fabric Clusters should Have the ClusterProtectionLevel Property Set to EncryptAndSign
Service Fabric Clusters Should Only Use Azure Active Directory for Client Authentication
Services Should Listen on Allowed Ports Only
SQL Databases Should Have Vulnerability Findings Resolved
SQL Servers on Machines Should Have Vulnerability Findings Resolved
SSH Access to the Internet should be blocked
Storage Accounts Should Restrict Network Access Using Virtual Network Rules
Subnets Should Be Associated With a Network Security Group
Subscriptions Should Have a Contact Email Address for Security Issues
System Updates on Virtual Machine Scale Sets Should be Installed
System updates should be installed on your machines
There should be more than one owner assigned to your subscription
The Rules for Web Applications on IaaS NSGs Should be Hardened
TLS should be Updated to the Latest Version for Your App
Usage of Host Networking and Ports Should be Restricted
Usage of Pod Hostpath Volume Mounts Should Be Restricted to a Known List to Restrict Node Access From Compromised Containers
Virtual Machines should be Migrated to new Azure Resource Manager
Virtual Networks Should be Protected by Azure Firewall
Vulnerabilities in Azure Container Registry Images Should Be Remediated (Powered by Qualys)
Vulnerabilities in Security Configuration on your Machines Should be Remediated
Vulnerability Assessment Should Be Enabled on Your SQL Managed Instances
Vulnerability Assessment Should Be Enabled on Your SQL Servers
Web Application Should Only be Accessible Over HTTPS
Web/Function Application Should Only be Accessible Over HTTPS
Windows Defender Exploit Guard Should be Enabled on Your Machines
Windows Web Servers Should be Configured to Use Secure Communication Protocols