Queries in Azure Compliance
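The Azure Compliance mod includes 430 queries. Names are shown exactly as they appear in this listing, including irregular spellings (for example `appservice_function_app_restrict_public_acces`, `compute_vm_and_sacle_set_encryption_at_host_enabled`) and near-duplicates (`kubernetes_cluster_add_on_azure_policy_enabled` / `kubernetes_cluster_addon_azure_policy_enabled`), so reference a query by its listed name rather than a corrected spelling: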
- ad_guest_user_reviewed_monthly
- ad_manual_control
- apimanagement_service_client_certificate_enabled
- apimanagement_service_with_virtual_network
- app_configuration_encryption_enabled
- app_configuration_private_link_used
- app_configuration_sku_standard
- app_service_environment_internal_encryption_enabled
- application_gateway_waf_enabled
- application_gateway_waf_uses_specified_mode
- application_insights_block_log_ingestion_and_querying_from_public
- application_insights_linked_to_log_analytics_workspace
- appservice_api_app_client_certificates_on
- appservice_api_app_cors_no_star
- appservice_api_app_ftps_enabled
- appservice_api_app_latest_tls_version
- appservice_api_app_remote_debugging_disabled
- appservice_api_app_use_https
- appservice_api_app_uses_managed_identity
- appservice_authentication_enabled
- appservice_ftp_deployment_disabled
- appservice_function_app_authentication_on
- appservice_function_app_client_certificates_on
- appservice_function_app_cors_no_star
- appservice_function_app_ftps_enabled
- appservice_function_app_latest_http_version
- appservice_function_app_latest_java_version
- appservice_function_app_latest_python_version
- appservice_function_app_latest_tls_version
- appservice_function_app_only_https_accessible
- appservice_function_app_remote_debugging_disabled
- appservice_function_app_restrict_public_acces
- appservice_function_app_uses_managed_identity
- appservice_plan_minimum_sku
- appservice_web_app_always_on
- appservice_web_app_client_certificates_on
- appservice_web_app_cors_no_star
- appservice_web_app_diagnostic_logs_enabled
- appservice_web_app_failed_request_tracing_enabled
- appservice_web_app_ftps_enabled
- appservice_web_app_health_check_enabled
- appservice_web_app_http_logs_enabled
- appservice_web_app_incoming_client_cert_on
- appservice_web_app_latest_dotnet_framework_version
- appservice_web_app_latest_http_version
- appservice_web_app_latest_java_version
- appservice_web_app_latest_php_version
- appservice_web_app_latest_python_version
- appservice_web_app_latest_tls_version
- appservice_web_app_register_with_active_directory_enabled
- appservice_web_app_remote_debugging_disabled
- appservice_web_app_slot_use_https
- appservice_web_app_use_https
- appservice_web_app_use_virtual_service_endpoint
- appservice_web_app_uses_managed_identity
- appservice_web_app_worker_more_than_one
- arc_compute_machine_linux_log_analytics_agent_installed
- arc_compute_machine_windows_log_analytics_agent_installed
- automation_account_variable_encryption_enabled
- batch_account_encrypted_with_cmk
- batch_account_identity_provider_enabled
- batch_account_logging_enabled
- cognitive_account_encrypted_with_cmk
- cognitive_account_private_link_used
- cognitive_account_public_network_access_disabled
- cognitive_account_restrict_public_access
- cognitive_service_local_auth_disabled
- compute_disk_access_uses_private_link
- compute_disk_data_access_auth_mode_enabled
- compute_disk_public_access_disabled
- compute_disk_unattached_encrypted_with_cmk
- compute_os_and_data_disk_encrypted_with_cmk
- compute_os_and_data_disk_encrypted_with_cmk_and_platform_managed
- compute_unattached_disk_encrypted_with_cmk
- compute_vm_account_with_password_linux
- compute_vm_and_sacle_set_encryption_at_host_enabled
- compute_vm_attached_with_network
- compute_vm_data_and_os_disk_uses_managed_disk
- compute_vm_disaster_recovery_enabled
- compute_vm_guest_configuration_installed
- compute_vm_guest_configuration_installed_linux
- compute_vm_guest_configuration_installed_windows
- compute_vm_guest_configuration_with_no_managed_identity
- compute_vm_guest_configuration_with_system_assigned_managed_identity
- compute_vm_guest_configuration_with_user_and_system_assigned_managed_identity
- compute_vm_jit_access_protected
- compute_vm_log_analytics_agent_installed
- compute_vm_log_analytics_agent_installed_windows
- compute_vm_malware_agent_automatic_upgrade_enabled
- compute_vm_malware_agent_installed
- compute_vm_max_password_age_70_days_windows
- compute_vm_meet_security_baseline_requirements_linux
- compute_vm_meet_security_baseline_requirements_windows
- compute_vm_min_password_age_1_day_windows
- compute_vm_min_password_length_14_windows
- compute_vm_network_traffic_data_collection_linux_agent_installed
- compute_vm_network_traffic_data_collection_windows_agent_installed
- compute_vm_password_complexity_setting_enabled_windows
- compute_vm_passwords_stored_using_reversible_encryption_windows
- compute_vm_remote_access_restricted
- compute_vm_remote_access_restricted_all_ports
- compute_vm_restrict_previous_24_passwords_resuse_windows
- compute_vm_restrict_remote_connection_from_accounts_without_password_linux
- compute_vm_scale_set_automatic_upgrade_enabled
- compute_vm_scale_set_boot_diagnostics_enabled
- compute_vm_scale_set_log_analytics_agent_installed
- compute_vm_scale_set_logging_enabled
- compute_vm_scale_set_ssh_key_authentication_linux
- compute_vm_scale_set_uses_managed_disks
- compute_vm_secure_communication_protocols_configured
- compute_vm_ssh_key_authentication_linux
- compute_vm_system_updates_installed
- compute_vm_tcp_udp_access_restricted_internet
- compute_vm_uses_azure_resource_manager
- compute_vm_utilizing_managed_disk
- compute_vm_vulnerability_assessment_solution_enabled
- compute_vm_windows_defender_exploit_guard_enabled
- compute_windows_vm_secure_boot_enabled
- container_instance_container_group_encrypted_using_cmk
- container_instance_container_group_identity_provider_enabled
- container_instance_container_group_in_virtual_network
- container_instance_container_group_secured_environment_variable
- container_registry_admin_user_disabled
- container_registry_encrypted_with_cmk
- container_registry_geo_replication_enabled
- container_registry_public_network_access_disabled
- container_registry_quarantine_policy_enabled
- container_registry_restrict_public_access
- container_registry_retention_policy_enabled
- container_registry_trust_policy_enabled
- container_registry_use_virtual_service_endpoint
- container_registry_uses_private_link
- cosmosdb_account_encryption_at_rest_using_cmk
- cosmosdb_account_key_based_metadata_write_access_disabled
- cosmosdb_account_uses_aad_and_rbac
- cosmosdb_account_uses_private_link
- cosmosdb_account_virtual_network_filter_enabled
- cosmosdb_account_with_firewall_rules
- cosmosdb_use_virtual_service_endpoint
- data_factory_encrypted_with_cmk
- data_factory_public_network_access_disabled
- data_factory_uses_git_repository
- data_factory_uses_private_link
- databox_edge_device_double_encryption_enabled
- datalake_analytics_account_logging_enabled
- datalake_store_account_encryption_enabled
- datalake_store_account_logging_enabled
- eventgrid_domain_identity_provider_enabled
- eventgrid_domain_private_link_used
- eventgrid_domain_restrict_public_access
- eventgrid_topic_identity_provider_enabled
- eventgrid_topic_local_auth_enabled
- eventgrid_topic_private_link_used
- eventhub_namespace_cmk_encryption_enabled
- eventhub_namespace_logging_enabled
- eventhub_namespace_private_link_used
- eventhub_namespace_use_virtual_service_endpoint
- frontdoor_waf_enabled
- hdinsight_cluster_encrypted_at_rest_with_cmk
- hdinsight_cluster_encryption_at_host_enabled
- hdinsight_cluster_encryption_in_transit_enabled
- healthcare_fhir_azure_api_encrypted_at_rest_with_cmk
- healthcare_fhir_uses_private_link
- hpc_cache_encrypted_with_cmk
- iam_conditional_access_mfa_enabled
- iam_conditional_access_mfa_enabled_for_administrators
- iam_deprecated_account
- iam_deprecated_account_with_owner_roles
- iam_external_user_with_owner_role
- iam_external_user_with_read_permission
- iam_external_user_with_write_permission
- iam_global_administrator_max_5
- iam_no_custom_role
- iam_no_custom_subscription_owner_roles_created
- iam_subscription_owner_max_3
- iam_subscription_owner_more_than_1
- iam_subscriptions_with_custom_roles_no_overly_permissive
- iam_user_consent_to_apps_accessing_data_on_their_behalf_disabled
- iam_user_no_built_in_contributor_role
- iam_user_not_allowed_to_create_security_group
- iam_user_not_allowed_to_create_tenants
- iam_user_not_allowed_to_register_application
- iot_hub_logging_enabled
- iot_hub_private_link_used
- keyvault_firewall_enabled
- keyvault_key_expiration_set
- keyvault_logging_enabled
- keyvault_managed_hms_logging_enabled
- keyvault_managed_hms_purge_protection_enabled
- keyvault_purge_protection_enabled
- keyvault_rbac_enabled
- keyvault_secret_expiration_set
- keyvault_soft_delete_enabled
- keyvault_vault_private_link_used
- keyvault_vault_public_network_access_disabled
- keyvault_vault_recoverable
- keyvault_vault_use_virtual_service_endpoint
- keyvault_with_non_rbac_key_expiration_set
- keyvault_with_non_rbac_secret_expiration_set
- keyvault_with_rbac_key_expiration_set
- keyvault_with_rbac_secret_expiration_set
- kubernetes_cluster_add_on_azure_policy_enabled
- kubernetes_cluster_addon_azure_policy_enabled
- kubernetes_cluster_authorized_ip_range_defined
- kubernetes_cluster_http_application_routing_disabled
- kubernetes_cluster_key_vault_secret_rotation_enabled
- kubernetes_cluster_logging_enabled
- kubernetes_cluster_max_pod_50
- kubernetes_cluster_network_plugin_azure
- kubernetes_cluster_network_policy_enabled
- kubernetes_cluster_node_restrict_public_access
- kubernetes_cluster_os_and_data_disks_encrypted_with_cmk
- kubernetes_cluster_restrict_public_access
- kubernetes_cluster_sku_standard
- kubernetes_cluster_temp_disks_and_agent_node_pool_cache_encrypted_at_host
- kubernetes_cluster_upgrade_channel
- kubernetes_cluster_upgraded_with_non_vulnerable_version
- kubernetes_instance_rbac_enabled
- kusto_cluster_disk_encryption_enabled
- kusto_cluster_double_encryption_enabled
- kusto_cluster_encrypted_at_rest_with_cmk
- kusto_cluster_sku_with_sla
- log_analytics_workspace_block_log_ingestion_and_querying_from_public
- log_analytics_workspace_block_non_azure_ingestion
- log_profile_enabled_for_all_subscription
- logic_app_workflow_logging_enabled
- machine_learning_workspace_encrypted_with_cmk
- manual_control
- manual_control_hipaa
- mariadb_server_geo_redundant_backup_enabled
- mariadb_server_private_link_used
- mariadb_server_public_network_access_disabled
- mariadb_server_ssl_enabled
- monitor_application_insights_configured
- monitor_diagnostic_settings_captures_proper_categories
- monitor_log_alert_create_policy_assignment
- monitor_log_alert_create_update_nsg
- monitor_log_alert_create_update_nsg_rule
- monitor_log_alert_create_update_public_ip_address
- monitor_log_alert_create_update_security_solution
- monitor_log_alert_create_update_sql_servers_firewall_rule
- monitor_log_alert_delete_nsg
- monitor_log_alert_delete_nsg_rule
- monitor_log_alert_delete_policy_assignment
- monitor_log_alert_delete_public_ip_address
- monitor_log_alert_delete_security_solution
- monitor_log_alert_delete_sql_servers_firewall_rule
- monitor_log_alert_for_administrative_operations
- monitor_log_alert_sql_firewall_rule
- monitor_log_profile_enabled_for_all_categories
- monitor_log_profile_enabled_for_all_regions
- monitor_log_profile_retention_365_days
- monitor_logs_storage_container_insights_activity_logs_encrypted_with_byok
- monitor_logs_storage_container_insights_activity_logs_not_public_accessible
- monitor_logs_storage_container_insights_operational_logs_encrypted_with_byok
- monitor_logs_storage_container_insights_operational_logs_not_public_accessible
- mssql_managed_instance_encryption_at_rest_using_cmk
- mssql_managed_instance_vulnerability_assessment_enabled
- mysql_db_server_geo_redundant_backup_enabled
- mysql_flexible_server_audit_logging_enabled
- mysql_flexible_server_audit_logging_events_connection_set
- mysql_flexible_server_min_tls_1_2
- mysql_flexible_server_ssl_enabled
- mysql_server_audit_logging_enabled
- mysql_server_audit_logging_events_connection_set
- mysql_server_encrypted_at_rest_using_cmk
- mysql_server_infrastructure_encryption_enabled
- mysql_server_min_tls_1_2
- mysql_server_private_link_used
- mysql_server_public_network_access_disabled
- mysql_ssl_enabled
- network_bastion_host_min_1
- network_ddos_enabled
- network_interface_ip_forwarding_disabled
- network_lb_diagnostics_logs_enabled
- network_lb_no_basic_sku
- network_network_peering_connected
- network_public_ip_no_basic_sku
- network_security_group_diagnostic_setting_deployed
- network_security_group_https_access_restricted
- network_security_group_not_configured_gateway_subnets
- network_security_group_outbound_access_restricted
- network_security_group_rdp_access_restricted
- network_security_group_remote_access_restricted
- network_security_group_restrict_inbound_icmp_port
- network_security_group_restrict_inbound_tcp_port_135
- network_security_group_restrict_inbound_tcp_port_1433
- network_security_group_restrict_inbound_tcp_port_20
- network_security_group_restrict_inbound_tcp_port_21
- network_security_group_restrict_inbound_tcp_port_23
- network_security_group_restrict_inbound_tcp_port_25
- network_security_group_restrict_inbound_tcp_port_3306
- network_security_group_restrict_inbound_tcp_port_4333
- network_security_group_restrict_inbound_tcp_port_445
- network_security_group_restrict_inbound_tcp_port_53
- network_security_group_restrict_inbound_tcp_port_5432
- network_security_group_restrict_inbound_tcp_port_5500
- network_security_group_restrict_inbound_tcp_port_5900
- network_security_group_restrict_inbound_udp_port_137
- network_security_group_restrict_inbound_udp_port_138
- network_security_group_restrict_inbound_udp_port_1434
- network_security_group_restrict_inbound_udp_port_445
- network_security_group_restrict_inbound_udp_port_53
- network_security_group_ssh_access_restricted
- network_security_group_subnet_associated
- network_security_group_udp_service_restricted
- network_sg_flowlog_enabled
- network_sg_flowlog_retention_period_greater_than_90
- network_virtual_network_gateway_no_basic_sku
- network_watcher_enabled
- network_watcher_flow_log_enabled
- network_watcher_flow_log_traffic_analytics_enabled
- network_watcher_in_regions_with_virtual_network
- postgres_db_server_allow_access_to_azure_services_disabled
- postgres_db_server_connection_throttling_on
- postgres_db_server_geo_redundant_backup_enabled
- postgres_db_server_latest_tls_version
- postgres_db_server_log_checkpoints_on
- postgres_db_server_log_connections_on
- postgres_db_server_log_disconnections_on
- postgres_db_server_log_duration_on
- postgres_db_server_log_retention_days_3
- postgres_flexible_server_allow_access_to_azure_services_disabled
- postgres_flexible_server_connection_throttling_on
- postgres_flexible_server_log_checkpoints_on
- postgres_flexible_server_log_retention_days_3
- postgres_server_private_link_used
- postgres_sql_flexible_server_ssl_enabled
- postgres_sql_server_encrypted_at_rest_using_cmk
- postgres_sql_ssl_enabled
- postgresql_server_infrastructure_encryption_enabled
- postgresql_server_public_network_access_disabled
- recovery_service_vault_uses_managed_identity
- recovery_service_vault_uses_private_link
- recovery_service_vault_uses_private_link_for_backup
- redis_cache_in_virtual_network
- redis_cache_min_tls_1_2
- redis_cache_no_basic_sku
- redis_cache_ssl_enabled
- redis_cache_uses_private_link
- search_service_logging_enabled
- search_service_public_network_access_disabled
- search_service_replica_count_3
- search_service_uses_managed_identity
- search_service_uses_private_link
- search_service_uses_sku_supporting_private_link
- securitycenter_additional_email_configured
- securitycenter_asc_default_setting_not_disabled
- securitycenter_automatic_provisioning_monitoring_agent_on
- securitycenter_azure_defender_on_for_appservice
- securitycenter_azure_defender_on_for_containerregistry
- securitycenter_azure_defender_on_for_containers
- securitycenter_azure_defender_on_for_cosmosdb
- securitycenter_azure_defender_on_for_database
- securitycenter_azure_defender_on_for_dns
- securitycenter_azure_defender_on_for_k8s
- securitycenter_azure_defender_on_for_keyvault
- securitycenter_azure_defender_on_for_opensource_relational_db
- securitycenter_azure_defender_on_for_resource_manager
- securitycenter_azure_defender_on_for_server
- securitycenter_azure_defender_on_for_sqldb
- securitycenter_azure_defender_on_for_sqlservervm
- securitycenter_azure_defender_on_for_storage
- securitycenter_container_image_scan_enabled
- securitycenter_email_configured
- securitycenter_mcas_integration
- securitycenter_notify_alerts_configured
- securitycenter_pricing_standard
- securitycenter_security_alerts_to_owner_enabled
- securitycenter_wdatp_integration
- servicebus_name_space_private_link_used
- servicebus_namespace_azure_ad_authentication_enabled
- servicebus_namespace_logging_enabled
- servicebus_namespace_no_overly_permissive_network_access
- servicebus_premium_namespace_cmk_encrypted
- servicebus_use_virtual_service_endpoint
- servicefabric_cluster_active_directory_authentication_enabled
- servicefabric_cluster_protection_level_as_encrypt_and_sign
- signalr_service_no_free_tier_sku
- signalr_service_private_link_used
- spring_cloud_service_network_injection_enabled
- sql_database_allow_internet_access
- sql_database_long_term_geo_redundant_backup_enabled
- sql_database_transparent_data_encryption_enabled
- sql_database_vulnerability_findings_resolved
- sql_db_active_directory_admin_configured
- sql_db_public_network_access_disabled
- sql_server_and_databases_va_enabled
- sql_server_atp_enabled
- sql_server_auditing_on
- sql_server_auditing_retention_period_90
- sql_server_auditing_storage_account_destination_retention_90_days
- sql_server_azure_ad_authentication_enabled
- sql_server_azure_defender_enabled
- sql_server_tde_protector_cmk_encrypted
- sql_server_threat_detection_all_enabled
- sql_server_transparent_data_encryption_enabled
- sql_server_use_virtual_service_endpoint
- sql_server_uses_private_link
- sql_server_va_setting_periodic_scan_enabled
- sql_server_va_setting_reports_notify_admins
- sql_server_va_setting_scan_reports_configured
- storage_account_blob_containers_public_access_private
- storage_account_blob_service_logging_enabled
- storage_account_blobs_logging_enabled
- storage_account_block_public_access
- storage_account_containing_vhd_os_disk_cmk_encrypted
- storage_account_default_network_access_rule_denied
- storage_account_encryption_at_rest_using_cmk
- storage_account_encryption_scopes_encrypted_at_rest_with_cmk
- storage_account_geo_redundant_enabled
- storage_account_infrastructure_encryption_enabled
- storage_account_min_tls_1_2
- storage_account_queue_services_logging_enabled
- storage_account_queues_logging_enabled
- storage_account_restrict_network_access
- storage_account_secure_transfer_required_enabled
- storage_account_soft_delete_enabled
- storage_account_table_service_logging_enabled
- storage_account_tables_logging_enabled
- storage_account_trusted_microsoft_services_enabled
- storage_account_use_virtual_service_endpoint
- storage_account_uses_azure_resource_manager
- storage_account_uses_private_link
- storage_sync_private_link_used
- stream_analytics_job_logging_enabled
- synapse_workspace_data_exfiltration_protection_enabled
- synapse_workspace_encryption_at_rest_using_cmk
- synapse_workspace_private_link_used
- synapse_workspace_vulnerability_assessment_enabled